[Raspberry Pi] Installation serveur OpenVPN - iZero

Installation serveur OpenVPN

Version de l’OS	Raspbian GNU/Linux 9.3 (stretch)
Version d’OpenVPN	2.4.0

Pré-requis

Openssl, Easy RSA

Article original Publié le : 3 janvier 2018

Mise a jour le : 9 decembre 2018

Installation
Création de l’autorité et des certificats client/serveur
Configuration server.conf
Firewall
Configuration client .ovpn

Installation

Installation des paquets nécessaires

$ <span class="">sudo apt-get install openvpn openssl easy-rsa</span>

1	$ <span class="">sudo apt-get install openvpn openssl easy-rsa</span>

Créer le répertoire easy-rsa et y copier le contenu se trouvant dans /usr/share

$ <span class="">sudo mkdir /etc/openvpn/easy-rsa</span>

1	$ <span class="">sudo mkdir /etc/openvpn/easy-rsa</span>

<span class="">$ sudo cp -r /usr/share/easy-rsa /etc/openvpn</span>

1	<span class="">$ sudo cp -r /usr/share/easy-rsa /etc/openvpn</span>

Éditer le fichier wars

<span class="">$ sudo vim /etc/openvpn/easy-rsa/vars</span>

1	<span class="">$ sudo vim /etc/openvpn/easy-rsa/vars</span>

remplacer

export EASY_RSA="`pwd`"

1	export EASY_RSA="`pwd`"

par

<span class="">export EASY_RSA=</span><span class="st0">"/etc/openvpn/easy-rsa"</span>

1	<span class="">export EASY_RSA=</span><span class="st0">"/etc/openvpn/easy-rsa"</span>

Puis modifier les informations sur la localisation du certificat

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"

# These are the default values for fields

# which will be placed in the certificate.

# Don't leave any of these fields blank.

export KEY_COUNTRY="US"

export KEY_PROVINCE="CA"

export KEY_CITY="SanFrancisco"

export KEY_ORG="Fort-Funston"

export KEY_EMAIL="me@myhost.mydomain"

export KEY_OU="MyOrganizationalUnit"

Les valeurs ORG et OU sont a renseigner dans le cadre d’une organisation, sinon un . suffit

/!\ Nota 1: La valeur export KEY_ALTNAMES est a rajouter, voir plus bas Trouble shooting

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="<strong>FR</strong>"
export KEY_PROVINCE="<strong>France</strong>"
export KEY_CITY="<strong>Paris</strong>"
export KEY_ORG="<strong>.</strong>"
export KEY_EMAIL="<strong>monadresseemail@mondomaine.tld</strong>"
export KEY_OU="<strong>.</strong>"
<strong>export KEY_ALTNAMES="Monvpn"</strong>

# These are the default values for fields

# which will be placed in the certificate.

# Don't leave any of these fields blank.

export KEY_COUNTRY="FR"

export KEY_PROVINCE="France"

export KEY_CITY="Paris"

export KEY_ORG="."

export KEY_EMAIL="monadresseemail@mondomaine.tld"

export KEY_OU="."

export KEY_ALTNAMES="Monvpn"

Enfin de-commenter la clé et modifier par le nom de son serveur.

# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN exp$
# You will also need to make sure your OpenVPN server config has the duplicate-cn op$
<strong>export KEY_CN="Nom_du_serveur"</strong>

# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN exp$

# You will also need to make sure your OpenVPN server config has the duplicate-cn op$

export KEY_CN="Nom_du_serveur"

Création de l’autorité et des certificats client/serveur

Création d’une autorité de certification, en entreprise on utilisera sa propre autorité pour en récupérer les comptes de l’AD.

Passer en root pour cette étape

$ sudo -i

$ sudo -i

Puis recharger le fichier vars et cleaner (Attention la commande clean supprime tous les certificats).

