{"id":1365,"date":"2021-12-25T23:07:06","date_gmt":"2021-12-26T02:07:06","guid":{"rendered":"https:\/\/blog.abratel.com.br\/?p=1365"},"modified":"2021-12-25T23:23:30","modified_gmt":"2021-12-26T02:23:30","slug":"openvpn-linux-resumo-facil-e-agil-das-configuracoes","status":"publish","type":"post","link":"https:\/\/blog.abratel.com.br\/?p=1365","title":{"rendered":"OpenVPN Linux – Resumo facil e agil das configuracoes"},"content":{"rendered":"

Instalar e Criar as chaves<\/p>\n

Minha versao servidor:
\n[root@jupiter openvpn]# openvpn –version
\nOpenVPN 2.4.9 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH\/PKTINFO] [AEAD] built on Apr 24 2020
\nlibrary versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06<\/p>\n

Minha versao cliente linux:
\n[root@~]# openvpn –version
\nOpenVPN 2.4.11 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH\/PKTINFO] [AEAD] built on Apr 21 2021
\nlibrary versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06<\/p>\n

Minha versao Windao:
\nOpenVPN GUI v 11.25.0.0<\/p>\n

LADO SERVIDOR:<\/p>\n

1 – Instalar openvpn<\/p>\n

\n[root@jupiter ips]# yum install epel-release -y\n[root@jupiter ips]# yum install -y wget openvpn\n<\/pre>\n
2 – Instalar Easy RSA<\/p>\n
\n[root@jupiter ips]# wget https:\/\/github.com\/OpenVPN\/easy-rsa\/archive\/v3.0.8.tar.gz\n[root@jupiter ips]# tar -xf v3.0.8.tar.gz\n[root@jupiter ips]# cd \/etc\/openvpn\/\n[root@jupiter ips]# mkdir \/etc\/openvpn\/easy-rsa\n[root@jupiter ips]# mv \/root\/easy-rsa-3.0.8 \/etc\/openvpn\/easy-rsa\n\n4 - Criandos as chaves no server, certificados, etc\n\n[root@jupiter ips]# cd \/etc\/ppenvpn\\easy-rsa\n[root@jupiter ips]# . .\/vars\n[root@jupiter ips]# .\/clean-all\n[root@jupiter ips]# .\/build-ca\n[root@jupiter ips]# .\/build-key-server server\n<\/pre>\n
4 – Configuracao do servidor (seu arquivo tem que estar assim)<\/p>\n
\n[root@jupiter ips]# cat \/etc\/openvpn\/server.conf\nport 1195\nproto udp\ndev tun\nca \/etc\/openvpn\/ca.crt\ncert \/etc\/openvpn\/server.crt\nkey \/etc\/openvpn\/server.key\n# range de trabalho da sua VPN\nserver 10.8.0.0 255.255.255.0\npush "route 192.168.254.0 255.255.255.0"\ndh \/etc\/openvpn\/dh2048.pem\npersist-key\npersist-tun\ncomp-lzo\nuser root\ngroup wheel\nclient-to-client\n# setar ip fixo\/ static para os clientes da vpn\nclient-config-dir \/etc\/openvpn\/ips\nmax-clients 10\nstatus \/var\/log\/openvpn\/status.log\nlog         \/var\/log\/openvpn\/openvpn.log\nlog-append  \/var\/log\/openvpn\/openvpn.log\nverb 3\nexplicit-exit-notify 1\n<\/pre>\n
5 – Gerando chaves para o cliente:<\/p>\n
\n[root@jupiter ips]# source .\/vars\n[root@jupiter ips]# .\/build-key client1\n<\/pre>\n
6 – Mostrando as chaves geradas (usuaremos para criar o arquivo na maq cliente):<\/p>\n
\n\n[root@jupiter ips]# cat \/etc\/openvpn\/easy-rsa\/keys\/cliente1.key\n[root@jupiter ips]# cat \/etc\/openvpn\/easy-rsa\/keys\/sanjosepc.crt\n[root@jupiter ips]# cat \/etc\/openvpn\/easy-rsa\/keys\/ca.crt\n<\/pre>\n
7 – Criacao do arquivo tem que ser com o mesmo nome do certificado com o conteudo do ip<\/p>\n
\n[root@jupiter ips]# mkdir \/etc\/openvpn\/ips\n[root@jupiter ips]# cat client1\nifconfig-push 10.8.0.177 10.8.0.178\n<\/pre>\n
8 – Os ips devem seguir a subnet \/30 e os pares de escolha estao abaixo (no exemplo acima escolhi o 177 e 178):<\/p>\n
\n\n[  1,  2] [  5,  6] [  9, 10] [ 13, 14] [ 17, 18]\n[ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]\n[ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]\n[ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]\n[ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]\n[101,102] [105,106] [109,110] [113,114] [117,118]\n[121,122] [125,126] [129,130] [133,134] [137,138]\n[141,142] [145,146] [149,150] [153,154] [157,158]\n[161,162] [165,166] [169,170] [173,174] [177,178]\n[181,182] [185,186] [189,190] [193,194] [197,198]\n[201,202] [205,206] [209,210] [213,214] [217,218]\n[221,222] [225,226] [229,230] [233,234] [237,238]\n[241,242] [245,246] [249,250] [253,254]\n\n<\/pre>\n
9 – Criando os arquivos de log<\/p>\n
\n\n[root@jupiter ips]# touch \/var\/log\/openvpn\/openvpn.log\n[root@jupiter ips]# touch \/var\/log\/openvpn\/status.log\n\n<\/pre>\n
