linux:openvpn [15.02.2019 22:57] (aktuální) vm vytvořeno |
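--- a/linux/openvpn.txt
+++ b/linux/openvpn.txt
@@ -0,0 +1,183 @@
+====== OpenVPN ======
+
+===== Certifikační autorita =====
+make-cadir /etc/openvpn/ca
+
+cd /etc/openvpn/ca
+source vars
+./clean-all
+./build-ca
+
+./build-key-server ovpn.mysh.cz
+./build-dh
+./build-key kosire.client.vpn.mysh.cz
+./build-key limuzska.client.vpn.mysh.cz
+
+===== Routování =====
+
+Jednorázově
+cat /proc/sys/net/ipv4/ip_forward
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
+Pro trvalé je je potřeba povolit ''ip_forward'' v ''/etc/sysctl.conf''.
+
+===== Server =====
+Konfigurace pro server.
+
+<file txt /etc/openvpn/server.conf>
+#################################################
+# Sample OpenVPN 2.0 config file for #
+# multi-client server. #
+#################################################
+
+port 1194
+
+# TCP or UDP server?
+proto tcp
+;proto udp
+
+# "dev tun" will create a routed IP tunnel,
+# "dev tap" will create an ethernet tunnel.
+# Use "dev tap0" if you are ethernet bridging
+# and have precreated a tap0 virtual interface
+# and bridged it with your ethernet interface.
+# If you want to control access policies
+# over the VPN, you must create firewall
+# rules for the the TUN/TAP interface.
+
+dev tap
+;dev tun
+
+ca ca.crt
+cert ovpn.mysh.cz.crt
+key ovpn.mysh.cz.key
+
+# Diffie hellman parameters.
+# Generate your own with:
+# openssl dhparam -out dh1024.pem 1024
+# Substitute 2048 for 1024 if you are using
+# 2048 bit keys.
+dh dh2048.pem
+
+# Configure server mode and supply a VPN subnet
+# for OpenVPN to draw client addresses from.
+# The server will take 10.8.0.1 for itself,
+# the rest will be made available to clients.
+# Each client will be able to reach the server
+# on 10.8.0.1. Comment this line out if you are
+# ethernet bridging. See the man page for more info.
+server 10.8.0.0 255.255.255.0
+
+# Maintain a record of client <-> virtual IP address
+# associations in this file. If OpenVPN goes down or
+# is restarted, reconnecting clients can be assigned
+# the same virtual IP address from the pool that was
+# previously assigned.
+ifconfig-pool-persist ipp.txt
+
+# Uncomment this directive to allow different
+# clients to be able to "see" each other.
+# By default, clients will only see the server.
+# To force clients to only see the server, you
+# will also need to appropriately firewall the
+# server's TUN/TAP interface.
+client-to-client
+
+# IF YOU HAVE NOT GENERATED INDIVIDUAL
+# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
+# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
+# UNCOMMENT THIS LINE OUT.
+;duplicate-cn
+
+# The keepalive directive causes ping-like
+# messages to be sent back and forth over
+# the link so that each side knows when
+# the other side has gone down.
+# Ping every 10 seconds, assume that remote
+# peer is down if no ping received during
+# a 120 second time period.
+keepalive 10 120
+
+cipher AES-256-CBC # AES
+
+# Enable compression on the VPN link.
+# If you enable it here, you must also
+# enable it in the client config file.
+#comp-lzo
+
+# The persist options will try to avoid
+# accessing certain resources on restart
+# that may no longer be accessible because
+# of the privilege downgrade.
+persist-key
+persist-tun
+
+# Output a short status file showing
+# current connections, truncated
+# and rewritten every minute.
+status openvpn-status.log
+
+# Set the appropriate level of log
+# file verbosity.
+#
+# 0 is silent, except for fatal errors
+# 4 is reasonable for general usage
+# 5 and 6 can help to debug connection problems
+# 9 is extremely verbose
+verb 3
+</file>
+
+===== RIP routování =====
+
+apt-get install bird
+apt-get install bird-doc
+
+systemctl enable bird
+
+
+<file txt /etc/bird/bird.conf>
+
+router id 198.51.100.1;
+
+protocol direct {
+interface "eth1"; # LAN network
+}
+
+protocol kernel {
+persist; # Don't remove routes on bird shutdown
+scan time 20; # Scan kernel routing table every 20 seconds
+export all; # Default is export none
+}
+
+protocol device {
+scan time 10; # Scan interfaces every 10 seconds
+}
+
+protocol static {
+}
+
+protocol rip MyRIP { # You can also use an explicit name
+debug all;
+interface "eth1", "tap0" { mode multicast; };
+import filter { print "importing"; accept; };
+export filter { print "exporting"; accept; };
+}
+
+</file>
+
+systemctl start bird
+
+===== Debugging =====
+
+==== OpenVPN v popředí ====
+
+/etc/init.d/openvpn stop
+/usr/sbin/openvpn --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.conf
+/etc/init.d/openvpn start
+
+==== RIP ====
+apt-get install tcpdump
+
+tcpdump -i any -n udp and port 520 -vv
+
+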
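Review bot: The server.conf on this page never drops privileges — the comment above `persist-key` / `persist-tun` refers to a privilege downgrade, but no `user nobody` / `group nogroup` directives follow it, so the daemon stays root after the tunnel is up. The same file has no `crl-verify`, so revoking one of the client certificates built with `./build-key` above would have no effect on the server, and no `tls-auth` / `tls-crypt` key, so the TCP/1194 listener completes TLS handshakes with any source; adding `user nobody`, `group nogroup` and `crl-verify crl.pem` (with the CRL generated from the same CA directory) would close the first two gaps. In bird.conf the RIP protocol is bound to `tap0` with `import filter { ... accept; }` and no `authentication`, so presumably any connected VPN client can advertise routes that `protocol kernel { export all; }` then installs into the server's kernel table; enabling RIP authentication on that interface (bird's `authentication` option with a `password`) and restricting the import filter to the expected LAN prefixes would limit this. `debug all` and the `print` calls in both filters are also worth removing once routing works, since they log every update.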