OpenVPN » History » Version 40
Skuld Skuld, 20/07/2017 20:15
OpenVPN
Port sharing
Apache and nginx
http://www.davidwesterfield.net/2012/08/openvpn-sharing-a-tcp-port-with-ssl-on-nginx-and-apache-yeah-its-possible/
port-share 127.0.0.1 4443
http://www.greenie.net/ipv6/openvpn.html
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23
https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
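As an added illustration of what port-share does on a shared TCP port such as 443 (example code written for this page, not OpenVPN's own implementation): an OpenVPN-over-TCP session opens with a 2-byte length prefix followed by a control packet whose first byte carries a client hard-reset opcode, and anything that does not look like that is handed to the port-share target. The function names, the simplified check and the sample byte strings are constructed for the demo.

```python
# Demo of the demultiplexing decision behind "port-share 127.0.0.1 4443".
# Simplified model (assumption): OpenVPN checks only the first bytes of the
# stream; a real deployment does this inside the openvpn process itself.

P_OPCODE_SHIFT = 3                    # opcode in the high 5 bits, key_id in the low 3
P_CONTROL_HARD_RESET_CLIENT_V2 = 7    # first packet of a TLS-mode client (0x38)
P_CONTROL_HARD_RESET_CLIENT_V3 = 10   # same, tls-crypt-v2 variant (0x50)
OPENVPN_RESET_OPCODES = {
    P_CONTROL_HARD_RESET_CLIENT_V2 << P_OPCODE_SHIFT,
    P_CONTROL_HARD_RESET_CLIENT_V3 << P_OPCODE_SHIFT,
}
PORT_SHARE_TARGET = ("127.0.0.1", 4443)   # value from the page's port-share line


def looks_like_openvpn(head: bytes) -> bool:
    """True if the first bytes of a TCP stream look like an OpenVPN client reset.

    OpenVPN over TCP prefixes every packet with a 2-byte big-endian length; a
    hard-reset packet carries an 8-byte session id plus packet-id/ACK fields,
    so a prefix shorter than 14 bytes cannot be one. Text protocols (HTTP) and
    TLS records never start with a 0x00 byte, which keeps the check cheap.
    """
    if len(head) < 3:
        return False  # not enough bytes to decide; a real proxy keeps reading
    length = int.from_bytes(head[:2], "big")
    return length >= 14 and head[2] in OPENVPN_RESET_OPCODES


def route_connection(head: bytes):
    """Return where the accepting side should send this stream."""
    if looks_like_openvpn(head):
        return ("openvpn", None)            # handled by OpenVPN itself
    return ("proxy", PORT_SHARE_TARGET)     # forwarded to the web server


# Constructed sample streams: an OpenVPN reset (length 42, opcode 0x38),
# a TLS record header starting a ClientHello, and a plain HTTP request.
OPENVPN_HELLO = b"\x00\x2a\x38" + b"\x00" * 42
TLS_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"
HTTP_HELLO = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

if __name__ == "__main__":
    for name, head in (("openvpn", OPENVPN_HELLO), ("tls", TLS_HELLO), ("http", HTTP_HELLO)):
        print(name, "->", route_connection(head))
```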
Certificates
Via mherrb: OpenBSD's 'ssl(8)' man page explains well how to make a self-signed certificate that will work for OpenVPN:
http://www.openbsd.org/cgi-bin/man.cgi?query=ssl&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html
Server
# cat /etc/default/openvpn
...
AUTOSTART="ttnn-tap ttnn-tap6 ttnn-tap-tcp ttnn-tap-tcp6"
...

# cat /etc/openvpn/ttnn-tap.conf
dev tap0udp
port 11195
proto udp
ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key  # This file should be kept secret
dh ttnn/dh1024.pem
mode server
tls-server
persist-key
persist-tun
client-config-dir ccd
client-to-client
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn-tap.log
status status/openvpn-tap.txt

# cat /etc/openvpn/ttnn-tap6.conf
dev tap6udp
port 11196
proto udp6
ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key  # This file should be kept secret
dh ttnn/dh1024.pem
mode server
tls-server
persist-key
persist-tun
client-config-dir ccd
client-to-client
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn-tap6.log
status status/openvpn-tap6.txt

# cat /etc/openvpn/ttnn-tap-tcp.conf
dev tap0tcp
port 443
proto tcp-server
ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key  # This file should be kept secret
dh ttnn/dh1024.pem
mode server
tls-server
persist-key
persist-tun
client-config-dir ccd
client-to-client
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn-tap-tcp.log
status status/openvpn-tap-tcp.txt

# keys generated with id ip-X-Y-Z-T, files:
# ip-91-224-149-165.crt
# ip-91-224-149-165.csr
# ip-91-224-149-165.key

# cat /etc/openvpn/ccd/ip-91-224-149-165
ifconfig-push 91.224.149.165 255.255.255.0
push "route-gateway 91.224.149.254"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"

# bridge
brctl addbr br0
brctl addif br0 eth0
ip link set br0 up
ip link set br0 address 52:54:10:00:00:11  # force MAC to avoid MAC changes
openvpn --mktun --dev tap0udp
openvpn --mktun --dev tap0tcp
openvpn --mktun --dev tap6udp
brctl addif br0 tap0udp
ip link set tap0udp up
brctl addif br0 tap0tcp
ip link set tap0tcp up
brctl addif br0 tap6udp
ip link set tap6udp up
To ignore the IP and route pushes from the server on the OpenVPN client side, it is enough to put "tls-client" in place of "client": the --client option is a shorthand for --tls-client --pull, and --pull is what accepts the server's directives.
Client
# cat /etc/openvpn/ttnn.conf
client
dev tap
### from outside with UDP available
#proto udp
#remote openvpn.tetaneutral.net 11195
### from outside with no UDP
proto tcp
remote openvpn.tetaneutral.net 443
# 91.224.149.211 443
# from outside using IPv6 over UDP
#proto udp6
#remote openvpn6.tetaneutral.net 11196
ca ttnn/ca.crt
cert ttnn/ip-91-224-149-165.crt
key ttnn/ip-91-224-149-165.key
persist-key
persist-tun
script-security 2
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn.log
Point-to-point
tun version:
# On the server, public IPv4 address A.B.C.D
openvpn --mktun --dev-type tun --dev tuntst
ip link set tuntst up
openvpn --dev-type tun --dev tuntst --proto udp --daemon --keepalive 10 120 --secret tst.key --port 1234

# On the client
openvpn --mktun --dev-type tun --dev tuntst
ip link set tuntst up
openvpn --dev-type tun --dev tuntst --proto udp --daemon --keepalive 10 120 --secret tst.key --lport 0 --remote A.B.C.D 1234
For IPv6 routing and IPv4 NAT on the server:
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
ip -6 route add 2a03:7220:808X:YZ01::1/128 dev tuntst
echo 1 > /proc/sys/net/ipv4/ip_forward
ip route add 10.10.10.10/32 dev tuntst
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Then on the client:
ip -6 addr add 2a03:7220:808X:YZ01::1/128 dev tuntst
ip -6 route add default dev tuntst
ip addr add 10.10.10.10/32 dev tuntst
# TODO default route
Point-to-point with routing of an IP block.
Performance
Proxmox
http://www.nedproductions.biz/wiki/configuring-a-proxmox-ve-2.x-cluster-running-over-an-openvpn-intranet
http://blog.developpeur-neurasthenique.fr/auto-hebergement-configurer-un-cluster-proxmox-2-sans-multicast.html