OpenVPN

From BlaxWiki
Revision as of 1 January 2016, 11:02 by 127.0.0.1 (talk)

Here we install OpenVPN with PAM authentication (the auth-pam plugin) and client certificates, so that a client needs both a certificate issued by our CA and a valid system login.

Compilation

* Building OpenVPN (LZO compression is left out, matching the commented-out comp-lzo in the work server.conf below):
./configure --prefix=/opt/applis/openvpn-2.1.1-1 --disable-lzo --with-ssl-lib=/opt/applis/openssl-1.0.0e-1/lib --with-ssl-headers=/opt/applis/openssl-1.0.0e-1/include

* Building the auth-pam plugin (it is not built by the main configure/make) and installing it where server.conf expects it:
# cd /root/install/openvpn-2.1.1/plugin/auth-pam
# make
# mkdir /usr/lib/openvpn/
# cp openvpn-auth-pam.so /usr/lib/openvpn/

* Setting up Easy-RSA (copy the 2.0 scripts out of the source tree so that later upgrades do not overwrite the edited vars file):
# cp -r /root/install/openvpn-2.1.1/easy-rsa/2.0/* /opt/applis/openvpn/easy-rsa/

Certificate management

* /opt/applis/openvpn/easy-rsa/vars
# easy-rsa parameter settings
# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.
# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="`pwd`"
#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
# Edit this variable to point to
# your soon-to-be-created key
# directory. An absolute path is used
# here so that it does not depend on
# the directory vars is sourced from.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR="/opt/applis/openvpn/easy-rsa/keys"
# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
# RSA key size in bits. 2048 is the
# minimum worth using; larger values
# slow down TLS negotiation and the
# one-time DH parameter generation.
export KEY_SIZE=2048
# In how many days should the root CA key expire?
export CA_EXPIRE=730
# In how many days should certificates expire?
export KEY_EXPIRE=730
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
# Values containing spaces must be quoted,
# otherwise "export KEY_ORG=AGARIK SAS"
# only sets KEY_ORG=AGARIK.
export KEY_COUNTRY="FR"
export KEY_PROVINCE="FR"
export KEY_CITY="St-Ouen"
export KEY_ORG="AGARIK SAS"
export KEY_EMAIL="support@agarik.com"
* Go to the Easy-RSA directory:
# cd /opt/applis/openvpn/easy-rsa/

* Load the variables:
# . ./vars

* Clean up (this removes everything under $KEY_DIR):
# ./clean-all

* Create the certificate authority (ca.crt and ca.key):
# ./build-ca

* Generate the server certificate and key (build-key-server marks the certificate as a server certificate, which is what a client's remote-cert-tls / ns-cert-type check relies on):
# ./build-key-server vpn1.cg81.fr

* Generate the client certificate:
# ./build-key cg81

* Generate the Diffie-Hellman parameters:
# ./build-dh

* Copy the server's files into OpenVPN's etc directory. Only ca.crt, the server certificate and key, and the DH parameters are needed there. Do not copy ca.key: the server never uses it, and with the CA key on the VPN host anyone who compromises the server can issue themselves client certificates. The .csr is of no use once signed. Keep the server key readable by root only; ca.crt, cg81.crt and cg81.key go to the client.
# cp /opt/applis/openvpn/easy-rsa/keys/ca.crt /opt/applis/openvpn/etc/
# cp /opt/applis/openvpn/easy-rsa/keys/dh2048.pem /opt/applis/openvpn/etc/
# cp /opt/applis/openvpn/easy-rsa/keys/vpn1.cg81.fr.crt /opt/applis/openvpn/etc/
# cp /opt/applis/openvpn/easy-rsa/keys/vpn1.cg81.fr.key /opt/applis/openvpn/etc/
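
The Easy-RSA procedure above, as an added example that is not part of this page nor of Easy-RSA: the same steps (build-ca, build-key-server, build-key) written out with plain openssl so that the extensions each step adds are visible, followed by the checks a practitioner would run on the result. The CN values are the page's; the CA name vpn-ca, the file names server.*/client.*, the request config and the directory layout are assumptions for the demo, and openssl must be installed. Lifetimes follow the vars file (730 days). DH generation is left to ./build-dh.

```shell
#!/bin/sh
# Added example, not the page's or Easy-RSA's code: the work that build-ca,
# build-key-server and build-key do, written out with plain openssl so the
# extensions each step adds are visible. CN values match the page; the CA
# name and file layout are demo assumptions. Lifetimes follow vars (730 days).

# Minimal request config so the demo does not depend on the system openssl.cnf.
# [server] and [client] mirror easy-rsa 2.0's server / usr_cert sections;
# subjects are passed with -subj.
write_req_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server]
basicConstraints = CA:FALSE
nsCertType = server
extendedKeyUsage = serverAuth
keyUsage = digitalSignature,keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
keyUsage = digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# issue_cert <dir> <basename> <CN> <server|client>: CSR, then CA signature
issue_cert() {
    dir=$1; name=$2; cn=$3; section=$4
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=FR/ST=FR/L=St-Ouen/O=AGARIK SAS/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" &&
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 730 -sha256 \
        -extfile "$dir/req.cnf" -extensions "$section" -out "$dir/$name.crt"
}

# build_pki <dir>: CA, server and client material. umask 077 makes every
# file 0600, and ca.key never leaves this directory.
build_pki() {
    dir=$1
    mkdir -p "$dir" && write_req_config "$dir/req.cnf" || return 1
    (
        umask 077
        # build-ca: self-signed CA certificate
        openssl req -x509 -config "$dir/req.cnf" -extensions v3_ca \
            -newkey rsa:2048 -nodes -sha256 -days 730 \
            -subj "/C=FR/ST=FR/L=St-Ouen/O=AGARIK SAS/CN=vpn-ca" \
            -keyout "$dir/ca.key" -out "$dir/ca.crt" &&
        # build-key-server vpn1.cg81.fr: serverAuth + nsCertType=server
        issue_cert "$dir" server vpn1.cg81.fr server &&
        # build-key cg81: clientAuth only
        issue_cert "$dir" client cg81 client
    ) 2>/dev/null
}

# cert_cn <cert>: the CN, which is the identity OpenVPN logs and matches on
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline 2>/dev/null |
        sed -n 's/^[[:space:]]*CN=//p'
}

# Chain + purpose checks: a server cert must verify as a TLS server (what a
# client's "remote-cert-tls server" enforces) and a client cert must not.
check_server_cert() { openssl verify -CAfile "$1" -purpose sslserver "$2" >/dev/null 2>&1; }
check_client_cert() { openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1; }

# stage_server_files <pki dir> <openvpn etc dir>: only what server.conf needs
stage_server_files() {
    mkdir -p "$2" && cp "$1/ca.crt" "$1/server.crt" "$1/server.key" "$2/" &&
    chmod 600 "$2/server.key"
}

[ "${1:-}" = demo ] && {
    d=$(mktemp -d) && build_pki "$d" && stage_server_files "$d" "$d/etc" &&
    echo "issued server cert for CN=$(cert_cn "$d/etc/server.crt") in $d/etc"
}
```

Run it with "sh pki.sh demo" to get a throw-away PKI in a temporary directory. The two purpose checks are the point of build-key-server: without the serverAuth / nsCertType=server extensions, and without the matching check on the client side, any client certificate signed by the same CA is accepted as a server certificate.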

server.conf (work)

/opt/applis/openvpn/etc/server.conf

proto           tcp
port            443
dev             tun
tmp-dir         /tmp
ca              /opt/applis/openvpn/etc/ca.crt
cert            /opt/applis/openvpn/etc/vpn1.cg81.fr.crt
key             /opt/applis/openvpn/etc/vpn1.cg81.fr.key
dh              /opt/applis/openvpn/etc/dh2048.pem
server          192.168.255.0 255.255.255.0
push            "route 10.42.25.0 255.255.255.240"
push            "route 10.42.25.16 255.255.255.240"
push            "route 10.42.25.64 255.255.255.240"
keepalive       10 120
cipher          AES-128-CBC
#comp-lzo
max-clients     10
user            nobody
group           nobody
username-as-common-name
plugin          /usr/lib/openvpn/openvpn-auth-pam.so system-auth
persist-key
persist-tun
status          /var/log/openvpn-status.log
# log-append supersedes a preceding "log" directive; one of the two is enough
log-append      /var/log/openvpn.log
verb            6


server.conf (personal)

# Server: UDP on port 80 (the client's proto and remote port must match these two lines)
mode server
tls-server
proto udp
port 80
dev tun

# Keys and certificates
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
key-direction 0
cipher AES-256-CBC

# Network
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120

# Security: unprivileged user and chroot jail after initialisation
user nobody
group nogroup
chroot /etc/openvpn/jail
persist-key
persist-tun
comp-lzo

# Log
verb 3
mute 20
status openvpn-status.log
log-append /var/log/openvpn.log

VPN client configuration

Two directives the file below lacks are worth adding: remote-cert-tls server (ns-cert-type server on OpenVPN 2.1), so that the client only accepts a certificate issued with build-key-server and not any client certificate signed by the same CA, and auth-nocache, so that the password entered for auth-user-pass is not kept in the client's memory.

# marks this side as the client
client

# interface type (must match the server)
dev tun

# transport protocol: must be the same as the server's proto. UDP is the usual
# choice and performs better; it is not more secure than TCP.
#proto tcp
proto udp

# public IP of the network the server sits in, and the port the server listens on
remote 92.43.254.226 443

# keep retrying name resolution forever, and do not bind a fixed local port
resolv-retry infinite
nobind

# keep the keys and the tun device across reconnects
persist-key
persist-tun

# silence warnings about duplicate (replayed) packets
mute-replay-warnings

# data channel cipher: must match the server
cipher AES-256-CBC

# the CA certificate
ca ca.crt

# the client certificate
cert ben.crt

# the client private key
key ben.key
tls-auth ta.key 1

# prompt for username and password (checked by auth-pam on the server)
auth-user-pass

# enable compression (must match the server's comp-lzo setting)
comp-lzo
# verbosity level
verb 5
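
The two server.conf variants and the client file above differ on a handful of security-relevant settings (tls-auth, cipher, compression, privilege drop, log level, and on the client side the server-certificate check and password caching). As an added example that is not part of this page, the script below reads such configs and lists those points; the three configs it writes are constructed for the demo, modelled on the files above but not copies of them, and the check list is a starting point, not a complete hardening policy.

```shell
#!/bin/sh
# Added example, not the page's own code: audit an OpenVPN server.conf and a
# client config for the points the two server.conf variants and the client
# file above differ on. The configs written by write_sample_configs are
# constructed for the demo; the check list is a starting point, not a policy.

# conf_get <file> <directive>: value of the first active occurrence
# (OpenVPN treats lines starting with '#' or ';' as comments).
conf_get() {
    awk -v d="$2" '/^[ \t]*[#;]/ { next }
        $1 == d { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# conf_has <file> <directive>: true when the directive is active
conf_has() {
    awk -v d="$2" '/^[ \t]*[#;]/ { next } $1 == d { f = 1 } END { exit !f }' "$1"
}

# Findings that apply to both sides (cipher and compression must agree).
common_findings() {
    f=$1
    c=$(conf_get "$f" cipher); c=${c:-BF-CBC}   # OpenVPN 2.1-2.3 default when unset
    case "$c" in
        BF-CBC|DES-CBC|DES-EDE3-CBC|RC2-CBC|CAST5-CBC)
            echo "cipher $c: 64-bit block cipher (SWEET32), set an AES cipher on both sides" ;;
    esac
    if conf_has "$f" comp-lzo && [ "$(conf_get "$f" comp-lzo)" != no ]; then
        echo "comp-lzo: compression reveals plaintext length to an attacker (VORACLE)"
    fi
}

# audit_server_conf <file>: one finding per line
audit_server_conf() {
    f=$1
    common_findings "$f"
    conf_has "$f" tls-auth || conf_has "$f" tls-crypt ||
        echo "no tls-auth/tls-crypt: any host reaching the port can start a TLS handshake"
    conf_has "$f" user && conf_has "$f" group ||
        echo "user/group not set: the daemon keeps root after initialisation"
    v=$(conf_get "$f" verb)
    [ "${v:-1}" -le 4 ] || echo "verb $v: per-packet logging, for debugging only"
    ca=$(conf_get "$f" ca)
    [ -z "$ca" ] || [ ! -e "$(dirname "$ca")/ca.key" ] ||
        echo "ca.key beside $ca: the CA private key does not belong on the VPN host"
}

# audit_client_conf <file>: one finding per line
audit_client_conf() {
    f=$1
    common_findings "$f"
    conf_has "$f" remote-cert-tls || conf_has "$f" ns-cert-type ||
        echo "no remote-cert-tls server: any client cert from the same CA can pose as the server"
    if conf_has "$f" auth-user-pass && ! conf_has "$f" auth-nocache; then
        echo "auth-user-pass without auth-nocache: the password is kept in process memory"
    fi
    conf_has "$f" tls-auth ||
        echo "no tls-auth: required when the server uses one (direction 1 on the client)"
}

# count_findings <audit function> <file>: number of findings, 0 when clean
count_findings() { "$1" "$2" | awk 'END { print NR }'; }

# Constructed samples (not the page's files): weak.conf is the work server
# with its cipher line dropped and compression on, good.conf a corrected
# server, client.conf the client file above.
write_sample_configs() {
    base=$1
    mkdir -p "$base/weak" && : > "$base/weak/ca.key" || return 1   # the mistaken cp of ca.key
    cat > "$base/weak.conf" <<EOF
proto tcp
port 443
ca $base/weak/ca.crt
server 192.168.255.0 255.255.255.0
comp-lzo
user nobody
verb 6
EOF
    cat > "$base/good.conf" <<EOF
proto udp
port 1194
ca $base/good/ca.crt
tls-auth $base/good/ta.key 0
cipher AES-256-CBC
comp-lzo no
user nobody
group nogroup
verb 3
EOF
    cat > "$base/client.conf" <<EOF
client
remote vpn.example.net 1194
tls-auth ta.key 1
cipher AES-256-CBC
auth-user-pass
comp-lzo
EOF
}
```

Usage: source the file, then "audit_server_conf /opt/applis/openvpn/etc/server.conf" or "audit_client_conf client.ovpn"; an empty output means none of the listed points applies. The ca.key check is filesystem-based on purpose, since it is the copy step in the certificate section, not a directive, that puts the CA key on the server.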


Checking the VPN connection

Check your DNS at https://www.dnsleaktest.com/ (extended test): only the DNS servers pushed by the VPN should appear.
Check for the WebRTC leak at https://diafygi.github.io/webrtc-ips/ : only the VPN's public IP should appear.
Check what is visible from outside: https://ipleak.net/