# <span class="">cd /etc/openvpn/easy-rsa</span>

1	# <span class="">cd /etc/openvpn/easy-rsa</span>

# <span class="">source ./vars</span>

1	# <span class="">source ./vars</span>

# <span class="">./clean-all</span>

1	# <span class="">./clean-all</span>

Générer le certificat, depuis le répertoire easy-rsa

# <span class="">./build-ca</span>

1	# <span class="">./build-ca</span>

/!\ Nota 2: Sous Strech, cette erreur apparait, voir plus bas Trouble shooting

grep: /etc/openvpn/easy-rsa/openssl.cnf: No such file or directory

pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong

version of openssl.cnf: /etc/openvpn/easy-rsa/openssl.cnf

The correct version should have a comment that says: easy-rsa version 2.x

grep: /etc/openvpn/easy-rsa/openssl.cnf: No such file or directory

pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong

version of openssl.cnf: /etc/openvpn/easy-rsa/openssl.cnf

The correct version should have a comment that says: easy-rsa version 2.x

Correction: Faire un lien symbolique

# ln -s openssl-1.0.0.cnf openssl.cnf

1	# ln -s openssl-1.0.0.cnf openssl.cnf

La génération du certificat s’appuie sur la conf du fichier vars que l’on a déjà renseigné, il y a juste a faire a entrer.

root@openvpn:/etc/openvpn/easy-rsa# ./build-ca
Generating a 2048 bit RSA private key
............................................+++
..........................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [France]:
Locality Name (eg, city) [Paris]:
Organization Name (eg, company) [.]:
Organizational Unit Name (eg, section) [.]:
Common Name (eg, your name or your server's hostname) [openvpn]:
Name [EasyRSA]:
Email Address [monadresseemail@mondomaine.tld]:
root@openvpn:/etc/openvpn/easy-rsa#

root@openvpn:/etc/openvpn/easy-rsa# ./build-ca

Generating a 2048 bit RSA private key

............................................+++

..........................................+++

writing new private key to 'ca.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [FR]:

State or Province Name (full name) [France]:

Locality Name (eg, city) [Paris]:

Organization Name (eg, company) [.]:

Organizational Unit Name (eg, section) [.]:

Common Name (eg, your name or your server's hostname) [openvpn]:

Name [EasyRSA]:

Email Address [monadresseemail@mondomaine.tld]:

root@openvpn:/etc/openvpn/easy-rsa#

Puis générer la clé serveur, il sera demandé un mot de passe, dans mon cas je n’en met pas et un nom de compagnie optionnel, faire entrer également. Valider le certificat et commiter

# ./build-key-server <strong>nom_du_serveur</strong>

1	# ./build-key-server <strong>nom_du_serveur</strong>

root@openvpn:/etc/openvpn/easy-rsa# ./build-key-server openvpn
Generating a 2048 bit RSA private key
.......................................................................................+++
.....................+++
writing new private key to 'openvpn.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [France]:
Locality Name (eg, city) [Paris]:
Organization Name (eg, company) [.]:
Organizational Unit Name (eg, section) [.]:
Common Name (eg, your name or your server's hostname) [openvpn]:
Name [EasyRSA]:
Email Address [monadresseemail@mondomaine.tld]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'FR'
stateOrProvinceName   :PRINTABLE:'France'
localityName          :PRINTABLE:'Paris'
organizationName      :PRINTABLE:'.'
organizationalUnitName:PRINTABLE:'.'
commonName            :PRINTABLE:'openvpn'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'monadresseemail@mondomaine.tld'
Certificate is to be certified until Dec 30 15:46:30 2027 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@openvpn:/etc/openvpn/easy-rsa#

root@openvpn:/etc/openvpn/easy-rsa# ./build-key-server openvpn

Generating a 2048 bit RSA private key

.......................................................................................+++

.....................+++

writing new private key to 'openvpn.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [FR]:

State or Province Name (full name) [France]:

Locality Name (eg, city) [Paris]:

Organization Name (eg, company) [.]:

Organizational Unit Name (eg, section) [.]:

Common Name (eg, your name or your server's hostname) [openvpn]:

Name [EasyRSA]:

