OpenVPN » History » Version 40

Skuld Skuld, 20/07/2017 20:15

{{>toc}}

h1. OpenVPN

h2. Port sharing

Apache and nginx:

http://www.davidwesterfield.net/2012/08/openvpn-sharing-a-tcp-port-with-ssl-on-nginx-and-apache-yeah-its-possible/

<pre>
port-share 127.0.0.1 4443
</pre>

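
How the shared port is demultiplexed, as an added example (not code from the wiki or from the OpenVPN project): this re-implements, in simplified form, the first-bytes test OpenVPN's port-share code applies to a new TCP connection. A stream that opens like an OpenVPN client hard-reset is handled by OpenVPN itself; anything else (for instance a browser's TLS ClientHello) is proxied unchanged to the host and port given to port-share, here 127.0.0.1:4443. Opcode values and the minimum length follow OpenVPN's TCP wire format; the sample byte strings are constructed.

```python
# Added example (not from the wiki or the OpenVPN project): a simplified
# re-implementation of the first-bytes heuristic OpenVPN's port-share code
# uses to decide whether a new TCP connection is an OpenVPN client or must
# be proxied to the backend named in "port-share 127.0.0.1 4443".
# The sample byte strings at the bottom are constructed.

# OpenVPN over TCP frames each packet as a 2-byte big-endian length followed
# by one opcode byte (opcode in the top 5 bits, key_id in the low 3 bits).
# A handshake opens with P_CONTROL_HARD_RESET_CLIENT_V2 (opcode 7) or, on
# newer servers, _V3 (opcode 10), so the third byte is 0x38 or 0x50.
P_OPCODE_SHIFT = 3
HARD_RESET_CLIENT_V2 = 7 << P_OPCODE_SHIFT    # 0x38
HARD_RESET_CLIENT_V3 = 10 << P_OPCODE_SHIFT   # 0x50
MIN_FIRST_PACKET_LEN = 14                     # smallest plausible hard-reset

PORT_SHARE_BACKEND = ("127.0.0.1", 4443)      # the wiki's port-share target


def is_openvpn_protocol(first_bytes: bytes) -> bool:
    """True if the stream starts like an OpenVPN client hard-reset.

    With fewer than two bytes nothing can be decided yet, so the caller
    keeps the connection and reads more, which is what OpenVPN does too.
    """
    p = first_bytes
    if len(p) >= 3:
        return (p[0] == 0 and p[1] >= MIN_FIRST_PACKET_LEN
                and p[2] in (HARD_RESET_CLIENT_V2, HARD_RESET_CLIENT_V3))
    if len(p) >= 2:
        return p[0] == 0 and p[1] >= MIN_FIRST_PACKET_LEN
    return True


def route_connection(first_bytes: bytes):
    """Return "openvpn" to keep the connection, or the (host, port) of the
    web server that should receive it.  The backend gets the bytes unchanged,
    so the TLS handshake with Apache or nginx is not touched."""
    if is_openvpn_protocol(first_bytes):
        return "openvpn"
    return PORT_SHARE_BACKEND


# Constructed samples: an OpenVPN hard-reset of length 42 (0x002a) carrying
# opcode 0x38 / key_id 0, and the first bytes of a TLS record-layer
# ClientHello (content type 0x16, version 3.1) as a browser would send.
OPENVPN_HELLO = b"\x00\x2a\x38" + b"\x00" * 41
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xf0\x01\x00\x00\xec\x03\x03"
```
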
http://www.greenie.net/ipv6/openvpn.html
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23

https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux

h2. Certificates

Via mherrb: the OpenBSD 'ssl(8)' man page explains well how to make a self-signed certificate that will work with OpenVPN:

http://www.openbsd.org/cgi-bin/man.cgi?query=ssl&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

h2. Server

<pre>
# cat /etc/default/openvpn
...
AUTOSTART="ttnn-tap ttnn-tap6 ttnn-tap-tcp ttnn-tap-tcp6"
...
# cat /etc/openvpn/ttnn-tap.conf 
dev tap0udp
port 11195
proto udp

ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key  # This file should be kept secret
dh ttnn/dh1024.pem

mode server
tls-server

persist-key
persist-tun

client-config-dir ccd

client-to-client
comp-lzo yes
keepalive 10 60

verb 3
log-append  log/openvpn-tap.log
status status/openvpn-tap.txt

# cat /etc/openvpn/ttnn-tap6.conf 
dev tap6udp
port 11196
proto udp6

ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key  # This file should be kept secret
dh ttnn/dh1024.pem

mode server
tls-server

persist-key
persist-tun

client-config-dir ccd

client-to-client
comp-lzo yes
keepalive 10 60

verb 3
log-append  log/openvpn-tap6.log
status status/openvpn-tap6.txt

# cat /etc/openvpn/ttnn-tap-tcp.conf 
dev tap0tcp
port 443
proto tcp-server

ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key  # This file should be kept secret
dh ttnn/dh1024.pem

mode server
tls-server

persist-key
persist-tun

client-config-dir ccd

client-to-client
comp-lzo yes
keepalive 10 60

verb 3
log-append  log/openvpn-tap-tcp.log
status status/openvpn-tap-tcp.txt

# keys generated with id ip-X-Y-Z-T, files:
# ip-91-224-149-165.crt
# ip-91-224-149-165.csr
# ip-91-224-149-165.key

# cat /etc/openvpn/ccd/ip-91-224-149-165
ifconfig-push 91.224.149.165 255.255.255.0
push "route-gateway 91.224.149.254"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"

# bridge
brctl addbr br0
brctl addif br0 eth0
ip link set br0 up
ip link set br0 address 52:54:10:00:00:11 #force MAC to avoid MAC changes

openvpn --mktun --dev tap0udp
openvpn --mktun --dev tap0tcp
openvpn --mktun --dev tap6udp

brctl addif br0 tap0udp
ip link set tap0udp up

brctl addif br0 tap0tcp
ip link set tap0tcp up

brctl addif br0 tap6udp
ip link set tap6udp up

</pre>
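
A consistency check for the client-config-dir layout above, as an added example (not code from the wiki): each client certificate is issued with CN ip-X-Y-Z-T and OpenVPN selects ccd/<CN>, so the filename, the ifconfig-push address and the pushed route-gateway can be checked against each other before a client is handed someone else's address or an unreachable default route. The checks and their messages are this example's own; the sample ccd texts are constructed from the entry shown above.

```python
# Added example (not from the wiki): consistency check for the client-config-dir
# layout above, where a client certificate has CN "ip-X-Y-Z-T" and the file
# ccd/ip-X-Y-Z-T pushes X.Y.Z.T.  Checks are this example's own; samples are constructed.
import ipaddress
import re
import shlex

CN_RE = re.compile(r"^ip-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})$")  # ccd file = client CN

def parse_ccd(text):
    """Return {directive: [[args...], ...]}; quoted push "..." strings are split too."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[0] == "push" and len(tokens) > 1:
            tokens = ["push"] + shlex.split(tokens[1])
        out.setdefault(tokens[0], []).append(tokens[1:])
    return out

def check_ccd_entry(name, text):
    """Return a list of problems for ccd file ``name``; an empty list means consistent."""
    m = CN_RE.match(name)
    if not m:
        return [f"{name}: filename does not follow the ip-X-Y-Z-T convention"]
    expected = ipaddress.IPv4Address(".".join(m.groups()))
    cfg = parse_ccd(text)
    if "ifconfig-push" not in cfg:
        return [f"{name}: no ifconfig-push, the client would get no static address"]
    addr, mask = cfg["ifconfig-push"][0][:2]
    problems = []
    if ipaddress.IPv4Address(addr) != expected:
        problems.append(f"{name}: pushes {addr} but the CN says {expected}")
    # A pushed route-gateway outside the client's subnet gives it an unreachable default route.
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    for args in cfg.get("push", []):
        if args[:1] == ["route-gateway"] and ipaddress.IPv4Address(args[1]) not in net:
            problems.append(f"{name}: route-gateway {args[1]} is not in {net}")
    return problems

# Constructed samples: the wiki's own ccd entry, and a copy with a gateway typo.
CCD_OK = """ifconfig-push 91.224.149.165 255.255.255.0
push "route-gateway 91.224.149.254"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
"""
CCD_BAD_GW = CCD_OK.replace("91.224.149.254", "91.224.148.254")
```
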

To ignore the IP and route pushes from the server on the OpenVPN client side, just put "tls-client" in place of "client": the --client option is a shorthand for --tls-client --pull, and --pull is what accepts the server's directives.

h2. Client

<pre>
# cat /etc/openvpn/ttnn.conf
client
dev tap

### from outside with UDP available
#proto udp
#remote openvpn.tetaneutral.net 11195

### from outside with no UDP
proto tcp
remote openvpn.tetaneutral.net 443
# 91.224.149.211 443

# from outside using IPv6 over UDP
#proto udp6
#remote openvpn6.tetaneutral.net 11196

ca ttnn/ca.crt
cert ttnn/ip-91-224-149-165.crt
key ttnn/ip-91-224-149-165.key

persist-key
persist-tun

script-security 2

comp-lzo yes
keepalive 10 60

verb 3
log-append log/openvpn.log
</pre>

h2. Point-to-point

tun version:

<pre>
# On the server with public IPv4 A.B.C.D
openvpn --mktun --dev-type tun --dev tuntst
ip link set tuntst up
openvpn --dev-type tun --dev tuntst --proto udp --daemon --keepalive 10 120 --secret tst.key --port 1234

# On the client
openvpn --mktun --dev-type tun --dev tuntst
ip link set tuntst up
openvpn --dev-type tun --dev tuntst --proto udp --daemon --keepalive 10 120 --secret tst.key --lport 0 --remote A.B.C.D 1234
</pre>

For IPv6 routing and IPv4 NAT on the server:

<pre>
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
ip -6 route add 2a03:7220:808X:YZ01::1/128 dev tuntst

echo 1 > /proc/sys/net/ipv4/ip_forward
ip route add 10.10.10.10/32 dev tuntst
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
</pre>

Then on the client:

<pre>
ip -6 addr add 2a03:7220:808X:YZ01::1/128 dev tuntst
ip -6 route add default dev tuntst
ip addr add 10.10.10.10/32 dev tuntst
# TODO default route
</pre>
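
The point-to-point setup above rests entirely on tst.key, a 2048-bit static key that both ends pass to --secret and that is normally produced with "openvpn --genkey --secret tst.key". The following added example (not code from the wiki or from OpenVPN) renders and validates that "Static key V1" file format and checks the file mode a shared secret should keep; SAMPLE_KEY is constructed demonstration material, not real key material.

```python
# Added example (not from the wiki or from OpenVPN): render and validate the
# "Static key V1" file format that "openvpn --genkey --secret tst.key" writes
# and that --secret reads on both ends of the point-to-point tunnel above.
# SAMPLE_KEY below is constructed demonstration material, not a real key.
import os
import re
import stat

KEY_BYTES = 256          # a Static key V1 file always carries 2048 bits
HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"
HEX_LINE = re.compile(r"^[0-9a-fA-F]{32}$")   # 16 such lines make 512 hex digits


def format_static_key(raw):
    """Render 256 key bytes in the genkey layout: comment header, then 16 hex lines."""
    if len(raw) != KEY_BYTES:
        raise ValueError("a static key needs exactly 256 bytes")
    hexed = raw.hex()
    body = [hexed[i:i + 32] for i in range(0, len(hexed), 32)]
    return "\n".join(["#", "# 2048 bit OpenVPN static key", "#", HEADER, *body, FOOTER]) + "\n"


def generate_static_key():
    """Fresh key material from the OS CSPRNG; --genkey draws from the crypto library's RNG."""
    return format_static_key(os.urandom(KEY_BYTES))


def parse_static_key(text):
    """Return the 256 key bytes, or raise ValueError if the file is malformed."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    if len(lines) != 18 or lines[0] != HEADER or lines[-1] != FOOTER:
        raise ValueError("missing header/footer or wrong number of key lines")
    if not all(HEX_LINE.match(l) for l in lines[1:-1]):
        raise ValueError("key body must be 16 lines of 32 hex digits")
    return bytes.fromhex("".join(lines[1:-1]))


def key_mode_ok(st_mode):
    """True if a key file's st_mode grants nothing to group or others; the key
    is a shared secret, so a world-readable copy compromises the whole tunnel."""
    return stat.S_IMODE(st_mode) & 0o077 == 0


# Constructed sample material (every byte value once): demonstration only.
SAMPLE_KEY = bytes(range(256))
```
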

h2. Point-to-point with routing of an IP block

[[Partage ADSL OpenVPN]]

h2. Performance

[[Benchmark VPN]]

h2. Proxmox

http://www.nedproductions.biz/wiki/configuring-a-proxmox-ve-2.x-cluster-running-over-an-openvpn-intranet
http://blog.developpeur-neurasthenique.fr/auto-hebergement-configurer-un-cluster-proxmox-2-sans-multicast.html

h2. Links

* https://community.openvpn.net/openvpn/changeset/150fb45047c5482858b32a669de4097e66dec1c7 "Allow 'lport 0' setup for random port binding"
* https://vador.fdn.fr/wiki/travaux:vpn_misc:doc#configurer_sa_machine_pour_utiliser_l_offre_vpn_de_fdn
* https://wiki.ldn-fai.net/wiki/Tuto_Serveur_OpenVPN