OpenVPN » History » Version 11

Laurent GUERBY, 14/07/2012 00:09

{{>toc}}

h1. OpenVPN

h2. Server

<pre>
# cat /etc/default/openvpn
...
AUTOSTART="ttnn-tap ttnn-tap6 ttnn-tap-tcp ttnn-tap-tcp6"
...
# cat /etc/openvpn/ttnn-tap.conf 
dev tap0udp
port 11195
proto udp

ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key  # This file should be kept secret
dh ttnn/dh1024.pem

mode server
tls-server

persist-key
persist-tun

client-config-dir ccd

client-to-client
comp-lzo yes
keepalive 10 60

verb 3
log-append  log/openvpn-tap.log
status status/openvpn-tap.txt

# cat /etc/openvpn/ttnn-tap6.conf 
dev tap6udp
port 11196
proto udp6

ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key  # This file should be kept secret
dh ttnn/dh1024.pem

mode server
tls-server

persist-key
persist-tun

client-config-dir ccd

client-to-client
comp-lzo yes
keepalive 10 60

verb 3
log-append  log/openvpn-tap6.log
status status/openvpn-tap6.txt

# cat /etc/openvpn/ttnn-tap-tcp.conf 
dev tap0tcp
port 443
proto tcp-server

ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key  # This file should be kept secret
dh ttnn/dh1024.pem

mode server
tls-server

persist-key
persist-tun

client-config-dir ccd

client-to-client
comp-lzo yes
keepalive 10 60

verb 3
log-append  log/openvpn-tap-tcp.log
status status/openvpn-tap-tcp.txt

# keys generated with id ip-X-Y-Z-T, files:
# ip-91-224-149-165.crt
# ip-91-224-149-165.csr
# ip-91-224-149-165.key

# cat /etc/openvpn/ccd/ip-91-224-149-165
ifconfig-push 91.224.149.165 255.255.255.0
push "route-gateway 91.224.149.254"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"

# bridge
brctl addbr br0
brctl addif br0 eth0
ip link set br0 up
ip link set br0 address 52:54:10:00:00:11 #force MAC to avoid MAC changes

openvpn --mktun --dev tap0udp
openvpn --mktun --dev tap0tcp
openvpn --mktun --dev tap6udp

brctl addif br0 tap0udp
ip link set tap0udp up

brctl addif br0 tap0tcp
ip link set tap0tcp up

brctl addif br0 tap6udp
ip link set tap6udp up

</pre>
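The ccd entries above follow the convention noted in the config comment: each client certificate is issued with an id of the form ip-X-Y-Z-T and gets a ccd file of the same name carrying its fixed address. The script below is an added example, not part of this wiki page or of the tetaneutral.net setup: it derives the ccd file from such a common name, refuses any name that does not fit the ip-X-Y-Z-T pattern (so a certificate whose name does not encode an address never gets an ifconfig-push entry), and never overwrites an existing ccd entry. The function names and the CCD_DIR, NETMASK, GATEWAY and DNS variables are assumptions; their defaults are the values used in the page's own ccd example.

```shell
#!/bin/sh
# Added example (not from the wiki page or the tetaneutral.net setup): build the
# per-client ccd file from a certificate common name of the form ip-X-Y-Z-T.
# CCD_DIR, NETMASK, GATEWAY and DNS are assumed variable names; the defaults are
# the values the page's ccd example uses.

# Turn "ip-91-224-149-165" into "91.224.149.165"; fail with no output on any other
# shape or on an octet above 255, so a malformed CN never yields a ccd entry.
cn_to_ip() {
    ip=$(printf '%s' "$1" | sed -n 's/^ip-\([0-9]\{1,3\}\)-\([0-9]\{1,3\}\)-\([0-9]\{1,3\}\)-\([0-9]\{1,3\}\)$/\1.\2.\3.\4/p')
    [ -n "$ip" ] || return 1
    for o in $(printf '%s' "$ip" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
    printf '%s\n' "$ip"
}

# Print the ccd directives for one CN: the same four lines as the page's example,
# with the address derived from the name instead of typed by hand.
ccd_for() {
    ip=$(cn_to_ip "$1") || return 1
    printf 'ifconfig-push %s %s\n' "$ip" "${NETMASK:-255.255.255.0}"
    printf 'push "route-gateway %s"\n' "${GATEWAY:-91.224.149.254}"
    printf 'push "redirect-gateway def1"\n'
    printf 'push "dhcp-option DNS %s"\n' "${DNS:-8.8.8.8}"
}

# Write CCD_DIR/<cn>; refuse invalid CNs and never clobber an existing entry.
write_ccd() {
    dir=${CCD_DIR:-/etc/openvpn/ccd}
    cn=$1
    if ! body=$(ccd_for "$cn"); then
        echo "refusing CN that is not ip-X-Y-Z-T: $cn" >&2
        return 1
    fi
    if [ -e "$dir/$cn" ]; then
        echo "not overwriting existing $dir/$cn" >&2
        return 1
    fi
    printf '%s\n' "$body" > "$dir/$cn"
}
```

Typical use is `CCD_DIR=/etc/openvpn/ccd write_ccd ip-91-224-149-165` right after signing the client certificate; because the address is taken from the certificate name that OpenVPN matches against the ccd directory, a client can only ever be pushed the address its certificate was issued for.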

To ignore the server's IP and route pushes on the OpenVPN client side, just put "tls-client" in place of "client": the --client option is a shortcut for --tls-client --pull, and --pull is what accepts the server's directives.
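As an added example (not from this page): a small shell check that classifies a client config by whether it will apply the server's pushed options (ifconfig-push, route-gateway, redirect-gateway, dhcp-option), using exactly the rule stated above: client expands to tls-client plus pull, and only pull applies pushes. It also recognises route-nopull, a real OpenVPN option not mentioned on the page, which keeps pull but drops pushed routes and dhcp-options. The function names and the constructed sample configs are mine.

```shell
#!/bin/sh
# Added example, not from the wiki: decide whether an OpenVPN client config will
# apply what the server pushes. Rule (from the page): "client" = "tls-client" +
# "pull"; only "pull" applies pushes. "route-nopull" (real option, not on the
# page) keeps pull but ignores pushed routes and dhcp-options.

# Effective directives of a config: comments (# or ;) and blank lines stripped,
# first word of each remaining line.
directives() {
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' "$1" | awk 'NF { print $1 }'
}

has_directive() { directives "$1" | grep -qx -- "$2"; }

# Echo one of: pull | pull-no-routes | no-pull
push_mode() {
    conf=$1
    if has_directive "$conf" client || has_directive "$conf" pull; then
        if has_directive "$conf" route-nopull; then
            echo pull-no-routes
        else
            echo pull
        fi
    else
        # tls-client alone (or no TLS client mode at all): nothing pushed is applied
        echo no-pull
    fi
}

# Constructed sample configs (not real deployments) in a temp dir; prints the dir.
make_samples() {
    d=$(mktemp -d)
    # the shape of the page's client config: "client" => accepts pushes
    printf 'client\ndev tap\nproto tcp\nremote openvpn.tetaneutral.net 443\n' > "$d/pull.conf"
    # tls-client without pull: the trick from the page; the commented "client" must not count
    printf 'tls-client\ndev tap\nproto tcp\nremote openvpn.tetaneutral.net 443\n# client\n' > "$d/nopull.conf"
    # client with route-nopull: still pulls, but routes/dhcp-options are dropped
    printf 'client\nroute-nopull\ndev tap\n' > "$d/nopull-routes.conf"
    echo "$d"
}
```

Run `push_mode /etc/openvpn/ttnn.conf` on the client config shown in the next section and it reports `pull`; swap `client` for `tls-client` as the paragraph above describes and it reports `no-pull`. The comment stripping matters: a commented-out `#client` line is ignored by OpenVPN and must be ignored by the check too.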

h2. Client


<pre>
# cat /etc/openvpn/ttnn.conf
client
dev tap

### from outside with UDP available
#proto udp
#remote openvpn.tetaneutral.net 11195

### from outside with no UDP
proto tcp
remote openvpn.tetaneutral.net 443
# 91.224.149.211 443

# from outside using IPv6 over UDP
#proto udp6
#remote openvpn6.tetaneutral.net 11196

ca ttnn/ca.crt
cert ttnn/ip-91-224-149-165.crt
key ttnn/ip-91-224-149-165.key

persist-key
persist-tun

script-security 2

comp-lzo yes
keepalive 10 60

verb 3
log-append log/openvpn.log
</pre>

h2. Point-to-point

<pre>
openvpn --genkey --secret tst.key

#server
# the tunnel below must use the taptst device created here
openvpn --mktun --dev-type tap --dev taptst
ip link set taptst up
# --cipher none disables encryption; the static key then only provides HMAC authentication
openvpn --dev-type tap --dev taptst --comp-lzo yes --cipher none --proto udp --daemon --keepalive 10 30 --secret tst.key --port 1234

#client
openvpn --mktun --dev-type tap --dev taptst
ip link set taptst up
openvpn --dev-type tap --dev taptst --comp-lzo yes --cipher none --proto udp --daemon --keepalive 10 30 --secret tst.key --remote A.B.C.D 1234
</pre>

h2. Point-to-point with routing of an IP block.

[[Partage ADSL OpenVPN]]

h2. Proxmox

http://www.nedproductions.biz/wiki/configuring-a-proxmox-ve-2.x-cluster-running-over-an-openvpn-intranet
http://blog.developpeur-neurasthenique.fr/auto-hebergement-configurer-un-cluster-proxmox-2-sans-multicast.html

h2. Links

https://community.openvpn.net/openvpn/changeset/150fb45047c5482858b32a669de4097e66dec1c7
"Allow 'lport 0' setup for random port binding"