{"id":374,"date":"2016-01-31T21:09:52","date_gmt":"2016-02-01T00:09:52","guid":{"rendered":"http:\/\/wordpress.jpcorp.eti.br\/?p=374"},"modified":"2021-12-26T12:31:33","modified_gmt":"2021-12-26T15:31:33","slug":"openvpn-site-to-client-por-usuario-e-senha-no-centos-7","status":"publish","type":"post","link":"https:\/\/wordpress.jpcorp.eti.br\/?p=374","title":{"rendered":"OpenVPN Site-To-Client por usu\u00e1rio e senha no CentOS 7"},"content":{"rendered":"<h3>1 - Instalando pacotes e preparando o ambiente<\/h3>\n<pre class=\"lang:sh decode:true\">[root@centos7 ~]# cat \/etc\/redhat-release\r\nCentOS Linux release 7.2.1511 (Core)<\/pre>\n<pre class=\"lang:sh decode:true \">[root@centos7 ~]# yum -y install epel-release\r\n<\/pre>\n<pre class=\"lang:sh decode:true \">[root@centos7 ~]# yum -y install openvpn easy-rsa\r\n<\/pre>\n<pre class=\"lang:sh decode:true\" title=\"Easy-rsa\">[root@centos7 ~]# cp -Rfv \/usr\/share\/easy-rsa\/2.0\/ \/etc\/openvpn\/easy-rsa\r\n<\/pre>\n<pre class=\"lang:sh decode:true\" title=\"Libera\u00e7\u00e3o no Firewall\">[root@centos7 ~]# firewall-cmd --add-port=1194\/udp --permanent\r\nsuccess\r\n[root@centos7 ~]# firewall-cmd --reload\r\nsuccess\r\n[root@centos7 ~]# firewall-cmd --list-port\r\n1194\/udp\r\n[root@centos7 ~]# firewall-cmd --list-service\r\ndhcpv6-client ssh\r\n<\/pre>\n<h3>2 - Gerando certificados CA\/CA-SERVER\/DH<\/h3>\n<pre class=\"lang:sh decode:true\">[root@centos7 easy-rsa]# cd \/etc\/openvpn\/easy-rsa\/\r\n[root@centos7 easy-rsa]# vi vars\r\n\r\n# These are the default values for fields\r\n# which will be placed in the certificate.\r\n# Don't leave any of these fields blank.\r\nexport KEY_COUNTRY=\"BR\"\r\nexport KEY_PROVINCE=\"SP\"\r\nexport KEY_CITY=\"RIBEIRAOPRETO\"\r\nexport KEY_ORG=\"JPCORP\"\r\nexport KEY_EMAIL=\"JHONES@JPCORP.ETI.BR\"\r\nexport KEY_OU=\"JPCORP\"\r\n\r\n# X509 Subject Field\r\nexport KEY_NAME=\"CA-JPCORP\"<\/pre>\n<pre class=\"lang:sh decode:true\">[root@centos7 easy-rsa]# source .\/vars\r\nNOTE: 
If you run .\/clean-all, I will be doing a rm -rf on \/etc\/openvpn\/easy-rsa\/keys<\/pre>\n<pre class=\"lang:sh decode:true \">[root@centos7 easy-rsa]# .\/clean-all\r\n<\/pre>\n<pre class=\"lang:sh decode:true\" title=\"Build CA\">[root@centos7 easy-rsa]# .\/build-ca\r\nGenerating a 2048 bit RSA private key\r\n............................................+++\r\n.........+++\r\nwriting new private key to 'ca.key'\r\n-----\r\nYou are about to be asked to enter information that will be incorporated\r\ninto your certificate request.\r\nWhat you are about to enter is what is called a Distinguished Name or a DN.\r\nThere are quite a few fields but you can leave some blank\r\nFor some fields there will be a default value,\r\nIf you enter '.', the field will be left blank.\r\n-----\r\nCountry Name (2 letter code) [BR]:\r\nState or Province Name (full name) [SP]:\r\nLocality Name (eg, city) [RIBEIRAOPRETO]:\r\nOrganization Name (eg, company) [JPCORP]:\r\nOrganizational Unit Name (eg, section) [JPCORP]:\r\nCommon Name (eg, your name or your server's hostname) [JPCORP CA]:\r\nName [CA-JPCORP]:\r\nEmail Address [JHONES@JPCORP.ETI.BR]:<\/pre>\n<pre class=\"lang:sh decode:true \" title=\"Build CA-Server\">[root@centos7 easy-rsa]# .\/build-key-server server\r\nGenerating a 2048 bit RSA private key\r\n.........+++\r\n...........+++\r\nwriting new private key to 'server.key'\r\n-----\r\nYou are about to be asked to enter information that will be incorporated\r\ninto your certificate request.\r\nWhat you are about to enter is what is called a Distinguished Name or a DN.\r\nThere are quite a few fields but you can leave some blank\r\nFor some fields there will be a default value,\r\nIf you enter '.', the field will be left blank.\r\n-----\r\nCountry Name (2 letter code) [BR]:\r\nState or Province Name (full name) [SP]:\r\nLocality Name (eg, city) [RIBEIRAOPRETO]:\r\nOrganization Name (eg, company) [JPCORP]:\r\nOrganizational Unit Name (eg, section) [JPCORP]:\r\nCommon Name (eg, your 
