Projet

Général

Profil

OpenVPN

Port sharing

Apache and nginx
http://www.davidwesterfield.net/2012/08/openvpn-sharing-a-tcp-port-with-ssl-on-nginx-and-apache-yeah-its-possible/

port-share 127.0.0.1 4443

http://www.greenie.net/ipv6/openvpn.html
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23

https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux

Certificats

Via mherrb : la page de man 'ssl(8)' d'OpenBSD explique bien comment faire un certificat auto-signé qui marchera pour OpenVPN:
http://www.openbsd.org/cgi-bin/man.cgi?query=ssl&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

Server

# cat /etc/default/openvpn
...
AUTOSTART="ttnn-tap ttnn-tap6 ttnn-tap-tcp ttnn-tap-tcp6" 
...
# cat /etc/openvpn/ttnn-tap.conf 
dev tap0udp
port 11195
proto udp

ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key  # This file should be kept secret
dh ttnn/dh1024.pem

mode server
tls-server

persist-key
persist-tun

client-config-dir ccd

client-to-client
comp-lzo yes
keepalive 10 60

verb 3
log-append  log/openvpn-tap.log
status status/openvpn-tap.txt

# cat /etc/openvpn/ttnn-tap6.conf 
dev tap6udp
port 11196
proto udp6

ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key  # This file should be kept secret
dh ttnn/dh1024.pem

mode server
tls-server

persist-key
persist-tun

client-config-dir ccd

client-to-client
comp-lzo yes
keepalive 10 60

verb 3
log-append  log/openvpn-tap6.log
status status/openvpn-tap6.txt

# cat /etc/openvpn/ttnn-tap-tcp.conf 
dev tap0tcp
port 443
proto tcp-server

ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key  # This file should be kept secret
dh ttnn/dh1024.pem

mode server
tls-server

persist-key
persist-tun

client-config-dir ccd

client-to-client
comp-lzo yes
keepalive 10 60

verb 3
log-append  log/openvpn-tap-tcp.log
status status/openvpn-tap-tcp.txt

# keys generated with id ip-X-Y-Z-T, files:
# ip-91-224-149-165.crt
# ip-91-224-149-165.csr
# ip-91-224-149-165.key

# cat /etc/openvpn/ccd/ip-91-224-149-165
ifconfig-push 91.224.149.165 255.255.255.0
push "route-gateway 91.224.149.254" 
push "redirect-gateway def1" 
push "dhcp-option DNS 8.8.8.8" 

# bridge
brctl addbr br0
brctl addif br0 eth0
ip link set br0 up
ip link set br0 address 52:54:10:00:00:11 #force MAC to avoid MAC changes

openvpn --mktun --dev tap0udp
openvpn --mktun --dev tap0tcp
openvpn --mktun --dev tap6udp

brctl addif br0 tap0udp
ip link set tap0udp up

brctl addif br0 tap0tcp
ip link set tap0tcp up

brctl addif br0 tap6udp
ip link set tap6udp up

Pour ignorer les push IP et route du serveur coté client openvpn il suffit de mettre "tls-client" a la place de "client" l'option --client est un raccourci pour --tls-client --pull et --pull est ce qui accepte les directives serveur.

Client

# cat /etc/openvpn/ttnn.conf
client
dev tap

### from outside with UDP available
#proto udp
#remote openvpn.tetaneutral.net 11195

### from outside with no UDP
proto tcp
remote openvpn.tetaneutral.net 443
# 91.224.149.211 443

# from outside using IPv6 over UDP
#proto udp6
#remote openvpn6.tetaneutral.net 11196

ca ttnn/ca.crt
cert ttnn/ip-91-224-149-165.crt
key ttnn/ip-91-224-149-165.key

persist-key
persist-tun

script-security 2

comp-lzo yes
keepalive 10 60

verb 3
log-append log/openvpn.log

point a point

Version tun :

# Sur le serveur IPv4 publique A.B.C.D
openvpn --mktun --dev-type tun --dev tuntst
ip link set tuntst up
openvpn --dev-type tun --dev tuntst --proto udp --daemon --keepalive 10 120 --secret tst.key --port 1234

# Sur le client client
openvpn --mktun --dev-type tun --dev tuntst
ip link set tuntst up
openvpn --dev-type tun --dev tuntst --proto udp --daemon --keepalive 10 120 --secret tst.key --lport 0 --remote A.B.C.D 1234

Pour le routage IPv6 et le NAT IPv4 sur le serveur :

echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
ip -6 route add  2a03:7220:808X:YZ01::1/128 dev tuntst

echo 1 > /proc/sys/net/ipv4/ip_forward
ip route add 10.10.10.10/32 dev tuntst
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Then on the client

ip -6 addr add 2a03:7220:808X:YZ01::1/128 dev tuntst
ip -6 route add default tuntst
ip addr add 10.10.10.10/32 dev tuntst
# TODO default route

Point-à-point avec routage d'un bloc d'IP.

Partage ADSL OpenVPN

Performances

Benchmark VPN

Proxmox

http://www.nedproductions.biz/wiki/configuring-a-proxmox-ve-2.x-cluster-running-over-an-openvpn-intranet
http://blog.developpeur-neurasthenique.fr/auto-hebergement-configurer-un-cluster-proxmox-2-sans-multicast.html

Links