Configurer son serveur et ses clients vpn sous mageia



Documentation en cours de rédaction en cours de rédaction !!



Présentation




Ce tutoriel a été réalisé par le biais d'un POC comprenant deux machines virtuelles sous mageia 6.

Le serveur openvpn nommé "serveurmga", connecté sur un réseau local avec l'adresse ip : 192.168.1.15

Une machine cliente nommée "clientmga" connectée au même réseau local avec l'adresse ip : 192.168.1.1.16

Clientmga établira une connexion réseau en 10.8.0.0/24 sur le serveur vpn serveurmga. Ce dernier sera configuré pour être une passerelle vers internet et proposera par défaut les DNS d'opendns.

Dans un premier temps, on désactivera le pare-feu des différentes machines via le Mageia Control Center pour s'assurer qu'il ne perturbe pas le fonctionnement de la solution.

Installation et configuration du serveur




Installation d'openvpn

Code BASH : 
urpmi openvpn


Copie du répertoire easy-rsa

Code BASH : 
cp -r /usr/share/openvpn/easy-rsa/ /etc/openvpn/easy-rsa


On édite le fichier /etc/openvpn/easy-rsa/vars

Code BASH : 
cd /etc/openvpn/easy-rsa
nano vars


On modifie /etc/openvpn/easy-rsa/vars

Code TEXT : 
export EASY_RSA="`pwd`"


Pour avoir

Code TEXT : 
export EASY_RSA="/etc/openvpn/easy-rsa"


Puis on modifie /etc/openvpn/easy-rsa/vars

Code BASH : 
export KEY_SIZE=1024


Pour avoir

Code BASH : 
export KEY_SIZE=2048




Génération des certificats de l'autorité de certification : ca.crt et ca.key


Code BASH : 
cd /etc/openvpn/easy-rsa


On prends en compte la nouvelle configuration

Code BASH : 
[root@localhost easy-rsa]# source ./vars 
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys


On supprime par sécurité les anciens certificats générés sous /etc/openvpn/easy-rsa/keys

Code BASH : 
[root@localhost easy-rsa]# ./clean-all


On génère les certificats de l'autorité de certification

Code BASH : 
root@localhost easy-rsa]# ./build-ca


Code BASH : 
Generating a 2048 bit RSA private key 
....................+++ 
................+++ 
writing new private key to 'ca.key' 
----- 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [US]:FR 
State or Province Name (full name) [CA]:FRANCE 
Locality Name (eg, city) [SanFrancisco]:Bordeaux 
Organization Name (eg, company) [Fort-Funston]:vouf.fr 
Organizational Unit Name (eg, section) [changeme]: 
Common Name (eg, your name or your server's hostname) [changeme]:serveurmga 
Name [changeme]:vouf 
Email Address [mail@host.domain]:


Génération des clés serveurs : : serveurmga.csr, serveurmga.key, serveurmga.crt




Code BASH : 
[root@localhost easy-rsa]# ./build-key-server serveurmga


Code BASH : 
Generating a 2048 bit RSA private key 
.......................................+++ 
................................................................+++ 
writing new private key to 'serveurmga.key' 
----- 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [US]:FR 
State or Province Name (full name) [CA]:FRANCE 
Locality Name (eg, city) [SanFrancisco]:Bordeaux 
Organization Name (eg, company) [Fort-Funston]:vouf.fr 
Organizational Unit Name (eg, section) [changeme]: 
Common Name (eg, your name or your server's hostname) [serveurmga]:serveurmga 
Name [changeme]:vouf 
Email Address [mail@host.domain]: 
Please enter the following 'extra' attributes 
to be sent with your certificate request 
A challenge password []: On ne saisi pas de mot de passe
An optional company name []: 
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf 
Check that the request matches the signature 
Signature ok 
The Subject's Distinguished Name is as follows 
countryName           :PRINTABLE:'FR' 
stateOrProvinceName   :PRINTABLE:'FRANCE' 
localityName          :PRINTABLE:'Bordeaux' 
organizationName      :PRINTABLE:'vouf.fr' 
organizationalUnitName:PRINTABLE:'changeme' 
commonName            :PRINTABLE:'serveurmga' 
name                  :PRINTABLE:'vouf' 
emailAddress          :IA5STRING:'mail@host.domain' 
Certificate is to be certified until Jun  1 13:06:57 2027 GMT (3650 days) 
Sign the certificate? [y/n]:y 
1 out of 1 certificate requests certified, commit? [y/n]y 
Write out database with 1 new entries 
Data Base Updated


Au niveau du challenge password, il est inutile de renseigner un mot de passe.

