Version 37 (Laurent GUERBY, 06/03/2016 16:34) → Version 38/48 (Laurent GUERBY, 06/03/2016 16:59)

{{>toc}}

h1. OpenVPN

h2. Port sharing

Sharing the TCP port with Apache and nginx:
http://www.davidwesterfield.net/2012/08/openvpn-sharing-a-tcp-port-with-ssl-on-nginx-and-apache-yeah-its-possible/

<pre>
port-share 127.0.0.1 4443
</pre>

http://www.greenie.net/ipv6/openvpn.html
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23

https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux

h2. Certificates

Via mherrb: OpenBSD's 'ssl(8)' man page explains clearly how to make a self-signed certificate that will work with OpenVPN:
http://www.openbsd.org/cgi-bin/man.cgi?query=ssl&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

h2. Server

<pre>
# cat /etc/default/openvpn
...
AUTOSTART="ttnn-tap ttnn-tap6 ttnn-tap-tcp ttnn-tap-tcp6"
...
# cat /etc/openvpn/ttnn-tap.conf
dev tap0udp
port 11195
proto udp

ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key # This file should be kept secret
dh ttnn/dh1024.pem

mode server
tls-server

persist-key
persist-tun

client-config-dir ccd

client-to-client
comp-lzo yes
keepalive 10 60

verb 3
log-append log/openvpn-tap.log
status status/openvpn-tap.txt

# cat /etc/openvpn/ttnn-tap6.conf
dev tap6udp
port 11196
proto udp6

ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key # This file should be kept secret
dh ttnn/dh1024.pem

mode server
tls-server

persist-key
persist-tun

client-config-dir ccd

client-to-client
comp-lzo yes
keepalive 10 60

verb 3
log-append log/openvpn-tap6.log
status status/openvpn-tap6.txt

# cat /etc/openvpn/ttnn-tap-tcp.conf
dev tap0tcp
port 443
proto tcp-server

ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key # This file should be kept secret
dh ttnn/dh1024.pem

mode server
tls-server

persist-key
persist-tun

client-config-dir ccd

client-to-client
comp-lzo yes
keepalive 10 60

verb 3
log-append log/openvpn-tap-tcp.log
status status/openvpn-tap-tcp.txt

# keys generated with id ip-X-Y-Z-T, files:
# ip-91-224-149-165.crt
# ip-91-224-149-165.csr
# ip-91-224-149-165.key

# cat /etc/openvpn/ccd/ip-91-224-149-165
ifconfig-push 91.224.149.165 255.255.255.0
push "route-gateway 91.224.149.254"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"

# bridge
brctl addbr br0
brctl addif br0 eth0
ip link set br0 up
ip link set br0 address 52:54:10:00:00:11 #force MAC to avoid MAC changes

openvpn --mktun --dev tap0udp
openvpn --mktun --dev tap0tcp
openvpn --mktun --dev tap6udp

brctl addif br0 tap0udp
ip link set tap0udp up

brctl addif br0 tap0tcp
ip link set tap0tcp up

brctl addif br0 tap6udp
ip link set tap6udp up

</pre>
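The ccd file above is keyed on the client certificate name: the CN `ip-X-Y-Z-T` both names the ccd file and encodes the address pushed to that client. As an added example that is not the page's own code, this Python helper derives the ccd entry from such a CN and rejects names whose address is not a usable host in the bridge subnet (the gateway 91.224.149.254/24 and DNS 8.8.8.8 are the page's values and are parameters here).

```python
import ipaddress
import re

# Naming convention used on this page: the client certificate CN is
# "ip-X-Y-Z-T" and the ccd file of the same name pushes X.Y.Z.T to it.
CN_RE = re.compile(r"^ip-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})$")

def address_from_cn(cn: str) -> ipaddress.IPv4Address:
    """Turn 'ip-91-224-149-165' into IPv4Address('91.224.149.165')."""
    m = CN_RE.match(cn)
    if not m:
        raise ValueError(f"certificate name {cn!r} does not follow ip-X-Y-Z-T")
    return ipaddress.IPv4Address(".".join(m.groups()))  # raises on octets > 255

def ccd_entry(cn: str, gateway: str = "91.224.149.254", prefix: int = 24,
              dns: str = "8.8.8.8") -> str:
    """Render the ccd file for one client, in the form shown on the page.

    The pushed address must be a host address of the gateway's subnet and
    must not be the gateway, network or broadcast address: a certificate
    whose CN names an address outside the bridge subnet would otherwise be
    handed a configuration that silently misroutes its traffic.
    """
    addr = address_from_cn(cn)
    net = ipaddress.IPv4Network(f"{gateway}/{prefix}", strict=False)
    gw = ipaddress.IPv4Address(gateway)
    if addr not in net or addr in (net.network_address, net.broadcast_address, gw):
        raise ValueError(f"{addr} is not a usable host address in {net}")
    lines = [
        f"ifconfig-push {addr} {net.netmask}",
        f'push "route-gateway {gw}"',
        'push "redirect-gateway def1"',
        f'push "dhcp-option DNS {dns}"',
    ]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Reproduces /etc/openvpn/ccd/ip-91-224-149-165 from the page.
    print(ccd_entry("ip-91-224-149-165"), end="")
```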

To make the OpenVPN client ignore the IP and route pushes from the server, just put "tls-client" in place of "client": the --client option is shorthand for --tls-client --pull, and --pull is what accepts the server's directives.

h2. Client

<pre>
# cat /etc/openvpn/ttnn.conf
client
dev tap

### from outside with UDP available
#proto udp
#remote openvpn.tetaneutral.net 11195

### from outside with no UDP
proto tcp
remote openvpn.tetaneutral.net 443
# 91.224.149.211 443

# from outside using IPv6 over UDP
#proto udp6
#remote openvpn6.tetaneutral.net 11196

ca ttnn/ca.crt
cert ttnn/ip-91-224-149-165.crt
key ttnn/ip-91-224-149-165.key

persist-key
persist-tun

script-security 2

comp-lzo yes
keepalive 10 60

verb 3
log-append log/openvpn.log
</pre>

h2. Point-to-point

tun version:

<pre>
# On the server with public IPv4 A.B.C.D (#server)
openvpn --mktun --dev-type tun --dev tuntst
ip link set tuntst up
openvpn --dev-type tun --dev tuntst --proto udp --daemon --keepalive 10 120 --secret tst.key --port 1234

# On the client (#client)
openvpn --mktun --dev-type tun --dev tuntst
ip link set tuntst up
openvpn --dev-type tun --dev tuntst --proto udp --daemon --keepalive 10 120 --secret tst.key --remote A.B.C.D 1234
</pre>

For IPv6 routing and IPv4 NAT on the server:

<pre>
# IPv6: route the client's address over the tunnel
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
ip -6 route add 2a03:7220:808X:YZ01::1/128 dev tuntst

# IPv4: route the client's address over the tunnel and NAT it out of eth0
echo 1 > /proc/sys/net/ipv4/ip_forward
ip route add 10.10.10.10/32 dev tuntst
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
</pre>

Then on the client:

<pre>
ip -6 addr add 2a03:7220:808X:YZ01::1/128 dev tuntst
ip -6 route add default dev tuntst

ip addr add 10.10.10.10/32 dev tuntst
# TODO default route
</pre>

tap version (obsolete):

<pre>
# generate the shared static key (the tun version above uses the same file)
openvpn --genkey --secret tst.key

#server
openvpn --mktun --dev-type tap --dev taptst
ip link set taptst up
openvpn --dev-type tap --dev taptst --comp-lzo yes --cipher none --proto udp --daemon --keepalive 10 30 --secret tst.key --port 1234

#client
openvpn --mktun --dev-type tap --dev taptst
ip link set taptst up
openvpn --dev-type tap --dev taptst --comp-lzo yes --cipher none --proto udp --daemon --keepalive 10 30 --secret tst.key --remote A.B.C.D 1234
</pre>
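Several settings in the blocks above deserve a second look when these configs are reviewed: `dh ttnn/dh1024.pem` (1024-bit DH parameters), `comp-lzo yes` (compression of tunnel traffic), `script-security 2` on the client, `--cipher none` in the obsolete tap commands, and the absence of `remote-cert-tls server` in the client config. The following Python script is an added example, not code from the page or from OpenVPN: it parses config-file syntax as the page uses it (including the inline `#` comment on the `key` line) and reports those settings over two constructed samples cut down from the page's configs; the rule set is mine, and the `dh` rule is a file-name heuristic only.

```python
import re
import shlex

def parse_openvpn(text):
    """Parse OpenVPN config text into a list of (directive, [args])."""
    directives = []
    for raw in text.splitlines():
        # Drop full-line '#'/';' comments and the inline '# ...' form
        # OpenVPN accepts (see the page's 'key ttnn/h1.key # ...' line).
        line = re.split(r"(?:^|\s)[#;]", raw.strip(), maxsplit=1)[0]
        parts = shlex.split(line)  # keeps push "route-gateway ..." as one arg
        if parts:
            directives.append((parts[0], parts[1:]))
    return directives

def review(text):
    """Return short findings for one config; an empty list means nothing flagged."""
    directives = parse_openvpn(text)
    names = {name for name, _ in directives}
    findings = []
    for name, args in directives:
        arg = args[0] if args else ""
        if name == "cipher" and arg == "none":
            findings.append("cipher none: tunnel payload is not encrypted")
        elif name == "dh" and re.search(r"(?<!\d)1024(?!\d)", arg):
            # File-name heuristic only; confirm the size with openssl dhparam -text.
            findings.append(f"dh {arg}: 1024-bit DH parameters are too small")
        elif name == "comp-lzo" and arg != "no":
            findings.append("comp-lzo: tunnel compression is enabled")
        elif name == "script-security" and arg.isdigit() and int(arg) >= 2:
            findings.append(f"script-security {arg}: external scripts may be run")
    if names & {"client", "tls-client"} and not names & {"remote-cert-tls", "ns-cert-type"}:
        findings.append("client: no remote-cert-tls server, any CA-signed "
                        "certificate would be accepted as the server")
    return findings

# Constructed samples, cut down from the page's ttnn-tap.conf and ttnn.conf.
SERVER_CONF = """\
key ttnn/h1.key # This file should be kept secret
dh ttnn/dh1024.pem
mode server
tls-server
comp-lzo yes
"""
CLIENT_CONF = """\
client
remote openvpn.tetaneutral.net 443
script-security 2
comp-lzo yes
"""
```

`--cipher none` on a command line is the same option as `cipher none` in a config file, so the first rule covers the obsolete tap commands once they are written as a config.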

h2. Point-to-point with routing of an IP block

[[Partage ADSL OpenVPN]]

h2. Performance

[[Benchmark VPN]]

h2. Proxmox

http://www.nedproductions.biz/wiki/configuring-a-proxmox-ve-2.x-cluster-running-over-an-openvpn-intranet
http://blog.developpeur-neurasthenique.fr/auto-hebergement-configurer-un-cluster-proxmox-2-sans-multicast.html

h2. Links

* https://community.openvpn.net/openvpn/changeset/150fb45047c5482858b32a669de4097e66dec1c7 "Allow 'lport 0' setup for random port binding"
* https://vador.fdn.fr/wiki/travaux:vpn_misc:doc#configurer_sa_machine_pour_utiliser_l_offre_vpn_de_fdn
* https://wiki.ldn-fai.net/wiki/Tuto_Serveur_OpenVPN