{"id":46,"date":"2015-06-08T14:26:34","date_gmt":"2015-06-08T14:26:34","guid":{"rendered":"http:\/\/memo.xtranet.info\/?p=46"},"modified":"2015-06-12T16:34:17","modified_gmt":"2015-06-12T16:34:17","slug":"openvpn-en-mode-route","status":"publish","type":"post","link":"https:\/\/memo.xtranet.info\/?p=46","title":{"rendered":"OpenVPN"},"content":{"rendered":"<h1>OpenVPN installation:<a href=\"https:\/\/memo.xtranet.info\/wp-content\/uploads\/2015\/06\/openvpn.jpg\"><img decoding=\"async\" class=\"  wp-image-111 alignright\" src=\"https:\/\/memo.xtranet.info\/wp-content\/uploads\/2015\/06\/openvpn-300x300.jpg\" alt=\"openvpn\" width=\"99\" height=\"99\" srcset=\"https:\/\/memo.xtranet.info\/wp-content\/uploads\/2015\/06\/openvpn-300x300.jpg 300w, https:\/\/memo.xtranet.info\/wp-content\/uploads\/2015\/06\/openvpn-150x150.jpg 150w, https:\/\/memo.xtranet.info\/wp-content\/uploads\/2015\/06\/openvpn-765x765.jpg 765w, https:\/\/memo.xtranet.info\/wp-content\/uploads\/2015\/06\/openvpn.jpg 1024w\" sizes=\"(max-width: 99px) 100vw, 99px\" \/><\/a><\/h1>\n<p><span style=\"color: #ff0000;\">Article not finished yet!!<\/span><\/p>\n<p>You can install <span style=\"color: #ff6600;\"><a style=\"color: #ff6600;\" href=\"https:\/\/memo.xtranet.info\/?p=12\" target=\"_blank\">Webmin<\/a><\/span> first.<\/p>\n<h2><span style=\"color: #99cc00;\">1- OpenVPN installation:<\/span><\/h2>\n<p>&#8211; apt-get install openvpn openssl<\/p>\n<h2><span style=\"color: #99cc00;\">2- Server preparation:<\/span><\/h2>\n<p>&#8211; Create the easy-rsa directory: <em><code id=\"contenuCoded0e172\" class=\"contenuCode\">mkdir \/etc\/openvpn\/easy-rsa\/<\/code><\/em><\/p>\n<p>&#8211; Copy the configuration files: <span class=\"a\">cp -r \/usr\/share\/doc\/openvpn\/examples\/easy-rsa\/2.0\/* \/etc\/openvpn\/easy-rsa\/<\/span><\/p>\n<h2><span style=\"color: #99cc00;\">3- Server configuration:<\/span><\/h2>\n<p>&#8211; Edit the file <code class=\"contenuCode\">\/etc\/openvpn\/easy-rsa\/vars<\/code>: <em><code id=\"contenuCoded0e207\" class=\"contenuCode\">nano \/etc\/openvpn\/easy-rsa\/vars<\/code><\/em><\/p>\n<hr \/>\n<pre class=\"code_uniquement\"><code class=\"contenuCode\">export KEY_DIR=$EASY_RSA\/keys\r\nexport KEY_COUNTRY=FR\r\nexport KEY_PROVINCE=FR\r\nexport KEY_CITY=Lille\r\nexport KEY_ORG=example\r\nexport KEY_EMAIL=example@yoyo.org\r\n<\/code><\/pre>\n<hr \/>\n<p>&#8211; Initialize the variables:<\/p>\n<ul>\n<li><span class=\"a\">cd \/etc\/openvpn\/easy-rsa\/<\/span><\/li>\n<li><span class=\"a\">source vars<\/span><\/li>\n<li>.\/clean-all<\/li>\n<\/ul>\n
<h2><span style=\"color: #99cc00;\">4- Root key and certificate generation:<\/span><\/h2>\n<ul>\n<li>Generates the <span style=\"color: #99cc00;\">root certificate<\/span> \"ca.crt\" and the <span style=\"color: #99cc00;\">root certification authority key<\/span> \"ca.key\" in the \/etc\/openvpn\/easy-rsa\/keys directory.\n<ul>\n<li>.\/build-ca<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2><span style=\"color: #99cc00;\">5- Server key and certificate generation:<\/span><\/h2>\n<ul>\n<li>Generates the <span style=\"color: #99cc00;\">server certificate<\/span> \"Nomduserveur.crt\" and the <span style=\"color: #99cc00;\">server private key<\/span> \"Nomduserveur.key\" in the \/etc\/openvpn\/easy-rsa\/keys directory.