Creditos e leitura recomendada: http:\/\/blogdonerd.com.br\/2012\/06\/openvpn-servidor-ubuntu-e-clientes-windows-e-linux\/ – Angelo<\/p>\n
Caso o link esteja indispon\u00edvel segue abaixo conte\u00fado em forma texto (sem imagens) adicionado de algumas observa\u00e7oes:<\/p>\n
1. Instala\u00e7\u00e3o do Servidor OpenVPN e Cria\u00e7\u00e3o da CA Local
\nPara instalar o OpenVPN no Ubuntu execute:
\napt-get install openvpn
\nAp\u00f3s a instala\u00e7\u00e3o, copie os arquivos de exemplo de configura\u00e7\u00e3o da pasta \/usr\/share\/doc\/openvpn\/examples\/easy-rsa\/2.0\/ para a pasta \/etc\/openvpn.<\/p>\n
cp \/usr\/share\/doc\/openvpn\/examples\/easy-rsa\/2.0\/* \/etc\/openvpn
\nRenomeie ou crie uma c\u00f3pia do arquivo \/etc\/openvpn\/openssl-1.0.0.cnf para \/etc\/openvpn\/openssl.cnf.<\/p>\n
cp \/etc\/openvpn\/openssl-1.0.0.cnf \/etc\/openvpn\/openssl.cnf
\nEdite o arquivo \/etc\/openvpn\/vars ajustando as \u00faltimas linhas iniciadas por KEY para refletir o seu ambiente.<\/p>\n
\u00c9 interessante, por\u00e9m n\u00e3o obrigat\u00f3rio, que o par\u00e2metro KEY_CN tenha o mesmo valor que o hostname do servidor OpenVPN.<\/p>\n
Se existir, remova as \u00faltimas linhas referentes as chaves PKCS11_MODULE_PATH e PKCS11_PIN. Se existir uma chave duplicada KEY_EMAIL, remova-a tamb\u00e9m.<\/p>\n
O tempo padr\u00e3o para a expira\u00e7\u00e3o do certificado da CA e das chaves a serem geradas \u00e9 de 10 anos (3650 dias). Se preferir altere estes valores editando os par\u00e2metros CA_EXPIRE e KEY_EXPIRE.<\/p>\n
O tamanho da chave de criptografia est\u00e1 definido como 1024 bits. Se quiser mudar este valor edite o par\u00e2metro KEY_SIZE.O conte\u00fado de meu \/etc\/openvpn\/vars segue abaixo:<\/p>\n
# easy-rsa parameter settings
\n# NOTE: If you installed from an RPM,
\n# don’t edit this file in place in
\n# \/usr\/share\/openvpn\/easy-rsa —
\n# instead, you should copy the whole
\n# easy-rsa directory to another location
\n# (such as \/etc\/openvpn) so that your
\n# edits will not be wiped out by a future
\n# OpenVPN package upgrade.<\/p>\n
# This variable should point to
\n# the top level of the easy-rsa
\n# tree.
\nexport EASY_RSA=”`pwd`”<\/p>\n
#
\n# This variable should point to
\n# the requested executables
\n#
\nexport OPENSSL=”openssl”
\nexport PKCS11TOOL=”pkcs11-tool”
\nexport GREP=”grep”<\/p>\n
# This variable should point to
\n# the openssl.cnf file included
\n# with easy-rsa.
\nexport KEY_CONFIG=`$EASY_RSA\/whichopensslcnf $EASY_RSA`<\/p>\n
# Edit this variable to point to
\n# your soon-to-be-created key
\n# directory.
\n#
\n# WARNING: clean-all will do
\n# a rm -rf on this directory
\n# so make sure you define
\n# it correctly!
\nexport KEY_DIR=”$EASY_RSA\/keys”<\/p>\n
# Issue rm -rf warning
\necho NOTE: If you run .\/clean-all, I will be doing a rm -rf on $KEY_DIR<\/p>\n
# PKCS11 fixes
\nexport PKCS11_MODULE_PATH=”dummy”
\nexport PKCS11_PIN=”dummy”<\/p>\n
# Increase this to 2048 if you
\n# are paranoid. This will slow
\n# down TLS negotiation performance
\n# as well as the one-time DH parms
\n# generation process.
\nexport KEY_SIZE=1024<\/p>\n
# In how many days should the root CA key expire?
\nexport CA_EXPIRE=3650<\/p>\n
# In how many days should certificates expire?
\nexport KEY_EXPIRE=3650<\/p>\n
# These are the default values for fields
\n# which will be placed in the certificate.