Création des certificats des clients et du fichier clientmga.3des.key




Génération des certificats pour "un client openvpn"

Code BASH : 
[root@localhost easy-rsa]# ./build-key-pass clientmga


Un mot de passe est demandé pour la création du certificat "PEM pass phrase" . En revanche, il est inutile de renseigner un challenge password.

Code BASH : 
Generating a 2048 bit RSA private key 
.........................+++ 
.......+++ 
writing new private key to 'clientmga.key' 
Enter PEM pass phrase: 
Verifying - Enter PEM pass phrase: 
----- 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [US]:FR 
State or Province Name (full name) [CA]:FRANCE 
Locality Name (eg, city) [SanFrancisco]:Bordeaux 
Organization Name (eg, company) [Fort-Funston]:vouf.fr 
Organizational Unit Name (eg, section) [changeme]: 
Common Name (eg, your name or your server's hostname) [clientmga]: 
Name [changeme]:vouf 
Email Address [mail@host.domain]: 
Please enter the following 'extra' attributes 
to be sent with your certificate request 
A challenge password []: 
An optional company name []: 
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf 
Check that the request matches the signature 
Signature ok 
The Subject's Distinguished Name is as follows 
countryName           :PRINTABLE:'FR' 
stateOrProvinceName   :PRINTABLE:'FRANCE' 
localityName          :PRINTABLE:'Bordeaux' 
organizationName      :PRINTABLE:'vouf.fr' 
organizationalUnitName:PRINTABLE:'changeme' 
commonName            :PRINTABLE:'clientmga' 
name                  :PRINTABLE:'vouf' 
emailAddress          :IA5STRING:'mail@host.domain' 
Certificate is to be certified until Jun  1 13:10:54 2027 GMT (3650 days) 
Sign the certificate? [y/n]:y 
1 out of 1 certificate requests certified, commit? [y/n]y 
Write out database with 1 new entries 
Data Base Updated
 


Code BASH : 
 
cd keys


On encrypte la clé du client avec l’algorithme 3DES

Code BASH : 
[root@localhost keys]# openssl rsa -in clientmga.key -des3 -out clientmga.3des.key


Un mot de passe est demandé...

Code BASH : 
Enter pass phrase for clientmga.key: 
writing RSA key 
Enter PEM pass phrase: 
Verifying - Enter PEM pass phrase:


Sécurisation des échanges de clés




Code BASH : 
 
[root@localhost keys]# cd /etc/openvpn/easy-rsa


Code BASH : 
[root@localhost easy-rsa]#  ./build-dh


Code BASH : 
Generating DH parameters, 2048 bit long safe prime, generator 2 
This is going to take a long time 
................................................................................................................+............................................................................................................................
....................+........+...............................................................+.............+.................................................................................................................................
........................+....................................................+............................................................+..................................................+........+......................................
................................................................................................................................................................................................................................+............
.....+...............................................................................+........................................................+..............................................................................................
...............................................................+..........................................+..............................................................+...................................................................
....................................................................................................................+....................................................+..............++*++*


Code BASH : 
openvpn --genkey --secret keys/ta.key


On créé le fichier de configuration du client /etc/openvpn/easy-rsa/keys/Default.txt

