|
|
# installation : OpenVPN
|
|
|
|
|
|
|
|
|
[[_TOC_]]
|
|
|
|
|
|
|
|
|
<https://www.ivpn.net/pptp-vs-l2tp-vs-openvpn>
|
|
|
|
|
|
|
|
|
## serveur
|
|
|
|
|
|
# apt-get install openvpn zip unzip
|
|
|
|
|
|
# openvpn --genkey --secret /etc/openvpn/vpn1.$(dnsdomainname).static.key
|
|
|
# cat <<EOF >/etc/openvpn/vpn1.$(dnsdomainname).conf
|
|
|
### common
|
|
|
dev tun
|
|
|
#port 1194
|
|
|
keepalive 10 120
|
|
|
persist-tun
|
|
|
persist-key
|
|
|
log-append "/var/log/openvpn.vpn1.$(dnsdomainname).log"
|
|
|
verb 4
|
|
|
status "/var/run/openvpn.vpn1.$(dnsdomainname).status"
|
|
|
mute 20
|
|
|
comp-lzo adaptive
|
|
|
|
|
|
### server
|
|
|
server 192.168.$(expr $(ip r s | grep 'default via' | cut -d '.' -f 3) + 8).0 255.255.255.0
|
|
|
## Microsoft and "Routing and Remote Access Service" problems
|
|
|
## <http://www.bentasker.co.uk/documentation/19-security/97-openvpn-on-windows-2003>
|
|
|
## <http://openvpn.net/archive/openvpn-users/2005-01/msg00147.html>
|
|
|
## <https://community.openvpn.net/openvpn/ticket/52>
|
|
|
#route-method exe
|
|
|
#route-delay 2
|
|
|
#server-ipv6 2001:db8::/64
|
|
|
#route-ipv6 2001:db8:1000::/60
|
|
|
## <http://openvpn.net/index.php/open-source/documentation/howto.html#redirect>
|
|
|
## cause all outgoing IP traffic to be redirected over the VPN
|
|
|
## better to have it client-side
|
|
|
#push "redirect-gateway def1"
|
|
|
## <http://openvpn.net/index.php/open-source/documentation/howto.html#scope>
|
|
|
#push "route 192.168.1.0 255.255.255.0"
|
|
|
## <http://openvpn.net/index.php/open-source/documentation/howto.html#dhcp>
|
|
|
## these can be used on GNU/Linux via /etc/openvpn/update-resolv-conf
|
|
|
#push "dhcp-option DNS 192.168.$(ip r s | grep 'default via' | cut -d '.' -f 3).1"
|
|
|
#push "dhcp-option DOMAIN $(dnsdomainname)"
|
|
|
#push "dhcp-option WINS 192.168.$(ip r s | grep 'default via' | cut -d '.' -f 3).1"
|
|
|
ifconfig-pool-persist "/var/run/openvpn.vpn1.$(dnsdomainname).ipp" 600
|
|
|
client-to-client
|
|
|
#max-clients 3
|
|
|
## selectively turn on compression for clients (but the client must enable
|
|
|
## selective compression by having at least one comp-lzo directive)
|
|
|
push "comp-lzo adaptive"
|
|
|
## limit bandwidth of outgoing tunnel data, in bytes per second
|
|
|
#shaper 20000
|
|
|
opt-verify auth, tls-auth
|
|
|
## <http://openvpn.net/index.php/open-source/documentation/howto.html#auth>
|
|
|
#plugin "/usr/lib/openvpn/openvpn-auth-pam.so" "login login USERNAME password PASSWORD"
|
|
|
## <http://backreference.org/2012/09/14/openvpn-ldap-authentication/>
|
|
|
## <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610339>
|
|
|
#plugin "/usr/lib/openvpn/openvpn-auth-ldap.so" "/etc/openvpn/auth-ldap_ldap.inubo.ch.config"
|
|
|
## very insecure; usually set together with the next one
|
|
|
#client-cert-not-required
|
|
|
#username-as-common-name
|
|
|
auth-nocache
|
|
|
|
|
|
### TLS
|
|
|
## <http://openvpn.net/index.php/open-source/documentation/howto.html#pki>
|
|
|
ca "/etc/openvpn/certs/ca.$(dnsdomainname)_OpenVPN.pem"
|
|
|
dh "/etc/openvpn/dh2048.pem"
|
|
|
cert "/etc/openvpn/certs/vpn1.$(dnsdomainname)_vpn1.$(dnsdomainname).crt"
|
|
|
key "/etc/openvpn/certs/vpn1.$(dnsdomainname)_vpn1.$(dnsdomainname).nopass.key"
|
|
|
