Monday, 31 October 2011

Configuring a VPN server on Ubuntu: OpenVPN

To link two remote machines through an encrypted tunnel, the cheapest solution remains OpenVPN.
The installation is not very complicated. You need two machines: the VPN server (here Ubuntu 11.10) and the client (Windows 7).

Open a terminal and type:

-------------------------------------------------------------------------------------------------
sudo apt-get install openvpn
-------------------------------------------------------------------------------------------------


We first create a Certificate Authority (CA). Its role is to sign the server and client certificates, so that each side can verify the other's identity; the CA private key (ca.key) is the root of trust of the whole setup and should never leave the server.
From the console we go to the easy-rsa directory,
working as root:
-------------------------------------------------------------------------------------------------
sudo -s
-------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------
cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/
-------------------------------------------------------------------------------------------------

and edit the "vars" file
-------------------------------------------------------------------------------------------------
nano vars
-------------------------------------------------------------------------------------------------
and replace the values below with your own, then save:

-------------------------------------------------------------------------------------------------
export KEY_COUNTRY=FR
export KEY_PROVINCE=IDF
export KEY_CITY=paris
export KEY_ORG=tutosinfo
export KEY_EMAIL=polux@xxx.com
-------------------------------------------------------------------------------------------------

The same file also sets KEY_SIZE, which defaults to 1024 in easy-rsa 2.0; raise it to 2048 so that the CA, server and client keys and the Diffie-Hellman parameters built below are all 2048-bit. Then load the variables into the current shell:
-------------------------------------------------------------------------------------------------
. ./vars
-------------------------------------------------------------------------------------------------
Wipe any existing keys and certificates (this empties the keys/ directory, so run it only once, before building the CA):
-------------------------------------------------------------------------------------------------
./clean-all
-------------------------------------------------------------------------------------------------

then build the master Certificate Authority's certificate and key:
-------------------------------------------------------------------------------------------------
./build-ca
-------------------------------------------------------------------------------------------------

The CA certificate and its key are now in the keys/ directory
(ca.crt and ca.key).

Next we create the server's certificate and key. The name you give here becomes the Common Name of the certificate and the base name of the files, so it must match the cert/key paths used in server.conf further down:

-------------------------------------------------------------------------------------------------
./build-key-server server
-------------------------------------------------------------------------------------------------

Press Enter to accept the defaults (they come from vars), leave the challenge password empty, and answer "y" to the two final questions (sign the certificate, then commit).

Two more files are now created: server.crt and server.key.


The procedure is the same for every client, one certificate per machine:

-------------------------------------------------------------------------------------------------
./build-key client1
-------------------------------------------------------------------------------------------------

and so on for client2, client3, etc. Never share one certificate between several clients: revoking it would then cut off all of them. (./build-key-pass does the same thing but protects the client's private key with a passphrase.)

Next the Diffie-Hellman parameters must be generated on the VPN server (this takes a while):

-------------------------------------------------------------------------------------------------
./build-dh
-------------------------------------------------------------------------------------------------
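Before moving anything to /etc/openvpn/, it is worth checking that the files easy-rsa produced fit together. The following shell functions are an added example (not part of the original post); they assume the openssl command-line tool is installed (easy-rsa itself calls it) and the file names used above: ca.crt, server.crt, server.key, client1.crt, client1.key.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the files that
# easy-rsa just produced before copying them to /etc/openvpn/.
# Assumes the openssl CLI is available and the file names used in the post.

# key_bits CERT -> prints the public key size of a certificate, e.g. 2048
key_bits() {
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# check_pki CA_CERT CERT KEY
# Returns 0 only if CERT was issued by CA_CERT, KEY is the private key
# belonging to CERT, and both CA_CERT and CERT carry keys of at least
# 2048 bits. Each failure is reported on stderr.
check_pki() {
    ca=$1; cert=$2; key=$3

    # 1. The certificate must chain to our CA. This is the same check the
    #    server performs on a client certificate (and the client on the
    #    server's), so a certificate that fails here will never connect.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert is not signed by $ca" >&2
        return 1
    fi

    # 2. The private key must belong to the certificate. Comparing the two
    #    public keys (PEM SubjectPublicKeyInfo) catches a cert/key mix-up
    #    such as copying client1.key next to server.crt.
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2
        return 1
    fi

    # 3. Key size. easy-rsa 2.0 defaults KEY_SIZE to 1024 in vars, which is
    #    below current recommendations for RSA, so refuse anything smaller
    #    than 2048 bits.
    for f in "$ca" "$cert"; do
        bits=$(key_bits "$f")
        if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
            echo "FAIL: $f uses a ${bits:-unknown}-bit key; rebuild with KEY_SIZE=2048" >&2
            return 1
        fi
    done
    return 0
}

# Usage on the server, from the easy-rsa directory, before the cp step:
#   check_pki keys/ca.crt keys/server.crt keys/server.key  && echo "server PKI OK"
#   check_pki keys/ca.crt keys/client1.crt keys/client1.key && echo "client1 PKI OK"
```

Run it once per certificate/key pair; a failure in step 1 or 2 is exactly what later shows up in openvpn.log as a TLS handshake error, and a failure in step 3 means vars was loaded with the default KEY_SIZE and the whole PKI should be rebuilt before any certificate is distributed.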

We then copy the CA certificate, the server certificate and key, and the DH parameters to /etc/openvpn/. Only these four files belong on the server; ca.key stays in keys/, and each client later receives just ca.crt plus its own clientN.crt and clientN.key:

-------------------------------------------------------------------------------------------------
cp keys/dh*.pem keys/ca.crt keys/server.crt keys/server.key /etc/openvpn/
-------------------------------------------------------------------------------------------------

then go to the sample configuration directory:

-------------------------------------------------------------------------------------------------
cd /usr/share/doc/openvpn/examples/sample-config-files/
-------------------------------------------------------------------------------------------------

decompress the sample server configuration:

-------------------------------------------------------------------------------------------------
gunzip server.conf.gz
-------------------------------------------------------------------------------------------------
then copy it to /etc/openvpn/:

-------------------------------------------------------------------------------------------------
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/
-------------------------------------------------------------------------------------------------

and edit it:

-------------------------------------------------------------------------------------------------
nano /etc/openvpn/server.conf
-------------------------------------------------------------------------------------------------

Here is a very basic configuration:

---------------------------

# Which TCP/UDP port should OpenVPN listen on?
# Open up this port on your firewall.
port 1194

# TCP or UDP server? The client must use the same one.
# UDP is the usual choice (no TCP-over-TCP); TCP is kept
# here because it gets through more firewalls.
proto tcp
#proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
#dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# CA certificate, server certificate and server key built
# with easy-rsa above. The file names must match the name
# given to ./build-key-server. OpenVPN can also use a
# PKCS #12 formatted key file (see "pkcs12" directive in man page).
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret

# Diffie hellman parameters, produced by ./build-dh.
# easy-rsa names the file after KEY_SIZE in vars: dh1024.pem
# with the default, dh2048.pem if you raised KEY_SIZE to 2048
# (recommended; then change this line to match).
dh /etc/openvpn/dh1024.pem

# Configure server mode and supply a VPN subnet for OpenVPN
# to draw client addresses from. This is the virtual subnet
# of the tunnel, not your LAN: pick a private range that does
# not overlap the LAN on either end. The server takes .1 for
# itself. Comment this line out if you are ethernet bridging.
server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
# Without it OpenVPN 2.x falls back to Blowfish (BF-CBC).
#cipher BF-CBC # Blowfish (default)
cipher AES-128-CBC # AES
#cipher DES-EDE3-CBC # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
max-clients 2

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
log-append openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 5

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

---------------------------
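A configuration like the one above is easy to get subtly wrong (the sample file's own comments warn against setting both log directives, the placeholder subnet is easy to leave in, and the defaults for DH size and cipher are weak). The checker below is an added example, not part of the original post; it only knows the directive names used in this configuration (server, dh, log, log-append, user, group, cipher) plus tls-auth, OpenVPN's standard directive for an extra pre-shared HMAC key that the post does not set up.

```shell
#!/bin/sh
# Added example, not from the original post: report the weaknesses in an
# OpenVPN server.conf before starting the daemon. Assumes the directive
# names used in the post; "tls-auth" is OpenVPN's standard directive.

# has_directive NAME -> true if NAME appears as a directive in $body
has_directive() {
    printf '%s\n' "$body" | grep -Eq "^[[:space:]]*$1([[:space:]]|$)"
}

# check_server_conf FILE
# Prints one line per problem found; returns 1 if any, 0 if clean.
check_server_conf() {
    # Drop comments ("#" and ";" as in OpenVPN's own syntax) and blank lines.
    body=$(sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$1")
    rc=0

    # "log" and "log-append" are alternatives, not a pair.
    if has_directive "log" && has_directive "log-append"; then
        echo "both 'log' and 'log-append' are set: keep only log-append"; rc=1
    fi
    # The VPN subnet was left as the x.x.x.x placeholder.
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*server[[:space:]]+x\.'; then
        echo "'server' still has the x.x.x.x placeholder: use a private subnet such as 10.8.0.0 255.255.255.0"; rc=1
    fi
    # 1024-bit Diffie-Hellman parameters (the easy-rsa default KEY_SIZE).
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*dh[[:space:]]+.*dh1024'; then
        echo "dh1024.pem: set KEY_SIZE=2048 in vars, rerun ./build-dh and reference dh2048.pem"; rc=1
    fi
    # Without user/group the daemon keeps root after initialisation.
    if ! has_directive "user" || ! has_directive "group"; then
        echo "no 'user'/'group': the daemon keeps running as root"; rc=1
    fi
    # With no cipher line, OpenVPN 2.3 and earlier fall back to BF-CBC.
    if ! has_directive "cipher" || printf '%s\n' "$body" | grep -Eq '^[[:space:]]*cipher[[:space:]]+BF-CBC'; then
        echo "cipher is Blowfish (BF-CBC): use AES, e.g. 'cipher AES-256-CBC', on server and clients"; rc=1
    fi
    # tls-auth puts an HMAC check in front of the TLS handshake, so packets
    # from anyone who does not hold ta.key are dropped before the TLS code
    # ever sees them.
    if ! has_directive "tls-auth"; then
        echo "no 'tls-auth': generate ta.key (openvpn --genkey --secret ta.key) and add 'tls-auth ta.key 0'"; rc=1
    fi
    return $rc
}

# Usage:  check_server_conf /etc/openvpn/server.conf && echo "server.conf OK"
```

Against the configuration shown in this post, with the log, cert and subnet fixes already applied, the checker still reports the 1024-bit DH file and the missing tls-auth; against the unedited version it also reports the double log directive and the x.x.x.x placeholder. If you add tls-auth on the server, the same ta.key must be copied to every client together with a matching `tls-auth ta.key 1` line.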
Restart the OpenVPN daemon:

-------------------------------------------------------------------------------------------------
/etc/init.d/openvpn restart
-------------------------------------------------------------------------------------------------



Then look at /etc/openvpn/openvpn.log: the line "Initialization Sequence Completed" means the server is up and listening on port 1194.

All that remains is to download OpenVPN for Windows here: http://openvpn.net/index.php/open-source/downloads.html

and copy the client1 files from the server (ca.crt, client1.crt and client1.key, nothing else) into C:\Program Files\OpenVPN\config, next to a client1.ovpn configuration file. Transfer them over a secure channel (scp or a USB stick, not e-mail): client1.key is the client's identity and anyone holding it can connect as client1.

A shortcut (or the OpenVPN GUI tray icon) then launches the VPN connection... and that's it. Remember to open the matching port on the server's firewall (TCP 1194 with the configuration above); it helps...
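The post never shows the client side. The client1.ovpn below is an added example, not part of the original post: `vpn.example.com` is a placeholder for the server's public name or address, and the protocol, cipher and compression lines must match the server configuration above or the handshake will fail.

```conf
# client1.ovpn - added example, not from the original post.
# Goes in C:\Program Files\OpenVPN\config next to ca.crt, client1.crt, client1.key.
client
dev tun
# Must match the server: proto tcp because server.conf uses proto tcp.
proto tcp
# Public address of the VPN server and the port opened on its firewall
# (vpn.example.com is a placeholder).
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Files copied from keys/ on the server, placed next to this file.
ca ca.crt
cert client1.crt
key client1.key
# Only accept a peer whose certificate was built with ./build-key-server,
# so a stolen client certificate cannot be used to impersonate the server.
remote-cert-tls server
# Same cipher and compression as server.conf.
cipher AES-128-CBC
comp-lzo
verb 3
```

The `remote-cert-tls server` line is the one most often left out: without it any certificate signed by the CA, including another client's, would be accepted as the server.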