OpenVPN » History » Version 14

Laurent GUERBY, 15/01/2013 20:57

{{>toc}}

h1. OpenVPN

h2. Port sharing

Apache and nginx:

http://www.davidwesterfield.net/2012/08/openvpn-sharing-a-tcp-port-with-ssl-on-nginx-and-apache-yeah-its-possible/

port-share only works with "proto tcp-server". OpenVPN looks at the first bytes of each new TCP connection: an OpenVPN client handshake is handled locally, anything else (typically a browser's TLS ClientHello) is proxied to the given host and port, so one public TCP/443 serves both the VPN and the HTTPS site. In the server configuration of the TCP instance (port 443 below):

<pre>
port-share 127.0.0.1 4443
</pre>

The web server's HTTPS listener should then bind 127.0.0.1:4443 only, not 0.0.0.0:4443, otherwise the "shared" site stays reachable directly on the second port. The web server sees the proxied connections as coming from 127.0.0.1; OpenVPN accepts an optional third argument to port-share (a directory) in which it writes a file per proxied connection with the original client address, if the real source address is needed for logs.

IPv6 transport ("proto udp6", used by the server below) and the changes in OpenVPN 2.3:

http://www.greenie.net/ipv6/openvpn.html

https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23

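The decision port-share makes, as an added example in Python (this is not code from the page or from the OpenVPN project, only a model of the heuristic OpenVPN applies to the first bytes of a TCP connection). Over TCP every OpenVPN packet is prefixed with a 2-byte big-endian length; the first packet of a TLS-mode client is a P_CONTROL_HARD_RESET_CLIENT_V2 (opcode 7 in the top five bits, key id 0, so byte 0x38) of at least 14 bytes, whereas a TLS ClientHello begins with record type 0x16. The sample prefixes (an OpenVPN hard reset, a TLS record header, a plain HTTP request line) are constructed here, not captured.

```python
import struct

# OpenVPN protocol constants (opcode in the top 5 bits of the byte after the
# TCP length prefix, key_id in the low 3 bits).
P_OPCODE_SHIFT = 3
P_CONTROL_HARD_RESET_CLIENT_V2 = 7    # first packet of a TLS-mode client
P_CONTROL_HARD_RESET_CLIENT_V3 = 10   # same with tls-crypt-v2 (OpenVPN 2.5+)
MIN_HARD_RESET_LEN = 14               # opcode + 8-byte session id + ack count + packet id

# Where non-OpenVPN connections go, from "port-share 127.0.0.1 4443".
PORT_SHARE_TARGET = ("127.0.0.1", 4443)


def is_openvpn_protocol(prefix: bytes) -> bool:
    """Classify the first bytes of a TCP connection.

    An OpenVPN TCP stream starts with a 2-byte big-endian packet length
    (high byte 0, low byte >= 14 for a client hard reset) followed by the
    opcode byte of a P_CONTROL_HARD_RESET_CLIENT with key_id 0. With fewer
    than 2 bytes there is nothing to decide on yet, so the connection is
    treated as OpenVPN until more data arrives.
    """
    if len(prefix) < 2:
        return True
    if prefix[0] != 0 or prefix[1] < MIN_HARD_RESET_LEN:
        return False
    if len(prefix) < 3:
        return True
    return prefix[2] in (
        P_CONTROL_HARD_RESET_CLIENT_V2 << P_OPCODE_SHIFT,
        P_CONTROL_HARD_RESET_CLIENT_V3 << P_OPCODE_SHIFT,
    )


def route_connection(prefix: bytes):
    """Return "openvpn" to handle the connection locally, or the
    (host, port) the bytes are proxied to, as port-share would."""
    return "openvpn" if is_openvpn_protocol(prefix) else PORT_SHARE_TARGET


def openvpn_hard_reset(session_id: bytes, tls_auth: bool = False) -> bytes:
    """Build the first packet a TLS-mode client sends over TCP: length
    prefix, opcode/key_id byte, session id, (tls-auth fields,) ack array
    length and packet id. Constructed sample data, not a capture."""
    if len(session_id) != 8:
        raise ValueError("session id is 8 bytes")
    body = bytes([P_CONTROL_HARD_RESET_CLIENT_V2 << P_OPCODE_SHIFT]) + session_id
    if tls_auth:
        # HMAC (SHA1 by default), replay packet id and timestamp; only the
        # resulting size matters to the heuristic.
        body += b"\x00" * (20 + 4 + 4)
    body += b"\x00"                 # ack array length
    body += struct.pack(">I", 0)    # packet id
    return struct.pack(">H", len(body)) + body


# Constructed sample connection prefixes.
OPENVPN_PREFIX = openvpn_hard_reset(b"\x11\x22\x33\x44\x55\x66\x77\x88")
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("160301")   # TLS record: handshake, v1.0
HTTP_PREFIX = b"GET / HTTP/1.1\r\n"                 # plain HTTP on the HTTPS port


if __name__ == "__main__":
    for name, p in (("openvpn", OPENVPN_PREFIX),
                    ("tls", TLS_CLIENT_HELLO_PREFIX),
                    ("http", HTTP_PREFIX)):
        print(f"{name:8s} {p[:3].hex()} -> {route_connection(p)}")
```

Because the decision rests on the first two or three bytes only, anything that is not an OpenVPN handshake, including plain HTTP or a port scanner's probe, lands on the web server; that is why the local listener on 4443 must be as hardened as one exposed directly.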
h2. Server
16 1 Laurent GUERBY
17 9 Laurent GUERBY
<pre>
18 9 Laurent GUERBY
# cat /etc/default/openvpn
19 9 Laurent GUERBY
...
20 9 Laurent GUERBY
AUTOSTART="ttnn-tap ttnn-tap6 ttnn-tap-tcp ttnn-tap-tcp6"
21 9 Laurent GUERBY
...
22 9 Laurent GUERBY
# cat /etc/openvpn/ttnn-tap.conf 
23 9 Laurent GUERBY
dev tap0udp
24 9 Laurent GUERBY
port 11195
25 9 Laurent GUERBY
proto udp
26 9 Laurent GUERBY
27 9 Laurent GUERBY
ca ttnn/ca.crt
28 9 Laurent GUERBY
cert ttnn/h1.crt
29 9 Laurent GUERBY
key ttnn/h1.key  # This file should be kept secret
30 9 Laurent GUERBY
dh ttnn/dh1024.pem
31 9 Laurent GUERBY
32 9 Laurent GUERBY
mode server
33 9 Laurent GUERBY
tls-server
34 9 Laurent GUERBY
35 9 Laurent GUERBY
persist-key
36 9 Laurent GUERBY
persist-tun
37 9 Laurent GUERBY
38 9 Laurent GUERBY
client-config-dir ccd
39 9 Laurent GUERBY
40 9 Laurent GUERBY
client-to-client
41 9 Laurent GUERBY
comp-lzo yes
42 9 Laurent GUERBY
keepalive 10 60
43 9 Laurent GUERBY
44 9 Laurent GUERBY
verb 3
45 9 Laurent GUERBY
log-append  log/openvpn-tap.log
46 9 Laurent GUERBY
status status/openvpn-tap.txt
47 9 Laurent GUERBY
48 9 Laurent GUERBY
# cat /etc/openvpn/ttnn-tap6.conf 
49 9 Laurent GUERBY
dev tap6udp
50 9 Laurent GUERBY
port 11196
51 9 Laurent GUERBY
proto udp6
52 9 Laurent GUERBY
53 9 Laurent GUERBY
ca ttnn/ca.crt
54 9 Laurent GUERBY
cert ttnn/h1.crt
55 9 Laurent GUERBY
key ttnn/h1.key  # This file should be kept secret
56 9 Laurent GUERBY
dh ttnn/dh1024.pem
57 9 Laurent GUERBY
58 9 Laurent GUERBY
mode server
59 9 Laurent GUERBY
tls-server
60 9 Laurent GUERBY
61 9 Laurent GUERBY
persist-key
62 9 Laurent GUERBY
persist-tun
63 9 Laurent GUERBY
64 9 Laurent GUERBY
client-config-dir ccd
65 9 Laurent GUERBY
66 9 Laurent GUERBY
client-to-client
67 9 Laurent GUERBY
comp-lzo yes
68 9 Laurent GUERBY
keepalive 10 60
69 9 Laurent GUERBY
70 9 Laurent GUERBY
verb 3
71 9 Laurent GUERBY
log-append  log/openvpn-tap6.log
72 9 Laurent GUERBY
status status/openvpn-tap6.txt
73 9 Laurent GUERBY
74 9 Laurent GUERBY
# cat /etc/openvpn/ttnn-tap-tcp.conf 
75 9 Laurent GUERBY
dev tap0tcp
76 9 Laurent GUERBY
port 443
77 9 Laurent GUERBY
proto tcp-server
78 9 Laurent GUERBY
79 9 Laurent GUERBY
ca ttnn/ca.crt
80 9 Laurent GUERBY
cert ttnn/h1.crt
81 9 Laurent GUERBY
key ttnn/h1.key  # This file should be kept secret
82 9 Laurent GUERBY
dh ttnn/dh1024.pem
83 9 Laurent GUERBY
84 9 Laurent GUERBY
mode server
85 9 Laurent GUERBY
tls-server
86 9 Laurent GUERBY
87 9 Laurent GUERBY
persist-key
88 9 Laurent GUERBY
persist-tun
89 9 Laurent GUERBY
90 9 Laurent GUERBY
client-config-dir ccd
91 9 Laurent GUERBY
92 9 Laurent GUERBY
client-to-client
93 9 Laurent GUERBY
comp-lzo yes
94 9 Laurent GUERBY
keepalive 10 60
95 9 Laurent GUERBY
96 9 Laurent GUERBY
verb 3
97 9 Laurent GUERBY
log-append  log/openvpn-tap-tcp.log
98 9 Laurent GUERBY
status status/openvpn-tap-tcp.txt
99 9 Laurent GUERBY
100 9 Laurent GUERBY
# keys generated with id ip-X-Y-Z-T, files:
101 9 Laurent GUERBY
# ip-91-224-149-165.crt
102 9 Laurent GUERBY
# ip-91-224-149-165.csr
103 9 Laurent GUERBY
# ip-91-224-149-165.key
104 9 Laurent GUERBY
105 9 Laurent GUERBY
# cat /etc/openvpn/ccd/ip-91-224-149-165
106 9 Laurent GUERBY
ifconfig-push 91.224.149.165 255.255.255.0
107 9 Laurent GUERBY
push "route-gateway 91.224.149.254"
108 9 Laurent GUERBY
push "redirect-gateway def1"
109 9 Laurent GUERBY
push "dhcp-option DNS 8.8.8.8"
110 9 Laurent GUERBY
111 9 Laurent GUERBY
# bridge
112 9 Laurent GUERBY
brctl addbr br0
113 9 Laurent GUERBY
brctl addif br0 eth0
114 9 Laurent GUERBY
ip link set br0 up
115 9 Laurent GUERBY
ip link set br0 address 52:54:10:00:00:11 #force MAC to avoid MAC changes
116 9 Laurent GUERBY
117 1 Laurent GUERBY
openvpn --mktun --dev tap0udp
118 1 Laurent GUERBY
openvpn --mktun --dev tap0tcp
119 1 Laurent GUERBY
openvpn --mktun --dev tap6udp
120 1 Laurent GUERBY
121 1 Laurent GUERBY
brctl addif br0 tap0udp
122 1 Laurent GUERBY
ip link set tap0udp up
123 1 Laurent GUERBY
124 1 Laurent GUERBY
brctl addif br0 tap0tcp
125 1 Laurent GUERBY
ip link set tap0tcp up
126 1 Laurent GUERBY
127 1 Laurent GUERBY
brctl addif br0 tap6udp
128 1 Laurent GUERBY
ip link set tap6udp up
129 1 Laurent GUERBY
130 1 Laurent GUERBY
</pre>
131 1 Laurent GUERBY
132 1 Laurent GUERBY
Pour ignorer les push IP et route du serveur coté client openvpn il suffit de mettre "tls-client" a la place de "client" l'option --client est un raccourci pour --tls-client  --pull et --pull est ce qui accepte les directives serveur.
133 10 Laurent GUERBY
134 10 Laurent GUERBY
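The ccd file above is what binds a client certificate to its fixed address: OpenVPN reads the file whose name equals the client certificate's CN, and the page's convention derives both the file name and the address from the CN "ip-X-Y-Z-T". As an added example (not code from the page or from OpenVPN), a Python helper that generates such a file from a CN, refuses addresses that would be dangerous to hand out (the gateway, network or broadcast address, or anything outside the block), and audits an existing ccd file against its name. The subnet 91.224.149.0/24 is inferred from the netmask in the ifconfig-push line and is an assumption; the gateway and DNS values are those of the page.

```python
import ipaddress
import re

# Values from the server configuration above; the subnet is inferred from
# "ifconfig-push 91.224.149.165 255.255.255.0" and is an assumption.
BRIDGE_NET = ipaddress.ip_network("91.224.149.0/24")
ROUTE_GATEWAY = ipaddress.ip_address("91.224.149.254")
DNS_SERVER = "8.8.8.8"

# Naming convention used on the page: certificate CN "ip-X-Y-Z-T" <-> X.Y.Z.T.
CN_RE = re.compile(r"^ip-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})$")
IFCONFIG_PUSH_RE = re.compile(r"^ifconfig-push\s+(\S+)\s+(\S+)\s*$")


def address_from_cn(cn: str) -> ipaddress.IPv4Address:
    """Derive the fixed VPN address from a CN of the form ip-X-Y-Z-T and
    refuse anything that is not a usable host address in the bridged subnet
    (network, broadcast, the gateway, or an address outside the block)."""
    m = CN_RE.match(cn)
    if not m:
        raise ValueError(f"CN {cn!r} does not match ip-X-Y-Z-T")
    addr = ipaddress.ip_address(".".join(m.groups()))   # raises on octets > 255
    if addr not in BRIDGE_NET:
        raise ValueError(f"{addr} is outside {BRIDGE_NET}")
    if addr in (BRIDGE_NET.network_address, BRIDGE_NET.broadcast_address, ROUTE_GATEWAY):
        raise ValueError(f"{addr} is reserved (network, broadcast or gateway)")
    return addr


def cn_is_acceptable(cn: str) -> bool:
    try:
        address_from_cn(cn)
        return True
    except ValueError:
        return False


def render_ccd(cn: str, redirect_gateway: bool = True) -> str:
    """Render the per-client file read from client-config-dir. OpenVPN loads
    the file whose name equals the client certificate's CN, so the address
    is bound to the certificate rather than to whoever connects."""
    addr = address_from_cn(cn)
    lines = [
        f"ifconfig-push {addr} {BRIDGE_NET.netmask}",   # tap mode: address + netmask
        f'push "route-gateway {ROUTE_GATEWAY}"',
    ]
    if redirect_gateway:
        lines.append('push "redirect-gateway def1"')
    lines.append(f'push "dhcp-option DNS {DNS_SERVER}"')
    return "\n".join(lines) + "\n"


def check_ccd(cn: str, content: str) -> list:
    """Audit an existing ccd file against its name: returns a list of
    problems (empty if consistent). Catches a file that hands a client an
    address other than the one its certificate name promises, or that
    pushes no address at all."""
    try:
        expected = address_from_cn(cn)
    except ValueError as e:
        return [str(e)]
    problems = []
    pushed = [IFCONFIG_PUSH_RE.match(l.strip()) for l in content.splitlines()]
    pushed = [m for m in pushed if m]
    if not pushed:
        problems.append("no ifconfig-push line")
    for m in pushed:
        if m.group(1) != str(expected):
            problems.append(f"ifconfig-push {m.group(1)} does not match CN {cn}")
        if m.group(2) != str(BRIDGE_NET.netmask):
            problems.append(f"netmask {m.group(2)} differs from {BRIDGE_NET.netmask}")
    return problems


if __name__ == "__main__":
    print(render_ccd("ip-91-224-149-165"), end="")
    print(check_ccd("ip-91-224-149-165", render_ccd("ip-91-224-149-166")))
```

Running check_ccd over every file in /etc/openvpn/ccd is a cheap way to verify, after a batch of certificates has been issued, that no two CNs were given the same address and that no file still pushes an address its name does not announce.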
h2. Client

One configuration file covering the three transports; uncomment the proto/remote pair matching how the client reaches the server.

<pre>
# cat /etc/openvpn/ttnn.conf
client
dev tap

### from outside with UDP available
#proto udp
#remote openvpn.tetaneutral.net 11195

### from outside with no UDP
proto tcp
remote openvpn.tetaneutral.net 443
# 91.224.149.211 443

# from outside using IPv6 over UDP
#proto udp6
#remote openvpn6.tetaneutral.net 11196

ca ttnn/ca.crt
cert ttnn/ip-91-224-149-165.crt
key ttnn/ip-91-224-149-165.key

persist-key
persist-tun

script-security 2

comp-lzo yes
keepalive 10 60

verb 3
log-append log/openvpn.log
</pre>

Two things to check on the client side: adding "remote-cert-tls server" makes the client require that the peer certificate was issued as a server certificate (extendedKeyUsage serverAuth), without which any holder of a client certificate signed by ttnn/ca.crt could pose as the server to a client it manages to redirect to itself; and "script-security 2" only matters if an up/down script (for example one applying the pushed DNS option) is configured, so it can be dropped otherwise.

h2. Point to point

A static-key (pre-shared secret) tunnel between two hosts, without TLS or certificates. The same persistent device name is used for mktun and for the openvpn command on each side.

<pre>
openvpn --genkey --secret tst.key
# copy tst.key to the peer over a secure channel (scp), mode 600 on both sides

#server
openvpn --mktun --dev-type tap --dev taptst
ip link set taptst up
openvpn --dev-type tap --dev taptst --comp-lzo yes --cipher none --proto udp --daemon --keepalive 10 30 --secret tst.key --port 1234

#client
openvpn --mktun --dev-type tap --dev taptst
ip link set taptst up
openvpn --dev-type tap --dev taptst --comp-lzo yes --cipher none --proto udp --daemon --keepalive 10 30 --secret tst.key --remote A.B.C.D 1234
</pre>

"--cipher none" disables encryption: with a static key the packets are still authenticated (HMAC keyed from tst.key), but their contents cross the network in clear, so this is only acceptable for a test link. For anything else, drop "--cipher none" and set the same cipher explicitly on both sides (for example --cipher AES-256-CBC). No --ifconfig is given either, so addresses on taptst are configured by hand on each side.

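What "openvpn --genkey --secret tst.key" produces, and how to check a copy of it before installing it on the peer, as an added example in Python (not code from the page or from OpenVPN): the file holds a 2048-bit (256-byte) random key written as 16 lines of 32 hex characters between "BEGIN/END OpenVPN Static key V1" markers, preceded by comment lines. Whoever holds the file can join the tunnel, and with "--cipher none" read and inject its traffic, so the example also creates the file mode 0600 from the start and reports if a copy is readable by others. The temporary-directory round trip is part of the example, not something OpenVPN does.

```python
import os
import secrets
import tempfile
from pathlib import Path

KEY_BYTES = 256           # 2048-bit key, the size "openvpn --genkey --secret" writes
BYTES_PER_LINE = 16       # 32 hex characters per line in the file
BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"


def format_static_key(key: bytes) -> str:
    """Render raw key bytes in the static key file format: comment header,
    BEGIN marker, 16 lines of 32 hex characters, END marker."""
    if len(key) != KEY_BYTES:
        raise ValueError(f"static key must be {KEY_BYTES} bytes, got {len(key)}")
    lines = ["#", f"# {KEY_BYTES * 8} bit OpenVPN static key", "#", BEGIN]
    for i in range(0, KEY_BYTES, BYTES_PER_LINE):
        lines.append(key[i:i + BYTES_PER_LINE].hex())
    lines.append(END)
    return "\n".join(lines) + "\n"


def generate_static_key() -> str:
    """Equivalent of openvpn --genkey --secret: 256 random bytes from the
    OS CSPRNG, rendered as a key file."""
    return format_static_key(secrets.token_bytes(KEY_BYTES))


def parse_static_key(text: str) -> bytes:
    """Parse and validate a static key file before installing it on a peer.
    Comment lines before the BEGIN marker are ignored, as OpenVPN does;
    missing markers, non-hex data, a wrong length or an all-zero key are
    rejected."""
    lines = [l.strip() for l in text.splitlines()]
    if BEGIN not in lines or END not in lines:
        raise ValueError("missing BEGIN/END markers")
    start, end = lines.index(BEGIN), lines.index(END)
    if end <= start:
        raise ValueError("END marker before BEGIN marker")
    for l in lines[:start]:
        if l and not l.startswith("#"):
            raise ValueError(f"unexpected text before key: {l!r}")
    try:
        key = bytes.fromhex("".join(lines[start + 1:end]))
    except ValueError:
        raise ValueError("key body is not hexadecimal") from None
    if len(key) != KEY_BYTES:
        raise ValueError(f"key is {len(key)} bytes, expected {KEY_BYTES}")
    if key == bytes(KEY_BYTES):
        raise ValueError("key is all zeros")
    return key


def static_key_is_valid(text: str) -> bool:
    try:
        parse_static_key(text)
        return True
    except ValueError:
        return False


def write_static_key(path: Path, text: str) -> None:
    """Create the key file mode 0600 from the first instant (no window in
    which it is group/world readable) and refuse to overwrite an existing
    key, so a re-run cannot silently replace a key already deployed."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)


def key_file_is_private(path: Path) -> bool:
    """True if no group or other permission bits are set on the key file."""
    return (path.stat().st_mode & 0o077) == 0


def roundtrip_in_tempdir() -> bool:
    """Generate, write, re-read and re-parse a key in a temporary directory;
    returns True if the file is private and the parsed key matches."""
    text = generate_static_key()
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "tst.key"
        write_static_key(path, text)
        reread = path.read_text()
        return key_file_is_private(path) and parse_static_key(reread) == parse_static_key(text)


if __name__ == "__main__":
    print(generate_static_key(), end="")
    print("roundtrip ok:", roundtrip_in_tempdir())
```

Running parse_static_key on the copy received by the peer (and key_file_is_private on its path) catches the usual transfer accidents, a truncated paste or a file left world-readable, before the tunnel is started with it.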
h2. Point to point with routing of an IP block

[[Partage ADSL OpenVPN]]

h2. Proxmox

http://www.nedproductions.biz/wiki/configuring-a-proxmox-ve-2.x-cluster-running-over-an-openvpn-intranet

http://blog.developpeur-neurasthenique.fr/auto-hebergement-configurer-un-cluster-proxmox-2-sans-multicast.html

h2. Links

https://community.openvpn.net/openvpn/changeset/150fb45047c5482858b32a669de4097e66dec1c7

"Allow 'lport 0' setup for random port binding"

https://vador.fdn.fr/wiki/travaux:vpn_misc:doc#configurer_sa_machine_pour_utiliser_l_offre_vpn_de_fdn