Table des matières

OpenVPN

Serveur

Installation

apt install openvpn openssl easy-rsa

Initialisation des certificats

Copie des utilitaires de certificat RSA: 

cp -R /usr/share/easy-rsa/* /etc/openvpn/server/

renseigner les informations de l'autorité de certification: 

cd /etc/openvpn/server

Ajuster les variables: 

vim vars

Insérer le contenu suivant: 

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="myhost.mydomain"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"

Copier le fichier de conf openssl: 

cp openssl-1.0.0.cnf openssl.cnf

Charger les variables: 

. ./vars

Message attendu: 

NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/server/keys

Nettoyage de l'existant: 

./clean-all

Création du certificat : 

./build-ca

Resultat et réponses à donner: 

Generating a RSA private key
.................+++++
..............+++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [myhost.mydomain]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [zweb.zikossworld.com CA]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:

Générer la clé serveur: 

./build-key-server server

:!: mêmez réponses à donner que plus haut avec quelques éléments supplémentaires: 

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

...

Certificate is to be certified until May 27 10:52:54 2030 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Générer la clé client: 

./build-key client1

Générer les paramètres Diffie-Hellman : 

./build-dh
ln -s /etc/openvpn/server/keys/ /etc/openvpn

Configuration

Créer et éditer le fichier de configuration du serveur: 

vim /etc/openvpn/server.conf

Insérer le contenu suivant: 

# OpenVPN listen port
port 444
# Protocol
proto tcp
# Interface
dev tun

# Path to certificates
ca server/keys/ca.crt
cert server/keys/server.crt
key server/keys/server.key
dh server/keys/dh2048.pem

# VPN network
server 10.8.0.0 255.255.255.0

# Other settings
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

# On définit le serveur VPN comme passerelle par défaut pour les clients.
push "redirect-gateway def1"
push "route 10.9.8.0 255.255.252.0"

# Default DNS for VPN clients
push "dhcp-option DNS 8.8.8.8"

Tester la conf du serveur VPN voir si ça démarre : 

cd /etc/openvpn
openvpn server.conf