Différences entre versions de « Openvpn »
Aller à la navigation
Aller à la recherche
(Page créée avec « = Préparation = Dans un premier temps, il faudra avoir une connexion à Internet, utiliser un serveur DNS et désactiver SELinux. Pour ceux qui auraient manqué des ét... ») |
|||
| Ligne 13 : | Ligne 13 : | ||
= Installation = | = Installation = | ||
| + | |||
| + | <pre> | ||
| + | yum -y install openvpn easy-rsa | ||
| + | </pre> | ||
| + | |||
| + | <pre> | ||
| + | cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn | ||
| + | </pre> | ||
| + | |||
| + | <pre> | ||
| + | vi /etc/openvpn/server.conf | ||
| + | |||
| + | push "redirect-gateway def1 bypass-dhcp" | ||
| + | push "dhcp-option DNS 8.8.8.8" | ||
| + | user nobody | ||
| + | group nobody | ||
| + | </pre> | ||
| + | |||
| + | <pre> | ||
| + | mkdir -p /etc/openvpn/easy-rsa/keys | ||
| + | cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa | ||
| + | </pre> | ||
| + | |||
| + | <pre> | ||
| + | vi /etc/openvpn/easy-rsa/vars | ||
| + | |||
| + | export KEY_COUNTRY="FR" | ||
| + | export KEY_PROVINCE="Hearult" | ||
| + | export KEY_CITY="Juvignac" | ||
| + | export KEY_ORG="Tala Informatique" | ||
| + | export KEY_EMAIL="root@tala.informatique.fr" | ||
| + | export KEY_OU="Informatique" | ||
| + | </pre> | ||
| + | |||
| + | <pre> | ||
| + | cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf | ||
| + | </pre> | ||
| + | |||
| + | <pre> | ||
| + | cd /etc/openvpn/easy-rsa | ||
| + | source ./vars | ||
| + | ./clean-all | ||
| + | ./build-ca | ||
| + | </pre> | ||
| + | |||
| + | <pre> | ||
| + | [root@openvpn easy-rsa]# ./build-key-server server | ||
| + | Generating a 2048 bit RSA private key | ||
| + | .............+++ | ||
| + | .........+++ | ||
| + | writing new private key to 'server.key' | ||
| + | ----- | ||
| + | You are about to be asked to enter information that will be incorporated | ||
| + | into your certificate request. | ||
| + | What you are about to enter is what is called a Distinguished Name or a DN. | ||
| + | There are quite a few fields but you can leave some blank | ||
| + | For some fields there will be a default value, | ||
| + | If you enter '.', the field will be left blank. | ||
| + | ----- | ||
| + | Country Name (2 letter code) [FR]: | ||
| + | State or Province Name (full name) [Herault]: | ||
| + | Locality Name (eg, city) [Juvignac]: | ||
| + | Organization Name (eg, company) [Tala Informatique]: | ||
| + | Organizational Unit Name (eg, section) [Informatique]: | ||
| + | Common Name (eg, your name or your server's hostname) [server]: | ||
| + | Name [EasyRSA]: | ||
| + | Email Address [root@tala.informatique.fr]: | ||
| + | |||
| + | Please enter the following 'extra' attributes | ||
| + | to be sent with your certificate request | ||
| + | A challenge password []: | ||
| + | An optional company name []: | ||
| + | Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf | ||
| + | Check that the request matches the signature | ||
| + | Signature ok | ||
| + | The Subject's Distinguished Name is as follows | ||
| + | countryName :PRINTABLE:'FR' | ||
| + | stateOrProvinceName :PRINTABLE:'Herault' | ||
| + | localityName :PRINTABLE:'Juvignac' | ||
| + | organizationName :PRINTABLE:'Tala Informatique' | ||
| + | organizationalUnitName:PRINTABLE:'Informatique' | ||
| + | commonName :PRINTABLE:'server' | ||
| + | name :PRINTABLE:'EasyRSA' | ||
| + | emailAddress :IA5STRING:'root@tala.informatique.fr' | ||
| + | Certificate is to be certified until Oct 14 17:16:17 2025 GMT (3650 days) | ||
| + | Sign the certificate? [y/n]:y | ||
| + | |||
| + | |||
| + | 1 out of 1 certificate requests certified, commit? [y/n]y | ||
| + | Write out database with 1 new entries | ||
| + | Data Base Updated | ||
| + | </pre> | ||
| + | |||
| + | <pre> | ||
| + | ./build-dh | ||
| + | cd /etc/openvpn/easy-rsa/keys | ||
| + | cp dh2048.pem ca.crt server.crt server.key /etc/openvpn | ||
| + | </pre> | ||
| + | |||
| + | <pre> | ||
| + | cd /etc/openvpn/easy-rsa | ||
| + | ./build-key client | ||
| + | Generating a 2048 bit RSA private key | ||
| + | ...........+++ | ||
| + | ............+++ | ||
| + | writing new private key to 'client.key' | ||
| + | ----- | ||
| + | You are about to be asked to enter information that will be incorporated | ||
| + | into your certificate request. | ||
| + | What you are about to enter is what is called a Distinguished Name or a DN. | ||
| + | There are quite a few fields but you can leave some blank | ||
| + | For some fields there will be a default value, | ||
| + | If you enter '.', the field will be left blank. | ||
| + | ----- | ||
| + | Country Name (2 letter code) [FR]: | ||
| + | State or Province Name (full name) [Herault]: | ||
| + | Locality Name (eg, city) [Juvignac]: | ||
| + | Organization Name (eg, company) [Tala Informatique]: | ||
