APLU » Historique » Version 2
Aymeric APLU, 11/06/2015 21:47
1 | 1 | Aymeric APLU | h1. De la config en vrac par rapport à TTN |
---|---|---|---|
2 | 1 | Aymeric APLU | |
3 | 1 | Aymeric APLU | By APLU |
4 | 1 | Aymeric APLU | |
5 | 1 | Aymeric APLU | h1. VPN |
6 | 1 | Aymeric APLU | |
7 | 1 | Aymeric APLU | h2. Tunnel VPN de type TUN via openvpn |
8 | 1 | Aymeric APLU | |
9 | 1 | Aymeric APLU | Le but de ce VPN est de faire passer IPv6 et IPv4 au sein du même tunnel pour être visible sur internet avec une l'ip de son serveur. |
10 | 1 | Aymeric APLU | |
11 | 1 | Aymeric APLU | h3. [Serveur] Prerequis |
12 | 1 | Aymeric APLU | |
13 | 1 | Aymeric APLU | * sudo |
14 | 1 | Aymeric APLU | * openvpn |
15 | 1 | Aymeric APLU | |
16 | 2 | Aymeric APLU | h3. [Serveur] Configuration NAT/ip forward |
17 | 2 | Aymeric APLU | |
18 | 2 | Aymeric APLU | dans sysctl.conf : |
19 | 2 | Aymeric APLU | |
20 | 2 | Aymeric APLU | <pre> |
21 | 2 | Aymeric APLU | net/ipv4/ip_forward=1 |
22 | 2 | Aymeric APLU | net/ipv6/conf/default/forwarding=1 |
23 | 2 | Aymeric APLU | net/ipv6/conf/all/forwarding=1 |
24 | 2 | Aymeric APLU | net/ipv6/conf/all/proxy_ndp=1 |
25 | 2 | Aymeric APLU | net.ipv6/conf/eth0/proxy_ndp=1 |
26 | 2 | Aymeric APLU | </pre> |
27 | 2 | Aymeric APLU | |
28 | 2 | Aymeric APLU | |
29 | 2 | Aymeric APLU | iptables : |
30 | 2 | Aymeric APLU | |
31 | 2 | Aymeric APLU | |
32 | 2 | Aymeric APLU | <pre> |
33 | 2 | Aymeric APLU | iptables -t nat -A POSTROUTING -s 10.42.42.0/24 -o eth0 -j MASQUERADE |
34 | 2 | Aymeric APLU | </pre> |
35 | 2 | Aymeric APLU | |
36 | 2 | Aymeric APLU | Si on a ufw il faut modifier /etc/ufw/before.rules, il y a de la doc sur internet. |
37 | 2 | Aymeric APLU | |
38 | 2 | Aymeric APLU | |
39 | 1 | Aymeric APLU | h3. [Serveur] Configurer sudo |
40 | 1 | Aymeric APLU | |
41 | 1 | Aymeric APLU | On édite le fichier sudoers avec les info suivantes, ceci sera utilisé dans la suite pour permettre la déclaration de l'IPv6 tunnel côté TTN pour que l'IPv6 puisse être routé. |
42 | 1 | Aymeric APLU | <pre> |
43 | 1 | Aymeric APLU | Cmnd_Alias IPVPN = /bin/ip neigh add *, /bin/ip neigh del *, /bin/ip neigh replace * |
44 | 1 | Aymeric APLU | nobody ALL = NOPASSWD: IPVPN |
45 | 1 | Aymeric APLU | </pre> |
46 | 1 | Aymeric APLU | |
47 | 1 | Aymeric APLU | TODO: Voir comment rendre ça un peu plus sécurisé |
48 | 1 | Aymeric APLU | |
49 | 1 | Aymeric APLU | h3. [Serveur] Configuration openvpn - creation certificat |
50 | 1 | Aymeric APLU | |
51 | 1 | Aymeric APLU | <pre> |
52 | 1 | Aymeric APLU | # cd /etc/openvpn |
53 | 1 | Aymeric APLU | # mkdir easy-rsa |
54 | 1 | Aymeric APLU | # cp -R /usr/share/easy-rsa/* easy-rsa/ |
55 | 1 | Aymeric APLU | </pre> |
56 | 1 | Aymeric APLU | |
57 | 1 | Aymeric APLU | Editer : /etc/openvpn/easy-rsa/vars pour renseigner les infos relatives à la clef. On peut aussi changer la taille des clefs. |
