- Contents
- OpenVpn Server
- Linux OpenVpn client
- Windows OpenVpn client
- Notes
OpenVpn Server¶
VPN Prerequisites¶
We need openvpn, openssl and iptables:
apt-get install openvpn
apt-get install openssl
apt-get install iptables
Configuration¶
/etc/openvpn/server.conf
mode server
tls-server
# for Linux clients use tun, for Windows clients use tap
dev tap0
# Windows clients use port 1195, Linux clients use 1194
port 1195
# cipher and HMAC; the clients must use the same values.
# BF-CBC is a 64-bit block cipher (SWEET32) and is no longer an OpenVPN default,
# so prefer AES-256-GCM or AES-256-CBC on any server built today
cipher BF-CBC
auth SHA1
# CA certificate, server certificate and server private key. easy-rsa writes them
# to /etc/openvpn/easy-rsa/keys/, copy them to the paths given here.
# ca must be the CA certificate (ca.crt), never the server certificate
ca /etc/openvpn/ca.crt
dh /etc/openvpn/dh1024.pem
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
# openvpn gateway address
ifconfig 10.8.1.1 255.255.255.0
# push DNS entries to the openvpn client (IP of the LAN DNS server)
push "dhcp-option DNS 192.168.11.250"
push "dhcp-option WINS 192.168.11.250"
# IP range for openvpn clients
ifconfig-pool 10.8.1.2 10.8.1.11 255.255.255.0
# push the gateway used for pushed routes and the LAN route to the client
push "route-gateway 10.8.1.1"
push "route 192.168.11.0 255.255.255.0"
# per-client settings (fixed IP etc.), one file per certificate Common Name
client-config-dir /etc/openvpn/clients
persist-tun
persist-key
mute-replay-warnings
# ping every 10 seconds, treat the peer as down after 120 seconds without a reply
keepalive 10 120
# lets VPN clients reach each other directly
client-to-client
comp-lzo
For the configuration we will use the sample files shipped with the package (the target directory must exist before cp is run with several sources):
mkdir -p /etc/openvpn/easy-rsa
cp -a /usr/share/doc/openvpn/examples/* /etc/openvpn/easy-rsa
cp -a /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa
We set the variables used for certificate generation, which saves retyping them for every certificate (the fbde setup is used as the example). Note that the shipped vars file sets KEY_SIZE=1024, which is what the outputs below show; 1024-bit RSA is no longer considered safe, so set KEY_SIZE=2048 or larger before running build-ca.
/etc/openvpn/easy-rsa/vars
export KEY_COUNTRY=DE
export KEY_PROVINCE=Oberhausen
export KEY_CITY=Oberhausen
export KEY_ORG="fuel-boss.de"
export KEY_EMAIL="cs@bring.out.ba"
/etc/openvpn/easy-rsa# source ./vars
/etc/openvpn/easy-rsa# ./clean-all
Certificate generation¶
Server-side certificates¶
If the variables were set correctly and the samples installed, we can generate the certificates
/etc/openvpn/easy-rsa# ./build-ca
Generating a 1024 bit RSA private key
...................++++++
...............++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Oberhausen]:
Locality Name (eg, city) [Oberhausen]:
Organization Name (eg, company) [fuel-boss.de]:
Organizational Unit Name (eg, section) []:fbde
Common Name (eg, your name or your server's hostname) [fuel-boss.de CA]:
Email Address [cs@bring.out.ba]:
/etc/openvpn/easy-rsa# ./build-key-server router-back.fuel-boss.de
Generating a 1024 bit RSA private key
.....++++++
........................++++++
writing new private key to 'router-back.fuel-boss.de.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Oberhausen]:
Locality Name (eg, city) [Oberhausen]:
Organization Name (eg, company) [fuel-boss.de]:
Organizational Unit Name (eg, section) []:fbde
Common Name (eg, your name or your server's hostname) [router-back.fuel-boss.de]:
Email Address [cs@bring.out.ba]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'Oberhausen'
localityName          :PRINTABLE:'Oberhausen'
organizationName      :PRINTABLE:'fuel-boss.de'
organizationalUnitName:PRINTABLE:'fbde'
commonName            :PRINTABLE:'router-back.fuel-boss.de'
emailAddress          :IA5STRING:'cs@bring.out.ba'
Certificate is to be certified until Aug  5 10:27:32 2019 GMT (3650 days)
Sign the certificate? [y/n]:yes
1 out of 1 certificate requests certified, commit? [y/n]yes
Write out database with 1 new entries
Data Base Updated
Diffie-Hellman pem file¶
/etc/openvpn/easy-rsa# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.......................+.......+..........+........++*++*++*
Client certificates¶
/etc/openvpn/easy-rsa# ./build-key amir_smajic
Generating a 1024 bit RSA private key
...++++++
.....++++++
writing new private key to 'amir_smajic.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Oberhausen]:
Locality Name (eg, city) [Oberhausen]:
Organization Name (eg, company) [fuel-boss.de]:
Organizational Unit Name (eg, section) []:fbde
Common Name (eg, your name or your server's hostname) [amir_smajic]:
Email Address [cs@bring.out.ba]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'Oberhausen'
localityName          :PRINTABLE:'Oberhausen'
organizationName      :PRINTABLE:'fuel-boss.de'
organizationalUnitName:PRINTABLE:'fbde'
commonName            :T61STRING:'amir_smajic'
emailAddress          :IA5STRING:'cs@bring.out.ba'
Certificate is to be certified until Aug  5 10:28:34 2019 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Per-client parameters on the server (IP address, netmask)¶
The file lives in the client-config-dir and its name must be exactly the client certificate's Common Name, here /etc/openvpn/clients/amir_smajic:
ifconfig-push 10.8.1.2 255.255.255.0
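The server.conf and the easy-rsa steps above are easy to get subtly wrong (a ca line that points at the server certificate, the 1024-bit defaults, no tls-auth). The following is an added example, not code from the original wiki page: a small POSIX sh linter that reads a server.conf and reports those problems, shown against a trimmed copy of the page's own config and against a corrected one. The file paths, the ta.key name and the AES/SHA256 choices in the hardened config are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not code from the original wiki page): a linter for
# /etc/openvpn/server.conf using only sed/awk/grep, so it runs without OpenVPN.
# Config text is read from stdin so it works on files and on command output.

# conf_get DIRECTIVE: first argument of DIRECTIVE in $text, comments ignored
conf_get() {
    printf '%s\n' "$text" | sed 's/#.*//' | awk -v k="$1" '$1 == k { print $2; exit }'
}

# lint_openvpn_conf < server.conf: one finding per line; exit status = number of findings
lint_openvpn_conf() {
    text=$(cat)
    n=0
    ca=$(conf_get ca); cert=$(conf_get cert); key=$(conf_get key)
    dh=$(conf_get dh); cipher=$(conf_get cipher)
    # 'ca' must be the CA certificate; pointing it at the server certificate
    # makes client certificate verification fail
    if [ -n "$ca" ] && [ "$ca" = "$cert" ]; then
        echo "ca and cert both point to $ca; ca must be the CA certificate (ca.crt)"
        n=$((n + 1))
    fi
    # a key path equal to a certificate path is a copy/paste error
    if [ -n "$key" ] && { [ "$key" = "$cert" ] || [ "$key" = "$ca" ]; }; then
        echo "key reuses a certificate path ($key)"
        n=$((n + 1))
    fi
    # Blowfish, DES/3DES and CAST5 have 64-bit blocks (SWEET32); BF-CBC is also
    # what OpenVPN 2.3 and older use when no cipher line is present
    c=${cipher:-BF-CBC}
    case "$c" in
        BF-*|DES-*|CAST5-*)
            echo "cipher $c has a 64-bit block; use AES-256-GCM or AES-256-CBC"
            n=$((n + 1)) ;;
    esac
    # easy-rsa 2.0 writes dh1024.pem with its default KEY_SIZE; too small today
    case "$dh" in
        *dh512*|*dh1024*)
            echo "dh parameters $dh are too small; build 2048-bit ones (KEY_SIZE=2048 in vars)"
            n=$((n + 1)) ;;
    esac
    # without tls-auth/tls-crypt anyone who can send UDP to the port reaches the
    # TLS handshake; with the HMAC key such packets are dropped early
    if ! printf '%s\n' "$text" | grep -Eq '^[[:space:]]*(tls-auth|tls-crypt)[[:space:]]'; then
        echo "no tls-auth/tls-crypt: add 'tls-auth ta.key 0' (openvpn --genkey --secret ta.key)"
        n=$((n + 1))
    fi
    # compression on a TLS VPN lets an attacker who controls part of the
    # plaintext recover secrets (VORACLE); 'comp-lzo no' is not flagged
    if printf '%s\n' "$text" | grep -Eq '^[[:space:]]*(comp-lzo([[:space:]]*$|[[:space:]]+(yes|adaptive))|compress[[:space:]]+(lzo|lz4|lz4-v2))'; then
        echo "compression enabled: it leaks plaintext (VORACLE); prefer no compression"
        n=$((n + 1))
    fi
    return "$n"
}

# trimmed copy of the page's server.conf (constructed for the demo)
sample_server_conf() {
cat <<'EOF'
dev tap0
port 1195
cipher BF-CBC
auth SHA1
ca /etc/openvpn/server.crt
dh /etc/openvpn/dh1024.pem
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
comp-lzo
EOF
}

# the same config with every finding fixed (assumed file names)
hardened_server_conf() {
cat <<'EOF'
dev tap0
port 1195
cipher AES-256-GCM
auth SHA256
tls-auth /etc/openvpn/ta.key 0
ca /etc/openvpn/ca.crt
dh /etc/openvpn/dh2048.pem
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
EOF
}

echo "== server.conf as written on the page"
sample_server_conf | lint_openvpn_conf || echo "$? finding(s)"
echo "== hardened server.conf"
hardened_server_conf | lint_openvpn_conf && echo "clean"
```

Run it against the real file with `lint_openvpn_conf < /etc/openvpn/server.conf`; the exit status is the number of findings, so it can gate a deployment script. The ta.key it suggests must be copied to every client and referenced there with `tls-auth ta.key 1`.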
OpenVpn server inside an OpenVZ container¶
Everything above still applies, but additional steps are needed on the OpenVZ host and inside the container
Prerequisites¶
We need bridge-utils, the kernel modules vzethdev and tun, and the vznetaddbr script
apt-get install bridge-utils
lsmod | grep vzeth
vzethdev               23424  0
vzmon                  53264  12 vzethdev,vznetdev,vzrst,vzcpt
vzdev                  12552  6 vzethdev,vznetdev,vzdquota,vzmon
lsmod | grep tun
tun                    23040  2 vzrst,vzcpt
vznetaddbr is attached to this wiki page
Configuring the OpenVZ host and the container¶
Configuring the br0 > eth0 bridge¶
eth0 becomes a port of br0, and br0 takes over the host's address
/etc/network/interfaces
auto lo eth0
iface lo inet loopback

# eth0 carries no address of its own once bridged; it is only a port of br0
iface eth0 inet manual

auto br0
iface br0 inet static
    address 192.168.11.7
    netmask 255.255.255.0
    broadcast 192.168.11.255
    network 192.168.11.0
    gateway 192.168.11.254
    bridge_ports eth0
    bridge_stp off
    bridge_maxwait 5
restart networking
/etc/init.d/networking restart
if all is OK
brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.001b783940b7       no              eth0
Configuring eth0 inside the container¶
We add an eth0 (veth) device inside the container, which replaces the venet-assigned address
vzctl set 606 --netif_add eth0 --save
Configure veth devices: veth606.0
Saved parameters for VE 606
delete the container's current IP address
vzctl set 606 --ipdel 192.168.11.23 --save
Deleting IP address(es): 192.168.11.23
Saved parameters for VE 606
Now that the container has an eth0, we assign it an IP address (inside the container)
/etc/network/interfaces
auto eth0
iface eth0 inet static
    address 192.168.11.23
    netmask 255.255.255.0
    gateway 192.168.11.254
bridge br0 > veth606.0, i.e. the container's eth0 (all operations are performed on the OpenVZ host)¶
Copy the attached vznetaddbr to /usr/sbin/
/etc/vz# vi vznet.conf
#!/bin/bash
EXTERNAL_SCRIPT="/usr/sbin/vznetaddbr"
vi /etc/vz/conf/606.conf
IP_ADDRESS=""
CONFIG_CUSTOMIZED="yes"
VZHOSTIF="veth606.0"
VZHOSTBR="br0"
add veth606.0 to bridge br0
brctl addif br0 veth606.0
if all is OK we see eth0 in bridge br0 as well as veth606.0, which is the container's eth0
brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.001851b4eae7       no              eth0
                                                        veth606.0
after this we stop container 606 and enable the iptables modules for it (they take effect on the next start)
vzctl set 606 --iptables ipt_REJECT --iptables ipt_tos --iptables ipt_TOS \
  --iptables ipt_LOG --iptables ip_conntrack --iptables ipt_limit \
  --iptables ipt_multiport --iptables iptable_filter --iptables iptable_mangle \
  --iptables ipt_TCPMSS --iptables ipt_tcpmss --iptables ipt_ttl \
  --iptables ipt_length --iptables ipt_state --iptables iptable_nat \
  --iptables ip_nat_ftp --save
if even after this we cannot reach the other hosts on the LAN but can reach the VPN server, add the following on the host
/etc/vz/vz.conf
IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT"
What remains is to enable IP forwarding and NAT inside the container so that VPN clients can reach the local network; the simplest place for this is rc.local. The LAN hosts have no route back to 10.8.1.0/24, which is why traffic from VPN clients is SNATed to the container's own address.
/etc/rc.local
# source-NAT traffic bound for the LAN to the container's address so LAN hosts
# reply to 192.168.11.23 instead of needing a route to 10.8.1.0/24.
# Adding -s 10.8.1.0/24 limits the rule to the VPN client pool
iptables -t nat -A POSTROUTING -d 192.168.11.0/24 -j SNAT --to 192.168.11.23
echo 1 > /proc/sys/net/ipv4/ip_forward
Linux OpenVpn client¶
install openvpn
sudo apt-get install openvpn
set up client.conf (this example connects to a different, tun-based server on port 1194 than the tap server configured above)
/etc/openvpn$ vi client.conf
client
dev tun
proto udp
# openvpn server - port
remote officesa.sigma-com.net 1194
resolv-retry infinite
pull
comp-lzo
nobind
persist-key
persist-tun
# location of the keys
ca /etc/openvpn/bring.out.ba.crt
cert /etc/openvpn/bjasko.crt
key /etc/openvpn/bjasko.key
ping 60
sudo invoke-rc.d openvpn restart
if all is OK
ifconfig
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.179  P-t-P:10.8.0.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
What remains is to add a route to the network we reach through the VPN; this can be put in /etc/rc.local (the server could also push it, as the tap server above does with push "route ...")
# openvpn officesa route
route add -net 192.168.45.0 netmask 255.255.255.0 gateway 10.8.0.179 dev tun0
check
bjasko@bjasko-jaunty-904:/etc/openvpn$ ip route show
10.8.0.1 dev tun0  proto kernel  scope link  src 10.8.0.179
192.168.45.0/24 via 10.8.0.179 dev tun0  scope link
OK
Windows OpenVpn client¶
Install OpenVPN GUI for Windows
Set up the client config.
The location is:
C:\Program Files\OpenVPN\config
The name does not matter but the extension must be .ovpn, e.g.
amir.ovpn
client
dev tap
proto udp
comp-lzo
remote zimbra.fuel-boss.de 1195
resolv-retry infinite
pull
nobind
persist-key
persist-tun
# location of the generated client certificates
ca C:\\cert\\ca.crt
cert C:\\cert\\amir_smajic.crt
key C:\\cert\\amir_smajic.key
ping 60
That is all; Windows handles the routing itself (the server pushes the LAN route). Whether it is OK can be checked with
C:\Documents and Settings\jolly>route print 192.168.11.0
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
      192.168.11.0    255.255.255.0         10.8.1.1        10.8.1.2       1
Default Gateway:       192.168.1.1
===========================================================================
C:\Documents and Settings\jolly>ping 192.168.11.6
Pinging 192.168.11.6 with 32 bytes of data:

Reply from 192.168.11.6: bytes=32 time=107ms TTL=64
Reply from 192.168.11.6: bytes=32 time=90ms TTL=64
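Both client configs above (the Linux client.conf and the Windows .ovpn) point at three separate ca/cert/key files that have to be copied next to the config. As an added example that is not part of the original page, the script below builds one self-contained .ovpn with the certificates and key inline and refuses to emit a bundle when a file is missing or the key is not a PEM private key. The function name make_ovpn, its arguments and the placeholder PEM files in the demo are assumptions made for the example; the cipher/auth lines are deliberately left out so they can be matched to the server being used.

```shell
#!/bin/sh
# Added example (not code from the original page): build one self-contained
# client profile with CA certificate, client certificate and private key inline
# instead of the three separate ca/cert/key paths used by the configs above.
# Inline <ca>/<cert>/<key> blocks are supported since OpenVPN 2.1 and work with
# the Linux daemon and OpenVPN GUI alike, so one .ovpn file is all a user needs.
#
# make_ovpn CN SERVER PORT DEV KEYDIR
#   CN      common name given to ./build-key (also the ccd file name), e.g. amir_smajic
#   SERVER  host the client connects to, e.g. zimbra.fuel-boss.de
#   PORT    1195 for the tap server above, 1194 for a tun server
#   DEV     tap or tun; must match the server's dev line
#   KEYDIR  directory holding ca.crt, CN.crt and CN.key (easy-rsa's keys/ directory)
# Prints the profile on stdout; returns 1 when a file is missing, the key is not
# a PEM private key, or DEV is not tun/tap, so a broken bundle is never handed out.
make_ovpn() {
    cn=$1 server=$2 port=$3 dev=$4 keydir=$5
    case "$dev" in
        tun|tap) ;;
        *) echo "make_ovpn: dev must be tun or tap, got '$dev'" >&2; return 1 ;;
    esac
    for f in "$keydir/ca.crt" "$keydir/$cn.crt" "$keydir/$cn.key"; do
        if [ ! -r "$f" ]; then
            echo "make_ovpn: cannot read $f" >&2
            return 1
        fi
    done
    if ! grep -q 'PRIVATE KEY-----' "$keydir/$cn.key"; then
        echo "make_ovpn: $keydir/$cn.key does not look like a PEM private key" >&2
        return 1
    fi
    # cipher/auth are not set here on purpose: add the same cipher and auth
    # lines as the server (BF-CBC/SHA1 on the page's server) or leave both unset
    cat <<EOF
client
dev $dev
proto udp
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
# only accept a peer whose certificate was made with build-key-server,
# so another client certificate cannot impersonate the server
remote-cert-tls server
ping 60
<ca>
$(cat "$keydir/ca.crt")
</ca>
<cert>
$(cat "$keydir/$cn.crt")
</cert>
<key>
$(cat "$keydir/$cn.key")
</key>
EOF
}

# demo_keydir: a temporary directory with constructed placeholder PEM files
# (not real keys) so the script runs stand-alone; use easy-rsa/keys in practice
demo_keydir() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CAFAKE' '-----END CERTIFICATE-----' > "$d/ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CLIENTFAKE' '-----END CERTIFICATE-----' > "$d/amir_smajic.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'KEYFAKE' '-----END RSA PRIVATE KEY-----' > "$d/amir_smajic.key"
    echo "$d"
}

d=$(demo_keydir)
make_ovpn amir_smajic zimbra.fuel-boss.de 1195 tap "$d"
rm -rf "$d"
```

Redirect the output to amir.ovpn and drop it into C:\Program Files\OpenVPN\config (Windows) or rename it to /etc/openvpn/client.conf (Linux). The file now contains the private key, so treat it like the .key file itself: chmod 600 on Linux, and hand it to the user over a channel you would trust with a password.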
Notes¶
In addition to the above, the required ports must be opened on the firewall in front of the OpenVpn server: UDP 1194 (tun, Linux clients) and UDP 1195 (tap, Windows clients)