Code BASH : 
cd /etc/openvpn/easy-rsa/keys
nano Default.txt


Dans le fichier Default.txt

Code TEXT : 
client
dev tun
proto udp # Protocol udp
remote serveurmga 1194 # on peut mettre l'ip du serveur vpn, ou le nom de domaine. On retrouve le port 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-256-CBC
compress lz4-v2 #Active la compression
verb 1
mute 20
script-security 2
up /etc/openvpn/update-resolv-conf #Script permettant de mettre à jour les DNS du client à la connexion
down /etc/openvpn/update-resolv-conf #A la deconnexion, le client retrouve son DNS de départ
 




On génère un fichier clientmga.ovpn qui aura à l'avantage de regrouper la configuration du client, l'autorité de certification et la clé

Télécharger MakeOpenVPN.sh et le copier sous /etc/openvpn/easy-rsa/keys

Code BASH : 
[root@localhost keys]# bash MakeOpenVPN.sh


Code BASH : 
Entrez le nom d'un client existant :
clientmga
Clé publique trouvée : clientmga
Clé privée trouvée : clientmga.3des.key
Clé publique CA trouvée : ca.crt
Clé privée tls-auth trouvée : ta.key
Terminé ! clientmga.ovpn généré avec succès.




Fichier de configuration du serveur openvpn




Fichier de configuration du serveur /etc/openvpn/server.conf

Code TEXT : 
local 192.168.1.15 # adresse IP locale de votre serveur 
dev tun # type de VPN, tun (tunnel IP) ou tap (tunnel Ethernet/bridge)
proto udp # protocole à utiliser : tcp ou udp, généralement udp
port 1194 # le port par défaut pour OpenVPN, à ajuster au besoin
ca /etc/openvpn/easy-rsa/keys/ca.crt # clé publique de l’autorité de certification 
cert /etc/openvpn/easy-rsa/keys/serveurmga.crt # Clé publique du serveur
key /etc/openvpn/easy-rsa/keys/serveurmga.key # Clé privée du serveur
dh /etc/openvpn/easy-rsa/keys/dh2048.pem # si vous êtes restés sur du 2024 bits
server 10.8.0.0 255.255.255.0 #le réseau au sein duquel vous allez attribuer des IP. Les clients auront une ip en 10.8.0x
push "redirect-gateway def1 bypass-dhcp" # Permet au serveur de se comporter comme une passerelle.
#push "dhcp-option DNS 10.8.0.1" # votre serveur DNS primaire (votre routeur, souvent)
push "dhcp-option DNS 208.67.222.222" # votre serveur DNS primaire OpenDNS
push "dhcp-option DNS 208.67.220.220" # votre serveur DNS primaire OpenDNS
# vous pouvez aussi utiliser le DNS Google 8.8.8.8 ou OpenDNS 208.67.222.222
# pour le reste, a priori pas de raisons d'y toucher à moins de savoir ce que vous faites !
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-256-CBC
compress lz4-v2 #Active la compression
push "compress lz4-v2"
user openvpn
group openvpn
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 3


Code BASH : 
 nano /etc/sysctl.conf


Ajouter à la fin du fichier /etc/sysctl.conf

Code TEXT : 
net.ipv4.ip_forward = 1


Prise en compte de la configuration

Code BASH : 
sysctl -p


Commande à jouer à chaque redémarrage du serveur. Voir comment l’exécuter automatiquement à chaque reboot.

Code BASH : 
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp0s3 -j MASQUERADE
 


Attention au nom de la carte. Ici il s'agit de la carte ethernet enp0s3. Cela peut varier en fonction du matériel. Si vous avez une astuce pour que cette commande soit lancée automatiquement au démarrage !!

Création du service openvpn pour démarrer le serveur

Code BASH : 
[root@localhost etc]# systemctl enable openvpn@server.service


Résultat de la commande pour créer le service openvpn via systemctl

Code BASH : 
Created symlink /etc/systemd/system/openvpn.target.wants/openvpn@server.service → /usr/lib/systemd/system/openvpn@.service.


