Obsah

OpenVPN

Certifikační autorita

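# Build the OpenVPN PKI with easy-rsa 2: CA, server certificate, DH parameters
# and one certificate per client. Every build-* step is interactive and
# prompts for the DN fields.
#
# Stop if make-cadir fails (e.g. the directory already exists): continuing
# would run clean-all below inside a CA that is already in use.
make-cadir /etc/openvpn/ca || exit 1
# Stop if the cd fails, otherwise 'source vars' and clean-all would act on
# whatever the current directory happens to be.
cd /etc/openvpn/ca || exit 1
source vars
# clean-all wipes the keys directory -- only for a fresh CA.
./clean-all
./build-ca
./build-key-server ovpn.mysh.cz
# build-dh names its output after KEY_SIZE in vars (dh<KEY_SIZE>.pem);
# server.conf below references dh2048.pem, so KEY_SIZE must be 2048 here.
./build-dh
# One key pair per client, so duplicate-cn can stay disabled in server.conf.
./build-key kosire.client.vpn.mysh.cz
./build-key limuzska.client.vpn.mysh.cz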

Routování

Jednorázově

# Show the current forwarding state, then enable it for this boot only
# (the persistent setting lives in /etc/sysctl.conf). Forwarding applies to
# every interface, so traffic that must not be routed between the LAN and
# tap0 has to be filtered with firewall rules.
cat /proc/sys/net/ipv4/ip_forward
printf '%s\n' 1 > /proc/sys/net/ipv4/ip_forward

Pro trvalé nastavení je potřeba povolit ip_forward v /etc/sysctl.conf.

Server

Konfigurace pro server.

/etc/openvpn/server.conf
#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#################################################
# Instance notes for this page: TCP transport, a tap (layer-2) tunnel so the
# RIP multicast from bird (below) reaches the clients, and client-to-client
# enabled. Anything this file does not set is left at the OpenVPN default.
 
port 1194
 
# TCP or UDP server?
proto tcp
;proto udp
 
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# tap (not tun) on this page: with client-to-client below every client shares
# one ethernet segment and sees the others' broadcast/multicast traffic.
 
dev tap
;dev tun
 
# CA and server key pair produced by the easy-rsa steps above (build-ca,
# build-key-server ovpn.mysh.cz). Paths are relative to --cd /etc/openvpn.
# NOTE(review): the .key file must stay readable by root only.
ca ca.crt
cert ovpn.mysh.cz.crt
key ovpn.mysh.cz.key  
 
# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh2048.pem 2048
# (the sample's 1024-bit variant is below current recommendations).
# On this page the file comes from ./build-dh, which names it after KEY_SIZE
# in the easy-rsa vars -- confirm it produced dh2048.pem.
dh dh2048.pem
 
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
# Kept here: tap without bridging still draws client addresses from this pool.
server 10.8.0.0 255.255.255.0
 
# Maintain a record of client <-> virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt
 
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
# Enabled on this page: the kosire and limuzska clients reach each other
# directly; nothing in this file restricts what they may send each other.
client-to-client
 
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
# Left disabled: each client got its own build-key above, so only one
# session per common name is active at a time.
;duplicate-cn
 
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
 
cipher AES-256-CBC   # AES-256 in CBC mode for the data channel
# No 'auth' directive, so the data-channel HMAC digest is OpenVPN's default.
# NOTE(review): no tls-auth/tls-crypt key and no crl-verify are configured:
# the TLS handshake is reachable from any source address, and revoking one
# of the client certificates built above has no effect until a CRL is
# generated and referenced here.
 
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
# Left off on this page.
#comp-lzo
 
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
# NOTE(review): this file sets no 'user'/'group' directive, so there is no
# privilege downgrade -- the daemon keeps root for its whole lifetime.
persist-key
persist-tun
 
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
# Lists each connected client's common name and real address. The foreground
# run in the debugging section writes it to /run/openvpn/server.status
# instead of this path (relative to --cd /etc/openvpn).
status openvpn-status.log
 
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

RIP routování

# Install the bird routing daemon and its documentation (one apt-get run
# per package, as on the original page), then enable it at boot.
for pkg in bird bird-doc; do
  apt-get install "$pkg"
done
systemctl enable bird

/etc/bird/bird.conf
# bird configuration for this host: announce the LAN (eth1) over RIP to the
# OpenVPN clients on tap0 and install what they announce into the kernel.
router id 198.51.100.1;
 
protocol direct {
        interface "eth1";       # LAN network
}
 
protocol kernel {
        persist;                # Don't remove routes on bird shutdown
        scan time 20;           # Scan kernel routing table every 20 seconds
        export all;             # Default is export none
                                # -> every route bird accepts, including
                                # everything learnt via RIP below, lands in
                                # the kernel routing table
}
 
protocol device {
        scan time 10;           # Scan interfaces every 10 seconds
}
 
# No static routes on this host.
protocol static {
}
 
protocol rip MyRIP {    # You can also use an explicit name
        debug all;              # Logs every packet and route event; noisy
                                # in production, useful with the tcpdump
                                # in the debugging section
        interface "eth1", "tap0" { mode multicast; };
                                # tap0 is the OpenVPN tap interface: any
                                # connected VPN client can send RIP updates
                                # to it
        import filter { print "importing"; accept; };
                                # NOTE(review): accepts every route from any
                                # neighbour and no RIP 'authentication' is
                                # configured, so a single VPN client can
                                # change this host's kernel routes; restrict
                                # the prefixes accepted here and enable
                                # authentication on both sides
        export filter { print "exporting"; accept; };
}
# Start the daemon now (enable above only covers the next boot).
systemctl start bird.service

Debugging

OpenVPN v popředí

# Stop the service, run the same server config in the foreground (status
# file rewritten every 10 s; log level comes from 'verb' in server.conf),
# then bring the service back once done.
/etc/init.d/openvpn stop
openvpn_args=(
  --status /run/openvpn/server.status 10
  --cd /etc/openvpn
  --config /etc/openvpn/server.conf
)
/usr/sbin/openvpn "${openvpn_args[@]}"
/etc/init.d/openvpn start

RIP

# Install tcpdump and watch RIP (UDP port 520) on every interface:
# -n skips name resolution, -vv decodes the RIP entries in each packet.
apt-get install tcpdump
tcpdump -vv -n -i any 'udp and port 520'