Last updated: 11/06/2017 at 15:01
Overview
This tutorial was produced through a POC consisting of two virtual machines running Mageia 6.
The OpenVPN server, named "serveurmga", is connected to a local network with the IP address 192.168.1.15
A client machine named "clientmga" is connected to the same local network with the IP address 192.168.1.16
clientmga will establish a network connection in 10.8.0.0/24 to the VPN server serveurmga. The server will be configured as a gateway to the internet and will push the OpenDNS resolvers by default.
As a first step, the firewall on each machine is disabled via the Mageia Control Center
Server installation and configuration
Installing OpenVPN
Code BASH :
urpmi openvpn
Copy the easy-rsa directory
Code BASH :
cp -r /usr/share/openvpn/easy-rsa/ /etc/openvpn/easy-rsa
Edit the file /etc/openvpn/easy-rsa/vars
Code BASH :
cd /etc/openvpn/easy-rsa
nano vars
Change, in /etc/openvpn/easy-rsa/vars
Code TEXT :
export EASY_RSA="`pwd`"
to
Code TEXT :
export EASY_RSA="/etc/openvpn/easy-rsa"
Then change, in /etc/openvpn/easy-rsa/vars
Code BASH :
export KEY_SIZE=1024
to
Code BASH :
export KEY_SIZE=2048
Generating the certificate authority files: ca.crt and ca.key
Code BASH :
cd /etc/openvpn/easy-rsa
Load the new configuration
Code BASH :
[root@localhost easy-rsa]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
As a precaution, delete any previously generated certificates under /etc/openvpn/easy-rsa/keys
Code BASH :
[root@localhost easy-rsa]# ./clean-all
Generate the certificate authority's certificate
Code BASH :
[root@localhost easy-rsa]# ./build-ca
Code BASH :
Generating a 2048 bit RSA private key
....................+++
................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:FR
State or Province Name (full name) [CA]:FRANCE
Locality Name (eg, city) [SanFrancisco]:Bordeaux
Organization Name (eg, company) [Fort-Funston]:vouf.fr
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:serveurmga
Name [changeme]:vouf
Email Address [mail@host.domain]:
Generating the server keys: serveurmga.csr, serveurmga.key, serveurmga.crt
Code BASH :
[root@localhost easy-rsa]# ./build-key-server serveurmga
Code BASH :
Generating a 2048 bit RSA private key
.......................................+++
................................................................+++
writing new private key to 'serveurmga.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:FR
State or Province Name (full name) [CA]:FRANCE
Locality Name (eg, city) [SanFrancisco]:Bordeaux
Organization Name (eg, company) [Fort-Funston]:vouf.fr
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [serveurmga]:serveurmga
Name [changeme]:vouf
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'FR'
stateOrProvinceName   :PRINTABLE:'FRANCE'
localityName          :PRINTABLE:'Bordeaux'
organizationName      :PRINTABLE:'vouf.fr'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'serveurmga'
name                  :PRINTABLE:'vouf'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Jun 1 13:06:57 2027 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
For the challenge password, there is no need to enter anything.
Creating the client certificates and the clientmga.3des.key file
Generating the certificates for an OpenVPN client
Code BASH :
[root@localhost easy-rsa]# ./build-key-pass clientmga
A password is requested when creating the certificate ("PEM pass phrase"). On the other hand, there is no need to enter a challenge password.
Code BASH :
Generating a 2048 bit RSA private key
.........................+++
.......+++
writing new private key to 'clientmga.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:FR
State or Province Name (full name) [CA]:FRANCE
Locality Name (eg, city) [SanFrancisco]:Bordeaux
Organization Name (eg, company) [Fort-Funston]:vouf.fr
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [clientmga]:
Name [changeme]:vouf
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'FR'
stateOrProvinceName   :PRINTABLE:'FRANCE'
localityName          :PRINTABLE:'Bordeaux'
organizationName      :PRINTABLE:'vouf.fr'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'clientmga'
name                  :PRINTABLE:'vouf'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Jun 1 13:10:54 2027 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Code BASH :
cd keys
Encrypt the client key with the 3DES algorithm
Code BASH :
[root@localhost keys]# openssl rsa -in clientmga.key -des3 -out clientmga.3des.key
A password is requested...
Code BASH :
Enter pass phrase for clientmga.key:
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Securing the key exchange
Code BASH :
[root@localhost keys]# cd /etc/openvpn/easy-rsa
Code BASH :
[root@localhost easy-rsa]# ./build-dh
Code BASH :
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.........................+.............+......... (progress output trimmed) ..........++*++*
Code BASH :
openvpn --genkey --secret keys/ta.key
Create the client configuration file /etc/openvpn/easy-rsa/keys/Default.txt
Code BASH :
cd /etc/openvpn/easy-rsa/keys
nano Default.txt
In the file Default.txt
Code TEXT :
client
dev tun
proto udp # UDP protocol
remote serveurmga 1194 # the VPN server's IP address or its domain name can be used here; port 1194 again
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo # enables compression
verb 1
mute 20
script-security 2
up /etc/openvpn/update-resolv-conf # script that updates the client's DNS on connection
down /etc/openvpn/update-resolv-conf # on disconnection, the client gets its original DNS back
Generate a clientmga.ovpn file, which has the advantage of bundling the client configuration, the certificate authority and the key in one place
Download MakeOpenVPN.sh and copy it under /etc/openvpn/easy-rsa/keys
Code BASH :
[root@localhost keys]# bash MakeOpenVPN.sh
Code BASH :
Entrez le nom d'un client existant :
clientmga
Clé publique trouvée : clientmga
Clé privée trouvée : clientmga.3des.key
Clé publique CA trouvée : ca.crt
Clé privée tls-auth trouvée : ta.key
Terminé ! clientmga.ovpn généré avec succès.
OpenVPN server configuration file
Server configuration file /etc/openvpn/server.conf
Code TEXT :
local 192.168.1.15 # local IP address of your server
dev tun # VPN type: tun (IP tunnel) or tap (Ethernet tunnel/bridge)
proto udp # protocol to use: tcp or udp, usually udp
port 1194 # the default OpenVPN port, adjust as needed
ca /etc/openvpn/easy-rsa/keys/ca.crt # certificate authority public key
cert /etc/openvpn/easy-rsa/keys/serveurmga.crt # server public key
key /etc/openvpn/easy-rsa/keys/serveurmga.key # server private key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem # if you kept 2048 bits
server 10.8.0.0 255.255.255.0 # the network from which IPs are assigned; clients get a 10.8.0.x address
push "redirect-gateway def1 bypass-dhcp" # lets the server act as a gateway
#push "dhcp-option DNS 10.8.0.1" # your primary DNS server (often your router)
push "dhcp-option DNS 208.67.222.222" # OpenDNS primary DNS server
push "dhcp-option DNS 208.67.220.220" # OpenDNS secondary DNS server
# you can also use Google DNS 8.8.8.8 or OpenDNS 208.67.222.222
# for the rest, there is no reason to touch anything unless you know what you are doing!
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo # enables compression
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 3
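A configuration like the one above is worth auditing for the settings a security review would flag. The following is an added Python example (mine, not the tutorial's and not the OpenVPN project's). It parses the directives of a server.conf, embedded below as a constructed copy of the file above with comments removed, and reports findings. The checks encode OpenVPN 2.4 behaviour (the HMAC defaults to SHA1 when `auth` is absent, as the server log later on this page confirms; `ns-cert-type` and `comp-lzo` are deprecated in 2.4; the default TLS floor is 1.0) together with my own recommendations (`auth SHA256`, `tls-version-min 1.2`, an AEAD cipher, no `duplicate-cn`). A hypothetical hardened variant is derived from the same text to show the audit coming back clean.

```python
"""Audit an OpenVPN configuration for weak or deprecated directives."""
from typing import Dict, List, Tuple

# Constructed sample: the tutorial's server.conf with comments removed.
SERVER_CONF = """\
local 192.168.1.15
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/serveurmga.crt
key /etc/openvpn/easy-rsa/keys/serveurmga.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 3
"""

# Hypothetical hardened variant of the same file: compression, duplicate-cn
# and client-to-client removed, AEAD cipher, explicit HMAC and TLS floor.
HARDENED_CONF = (
    SERVER_CONF.replace("comp-lzo\n", "")
    .replace("duplicate-cn\n", "")
    .replace("client-to-client\n", "")
    .replace("cipher AES-128-CBC", "cipher AES-256-GCM")
    + "auth SHA256\ntls-version-min 1.2\n"
)


def parse_directives(text: str) -> List[Tuple[str, List[str]]]:
    """Return (directive, args) pairs; '#' and ';' start comments in OpenVPN."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            directives.append((parts[0], parts[1:]))
    return directives


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    present: Dict[str, List[List[str]]] = {}
    for name, args in parse_directives(text):
        present.setdefault(name, []).append(args)
    findings: List[str] = []
    if "comp-lzo" in present or "compress" in present:
        findings.append("compression enabled (comp-lzo/compress): compressing before "
                        "encryption can leak plaintext information; remove it")
    if "duplicate-cn" in present:
        findings.append("duplicate-cn: several devices may connect with one certificate, "
                        "so a session cannot be attributed to a single device")
    if "client-to-client" in present:
        findings.append("client-to-client: VPN clients can reach each other directly; "
                        "drop it unless that is intended")
    if "ns-cert-type" in present:
        findings.append("ns-cert-type is deprecated in OpenVPN 2.4; use "
                        "'remote-cert-tls server' instead")
    if "auth" not in present:
        findings.append("no 'auth' directive: the HMAC defaults to SHA1; set "
                        "'auth SHA256' on server and clients")
    if "tls-version-min" not in present:
        findings.append("no tls-version-min: the control channel accepts TLS 1.0; "
                        "set 'tls-version-min 1.2'")
    for args in present.get("cipher", []):
        if args and args[0].upper().endswith("-CBC"):
            findings.append(f"cipher {args[0]}: CBC with a separate HMAC; prefer an "
                            "AEAD cipher such as AES-256-GCM")
    if "tls-auth" not in present and "tls-crypt" not in present:
        findings.append("no tls-auth/tls-crypt: anyone can start a TLS handshake with "
                        "the server; add an HMAC key for the control channel")
    return findings


if __name__ == "__main__":
    for conf_name, conf in (("server.conf", SERVER_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {conf_name}: {len(audit(conf))} finding(s)")
        for finding in audit(conf):
            print(" -", finding)
```

Run as-is it lists six findings for the tutorial's file and none for the hardened variant. The same `audit` function can be pointed at the client's Default.txt, where it will additionally flag `ns-cert-type server`.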
Code BASH :
nano /etc/sysctl.conf
Add at the end of the file /etc/sysctl.conf
Code TEXT :
net.ipv4.ip_forward = 1
Apply the configuration
Code BASH :
sysctl -p
This command must be run after every server reboot. See how to run it automatically at each reboot.
Code BASH :
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp0s3 -j MASQUERADE
Creating the openvpn service to start the server
Code BASH :
[root@localhost etc]# systemctl enable openvpn@server.service
Result of the command creating the openvpn service via systemctl
Code BASH :
Created symlink /etc/systemd/system/openvpn.target.wants/openvpn@server.service → /usr/lib/systemd/system/openvpn@.service.
Starting the OpenVPN server
Code BASH :
systemctl start openvpn@server.service
Note the creation of the tun0 interface on the server
Code BASH :
[root@localhost keys]# ifconfig -a
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.15  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 2a01:cb19:1a2:5200:a00:27ff:fe00:b346  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::a00:27ff:fe00:b346  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:00:b3:46  txqueuelen 1000  (Ethernet)
        RX packets 194036  bytes 138807516 (132.3 MiB)
        RX errors 0  dropped 2  overruns 0  frame 0
        TX packets 191523  bytes 135687027 (129.4 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Boucle locale)
        RX packets 34  bytes 4214 (4.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 34  bytes 4214 (4.1 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
        inet6 fe80::3a19:dbb5:604e:afb8  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 79307  bytes 22061882 (21.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 110498  bytes 105230363 (100.3 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
Code BASH :
[root@localhost log]# cat /var/log/openvpn-status.log
OpenVPN CLIENT LIST
Updated,Sat Jun 3 18:42:26 2017
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
GLOBAL STATS
Max bcast/mcast queue length,0
END
Code BASH :
[root@localhost log]# cat /var/log/openvpn.log
Sat Jun 3 18:41:39 2017 OpenVPN 2.4.0 x86_64-mageia-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 14 2017
Sat Jun 3 18:41:39 2017 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.09
Sat Jun 3 18:41:39 2017 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Sat Jun 3 18:41:39 2017 Diffie-Hellman initialized with 2048 bit key
Sat Jun 3 18:41:39 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jun 3 18:41:39 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jun 3 18:41:39 2017 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:00:b3:46
Sat Jun 3 18:41:39 2017 TUN/TAP device tun0 opened
Sat Jun 3 18:41:39 2017 TUN/TAP TX queue length set to 100
Sat Jun 3 18:41:39 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Jun 3 18:41:39 2017 /usr/sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Sat Jun 3 18:41:39 2017 /usr/sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Sat Jun 3 18:41:39 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Jun 3 18:41:39 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Jun 3 18:41:39 2017 UDPv4 link local (bound): [AF_INET]192.168.1.15:1194
Sat Jun 3 18:41:39 2017 UDPv4 link remote: [AF_UNSPEC]
Sat Jun 3 18:41:39 2017 GID set to nogroup
Sat Jun 3 18:41:39 2017 UID set to nobody
Sat Jun 3 18:41:39 2017 MULTI: multi_init called, r=256 v=256
Sat Jun 3 18:41:39 2017 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Sat Jun 3 18:41:39 2017 Initialization Sequence Completed
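The status file shown above is the natural place to watch who is connected, and with `duplicate-cn` in server.conf one certificate can be in use from several addresses at the same time, which is worth noticing. The following is an added Python example (mine, not the tutorial's). It parses the CLIENT LIST and ROUTING TABLE sections of that file format and lists common names seen from more than one real address. The status text below is constructed: it shows the file as it would look with two devices connected using the clientmga certificate.

```python
"""Parse an OpenVPN status file and flag certificates used from several addresses."""
from typing import Dict, List

# Constructed sample in the format of /var/log/openvpn-status.log above,
# with two concurrent sessions sharing the clientmga certificate.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Sat Jun 3 19:05:01 2017
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
clientmga,192.168.1.16:55809,22061882,105230363,Sat Jun 3 18:44:42 2017
clientmga,192.168.1.42:41002,1204,3310,Sat Jun 3 19:02:11 2017
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,clientmga,192.168.1.16:55809,Sat Jun 3 19:05:00 2017
10.8.0.10,clientmga,192.168.1.42:41002,Sat Jun 3 19:05:01 2017
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def parse_status(text: str) -> Dict[str, object]:
    """Split the file into its CLIENT LIST and ROUTING TABLE sections.

    Each section is a small CSV table: the header line is the first line
    after the section title (after the 'Updated,' line for the client list),
    and every following line until the next title is a row. Rows are
    returned as dicts keyed by the header fields.
    """
    result: Dict[str, object] = {"updated": "", "clients": [], "routes": []}
    section = None
    header: List[str] = []
    for line in text.splitlines():
        if line == "OpenVPN CLIENT LIST":
            section, header = "clients", []
        elif line == "ROUTING TABLE":
            section, header = "routes", []
        elif line in ("GLOBAL STATS", "END"):
            section, header = None, []
        elif section is None:
            continue
        elif line.startswith("Updated,"):
            result["updated"] = line.split(",", 1)[1]
        elif not header:
            header = line.split(",")
        else:
            result[section].append(dict(zip(header, line.split(","))))
    return result


def shared_certificates(status: Dict[str, object]) -> Dict[str, List[str]]:
    """Return common names currently connected from more than one real address."""
    seen: Dict[str, List[str]] = {}
    for row in status["clients"]:
        seen.setdefault(row["Common Name"], []).append(row["Real Address"])
    return {cn: addrs for cn, addrs in seen.items() if len(addrs) > 1}


if __name__ == "__main__":
    status = parse_status(SAMPLE_STATUS)
    print(f"status updated {status['updated']}: {len(status['clients'])} client(s)")
    for cn, addrs in shared_certificates(status).items():
        print(f"certificate {cn} in use from {len(addrs)} addresses: {', '.join(addrs)}")
```

To run it on the real file, replace `SAMPLE_STATUS` with `open("/var/log/openvpn-status.log").read()`; the server rewrites that file every 20 seconds with the `status ... 20` directive from server.conf.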
Firewall configuration on the server



On the client machine, at the command line
Log in as root
Install openvpn
Code BASH :
urpmi openvpn
Copy the clientmga.ovpn file under /etc/openvpn/
Create a file /etc/openvpn/update-resolv-conf containing:
Code BASH :
#!/usr/bin/env bash
#
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood <jdthood@yahoo.co.uk>
# and Chris Hanson
# Licensed under the GNU GPL. See /usr/share/common-licenses/GPL.
# 07/2013 colin@daedrum.net Fixed intet name
# 05/2006 chlauber@bnc.ch
# 09/2017 Adapted by vouf for Mageia
#
# Example envs set from openvpn:
# foreign_option_1='dhcp-option DNS 193.43.27.132'
# foreign_option_2='dhcp-option DNS 193.43.27.133'
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
# foreign_option_4='dhcp-option DOMAIN-SEARCH bnc.local'

## The 'type' builtins will look for file in $PATH variable, so we set the
## PATH below. You might need to directly set the path to 'resolvconf'
## manually if it still doesn't work, i.e.
## RESOLVCONF=/usr/sbin/resolvconf
## export PATH=$PATH:/sbin:/usr/sbin:/bin:/usr/bin

RESOLVCONF=$(type -p resolvconf)

case $script_type in

up)
  # Collect the DNS and DOMAIN/DOMAIN-SEARCH values pushed by the server
  for optionname in ${!foreign_option_*} ; do
    option="${!optionname}"
    echo $option
    part1=$(echo "$option" | cut -d " " -f 1)
    if [ "$part1" == "dhcp-option" ] ; then
      part2=$(echo "$option" | cut -d " " -f 2)
      part3=$(echo "$option" | cut -d " " -f 3)
      if [ "$part2" == "DNS" ] ; then
        IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
      fi
      if [[ "$part2" == "DOMAIN" || "$part2" == "DOMAIN-SEARCH" ]] ; then
        IF_DNS_SEARCH="$IF_DNS_SEARCH $part3"
      fi
    fi
  done
  # Build the resolv.conf fragment and hand it to resolvconf for this interface
  R=""
  if [ "$IF_DNS_SEARCH" ]; then
    R="search "
    for DS in $IF_DNS_SEARCH ; do
      R="${R} $DS"
    done
    R="${R}
"
  fi
  for NS in $IF_DNS_NAMESERVERS ; do
    R="${R}nameserver $NS
"
  done
  echo -n "$R" | $RESOLVCONF -a "${dev}"
  ;;
down)
  # Remove this interface's entries so the original DNS comes back
  $RESOLVCONF -d "${dev}"
  ;;
esac

# Workaround / jm@epiclabs.io
# force exit with no errors. Due to an apparent conflict with the Network Manager
# $RESOLVCONF sometimes exits with error code 6 even though it has performed the
# action correctly and OpenVPN shuts down.

exit 0
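The script above writes whatever the server pushes as `dhcp-option` straight into resolv.conf through resolvconf. The following is an added Python example (mine, not the tutorial's and not part of the script) that reproduces the script's parsing of the `foreign_option_N` environment variables and adds one check the script does not have: a pushed DNS value is accepted only if it is an IP address, and a DOMAIN or DOMAIN-SEARCH value only if it is a syntactically valid hostname, so a misconfigured server cannot put arbitrary text into the client's resolver configuration. The environment below is a constructed sample built from the two resolvers the tutorial pushes plus one deliberately bad option.

```python
"""Build the resolv.conf fragment fed to resolvconf, validating pushed values."""
import ipaddress
import re
from typing import Dict, List, Tuple

# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Constructed sample: what OpenVPN exports to the up script for the tutorial's
# two pushed resolvers, a search domain, and one bogus option to show rejection.
SAMPLE_ENV = {
    "dev": "tun0",
    "script_type": "up",
    "foreign_option_1": "dhcp-option DNS 208.67.222.222",
    "foreign_option_2": "dhcp-option DNS 208.67.220.220",
    "foreign_option_3": "dhcp-option DOMAIN-SEARCH vouf.fr",
    "foreign_option_4": "dhcp-option DNS not-an-address;rm",
}


def collect_options(env: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (nameservers, search domains, rejected options) in push order."""
    nameservers: List[str] = []
    search: List[str] = []
    rejected: List[str] = []
    names = [k for k in env if k.startswith("foreign_option_")]
    for name in sorted(names, key=lambda k: int(k.rsplit("_", 1)[1])):
        parts = env[name].split()
        if len(parts) != 3 or parts[0] != "dhcp-option":
            continue  # the script ignores anything that is not a 3-word dhcp-option
        kind, value = parts[1], parts[2]
        if kind == "DNS":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                rejected.append(env[name])
                continue
            nameservers.append(value)
        elif kind in ("DOMAIN", "DOMAIN-SEARCH"):
            if HOSTNAME_RE.match(value):
                search.append(value)
            else:
                rejected.append(env[name])
    return nameservers, search, rejected


def resolvconf_input(env: Dict[str, str]) -> str:
    """The text the script pipes into 'resolvconf -a $dev': search line, then nameservers."""
    nameservers, search, _ = collect_options(env)
    lines: List[str] = []
    if search:
        lines.append("search " + " ".join(search))
    lines.extend(f"nameserver {ns}" for ns in nameservers)
    return "".join(line + "\n" for line in lines)


if __name__ == "__main__":
    ns, sd, bad = collect_options(SAMPLE_ENV)
    for option in bad:
        print(f"rejected pushed option: {option!r}")
    print(resolvconf_input(SAMPLE_ENV), end="")
```

Wired into the up script, the rejected options would be logged and dropped instead of written, which is the behaviour a client should have whenever it takes resolver settings from a remote peer.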
Make the file /etc/openvpn/update-resolv-conf executable
Code BASH :
chmod +x /etc/openvpn/update-resolv-conf
Start the VPN client
Code BASH :
[root@localhost openvpn]# openvpn --config /etc/openvpn/clientmga.ovpn
Fri Jun 9 15:36:10 2017 OpenVPN 2.4.0 x86_64-mageia-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 14 2017
Fri Jun 9 15:36:10 2017 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.09
Fri Jun 9 15:36:10 2017 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Enter Private Key Password: *********
Fri Jun 9 15:36:13 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Jun 9 15:36:13 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.15:1194
Fri Jun 9 15:36:13 2017 UDP link local: (not bound)
Fri Jun 9 15:36:13 2017 UDP link remote: [AF_INET]192.168.1.15:1194
Fri Jun 9 15:36:13 2017 [serveurmga] Peer Connection Initiated with [AF_INET]192.168.1.15:1194
Fri Jun 9 15:36:14 2017 TUN/TAP device tun0 opened
Fri Jun 9 15:36:14 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Jun 9 15:36:14 2017 /usr/sbin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
Fri Jun 9 15:36:14 2017 /etc/openvpn/update-resolv-conf tun0 1500 1553 10.8.0.6 10.8.0.5 init
dhcp-option DNS 208.67.222.222
dhcp-option DNS 208.67.220.220
Fri Jun 9 15:36:14 2017 Initialization Sequence Completed
On the client, note the creation of the tun0 interface
Code BASH :
[root@localhost etc]# ifconfig -a
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.16  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::a00:27ff:fe6c:9323  prefixlen 64  scopeid 0x20<link>
        inet6 2a01:cb19:1a2:5200:a00:27ff:fe6c:9323  prefixlen 64  scopeid 0x0<global>
        ether 08:00:27:6c:93:23  txqueuelen 1000  (Ethernet)
        RX packets 5588  bytes 4858530 (4.6 MiB)
        RX errors 0  dropped 13  overruns 0  frame 0
        TX packets 1892  bytes 202555 (197.8 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Boucle locale)
        RX packets 16  bytes 1094 (1.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16  bytes 1094 (1.0 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.6  netmask 255.255.255.255  destination 10.8.0.5
        inet6 fe80::a4fb:abd2:8138:6018  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6  bytes 288 (288.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
On the server, the connection can be seen being established:
Code TEXT :
Sat Jun 3 18:44:42 2017 192.168.1.16:55809 TLS: Initial packet from [AF_INET]192.168.1.16:55809, sid=d03d78cc 43d44f6f
Sat Jun 3 18:44:42 2017 192.168.1.16:55809 VERIFY OK: depth=1, C=FR, ST=FRANCE, L=Bordeaux, O=vouf.fr, OU=changeme, CN=serveurmga, name=vouf, emailAddress=mail@host.domain
Sat Jun 3 18:44:42 2017 192.168.1.16:55809 VERIFY OK: depth=0, C=FR, ST=FRANCE, L=Bordeaux, O=vouf.fr, OU=changeme, CN=clientmga, name=vouf, emailAddress=mail@host.domain
Sat Jun 3 18:44:42 2017 192.168.1.16:55809 peer info: IV_VER=2.4.0
Sat Jun 3 18:44:42 2017 192.168.1.16:55809 peer info: IV_PLAT=linux
Sat Jun 3 18:44:42 2017 192.168.1.16:55809 peer info: IV_PROTO=2
Sat Jun 3 18:44:42 2017 192.168.1.16:55809 peer info: IV_NCP=2
Sat Jun 3 18:44:42 2017 192.168.1.16:55809 peer info: IV_LZ4=1
Sat Jun 3 18:44:42 2017 192.168.1.16:55809 peer info: IV_LZ4v2=1
Sat Jun 3 18:44:42 2017 192.168.1.16:55809 peer info: IV_LZO=1
Sat Jun 3 18:44:42 2017 192.168.1.16:55809 peer info: IV_COMP_STUB=1
Sat Jun 3 18:44:42 2017 192.168.1.16:55809 peer info: IV_COMP_STUBv2=1
Sat Jun 3 18:44:42 2017 192.168.1.16:55809 peer info: IV_TCPNL=1
Sat Jun 3 18:44:42 2017 192.168.1.16:55809 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sat Jun 3 18:44:42 2017 192.168.1.16:55809 [clientmga] Peer Connection Initiated with [AF_INET]192.168.1.16:55809
Sat Jun 3 18:44:42 2017 clientmga/192.168.1.16:55809 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Sat Jun 3 18:44:42 2017 clientmga/192.168.1.16:55809 MULTI: Learn: 10.8.0.6 -> clientmga/192.168.1.16:55809
Sat Jun 3 18:44:42 2017 clientmga/192.168.1.16:55809 MULTI: primary virtual IP for clientmga/192.168.1.16:55809: 10.8.0.6
Sat Jun 3 18:44:43 2017 clientmga/192.168.1.16:55809 PUSH: Received control message: 'PUSH_REQUEST'
Sat Jun 3 18:44:43 2017 clientmga/192.168.1.16:55809 SENT CONTROL [clientmga]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Sat Jun 3 18:44:43 2017 clientmga/192.168.1.16:55809 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Jun 3 18:44:43 2017 clientmga/192.168.1.16:55809 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Checking that the VPN is actually used
The point is to check that, once connected to the VPN server, network traffic really goes through it.
Using the traceroute command on the client, we see that traffic goes through 10.8.0.1, which is the IP address of the VPN server's tun0 interface
Code BASH :
[root@localhost etc]# traceroute www.mageialinux-online.org
traceroute to www.mageialinux-online.org (80.247.225.3), 30 hops max, 60 byte packets
 1  10.8.0.1 (10.8.0.1)  0.794 ms  0.791 ms  0.791 ms
 2  * * *
 3  80.10.245.33 (80.10.245.33)  4.864 ms  6.594 ms  6.758 ms
 4  * * *
...
17  * * *
18  atalante.nfrance.com (80.247.225.3)  32.787 ms  33.213 ms  33.707 ms
The nslookup command lets us check that the DNS servers pushed by the VPN server are indeed in use
Code BASH :
[root@localhost etc]# nslookup mageialinux-online.org
Server:		208.67.222.222
Address:	208.67.222.222#53

Non-authoritative answer:
Name:	mageialinux-online.org
Address: 80.247.225.3
Sources used to produce this tutorial
[Tuto] Monter son VPN perso avec OpenVPN. Many thanks to its author for this work; without it this tutorial could not have existed!
Discussion thread on the MLO forum
Written by: vouf, on: 11/06/2017