\n# Don’t leave any of these fields blank.
\nexport KEY_COUNTRY=”BR”
\nexport KEY_PROVINCE=”SP”
\nexport KEY_CITY=”S\u00e3o Paulo”
\nexport KEY_ORG=”Blog do Nerd”
\nexport KEY_EMAIL=”nerd@blogdonerd.email.com”
\nexport KEY_CN=”openvpn”
\nexport KEY_NAME=”Blog do Nerd CA”
\nexport KEY_OU=”Divis\u00e3o de TI”
\nAgora execute os comandos abaixo:<\/p>\n
source \/etc\/openvpn\/vars
\n\/etc\/openvpn\/clean-all
\n\/etc\/openvpn\/build-ca
\n\/etc\/openvpn\/build-dh
\nConfirme os valores solicitados pelo build-ca, que ser\u00e3o os mesmos definidos no arquivo \/etc\/openvpn\/vars.<\/p>\n
A sa\u00edda dos comandos ser\u00e1 semelhante a abaixo:<\/p>\n
root@openvpn:\/etc\/openvpn# source \/etc\/openvpn\/vars
\nNOTE: If you run .\/clean-all, I will be doing a rm -rf on \/etc\/openvpn\/keys
\nroot@openvpn:\/etc\/openvpn# \/etc\/openvpn\/clean-all
\nroot@openvpn:\/etc\/openvpn# \/etc\/openvpn\/build-ca
\nGenerating a 1024 bit RSA private key
\n………..++++++
\n…………++++++
\nwriting new private key to ‘ca.key’
\n—–
\nYou are about to be asked to enter information that will be incorporated
\ninto your certificate request.
\nWhat you are about to enter is what is called a Distinguished Name or a DN.
\nThere are quite a few fields but you can leave some blank
\nFor some fields there will be a default value,
\nIf you enter ‘.’, the field will be left blank.
\n—–
\nCountry Name (2 letter code) [BR]:
\nState or Province Name (full name) [SP]:
\nLocality Name (eg, city) [S\u00e3o Paulo]:
\nOrganization Name (eg, company) [Blog do Nerd]:
\nOrganizational Unit Name (eg, section) [Divis\u00e3o de TI]:
\nCommon Name (eg, your name or your server’s hostname) [openvpn]:
\nName [Blog do Nerd CA]:
\nEmail Address [nerd@blogdonerd.email.com]:
\nroot@openvpn:\/etc\/openvpn# \/etc\/openvpn\/build-dh
\nGenerating DH parameters, 1024 bit long safe prime, generator 2
\nThis is going to take a long time
\n……………+…………………….+…………………………….
\n……………………………+……………………………………
\n…….+…………………………………………………………..
\n………………..+……………………………………..+……….
\n+…………+……………………………………………………..
\n…………………………..+……………………………+………
\n………………+………………….+………..+…..+…………….
\n………………………………………………………………….
\n+………………………………+…………….+…..+……………
\n………………………..+……………………………………..+.
\n………………….+………….+..+………………………………
\n…………….+……………………………………………+……+
\n…….+…………………………+……………………………….
\n…………………………………………..+.++*++*++*
\nroot@openvpn:\/etc\/openvpn#
\nA pasta \/etc\/openvpn\/keys ser\u00e1 gerada e dentro dela, 5 arquivos referentes a nova CA criada:<\/p>\n
ca.crt – Certificado P\u00fablico de sua CA.
\nca.key – Chave Privada de sua CA.
\ndh1024.pem – Par\u00e2metros do Diffie-Hellman.
\nindex.txt – Controle das chaves geradas pela nova CA.
\nserial – Controle de n\u00famero serial das chaves geradas pela nova CA.
\n2. Cria\u00e7\u00e3o do Certificado do Servidor
\n\u00c9 necess\u00e1rio a gera\u00e7\u00e3o de um certificado para o servidor OpenVPN.
\nPara fazer isso execute:<\/p>\n
\/etc\/openvpn\/build-key-server server
\nVoc\u00ea pode substituir a palavra server por outra que desejar, s\u00f3 que se fizer isso, lembre-se de fazer os devidos ajustes no arquivo \/etc\/openvpn\/server.conf que ser\u00e1 configurado no pr\u00f3ximo passo.
\nA sa\u00edda do comando ser\u00e1 semelhante a abaixo.
\nAjuste o par\u00e2metro Name para o nome que julgar mais apropriado para seu servidor.
