
Thread: Install openvpn in bridge mode

  1. #1
    Join Date
    Nov 2009
    Posts
    583

    Install openvpn in bridge mode

    Hello,
    The OpenVPN VPN service is very safe, super stable, and a lightweight package (quality far surpassing PPTP), relatively simple to implement, although I struggled to understand its simplicity, and full of useful features. If you need to read about them in detail, you can visit their official site. Apart from the obvious cases where you need to securely connect remote sites, it is a good tool to route data to a gateway and Wi-Fi, all with good safety. In addition, the Windows version also works well and is configured in nearly the same way (and yes, sometimes you manage Windows clients too, it must be remembered).

    Phase 1: prerequisites, necessary preinstallation packages
    Beware
    At the end of the install, there are changes to check:
    * Create a user / group openvpn before running the script.
    * Consider changing the listening interface from eth0 to br0 in files such as the routing configuration and the configuration of various servers (Squid, Samba, etc.), AND especially in /etc/default/dhcp
    openvpn sometimes crashes with kernel 2.4; it is best to use 2.6.
    Moreover, although I did not test it for various reasons, it is advisable to use a kernel to which the grsecurity patch is applied.
    The kernel must have the following options active:
    Device Driver
    -> Networking support
    -> Networking Options
    ---> Universal TUN / TAP device driver support
    ---> 802.1d Ethernet Bridging
    Facilities provided on the debian server:
    Code:
    apt-get install openvpn bridge-utils openssl-dev libssl-dev liblzo1 liblzo
    On the Debian client:
    Code:
    apt-get install openvpn liblzo1
    All these packages can of course be built from source and recompiled in the case of a dedicated access server.

    Phase 2: implementation of PKI
    For authentication we will implement a PKI (Public Key Infrastructure) and identify each client one to one to the access server, using the "easy-rsa" scripts provided by the openvpn package. Start by copying the directory /usr/share/doc/openvpn/examples/easy-rsa into a safe corner.
    Code:
    cp -R /usr/share/doc/openvpn/examples/easy-rsa .
    Become root, and secure directory:
    Code:
    # chown -R root:root easy-rsa
    # chmod -R 0700 easy-rsa
    Change to the directory.
    The first step is to change variables common to the generation of different keys. These variables are adjusted in the file vars. Here's an example:
    Code:
    export D=`pwd`
    export KEY_CONFIG=$D/openssl.cnf
    export KEY_DIR=$D/keys
    export KEY_SIZE=1024
    export KEY_COUNTRY=US
    export KEY_PROVINCE=Country
    export KEY_CITY=Anytown
    export KEY_ORG="My Company"
    export KEY_EMAIL="dummy@test.com"
    From now on, whenever you come back to generate a key or do a key operation, remember to "source" this file first to update your environment.
    Here is what you have to do:
    Code:
    # . ./vars
    Next:
    Code:
    # mkdir keys
    # touch keys/index.txt
    # echo 01 > keys/serial
    # chmod -R 0700 keys
    Preparing the keys for the server:
    Code:
    # ./build-dh
    # ./build-ca
    # ./build-key-server server
    and a client:
    Code:
    # ./build-key client
    Notes:
    - Remember to use a unique CN (Common Name) for each participant (VPN server and each client), otherwise your server will not work! Also use a common ON (Organization Name) for the server and clients.
    - Do not use an fqdn to designate your server and clients; openvpn does not like keys with a long file name with an at sign in it. I was not able to find out why, but some fqdn names pass, others do not.
    - Do not transfer your keys over an insecure channel. The ideal is to store the keys directory on a USB key and nothing on the machine, but you can also use the openvpn user with scp for the transfer (because the root user should, if you are reasonable, be disabled for ssh).

    Server configuration
    As I indicated in the title, this tutorial provides a bridge mode configuration ("bridged"), as opposed to routed mode (routed). Bridged or not, openvpn uses a mechanism called Tun/Tap, which is a kind of "virtual cable" between the client and server, which shows up on both sides as an added interface (tunX in routed mode, tapX in bridged).
    The routed mode is easily understandable: once the "cable" is plugged in, the routing tables must be configured on the client and the server, which are then treated as routers. This setup is fairly simple but requires the use of a network "apart" on the input interface of the server and clients, an increase of hop distance between the two LANs connected, and does not transfer any protocols other than those known to an iptables router (no IPX or, yuck, NetBIOS, for example). For info, just install the openvpn server config example, change a few values, and configure some routing.
    Code:
    port 5555
    proto udp
    dev tap0

    ca ca.crt
    cert server.crt
    key server.key
    dh dh1024.pem

    ifconfig-pool-persist ipp.txt

    server-bridge 192.168.0.1 255.255.255.0 192.168.0.151 192.168.0.250

    keepalive 10 120
    comp-lzo

    user openvpn
    group openvpn

    persist-key
    persist-tun
    status openvpn-status.log
    a verb
    Config on the client:
    On the client, a config file is enough:
    * /etc/openvpn/client.conf
    Code:
    client
    dev tap0
    proto udp
    remote adresse.du.serveur 5555
    resolv-retry infinite
    nobind
    user openvpn
    group openvpn
    persist-key
    persist-tun
    ca ca.crt
    cert client.crt
    key client.key
    comp-lzo
    verb 1
    Last edited by SoftWore; 29-04-2010 at 03:54 PM.
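
An added example, not part of the original post: a small Python check that compares the server and client configs shown above for settings that must agree on both ends of the tunnel, and flags a missing privilege drop and small DH parameters. The function names, finding labels and the 2048-bit threshold are this example's own assumptions; the sample inputs are constructed from the directives in the post's configs.

```python
import re

# Constructed inputs: the directives this audit reads, taken from the post's configs.
SERVER_CONF = "\n".join([
    "port 5555", "proto udp", "dev tap0", "dh dh1024.pem", "comp-lzo",
    "user openvpn", "group openvpn", "persist-key", "persist-tun",
    "server-bridge 192.168.0.1 255.255.255.0 192.168.0.151 192.168.0.250"])
CLIENT_CONF = "\n".join([
    "client", "dev tap0", "proto udp", "remote adresse.du.serveur 5555", "nobind",
    "user openvpn", "group openvpn", "persist-key", "persist-tun", "comp-lzo"])

def parse(text):
    """Map directive -> argument list, ignoring blanks and '#'/';' comments."""
    conf = {}
    for raw in text.splitlines():
        words = re.split(r"[#;]", raw, maxsplit=1)[0].split()
        if words:
            conf[words[0]] = words[1:]
    return conf

def first(conf, key, default=""):
    return (conf.get(key) or [default])[0]

def audit(server_text, client_text):
    s, c, out = parse(server_text), parse(client_text), []
    # Transport (udp/tcp) and device type (tap/tun) must agree on both ends.
    for d, default in (("proto", "udp"), ("dev", "")):
        if first(s, d, default)[:3] != first(c, d, default)[:3]:
            out.append(f"mismatch:{d}")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        out.append("mismatch:comp-lzo")
    remote = c.get("remote", [])
    if first(s, "port", "1194") != (remote[1] if len(remote) > 1 else "1194"):
        out.append("mismatch:port")
    # server-bridge carries Ethernet frames, so it needs a tap device.
    if "server-bridge" in s and not first(s, "dev").startswith("tap"):
        out.append("server:bridge-needs-tap")
    for name, conf in (("server", s), ("client", c)):
        if not ("user" in conf and "group" in conf):
            out.append(f"{name}:runs-as-root")
        elif not ("persist-key" in conf and "persist-tun" in conf):
            # Once root is dropped, a restart cannot re-read keys or reopen tap.
            out.append(f"{name}:restart-will-fail")
    # Assumption: easy-rsa names the file dh<KEY_SIZE>.pem; 2048 is this example's floor.
    m = re.fullmatch(r"dh(\d+)\.pem", first(s, "dh"))
    if m and int(m.group(1)) < 2048:
        out.append(f"server:weak-dh-{m.group(1)}")
    return out

print(audit(SERVER_CONF, CLIENT_CONF))
```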

  2. #2
    Join Date
    Apr 2011
    Posts
    56

    Re: Install openvpn in bridge mode

    I have produced a PPTP VPN connection on the way to a Windows 7 PC. The connection is completed in the course of a standard Netgear ADSL router/switch with port forwarding in the direction of the server (192.168.0.2). (I have updated the router to the most up-to-date BIOS.) I am able to authenticate and connect through the server all the time; however, I only observe the shared drive every other time I connect. If I ping 192.168.0.1 (the router), it is only visible every other time I connect as well. What do you think about this?