Email Address [monadresseemail@mondomaine.tld]:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/openvpn/easy-rsa/openssl.cnf

Signature ok

The Subject's Distinguished Name is as follows

countryName :PRINTABLE:'FR'

stateOrProvinceName :PRINTABLE:'France'

localityName :PRINTABLE:'Paris'

organizationName :PRINTABLE:'.'

organizationalUnitName:PRINTABLE:'.'

commonName :PRINTABLE:'openvpn'

name :PRINTABLE:'EasyRSA'

emailAddress :IA5STRING:'monadresseemail@mondomaine.tld'

Certificate is to be certified until Dec 30 15:46:30 2027 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

root@openvpn:/etc/openvpn/easy-rsa#

Enfin générer la clé utilisateur, en faire autant que besoin selon le nombre de personnes qui ont besoin d’un acces VPN.

Il sera demandé un mot de passe PEM, creer un mot de passe solide puis continuer la creation.

Il sera egalement demandé un challenge password et optional company name, laisser les vides en fesant entrer egalement. Valider le certificat et commiter

# <span class="">./build-key-pass </span><strong>nom_de_l'utilisateur</strong>

1	# <span class="">./build-key-pass </span><strong>nom_de_l'utilisateur</strong>

root@openvpn:/etc/openvpn/easy-rsa# ./build-key-pass bef
Generating a 2048 bit RSA private key
......+++
.................+++
writing new private key to 'bef.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [France]:
Locality Name (eg, city) [Paris]:
Organization Name (eg, company) [.]:
Organizational Unit Name (eg, section) [.]:
Common Name (eg, your name or your server's hostname) [bef]:
Name [EasyRSA]:
Email Address [monadresseemail@mondomaine.tld]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'FR'
stateOrProvinceName   :PRINTABLE:'France'
localityName          :PRINTABLE:'Paris'
organizationName      :PRINTABLE:'.'
organizationalUnitName:PRINTABLE:'.'
commonName            :PRINTABLE:'bef'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'monadresseemail@mondomaine.tld'
Certificate is to be certified until Dec 30 16:09:04 2027 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@openvpn:/etc/openvpn/easy-rsa#

root@openvpn:/etc/openvpn/easy-rsa# ./build-key-pass bef

Generating a 2048 bit RSA private key

......+++

.................+++

writing new private key to 'bef.key'

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [FR]:

State or Province Name (full name) [France]:

Locality Name (eg, city) [Paris]:

Organization Name (eg, company) [.]:

Organizational Unit Name (eg, section) [.]:

Common Name (eg, your name or your server's hostname) [bef]:

Name [EasyRSA]:

Email Address [monadresseemail@mondomaine.tld]:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/openvpn/easy-rsa/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName :PRINTABLE:'FR'

stateOrProvinceName :PRINTABLE:'France'

localityName :PRINTABLE:'Paris'

organizationName :PRINTABLE:'.'

organizationalUnitName:PRINTABLE:'.'

commonName :PRINTABLE:'bef'

name :PRINTABLE:'EasyRSA'

emailAddress :IA5STRING:'monadresseemail@mondomaine.tld'

Certificate is to be certified until Dec 30 16:09:04 2027 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

root@openvpn:/etc/openvpn/easy-rsa#

Il faut ensuite chiffrer la clé utilisateur avec l’algorithme 3DES.

Entrer le mot de passe PEM pour deverouiller la cle .key et en remettre une pour la clé .3des.key

# cd keys

# cd keys

# openssl rsa -in bef.key -des3 -out bef.3des.key

1	# openssl rsa -in bef.key -des3 -out bef.3des.key

root@openvpn:/etc/openvpn/easy-rsa/keys# openssl rsa -in bef.key -des3 -out bef.3des.key
Enter pass phrase for bef.key:
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
root@openvpn:/etc/openvpn/easy-rsa/keys#

root@openvpn:/etc/openvpn/easy-rsa/keys# openssl rsa -in bef.key -des3 -out bef.3des.key

