====== OpenVPN ======

===== Server =====

==== Installation ====

<code bash>
apt install openvpn openssl easy-rsa
</code>

==== Certificate initialisation ====

Copy the easy-rsa certificate utilities:

<code bash>
cp -R /usr/share/easy-rsa/* /etc/openvpn/server/
</code>

Fill in the certificate authority details:

<code bash>
cd /etc/openvpn/server
</code>

Adjust the variables:

<code bash>
vim vars
</code>

Insert the following content:

<code bash>
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="myhost.mydomain"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
</code>

Copy the openssl configuration file:

<code bash>
cp openssl-1.0.0.cnf openssl.cnf
</code>

Load the variables:

<code bash>
. ./vars
</code>

Expected message:

<code>
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/server/keys
</code>

Clean up any existing keys:

<code bash>
./clean-all
</code>

Create the CA certificate:

<code bash>
./build-ca
</code>

Result and answers to give:

<code>
Generating a RSA private key
.................+++++
..............+++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [myhost.mydomain]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [zweb.zikossworld.com CA]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:
</code>

Generate the server key:

<code bash>
./build-key-server server
</code>

:!: Same answers to give as above, with a few extra prompts:

<code>
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
...
Certificate is to be certified until May 27 10:52:54 2030 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
</code>

Generate the client key:

<code bash>
./build-key client1
</code>

Generate the Diffie-Hellman parameters:

<code bash>
./build-dh
ln -s /etc/openvpn/server/keys/ /etc/openvpn
</code>

==== Configuration ====

Create and edit the server configuration file:

<code bash>
vim /etc/openvpn/server.conf
</code>

Insert the following content:

<code>
# OpenVPN listen port
port 444
# Protocol
proto tcp
# Interface
dev tun
# Path to certificates
ca server/keys/ca.crt
cert server/keys/server.crt
key server/keys/server.key
dh server/keys/dh2048.pem
# VPN network
server 10.8.0.0 255.255.255.0
# Other settings
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
# Set the VPN server as the default gateway for the clients.
push "redirect-gateway def1"
push "route 10.9.8.0 255.255.252.0"
# Default DNS for VPN clients
push "dhcp-option DNS 8.8.8.8"
</code>

Test the VPN server configuration to see whether it starts:

<code bash>
cd /etc/openvpn
openvpn server.conf
</code>
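As an added example that is not part of this page, a small Python script that parses the server.conf above (embedded as a constructed sample, comment lines omitted) and reports the settings worth checking before starting the service: whether all four PKI files are referenced, whether privileges are dropped, whether compression is enabled, whether a tls-auth/tls-crypt control-channel key is configured, and what is pushed to clients.

```python
import shlex

# Constructed sample: the server.conf from this page, minus its comment lines.
SAMPLE_CONF = """\
port 444
proto tcp
dev tun
ca server/keys/ca.crt
cert server/keys/server.crt
key server/keys/server.key
dh server/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
push "redirect-gateway def1"
push "route 10.9.8.0 255.255.252.0"
push "dhcp-option DNS 8.8.8.8"
"""

def parse_conf(text):
    """Return [(directive, [args])]; lines starting with '#' or ';' are comments."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)  # keeps push "..." as one arg
        directives.append((parts[0], parts[1:]))
    return directives

def review_conf(text):
    """Findings on the directives this page's config relies on (or lacks)."""
    d = parse_conf(text)
    names = {name for name, _ in d}
    pushes = [args[0] for name, args in d if name == "push" and args]
    return {
        "pki_complete": {"ca", "cert", "key", "dh"} <= names,
        "drops_privileges": ("user", ["nobody"]) in d and ("group", ["nogroup"]) in d,
        "compression_enabled": bool(names & {"comp-lzo", "compress"}),
        "control_channel_key": bool(names & {"tls-auth", "tls-crypt", "tls-crypt-v2"}),
        "redirects_gateway": any(p.startswith("redirect-gateway") for p in pushes),
        "pushed_dns": [p.split()[-1] for p in pushes if p.startswith("dhcp-option DNS")],
    }
```

Run `review_conf(open("/etc/openvpn/server.conf").read())` on the real file to get the same report for your own configuration.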