OpenVPN uses Public Key Infrastructure (PKI) to encrypt VPN traffic between nodes. A simple way of setting up a VPN with OpenVPN is to connect the clients through a bridge interface on the VPN server. This guide will assume that one VPN node, the server in this case, has a bridge interface configured. For more information on setting up a bridge see “Bridging”.
To install openvpn, in a terminal enter:
sudo apt-get install openvpn
Now that you have the openvpn package installed, you need to create the certificates for the VPN server.
First, copy the easy-rsa directory to /etc/openvpn. This will ensure that any changes to the scripts are not lost when the package is updated. In a terminal enter:
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Next, edit the /etc/openvpn/easy-rsa/vars file, adjusting the following to your environment:
export KEY_COUNTRY="US"
export KEY_PROVINCE="NC"
export KEY_CITY="Winston-Salem"
export KEY_ORG="Example Company"
export KEY_EMAIL="steve@example.com"
Enter the following to create the server certificates:
cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/
The VPN client also needs a certificate to authenticate itself to the server. To create the certificate, enter the following in a terminal:
cd /etc/openvpn/easy-rsa/
source vars
./pkitool hostname
Note: Replace hostname with the actual hostname of the machine connecting to the VPN.
Copy the following files to the client:
- /etc/openvpn/easy-rsa/hostname.ovpn
- /etc/openvpn/easy-rsa/ca.crt
- /etc/openvpn/easy-rsa/hostname.crt
- /etc/openvpn/easy-rsa/hostname.key
- /etc/openvpn/easy-rsa/ta.key
Note: Remember to adjust the above file names for your client machine's hostname.
It is best to use a secure method to copy the certificate and key files. The scp utility is a good choice, but copying the files to removable media and then to the client also works well.
Now configure the openvpn server by creating /etc/openvpn/server.conf from the example file. In a terminal enter:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz
Edit the /etc/openvpn/server.conf file and change the following options:
local 172.18.100.101
dev tap0
server-bridge 172.18.100.101 255.255.255.0 172.18.100.105 172.18.100.200
push "route 172.18.100.1 255.255.255.0"
push "dhcp-option DNS 172.18.100.20"
push "dhcp-option DOMAIN example.com"
tls-auth ta.key 0 # This file is secret
user nobody
group nogroup
- local: is the IP address of the bridge interface.
- server-bridge: needed when the configuration uses bridging. The 172.18.100.101 255.255.255.0 portion is the bridge interface and mask. The IP range 172.18.100.105 172.18.100.200 is the range of IP addresses that will be assigned to clients.
- push: are directives to add networking options for clients.
- user and group: configure which user and group the openvpn daemon executes as.
Note: Replace all IP addresses and domain names above with those of your network.
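As an added example that is not part of the original guide, the following POSIX shell linter checks a server.conf against the bridged-server settings listed above (tap device, server-bridge pool inside the bridge network, tls-auth direction 0, privilege drop) and verifies that server.key and ta.key next to the config are not readable by other users. The helper names (conf_get, same_subnet, private_file, check_server_conf) are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not from the Ubuntu guide or OpenVPN).
# Usage: check_server_conf /etc/openvpn/server.conf

# Print the value of the first occurrence of a directive, with comments stripped.
conf_get() {
    sed -e 's/[#;].*//' "$2" | awk -v key="$1" '$1 == key { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Return 0 if two IPv4 addresses share a network under a contiguous dotted-quad mask.
# Uses integer arithmetic instead of the gawk-only and(), so it also works with mawk.
same_subnet() {
    awk -v a="$1" -v b="$2" -v m="$3" '
        function net(ip, mask,  p, q, i, r, block) {
            split(ip, p, "."); split(mask, q, "."); r = 0
            for (i = 1; i <= 4; i++) { block = 256 - q[i]; r = r * 256 + (p[i] - p[i] % block) }
            return r
        }
        BEGIN { exit (net(a, m) == net(b, m)) ? 0 : 1 }'
}

# Return 0 if the file exists and has no group/other permission bits (e.g. mode 0600).
private_file() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

check_server_conf() {
    conf="$1"; fail=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    # A bridged server uses a tap device plus server-bridge, not tun plus server.
    [ "$(conf_get dev "$conf")" = "tap0" ] || { echo "dev tap0 missing"; fail=1; }
    sb="$(conf_get server-bridge "$conf")"
    if [ -z "$sb" ]; then echo "server-bridge missing"; fail=1
    else
        set -- $sb   # gateway mask pool_start pool_end
        same_subnet "$1" "$3" "$2" && same_subnet "$1" "$4" "$2" ||
            { echo "client pool $3-$4 lies outside the bridge network $1/$2"; fail=1; }
    fi
    # Server side of tls-auth is direction 0 (clients use 1).
    case "$(conf_get tls-auth "$conf")" in
        *' 0') ;;
        *) echo "tls-auth ta.key 0 missing or wrong direction"; fail=1 ;;
    esac
    # The daemon should drop root privileges after startup.
    [ "$(conf_get user "$conf")" = "nobody" ] || { echo "user nobody missing"; fail=1; }
    [ "$(conf_get group "$conf")" = "nogroup" ] || { echo "group nogroup missing"; fail=1; }
    # The private key and the tls-auth key copied beside the config must stay private.
    for f in server.key ta.key; do
        private_file "$(dirname "$conf")/$f" || { echo "$f missing or not mode 0600"; fail=1; }
    done
    return $fail
}
```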
Now create a couple of helper scripts to add the tap interface to the bridge. Create /etc/openvpn/up.sh:
#!/bin/sh
BR=$1
DEV=$2
MTU=$3
/sbin/ifconfig $DEV mtu $MTU promisc up
/usr/sbin/brctl addif $BR $DEV
And /etc/openvpn/down.sh:
#!/bin/sh
BR=$1
DEV=$2
/usr/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down
Then make them executable:
sudo chmod 755 /etc/openvpn/down.sh
sudo chmod 755 /etc/openvpn/up.sh
After configuring the server, restart openvpn by entering:
sudo /etc/init.d/openvpn restart
With the server configured and the client certificates copied over, create a client configuration file by copying the example. In a terminal on the client machine enter:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn
Now edit the /etc/openvpn/client.conf file and change the following options:
dev tap
remote vpn.example.com 1194
cert hostname.crt
key hostname.key
tls-auth ta.key 1
Note: Replace vpn.example.com with the hostname of your VPN server, and hostname.* with the actual certificate and key filenames.
Finally, restart openvpn:
sudo /etc/init.d/openvpn restart
You should now be able to connect to the remote LAN through the VPN.
- See the OpenVPN website for more information.
- Also, Packt's OpenVPN: Building and Integrating Virtual Private Networks is a good resource.