Version 8 (Jocelyn Dealande, 02/05/2012 00:41) → Version 9/48 (Laurent GUERBY, 02/06/2012 18:12)
{{>toc}}
h1. OpenVPN
h2. Point à point
<pre>
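# Static-key point-to-point tap tunnel (no PKI).
# Generate the shared key once and copy it to the peer over a trusted channel (scp, never mail):
# this file is the only thing authenticating both ends, keep it mode 0600.
openvpn --genkey --secret tst.key
#server
# Pre-create a persistent tap device so it can be configured before the daemon starts.
openvpn --mktun --dev-type tap --dev taptst
ip link set taptst up
# --dev must name the device created above. The original listing passed "tapstg" here, which
# would make openvpn open a second, unconfigured tap device and leave taptst unused.
# SECURITY: --cipher none disables encryption. With --secret the packets are still
# HMAC-authenticated by default, but everything inside the tunnel crosses the network in clear;
# drop --cipher none (or choose a cipher explicitly) for anything but a throughput test on a
# trusted link. --comp-lzo exposes attacker-influenced plaintext to compression side channels;
# leave it off unless the link really needs it.
openvpn --dev-type tap --dev taptst --comp-lzo yes --cipher none --proto udp --daemon --keepalive 10 30 --secret tst.key --port 1234
#client
openvpn --mktun --dev-type tap --dev taptst
ip link set taptst up
# Same options as the server side, except --remote instead of --port; the same caveats apply.
openvpn --dev-type tap --dev taptst --comp-lzo yes --cipher none --proto udp --daemon --keepalive 10 30 --secret tst.key --remote A.B.C.D 1234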
</pre>
h2. Server
<pre>
# Three bridged tap server instances (UDP/IPv4, UDP/IPv6, TCP/IPv4) sharing one PKI
# (ttnn/ca.crt, h1.crt, h1.key) and one client-config directory (ccd).
# NOTE(review): AUTOSTART also lists ttnn-tap-tcp6, but no ttnn-tap-tcp6.conf is shown here.
# cat /etc/default/openvpn
...
AUTOSTART="ttnn-tap ttnn-tap6 ttnn-tap-tcp ttnn-tap-tcp6"
...
# --- UDP over IPv4 instance ---
# cat /etc/openvpn/ttnn-tap.conf
dev tap0udp
port 11195
proto udp
ca ttnn/ca.crt
cert ttnn/h1.crt
# Server private key: root-only, mode 0600. persist-key (below) lets the daemon keep it
# across restarts if you also add "user nobody" / "group nogroup" to drop privileges.
key ttnn/h1.key # This file should be kept secret
# SECURITY: 1024-bit DH parameters are below current recommendations; regenerate them with
# 2048 bits or more (openssl dhparam -out <file> 2048) and point this line at the new file.
dh ttnn/dh1024.pem
mode server
tls-server
persist-key
persist-tun
# Per-client settings are looked up by certificate CN in ccd/<CN> (see the ccd example below).
client-config-dir ccd
# SECURITY: clients can reach each other directly, and because the tap devices are bridged
# onto eth0 (bridge section below) every authenticated client sits on the same L2 segment as
# the server's LAN. Any certificate signed by ttnn/ca.crt is accepted: there is no
# tls-auth/tls-crypt pre-shared key in front of the TLS handshake, no crl-verify for
# revocation, and no "remote-cert-tls client", so another host certificate from the same CA
# could also authenticate as a client. No cipher/auth is pinned either, so the daemon's
# built-in defaults apply; consider setting them explicitly.
client-to-client
# NOTE(review): compressing attacker-influenced plaintext enables compression side channels
# (VORACLE-style); prefer disabling compression unless the link really needs it.
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn-tap.log
status status/openvpn-tap.txt
# --- UDP over IPv6 instance: same PKI and options as ttnn-tap.conf, same caveats
# (1024-bit DH, no tls-auth/crl-verify, client-to-client on a bridged segment, compression).
# cat /etc/openvpn/ttnn-tap6.conf
dev tap6udp
port 11196
proto udp6
ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key # This file should be kept secret
dh ttnn/dh1024.pem
mode server
tls-server
persist-key
persist-tun
client-config-dir ccd
client-to-client
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn-tap6.log
status status/openvpn-tap6.txt
# --- TCP over IPv4 instance on 443 (passes most outbound firewalls). TCP-in-TCP tunnels
# degrade badly under loss; keep the UDP instances as the primary path. Same caveats as above.
# cat /etc/openvpn/ttnn-tap-tcp.conf
dev tap0tcp
port 443
proto tcp-server
ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key # This file should be kept secret
dh ttnn/dh1024.pem
mode server
tls-server
persist-key
persist-tun
client-config-dir ccd
client-to-client
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn-tap-tcp.log
status status/openvpn-tap-tcp.txt
# keys generated with id ip-X-Y-Z-T, files:
# ip-91-224-149-165.crt
# ip-91-224-149-165.csr
# ip-91-224-149-165.key
# The ccd file name must equal the client certificate's CN; the server applies it after the
# TLS handshake. In bridged tap mode ifconfig-push is only a suggestion: a client configured
# with tls-client instead of client does not pull, ignores it, and can still use any address
# on the segment. Do not treat the pushed IP as the client's identity; the CN is.
# cat /etc/openvpn/ccd/ip-91-224-149-165
ifconfig-push 91.224.149.165 255.255.255.0
push "route-gateway 91.224.149.254"
# def1 routes all client traffic through the VPN without replacing the client's default route;
# DNS is pointed at a third party (Google), which every client's queries will then reach.
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
# bridge
# All three tap devices and eth0 share br0: VPN clients get raw L2 access to the eth0 LAN
# (ARP, broadcasts, every host on it). Filter on br0 (ebtables/iptables) if that is not wanted.
brctl addbr br0
brctl addif br0 eth0
ip link set br0 up
ip link set br0 address 52:54:10:00:00:11 #force MAC to avoid MAC changes
# Persistent tap devices, created here so they can join the bridge before the daemons start;
# the "dev" lines in the configs above reference them by name.
openvpn --mktun --dev tap0udp
openvpn --mktun --dev tap0tcp
openvpn --mktun --dev tap6udp
brctl addif br0 tap0udp
ip link set tap0udp up
brctl addif br0 tap0tcp
ip link set tap0tcp up
brctl addif br0 tap6udp
ip link set tap6udp up
</pre>
Pour ignorer les IP et routes poussées par le serveur côté client OpenVPN, il suffit de mettre « tls-client » à la place de « client » :
l'option --client est un raccourci pour --tls-client --pull, et c'est --pull qui accepte les directives poussées par le serveur. Conséquence : le serveur ne peut pas imposer l'adresse d'un client ainsi configuré (voir la section ccd ci-dessus).
h2. Point-à-point avec routage d'un bloc d'IP.
[[Partage ADSL OpenVPN]]
h2. Proxmox
http://www.nedproductions.biz/wiki/configuring-a-proxmox-ve-2.x-cluster-running-over-an-openvpn-intranet
http://blog.developpeur-neurasthenique.fr/auto-hebergement-configurer-un-cluster-proxmox-2-sans-multicast.html
h1. OpenVPN
h2. Point à point
<pre>
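# Static-key point-to-point tap tunnel (no PKI).
# Generate the shared key once and copy it to the peer over a trusted channel (scp, never mail):
# this file is the only thing authenticating both ends, keep it mode 0600.
openvpn --genkey --secret tst.key
#server
# Pre-create a persistent tap device so it can be configured before the daemon starts.
openvpn --mktun --dev-type tap --dev taptst
ip link set taptst up
# --dev must name the device created above. The original listing passed "tapstg" here, which
# would make openvpn open a second, unconfigured tap device and leave taptst unused.
# SECURITY: --cipher none disables encryption. With --secret the packets are still
# HMAC-authenticated by default, but everything inside the tunnel crosses the network in clear;
# drop --cipher none (or choose a cipher explicitly) for anything but a throughput test on a
# trusted link. --comp-lzo exposes attacker-influenced plaintext to compression side channels;
# leave it off unless the link really needs it.
openvpn --dev-type tap --dev taptst --comp-lzo yes --cipher none --proto udp --daemon --keepalive 10 30 --secret tst.key --port 1234
#client
openvpn --mktun --dev-type tap --dev taptst
ip link set taptst up
# Same options as the server side, except --remote instead of --port; the same caveats apply.
openvpn --dev-type tap --dev taptst --comp-lzo yes --cipher none --proto udp --daemon --keepalive 10 30 --secret tst.key --remote A.B.C.D 1234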
</pre>
h2. Server
<pre>
# Three bridged tap server instances (UDP/IPv4, UDP/IPv6, TCP/IPv4) sharing one PKI
# (ttnn/ca.crt, h1.crt, h1.key) and one client-config directory (ccd).
# NOTE(review): AUTOSTART also lists ttnn-tap-tcp6, but no ttnn-tap-tcp6.conf is shown here.
# cat /etc/default/openvpn
...
AUTOSTART="ttnn-tap ttnn-tap6 ttnn-tap-tcp ttnn-tap-tcp6"
...
# --- UDP over IPv4 instance ---
# cat /etc/openvpn/ttnn-tap.conf
dev tap0udp
port 11195
proto udp
ca ttnn/ca.crt
cert ttnn/h1.crt
# Server private key: root-only, mode 0600. persist-key (below) lets the daemon keep it
# across restarts if you also add "user nobody" / "group nogroup" to drop privileges.
key ttnn/h1.key # This file should be kept secret
# SECURITY: 1024-bit DH parameters are below current recommendations; regenerate them with
# 2048 bits or more (openssl dhparam -out <file> 2048) and point this line at the new file.
dh ttnn/dh1024.pem
mode server
tls-server
persist-key
persist-tun
# Per-client settings are looked up by certificate CN in ccd/<CN> (see the ccd example below).
client-config-dir ccd
# SECURITY: clients can reach each other directly, and because the tap devices are bridged
# onto eth0 (bridge section below) every authenticated client sits on the same L2 segment as
# the server's LAN. Any certificate signed by ttnn/ca.crt is accepted: there is no
# tls-auth/tls-crypt pre-shared key in front of the TLS handshake, no crl-verify for
# revocation, and no "remote-cert-tls client", so another host certificate from the same CA
# could also authenticate as a client. No cipher/auth is pinned either, so the daemon's
# built-in defaults apply; consider setting them explicitly.
client-to-client
# NOTE(review): compressing attacker-influenced plaintext enables compression side channels
# (VORACLE-style); prefer disabling compression unless the link really needs it.
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn-tap.log
status status/openvpn-tap.txt
# --- UDP over IPv6 instance: same PKI and options as ttnn-tap.conf, same caveats
# (1024-bit DH, no tls-auth/crl-verify, client-to-client on a bridged segment, compression).
# cat /etc/openvpn/ttnn-tap6.conf
dev tap6udp
port 11196
proto udp6
ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key # This file should be kept secret
dh ttnn/dh1024.pem
mode server
tls-server
persist-key
persist-tun
client-config-dir ccd
client-to-client
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn-tap6.log
status status/openvpn-tap6.txt
# --- TCP over IPv4 instance on 443 (passes most outbound firewalls). TCP-in-TCP tunnels
# degrade badly under loss; keep the UDP instances as the primary path. Same caveats as above.
# cat /etc/openvpn/ttnn-tap-tcp.conf
dev tap0tcp
port 443
proto tcp-server
ca ttnn/ca.crt
cert ttnn/h1.crt
key ttnn/h1.key # This file should be kept secret
dh ttnn/dh1024.pem
mode server
tls-server
persist-key
persist-tun
client-config-dir ccd
client-to-client
comp-lzo yes
keepalive 10 60
verb 3
log-append log/openvpn-tap-tcp.log
status status/openvpn-tap-tcp.txt
# keys generated with id ip-X-Y-Z-T, files:
# ip-91-224-149-165.crt
# ip-91-224-149-165.csr
# ip-91-224-149-165.key
# The ccd file name must equal the client certificate's CN; the server applies it after the
# TLS handshake. In bridged tap mode ifconfig-push is only a suggestion: a client configured
# with tls-client instead of client does not pull, ignores it, and can still use any address
# on the segment. Do not treat the pushed IP as the client's identity; the CN is.
# cat /etc/openvpn/ccd/ip-91-224-149-165
ifconfig-push 91.224.149.165 255.255.255.0
push "route-gateway 91.224.149.254"
# def1 routes all client traffic through the VPN without replacing the client's default route;
# DNS is pointed at a third party (Google), which every client's queries will then reach.
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
# bridge
# All three tap devices and eth0 share br0: VPN clients get raw L2 access to the eth0 LAN
# (ARP, broadcasts, every host on it). Filter on br0 (ebtables/iptables) if that is not wanted.
brctl addbr br0
brctl addif br0 eth0
ip link set br0 up
ip link set br0 address 52:54:10:00:00:11 #force MAC to avoid MAC changes
# Persistent tap devices, created here so they can join the bridge before the daemons start;
# the "dev" lines in the configs above reference them by name.
openvpn --mktun --dev tap0udp
openvpn --mktun --dev tap0tcp
openvpn --mktun --dev tap6udp
brctl addif br0 tap0udp
ip link set tap0udp up
brctl addif br0 tap0tcp
ip link set tap0tcp up
brctl addif br0 tap6udp
ip link set tap6udp up
</pre>
Pour ignorer les IP et routes poussées par le serveur côté client OpenVPN, il suffit de mettre « tls-client » à la place de « client » :
l'option --client est un raccourci pour --tls-client --pull, et c'est --pull qui accepte les directives poussées par le serveur. Conséquence : le serveur ne peut pas imposer l'adresse d'un client ainsi configuré (voir la section ccd ci-dessus).
h2. Point-à-point avec routage d'un bloc d'IP.
[[Partage ADSL OpenVPN]]
h2. Proxmox
http://www.nedproductions.biz/wiki/configuring-a-proxmox-ve-2.x-cluster-running-over-an-openvpn-intranet
http://blog.developpeur-neurasthenique.fr/auto-hebergement-configurer-un-cluster-proxmox-2-sans-multicast.html