\nRecomendo n\u00e3o atribuir um challenge password.
\nConfirme a assinatura e a atualiza\u00e7\u00e3o do certificado com a tecla ‘y’.<\/p>\n
root@openvpn:\/etc\/openvpn# \/etc\/openvpn\/build-key-server server
\nGenerating a 1024 bit RSA private key
\n……………++++++
\n..++++++
\nwriting new private key to ‘server.key’
\n—–
\nYou are about to be asked to enter information that will be incorporated
\ninto your certificate request.
\nWhat you are about to enter is what is called a Distinguished Name or a DN.
\nThere are quite a few fields but you can leave some blank
\nFor some fields there will be a default value,
\nIf you enter ‘.’, the field will be left blank.
\n—–
\nCountry Name (2 letter code) [BR]:
\nState or Province Name (full name) [SP]:
\nLocality Name (eg, city) [S\u00e3o Paulo]:
\nOrganization Name (eg, company) [Blog do Nerd]:
\nOrganizational Unit Name (eg, section) [Divis\u00e3o de TI]:
\nCommon Name (eg, your name or your server’s hostname) [server]:
\nName [Blog do Nerd CA]:Blog do Nerd – OpenVPN Server
\nEmail Address [nerd@blogdonerd.email.com]:<\/p>\n
Please enter the following ‘extra’ attributes
\nto be sent with your certificate request
\nA challenge password []:
\nAn optional company name []:
\nUsing configuration from \/etc\/openvpn\/openssl.cnf
\nCheck that the request matches the signature
\nSignature ok
\nThe Subject’s Distinguished Name is as follows
\ncountryName : PRINTABLE:’BR’
\nstateOrProvinceName : PRINTABLE:’SP’
\nlocalityName : T61STRING:’Sao Paulo’
\norganizationName : PRINTABLE:’Blog do Nerd’
\norganizationalUnitName: T61STRING:’Divisao de TI’
\ncommonName : PRINTABLE:’server’
\nname : PRINTABLE:’Blog do Nerd – OpenVPN Server’
\nemailAddress : IA5STRING:’nerd@blogdonerd.email.com’
\nCertificate is to be certified until Jun 18 18:57:10 2022 GMT (3650 days)
\nSign the certificate? [y\/n]:y<\/p>\n
1 out of 1 certificate requests certified, commit? [y\/n]y
\nWrite out database with 1 new entries
\nData Base Updated
\nroot@openvpn:\/etc\/openvpn#
\nDois arquivos ser\u00e3o gerados na pasta \/etc\/openvpn\/keys:
\nserver.crt – Certificado p\u00fablico do servidor OpenVPN.
\nserver.key – Chave privada do servidor OpenVPN.
\n3. Configura\u00e7\u00e3o do Servidor OpenVPN
\nGere uma chave TLS (opcional) para aumentar ainda mais a seguran\u00e7a da conex\u00e3o VPN, permitindo a verifica\u00e7\u00e3o de integridade de cada pacote TLS, digitando o seguinte comando:<\/p>\n
openvpn –genkey –secret \/etc\/openvpn\/keys\/ta.key
\nA configura\u00e7\u00e3o do OpenVPN \u00e9 realizada em qualquer arquivo que termine em .conf, localizado na pasta \/etc\/openvpn\/. Neste tutorial iremos usar o arquivo \/etc\/openvpn\/server.conf. Voc\u00ea pode alterar este arquivo para o nome que desejar, desde que ele termine em .conf. Voc\u00ea pode inclusive ter mais de um servi\u00e7o OpenVPN ouvindo em outras portas, basta configurar outro arquivo .conf.<\/p>\n
Crie um \/etc\/openvpn\/server.conf vazio e preencha-o conforme segue.<\/p>\n
Se preferir, voc\u00ea pode iniciar usando o arquivo de configura\u00e7\u00e3o de exemplo do OpenVPN, bastando para isso copiar e descomprimir o arquivo \/usr\/share\/doc\/openvpn\/examples\/sample-config-files\/server.conf.gz para \/etc\/openvpn\/server.conf:<\/p>\n
zcat \/usr\/share\/doc\/openvpn\/examples\/sample-config-files\/server.conf.gz > \/etc\/openvpn\/server.conf
\nAjuste o arquivo \/etc\/openvpn\/server.conf conforme abaixo, tomando o cuidado de alterar as linhas destacadas para refletir a realidade de seu ambiente.<\/p>\n
A linha local 10.0.0.1 indica o IP local do servidor em que OpenVPN ir\u00e1 ouvir por novas conex\u00f5es.