<\/li>\n<li>You must be in the \/etc\/openvpn\/easy-rsa directory.\n<ul>\n<li>.\/build-key-server Nomduserveur (server name, e.g. svrvpn)\n<ul>\n<li>At the prompts:\n<ul>\n<li>\"sign this certificate\", answer Y<\/li>\n<li>\"1 out of 1 certificate requests certified, commit\", answer Y<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2><span style=\"color: #99cc00;\">6- Diffie-Hellman parameter generation:<\/span><\/h2>\n<ul>\n<li>Generates the file \"dh1024.pem\" in the \/etc\/openvpn\/easy-rsa\/keys directory.<\/li>\n<li>You must be in the \/etc\/openvpn\/easy-rsa directory.\n<ul>\n<li>.\/build-dh<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2><span style=\"color: #99cc00;\">7- Static key generation:<\/span><\/h2>\n<p>This key helps prevent <span style=\"color: #ff6600;\"><a style=\"color: #ff6600;\" href=\"https:\/\/fr.wikipedia.org\/wiki\/Attaque_de_l%27homme_du_milieu\" target=\"_blank\">Man in the middle<\/a><\/span> attacks. It only takes effect once the server and client configuration files reference it with the tls-auth directive.<\/p>\n<ul>\n<li>Generates a key \"ta.key\" in the \/etc\/openvpn\/easy-rsa\/keys directory.\n<ul>\n<li>You must be in the \/etc\/openvpn\/easy-rsa directory.\n<ul>\n<li><code class=\"codecolorer text default\"><span class=\"text\">openvpn --genkey --secret keys\/ta.key<\/span><\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
<h2><span style=\"color: #99cc00;\">8- Editing the server configuration file:<\/span><\/h2>\n<ul>\n<li>Copy:\n<ul>\n<li>\n<pre class=\"code_uniquement\"><em><code id=\"contenuCoded0e419\" class=\"contenuCode\">cp \/usr\/share\/doc\/openvpn\/examples\/sample-config-files\/server.conf.gz \/etc\/openvpn\/<\/code><\/em><\/pre>\n<\/li>\n<li>\n<pre class=\"code_uniquement\"><em><code id=\"contenuCoded0e424\" class=\"contenuCode\">cp \/usr\/share\/doc\/openvpn\/examples\/sample-config-files\/client.conf \/etc\/openvpn\/<\/code><\/em><\/pre>\n<\/li>\n<li>\n<pre class=\"code_uniquement\"><em><code id=\"contenuCoded0e432\" class=\"contenuCode\">gunzip \/etc\/openvpn\/server.conf.gz<\/code><\/em><\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<li>Edit server.conf: nano \/etc\/openvpn\/server.conf<\/li>\n<\/ul>\n<hr \/>\n<pre class=\"code_uniquement\"><code class=\"contenuCode\">local \"VPN server IP\"   # replace with the address of your VPN server\r\ndev tun\r\nproto tcp\r\nport 1188\r\n\r\nca \/etc\/openvpn\/easy-rsa\/keys\/ca.crt\r\ncert \/etc\/openvpn\/easy-rsa\/keys\/NomduCertificat.crt\r\nkey \/etc\/openvpn\/easy-rsa\/keys\/NomduCertificat.key\r\ndh \/etc\/openvpn\/easy-rsa\/keys\/dh1024.pem\r\n\r\nserver 10.8.0.0 255.255.255.0\r\nifconfig 10.8.0.1 10.8.0.2\r\n\r\npush \"redirect-gateway def1\"\r\npush \"route 10.8.0.1 255.255.255.255\" # route to the VPN server\r\npush \"route 10.8.0.0 255.255.255.0\" # route to the VPN subnet\r\npush \"route 192.168.0.125 255.255.255.0\" # local subnet - adapt to your server's local IP address\r\npush \"dhcp-option DNS 89.2.0.1\" # for example Numericable's primary DNS server\r\n\r\nclient-to-client\r\n\r\nduplicate-cn\r\n\r\nkeepalive 10 120\r\ncomp-lzo\r\n\r\npersist-key\r\npersist-tun\r\n\r\nstatus \/var\/log\/openvpn-status.log\r\nlog \/var\/log\/openvpn.log\r\n<\/code><\/pre>\n<hr \/>\n
