OpenVPN Server

Installation

Install openvpn in whatever way suits you :-)

Create a user and a group.

groupadd openvpn
useradd openvpn -g openvpn

Configuration

mkdir /etc/openvpn
cd /etc/openvpn

Create the configuration file /etc/openvpn/openvpn.conf with the following content:

server 192.168.10.0 255.255.255.0
proto udp
port 1194
dev tun0
ifconfig-pool-persist /etc/openvpn/ipp.txt
ca /etc/openvpn/ca.crt
key /etc/openvpn/server.key
cert /etc/openvpn/server.crt
dh /etc/openvpn/dh1024.pem
keepalive 10 60
persist-key
persist-tun
log /var/log/openvpn.log
verb 3
client-to-client
daemon

SSL

Create the files needed for SSL. We assume two certificate authorities (CA1 and CA2): CA1 issues the server certificate and CA2 the client certificates. A single CA used for both purposes is enough, though.

server.key:

openssl req -new -nodes -out request.pem -keyout server.key -days 1098
chown openvpn:openvpn server.key
chmod 400 server.key

server.crt:
The command above also produced the file request.pem. Send it to a certificate authority (CA1) for signing (see vydanie_certifikatu); the CA produces server.crt. Once we have that certificate we no longer need request.pem, so it can be deleted.

dh1024.pem:

openssl dhparam -out dh1024.pem 1024

ca.crt:
In this setup it must contain the certificates of both CA2 and CA1. Obtain CA1's certificate and save it as ca.crt, then append CA2's certificate:

cat /etc/ssl/CA/cacert.pem >> ca.crt
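The bundle built above is easy to get wrong (one CA left out, or a key that does not belong to the certificate), and OpenVPN only reports such mistakes at handshake time. The script below is an added example and not part of the original page: it checks ca.crt, server.crt and server.key for exactly the properties this section requires (two CA certificates in the bundle, a server certificate that chains to one of them, a matching key, and a key readable only by its owner), and builds a constructed throwaway two-CA PKI in a temporary directory to run against. It assumes a POSIX shell and the openssl command line tool with its stock openssl.cnf (whose v3_ca section marks the self-signed certificates as CAs); the file names CA1.key, CA2.crt, ca2only.crt and the subject vpn.example.test are the example's own.

```shell
#!/bin/sh
# Sanity checks for the server-side PKI files from the SSL section.
# Added example, not from the original page. Assumes a POSIX shell plus the
# openssl CLI; the demo PKI built below is constructed for the example.

# count_certs FILE -> number of PEM certificates in a bundle
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# verify_server_pki CA_BUNDLE SERVER_CRT SERVER_KEY
# Prints one line per finding and always returns 0, so callers can count lines.
verify_server_pki() {
    ca=$1; crt=$2; key=$3
    # the page's ca.crt must carry both CA1 (server issuer) and CA2 (client issuer)
    [ "$(count_certs "$ca")" -ge 2 ] ||
        echo "ca bundle holds fewer than two certificates (CA1 and CA2 are both needed)"
    # the server certificate must chain to a CA present in the bundle
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        echo "server certificate does not verify against the ca bundle"
    # key and certificate must carry the same public key
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    cpub=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null || true)
    { [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]; } ||
        echo "server key does not match the server certificate"
    # the private key must not be readable or writable by group/others (chmod 400)
    [ -z "$(find "$key" -perm -004 -o -perm -040 -o -perm -002 -o -perm -020)" ] ||
        echo "server key is accessible to group or others"
    return 0
}

# count_findings CA_BUNDLE SERVER_CRT SERVER_KEY -> number of findings
count_findings() {
    verify_server_pki "$@" | wc -l | tr -d ' '
}

# build_demo_pki DIR -> constructed throwaway two-CA setup mirroring the page:
# CA1 signs the server, CA2 would sign clients, ca.crt bundles both.
build_demo_pki() {
    d=$1
    for name in CA1 CA2; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$name" \
            -keyout "$d/$name.key" -out "$d/$name.crt" 2>/dev/null
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
        -keyout "$d/server.key" -out "$d/request.pem" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/request.pem" -CA "$d/CA1.crt" \
        -CAkey "$d/CA1.key" -CAcreateserial -out "$d/server.crt" 2>/dev/null
    rm "$d/request.pem"                           # no longer needed, as on the page
    cat "$d/CA1.crt" "$d/CA2.crt" > "$d/ca.crt"   # the page's two-CA bundle
    cp "$d/CA2.crt" "$d/ca2only.crt"              # a mistaken single-CA bundle
    chmod 400 "$d/server.key"
}

if command -v openssl >/dev/null 2>&1; then
    PKI=$(mktemp -d)
    build_demo_pki "$PKI"
    echo "== correct bundle =="
    verify_server_pki "$PKI/ca.crt" "$PKI/server.crt" "$PKI/server.key"
    echo "== bundle without CA1 =="
    verify_server_pki "$PKI/ca2only.crt" "$PKI/server.crt" "$PKI/server.key"
fi
```

Run it against the real files as `verify_server_pki /etc/openvpn/ca.crt /etc/openvpn/server.crt /etc/openvpn/server.key`; an empty output means all four properties hold.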

Start

/etc/init.d/openvpn start
# or:
openvpn --config /etc/openvpn/openvpn.conf

OpenVPN Client

mkdir client
cd client

On the server, prepare the following files for the client:

openvpn.conf

vim openvpn.conf

File content:

client
dev tun
remote 147.175.168.240
port 1194
proto udp
nobind
user openvpn
group openvpn
ca /etc/openvpn/ca.crt
key /etc/openvpn/client.key
cert /etc/openvpn/client.crt
dh /etc/openvpn/dh1024.pem
log /var/log/openvpn
verb 3
daemon
redirect-gateway
persist-key
persist-tun

ca.crt

This is the CA1 certificate. It is usually the file /etc/ssl/CA/cacert.pem on the CA1 machine.

client.key

Generate it:

openssl req -new -nodes -out request.pem -keyout client.key -days 1098
chmod 600 client.key

It is safer if the client generates these files itself and hands us only request.pem for signing (see the next item).

client.crt

Have request.pem signed by CA2:

openssl ca -in request.pem -out client.crt

We no longer need it, so delete it:

rm request.pem

dh1024.pem

It is the same as for the server:

cp /etc/openvpn/dh1024.pem .

Send the contents of the client directory to the client, who copies it into /etc/openvpn and starts:

openvpn --config /etc/openvpn/openvpn.conf
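The server configuration at the top of the page never uses the openvpn user and group created during installation, so the daemon keeps running as root; the client configuration, on the other hand, drops privileges but never checks that the peer it talks to holds a server certificate. The script below is an added example, not code from the original page. It audits any OpenVPN config file for those directives (user, group, persist-key, persist-tun and, for clients, remote-cert-tls) and runs against constructed copies of the page's server and client files plus a hardened server variant that adds the page's own `user openvpn` / `group openvpn` lines. It assumes a POSIX shell with grep; the remote-cert-tls server check further assumes the server certificate was issued with the TLS server extended key usage, which the page's CA procedure does not show.

```shell
#!/bin/sh
# Audit an OpenVPN configuration for the privilege-drop and peer-verification
# directives the page's server and client files rely on. Added example, not
# from the original page; assumes one directive per line ('#' or ';' comments).

# has_directive FILE NAME -> true when NAME starts a non-comment line in FILE.
# The trailing word boundary keeps 'client' from matching 'client-to-client'.
has_directive() {
    grep -qE "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# audit_openvpn_conf FILE -> one finding per line; always returns 0 so the
# caller can count lines without tripping 'set -e'.
audit_openvpn_conf() {
    f=$1
    has_directive "$f" user ||
        echo "no 'user': the daemon keeps root after initialisation (add 'user openvpn')"
    has_directive "$f" group ||
        echo "no 'group': the daemon keeps its root group (add 'group openvpn')"
    if has_directive "$f" user || has_directive "$f" group; then
        # once privileges are dropped, key files and the tun device cannot be
        # reopened on a SIGUSR1 / ping-restart unless these two are set
        has_directive "$f" persist-key ||
            echo "'persist-key' missing: a restart could not re-read the keys as the unprivileged user"
        has_directive "$f" persist-tun ||
            echo "'persist-tun' missing: a restart could not reopen the tun device as the unprivileged user"
    fi
    if has_directive "$f" client; then
        # without it, any certificate issued by a CA in ca.crt is accepted as the server
        has_directive "$f" remote-cert-tls ||
            echo "'remote-cert-tls server' missing: the peer is not checked to hold a server certificate"
    fi
    return 0
}

# count_findings FILE -> number of findings for FILE
count_findings() {
    audit_openvpn_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample files: the page's server config, the same config with the
# openvpn user/group applied, and the page's client config.
CONFS=$(mktemp -d)
cat > "$CONFS/server-page.conf" <<'EOF'
server 192.168.10.0 255.255.255.0
proto udp
port 1194
dev tun0
ca /etc/openvpn/ca.crt
key /etc/openvpn/server.key
cert /etc/openvpn/server.crt
dh /etc/openvpn/dh1024.pem
keepalive 10 60
persist-key
persist-tun
client-to-client
daemon
EOF
{ cat "$CONFS/server-page.conf"; printf 'user openvpn\ngroup openvpn\n'; } > "$CONFS/server-hardened.conf"
cat > "$CONFS/client-page.conf" <<'EOF'
client
dev tun
remote 147.175.168.240
port 1194
proto udp
nobind
user openvpn
group openvpn
ca /etc/openvpn/ca.crt
key /etc/openvpn/client.key
cert /etc/openvpn/client.crt
persist-key
persist-tun
EOF

for c in server-page server-hardened client-page; do
    echo "== $c.conf =="
    audit_openvpn_conf "$CONFS/$c.conf"
done
```

Against the page's files this reports two findings for the server config (no user, no group), none for the hardened variant, and one for the client config (no remote-cert-tls); run `audit_openvpn_conf /etc/openvpn/openvpn.conf` on either machine to check the deployed file.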
openvpn.txt · Last modified: 31.03.2010 17:51 (external edit)