
linux:openvpn [15.02.2019 22:57] (aktuální)
vm vytvořeno
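--- a/linux/openvpn.txt
+++ b/linux/openvpn.txt
@@ -1 +1,184 @@
+====== OpenVPN ======
+
+===== Certifikační autorita =====
+  make-cadir /​etc/​openvpn/​ca
+
+  cd /​etc/​openvpn/​ca
+  source vars
+  ./clean-all
+  ./build-ca
+
+  ./​build-key-server ovpn.mysh.cz
+  ./build-dh
+  ./build-key kosire.client.vpn.mysh.cz
+  ./build-key limuzska.client.vpn.mysh.cz
+
+===== Routování =====
+
+Jednorázově ​
+  cat /​proc/​sys/​net/​ipv4/​ip_forward
+  echo 1 > /​proc/​sys/​net/​ipv4/​ip_forward
+
+Pro trvalé je je potřeba povolit ''​ip_forward''​ v ''/​etc/​sysctl.conf''​.
+
+===== Server =====
+Konfigurace pro server.
+
+<file txt /​etc/​openvpn/​server.conf>​
+#################################################​
+# Sample OpenVPN 2.0 config file for            #
+# multi-client server. ​                         #
+#################################################​
+
+port 1194
+
+# TCP or UDP server?
+proto tcp
+;proto udp
+
+# "dev tun" will create a routed IP tunnel,
+# "dev tap" will create an ethernet tunnel.
+# Use "dev tap0" if you are ethernet bridging
+# and have precreated a tap0 virtual interface
+# and bridged it with your ethernet interface.
+# If you want to control access policies
+# over the VPN, you must create firewall
+# rules for the the TUN/TAP interface.
+
+dev tap
+;dev tun
+
+ca ca.crt
+cert ovpn.mysh.cz.crt
+key ovpn.mysh.cz.key  ​
+
+# Diffie hellman parameters.
+# Generate your own with:
+#   ​openssl dhparam -out dh1024.pem 1024
+# Substitute 2048 for 1024 if you are using
+# 2048 bit keys.
+dh dh2048.pem
+
+# Configure server mode and supply a VPN subnet
+# for OpenVPN to draw client addresses from.
+# The server will take 10.8.0.1 for itself,
+# the rest will be made available to clients.
+# Each client will be able to reach the server
+# on 10.8.0.1. Comment this line out if you are
+# ethernet bridging. See the man page for more info.
+server 10.8.0.0 255.255.255.0
+
+# Maintain a record of client <-> virtual IP address
+# associations in this file.  If OpenVPN goes down or
+# is restarted, reconnecting clients can be assigned
+# the same virtual IP address from the pool that was
+# previously assigned.
+ifconfig-pool-persist ipp.txt
+
+# Uncomment this directive to allow different
+# clients to be able to "​see"​ each other.
+# By default, clients will only see the server.
+# To force clients to only see the server, you
+# will also need to appropriately firewall the
+# server'​s TUN/TAP interface.
+client-to-client
+
+# IF YOU HAVE NOT GENERATED INDIVIDUAL
+# CERTIFICATE/​KEY PAIRS FOR EACH CLIENT,
+# EACH HAVING ITS OWN UNIQUE "​COMMON NAME",
+# UNCOMMENT THIS LINE OUT.
+;​duplicate-cn
+
+# The keepalive directive causes ping-like
+# messages to be sent back and forth over
+# the link so that each side knows when
+# the other side has gone down.
+# Ping every 10 seconds, assume that remote
+# peer is down if no ping received during
+# a 120 second time period.
+keepalive 10 120
+
+cipher AES-256-CBC ​  # AES
+
+# Enable compression on the VPN link.
+# If you enable it here, you must also
+# enable it in the client config file.
+#comp-lzo
+
+# The persist options will try to avoid
+# accessing certain resources on restart
+# that may no longer be accessible because
+# of the privilege downgrade.
+persist-key
+persist-tun
+
+# Output a short status file showing
+# current connections,​ truncated
+# and rewritten every minute.
+status openvpn-status.log
+
+# Set the appropriate level of log
+# file verbosity.
+#
+# 0 is silent, except for fatal errors
+# 4 is reasonable for general usage
+# 5 and 6 can help to debug connection problems
+# 9 is extremely verbose
+verb 3
+</​file>​
+
+===== RIP routování =====
+
+  apt-get install bird
+  apt-get install bird-doc
+ 
+  systemctl enable bird
+  ​
+  ​
+<file txt /​etc/​bird/​bird.conf>​
+
+router id 198.51.100.1;​
+
+protocol direct {
+        interface "​eth1"; ​      # LAN network
+}
+
+protocol kernel {
+        persist; ​               # Don't remove routes on bird shutdown
+        scan time 20;           # Scan kernel routing table every 20 seconds
+        export all;             # Default is export none
+}
+
+protocol device {
+        scan time 10;           # Scan interfaces every 10 seconds
+}
+
+protocol static {
+}
+
+protocol rip MyRIP {    # You can also use an explicit name
+        debug all;
+        interface "​eth1",​ "​tap0"​ { mode multicast; };
+        import filter { print "​importing";​ accept; };
+        export filter { print "​exporting";​ accept; };
+}
+
+</​file>​
+
+  systemctl start bird
+
+===== Debugging =====
+
+==== OpenVPN v popředí ====
+
+  /​etc/​init.d/​openvpn stop
+  /​usr/​sbin/​openvpn ​ --status /​run/​openvpn/​server.status 10 --cd /​etc/​openvpn --config /​etc/​openvpn/​server.conf
+  /​etc/​init.d/​openvpn start
+
+==== RIP ====
+  apt-get install tcpdump
+
+  tcpdump -i any -n udp and port 520 -vv
+
+
 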
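Review bot: The `protocol rip MyRIP` block in bird.conf accepts every route it hears on `tap0` (`import filter { print "importing"; accept; };`) and the kernel protocol then installs them (`export all;`), so with `client-to-client` enabled in server.conf any connected VPN client can push arbitrary prefixes into the server's routing table with no check at all; the import filter should be narrowed to the prefixes the two named clients are expected to announce, and the RIP interfaces should carry authentication (e.g. `authentication cryptographic;` plus a `password` entry, value to be supplied out of band) rather than running unauthenticated multicast. In server.conf the comment above `persist-key` / `persist-tun` talks about a "privilege downgrade", but the directives that perform it (`user nobody`, `group nogroup` from the sample config) were not carried over, so the daemon keeps root for its whole lifetime; either add those two lines above `persist-key` or drop the comment so it does not mislead. The `dh dh2048.pem` line sits under a comment that still documents generating `dh1024.pem`, which should be updated to match. `debug all` together with the `print` statements in both RIP filters logs every single update; that is fine for the Debugging section but should be noted as temporary in a config that is `systemctl enable`d.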
linux/openvpn.txt · Poslední úprava: 15.02.2019 22:57 autor: vm