Démarrage du serveur openvpn

Code BASH : 
systemctl start openvpn@server.service


On remarque la création de l'interface tun0 sur le serveur

Code BASH : 
[root@localhost keys]# ifconfig -a
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.15  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 2a01:cb19:1a2:5200:a00:27ff:fe00:b346  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::a00:27ff:fe00:b346  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:00:b3:46  txqueuelen 1000  (Ethernet)
        RX packets 194036  bytes 138807516 (132.3 MiB)
        RX errors 0  dropped 2  overruns 0  frame 0
        TX packets 191523  bytes 135687027 (129.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Boucle locale)
        RX packets 34  bytes 4214 (4.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 34  bytes 4214 (4.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
        inet6 fe80::3a19:dbb5:604e:afb8  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 79307  bytes 22061882 (21.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 110498  bytes 105230363 (100.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


Code BASH : 
[root@localhost log]# cat /var/log/openvpn-status.log
OpenVPN CLIENT LIST
Updated,Sat Jun  3 18:42:26 2017
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
GLOBAL STATS
Max bcast/mcast queue length,0
END


Code BASH : 
[root@localhost log]# cat /var/log/openvpn.log
Sat Jun  3 18:41:39 2017 OpenVPN 2.4.0 x86_64-mageia-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 14 2017
Sat Jun  3 18:41:39 2017 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.09
Sat Jun  3 18:41:39 2017 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Sat Jun  3 18:41:39 2017 Diffie-Hellman initialized with 2048 bit key
Sat Jun  3 18:41:39 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jun  3 18:41:39 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jun  3 18:41:39 2017 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:00:b3:46
Sat Jun  3 18:41:39 2017 TUN/TAP device tun0 opened
Sat Jun  3 18:41:39 2017 TUN/TAP TX queue length set to 100
Sat Jun  3 18:41:39 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Jun  3 18:41:39 2017 /usr/sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Sat Jun  3 18:41:39 2017 /usr/sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Sat Jun  3 18:41:39 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Jun  3 18:41:39 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Jun  3 18:41:39 2017 UDPv4 link local (bound): [AF_INET]192.168.1.15:1194
Sat Jun  3 18:41:39 2017 UDPv4 link remote: [AF_UNSPEC]
Sat Jun  3 18:41:39 2017 GID set to nogroup
Sat Jun  3 18:41:39 2017 UID set to nobody
Sat Jun  3 18:41:39 2017 MULTI: multi_init called, r=256 v=256
Sat Jun  3 18:41:39 2017 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Sat Jun  3 18:41:39 2017 Initialization Sequence Completed


Configuration du pare feu sur le serveur




screenshot_20170611_144811

screenshot_20170611_145007

screenshot_20170611_150220

Sur le poste client en mode commande


On se connecter root

On installe openvpn

Code BASH : 
urpmi openvpn


On copie le fichier clientmga.ovpn sous /etc/openvpn/

On créé un fichier /etc/openvpn/update-resolv-conf qui contiendra :

Code BASH : 
#!/usr/bin/env bash
#
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood <jdthood@yahoo.co.uk>
# and Chris Hanson
# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL.
# 07/2013 colin@daedrum.net Fixed intet name
# 05/2006 chlauber@bnc.ch
# 09/2017 Adapté par vouf pour Mageia
#
# Example envs set from openvpn:
# foreign_option_1='dhcp-option DNS 193.43.27.132'
# foreign_option_2='dhcp-option DNS 193.43.27.133'
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
# foreign_option_4='dhcp-option DOMAIN-SEARCH bnc.local'
 
## The 'type' builtins will look for file in $PATH variable, so we set the
## PATH below. You might need to directly set the path to 'resolvconf'
## manually if it still doesn't work, i.e.
## RESOLVCONF=/usr/sbin/resolvconf
##
export PATH=$PATH:/sbin:/usr/sbin:/bin:/usr/bin
RESOLVCONF=$(type -p resolvconf)
 