\nA configura\u00e7\u00e3o server 10.15.0.0 255.255.255.0 informa ao servidor OpenVPN que a rede VPN ser\u00e1 10.15.0.0\/24. Altere para a rede que definiu durante a fase de pr\u00e9-requisitos. O primeiro IP dessa rede ser\u00e1 o IP do servidor OpenVPN.
\nSe desejar voc\u00ea pode ajustar a linha push “route 10.0.0.0 255.0.0.0” informando ao OpenVPN para adicionar uma rota na tabela de rotas dos clientes VPN no momento da conex\u00e3o. Neste caso todo o tr\u00e1fego para a rede 10.0.0.0\/8 ser\u00e1 redirecionado pela VPN. Voc\u00ea pode ser mais radical e direcionar todo o tr\u00e1fego de rede pela VPN, incluindo o tr\u00e1fego de Internet. Para fazer isso, substitua a linha push “route 10.0.0.0 255.0.0.0” por push “redirect-gateway def1”.
\nAs configura\u00e7\u00f5es push “dhcp-option” s\u00e3o opcionais e relativas aos par\u00e2metros de DNS a serem informados para o computador cliente. Voc\u00ea pode informar os servidores de DNS locais da rede da sede para que os clientes possam resolver nomes de dom\u00ednio e acessar os servi\u00e7os internos com maior facilidade.
\nMuitos dos par\u00e2metros s\u00e3o opcionais e o OpenVPN \u00e9 extremamente vers\u00e1til e se adapta a praticamente qualquer ambiente. Voc\u00ea pode verificar o manual do OpenVPN para explorar outras configura\u00e7\u00f5es.
\nO arquivo \/etc\/openvpn\/server.conf sugerido \u00e9 o seguinte:<\/p>\n
######################################################################################
\n# OpenVPN 2.0 – Arquivo de configura\u00e7\u00e3o do servidor
\n######################################################################################<\/p>\n
# Which local IP address should OpenVPN
\n# listen on? (optional)
\nlocal 10.0.0.1<\/p>\n
# Which TCP\/UDP port should OpenVPN listen on?
\nport 1194<\/p>\n
# TCP or UDP server?
\nproto udp<\/p>\n
# “dev tun” will create a routed IP tunnel,
\n# “dev tap” will create an ethernet tunnel.
\ndev tun0<\/p>\n
# SSL\/TLS root certificate (ca), certificate
\n# (cert), and private key (key). Each client
\n# and the server must have their own cert and
\n# key file. The server and all clients will
\n# use the same ca file.
\nca \/etc\/openvpn\/keys\/ca.crt
\ncert \/etc\/openvpn\/keys\/server.crt
\nkey \/etc\/openvpn\/keys\/server.key # This file should be kept secret<\/p>\n
# Diffie hellman parameters.
\ndh \/etc\/openvpn\/keys\/dh1024.pem<\/p>\n
# Configure server mode and supply a VPN subnet
\n# for OpenVPN to draw client addresses from.
\nserver 10.15.0.0 255.255.255.0<\/p>\n
# Maintain a record of client virtual IP address
\n# associations in this file. If OpenVPN goes down or
\n# is restarted, reconnecting clients can be assigned
\n# the same virtual IP address from the pool that was
\n# previously assigned.
\nifconfig-pool-persist ipp.txt<\/p>\n
# Push routes to the client to allow it
\n# to reach other private subnets behind
\n# the server. Remember that these
\n# private subnets will also need
\n# to know to route the OpenVPN client
\n# address pool (10.8.0.0\/255.255.255.0)
\n# back to the OpenVPN server.
\npush “route 10.0.0.0 255.0.0.0”<\/p>\n
# Certain Windows-specific network settings
\n# can be pushed to clients, such as DNS
\n# or WINS server addresses. CAVEAT:
\n# http:\/\/openvpn.net\/faq.html#dhcpcaveats
\npush “dhcp-option DNS 10.0.0.10”
\npush “dhcp-option DNS 10.0.0.11”
\npush “dhcp-option DOMAIN blogdonerd.com.br”<\/p>\n
# The keepalive directive causes ping-like
\n# messages to be sent back and forth over
\n# the link so that each side knows when
\n# the other side has gone down.
\n# Ping every 10 seconds, assume that remote
\n# peer is down if no ping received during
\n# a 120 second time period.
