OpenVPN » Historique » Version 40
Version 39 (Laurent GUERBY, 07/03/2016 21:39) → Version 40/48 (Skuld Skuld, 20/07/2017 20:15)
{{>toc}}
h1. OpenVPN
h2. Port sharing
Apache and nginx
http://www.davidwesterfield.net/2012/08/openvpn-sharing-a-tcp-port-with-ssl-on-nginx-and-apache-yeah-its-possible/
port-share 127.0.0.1 4443
http://www.greenie.net/ipv6/openvpn.html
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23
https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
h2. Certificats
Via mherrb : la page de man 'ssl(8)' d'OpenBSD explique bien comment faire un certificat auto-signé qui marchera pour OpenVPN:
http://www.openbsd.org/cgi-bin/man.cgi?query=ssl&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html
h2. Server
<pre>
# cat /etc/default/openvpn
...
AUTOSTART="ttnn-tap ttnn-tap6 ttnn-tap-tcp ttnn-tap-tcp6"
...
# cat /etc/openvpn/ttnn-tap.conf
dev tap0udp
port 11195
proto udp
ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key # This file should be kept secret
dh ttnn/dh1024.pem
mode server
tls-server
persist-key
persist-tun
client-config-dir ccd
client-to-client
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn-tap.log
status status/openvpn-tap.txt
# cat /etc/openvpn/ttnn-tap6.conf
dev tap6udp
port 11196
proto udp6
ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key # This file should be kept secret
dh ttnn/dh1024.pem
mode server
tls-server
persist-key
persist-tun
client-config-dir ccd
client-to-client
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn-tap6.log
status status/openvpn-tap6.txt
# cat /etc/openvpn/ttnn-tap-tcp.conf
dev tap0tcp
port 443
proto tcp-server
ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key # This file should be kept secret
dh ttnn/dh1024.pem
mode server
tls-server
persist-key
persist-tun
client-config-dir ccd
client-to-client
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn-tap-tcp.log
status status/openvpn-tap-tcp.txt
# keys generated with id ip-X-Y-Z-T, files:
# ip-91-224-149-165.crt
# ip-91-224-149-165.csr
# ip-91-224-149-165.key
# cat /etc/openvpn/ccd/ip-91-224-149-165
ifconfig-push 91.224.149.165 255.255.255.0
push "route-gateway 91.224.149.254"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
# bridge
brctl addbr br0
brctl addif br0 eth0
ip link set br0 up
ip link set br0 address 52:54:10:00:00:11 #force MAC to avoid MAC changes
openvpn --mktun --dev tap0udp
openvpn --mktun --dev tap0tcp
openvpn --mktun --dev tap6udp
brctl addif br0 tap0udp
ip link set tap0udp up
brctl addif br0 tap0tcp
ip link set tap0tcp up
brctl addif br0 tap6udp
ip link set tap6udp up
</pre>
Pour ignorer les push IP et route du serveur coté client openvpn il suffit de mettre "tls-client" a la place de "client" l'option --client est un raccourci pour --tls-client --pull et --pull est ce qui accepte les directives serveur.
h2. Client
<pre>
# cat /etc/openvpn/ttnn.conf
client
dev tap
### from outside with UDP available
#proto udp
#remote openvpn.tetaneutral.net 11195
### from outside with no UDP
proto tcp
remote openvpn.tetaneutral.net 443
# 91.224.149.211 443
# from outside using IPv6 over UDP
#proto udp6
#remote openvpn6.tetaneutral.net 11196
ca ttnn/ca.crt
cert ttnn/ip-91-224-149-165.crt
key ttnn/ip-91-224-149-165.key
persist-key
persist-tun
script-security 2
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn.log
</pre>
h2. point a point
Version tun :
<pre>
# Sur le serveur IPv4 publique A.B.C.D
openvpn --mktun --dev-type tun --dev tuntst
ip link set tuntst up
openvpn --dev-type tun --dev tuntst --proto udp --daemon --keepalive 10 120 --secret tst.key --port 1234
# Sur le client client
openvpn --mktun --dev-type tun --dev tuntst
ip link set tuntst up
openvpn --dev-type tun --dev tuntst --proto udp --daemon --keepalive 10 120 --secret tst.key --lport 0 --remote A.B.C.D 1234
</pre>
Pour le routage IPv6 et le NAT IPv4 sur le serveur :
<pre>
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
ip -6 route add 2a03:7220:808X:YZ01::1/128 dev tuntst
echo 1 > /proc/sys/net/ipv4/ip_forward
ip route add 10.10.10.10/32 dev tuntst
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
</pre>
Then on the client
<pre>
ip -6 addr add 2a03:7220:808X:YZ01::1/128 dev tuntst
ip -6 route add default tuntst
ip addr add 10.10.10.10/32 dev tuntst
# TODO default route
</pre>
h2. Point-à-point avec routage d'un bloc d'IP.