name or your server's hostname) [server]:\r\nName [CA-JPCORP]:\r\nEmail Address [JHONES@JPCORP.ETI.BR]:\r\n\r\nPlease enter the following 'extra' attributes\r\nto be sent with your certificate request\r\nA challenge password []:\r\nAn optional company name []:\r\nUsing configuration from \/etc\/openvpn\/easy-rsa\/openssl-1.0.0.cnf\r\nCheck that the request matches the signature\r\nSignature ok\r\nThe Subject's Distinguished Name is as follows\r\ncountryName           :PRINTABLE:'BR'\r\nstateOrProvinceName   :PRINTABLE:'SP'\r\nlocalityName          :PRINTABLE:'RIBEIRAOPRETO'\r\norganizationName      :PRINTABLE:'JPCORP'\r\norganizationalUnitName:PRINTABLE:'JPCORP'\r\ncommonName            :PRINTABLE:'server'\r\nname                  :PRINTABLE:'CA-JPCORP'\r\nemailAddress          :IA5STRING:'JHONES@JPCORP.ETI.BR'\r\nCertificate is to be certified until Jan 28 23:35:47 2026 GMT (3650 days)\r\nSign the certificate? [y\/n]:y\r\n\r\n\r\n1 out of 1 certificate requests certified, commit? [y\/n]y\r\nWrite out database with 1 new entries\r\nData Base Updated<\/pre>\n<pre class=\"lang:sh decode:true\" title=\"Build DH (Diffie Hellman)\">[root@centos7 easy-rsa]# .\/build-dh\r\nGenerating DH parameters, 2048 bit long safe prime, generator 2\r\n................+............<\/pre>\n<pre class=\"lang:sh decode:true \">[root@centos7 easy-rsa]# ll keys\/\r\ntotal 52\r\n-rw-r--r-- 1 root root 5492 Jan 31 20:35 01.pem\r\n-rw-r--r-- 1 root root 1732 Jan 31 20:35 ca.crt\r\n-rw------- 1 root root 1704 Jan 31 20:35 ca.key\r\n-rw-r--r-- 1 root root  424 Jan 31 20:39 dh2048.pem\r\n-rw-r--r-- 1 root root  134 Jan 31 20:35 index.txt\r\n-rw-r--r-- 1 root root   21 Jan 31 20:35 index.txt.attr\r\n-rw-r--r-- 1 root root    0 Jan 31 20:35 index.txt.old\r\n-rw-r--r-- 1 root root    3 Jan 31 20:35 serial\r\n-rw-r--r-- 1 root root    3 Jan 31 20:35 serial.old\r\n-rw-r--r-- 1 root root 5492 Jan 31 20:35 server.crt\r\n-rw-r--r-- 1 root root 1078 Jan 31 20:35 server.csr\r\n-rw------- 1 root root 1708 
Jan 31 20:35 server.key<\/pre>\n<pre class=\"lang:sh decode:true\">[root@centos7 easy-rsa]# cd ..\r\n[root@centos7 openvpn]# ln -s \/etc\/openvpn\/easy-rsa\/keys\/ \/etc\/openvpn\/ca-server<\/pre>\n<h3>\u00a03 - Criando o .conf<\/h3>\n<pre class=\"lang:sh decode:true\">[root@centos7 openvpn]# vi site-to-client.conf\r\n\r\nport 1194\r\nproto udp\r\ndev tun\r\nca \/etc\/openvpn\/ca-server\/ca.crt\r\ncert \/etc\/openvpn\/ca-server\/server.crt\r\nkey \/etc\/openvpn\/ca-server\/server.key\r\ndh \/etc\/openvpn\/ca-server\/dh2048.pem\r\nifconfig-pool-persist \/var\/log\/ipp_site-to-client.log\r\n;push \"route 172.16.1.1 255.255.255.0\"\r\nclient-cert-not-required\r\ntls-server\r\nusername-as-common-name\r\nserver 10.10.10.0 255.255.255.0\r\nkeepalive 10 120\r\ncomp-lzo\r\nuser nobody\r\ngroup nobody\r\nplugin \/usr\/lib64\/openvpn\/plugins\/openvpn-plugin-auth-pam.so login\r\npersist-key\r\npersist-tun\r\nstatus \/var\/log\/status_site-to-client.log\r\nlog-append \/var\/log\/site-to-client.log\r\nverb 3\r\n<\/pre>\n<p style=\"text-align: justify;\"><strong>Observa\u00e7\u00f5es de seguran\u00e7a sobre o .conf:<\/strong> (1) <code>client-cert-not-required<\/code> faz com que qualquer host que alcance a porta 1194\/udp complete o handshake TLS e possa tentar usu\u00e1rio e senha contra o PAM (o pr\u00f3prio OpenVPN registra \"POTENTIALLY DANGEROUS OPTION\" no log); compense com <code>tls-auth<\/code> ou <code>tls-crypt<\/code> (chave est\u00e1tica distribu\u00edda aos clientes) e com bloqueio de tentativas (pam_faillock ou fail2ban). Em OpenVPN 2.4+ a diretiva foi substitu\u00edda por <code>verify-client-cert none<\/code>. (2) Sem <code>cipher<\/code> e <code>auth<\/code> a sess\u00e3o cai no padr\u00e3o BF-CBC\/SHA1 (vis\u00edvel nos logs mais abaixo); defina explicitamente, no servidor e nos clientes, <code>cipher AES-256-CBC<\/code> (AES-256-GCM a partir do 2.4) e <code>auth SHA256<\/code>. (3) <code>comp-lzo<\/code>: compress\u00e3o dentro do t\u00fanel exp\u00f5e a ataques da fam\u00edlia VORACLE; deixe desativada se n\u00e3o for indispens\u00e1vel. (4) O link <code>ca-server<\/code> aponta para <code>easy-rsa\/keys<\/code>, que cont\u00e9m tamb\u00e9m <code>ca.key<\/code>; o servidor s\u00f3 precisa de ca.crt, server.crt, server.key e dh2048.pem. Copie apenas esses arquivos e mantenha a chave privada da CA fora do servidor VPN (ou, no m\u00ednimo, protegida por passphrase).<\/p>\n<h3>\u00a04 - Ativando o servi\u00e7o, o @site-to-client deve ser o mesmo nome do arquivo .conf criado, aqui neste caso site-to-client.conf<\/h3>\n<pre class=\"lang:sh decode:true\">[root@centos7 openvpn]# systemctl enable openvpn@site-to-client\r\nCreated symlink from \/etc\/systemd\/system\/multi-user.target.wants\/openvpn@site-to-client.service to \/usr\/lib\/systemd\/system\/openvpn@.service.\r\n[root@centos7 openvpn]# systemctl start openvpn@site-to-client\r\n[root@centos7 openvpn]# systemctl status openvpn@site-to-client\r\n\u25cf openvpn@site-to-client.service - OpenVPN Robust And Highly Flexible Tunneling Application On site\/to\/client\r\n   Loaded: loaded (\/usr\/lib\/systemd\/system\/openvpn@.service; enabled; vendor preset: disabled)\r\n   Active: active (running) since Dom 2016-01-31 20:45:09 BRT; 4s ago\r\n  Process: 1795 ExecStart=\/usr\/sbin\/openvpn --daemon --writepid \/var\/run\/openvpn\/%i.pid --cd \/etc\/openvpn\/ --config %i.conf 
(code=exited, status=0\/SUCCESS)\r\n Main PID: 1796 (openvpn)\r\n   CGroup: \/system.slice\/system-openvpn.slice\/openvpn@site-to-client.service\r\n           \u251c\u25001796 \/usr\/sbin\/openvpn --daemon --writepid \/var\/run\/openvpn\/site-to-client.pid --cd \/etc\/openvpn\/ --config site-to-cli...\r\n           \u2514\u25001797 \/usr\/sbin\/openvpn --daemon --writepid \/var\/run\/openvpn\/site-to-client.pid --cd \/etc\/openvpn\/ --config site-to-cli...\r\n\r\nJan 31 20:45:09 centos7 systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On site\/to\/client...\r\nJan 31 20:45:09 centos7 systemd[1]: PID file \/var\/run\/openvpn\/site-to-client.pid not readable (yet?) after start.\r\nJan 31 20:45:09 centos7 systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On site\/to\/client.<\/pre>\n<h3>5 - Criando usu\u00e1rio local<\/h3>\n<pre class=\"lang:sh decode:true \">[root@centos7 openvpn]# adduser -M -s \/sbin\/nologin jhonespetter\r\n[root@centos7 openvpn]# passwd jhonespetter\r\nMudando senha para o usu\u00e1rio jhonespetter.\r\nNova senha:\r\nSENHA INCORRETA: A senha \u00e9 menor do que 8 caracteres\r\nRedigite a nova senha:\r\npasswd: todos os tokens de autentica\u00e7\u00f5es foram atualizados com sucesso.<\/pre>\n<p style=\"text-align: justify;\"><strong>Observa\u00e7\u00e3o:<\/strong> o aviso \"senha menor do que 8 caracteres\" foi ignorado porque o root pode for\u00e7ar senhas fracas; como esta conta autentica numa porta exposta sem certificado de cliente, use senha longa e aleat\u00f3ria. <code>-M -s \/sbin\/nologin<\/code> evita home e shell, mas a conta continua v\u00e1lida em qualquer outro servi\u00e7o que use o servi\u00e7o PAM <code>login<\/code> (o nome passado ao plugin); considere um servi\u00e7o PAM dedicado (ex.: \/etc\/pam.d\/openvpn) para controlar quem pode entrar pela VPN e aplicar pam_faillock.<\/p>\n<h3>6 - Criando o cliente<\/h3>\n<p style=\"text-align: justify;\">No par\u00e2metro \"remote\" alterar para o ip do server, o arquivo pass.txt deve possuir o usu\u00e1rio e senha, no campo \"&lt;ca&gt;\" coloque o conte\u00fado do CA gerado \"cat \/etc\/openvpn\/ca-server\/ca.crt\". Aten\u00e7\u00e3o: o bloco &lt;ca&gt; do exemplo abaixo est\u00e1 truncado (faltam linhas do PEM) e serve s\u00f3 de modelo; use o ca.crt completo. Inclua tamb\u00e9m <code>remote-cert-tls server<\/code> no cliente: sem isso ele aceita como servidor qualquer certificado assinado pela CA (\u00e9 o aviso \"No server certificate verification method has been enabled\" no log do Windows abaixo), e um certificado de cliente emitido pela mesma CA poderia se passar pelo servidor e capturar usu\u00e1rio e senha. O pass.txt guarda a senha em texto claro: restrinja as permiss\u00f5es (chmod 600), ou use apenas <code>auth-user-pass<\/code> sem arquivo para o cliente perguntar a senha, e acrescente <code>auth-nocache<\/code> (o pr\u00f3prio cliente avisa que pode manter a senha em mem\u00f3ria). 