58 | 1 | Aymeric APLU | |
59 | 1 | Aymeric APLU | # cd easy-rsa/ |
60 | 1 | Aymeric APLU | # touch keys/index.txt |
61 | 1 | Aymeric APLU | # echo 01 > keys/serial |
62 | 1 | Aymeric APLU | # . ./vars # set environment variables |
63 | 1 | Aymeric APLU | # ./clean-all |
64 | 1 | Aymeric APLU | # ./build-ca |
65 | 1 | Aymeric APLU | # ./build-key-server server |
66 | 1 | Aymeric APLU | # ./build-dh # prends du temps (+15h si on choisi 8192, ~10 minutes pour 2048) |
67 | 1 | Aymeric APLU | |
68 | 1 | Aymeric APLU | |
69 | 1 | Aymeric APLU | h3. [Serveur] Configuration openvpn - openvpn |
70 | 1 | Aymeric APLU | |
71 | 1 | Aymeric APLU | Créer un fichier de configuration /etc/openvpn/myvpn.conf (on peut changer le nom) |
72 | 1 | Aymeric APLU | |
73 | 1 | Aymeric APLU | |
74 | 1 | Aymeric APLU | <pre> |
75 | 1 | Aymeric APLU | dev tun |
76 | 1 | Aymeric APLU | proto udp |
77 | 1 | Aymeric APLU | port 1194 |
78 | 1 | Aymeric APLU | |
79 | 1 | Aymeric APLU | ca /etc/openvpn/easy-rsa/keys/ca.crt # generated keys |
80 | 1 | Aymeric APLU | cert /etc/openvpn/easy-rsa/keys/server.crt |
81 | 1 | Aymeric APLU | key /etc/openvpn/easy-rsa/keys/server.key # keep secret |
82 | 1 | Aymeric APLU | dh /etc/openvpn/easy-rsa/keys/dh2048.pem |
83 | 1 | Aymeric APLU | |
84 | 1 | Aymeric APLU | user nobody |
85 | 1 | Aymeric APLU | group nogroup |
86 | 1 | Aymeric APLU | server 10.42.42.0 255.255.255.0 |
87 | 1 | Aymeric APLU | |
88 | 1 | Aymeric APLU | tun-ipv6 |
89 | 1 | Aymeric APLU | push tun-ipv6 |
90 | 1 | Aymeric APLU | |
91 | 1 | Aymeric APLU | push "route-ipv6 2000::/3" |
92 | 1 | Aymeric APLU | learn-address /etc/openvpn/learn-address |
93 | 1 | Aymeric APLU | |
94 | 1 | Aymeric APLU | # execution de script |
95 | 1 | Aymeric APLU | script-security 2 |
96 | 1 | Aymeric APLU | |
97 | 1 | Aymeric APLU | #mssfix |
98 | 1 | Aymeric APLU | #fragment 1300 |
99 | 1 | Aymeric APLU | |
100 | 1 | Aymeric APLU | persist-key |
101 | 1 | Aymeric APLU | persist-tun |
102 | 1 | Aymeric APLU | |
103 | 1 | Aymeric APLU | keepalive 10 100 |
104 | 1 | Aymeric APLU | |
105 | 1 | Aymeric APLU | status /var/log/openvpn-status.log |
106 | 1 | Aymeric APLU | log-append /var/log/openvpn |
107 | 1 | Aymeric APLU | verb 3 |
108 | 1 | Aymeric APLU | client-to-client |
109 | 1 | Aymeric APLU | |
110 | 1 | Aymeric APLU | push "redirect-gateway def1 bypass-dhcp" |
111 | 1 | Aymeric APLU | push "dhcp-option DNS 10.42.42.1" |
112 | 1 | Aymeric APLU | push "dhcp-option DNS 91.224.149.254" |
113 | 1 | Aymeric APLU | |
114 | 1 | Aymeric APLU | comp-lzo adaptive |
115 | 1 | Aymeric APLU | |
116 | 1 | Aymeric APLU | server-ipv6 2a01:6600:80XX:YY01::1/64 |
117 | 1 | Aymeric APLU | </pre> |
118 | 1 | Aymeric APLU | |
119 | 1 | Aymeric APLU | On adaptera XX:YY en fonction de l'IPv6 fourni par les administrateurs de TTN. |
120 | 1 | Aymeric APLU | |
121 | 1 | Aymeric APLU | |