<ul>\n<li>Edit \/etc\/sysctl.conf to <span style=\"color: #ff9900;\">allow<\/span> IPv4 <em>forwarding<\/em> between the two networks:\n<ul>\n<li>nano \/etc\/sysctl.conf<\/li>\n<li>Uncomment the line:\n<ul>\n<li>Before: #<strong>net.ipv4.ip_forward=1<\/strong><\/li>\n<li>After: <strong>net.ipv4.ip_forward=1<\/strong><\/li>\n<\/ul>\n<\/li>\n<li>Run the command: <code class=\"codecolorer text default\"><span class=\"text\">sysctl -p<\/span><\/code> or reboot the server.<\/li>\n<\/ul>\n<\/li>\n<li><span style=\"color: #ff9900;\">Firewall<\/span> rule: thanks to <a href=\"http:\/\/open-freax.fr\/monter-vpn-openvpn\/\" target=\"_blank\">Open-Freax<\/a>.\n<ul>\n<li>Edit the file \/etc\/firewall-openvpn-rules.sh: nano \/etc\/firewall-openvpn-rules.sh\n<ul>\n<li>\n<pre>#!\/bin\/sh\r\niptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to-source \"IP of your VPN server\"<\/pre>\n<\/li>\n<li>\n<pre><code class=\"codecolorer text default\"><span class=\"text\">chmod 700 \/etc\/firewall-openvpn-rules.sh<\/span><\/code><\/pre>\n<\/li>\n<li>\n<pre><code class=\"codecolorer text default\"><span class=\"text\">chown root \/etc\/firewall-openvpn-rules.sh<\/span><\/code><\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<li>Edit: <code class=\"codecolorer text default\"><span class=\"text\">nano \/etc\/network\/interfaces<\/span><\/code>\n<ul>\n<li>Add this line: <code class=\"codecolorer text default\"><span class=\"text\">pre-up \/etc\/firewall-openvpn-rules.sh<\/span><\/code> between iface eth0 inet static and address X.X.X.X<\/li>\n<\/ul>\n<\/li>\n<li>Reboot the server<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2><span style=\"color: #99cc00;\">9- Client key and certificate generation:<\/span><\/h2>\n<ul>\n<li>cd \/etc\/openvpn\/easy-rsa\/<\/li>\n<li>.\/build-key gilles (for example)<\/li>\n<\/ul>\n<p>Once all the clients have been created, transfer to the client machine:<\/p>\n<ul>\n<li><span style=\"color: #99cc00;\">ca.crt<\/span><\/li>\n<li><span style=\"color: #99cc00;\">USER.crt<\/span><\/li>\n<li><span style=\"color: #99cc00;\">USER.key<\/span><\/li>\n<li><span style=\"color: #99cc00;\">ta.key<\/span><\/li>\n<\/ul>\n
<h2><span style=\"color: #99cc00;\">10- Monitoring: thanks to <a href=\"http:\/\/www.troublenow.org\/362\/howto-setup-openvpn-in-bridge-mode-on-debian\/\" target=\"_blank\">Troublenow<\/a><\/span><\/h2>\n<p>Create the openvpn-status file by pasting the text below: nano \/usr\/local\/bin\/openvpn-status<\/p>\n<hr \/>\n<pre>#!\/usr\/bin\/env python\r\n# -*- coding: utf-8 -*-\r\n# Summarise the connected clients listed in the OpenVPN status file (status-version 1 format).\r\n\r\nSTATUS = \"\/var\/log\/openvpn-status.log\"\r\n\r\nwith open(STATUS, 'r') as status_file:\r\n    stats = status_file.readlines()\r\n\r\nhosts = []\r\n\r\nheaders = {\r\n    'cn':    'Common Name',\r\n    'virt':  'Virtual Address',\r\n    'real':  'Real Address',\r\n    'sent':  'Sent',\r\n    'recv':  'Received',\r\n    'since': 'Connected Since'\r\n}\r\n\r\nsizes = [\r\n    (1&lt;&lt;50, 'PB'),\r\n    (1&lt;&lt;40, 'TB'),\r\n    (1&lt;&lt;30, 'GB'),\r\n    (1&lt;&lt;20, 'MB'),\r\n    (1&lt;&lt;10, 'KB'),\r\n    (1,      'B')\r\n]\r\n\r\ndef byte2str(size):\r\n    # Pick the largest unit that fits; falls through to plain bytes for small values.