OpenVPN: различия между версиями
Sol (обсуждение | вклад) (Новая страница: «Категория:Linux») |
Sol (обсуждение | вклад) |
||
(не показаны 2 промежуточные версии этого же участника) | |||
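--- a/OpenVPN
+++ b/OpenVPN
@@ -1 +1,157 @@
+[[Файл:Openvpn.png|right]]
+== Описание ==
+
+'''OpenVPN''' — свободная реализация технологии виртуальной частной сети [https://ru.wikipedia.org/wiki/VPN (VPN)] с открытым исходным кодом для создания зашифрованных каналов типа точка-точка или сервер-клиенты между компьютерами. Она позволяет устанавливать соединения между компьютерами, находящимися за NAT и сетевым экраном, без необходимости изменения их настроек. OpenVPN была создана Джеймсом Йонаном (James Yonan) и распространяется под лицензией [https://ru.wikipedia.org/wiki/GNU_General_Public_License GNU GPL].
+
+== Настройка сервера ==
+
+''Справедливо для OpenVPN 2.4.0''<br />
+Конфигурация сервера с реализацией авторизации по логину-паролю без использования pam (системных пользователей).
+''vim /etc/openvpn/server.conf''
+<syntaxhighlight lang="bash">
+# Port Number.
+port 1194
+
+# TCP or UDP server.
+proto udp
+
+# Interface type, TUN or TAP.
+dev tun
+
+# Certificates.
+ca ca.crt
+cert SERVERNAME.crt
+key SERVERNAME.key # This file should be kept secret
+
+# Diffie hellman parameters.
+dh dh2048.pem
+
+# Subnet to use for OpenVPN Connections.
+server 10.100.100.0 255.255.255.0
+
+# Keepalive: send ping every 10 seconds, tunnel down after 120 seconds no response.
+keepalive 10 120
+
+# Route inject
+push "route 10.50.50.0 255.255.255.0"
+
+# LZO Compression for the tunnel.
+#comp-lzo deprecated
+compress
+
+# Drop privileges to user/group nobody.
+user nobody
+group nogroup
+
+# Makes the link more resistant to connection failures.
+persist-key
+persist-tun
+
+# Encryption algorithm
+cipher AES-256-CBC
+
+# Username and Password authentication.
+verify-client-cert none
+#client-cert-not-required deprecated
+#plugin /usr/lib/openvpn/openvpn-auth-pam.so login # Linux PAM authorization
+auth-user-pass-verify /etc/openvpn/verify.sh via-file # Connect authorization script
+username-as-common-name
+tmp-dir /etc/openvpn/tmp
+script-security 2
+
+# OpenVPN Status Log files.
+status openvpn-status.log
+
+# LOG FILE VERBOSITY:
+# 0 is silent, except for fatal errors
+# 4 is reasonable for general usage
+# 5 and 6 can help to debug connection problems
+# 9 is extremely verbose
+verb 3
+
+log /var/log/openvpn.log
+</syntaxhighlight>
+
+Скрипт выполняющий авторизацию клиентов.
+''vim /etc/openvpn/verify.sh''
+<syntaxhighlight lang="bash">
+#!/bin/sh
+## format: username:password username:password ...
+## you can even have same usernames with different passwords
+# USERS='user1:pass1 user2:pass2 user3:pass3'
+## you could put username:password in
+## a separate file and read it like this
+USERS=`cat /etc/openvpn/user.pass`
+vpn_verify() {
+if [ ! $1 ] || [ ! $2 ]; then
+#echo "No username or password: $*"
+exit 1
+fi
+## it can also be done with grep or sed
+for i in $USERS; do
+if [ "$i" = "$1:$2" ]; then
+## you can add here logging of users
+## if you have enough space for log file
+#echo `date` $1:$2 >> your_log_file
+exit 0
+fi
+done
+}
+if [ ! $1 ] || [ ! -e $1 ]; then
+#echo "No file"
+exit 1
+fi
+## $1 is file name which contains
+## passed username and password
+vpn_verify `cat $1`
+#echo "No user with this password found"
+exit 1
+</syntaxhighlight>
+
+Должен быть исполняемым.
+
+== Настройка клиента ==
+
+=== Шаблон для клиентского конфига ===
+<syntaxhighlight lang="bash">
+dev tun
+proto udp
+# Внешний IP сервера OpenVPN
+remote 172.16.111.166
+# Port сервера
+port 1200
+client
+resolv-retry infinite
+tls-client
+key-direction 1
+auth SHA1
+cipher BF-CBC
+#comp-lzo
+persist-key
+persist-tun
+#
+auth-user-pass c:/temp/pass.txt
+#
+# just create a file with name pass.txt
+# and put to it two lines
+# -------------
+#username
+#password
+# -------------
+#auth-user-pass
+verb 3
+<ca>
+-----BEGIN CERTIFICATE-----
+MIIE5jCCA86gAwIBAgIJAOt3kFH7PxA0MA0GCSqGSIb3DQEBCwUAMIGjMQswCQYD
+....
+-----END CERTIFICATE-----
+</ca>
+<tls-auth>
+-----BEGIN OpenVPN Static key V1-----
+83ddd29fa82212f3059d85a41490134c
+....
+a4f2c7df3a22364a49093bca102dedeb
+-----END OpenVPN Static key V1-----
+</tls-auth>
+</syntaxhighlight>
 [[Категория:Linux]]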
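Review bot: In the verify.sh added under `== Настройка сервера ==`, the credential file is fed through `vpn_verify \`cat $1\`` and the arguments are tested as `[ ! $1 ] || [ ! $2 ]` without quotes, so a username or password containing whitespace or glob characters is word-split or expanded before the comparison, and a value that happens to look like a test operator changes the meaning of the test. Because `verify-client-cert none` makes this script the only authentication check on the server, its parsing should be strict: test with `[ -z "$1" ]`, quote `"$1"`, and read the two via-file lines with `IFS= read -r` instead of `cat`. The client template in the same revision also disagrees with the server config: `port 1200` versus `port 1194`, `cipher BF-CBC` / `auth SHA1` versus `cipher AES-256-CBC`, and a `<tls-auth>` block with `key-direction 1` while the server config shows no `tls-auth` line; if these are intentional, a sentence saying which side to adjust would help the reader. The rewritten script is below.
```sh
#!/bin/sh
# … unchanged: USERS loaded from /etc/openvpn/user.pass …
vpn_verify() {
  if [ -z "$1" ] || [ -z "$2" ]; then
    exit 1
  fi
  for i in $USERS; do
    if [ "$i" = "$1:$2" ]; then
      exit 0
    fi
  done
}
if [ -z "$1" ] || [ ! -e "$1" ]; then
  exit 1
fi
# via-file: first line is the username, second line the password
{
  IFS= read -r user
  IFS= read -r pass
} < "$1"
vpn_verify "$user" "$pass"
exit 1
```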
Текущая версия на 14:33, 15 января 2019
Описание
OpenVPN — свободная реализация технологии виртуальной частной сети (VPN) с открытым исходным кодом для создания зашифрованных каналов типа точка-точка или сервер-клиенты между компьютерами. Она позволяет устанавливать соединения между компьютерами, находящимися за NAT и сетевым экраном, без необходимости изменения их настроек. OpenVPN была создана Джеймсом Йонаном (James Yonan) и распространяется под лицензией GNU GPL.
Настройка сервера
Справедливо для OpenVPN 2.4.0
Конфигурация сервера с реализацией авторизации по логину-паролю без использования PAM (системных пользователей).
vim /etc/openvpn/server.conf
# OpenVPN 2.4 server configuration: clients authenticate with a username and
# password checked by an external script (verify.sh, shown further down), not
# with client certificates and not with PAM.
# Port Number.
port 1194
# TCP or UDP server.
proto udp
# Interface type, TUN or TAP.
dev tun
# Certificates.
ca ca.crt
cert SERVERNAME.crt
key SERVERNAME.key # This file should be kept secret
# Diffie hellman parameters.
dh dh2048.pem
# Subnet to use for OpenVPN Connections.
server 10.100.100.0 255.255.255.0
# Keepalive: send ping every 10 seconds, tunnel down after 120 seconds no response.
keepalive 10 120
# Route inject
push "route 10.50.50.0 255.255.255.0"
# LZO Compression for the tunnel.
#comp-lzo deprecated
# NOTE(review): "compress" is given without an algorithm here — confirm in the
# 2.4 manual what that enables; compression on a VPN link is generally
# discouraged, so dropping the line is the safer default.
compress
# Drop privileges to user/group nobody.
user nobody
group nogroup
# Makes the link more resistant to connection failures.
persist-key
persist-tun
# Encryption algorithm
# NOTE(review): the client template on this page says "cipher BF-CBC", which
# does not match this line; 2.4 peers may negotiate a different cipher than
# the one written here — confirm the effective cipher in the server log.
cipher AES-256-CBC
# Username and Password authentication.
# No client certificate is required, so the script named below is the only
# check a remote party has to pass before it gets a tunnel.
verify-client-cert none
#client-cert-not-required deprecated
#plugin /usr/lib/openvpn/openvpn-auth-pam.so login # Linux PAM authorization
# via-file: OpenVPN writes username (line 1) and password (line 2) to a
# temporary file and passes its path as $1 to the script.
auth-user-pass-verify /etc/openvpn/verify.sh via-file # Connect authorization script
# The supplied username becomes the client's common name (used in logs/status).
username-as-common-name
# Directory for the temporary credential file above. NOTE(review): presumably
# it must be writable by "nobody" after the privilege drop and should not be
# readable by other users — confirm.
tmp-dir /etc/openvpn/tmp
# Level 2 permits calling user-defined scripts; required for
# auth-user-pass-verify above.
script-security 2
# NOTE(review): the client template on this page carries a <tls-auth> block
# with key-direction 1; there is no matching tls-auth line here — confirm
# which side is out of date.
# OpenVPN Status Log files.
status openvpn-status.log
# LOG FILE VERBOSITY:
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
log /var/log/openvpn.log
Скрипт, выполняющий авторизацию клиентов. vim /etc/openvpn/verify.sh
#!/bin/sh
# Credential list for auth-user-pass-verify.
# Format: whitespace-separated "username:password" entries; the same
# username may appear more than once with different passwords.
# Inline alternative:
# USERS='user1:pass1 user2:pass2 user3:pass3'
# Here the entries are loaded from a separate file instead.
# NOTE(review): the file holds plaintext passwords, so its permissions matter.
USERS=$(cat /etc/openvpn/user.pass)
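#######################################
# Check one username/password pair against the USERS list.
# Globals:   USERS (read) - whitespace-separated "username:password" entries
# Arguments: $1 - username
#            $2 - password
# Returns:   exits 0 on the first matching entry; exits 1 if either
#            argument is empty; returns normally when nothing matched
#            (the caller decides what that means)
#######################################
vpn_verify() {
  # Quoted -z tests: a value containing spaces, glob characters or
  # something that looks like a test operator can no longer alter the
  # meaning of the test, as the unquoted "[ ! $1 ]" form allowed.
  if [ -z "$1" ] || [ -z "$2" ]; then
    exit 1
  fi
  # Whole-string comparison against each entry. NOTE: a ':' inside a
  # username or password is ambiguous in this file format.
  for entry in $USERS; do
    if [ "$entry" = "$1:$2" ]; then
      exit 0
    fi
  done
}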
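# Entry point. OpenVPN (auth-user-pass-verify ... via-file) passes one
# argument: the path of a temporary file whose first line is the username
# and whose second line is the password.
if [ -z "$1" ] || [ ! -e "$1" ]; then
  exit 1
fi
# Read the two lines verbatim instead of word-splitting `cat $1` into
# positional parameters: a password containing spaces, tabs or glob
# characters would otherwise arrive as several arguments (or expanded).
{
  IFS= read -r user
  IFS= read -r pass
} < "$1"
vpn_verify "$user" "$pass"
# vpn_verify exits 0 itself on a match; reaching this line means no entry
# matched, so reject the connection.
exit 1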
Скрипт должен быть исполняемым.
Настройка клиента
Шаблон для клиентского конфига
# Client template for the server configured above (tun over UDP).
dev tun
proto udp
# Внешний IP сервера OpenVPN
remote 172.16.111.166
# Port сервера
# NOTE(review): the server config on this page listens on 1194, not 1200 —
# confirm which value is current.
port 1200
client
resolv-retry infinite
tls-client
# Pairs with the <tls-auth> block at the end of this file; the server side
# needs the same key with the opposite direction.
key-direction 1
# HMAC digest for the data channel.
auth SHA1
# NOTE(review): BF-CBC is a 64-bit-block cipher and differs from the
# "cipher AES-256-CBC" in the server config on this page — confirm the
# effective cipher and prefer matching the server setting.
cipher BF-CBC
#comp-lzo
persist-key
persist-tun
#
# Credentials are read from this file: plaintext username/password on
# disk, so restrict its permissions to the user running the client.
auth-user-pass c:/temp/pass.txt
#
# just create a file with name pass.txt
# and put to it two lines
# -------------
#username
#password
# -------------
# Alternative: no file argument, OpenVPN prompts for the credentials.
#auth-user-pass
verb 3
# Inline CA certificate ("...." stands for the elided body).
<ca>
-----BEGIN CERTIFICATE-----
MIIE5jCCA86gAwIBAgIJAOt3kFH7PxA0MA0GCSqGSIb3DQEBCwUAMIGjMQswCQYD
....
-----END CERTIFICATE-----
</ca>
# Inline tls-auth key (also elided). NOTE(review): the server config on this
# page has no tls-auth line — confirm the server side is configured, or the
# handshake will not match.
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
83ddd29fa82212f3059d85a41490134c
....
a4f2c7df3a22364a49093bca102dedeb
-----END OpenVPN Static key V1-----
</tls-auth>