OpenVPN

Source : http://blog.nicolargo.com/2010/10/installation-dun-serveur-openvpn-sous-debianubuntu.html

Installation

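# Install OpenVPN and seed a working copy of the easy-rsa 2.0 PKI scripts.
sudo aptitude install openvpn
sudo mkdir -p /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
# Hand the whole PKI directory (it will later hold ca.key as well) to the
# current user so the key-generation scripts can run unprivileged.
# "$USER" is quoted so an empty or unusual value cannot be word-split.
sudo chown -R "$USER" /etc/openvpn/easy-rsa/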

Configuration

Variables d’environnement

# Edit the easy-rsa "vars" file; the exported values below become the default
# subject fields of every certificate produced by the scripts that follow.
vim /etc/openvpn/easy-rsa/vars
export KEY_COUNTRY="FR"
export KEY_PROVINCE="75"
export KEY_CITY="Paris"
export KEY_ORG="neolao.com"
export KEY_EMAIL="contact@neolao.com"
# NOTE(review): the same file also carries KEY_SIZE, which drives the RSA and
# Diffie-Hellman sizes (the dh1024.pem used later comes from it). Raising it
# also changes the dh file name referenced below — adjust both together.

Génération des clés

# Build the PKI. Run from the easy-rsa directory: the scripts and "vars"
# use relative paths.
cd /etc/openvpn/easy-rsa/
# Load the KEY_* settings into the current shell only; re-source in every
# new shell before calling the scripts.
source vars
# Destructive: wipes the keys/ directory before starting fresh.
./clean-all
# Diffie-Hellman parameters; the file name follows KEY_SIZE (dh1024.pem here).
./build-dh
# Create the CA (ca.crt / ca.key) ...
./pkitool --initca
# ... and a server certificate/key pair named "server".
./pkitool --server server
# Static tls-auth secret shared by server and clients (HMAC on the control
# channel, so unauthenticated packets are dropped before the TLS handshake).
openvpn --genkey --secret keys/ta.key

Copie des clés

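# Copy the server-side material next to server.conf, which references these
# files by relative name. ca.key stays behind in easy-rsa/keys: the running
# server never needs the CA private key.
sudo cp keys/ca.crt keys/ta.key keys/server.crt keys/server.key keys/dh1024.pem /etc/openvpn/
# cp without -p applies the umask to the new files; the private key and the
# shared tls-auth secret must not be readable by other local users. The
# daemon reads them at start-up, before the "user nobody" drop in server.conf.
sudo chmod 0600 /etc/openvpn/server.key /etc/openvpn/ta.key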

Création des répertoires utiles

# One empty directory as the chroot target of the daemon and one to hold the
# per-client bundles; a single mkdir creates both.
sudo mkdir /etc/openvpn/jail /etc/openvpn/clientconf

Config

# Create/edit the server configuration as root; its contents follow.
sudo vim /etc/openvpn/server.conf
# Serveur TCP/443
# Listen on TCP 443 (usually reachable through restrictive networks). The
# "server" directive below already implies server mode, so "mode server"
# is redundant but harmless.
mode server
proto tcp
port 443
dev tun

# Cles et certificats
# Relative names: resolved from the directory the daemon is started in
# (/etc/openvpn), where the copy step placed them.
ca ca.crt
cert server.crt
key server.key
# 1024-bit DH parameters (size set by KEY_SIZE in the easy-rsa vars); this is
# below current recommendations — regenerate with a larger KEY_SIZE and
# update the name here when possible.
dh dh1024.pem
# Direction 0 on the server; every client must use direction 1 with the
# same ta.key.
tls-auth ta.key 0
# Must match the "cipher" line of every client configuration.
cipher AES-256-CBC

# Reseau
server 10.8.0.0 255.255.255.0
# Route all client traffic through the tunnel; relies on ip_forward and the
# NAT rule configured further down.
push "redirect-gateway def1 bypass-dhcp"
# NOTE(review): 4.4.4.4 is an unusual choice next to 8.8.8.8 — confirm it was
# not meant to be 8.8.4.4.
push "dhcp-option DNS 4.4.4.4"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120

# Securite
# Drop root after start-up and confine the process to the jail directory.
# persist-key/persist-tun keep the key material and tun device across
# restarts, which is required once privileges are gone.
user nobody
group nogroup
chroot /etc/openvpn/jail
persist-key
persist-tun
# Compression of tunnelled traffic; must match the client. Compressing
# plaintext an outside party can influence has known side-channel issues —
# drop it if not required.
comp-lzo

# Log
verb 3
mute 20
# Relative path, like the key files above.
status openvpn-status.log
# ";" starts a comment in OpenVPN configs: file logging stays disabled until
# the leading ";" is removed after the test run.
; log-append /var/log/openvpn.log

Tester la configuration

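# Foreground test run. server.conf refers to ca.crt, server.key, ... by
# relative name, so the daemon must be started from /etc/openvpn — the shell
# is still in easy-rsa/ at this point of the walkthrough. Stop with Ctrl-C
# once it starts cleanly.
cd /etc/openvpn && sudo openvpn server.conf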

Si tout va bien, on peut retirer le dernier commentaire de /etc/openvpn/server.conf

Démarrer le VPN

# Start the daemon through the init script.
# NOTE(review): the Debian init script is expected to start every *.conf
# found in /etc/openvpn (server.conf here) — confirm on the host.
sudo /etc/init.d/openvpn start

Autoriser le routage

# Enable IPv4 forwarding immediately (the redirected client traffic has to be
# forwarded out of this host) ...
sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
# ... and make it survive a reboot by adding the line below to sysctl.conf.
sudo vim /etc/sysctl.conf
net.ipv4.ip_forward = 1

Configuration du NAT

# Masquerade the VPN subnet (matches "server 10.8.0.0 255.255.255.0") behind
# the outbound interface; eth0 is specific to this host. The rule is not
# persistent: re-add it at boot (e.g. iptables-save/iptables-restore).
# NOTE(review): if the FORWARD chain's policy is DROP, matching FORWARD rules
# are also needed — confirm on the host.
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Création d’un compte client

Génération des clés

# Issue a client certificate/key pair named "mon_pc", signed by the CA built
# earlier. vars is sourced again because its exports live only in the shell
# that sourced it; build-key prompts for the subject fields interactively.
cd /etc/openvpn/easy-rsa
source vars
./build-key mon_pc

Copie des clés

# Assemble the bundle to hand over to the client: the public CA cert, the
# shared tls-auth secret, and the client's own cert and private key (keys/
# is relative to easy-rsa, the current directory). ta.key and mon_pc.key are
# secrets: deliver the bundle over a protected channel and remove this copy
# once it is no longer needed on the server.
sudo mkdir /etc/openvpn/clientconf/mon_pc/
sudo cp /etc/openvpn/ca.crt /etc/openvpn/ta.key keys/mon_pc.crt keys/mon_pc.key /etc/openvpn/clientconf/mon_pc/

Configurer

# Write the client configuration inside the bundle directory so the relative
# file names below resolve on the client as well.
cd /etc/openvpn/clientconf/mon_pc/
vim client.conf
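# Client
client
dev tun
proto tcp-client
# Public name and port of the server (TCP 443, as configured server-side).
remote dev.neolao.com 443
resolv-retry infinite
# Must match the server's "cipher".
cipher AES-256-CBC

# Cles
ca ca.crt
cert mon_pc.crt
key mon_pc.key
# Direction 1 on the client, pairing with "tls-auth ta.key 0" on the server.
tls-auth ta.key 1
# Only accept a peer certificate carrying the server extensions that
# "pkitool --server" is expected to set. Without this, any certificate issued
# by the same CA (another client's, for instance) would be accepted as the
# server.
remote-cert-tls server

# Securite
nobind
persist-key
persist-tun
# Must match the server's comp-lzo setting.
comp-lzo
verb 3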
# Same content under the .ovpn extension that most OpenVPN GUI clients expect.
cp client.conf client.ovpn