— | wiki:articles:openvpn [17/03/2020 12:41] (текущий) – создано - внешнее изменение 127.0.0.1 | ||
Строка 1: | Строка 1: | ||
+ | ^ ** OpenVPN ** ^ | ||
+ | \\ | ||
+ | Так как в SlackWare 14.1 // | ||
+ | |||
+ | * eth0(22.22.22.22) - // | ||
+ | * eth1(192.168.10.250) - // | ||
+ | * tap0(192.168.111.1) - //VPN интерфейс и IP-адрес сервера// | ||
+ | * 192.168.10.244 - // | ||
+ | |||
+ | =====Генерация сертификатов и ключей===== | ||
+ | |||
+ | Если у Вас нет необходимости создавать свой центр сертификации, | ||
+ | |||
+ | Для генерации ключей перейдите в каталог /// | ||
+ | < | ||
+ | # cd / | ||
+ | </ | ||
+ | |||
+ | Теперь отредактируйте файл // | ||
+ | < | ||
+ | | ||
+ | | ||
+ | | ||
+ | echo NOTE: when you run ./ | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | </ | ||
+ | |||
+ | Этот файл предназначен для установок переменных среды окружения, | ||
+ | < | ||
+ | # . ./vars | ||
+ | NOTE: when you run ./ | ||
+ | # | ||
+ | </ | ||
+ | |||
+ | Теперь запускаем программу очистки (на всякий пожарный, | ||
+ | < | ||
+ | # ./clean-all | ||
+ | # | ||
+ | </ | ||
+ | |||
+ | Осталось запустить процесс генерации ключей и сертификата СА. | ||
+ | < | ||
+ | # ./build-ca | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | ----- | ||
+ | You are about to be asked to enter information that will be incorporated | ||
+ | into your certificate request. | ||
+ | What you are about to enter is what is called a Distinguished Name or a DN. | ||
+ | There are quite a few fields but you can leave some blank | ||
+ | For some fields there will be a default value, | ||
+ | If you enter ' | ||
+ | ----- | ||
+ | | ||
+ | State or Province Name (full name) [RU]: | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | Email Address [it@myorg.ru]: | ||
+ | # | ||
+ | </ | ||
+ | |||
+ | Некоторые поля заполняются автоматически, | ||
+ | |||
+ | В директории /// | ||
+ | Теперь следует создать ключ и сертификат для сервера. | ||
+ | < | ||
+ | # ./ | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | ----- | ||
+ | You are about to be asked to enter information that will be incorporated | ||
+ | into your certificate request. | ||
+ | What you are about to enter is what is called a Distinguished Name or a DN. | ||
+ | There are quite a few fields but you can leave some blank | ||
+ | For some fields there will be a default value, | ||
+ | If you enter ' | ||
+ | ----- | ||
+ | | ||
+ | State or Province Name (full name) [RU]: | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | Email Address [it@myorg.ru]: | ||
+ | |||
+ | | ||
+ | to be sent with your certificate request | ||
+ | A challenge password []:password | ||
+ | An optional company name []: | ||
+ | Using configuration from / | ||
+ | Check that the request matches the signature | ||
+ | | ||
+ | The Subject' | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | Sign the certificate? | ||
+ | |||
+ | 1 out of 1 certificate requests certified, commit? [y/n]y | ||
+ | Write out database with 1 new entries | ||
+ | Data Base Updated | ||
+ | # | ||
+ | </ | ||
+ | |||
+ | Сгенерируем сертификаты и ключи для клиентской машины. (для каждой новой машины лучше генерировать сертификат по ее имени) | ||
+ | < | ||
+ | # ./build-key mashina_01 | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | ----- | ||
+ | You are about to be asked to enter information that will be incorporated | ||
+ | into your certificate request. | ||
+ | What you are about to enter is what is called a Distinguished Name or a DN. | ||
+ | There are quite a few fields but you can leave some blank | ||
+ | For some fields there will be a default value, | ||
+ | If you enter ' | ||
+ | ----- | ||
+ | | ||
+ | State or Province Name (full name) [RU]: | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | Email Address [it@myorg.ru]: | ||
+ | |||
+ | | ||
+ | to be sent with your certificate request | ||
+ | A challenge password []:password | ||
+ | An optional company name []: | ||
+ | Using configuration from / | ||
+ | | ||
+ | Check that the request matches the signature | ||
+ | | ||
+ | The Subject' | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | Sign the certificate? | ||
+ | |||
+ | 1 out of 1 certificate requests certified, commit? [y/n]y | ||
+ | Write out database with 1 new entries | ||
+ | Data Base Updated | ||
+ | # | ||
+ | </ | ||
+ | |||
+ | В заключении следует создать //Diffie Hellman// параметры. | ||
+ | < | ||
+ | # ./build-dh | ||
+ | | ||
+ | This is going to take a long time | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | # | ||
+ | </ | ||
+ | |||
+ | И создать секретный ключ. | ||
+ | < | ||
+ | # openvpn --genkey --secret / | ||
+ | </ | ||
+ | |||
+ | Посмотрим содержимое директории /// | ||
+ | < | ||
+ | # ls / | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | # | ||
+ | </ | ||
+ | Теперь необходимо разобраться какие файлы куда помещать. | ||
+ | |||
+ | ^ ** Файл ** ^ ** Машина ** | ||
+ | |ca.crt | ||
+ | |ca.key | ||
+ | |dh1024.pem | ||
+ | |vpnsrv.myorg.crt | ||
+ | |vpnsrv.myorg.key | ||
+ | |mashina_01.crt | ||
+ | |mashina_01.key | ||
+ | |ta.key | ||
+ | |||
+ | Файлы *.csr можно удалить. | ||
+ | |||
+ | Скопируйте все необходимые файлы на клиенты в директорию /// | ||
+ | |||
+ | На всякий пожарный проверьте действительность создаваемых сертификатов. | ||
+ | < | ||
+ | # | ||
+ | </ | ||
+ | Для сервера следует изменить // | ||
+ | |||
+ | Теперь настраиваем сервер. Для этого создаём файл /// | ||
+ | < | ||
+ | cd / | ||
+ | local 22.22.22.22 # внешний IP-адрес | ||
+ | proto udp # протокол | ||
+ | port 1194 # порт | ||
+ | | ||
+ | verb 3 # уровень логов | ||
+ | | ||
+ | | ||
+ | dev tap0 # интерфейс | ||
+ | | ||
+ | | ||
+ | mode server | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | push "route 192.168.10.0 255.255.255.0 192.168.111.1" | ||
+ | push " | ||
+ | push " | ||
+ | push " | ||
+ | | ||
+ | ca / | ||
+ | dh / | ||
+ | cert / | ||
+ | key / | ||
+ | | ||
+ | user nobody | ||
+ | group nobody | ||
+ | | ||
+ | # | ||
+ | </ | ||
+ | |||
+ | Настраиваем // | ||
+ | < | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | </ | ||
+ | |||
+ | Создадим стартовый скрипт /// | ||
+ | Пример стартового скрипта можно найти в документации к // | ||
+ | < | ||
+ | # | ||
+ | # | ||
+ | # openvpn | ||
+ | # | ||
+ | # | ||
+ | # description: | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # Contributed to the OpenVPN project by | ||
+ | # Douglas Keller < | ||
+ | # 2002.05.15 | ||
+ | # | ||
+ | # To install: | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # To uninstall: | ||
+ | # | ||
+ | # | ||
+ | # Author' | ||
+ | # | ||
+ | # I have created an /etc/init.d init script and enhanced openvpn.spec to | ||
+ | # automatically register the init script. | ||
+ | # can start and stop OpenVPN with " | ||
+ | # openvpn stop". | ||
+ | # | ||
+ | # The init script does the following: | ||
+ | # | ||
+ | # - Starts an openvpn process for each .conf file it finds in | ||
+ | # | ||
+ | # | ||
+ | # - If / | ||
+ | # | ||
+ | # | ||
+ | # - In addition to start/stop you can do: | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # Modifications: | ||
+ | # | ||
+ | # 2003.05.02 | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # 2005.04.04 | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # 2005.12.13 | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # Location of openvpn binary | ||
+ | | ||
+ | |||
+ | # Lockfile | ||
+ | | ||
+ | |||
+ | # PID directory | ||
+ | | ||
+ | |||
+ | # Our working directory | ||
+ | | ||
+ | |||
+ | # Check that binary exists | ||
+ | if ! [ -f $openvpn ] | ||
+ | then | ||
+ | echo " | ||
+ | exit 0 | ||
+ | fi | ||
+ | |||
+ | # See how we were called. | ||
+ | case " | ||
+ | | ||
+ | echo -n $" | ||
+ | |||
+ | / | ||
+ | |||
+ | # From a security perspective, | ||
+ | # sense to remove this, and have users who need | ||
+ | # it explictly enable in their --up scripts or | ||
+ | # firewall setups. | ||
+ | |||
+ | #echo 1 > / | ||
+ | |||
+ | # Run startup script, if defined | ||
+ | if [ -f $work/ | ||
+ | | ||
+ | fi | ||
+ | |||
+ | if [ ! -d $piddir ]; then | ||
+ | mkdir $piddir | ||
+ | fi | ||
+ | |||
+ | if [ -f $lock ]; then | ||
+ | # we were not shut down correctly | ||
+ | for pidf in `/bin/ls $piddir/ | ||
+ | if [ -s $pidf ]; then | ||
+ | kill `cat $pidf` >/ | ||
+ | fi | ||
+ | rm -f $pidf | ||
+ | done | ||
+ | rm -f $lock | ||
+ | sleep 2 | ||
+ | fi | ||
+ | |||
+ | rm -f $piddir/ | ||
+ | cd $work | ||
+ | |||
+ | # Start every .conf in $work and run .sh if exists | ||
+ | | ||
+ | | ||
+ | for c in `/bin/ls *.conf 2>/ | ||
+ | | ||
+ | if [ -f " | ||
+ | . $bn.sh | ||
+ | fi | ||
+ | rm -f $piddir/ | ||
+ | | ||
+ | if [ $? = 0 ]; then | ||
+ | | ||
+ | else | ||
+ | | ||
+ | fi | ||
+ | | ||
+ | |||
+ | if [ $errors = 1 ]; then | ||
+ | echo faliure | ||
+ | else | ||
+ | echo success | ||
+ | fi | ||
+ | |||
+ | if [ $successes = 1 ]; then | ||
+ | touch $lock | ||
+ | fi | ||
+ | ;; | ||
+ | stop) | ||
+ | echo -n $" | ||
+ | for pidf in `/bin/ls $piddir/ | ||
+ | if [ -s $pidf ]; then | ||
+ | kill `cat $pidf` >/ | ||
+ | fi | ||
+ | rm -f $pidf | ||
+ | done | ||
+ | |||
+ | # Run shutdown script, if defined | ||
+ | if [ -f $work/ | ||
+ | | ||
+ | fi | ||
+ | |||
+ | echo success | ||
+ | rm -f $lock | ||
+ | ;; | ||
+ | | ||
+ | $0 stop | ||
+ | sleep 2 | ||
+ | $0 start | ||
+ | ;; | ||
+ | | ||
+ | if [ -f $lock ]; then | ||
+ | for pidf in `/bin/ls $piddir/ | ||
+ | if [ -s $pidf ]; then | ||
+ | kill -HUP `cat $pidf` >/ | ||
+ | fi | ||
+ | done | ||
+ | else | ||
+ | echo " | ||
+ | exit 1 | ||
+ | fi | ||
+ | ;; | ||
+ | | ||
+ | if [ -f $lock ]; then | ||
+ | for pidf in `/bin/ls $piddir/ | ||
+ | if [ -s $pidf ]; then | ||
+ | kill -USR1 `cat $pidf` >/ | ||
+ | fi | ||
+ | done | ||
+ | else | ||
+ | echo " | ||
+ | exit 1 | ||
+ | fi | ||
+ | ;; | ||
+ | | ||
+ | if [ -f $lock ]; then | ||
+ | $0 stop | ||
+ | # avoid race | ||
+ | sleep 2 | ||
+ | $0 start | ||
+ | fi | ||
+ | ;; | ||
+ | | ||
+ | if [ -f $lock ]; then | ||
+ | for pidf in `/bin/ls $piddir/ | ||
+ | if [ -s $pidf ]; then | ||
+ | kill -USR2 `cat $pidf` >/ | ||
+ | fi | ||
+ | done | ||
+ | echo " | ||
+ | else | ||
+ | echo " | ||
+ | exit 1 | ||
+ | fi | ||
+ | ;; | ||
+ | *) | ||
+ | echo " | ||
+ | exit 1 | ||
+ | ;; | ||
+ | esac | ||
+ | exit 0 | ||
+ | </ | ||
+ | |||
+ | Если необходим автоматический старт при запуске системы вручную добавьте в скрипт /// | ||
+ | < | ||
+ | # Open VPN | ||
+ | if [ -x / | ||
+ | / | ||
+ | fi | ||
+ | </ | ||
+ | |||
+ | И сразу же запустим «в ручную»: | ||
+ | < | ||
+ | # / | ||
+ | </ | ||
+ | |||
+ | |||
+ | |||
+ | ===== Настраиваем клиента (Windows) ===== | ||
+ | |||
+ | Скачиваем [[https:// | ||
+ | Устанавливаем в каталог, | ||
+ | |||
+ | В каталоге // | ||
+ | < | ||
+ | | ||
+ | dev tap | ||
+ | proto udp | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | ca C: | ||
+ | cert C: | ||
+ | key C: | ||
+ | | ||
+ | | ||
+ | | ||
+ | verb 3 | ||
+ | mute 5 | ||
+ | ping 10 | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | pull | ||
+ | | ||
+ | | ||
+ | | ||
+ | </ | ||
+ | |||
+ | И соединяемся… | ||
+ | Всё, дальше работаем как с локалкой. | ||
+ | |||
+ | ===== Настраиваем клиента (Linux Slackware) ===== | ||
+ | |||
+ | Скачиваем [[http:// | ||
+ | В каталог /// | ||
+ | И создаем файл /// | ||
+ | < | ||
+ | | ||
+ | dev tap0 | ||
+ | proto udp | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | ca / | ||
+ | cert / | ||
+ | key / | ||
+ | | ||
+ | | ||
+ | | ||
+ | verb 3 | ||
+ | mute 5 | ||
+ | ping 10 | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | pull | ||
+ | | ||
+ | | ||
+ | </ | ||
+ | |||
+ | Запускаем //KVpnc// и импортируем наш файл // | ||
+ | {{http:// | ||
+ | |||
+ | Указываем его место расположение \\ | ||
+ | {{http:// | ||
+ | |||
+ | И получив сообщение об успешном импорте, | ||
+ | {{http:// | ||
+ | |||
+ | Если все верно, должно пройти соединение и дальше можно работать как в локальной сети.\\ | ||
+ | Если же соединение не получилось, | ||
+ | |||
+ | В принципе, | ||
+ | |||
+ | ===== Аутентификация по логину и паролю ===== | ||
+ | |||
+ | Для аутентификации будем использовать файл с хешироваными по md5 паролями. | ||
+ | |||
+ | Сначала создадим каталог для скрипта авторизации: | ||
+ | < | ||
+ | # mkdir / | ||
+ | </ | ||
+ | |||
+ | Затем, в этом каталоге, | ||
+ | < | ||
+ | # | ||
+ | |||
+ | # | ||
+ | # $Id$ | ||
+ | # | ||
+ | # Кравчук Сергей, | ||
+ | # | ||
+ | |||
+ | use strict; | ||
+ | use warnings; | ||
+ | use Digest:: | ||
+ | use version; our $VERSION = qv(0.01); | ||
+ | |||
+ | my $password_file = '/ | ||
+ | my $ARG = undef; | ||
+ | if ( $ARG = shift @ARGV ) { | ||
+ | if ( !open( UPFILE, "< | ||
+ | print "Could not open username/ | ||
+ | exit 1; | ||
+ | } | ||
+ | } | ||
+ | else { | ||
+ | print "No username/ | ||
+ | exit 1; | ||
+ | } | ||
+ | |||
+ | my $username = < | ||
+ | my $password = < | ||
+ | |||
+ | if ( !$username || !$password ) { | ||
+ | print " | ||
+ | exit 1; | ||
+ | } | ||
+ | |||
+ | chomp $username; | ||
+ | chomp $password; | ||
+ | |||
+ | close(UPFILE); | ||
+ | |||
+ | if ( !open( USER_PASSWORD, | ||
+ | print "Could not open username/ | ||
+ | exit 1; | ||
+ | } | ||
+ | foreach my $line (< | ||
+ | chomp($line); | ||
+ | my ( $read_user, $read_password ) = split(/:/, $line); | ||
+ | if ( $read_user eq $username ) { | ||
+ | my $hex_password = md5_hex $password; | ||
+ | if ( $hex_password eq $read_password) { | ||
+ | close(USER_PASSWORD); | ||
+ | exit 0; | ||
+ | } | ||
+ | exit 1; | ||
+ | } | ||
+ | } | ||
+ | |||
+ | close(USER_PASSWORD); | ||
+ | |||
+ | exit 1; | ||
+ | </ | ||
+ | |||
+ | Далее хешируем пароли для пользователей: | ||
+ | Graf - MySuperPassword\\ | ||
+ | v_pupkin - Vasiliy123 | ||
+ | |||
+ | < | ||
+ | # echo -n ' | ||
+ | b742afa4446f65e348ad07d05f154cc3 | ||
+ | |||
+ | # echo -n ' | ||
+ | 4799f3cc499f7257dd4091c71d9333cb | ||
+ | </ | ||
+ | |||
+ | и прописываем их в файл /// | ||
+ | < | ||
+ | Graf: | ||
+ | v_pupkin: | ||
+ | |||
+ | </ | ||
+ | **Последний перевод строки обязателен!** | ||
+ | |||
+ | Ну, и файл /// | ||
+ | < | ||
+ | cd/ | ||
+ | local 22.22.22.22 | ||
+ | proto udp | ||
+ | port 1194 | ||
+ | comp-lzo | ||
+ | verb 3 | ||
+ | status / | ||
+ | log / | ||
+ | tmp-dir /tmp | ||
+ | dev tap0 | ||
+ | persist-key | ||
+ | persist-tun | ||
+ | mode server | ||
+ | tls-server | ||
+ | tls-timeout 120 | ||
+ | ifconfig-pool 192.168.111.2 192.168.111.52 | ||
+ | ifconfig 192.168.111.1 255.255.255.0 | ||
+ | push "route 192.168.10.0 255.255.255.0 192.168.111.1 192.168.10.250" | ||
+ | ca / | ||
+ | dh / | ||
+ | cert / | ||
+ | key / | ||
+ | tls-auth / | ||
+ | client-cert-not-required | ||
+ | cipher DES-EDE3-CBC | ||
+ | keepalive 10 600 | ||
+ | max-clients 100 | ||
+ | user nobody | ||
+ | group nogroup | ||
+ | auth MD5 | ||
+ | auth-user-pass-verify / | ||
+ | </ | ||
+ | |||
+ | и файл конфигурации для Linux клиента: | ||
+ | < | ||
+ | auth-user-pass | ||
+ | dev tap0 | ||
+ | proto udp | ||
+ | remote 22.22.22.22 | ||
+ | port 1194 | ||
+ | client | ||
+ | resolv-retry infinite | ||
+ | ca / | ||
+ | cert / | ||
+ | key / | ||
+ | tls-auth / | ||
+ | tls-client | ||
+ | auth MD5 | ||
+ | cipher DES-EDE3-CBC | ||
+ | ns-cert-type server | ||
+ | comp-lzo | ||
+ | persist-key | ||
+ | persist-tun | ||
+ | verb 3 | ||
+ | mute 5 | ||
+ | ping 10 | ||
+ | tun-mtu 1500 | ||
+ | tun-mtu-extra 32 | ||
+ | mssfix 1450 | ||
+ | pull | ||
+ | route-method exe | ||
+ | explicit-exit-notify 10 | ||
+ | </ | ||
+ | |||
+ | и файл конфигурации для Windows клиента: | ||
+ | < | ||
+ | auth-user-pass | ||
+ | dev tap0 | ||
+ | proto udp | ||
+ | remote 22.22.22.22 | ||
+ | port 1194 | ||
+ | client | ||
+ | nobind | ||
+ | resolv-retry infinite | ||
+ | ca " | ||
+ | cert " | ||
+ | key " | ||
+ | tls-auth " | ||
+ | tls-client | ||
+ | auth MD5 | ||
+ | cipher DES-EDE3-CBC | ||
+ | ns-cert-type server | ||
+ | comp-lzo | ||
+ | persist-key | ||
+ | persist-tun | ||
+ | verb 3 | ||
+ | mute 5 | ||
+ | ping 10 | ||
+ | tun-mtu 1500 | ||
+ | tun-mtu-extra 32 | ||
+ | mssfix 1450 | ||
+ | pull | ||
+ | route-method exe | ||
+ | explicit-exit-notify 10 | ||
+ | show-net-up | ||
+ | </ | ||
+ | |||
+ | Вот и всё :) \\ | ||
+ | После ввода логина и пароля, | ||
+ | |||
+ | |||
+ | |||
+ | === Ссылался на.... ==== | ||
+ | ---- | ||
+ | http:// | ||
+ | http:// | ||
+ | http:// | ||
+ | http:// | ||
+ | \\ | ||
+ | \\ | ||
+ | [[http:// | ||
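Review bot: The verify script added at lines 616–675 authenticates by comparing the submitted password against an unsalted MD5 digest (`md5_hex $password` at 663, matched against the `user:hash` rows at 691–692), and because the server block at 699–730 also sets `client-cert-not-required` (722) that digest is the only client credential, so a copied `password_file` is directly crackable offline; a salted, deliberately slow password hash (crypt-style via the system library, or a module the wiki can name) should replace the `md5_hex` comparison, with a comment stating that the file must be readable only by the account the script runs as. The same server block and both client configs pin `cipher DES-EDE3-CBC`, `auth MD5` and a 1024-bit `dh1024.pem` (723, 728, 718 and the mirrored client lines at 746–747, 778–779) plus `comp-lzo`; these should become `cipher AES-256-GCM`, `auth SHA256`, a DH file of 2048 bits or more, and compression left off, while `ns-cert-type server` (748, 780) is the deprecated spelling of `remote-cert-tls server`. `tmp-dir /tmp` (707) is where the daemon writes the per-connection credential file that `auth-user-pass-verify … via-file` hands to the script, so a dedicated directory with restrictive permissions is safer than a world-writable path. Minor: the script exits with `exit 1` on the first row whose username matches (668), so a later duplicate row is never consulted — probably intended, but worth a one-line comment. Many lines of this page creation were cut by the diff view (for example the first server config at 249–257), so anything about the tls-auth and key-file settings there is inferred from the fuller copy at 717–721.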