1 - Instalando pacotes e preparando o ambiente
# Platform this guide was written for.  CentOS 7 is end-of-life (June 2024) and
# the EPEL packages used below are OpenVPN 2.3.10 / OpenSSL 1.0.1e (see the server
# log later on this page); options such as tls-crypt or verify-client-cert need
# OpenVPN 2.4+ and are not available here.
[root@centos7 ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core) |
# openvpn and easy-rsa are not in the CentOS base repositories; EPEL provides both.
[root@centos7 ~]# yum -y install epel-release |
# Server daemon plus the Easy-RSA 2.0 helper scripts (section 8 shows the 3.0 flow).
[root@centos7 ~]# yum -y install openvpn easy-rsa |
# Work on a private copy of the scripts so package updates do not touch it.
# Side effect to keep in mind: the keys/ directory created below -- CA private
# key included -- ends up under /etc/openvpn on the VPN host itself.
[root@centos7 ~]# cp -Rfv /usr/share/easy-rsa/2.0/ /etc/openvpn/easy-rsa |
# Open only the VPN port, in the permanent configuration, then reload to apply.
# --list-service confirms that apart from 1194/udp only ssh and dhcpv6-client
# are exposed.  Routing VPN clients into a LAN (the commented "push route" in
# section 3) additionally needs net.ipv4.ip_forward=1 and a forward/masquerade
# rule, which this page does not show.
[root@centos7 ~]# firewall-cmd --add-port=1194/udp --permanent
success
[root@centos7 ~]# firewall-cmd --reload
success
[root@centos7 ~]# firewall-cmd --list-port
1194/udp
[root@centos7 ~]# firewall-cmd --list-service
dhcpv6-client ssh |
2 - Gerando certificados CA/CA-SERVER/DH
[root@centos7 easy-rsa]# cd /etc/openvpn/easy-rsa/
[root@centos7 easy-rsa]# vi vars
# Easy-RSA 2.0 environment file, sourced in the next step.  Only the DN defaults
# are changed; KEY_SIZE keeps its default (the build-ca output shows 2048-bit
# keys) and the 3650-day lifetime seen when signing presumably comes from the
# CA_EXPIRE/KEY_EXPIRE defaults in this same file.
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="BR"
export KEY_PROVINCE="SP"
export KEY_CITY="RIBEIRAOPRETO"
export KEY_ORG="JPCORP"
export KEY_OU="JPCORP"
# X509 Subject Field
export KEY_NAME="CA-JPCORP" |
# Load the DN defaults and KEY_DIR into the current shell; every easy-rsa script
# below relies on them, so repeat this in any new session.  The NOTE is literal:
# clean-all wipes keys/, CA included.
[root@centos7 easy-rsa]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys |
# First-time initialisation only.  Re-running this on a live CA destroys ca.key,
# every issued certificate and the index/serial -- the whole trust root of the VPN.
[root@centos7 easy-rsa]# ./clean-all |
# Creates the CA key pair and self-signed certificate.  Note that no passphrase
# is asked for: ca.key is written unencrypted (easy-rsa 2.0 default), see the
# keys/ listing further down.  Whoever can read that file can issue certificates
# this VPN trusts, so keep it off the VPN host -- or at least encrypt it -- once
# the server certificate has been signed.
[root@centos7 easy-rsa]# ./build-ca
Generating a 2048 bit RSA private key
............................................+++
.........+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BR]:
State or Province Name (full name) [SP]:
Locality Name (eg, city) [RIBEIRAOPRETO]:
Organization Name (eg, company) [JPCORP]:
Organizational Unit Name (eg, section) [JPCORP]:
Common Name (eg, your name or your server's hostname) [JPCORP CA]:
Name [CA-JPCORP]:
Email Address [JHONES@JPCORP.ETI.BR]: |
# Server key + CSR, signed on the spot by the CA created above.  easy-rsa 2.0's
# build-key-server signs with its "server" extension set from openssl-1.0.0.cnf
# (nsCertType / extendedKeyUsage serverAuth), which is what allows clients to
# enforce "remote-cert-tls server".  The challenge password is deliberately left
# empty; the certificate is valid for 3650 days (KEY_EXPIRE default, presumably).
[root@centos7 easy-rsa]# ./build-key-server server
Generating a 2048 bit RSA private key
.........+++
...........+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BR]:
State or Province Name (full name) [SP]:
Locality Name (eg, city) [RIBEIRAOPRETO]:
Organization Name (eg, company) [JPCORP]:
Organizational Unit Name (eg, section) [JPCORP]:
Common Name (eg, your name or your server's hostname) [server]:
Name [CA-JPCORP]:
Email Address [JHONES@JPCORP.ETI.BR]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'BR'
stateOrProvinceName :PRINTABLE:'SP'
localityName :PRINTABLE:'RIBEIRAOPRETO'
organizationName :PRINTABLE:'JPCORP'
organizationalUnitName:PRINTABLE:'JPCORP'
commonName :PRINTABLE:'server'
name :PRINTABLE:'CA-JPCORP'
Certificate is to be certified until Jan 28 23:35:47 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated |
# Diffie-Hellman parameters for the TLS control channel; the 2048-bit size
# follows KEY_SIZE from vars (hence the dh2048.pem file name).  Slow, but safe
# to re-run.
[root@centos7 easy-rsa]# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
................+............ |
# Result of the CA build.  Private keys (ca.key, server.key) are 0600 root; the
# certificates, the CA database (index.txt, serial) and the public DH parameters
# are 0644.  ca.key sits in the very directory the next step links under
# /etc/openvpn -- the server never needs it at run time.
[root@centos7 easy-rsa]# ll keys/
total 52
-rw-r--r-- 1 root root 5492 Jan 31 20:35 01.pem
-rw-r--r-- 1 root root 1732 Jan 31 20:35 ca.crt
-rw------- 1 root root 1704 Jan 31 20:35 ca.key
-rw-r--r-- 1 root root 424 Jan 31 20:39 dh2048.pem
-rw-r--r-- 1 root root 134 Jan 31 20:35 index.txt
-rw-r--r-- 1 root root 21 Jan 31 20:35 index.txt.attr
-rw-r--r-- 1 root root 0 Jan 31 20:35 index.txt.old
-rw-r--r-- 1 root root 3 Jan 31 20:35 serial
-rw-r--r-- 1 root root 3 Jan 31 20:35 serial.old
-rw-r--r-- 1 root root 5492 Jan 31 20:35 server.crt
-rw-r--r-- 1 root root 1078 Jan 31 20:35 server.csr
-rw------- 1 root root 1708 Jan 31 20:35 server.key |
# Links the WHOLE keys/ directory -- ca.key included -- as /etc/openvpn/ca-server.
# The daemon only needs ca.crt, server.crt, server.key and dh2048.pem; copying
# just those four files would keep the CA private key out of the server's
# configuration tree.
[root@centos7 easy-rsa]# cd ..
[root@centos7 openvpn]# ln -s /etc/openvpn/easy-rsa/keys/ /etc/openvpn/ca-server |
3 - Criando o .conf
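[root@centos7 openvpn]# vi site-to-client.conf
# OpenVPN server instance "site-to-client" (systemd unit openvpn@site-to-client,
# see section 4).  Authentication model on this page: NO client certificates;
# users are checked against local accounts through PAM.  Everything protecting
# the VPN is therefore the user's password plus the TLS settings below.
port 1194
proto udp
dev tun

# Server identity and trust anchor.  Only ca.crt, server.crt, server.key and the
# DH parameters are needed here; the CA private key does not have to live on
# the VPN host (see the note on the ca-server symlink in section 2).
ca /etc/openvpn/ca-server/ca.crt
cert /etc/openvpn/ca-server/server.crt
key /etc/openvpn/ca-server/server.key
dh /etc/openvpn/ca-server/dh2048.pem

# Remember which virtual IP each username received across restarts.
ifconfig-pool-persist /var/log/ipp_site-to-client.log

# Example of pushing a LAN route to clients (disabled).  The argument is the
# NETWORK address, i.e. 172.16.1.0 rather than the host address 172.16.1.1.
;push "route 172.16.1.0 255.255.255.0"

# Clients present no certificate at all; the server log flags this option as
# "POTENTIALLY DANGEROUS".  Anyone who can reach UDP/1194 can complete the TLS
# handshake and try passwords against PAM, and the CRL of section 9 has nothing
# to check here.
client-cert-not-required
tls-server
# Use the PAM username as the client's Common Name in logs and status files.
username-as-common-name

server 10.10.10.0 255.255.255.0
keepalive 10 120

# Data-channel crypto.  Without these lines OpenVPN 2.3 falls back to BF-CBC
# (64-bit block cipher) with SHA1, exactly what the logs on this page show.
# OpenVPN 2.3 does not negotiate ciphers: the client .ovpn must carry the same
# two lines or the tunnel will not pass traffic.
cipher AES-256-CBC
auth SHA256
# Both peers on this page already negotiate TLSv1.2; refuse anything older.
tls-version-min 1.2

# Optional extra layer: HMAC-sign every control-channel packet so that hosts
# without the shared key cannot even start a TLS handshake (blunts scanning,
# DoS and TLS-stack bugs).  Generate once with "openvpn --genkey --secret ta.key",
# distribute the same file to every client and enable it on both sides
# (direction 0 here, "tls-auth ta.key 1" in the client config).
;tls-auth /etc/openvpn/ta.key 0

# Compression inside an encrypted tunnel lets an attacker who controls part of
# the plaintext infer secrets from packet sizes.  Remove it on BOTH sides unless
# bandwidth really matters.
comp-lzo

# Drop root once the tunnel is up.  persist-key/persist-tun keep the key
# material and the tun device across SIGUSR1 restarts, because "nobody" can no
# longer read the 0600 key files.
user nobody
group nobody
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
persist-key
persist-tun

status /var/log/status_site-to-client.log
log-append /var/log/site-to-client.log
verb 3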
4 - Ativando o serviço, o @site-to-client deve ser o mesmo nome do arquivo .conf criado, aqui neste caso site-to-client.conf
# The instance name is the .conf file name without extension
# (openvpn@site-to-client -> /etc/openvpn/site-to-client.conf).
# "PID file ... not readable (yet?)" is a start-up race, not a failure: the unit
# reports active (running) immediately after.  Two openvpn PIDs are listed; the
# second is presumably the auth-pam plugin's background helper (it logs as
# "AUTH-PAM: BACKGROUND" in the server log) that stays privileged so PAM can
# still check passwords after the main process drops to nobody -- confirm on
# your build.
[root@centos7 openvpn]# systemctl enable openvpn@site-to-client
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@site-to-client.service to /usr/lib/systemd/system/openvpn@.service.
[root@centos7 openvpn]# systemctl start openvpn@site-to-client
[root@centos7 openvpn]# systemctl status openvpn@site-to-client
● openvpn@site-to-client.service - OpenVPN Robust And Highly Flexible Tunneling Application On site/to/client
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
Active: active (running) since Dom 2016-01-31 20:45:09 BRT; 4s ago
Process: 1795 ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf (code=exited, status=0/SUCCESS)
Main PID: 1796 (openvpn)
CGroup: /system.slice/system-openvpn.slice/openvpn@site-to-client.service
├─1796 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/site-to-client.pid --cd /etc/openvpn/ --config site-to-cli...
└─1797 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/site-to-client.pid --cd /etc/openvpn/ --config site-to-cli...
Jan 31 20:45:09 centos7 systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On site/to/client...
Jan 31 20:45:09 centos7 systemd[1]: PID file /var/run/openvpn/site-to-client.pid not readable (yet?) after start.
Jan 31 20:45:09 centos7 systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On site/to/client. |
5 - Criando usuário local
# Local account used only for the VPN: no home directory (-M) and no shell
# (/sbin/nologin), so the password works for the PAM "login" check but not for
# SSH or console access.
[root@centos7 openvpn]# adduser -M -s /sbin/nologin jhonespetter
# passwd warns that the password is shorter than 8 characters, yet -- run as
# root, which may override the quality check -- it accepts it on the second
# entry.  With no client certificate and no tls-auth in this setup, this
# password is the single secret protecting the VPN: enforce length/complexity
# and consider PAM lockout (pam_faillock) against online guessing.
[root@centos7 openvpn]# passwd jhonespetter
Mudando senha para o usuário jhonespetter.
Nova senha:
SENHA INCORRETA: A senha é menor do que 8 caracteres
Redigite a nova senha:
passwd: todos os tokens de autenticações foram atualizados com sucesso. |
6 - Criando o cliente
No parâmetro "remote", altere para o IP (ou nome DNS) do servidor. O arquivo pass.txt deve conter o usuário na primeira linha e a senha na segunda; como ele guarda a senha em texto claro, restrinja suas permissões (somente o usuário que roda o cliente deve lê-lo) e não o distribua junto com o .ovpn. No campo "<ca>" cole o conteúdo completo do CA gerado ("cat /etc/openvpn/ca-server/ca.crt"). Estes parâmetros do cliente servem tanto para Linux quanto para o cliente Windows.
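[root@centos7 openvpn]# vi client_model.ovpn
client
# IP/port of the VPN server -- replace with the real address.
remote 192.168.1.123 1194
proto udp
dev tun
persist-tun
persist-key

# Credentials come from pass.txt (username on line 1, password on line 2).
# That file holds the password in clear text: keep it readable by the VPN user
# only and never ship it together with the .ovpn; dropping the file name makes
# the client prompt interactively instead.
auth-user-pass pass.txt
# Do not keep the password cached in process memory after the handshake -- the
# client log on this page recommends this explicitly.
auth-nocache

ping 10
# See the server-side note: compression weakens the tunnel; remove it on BOTH
# sides unless really needed.
comp-lzo
verb 3
mute 10
tls-client

# Verify that the peer certificate was issued FOR A SERVER (nsCertType /
# extendedKeyUsage serverAuth, which easy-rsa's build-key-server adds).  Without
# this the client log reports "No server certificate verification method has
# been enabled" and any certificate signed by this CA is accepted as the server.
remote-cert-tls server
# Additionally pin the server certificate's Common Name ("server" in section 2).
verify-x509-name server name

# Must match site-to-client.conf exactly (OpenVPN 2.3 does not negotiate
# ciphers); without these lines the data channel defaults to BF-CBC/SHA1.
cipher AES-256-CBC
auth SHA256

# Paste the COMPLETE contents of /etc/openvpn/ca-server/ca.crt between the tags.
# The sample below is only an excerpt of the original CA certificate (ca.crt is
# 1732 bytes in section 2) and will not validate as-is.
<ca>
-----BEGIN CERTIFICATE-----
MIIE0zCCA7ugAwIBAgIJAMZ5uHRs0zB7MA0GCSqGSIb3DQEBCwUAMIGhMQswCQYD
VQQGEwJCUjELMAkGA1UECBMCU1AxFjAUBgNVBAcTDVJJQkVJUkFPUFJFVE8xDzAN
BgNVBAoTBkpQQ09SUDEPMA0GA1UECxMGSlBDT1JQMRIwEAYDVQQDEwlKUENPUlAg
Q0ExEjAQBgNVBCkTCUNBLUpQQ09SUDEjMCEGCSqGSIb3DQEJARYUSkhPTkVTQEpQ
Q09SUC5FVEkuQlIwHhcNMTYwMTMxMjMzNTIyWhcNMjYwMTI4MjMzNTIyWjCBoTEL
MAkGA1UEBhMCQlIxCzAJBgNVBAgTAlNQMRYwFAYDVQQHEw1SSUJFSVJBT1BSRVRP
MQ8wDQYDVQQKEwZKUENPUlAxDzANBgNVBAsTBkpQQ09SUDESMBAGA1UEAxMJSlBD
IftjAcY3ulrpcRadDH6neY8hdAbueHZlIqBkCG4kthKYaHNlp9n5NEEWRWty6oL+
wcAbeMAU9B0wPldtX4667D6jESKLPV0OvgVJIQKsgk7xjdpeUlXLc/KMVEoed+bg
7sHRrhYx72aVA28EEFDK7Tl39XlqZAvUgb1LptMCN4/un2foLdJFtiGODizF/Iyp
TmtBTYYoFFwCg/GK3Aah7/zzA3MHyXNTwFokDBhC8VkmL0ghszU9YUsNX3g5BZnu
Od3U8932zXjWSoN8xCB/YPqhhD2zL487vv6/phIYDGBLRmhWpbpJ
-----END CERTIFICATE-----
</ca>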
[root@centos7 openvpn]# vi pass.txt
# Credential file referenced by "auth-user-pass pass.txt" in client_model.ovpn:
# line 1 = username, line 2 = password, both in clear text.  Restrict it to the
# VPN user (mode 600) and never send it together with the .ovpn by e-mail or a
# shared folder.  The sample password below is the same 6-character one that
# passwd flagged as too short in section 5; with no client certificate and no
# tls-auth on this page it is the only secret standing between the Internet and
# the VPN.
jhonespetter
123456 |
Log cliente Windows:
Sun Jan 31 22:04:46 2016 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 4 2015 Sun Jan 31 22:04:46 2016 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08 Enter Management Password: Sun Jan 31 22:04:46 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341 Sun Jan 31 22:04:46 2016 Need hold release from management interface, waiting... Sun Jan 31 22:04:46 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341 Sun Jan 31 22:04:46 2016 MANAGEMENT: CMD 'state on' Sun Jan 31 22:04:46 2016 MANAGEMENT: CMD 'log all on' Sun Jan 31 22:04:46 2016 MANAGEMENT: CMD 'hold off' Sun Jan 31 22:04:46 2016 MANAGEMENT: CMD 'hold release' Sun Jan 31 22:04:46 2016 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Sun Jan 31 22:04:46 2016 Socket Buffers: R=[65536->65536] S=[65536->65536] Sun Jan 31 22:04:46 2016 UDPv4 link local (bound): [undef] Sun Jan 31 22:04:46 2016 UDPv4 link remote: [AF_INET]192.168.1.123:1194 Sun Jan 31 22:04:46 2016 MANAGEMENT: >STATE:1454285086,WAIT,,, Sun Jan 31 22:04:46 2016 MANAGEMENT: >STATE:1454285086,AUTH,,, Sun Jan 31 22:04:46 2016 TLS: Initial packet from [AF_INET]192.168.1.123:1194, sid=75cc05c4 bf99cbcf Sun Jan 31 22:04:46 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this Sun Jan 31 22:04:46 2016 VERIFY OK: depth=1, C=BR, ST=SP, L=RIBEIRAOPRETO, O=JPCORP, OU=JPCORP, CN=JPCORP CA, name=CA-JPCORP, emailAddress=JHONES@JPCORP.ETI.BR Sun Jan 31 22:04:46 2016 VERIFY OK: depth=0, C=BR, ST=SP, L=RIBEIRAOPRETO, O=JPCORP, OU=JPCORP, CN=server, name=CA-JPCORP, emailAddress=JHONES@JPCORP.ETI.BR Sun Jan 31 22:04:46 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key Sun Jan 31 22:04:46 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Sun Jan 31 22:04:46 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit 
key Sun Jan 31 22:04:46 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Sun Jan 31 22:04:46 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA Sun Jan 31 22:04:46 2016 [server] Peer Connection Initiated with [AF_INET]192.168.1.123:1194 Sun Jan 31 22:04:48 2016 MANAGEMENT: >STATE:1454285088,GET_CONFIG,,, Sun Jan 31 22:04:49 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1) Sun Jan 31 22:04:49 2016 PUSH: Received control message: 'PUSH_REPLY,route 10.10.10.1,topology net30,ping 10,ping-restart 120,ifconfig 10.10.10.6 10.10.10.5' Sun Jan 31 22:04:49 2016 OPTIONS IMPORT: timers and/or timeouts modified Sun Jan 31 22:04:49 2016 OPTIONS IMPORT: --ifconfig/up options modified Sun Jan 31 22:04:49 2016 OPTIONS IMPORT: route options modified Sun Jan 31 22:04:49 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 Sun Jan 31 22:04:49 2016 MANAGEMENT: >STATE:1454285089,ASSIGN_IP,,10.10.10.6, Sun Jan 31 22:04:49 2016 open_tun, tt->ipv6=0 Sun Jan 31 22:04:49 2016 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{EDBEF909-0B38-4329-9E9B-37699CBF7E59}.tap Sun Jan 31 22:04:49 2016 TAP-Windows Driver Version 9.21 Sun Jan 31 22:04:49 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.10.10.6/255.255.255.252 on interface {EDBEF909-0B38-4329-9E9B-37699CBF7E59} [DHCP-serv: 10.10.10.5, lease-time: 31536000] Sun Jan 31 22:04:49 2016 Successful ARP Flush on interface [6] {EDBEF909-0B38-4329-9E9B-37699CBF7E59} Sun Jan 31 22:04:54 2016 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up Sun Jan 31 22:04:54 2016 MANAGEMENT: >STATE:1454285094,ADD_ROUTES,,, Sun Jan 31 22:04:54 2016 C:\WINDOWS\system32\route.exe ADD 10.10.10.1 MASK 255.255.255.255 10.10.10.5 Sun Jan 31 22:04:54 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4 Sun Jan 31 22:04:54 2016 Route addition via IPAPI succeeded [adaptive] Sun Jan 31 22:04:54 2016 Initialization Sequence Completed Sun Jan 
31 22:04:54 2016 MANAGEMENT: >STATE:1454285094,CONNECTED,SUCCESS,10.10.10.6,192.168.1.123 |
5 - Troubleshooting
- Atente para a data e hora do servidor e do cliente: o cliente pode acusar erro de certificado se o relógio estiver fora do período de validade do CA/certificado (notBefore/notAfter), pois ele interpreta que a data atual diverge da data de geração. Mantenha ambos sincronizados via NTP (chrony/ntpd).
- Liberar no firewall a porta e o protocolo corretos (neste guia 1194/udp, conforme a seção 1).
- SELinux: em vez de desabilitá-lo, coloque-o temporariamente em modo permissivo (setenforce 0) para confirmar que ele é a causa, verifique as negações em /var/log/audit/audit.log (ausearch -m avc) e corrija os contextos/booleans necessários — desabilitar o SELinux remove uma camada de proteção do próprio servidor de VPN.
- Analisar Logs:
[root@centos7 openvpn]# cat /var/log/ipp_site-to-client.log jhonespetter,10.10.10.4 [root@centos7 openvpn]# cat /var/log/status_site-to-client.log OpenVPN CLIENT LIST Updated,Sun Jan 31 21:06:27 2016 Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since jhonespetter,192.168.1.122:1194,7274,4781,Sun Jan 31 21:04:27 2016 ROUTING TABLE Virtual Address,Common Name,Real Address,Last Ref 10.10.10.6,jhonespetter,192.168.1.122:1194,Sun Jan 31 21:04:27 2016 GLOBAL STATS Max bcast/mcast queue length,0 END [root@centos7 openvpn]# cat /var/log/site-to-client.log Sun Jan 31 20:45:09 2016 OpenVPN 2.3.10 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan 4 2016 Sun Jan 31 20:45:09 2016 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06 Sun Jan 31 20:45:09 2016 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet. 
Sun Jan 31 20:45:09 2016 PLUGIN_INIT: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so] [login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY Sun Jan 31 20:45:09 2016 Diffie-Hellman initialized with 2048 bit key Sun Jan 31 20:45:09 2016 WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate Sun Jan 31 20:45:09 2016 Socket Buffers: R=[212992->212992] S=[212992->212992] Sun Jan 31 20:45:09 2016 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:65:d7:b1 Sun Jan 31 20:45:09 2016 TUN/TAP device tun0 opened Sun Jan 31 20:45:09 2016 TUN/TAP TX queue length set to 100 Sun Jan 31 20:45:09 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 Sun Jan 31 20:45:09 2016 /usr/sbin/ip link set dev tun0 up mtu 1500 Sun Jan 31 20:45:09 2016 /usr/sbin/ip addr add dev tun0 local 10.10.10.1 peer 10.10.10.2 Sun Jan 31 20:45:09 2016 /usr/sbin/ip route add 10.10.10.0/24 via 10.10.10.2 Sun Jan 31 20:45:09 2016 GID set to nobody Sun Jan 31 20:45:09 2016 UID set to nobody Sun Jan 31 20:45:09 2016 UDPv4 link local (bound): [undef] Sun Jan 31 20:45:09 2016 UDPv4 link remote: [undef] Sun Jan 31 20:45:09 2016 MULTI: multi_init called, r=256 v=256 Sun Jan 31 20:45:09 2016 IFCONFIG POOL: base=10.10.10.4 size=62, ipv6=0 Sun Jan 31 20:45:09 2016 IFCONFIG POOL LIST Sun Jan 31 20:45:09 2016 Initialization Sequence Completed Sun Jan 31 21:03:23 2016 192.168.1.122:1194 TLS: Initial packet from [AF_INET]192.168.1.122:1194, sid=32940f01 a16b6492 AUTH-PAM: BACKGROUND: user 'jhonespetter' failed to authenticate: Authentication failure Sun Jan 31 21:03:24 2016 192.168.1.122:1194 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1 Sun Jan 31 21:03:24 2016 192.168.1.122:1194 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: 
/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so Sun Jan 31 21:03:24 2016 192.168.1.122:1194 TLS Auth Error: Auth Username/Password verification failed for peer Sun Jan 31 21:03:24 2016 192.168.1.122:1194 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384 Sun Jan 31 21:03:24 2016 192.168.1.122:1194 Peer Connection Initiated with [AF_INET]192.168.1.122:1194 Sun Jan 31 21:03:27 2016 192.168.1.122:1194 PUSH: Received control message: 'PUSH_REQUEST' Sun Jan 31 21:03:27 2016 192.168.1.122:1194 Delayed exit in 5 seconds Sun Jan 31 21:03:27 2016 192.168.1.122:1194 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1) Sun Jan 31 21:03:29 2016 192.168.1.122:1194 TLS Error: Cannot accept new session request from [AF_INET]192.168.1.122:1194 due to session context expire or --single-session [2] Sun Jan 31 21:03:31 2016 192.168.1.122:1194 TLS Error: Cannot accept new session request from [AF_INET]192.168.1.122:1194 due to session context expire or --single-session [2] Sun Jan 31 21:03:32 2016 192.168.1.122:1194 SIGTERM[soft,delayed-exit] received, client-instance exiting Sun Jan 31 21:04:27 2016 192.168.1.122:1194 TLS: Initial packet from [AF_INET]192.168.1.122:1194, sid=58c95441 97d4166a Sun Jan 31 21:04:27 2016 192.168.1.122:1194 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0 Sun Jan 31 21:04:27 2016 192.168.1.122:1194 TLS: Username/Password authentication succeeded for username 'jhonespetter' [CN SET] Sun Jan 31 21:04:27 2016 192.168.1.122:1194 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key Sun Jan 31 21:04:27 2016 192.168.1.122:1194 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Sun Jan 31 21:04:27 2016 192.168.1.122:1194 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key Sun Jan 31 21:04:27 2016 192.168.1.122:1194 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Sun Jan 31 21:04:27 2016 
192.168.1.122:1194 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384 Sun Jan 31 21:04:27 2016 192.168.1.122:1194 [jhonespetter] Peer Connection Initiated with [AF_INET]192.168.1.122:1194 Sun Jan 31 21:04:27 2016 jhonespetter/192.168.1.122:1194 MULTI_sva: pool returned IPv4=10.10.10.6, IPv6=(Not enabled) Sun Jan 31 21:04:27 2016 jhonespetter/192.168.1.122:1194 MULTI: Learn: 10.10.10.6 -> jhonespetter/192.168.1.122:1194 Sun Jan 31 21:04:27 2016 jhonespetter/192.168.1.122:1194 MULTI: primary virtual IP for jhonespetter/192.168.1.122:1194: 10.10.10.6 Sun Jan 31 21:04:29 2016 jhonespetter/192.168.1.122:1194 PUSH: Received control message: 'PUSH_REQUEST' Sun Jan 31 21:04:29 2016 jhonespetter/192.168.1.122:1194 send_push_reply(): safe_cap=940 Sun Jan 31 21:04:29 2016 jhonespetter/192.168.1.122:1194 SENT CONTROL [jhonespetter]: 'PUSH_REPLY,route 10.10.10.1,topology net30,ping 10,ping-restart 120,ifconfig 10.10.10.6 10.10.10.5' (status=1) |
7 - Autenticação via LDAP
# Alternative to PAM: authenticate VPN users against Active Directory / LDAP.
# Lines starting with "# " followed by a command are root prompts, as elsewhere
# on this page.
# yum install openvpn-auth-ldap
# vim /etc/openvpn/server.conf
# The guide's server file is site-to-client.conf (section 3); edit whichever
# instance you actually run.  This plugin line REPLACES the auth-pam one; the
# plugin path differs from the PAM plugin's /usr/lib64/openvpn/plugins/ -- check
# what the package installed.  Clients still present no certificate.
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf
client-cert-not-required
# vim /etc/openvpn/auth/ldap.conf
# This file contains the bind password in clear text: make it root-only (0600).
<LDAP>
# LDAP server URL
# Plain ldap:// on 389 combined with "TLSEnable no" below means the bind
# password AND every VPN user's password cross the network unencrypted.  Use
# ldaps:// or TLSEnable yes (with a TLSCACertFile that really exists) in
# production.
URL ldap://10.13.31.2:389
# Bind DN (If your LDAP server doesn't support anonymous binds)
# Use a dedicated, read-only, least-privilege account for the bind.
BindDN uservpn@jpcorp.eti.br
# Bind Password
# Password SecretPassword
Password "SENHA"
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
TLSEnable no
#TLSEnable yes
# Follow LDAP Referrals (anonymously)
FollowReferrals yes
# TLS CA Certificate File
TLSCACertFile /usr/local/etc/ssl/ca.pem
# TLS CA Certificate Directory
TLSCACertDir /etc/ssl/certs
# Client Certificate and key
# If TLS client authentication is required
TLSCertFile /usr/local/etc/ssl/client-cert.pem
TLSKeyFile /usr/local/etc/ssl/client-key.pem
</LDAP>
<Authorization>
# Base DN
BaseDN "dc=jpcorp,dc=eti,dc=br"
# User Search Filter
# %u is the username typed by the client, matched on sAMAccountName (AD).
SearchFilter "(&(sAMAccountName=%u))"
# Require Group Membership
# false = EVERY account that can bind to the directory may log in to the VPN.
# Set it to true and add a <Group> block so only a dedicated VPN group is allowed.
RequireGroup false
</Authorization> |
8 - Easy-RSA 3.0
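## CA / server certificate / DH with Easy-RSA 3.0
# Assumes an Easy-RSA 3 tree in /etc/openvpn/easy-rsa; the 2.0 copy made in
# section 1 has no "easyrsa" script.
[root@centos7]# cd /etc/openvpn/easy-rsa/
[root@centos7]# ./easyrsa init-pki
# No "nopass" for the CA: a passphrase then protects ca.key at rest.  The CA key
# signs every certificate the VPN trusts, and an unencrypted copy on the VPN
# host lets anyone who can read it mint server or client certificates.  The
# passphrase is requested at each signing step below.
[root@centos7]# ./easyrsa build-ca
# nopass is acceptable for the SERVER key: the daemon must read it unattended.
[root@centos7]# ./easyrsa build-server-full server nopass
[root@centos7]# ./easyrsa gen-dh
[root@centos7]# cd /etc/openvpn/easy-rsa/pki/
# Server .conf directives for this layout (compare the ca-server paths of section 3):
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem

## Client certificate
# One certificate per user/device so each can be revoked individually
# (section 9).  Prefer a passphrase-protected key on laptops; keep nopass for
# unattended clients only.
[root@centos7]# cd /etc/openvpn/easy-rsa/
[root@centos7]# ./easyrsa build-client-full client1 nopass
# Client .ovpn directives.  "client-ca"/"client-key" are not OpenVPN options;
# the client uses the same cert/key directives as the server.  Hand client1.crt,
# client1.key and ca.crt to the user over a secure channel only.
cert /etc/openvpn/easy-rsa/pki/issued/client1.crt
key /etc/openvpn/easy-rsa/pki/private/client1.key
# Reminder: site-to-client.conf (section 3) contains client-cert-not-required,
# which makes the server ignore client certificates; remove it if certificates
# are meant to authenticate clients.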
9 - Revogar certificado
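# NOTE: revocation only matters for certificate-authenticated clients.  The
# site-to-client.conf of section 3 uses client-cert-not-required, so there a
# departing user must instead be locked out of PAM/LDAP (disable the account).
#
# One-time setup -- create the (initially empty) CRL and point the server at it:
# ./easyrsa gen-crl
# Add to the server .conf.  The path follows the Easy-RSA 3 layout of section 8
# (pki/ directly under /etc/openvpn/easy-rsa):
crl-verify /etc/openvpn/easy-rsa/pki/crl.pem
# The daemon drops to user/group nobody after start-up and OpenVPN 2.3 re-opens
# the CRL at every client handshake, so crl.pem must stay readable by that user.
# Restart the instance that matches your .conf (openvpn@site-to-client in
# section 4) so the new directive is loaded:
# systemctl restart openvpn@site-to-client
#
# Revoking one client -- the name is the one given to build-client-full (section 8):
# ./easyrsa revoke client1
# ./easyrsa gen-crl
# systemctl restart openvpn@site-to-client
#
# The CRL itself has a validity period (EASYRSA_CRL_DAYS in vars, 180 days by
# default).  On OpenVPN 2.4+ an expired CRL makes the server reject EVERY
# client, so re-run "./easyrsa gen-crl" periodically or raise EASYRSA_CRL_DAYS.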
Referências:
https://openvpn.net/index.php/component/content/article/55.html
https://openvpn.net/index.php/open-source/documentation/howto.html
https://openvpn.net/index.php/open-source/documentation/miscellaneous/88-1xhowto.html
https://wiki.gentoo.org/wiki/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts