OpenVPN » Historique » Version 40
Skuld Skuld, 20/07/2017 20:15
1 | 3 | Laurent GUERBY | {{>toc}} |
---|---|---|---|
2 | 3 | Laurent GUERBY | |
3 | 1 | Laurent GUERBY | h1. OpenVPN |
4 | 1 | Laurent GUERBY | |
5 | 13 | Laurent GUERBY | h2. Port sharing |
6 | 12 | Laurent GUERBY | |
7 | 12 | Laurent GUERBY | Apache and nginx |
8 | 12 | Laurent GUERBY | http://www.davidwesterfield.net/2012/08/openvpn-sharing-a-tcp-port-with-ssl-on-nginx-and-apache-yeah-its-possible/ |
9 | 12 | Laurent GUERBY | |
10 | 12 | Laurent GUERBY | port-share 127.0.0.1 4443 |
11 | 12 | Laurent GUERBY | |
12 | 14 | Laurent GUERBY | http://www.greenie.net/ipv6/openvpn.html |
13 | 14 | Laurent GUERBY | https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23 |
14 | 14 | Laurent GUERBY | |
15 | 35 | Laurent GUERBY | https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux |
16 | 35 | Laurent GUERBY | |
17 | 15 | Laurent GUERBY | h2. Certificats |
18 | 15 | Laurent GUERBY | |
19 | 34 | Baptiste Jonglez | Via mherrb : la page de man 'ssl(8)' d'OpenBSD explique bien comment faire un certificat auto-signé qui marchera pour OpenVPN: |
20 | 15 | Laurent GUERBY | http://www.openbsd.org/cgi-bin/man.cgi?query=ssl&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html |
21 | 15 | Laurent GUERBY | |
22 | 9 | Laurent GUERBY | h2. Server |
23 | 1 | Laurent GUERBY | |
24 | 9 | Laurent GUERBY | <pre> |
25 | 9 | Laurent GUERBY | # cat /etc/default/openvpn |
26 | 9 | Laurent GUERBY | ... |
27 | 9 | Laurent GUERBY | AUTOSTART="ttnn-tap ttnn-tap6 ttnn-tap-tcp ttnn-tap-tcp6" |
28 | 9 | Laurent GUERBY | ... |
29 | 9 | Laurent GUERBY | # cat /etc/openvpn/ttnn-tap.conf |
30 | 9 | Laurent GUERBY | dev tap0udp |
31 | 9 | Laurent GUERBY | port 11195 |
32 | 9 | Laurent GUERBY | proto udp |
33 | 9 | Laurent GUERBY | |
34 | 9 | Laurent GUERBY | ca ttnn/ca.crt |
35 | 9 | Laurent GUERBY | cert ttnn/h1.crt |
36 | 9 | Laurent GUERBY | key ttnn/h1.key # This file should be kept secret |
37 | 9 | Laurent GUERBY | dh ttnn/dh1024.pem |
38 | 9 | Laurent GUERBY | |
39 | 9 | Laurent GUERBY | mode server |
40 | 9 | Laurent GUERBY | tls-server |
41 | 9 | Laurent GUERBY | |
42 | 9 | Laurent GUERBY | persist-key |
43 | 9 | Laurent GUERBY | persist-tun |
44 | 9 | Laurent GUERBY | |
45 | 9 | Laurent GUERBY | client-config-dir ccd |
46 | 9 | Laurent GUERBY | |
47 | 9 | Laurent GUERBY | client-to-client |
48 | 9 | Laurent GUERBY | comp-lzo yes |
49 | 9 | Laurent GUERBY | keepalive 10 60 |
50 | 9 | Laurent GUERBY | |
51 | 9 | Laurent GUERBY | verb 3 |
52 | 9 | Laurent GUERBY | log-append log/openvpn-tap.log |
53 | 9 | Laurent GUERBY | status status/openvpn-tap.txt |
54 | 9 | Laurent GUERBY | |
55 | 9 | Laurent GUERBY | # cat /etc/openvpn/ttnn-tap6.conf |
56 | 9 | Laurent GUERBY | dev tap6udp |
57 | 9 | Laurent GUERBY | port 11196 |
58 | 9 | Laurent GUERBY | proto udp6 |
59 | 9 | Laurent GUERBY | |
60 | 9 | Laurent GUERBY | ca ttnn/ca.crt |