[[Partage ADSL OpenVPN]]
h2. Performances
[[Benchmark VPN]]
h2. Proxmox
http://www.nedproductions.biz/wiki/configuring-a-proxmox-ve-2.x-cluster-running-over-an-openvpn-intranet
http://blog.developpeur-neurasthenique.fr/auto-hebergement-configurer-un-cluster-proxmox-2-sans-multicast.html
h2. Links
* https://community.openvpn.net/openvpn/changeset/150fb45047c5482858b32a669de4097e66dec1c7 "Allow 'lport 0' setup for random port binding"
* https://vador.fdn.fr/wiki/travaux:vpn_misc:doc#configurer_sa_machine_pour_utiliser_l_offre_vpn_de_fdn
* https://wiki.ldn-fai.net/wiki/Tuto_Serveur_OpenVPN
h1. OpenVPN
h2. Port sharing
Apache and nginx
http://www.davidwesterfield.net/2012/08/openvpn-sharing-a-tcp-port-with-ssl-on-nginx-and-apache-yeah-its-possible/
port-share 127.0.0.1 4443
http://www.greenie.net/ipv6/openvpn.html
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23
https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
h2. Certificats
Via mherrb : la page de man 'ssl(8)' d'OpenBSD explique bien comment faire un certificat auto-signé qui marchera pour OpenVPN:
http://www.openbsd.org/cgi-bin/man.cgi?query=ssl&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html
h2. Server
<pre>
# cat /etc/default/openvpn
...
AUTOSTART="ttnn-tap ttnn-tap6 ttnn-tap-tcp ttnn-tap-tcp6"
...
# cat /etc/openvpn/ttnn-tap.conf
dev tap0udp
port 11195
proto udp
ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key # This file should be kept secret
dh ttnn/dh1024.pem
mode server
tls-server
persist-key
persist-tun
client-config-dir ccd
client-to-client
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn-tap.log
status status/openvpn-tap.txt
# cat /etc/openvpn/ttnn-tap6.conf
dev tap6udp
port 11196
proto udp6
ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key # This file should be kept secret
dh ttnn/dh1024.pem
mode server
tls-server
persist-key
persist-tun
client-config-dir ccd
client-to-client
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn-tap6.log
status status/openvpn-tap6.txt
# cat /etc/openvpn/ttnn-tap-tcp.conf
dev tap0tcp
port 443
proto tcp-server
ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key # This file should be kept secret
dh ttnn/dh1024.pem
mode server
tls-server
persist-key
persist-tun
client-config-dir ccd
client-to-client
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn-tap-tcp.log
status status/openvpn-tap-tcp.txt
# keys generated with id ip-X-Y-Z-T, files:
# ip-91-224-149-165.crt
# ip-91-224-149-165.csr
# ip-91-224-149-165.key
# cat /etc/openvpn/ccd/ip-91-224-149-165
ifconfig-push 91.224.149.165 255.255.255.0
push "route-gateway 91.224.149.254"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
# bridge
brctl addbr br0
brctl addif br0 eth0
ip link set br0 up
ip link set br0 address 52:54:10:00:00:11 #force MAC to avoid MAC changes
openvpn --mktun --dev tap0udp
openvpn --mktun --dev tap0tcp
openvpn --mktun --dev tap6udp
brctl addif br0 tap0udp
ip link set tap0udp up
brctl addif br0 tap0tcp
ip link set tap0tcp up
brctl addif br0 tap6udp
ip link set tap6udp up
</pre>
Pour ignorer les push IP et route du serveur coté client openvpn il suffit de mettre "tls-client" a la place de "client" l'option --client est un raccourci pour --tls-client --pull et --pull est ce qui accepte les directives serveur.
h2. Client
<pre>
# cat /etc/openvpn/ttnn.conf
client
dev tap
### from outside with UDP available
#proto udp
#remote openvpn.tetaneutral.net 11195
### from outside with no UDP
proto tcp
remote openvpn.tetaneutral.net 443
# 91.224.149.211 443
# from outside using IPv6 over UDP
#proto udp6
#remote openvpn6.tetaneutral.net 11196
ca ttnn/ca.crt
cert ttnn/ip-91-224-149-165.crt
key ttnn/ip-91-224-149-165.key
persist-key
persist-tun
script-security 2
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn.log
</pre>
h2. point a point
Version tun :
<pre>
# Sur le serveur IPv4 publique A.B.C.D
openvpn --mktun --dev-type tun --dev tuntst
ip link set tuntst up
openvpn --dev-type tun --dev tuntst --proto udp --daemon --keepalive 10 120 --secret tst.key --port 1234
# Sur le client client
openvpn --mktun --dev-type tun --dev tuntst
ip link set tuntst up
openvpn --dev-type tun --dev tuntst --proto udp --daemon --keepalive 10 120 --secret tst.key --lport 0 --remote A.B.C.D 1234
</pre>
Pour le routage IPv6 et le NAT IPv4 sur le serveur :
<pre>
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
ip -6 route add 2a03:7220:808X:YZ01::1/128 dev tuntst
echo 1 > /proc/sys/net/ipv4/ip_forward
ip route add 10.10.10.10/32 dev tuntst
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
</pre>
Then on the client
<pre>
ip -6 addr add 2a03:7220:808X:YZ01::1/128 dev tuntst
ip -6 route add default tuntst
ip addr add 10.10.10.10/32 dev tuntst
# TODO default route
</pre>
h2. Point-à-point avec routage d'un bloc d'IP.
[[Partage ADSL OpenVPN]]
h2. Performances
[[Benchmark VPN]]
h2. Proxmox
http://www.nedproductions.biz/wiki/configuring-a-proxmox-ve-2.x-cluster-running-over-an-openvpn-intranet
http://blog.developpeur-neurasthenique.fr/auto-hebergement-configurer-un-cluster-proxmox-2-sans-multicast.html
h2. Links
* https://community.openvpn.net/openvpn/changeset/150fb45047c5482858b32a669de4097e66dec1c7 "Allow 'lport 0' setup for random port binding"
* https://vador.fdn.fr/wiki/travaux:vpn_misc:doc#configurer_sa_machine_pour_utiliser_l_offre_vpn_de_fdn
* https://wiki.ldn-fai.net/wiki/Tuto_Serveur_OpenVPN