Estes par\u00e2metros para o cliente serve tanto para Linux quanto para rodar no cliente de Windows.<\/p>\n<pre class=\"lang:sh decode:true\">[root@centos7 openvpn]# vi client_model.ovpn\r\n\r\nclient\r\nremote 192.168.1.123 1194\r\nproto udp\r\ndev tun\r\npersist-tun\r\npersist-key\r\nauth-user-pass pass.txt\r\nping 10\r\ncomp-lzo\r\nverb 3\r\nmute 10\r\ntls-client\r\n&lt;ca&gt;\r\n-----BEGIN CERTIFICATE-----\r\nMIIE0zCCA7ugAwIBAgIJAMZ5uHRs0zB7MA0GCSqGSIb3DQEBCwUAMIGhMQswCQYD\r\nVQQGEwJCUjELMAkGA1UECBMCU1AxFjAUBgNVBAcTDVJJQkVJUkFPUFJFVE8xDzAN\r\nBgNVBAoTBkpQQ09SUDEPMA0GA1UECxMGSlBDT1JQMRIwEAYDVQQDEwlKUENPUlAg\r\nQ0ExEjAQBgNVBCkTCUNBLUpQQ09SUDEjMCEGCSqGSIb3DQEJARYUSkhPTkVTQEpQ\r\nQ09SUC5FVEkuQlIwHhcNMTYwMTMxMjMzNTIyWhcNMjYwMTI4MjMzNTIyWjCBoTEL\r\nMAkGA1UEBhMCQlIxCzAJBgNVBAgTAlNQMRYwFAYDVQQHEw1SSUJFSVJBT1BSRVRP\r\nMQ8wDQYDVQQKEwZKUENPUlAxDzANBgNVBAsTBkpQQ09SUDESMBAGA1UEAxMJSlBD\r\nIftjAcY3ulrpcRadDH6neY8hdAbueHZlIqBkCG4kthKYaHNlp9n5NEEWRWty6oL+\r\nwcAbeMAU9B0wPldtX4667D6jESKLPV0OvgVJIQKsgk7xjdpeUlXLc\/KMVEoed+bg\r\n7sHRrhYx72aVA28EEFDK7Tl39XlqZAvUgb1LptMCN4\/un2foLdJFtiGODizF\/Iyp\r\nTmtBTYYoFFwCg\/GK3Aah7\/zzA3MHyXNTwFokDBhC8VkmL0ghszU9YUsNX3g5BZnu\r\nOd3U8932zXjWSoN8xCB\/YPqhhD2zL487vv6\/phIYDGBLRmhWpbpJ\r\n-----END CERTIFICATE-----\r\n&lt;\/ca&gt;<\/pre>\n<pre class=\"lang:sh decode:true\">[root@centos7 openvpn]# vi pass.txt\r\n\r\njhonespetter\r\n123456\r\n<\/pre>\n<p>Log cliente Windows:<\/p>\n<pre class=\"lang:sh decode:true \">Sun Jan 31 22:04:46 2016 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  4 2015\r\nSun Jan 31 22:04:46 2016 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08\r\nEnter Management Password:\r\nSun Jan 31 22:04:46 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341\r\nSun Jan 31 22:04:46 2016 Need hold release from management interface, waiting...\r\nSun Jan 31 22:04:46 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341\r\nSun Jan 31 22:04:46 2016 MANAGEMENT: CMD 'state 
on'\r\nSun Jan 31 22:04:46 2016 MANAGEMENT: CMD 'log all on'\r\nSun Jan 31 22:04:46 2016 MANAGEMENT: CMD 'hold off'\r\nSun Jan 31 22:04:46 2016 MANAGEMENT: CMD 'hold release'\r\nSun Jan 31 22:04:46 2016 WARNING: No server certificate verification method has been enabled.  See http:\/\/openvpn.net\/howto.html#mitm for more info.\r\nSun Jan 31 22:04:46 2016 Socket Buffers: R=[65536-&gt;65536] S=[65536-&gt;65536]\r\nSun Jan 31 22:04:46 2016 UDPv4 link local (bound): [undef]\r\nSun Jan 31 22:04:46 2016 UDPv4 link remote: [AF_INET]192.168.1.123:1194\r\nSun Jan 31 22:04:46 2016 MANAGEMENT: &gt;STATE:1454285086,WAIT,,,\r\nSun Jan 31 22:04:46 2016 MANAGEMENT: &gt;STATE:1454285086,AUTH,,,\r\nSun Jan 31 22:04:46 2016 TLS: Initial packet from [AF_INET]192.168.1.123:1194, sid=75cc05c4 bf99cbcf\r\nSun Jan 31 22:04:46 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this\r\nSun Jan 31 22:04:46 2016 VERIFY OK: depth=1, C=BR, ST=SP, L=RIBEIRAOPRETO, O=JPCORP, OU=JPCORP, CN=JPCORP CA, name=CA-JPCORP, emailAddress=JHONES@JPCORP.ETI.BR\r\nSun Jan 31 22:04:46 2016 VERIFY OK: depth=0, C=BR, ST=SP, L=RIBEIRAOPRETO, O=JPCORP, OU=JPCORP, CN=server, name=CA-JPCORP, emailAddress=JHONES@JPCORP.ETI.BR\r\nSun Jan 31 22:04:46 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key\r\nSun Jan 31 22:04:46 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication\r\nSun Jan 31 22:04:46 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key\r\nSun Jan 31 22:04:46 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication\r\nSun Jan 31 22:04:46 2016 Control Channel: TLSv1.2, cipher TLSv1\/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA\r\nSun Jan 31 22:04:46 2016 [server] Peer Connection Initiated with [AF_INET]192.168.1.123:1194\r\nSun Jan 31 22:04:48 2016 MANAGEMENT: &gt;STATE:1454285088,GET_CONFIG,,,\r\nSun Jan 31 22:04:49 2016 SENT CONTROL [server]: 