#askpass "/etc/openvpn/certs/vpn1.$(dnsdomainname)_vpn1.$(dnsdomainname).key.pwd"
|
|
|
## "HMAC firewall", '0' on the server and '1' on the clients
|
|
|
tls-auth "/etc/openvpn/vpn1.$(dnsdomainname).static.key" 0
|
|
|
## check certificate Common Name (tls-remote is deprecated, replaced by verify-x509-name)
|
|
|
#tls-remote "client"
|
|
|
## Netscape-specific, obsolete and replaced by remote-cert-tls
|
|
|
#ns-cert-type client
|
|
|
remote-cert-tls client
|
|
|
#crl-verify "/etc/openvpn/certs/crl.$(dnsdomainname)_OpenVPN.crt"
|
|
|
tls-exit
|
|
|
|
|
|
### scripts
|
|
|
## looking for a better solution, since:
|
|
|
## 1) user nobody is not permitted to \`kill -s HUP \$(pidof dnsmasq)\`
|
|
|
## 2) user dnsmasq can not write to /var/run/
|
|
|
user nobody
|
|
|
group nogroup
|
|
|
## needed for external scripts execution
|
|
|
script-security 2
|
|
|
## the following options require '--mode server'
|
|
|
#client-connect "/etc/openvpn/openvpn-update-dnsmasq.sh"
|
|
|
#client-disconnect "/etc/openvpn/openvpn-update-dnsmasq.sh"
|
|
|
EOF
|
|
|
|
|
|
|
|
|
### génération des clés
|
|
|
|
|
|
# mkdir /etc/openvpn/certs
|
|
|
# cd /root
|
|
|
# cp -a /usr/share/doc/openvpn/examples/easy-rsa/2.0/ openvpn_$(dpkg-query -W openvpn | awk '{print $2}')_easy-rsa_2.0
|
|
|
# cd openvpn_[TAB]
|
|
|
# nano vars
|
|
|
[replace]
|
|
|
export KEY_SIZE=2048
|
|
|
[replace]
|
|
|
export KEY_COUNTRY="CH"
|
|
|
export KEY_PROVINCE="Geneve"
|
|
|
export KEY_CITY="Geneve"
|
|
|
export KEY_ORG="inubo"
|
|
|
export KEY_EMAIL=
|
|
|
export KEY_CN=
|
|
|
export KEY_NAME=
|
|
|
export KEY_OU="OpenVPN"
|
|
|
# source ./vars
|
|
|
# ./clean-all
|
|
|
|
|
|
# ./build-ca
|
|
|
Email Address []:ca@$(dnsdomainname)
|
|
|
# cp keys/ca.crt /etc/openvpn/certs/ca.$(dnsdomainname)_OpenVPN.pem
|
|
|
[# chmod 644 !$]
|
|
|
|
|
|
# ./build-dh
|
|
|
# cp keys/dh2048.pem /etc/openvpn/
|
|
|
|
|
|
# ./build-key-server vpn1.$(dnsdomainname)
|
|
|
Email Address []:it@$(dnsdomainname)
|
|
|
A challenge password []:$PASSWORD
|
|
|
# cp keys/vpn1.$(dnsdomainname).key /etc/openvpn/certs/vpn1.$(dnsdomainname)_vpn1.$(dnsdomainname).nopass.key
|
|
|
[# chmod 600 !$]
|
|
|
# cp keys/vpn1.$(dnsdomainname).crt /etc/openvpn/certs/vpn1.$(dnsdomainname)_vpn1.$(dnsdomainname).crt
|
|
|
[# chmod 640 !$]
|
|
|
|
|
|
|
|
|
### IP forward
|
|
|
|
|
|
# nano /etc/sysctl.conf
|
|
|
[uncomment]
|
|
|
net.ipv4.ip_forward=1
|
|
|
# service procps reload
|
|
|
# nano /etc/rc.local
|
|
|
[add]
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
# Forward OpenVPN traffic
|
|
|
### module:ipt_MASQUERADE needed for MASQUERADE
|
|
|
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.$(expr $(ip r s | grep 'default via' | cut -d '.' -f 3) + 8).0/24 -j MASQUERADE
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
# /etc/rc.local
|
|
|
|
|
|
|
|
|
### de toute façon
|
|
|
|
|
|
# service openvpn restart
|
|
|
# etckeeper commit "openvpn/vpn1.$(dnsdomainname).conf: new file"
|
|
|
|
|
|
|
|
|
## client
|
|
|
|
|
|
# mkdir -p /root/openvpn_clients/
|
|
|
# /home/rescue/bin/openvpn-generate-client-pack.sh $OS vpn1.$(dnsdomainname) $VPN_CLIENT
|
|
|
[ce script appelle
|
|
|
/home/rescue/bin/openvpn-generate-client-conf.sh $OS vpn1.$(dnsdomainname) $VPN_CLIENT >config.ovpn]
|
|
|
