Openvpn

From BlaxWiki
Revision as of 23 November 2015 at 18:53 by 127.0.0.1 (talk)

This page sets up an OpenVPN server that authenticates clients with both X.509 certificates and the auth-pam plugin (system username and password).

Compilation

* Building openvpn:
./configure --prefix=/opt/applis/openvpn-2.1.1-1 --disable-lzo --with-ssl-lib=/opt/applis/openssl-1.0.0e-1/lib --with-ssl-headers=/opt/applis/openssl-1.0.0e-1/include

* Building the auth-pam plugin:
# cd /root/install/openvpn-2.1.1/plugin/auth-pam
# make
# mkdir /usr/lib/openvpn/
# cp openvpn-auth-pam.so /usr/lib/openvpn/

* Setting up Easy-RSA:
# cp -r /root/install/openvpn-2.1.1/easy-rsa/2.0/* /opt/applis/openvpn/easy-rsa/

Certificate management

* /opt/applis/openvpn/easy-rsa/vars:
# easy-rsa parameter settings
# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.
# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="`pwd`"
#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR="$EASY_RSA/keys"
# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=2048
# In how many days should the root CA key expire?
export CA_EXPIRE=730
# In how many days should certificates expire?
export KEY_EXPIRE=730
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
# KEY_DIR is set again here with an absolute path, overriding the
# $EASY_RSA-relative value defined above.
export KEY_DIR=/opt/applis/openvpn/easy-rsa/keys
export KEY_COUNTRY=FR
export KEY_PROVINCE=FR
export KEY_CITY=St-Ouen
# Quoted: unquoted, "export KEY_ORG=AGARIK SAS" would set KEY_ORG to "AGARIK" only.
export KEY_ORG="AGARIK SAS"
export KEY_EMAIL=support@agarik.com
* Go to the Easy-RSA directory:
# cd /opt/applis/openvpn/easy-rsa/

* Load the variables:
# . ./vars

* Clean up:
# ./clean-all

* Create the certificate authority:
# ./build-ca

* Generate the server's RSA key and certificate:
# ./build-key-server vpn1.cg81.fr

* Generate the client certificate:
# ./build-key cg81

* Generate the Diffie-Hellman parameters:
# ./build-dh

* Copy the certificates into OpenVPN's etc directory:
# cp /opt/applis/openvpn/easy-rsa/keys/ca.crt /opt/applis/openvpn/etc/
# cp /opt/applis/openvpn/easy-rsa/keys/ca.key /opt/applis/openvpn/etc/
# cp /opt/applis/openvpn/easy-rsa/keys/dh2048.pem /opt/applis/openvpn/etc/
# cp /opt/applis/openvpn/easy-rsa/keys/vpn1.cg81.fr.crt /opt/applis/openvpn/etc/
# cp /opt/applis/openvpn/easy-rsa/keys/vpn1.cg81.fr.csr /opt/applis/openvpn/etc/
# cp /opt/applis/openvpn/easy-rsa/keys/vpn1.cg81.fr.key /opt/applis/openvpn/etc/
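Before the files are copied into /opt/applis/openvpn/etc, it is worth confirming that what Easy-RSA produced actually fits together: that the server certificate is signed by the CA the clients will be given, that the certificate and private key belong to each other (a mismatch is the usual result of re-running build-key-server), that nothing expires soon (KEY_EXPIRE=730 in vars makes the whole setup stop after two years) and that the private key is not readable by other accounts. The script below is an added example, not part of the wiki page or of Easy-RSA; it assumes the openssl binary is on PATH and takes the page's file names as arguments. The make_test_pki helper builds a throwaway CA and server certificate in a temporary directory (constructed test data) so the checks can be tried without touching the real keys.

```shell
#!/bin/sh
# Added example, not from the wiki page: sanity checks on the Easy-RSA output.
# Assumes openssl is on PATH; file paths are passed as arguments.

# check_pki CA_CERT SERVER_CERT SERVER_KEY
# Prints one line per check and returns 0 only if every check passed.
check_pki() {
    ca="$1"; crt="$2"; key="$3"; rc=0

    # 1. The server certificate must chain to the CA that clients will trust.
    if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "ok   : $crt verifies against $ca"
    else
        echo "FAIL : $crt does not verify against $ca"; rc=1
    fi

    # 2. Certificate and private key must carry the same public key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]; then
        echo "ok   : $key matches $crt"
    else
        echo "FAIL : $key does not match $crt"; rc=1
    fi

    # 3. Neither certificate may expire within the next 30 days (2592000 s).
    for c in "$ca" "$crt"; do
        if openssl x509 -in "$c" -noout -checkend 2592000 >/dev/null 2>&1; then
            echo "ok   : $c valid for at least 30 more days"
        else
            echo "FAIL : $c expires within 30 days or is unreadable"; rc=1
        fi
    done

    # 4. The private key must not be readable by group or others
    #    (GNU stat first, BSD/macOS stat as fallback).
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key" 2>/dev/null || true)
    case "$mode" in
        600|400) echo "ok   : $key has mode $mode" ;;
        *)       echo "FAIL : $key has mode ${mode:-?}, expected 600"; rc=1 ;;
    esac
    return $rc
}

# make_test_pki: build a throwaway CA and server certificate in a temporary
# directory (constructed test data, unrelated to the page's real keys) and
# print the directory path, so check_pki can be exercised safely.
make_test_pki() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 730 -subj "/CN=Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 730 -out "$d/srv.crt" >/dev/null 2>&1
    chmod 600 "$d/srv.key" "$d/ca.key"
    echo "$d"
}

# Usage on the page's real files (run as root before the cp step):
#   check_pki /opt/applis/openvpn/easy-rsa/keys/ca.crt \
#             /opt/applis/openvpn/easy-rsa/keys/vpn1.cg81.fr.crt \
#             /opt/applis/openvpn/easy-rsa/keys/vpn1.cg81.fr.key
```

Note that server.conf below references only ca.crt, the server certificate and key, and dh2048.pem; ca.key and the .csr are not read by the running server, so check_pki deliberately looks only at the files the server needs.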

server.conf

/opt/applis/openvpn/etc/server.conf

proto           tcp
port            443
dev             tun
tmp-dir         /tmp
ca              /opt/applis/openvpn/etc/ca.crt
cert            /opt/applis/openvpn/etc/vpn1.cg81.fr.crt
key             /opt/applis/openvpn/etc/vpn1.cg81.fr.key
dh              /opt/applis/openvpn/etc/dh2048.pem
server          192.168.255.0 255.255.255.0
push            "route 10.42.25.0 255.255.255.240"
push            "route 10.42.25.16 255.255.255.240"
push            "route 10.42.25.64 255.255.255.240"
keepalive       10 120
cipher          AES-128-CBC
#comp-lzo
max-clients     10
user            nobody
group           nobody
username-as-common-name
plugin          /usr/lib/openvpn/openvpn-auth-pam.so system-auth
persist-key
persist-tun
status          /var/log/openvpn-status.log
log             /var/log/openvpn.log
log-append      /var/log/openvpn.log
verb            6

VPN client configuration

# tell OpenVPN this is a client
client
# interface type
dev tun
# transport protocol
proto tcp
# public IP address of the network the server sits in, plus the same port as the server
remote 92.43.254.226 443
# retry the connection indefinitely
resolv-retry infinite
nobind
# keep key and tun device across restarts
persist-key
persist-tun
# silence replay warnings
mute-replay-warnings
# path to the master CA certificate
ca ca.crt
# path to the client certificate
cert cg81.crt
# path to the client's private key
key cg81.key
# prompt for username and password
auth-user-pass
# data encryption cipher
cipher AES-128-CBC
# compression (disabled)
#comp-lzo
# verbosity level
verb 5
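The server.conf and client configuration above depend on a few things being true at the same time: the files named by ca, cert, key and dh must exist where OpenVPN looks for them (relative paths are resolved from the config's directory), the key must be readable only by its owner, the server must actually drop to the user/group it names, the PAM service given to openvpn-auth-pam.so (system-auth here) must exist under /etc/pam.d, and the client must carry auth-user-pass or the PAM-backed server will reject it. The audit function below is an added example, not code from the wiki page or the OpenVPN project: audit_ovpn is a hypothetical name, the PAM directory defaults to /etc/pam.d but can be overridden for testing, and the one recommendation it makes beyond the page's own settings is the standard remote-cert-tls server client directive, which makes the client insist that the server presents a certificate built with build-key-server rather than any client certificate.

```shell
#!/bin/sh
# Added example, not from the wiki page: read-only audit of an OpenVPN config.
# audit_ovpn CONFIG [PAM_DIR]
# Prints one line per finding and returns the number of findings (0 = clean).
audit_ovpn() {
    cfg="$1"; pamdir="${2:-/etc/pam.d}"; base=$(dirname "$cfg"); n=0

    # value of the first occurrence of a directive, comments stripped
    opt()  { sed 's/#.*//' "$cfg" | awk -v k="$1" '$1 == k { print $2; exit }'; }
    # true if the directive appears at all
    has()  { sed 's/#.*//' "$cfg" | awk -v k="$1" '$1 == k { f = 1 } END { exit !f }'; }
    # resolve a path the way OpenVPN does: relative to the config's directory
    path() { case "$1" in /*) echo "$1" ;; *) echo "$base/$1" ;; esac; }
    note() { echo "FINDING: $1"; n=$((n + 1)); }

    # 1. Every PKI file the config names must exist and be readable.
    for name in ca cert key dh; do
        v=$(opt "$name")
        if [ -n "$v" ] && [ ! -r "$(path "$v")" ]; then
            note "$name points to missing file $(path "$v")"
        fi
    done

    # 2. The private key must be readable only by its owner.
    k=$(opt key)
    if [ -n "$k" ] && [ -r "$(path "$k")" ]; then
        mode=$(stat -c %a "$(path "$k")" 2>/dev/null || stat -f %Lp "$(path "$k")" 2>/dev/null || true)
        case "$mode" in 600|400) ;; *) note "key $k has mode ${mode:-?}, expected 600" ;; esac
    fi

    if has server; then
        # 3. Server side: privileges must be dropped once the tunnel is up...
        has user  || note "server does not drop privileges (no 'user')"
        has group || note "server does not drop privileges (no 'group')"
        # ...and the PAM service handed to openvpn-auth-pam.so must exist.
        if sed 's/#.*//' "$cfg" | grep -q 'openvpn-auth-pam'; then
            svc=$(sed 's/#.*//' "$cfg" | awk '$1 == "plugin" && $2 ~ /auth-pam/ { print $3; exit }')
            [ -n "$svc" ] || note "auth-pam plugin given without a PAM service name"
            [ -z "$svc" ] || [ -f "$pamdir/$svc" ] || note "PAM service '$svc' not found in $pamdir"
        fi
    fi

    if has client; then
        # 4. Client side: the page's server needs a password as well as a certificate,
        #    and the client should verify it is talking to a server-type certificate.
        has auth-user-pass  || note "client has no auth-user-pass; the PAM-backed server will reject it"
        has remote-cert-tls || note "client does not check the server certificate type (no 'remote-cert-tls server')"
    fi

    [ "$n" -eq 0 ] && echo "no findings in $cfg"
    return $n
}

# Usage on the page's files:
#   audit_ovpn /opt/applis/openvpn/etc/server.conf
#   audit_ovpn /path/to/client/cg81.ovpn
```

The exit status doubles as the finding count, so the function can be dropped into a deployment script and gated with a plain `audit_ovpn server.conf || exit`.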


Checking your VPN connection

* Check your DNS servers at https://www.dnsleaktest.com/ (extended test): only the DNS servers defined in the VPN should appear.
* Check for the WebRTC leak at https://diafygi.github.io/webrtc-ips/ : the public IP shown should be the VPN's.
* Check what is visible from the outside: https://ipleak.net/