Enter pass phrase for bef.key:

writing RSA key

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

root@openvpn:/etc/openvpn/easy-rsa/keys#

Puis securiser l’echange de clés, cela va prendre du temps (~45min), revenir dans le repertoire easy-rsa

# cd ..

# cd ..

# ./build-dh

1	# ./build-dh

root@openvpn:/etc/openvpn/easy-rsa# ./build-dh
 Generating DH parameters, 2048 bit long safe prime, generator 2
 This is going to take a long time
 .......................+.........................................................................................................................................................................................................................+.............................................................................................................................................................+....................................................................................+............................................................................+....................++*++*
root@openvpn:/etc/openvpn/easy-rsa#

root@openvpn:/etc/openvpn/easy-rsa# ./build-dh

Generating DH parameters, 2048 bit long safe prime, generator 2

This is going to take a long time

.......................+.........................................................................................................................................................................................................................+.............................................................................................................................................................+....................................................................................+............................................................................+....................++*++*

root@openvpn:/etc/openvpn/easy-rsa#

Puis créer une clé partagée

<span class=""># openvpn --genkey --secret keys/ta.key</span>

1	<span class=""># openvpn --genkey --secret keys/ta.key</span>

Configuration server.conf

Creer le fichier server.conf et completer le.

$ sudo vim <span class="">/etc/openvpn/server.conf</span>

1	$ sudo vim <span class="">/etc/openvpn/server.conf</span>

# OpenVPN serveur
# local 192.168.3.20 --> <span style="color: #ff0000;">Voir Trouble shooting</span>
# Tunnel mode
dev tun
# Protocole udp ou tcp
proto udp
# Port 1194 ou 443
port 1194
# La CA
ca /etc/openvpn/easy-rsa/keys/ca.crt
# Le certificat serveur
cert /etc/openvpn/easy-rsa/keys/openvpn.crt
# La clé du certificat serveur
key /etc/openvpn/easy-rsa/keys/openvpn.key
# clé Diffie-Hellman generé, si 4096, modifier la
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
# Le serveur dhcp, on definie la plage, par defaut 10.8.0.0/24
server 10.8.0.0 255.255.255.0
# serveur et client distant.
ifconfig 10.8.0.1 10.8.0.2
# Ajout de la route pour le client OpenVPN Server.
push "route 10.8.0.1 255.255.255.255"
# Ajout de la route pour les clients du sous-reseau.
push "route 10.8.0.0 255.255.255.0"
# le réseau local du serveur Openvpn.
push "route 192.168.3.0 255.255.255.0"
# Adresse du serveur DNS, si pas de domaine, utilisez dns public.
push "dhcp-option DNS 208.67.222.222"
# Le serveur sera la passerelle par défaut et tout le trafic sera router par lui.
<del datetime="2018-01-08T07:44:08+00:00"># push "redirect-gateway def1" --> <span style="color: #ff0000;">Voir Trouble shooting</span></del>
push "redirect-gateway def1 <strong>bypass-dhcp</strong>"
client-to-client
# Pour dupliquer le meme certificat
# duplicate-cn
keepalive 10 120
# la clé partagée
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
# Des logs
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1

# OpenVPN serveur

# local 192.168.3.20 --> Voir Trouble shooting

# Tunnel mode

dev tun

# Protocole udp ou tcp

proto udp

# Port 1194 ou 443

port 1194

# La CA

ca /etc/openvpn/easy-rsa/keys/ca.crt

# Le certificat serveur

cert /etc/openvpn/easy-rsa/keys/openvpn.crt

# La clé du certificat serveur

key /etc/openvpn/easy-rsa/keys/openvpn.key

# clé Diffie-Hellman generé, si 4096, modifier la

dh /etc/openvpn/easy-rsa/keys/dh2048.pem

# Le serveur dhcp, on definie la plage, par defaut 10.8.0.0/24

server 10.8.0.0 255.255.255.0

# serveur et client distant.

ifconfig 10.8.0.1 10.8.0.2

# Ajout de la route pour le client OpenVPN Server.

push "route 10.8.0.1 255.255.255.255"