case $script_type in
 
up)
  for optionname in ${!foreign_option_*} ; do
    option="${!optionname}"
    echo $option
    part1=$(echo "$option" | cut -d " " -f 1)
    if [ "$part1" == "dhcp-option" ] ; then
      part2=$(echo "$option" | cut -d " " -f 2)
      part3=$(echo "$option" | cut -d " " -f 3)
      if [ "$part2" == "DNS" ] ; then
        IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
      fi
      if [[ "$part2" == "DOMAIN" || "$part2" == "DOMAIN-SEARCH" ]] ; then
        IF_DNS_SEARCH="$IF_DNS_SEARCH $part3"
      fi
    fi
  done
  R=""
  if [ "$IF_DNS_SEARCH" ]; then
    R="search "
    for DS in $IF_DNS_SEARCH ; do
      R="${R} $DS"
    done
  R="${R}
"
  fi
 
  for NS in $IF_DNS_NAMESERVERS ; do
    R="${R}nameserver $NS
"
  done
  echo -n "$R" | $RESOLVCONF -a "${dev}"
  ;;
down)
  $RESOLVCONF -d "${dev}"
  ;;
esac
 
# Workaround / jm@epiclabs.io 
# force exit with no errors. Due to an apparent conflict with the Network Manager
# $RESOLVCONF sometimes exits with error code 6 even though it has performed the
# action correctly and OpenVPN shuts down.
exit 0
 


On donne les droits d’exécution au fichier /etc/openvpn/update-resolv-conf

Code BASH : 
chmod+x /etc/openvpn/update-resolv-conf


On lance le client vpn

Code BASH : 
[root@localhost openvpn]# openvpn --config /etc/openvpn/clientmga.ovpn
Fri Jun  9 15:36:10 2017 OpenVPN 2.4.0 x86_64-mageia-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 14 2017
Fri Jun  9 15:36:10 2017 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.09
Fri Jun  9 15:36:10 2017 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Enter Private Key Password: *********
Fri Jun  9 15:36:13 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Jun  9 15:36:13 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.15:1194
Fri Jun  9 15:36:13 2017 UDP link local: (not bound)
Fri Jun  9 15:36:13 2017 UDP link remote: [AF_INET]192.168.1.15:1194
Fri Jun  9 15:36:13 2017 [serveurmga] Peer Connection Initiated with [AF_INET]192.168.1.15:1194
Fri Jun  9 15:36:14 2017 TUN/TAP device tun0 opened
Fri Jun  9 15:36:14 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Jun  9 15:36:14 2017 /usr/sbin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
Fri Jun  9 15:36:14 2017 /etc/openvpn/update-resolv-conf tun0 1500 1553 10.8.0.6 10.8.0.5 init
dhcp-option DNS 208.67.222.222
dhcp-option DNS 208.67.220.220
Fri Jun  9 15:36:14 2017 Initialization Sequence Completed


Sur le client, on note la création de l'interface tun0

Code BASH : 
 
[root@localhost etc]# ifconfig -a
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.16  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::a00:27ff:fe6c:9323  prefixlen 64  scopeid 0x20<link>
        inet6 2a01:cb19:1a2:5200:a00:27ff:fe6c:9323  prefixlen 64  scopeid 0x0<global>
        ether 08:00:27:6c:93:23  txqueuelen 1000  (Ethernet)
        RX packets 5588  bytes 4858530 (4.6 MiB)
        RX errors 0  dropped 13  overruns 0  frame 0
        TX packets 1892  bytes 202555 (197.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Boucle locale)
        RX packets 16  bytes 1094 (1.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16  bytes 1094 (1.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.6  netmask 255.255.255.255  destination 10.8.0.5
        inet6 fe80::a4fb:abd2:8138:6018  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6  bytes 288 (288.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 


Sur le serveur, on voit la connexion s'établir :