\nkeepalive 10 120<\/p>\n
# For extra security beyond that provided
\n# by SSL\/TLS, create an “HMAC firewall”
\n# to help block DoS attacks and UDP port flooding.
\ntls-auth \/etc\/openvpn\/keys\/ta.key 0 # This file is secret<\/p>\n
# Select a cryptographic cipher.
\n# This config item must be copied to
\n# the client config file as well.
\ncipher AES-128-CBC # AES<\/p>\n
# Enable compression on the VPN link.
\n# If you enable it here, you must also
\n# enable it in the client config file.
\ncomp-lzo<\/p>\n
# The maximum number of concurrently connected
\n# clients we want to allow.
\nmax-clients 100<\/p>\n
# It’s a good idea to reduce the OpenVPN
\n# daemon’s privileges after initialization.
\nuser nobody
\ngroup nogroup<\/p>\n
# The persist options will try to avoid
\n# accessing certain resources on restart
\n# that may no longer be accessible because
\n# of the privilege downgrade.
\npersist-key
\npersist-tun<\/p>\n
# Output a short status file showing
\n# current connections, truncated
\n# and rewritten every minute.
\nstatus \/var\/log\/openvpn\/openvpn-status.log<\/p>\n
# By default, log messages will go to the syslog (or
\n# on Windows, if running as a service, they will go to
\n# the “\\Program Files\\OpenVPN\\log” directory).
\nlog-append \/var\/log\/openvpn\/openvpn.log<\/p>\n
# Set the appropriate level of log
\n# file verbosity.
\nverb 3
\nCrie a pasta \/var\/log\/openvpn para manter os logs do OpenVPN:<\/p>\n
1
\nmkdir \/var\/log\/openvpn
\nSe desejar crie o arquivo \/etc\/logrotate.d\/openvpn com o conte\u00fado a seguir para fazer uma rota\u00e7\u00e3o autom\u00e1tica dos logs do OpenVPN:<\/p>\n
\/var\/log\/openvpn\/*.log {
\n daily
\n rotate 365
\n compress
\n missingok
\n create 0640 root adm
\n missingok
\n postrotate
\n service openvpn reload
\n endscript
\n}
\nInicie o OpenVPN executando:<\/p>\n
1
\nservice openvpn start
\nVerifique se o servi\u00e7o est\u00e1 em execu\u00e7\u00e3o com o comando:<\/p>\n
1
\nservice openvpn status
\nSe tudo ocorreu com sucesso, a sa\u00edda ser\u00e1 semelhante a seguinte:<\/p>\n
root@openvpn:\/etc\/openvpn# service openvpn start
\n * Starting virtual private network daemon(s)…
\n * Autostarting VPN ‘server’
\nroot@openvpn:\/etc\/openvpn# service openvpn status
\n * VPN ‘server’ is running
\nroot@openvpn:\/etc\/openvpn#
\nSe ocorreu algum problema, verifique o arquivo \/var\/log\/openvpn.log:<\/p>\n
root@openvpn:\/etc\/openvpn# cat \/var\/log\/openvpn\/openvpn.log
\nWed Jun 20 16:16:40 2012 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 30 2012
\nWed Jun 20 16:16:40 2012 NOTE: OpenVPN 2.1 requires ‘–script-security 2’ or higher to call user-defined scripts or executables
\nWed Jun 20 16:16:40 2012 Diffie-Hellman initialized with 1024 bit key
\nWed Jun 20 16:16:40 2012 Control Channel Authentication: using ‘\/etc\/openvpn\/keys\/ta.key’ as a OpenVPN static key file
\nWed Jun 20 16:16:40 2012 Outgoing Control Channel Authentication: Using 160 bit message hash ‘SHA1’ for HMAC authentication
\nWed Jun 20 16:16:40 2012 Incoming Control Channel Authentication: Using 160 bit message hash ‘SHA1’ for HMAC authentication
\nWed Jun 20 16:16:40 2012 TLS-Auth MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
\nWed Jun 20 16:16:40 2012 Socket Buffers: R=[229376->131072] S=[229376->131072]
\nWed Jun 20 16:16:40 2012 ROUTE default_gateway=10.0.0.1
\nWed Jun 20 16:16:40 2012 TUN\/TAP device tun0 opened