# Ajout de la route pour les clients du sous-reseau.

push "route 10.8.0.0 255.255.255.0"

# le réseau local du serveur Openvpn.

push "route 192.168.3.0 255.255.255.0"

# Adresse du serveur DNS, si pas de domaine, utilisez dns public.

push "dhcp-option DNS 208.67.222.222"

# Le serveur sera la passerelle par défaut et tout le trafic sera router par lui.

<del datetime="2018-01-08T07:44:08+00:00"># push "redirect-gateway def1" --> Voir Trouble shooting</del>

push "redirect-gateway def1 bypass-dhcp"

client-to-client

# Pour dupliquer le meme certificat

# duplicate-cn

keepalive 10 120

# la clé partagée

tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0

cipher AES-128-CBC

comp-lzo

user nobody

group nogroup

persist-key

persist-tun

# Des logs

status /var/log/openvpn-status.log 20

log /var/log/openvpn.log

verb 1

/!\ Certains hotels ou points d’accecs font du filtrage de port, on peux donc utiliser le port 443 en tcp

Pour cela 3 modifs a faire:

Coté serveur dans le fichier server.conf

Remplacer proto udp par proto tcp et port 1194 par port 443

Sur le Firewall (iptables et routeur/fw)

Remplacer udp –dport 1194 par tcp –dport 443

Enfin coté client, il faudra également modifier le fichier .ovpn

Remplacer proto udp par proto tcp et remote ip_public 1194 par remote ip_public 443

Firewall

Installer le paquet netfilter

$ sudo apt install iptables-persistent

1	$ sudo apt install iptables-persistent

Puis éditer le fichier de conf et renseigner le.

$ sudo vim /etc/iptables/rules.v4

1	$ sudo vim /etc/iptables/rules.v4

# Generated by iptables-save v1.6.0 on Tue Jan 2 18:18:34 2018
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Generated by iptables-save v1.6.0 on Tue Jan 2 18:18:34 2018
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Forward
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT

# Garder les connexions active pour les retours + ping
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT

# Autoriser le loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Autoriser reseau Openvpn
-A INPUT -s 10.8.0.0/24 -j ACCEPT

# Port entrant Openvpn
-A INPUT -p udp --dport 1194 -j ACCEPT

# Connexion au port SSH limité a mes IP public et mon lan
-A INPUT -p tcp -s 1xx.xxx.xxx.xxx -m tcp --dport 2223 -j ACCEPT
-A INPUT -p tcp -s 2xx.xxx.xxx.xxx -m tcp --dport 2223 -j ACCEPT
-A INPUT -p tcp -s 192.168.3.0/24 -m tcp --dport 2223 -j ACCEPT

# Pour la resolution dns
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT

# Autoriser le web
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT

COMMIT
# Completed on Tue Jan 2 18:18:34 2018

# Generated by iptables-save v1.6.0 on Tue Jan 2 18:18:34 2018

*nat

:POSTROUTING ACCEPT [0:0]

-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

COMMIT

# Generated by iptables-save v1.6.0 on Tue Jan 2 18:18:34 2018

*filter

:INPUT DROP [0:0]

:FORWARD DROP [0:0]

:OUTPUT DROP [0:0]