61 | 9 | Laurent GUERBY | cert ttnn/h1.crt |
62 | 9 | Laurent GUERBY | key ttnn/h1.key # This file should be kept secret |
63 | 9 | Laurent GUERBY | dh ttnn/dh1024.pem |
64 | 9 | Laurent GUERBY | |
65 | 9 | Laurent GUERBY | mode server |
66 | 9 | Laurent GUERBY | tls-server |
67 | 9 | Laurent GUERBY | |
68 | 9 | Laurent GUERBY | persist-key |
69 | 9 | Laurent GUERBY | persist-tun |
70 | 9 | Laurent GUERBY | |
71 | 9 | Laurent GUERBY | client-config-dir ccd |
72 | 9 | Laurent GUERBY | |
73 | 9 | Laurent GUERBY | client-to-client |
74 | 9 | Laurent GUERBY | comp-lzo yes |
75 | 9 | Laurent GUERBY | keepalive 10 60 |
76 | 9 | Laurent GUERBY | |
77 | 9 | Laurent GUERBY | verb 3 |
78 | 9 | Laurent GUERBY | log-append log/openvpn-tap6.log |
79 | 9 | Laurent GUERBY | status status/openvpn-tap6.txt |
80 | 9 | Laurent GUERBY | |
81 | 9 | Laurent GUERBY | # cat /etc/openvpn/ttnn-tap-tcp.conf |
82 | 9 | Laurent GUERBY | dev tap0tcp |
83 | 9 | Laurent GUERBY | port 443 |
84 | 9 | Laurent GUERBY | proto tcp-server |
85 | 9 | Laurent GUERBY | |
86 | 9 | Laurent GUERBY | ca ttnn/ca.crt |
87 | 9 | Laurent GUERBY | cert ttnn/h1.crt |
88 | 9 | Laurent GUERBY | key ttnn/h1.key # This file should be kept secret |
89 | 9 | Laurent GUERBY | dh ttnn/dh1024.pem |
90 | 9 | Laurent GUERBY | |
91 | 9 | Laurent GUERBY | mode server |
92 | 9 | Laurent GUERBY | tls-server |
93 | 9 | Laurent GUERBY | |
94 | 9 | Laurent GUERBY | persist-key |
95 | 9 | Laurent GUERBY | persist-tun |
96 | 9 | Laurent GUERBY | |
97 | 9 | Laurent GUERBY | client-config-dir ccd |
98 | 9 | Laurent GUERBY | |
99 | 9 | Laurent GUERBY | client-to-client |
100 | 9 | Laurent GUERBY | comp-lzo yes |
101 | 9 | Laurent GUERBY | keepalive 10 60 |
102 | 9 | Laurent GUERBY | |
103 | 9 | Laurent GUERBY | verb 3 |
104 | 9 | Laurent GUERBY | log-append log/openvpn-tap-tcp.log |
105 | 9 | Laurent GUERBY | status status/openvpn-tap-tcp.txt |
106 | 9 | Laurent GUERBY | |
107 | 9 | Laurent GUERBY | # keys generated with id ip-X-Y-Z-T, files: |
108 | 9 | Laurent GUERBY | # ip-91-224-149-165.crt |
109 | 9 | Laurent GUERBY | # ip-91-224-149-165.csr |
110 | 9 | Laurent GUERBY | # ip-91-224-149-165.key |
111 | 9 | Laurent GUERBY | |
112 | 9 | Laurent GUERBY | # cat /etc/openvpn/ccd/ip-91-224-149-165 |
113 | 9 | Laurent GUERBY | ifconfig-push 91.224.149.165 255.255.255.0 |
114 | 9 | Laurent GUERBY | push "route-gateway 91.224.149.254" |
115 | 9 | Laurent GUERBY | push "redirect-gateway def1" |
116 | 9 | Laurent GUERBY | push "dhcp-option DNS 8.8.8.8" |
117 | 9 | Laurent GUERBY | |
118 | 9 | Laurent GUERBY | # bridge |
119 | 9 | Laurent GUERBY | brctl addbr br0 |
120 | 9 | Laurent GUERBY | brctl addif br0 eth0 |
121 | 9 | Laurent GUERBY | ip link set br0 up |
122 | 9 | Laurent GUERBY | ip link set br0 address 52:54:10:00:00:11 #force MAC to avoid MAC changes |
123 | 9 | Laurent GUERBY | |
124 | 1 | Laurent GUERBY | openvpn --mktun --dev tap0udp |
125 | 1 | Laurent GUERBY | openvpn --mktun --dev tap0tcp |
126 | 1 | Laurent GUERBY | openvpn --mktun --dev tap6udp |
127 | 1 | Laurent GUERBY | |
128 | 1 | Laurent GUERBY | brctl addif br0 tap0udp |
129 | 1 | Laurent GUERBY | ip link set tap0udp up |
130 | 1 | Laurent GUERBY | |
131 | 1 | Laurent GUERBY | brctl addif br0 tap0tcp |
132 | 1 | Laurent GUERBY | ip link set tap0tcp up |
133 | 1 | Laurent GUERBY | |
134 | 1 | Laurent GUERBY | brctl addif br0 tap6udp |
135 | 1 | Laurent GUERBY | ip link set tap6udp up |
136 | 1 | Laurent GUERBY | |
137 | 1 | Laurent GUERBY | </pre> |
138 | 1 | Laurent GUERBY | |
139 | 34 | Baptiste Jonglez | Pour ignorer les push IP et route du serveur coté client openvpn il suffit de mettre "tls-client" a la place de "client" l'option --client est un raccourci pour --tls-client --pull et --pull est ce qui accepte les directives serveur. |
140 | 10 | Laurent GUERBY | |
141 | 10 | Laurent GUERBY | h2. Client |
142 | 10 | Laurent GUERBY | |
143 | 10 | Laurent GUERBY | |
144 | 10 | Laurent GUERBY | <pre> |
145 | 10 | Laurent GUERBY | # cat /etc/openvpn/ttnn.conf |
146 | 10 | Laurent GUERBY | client |
147 | 10 | Laurent GUERBY | dev tap |
148 | 10 | Laurent GUERBY | |
149 | 10 | Laurent GUERBY | ### from outside with UDP available |
150 | 10 | Laurent GUERBY | #proto udp |
151 | 10 | Laurent GUERBY | #remote openvpn.tetaneutral.net 11195 |
152 | 10 | Laurent GUERBY | |
153 | 10 | Laurent GUERBY | ### from outside with no UDP |
154 | 10 | Laurent GUERBY | proto tcp |
155 | 10 | Laurent GUERBY | remote openvpn.tetaneutral.net 443 |
156 | 10 | Laurent GUERBY | # 91.224.149.211 443 |
157 | 10 | Laurent GUERBY | |
158 | 10 | Laurent GUERBY | # from outside using IPv6 over UDP |
159 | 10 | Laurent GUERBY | #proto udp6 |
160 | 10 | Laurent GUERBY | #remote openvpn6.tetaneutral.net 11196 |
161 | 10 | Laurent GUERBY | |
162 | 10 | Laurent GUERBY | ca ttnn/ca.crt |
163 | 10 | Laurent GUERBY | cert ttnn/ip-91-224-149-165.crt |
164 | 10 | Laurent GUERBY | key ttnn/ip-91-224-149-165.key |
165 | 10 | Laurent GUERBY | |
166 | 10 | Laurent GUERBY | persist-key |
167 | 10 | Laurent GUERBY | persist-tun |
168 | 10 | Laurent GUERBY | |
169 | 10 | Laurent GUERBY | script-security 2 |
170 | 10 | Laurent GUERBY | |
171 | 10 | Laurent GUERBY | comp-lzo yes |
172 | 10 | Laurent GUERBY | keepalive 10 60 |
173 | 10 | Laurent GUERBY | |
174 | 10 | Laurent GUERBY | verb 3 |
175 | 10 | Laurent GUERBY | log-append log/openvpn.log |
176 | 10 | Laurent GUERBY | </pre> |
177 | 10 | Laurent GUERBY | |
178 | 10 | Laurent GUERBY | h2. point a point |
179 | 10 | Laurent GUERBY | |
180 | 36 | Laurent GUERBY | |
181 | 36 | Laurent GUERBY | Version tun : |
182 | 36 | Laurent GUERBY | |
183 | 36 | Laurent GUERBY | <pre> |
184 | 38 | Laurent GUERBY | # Sur le serveur IPv4 publique A.B.C.D |
185 | 36 | Laurent GUERBY | openvpn --mktun --dev-type tun --dev tuntst |
