Vous n'êtes pas identifié(e).
L'icône rouge permet de télécharger chaque page du wiki visitée au format PDF et la grise au format ODT →
Ceci est une ancienne révision du document !
Nota :
Contributeurs, les sont là pour vous aider, supprimez-les une fois le problème corrigé ou le champ rempli !
Cette technique permet la création d'une liaison chiffrée entre votre machine et un serveur hébergé sur Internet (par exemple chez un fournisseur d’accès se trouvant en France ou à l'étranger).
Tous vos accès à Internet seront alors vus à partir de l'adresse IP de ce serveur VPN et non plus par celle de votre machine.
OpenVPN n'est pas un VPN IPSec. C'est un VPN SSL se basant sur la création d'un tunnel IP (UDP ou TCP au choix) authentifié et chiffré avec la bibliothèque OpenSSL.
Quelques avantages des tunnels VPN SSL :
apt-get update && apt-get install openvpn
cp -a /usr/share/easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa
source vars
./clean-all
./build-ca
Vous devriez obtenir ce qui suit, libre à vous d'en changer le contenus :
Generating a 2048 bit RSA private key .................+++ ............................................................................................................................................................+++ writing new private key to 'ca.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [US]: State or Province Name (full name) [CA]: Locality Name (eg, city) [SanFrancisco]: Organization Name (eg, company) [Fort-Funston]: Organizational Unit Name (eg, section) [MyOrganizationalUnit]: Common Name (eg, your name or your server's hostname) [Fort-Funston CA]: Name [EasyRSA]: Email Address [me@myhost.mydomain]:
./build-dh
Qui donne :
Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time ..............+......................................................................................
./build-key-server srvcert
Qui donne ce qui suit : (remplacez debian-facile par le nom de votre serveur)
Generating a 2048 bit RSA private key ....+++ .................................+++ writing new private key to 'srvcert.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [US]: State or Province Name (full name) [CA]: Locality Name (eg, city) [SanFrancisco]: Organization Name (eg, company) [Fort-Funston]: Organizational Unit Name (eg, section) [MyOrganizationalUnit]: Common Name (eg, your name or your server's hostname) [srvcert]:debian-facile Name [EasyRSA]: Email Address [me@myhost.mydomain]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'US' stateOrProvinceName :PRINTABLE:'CA' localityName :PRINTABLE:'SanFrancisco' organizationName :PRINTABLE:'Fort-Funston' organizationalUnitName:PRINTABLE:'MyOrganizationalUnit' commonName :PRINTABLE:'debian-facile' name :PRINTABLE:'EasyRSA' emailAddress :IA5STRING:'me@myhost.mydomain' Certificate is to be certified until Jun 19 19:40:11 2025 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
nano /etc/openvpn/server.conf
décommentez ou ajoutez les lignes suivantes :
user nobody group nogroup --- ca /etc/openvpn/easy-rsa/keys/ca.crt cert /etc/openvpn/easy-rsa/keys/srvcert.crt key /etc/openvpn/easy-rsa/keys/srvcert.key # This file should be kept secret --- dh /etc/openvpn/easy-rsa/keys/dh2048.pem --- push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4"
remplacez 8.8.8.8 et 8.8.4.4 par vos dns favoris)
service openvpn stop
openvpn /etc/openvpn/server.conf
Vous devriez obtenir quelque chose comme suit :
Thu Dec 22 18:27:00 2016 OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 12 2015 Thu Dec 22 18:27:00 2016 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08 Thu Dec 22 18:27:00 2016 Diffie-Hellman initialized with 2048 bit key Thu Dec 22 18:27:00 2016 Socket Buffers: R=[212992->131072] S=[212992->131072] Thu Dec 22 18:27:00 2016 ROUTE_GATEWAY 213.32.16.1 Thu Dec 22 18:27:00 2016 TUN/TAP device tun0 opened Thu Dec 22 18:27:00 2016 TUN/TAP TX queue length set to 100 Thu Dec 22 18:27:00 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 Thu Dec 22 18:27:00 2016 /sbin/ip link set dev tun0 up mtu 1500 Thu Dec 22 18:27:00 2016 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2 Thu Dec 22 18:27:00 2016 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2 Thu Dec 22 18:27:00 2016 GID set to nogroup Thu Dec 22 18:27:00 2016 UID set to nobody Thu Dec 22 18:27:00 2016 UDPv4 link local (bound): [undef] Thu Dec 22 18:27:00 2016 UDPv4 link remote: [undef] Thu Dec 22 18:27:00 2016 MULTI: multi_init called, r=256 v=256 Thu Dec 22 18:27:00 2016 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0 Thu Dec 22 18:27:00 2016 IFCONFIG POOL LIST Thu Dec 22 18:27:00 2016 Initialization Sequence Completed
ifconfig tun0
Devrait vous retourner :
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B
service openvpn start
nano /etc/sysctl.conf
net.ipv4.ip_forward=1
Activez le nouveau jeux de règle :
sysctl -p /etc/sysctl.conf
se référer ici : tuto Reseau iptable
iptables -t filter -P FORWARD ACCEPT iptables -t filter -A INPUT -p udp --dport 1194 -j ACCEPT iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
cd /etc/openvpn/easy-rsa/
source vars
./build-key clientCert
Qui donne ce qui suit : (remplacez [clientCert]:debianFacile par le nom de votre client)
Generating a 2048 bit RSA private key ...........................................+++ ......................................................+++ writing new private key to 'monlaptopcert.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [US]: State or Province Name (full name) [CA]: Locality Name (eg, city) [SanFrancisco]: Organization Name (eg, company) [Fort-Funston]: Organizational Unit Name (eg, section) [MyOrganizationalUnit]: Common Name (eg, your name or your server's hostname) [clientCert]:debianFacile Name [EasyRSA]: Email Address [me@myhost.mydomain]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'US' stateOrProvinceName :PRINTABLE:'CA' localityName :PRINTABLE:'SanFrancisco' organizationName :PRINTABLE:'Fort-Funston' organizationalUnitName:PRINTABLE:'MyOrganizationalUnit' commonName :PRINTABLE:'debianFacile' name :PRINTABLE:'EasyRSA' emailAddress :IA5STRING:'me@myhost.mydomain' Certificate is to be certified until Jun 19 20:05:45 2025 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
Récupérer les fichiers suivant dans /etc/openvpn/easy-rsa/keys/: scp : transfert de fichiers sécurisé entre machines
/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/clientCert.key
/etc/openvpn/easy-rsa/keys/clientCert.crt
sudo apt-get update
sudo apt-get install openvpn
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
cd /etc/openvpn
mkdir -p keys
cd keys
Coller dans le dossiers en cours (keys) les fichiers suivants :
ca.crt
clientCert.key
clientCert.crt
Changer le chemin du serveur et des certificats dans /etc/openvpn/client.conf
remote monServeurOpenVPN 1194 ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/clientCert.crt key /etc/openvpn/keys/clientCert.key
openvpn /etc/openvpn/client.conf
Vous devez obtenir en fin de séquence :
Initialization Sequence Completed
Si tel est le cas, vérifiez que tun0 est bien listé avec ifconfig, puis vérifiez votre ip par exemple en allant sur http://ifconfig.me/, si tout est ok, on ferme la console openvpn en pensant a faire un Ctrl+C
service openvpn start