VPN on Debian

In this tutorial we set up a VPN server with OpenVPN on Debian.

For this lab we follow these steps:

  1. Prerequisites
  2. Generating the keys with the PKI
  3. Server configuration
  4. Client configuration

 

Prerequisites

For this lab we need two machines, one acting as the server and the other as the client. Start by renaming the server machine srv-vpn and the client machine client. You can follow our tutorial on renaming a Linux machine.

Once both machines are renamed, make sure they are on the same network and can reach each other (run a ping). You can follow our tutorial on changing an IP address.

Make sure each machine has two network interfaces: one attached to NAT and the other to a host-only network (with DHCP enabled).

If the previous steps were done correctly, the following commands should give these results:

  •  "hostname", on the server:

```bash
joel@srv-vpn:~$ hostname
srv-vpn
joel@srv-vpn:~$
```

on the client:

```bash
joel@client:~$ hostname
client
joel@client:~$
```

  •  "ip a", you should get a similar result on the server and on the client:

```bash
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:74:9d:cd brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global enp0s3
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe74:9dcd/64 scope link
       valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:e2:d8:41 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.101/24 brd 192.168.56.255 scope global enp0s8
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fee2:d841/64 scope link
       valid_lft forever preferred_lft forever
joel@srv-vpn:~$
```

The IP addresses will of course differ, but we can see that each machine has two network interfaces.

Install the openvpn package on both machines (srv-vpn and client):

```bash
sudo apt update && sudo apt install openvpn
```

Generating the keys with the PKI

This step takes place entirely on the server.

Log in to the srv-vpn server and open a terminal. Copy the easy-rsa configuration files: they ship with openvpn when it is installed and contain our PKI. We use them to generate our certificates.

Copy the contents of the easy-rsa directory into your home directory (the command below uses /home/your_username):

```bash
sudo cp -r /usr/share/easy-rsa /home/your_username/easy-rsa
```

Then take ownership of all the files in the directory with the following command:

```bash
joel@srv-vpn:~$ sudo chown -R $USER:$USER easy-rsa
joel@srv-vpn:~$
```

Change into the directory where you copied easy-rsa:

```bash
cd /home/your_username/easy-rsa
```

Edit the "vars" file:

```bash
sudo nano vars
```

Change the following lines:

```bash
KEY_COUNTRY="FR"
KEY_PROVINCE="ALS"
KEY_CITY="SaltLakeCity"
KEY_ORG="Atomit"
KEY_EMAIL="toto@atomit.fr"
```

Make the vars file executable and load the variables:

```bash
chmod +x vars
source ./vars
```

You should see this:

```bash
joel@srv-vpn:~/easy-rsa$ ls
build-ca          build-key-server  list-crl           sign-req
build-dh          build-req         openssl-0.9.6.cnf  vars
build-inter       build-req-pass    openssl-0.9.8.cnf  whichopensslcnf
build-key         clean-all         openssl-1.0.0.cnf
build-key-pass    inherit-inter     pkitool
build-key-pkcs12  keys              revoke-full
joel@srv-vpn:~/easy-rsa$ chmod +x vars
joel@srv-vpn:~/easy-rsa$ source ./vars
**************************************************************
  No /home/joel/easy-rsa/openssl.cnf file could be found
  Further invocations will fail
**************************************************************
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/joel/easy-rsa/keys
joel@srv-vpn:~/easy-rsa$
```

Clean the directory where the keys will be generated with clean-all:

```bash
joel@srv-vpn:~/easy-rsa$ ./clean-all
joel@srv-vpn:~/easy-rsa$
```

Generate the certificate authority's certificate with ./build-ca:

  1. If you get an error, in my case the following one:

```bash
joel@srv-vpn:~/easy-rsa$ ./build-ca
grep: /home/joel/easy-rsa/openssl.cnf: Aucun fichier ou dossier de ce type
pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
version of openssl.cnf: /home/joel/easy-rsa/openssl.cnf
The correct version should have a comment that says: easy-rsa version 2.x
joel@srv-vpn:~/easy-rsa$
```

     it means you have not configured the vars file, or have not loaded it with "source vars". If you did and the problem persists, you can fix it by creating a symbolic link to openssl-1.0.0.cnf named openssl.cnf:

```bash
joel@srv-vpn:~/easy-rsa$ ln -s openssl-1.0.0.cnf openssl.cnf
joel@srv-vpn:~/easy-rsa$ ls
build-ca          build-key-server  list-crl           revoke-full
build-dh          build-req         openssl-0.9.6.cnf  sign-req
build-inter       build-req-pass    openssl-0.9.8.cnf  vars
build-key         clean-all         openssl-1.0.0.cnf  whichopensslcnf
build-key-pass    inherit-inter     openssl.cnf
build-key-pkcs12  keys              pkitool
```

     Then you can continue.

  2. If you get no error, you can continue.

Since you have already edited the variables file, just press Enter at each prompt to accept the default (the values you saved in the vars file will be used):

```bash
joel@srv-vpn:~/easy-rsa$ ./build-ca
Generating a 2048 bit RSA private key
.................................................................+++
.........................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [ALS]:
Locality Name (eg, city) [Strasbourg]:
Organization Name (eg, company) [ATOMIT]:
Organizational Unit Name (eg, section) [ATOMIT]:
Common Name (eg, your name or your server's hostname) [ATOMIT CA]:
Name [EasyRSA]:
Email Address [email@atomit.fr]:
joel@srv-vpn:~/easy-rsa$
```

Once your CA keys are generated, generate the Diffie-Hellman parameters (./build-dh), which secure the initial key exchange between the server and the client:

```bash
joel@srv-vpn:~/easy-rsa$ ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.......................................+..............+...........................................

joel@srv-vpn:~/easy-rsa$
```

Key generation can take more or less time depending on your machine's resources. Once it finishes, generate the keys for your server (./build-key-server):

```bash
joel@srv-vpn:~/easy-rsa$ ./build-key-server srv-vpn
Generating a 2048 bit RSA private key
.................+++
.........................................+++
writing new private key to 'srv-vpn.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [ALS]:
Locality Name (eg, city) [Strasbourg]:
Organization Name (eg, company) [ATOMIT]:
Organizational Unit Name (eg, section) [ATOMIT]:
Common Name (eg, your name or your server's hostname) [srv-vpn]:
Name [EasyRSA]:
Email Address [email@atomit.fr]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/joel/easy-rsa/openssl.cnf
Can't open /home/joel/easy-rsa/keys/index.txt.attr for reading, No such file or directory
140106726114560:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:74:fopen('/home/joel/easy-rsa/keys/index.txt.attr','r')
140106726114560:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:81:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'FR'
stateOrProvinceName   :PRINTABLE:'ALS'
localityName          :PRINTABLE:'Strasbourg'
organizationName      :PRINTABLE:'ATOMIT'
organizationalUnitName:PRINTABLE:'ATOMIT'
commonName            :PRINTABLE:'srv-vpn'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'email@atomit.fr'
Certificate is to be certified until Nov 13 10:19:32 2027 GMT (3650 days)
Sign the certificate? [y/n]:Y


1 out of 1 certificate requests certified, commit? [y/n]Y
Write out database with 1 new entries
Data Base Updated
joel@srv-vpn:~/easy-rsa$
```

As before, just press Enter at each prompt and answer Y to the two questions at the end. Do not enter a password when asked for the challenge password; just press Enter. The "Can't open ... index.txt.attr" lines on this first signing are harmless: openssl creates that file as soon as the first certificate is signed.

Then generate the client keys with ./build-key:

```bash
joel@srv-vpn:~/easy-rsa$ ./build-key client
Generating a 2048 bit RSA private key
..............................................+++
....+++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [ALS]:
Locality Name (eg, city) [Strasbourg]:
Organization Name (eg, company) [ATOMIT]:
Organizational Unit Name (eg, section) [ATOMIT]:
Common Name (eg, your name or your server's hostname) [client]:
Name [EasyRSA]:
Email Address [email@atomit.fr]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/joel/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'FR'
stateOrProvinceName   :PRINTABLE:'ALS'
localityName          :PRINTABLE:'Strasbourg'
organizationName      :PRINTABLE:'ATOMIT'
organizationalUnitName:PRINTABLE:'ATOMIT'
commonName            :PRINTABLE:'client'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'email@atomit.fr'
Certificate is to be certified until Nov 13 10:24:44 2027 GMT (3650 days)
Sign the certificate? [y/n]:Y


1 out of 1 certificate requests certified, commit? [y/n]Y
Write out database with 1 new entries
Data Base Updated
joel@srv-vpn:~/easy-rsa$
```

As before, just press Enter at each prompt and answer Y to the two questions at the end. Do not enter a password when asked for the challenge password; just press Enter. To check that the step went well, list the contents of the keys directory:

```bash
joel@srv-vpn:~/easy-rsa$ ls keys
01.pem  ca.key      client.key  index.txt.attr      serial      srv-vpn.csr
02.pem  client.crt  dh2048.pem  index.txt.attr.old  serial.old  srv-vpn.key
ca.crt  client.csr  index.txt   index.txt.old       srv-vpn.crt
joel@srv-vpn:~/easy-rsa$
```

You must have at least the following files: dh2048.pem, srv-vpn.key, srv-vpn.crt, ca.crt, client.key, client.crt.

Copy the following files into the openvpn configuration directory on the server:

```bash
sudo cp keys/dh2048.pem keys/srv-vpn.crt keys/srv-vpn.key keys/ca.crt /etc/openvpn/server/
```
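Before copying anything to /etc/openvpn it is worth checking the keys directory mechanically rather than by eye. The script below is an added example and not part of the original tutorial: it checks that the files listed above exist, that no private key (ca.key included) is readable by group or others, that the PEM headers look right and, when the openssl CLI is installed, that each certificate chains to ca.crt and carries the same public key as the private key next to it. The function names are mine, and the script assumes the easy-rsa 2.x layout used in this lab (keys/ca.crt, keys/dh2048.pem, keys/<name>.crt, keys/<name>.key).

```shell
#!/bin/sh
# check_easyrsa_output.sh: sanity-check the easy-rsa 2.x "keys" directory
# before copying anything to /etc/openvpn. Added example, not part of the
# original tutorial. Assumes the easy-rsa 2.x layout used in the lab:
# keys/ca.crt, keys/dh2048.pem, keys/<name>.crt and keys/<name>.key.

# usage: check_keys_dir <keys_dir> <server_name> [<client_name>...]
# Prints one line per problem; returns 0 only when all expected files exist,
# every *.key is unreadable by group and others, and PEM headers look right.
check_keys_dir() {
    dir=$1; shift
    status=0
    # files needed regardless of the server/client names
    for f in ca.crt dh2048.pem; do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f"; status=1; }
    done
    # one certificate and one private key per name given on the command line
    for name in "$@"; do
        for ext in crt key; do
            [ -f "$dir/$name.$ext" ] || { echo "missing: $dir/$name.$ext"; status=1; }
        done
    done
    # private keys (ca.key included) must not be group- or world-readable
    for k in "$dir"/*.key; do
        [ -f "$k" ] || continue
        mode=$(stat -c %a "$k" 2>/dev/null || stat -f %Lp "$k")
        case "$mode" in
            ?00) ;;  # 400/600/700: owner only
            *) echo "weak permissions ($mode): $k"; status=1 ;;
        esac
        grep -q 'PRIVATE KEY-----' "$k" || { echo "not a PEM private key: $k"; status=1; }
    done
    for c in "$dir"/*.crt; do
        [ -f "$c" ] || continue
        grep -q 'BEGIN CERTIFICATE-----' "$c" || { echo "not a PEM certificate: $c"; status=1; }
    done
    return $status
}

# usage: check_chain <keys_dir> <name>...   (needs the openssl CLI)
# Verifies that each named certificate was issued by ca.crt and that the
# private key next to it carries the same public key.
check_chain() {
    dir=$1; shift
    status=0
    for name in "$@"; do
        openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null \
            || { echo "$name.crt does not chain to ca.crt"; status=1; }
        cert_pub=$(openssl x509 -in "$dir/$name.crt" -noout -pubkey)
        key_pub=$(openssl pkey -in "$dir/$name.key" -pubout 2>/dev/null)
        [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
            || { echo "$name.key does not match $name.crt"; status=1; }
    done
    return $status
}

# Run directly from the easy-rsa directory, e.g.:
#   sh check_easyrsa_output.sh keys srv-vpn client
if [ $# -gt 0 ]; then
    check_keys_dir "$@" && command -v openssl >/dev/null 2>&1 && check_chain "$@"
fi
```

Run it from the easy-rsa directory with the names you passed to ./build-key-server and ./build-key; a non-zero exit means at least one line was printed above it, and it is cheaper to fix the keys directory now than to debug a TLS handshake failure on the client later.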

 

Server configuration

This step also takes place entirely on the server.

Log in to the openvpn server (srv-vpn). OpenVPN ships with a default server configuration file; just copy it with the following command:

```bash
sudo sh -c "zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf"
```

Then we edit it (the file belongs to root, so use sudo):

```bash
joel@srv-vpn:~/easy-rsa$ sudo nano /etc/openvpn/server.conf
```

You only need to change the following lines:

```bash
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/srv-vpn.crt
key /etc/openvpn/server/srv-vpn.key

dh /etc/openvpn/server/dh2048.pem

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

#tls-auth ta.key 0 # This file is secret
```

You can replace the first OpenDNS server IP (208.67.222.222, 208.67.220.220) with the IP of your own DNS server (the one the server uses), or replace both. To find your DNS server's IP, check the address handed out by DHCP in resolv.conf:

```bash
joel@srv-vpn:~/easy-rsa$ cat /etc/resolv.conf
domain esi-supinfo.com
search esi-supinfo.com
nameserver 10.0.2.3
joel@srv-vpn:~/easy-rsa$
```

In server.conf, replace 208.67.222.222 with 10.0.2.3. You should end up with this:

```apacheconf
#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# This config should work on Windows            #
# or Linux/BSD systems.  Remember on            #
# Windows to quote pathnames and use            #
# double backslashes, e.g.:                     #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.  You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
;proto tcp
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one.  On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/srv-vpn.crt
key /etc/openvpn/server/srv-vpn.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh2048.pem 2048
dh /etc/openvpn/server/dh2048.pem

# Network topology
# Should be subnet (addressing via IP)
# unless Windows clients v2.0.9 and lower have to
# be supported (then net30, i.e. a /30 per client)
# Defaults to net30 (not recommended)
;topology subnet

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface.  Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0.  Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients.  Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses.  You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN.  This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients.  There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients.  See man
#     page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS 10.0.2.3"
push "dhcp-option DNS 208.67.220.220"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names.  This is recommended
# only for testing purposes.  For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
#tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
# Note that 2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC

# Enable compression on the VPN link and push the
# option to the client (2.4+ only, for earlier
# versions see below)
;compress lz4-v2
;push "compress lz4-v2"

# For compression compatible with older clients use comp-lzo
# If you enable it here, you must also
# enable it in the client config file.
;comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nogroup

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
;log         openvpn.log
;log-append  openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4
```
%20is%20reasonable%20for%20general%20usage%0A%23%205%20and%206%20can%20help%20to%20debug%20connection%20problems%0A%23%209%20is%20extremely%20verbose%0Averb%203%0A%0A%23%20Silence%20repeating%20messages.%20%20At%20most%2020%0A%23%20sequential%20messages%20of%20the%20same%20message%0A%23%20category%20will%20be%20output%20to%20the%20log.%0A%3Bmute%2020%0A%0A%23%20Notify%20the%20client%20that%20when%20the%20server%20restarts%20so%20it%0A%23%20can%20automatically%20reconnect.%0AExplicit-exit-notify%201%0A » message= » » highlight= » » provider= »manual »/]

We will now test the settings in our configuration file. Start by stopping the openvpn service:

```bash
joel@srv-vpn:~/easy-rsa$ sudo systemctl stop openvpn
```

Test with the following command:

```bash
joel@srv-vpn:~/easy-rsa$ sudo openvpn /etc/openvpn/server.conf
Wed Nov 15 12:00:36 2017 OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
Wed Nov 15 12:00:36 2017 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
Wed Nov 15 12:00:36 2017 Diffie-Hellman initialized with 2048 bit key
Wed Nov 15 12:00:36 2017 ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:74:9d:cd
Wed Nov 15 12:00:36 2017 TUN/TAP device tun0 opened
Wed Nov 15 12:00:36 2017 TUN/TAP TX queue length set to 100
Wed Nov 15 12:00:36 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Nov 15 12:00:36 2017 /sbin/ip link set dev tun0 up mtu 1500
Wed Nov 15 12:00:36 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Wed Nov 15 12:00:36 2017 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Wed Nov 15 12:00:36 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Nov 15 12:00:36 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Nov 15 12:00:36 2017 UDPv4 link local (bound): [AF_INET][undef]:1194
Wed Nov 15 12:00:36 2017 UDPv4 link remote: [AF_UNSPEC]
Wed Nov 15 12:00:36 2017 MULTI: multi_init called, r=256 v=256
Wed Nov 15 12:00:36 2017 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Wed Nov 15 12:00:36 2017 IFCONFIG POOL LIST
Wed Nov 15 12:00:36 2017 Initialization Sequence Completed
```

You should get a result similar to mine. If you open a second terminal on the server at the same time and type "ip a", you will see that a new network interface named tun0 has appeared.

```bash
joel@srv-vpn:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:74:9d:cd brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global enp0s3
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe74:9dcd/64 scope link
       valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:e2:d8:41 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.101/24 brd 192.168.56.255 scope global enp0s8
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fee2:d841/64 scope link
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::c217:a6d3:1e15:8b9d/64 scope link flags 800
       valid_lft forever preferred_lft forever
joel@srv-vpn:~$
```

You can then start the openvpn service and leave it running:

```bash
joel@srv-vpn:~/easy-rsa$ sudo systemctl start openvpn
joel@srv-vpn:~/easy-rsa$
```

We will now enable IP packet forwarding, so that packets coming from the machines connected through the VPN can be routed.

Check whether IP forwarding is enabled with the command:

```bash
joel@srv-vpn:~/easy-rsa$ sudo sysctl net.ipv4.ip_forward
[sudo] Mot de passe de joel : 
net.ipv4.ip_forward = 0
joel@srv-vpn:~/easy-rsa$
```

The command returns 0, so forwarding is not enabled; we will enable it permanently by editing the sysctl.conf file:

```bash
nano /etc/sysctl.conf
```

Change only the following line: uncomment it and change its value from 0 to 1. You should end up with these lines:

```conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
```

Next we add iptables rules to filter the packets coming from the VPN network:

```bash
joel@srv-vpn:~/easy-rsa$ sudo iptables -t filter -P FORWARD ACCEPT
joel@srv-vpn:~/easy-rsa$ sudo iptables -t filter -A INPUT -p udp --dport 1194 -j ACCEPT
joel@srv-vpn:~/easy-rsa$ sudo iptables -t nat -A POSTROUTING -o enp0s8 -j MASQUERADE
joel@srv-vpn:~/easy-rsa$ sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
```

In our case the clients connect to the VPN server through the enp0s8 interface, and the other interface is the one that gives the VPN server its Internet access. If your interfaces are named differently, use the name of the interface you actually have. Above all, do not forget to save your iptables configuration, otherwise it will disappear after a reboot.

```bash
joel@srv-vpn:~/easy-rsa$ sudo sh -c "iptables-save > /etc/iptables.rules"
joel@srv-vpn:~/easy-rsa$
```
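Added here as an example (not the tutorial's own commands): the same forwarding and NAT setup written as a reviewable script, with a default-deny FORWARD chain restricted to traffic between the tunnel and the outbound interface instead of a blanket ACCEPT policy. The subnet 10.8.0.0/24 and tun0 come from this page; the outbound interface name, the /etc/sysctl.d file name and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Builds the server-side
# forwarding and NAT rules as a reviewable list, with a default-deny FORWARD
# chain that only allows traffic between the tunnel and the outbound
# interface, instead of the blanket "-P FORWARD ACCEPT" used above.
# 10.8.0.0/24 and tun0 are the tutorial's values; the outbound interface,
# the sysctl.d file name and the function names are assumptions.

# vpn_rules VPN_SUBNET TUN_IF OUT_IF
# Prints one iptables command per line and executes nothing, so the set can
# be read (or compared with "iptables-save") before it is applied.
# Run it once: re-applying appends duplicate rules, so flush FORWARD and
# nat/POSTROUTING first if you need to reload.
vpn_rules() {
    subnet="$1"; tun="$2"; out="$3"
    printf '%s\n' \
        "iptables -t filter -A INPUT -p udp --dport 1194 -j ACCEPT" \
        "iptables -t filter -P FORWARD DROP" \
        "iptables -t filter -A FORWARD -i $tun -o $out -s $subnet -j ACCEPT" \
        "iptables -t filter -A FORWARD -i $out -o $tun -d $subnet -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        "iptables -t nat -A POSTROUTING -s $subnet -o $out -j MASQUERADE"
}

# forwarding_enabled: true when the running kernel has net.ipv4.ip_forward=1
# (reads /proc directly, so it does not depend on sysctl being in PATH).
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# iface_exists IFNAME: true when the interface is present on this host. Used
# so that MASQUERADE is never attached to a name that does not exist here
# (for instance eth0 on a machine whose interfaces are enp0s3 and enp0s8).
iface_exists() {
    [ -d "/sys/class/net/$1" ]
}

# apply_vpn_rules VPN_SUBNET TUN_IF OUT_IF (run as root)
# Enables forwarding now and persistently through /etc/sysctl.d, applies the
# rules, then saves them to /etc/iptables.rules as the tutorial does. That
# file is not reloaded at boot by itself: pair it with the iptables-persistent
# package or an "iptables-restore < /etc/iptables.rules" hook.
apply_vpn_rules() {
    subnet="$1"; tun="$2"; out="$3"
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_vpn_rules: must run as root" >&2; return 1
    fi
    if ! iface_exists "$out"; then
        echo "apply_vpn_rules: no such interface: $out" >&2; return 1
    fi
    printf 'net.ipv4.ip_forward=1\n' > /etc/sysctl.d/99-vpn-forward.conf
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    vpn_rules "$subnet" "$tun" "$out" | sh -e
    iptables-save > /etc/iptables.rules
}

# Print the rule set for review (applying it is a separate, root-only step):
vpn_rules 10.8.0.0/24 tun0 enp0s3
```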


Client configuration

This step takes place entirely on the client. We will copy the client keys that we generated on the server earlier, in the key-generation step, together with the client's default configuration file:

```bash
sudo scp joel@ip_du_serveur:/home/nom_utilisateur/easy-rsa/keys/client.key /etc/openvpn/client/
sudo scp joel@ip_du_serveur:/home/nom_utilisateur/easy-rsa/keys/client.crt /etc/openvpn/client/
sudo scp joel@ip_du_serveur:/home/nom_utilisateur/easy-rsa/keys/ca.crt /etc/openvpn/client/
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
```

We will edit the configuration file and change the paths to the keys:

```bash
nano /etc/openvpn/client.conf
```

Edit it and modify the following lines:

```conf
remote ip_du_serveur 1194
;remote my-server-2 1194

ca /etc/openvpn/client/ca.crt
cert /etc/openvpn/client/client.crt
key /etc/openvpn/client/client.key

#tls-auth ta.key 1

redirect-gateway def1
```

In the end you should have the following in the client.conf file:

```apacheconf
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 192.168.56.101 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nogroup

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca /etc/openvpn/client/ca.crt
cert /etc/openvpn/client/client.crt
key /etc/openvpn/client/client.key

# Verify server certificate by checking that the
# certicate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
#   digitalSignature, keyEncipherment
# and the extendedKeyUsage to
#   serverAuth
# EasyRSA can do this for you.
remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that 2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
#comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

redirect-gateway def1
```


To check that everything is OK, run the following command on the client: sudo openvpn /etc/openvpn/client.conf

You should get a result similar to mine, ending with Initialization Sequence Completed.

If that is not the case, go to the server and run the command (sudo openvpn /etc/openvpn/server.conf).

Go back to the client, stop the previous command and run it again. You should get a result similar to this:

```bash
joel@debian:~$ sudo openvpn  /etc/openvpn/client.conf
Wed Nov 15 14:18:24 2017 OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
Wed Nov 15 14:18:24 2017 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
Wed Nov 15 14:18:24 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.56.101:1194
Wed Nov 15 14:18:24 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Nov 15 14:18:24 2017 UDP link local: (not bound)
Wed Nov 15 14:18:24 2017 UDP link remote: [AF_INET]192.168.56.101:1194
Wed Nov 15 14:18:24 2017 TLS: Initial packet from [AF_INET]192.168.56.101:1194, sid=35ef46d3 186351f9
Wed Nov 15 14:18:24 2017 VERIFY OK: depth=1, C=FR, ST=ALS, L=Strasbourg, O=ATOMIT, OU=ATOMIT, CN=ATOMIT CA, name=EasyRSA, emailAddress=email@atomit.fr
Wed Nov 15 14:18:24 2017 Validating certificate key usage
Wed Nov 15 14:18:24 2017 ++ Certificate has key usage  00a0, expects 00a0
Wed Nov 15 14:18:24 2017 VERIFY KU OK
Wed Nov 15 14:18:24 2017 Validating certificate extended key usage
Wed Nov 15 14:18:24 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Nov 15 14:18:24 2017 VERIFY EKU OK
Wed Nov 15 14:18:24 2017 VERIFY OK: depth=0, C=FR, ST=ALS, L=Strasbourg, O=ATOMIT, OU=ATOMIT, CN=srv-vpn, name=EasyRSA, emailAddress=email@atomit.fr
Wed Nov 15 14:18:24 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Nov 15 14:18:24 2017 [srv-vpn] Peer Connection Initiated with [AF_INET]192.168.56.101:1194
Wed Nov 15 14:18:25 2017 SENT CONTROL [srv-vpn]: 'PUSH_REQUEST' (status=1)
Wed Nov 15 14:18:25 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.0.2.3,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 1,cipher AES-256-GCM'
Wed Nov 15 14:18:25 2017 OPTIONS IMPORT: timers and/or timeouts modified
Wed Nov 15 14:18:25 2017 OPTIONS IMPORT: --ifconfig/up options modified
Wed Nov 15 14:18:25 2017 OPTIONS IMPORT: route options modified
Wed Nov 15 14:18:25 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Nov 15 14:18:25 2017 OPTIONS IMPORT: peer-id set
Wed Nov 15 14:18:25 2017 OPTIONS IMPORT: adjusting link_mtu to 1624
Wed Nov 15 14:18:25 2017 OPTIONS IMPORT: data channel crypto options modified
Wed Nov 15 14:18:25 2017 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Nov 15 14:18:25 2017 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Nov 15 14:18:25 2017 ROUTE_GATEWAY ON_LINK
Wed Nov 15 14:18:25 2017 TUN/TAP device tun1 opened
Wed Nov 15 14:18:25 2017 TUN/TAP TX queue length set to 100
Wed Nov 15 14:18:25 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Nov 15 14:18:25 2017 /sbin/ip link set dev tun1 up mtu 1500
Wed Nov 15 14:18:25 2017 /sbin/ip addr add dev tun1 local 10.8.0.6 peer 10.8.0.5
Wed Nov 15 14:18:25 2017 /sbin/ip route add 192.168.56.101/32 dev
Cannot find device ""
Wed Nov 15 14:18:25 2017 ERROR: Linux route add command failed: external program exited with error status: 1
Wed Nov 15 14:18:25 2017 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Wed Nov 15 14:18:25 2017 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Wed Nov 15 14:18:25 2017 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
RTNETLINK answers: File exists
Wed Nov 15 14:18:25 2017 ERROR: Linux route add command failed: external program exited with error status: 2
Wed Nov 15 14:18:25 2017 Initialization Sequence Completed
```
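Added as an example (not part of the original post): a small check for a client log like the one above. It reads the log on stdin, reports which server certificate passed verification, the control-channel TLS version and the data-channel cipher actually negotiated (AES-256-GCM here, although the file says AES-256-CBC), and treats "Initialization Sequence Completed" as success only when no ERROR line preceded it. The sample lines are constructed from the log shown above; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Reads an OpenVPN client log
# (like the one above) on stdin and reports what was actually negotiated:
# which server certificate passed verification, the control-channel TLS
# version, the data-channel cipher (AES-256-GCM here, negotiated over the
# configured AES-256-CBC), how many ERROR lines occurred and whether
# initialization completed. Function names are assumptions; the sample lines
# are constructed from the log shown above.

# openvpn_log_summary < LOG
# Prints key=value lines: completed, errors, tls, data_cipher, server_cn.
openvpn_log_summary() {
    q="'"
    completed=0; errors=0; tls=unknown; data_cipher=unknown; server_cn=unknown
    while IFS= read -r line; do
        case "$line" in
            *"Initialization Sequence Completed"*) completed=1 ;;
            *" ERROR: "*) errors=$((errors + 1)) ;;
            *"Control Channel: "*)
                tls=${line#*Control Channel: }; tls=${tls%%,*} ;;
            *"Data Channel Encrypt: Cipher $q"*)
                data_cipher=${line#*Cipher $q}; data_cipher=${data_cipher%%$q*} ;;
            *"VERIFY OK: depth=0,"*)
                server_cn=${line#*CN=}; server_cn=${server_cn%%,*} ;;
        esac
    done
    printf 'completed=%s\nerrors=%s\ntls=%s\ndata_cipher=%s\nserver_cn=%s\n' \
        "$completed" "$errors" "$tls" "$data_cipher" "$server_cn"
}

# openvpn_log_ok < LOG
# Succeeds only when initialization completed AND no ERROR line was logged:
# "Initialization Sequence Completed" alone does not mean every route (and
# so the redirect-gateway) was installed.
openvpn_log_ok() {
    summary="$(openvpn_log_summary)"
    printf '%s\n' "$summary" | grep -qx 'completed=1' &&
        printf '%s\n' "$summary" | grep -qx 'errors=0'
}

# sample_client_log: constructed excerpt of the client log shown above.
sample_client_log() {
    cat <<'EOF'
Wed Nov 15 14:18:24 2017 VERIFY OK: depth=1, C=FR, ST=ALS, L=Strasbourg, O=ATOMIT, OU=ATOMIT, CN=ATOMIT CA, name=EasyRSA, emailAddress=email@atomit.fr
Wed Nov 15 14:18:24 2017 VERIFY OK: depth=0, C=FR, ST=ALS, L=Strasbourg, O=ATOMIT, OU=ATOMIT, CN=srv-vpn, name=EasyRSA, emailAddress=email@atomit.fr
Wed Nov 15 14:18:24 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Nov 15 14:18:25 2017 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Nov 15 14:18:25 2017 /sbin/ip route add 192.168.56.101/32 dev
Cannot find device ""
Wed Nov 15 14:18:25 2017 ERROR: Linux route add command failed: external program exited with error status: 1
Wed Nov 15 14:18:25 2017 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
RTNETLINK answers: File exists
Wed Nov 15 14:18:25 2017 ERROR: Linux route add command failed: external program exited with error status: 2
Wed Nov 15 14:18:25 2017 Initialization Sequence Completed
EOF
}

# Summarize the sample, then apply the strict pass/fail rule to it.
sample_client_log | openvpn_log_summary
if sample_client_log | openvpn_log_ok; then
    echo "tunnel up and clean"
else
    echo "tunnel reported complete, but with errors: check the routes before trusting it"
fi
```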

If you still have errors, and even if you do not, reboot the server and the client:

```bash
sudo reboot
```

The openvpn service should start automatically at boot.
To check that everything is working, type "ip a" on the server and on the client; you should get a result similar to this one:

```bash
joel@debian:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 08:00:27:ca:89:43 brd ff:ff:ff:ff:ff:ff
    inet 169.254.7.32/16 brd 169.254.255.255 scope link enp0s3:avahi
       valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:40:fb:2a brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.103/24 brd 192.168.56.255 scope global enp0s8
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe40:fb2a/64 scope link
       valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::aa45:8779:2353:3f64/64 scope link flags 800
       valid_lft forever preferred_lft forever
joel@debian:~$
```


You can see that there is a new tun0 interface carrying the VPN IP address.


joel
