Below, the differences between two revisions of the page.
doc:reseau:vpn:openvpn [27/05/2016 16:11] kawer created
doc:reseau:vpn:openvpn [23/10/2016 19:35] kawer
Ligne 1: | Ligne 1: | ||
- | ====== Titre de Votre Tuto ====== | + | ====== OPENVPN Serveur et Client ====== |
* Objet : du tuto Configuration d'un serveur openvpn | * Objet : du tuto Configuration d'un serveur openvpn | ||
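Review bot: the "Objet" line kept in this hunk still reads like the template placeholder ("Objet : du tuto Configuration d'un serveur openvpn") and only mentions the server, while the new title promises both server and client; reword it to something like "Objet du tuto : configuration d'un serveur et d'un client OpenVPN" so the summary matches the retitled page.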
Ligne 231: | Ligne 231: | ||
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE | iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE | ||
</code> | </code> | ||
+ | |||
+ | == On génère les certificats pour le client == | ||
+ | |||
+ | <code=root>cd /etc/openvpn/easy-rsa/</code> | ||
+ | <code=root>source vars</code> | ||
+ | <code=root>./build-key clientCert</code> | ||
+ | |||
+ | Qui donne ce qui suit : **(remplacez [clientCert]:debianFacile par le nom de votre client) | ||
+ | ** | ||
+ | <code=bash>Generating a 2048 bit RSA private key | ||
+ | ...........................................+++ | ||
+ | ......................................................+++ | ||
+ | writing new private key to 'monlaptopcert.key' | ||
+ | ----- | ||
+ | You are about to be asked to enter information that will be incorporated | ||
+ | into your certificate request. | ||
+ | What you are about to enter is what is called a Distinguished Name or a DN. | ||
+ | There are quite a few fields but you can leave some blank | ||
+ | For some fields there will be a default value, | ||
+ | If you enter '.', the field will be left blank. | ||
+ | ----- | ||
+ | Country Name (2 letter code) [US]: | ||
+ | State or Province Name (full name) [CA]: | ||
+ | Locality Name (eg, city) [SanFrancisco]: | ||
+ | Organization Name (eg, company) [Fort-Funston]: | ||
+ | Organizational Unit Name (eg, section) [MyOrganizationalUnit]: | ||
+ | Common Name (eg, your name or your server's hostname) [clientCert]:debianFacile | ||
+ | Name [EasyRSA]: | ||
+ | Email Address [me@myhost.mydomain]: | ||
+ | |||
+ | Please enter the following 'extra' attributes | ||
+ | to be sent with your certificate request | ||
+ | A challenge password []: | ||
+ | An optional company name []: | ||
+ | Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf | ||
+ | Check that the request matches the signature | ||
+ | Signature ok | ||
+ | The Subject's Distinguished Name is as follows | ||
+ | countryName :PRINTABLE:'US' | ||
+ | stateOrProvinceName :PRINTABLE:'CA' | ||
+ | localityName :PRINTABLE:'SanFrancisco' | ||
+ | organizationName :PRINTABLE:'Fort-Funston' | ||
+ | organizationalUnitName:PRINTABLE:'MyOrganizationalUnit' | ||
+ | commonName :PRINTABLE:'debianFacile' | ||
+ | name :PRINTABLE:'EasyRSA' | ||
+ | emailAddress :IA5STRING:'me@myhost.mydomain' | ||
+ | Certificate is to be certified until Jun 19 20:05:45 2025 GMT (3650 days) | ||
+ | Sign the certificate? [y/n]:y | ||
+ | |||
+ | |||
+ | 1 out of 1 certificate requests certified, commit? [y/n]y | ||
+ | Write out database with 1 new entries | ||
+ | Data Base Updated | ||
+ | </code> | ||
+ | |||
+ | === Sur le poste client === | ||
+ | |||
+ | ==On récupère les certificats sur le serveur : == | ||
+ | <code=bash> | ||
+ | scp root@serveur:/etc/openvpn/easy-rsa/keys/ca.crt /tmp | ||
+ | scp root@serveur:/etc/openvpn/easy-rsa/keys/clientCert.crt /tmp | ||
+ | scp root@serveur:/etc/openvpn/easy-rsa/keys/clientCert.key /tmp | ||
+ | </code> | ||
+ | |||
+ | ==On installe openvpn :== | ||
+ | <code=root> | ||
+ | sudo apt-get update | ||
+ | sudo apt-get install openvpn | ||
+ | </code> | ||
+ | |||
+ | ==On copie le le fichier de configuration et certificats == | ||
+ | <code=root> | ||
+ | cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/ | ||
+ | cd /etc/openvpn | ||
+ | mkdir -p keys | ||
+ | cd keys | ||
+ | cp /tmp/ca.crt . | ||
+ | cp /tmp/clientCert.key . | ||
+ | cp /tmp/clientCert.crt . | ||
+ | </code> | ||
+ | |||
+ | == Modification du fichier de configuration == | ||
+ | **Changer le chemin du serveur et des certificats dans /etc/openvpn/client.conf** | ||
+ | <code> | ||
+ | remote monServeurOpenVPN 1194 | ||
+ | ca /etc/openvpn/keys/ca.crt | ||
+ | cert /etc/openvpn/keys/clientCert.crt | ||
+ | key /etc/openvpn/keys/clientCert.key | ||
+ | </code> | ||
+ | |||
+ | == Test de connection == | ||
+ | <code=root> | ||
+ | openvpn /etc/openvpn/client.conf</code> | ||
+ | |||
+ | **Vous devez obtenir en fin de séquence :** | ||
+ | <code>Initialization Sequence Completed</code> | ||
+ | |||
+ | Si tel est le cas, vérifié que tun0 est bien listé avec **ifconfig**, puis vérifié votre ip par exemple en allant sur [[http://ifconfig.me/ | ||
+ | ]], si tout est ok, on ferme la console openvpn en pensant a faire un **Ctrl+C** | ||
+ | |||
+ | == on démarre openvpn== | ||
+ | <code=root>service openvpn start</code> | ||
+ | |||
+ | |||
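Review bot: the client's private key is generated on the server and then handed around in the clear, which is the main thing to fix in this hunk: `./build-key clientCert` creates the key in the server's easy-rsa keys directory, `scp root@serveur:/etc/openvpn/easy-rsa/keys/clientCert.key /tmp` puts a second copy in the client's shared /tmp, and the `cp /tmp/clientCert.key .` step leaves that copy behind, so the key ends up in three places and one of them is a world-readable directory. The cleaner procedure is to generate the key on the client and send only a request to be signed (easy-rsa's `build-req clientCert` on the client, `sign-req clientCert` on the server, then copy back only clientCert.crt and ca.crt); if the tutorial keeps the server-side generation, it should at least replace the `cp` lines with `mv`, delete the server-side copy of the .key once it has been transferred, and add `chmod 600 /etc/openvpn/keys/clientCert.key` so the file is not readable by other local users. Two smaller points: the pasted transcript says "writing new private key to 'monlaptopcert.key'" although the command shown is `./build-key clientCert`, so the output comes from a different run and should be re-captured or edited to say clientCert.key; and the install block is tagged `<code=root>` but uses `sudo apt-get`, so pick one (the other root blocks on the page drop the `sudo`). Finally, the configuration section only rewrites `remote`, `ca`, `cert` and `key`; before publishing, check the copied sample client.conf for an active `tls-auth ta.key 1` line (if the server side uses tls-auth, ta.key must be copied along with the certificates or the handshake will fail) and, if the server certificate was issued with build-key-server, uncomment `remote-cert-tls server` so that a leaked client certificate cannot be used to impersonate the VPN server.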