# Forward

-A FORWARD -i tun0 -o eth0 -j ACCEPT

-A FORWARD -i eth0 -o tun0 -j ACCEPT

# Garder les connexions active pour les retours + ping

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A OUTPUT -p icmp -j ACCEPT

# Autoriser le loopback

-A INPUT -i lo -j ACCEPT

-A OUTPUT -o lo -j ACCEPT

# Autoriser reseau Openvpn

-A INPUT -s 10.8.0.0/24 -j ACCEPT

# Port entrant Openvpn

-A INPUT -p udp --dport 1194 -j ACCEPT

# Connexion au port SSH limité a mes IP public et mon lan

-A INPUT -p tcp -s 1xx.xxx.xxx.xxx -m tcp --dport 2223 -j ACCEPT

-A INPUT -p tcp -s 2xx.xxx.xxx.xxx -m tcp --dport 2223 -j ACCEPT

-A INPUT -p tcp -s 192.168.3.0/24 -m tcp --dport 2223 -j ACCEPT

# Pour la resolution dns

-A OUTPUT -p tcp --dport 53 -j ACCEPT

-A OUTPUT -p udp --dport 53 -j ACCEPT

# Autoriser le web

-A OUTPUT -p tcp --dport 80 -j ACCEPT

-A OUTPUT -p tcp --dport 443 -j ACCEPT

COMMIT

# Completed on Tue Jan 2 18:18:34 2018

Sauvegarder la configuration

$ sudo iptables-save

1	$ sudo iptables-save

Vérifier iptables

$ sudo iptables -L

1	$ sudo iptables -L

Activer ensuite le forward entre 2 cartes réseaux dans le fichier sysctl.conf

$ sudo vim /etc/sysctl.conf

1	$ sudo vim /etc/sysctl.conf

Et de-commenter net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

1 2	# Uncomment the next line to enable packet forwarding for IPv4 net.ipv4.ip_forward=1

Puis rechargez le fichier de conf.

$ sudo sysctl -p

1	$ sudo sysctl -p

Configuration client .ovpn

Il y a un script sur Github qui se nomme MakeOpenVPN, qui permet de nous macher tout ca.

Creer le fichier et copier son contenu ci dessous.

$ sudo vim /etc/openvpn/easy-rsa/keys/MakeOVPN.sh

1	$ sudo vim /etc/openvpn/easy-rsa/keys/MakeOVPN.sh

#!/bin/bash

# Default Variable Declarations 
DEFAULT="Default.txt" 
FILEEXT=".ovpn" 
CRT=".crt" 
KEY=".3des.key" 
CA="ca.crt" 
TA="ta.key" 
 
#Ask for a Client name 
echo "Please enter an existing Client Name:"
read NAME 
 
#1st Verify that client's Public Key Exists 
if [ ! -f $NAME$CRT ]; then 
echo "[ERROR]: Client Public Key Certificate not found: $NAME$CRT" 
exit 
fi 
echo "Client's cert found: $NAME$CR" 
 
#Then, verify that there is a private key for that client 
if [ ! -f $NAME$KEY ]; then 
echo "[ERROR]: Client 3des Private Key not found: $NAME$KEY" 
exit 
fi 
echo "Client's Private Key found: $NAME$KEY"

#Confirm the CA public key exists 
if [ ! -f $CA ]; then 
echo "[ERROR]: CA Public Key not found: $CA" 
exit 
fi 
echo "CA public Key found: $CA" 

#Confirm the tls-auth ta key file exists 
if [ ! -f $TA ]; then 
echo "[ERROR]: tls-auth Key not found: $TA" 
exit 
fi 
echo "tls-auth Private Key found: $TA" 
 
#Ready to make a new .opvn file - Start by populating with the default file
cat $DEFAULT > $NAME$FILEEXT 
 
#Now, append the CA Public Cert 
echo "<ca>" >> $NAME$FILEEXT 
cat $CA >> $NAME$FILEEXT 
echo "</ca>" >> $NAME$FILEEXT

#Next append the client Public Cert 
echo "<cert>" >> $NAME$FILEEXT 
cat $NAME$CRT | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> $NAME$FILEEXT 
echo "</cert>" >> $NAME$FILEEXT 
 
#Then, append the client Private Key 
echo "<key>" >> $NAME$FILEEXT 
cat $NAME$KEY >> $NAME$FILEEXT 
echo "</key>" >> $NAME$FILEEXT 
 
#Finally, append the TA Private Key 
echo "<tls-auth>" >> $NAME$FILEEXT 
cat $TA >> $NAME$FILEEXT 
echo "</tls-auth>" >> $NAME$FILEEXT 
 
echo "Done! $NAME$FILEEXT Successfully Created."

