OpenVPN » Historique » Version 13
Version 12 (Laurent GUERBY, 18/08/2012 12:35) → Version 13/48 (Laurent GUERBY, 30/08/2012 09:19)
{{>toc}}
h1. OpenVPN
h2. H2. Port sharing
Apache and nginx
http://www.davidwesterfield.net/2012/08/openvpn-sharing-a-tcp-port-with-ssl-on-nginx-and-apache-yeah-its-possible/
port-share 127.0.0.1 4443
h2. Server
<pre>
# cat /etc/default/openvpn
...
AUTOSTART="ttnn-tap ttnn-tap6 ttnn-tap-tcp ttnn-tap-tcp6"
...
# cat /etc/openvpn/ttnn-tap.conf
dev tap0udp
port 11195
proto udp
ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key # This file should be kept secret
dh ttnn/dh1024.pem
mode server
tls-server
persist-key
persist-tun
client-config-dir ccd
client-to-client
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn-tap.log
status status/openvpn-tap.txt
# cat /etc/openvpn/ttnn-tap6.conf
dev tap6udp
port 11196
proto udp6
ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key # This file should be kept secret
dh ttnn/dh1024.pem
mode server
tls-server
persist-key
persist-tun
client-config-dir ccd
client-to-client
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn-tap6.log
status status/openvpn-tap6.txt
# cat /etc/openvpn/ttnn-tap-tcp.conf
dev tap0tcp
port 443
proto tcp-server
ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key # This file should be kept secret
dh ttnn/dh1024.pem
mode server
tls-server
persist-key
persist-tun
client-config-dir ccd
client-to-client
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn-tap-tcp.log
status status/openvpn-tap-tcp.txt
# keys generated with id ip-X-Y-Z-T, files:
# ip-91-224-149-165.crt
# ip-91-224-149-165.csr
# ip-91-224-149-165.key
# cat /etc/openvpn/ccd/ip-91-224-149-165
ifconfig-push 91.224.149.165 255.255.255.0
push "route-gateway 91.224.149.254"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
# bridge
brctl addbr br0
brctl addif br0 eth0
ip link set br0 up
ip link set br0 address 52:54:10:00:00:11 #force MAC to avoid MAC changes
openvpn --mktun --dev tap0udp
openvpn --mktun --dev tap0tcp
openvpn --mktun --dev tap6udp
brctl addif br0 tap0udp
ip link set tap0udp up
brctl addif br0 tap0tcp
ip link set tap0tcp up
brctl addif br0 tap6udp
ip link set tap6udp up
</pre>
Pour ignorer les push IP et route du serveur coté client openvpn il suffit de mettre "tls-client" a la place de "client" l'option --client est un raccourci pour --tls-client --pull et --pull est ce qui accepte les directives serveur.
h2. Client
<pre>
# cat /etc/openvpn/ttnn.conf
client
dev tap
### from outside with UDP available
#proto udp
#remote openvpn.tetaneutral.net 11195
### from outside with no UDP
proto tcp
remote openvpn.tetaneutral.net 443
# 91.224.149.211 443
# from outside using IPv6 over UDP
#proto udp6
#remote openvpn6.tetaneutral.net 11196
ca ttnn/ca.crt
cert ttnn/ip-91-224-149-165.crt
key ttnn/ip-91-224-149-165.key
persist-key
persist-tun
script-security 2
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn.log
</pre>
h2. point a point
<pre>
openvpn --genkey --secret tst.key
#server
openvpn --mktun --dev-type tap --dev taptst
ip link set taptst up
openvpn --dev-type tap --dev tapstg --comp-lzo yes --cipher none --proto udp --daemon --keepalive 10 30 --secret tst.key --port 1234
#client
openvpn --mktun --dev-type tap --dev taptst
ip link set taptst up
openvpn --dev-type tap --dev tapstg --comp-lzo yes --cipher none --proto udp --daemon --keepalive 10 30 --secret tst.key --remote A.B.C.D 1234
</pre>
h2. Point-Ã -point avec routage d'un bloc d'IP.
[[Partage ADSL OpenVPN]]
h2. Proxmox
http://www.nedproductions.biz/wiki/configuring-a-proxmox-ve-2.x-cluster-running-over-an-openvpn-intranet
http://blog.developpeur-neurasthenique.fr/auto-hebergement-configurer-un-cluster-proxmox-2-sans-multicast.html
h2. Links
https://community.openvpn.net/openvpn/changeset/150fb45047c5482858b32a669de4097e66dec1c7
"Allow 'lport 0' setup for random port binding"
https://vador.fdn.fr/wiki/travaux:vpn_misc:doc#configurer_sa_machine_pour_utiliser_l_offre_vpn_de_fdn
h1. OpenVPN
h2. H2. Port sharing
Apache and nginx
http://www.davidwesterfield.net/2012/08/openvpn-sharing-a-tcp-port-with-ssl-on-nginx-and-apache-yeah-its-possible/
port-share 127.0.0.1 4443
h2. Server
<pre>
# cat /etc/default/openvpn
...