\nWed Jun 20 16:16:40 2012 TUN\/TAP TX queue length set to 100
\nWed Jun 20 16:16:40 2012 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
\nWed Jun 20 16:16:40 2012 \/sbin\/ifconfig tun0 10.15.0.1 pointopoint 10.15.0.2 mtu 1500
\nWed Jun 20 16:16:40 2012 \/sbin\/route add -net 10.15.0.0 netmask 255.255.255.0 gw 10.15.0.2
\nWed Jun 20 16:16:40 2012 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3\/1 ]
\nWed Jun 20 16:16:40 2012 GID set to nogroup
\nWed Jun 20 16:16:40 2012 UID set to nobody
\nWed Jun 20 16:16:40 2012 UDPv4 link local (bound): [AF_INET]10.9.0.172:1194
\nWed Jun 20 16:16:40 2012 UDPv4 link remote: [undef]
\nWed Jun 20 16:16:40 2012 MULTI: multi_init called, r=256 v=256
\nWed Jun 20 16:16:40 2012 IFCONFIG POOL: base=10.15.0.4 size=62, ipv6=0
\nWed Jun 20 16:16:40 2012 IFCONFIG POOL LIST
\nWed Jun 20 16:16:40 2012 Initialization Sequence Completed
\nUma nova interface de rede (tun0) ser\u00e1 criada, conforme ilustra a execu\u00e7\u00e3o do comando ifconfig abaixo.<\/p>\n
root@openvpn:\/etc\/openvpn# ifconfig
\neth0 Link encap:Ethernet HWaddr 00:50:56:be:46:45
\n inet addr:10.0.0.1 Bcast:10.0.0.255 Mask:255.255.255.0
\n inet6 addr: fe80::250:56ff:febe:4645\/64 Scope:Link
\n UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
\n RX packets:135820 errors:0 dropped:0 overruns:0 frame:0
\n TX packets:58093 errors:0 dropped:0 overruns:0 carrier:0
\n collisions:0 txqueuelen:1000
\n RX bytes:149189479 (149.1 MB) TX bytes:5400632 (5.4 MB)<\/p>\n
lo Link encap:Local Loopback
\n inet addr:127.0.0.1 Mask:255.0.0.0
\n inet6 addr: ::1\/128 Scope:Host
\n UP LOOPBACK RUNNING MTU:16436 Metric:1
\n RX packets:14 errors:0 dropped:0 overruns:0 frame:0
\n TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
\n collisions:0 txqueuelen:0
\n RX bytes:1176 (1.1 KB) TX bytes:1176 (1.1 KB)<\/p>\n
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
\n inet addr:10.15.0.1 P-t-P:10.15.0.2 Mask:255.255.255.255
\n UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
\n RX packets:0 errors:0 dropped:0 overruns:0 frame:0
\n TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
\n collisions:0 txqueuelen:100
\n RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)<\/p>\n
root@openvpn:\/etc\/openvpn#
\nO servidor j\u00e1 est\u00e1 no ar. Agora precisamos configurar regras de firewall, se necess\u00e1rio, criar as chaves para os clientes e configur\u00e1-los.<\/p>\n
4. Regras de Firewall
\nSe seu servidor OpenVPN est\u00e1 configurado no mesmo equipamento que seu firewall, ou se a comunica\u00e7\u00e3o precisa atravessar por um firewall para chegar at\u00e9 o servidor OpenVPN, \u00e9 importante configurar as regras adequadamente.<\/p>\n
N\u00e3o vou ensinar aqui a criar as regras para um ambiente espec\u00edfico, pois existe uma diversidade enorme de ferramentas para gerenciar regras de firewall e cada caso \u00e9 um caso.<\/p>\n
Vou tratar apenas de regras de uma forma gen\u00e9rica.<\/p>\n
Vamos ao pontos importantes:<\/p>\n
O primeiro IP definido no par\u00e2metro server do \/etc\/openvpn\/server.conf \u00e9 o IP local do OpenVPN e o segundo IP \u00e9 o endere\u00e7o considerado remoto. No exemplo deste tutorial:
\nO endere\u00e7o da rede \u00e9 10.15.0.0 com m\u00e1scara 255.255.255.0.
\nO endere\u00e7o 10.15.0.0 \u00e9 o endere\u00e7o da rede e, por defini\u00e7\u00e3o, n\u00e3o pode ser atribu\u00eddo a nenhum equipamento.
