Blog di Un Utente Linux

openvpn

Introduzione

OpenVPN è un sistema di rete privata virtuale (VPN) che implementa tecniche per creare connessioni sicure da punto a punto o da sito a sito in configurazioni instradate o con ponte e strutture di accesso remoto. Implementa applicazioni client e server.

Installazione e Configurazione

Installo i pacchetti necessari

$ apt install openvpn easy-rsa

Configurazione del Server

Mi sposto nella cartella di configurazione:

$ cd /etc/openvpn/

Mi assicuro che le l’ambiente di lavoro sia pultio:

$ /usr/share/easy-rsa/easyrsa clean-all

Inizializzo l’ambiente di lavoro:

/usr/share/easy-rsa/easyrsa init-pki

Genero vari certificati lato server:

$ /usr/share/easy-rsa/easyrsa build-ca nopass
$ /usr/share/easy-rsa/easyrsa build-server-full server nopass
$ /usr/share/easy-rsa/easyrsa gen-dh
$ openvpn --genkey secret pki/ta.key

Scrivo il file di configurazione del server:

port 1192
proto udp
dev tun

ca /etc/openvpn/pki/ca.crt # generated keys
cert /etc/openvpn/pki/issued/server.crt
key /etc/openvpn/pki/private/server.key # keep secret
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key

server 10.10.10.0 255.255.255.0 # internal tun0 connection IP
ifconfig-pool-persist ipp.txt

keepalive 10 120

comp-lzo # Compression - must be turned on at both end
persist-key
persist-tun

#push "dhcp-option DNS 192.168.0.200"
#push "dhcp-option DOMAIN stobi-vpn.local"
#push "route 192.168.0.0 255.255.255.0"

status /var/log/openvpn-status.log

verb 3 # verbose mode

Abilito e avvio il servizio:

systemctl enable openvpn-server@.service
systemctl start openvpn@server.service 

Profili utente

Generatore di profili

Creo la cartella dedicata ai profili:

$ mkdir -p /etc/openvpn/profiles/

Scrivo la configurazione di default /etc/openvpn/profiles/inline_client.conf:

client
dev tun
proto udp
remote server port
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3
;mute 20

# ca [inline]
# cert [inline]
# key [inline]
# tls-auth [inline] 1

Scrivo lo scrip di generazione dei profili: /etc/openvpn/profiles/make-profile.sh:

#!/bin/bash

# Default Variable Declarations

DEFAULT="/etc/openvpn/profiles/inline_client.conf"
FILEEXT=".ovpn"
CRT=".crt"
KEY=".key"
CA="/etc/openvpn/pki/ca.crt"
TA="/etc/openvpn/pki/ta.key"

key_path="/etc/openvpn/pki/private/"
cer_path="/etc/openvpn/pki/issued/"


#Ask for a Client name
#echo "Please enter an existing Client Name:"
#read NAME
NAME=$1

#echo "Please enter an Name for the output file"
#read ovpnName
ovpnName=$1

#1st Verify that client's Public Key Exists
if [ ! -f $cer_path$NAME$CRT ]; then
   echo "[ERROR]: Client Public Key Certificate not found: $cer_path$NAME$CRT"
   exit
fi
echo "Client's cert found: $cer_path$NAME$CRT"

#Then, verify that there is a private key for that client
if [ ! -f $key_path$NAME$KEY ]; then
   echo "[ERROR]: Client 3des Private Key not found: $key_path$NAME$KEY"
   exit
fi
echo "Client's Private Key found: $key_path$NAME$KEY"


#Confirm the CA public key exists
if [ ! -f $CA ]; then
   echo "[ERROR]: CA Public Key not found: $CA"
   exit
fi
echo "CA public Key found: $CA"

#Confirm the tls-auth ta key file exists
if [ ! -f $TA ]; then
   echo "[ERROR]: tls-auth Key not found: $TA"
   exit
fi
echo "tls-auth Private Key found: $TA"

#Ready to make a new .opvn file - Start by populating with the

cat $DEFAULT > $ovpnName$FILEEXT

#Now, append the CA Public Cert
echo "<ca>" >> $ovpnName$FILEEXT
cat $CA | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> $ovpnName$FILEEXT
echo "</ca>" >> $ovpnName$FILEEXT

#Next append the client Public Cert
echo "<cert>" >> $ovpnName$FILEEXT
cat $cer_path$NAME$CRT | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> $ovpnName$FILEEXT
echo "</cert>" >> $ovpnName$FILEEXT

#Then, append the client Private Key
echo "<key>" >> $ovpnName$FILEEXT
cat $key_path$NAME$KEY >> $ovpnName$FILEEXT
echo "</key>" >> $ovpnName$FILEEXT

#Finally, append the TA Private Key
echo "<tls-auth>" >> $ovpnName$FILEEXT
cat $TA >> $ovpnName$FILEEXT
echo "</tls-auth>" >> $ovpnName$FILEEXT

echo "Done! $ovpnName$FILEEXT Successfully Created."

Lo rendo eseguibile:

chmod  +x /etc/openvpn/profiles/make-profile.sh

Generare il profilo

Mi sposto nella cartella dei profili:

$ cd /etc/openvpn/profiles/

Genero le chiavi:

/usr/share/easy-rsa/easyrsa build-client-full client01 nopass

genero il file ovpn:

$ ./make-profile.sh client01

Riferimenti

Powered by Soopr   •  Theme  Moonwalk