Différences entre versions de « Openvpn »
Aller à la navigation
Aller à la recherche
| Ligne 187 : | Ligne 187 : | ||
=Configuring OpenVPN Client= | =Configuring OpenVPN Client= | ||
| + | https://openvpn.net/index.php/open-source/downloads.html | ||
Version du 18 octobre 2015 à 14:28
Préparation
Dans un premier temps, il faudra avoir une connexion à Internet, utiliser un serveur DNS et désactiver SELinux.
Pour ceux qui auraient manqué des étapes, les voici:
Assurez-vous d'avoir installé le dépôt EPEL car OpenVPN vient de cette source.
Une fois ces étapes effectuées, entrons dans le vif du sujet !
Partie serveur
Installation
Premièrement, installons les packages nécessaires:
yum -y install openvpn easy-rsa
OpenVPN est livré avec un fichier de configuration d'exemple que nous allons copier dans le bon répertoire:
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
Configuration
Éditons le fichier maintenant qu'il est au bon endroit:
vi /etc/openvpn/server.conf
Nous allons dé-commenter la ligne suivante qui permet de router le trafic qui vient du client à travers le tunnel VPN:
push "redirect-gateway def1 bypass-dhcp"
La ligne suivante doit être décommentée car elle permet de préciser quel serveur DNS le client doit utiliser. Si vous avez un serveur DNS sur votre réseau, mettez son IP ici, sinon utilisez le serveur de Google:
push "dhcp-option DNS 8.8.8.8"
Les lignes suivantes doivent être décommenteés pour signifier à OpenVPN d'utiliser l'utilisateur et le group nobody. Cela permet d'augmenter la sécurité.
user nobody group nobody
Création des clés
mkdir -p /etc/openvpn/easy-rsa/keys cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
vi /etc/openvpn/easy-rsa/vars export KEY_COUNTRY="FR" export KEY_PROVINCE="Hearult" export KEY_CITY="Juvignac" export KEY_ORG="Tala Informatique" export KEY_EMAIL="root@tala.informatique.fr" export KEY_OU="Informatique"
cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
cd /etc/openvpn/easy-rsa source ./vars ./clean-all ./build-ca
[root@openvpn easy-rsa]# ./build-key-server server Generating a 2048 bit RSA private key .............+++ .........+++ writing new private key to 'server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [FR]: State or Province Name (full name) [Herault]: Locality Name (eg, city) [Juvignac]: Organization Name (eg, company) [Tala Informatique]: Organizational Unit Name (eg, section) [Informatique]: Common Name (eg, your name or your server's hostname) [server]: Name [EasyRSA]: Email Address [root@tala.informatique.fr]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'FR' stateOrProvinceName :PRINTABLE:'Herault' localityName :PRINTABLE:'Juvignac' organizationName :PRINTABLE:'Tala Informatique' organizationalUnitName:PRINTABLE:'Informatique' commonName :PRINTABLE:'server' name :PRINTABLE:'EasyRSA' emailAddress :IA5STRING:'root@tala.informatique.fr' Certificate is to be certified until Oct 14 17:16:17 2025 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
./build-dh cd /etc/openvpn/easy-rsa/keys cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
cd /etc/openvpn/easy-rsa ./build-key client Generating a 2048 bit RSA private key ...........+++ ............+++ writing new private key to 'client.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [FR]: State or Province Name (full name) [Herault]: Locality Name (eg, city) [Juvignac]: Organization Name (eg, company) [Tala Informatique]: Organizational Unit Name (eg, section) [Informatique]: Common Name (eg, your name or your server's hostname) [client]: Name [EasyRSA]: Email Address [root@tala.informatique.fr]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'FR' stateOrProvinceName :PRINTABLE:'Herault' localityName :PRINTABLE:'Juvignac' organizationName :PRINTABLE:'Tala Informatique' organizationalUnitName:PRINTABLE:'Informatique' commonName :PRINTABLE:'client' name :PRINTABLE:'EasyRSA' emailAddress :IA5STRING:'root@tala.informatique.fr' Certificate is to be certified until Oct 14 17:22:18 2025 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -F FORWARD
service iptables save
vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
service openvpn start chkconfig openvpn on