apt install openvpn openssl easy-rsa
Copy the easy-rsa certificate utilities:
cp -R /usr/share/easy-rsa/* /etc/openvpn/server/
Fill in the certificate authority information:
cd /etc/openvpn/server
Adjust the variables:
vim vars
Insert the following content:
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="myhost.mydomain"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
Copy the openssl configuration file:
cp openssl-1.0.0.cnf openssl.cnf
Load the variables:
. ./vars
Expected message:
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/server/keys
Clean up any existing keys:
./clean-all
Create the certificate authority certificate:
./build-ca
Output and answers to give:
Generating a RSA private key
.................+++++
..............+++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [myhost.mydomain]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [zweb.zikossworld.com CA]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:
Generate the server key and certificate:
./build-key-server server
Same answers to give as above, with a few extra items:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
...
Certificate is to be certified until May 27 10:52:54 2030 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate the client key and certificate:
./build-key client1
Generate the Diffie-Hellman parameters:
./build-dh
ln -s /etc/openvpn/server/keys/ /etc/openvpn
Create and edit the server configuration file:
vim /etc/openvpn/server.conf
Insert the following content:
# OpenVPN listen port
port 444
# Protocol
proto tcp
# Interface
dev tun
# Path to certificates
ca server/keys/ca.crt
cert server/keys/server.crt
key server/keys/server.key
dh server/keys/dh2048.pem
# VPN network
server 10.8.0.0 255.255.255.0
# Other settings
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
# Set the VPN server as the default gateway for the clients.
push "redirect-gateway def1"
push "route 10.9.8.0 255.255.252.0"
# Default DNS for VPN clients
push "dhcp-option DNS 8.8.8.8"
Test the VPN server configuration to see whether it starts:
cd /etc/openvpn
openvpn server.conf
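Before starting the daemon, a pre-flight check of the server.conf above is useful. The function below is an added example, not part of the original tutorial or of OpenVPN itself; it assumes the layout used here (ca/cert/key/dh paths relative to the directory openvpn is started from) and reports a missing or group/world-readable private key, missing certificate or DH files, the deprecated comp-lzo compression directive, and a missing user directive.

```shell
#!/bin/sh
# Hypothetical pre-flight check for an OpenVPN server.conf (added example,
# not from the tutorial). Paths in ca/cert/key/dh are resolved the way
# OpenVPN does when started from the config directory
# (cd /etc/openvpn; openvpn server.conf).
# Prints each problem found and returns their count (0 = clean).
check_openvpn_conf() {
    conf="$1"
    base="${2:-$(dirname "$conf")}"
    problems=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    for directive in ca cert key dh; do
        # first value of the directive; comment and push lines do not match
        path=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$path" ]; then
            echo "missing directive: $directive"
            problems=$((problems + 1)); continue
        fi
        case "$path" in /*) full="$path" ;; *) full="$base/$path" ;; esac
        if [ ! -f "$full" ]; then
            echo "$directive: file not found: $full"
            problems=$((problems + 1)); continue
        fi
        if [ "$directive" = key ]; then
            # the server private key must not be readable by group/other
            mode=$(stat -c %a "$full" 2>/dev/null || stat -f %Lp "$full")
            case "$mode" in
                ?00) ;;
                *) echo "key: $full is mode $mode, expected 600 or 400"
                   problems=$((problems + 1)) ;;
            esac
        fi
    done
    # comp-lzo turns on link compression, which OpenVPN deprecates as unsafe
    if grep -Eq '^[[:space:]]*comp-lzo' "$conf"; then
        echo "warning: comp-lzo enables compression"
        problems=$((problems + 1))
    fi
    # without a user directive the daemon keeps root after the tunnel is up
    if ! grep -Eq '^[[:space:]]*user[[:space:]]' "$conf"; then
        echo "no 'user' directive: daemon will keep root privileges"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

Run it as `check_openvpn_conf /etc/openvpn/server.conf` from any directory; a non-zero exit status means at least one finding was printed.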