[donner les fichiers .zip et .sha1 au client]
|
|
|
|
|
|
[attention : bug dans le cas d'OSX]
|
|
|
Modifier le fichier config.ovpn (contenu dans le dossier / pseudo-fichier mac), chemin: $VPN_CLIENT.tblk/Contents/Resources/
|
|
|
commenter la ligne log-append "$(dnsdomainname).log" ainsi #log-append "$(dnsdomainname).log"
|
|
|
|
|
|
|
|
|
|
|
|
### Windows
|
|
|
|
|
|
tout dans C:\Progra~1\OpenVPN\config
|
|
|
|
|
|
|
|
|
### GNU/Linux
|
|
|
|
|
|
*[si pour tout le monde]*
|
|
|
|
|
|
# cd /etc/openvpn
|
|
|
[fichiers:
|
|
|
644 root:root vpn1.$(dnsdomainname).conf
|
|
|
600 root:root vpn1.$(dnsdomainname).static.key]
|
|
|
[si géré par Network Manager, importer le fichier .conf]
|
|
|
# mkdir -p /etc/openvpn/certs
|
|
|
# cd !$
|
|
|
[fichiers:
|
|
|
644 root:root ca.$(dnsdomainname)_OpenVPN.pem
|
|
|
644 root:root $VPN_CLIENT.$(dnsdomainname)_vpn1.$(dnsdomainname).crt
|
|
|
600 root:root $VPN_CLIENT.$(dnsdomainname)_vpn1.$(dnsdomainname).nopass.key]
|
|
|
|
|
|
*[si par utilisateur]*
|
|
|
|
|
|
$ mkdir ~/.ssl
|
|
|
$ chmod 700 !$
|
|
|
$ mkdir !$/private
|
|
|
$ chmod 700 !$
|
|
|
[fichiers:
|
|
|
600 vpn1.$(dnsdomainname).static.key
|
|
|
600 $VPN_CLIENT.$(dnsdomainname)_vpn1.$(dnsdomainname).nopass.key]
|
|
|
$ chmod 600 ~/.ssl/private/*
|
|
|
$ mkdir ~/.ssl/certs
|
|
|
[fichiers:
|
|
|
644 ca.$(dnsdomainname)_OpenVPN.pem
|
|
|
644 $VPN_CLIENT.$(dnsdomainname)_vpn1.$(dnsdomainname).crt]
|
|
|
|
|
|
## revocation certificat client
|
|
|
|
|
|
# cd /root/openvpn_2.2.1-8+deb7u2_easy-rsa_2.0/
|
|
|
# . ./vars
|
|
|
# ./revoke-full $VPN_CLIENT
[la révocation n'a d'effet sur le serveur que si la directive crl-verify (commentée dans la configuration ci-dessus) est activée et pointe sur le fichier crl.pem régénéré par revoke-full ; sinon le certificat révoqué reste accepté]
|
|
|
|
|
|
## Instructions Tunnelblick pour client macOS
|
|
|
|
|
|
1. Emporter le fichier $VPN_CLIENT.tblk.zip sur une clé USB (il n'est pas recommandé de le transmettre par e-mail).
|
|
|
|
|
|
2. Sur poste fixe ou portable à connecter:
|
|
|
Télécharger la version stable de Tunnelblick sur https://tunnelblick.net/downloads.html
|
|
|
(actuellement la version 3.7.5a : https://tunnelblick.net/release/Tunnelblick_3.7.5a_build_5011.dmg)
|
|
|
puis installer.
|
|
|
|
|
|
3. Double-cliquer sur "$VPN_CLIENT.tblk.zip" pour le décompresser.
|
|
|
|
|
|
4. Double-cliquer sur "$VPN_CLIENT.tblk" --> Ça lance Tunnelblick.
|
|
|
|
|
|
5. Sur invitation de l'installeur, donner le mot de passe admin à Tunnelblick pour confirmer l'installation (pour un seul utilisateur, au cas où il y a d'autres utilisateurs de la machine).
|
|
|
|
|
|
6. A l'apparition d'une fenêtre mentionnant l'extension "down-root", cliquer sur "Toujours utiliser l'extension".
|
|
|
|
|
|
7. Ignorer la fenêtre concernant l'option "comp-lzo" (en cours de résolution chez itopie). Cet avertissement vient du fait que comp-lzo est déprécié depuis OpenVPN 2.4 : la compression du tunnel est déconseillée pour des raisons de sécurité.
|
|
|
|
|
|
8. Fin de l'installation.
|
|
|
|
|
|
On peut utiliser Tunnelblick en déroulant le menu "Tunnelblick" dans la barre de menu ; la config "$VPN_CLIENT" y figurera.
|
|
|
En option on peut aller dans le dossier "Applications" et lancer Tunnelblick depuis là. |