#!/bin/bash

# Default Variable Declarations

DEFAULT="Default.txt"

FILEEXT=".ovpn"

CRT=".crt"

KEY=".3des.key"

CA="ca.crt"

TA="ta.key"

#Ask for a Client name

echo "Please enter an existing Client Name:"

read NAME

#1st Verify that client's Public Key Exists

if [ ! -f $NAME$CRT ]; then

echo "[ERROR]: Client Public Key Certificate not found: $NAME$CRT"

exit

echo "Client's cert found: $NAME$CR"

#Then, verify that there is a private key for that client

if [ ! -f $NAME$KEY ]; then

echo "[ERROR]: Client 3des Private Key not found: $NAME$KEY"

exit

echo "Client's Private Key found: $NAME$KEY"

#Confirm the CA public key exists

if [ ! -f $CA ]; then

echo "[ERROR]: CA Public Key not found: $CA"

exit

echo "CA public Key found: $CA"

#Confirm the tls-auth ta key file exists

if [ ! -f $TA ]; then

echo "[ERROR]: tls-auth Key not found: $TA"

exit

echo "tls-auth Private Key found: $TA"

#Ready to make a new .opvn file - Start by populating with the default file

cat $DEFAULT > $NAME$FILEEXT

#Now, append the CA Public Cert

echo "<ca>" >> $NAME$FILEEXT

cat $CA >> $NAME$FILEEXT

echo "</ca>" >> $NAME$FILEEXT

#Next append the client Public Cert

echo "<cert>" >> $NAME$FILEEXT

cat $NAME$CRT | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> $NAME$FILEEXT

echo "</cert>" >> $NAME$FILEEXT

#Then, append the client Private Key

echo "<key>" >> $NAME$FILEEXT

cat $NAME$KEY >> $NAME$FILEEXT

echo "</key>" >> $NAME$FILEEXT

#Finally, append the TA Private Key

echo "<tls-auth>" >> $NAME$FILEEXT

cat $TA >> $NAME$FILEEXT

echo "</tls-auth>" >> $NAME$FILEEXT

echo "Done! $NAME$FILEEXT Successfully Created."

Rendre le script executable.

$ sudo chmod 700 /etc/openvpn/easy-rsa/keys/MakeOVPN.sh

1	$ sudo chmod 700 /etc/openvpn/easy-rsa/keys/MakeOVPN.sh

Éditer le fichier Default et renseigner le comme ci dessous, il y a juste a changer l’ip public et le port.

$ sudo nano /etc/openvpn/easy-rsa/keys/Default.txt

1	$ sudo nano /etc/openvpn/easy-rsa/keys/Default.txt

client
dev tun
proto udp
remote <strong>ip_public 1194</strong>
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20

client

dev tun

proto udp

remote ip_public 1194

resolv-retry infinite

nobind

persist-key

persist-tun

mute-replay-warnings

ns-cert-type server

key-direction 1

cipher AES-128-CBC

comp-lzo

verb 1

mute 20

Il ne reste plus qu’a exécuter le script, repasser en sudo

$ sudo -i

$ sudo -i

# cd /etc/openvpn/easy-rsa/keys

1	# cd /etc/openvpn/easy-rsa/keys

# ./MakeOVPN.sh

1	# ./MakeOVPN.sh

Il faut mettre le nom du client crée précédemment plus haut.

root@openvpn:/etc/openvpn/easy-rsa/keys# ./MakeOVPN.sh
Please enter an existing Client Name:
<strong>bef</strong>
Client's cert found: bef
Client's Private Key found: bef.3des.key
CA public Key found: ca.crt
tls-auth Private Key found: ta.key
Done! bef.ovpn Successfully Created

root@openvpn:/etc/openvpn/easy-rsa/keys# ./MakeOVPN.sh

Please enter an existing Client Name:

bef

Client's cert found: bef

Client's Private Key found: bef.3des.key

CA public Key found: ca.crt

tls-auth Private Key found: ta.key

Done! bef.ovpn Successfully Created

Voila c’est crée.