122 | 2 | Aymeric APLU | h3. [serveur] Configuration openvpn - scripts |
123 | 2 | Aymeric APLU | |
124 | 1 | Aymeric APLU | Créer le script /etc/openvpn/learn-address avec le contenu suivant (penser à le rendre executable) : |
125 | 1 | Aymeric APLU | |
126 | 2 | Aymeric APLU | Ce script ajoute l'IPv6 du peer au proxy ndp, il fait l'équivalent du soft ndppd qui n'existe plus ou n'est pas maintenu (juin 2015) |
127 | 2 | Aymeric APLU | |
128 | 1 | Aymeric APLU | <pre> |
129 | 1 | Aymeric APLU | #!/bin/bash |
130 | 1 | Aymeric APLU | |
131 | 1 | Aymeric APLU | action="$1" |
132 | 1 | Aymeric APLU | addr="$2" |
133 | 1 | Aymeric APLU | grep -qE "^2a01:.*" <<< "$addr" |
134 | 1 | Aymeric APLU | if [ $? -eq 0 ] |
135 | 1 | Aymeric APLU | then |
136 | 1 | Aymeric APLU | case "$action" in |
137 | 1 | Aymeric APLU | add ) |
138 | 1 | Aymeric APLU | sudo /bin/ip neigh add proxy "$addr" dev eth0 |
139 | 1 | Aymeric APLU | ;; |
140 | 1 | Aymeric APLU | update ) |
141 | 1 | Aymeric APLU | sudo /bin/ip neigh replace proxy "$addr" dev eth0 |
142 | 1 | Aymeric APLU | ;; |
143 | 1 | Aymeric APLU | delete) |
144 | 1 | Aymeric APLU | sudo /bin/ip neigh del proxy "$addr" dev eth0 |
145 | 1 | Aymeric APLU | ;; |
146 | 1 | Aymeric APLU | esac |
147 | 1 | Aymeric APLU | fi |
148 | 1 | Aymeric APLU | </pre> |
149 | 1 | Aymeric APLU | |
150 | 1 | Aymeric APLU | TODO: S'assurer que $addr contient bien une IPv6.. le script est lancée en nobody les checks ne risque rien, le sudo moins. |
151 | 2 | Aymeric APLU | |
152 | 2 | Aymeric APLU | |
153 | 2 | Aymeric APLU | h3. [serveur/client] generer le certificat pour chaque client |
154 | 2 | Aymeric APLU | |
155 | 2 | Aymeric APLU | Si ce n'est pas déjà fait : |
156 | 2 | Aymeric APLU | |
157 | 2 | Aymeric APLU | <pre> |
158 | 2 | Aymeric APLU | # cd /etc/openvpn/easy-rsa/ |
159 | 2 | Aymeric APLU | # . ./vars # set environment variables |
160 | 2 | Aymeric APLU | </pre> |
161 | 2 | Aymeric APLU | |
162 | 2 | Aymeric APLU | Puis: |
163 | 2 | Aymeric APLU | |
164 | 2 | Aymeric APLU | <pre> |
165 | 2 | Aymeric APLU | # ./build-key clientname |
166 | 2 | Aymeric APLU | </pre> |
167 | 2 | Aymeric APLU | |
168 | 2 | Aymeric APLU | clientname correspond au nom du client, penser à signer le certificat une fois la génération fini. |
169 | 2 | Aymeric APLU | |
170 | 2 | Aymeric APLU | |
171 | 2 | Aymeric APLU | h3. [Client] Prerequis |
172 | 2 | Aymeric APLU | |
173 | 2 | Aymeric APLU | * openvpn |
174 | 2 | Aymeric APLU | * resolvconf |
175 | 2 | Aymeric APLU | |
176 | 2 | Aymeric APLU | h3. [Client] Configuration openvpn |
177 | 2 | Aymeric APLU | |
178 | 2 | Aymeric APLU | Créer le fichier de configuration /etc/openvpn/myvpn.conf avec le contenu suivant |
179 | 2 | Aymeric APLU | |
180 | 2 | Aymeric APLU | |
181 | 2 | Aymeric APLU | <pre> |
182 | 2 | Aymeric APLU | client |
183 | 2 | Aymeric APLU | dev tun |
184 | 2 | Aymeric APLU | port 1194 |
