Setting up a VPN (with OpenVPN) between a Soekris board, which is the entry point of the private network, and a netbook.
The Soekris runs Voyage Linux, a Debian-derived distribution aimed at embedded platforms.
The netbook runs Ubuntu.
                                         +--- Machine A
                                         |
Netbook --- internet --- Soekris --------+--- Machine B
                                         |
                                         +--- Machine C
On the client (netbook) and on the OpenVPN server (Soekris):
apt-get install openvpn openssl
cd /usr/share/doc/openvpn/examples/easy-rsa
Edit the vars file:
export KEY_COUNTRY=FR
export KEY_PROVINCE=France
export KEY_CITY=Paris
export KEY_ORG="MaPetiteOrganisation"
export KEY_EMAIL="admin@mondomain.fr"
Source the vars file:
source ./vars
or
. ./vars
Clean out any keys already present:
./clean-all
Key generation
./build-ca
Generating a 1024 bit RSA private key
.................................................................++++++
......++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [France]:
Locality Name (eg, city) [Paris]:
Organization Name (eg, company) [MaPetiteOrganisation]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:MonSoekrisAMoi.mondomain.fr
Email Address [admin@mondomain.fr]:
./build-key-server MonSoekrisAMoi
Generating a 1024 bit RSA private key
......................................................................
..+++++
...++++++
writing new private key to 'MonSoekrisAMoi.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [France]:
Locality Name (eg, city) [Paris]:
Organization Name (eg, company) [MaPetiteOrganisation]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:MonSoekrisAMoi
Email Address [admin@mondomain.fr]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn/examples/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'FR'
stateOrProvinceName   :PRINTABLE:'France'
localityName          :PRINTABLE:'Paris'
organizationName      :PRINTABLE:'MaPetiteOrganisation'
commonName            :PRINTABLE:'MonSoekrisAMoi'
emailAddress          :IA5STRING:'admin@mondomain.fr'
Certificate is to be certified until Oct 21 10:26:55 2015 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Leave the challenge password field empty.
These commands are run on the server.
cd /usr/share/doc/openvpn/examples/easy-rsa/
source ./vars
./build-key Netbook
As before, answer the questions.
./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
....................................................................
....................................................................
..............+......................................+..............
.++*++*
In the directory /usr/share/doc/openvpn/examples/easy-rsa/keys, run the following commands.
cp ca.crt /etc/openvpn/
cp ca.key /etc/openvpn/
cp MonSoekrisAMoi.crt /etc/openvpn/
cp MonSoekrisAMoi.key /etc/openvpn/
cp dh1024.pem /etc/openvpn/
The daemon itself only reads ca.crt, its own certificate and key, and dh1024.pem; ca.key is the CA signing key, needed only to issue further certificates, so keeping it off the VPN server limits the damage if the Soekris is ever compromised.
Create an openvpn user:
groupadd openvpn
useradd -d /dev/null -g openvpn -s /bin/false openvpn
Copy the default configuration shipped with the package:
cd /usr/share/doc/openvpn/examples/sample-config-files/
gunzip server.conf.gz
cp server.conf /etc/openvpn/
Adjust the configuration to your needs. Here is an excerpt from mine:
cd /etc/openvpn
vi server.conf

port 1194
proto udp
dev tun
ca ca.crt
cert MonSoekrisAMoi.crt
key MonSoekrisAMoi.key  # This file should be kept secret
dh dh1024.pem
# Subnet for the VPN
server 10.8.0.0 255.255.255.0
# Maintain a record of client <-> virtual IP address
# associations in this file.
ifconfig-pool-persist ipp.txt
# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 192.168.0.0 255.255.255.0"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
push "dhcp-option DNS 192.168.0.250"
push "dhcp-option DOMAIN mondomain.fr"
keepalive 10 120
comp-lzo
max-clients 20
user openvpn
group openvpn
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
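Before restarting, it is worth checking that the excerpt actually points at files the daemon can read. The following is an added example, not code from the original page: a POSIX sh function, check_ovpn_conf (a name chosen here), verifies that the ca/cert/key/dh files exist beside the config, that the key is not group- or world-readable, and that user/group is paired with persist-key; make_sample writes a constructed copy of the excerpt to a temporary directory to try it on. It assumes GNU or BSD stat.

```shell
# Pre-restart check for a server.conf like the excerpt above: each file named
# by ca/cert/key/dh must exist next to the config, the private key must not be
# group/world readable, and when privileges are dropped with user/group,
# persist-key must be set or the key cannot be re-read on a SIGUSR1 restart.
# Prints every problem found and returns 1 if there was any, 0 otherwise.
check_ovpn_conf() {
    conf="$1"; dir=$(dirname "$conf"); rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    for directive in ca cert key dh; do
        # first argument after the directive; comment lines never match
        file=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$file" ]; then echo "missing directive: $directive"; rc=1; continue; fi
        case "$file" in /*) path="$file" ;; *) path="$dir/$file" ;; esac
        [ -f "$path" ] || { echo "$directive: $path not found"; rc=1; continue; }
        if [ "$directive" = key ]; then
            mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
            case "$mode" in
                *00) ;;  # 600 or 400: owner only
                *) echo "key: $path is mode $mode, expected 600"; rc=1 ;;
            esac
        fi
    done
    if grep -Eq '^(user|group)[[:space:]]' "$conf" && ! grep -q '^persist-key' "$conf"; then
        echo "user/group set without persist-key: key unreadable after privilege drop"; rc=1
    fi
    return $rc
}

# Constructed sample mirroring the excerpt above, written to a temp directory
# so the check can be exercised without a real Soekris. Prints the directory.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert MonSoekrisAMoi.crt
key MonSoekrisAMoi.key  # This file should be kept secret
dh dh1024.pem
user openvpn
group openvpn
persist-key
persist-tun
EOF
    touch "$d/ca.crt" "$d/MonSoekrisAMoi.crt" "$d/MonSoekrisAMoi.key" "$d/dh1024.pem"
    chmod 600 "$d/MonSoekrisAMoi.key"
    echo "$d"
}
```

On the real box, run check_ovpn_conf /etc/openvpn/server.conf before the restart below; a non-zero exit means the daemon would fail to start or would start with a key readable by other users.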
Restart the OpenVPN server:
invoke-rc.d openvpn restart
or
/etc/init.d/openvpn restart
If all went well, a network interface named tun0 (or tunX) appears:
ifconfig
...
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:828 errors:0 dropped:0 overruns:0 frame:0
          TX packets:487 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:68138 (66.5 KiB)  TX bytes:66968 (65.3 KiB)
What remains is to forward packets from the tun0 interface to eth0 so that the internal network is reachable:
# the FORWARD chain only sees traffic once forwarding is enabled in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
# MASQUERADE is only a valid target in the nat table's POSTROUTING chain;
# in the filter table's FORWARD chain the matching traffic is simply accepted
iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Copy the following files from the server to the client's /etc/openvpn directory (Netbook.key is the client's private key, so use a secure channel such as scp):
ca.crt
Netbook.crt
Netbook.key
Copy /usr/share/doc/openvpn/examples/sample-config-files/client.conf into the directory /etc/openvpn.

client
dev tun
proto udp
remote monsoekris.domain.fr 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert Netbook.crt
key Netbook.key
comp-lzo
verb 1
Restart openvpn:
invoke-rc.d openvpn restart
or
/etc/init.d/openvpn restart
On Voyage Linux 0.6 this error message may show up (udev does not like kernels older than 2.6.18, and unluckily Voyage Linux ships a 2.6.17):
Sep 26 14:55:08 lotus ovpn-server[2115]: Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Sep 26 14:55:08 lotus ovpn-server[2115]: Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Sep 26 14:55:08 lotus ovpn-server[2115]: Cannot allocate TUN/TAP dev dynamically
To fix this, enter as root:
mkdir /dev/net   # if it does not already exist
mknod /dev/net/tun c 10 200
modprobe tun