Code TEXT : 
Sat Jun  3 18:44:42 2017 192.168.1.16:55809 TLS: Initial packet from [AF_INET]192.168.1.16:55809, sid=d03d78cc 43d44f6f
Sat Jun  3 18:44:42 2017 192.168.1.16:55809 VERIFY OK: depth=1, C=FR, ST=FRANCE, L=Bordeaux, O=vouf.fr, OU=changeme, CN=serveurmga, name=vouf, emailAddress=mail@host.domain
Sat Jun  3 18:44:42 2017 192.168.1.16:55809 VERIFY OK: depth=0, C=FR, ST=FRANCE, L=Bordeaux, O=vouf.fr, OU=changeme, CN=clientmga, name=vouf, emailAddress=mail@host.domain
Sat Jun  3 18:44:42 2017 192.168.1.16:55809 peer info: IV_VER=2.4.0
Sat Jun  3 18:44:42 2017 192.168.1.16:55809 peer info: IV_PLAT=linux
Sat Jun  3 18:44:42 2017 192.168.1.16:55809 peer info: IV_PROTO=2
Sat Jun  3 18:44:42 2017 192.168.1.16:55809 peer info: IV_NCP=2
Sat Jun  3 18:44:42 2017 192.168.1.16:55809 peer info: IV_LZ4=1
Sat Jun  3 18:44:42 2017 192.168.1.16:55809 peer info: IV_LZ4v2=1
Sat Jun  3 18:44:42 2017 192.168.1.16:55809 peer info: IV_LZO=1
Sat Jun  3 18:44:42 2017 192.168.1.16:55809 peer info: IV_COMP_STUB=1
Sat Jun  3 18:44:42 2017 192.168.1.16:55809 peer info: IV_COMP_STUBv2=1
Sat Jun  3 18:44:42 2017 192.168.1.16:55809 peer info: IV_TCPNL=1
Sat Jun  3 18:44:42 2017 192.168.1.16:55809 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sat Jun  3 18:44:42 2017 192.168.1.16:55809 [clientmga] Peer Connection Initiated with [AF_INET]192.168.1.16:55809
Sat Jun  3 18:44:42 2017 clientmga/192.168.1.16:55809 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Sat Jun  3 18:44:42 2017 clientmga/192.168.1.16:55809 MULTI: Learn: 10.8.0.6 -> clientmga/192.168.1.16:55809
Sat Jun  3 18:44:42 2017 clientmga/192.168.1.16:55809 MULTI: primary virtual IP for clientmga/192.168.1.16:55809: 10.8.0.6
Sat Jun  3 18:44:43 2017 clientmga/192.168.1.16:55809 PUSH: Received control message: 'PUSH_REQUEST'
Sat Jun  3 18:44:43 2017 clientmga/192.168.1.16:55809 SENT CONTROL [clientmga]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Sat Jun  3 18:44:43 2017 clientmga/192.168.1.16:55809 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Jun  3 18:44:43 2017 clientmga/192.168.1.16:55809 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key


Si on rencontre des soucis de connexion, on peut être amené à relancer le pare feu du client si celui ci est actif afin de prendre en compte la présence de l'interface tun0.

screenshot_20170611_151432

Vérification du bon usage du VPN




Il s'agit de vérifier si une fois connecté au serveur VPN, les échanges réseaux transitent bien par celui ci.

En utilisant la commande traceroute sur le client, on voit que l'on transite par 10.8.0.1 qui est l'adresse IP de l'interface tun0 du serveur vpn

Code BASH : 
[root@localhost etc]# traceroute www.mageialinux-online.org
traceroute to www.mageialinux-online.org (80.247.225.3), 30 hops max, 60 byte packets
 1  10.8.0.1 (10.8.0.1)  0.794 ms  0.791 ms  0.791 ms
 2  * * *
 3  80.10.245.33(80.10.245.33)  4.864 ms  6.594 ms  6.758 ms
 4  ******
17  * * *
18  atalante.nfrance.com (80.247.225.3)  32.787 ms  33.213 ms  33.707 ms


La commande nslookup nous permettra de vérifier qu'on utilise bien les DNS du serveur vpn

Code BASH : 
[root@localhost etc]# nslookup mageialinux-online.org
Server:         208.67.222.222
Address:        208.67.222.222#53
Non-authoritative answer:
Name:   mageialinux-online.org
Address: 80.247.225.3
 


Sources d'information qui ont permis de produire ce tutorial




[Tuto] Monter son VPN perso avec OpenVPN . Un grand merci pour son travail, sans lui ce tutoriel n'aurait pas pu voir le jour !

Fil de discussion sur le forum MLO

Écrit par: vouf, Le: 11/06/2017