[Linux] Installation d'Openvpn V2 - iZero

Installation d’Openvpn

Version de l’OS: Centos 7 (minimal version)
Version d’Openvpn: 2.1.4

Pré-requis
Voir l’article Préparation d’une machine Centos 7.x

Version feignant, j’utilise le scrypt de Nyr disponible sur https://github.com/Nyr/openvpn-install

Installation de quelques outils utiles

$ sudo yum install wget vim bind-utils net-tools

1	$ sudo yum install wget vim bind-utils net-tools

Récupération du script et installation du serveur openvpn

$ sudo wget https://git.io/vpn -O openvpn-install.sh && sudo bash openvpn-install.sh

1	$ sudo wget https://git.io/vpn -O openvpn-install.sh && sudo bash openvpn-install.sh

Renseigner le champ IP adress par l’IP Public
le port par défaut est 1194 (UDP) ou 443 (TCP)
Ensuite on le choix entre ces propres dns, ceux de Google, Opendns …
le script va générer le premier certificat client, choisir le nom

et c’est parti, il faut patienter 15min.

Visualisation du conf server.conf

$ sudo cat /etc/openvpn/server.conf

1	$ sudo cat /etc/openvpn/server.conf

port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0 <-- plage ip distante
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "route 192.168.30.0 255.255.255.0"

port 1194

proto udp

dev tun

sndbuf 0

rcvbuf 0

ca ca.crt

cert server.crt

key server.key

dh dh.pem

tls-auth ta.key 0

topology subnet

server 10.8.0.0 255.255.255.0 <-- plage ip distante

ifconfig-pool-persist ipp.txt

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 208.67.222.222"

push "dhcp-option DNS 208.67.220.220"

push "route 192.168.30.0 255.255.255.0"

Firewall

J’utilise tjrs iptables, du coup je désinstalle firewalld et ré-installe iptables.
Si ce n’est pas déjà fait arrêter le service et mettre disable firewalld

$ sudo systemctl stop firewalld
$ sudo systemctl disable firewalld

1 2	$ sudo systemctl stop firewalld $ sudo systemctl disable firewalld

puis

$ sudo yum remove firewalld
$ sudo yum install iptables-services
$ sudo systemctl enable iptables.service

$ sudo yum remove firewalld

$ sudo yum install iptables-services

$ sudo systemctl enable iptables.service

Fichier de conf iptables

$ sudo vim /etc/sysconfig/iptables

1	$ sudo vim /etc/sysconfig/iptables

# Generated by iptables-save v1.4.7 on Tue Mar 22 12:07:57 2017
*nat
:POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.30.0/24 -j MASQUERADE
COMMIT
# Generated by iptables-save v1.4.7 on Tue Mar 22 12:07:57 2016
# Interdire toutes connexions entrantes et sortantes
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT DROP

#Forward dans les 2 sens
-A FORWARD -i tun -o eth0 -m comment --comment "forward all" -j ACCEPT
-A FORWARD -i eth0 -o tun -m comment --comment "forward ret" -j ACCEPT

# Ne pas casser les connexions etablies
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Autoriser loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Autoriser ping
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT

# Autoriser HTTP/HTTPS
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT

# Autoriser DNS
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT

# Autoriser port de connexions pour les outils interne
-A INPUT -p tcp  -s 192.168.3.0/24 --dport 2223 -m comment --comment "SSH" -j ACCEPT
-A INPUT -p tcp  -s 10.8.0.0/24 --dport 2223 -m comment --comment "SSH" -j ACCEPT
-A INPUT -p tcp  -s 10.8.0.0/24 --dport 8006 -m comment --comment "PROXMOX" -j ACCEPT
-A INPUT -p tcp  -s 10.8.0.0/24 --dport 3389 -m comment --comment "TSE" -j ACCEPT

