Setting up OpenVPN with public IP addresses

I start out with a freshly installed Debian on vpn.eksempel.dk and begin by installing a few basic tools:

root@vpn:~# apt-get install vim ssh openvpn bridge-utils

I edit /etc/network/interfaces. The 260.260.260.x addresses are placeholders for the public block (260 is not even a valid octet); substitute your own addresses, and use the upstream router of that block as the gateway:

auto lo br0
iface lo inet loopback

# eth0 carries no address of its own; it is a port of the bridge below
allow-hotplug eth0
iface br0 inet static
        address 260.260.260.2
        netmask 255.255.255.0
        gateway 260.260.260.1
        # the public uplink and OpenVPN's tap device share one L2 segment
        bridge_ports eth0 tap0
        # tap0 must exist before the bridge is brought up, so create it here
        pre-up openvpn --mktun --dev tap0
        post-down openvpn --rmtun --dev tap0

To create the keys and certificates for the server and the clients we use a set of scripts that ships with OpenVPN, called “easy-rsa”:

root@vpn:~# cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn

Edit /etc/openvpn/easy-rsa/2.0/vars; the values at the bottom need to be adjusted, for example:

The same file sets KEY_SIZE=1024, which every script below uses for both the RSA keys and the DH group. Raise it to 2048 before you run anything, since 1024-bit RSA is no longer considered adequate; the transcripts below were made with the 1024-bit default.

export KEY_COUNTRY="DK"
export KEY_PROVINCE="DK"
export KEY_CITY="Copenhagen"
export KEY_ORG="Mikjaer ApS"
export KEY_EMAIL="noc@mikjaer.com"

Begin generating your CA by running the following. Note that vars has to be sourced (it only exports variables), while the other scripts are executed:

# cd /etc/openvpn/easy-rsa/2.0
# . ./vars
# ./clean-all
# ./build-ca

and since we have stored our desired values in vars we can run ./build-ca without doing anything other than accepting all the “default values” by pressing enter at each prompt. After that we are ready to create the server key:

root@vpn:/etc/openvpn/easy-rsa/2.0# ./build-key-server server
Generating a 1024 bit RSA private key
..++++++
.........................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DK]:
State or Province Name (full name) [DK]:
Locality Name (eg, city) [Copenhagen]:
Organization Name (eg, company) [Mikjaer ApS]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Name []:
Email Address [noc@mikjaer.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DK'
stateOrProvinceName   :PRINTABLE:'DK'
localityName          :PRINTABLE:'Copenhagen'
organizationName      :PRINTABLE:'Mikjaer ApS'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'noc@mikjaer.com'
Certificate is to be certified until Apr 18 21:30:33 2023 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

After that we need (at least) one client key:

root@vpn:/etc/openvpn/easy-rsa/2.0# ./build-key client1
Generating a 1024 bit RSA private key
..++++++
.............++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DK]:
State or Province Name (full name) [DK]:
Locality Name (eg, city) [Copenhagen]:
Organization Name (eg, company) [Mikjaer ApS]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:
Name []:
Email Address [noc@mikjaer.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DK'
stateOrProvinceName   :PRINTABLE:'DK'
localityName          :PRINTABLE:'Copenhagen'
organizationName      :PRINTABLE:'Mikjaer ApS'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'noc@mikjaer.com'
Certificate is to be certified until Apr 18 21:32:45 2023 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

And finally you also have to run the following to generate the Diffie-Hellman parameters used in the TLS handshake (I am actually not sure how important the order is here). build-dh also takes its size from KEY_SIZE, so with KEY_SIZE=2048 the output file is dh2048.pem rather than the dh1024.pem shown here:

root@vpn:/etc/openvpn/easy-rsa/2.0# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..........................................................................+.............................+.......................+.
.................+..................................................................................................................
......................................+...........................+...................................................+...........
........................+............+..................+..........+.............................................................
......................................+..........................................................................+.................
........................................................................+...........+..............................................
........................................................+......+...................................................................
......+.............................................................................................................................
...................................................................................+................................................
................+.........................................................................................+........................
....................................................................................+...........................................++
*++*++*

Copy the server certificates into place. The server only needs the CA certificate, not the CA private key: ca.key is what signs every client certificate the server will ever trust, so leave it in the root-only keys directory (or move it off the box entirely) instead of placing it next to the daemon's files, and keep the server key readable by root only:

root@vpn:/etc/openvpn/easy-rsa/2.0/keys# cp ca.crt dh1024.pem server.crt server.key /etc/openvpn/
root@vpn:/etc/openvpn/easy-rsa/2.0/keys# chmod 600 /etc/openvpn/server.key
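As an added example (not code from the original post or from easy-rsa), here is the same CA / server / client PKI that the easy-rsa steps above produce, built non-interactively with plain openssl: 2048-bit RSA keys instead of easy-rsa 2.0's 1024-bit default, the serverAuth / clientAuth extendedKeyUsage values that build-key-server and build-key set (which is what lets clients use "remote-cert-tls server"), and a verification step that also proves a client certificate cannot pass as the server. The CA common name "Mikjaer ApS CA" and the output directory are assumptions for this example; the DH group is a separate function because a 2048-bit safe prime takes minutes to generate.

```shell
#!/bin/sh
# Added example: easy-rsa-equivalent PKI with plain openssl (not the post's code).
set -eu

SUBJ='/C=DK/ST=DK/L=Copenhagen/O=Mikjaer ApS'   # the values from vars

# Self-signed CA. basicConstraints and keyUsage are set explicitly instead of
# relying on whatever v3_ca section the local openssl.cnf happens to contain.
make_ca() {
    dir="$1"; bits="$2"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl req -new -newkey "rsa:$bits" -nodes -sha256 -subj "$SUBJ/CN=Mikjaer ApS CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
}

# Leaf certificate signed by the CA. $eku is serverAuth (what build-key-server
# sets) or clientAuth (what build-key sets), so a client cannot pose as the server.
issue_cert() {
    dir="$1"; name="$2"; eku="$3"; bits="$4"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
        "$eku" > "$dir/$name.ext"
    openssl req -new -newkey "rsa:$bits" -nodes -sha256 -subj "$SUBJ/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 3650 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# Build CA, server and client1 into $1 (assumed directory) with $2-bit RSA keys.
build_pki() {
    dir="$1"; bits="${2:-2048}"
    umask 077                      # every private key is created 0600
    mkdir -p "$dir"
    make_ca "$dir" "$bits"
    issue_cert "$dir" server  serverAuth "$bits"
    issue_cert "$dir" client1 clientAuth "$bits"
}

# Chain and purpose check. The third command must FAIL: a client certificate
# presented as a server has to be rejected, which is what remote-cert-tls relies on.
verify_pki() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.crt" -purpose sslserver "$dir/server.crt"  >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$dir/ca.crt" -purpose sslclient "$dir/client1.crt" >/dev/null 2>&1 || return 1
    if openssl verify -CAfile "$dir/ca.crt" -purpose sslserver "$dir/client1.crt" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# RSA modulus size of a private key file, e.g. 2048
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# 2048-bit DH group for the "dh" directive in server.conf (slow; run once, on the server)
build_dh() {
    openssl dhparam -out "$1/dh2048.pem" 2048
}
```

Typical use is build_pki /etc/openvpn/easy-rsa/keys 2048 followed by verify_pki on the same directory; only ca.crt, server.crt, server.key and the DH file then go to /etc/openvpn, while ca.key stays behind for signing further clients.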

Lastly the server configuration needs to be written. The file must be /etc/openvpn/server.conf (not openvpn.conf): Debian's init script starts one daemon per *.conf file in /etc/openvpn, and the file name becomes the instance name. vim /etc/openvpn/server.conf:

float
port 1194
proto udp
dev tap0
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server-bridge 260.260.260.1 255.255.255.0 260.260.260.100 260.260.260.200
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
mute 10

server-bridge syntax:

server-bridge <gateway> <netmask> <ip-range-start> <ip-range-stop>

<gateway> is pushed to the clients as their default route (OpenVPN expands it to push "route-gateway <gateway>"); because tap0 is bridged straight onto the public segment, this can be the real upstream router, here 260.260.260.1. The range is handed out to clients through ifconfig-pool and must not overlap with addresses already in use on the segment, including the server's own 260.260.260.2.
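The configuration above works, but it leaves the daemon running as root, accepts a TLS handshake from anyone on the Internet, and uses a 1024-bit DH group. As an added example that is not part of the original post, the script below lints a server.conf for those points and prints a hardened counterpart. Assumptions for the example: ta.key is a pre-shared key made with openvpn --genkey --secret ta.key, dh2048.pem was generated with KEY_SIZE=2048, 203.0.113.0/24 stands in for the post's 260.260.260.0/24 placeholder, and the unprivileged account is nobody/nogroup (Debian's defaults). remote-cert-tls client requires client certificates carrying the clientAuth extendedKeyUsage, which easy-rsa 2.0's openssl.cnf sets for build-key.

```shell
#!/bin/sh
# Added example (not the post's code): lint an OpenVPN server.conf and emit a hardened one.
set -eu

# Print one finding per line; return 1 if anything was found, 0 if the file is clean.
check_server_conf() {
    conf="$1"
    findings=0
    note() { printf '%s: %s\n' "$conf" "$1"; findings=1; }

    grep -Eq '^dh +dh(512|768|1024)\.pem' "$conf" && \
        note "DH group of 1024 bits or less; regenerate with 2048 bits or more"
    grep -q '^user '  "$conf" || note "no 'user' directive: openvpn keeps running as root"
    grep -q '^group ' "$conf" || note "no 'group' directive: openvpn keeps root's group"
    grep -Eq '^tls-(auth|crypt) ' "$conf" || \
        note "no tls-auth/tls-crypt: anyone on the Internet can start a TLS handshake with the daemon"
    grep -q '^cipher ' "$conf" || \
        note "no 'cipher' directive: OpenVPN 2.3 and older default to the 64-bit-block BF-CBC"
    grep -Eq '^(comp-lzo( +(yes|adaptive))?|compress +(lzo|lz4|lz4-v2))$' "$conf" && \
        note "compression enabled: VORACLE-style attacks recover plaintext from compressed VPN traffic"
    grep -q '^tls-version-min ' "$conf" || note "no 'tls-version-min 1.2': older TLS versions are accepted"
    return $findings
}

# The post's configuration with the findings above addressed (addresses and ta.key assumed).
hardened_conf() {
    cat <<'EOF'
float
port 1194
proto udp
dev tap0
ca ca.crt
cert server.crt
key server.key
# generated with KEY_SIZE=2048
dh dh2048.pem
# HMAC gate on the control channel; clients use "tls-auth ta.key 1"
tls-auth ta.key 0
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256
# only certificates issued with the clientAuth extendedKeyUsage may connect
remote-cert-tls client
server-bridge 203.0.113.1 255.255.255.0 203.0.113.100 203.0.113.200
keepalive 10 120
# drop privileges after the tap device and key files have been opened;
# persist-key/persist-tun keep them usable across SIGUSR1 restarts
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 4
mute 10
EOF
}
```

Run check_server_conf /etc/openvpn/server.conf after editing; it exits non-zero and lists what to change. The hardened file drops root only after the keys and tap0 are opened, which is why persist-key and persist-tun must stay in.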

You should not need to touch the rest right away. At this point I usually reboot the machine, mainly to see that everything comes up as it should 🙂 After the reboot, brctl show should list both eth0 and tap0 as ports of br0, and the OpenVPN daemon should be listening on UDP port 1194.

In return, you are then ready to connect your machines with VPN clients.

This entry was posted in Knowledge Base, Linux, Networking, Old Base. Bookmark the permalink.
