Title of Your Tutorial

This technique creates an encrypted link between your machine and a server hosted on the Internet (for example at a provider located in France or abroad). All your Internet traffic will then appear to come from the IP address of that VPN server rather than from your machine's own address.

OpenVPN is not an IPsec VPN. It is an SSL/TLS VPN built on an IP tunnel (UDP or TCP, your choice) that is authenticated and encrypted using the OpenSSL library.

Some advantages of SSL VPN tunnels:

  Easily traverses NATed networks (no configuration needed)
  Client software available on **GNU/Linux, BSD, Windows and Mac OS X**


Start by installing OpenVPN from the official repositories:

apt-get update && apt-get install openvpn

Create the certificate authority (CA) certificate:


You should get the following; feel free to change the contents:

Generating a 2048 bit RSA private key
writing new private key to 'ca.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:

Generate the Diffie-Hellman parameters, which are used by the key exchange that protects each session:


Which gives:

Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time

Generate the server certificate:

./build-key-server srvcert

Which gives the following (replace debian-facile with the name of your server):

Generating a 2048 bit RSA private key
writing new private key to 'srvcert.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [srvcert]:debian-facile
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
commonName            :PRINTABLE:'debian-facile'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Jun 19 19:40:11 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Create the configuration file:

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf

Configure server.conf:

nano /etc/openvpn/server.conf

Uncomment or add the following lines:

user nobody
group nogroup
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/srvcert.crt
key /etc/openvpn/easy-rsa/keys/srvcert.key  # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS"
push "dhcp-option DNS"

(replace the two DNS addresses with your preferred DNS servers)
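As an added check, written for this page and not part of OpenVPN or of the original tutorial, the following POSIX shell script lints the server.conf built above before the daemon is started. It verifies that the four PKI files are referenced and exist, that the private key is readable by its owner only (an assumed 0600 policy, not something the tutorial states), that privileges are dropped to nobody/nogroup, that redirect-gateway is pushed, and that every pushed dhcp-option DNS actually carries an address (a bare `push "dhcp-option DNS"` configures no resolver on the client).

```shell
#!/bin/sh
# Sanity-check an OpenVPN server.conf before starting the daemon.
# Added example for this tutorial; not part of OpenVPN or the Debian-Facile wiki.
# Assumptions (not in the tutorial): file paths in the config are absolute and
# the server key must be readable by its owner only (mode 0600).

# Print the value of the first uncommented occurrence of a directive.
conf_get() {
    awk -v d="$2" '
        /^[ \t]*[#;]/ { next }                 # skip comment lines
        $1 == d {
            sub(/[ \t]*#.*$/, "")              # drop an inline comment
            sub(/^[ \t]*[^ \t]+[ \t]*/, "")    # drop the directive name
            print; exit
        }' "$1"
}

# Count uncommented "push" lines whose quoted option matches an ERE.
count_push() {
    grep -Ec "^[[:space:]]*push[[:space:]]+\"$2" "$1" || true
}

fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

# Exit status is the number of problems found (0 = config looks sane).
check_openvpn_conf() {
    conf=$1; fails=0
    # The four PKI files generated earlier must be referenced and present.
    for d in ca cert key dh; do
        v=$(conf_get "$conf" "$d")
        if [ -z "$v" ]; then fail "no '$d' directive"
        elif [ ! -f "$v" ]; then fail "$d file '$v' not found"
        fi
    done
    # The key is the one secret in the set: group/other bits must be clear.
    k=$(conf_get "$conf" key)
    if [ -n "$k" ] && [ -f "$k" ] && [ "$(ls -l "$k" | cut -c5-10)" != "------" ]; then
        fail "$k is readable by group or others (chmod 600 it)"
    fi
    # Privileges must be dropped once the tunnel is up.
    [ "$(conf_get "$conf" user)" = nobody ]   || fail "expected 'user nobody'"
    [ "$(conf_get "$conf" group)" = nogroup ] || fail "expected 'group nogroup'"
    # Full-tunnel setup: the default route must be pushed to clients.
    [ "$(count_push "$conf" 'redirect-gateway')" -ge 1 ] || fail "redirect-gateway is not pushed"
    # Every pushed DNS option must carry an IPv4 address.
    dns=$(count_push "$conf" 'dhcp-option DNS')
    dns_ok=$(count_push "$conf" 'dhcp-option DNS [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+')
    if [ "$dns" -eq 0 ]; then fail "no DNS server pushed"
    elif [ "$dns" -ne "$dns_ok" ]; then fail "a pushed dhcp-option DNS has no address"
    fi
    return "$fails"
}

if [ $# -eq 1 ]; then check_openvpn_conf "$1"; fi
```

Run it as `sh check-openvpn-conf.sh /etc/openvpn/server.conf`. It prints one FAIL line per problem and exits with the number of problems, so it can gate the `service openvpn start` step below.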

Test the OpenVPN configuration by running it in the foreground (stop it with Ctrl+C once you have seen the output):

service openvpn stop
openvpn /etc/openvpn/server.conf

You should get something like the following:

Fri May 27 15:41:06 2016 OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 12 2015
Fri May 27 15:41:06 2016 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08
Fri May 27 15:41:06 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri May 27 15:41:06 2016 Diffie-Hellman initialized with 2048 bit key
Fri May 27 15:41:06 2016 Socket Buffers: R=[229376->131072] S=[229376->131072]
Fri May 27 15:41:06 2016 ROUTE_GATEWAY
Fri May 27 15:41:06 2016 TUN/TAP device tun0 opened
Fri May 27 15:41:06 2016 TUN/TAP TX queue length set to 100
Fri May 27 15:41:06 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri May 27 15:41:06 2016 /sbin/ip link set dev tun0 up mtu 1500
Fri May 27 15:41:06 2016 /sbin/ip addr add dev tun0 local peer
Fri May 27 15:41:06 2016 /etc/openvpn/update-resolv-conf tun0 1500 1542 init
Fri May 27 15:41:06 2016 /sbin/ip route add via
Fri May 27 15:41:06 2016 GID set to nogroup
Fri May 27 15:41:06 2016 UID set to nobody
Fri May 27 15:41:06 2016 UDPv4 link local (bound): [undef]
Fri May 27 15:41:06 2016 UDPv4 link remote: [undef]
Fri May 27 15:41:06 2016 MULTI: multi_init called, r=256 v=256
Fri May 27 15:41:06 2016 IFCONFIG POOL: base= size=62, ipv6=0
Fri May 27 15:41:06 2016 IFCONFIG POOL LIST
Fri May 27 15:41:06 2016 Initialization Sequence Completed

ifconfig tun0

Should return something like:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:  P-t-P:  Mask:
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

If the test went well, start the service for real:

service openvpn start

Enable IP forwarding:

nano /etc/sysctl.conf

Uncomment the line that enables IPv4 forwarding


Apply the new settings:

sysctl -p /etc/sysctl.conf

Add the iptables rules:

see here: https://debian-facile.org/doc:reseau:iptables

iptables -t filter -P FORWARD ACCEPT
iptables -t filter -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

Only one of the two POSTROUTING rules is needed: the first masquerades every packet forwarded out of eth0, the second (with -s followed by the VPN subnet) only traffic coming from the VPN, which is the one to prefer. These rules live in the kernel only; save them (iptables-save) or put them in a script run at boot, otherwise they are gone after a reboot.
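The forwarding and NAT setup above can be made repeatable and narrower. The script below is an added example for this page, not code from the tutorial or from the OpenVPN project. It assumes the defaults of the sample server.conf (VPN subnet 10.8.0.0/24, tunnel interface tun0, outbound interface eth0), all passed as arguments. It uses `iptables -C` so that re-running it never duplicates rules, replaces the blanket `-P FORWARD ACCEPT` with a DROP policy plus rules that forward only the VPN subnet and its replies, and masquerades only that subnet.

```shell
#!/bin/sh
# Idempotent forwarding/NAT setup for an OpenVPN server.
# Added example for this tutorial; not part of OpenVPN or the Debian-Facile wiki.
# Assumptions (not in the tutorial): VPN subnet 10.8.0.0/24 (default of the
# sample server.conf), tunnel interface tun0, outbound interface eth0.
IPT=${IPT:-iptables}

# Append a rule only if an identical one is not already present.
# "iptables -C" exits non-zero when the rule is missing, so running the
# script twice never duplicates rules (a plain "-A" would).
add_rule() {
    table=$1; chain=$2; shift 2
    $IPT -t "$table" -C "$chain" "$@" 2>/dev/null || $IPT -t "$table" -A "$chain" "$@"
}

# Usage: apply_vpn_nat <vpn-subnet/cidr> <tun-iface> <wan-iface>
apply_vpn_nat() {
    subnet=$1; tun=$2; wan=$3
    # The kernel must route between tun0 and eth0 (same effect as the sysctl.conf line).
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    # Let OpenVPN clients in on UDP/1194 (the sample server.conf default port).
    add_rule filter INPUT -p udp --dport 1194 -j ACCEPT
    # Drop forwarded traffic by default, then allow only the VPN subnet out
    # through the WAN interface and the replies back in.
    $IPT -P FORWARD DROP
    add_rule filter FORWARD -i "$tun" -o "$wan" -s "$subnet" -j ACCEPT
    add_rule filter FORWARD -i "$wan" -o "$tun" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # NAT only the VPN subnet, not every forwarded packet leaving eth0.
    add_rule nat POSTROUTING -s "$subnet" -o "$wan" -j MASQUERADE
}

if [ $# -eq 3 ]; then apply_vpn_nat "$@"; fi
```

Run it as root, for example `sh vpn-nat.sh 10.8.0.0/24 tun0 eth0`, then persist the result with `iptables-save` as the rules otherwise disappear at the next reboot. Adjust the port if you changed `port` in server.conf, and the subnet if you changed the `server` line.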
Feel free to share your comments, successes, improvements or failures!
