Openvpn


atos...@gmail.com
Jun 21, 2012, 7:40:38 PM
to linux...@googlegroups.com

The OpenVPN version that works fine at the moment is openvpn-2.2.2-install. On Windows, use the file C:\Program Files (x86)\OpenVPN\config\sample.ovpn and change the following lines:

remote 201.58.108.8
port 10000
proto udp
dev tun
tun-mtu 1500
ifconfig 10.1.0.2 10.1.0.1
secret static.key
ping-restart 60
ping-timer-rem
persist-tun
persist-key
resolv-retry 86400
ping 10
comp-lzo
verb 4
mute 10

At the Windows prompt, type the command below to create the route:

route add 192.168.10.0 mask 255.255.255.0 10.1.0.1

On the Linux side, create the following file, /etc/openvpn/static-office.conf:

dev tun
ifconfig 10.1.0.1 10.1.0.2
up ./office.up
secret static.key
port 10000
user nobody
group nogroup
comp-lzo
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
verb 3

Create the key with the command openvpn --genkey --secret static.key and copy it to the directory /etc/openvpn.

--exec $DAEMON -- $OPTARGS --script-security 3 --writepid /var/run/openvpn.$NAME.pid \

atos...@gmail.com
Jun 21, 2012, 8:12:07 PM
to linux...@googlegroups.com

OPENVPN

OpenVPN provides a VPN (Virtual Private Network) in a simple, fast and robust way; it can be used to connect branch offices, to connect to customers for support, and for other purposes. We will see how to install and configure it.

We will create an office side, which will be the office, and a home side; both sides will use port 1194 UDP, because the UDP protocol does not check packets and is therefore faster; the OpenVPN application will take care of these checks.

Any error can be seen in the file /var/log/syslog.

Install the following packages on both sides (client and server):

aptitude install openvpn openssl

OPENVPN Server

cd /etc/openvpn/

cp /usr/share/doc/openvpn/examples/sample-config-files/office.up .

cp /usr/share/doc/openvpn/examples/sample-config-files/static-office.conf .

Edit the file static-home.conf, paying attention to the following points:

#
# Sample OpenVPN configuration file for
# office using a pre-shared static key.
#
# '#' or ';' may be used to delimit comments.

# Use a dynamic tun device.
# For Linux 2.2 or non-Linux OSes,
# you may want to use an explicit
# unit number such as "tun1".
# OpenVPN also supports virtual
# ethernet "tap" devices.
dev tun

# 10.1.0.1 is our local VPN endpoint (office).
# 10.1.0.2 is our remote VPN endpoint (home).
ifconfig 10.1.0.1 10.1.0.2

# Our up script will establish routes
# once the VPN is alive.
up ./office.up

# Our pre-shared static key
secret static.key

# OpenVPN 2.0 uses UDP port 1194 by default
# (official port assignment by iana.org 11/04).
# OpenVPN 1.x uses UDP port 5000 by default.
# Each OpenVPN tunnel must use
# a different port number.
# lport or rport can be used
# to denote different ports
# for local and remote.
port 1194 # uncomment this line by removing the ;

# Downgrade UID and GID to
# "nobody" after initialization
# for extra security.
; user nobody
; group nogroup
user www-data # insert this line
group www-data # insert this line

# If you built OpenVPN with
# LZO compression, uncomment
# out the following line.
comp-lzo # uncomment this line by removing the ;

# Send a UDP ping to remote once
# every 15 seconds to keep
# stateful firewall connection
# alive. Uncomment this
# out if you are using a stateful
# firewall.
; ping 15

# Uncomment this section for a more reliable detection when a system
# loses its connection. For example, dial-ups or laptops that
# travel to other locations.
ping 15 # uncomment this line by removing the ;
ping-restart 45 # uncomment this line by removing the ;
ping-timer-rem # uncomment this line by removing the ;
persist-tun # uncomment this line by removing the ;
persist-key # uncomment this line by removing the ;

# Verbosity level.
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet, but display non-fatal network errors.
# 3 -- medium output, good for normal operation.
# 9 -- verbose, good for troubleshooting
verb 3

Edit the file office.up and correct the network defined there to the one shown below:

#!/bin/sh
route add -net 10.1.0.0 netmask 255.255.255.0 gw $5

OPENVPN Client

cd /etc/openvpn/

cp /usr/share/doc/openvpn/examples/sample-config-files/home.up .

cp /usr/share/doc/openvpn/examples/sample-config-files/static-home.conf .

Edit the file static-home.conf, paying attention to the following points:

#
# Sample OpenVPN configuration file for
# home using a pre-shared static key.
#
# '#' or ';' may be used to delimit comments.

# Use a dynamic tun device.
# For Linux 2.2 or non-Linux OSes,
# you may want to use an explicit
# unit number such as "tun1".
# OpenVPN also supports virtual
# ethernet "tap" devices.
dev tun

# Our OpenVPN peer is the office gateway.
remote 1.2.3.4 # put the IP of your other VPN side here

# 10.1.0.2 is our local VPN endpoint (home).
# 10.1.0.1 is our remote VPN endpoint (office).
ifconfig 10.1.0.2 10.1.0.1

# Our up script will establish routes
# once the VPN is alive.
up ./home.up

# Our pre-shared static key
secret static.key

# OpenVPN 2.0 uses UDP port 1194 by default
# (official port assignment by iana.org 11/04).
# OpenVPN 1.x uses UDP port 5000 by default.
# Each OpenVPN tunnel must use
# a different port number.
# lport or rport can be used
# to denote different ports
# for local and remote.
port 1194 # uncomment this line by removing the ;

# Downgrade UID and GID to
# "nobody" after initialization
# for extra security.
; user nobody
; group nogroup
user www-data # insert this line
group www-data # insert this line

# If you built OpenVPN with
# LZO compression, uncomment
# out the following line.
comp-lzo # uncomment this line by removing the ;

# Send a UDP ping to remote once
# every 15 seconds to keep
# stateful firewall connection
# alive. Uncomment this
# out if you are using a stateful
# firewall.
; ping 15

# Uncomment this section for a more reliable detection when a system
# loses its connection. For example, dial-ups or laptops that
# travel to other locations.
ping 15 # uncomment this line by removing the ;
ping-restart 45 # uncomment this line by removing the ;
ping-timer-rem # uncomment this line by removing the ;
persist-tun # uncomment this line by removing the ;
persist-key # uncomment this line by removing the ;

# Verbosity level.
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet, but display non-fatal network errors.
# 3 -- medium output, good for normal operation.
# 9 -- verbose, good for troubleshooting
verb 3

Edit the file home.up and correct the network defined there to the one shown below:

#!/bin/sh
route add -net 10.1.0.0 netmask 255.255.255.0 gw $5

On both sides do the following:

Edit the file /etc/init.d/openvpn and insert the parameter --script-security 3 on line 63; see the --exec line below.

#!/bin/sh -e

### BEGIN INIT INFO
# Provides:          openvpn
# Required-Start:    $network $remote_fs $syslog
# Required-Stop:     $network $remote_fs $syslog
# Should-Start:      network-manager
# Should-Stop:       network-manager
# X-Start-Before:    $x-display-manager gdm kdm xdm wdm ldm sdm nodm
# X-Interactive:     true
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Openvpn VPN service
### END INIT INFO

# Original version by Robert Leslie
# <r...@mars.org>, edited by iwj and cs
# Modified for openvpn by Alberto Gonzalez Iniesta <a...@inittab.org>
# Modified for restarting / starting / stopping single tunnels by Richard Mueller <mue...@teamix.net>

. /lib/lsb/init-functions

test $DEBIAN_SCRIPT_DEBUG && set -v -x

DAEMON=/usr/sbin/openvpn
DESC="virtual private network daemon"
CONFIG_DIR=/etc/openvpn
test -x $DAEMON || exit 0
test -d $CONFIG_DIR || exit 0

# Source defaults file; edit that file to configure this script.
AUTOSTART="all"
STATUSREFRESH=10
if test -e /etc/default/openvpn ; then
  . /etc/default/openvpn
fi

start_vpn () {
  if grep -q '^[ ]*daemon' $CONFIG_DIR/$NAME.conf ; then
    # daemon already given in config file
    DAEMONARG=
  else
    # need to daemonize
    DAEMONARG="--daemon ovpn-$NAME"
  fi

  if grep -q '^[ ]*status ' $CONFIG_DIR/$NAME.conf ; then
    # status file already given in config file
    STATUSARG=""
  elif test $STATUSREFRESH -eq 0 ; then
    # default status file disabled in /etc/default/openvpn
    STATUSARG=""
  else
    # prepare default status file
    STATUSARG="--status /var/run/openvpn.$NAME.status $STATUSREFRESH"
  fi

  log_progress_msg "$NAME"
  STATUS=0

  start-stop-daemon --start --quiet --oknodo \
    --pidfile /var/run/openvpn.$NAME.pid \
    --exec $DAEMON -- $OPTARGS --script-security 3 --writepid /var/run/openvpn.$NAME.pid \
    $DAEMONARG $STATUSARG --cd $CONFIG_DIR \
    --config $CONFIG_DIR/$NAME.conf || STATUS=1
}
stop_vpn () {
  kill `cat $PIDFILE` || true
  rm -f $PIDFILE
  rm -f /var/run/openvpn.$NAME.status 2> /dev/null
}

case "$1" in
start)
  log_daemon_msg "Starting $DESC"

  # autostart VPNs
  if test -z "$2" ; then
    # check if automatic startup is disabled by AUTOSTART=none
    if test "x$AUTOSTART" = "xnone" -o -z "$AUTOSTART" ; then
      log_warning_msg " Autostart disabled."
      exit 0
    fi
    if test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall" ; then
      # all VPNs shall be started automatically
      for CONFIG in `cd $CONFIG_DIR; ls *.conf 2> /dev/null`; do
        NAME=${CONFIG%%.conf}
        start_vpn
      done
    else
      # start only specified VPNs
      for NAME in $AUTOSTART ; do
        if test -e $CONFIG_DIR/$NAME.conf ; then
          start_vpn
        else
          log_failure_msg "No such VPN: $NAME"
          STATUS=1
        fi
      done
    fi
  #start VPNs from command line
  else
    while shift ; do
      [ -z "$1" ] && break
      if test -e $CONFIG_DIR/$1.conf ; then
        NAME=$1
        start_vpn
      else
        log_failure_msg " No such VPN: $1"
        STATUS=1
      fi
    done
  fi
  log_end_msg ${STATUS:-0}
  ;;
stop)
  log_daemon_msg "Stopping $DESC"
  if test -z "$2" ; then
    for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
      NAME=`echo $PIDFILE | cut -c18-`
      NAME=${NAME%%.pid}
      stop_vpn
      log_progress_msg "$NAME"
    done
  else
    while shift ; do
      [ -z "$1" ] && break
      if test -e /var/run/openvpn.$1.pid ; then
        PIDFILE=`ls /var/run/openvpn.$1.pid 2> /dev/null`
        NAME=`echo $PIDFILE | cut -c18-`
        NAME=${NAME%%.pid}
        stop_vpn
        log_progress_msg "$NAME"
      else
        log_failure_msg " (failure: No such VPN is running: $1)"
      fi
    done
  fi
  log_end_msg 0
  ;;
# Only 'reload' running VPNs. New ones will only start with 'start' or 'restart'.
reload|force-reload)
  log_daemon_msg "Reloading $DESC"
  for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
    NAME=`echo $PIDFILE | cut -c18-`
    NAME=${NAME%%.pid}
    # If openvpn is running under a different user than root we'll need to restart
    if egrep '^[[:blank:]]*user[[:blank:]]' $CONFIG_DIR/$NAME.conf > /dev/null 2>&1 ; then
      stop_vpn
      sleep 1
      start_vpn
      log_progress_msg "(restarted)"
    else
      kill -HUP `cat $PIDFILE` || true
      log_progress_msg "$NAME"
    fi
  done
  log_end_msg 0
  ;;
# Only 'soft-restart' running VPNs. New ones will only start with 'start' or 'restart'.
soft-restart)
  log_daemon_msg "$DESC sending SIGUSR1"
  for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
    NAME=`echo $PIDFILE | cut -c18-`
    NAME=${NAME%%.pid}
    kill -USR1 `cat $PIDFILE` || true
    log_progress_msg "$NAME"
  done
  log_end_msg 0
  ;;
restart)
  shift
  $0 stop ${@}
  sleep 1
  $0 start ${@}
  ;;
cond-restart)
  log_daemon_msg "Restarting $DESC."
  for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
    NAME=`echo $PIDFILE | cut -c18-`
    NAME=${NAME%%.pid}
    stop_vpn
    sleep 1
    start_vpn
  done
  log_end_msg 0
  ;;
status)
  GLOBAL_STATUS=0
  if test -z "$2" ; then
    # We want status for all defined VPNs.
    # Returns success if all autostarted VPNs are defined and running
    if test "x$AUTOSTART" = "xnone" ; then
      # Consider it a failure if AUTOSTART=none
      log_warning_msg "No VPN autostarted"
      GLOBAL_STATUS=1
    else
      if ! test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall" ; then
        # Consider it a failure if one of the autostarted VPN is not defined
        for VPN in $AUTOSTART ; do
          if ! test -f $CONFIG_DIR/$VPN.conf ; then
            log_warning_msg "VPN '$VPN' is in AUTOSTART but is not defined"
            GLOBAL_STATUS=1
          fi
        done
      fi
    fi
    for CONFIG in `cd $CONFIG_DIR; ls *.conf 2> /dev/null`; do
      NAME=${CONFIG%%.conf}
      # Is it an autostarted VPN ?
      if test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall" ; then
        AUTOVPN=1
      else
        if test "x$AUTOSTART" = "xnone" ; then
          AUTOVPN=0
        else
          AUTOVPN=0
          for VPN in $AUTOSTART; do
            if test "x$VPN" = "x$NAME" ; then
              AUTOVPN=1
            fi
          done
        fi
      fi
      if test "x$AUTOVPN" = "x1" ; then
        # If it is autostarted, then it contributes to global status
        status_of_proc -p /var/run/openvpn.${NAME}.pid openvpn "VPN '${NAME}'" || GLOBAL_STATUS=1
      else
        status_of_proc -p /var/run/openvpn.${NAME}.pid openvpn "VPN '${NAME}' (non autostarted)" || true
      fi
    done
  else
    # We just want status for specified VPNs.
    # Returns success if all specified VPNs are defined and running
    while shift ; do
      [ -z "$1" ] && break
      NAME=$1
      if test -e $CONFIG_DIR/$NAME.conf ; then
        # Config exists
        status_of_proc -p /var/run/openvpn.${NAME}.pid openvpn "VPN '${NAME}'" || GLOBAL_STATUS=1
      else
        # Config does not exist
        log_warning_msg "VPN '$NAME': missing $CONFIG_DIR/$NAME.conf file !"
        GLOBAL_STATUS=1
      fi
    done
  fi
  exit $GLOBAL_STATUS
  ;;
*)
  echo "Usage: $0 {start|stop|reload|restart|force-reload|cond-restart|soft-restart|status}" >&2
  exit 1
  ;;
esac

exit 0

# vim:set ai sts=2 sw=2 tw=0:

Creating the key

Run the command below on the Office side, then copy the static.key file to the home side.

cd /etc/openvpn

openvpn --genkey --secret static.key

Restart the office side and then the Home side with the command below:

/etc/init.d/openvpn restart

Check with ifconfig that a new interface called tun0 was created with the IP you set in the conf file in /etc/openvpn (the ifconfig parameter).

Atos Ramos Alves
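A pre-restart check for the office/home static-key pair described in both posts above, added here as an example; it is not part of the thread and not the author's code. It takes the two config files and static.key as paths; the sample configs and placeholder key it writes under a temporary directory are constructed for the demonstration. It goes a little beyond the thread's steps: besides verifying that the two ifconfig lines mirror each other and that both sides use the same port, it checks that each config drops root (user and group set) and that static.key is readable only by its owner, since with a static-key tunnel that one file is the whole secret.

```shell
#!/bin/sh
# Added example (not from the original posts): sanity checks for a pair of
# OpenVPN static-key configs before running /etc/init.d/openvpn restart.
# File paths are passed as arguments; the configs written below are constructed.

# Print the value of a directive, ignoring '#' / ';' comments (inline or whole-line).
directive() {  # $1 = config file, $2 = directive name
  sed -e 's/[#;].*$//' "$1" |
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Office "ifconfig L R" must equal home "ifconfig R L", otherwise the tunnel
# comes up with both ends claiming the wrong address.
endpoints_mirror() {  # $1 = office conf, $2 = home conf
  set -- "$(directive "$1" ifconfig)" "$(directive "$2" ifconfig)"
  o_local=${1%% *}; o_remote=${1#* }
  h_local=${2%% *}; h_remote=${2#* }
  [ -n "$o_local" ] && [ -n "$h_local" ] &&
    [ "$o_local" = "$h_remote" ] && [ "$o_remote" = "$h_local" ]
}

# Both sides must agree on the port (OpenVPN 2.x defaults to 1194 when unset).
ports_agree() {  # $1 = office conf, $2 = home conf
  p1=$(directive "$1" port); p2=$(directive "$2" port)
  [ "${p1:-1194}" = "${p2:-1194}" ]
}

# The daemon should not keep running as root: both user and group must be set
# on an uncommented line.
drops_privileges() {  # $1 = config file
  [ -n "$(directive "$1" user)" ] && [ -n "$(directive "$1" group)" ]
}

# The pre-shared key must be owner-read/write only (mode 0600).
key_is_private() {  # $1 = key file
  [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Run every check, report each failure, return non-zero if any failed.
run_checks() {  # $1 = office conf, $2 = home conf, $3 = static key
  rc=0
  endpoints_mirror "$1" "$2" || { echo "FAIL: ifconfig endpoints do not mirror"; rc=1; }
  ports_agree "$1" "$2"      || { echo "FAIL: port differs between the two sides"; rc=1; }
  drops_privileges "$1"      || { echo "FAIL: $1 does not set user and group"; rc=1; }
  drops_privileges "$2"      || { echo "FAIL: $2 does not set user and group"; rc=1; }
  key_is_private "$3"        || { echo "FAIL: $3 is not mode 0600"; rc=1; }
  return $rc
}

# Constructed sample pair mirroring the thread's office/home configs.
demo_dir=$(mktemp -d)
cat > "$demo_dir/static-office.conf" <<'EOF'
dev tun
ifconfig 10.1.0.1 10.1.0.2
up ./office.up
secret static.key
port 1194 ; uncommented
; user nobody
user www-data
group www-data
comp-lzo
EOF
cat > "$demo_dir/static-home.conf" <<'EOF'
dev tun
remote 1.2.3.4 # other side of the VPN
ifconfig 10.1.0.2 10.1.0.1
secret static.key
port 1194
user www-data
group www-data
EOF
# Placeholder key file (constructed, not a real OpenVPN key), locked down as it should be.
printf 'PLACEHOLDER static key\n' > "$demo_dir/static.key"
chmod 600 "$demo_dir/static.key"

run_checks "$demo_dir/static-office.conf" "$demo_dir/static-home.conf" "$demo_dir/static.key" \
  && echo "all checks passed"
```

In practice the three paths would be /etc/openvpn/static-office.conf, the copy of static-home.conf you carry to the home side, and /etc/openvpn/static.key; running the checks before the restart in the post saves a round of digging through /var/log/syslog.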