Il ne reste plus qu’a récupérer le fichier .ovpn et a configurer le client.

Dernière chose, pensez a ouvrir les flux sur le FW/Box (nat, filtrage)

Pour résumer, la création d’un utilisateur, aller sur

# /etc/openvpn/easy-rsa/

1	# /etc/openvpn/easy-rsa/

faire un

# source ./vars

1	# source ./vars

On utilise la commande ./build-key, ou sinon pour un certificat avec un mot de passe on utilise ./build-key-pass

# ./build-key-pass user2

1	# ./build-key-pass user2

Puis on valide les informations et on commit.

On chiffre en 3des et enfin on converti le tout en .ovpn

# openssl rsa -in user2.key -des3 -out user2.3des.key

1	# openssl rsa -in user2.key -des3 -out user2.3des.key

Relancer le scripts MakeOVPN.sh

# keys/MakeOVPN.sh

1	# keys/MakeOVPN.sh

Ci dessous une capture d’écran du processus.

Pour révoquer un certificat, voici un script tout prêt a mettre dans keys.

$ sudo vim revoke_client.sh

1	$ sudo vim revoke_client.sh

#!/bin/bash

username=$1

if [ -z $username ]; then
 echo -e "Utilisation:\n./$(basename $0) nom_de_l'utilisateur"
 exit 2
fi

cd /etc/openvpn/easy-rsa
. ./vars

./revoke-full $username

if [ ! -d "./keys/revoked-$(date +%Y%m%d)" ]; then
 mkdir ./keys/revoked-$(date +%Y%m%d)
fi
mv -f /etc/openvpn/easy-rsa/keys/$username.* /etc/openvpn/easy-rsa/keys/revoked-$(date +%Y%m%d)/

#!/bin/bash

username=$1

if [ -z $username ]; then

echo -e "Utilisation:\n./$(basename $0) nom_de_l'utilisateur"

exit 2

cd /etc/openvpn/easy-rsa

. ./vars

./revoke-full $username

if [ ! -d "./keys/revoked-$(date +%Y%m%d)" ]; then

mkdir ./keys/revoked-$(date +%Y%m%d)

mv -f /etc/openvpn/easy-rsa/keys/$username.* /etc/openvpn/easy-rsa/keys/revoked-$(date +%Y%m%d)/

Faire un lien symbolique pour l’execution

ln -s /etc/openvpn/easy-rsa/keys/revoke_client.sh /usr/local/sbin/

1	ln -s /etc/openvpn/easy-rsa/keys/revoke_client.sh /usr/local/sbin/

Pour révoquer le certificat, il faudra lancer la commande suivante.

$ sudo revoke_client.sh nom_de_l'utilisateur

1	$ sudo revoke_client.sh nom_de_l'utilisateur

Trouble shooting

Nota 1: ~~https://www.alexruf.net/2014/08/02/install-config-openvpn-internet-tunnel.html~~

Nota 2: http://www.mimastech.com/2017/12/22/howto-removeresolve-openvpn-message-key_config-pointing-to-the-wrong-version-of-openssl-cnf-on-linux-systems/

Nota 3: # local 192.168.3.20 : Trouvé sur différents forums, en désactivant cela permet le fonctionnement du client vpn depuis un smartphone

# push “redirect-gateway def1” : a normalement de-commenter, mais chez moi mon routeur n’a pas de redirecteur, si bien que je n’accede pas au web sans les dns en dur. du coup je désactive
Cela permet également de faire passer tout le traffic par le vpn, l’ip public est celle de la box.
/!\ Édit 08.01.2017, fonctionne avec l’option bypass-dhcp

Documentation

Articles lus : 4 797

Rating: 5.0/5. From 1 vote.

Please wait...

Installation

Création de l’autorité et des certificats client/serveur

Configuration server.conf

Firewall

Configuration client .ovpn

Laisser un commentaire Annuler la réponse