\nO IP 10.15.0.1 \u00e9 o IP atribu\u00eddo a interface tun0 local
\nO IP 10.15.0.2 \u00e9 um IP l\u00f3gico, atribu\u00eddo genericamente ao gateway dos clientes. Voc\u00ea pode utilizar este IP para fazer regras de roteamento, por exemplo, se seu cliente est\u00e1 na rede 10.2.0.0\/24, voc\u00ea pode criar uma regra de roteamento que encaminhe todos os pacotes destinados a rede 10.2.0.0\/24 para o gateway 10.15.0.2: route add -net 10.2.0.0\/24 gw 10.15.0.2 dev tun0
\n\u00c9 necess\u00e1rio criar uma regra que permita que comunica\u00e7\u00e3o oriundas da internet e destinadas ao IP do seu servidor OpenVPN na porta 1194 UDP sejam aceitas. Uma regra iptables seria: iptables -A INPUT -i eth0 -d 10.0.0.1\/32 -p udp -m udp –dport 1194 -j ACCEPT
\nUma vez permitida a conex\u00e3o \u00e9 necess\u00e1rio criar regras que permitam que seu cliente converse com os servi\u00e7os de sua rede e vice-versa. Neste caso, cada rede vai ter suas particularidades. Por exemplo, para permitir que qualquer cliente da rede OpenVPN (10.15.0.0\/24) acesse um servidor de DNS de IP 10.0.0.15 em sua rede, as regras iptables seriam:
\niptables -A FORWARD -i tun0 -s 10.15.0.0\/24 -d 10.0.0.15\/32 -p tcp -m tcp –dport 53 -j ACCEPT
\niptables -A FORWARD -i tun0 -s 10.15.0.0\/24 -d 10.0.0.15\/32 -p udp -m udp –dport 53 -j ACCEPT
\nLembre-se de que para estas regras funcionarem \u00e9 importante permitir o roteamento entre as interfaces. Isto pode ser feito atribuindo o valor 1 ao par\u00e2metro \/proc\/sys\/net\/ipv4\/ip_forward. Voc\u00ea pode colocar uma linha com o comando a seguir em algum script de inicializa\u00e7\u00e3o de seu servidor, ou ajustar este par\u00e2metro diretamente no seu firewall, se ele assim o permitir: echo 1 > \/proc\/sys\/net\/ipv4\/ip_forward
\n5. Criando Certificados para Clientes
\nPara cada novo cliente VPN de sua rede, \u00e9 necess\u00e1rio criar um certificado exclusivo. Isto \u00e9 feito atrav\u00e9s do comando \/etc\/openvpn\/build-key ou \/etc\/openvpn\/build-key-pass:<\/p>\n
1
\n\/etc\/openvpn\/build-key-pass nome-do-cliente
\nTroque nome-do-cliente por um nome \u00fanico e exclusivo para cada cliente. Ele ser\u00e1 o Common Name do certificado gerado. \u00c9 importante que no nome-do-cliente n\u00e3o haja espa\u00e7os em branco, nem caracteres especiais ou acentuados. At\u00e9 \u00e9 poss\u00edvel, mas se voc\u00ea n\u00e3o us\u00e1-los, ter\u00e1 menos problemas. Voc\u00ea pode usar n\u00fameros, a matricula dos funcion\u00e1rios, CPF, ou o Nome completo, lembrando de trocar o separador do nome por _ ou simplesmente suprimi-lo. Por exemplo, a Caixa Econ\u00f4mica Federal costuma emitir seus certificados usando o nome completo do solicitante, seguido do caracter : e dos n\u00fameros do CPF.<\/p>\n
Antes de executar o build-key \u00e9 importante executar source \/etc\/openvpn\/vars para atribuir as informa\u00e7\u00f5es de sua CA \u00e0s vari\u00e1veis de ambiente da sess\u00e3o corrente.<\/p>\n
Lembre-se de responder as perguntas adequadamente. Elas j\u00e1 vir\u00e3o pr\u00e9-preenchidas pelos valores de \/etc\/openvpn\/vars. Voc\u00ea pode colocar qualquer informa\u00e7\u00e3o no campo name, inclusive espa\u00e7os em branco e caracteres acentuados.<\/p>\n
\u00c9 recomend\u00e1vel usar o build-key-pass ao inv\u00e9s do build-key, visto que o primeiro ir\u00e1 solicitar uma senha secreta para cada cliente. Essa senha sera utilizada em cada conex\u00e3o OpenVPN. Isso \u00e9 importante pois caso um notebook que contenha as configura\u00e7\u00f5es e certificados de determinado usu\u00e1rio seja perdido ou furtado um meliante n\u00e3o seria capaz de fechar a conex\u00e3o VPN sem ter a senha. \u00c9 claro que nestes casos recomenda-se ainda revogar o certificado do cliente.<\/p>\n
Para gerar um novo certificado para o usu\u00e1rio Jo\u00e3o da Silva voc\u00ea pode digitar o seguinte:<\/p>\n
root@openvpn:\/etc\/openvpn# source \/etc\/openvpn\/vars
\nNOTE: If you run .\/clean-all, I will be doing a rm -rf on \/etc\/openvpn\/keys
\nroot@openvpn:\/etc\/openvpn# \/etc\/openvpn\/build-key joao_da_silva
\nGenerating a 1024 bit RSA private key
\n…………..++++++
\n…………………….++++++
\nwriting new private key to ‘joao_da_silva.key’
\n—–
\nYou are about to be asked to enter information that will be incorporated
\ninto your certificate request.