'PUSH_REQUEST' (status=1)\r\nSun Jan 31 22:04:49 2016 PUSH: Received control message: 'PUSH_REPLY,route 10.10.10.1,topology net30,ping 10,ping-restart 120,ifconfig 10.10.10.6 10.10.10.5'\r\nSun Jan 31 22:04:49 2016 OPTIONS IMPORT: timers and\/or timeouts modified\r\nSun Jan 31 22:04:49 2016 OPTIONS IMPORT: --ifconfig\/up options modified\r\nSun Jan 31 22:04:49 2016 OPTIONS IMPORT: route options modified\r\nSun Jan 31 22:04:49 2016 do_ifconfig, tt-&gt;ipv6=0, tt-&gt;did_ifconfig_ipv6_setup=0\r\nSun Jan 31 22:04:49 2016 MANAGEMENT: &gt;STATE:1454285089,ASSIGN_IP,,10.10.10.6,\r\nSun Jan 31 22:04:49 2016 open_tun, tt-&gt;ipv6=0\r\nSun Jan 31 22:04:49 2016 TAP-WIN32 device [Ethernet 3] opened: \\\\.\\Global\\{EDBEF909-0B38-4329-9E9B-37699CBF7E59}.tap\r\nSun Jan 31 22:04:49 2016 TAP-Windows Driver Version 9.21 \r\nSun Jan 31 22:04:49 2016 Notified TAP-Windows driver to set a DHCP IP\/netmask of 10.10.10.6\/255.255.255.252 on interface {EDBEF909-0B38-4329-9E9B-37699CBF7E59} [DHCP-serv: 10.10.10.5, lease-time: 31536000]\r\nSun Jan 31 22:04:49 2016 Successful ARP Flush on interface [6] {EDBEF909-0B38-4329-9E9B-37699CBF7E59}\r\nSun Jan 31 22:04:54 2016 TEST ROUTES: 1\/1 succeeded len=1 ret=1 a=0 u\/d=up\r\nSun Jan 31 22:04:54 2016 MANAGEMENT: &gt;STATE:1454285094,ADD_ROUTES,,,\r\nSun Jan 31 22:04:54 2016 C:\\WINDOWS\\system32\\route.exe ADD 10.10.10.1 MASK 255.255.255.255 10.10.10.5\r\nSun Jan 31 22:04:54 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4\r\nSun Jan 31 22:04:54 2016 Route addition via IPAPI succeeded [adaptive]\r\nSun Jan 31 22:04:54 2016 Initialization Sequence Completed\r\nSun Jan 31 22:04:54 2016 MANAGEMENT: &gt;STATE:1454285094,CONNECTED,SUCCESS,10.10.10.6,192.168.1.123\r\n<\/pre>\n<h3>5 - Troubleshooting<\/h3>\n<ul>\n<li style=\"text-align: justify;\">Se atentar na data e hora do servidor e cliente, pois pode ocorrer do cliente gritar erro de certificado por causa disto, pois o mesmo identifica que a data e hora 
atual s\u00e3o divergentes da data e hora da gera\u00e7\u00e3o do CA.<\/li>\n<li style=\"text-align: justify;\">Liberar porta e protocolo correto.<\/li>\n<li style=\"text-align: justify;\">SELinux: n\u00e3o o deixe desabilitado em produ\u00e7\u00e3o. Para confirmar se ele \u00e9 a causa, use <code>setenforce 0<\/code> apenas temporariamente e veja os bloqueios com <code>ausearch -m avc -ts recent<\/code>; depois corrija (gere a pol\u00edtica com audit2allow, ou mova status\/log\/ipp para caminhos j\u00e1 rotulados para o OpenVPN, conferindo com <code>semanage fcontext -l | grep openvpn<\/code>) e volte com <code>setenforce 1<\/code>.<\/li>\n<li style=\"text-align: justify;\">Analisar Logs:<\/li>\n<\/ul>\n<pre class=\"lang:sh decode:true\">[root@centos7 openvpn]# cat \/var\/log\/ipp_site-to-client.log\r\njhonespetter,10.10.10.4\r\n[root@centos7 openvpn]# cat \/var\/log\/status_site-to-client.log\r\nOpenVPN CLIENT LIST\r\nUpdated,Sun Jan 31 21:06:27 2016\r\nCommon Name,Real Address,Bytes Received,Bytes Sent,Connected Since\r\njhonespetter,192.168.1.122:1194,7274,4781,Sun Jan 31 21:04:27 2016\r\nROUTING TABLE\r\nVirtual Address,Common Name,Real Address,Last Ref\r\n10.10.10.6,jhonespetter,192.168.1.122:1194,Sun Jan 31 21:04:27 2016\r\nGLOBAL STATS\r\nMax bcast\/mcast queue length,0\r\nEND\r\n[root@centos7 openvpn]# cat \/var\/log\/site-to-client.log\r\nSun Jan 31 20:45:09 2016 OpenVPN 2.3.10 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan  4 2016\r\nSun Jan 31 20:45:09 2016 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06\r\nSun Jan 31 20:45:09 2016 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  
Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.\r\nSun Jan 31 20:45:09 2016 PLUGIN_INIT: POST \/usr\/lib64\/openvpn\/plugins\/openvpn-plugin-auth-pam.so '[\/usr\/lib64\/openvpn\/plugins\/openvpn-plugin-auth-pam.so] [login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY\r\nSun Jan 31 20:45:09 2016 Diffie-Hellman initialized with 2048 bit key\r\nSun Jan 31 20:45:09 2016 WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate\r\nSun Jan 31 20:45:09 2016 Socket Buffers: R=[212992-&gt;212992] S=[212992-&gt;212992]\r\nSun Jan 31 20:45:09 2016 ROUTE_GATEWAY 192.168.1.1\/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:65:d7:b1\r\nSun Jan 31 20:45:09 2016 TUN\/TAP device