186 | 36 | Laurent GUERBY | ip link set tuntst up |
187 | 36 | Laurent GUERBY | openvpn --dev-type tun --dev tuntst --proto udp --daemon --keepalive 10 120 --secret tst.key --port 1234 |
188 | 36 | Laurent GUERBY | |
189 | 38 | Laurent GUERBY | # Sur le client client |
190 | 36 | Laurent GUERBY | openvpn --mktun --dev-type tun --dev tuntst |
191 | 36 | Laurent GUERBY | ip link set tuntst up |
192 | 39 | Laurent GUERBY | openvpn --dev-type tun --dev tuntst --proto udp --daemon --keepalive 10 120 --secret tst.key --lport 0 --remote A.B.C.D 1234 |
193 | 36 | Laurent GUERBY | </pre> |
194 | 36 | Laurent GUERBY | |
195 | 38 | Laurent GUERBY | Pour le routage IPv6 et le NAT IPv4 sur le serveur : |
196 | 1 | Laurent GUERBY | |
197 | 1 | Laurent GUERBY | <pre> |
198 | 1 | Laurent GUERBY | echo 1 > /proc/sys/net/ipv6/conf/all/forwarding |
199 | 38 | Laurent GUERBY | ip -6 route add 2a03:7220:808X:YZ01::1/128 dev tuntst |
200 | 38 | Laurent GUERBY | |
201 | 38 | Laurent GUERBY | echo 1 > /proc/sys/net/ipv4/ip_forward |
202 | 38 | Laurent GUERBY | ip route add 10.10.10.10/32 dev tuntst |
203 | 38 | Laurent GUERBY | iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE |
204 | 1 | Laurent GUERBY | </pre> |
205 | 1 | Laurent GUERBY | |
206 | 38 | Laurent GUERBY | Then on the client |
207 | 38 | Laurent GUERBY | |
208 | 10 | Laurent GUERBY | <pre> |
209 | 38 | Laurent GUERBY | ip -6 addr add 2a03:7220:808X:YZ01::1/128 dev tuntst |
210 | 38 | Laurent GUERBY | ip -6 route add default tuntst |
211 | 38 | Laurent GUERBY | ip addr add 10.10.10.10/32 dev tuntst |
212 | 38 | Laurent GUERBY | # TODO default route |
213 | 10 | Laurent GUERBY | </pre> |
214 | 3 | Laurent GUERBY | |
215 | 34 | Baptiste Jonglez | h2. Point-à-point avec routage d'un bloc d'IP. |
216 | 1 | Laurent GUERBY | |
217 | 1 | Laurent GUERBY | [[Partage ADSL OpenVPN]] |
218 | 1 | Laurent GUERBY | |
219 | 34 | Baptiste Jonglez | h2. Performances |
220 | 34 | Baptiste Jonglez | |
221 | 34 | Baptiste Jonglez | [[Benchmark VPN]] |
222 | 34 | Baptiste Jonglez | |
223 | 1 | Laurent GUERBY | h2. Proxmox |
224 | 1 | Laurent GUERBY | |
225 | 1 | Laurent GUERBY | http://www.nedproductions.biz/wiki/configuring-a-proxmox-ve-2.x-cluster-running-over-an-openvpn-intranet |
226 | 11 | Laurent GUERBY | http://blog.developpeur-neurasthenique.fr/auto-hebergement-configurer-un-cluster-proxmox-2-sans-multicast.html |
227 | 11 | Laurent GUERBY | |
228 | 11 | Laurent GUERBY | h2. Links |
229 | 11 | Laurent GUERBY | |
230 | 34 | Baptiste Jonglez | * https://community.openvpn.net/openvpn/changeset/150fb45047c5482858b32a669de4097e66dec1c7 "Allow 'lport 0' setup for random port binding" |
231 | 34 | Baptiste Jonglez | * https://vador.fdn.fr/wiki/travaux:vpn_misc:doc#configurer_sa_machine_pour_utiliser_l_offre_vpn_de_fdn |
232 | 34 | Baptiste Jonglez | * https://wiki.ldn-fai.net/wiki/Tuto_Serveur_OpenVPN |