OpenVPN installation on Debian

From RVM Wiki

Linux Server Configuration

Install the package:

apt-get install openvpn

Debian Configuration

 ┌─────────────────────────── Configuring openvpn ───────────────────────────┐
 │                                                                           │
 │ If you accept here, the package will make a special device called         │
 │ /dev/net/tun for openvpn's use. If you refuse, the device won't be made   │
 │ now. Read README.Debian for details on how to make it. If you are using   │
 │ devfs refuse here.                                                        │
 │                                                                           │
 │ Would you like a TUN/TAP device to be created?                            │
 │                                                                           │
 │                    <Yes>                                                  │
 │                                                                           │
 └───────────────────────────────────────────────────────────────────────────┘

Debian Configuration

 ┌─────────────────────────── Configuring openvpn ───────────────────────────┐
 │                                                                           │
 │ In some cases you may be upgrading openvpn in a remote server using a     │
 │ VPN to do so. The upgrade process stops the running daemon before         │
 │ installing the new version, in that case you may lose your connection,    │
 │ the upgrade may be interrupted, and you may not be able to reconnect to   │
 │ the remote host.                                                          │
 │                                                                           │
 │ Unless you do your upgrades locally, it is advised NOT to stop openvpn    │
 │ before it gets upgraded. The installation process will restart it once    │
 │ it's done.                                                                │
 │                                                                           │
 │ This option will take effect in your next upgrade.                        │
 │                                                                           │
 │ Would you like to stop openvpn before it gets upgraded?                   │
 │                                                                           │
 │                    <Yes>                                                  │
 │                                                                           │
 └───────────────────────────────────────────────────────────────────────────┘

Create the DH parameters file:

cd /etc/openvpn
mkdir certs
cd certs
openssl dhparam -out dh1024.pem 1024

Create the certificates with Xca and copy them into the same directory.

fire.leman.it.crt
fire.leman.it.pem
ca.fire.leman.it.crl
ca.fire.leman.it.crt

Customize the following values and set them in a shell:

export LOCAL_NET=192.168.150
export LOCAL_IP=$LOCAL_NET.100
export NAMESERVER=$LOCAL_NET.100
export VPN_NET=10.0.150
export VPN_IP=$VPN_NET.254
export SERVERNAME=fire.leman.it
export PORT=40000
export DEVICE=tap0


Create the configuration file from the same shell as above:

cd /etc/openvpn
cat > /etc/openvpn/roadwarriors.conf <<EOFile
# local networking settings
dev $DEVICE
port $PORT
local $LOCAL_IP

# vpn networking settings
mode server
client-to-client        # lets two VPN clients see each other
ifconfig $VPN_IP 255.255.255.0
ifconfig-pool $VPN_NET.1 $VPN_NET.253 255.255.255.0
push "route-gateway $VPN_NET.254"
push "route $LOCAL_NET.0 255.255.255.0"
push "dhcp-option DNS $NAMESERVER"
push "dhcp-option WINS $NAMESERVER"

# logging
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
ifconfig-pool-persist /var/log/openvpn-ip.log
mute 3

# tweaks
comp-lzo
tun-mtu 1500
keepalive 10 120

#authentications
tls-server
dh /etc/openvpn/certs/dh1024.pem
ca /etc/openvpn/certs/ca.$SERVERNAME.crt
cert /etc/openvpn/certs/$SERVERNAME.crt
key /etc/openvpn/certs/$SERVERNAME.pem
crl-verify /etc/openvpn/certs/ca.$SERVERNAME.crl
EOFile

Check that openvpn starts:

/etc/init.d/openvpn start
Stopping virtual private network daemon:.
Starting virtual private network daemon: roadwarriors.

netstat -anp | grep openvpn
udp        0      0 192.168.150.100:40000   0.0.0.0:*                          3719/openvpn

If it does not work, check the log /var/log/openvpn.log


Windows Client Configuration

Install OpenVPN GUI

Create the configuration file from the template and copy the file and the certificate folder to the client.

Case: the VPN server is NOT the default gateway

If the VPN server is NOT the LAN's default gateway, a static route to the VPN network must be set on the default gateway router.

For an Eicon DIVA 2440:

-->LAN
LAN>ADD IP ROUTE 10.0.150.0 255.255.255.0 192.168.150.100
LAN>SAVE
LAN>EXIT

Also check that IP forwarding is enabled on the VPN server: Attivazione_ip_forward
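Added example, not a script from this wiki page: a POSIX shell file that renders a client profile matching roadwarriors.conf above (the "template" the Windows client section refers to) and checks the server-side prerequisites the page relies on: IP forwarding, as required by the last sentence, and the size of the DH parameters used by tls-server. The function names, the client name laptop, the file names it writes and the remote-cert-tls requirement are assumptions, not part of the original page.

```shell
#!/bin/sh
# Added example for this wiki page (not the page's own script): render a
# client profile matching roadwarriors.conf and check the two server-side
# prerequisites the page mentions. Function names, the client name "laptop"
# and the file names produced are assumptions.

# render_client_config SERVERNAME PORT CLIENTNAME
# Prints a client configuration for the tap/tls-server setup above.
# "client" implies "pull", so the pushed route, route-gateway and
# dhcp-option lines are accepted; the address comes from ifconfig-pool.
render_client_config() {
    servername="$1"
    port="$2"
    clientname="$3"
    cat <<EOF
client
dev tap
proto udp
remote $servername $port
nobind
persist-key
persist-tun
tls-client
# Assumption: the Xca-issued server certificate carries the TLS Web Server
# extended key usage; with this line a client certificate signed by the same
# CA cannot pose as the server.
remote-cert-tls server
ca certs/ca.$servername.crt
cert certs/$clientname.crt
key certs/$clientname.pem
comp-lzo
tun-mtu 1500
keepalive 10 120
verb 3
EOF
}

# ip_forward_enabled [PATH]: succeeds when the kernel forwards IPv4, which the
# VPN server needs to route between tap0 and the LAN. PATH is overridable so
# the check can be exercised against a file other than the real sysctl.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# dh_param_bits FILE: print the bit length of a PEM DH parameter file
# (parses the "DH Parameters: (N bit)" line printed by openssl dhparam -text).
dh_param_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p'
}

# dh_param_ok FILE [MINBITS]: succeeds when the DH group is at least MINBITS
# (default 2048). The page's dh1024.pem is below that size.
dh_param_ok() {
    bits=$(dh_param_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "${2:-2048}" ]
}

# Usage, from the shell where the page's variables were exported:
#   render_client_config "$SERVERNAME" "$PORT" laptop > laptop.ovpn
#   ip_forward_enabled || echo "enable IP forwarding on the VPN server"
#   dh_param_ok /etc/openvpn/certs/dh1024.pem || echo "DH group below 2048 bits"
```

The rendered profile expects the client's own certificate and key in a certs folder next to it, matching the page's instruction to copy the certificate folder to the client; the dh_param_ok check needs openssl on the server and is informational only, since the server config above is written against dh1024.pem.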