tun0 opened\r\nSun Jan 31 20:45:09 2016 TUN\/TAP TX queue length set to 100\r\nSun Jan 31 20:45:09 2016 do_ifconfig, tt-&gt;ipv6=0, tt-&gt;did_ifconfig_ipv6_setup=0\r\nSun Jan 31 20:45:09 2016 \/usr\/sbin\/ip link set dev tun0 up mtu 1500\r\nSun Jan 31 20:45:09 2016 \/usr\/sbin\/ip addr add dev tun0 local 10.10.10.1 peer 10.10.10.2\r\nSun Jan 31 20:45:09 2016 \/usr\/sbin\/ip route add 10.10.10.0\/24 via 10.10.10.2\r\nSun Jan 31 20:45:09 2016 GID set to nobody\r\nSun Jan 31 20:45:09 2016 UID set to nobody\r\nSun Jan 31 20:45:09 2016 UDPv4 link local (bound): [undef]\r\nSun Jan 31 20:45:09 2016 UDPv4 link remote: [undef]\r\nSun Jan 31 20:45:09 2016 MULTI: multi_init called, r=256 v=256\r\nSun Jan 31 20:45:09 2016 IFCONFIG POOL: base=10.10.10.4 size=62, ipv6=0\r\nSun Jan 31 20:45:09 2016 IFCONFIG POOL LIST\r\nSun Jan 31 20:45:09 2016 Initialization Sequence Completed\r\nSun Jan 31 21:03:23 2016 192.168.1.122:1194 TLS: Initial packet from [AF_INET]192.168.1.122:1194, sid=32940f01 a16b6492\r\nAUTH-PAM: BACKGROUND: user 'jhonespetter' failed to authenticate: Authentication failure\r\nSun Jan 31 21:03:24 2016 192.168.1.122:1194 PLUGIN_CALL: POST 
\/usr\/lib64\/openvpn\/plugins\/openvpn-plugin-auth-pam.so\/PLUGIN_AUTH_USER_PASS_VERIFY status=1\r\nSun Jan 31 21:03:24 2016 192.168.1.122:1194 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: \/usr\/lib64\/openvpn\/plugins\/openvpn-plugin-auth-pam.so\r\nSun Jan 31 21:03:24 2016 192.168.1.122:1194 TLS Auth Error: Auth Username\/Password verification failed for peer\r\nSun Jan 31 21:03:24 2016 192.168.1.122:1194 Control Channel: TLSv1.2, cipher TLSv1\/SSLv3 DHE-RSA-AES256-GCM-SHA384\r\nSun Jan 31 21:03:24 2016 192.168.1.122:1194 Peer Connection Initiated with [AF_INET]192.168.1.122:1194\r\nSun Jan 31 21:03:27 2016 192.168.1.122:1194 PUSH: Received control message: 'PUSH_REQUEST'\r\nSun Jan 31 21:03:27 2016 192.168.1.122:1194 Delayed exit in 5 seconds\r\nSun Jan 31 21:03:27 2016 192.168.1.122:1194 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)\r\nSun Jan 31 21:03:29 2016 192.168.1.122:1194 TLS Error: Cannot accept new session request from [AF_INET]192.168.1.122:1194 due to session context expire or --single-session [2]\r\nSun Jan 31 21:03:31 2016 192.168.1.122:1194 TLS Error: Cannot accept new session request from [AF_INET]192.168.1.122:1194 due to session context expire or --single-session [2]\r\nSun Jan 31 21:03:32 2016 192.168.1.122:1194 SIGTERM[soft,delayed-exit] received, client-instance exiting\r\nSun Jan 31 21:04:27 2016 192.168.1.122:1194 TLS: Initial packet from [AF_INET]192.168.1.122:1194, sid=58c95441 97d4166a\r\nSun Jan 31 21:04:27 2016 192.168.1.122:1194 PLUGIN_CALL: POST \/usr\/lib64\/openvpn\/plugins\/openvpn-plugin-auth-pam.so\/PLUGIN_AUTH_USER_PASS_VERIFY status=0\r\nSun Jan 31 21:04:27 2016 192.168.1.122:1194 TLS: Username\/Password authentication succeeded for username 'jhonespetter' [CN SET]\r\nSun Jan 31 21:04:27 2016 192.168.1.122:1194 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key\r\nSun Jan 31 21:04:27 2016 192.168.1.122:1194 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC 
authentication\r\nSun Jan 31 21:04:27 2016 192.168.1.122:1194 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key\r\nSun Jan 31 21:04:27 2016 192.168.1.122:1194 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication\r\nSun Jan 31 21:04:27 2016 192.168.1.122:1194 Control Channel: TLSv1.2, cipher TLSv1\/SSLv3 DHE-RSA-AES256-GCM-SHA384\r\nSun Jan 31 21:04:27 2016 192.168.1.122:1194 [jhonespetter] Peer Connection Initiated with [AF_INET]192.168.1.122:1194\r\nSun Jan 31 21:04:27 2016 jhonespetter\/192.168.1.122:1194 MULTI_sva: pool returned IPv4=10.10.10.6, IPv6=(Not enabled)\r\nSun Jan 31 21:04:27 2016 jhonespetter\/192.168.1.122:1194 MULTI: Learn: 10.10.10.6 -&gt; jhonespetter\/192.168.1.122:1194\r\nSun Jan 31 21:04:27 2016 jhonespetter\/192.168.1.122:1194 MULTI: primary virtual IP for jhonespetter\/192.168.1.122:1194: 10.10.10.6\r\nSun Jan 31 21:04:29 2016 jhonespetter\/192.168.1.122:1194 PUSH: Received control message: 