| + | Organizational Unit Name (eg, section) [Informatique]: | ||
| + | Common Name (eg, your name or your server's hostname) [client]: | ||
| + | Name [EasyRSA]: | ||
| + | Email Address [root@tala.informatique.fr]: | ||
| + | |||
| + | Please enter the following 'extra' attributes | ||
| + | to be sent with your certificate request | ||
| + | A challenge password []: | ||
| + | An optional company name []: | ||
| + | Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf | ||
| + | Check that the request matches the signature | ||
| + | Signature ok | ||
| + | The Subject's Distinguished Name is as follows | ||
| + | countryName :PRINTABLE:'FR' | ||
| + | stateOrProvinceName :PRINTABLE:'Herault' | ||
| + | localityName :PRINTABLE:'Juvignac' | ||
| + | organizationName :PRINTABLE:'Tala Informatique' | ||
| + | organizationalUnitName:PRINTABLE:'Informatique' | ||
| + | commonName :PRINTABLE:'client' | ||
| + | name :PRINTABLE:'EasyRSA' | ||
| + | emailAddress :IA5STRING:'root@tala.informatique.fr' | ||
| + | Certificate is to be certified until Oct 14 17:22:18 2025 GMT (3650 days) | ||
| + | Sign the certificate? [y/n]:y | ||
| + | |||
| + | |||
| + | 1 out of 1 certificate requests certified, commit? [y/n]y | ||
| + | Write out database with 1 new entries | ||
| + | Data Base Updated | ||
| + | </pre> | ||
| + | |||
| + | <pre> | ||
| + | iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | ||
| + | iptables -F FORWARD | ||
| + | service iptables save | ||
| + | vi /etc/sysctl.conf | ||
| + | net.ipv4.ip_forward = 1 | ||
| + | </pre> | ||
| + | |||
| + | <pre> | ||
| + | service openvpn start | ||
| + | chkconfig openvpn on | ||
| + | </pre> | ||
| + | |||
| + | =Configuring OpenVPN Client= | ||
Version du 17 octobre 2015 à 17:27
Préparation
Dans un premier temps, il faudra avoir une connexion à Internet, utiliser un serveur DNS et désactiver SELinux.
Pour ceux qui auraient manqué des étapes, les voici:
Assurez-vous d'avoir installé le dépôt EPEL car UCARP vient de cette source.
Une fois ces étapes effectuées, entrons dans le vif du sujet !
Installation
yum -y install openvpn easy-rsa
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
vi /etc/openvpn/server.conf push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 8.8.8.8" user nobody group nobody
mkdir -p /etc/openvpn/easy-rsa/keys cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
vi /etc/openvpn/easy-rsa/vars export KEY_COUNTRY="FR" export KEY_PROVINCE="Hearult" export KEY_CITY="Juvignac" export KEY_ORG="Tala Informatique" export KEY_EMAIL="root@tala.informatique.fr" export KEY_OU="Informatique"
cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
cd /etc/openvpn/easy-rsa source ./vars ./clean-all ./build-ca
[root@openvpn easy-rsa]# ./build-key-server server Generating a 2048 bit RSA private key .............+++ .........+++ writing new private key to 'server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [FR]: State or Province Name (full name) [Herault]: Locality Name (eg, city) [Juvignac]: Organization Name (eg, company) [Tala Informatique]: Organizational Unit Name (eg, section) [Informatique]: Common Name (eg, your name or your server's hostname) [server]: Name [EasyRSA]: Email Address [root@tala.informatique.fr]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'FR' stateOrProvinceName :PRINTABLE:'Herault' localityName :PRINTABLE:'Juvignac' organizationName :PRINTABLE:'Tala Informatique' organizationalUnitName:PRINTABLE:'Informatique' commonName :PRINTABLE:'server' name :PRINTABLE:'EasyRSA' emailAddress :IA5STRING:'root@tala.informatique.fr' Certificate is to be certified until Oct 14 17:16:17 2025 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
./build-dh cd /etc/openvpn/easy-rsa/keys cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
cd /etc/openvpn/easy-rsa ./build-key client Generating a 2048 bit RSA private key ...........+++ ............+++ writing new private key to 'client.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [FR]: State or Province Name (full name) [Herault]: Locality Name (eg, city) [Juvignac]: Organization Name (eg, company) [Tala Informatique]: Organizational Unit Name (eg, section) [Informatique]: Common Name (eg, your name or your server's hostname) [client]: Name [EasyRSA]: Email Address [root@tala.informatique.fr]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'FR' stateOrProvinceName :PRINTABLE:'Herault' localityName :PRINTABLE:'Juvignac' organizationName :PRINTABLE:'Tala Informatique' organizationalUnitName:PRINTABLE:'Informatique' commonName :PRINTABLE:'client' name :PRINTABLE:'EasyRSA' emailAddress :IA5STRING:'root@tala.informatique.fr' Certificate is to be certified until Oct 14 17:22:18 2025 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -F FORWARD
service iptables save
vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
service openvpn start chkconfig openvpn on