OpenVPN server on Linux
This tutorial covers setting up an OpenVPN server on Linux.
It was written for Gentoo but adapts easily to other distributions.
Other articles about OpenVPN on this site can be found under the following link:
Articles tagged "openvpn"
Dependencies
- Kernel with tun/tap support:
- CONFIG_TUN=y
- Kernel with AES crypto support:
- CONFIG_CRYPTO_AES=y
System
Traffic between VPN clients is relayed inside OpenVPN by the client-to-client directive used in the configuration below. Enable kernel IP forwarding if VPN traffic must also be routed to networks behind the server, or if you leave client-to-client out and let the kernel (and thus the firewall) route between clients instead. Forwarding applies to every interface, so pair it with firewall rules. Add the following line to /etc/sysctl.conf:
net.ipv4.ip_forward = 1
then run:
sysctl -p
Installing OpenVPN
On Gentoo, install net-misc/openvpn with the iproute2 USE flag:
# grep net-misc/openvpn /etc/portage/package.use
net-misc/openvpn iproute2
# emerge -av openvpn
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild  N    ] sys-apps/iproute2-2.6.26-r2  USE="berkdb -atm -minimal" 352 kB
[ebuild  N    ] net-misc/openvpn-2.0.7-r2  USE="iproute2 pam ssl -examples -minimal -passwordsave (-selinux) -static -threads" 0 kB
Total: 2 packages (1 new, 1 reinstall), Size of downloads: 352 kB
Would you like to merge these packages? [Yes/No]
Create the unprivileged account that OpenVPN will run as (no login shell, no password: it only exists so the daemon can drop root):
groupadd vpn
useradd -g vpn -s /bin/false -d /etc/openvpn vpn
Copy the easy-rsa helper scripts, which simplify key and certificate creation, into /etc/openvpn so that a package upgrade does not overwrite your edits:
cp -R /usr/share/openvpn/easy-rsa/ /etc/openvpn/easy-rsa
Prepare the directory that will hold the VPN concentrator's keys:
cd /etc/openvpn
cd easy-rsa
mkdir keys
Here is the content of /etc/openvpn/easy-rsa/vars. To customise it, edit the last five lines (the KEY_* defaults). KEY_SIZE=1024 is what easy-rsa shipped with at the time; 1024-bit RSA is no longer considered adequate, so set it to 2048 before building anything, because the size is fixed into the CA, the server key and every client key and cannot be changed later without reissuing them all.
# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.

# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="`pwd`"

# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG="$EASY_RSA/openssl.cnf"

# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR="$EASY_RSA/keys"

# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm

# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="FR"
export KEY_PROVINCE="Hauts de Seine"
export KEY_CITY="Boulogne Billancourt"
export KEY_ORG="Euro Web"
export KEY_EMAIL="support@sd-france.com"
Load the variables into the environment and wipe the key directory (clean-all removes everything under KEY_DIR, so run it only once, before the CA exists):
chmod +x vars
source ./vars
./clean-all
Create the certificate authority (CA) for the server. The resulting ca.key signs every server and client certificate: only ca.crt needs to be on the VPN server, and ca.key should be kept as tightly as possible (ideally off the server altogether).
./build-ca
Generating a 1024 bit RSA private key
....++++++
..++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [FR]:
Locality Name (eg, city) [Saint-Denis]:
Organization Name (eg, company) [Euro-web]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [Euro-web CA]:srv290.sd-france.net
Email Address [support@sd-france.com]:
Now create the server's key and certificate. The argument to build-key-server (here "server") is the base name of the files the configuration below refers to (keys/server.crt, keys/server.key). Use build-key-server rather than build-key for the server: it marks the certificate with nsCertType=server, which is what lets clients check ns-cert-type server and refuse a client certificate posing as the server. The "challenge password" is a CSR attribute that OpenVPN never uses and can be left blank.
srv290 easy-rsa # ./build-key-server server
Generating a 1024 bit RSA private key
............++++++
.........++++++
writing new private key to 'euro-web.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [FR]:
Locality Name (eg, city) [Saint-Denis]:
Organization Name (eg, company) [Euro-web]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [euro-web]:
Email Address [support@sd-france.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Euro-Web-r0><
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'FR'
stateOrProvinceName   :PRINTABLE:'FR'
localityName          :PRINTABLE:'Saint-Denis'
organizationName      :PRINTABLE:'Euro-web'
commonName            :PRINTABLE:'euro-web'
emailAddress          :IA5STRING:'support@sd-france.com'
Certificate is to be certified until Jun 14 11:20:00 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Diffie-Hellman parameters
Now generate the Diffie-Hellman parameters used for the key exchange between client and server:
./build-dh
The resulting file, dh1024.pem (the name follows KEY_SIZE, so dh2048.pem with 2048-bit keys, and the dh line of the configuration must match), is only needed on the server.
Generate the tls-auth key. It is not the server's private key but a shared HMAC secret: OpenVPN signs every control-channel packet with it and drops unsigned packets before any TLS processing, which shields the TLS stack from unauthenticated peers. It must therefore be copied to every client as well as the server, and protected like a private key.
openvpn --secret /etc/openvpn/easy-rsa/keys/ta.key --genkey
Configuration files (/etc/openvpn/openvpn.conf)
First of all:
ln -sv /etc/openvpn/easy-rsa/keys /etc/openvpn/keys
Create the log directory:
mkdir /var/log/openvpn/
Typical configuration of the VPN concentrator over TCP. Key paths are relative to /etc/openvpn, so the daemon must be started from that directory (the init script and the --cd option used with daemontools below take care of it). server.key and above all ta.key must be readable by root only (chmod 600); with user/group vpn and persist-key the daemon drops root after reading them and keeps them in memory across restarts.
port 1194
proto tcp-server
mode server
dev tap0
# Keys:
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 10.75.1.0 255.255.255.0
# push the route so that the other VPN clients are reachable
push "route 10.75.1.0 255.255.255.0"
# push "dhcp-option DNS 10.75.1.1"
ifconfig-pool-persist ipp.txt
float
# allow traffic between VPN clients
client-to-client
keepalive 10 120
tls-auth keys/ta.key 0 # This file is secret
cipher AES-256-CBC
max-clients 200
user vpn
group vpn
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
status-version 2
log-append /var/log/openvpn/openvpn.log
verb 4
mute 20
Typical configuration of the VPN concentrator over UDP: identical, except that proto tcp-server becomes (clients must then use proto udp as well):
proto udp  # UDP suits roaming clients better than TCP
Testing the configuration
For tests and diagnostics, run OpenVPN in the foreground from /etc/openvpn (so that the relative key paths resolve) with:
openvpn --config /etc/openvpn/openvpn.conf
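Before starting the daemon, it is worth checking the configuration file itself for the mistakes that only surface later as a refused connection or a silent security regression: a key file that is missing or world-readable, a tls-auth direction other than 0 on the server, user/group missing or set to root, persist-key missing (the unprivileged daemon then cannot re-read its keys on a SIGUSR1 restart), or a log directory that does not exist. The following script is an added example for this tutorial, not part of the page or of OpenVPN; it assumes the layout above (config in a directory, key paths relative to it, as with --cd) and builds a constructed sample tree with placeholder files in place of real keys so it can be run offline.

```shell
#!/bin/bash
# Pre-flight check of an OpenVPN server configuration, run before starting the daemon.
# Added example for this tutorial, not part of the page or of OpenVPN. It assumes the
# layout used above: the config in CONFDIR, key paths relative to it (as with --cd),
# tls-auth with direction 0 and user/group set to an unprivileged account.

# directive NAME FILE: value of the first NAME directive in FILE (comment lines start with '#')
directive() {
    awk -v k="$1" '$1 == k { print $2; exit }' "$2"
}

# check_openvpn_conf CONFDIR CONFFILE: prints one line per finding and returns
# the number of problems, so 0 means the configuration passed every check.
check_openvpn_conf() {
    confdir="$1"; conf="$confdir/$2"; problems=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }

    # 1. PKI files must exist; private material must not be readable by group/other.
    for d in ca cert key dh tls-auth; do
        v=$(directive "$d" "$conf")
        if [ -z "$v" ]; then
            echo "FAIL: no '$d' directive"; problems=$((problems + 1)); continue
        fi
        case "$v" in /*) f="$v" ;; *) f="$confdir/$v" ;; esac
        if [ ! -f "$f" ]; then
            echo "FAIL: $d file $f not found"; problems=$((problems + 1)); continue
        fi
        case "$d" in key|tls-auth)
            # columns 5-10 of 'ls -l' are the group/other bits; "------" means 0600 or stricter
            case "$(ls -ld "$f" | cut -c5-10)" in
                ------) ;;
                *) echo "FAIL: $f is readable by group/other (chmod 600 it)"; problems=$((problems + 1)) ;;
            esac ;;
        esac
    done

    # 2. tls-auth key direction: 0 on the server, 1 on every client.
    kd=$(awk '$1 == "tls-auth" { print $3; exit }' "$conf")
    [ "$kd" = "0" ] || { echo "FAIL: tls-auth direction is '${kd:-unset}', expected 0"; problems=$((problems + 1)); }

    # 3. The daemon must drop root after reading the keys.
    for d in user group; do
        v=$(directive "$d" "$conf")
        case "$v" in ""|root) echo "FAIL: '$d' is '${v:-unset}'"; problems=$((problems + 1)) ;; esac
    done
    # without persist-key a restart (SIGUSR1) fails: the unprivileged user cannot re-read the keys
    grep -q '^persist-key' "$conf" || { echo "FAIL: persist-key missing"; problems=$((problems + 1)); }

    # 4. Status and log destinations must live in existing directories.
    for d in status log-append; do
        v=$(directive "$d" "$conf")
        if [ -n "$v" ] && [ ! -d "$(dirname "$v")" ]; then
            echo "FAIL: directory $(dirname "$v") for '$d' does not exist"; problems=$((problems + 1))
        fi
    done

    echo "$problems problem(s) found"
    return "$problems"
}

# make_sample_tree DIR: a constructed tree mirroring the tutorial (placeholder files in
# place of real keys) so the check can be exercised offline.
make_sample_tree() {
    mkdir -p "$1/keys" "$1/log"
    for f in ca.crt server.crt server.key dh1024.pem ta.key; do
        echo "placeholder for $f" > "$1/keys/$f"
    done
    chmod 600 "$1/keys/server.key" "$1/keys/ta.key"
    cat > "$1/openvpn.conf" <<EOF
port 1194
proto tcp-server
dev tap0
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 10.75.1.0 255.255.255.0
client-to-client
tls-auth keys/ta.key 0
cipher AES-256-CBC
user vpn
group vpn
persist-key
persist-tun
status $1/log/openvpn-status.log
status-version 2
log-append $1/log/openvpn.log
EOF
}

demo=$(mktemp -d)
make_sample_tree "$demo"
check_openvpn_conf "$demo" openvpn.conf          # 0 problem(s) found
chmod 644 "$demo/keys/server.key"                # simulate a careless copy of the key
check_openvpn_conf "$demo" openvpn.conf || true  # FAIL: ... readable by group/other
rm -rf "$demo"
```

Against the real installation, run `check_openvpn_conf /etc/openvpn openvpn.conf` as root; a non-zero exit status is meant to stop a deployment script before `/etc/init.d/openvpn start`. The permission test deliberately reads the group/other bits from `ls -l` rather than `stat`, whose flags differ between GNU and BSD userlands.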
Starting OpenVPN through the init scripts
Once the tests are conclusive, start OpenVPN cleanly with:
/etc/init.d/openvpn start
To start OpenVPN at boot (on Gentoo):
rc-update add openvpn default
Running OpenVPN as a daemontools service
Running OpenVPN as a daemontools service replaces starting it through the init scripts; do not enable both.
Follow these links for more information about daemontools and daemons:
Articles tagged "daemontools"
Articles tagged "daemon"
The run script discards the service's stdout and stderr (the daemon logs to /var/log/openvpn/openvpn.log through log-append), waits two seconds so that a crashing service does not respawn in a tight loop, then hands over to run_svc, which starts openvpn in the foreground from /etc/openvpn (no --daemon: supervise expects the process to stay attached).
mkdir /root/openvpn-server
cd /root/openvpn-server

cat >/root/openvpn-server/run <<'EOF'
#!/bin/bash
exec >/dev/null 2>&1
sleep 2
exec ./run_svc
EOF

cat >/root/openvpn-server/run_svc <<'EOF'
#!/bin/bash
cd /etc/openvpn
exec /usr/sbin/openvpn --config /etc/openvpn/openvpn.conf --writepid /var/run/openvpn.pid --cd /etc/openvpn
EOF

chmod 700 /root/openvpn-server/run
chmod 700 /root/openvpn-server/run_svc
ln -s /root/openvpn-server /service/openvpn-server
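Once the server is running under either method, the file named by the status directive (rewritten every minute, in the comma-separated status-version 2 layout) is the quickest way to see who is connected and from where. The script below is an added example for this tutorial, not part of the page or of OpenVPN: it lists the connected clients and flags common names that are in use from several real addresses at once. The sample status file is constructed (documentation address ranges, common names from this tutorial) and, for the second function to have something to show, assumes a server with duplicate-cn set; the tutorial's configuration does not set it, in which case a second session with the same CN replaces the first instead of coexisting with it. Later OpenVPN releases add columns to CLIENT_LIST, so the columns are looked up by name from the HEADER line rather than by fixed position.

```shell
#!/bin/bash
# Reading the file written by "status /var/log/openvpn/openvpn-status.log" with
# "status-version 2". Added example for this tutorial, not part of the page or of
# OpenVPN. The sample below is constructed, not real log output.

# vpn_clients FILE: one line per connected client: common name, real address, virtual address
vpn_clients() {
    awk -F, '
        $1 == "HEADER" && $2 == "CLIENT_LIST" {
            # HEADER has one extra leading field, so HEADER column i is field i-1 of a CLIENT_LIST line
            for (i = 3; i <= NF; i++) col[$i] = i - 1
            next
        }
        $1 == "CLIENT_LIST" && ("Common Name" in col) {
            print $(col["Common Name"]), $(col["Real Address"]), $(col["Virtual Address"])
        }' "$1"
}

# shared_certs FILE: common names connected from more than one real address at the same
# time. Only possible when the server allows duplicate-cn; it shows which certificate
# and key are in use in several places, which is also what a copied key looks like.
shared_certs() {
    vpn_clients "$1" | awk '{ seen[$1]++ } END { for (cn in seen) if (seen[cn] > 1) print cn }' | sort
}

# write_sample_status FILE: constructed status-version 2 content (addresses from the
# documentation ranges, common names from this tutorial), not real log output.
write_sample_status() {
    cat > "$1" <<'EOF'
TITLE,OpenVPN status (constructed sample)
TIME,Thu Jun 14 12:00:00 2018,1528977600
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t)
CLIENT_LIST,premier-client-vpn,203.0.113.5:51234,10.75.1.6,123456,7890123,Thu Jun 14 11:55:00 2018,1528977300
CLIENT_LIST,deuxieme-client-vpn,198.51.100.7:1194,10.75.1.7,2048,4096,Thu Jun 14 11:58:00 2018,1528977480
CLIENT_LIST,deuxieme-client-vpn,192.0.2.9:40001,10.75.1.8,512,1024,Thu Jun 14 11:59:30 2018,1528977570
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.75.1.6,premier-client-vpn,203.0.113.5:51234,Thu Jun 14 11:59:00 2018,1528977540
GLOBAL_STATS,Max bcast/mcast queue length,0
END
EOF
}

sample=$(mktemp)
write_sample_status "$sample"
echo "connected clients (CN, real address, virtual address):"
vpn_clients "$sample"
echo "common names connected from several addresses at once:"
shared_certs "$sample"
rm -f "$sample"
```

On the server itself, `vpn_clients /var/log/openvpn/openvpn-status.log` gives the live view; feeding the output to a cron job that compares each CN's real address with the previous run is a cheap way to notice a certificate that starts turning up from an unexpected network.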
Creating user certificates
Each client gets its own certificate, built with build-key (not build-key-server: a client certificate must not carry the server nsCertType, otherwise its holder could pose as the server to the other clients). The user then needs premier-client-vpn.crt, premier-client-vpn.key, ca.crt and ta.key, delivered over a secure channel; the private key generated here is not needed on the server once handed over, so delete it from the keys directory (or let the user generate the key and send a request, using the build-req and sign-req scripts that easy-rsa also provides).
# ./build-key premier-client-vpn
Generating a 1024 bit RSA private key
....++++++
...................................................................++++++
writing new private key to 'premier-client-vpn.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [FR]:
Locality Name (eg, city) [Saint-Denis]:
Organization Name (eg, company) [Euro-web]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [premier-client-vpn]:
Email Address [support@sd-france.com]:adresse-email.du.user@sondomaine.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'FR'
stateOrProvinceName   :PRINTABLE:'FR'
localityName          :PRINTABLE:'Saint-Denis'
organizationName      :PRINTABLE:'Euro-web'
commonName            :PRINTABLE:'premier-client-vpn'
emailAddress          :IA5STRING:'adresse-email.du.user@sondomaine.com'
Certificate is to be certified until Jun 14 14:20:03 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
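The four files handed to the user are only useful together with a client configuration that mirrors the server settings above: proto tcp-client against the server's tcp-server, dev tap, the same cipher (OpenVPN 2.0 does not negotiate it), tls-auth key direction 1 against the server's 0, and ns-cert-type server so that the client only trusts a certificate issued with build-key-server. The script below is an added example for this tutorial, not part of the page or of easy-rsa; it assembles such a configuration with the certificates, the key and ta.key inlined, stripping the human-readable dump that easy-rsa puts in front of the PEM in .crt files. It assumes the easy-rsa keys directory above, a placeholder server name and port, and a client running OpenVPN 2.1 or later (inline blocks); for a 2.0 client ship the four files beside the config and use the ca, cert, key and tls-auth file directives instead. The placeholder key files it builds for the offline run are constructed and are not real keys.

```shell
#!/bin/bash
# Build the configuration file a user needs to connect to the TCP/tap server of this
# tutorial, with the CA certificate, the user's certificate and key, and the shared
# ta.key inlined. Added example for this tutorial, not part of the page or of easy-rsa.
# Assumes keys in KEYDIR as produced by easy-rsa, the server at SERVER:PORT
# (placeholders), and a client running OpenVPN 2.1 or later (inline blocks).

# pem_block FILE LABEL: print only the PEM block. easy-rsa .crt files start with a
# human-readable dump of the certificate that must not be copied into the config.
pem_block() {
    sed -n "/^-----BEGIN $2-----$/,/^-----END $2-----$/p" "$1"
}

# make_client_config KEYDIR CN SERVER PORT OUTFILE: writes OUTFILE (mode 600) or
# returns 1 if any of the four input files is missing.
make_client_config() {
    keydir="$1"; cn="$2"; server="$3"; port="$4"; out="$5"
    for f in ca.crt "$cn.crt" "$cn.key" ta.key; do
        [ -r "$keydir/$f" ] || { echo "missing $keydir/$f" >&2; return 1; }
    done
    (
        umask 077   # the file embeds a private key: owner-readable only
        {
            echo "client"
            echo "dev tap"                 # the server uses dev tap0
            echo "proto tcp-client"        # counterpart of the server's proto tcp-server
            echo "remote $server $port"
            echo "nobind"
            echo "persist-key"
            echo "persist-tun"
            echo "cipher AES-256-CBC"      # OpenVPN 2.0 does not negotiate: must equal the server's
            echo "ns-cert-type server"     # only trust a certificate made with build-key-server
            echo "key-direction 1"         # the server's tls-auth line uses direction 0
            echo "verb 3"
            echo "<ca>";        pem_block "$keydir/ca.crt" CERTIFICATE;    echo "</ca>"
            echo "<cert>";      pem_block "$keydir/$cn.crt" CERTIFICATE;   echo "</cert>"
            echo "<key>";       cat "$keydir/$cn.key";                     echo "</key>"
            echo "<tls-auth>";  cat "$keydir/ta.key";                      echo "</tls-auth>"
        } > "$out"
    )
}

# make_fake_keys DIR CN: constructed placeholder files in the easy-rsa layout (a text
# dump before the PEM in .crt files). They are not real keys; only for running offline.
make_fake_keys() {
    mkdir -p "$1"
    for c in ca "$2"; do
        cat > "$1/$c.crt" <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXIgY2VydGlmaWNhdGU=
-----END CERTIFICATE-----
EOF
    done
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'cGxhY2Vob2xkZXIga2V5' '-----END RSA PRIVATE KEY-----' > "$1/$2.key"
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' '00112233445566778899aabbccddeeff' '-----END OpenVPN Static key V1-----' > "$1/ta.key"
}

demo=$(mktemp -d)
make_fake_keys "$demo/keys" premier-client-vpn
make_client_config "$demo/keys" premier-client-vpn vpn.example.net 1194 "$demo/premier-client-vpn.ovpn"
grep -c -- '-----BEGIN' "$demo/premier-client-vpn.ovpn"   # 4: one PEM block per section, no text dumps
rm -rf "$demo"
```

On the server, `make_client_config /etc/openvpn/easy-rsa/keys premier-client-vpn <server> 1194 premier-client-vpn.ovpn` produces a single file to hand to the user; for the UDP variant of the server, replace the proto line with proto udp. Because the file contains a private key and the tls-auth secret, treat it exactly like the .key file: send it over an authenticated channel and delete the server-side copy afterwards.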