'PUSH_REQUEST'\r\nSun Jan 31 21:04:29 2016 jhonespetter\/192.168.1.122:1194 send_push_reply(): safe_cap=940\r\nSun Jan 31 21:04:29 2016 jhonespetter\/192.168.1.122:1194 SENT CONTROL [jhonespetter]: 'PUSH_REPLY,route 10.10.10.1,topology net30,ping 10,ping-restart 120,ifconfig 10.10.10.6 10.10.10.5' (status=1)\r\n<\/pre>\n<p>&nbsp;<\/p>\n<h3>7 - Autentica\u00e7\u00e3o via LDAP<\/h3>\n<pre class=\"lang:sh decode:true \"># yum install openvpn-auth-ldap\r\n\r\n# vim \/etc\/openvpn\/server.conf\r\n\r\nplugin \/usr\/lib64\/openvpn\/plugin\/lib\/openvpn-auth-ldap.so \/etc\/openvpn\/auth\/ldap.conf\r\nclient-cert-not-required\r\n\r\n# vim \/etc\/openvpn\/auth\/ldap.conf\r\n\r\n&lt;LDAP&gt;\r\n\t# LDAP server URL\r\n\tURL\t\tldap:\/\/10.13.31.2:389\r\n\r\n\t# Bind DN (If your LDAP server doesn't support anonymous binds)\r\n\tBindDN \t\t\tuservpn@jpcorp.eti.br\r\n\r\n\t# Bind Password\r\n\t# Password\tSecretPassword\r\n\tPassword\t\"SENHA\"\r\n\r\n\t# Network timeout (in seconds)\r\n\tTimeout\t\t15\r\n\r\n\t# Enable Start 
TLS\r\n\tTLSEnable\tno\r\n\t#TLSEnable\tyes\r\n\r\n\t# Follow LDAP Referrals (anonymously)\r\n\tFollowReferrals yes\r\n\r\n\t# TLS CA Certificate File\r\n\tTLSCACertFile\t\/usr\/local\/etc\/ssl\/ca.pem\r\n\r\n\t# TLS CA Certificate Directory\r\n\tTLSCACertDir\t\/etc\/ssl\/certs\r\n\r\n\t# Client Certificate and key\r\n\t# If TLS client authentication is required\r\n\tTLSCertFile\t\/usr\/local\/etc\/ssl\/client-cert.pem\r\n\tTLSKeyFile\t\/usr\/local\/etc\/ssl\/client-key.pem\r\n\r\n&lt;\/LDAP&gt;\r\n\r\n&lt;Authorization&gt;\r\n\t# Base DN\r\n\tBaseDN\t\t\"dc=jpcorp,dc=eti,dc=br\"\r\n\r\n\t# User Search Filter\r\n\tSearchFilter \"(&amp;(sAMAccountName=%u))\"\r\n\r\n\t# Require Group Membership\r\n\tRequireGroup\tfalse\r\n\r\n&lt;\/Authorization&gt;\r\n\r\n\r\n<\/pre>\n<p style=\"text-align: justify;\"><strong>Observa\u00e7\u00f5es:<\/strong> com <code>TLSEnable no<\/code> e URL <code>ldap:\/\/...:389<\/code>, a senha de bind e a senha de cada usu\u00e1rio da VPN trafegam em texto claro entre o servidor OpenVPN e o AD; em produ\u00e7\u00e3o use <code>TLSEnable yes<\/code> (StartTLS) ou <code>ldaps:\/\/...:636<\/code>, com <code>TLSCACertFile<\/code> apontando para a CA que assinou o certificado do controlador de dom\u00ednio. A senha de bind fica em texto claro em ldap.conf: deixe o arquivo com dono root e <code>chmod 600<\/code> (o plugin \u00e9 inicializado antes da troca para <code>user nobody<\/code>, como mostram as linhas PLUGIN_INIT e UID set no log). Com <code>RequireGroup false<\/code> qualquer conta do dom\u00ednio que case com o filtro consegue conectar; restrinja com <code>RequireGroup true<\/code> e um bloco <code>&lt;Group&gt;<\/code> (BaseDN, SearchFilter e MemberAttribute do grupo). O aviso sobre <code>client-cert-not-required<\/code> vale igualmente aqui.<\/p>\n<p>&nbsp;<\/p>\n<h3>8 - Easy-RSA 3.0<\/h3>\n<pre class=\"lang:sh decode:true\">## CA\/CE Server\/DH\r\n[root@centos7]# cd \/etc\/openvpn\/easy-rsa\/\r\n[root@centos7]# .\/easyrsa init-pki\r\n[root@centos7]# .\/easyrsa build-ca nopass\r\n[root@centos7]# .\/easyrsa build-server-full server nopass\r\n[root@centos7]# .\/easyrsa gen-dh\r\n[root@centos7]# cd \/etc\/openvpn\/easy-rsa\/pki\/\r\n\r\nca \/etc\/openvpn\/easy-rsa\/pki\/ca.crt\r\ncert \/etc\/openvpn\/easy-rsa\/pki\/issued\/server.crt\r\nkey \/etc\/openvpn\/easy-rsa\/pki\/private\/server.key\r\ndh \/etc\/openvpn\/easy-rsa\/pki\/dh.pem\r\n\r\n## CE Client\r\n[root@centos7]# cd \/etc\/openvpn\/easy-rsa\/\r\n[root@centos7]# .\/easyrsa build-client-full client1 nopass\r\n\r\nclient-ca \/etc\/openvpn\/easy-rsa\/pki\/issued\/client1.crt\r\nclient-key \/etc\/openvpn\/easy-rsa\/pki\/private\/client1.key<\/pre>\n<p style=\"text-align: justify;\"><strong>Observa\u00e7\u00f5es:<\/strong> <code>build-ca nopass<\/code> gera a chave privada da CA sem passphrase; omita o <code>nopass<\/code> no build-ca (nem o servidor nem os clientes usam essa chave em tempo de execu\u00e7\u00e3o) e mantenha o diret\u00f3rio pki da CA fora do servidor VPN. No arquivo do cliente as diretivas s\u00e3o <code>ca<\/code>, <code>cert<\/code> e <code>key<\/code> (ou os blocos inline <code>&lt;ca&gt;<\/code>, <code>&lt;cert&gt;<\/code>, <code>&lt;key&gt;<\/code>); <code>client-ca<\/code> e <code>client-key<\/code> n\u00e3o s\u00e3o diretivas do OpenVPN. Ao passar a usar certificado de cliente, remova <code>client-cert-not-required<\/code> do servidor e acrescente <code>remote-cert-tls server<\/code> no cliente.