\r\n    for f, suf in sizes:\r\n        if size &gt;= f:\r\n            break\r\n\r\n    return \"%.2f %s\" % (size \/ float(f), suf)\r\n\r\nfor line in stats:\r\n    cols = line.split(',')\r\n\r\n    # Client list: Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since\r\n    if len(cols) == 5 and not line.startswith('Common Name'):\r\n        host  = {}\r\n        host['cn']    = cols[0]\r\n        host['real']  = cols[1].split(':')[0]\r\n        host['recv']  = byte2str(int(cols[2]))\r\n        host['sent']  = byte2str(int(cols[3]))\r\n        host['since'] = cols[4].strip()\r\n        host['virt']  = ''  # filled in from the routing table below, if present\r\n        hosts.append(host)\r\n\r\n    # Routing table: Virtual Address,Common Name,Real Address,Last Ref\r\n    if len(cols) == 4 and not line.startswith('Virtual Address'):\r\n        for h in hosts:\r\n            if h['cn'] == cols[1]:\r\n                h['virt'] = cols[0]\r\n\r\nfmt = \"%(cn)-25s %(virt)-18s %(real)-15s %(sent)13s %(recv)13s %(since)25s\"\r\nprint(fmt % headers)\r\nprint(\"\\n\".join([fmt % h for h in hosts]))<\/pre>\n<hr \/>\n<ul>\n<li>\n<pre class=\"bash\">chmod 700 \/usr\/local\/bin\/openvpn-status<\/pre>\n<\/li>\n<li>To view the status, run the command:\n<pre class=\"bash\">\/usr\/local\/bin\/openvpn-status<\/pre>\n<\/li>\n<\/ul>\n<h2><span style=\"color: #99cc00;\">More to come later &#8230;&#8230;&#8230;.<\/span><\/h2>\n","protected":false},"excerpt":{"rendered":"<p>OpenVPN installation: Article not finished yet!! You can install Webmin first. 1- OpenVPN installation: &#8211; apt-get install openvpn openssl 2- Server preparation: &#8211; Create the easy-rsa directory: mkdir \/etc\/openvpn\/easy-rsa\/ &#8211; Copy the configuration files: cp -r \/usr\/share\/doc\/openvpn\/examples\/easy-rsa\/2.0\/* \/etc\/openvpn\/easy-rsa\/ 3- Server configuration: &#8211; Edit the file&#8230; <a href=\"https:\/\/memo.xtranet.info\/?p=46\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">OpenVPN<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,10],"tags":[],"class_list":["post-46","post","type-post","status-publish","format-standard","hentry","category-linux","category-openvpn"],"_links":{"self":[{"href":"https:\/\/memo.xtranet.info\/index.php?rest_route=\/wp\/v2\/posts\/46","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/memo.xtranet.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/memo.xtranet.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/memo.xtranet.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/memo.xtranet.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=46"}],"version-history":[{"count":43,"href":"https:\/\/memo.xtranet.info\/index.php?rest_route=\/wp\/v2\/posts\/46\/revisions"}],"predecessor-version":[{"id":116,"href":"
https:\/\/memo.xtranet.info\/index.php?rest_route=\/wp\/v2\/posts\/46\/revisions\/116"}],"wp:attachment":[{"href":"https:\/\/memo.xtranet.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=46"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/memo.xtranet.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=46"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/memo.xtranet.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=46"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}