OpenVPN
(wiki page history, version 11/48; Laurent GUERBY, 14/07/2012 00:09)

Server
# cat /etc/default/openvpn
...
AUTOSTART="ttnn-tap ttnn-tap6 ttnn-tap-tcp ttnn-tap-tcp6"
...

# cat /etc/openvpn/ttnn-tap.conf
# instance 1: IPv4 over UDP, bridged through tap0udp
dev tap0udp
port 11195
proto udp
ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key  # This file should be kept secret
dh ttnn/dh1024.pem  # 1024-bit DH group: too small today, generate 2048 bits or more (openssl dhparam 2048)
mode server
tls-server
persist-key
persist-tun
client-config-dir ccd  # per-client settings, one file per certificate CN (see ccd/ below)
client-to-client
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn-tap.log
status status/openvpn-tap.txt

# cat /etc/openvpn/ttnn-tap6.conf
# instance 2: same server over IPv6 transport (UDP), bridged through tap6udp
dev tap6udp
port 11196
proto udp6
ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key  # This file should be kept secret
dh ttnn/dh1024.pem
mode server
tls-server
persist-key
persist-tun
client-config-dir ccd
client-to-client
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn-tap6.log
status status/openvpn-tap6.txt

# cat /etc/openvpn/ttnn-tap-tcp.conf
# instance 3: TCP on 443 for clients on networks that block UDP, bridged through tap0tcp
dev tap0tcp
port 443
proto tcp-server
ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key  # This file should be kept secret
dh ttnn/dh1024.pem
mode server
tls-server
persist-key
persist-tun
client-config-dir ccd
client-to-client
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn-tap-tcp.log
status status/openvpn-tap-tcp.txt

# keys generated with id ip-X-Y-Z-T, files:
# ip-91-224-149-165.crt
# ip-91-224-149-165.csr
# ip-91-224-149-165.key
# the ccd file name must equal the certificate CN, here ip-91-224-149-165
# cat /etc/openvpn/ccd/ip-91-224-149-165
ifconfig-push 91.224.149.165 255.255.255.0
push "route-gateway 91.224.149.254"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"

# bridge: the three persistent tap devices are created before openvpn starts
# and enslaved to br0 together with eth0
brctl addbr br0
brctl addif br0 eth0
ip link set br0 up
ip link set br0 address 52:54:10:00:00:11  # force the bridge MAC so it does not change as tap interfaces come and go
openvpn --mktun --dev tap0udp
openvpn --mktun --dev tap0tcp
openvpn --mktun --dev tap6udp
brctl addif br0 tap0udp
ip link set tap0udp up
brctl addif br0 tap0tcp
ip link set tap0tcp up
brctl addif br0 tap6udp
ip link set tap6udp up
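The ccd entry above is written by hand for one client. The following is an added example, not part of the wiki page, that derives the ccd file name from the client's address the way the page names its keys (ip-X-Y-Z-T) and refuses addresses that are outside the block, reserved, or already pushed by another entry. The /24, the gateway .254 and the DNS server are taken from the page's ccd file; the default directory /etc/openvpn/ccd and the duplicate and reserved-address checks are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the tetaneutral.net wiki): build the ccd entry for
# one client from its address, following the page's convention that the
# client certificate CN and the ccd file are both named ip-X-Y-Z-T.
# Assumptions taken from the page's ccd file: clients live in 91.224.149.0/24,
# the gateway is .254 and the pushed resolver is 8.8.8.8. The duplicate
# check and the reserved-address check are this example's additions.

NET_PREFIX="91.224.149"
NETMASK="255.255.255.0"
GATEWAY="91.224.149.254"
DNS="8.8.8.8"

# ccd_name IP -> the CN the client certificate must carry (ip-91-224-149-165)
ccd_name() {
    printf 'ip-%s\n' "$(printf '%s' "$1" | tr . -)"
}

# ccd_body IP -> the ccd file contents on stdout; non-zero if IP is unusable
ccd_body() {
    ip=$1
    case "$ip" in
        "$NET_PREFIX".*.*|*[!0-9.]*|*..*)
            echo "error: malformed address '$ip'" >&2; return 1 ;;
        "$NET_PREFIX".*) ;;
        *)  echo "error: $ip is outside $NET_PREFIX.0/24" >&2; return 1 ;;
    esac
    host=${ip##*.}
    # .0 is the network, .254 the gateway, .255 broadcast: never hand those out
    if [ -z "$host" ] || [ "$host" -lt 1 ] || [ "$host" -gt 253 ]; then
        echo "error: $ip is reserved (network, gateway or broadcast)" >&2; return 1
    fi
    printf 'ifconfig-push %s %s\n' "$ip" "$NETMASK"
    printf 'push "route-gateway %s"\n' "$GATEWAY"
    printf 'push "redirect-gateway def1"\n'
    printf 'push "dhcp-option DNS %s"\n' "$DNS"
}

# write_ccd IP [DIR] -> writes DIR/ip-X-Y-Z-T (DIR defaults to /etc/openvpn/ccd)
# and prints its path; refuses if an entry in DIR already pushes that address
write_ccd() {
    ip=$1
    dir=${2:-/etc/openvpn/ccd}
    body=$(ccd_body "$ip") || return 1
    if grep -qsF "ifconfig-push $ip " "$dir"/*; then
        echo "error: $ip is already pushed by an entry in $dir" >&2; return 1
    fi
    f="$dir/$(ccd_name "$ip")"
    printf '%s\n' "$body" > "$f"
    printf '%s\n' "$f"
}

# usage on the server, after issuing the certificate with CN ip-91-224-149-165:
#   write_ccd 91.224.149.165        -> /etc/openvpn/ccd/ip-91-224-149-165
```

OpenVPN reads the ccd file when the client connects, so a new entry needs no restart; the CN check is what ties the pushed address to one certificate, which is why the certificate must be issued with exactly the name ccd_name prints.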
To ignore the IP and route pushed by the server on the OpenVPN client side, replace "client" with "tls-client": the --client option is shorthand for --tls-client --pull, and --pull is what accepts the server's directives. To keep --pull but discard only the pushed routes, --route-nopull does that.
Client
# cat /etc/openvpn/ttnn.conf
client  # tls-client + pull: accepts the ifconfig, route and DNS pushed by the server's ccd entry
dev tap
### from outside with UDP available
#proto udp
#remote openvpn.tetaneutral.net 11195
### from outside with no UDP
proto tcp
remote openvpn.tetaneutral.net 443
# 91.224.149.211 443
### from outside using IPv6 over UDP
#proto udp6
#remote openvpn6.tetaneutral.net 11196
ca ttnn/ca.crt
cert ttnn/ip-91-224-149-165.crt
key ttnn/ip-91-224-149-165.key
# not in this config: 'remote-cert-tls server' (or the older 'ns-cert-type server'),
# which stops another client certificate issued by the same CA from posing as the server
persist-key
persist-tun
script-security 2  # needed only if up/down scripts are configured (none in this file)
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn.log
Point-to-point
openvpn --genkey --secret tst.key  # OpenVPN 2.5 and later spell this: openvpn --genkey secret tst.key
# server
openvpn --mktun --dev-type tap --dev taptst
ip link set taptst up
openvpn --dev-type tap --dev taptst --comp-lzo yes --cipher none --proto udp --daemon --keepalive 10 30 --secret tst.key --port 1234
# client
openvpn --mktun --dev-type tap --dev taptst
ip link set taptst up
openvpn --dev-type tap --dev taptst --comp-lzo yes --cipher none --proto udp --daemon --keepalive 10 30 --secret tst.key --remote A.B.C.D 1234
# --dev must name the device created with --mktun above (taptst on both sides)
# --cipher none turns encryption off: the static key then only authenticates packets (HMAC), the payload travels in clear
# tst.key must be copied to the client over a secure channel; a static key serves exactly one link
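The three configurations on this page (server, client, point-to-point) share a few settings a reviewer would flag: a 1024-bit DH group, compression, a client that does not pin the server's certificate role, script-security 2, no privilege drop, and cipher none in the static-key setup. The following script is an added example, not the page's or OpenVPN's own code, that checks a config file for those points and works on any OpenVPN config file. The sample configs it audits are constructed inline after the page's examples; the thresholds and the wording of the findings are this example's choices.

```shell
#!/bin/sh
# Added example, not the wiki page's own: audit an OpenVPN config for the
# weak spots a reviewer would raise on the configs above (cipher none,
# 1024-bit DH, client without remote-cert-tls, compression, script hooks,
# no privilege drop). Inline "#" comments are stripped and the first
# occurrence of a directive wins. The sample configs are constructed here
# after the page's server, client and point-to-point examples.

# conf_has FILE DIRECTIVE -> true when the directive appears
conf_has() {
    sed -e 's/[[:space:]]*#.*$//' "$1" |
        awk -v d="$2" '$1 == d { f = 1; exit } END { exit !f }'
}

# conf_get FILE DIRECTIVE -> arguments of the first occurrence, "" if none
conf_get() {
    sed -e 's/[[:space:]]*#.*$//' "$1" |
        awk -v d="$2" '$1 == d { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# audit_conf FILE -> one finding per line, or "ok"; always returns 0
audit_conf() {
    f=$1; n=0
    report() { n=$((n + 1)); printf '%s\n' "$1"; }
    [ "$(conf_get "$f" cipher)" = none ] &&
        report "cipher none: packets are HMAC-authenticated, payload is cleartext"
    case "$(conf_get "$f" dh)" in
        *dh512*|*dh768*|*dh1024*)
            report "dh: group below 2048 bits, regenerate with 'openssl dhparam -out dh2048.pem 2048'" ;;
    esac
    if conf_has "$f" client || conf_has "$f" tls-client; then
        # without this, any certificate from the same CA can pose as the server
        conf_has "$f" remote-cert-tls || conf_has "$f" ns-cert-type ||
            report "client without 'remote-cert-tls server': another client's certificate could impersonate the server"
    fi
    conf_has "$f" comp-lzo &&
        report "comp-lzo: compressing attacker-influenced plaintext leaks information; disable it"
    ss=$(conf_get "$f" script-security)
    [ -n "$ss" ] && [ "$ss" -ge 2 ] &&
        report "script-security $ss: up/down scripts run with the daemon's privileges; drop it if unused"
    conf_has "$f" user ||
        report "no 'user'/'group': daemon keeps its start-up privileges (persist-key/persist-tun make the drop possible)"
    [ "$n" -eq 0 ] && echo ok
    return 0
}

# write_samples DIR -> constructed configs modelled on the page's examples
write_samples() {
    cat > "$1/server.conf" <<'EOF'
dev tap0udp
proto udp
ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key  # This file should be kept secret
dh ttnn/dh1024.pem
mode server
tls-server
persist-key
persist-tun
comp-lzo yes
EOF
    cat > "$1/client.conf" <<'EOF'
client
dev tap
proto tcp
remote openvpn.tetaneutral.net 443
ca ttnn/ca.crt
cert ttnn/ip-91-224-149-165.crt
key ttnn/ip-91-224-149-165.key
script-security 2
comp-lzo yes
EOF
    # the point-to-point command line written as a config file (options minus "--")
    cat > "$1/p2p.conf" <<'EOF'
dev taptst
cipher none
comp-lzo yes
secret tst.key
port 1234
EOF
}

# demo: audit the three constructed configs
d=$(mktemp -d)
write_samples "$d"
for c in server client p2p; do
    printf '== %s.conf\n' "$c"
    audit_conf "$d/$c.conf"
done
rm -rf "$d"
```

Run it as is to audit the samples, or call audit_conf /etc/openvpn/ttnn-tap.conf on a real file. Command-line setups like the point-to-point one are audited by writing the options into a file without the leading "--", as the p2p sample does, since config directives and command-line options are the same names.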
Point-to-point with routing of an IP block.
Proxmox
http://www.nedproductions.biz/wiki/configuring-a-proxmox-ve-2.x-cluster-running-over-an-openvpn-intranet
http://blog.developpeur-neurasthenique.fr/auto-hebergement-configurer-un-cluster-proxmox-2-sans-multicast.html
Links
https://community.openvpn.net/openvpn/changeset/150fb45047c5482858b32a669de4097e66dec1c7
"Allow 'lport 0' setup for random port binding"