<\/p>\n<p>&nbsp;<\/p>\n<h3>9 - Revogar certificado<\/h3>\n<pre class=\"lang:sh decode:true \"># .\/easyrsa gen-crl\r\n\r\nAdicionar no .conf\r\ncrl-verify \/etc\/openvpn\/easy-rsa\/3.0\/pki\/crl.pem\r\n\r\n# .\/easyrsa revoke jpcorp-host2\r\n# .\/easyrsa gen-crl\r\n# systemctl restart 
openvpn@server\r\n<\/pre>\n<p style=\"text-align: justify;\"><strong>Observa\u00e7\u00f5es:<\/strong> o caminho em <code>crl-verify<\/code> deve apontar para o pki realmente usado (na se\u00e7\u00e3o 8 \u00e9 \/etc\/openvpn\/easy-rsa\/pki\/crl.pem, n\u00e3o ...\/easy-rsa\/3.0\/pki\/), e o servi\u00e7o reiniciado deve ser o da inst\u00e2ncia em uso (<code>openvpn@site-to-client<\/code> para site-to-client.conf). O crl.pem precisa continuar leg\u00edvel pelo usu\u00e1rio <code>nobody<\/code> ap\u00f3s a queda de privil\u00e9gios (o OpenVPN 2.3 rel\u00ea o arquivo a cada conex\u00e3o; confirme na sua vers\u00e3o) e tem validade limitada (EASYRSA_CRL_DAYS, 180 dias por padr\u00e3o): quando expira, todas as conex\u00f5es passam a falhar por erro de CRL, ent\u00e3o rode <code>gen-crl<\/code> periodicamente. A revoga\u00e7\u00e3o s\u00f3 tem efeito quando o servidor exige certificado de cliente; com <code>client-cert-not-required<\/code>, o bloqueio de um usu\u00e1rio \u00e9 feito desativando a conta no PAM ou no LDAP.<\/p>\n<p>&nbsp;<\/p>\n<h3>Refer\u00eancias:<\/h3>\n<p><a href=\"https:\/\/openvpn.net\/index.php\/component\/content\/article\/55.html\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/openvpn.net\/index.php\/component\/content\/article\/55.html<\/a><\/p>\n<p><a href=\"https:\/\/openvpn.net\/index.php\/open-source\/documentation\/howto.html\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/openvpn.net\/index.php\/open-source\/documentation\/howto.html<\/a><\/p>\n<p><a href=\"https:\/\/openvpn.net\/index.php\/open-source\/documentation\/miscellaneous\/88-1xhowto.html\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/openvpn.net\/index.php\/open-source\/documentation\/miscellaneous\/88-1xhowto.html<\/a><\/p>\n<p><a href=\"https:\/\/wiki.gentoo.org\/wiki\/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts\">https:\/\/wiki.gentoo.org\/wiki\/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>1 &#8211; Instalando pacotes e preparando o ambiente [root@centos7 ~]# cat \/etc\/redhat-release CentOS Linux release 7.2.1511 (Core) [root@centos7 ~]# yum -y install epel-release [root@centos7 ~]# yum -y install openvpn easy-rsa [root@centos7 ~]# cp -Rfv \/usr\/share\/easy-rsa\/2.0\/ \/etc\/openvpn\/easy-rsa [root@centos7 ~]# firewall-cmd &#8211;add-port=1194\/udp &#8211;permanent success [root@centos7 ~]# firewall-cmd &#8211;reload success [root@centos7 ~]# firewall-cmd &#8211;list-port 1194\/udp [root@centos7 ~]# 
firewall-cmd&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[118,9,33],"class_list":["post-374","post","type-post","status-publish","format-standard","hentry","category-linux","tag-easy-rsa","tag-linux","tag-openvpn"],"_links":{"self":[{"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=\/wp\/v2\/posts\/374","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=374"}],"version-history":[{"count":12,"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=\/wp\/v2\/posts\/374\/revisions"}],"predecessor-version":[{"id":1474,"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=\/wp\/v2\/posts\/374\/revisions\/1474"}],"wp:attachment":[{"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=374"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=374"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=374"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}