# Autoriser Openvpn
-I INPUT -p udp --dport 1194 -j ACCEPT

COMMIT

# Generated by iptables-save v1.4.7 on Tue Mar 22 12:07:57 2017

*nat

:POSTROUTING ACCEPT

-A POSTROUTING -s 192.168.30.0/24 -j MASQUERADE

COMMIT

# Generated by iptables-save v1.4.7 on Tue Mar 22 12:07:57 2016

# Interdire toutes connexions entrantes et sortantes

*filter

:INPUT DROP

:FORWARD DROP

:OUTPUT DROP

#Forward dans les 2 sens

-A FORWARD -i tun -o eth0 -m comment --comment "forward all" -j ACCEPT

-A FORWARD -i eth0 -o tun -m comment --comment "forward ret" -j ACCEPT

# Ne pas casser les connexions etablies

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Autoriser loopback

-A INPUT -i lo -j ACCEPT

-A OUTPUT -o lo -j ACCEPT

# Autoriser ping

-A INPUT -p icmp -j ACCEPT

-A OUTPUT -p icmp -j ACCEPT

# Autoriser HTTP/HTTPS

-A INPUT -p tcp --dport 80 -j ACCEPT

-A INPUT -p tcp --dport 443 -j ACCEPT

-A OUTPUT -p tcp --dport 80 -j ACCEPT

-A OUTPUT -p tcp --dport 443 -j ACCEPT

# Autoriser DNS

-A INPUT -p tcp --dport 53 -j ACCEPT

-A INPUT -p udp --dport 53 -j ACCEPT

-A OUTPUT -p tcp --dport 53 -j ACCEPT

-A OUTPUT -p udp --dport 53 -j ACCEPT

# Autoriser port de connexions pour les outils interne

-A INPUT -p tcp -s 192.168.3.0/24 --dport 2223 -m comment --comment "SSH" -j ACCEPT

-A INPUT -p tcp -s 10.8.0.0/24 --dport 2223 -m comment --comment "SSH" -j ACCEPT

-A INPUT -p tcp -s 10.8.0.0/24 --dport 8006 -m comment --comment "PROXMOX" -j ACCEPT

-A INPUT -p tcp -s 10.8.0.0/24 --dport 3389 -m comment --comment "TSE" -j ACCEPT

# Autoriser Openvpn

-I INPUT -p udp --dport 1194 -j ACCEPT

COMMIT

Redémarrer le service iptables

$ sudo systemctl restart iptables.service

1	$ sudo systemctl restart iptables.service

Vérifier le status

$ sudo systemctl status iptables.service

1	$ sudo systemctl status iptables.service

● iptables.service - IPv4 firewall with iptables
 Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
 Active: <span style="color: #008000;">active (exited)</span> since sam. 2017-03-25 23:44:21 CET; 1h 37min ago
 Process: 2167 ExecStop=/usr/libexec/iptables/iptables.init stop (code=exited, status=0/SUCCESS)
 Process: 2266 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 2266 (code=exited, status=0/SUCCESS)
 CGroup: /system.slice/iptables.service

● iptables.service - IPv4 firewall with iptables

Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)

Active: <span style="color: #008000;">active (exited)</span> since sam. 2017-03-25 23:44:21 CET; 1h 37min ago

Process: 2167 ExecStop=/usr/libexec/iptables/iptables.init stop (code=exited, status=0/SUCCESS)

Process: 2266 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)

Main PID: 2266 (code=exited, status=0/SUCCESS)

CGroup: /system.slice/iptables.service

Redémarrer Openvpn

$ sudo systemctl restart openvpn@server.service

1	$ sudo systemctl restart openvpn@server.service

Vérifier le status

$ sudo systemctl status openvpn@server.service

1	$ sudo systemctl status openvpn@server.service

● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
   Active: <span style="color: #008000;">active (running)</span> since sam. 2017-03-25 23:44:32 CET; 1h 39min ago
  Process: 2304 ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf (code=exited, status=0/SUCCESS)
 Main PID: 2306 (openvpn)
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─2306 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --cd /etc/openvpn/ --config server.conf

● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server

Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)

Active: <span style="color: #008000;">active (running)</span> since sam. 2017-03-25 23:44:32 CET; 1h 39min ago

Process: 2304 ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf (code=exited, status=0/SUCCESS)

Main PID: 2306 (openvpn)

CGroup: /system.slice/system-openvpn.slice/openvpn@server.service

└─2306 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --cd /etc/openvpn/ --config server.conf

Installation d’OpenVPN Access Server (interface web)

$ cd ~
$ wget http://swupdate.openvpn.org/as/openvpn-as-2.0.10-CentOS5.9.x86_64.rpm
$ sudo  rpm -ivh openvpn-as-2.0.10-CentOS5.9.x86_64.rpm

$ cd ~

$ wget http://swupdate.openvpn.org/as/openvpn-as-2.0.10-CentOS5.9.x86_64.rpm

$ sudo rpm -ivh openvpn-as-2.0.10-CentOS5.9.x86_64.rpm

a la fin de l’installation changer le mot de passe du compte openvpn

$ sudo passwd openvpn

1	$ sudo passwd openvpn

puis se connecter a l’interface avec le port 943 par défaut
https://ipserveuropenvpn_ou_fqdn:943

Reste a Faire

Intégration au LDAP a venir
Certificat a mettre en place
Double authentification par code PIN

/!\ Script de Nyr (23-03-2017) ici

Articles lus : 1 250

No votes yet.

Please wait...

[Linux] Installation d’Openvpn V2

Laisser un commentaire Annuler la réponse