185 | 2 | Aymeric APLU | proto udp |
186 | 2 | Aymeric APLU | |
187 | 2 | Aymeric APLU | |
188 | 2 | Aymeric APLU | nobind |
189 | 2 | Aymeric APLU | |
190 | 2 | Aymeric APLU | ca /etc/openvpn/keys/ca.crt |
191 | 2 | Aymeric APLU | cert /etc/openvpn/keys/monclient.crt |
192 | 2 | Aymeric APLU | key /etc/openvpn/keys/monclient.key |
193 | 2 | Aymeric APLU | |
194 | 2 | Aymeric APLU | script-security 2 |
195 | 2 | Aymeric APLU | up /etc/openvpn/update-resolv-conf |
196 | 2 | Aymeric APLU | down /etc/openvpn/update-resolv-conf |
197 | 2 | Aymeric APLU | |
198 | 2 | Aymeric APLU | comp-lzo |
199 | 2 | Aymeric APLU | persist-key |
200 | 2 | Aymeric APLU | persist-tun |
201 | 2 | Aymeric APLU | remote 1.2.3.4 1194 |
202 | 2 | Aymeric APLU | </pre> |
203 | 2 | Aymeric APLU | |
204 | 2 | Aymeric APLU | Pensez à mettre votre IP à la place 1.2.3.4 |
205 | 2 | Aymeric APLU | |
206 | 2 | Aymeric APLU | |
207 | 2 | Aymeric APLU | Le script /etc/openvpn/update-resolv-conf est fourni par le paquet openvpn cependant pour éviter le DNSLeak j'ai effectué la modification suivante |
208 | 2 | Aymeric APLU | |
209 | 2 | Aymeric APLU | <pre> |
210 | 2 | Aymeric APLU | # diff update-resolv-conf.original update-resolv-conf |
211 | 2 | Aymeric APLU | 52a53 |
212 | 2 | Aymeric APLU | > /sbin/resolvconf -d original.resolvconf |
213 | 2 | Aymeric APLU | </pre> |
214 | 2 | Aymeric APLU | |
215 | 2 | Aymeric APLU | h3. [serveur/client] activer |
216 | 2 | Aymeric APLU | |
217 | 2 | Aymeric APLU | Avec systemd faire sur le serveur et sur le client |
218 | 2 | Aymeric APLU | |
219 | 2 | Aymeric APLU | # systemctl daemon-reload |
220 | 2 | Aymeric APLU | # service openvpn restart |
221 | 2 | Aymeric APLU | |
222 | 2 | Aymeric APLU | h3. Pour tester |
223 | 2 | Aymeric APLU | |
224 | 2 | Aymeric APLU | On peut faire un mtr/traceroute pour verifier que le chemin soit correct. |
225 | 2 | Aymeric APLU | Penser à verifier l'IPv6 et l'IPv4 puisque la config offre les deux. |
226 | 2 | Aymeric APLU | |
227 | 2 | Aymeric APLU | Dans la config j'utilise un resolver DNS local présent sur le serveur, ce dernier doit donc accepter de répondre aux requêtes du VPN, le deuxième resolver et celui de TTN. |
228 | 2 | Aymeric APLU | |
229 | 2 | Aymeric APLU | Sur le web on peut verifier que l'IPv4 et IPv6 fonctionnement bien en allant sur : http://test-ipv6.com |
230 | 2 | Aymeric APLU | |
231 | 2 | Aymeric APLU | On peut aussi verifier qu'on ne leak pas d'IP avec : http://ipleak.net |
232 | 2 | Aymeric APLU | |
233 | 2 | Aymeric APLU | h3. Debugger |
234 | 2 | Aymeric APLU | |
235 | 2 | Aymeric APLU | ping/mtr/traceroute |
236 | 2 | Aymeric APLU | |
237 | 2 | Aymeric APLU | A savoir, si un script échoue (par exemple learn-address) la session VPN est refusé. |
238 | 2 | Aymeric APLU | |
239 | 2 | Aymeric APLU | Si l'IPv4 fonctionne mais pas l'IPv6 verifier le proxy ndp. |