====== OpenVPN Host-to-gateway - Debian 7 ======

==== No Servidor ====

root@gateway:~# apt-get install openvpn openssl ntpdate
root@gateway:~# cp -a /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/
root@gateway:/etc/openvpn# cd /etc/openvpn/2.0/
root@gateway:/etc/openvpn/2.0# vim vars
[...]
export KEY_COUNTRY="BR"
export KEY_PROVINCE="PA"
export KEY_CITY="Belem"
export KEY_ORG="Exemplo"
export KEY_EMAIL="admin@exemplo.org"
[...]

Note: the same vars file also sets KEY_SIZE; its easy-rsa 2.0 default is what produces the "1024 bit RSA private key" seen in the output below, which is below current key-size recommendations, so raise it before running ./build-ca if stronger keys are wanted.

root@gateway:/etc/openvpn/2.0# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/2.0/keys
root@gateway:/etc/openvpn/2.0# ./clean-all
root@gateway:/etc/openvpn/2.0# ./build-ca
Generating a 1024 bit RSA private key
......++++++
....++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BR]:
State or Province Name (full name) [PA]:
Locality Name (eg, city) [Belem]:
Organization Name (eg, company) [Exemplo]:
Organizational Unit Name (eg, section) [changeme]:TI
Common Name (eg, your name or your server's hostname) [changeme]:Exemplo CA
Name [changeme]:Exemplo CA
Email Address [admin@exemplo.org]:
root@gateway:/etc/openvpn/2.0# ./build-key-server gateway
Generating a 1024 bit RSA private key
...++++++
......++++++
writing new private key to 'gateway.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BR]:
State or Province Name (full name) [PA]:
Locality Name (eg, city) [Belem]:
Organization Name (eg, company) [Exemplo]:
Organizational Unit Name (eg, section) [changeme]:TI
Common Name (eg, your name or your server's hostname) [gateway]:
Name [changeme]:Exemplo CA
Email Address [admin@exemplo.org]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'BR'
stateOrProvinceName :PRINTABLE:'PA'
localityName :PRINTABLE:'Belem'
organizationName :PRINTABLE:'Exemplo'
organizationalUnitName:PRINTABLE:'TI'
commonName :PRINTABLE:'gateway'
name :PRINTABLE:'Exemplo CA'
emailAddress :IA5STRING:'admin@exemplo.org'
Certificate is to be certified until Jul 11 14:55:50 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit?
[y/n]y Write out database with 1 new entries Data Base Updated root@gateway:/etc/openvpn/2.0# ./build-dh Generating DH parameters, 1024 bit long safe prime, generator 2 This is going to take a long time .....+........................................................+.+.........................+...................+.........+...........+....+......................+....................+.........................+......................+............+.............................................................................................................+..............................+................+............................................+...........................+..................................................................................................................................+.............................................................................................................................+.......................................+.........+....+....................................................++*++*++* root@gateway:/etc/openvpn/2.0# ./build-key maq-externa Generating a 1024 bit RSA private key .................................++++++ ...................++++++ writing new private key to 'maq-externa.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. 
-----
Country Name (2 letter code) [BR]:
State or Province Name (full name) [PA]:
Locality Name (eg, city) [Belem]:
Organization Name (eg, company) [Exemplo]:
Organizational Unit Name (eg, section) [changeme]:TI
Common Name (eg, your name or your server's hostname) [maq-externa]:
Name [changeme]:Exemplo CA
Email Address [admin@exemplo.org]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'BR'
stateOrProvinceName :PRINTABLE:'PA'
localityName :PRINTABLE:'Belem'
organizationName :PRINTABLE:'Exemplo'
organizationalUnitName:PRINTABLE:'TI'
commonName :PRINTABLE:'maq-externa'
name :PRINTABLE:'Exemplo CA'
emailAddress :IA5STRING:'admin@exemplo.org'
Certificate is to be certified until Jul 11 15:00:03 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@gateway:/etc/openvpn/2.0/keys# cat /etc/openvpn/server.conf
dev tun
proto udp
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 192.0.2.200"
push "dhcp-option DNS 198.51.210"
push "route 192.0.2.0 255.255.255.0"
push "route 198.51.100.0 255.255.255.0"
port 5000
comp-lzo
verb 4
keepalive 10 120
persist-key
persist-tun
float
user nobody
group nogroup
tls-server
ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/gateway.crt
key /etc/openvpn/2.0/keys/gateway.key
dh /etc/openvpn/2.0/keys/dh1024.pem

