I start out with a freshly installed Debian on vpn.eksempel.dk and begin by installing a few basic tools:
root@vpn:~# apt-get install vim ssh openvpn bridge-utils
I edit /etc/network/interfaces:
auto lo br0
iface lo inet loopback
allow-hotplug eth0
iface br0 inet static
    address 260.260.260.2
    netmask 255.255.255.0
    gateway 260.260.260.2
    bridge_ports eth0 tap0
    # create the tap device before the bridge comes up, remove it after it goes down
    pre-up openvpn --mktun --dev tap0
    post-down openvpn --rmtun --dev tap0
To create the encryption keys for the server and the client we use a script that ships with OpenVPN, called "easy-rsa":
root@vpn:~# cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
Edit /etc/openvpn/easy-rsa/2.0/vars; the bottom 4 values need to be adjusted, for example:
export KEY_COUNTRY="DK"
export KEY_PROVINCE="DK"
export KEY_CITY="Copenhagen"
export KEY_ORG="Mikjaer ApS"
export KEY_EMAIL="noc@mikjaer.com"
Begin generating your CA by running the following:
# cd /etc/openvpn/easy-rsa/2.0
# . /etc/openvpn/easy-rsa/2.0/vars
# . /etc/openvpn/easy-rsa/2.0/clean-all
# . /etc/openvpn/easy-rsa/2.0/build-ca
and since we have saved our desired values in vars, we can run ./build-ca without doing anything other than accepting all the "default values" by pressing enter at each prompt. After that we are ready to create the server's key:
root@vpn:/etc/openvpn/easy-rsa/2.0# . /etc/openvpn/easy-rsa/2.0/build-key-server server
Generating a 1024 bit RSA private key
..++++++
.........................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DK]:
State or Province Name (full name) [DK]:
Locality Name (eg, city) [Copenhagen]:
Organization Name (eg, company) [Mikjaer ApS]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Name []:
Email Address [noc@mikjaer.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DK'
stateOrProvinceName   :PRINTABLE:'DK'
localityName          :PRINTABLE:'Copenhagen'
organizationName      :PRINTABLE:'Mikjaer ApS'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'noc@mikjaer.com'
Certificate is to be certified until Apr 18 21:30:33 2023 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Next we need (at least) one client key:
root@vpn:/etc/openvpn/easy-rsa/2.0# . /etc/openvpn/easy-rsa/2.0/build-key client1
Generating a 1024 bit RSA private key
..++++++
.............++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DK]:
State or Province Name (full name) [DK]:
Locality Name (eg, city) [Copenhagen]:
Organization Name (eg, company) [Mikjaer ApS]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:
Name []:
Email Address [noc@mikjaer.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DK'
stateOrProvinceName   :PRINTABLE:'DK'
localityName          :PRINTABLE:'Copenhagen'
organizationName      :PRINTABLE:'Mikjaer ApS'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'noc@mikjaer.com'
Certificate is to be certified until Apr 18 21:32:45 2023 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
And finally you also need to run the following to generate the parameters for the SSL/TLS handshake (I am actually not sure how important the order is here):
root@vpn:~/easy-rsa# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
Copy the server certificates into place:
root@vpn:/etc/openvpn/easy-rsa/2.0/keys# cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn/
As the last step, the OpenVPN server config needs to be adapted: vim /etc/openvpn/server.conf:
float
port 1194
proto udp
dev tap0
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server-bridge 260.260.260.1 255.255.255.0 260.260.260.100 260.260.260.200
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
mute 10
Server-bridge syntax:
server-bridge <gateway> <netmask> <ip-range-start> <ip-range-stop>
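As an added check (example code, not from the post): a small Python validator for the server-bridge directive described above. It parses a server.conf in the form shown and uses a constructed sample with documentation addresses (192.0.2.0/24), since the post's 260.x.x.x addresses are placeholders; it verifies that the client pool lies inside the bridged subnet, that the gateway is outside the pool, and that a tap device is in use.

```python
import ipaddress

# Constructed sample config, not the post's own: 260.x.x.x is not a valid
# IPv4 address, so the documentation range 192.0.2.0/24 stands in for it.
SAMPLE_CONF = """\
float
port 1194
proto udp
dev tap0
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server-bridge 192.0.2.1 255.255.255.0 192.0.2.100 192.0.2.200
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
mute 10
"""

def parse_conf(text):
    """Map each directive to a list of argument lists (directives may repeat)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":   # OpenVPN comment lines
            continue
        name, *args = line.split()
        conf.setdefault(name, []).append(args)
    return conf

def check_server_bridge(conf):
    """Validate 'server-bridge <gateway> <netmask> <start> <stop>'; return problems."""
    problems = []
    entries = conf.get("server-bridge", [])
    if len(entries) != 1 or len(entries[0]) != 4:
        return ["server-bridge must appear once with exactly four arguments"]
    gw, mask, start, stop = entries[0]
    try:
        net = ipaddress.IPv4Network(f"{gw}/{mask}", strict=False)
        gw_ip, start_ip, stop_ip = (ipaddress.IPv4Address(a) for a in (gw, start, stop))
    except ValueError as exc:
        return [f"unparseable address in server-bridge: {exc}"]
    if not conf.get("dev", [[""]])[0][0].startswith("tap"):
        problems.append("server-bridge needs a tap device (dev tapN), not tun")
    if start_ip not in net or stop_ip not in net:
        problems.append("client pool lies outside the bridged subnet")
    if start_ip > stop_ip:
        problems.append("pool start is above pool stop")
    if start_ip <= gw_ip <= stop_ip:
        problems.append("gateway sits inside the client pool")
    return problems
```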
You should not need to edit the rest right away. At this point I usually reboot the machine, mainly to check that everything comes up as it should.
But then you are also ready to connect your machines with VPN clients.