Let's install, configure and use this open-source software to connect to our home network from wherever we are.

---------------------------------------------------------------------------------
1. Installation
---------------------------------------------------------------------------------

Install the following packages:

opkg update
opkg install openvpn openvpn-easy-rsa



---------------------------------------------------------------------------------
2. OpenVPN server configuration
---------------------------------------------------------------------------------

Edit the easy-rsa configuration to set the parameters of the keys that will be generated later. I left everything at the defaults except the validity of the generated key, which I set to 35 days:

vi /etc/easy-rsa/vars



changing the following lines:

...
# In how many days should the root CA key expire?
export CA_EXPIRE=35
# In how many days should certificates expire?
export KEY_EXPIRE=35
....

Now all that is left is to generate the keys. I wrote scripts that run from cron and store the keys in a shared location; below, instead, is the standard procedure with manual generation:

clean-all
build-ca
build-dh
build-key-server server
build-key Jimmy
build-key Sara
build-key Soandso
...
build-key-pkcs12 Jimmy
build-key-pkcs12 Sara
build-key-pkcs12 Soandso
...
cd /etc/easy-rsa/keys
cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn/s



Now let's configure the OpenVPN daemon. I did the configuration through LuCI, but if you prefer it can also be done manually by editing OpenVPN's own configuration files directly.

Use vi to edit /etc/config/openvpn:

config 'openvpn' 'lan'
        option 'enable' '1'
        option 'port' '1194'
        option 'proto' 'udp'
        option 'dev' 'tap0'
#       option 'ifconfig' '192.168.0.1 255.255.255.0'
        option 'ca' '/etc/easy-rsa/keys/ca.crt'
        option 'cert' '/etc/easy-rsa/keys/server.crt'
        option 'key' '/etc/easy-rsa/keys/server.key'
        option 'dh' '/etc/easy-rsa/keys/dh1024.pem'
        option 'ifconfig_pool_persist' '/tmp/ipp.txt'
        option 'keepalive' '10 120'
        option 'comp_lzo' '1'
        option 'persist_key' '1'
        option 'persist_tun' '1'
        option 'status' '/tmp/openvpn-status.log'
        option 'verb' '3'
        option 'server_bridge' '192.168.0.1 255.255.255.0 192.168.0.110 192.168.0.120'
        option 'push' 'route 192.168.0.0 255.255.255.0'
        option 'push' 'route 192.168.1.0 255.255.255.0'
#        list 'push' 'route 192.168.0.0 255.255.255.0'
config 'openvpn' 'client_tap_bridge'
        option 'float' '1'
        option 'client' '1'
        option 'comp_lzo' '1'
        option 'dev' 'tap'
        option 'management' '127.0.0.1 31194'
        option 'reneg_sec' '0'
        option 'verb' '3'
        option 'persist_key' '1'
        option 'nobind' '1'
        list 'remote' 'vpnserver.example.org'
        option 'remote_cert_tls' 'server'

In the push route lines we give the client the routes to reach other subnets, in my case 192.168.1.x. In the server_bridge line I say who acts as the bridge and assign it a range of IP addresses to hand out (192.168.0.110 192.168.0.120).

N.B. the configuration is in bridge mode, so the clients will connect with IP addresses from my own subnet.

---------------------------------------------------------------------------------
3. Firewall configuration
---------------------------------------------------------------------------------

Open the firewall port so the OpenVPN service can be reached from the Internet:

vi /etc/config/firewall



and add the following lines:

config 'rule'
        option 'target' 'ACCEPT'
        option 'dest_port' '1194'
        option 'src' 'wan'
        option 'proto' 'tcpudp'
        option 'family' 'ipv4'

Close the file and restart the firewall:

/etc/init.d/firewall restart



Start the OpenVPN daemon (/etc/init.d/openvpn start). Then, in the browser, go to Network - Interfaces - LAN - Physical settings and check that the tap0 (or tun0) network interface has been created.

OK, now that our OpenVPN server is up we can enable it as a daemon at boot:

cd /etc/init.d/
./openvpn enable
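As an added example (not from the original post or from OpenWrt), this busybox-compatible script reads UCI-style config files with awk and flags a few points worth checking in the configuration above: the 1024-bit DH parameters, the missing tls_auth key, whether the client verifies the server certificate, and whether the firewall rule's protocol matches the one OpenVPN actually listens on. The function names are mine and the embedded configs are constructed, abridged copies of the two files edited above.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenWrt): lint the UCI
# configs from the tutorial for a few security-relevant points, using only
# busybox sh and awk. The two configs below are constructed, shortened copies
# of the /etc/config/openvpn and /etc/config/firewall shown above.
OVPN_CFG=$(mktemp) && FW_CFG=$(mktemp)
trap 'rm -f "$OVPN_CFG" "$FW_CFG"' EXIT
cat >"$OVPN_CFG" <<'EOF'
config 'openvpn' 'lan'
        option 'enable' '1'
        option 'proto' 'udp'
        option 'dev' 'tap0'
#       option 'ifconfig' '192.168.0.1 255.255.255.0'
        option 'dh' '/etc/easy-rsa/keys/dh1024.pem'
config 'openvpn' 'client_tap_bridge'
        option 'client' '1'
        option 'remote_cert_tls' 'server'
EOF
cat >"$FW_CFG" <<'EOF'
config 'rule'
        option 'target' 'ACCEPT'
        option 'dest_port' '1194'
        option 'src' 'wan'
        option 'proto' 'tcpudp'
EOF

# uci_get FILE SECTION OPTION: print the value(s) of OPTION in SECTION.
# SECTION is the section name, or its type for anonymous sections ("config 'rule'").
uci_get() {
    awk -F"'" -v sec="$2" -v opt="$3" '
        /^[ \t]*#/ { next }                 # skip commented-out lines
        $1 ~ /^[ \t]*config[ \t]*$/ { cur = ($4 != "") ? $4 : $2; next }
        cur == sec && $1 ~ /^[ \t]*(option|list)[ \t]*$/ && $2 == opt { print $4 }
    ' "$1"
}

# lint_openvpn OPENVPN_CFG FIREWALL_CFG: one finding per line, nothing if clean.
lint_openvpn() {
    dh=$(uci_get "$1" lan dh)
    case "$dh" in *dh1024*) echo "weak: 1024-bit DH parameters ($dh); rebuild with a larger KEY_SIZE" ;; esac
    [ -n "$(uci_get "$1" lan tls_auth)" ] || echo "missing: no tls_auth key, so the control channel has no extra HMAC"
    [ "$(uci_get "$1" client_tap_bridge remote_cert_tls)" = server ] || echo "missing: client does not check the server certificate role"
    vpn_proto=$(uci_get "$1" lan proto); fw_proto=$(uci_get "$2" rule proto)
    [ "$fw_proto" = "$vpn_proto" ] || echo "mismatch: firewall opens '$fw_proto' 1194 but OpenVPN listens on '$vpn_proto'"
}

lint_openvpn "$OVPN_CFG" "$FW_CFG"
```

On a router, point lint_openvpn at the real /etc/config/openvpn and /etc/config/firewall instead of the embedded copies.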



---------------------------------------------------------------------------------
4. OpenVPN client configuration
---------------------------------------------------------------------------------

As for the client, we need to install the OpenVPN software; for that, refer to the notes for the operating system you use, or if needed to http://openvpn.net/. Here is the configuration I have on Windows (7, 64-bit):

Go to

C:\Program Files (x86)\OpenVPN\config

and create a file named yourname.ovpn

with the following contents:

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap
;dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote nomedelvostroserver 1194
# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
#ca ca.crt
#cert client.crt
#key client.key
ca "C:\\Program Files (x86)\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files (x86)\\OpenVPN\\config\\client.crt"
key "C:\\Program Files (x86)\\OpenVPN\\config\\client.key"
# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20

Copy the keys we generated earlier on our server (/etc/easy-rsa/keys/ca.crt, client.crt and client.key) into C:\Program Files (x86)\OpenVPN\config.