Note: the second "dhcp-option DNS" entry above has only three octets and looks like a typo (the route pushed two lines later is in 198.51.100.0/24); confirm the intended resolver address before copying this file.

root@gateway:/etc/openvpn/2.0/keys# service openvpn restart
[ ok ] Stopping virtual private network daemon: server.
[ ok ] Starting virtual private network daemon: server.
root@gateway:/etc/openvpn/2.0/keys# ifconfig tun0
tun0 Link encap:Não Especificado Endereço de HW 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet end.: 10.8.0.1 P-a-P:10.8.0.2 Masc:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Métrica:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

Note: dh1024.pem is only consumed by the tls-server side, so the client does not need it and it can be left out of the bundle below. maq-externa.key is the client's private key: send it only over an authenticated channel (scp, as below) and keep it readable by root only on the client.

root@gateway:/etc/openvpn/2.0/keys# mkdir cliente
root@gateway:/etc/openvpn/2.0/keys# cp ca.crt dh1024.pem maq-externa.crt maq-externa.key cliente/
root@gateway:/etc/openvpn/2.0/keys# tar -cvf cliente.tar cliente
cliente/
cliente/ca.crt
cliente/maq-externa.crt
cliente/maq-externa.key
cliente/dh1024.pem
root@gateway:/etc/openvpn/2.0/keys# scp cliente.tar 203.0.113.10:

==== No cliente ====

root@maq-exetrna:~# apt-get install openvpn resolvconf ntpdate
root@maq-exetrna:~# mkdir /etc/openvpn/keys
root@maq-exetrna:~# tar -xvf cliente.tar -C /etc/openvpn/keys/
cliente/
cliente/ca.crt
cliente/maq-externa.crt
cliente/maq-externa.key
cliente/dh1024.pem
root@maq-exetrna:~# ls /etc/openvpn/keys/cliente/
ca.crt dh1024.pem maq-externa.crt maq-externa.key
root@maq-exetrna:~# cat /etc/openvpn/client.conf
dev tun
proto udp
client
pull
remote 203.0.113.1
port 5000
comp-lzo
verb 4
keepalive 10 120
persist-key
persist-tun
float
user nobody
group nogroup
ns-cert-type server
tls-client
ca /etc/openvpn/keys/cliente/ca.crt
cert /etc/openvpn/keys/cliente/maq-externa.crt
key /etc/openvpn/keys/cliente/maq-externa.key
dh /etc/openvpn/keys/cliente/dh1024.pem
script-security 3 system
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
root@maq-exetrna:~# ntpdate -u a.ntp.br
13 Jul 12:48:54 ntpdate[3901]: adjust time server 200.160.0.8 offset -0.019327 sec
root@maq-exetrna:~# service openvpn restart
[ ok ] Stopping virtual private network daemon:.
[ ok ] Starting virtual private network daemon: client.
root@maq-exetrna:~# service resolvconf restart
[ ok ] Restarting resolvconf...done.
root@maq-exetrna:~# ifconfig tun0
tun0 Link encap:Não Especificado Endereço de HW 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet end.: 10.8.0.6 P-a-P:10.8.0.5 Masc:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Métrica:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
root@maq-exetrna:~# route -n
Tabela de Roteamento IP do Kernel
Destino Roteador MáscaraGen. Opções Métrica Ref Uso Iface
0.0.0.0 10.0.2.2 0.0.0.0 UG 0 0 0 eth0
10.0.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun0
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.0.2.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
198.51.100.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
203.0.113.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1