Outils pour utilisateurs
informatique:linux:openvpn
Différences
Ci-dessous, les différences entre deux révisions de la page.
| Les deux révisions précédentes Révision précédente Prochaine révision | Révision précédente | ||
|
informatique:linux:openvpn [2020/05/29 12:34] benoit [Configuration] |
informatique:linux:openvpn [2020/05/29 15:24] (Version actuelle) benoit [Configuration] |
||
|---|---|---|---|
| Ligne 7: | Ligne 7: | ||
| apt install openvpn openssl easy-rsa | apt install openvpn openssl easy-rsa | ||
| - | ==== Configuration ==== | + | |
| + | |||
| + | |||
| + | ==== Initialisation des certificats ==== | ||
| Copie des utilitaires de certificat RSA: | Copie des utilitaires de certificat RSA: | ||
| - | cp -R /usr/share/easy-rsa/ /etc/openvpn/server | + | cp -R /usr/share/easy-rsa/* /etc/openvpn/server/ |
| renseigner les informations de l'autorité de certification: | renseigner les informations de l'autorité de certification: | ||
| cd /etc/openvpn/server | cd /etc/openvpn/server | ||
| + | |||
| + | Ajuster les variables: | ||
| vim vars | vim vars | ||
| | | ||
| Insérer le contenu suivant: | Insérer le contenu suivant: | ||
| - | export KEY_COUNTRY="FR" | + | export KEY_COUNTRY="US" |
| - | export KEY_PROVINCE="IDF" | + | export KEY_PROVINCE="CA" |
| - | export KEY_CITY="Somewhere" | + | export KEY_CITY="SanFrancisco" |
| - | export KEY_ORG="host.domain.com" | + | export KEY_ORG="myhost.mydomain" |
| - | export KEY_EMAIL="admin@domain.com" | + | export KEY_EMAIL="me@myhost.mydomain" |
| + | export KEY_OU="MyOrganizationalUnit" | ||
| + | |||
| + | Copier le fichier de conf openssl: | ||
| + | cp openssl-1.0.0.cnf openssl.cnf | ||
| + | |||
| + | Charger les variables: | ||
| + | . ./vars | ||
| + | |||
| + | Message attendu: | ||
| + | NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/server/keys | ||
| + | |||
| + | Nettoyage de l'existant: | ||
| + | ./clean-all | ||
| + | |||
| + | Création du certificat : | ||
| + | |||
| + | ./build-ca | ||
| + | |||
| + | Resultat et réponses à donner: | ||
| + | |||
| + | Generating a RSA private key | ||
| + | .................+++++ | ||
| + | ..............+++++ | ||
| + | writing new private key to 'ca.key' | ||
| + | ----- | ||
| + | You are about to be asked to enter information that will be incorporated | ||
| + | into your certificate request. | ||
| + | What you are about to enter is what is called a Distinguished Name or a DN. | ||
| + | There are quite a few fields but you can leave some blank | ||
| + | For some fields there will be a default value, | ||
| + | If you enter '.', the field will be left blank. | ||
| + | ----- | ||
| + | Country Name (2 letter code) [US]: | ||
| + | State or Province Name (full name) [CA]: | ||
| + | Locality Name (eg, city) [SanFrancisco]: | ||
| + | Organization Name (eg, company) [myhost.mydomain]: | ||
| + | Organizational Unit Name (eg, section) [MyOrganizationalUnit]: | ||
| + | Common Name (eg, your name or your server's hostname) [zweb.zikossworld.com CA]: | ||
| + | Name [EasyRSA]: | ||
| + | Email Address [me@myhost.mydomain]: | ||
| + | |||
| + | Générer la clé serveur: | ||
| + | |||
| + | ./build-key-server server | ||
| + | |||
| + | :!: mêmez réponses à donner que plus haut avec quelques éléments supplémentaires: | ||
| + | |||
| + | Please enter the following 'extra' attributes | ||
| + | to be sent with your certificate request | ||
| + | A challenge password []: | ||
| + | An optional company name []: | ||
| + | |||
| + | ... | ||
| + | |||
| + | Certificate is to be certified until May 27 10:52:54 2030 GMT (3650 days) | ||
| + | Sign the certificate? [y/n]:y | ||
| + | |||
| + | |||
| + | 1 out of 1 certificate requests certified, commit? [y/n]y | ||
| + | Write out database with 1 new entries | ||
| + | Data Base Updated | ||
| + | |||
| + | Générer la clé client: | ||
| + | |||
| + | ./build-key client1 | ||
| + | |||
| + | Générer les paramètres Diffie-Hellman : | ||
| + | |||
| + | ./build-dh | ||
| + | |||
| + | |||
| + | ln -s /etc/openvpn/server/keys/ /etc/openvpn | ||
| + | |||
| + | ==== Configuration ==== | ||
| + | |||
| + | Créer et éditer le fichier de configuration du serveur: | ||
| + | |||
| + | vim /etc/openvpn/server.conf | ||
| + | |||
| + | Insérer le contenu suivant: | ||
| + | # OpenVPN listen port | ||
| + | port 444 | ||
| + | # Protocol | ||
| + | proto tcp | ||
| + | # Interface | ||
| + | dev tun | ||
| + | |||
| + | # Path to certificates | ||
| + | ca server/keys/ca.crt | ||
| + | cert server/keys/server.crt | ||
| + | key server/keys/server.key | ||
| + | dh server/keys/dh2048.pem | ||
| + | |||
| + | # VPN network | ||
| + | server 10.8.0.0 255.255.255.0 | ||
| + | |||
| + | # Other settings | ||
| + | ifconfig-pool-persist ipp.txt | ||
| + | keepalive 10 120 | ||
| + | comp-lzo | ||
| + | user nobody | ||
| + | group nogroup | ||
| + | persist-key | ||
| + | persist-tun | ||
| + | status openvpn-status.log | ||
| + | verb 3 | ||
| + | |||
| + | # On définit le serveur VPN comme passerelle par défaut pour les clients. | ||
| + | push "redirect-gateway def1" | ||
| + | push "route 10.9.8.0 255.255.252.0" | ||
| + | |||
| + | # Default DNS for VPN clients | ||
| + | push "dhcp-option DNS 8.8.8.8" | ||
| + | |||
| + | Tester la conf du serveur VPN voir si ça démarre : | ||
| + | |||
| + | cd /etc/openvpn | ||
| + | openvpn server.conf | ||
| + | |||
informatique/linux/openvpn.1590748468.txt.gz · Dernière modification: 2020/05/29 12:34 par benoit
Outils de la page
Sauf mention contraire, le contenu de ce wiki est placé sous les termes de la licence suivante : CC Attribution-Noncommercial-Share Alike 4.0 International
