OpenVPN How-To


To-Do List


Introduction

Requirements

Architecture

Choice of VPN technology

SSL/TLS VPN

Advantages

Drawbacks

IPsec VPN

Advantages

Drawbacks

Choice

OpenVPN

Overview

Installation

Authentication

Pre-shared secret key

$ openvpn --genkey --secret /etc/openvpn/secret.key
secret /etc/openvpn/secret.key
secret /etc/openvpn/secret.key 0

And in the client's configuration by:

secret /etc/openvpn/secret.key 1

X.509 certificates

easy-rsa scripts

Creating the CA

# cd /path/to/easy-rsa
# . vars
# ./build-ca
openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt

Afterwards, the CA's private key (ca.key) and its certificate (ca.crt) have been created. Only the certificate must be exported to each member of the VPN.

Creating the server elements

Private key and certificate
# ./build-key-server nom_du_serveur
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -extensions server
openssl ca -days 3650 -out $1.crt -in $1.csr -extensions server
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=FR, ST=ESSONNE, L=ORSAY, O=OpenVPN-TEST, OU=Crypto-Labs,\
          CN=vpn-ac/emailAddress=admin@vpn-ac
        Validity
            Not Before: Feb 20 16:47:51 2006 GMT
            Not After : Feb 18 16:47:51 2016 GMT
        Subject: C=FR, ST=ESSONNE, O=OpenVPN-TEST, OU=Crypto-Labs,\
          CN=vpn-server/emailAddress=admin@vpn-server
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b5:06:53:2f:23:d0:3e:cb:6b:e7:07:30:04:d8:
                    ef:4f:5a:a0:26:76:e0:be:25:7f:ca:7f:2f:4f:41:
                    31:7e:36:ac:b8:d7:c1:29:4f:4c:e9:03:ee:1f:1f:
                    8c:91:5a:61:1e:be:8d:b0:6a:c1:83:77:77:25:b5:
                    62:43:c1:94:52:4f:a3:5a:7a:75:14:96:53:f9:10:
                    f6:51:f1:db:b4:17:43:a4:8e:c9:af:da:b6:32:18:
                    ac:ef:c6:0a:af:1c:0b:52:fe:ac:5e:65:4a:2a:2c:
                    3c:de:8e:a0:d3:0c:ae:33:28:4e:cd:0a:b4:d3:a5:
                    6c:04:93:11:d2:77:17:6b:f5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Server
            Netscape Comment: 
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier: 
                47:D9:AA:45:52:DC:A3:56:BF:0A:57:8E:9A:28:C5:57:0B:2B:A0:E9
            X509v3 Authority Key Identifier: 
                keyid:0D:C2:85:03:AB:96:3E:BC:88:31:B3:B6:3F:90:3A:B0:49:56:5B:CE
                DirName:/C=FR/ST=ESSONNE/L=ORSAY/O=OpenVPN-TEST/OU=Crypto-Labs/CN=vpn-ac/\
                  emailAddress=admin@vpn-ac
                serial:8A:4D:56:E5:75:4E:A1:BD
 
    Signature Algorithm: md5WithRSAEncryption
        e2:87:9f:ac:78:c3:c8:1b:36:3d:2b:ef:b1:8a:96:76:78:45:
        15:f2:bb:d0:53:a3:be:3b:1d:63:26:90:72:7e:b5:fe:5a:17:
        6f:51:77:cb:1b:5a:e8:03:5c:f4:db:a3:07:fe:29:73:61:44:
        69:bb:01:88:12:1e:a3:f0:27:7b:46:7b:64:b9:9b:c8:c5:2e:
        22:38:d1:43:26:fc:e9:4b:25:ad:13:0b:39:2f:0a:2d:39:26:
        0f:eb:ea:f5:e4:8f:d0:48:a9:4d:38:03:a5:16:8e:cb:2a:c3:
        58:b8:fc:33:3f:8b:cb:2f:d5:34:53:62:18:83:ef:4f:7c:5d:
        e1:63

Diffie-Hellman parameters
openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}

Creating the client elements

# ./build-key nom_du_client

This script contains the following lines:

openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr
openssl ca -days 3650 -out $1.crt -in $1.csr
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=FR, ST=ESSONNE, L=ORSAY, O=OpenVPN-TEST, OU=Crypto-Labs,\
          CN=vpn-ac/emailAddress=admin@vpn-ac
        Validity
            Not Before: Feb 20 16:51:19 2006 GMT
            Not After : Feb 18 16:51:19 2016 GMT
        Subject: C=FR, ST=ESSONNE, O=OpenVPN-TEST, OU=DAF,\
          CN=vpn-client1/emailAddress=admin@vpn-client1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:a9:e1:7b:2f:a0:7d:5f:bf:49:4e:0a:30:1e:94:
                    28:9c:c1:ee:39:11:4c:1e:d3:9e:e6:57:33:0c:ab:
                    15:0f:79:69:59:18:d7:e6:5e:fd:49:f6:27:78:2a:
                    ba:c4:ea:e3:d0:81:0c:84:29:d1:c1:80:c9:42:d9:
                    ca:64:1e:b1:db:47:b6:c7:6c:d2:90:60:30:b8:ef:
                    01:ea:82:15:5a:d0:95:26:43:c5:ae:30:3d:ba:ca:
                    b8:dd:d6:f2:f0:ac:97:08:f8:13:bc:e5:7b:07:8c:
                    5d:33:0f:e6:5c:e5:9a:b5:34:91:3b:c9:b2:ce:c1:
                    0c:fb:dd:ee:f3:ba:61:84:c1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                F8:98:F8:75:9D:D9:D4:1B:03:F3:36:C0:E2:67:19:BD:EC:48:36:0D
            X509v3 Authority Key Identifier: 
                keyid:0D:C2:85:03:AB:96:3E:BC:88:31:B3:B6:3F:90:3A:B0:49:56:5B:CE
                DirName:/C=FR/ST=ESSONNE/L=ORSAY/O=OpenVPN-TEST/OU=Crypto-Labs/CN=vpn-ac/\
                  emailAddress=admin@vpn-ac
                serial:8A:4D:56:E5:75:4E:A1:BD
 
    Signature Algorithm: md5WithRSAEncryption
        8c:72:10:97:7d:ba:45:72:fe:ff:e6:37:0a:cb:fe:a0:19:02:
        4a:03:86:a5:9c:72:1c:59:e0:c3:58:2f:52:4f:9d:f7:cd:54:
        0b:97:b9:da:40:6d:6c:c0:07:51:c6:08:71:73:b5:08:8e:b1:
        8f:c9:3f:e2:8e:b2:d7:f4:41:63:e7:c8:6b:dc:49:bc:ca:0e:
        58:cb:8a:3f:ed:9e:f3:bc:79:4e:6c:0c:5b:d8:fc:07:4d:21:
        72:96:b4:56:60:f6:ff:73:e8:a6:f8:ef:cd:39:9e:63:bc:99:
        b7:95:5e:d1:15:ab:f9:26:8c:f8:6d:45:e3:05:89:65:39:d1:
        02:b6

Reminders about keys

Revoking a certificate

# cd /path/to/easy-rsa
# . vars
# ./revoke-full common-name

Where common-name is the CommonName value (surprising, isn't it? :-)) of the certificate to be revoked.

Tunnel type

Ethernet bridge

IP tunnel

Summary

  1. IP tunnel.
  2. Authentication by X.509 certificates.
  3. Roaming hosts will only be allowed to connect to the VPN server.
  4. The VPN will operate as a "star": clients will not be able to communicate with each other; VPN tunnels are isolated from one another by default.
  5. Once connected to the VPN, roaming hosts will only be able to talk to the VPN server; their routing will be modified when the tunnel is created.
  6. The identity of the users of roaming hosts will be verified on the server side, independently of any passphrase on the private keys installed on those hosts.

Server configuration

General parameters

mode server
tls-server
local 192.168.0.1
dev tun
proto udp
port 1194
user nobody
group nobody

Logging

verb 4
log /var/openvpn/openvpn.log
status /var/openvpn/openvpn-status.log

Authentication parameters

ca ca.crt
cert server.crt
key server.key
dh dh1024.pem

Network options

IP addressing

server 10.8.0.0 255.255.255.0

The server parameter is followed by the first address of the range and its netmask. The server assigns itself the IP address just above the first one (10.8.0.1 in our example). Clients are then assigned the following IP addresses until the range is exhausted.

Routing

push "route 192.168.10.0 255.255.255.0"

and can also change the default gateway:

push "redirect-gateway def1"
  1. A static route is created to direct traffic to the VPN server through the pre-existing default route, so that no loop forms after step 3.
  2. The default route is deleted.
  3. The tunnel address becomes the default route.

DHCP options

push "dhcp-option type_of_option value"

The supported option types are as follows:

  1. DOMAIN domain_name : quite self-explanatory, isn't it? :-)
  2. DNS a.b.c.d : address of the primary DNS server.
  3. WINS a.b.c.d : address of the primary WINS server.
  4. NBDD a.b.c.d : address of the primary NBDD (NetBIOS over TCP/IP Name Server) server.
  5. NTP a.b.c.d : address of the NTP (network time) server.
  6. NBT type : NetBIOS over TCP/IP node type, with type = 1 for b-node (broadcast), 2 for p-node (point-to-point queries to a WINS server), 4 for m-node (broadcast, then query to the name server) and 8 for h-node (query to the name server, then broadcast).
  7. NBS scope-id : sets the NetBIOS scope, which restricts NetBIOS traffic to that scope-id only.
push "dhcp-option DNS 10.8.0.10"   # primary DNS server
push "dhcp-option DNS 10.8.0.20"   # secondary DNS server

The same applies to the DNS, WINS, NTP and NBDD DHCP options.

Access control

Client certificate verification

  1. The server sends its certificate to the client, as per the SSL/TLS protocol;
  2. The server requests the client's certificate;
  3. Each side reads the CRL file, if it exists;
  4. The validity of the client and server certificates is verified.

User verification

auth-user-pass-verify /path/to/script via-env
#!/bin/sh
#
# a simple ldap auth script for openvpn (via-env method: OpenVPN hands
# the credentials to the script in the $username and $password variables)
#
LDAP_HOST=a.b.c.d
 
# check if username/password is empty or anonymous
# (POSIX test knows no ||, so each condition gets its own test)
#
if [ "$username" = "anonymous" ] || [ -z "$username" ] || [ -z "$password" ] ; then
   exit 1
fi
 
# refuse any character that could alter the bind DN built below
case "$username" in
   *[!A-Za-z0-9._-]*) exit 1 ;;
esac
 
# a successful simple bind as the user proves the password
ldapwhoami -x -h "$LDAP_HOST" -D "uid=$username,ou=users,dc=example,dc=com" \
           -w "$password" >/dev/null 2>&1
#
if [ "$?" = "0" ]; then
   exit 0
else
   exit 1
fi
#!/usr/bin/perl -t
 
# OpenVPN PAM AUTHENTICATION
#   This script can be used to add PAM-based authentication
#   to OpenVPN 2.0.  The OpenVPN client must provide
#   a username/password, using the --auth-user-pass directive.
#   The OpenVPN server should specify --auth-user-pass-verify
#   with this script as the argument and the 'via-file' method
#   specified.  The server can also optionally specify
#   --client-cert-not-required and/or --username-as-common-name.
 
# SCRIPT OPERATION
#   Return success or failure status based on whether or not a
#   given username/password authenticates using PAM.
#   Caller should write username/password as two lines in a file
#   which is passed to this script as a command line argument.
 
# CAVEATS
#   * Requires Authen::PAM module, which may also
#     require the pam-devel package.
#   * May need to be run as root in order to
#     access username/password file.
 
# NOTES
#   * This script is provided mostly as a demonstration of the
#     --auth-user-pass-verify script capability in OpenVPN.
#     For real world usage, see the auth-pam module in the plugin
#     folder.
 
use Authen::PAM;
use POSIX;
 
# This "conversation function" will pass
# $password to PAM when it asks for it.
 
sub my_conv_func {
    my @res;
    while ( @_ ) {
        my $code = shift;
        my $msg = shift;
        my $ans = "";
 
        $ans = $password if $msg =~ /[Pp]assword/;
 
        push @res, (PAM_SUCCESS(),$ans);
    }
    push @res, PAM_SUCCESS();
    return @res;
}
 
# Identify service type to PAM
$service = "login";
 
# Get username/password from file
 
if ($ARG = shift @ARGV) {
    if (!open (UPFILE, "<$ARG")) {
        print "Could not open username/password file: $ARG\n";
        exit 1;
    }
} else {
    print "No username/password file specified on command line\n";
    exit 1;
}
 
$username = <UPFILE>;
$password = <UPFILE>;
 
if (!$username || !$password) {
    print "Username/password not found in file: $ARG\n";
    exit 1;
}
 
chomp $username;
chomp $password;
 
close (UPFILE);
 
# Initialize PAM object
 
if (!ref($pamh = new Authen::PAM($service, $username, \&my_conv_func))) {
    print "Authen::PAM init failed\n";
    exit 1;
}
 
# Authenticate with PAM
 
$res = $pamh->pam_authenticate;
 
# Return success or failure
 
if ($res == PAM_SUCCESS()) {
    exit 0;
} else {
    print "Auth '$username' failed, PAM said: ", $pamh->pam_strerror($res), "\n";
    exit 1;
}

Service security

Availability

  1. machine redundancy;
  2. service redundancy.
Machine redundancy
vpn.acme.fr  IN A a.b.c.d
             IN A a.b.c.e

Where the DNS service relies on a BIND9 server, it answers queries resolving the name vpn.acme.fr by returning sometimes the IP address a.b.c.d, sometimes the IP address a.b.c.e.

remote a.b.c.d
remote a.b.c.e

By default, the client will try to connect to the server at IP address a.b.c.d or, on failure, to the one at IP address a.b.c.e. This redundancy mode does not, however, provide any load balancing: as long as the first server answers, it is used exclusively.

remote-random
Service redundancy
remote a.b.c.d
remote a.b.c.d:8181
remote a.b.c.d:443

In this example, three OpenVPN daemons run on the server at IP address a.b.c.d: one on the standard port, one on port 8181 and a third on port 443.

Mixed redundancy
remote a.b.c.d
remote a.b.c.e
remote a.b.c.d:8181
remote a.b.c.e:8181
etc.

Securing the SSL/TLS handshake

# Generate the shared key
openvpn --genkey --secret nom_de_fichier.key
tls-auth nom_de_fichier.key 0
tls-auth nom_de_fichier.key 1
replay-persist /path/to/fichier

Summary

#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of ACME VPN.                                  #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################
 
# Server or Client ?
mode server
tls-server
 
# Which local IP address should OpenVPN
# listen on? (optional)
local a.b.c.d
 
# Which TCP/UDP port should OpenVPN listen on?
port 1194
 
# TCP or UDP server?
proto udp
 
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
dev tun
 
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
ca ca.crt
cert server.crt
key server.key
 
# Where is the CRL ?
# This file is read each time a new session begins.
crl-verify crl.pem
 
# Diffie hellman parameters.
dh dh1024.pem
 
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0
 
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
push "redirect-gateway def1"
 
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option WINS 10.8.0.1"
 
# Uncomment this directive to allow different
# clients to be able to "see" each other.
;client-to-client
 
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
 
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
tls-auth tls-auth.key 0
replay-persist tls-auth.log
 
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
 
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo
 
# The maximum number of concurrently connected
# clients we want to allow.
max-clients 100
 
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
user nobody
group nobody
 
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
 
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log
 
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 4
 
# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
mute 20

Administering the OpenVPN daemon

management 127.0.0.1 7505

In this example, the TCP/7505 management port is bound to the loopback interface.

Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
help
Management Interface for OpenVPN 2.0 i386-pc-linux [SSL] [LZO] [EPOLL] built on Nov  3 2005
Commands:
echo [on|off] [N|all]  : Like log, but only show messages in echo buffer.
exit|quit              : Close management session.
help                   : Print this message.
hold [on|off|release]  : Set/show hold flag to on/off state, or
                         release current hold and start tunnel.
kill cn                : Kill the client instance(s) having common name cn.
kill IP:port           : Kill the client instance connecting from IP:port.
log [on|off] [N|all]   : Turn on/off realtime log display
                         + show last N lines or 'all' for entire history.
mute [n]               : Set log mute level to n, or show level if n is absent.
net                    : (Windows only) Show network info and routing table.
password type p        : Enter password p for a queried OpenVPN password.
signal s               : Send signal s to daemon,
                         s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.
state [on|off] [N|all] : Like log, but show state history.
status [n]             : Show current daemon status info using format #n.
test n                 : Produce n lines of output for testing/debugging.
username type u        : Enter username u for a queried OpenVPN username.
verb [n]               : Set log verbosity level to n, or show if n is absent.
version                : Show current version number.
END
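
Added example, not part of the original how-to: a small Python client for the management port configured above (assumed to be management 127.0.0.1 7505, reached from the same host). It sends the status command, parses the version-1 listing and reports connected clients whose certificate has since been revoked; because crl-verify is only read when a session begins, such a session survives until the operator ends it with kill cn from this same interface. The sample listing is constructed.

```python
import socket

# Constructed sample (not real daemon output) of the reply to the "status"
# command, in the version-1 listing that OpenVPN 2.0 also writes to the
# status file; it lets the parser run without a live daemon.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Mon Feb 20 17:02:11 2006
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
vpn-client1,203.0.113.7:49152,10432,88210,Mon Feb 20 16:55:02 2006
vpn-client2,198.51.100.9:1194,2048,4096,Mon Feb 20 17:00:45 2006
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,vpn-client1,203.0.113.7:49152,Mon Feb 20 17:02:01 2006
10.8.0.10,vpn-client2,198.51.100.9:1194,Mon Feb 20 17:01:58 2006
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def management_command(command, host="127.0.0.1", port=7505, timeout=5.0):
    """Send one command to the management port and return the reply lines,
    stopping at the END marker or at a SUCCESS:/ERROR: line."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rw", encoding="ascii", errors="replace", newline="\n")
        f.readline()                      # the >INFO: greeting banner
        f.write(command + "\n")
        f.flush()
        lines = []
        for line in f:
            line = line.rstrip("\r\n")
            lines.append(line)
            if line == "END" or line.startswith(("SUCCESS:", "ERROR:")):
                break
        f.write("quit\n")
        f.flush()
    return "\n".join(lines)


def parse_status(text):
    """Parse a version-1 status listing into client and routing records."""
    clients, routes, section = [], [], None
    for line in text.splitlines():
        if line in ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS"):
            section = line
            continue
        if line == "END":
            break
        f = line.split(",")
        if section == "OpenVPN CLIENT LIST" and len(f) == 5 and f[0] != "Common Name":
            clients.append({"common_name": f[0], "real_address": f[1],
                            "bytes_received": int(f[2]), "bytes_sent": int(f[3]),
                            "connected_since": f[4]})
        elif section == "ROUTING TABLE" and len(f) == 4 and f[0] != "Virtual Address":
            routes.append({"virtual_address": f[0], "common_name": f[1],
                           "real_address": f[2], "last_ref": f[3]})
    return {"clients": clients, "routes": routes}


def revoked_but_connected(status, revoked_common_names):
    """Common names that still hold a session although their certificate is
    on the CRL: crl-verify is only consulted when a session starts, so such a
    client stays connected until the operator ends it with 'kill <cn>'."""
    return sorted({c["common_name"] for c in status["clients"]}
                  & set(revoked_common_names))


if __name__ == "__main__":
    # Live use against a daemon started with "management 127.0.0.1 7505"
    # (assumed reachable); the revoked list here is a constructed example.
    status = parse_status(management_command("status"))
    for cn in revoked_but_connected(status, ["vpn-client1"]):
        print("revoked certificate still connected:", cn)
```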

Starting the OpenVPN daemon

#!/bin/sh
#
# openvpn       This shell script takes care of starting and stopping
#               openvpn on RedHat or other chkconfig-based system.
#
# chkconfig: 345 24 76
#
# description: OpenVPN is a robust and highly flexible tunneling application that
#              uses all of the encryption, authentication, and certification features
#              of the OpenSSL library to securely tunnel IP networks over a single
#              UDP port.
#

# Contributed to the OpenVPN project by
# Douglas Keller <doug@voidstar.dyndns.org>
# 2002.05.15

# To install:
#   copy this file to /etc/rc.d/init.d/openvpn
#   shell> chkconfig --add openvpn
#   shell> mkdir /etc/openvpn
#   make .conf or .sh files in /etc/openvpn (see below)

# To uninstall:
#   run: chkconfig --del openvpn

# Author's Notes:
#
# I have created an /etc/init.d init script and enhanced openvpn.spec to
# automatically register the init script.  Once the RPM is installed you
# can start and stop OpenVPN with "service openvpn start" and "service
# openvpn stop".
#
# The init script does the following:
#
# - Starts an openvpn process for each .conf file it finds in
#   /etc/openvpn.
#
# - If /etc/openvpn/xxx.sh exists for a xxx.conf file then it executes
#   it before starting openvpn (useful for doing openvpn --mktun...).
#
# - In addition to start/stop you can do:
#
#   service openvpn reload - SIGHUP
#   service openvpn reopen - SIGUSR1
#   service openvpn status - SIGUSR2
#
# Modifications:
#
# 2003.05.02
#   * Changed == to = for sh compliance (Bishop Clark).
#   * If condrestart|reload|reopen|status, check that we were
#     actually started (James Yonan).
#   * Added lock, piddir, and work variables (James Yonan).
#   * If start is attempted twice, without an intervening stop, or
#     if start is attempted when previous start was not properly
#     shut down, then kill any previously started processes, before
#     commencing new start operation (James Yonan).
#   * Do a better job of flagging errors on start, and properly
#     returning success or failure status to caller (James Yonan).
#
# 2005.04.04
#   * Added openvpn-startup and openvpn-shutdown script calls
#     (James Yonan).
#

# Location of openvpn binary
openvpn=""
openvpn_locations="/usr/sbin/openvpn /usr/local/sbin/openvpn"
for location in $openvpn_locations
do
  if [ -f "$location" ]
  then
    openvpn=$location
  fi
done

# Lockfile
lock="/var/lock/subsys/openvpn"

# PID directory
piddir="/var/run/openvpn"

# Our working directory
work=/etc/openvpn

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
if [ "${NETWORKING}" = "no" ]
then
  echo "Networking is down"
  exit 0
fi

# Check that binary exists
if ! [ -f "$openvpn" ]
then
  echo "openvpn binary not found"
  exit 0
fi

# See how we were called.
case "$1" in
  start)
        echo -n $"Starting openvpn: "

        /sbin/modprobe tun >/dev/null 2>&1

        # From a security perspective, I think it makes
        # sense to remove this, and have users who need
        # it explicitly enable in their --up scripts or
        # firewall setups.

        #echo 1 > /proc/sys/net/ipv4/ip_forward

        # Run startup script, if defined
        if [ -f $work/openvpn-startup ]; then
            $work/openvpn-startup
        fi

        if [ ! -d  $piddir ]; then
            mkdir $piddir
        fi

        if [ -f $lock ]; then
            # we were not shut down correctly
            for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
              if [ -s $pidf ]; then
                kill `cat $pidf` >/dev/null 2>&1
              fi
              rm -f $pidf
            done
            rm -f $lock
            sleep 2
        fi

        rm -f $piddir/*.pid
        cd $work

        # Start every .conf in $work and run .sh if exists
        errors=0
        successes=0
        for c in `/bin/ls *.conf 2>/dev/null`; do
            bn=${c%%.conf}
            if [ -f "$bn.sh" ]; then
                . $bn.sh
            fi
            rm -f $piddir/$bn.pid
            $openvpn --daemon --writepid $piddir/$bn.pid --config $c --cd $work
            if [ $? = 0 ]; then
                successes=1
            else
                errors=1
            fi
        done

        if [ $errors = 1 ]; then
            failure; echo
        else
            success; echo
        fi

        if [ $successes = 1 ]; then
            touch $lock
        fi
        ;;
  stop)
        echo -n $"Shutting down openvpn: "
        for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
          if [ -s $pidf ]; then
            kill `cat $pidf` >/dev/null 2>&1
          fi
          rm -f $pidf
        done

        # Run shutdown script, if defined
        if [ -f $work/openvpn-shutdown ]; then
            $work/openvpn-shutdown
        fi

        success; echo
        rm -f $lock
        ;;
  restart)
        $0 stop
        sleep 2
        $0 start
        ;;
  reload)
        if [ -f $lock ]; then
            for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
                if [ -s $pidf ]; then
                    kill -HUP `cat $pidf` >/dev/null 2>&1
                fi
            done
        else
            echo "openvpn: service not started"
            exit 1
        fi
        ;;
  reopen)
        if [ -f $lock ]; then
            for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
                if [ -s $pidf ]; then
                    kill -USR1 `cat $pidf` >/dev/null 2>&1
                fi
            done
        else
            echo "openvpn: service not started"
            exit 1
        fi
        ;;
  condrestart)
        if [ -f $lock ]; then
            $0 stop
            # avoid race
            sleep 2
            $0 start
        fi
        ;;
  status)
        if [ -f $lock ]; then
            for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
                if [ -s $pidf ]; then
                    kill -USR2 `cat $pidf` >/dev/null 2>&1
                fi
            done
            echo "Status written to /var/log/messages"
        else
            echo "openvpn: service not started"
            exit 1
        fi
        ;;
  *)
        echo "Usage: openvpn {start|stop|restart|condrestart|reload|reopen|status}"
        exit 1
        ;;
esac
exit 0
#!/bin/sh -e
#
# Original version by Robert Leslie
# <rob@mars.org>, edited by iwj and cs
# Modified for openvpn by Alberto Gonzalez Iniesta <agi@inittab.org>
# Modified for restarting / starting / stopping single tunnels by Richard Mueller <mueller@teamix.net>

test $DEBIAN_SCRIPT_DEBUG && set -v -x

DAEMON=/usr/sbin/openvpn
DESC="virtual private network daemon"
CONFIG_DIR=/etc/openvpn
test -x $DAEMON || exit 0
test -d $CONFIG_DIR || exit 0

# Source defaults file; edit that file to configure this script.
AUTOSTART="all"
STATUSREFRESH=10
if test -e /etc/default/openvpn ; then
  . /etc/default/openvpn
fi

start_vpn () {
    if grep -q '^[       ]*daemon' $CONFIG_DIR/$NAME.conf ; then
      # daemon already given in config file
      DAEMONARG=
    else
      # need to daemonize
      DAEMONARG="--daemon ovpn-$NAME"
    fi

    if grep -q '^[       ]*status ' $CONFIG_DIR/$NAME.conf ; then
      # status file already given in config file
      STATUSARG=""
    elif test $STATUSREFRESH -eq 0 ; then
      # default status file disabled in /etc/default/openvpn
      STATUSARG=""
    else
      # prepare default status file
      STATUSARG="--status /var/run/openvpn.$NAME.status $STATUSREFRESH"
    fi

    $DAEMON --writepid /var/run/openvpn.$NAME.pid \
            $DAEMONARG $STATUSARG --cd $CONFIG_DIR \
            --config $CONFIG_DIR/$NAME.conf || echo -n " FAILED->"
    echo -n " $NAME"
}
stop_vpn () {
  kill `cat $PIDFILE` || true
  rm $PIDFILE
  [ -e /var/run/openvpn.$NAME.status ] \
    && rm /var/run/openvpn.$NAME.status
}

case "$1" in
start)
  echo -n "Starting $DESC:"

  # autostart VPNs
  if test -z "$2" ; then
    # check if automatic startup is disabled by AUTOSTART=none
    if test "x$AUTOSTART" = "xnone" -o -z "$AUTOSTART" ; then
      echo " Autostart disabled."
      exit 0
    fi
    if test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall" ; then
      # all VPNs shall be started automatically
      for CONFIG in `cd $CONFIG_DIR; ls *.conf 2> /dev/null`; do
        NAME=${CONFIG%%.conf}
        start_vpn
      done
    else
      # start only specified VPNs
      for NAME in $AUTOSTART ; do
        if test -e $CONFIG_DIR/$NAME.conf ; then
          start_vpn
        else
          echo -n " (failure: No such VPN: $NAME)"
        fi
      done
    fi
  #start VPNs from command line
  else
    while shift ; do
      [ -z "$1" ] && break
      if test -e $CONFIG_DIR/$1.conf ; then
        NAME=$1
        start_vpn
      else
        echo -n " (failure: No such VPN: $1)"
      fi
    done
  fi
  echo "."

  ;;
stop)
  echo -n "Stopping $DESC:"

  if test -z "$2" ; then
    for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
      NAME=`echo $PIDFILE | cut -c18-`
      NAME=${NAME%%.pid}
      stop_vpn
      echo -n " $NAME"
    done
  else
    while shift ; do
      [ -z "$1" ] && break
      if test -e /var/run/openvpn.$1.pid ; then
        PIDFILE=`ls /var/run/openvpn.$1.pid 2> /dev/null`
        NAME=`echo $PIDFILE | cut -c18-`
        NAME=${NAME%%.pid}
        stop_vpn
        echo -n " $NAME"
      else
        echo -n " (failure: No such VPN is running: $1)"
      fi
    done
  fi
  echo "."
  ;;
# We only 'reload' for running VPNs. New ones will only start with 'start' or 'restart'.
reload|force-reload)
  echo -n "Reloading $DESC:"
  for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
    NAME=`echo $PIDFILE | cut -c18-`
    NAME=${NAME%%.pid}
# If openvpn is running under a different user than root we'll need to restart
    if egrep '^( |\t)*user' $CONFIG_DIR/$NAME.conf > /dev/null 2>&1 ; then
      stop_vpn
      sleep 1
      start_vpn
      echo -n "(restarted)"
    else
      kill -HUP `cat $PIDFILE` || true
      echo -n " $NAME"
    fi
  done
  echo "."
  ;;

restart)
  shift
  $0 stop ${@}
  sleep 1
  $0 start ${@}
  ;;
cond-restart)
  echo -n "Restarting $DESC:"
  for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
    NAME=`echo $PIDFILE | cut -c18-`
    NAME=${NAME%%.pid}
    stop_vpn
    sleep 1
    start_vpn
  done
  echo "."
  ;;
*)
  echo "Usage: $0 {start|stop|reload|restart|force-reload|cond-restart}" >&2
  exit 1
  ;;
esac

exit 0

Configuring roaming hosts

General

The various OpenVPN clients

MS Windows hosts

Mac OS X hosts

Tunnelblick for Mac OS X 10.3 and 10.4
OpenVPN for Mac OS X 10.2

Unix hosts

Client configuration parameters

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
dev tun

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote my-server-1 1194
remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert client.crt
key client.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
mute 20
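
As an added example serving both the server summary earlier and this client configuration (not code from the original how-to), the Python below parses an OpenVPN config file and checks it against the how-to's own points: crl-verify, tls-auth with opposite directions (0 on the server, 1 on the client) plus replay-persist, the privilege drop via user/group, no client-to-client, the single quoted argument of push, and ns-cert-type server on the client. The sample configs are constructed.

```python
import shlex


def parse_openvpn_conf(text):
    """Return [(directive, [args]), ...]; '#'/';' comment lines and trailing
    '#' comments are dropped, and a quoted argument stays one argument."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            directives.append((parts[0], parts[1:]))
    return directives


def _index(conf):
    # group argument lists by directive name, keeping repeats in order
    by_name = {}
    for name, args in conf:
        by_name.setdefault(name, []).append(args)
    return by_name


def audit_server(text):
    """Findings for a server config, following this how-to's checklist."""
    d = _index(parse_openvpn_conf(text))
    findings = []
    if d.get("mode", [[]])[0] != ["server"]:
        findings.append("mode server is missing")
    for req in ("ca", "cert", "key", "dh"):
        if req not in d:
            findings.append(f"{req} is missing")
    if "crl-verify" not in d:
        findings.append("crl-verify is missing: revoked client certificates stay usable")
    ta = d.get("tls-auth")
    if ta is None:
        findings.append("tls-auth is missing: the handshake is not HMAC-protected")
    elif ta[0][1:] != ["0"]:
        findings.append("tls-auth direction must be 0 on the server (1 on clients)")
    elif "replay-persist" not in d:
        findings.append("replay-persist is missing: replay state is lost on restart")
    if "user" not in d or "group" not in d:
        findings.append("user/group are missing: the daemon keeps root after start-up")
    if "client-to-client" in d:
        findings.append("client-to-client is enabled: tunnels are no longer isolated")
    for args in d.get("push", []):
        if len(args) != 1:   # push dhcp-option "DNS x" is two arguments: wrong form
            findings.append("push takes one quoted argument, got: " + " ".join(args))
    return findings


def audit_client(text):
    """Findings for a roaming-host config."""
    d = _index(parse_openvpn_conf(text))
    findings = []
    if "client" not in d and "tls-client" not in d:
        findings.append("client (or tls-client) is missing")
    for req in ("ca", "cert", "key"):
        if req not in d:
            findings.append(f"{req} is missing")
    if d.get("ns-cert-type", [[]])[0] != ["server"]:
        findings.append("ns-cert-type server is missing: a client certificate could pose as the server")
    ta = d.get("tls-auth")
    if ta is None:
        findings.append("tls-auth is missing while the server requires it")
    elif ta[0][1:] != ["1"]:
        findings.append("tls-auth direction must be 1 on a client")
    remotes = d.get("remote", [])
    if len(remotes) > 1 and "remote-random" not in d:
        findings.append("several remotes without remote-random: failover only, no load sharing")
    return findings


# Constructed samples (not from the original page): a weak server config,
# its corrected form, and a client config that skips one check.
SERVER_WEAK = """mode server
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
push dhcp-option "DNS 10.8.0.10"
client-to-client"""

SERVER_FIXED = """mode server
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
crl-verify crl.pem
push "dhcp-option DNS 10.8.0.10"   # primary DNS server
tls-auth tls-auth.key 0
replay-persist tls-auth.log
user nobody
group nobody"""

CLIENT_SAMPLE = """client
remote my-server-1 1194
remote my-server-2 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1"""
```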

References & Links