пакет_openvpn [2020/04/19 13:21] val [Использование PAM аутентификации вместо клиентских сертификатов] |
пакет_openvpn [2024/06/14 07:00] val |
Line 8: | Line 8: | ||
<code> | <code> | ||
# apt install openvpn | # apt install openvpn | ||
- | |||
- | # cd /etc/openvpn/ | ||
</code> | </code> | ||
Line 27: | Line 25: | ||
=== Настройка сервера === | === Настройка сервера === | ||
<code> | <code> | ||
- | # cp ca.crt /etc/ssl/certs/ | + | # cp ca.* /etc/ssl/certs/ |
# cp gate.crt /etc/ssl/certs/ | # cp gate.crt /etc/ssl/certs/ | ||
# cp gate.key /etc/ssl/private/ | # cp gate.key /etc/ssl/private/ | ||
- | gate# cat /etc/openvpn/openvpn.conf | + | gate# cat /etc/openvpn/openvpn1.conf |
</code><code> | </code><code> | ||
dev tun | dev tun | ||
Line 39: | Line 37: | ||
server 192.168.200+X.0 255.255.255.0 | server 192.168.200+X.0 255.255.255.0 | ||
push "route 192.168.100+X.0 255.255.255.0" | push "route 192.168.100+X.0 255.255.255.0" | ||
- | dh dh2048.pem | + | |
+ | #push "route 192.168.X.0 255.255.255.0" | ||
+ | #push "dhcp-option DNS 192.168.X.10" | ||
+ | #push "block-outside-dns" | ||
+ | #push "dhcp-option DOMAIN corpX.un" | ||
+ | |||
+ | dh /etc/openvpn/dh2048.pem | ||
ca /etc/ssl/certs/ca.crt | ca /etc/ssl/certs/ca.crt | ||
crl-verify /etc/ssl/certs/ca.crl | crl-verify /etc/ssl/certs/ca.crl | ||
cert /etc/ssl/certs/gate.crt | cert /etc/ssl/certs/gate.crt | ||
key /etc/ssl/private/gate.key | key /etc/ssl/private/gate.key | ||
- | status /var/log/openvpn-status.log | + | |
+ | status /var/log/openvpn1-status.log | ||
</code> | </code> | ||
- | Тестирование конфигурации | + | === Тестирование конфигурации === |
<code> | <code> | ||
- | # openvpn --config /etc/openvpn/openvpn.conf | + | # openvpn --config /etc/openvpn/openvpn1.conf |
+ | |||
+ | # timeout 5 openvpn --port 65500 --config /etc/openvpn/openvpn1.conf; test $? -eq 124 && echo OK | ||
</code> | </code> | ||
- | Включение и запуск | + | === Включение и запуск === |
<code> | <code> | ||
- | # systemctl enable openvpn@openvpn | + | # systemctl enable openvpn@openvpn1 |
- | # systemctl start openvpn@openvpn | + | # systemctl start openvpn@openvpn1 |
</code> | </code> | ||
- | === Настройка клиента === | + | ==== Настройка клиента ==== |
+ | |||
+ | === Windows === | ||
* [[https://mail.bmstu.ru/~postmaster/openvpn-install-2.4.0-I601.exe]] | * [[https://mail.bmstu.ru/~postmaster/openvpn-install-2.4.0-I601.exe]] | ||
+ | * [[https://openvpn.net/community-downloads/|OpenVPN community downloads]] | ||
* Начиная с Windows 7 необходимо запускать OpenVPN с правами администратора | * Начиная с Windows 7 необходимо запускать OpenVPN с правами администратора | ||
* [[Пакет OpenSSL#Создание пользовательского сертификата, подписанного CA]] | * [[Пакет OpenSSL#Создание пользовательского сертификата, подписанного CA]] | ||
<code> | <code> | ||
+ | Start OpenVPN GUI | ||
+ | |||
C:\>notepad C:\Users\student\OpenVPN\config\user1.ovpn | C:\>notepad C:\Users\student\OpenVPN\config\user1.ovpn | ||
</code><code> | </code><code> | ||
Line 78: | Line 91: | ||
cert user1.crt | cert user1.crt | ||
key user1.key | key user1.key | ||
+ | </code> | ||
+ | |||
+ | === Linux === | ||
+ | |||
+ | <code> | ||
+ | debian:~# apt install openvpn resolvconf wget | ||
+ | |||
+ | debian:~# openvpn --script-security 2 --up /etc/openvpn/update-resolv-conf --down /etc/openvpn/update-resolv-conf --config user1.ovpn | ||
</code> | </code> | ||
Line 85: | Line 106: | ||
<code> | <code> | ||
- | gate# cat openvpn.conf | + | gate# cat /etc/openvpn/openvpn1.conf |
</code><code> | </code><code> | ||
... | ... | ||
client-config-dir ccd | client-config-dir ccd | ||
+ | #route 192.168.100+Y.0 255.255.255.0 | ||
... | ... | ||
</code><code> | </code><code> | ||
- | gate# cat ccd/userN | + | gate# cat /etc/openvpn/ccd/userN |
</code><code> | </code><code> | ||
ifconfig-push 192.168.200+X.4*N+2 192.168.200+X.4*N+1 | ifconfig-push 192.168.200+X.4*N+2 192.168.200+X.4*N+1 | ||
+ | #iroute 192.168.100+Y.0 255.255.255.0 | ||
</code> | </code> | ||
- | ==== Использование PAM аутентификации вместо клиентских сертификатов ==== | + | ==== Использование PAM аутентификации ==== |
* [[https://www.linuxsysadmintutorials.com/setup-pam-authentication-with-openvpns-auth-pam-module|Setup PAM authentication with OpenVPN's auth-pam module]] | * [[https://www.linuxsysadmintutorials.com/setup-pam-authentication-with-openvpns-auth-pam-module|Setup PAM authentication with OpenVPN's auth-pam module]] | ||
* [[https://github.com/OpenVPN/openvpn/tree/master/src/plugins/auth-pam|openvpn/src/plugins/auth-pam/]] | * [[https://github.com/OpenVPN/openvpn/tree/master/src/plugins/auth-pam|openvpn/src/plugins/auth-pam/]] | ||
+ | * [[https://openvpn.net/community-resources/using-alternative-authentication-methods/|OpenVPN Using alternative authentication methods]] | ||
+ | * [[Пакет OpenSSL#Создание самоподписанного сертификата]] | ||
<code> | <code> | ||
- | server# cat /etc/pam.d/login | + | gate# less /etc/pam.d/login |
- | server# cat openvpn.conf | + | gate# cat /etc/openvpn/openvpn1.conf |
</code><code> | </code><code> | ||
... | ... | ||
+ | #### crl-verify ... | ||
+ | |||
ca /etc/ssl/certs/server.crt | ca /etc/ssl/certs/server.crt | ||
cert /etc/ssl/certs/server.crt | cert /etc/ssl/certs/server.crt | ||
Line 113: | Line 140: | ||
verify-client-cert none | verify-client-cert none | ||
username-as-common-name | username-as-common-name | ||
+ | #duplicate-cn #несколько подключений под одной учетной записью | ||
</code><code> | </code><code> | ||
- | C:\>notepad C:\Program Files\OpenVPN\config\client.ovpn | + | cmd run as admin C:\>notepad C:\Program Files\OpenVPN\config\client.ovpn |
</code><code> | </code><code> | ||
- | dev tun | + | ... |
- | client | + | |
- | remote 172.16.1.X | + | |
auth-user-pass | auth-user-pass | ||
<ca> | <ca> | ||
Line 131: | Line 157: | ||
===== Настройка peer2peer конфигурации ===== | ===== Настройка peer2peer конфигурации ===== | ||
+ | |||
+ | * В новых версиях (с Debian12) теперь так: [[https://wiki.gentoo.org/wiki/OpenVPN/fingerprint-authentication|OpenVPN/fingerprint-authentication]] | ||
==== Debian/Ubuntu/FreeBSD ==== | ==== Debian/Ubuntu/FreeBSD ==== | ||
<code> | <code> | ||
+ | gate.corpX.un# cd /etc/openvpn/ | ||
+ | |||
gate.corpX.un# openvpn --genkey --secret static.key | gate.corpX.un# openvpn --genkey --secret static.key | ||
- | gate.corpX.un# scp static.key gate.corpY.un: | + | gate.corpX.un# scp static.key gate.corpY.un:/etc/openvpn/ |
gate.corpX.un# cat connect_to_Y.conf | gate.corpX.un# cat connect_to_Y.conf | ||
Line 147: | Line 177: | ||
ifconfig 192.168.X+Y.X 192.168.X+Y.Y | ifconfig 192.168.X+Y.X 192.168.X+Y.Y | ||
route 192.168.100+Y.0 255.255.255.0 | route 192.168.100+Y.0 255.255.255.0 | ||
- | secret /root/static.key | + | secret /etc/openvpn/static.key |
</code> | </code> | ||
Line 161: | Line 191: | ||
</code> | </code> | ||
- | ===== Запуск сервиса ===== | ||
- | |||
- | ==== Debian/Ubuntu ==== | ||
- | <code> | ||
- | # service openvpn@openvpn start | ||
- | </code> | ||
===== Мониторинг сервиса ===== | ===== Мониторинг сервиса ===== | ||
<code> | <code> | ||
- | gate# cat /var/log/openvpn-status.log | + | gate# cat /var/log/openvpn1-status.log |
gate# tail -f /var/log/syslog | gate# tail -f /var/log/syslog | ||
- | gate# cat openvpn.conf | + | gate# cat /etc/openvpn/openvpn1.conf |
</code><code> | </code><code> | ||
... | ... | ||
management localhost 7505 | management localhost 7505 | ||
+ | # management 0.0.0.0 7505 | ||
... | ... | ||
</code><code> | </code><code> | ||
Line 183: | Line 208: | ||
</code><code> | </code><code> | ||
status | status | ||
+ | |||
+ | kill user1 | ||
</code> | </code> | ||
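Review bot: The new `cp ca.* /etc/ssl/certs/` in the hunk at Line 27/Line 25 copies every file matching the glob, so if the CA private key (ca.key) sits in the same directory as ca.crt and ca.crl it lands in /etc/ssl/certs/, which is normally world-readable and is the wrong place for a secret. The server config below only needs ca.crt and ca.crl there (for `ca` and `crl-verify`), so name them explicitly: `# cp ca.crt ca.crl /etc/ssl/certs/`. A related point in the monitoring hunk at Line 161/Line 191: the suggested `# management 0.0.0.0 7505` would expose the management console, which can terminate sessions as the closing `kill user1` shows, on every interface with no authentication, so it should stay bound to localhost or at least carry the password-file argument (`management 0.0.0.0 7505 /etc/openvpn/MGMT_PW_FILE` — placeholder path).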