OpenVPN Host-to-gateway - Debian 7

No Servidor

Observação de segurança: os comandos abaixo usam os padrões do easy-rsa 2.0, que gera chaves RSA e parâmetros DH de 1024 bits (veja "Generating a 1024 bit RSA private key" e "dh1024.pem"); esse tamanho é considerado fraco hoje. Antes de rodar `./clean-all`, defina `export KEY_SIZE=2048` em `vars` — o `build-dh` passa então a gravar `dh2048.pem`, e a diretiva `dh` do `server.conf` deve apontar para esse arquivo. Note também que a chave privada da CA (`ca.key`) e a chave privada do cliente são geradas no próprio gateway: `ca.key` não é usada em tempo de execução e deve ficar fora da máquina de VPN, ou ao menos legível só por root.

root@gateway:~# apt-get install openvpn openssl ntpdate
root@gateway:~# cp -a /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/
root@gateway:/etc/openvpn# cd /etc/openvpn/2.0/
root@gateway:/etc/openvpn/2.0# vim vars 
[...]
# Subject defaults used by easy-rsa 2.0's build-ca / build-key* scripts
# (sourced with `source vars` before running them). Values without spaces
# need no quoting. Only the DN fields are set here; KEY_SIZE is left at the
# easy-rsa default (1024) — set `export KEY_SIZE=2048` too if you want
# stronger keys, and point server.conf at the resulting dh2048.pem.
export KEY_COUNTRY=BR
export KEY_PROVINCE=PA
export KEY_CITY=Belem
export KEY_ORG=Exemplo
export KEY_EMAIL=admin@exemplo.org
[...]
root@gateway:/etc/openvpn/2.0# source vars 
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/2.0/keys
root@gateway:/etc/openvpn/2.0# ./clean-all
root@gateway:/etc/openvpn/2.0# ./build-ca 
Generating a 1024 bit RSA private key
......++++++
....++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BR]:
State or Province Name (full name) [PA]:
Locality Name (eg, city) [Belem]:
Organization Name (eg, company) [Exemplo]:
Organizational Unit Name (eg, section) [changeme]:TI
Common Name (eg, your name or your server's hostname) [changeme]:Exemplo CA
Name [changeme]:Exemplo CA
Email Address [admin@exemplo.org]:
root@gateway:/etc/openvpn/2.0# ./build-key-server gateway
Generating a 1024 bit RSA private key
...++++++
......++++++
writing new private key to 'gateway.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BR]:
State or Province Name (full name) [PA]:
Locality Name (eg, city) [Belem]:
Organization Name (eg, company) [Exemplo]:
Organizational Unit Name (eg, section) [changeme]:TI
Common Name (eg, your name or your server's hostname) [gateway]:
Name [changeme]:Exemplo CA
Email Address [admin@exemplo.org]:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'BR'
stateOrProvinceName   :PRINTABLE:'PA'
localityName          :PRINTABLE:'Belem'
organizationName      :PRINTABLE:'Exemplo'
organizationalUnitName:PRINTABLE:'TI'
commonName            :PRINTABLE:'gateway'
name                  :PRINTABLE:'Exemplo CA'
emailAddress          :IA5STRING:'admin@exemplo.org'
Certificate is to be certified until Jul 11 14:55:50 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@gateway:/etc/openvpn/2.0# ./build-dh 
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.....+........................................................+.+.........................+...................+.........+...........+....+......................+....................+.........................+......................+............+.............................................................................................................+..............................+................+............................................+...........................+..................................................................................................................................+.............................................................................................................................+.......................................+.........+....+....................................................++*++*++*
root@gateway:/etc/openvpn/2.0# ./build-key maq-externa
Generating a 1024 bit RSA private key
.................................++++++
...................++++++
writing new private key to 'maq-externa.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BR]:
State or Province Name (full name) [PA]:
Locality Name (eg, city) [Belem]:
Organization Name (eg, company) [Exemplo]:
Organizational Unit Name (eg, section) [changeme]:TI
Common Name (eg, your name or your server's hostname) [maq-externa]:
Name [changeme]:Exemplo CA
Email Address [admin@exemplo.org]:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'BR'
stateOrProvinceName   :PRINTABLE:'PA'
localityName          :PRINTABLE:'Belem'
organizationName      :PRINTABLE:'Exemplo'
organizationalUnitName:PRINTABLE:'TI'
commonName            :PRINTABLE:'maq-externa'
name                  :PRINTABLE:'Exemplo CA'
emailAddress          :IA5STRING:'admin@exemplo.org'
Certificate is to be certified until Jul 11 15:00:03 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@gateway:/etc/openvpn/2.0/keys# cat /etc/openvpn/server.conf 
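# /etc/openvpn/server.conf — gateway side of the host-to-gateway tunnel.
# Routed (tun) UDP server that hands out 10.8.0.0/24 and pushes two LAN routes.
dev tun
proto udp

server 10.8.0.0 255.255.255.0
# Resolvers and routes pushed to the client. The client applies them directly
# (routing table, and /etc/resolv.conf via update-resolv-conf), so push only
# what the client should trust.
push "dhcp-option DNS 192.0.2.200"
# FIXME: "198.51.210" is not a complete IPv4 address (three octets). Replace it
# with the resolver's full dotted quad (presumably one inside 198.51.100.0/24,
# the network routed below) — as written it cannot be what was intended.
push "dhcp-option DNS 198.51.210"
push "route 192.0.2.0 255.255.255.0"
push "route 198.51.100.0 255.255.255.0"

port 5000
# comp-lzo must be set identically on the client. Compressing attacker-
# influenced traffic inside the tunnel is a known oracle risk (VORACLE);
# if compression is not needed, remove it on both sides.
comp-lzo
verb 4

keepalive 10 120
# Required once privileges are dropped to nobody below: the key files and the
# tun device cannot be re-opened on a SIGUSR1 restart.
persist-key
persist-tun
# Accept authenticated packets from a changed client source address (roaming).
float

# Drop root after start-up; the TLS material is already loaded (persist-key).
user nobody
group nogroup
tls-server

# PKI generated with easy-rsa 2.0; ./clean-all creates the keys directory
# with go-rwx. ca.key also lives there — it is not needed at run time and
# should be kept offline or at least root-only. 1024-bit RSA/DH (easy-rsa's
# KEY_SIZE default) is weak; regenerate with KEY_SIZE=2048, after which
# build-dh writes dh2048.pem and the `dh` line below must be updated.
ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/gateway.crt
key /etc/openvpn/2.0/keys/gateway.key
dh /etc/openvpn/2.0/keys/dh1024.pem

# Recommended hardening — each option must be configured identically on the
# client, so enable them on both sides at the same time:
#   stronger cipher/HMAC than the OpenVPN 2.2 defaults (BF-CBC / SHA1):
# cipher AES-256-CBC
# auth SHA256
#   HMAC "firewall" on the control channel; generate the key once with
#   `openvpn --genkey --secret /etc/openvpn/2.0/keys/ta.key`, copy ta.key
#   to the client and use direction 1 there:
# tls-auth /etc/openvpn/2.0/keys/ta.key 0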
root@gateway:/etc/openvpn/2.0/keys# service openvpn restart
[ ok ] Stopping virtual private network daemon: server.
[ ok ] Starting virtual private network daemon: server.
root@gateway:/etc/openvpn/2.0/keys# ifconfig tun0
tun0      Link encap:Não Especificado  Endereço de HW 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet end.: 10.8.0.1  P-a-P:10.8.0.2  Masc:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Métrica:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          colisões:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
root@gateway:/etc/openvpn/2.0/keys# mkdir cliente
root@gateway:/etc/openvpn/2.0/keys# cp ca.crt dh1024.pem maq-externa.crt maq-externa.key cliente/
root@gateway:/etc/openvpn/2.0/keys# tar -cvf cliente.tar cliente
cliente/
cliente/ca.crt
cliente/maq-externa.crt
cliente/maq-externa.key
cliente/dh1024.pem
root@gateway:/etc/openvpn/2.0/keys# scp cliente.tar 203.0.113.10:

No cliente

Observação: `cliente.tar` contém a chave privada do cliente (`maq-externa.key`), gerada no gateway; depois de extrair, confira que só root consegue lê-la e apague o tar. O `dh1024.pem` não é usado pelo cliente (a diretiva `dh` só tem efeito em `tls-server`), então não precisa ser copiado. Como o cliente usa `pull` e `update-resolv-conf`, as rotas e os servidores DNS enviados pelo gateway são aplicados na máquina — conecte apenas a um gateway que você controla.

root@maq-exetrna:~# apt-get install openvpn resolvconf ntpdate
root@maq-exetrna:~# mkdir /etc/openvpn/keys
root@maq-exetrna:~# tar -xvf cliente.tar -C /etc/openvpn/keys/
cliente/
cliente/ca.crt
cliente/maq-externa.crt
cliente/maq-externa.key
cliente/dh1024.pem
root@maq-exetrna:~# ls /etc/openvpn/keys/cliente/
ca.crt  dh1024.pem  maq-externa.crt  maq-externa.key
root@maq-exetrna:~# cat /etc/openvpn/client.conf
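# /etc/openvpn/client.conf — external host side of the tunnel.
dev tun
proto udp
client
# pull: accept routes and DNS servers pushed by the gateway. They are applied
# to the routing table and (through update-resolv-conf) to /etc/resolv.conf,
# so this only belongs on a client that trusts the gateway.
pull

remote 203.0.113.1
port 5000
# Must match the server's comp-lzo setting. Compression inside the tunnel is
# a known oracle risk (VORACLE); drop it on both sides if it is not needed.
comp-lzo

verb 4
keepalive 10 120
# Required because privileges are dropped to nobody below (keys and the tun
# device cannot be re-opened on restart).
persist-key
persist-tun
float
user nobody
group nogroup
# Verify that the peer presented a *server* certificate, so that another
# client certificate signed by the same CA cannot impersonate the gateway.
# remote-cert-tls is the non-deprecated replacement for `ns-cert-type server`;
# easy-rsa 2.0's build-key-server is expected to issue certificates carrying
# both nsCertType=server and the serverAuth EKU this checks. If the handshake
# fails with a certificate-purpose error, fall back to `ns-cert-type server`.
remote-cert-tls server

tls-client
ca /etc/openvpn/keys/cliente/ca.crt
cert /etc/openvpn/keys/cliente/maq-externa.crt
# Private key of this client: keep it readable by root only (mode 600).
key /etc/openvpn/keys/cliente/maq-externa.key
# No `dh` here: DH parameters are only used by a TLS server, so dh1024.pem
# does not need to be shipped to the client at all.

# Level 2 is all update-resolv-conf needs. Level 3 additionally exposes
# passwords to scripts through the environment, and the `system` execution
# method runs scripts via a shell instead of the default execve — neither is
# required here.
script-security 2

up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

# Recommended hardening — must mirror the server side exactly, so enable
# on both ends together (ta.key is generated on the server and copied here):
# cipher AES-256-CBC
# auth SHA256
# tls-auth /etc/openvpn/keys/cliente/ta.key 1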
root@maq-exetrna:~# ntpdate -u a.ntp.br
13 Jul 12:48:54 ntpdate[3901]: adjust time server 200.160.0.8 offset -0.019327 sec
root@maq-exetrna:~# service openvpn restart
[ ok ] Stopping virtual private network daemon:.
[ ok ] Starting virtual private network daemon: client.
root@maq-exetrna:~# service resolvconf restart
[ ok ] Restarting resolvconf...done.
root@maq-exetrna:~# ifconfig tun0
tun0      Link encap:Não Especificado  Endereço de HW 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet end.: 10.8.0.6  P-a-P:10.8.0.5  Masc:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Métrica:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          colisões:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
root@maq-exetrna:~# route -n
Tabela de Roteamento IP do Kernel
Destino         Roteador        MáscaraGen.    Opções Métrica Ref   Uso Iface
0.0.0.0         10.0.2.2        0.0.0.0         UG    0      0        0 eth0
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.0.2.0       10.8.0.5        255.255.255.0   UG    0      0        0 tun0
198.51.100.0    10.8.0.5        255.255.255.0   UG    0      0        0 tun0
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1