Ativando no boot e, iniciando (server eh porque demos o nome do arquvio da vpn de server)<\/p>\n
\n[root@jupiter ips]#systemctl enable openvpn@server\n[root@jupiter ips]#systemctl restart openvpn@server\n<\/pre>\n
10 – Firewall adequacoes:<\/p>\n
Obs: minha eth0 eh minha la do servidor (dhcp para rede) e o tun0 eh a openvpn criada<\/p>\n
\n\niptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -o eth0 -j MASQUERADE\niptables -A INPUT -i tun0 -j ACCEPT\niptables -A OUTPUT -o tun0 -j ACCEPT\niptables -A FORWARD -i tun0 -j ACCEPT\niptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT\niptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT\n\n<\/pre>\n
———————————————————————————-<\/p>\n
LADO CLIENTE:<\/p>\n
Windows:<\/p>\n
1 – baixar o openvpn, criar um atalho na area de trabalho e IMPORTANTE nas propriedades setar para abrir como Administrador (caso contrario algumas vezes a rota nao eh criada corretamente no windows).
\n2 – Ir em C:\\Program Files\\OpenVPN\\config  criar um diretorio com o nome da sua VPN, exemplo Escritorio
\n3 – Criar um arquivo chamado escritorio.ovpv dentro de C:\\Program Files\\OpenVPN\\config\\Escritorio contendo:<\/p>\n
\n\nclient\ndev tun\nproto tcp-client\n# ip fixo ou dns do seu servidor openvpn\nremote servidor.dns.com.br\nport 1190\nnobind\npersist-key\npersist-tun\ntls-client\nremote-cert-tls server\nverb 1\n# as redes do outro lado que quer atingir\nroute 10.66.0.0 255.255.255.0\nroute 192.168.2.0 255.255.255.0\nmute 10\ncipher AES-256-CBC\nauth SHA1\nauth-nocache\n# se tivesse autenticacao de usuario e senha habilitariamos abaixo\n#auth-user-pass\n\n#auth-user-pass secret\n\n&lt;ca&gt;\n-----BEGIN CERTIFICATE-----\ncalo seu certificado CA aqui\n-----END CERTIFICATE-----\n&lt;\/ca&gt;\n&lt;cert&gt;\n-----BEGIN CERTIFICATE-----\ncola seu certificado do client1 aqui (as vezes tem algo mais nesse arquivo mas eh necessarios somente colar o Begin ao END\n-----END CERTIFICATE-----\n&lt;\/cert&gt;\n&lt;key&gt;\n-----BEGIN ENCRYPTED PRIVATE KEY-----\ncola a key do client1 aqui\n-----END ENCRYPTED PRIVATE KEY-----\n&lt;\/key&gt;\n<\/pre>\n
4 – Abre a OpenVPN gui e com botao direito localiza escritorio e mande conectar<\/p>\n
NO LINUX:
\n1 – Depois de instalar openvpn
\n2 – Criar o arquivo cliente<\/p>\n
\n[root@client1 ~]# cat \/etc\/openvpn\/escritorio.conf\nclient\ndev tun\nproto udp\n# ip ou dns do servidor openvpn\nremote servidor.dns.com.br\nport 1195\nnobind\npersist-key\npersist-tun\nremote-cert-tls escritorio\nresolv-retry infinite\ncomp-lzo\nkeepalive 10 120\nca \/etc\/openvpn\/client\/ca.crt\ncert \/etc\/openvpn\/client\/escritorio.crt\nkey \/etc\/openvpn\/client\/escritorio.key\n<\/pre>\n
2 – Disponibilizar os arquivos como listados:<\/p>\n
\n[root@client1 ~]# ls \/etc\/openvpn\/client\/\nca.crt\nescritorio.crt\nescritorio.key\n<\/pre>\n
3 – Iniciar o servico<\/p>\n
\n[root@client1 ips]#systemctl enable openvpn@escritorio\n[root@client1 ips]#systemctl restart openvpn@escritorio\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
Instalar e Criar as chaves Minha versao servidor: [root@jupiter openvpn]# openvpn –version OpenVPN 2.4.9 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH\/PKTINFO] [AEAD] built on Apr 24 2020 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06 Minha versao cliente linux: [root@~]#…<\/p>\n","protected":false},"author":1,"featured_media":1369,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[7],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=\/wp\/v2\/posts\/1365"}],"collection":[{"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1365"}],"version-history":[{"count":12,"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=\/wp\/v2\/posts\/1365\/revisions"}],"predecessor-version":[{"id":1381,"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=\/wp\/v2\/posts\/1365\/revisions\/1381"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=\/wp\/v2\/media\/1369"}],"wp:attachment":[{"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1365"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1365"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1365"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}