AUTOSTART="ttnn-tap ttnn-tap6 ttnn-tap-tcp ttnn-tap-tcp6"
...
# cat /etc/openvpn/ttnn-tap.conf
dev tap0udp
port 11195
proto udp
ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key # This file should be kept secret
dh ttnn/dh1024.pem
mode server
tls-server
persist-key
persist-tun
client-config-dir ccd
client-to-client
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn-tap.log
status status/openvpn-tap.txt
# cat /etc/openvpn/ttnn-tap6.conf
dev tap6udp
port 11196
proto udp6
ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key # This file should be kept secret
dh ttnn/dh1024.pem
mode server
tls-server
persist-key
persist-tun
client-config-dir ccd
client-to-client
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn-tap6.log
status status/openvpn-tap6.txt
# cat /etc/openvpn/ttnn-tap-tcp.conf
dev tap0tcp
port 443
proto tcp-server
ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key # This file should be kept secret
dh ttnn/dh1024.pem
mode server
tls-server
persist-key
persist-tun
client-config-dir ccd
client-to-client
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn-tap-tcp.log
status status/openvpn-tap-tcp.txt
# keys generated with id ip-X-Y-Z-T, files:
# ip-91-224-149-165.crt
# ip-91-224-149-165.csr
# ip-91-224-149-165.key
# cat /etc/openvpn/ccd/ip-91-224-149-165
ifconfig-push 91.224.149.165 255.255.255.0
push "route-gateway 91.224.149.254"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
# bridge
brctl addbr br0
brctl addif br0 eth0
ip link set br0 up
ip link set br0 address 52:54:10:00:00:11 #force MAC to avoid MAC changes
openvpn --mktun --dev tap0udp
openvpn --mktun --dev tap0tcp
openvpn --mktun --dev tap6udp
brctl addif br0 tap0udp
ip link set tap0udp up
brctl addif br0 tap0tcp
ip link set tap0tcp up
brctl addif br0 tap6udp
ip link set tap6udp up
</pre>
Pour ignorer les push IP et route du serveur coté client openvpn il suffit de mettre "tls-client" a la place de "client" l'option --client est un raccourci pour --tls-client --pull et --pull est ce qui accepte les directives serveur.
h2. Client
<pre>
# cat /etc/openvpn/ttnn.conf
client
dev tap
### from outside with UDP available
#proto udp
#remote openvpn.tetaneutral.net 11195
### from outside with no UDP
proto tcp
remote openvpn.tetaneutral.net 443
# 91.224.149.211 443
# from outside using IPv6 over UDP
#proto udp6
#remote openvpn6.tetaneutral.net 11196
ca ttnn/ca.crt
cert ttnn/ip-91-224-149-165.crt
key ttnn/ip-91-224-149-165.key
persist-key
persist-tun
script-security 2
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn.log
</pre>
h2. point a point
<pre>
openvpn --genkey --secret tst.key
#server
openvpn --mktun --dev-type tap --dev taptst
ip link set taptst up
openvpn --dev-type tap --dev tapstg --comp-lzo yes --cipher none --proto udp --daemon --keepalive 10 30 --secret tst.key --port 1234
#client
openvpn --mktun --dev-type tap --dev taptst
ip link set taptst up
openvpn --dev-type tap --dev tapstg --comp-lzo yes --cipher none --proto udp --daemon --keepalive 10 30 --secret tst.key --remote A.B.C.D 1234
</pre>
h2. Point-Ã -point avec routage d'un bloc d'IP.
[[Partage ADSL OpenVPN]]
h2. Proxmox
http://www.nedproductions.biz/wiki/configuring-a-proxmox-ve-2.x-cluster-running-over-an-openvpn-intranet
http://blog.developpeur-neurasthenique.fr/auto-hebergement-configurer-un-cluster-proxmox-2-sans-multicast.html
h2. Links
https://community.openvpn.net/openvpn/changeset/150fb45047c5482858b32a669de4097e66dec1c7
"Allow 'lport 0' setup for random port binding"
https://vador.fdn.fr/wiki/travaux:vpn_misc:doc#configurer_sa_machine_pour_utiliser_l_offre_vpn_de_fdn