\nWhat you are about to enter is what is called a Distinguished Name or a DN.
\nThere are quite a few fields but you can leave some blank
\nFor some fields there will be a default value,
\nIf you enter ‘.’, the field will be left blank.
\n—–
\nCountry Name (2 letter code) [BR]:
\nState or Province Name (full name) [SP]:
\nLocality Name (eg, city) [S\u00e3o Paulo]:
\nOrganization Name (eg, company) [Blog do Nerd]:
\nOrganizational Unit Name (eg, section) [Divis\u00e3o de TI]:
\nCommon Name (eg, your name or your server’s hostname) [joao_da_silva]:
\nName [Blog do Nerd CA]:Jo\u00e3o da Silva
\nEmail Address [nerd@blogdonerd.email.com]:joao@blogdonerd.email.com<\/p>\n
Please enter the following ‘extra’ attributes
\nto be sent with your certificate request
\nA challenge password []:
\nAn optional company name []:
\nUsing configuration from \/etc\/openvpn\/openssl.cnf
\nCheck that the request matches the signature
\nSignature ok
\nThe Subject’s Distinguished Name is as follows
\ncountryName : PRINTABLE:’BR’
\nstateOrProvinceName : PRINTABLE:’SP’
\nlocalityName : T61STRING:’S\0xFFFFFFC3\0xFFFFFFA3o Paulo’
\norganizationName : PRINTABLE:’Blog do Nerd’
\norganizationalUnitName: T61STRING:’Divis\0xFFFFFFC3\0xFFFFFFA3o de TI’
\ncommonName : T61STRING:’joao_da_silva’
\nname : T61STRING:’Jo\0xFFFFFFC3\0xFFFFFFA3o da Silva’
\nemailAddress : IA5STRING:’joao@blogdonerd.email.com’
\nCertificate is to be certified until Jun 19 14:04:54 2022 GMT (3650 days)
\nSign the certificate? [y\/n]:y<\/p>\n
1 out of 1 certificate requests certified, commit? [y\/n]y
\nWrite out database with 1 new entries
\nData Base Updated
\nroot@openvpn:\/etc\/openvpn#
\nTr\u00eas novos arquivos ser\u00e3o gerados na pasta \/etc\/openvpn\/keys:<\/p>\n
joao_da_silva.csr – Solicita\u00e7\u00e3o do novo certificado
\njoao_da_silva.crt – Certificado p\u00fablico
\njoao_da_silva.key – Chave privada
\nSer\u00e1 necess\u00e1rio copiar estes arquivos para o computador do cliente no pr\u00f3ximo passo.
\n6. Instalando e configurando o OpenVPN nos Clientes Windows ou Linux
\nBaixe e instale a vers\u00e3o mais recente do OpenVPN. Para clientes Ubuntu basta executar apt-get install openvpn.<\/p>\n
No Windows se aparecer uma mensagem solicitando para sua permiss\u00e3o para instalar um novo adaptador de rede TAP-Win32 (conforme abaixo), clique no bot\u00e3o Instalar.<\/p>\n
No Windows, um \u00edcone do OpenVPN GUI ser\u00e1 instalado na \u00e1rea de trabalho.<\/p>\n
Se seu sistema operacional for Windows Vista ou 7, clique com o bot\u00e3o direito do mouse nesse \u00edcone e escolha Propriedades. Na guia Atalho clique no bot\u00e3o Avan\u00e7ados e na nova janela marque a op\u00e7\u00e3o Executar como administrador.<\/p>\n
Isto \u00e9 importante porque as regras de roteamento enviadas pelo servidor OpenVPN s\u00f3 ser\u00e3o atribu\u00eddas se o cliente OpenVPN possuir privil\u00e9gios administrativos.<\/p>\n
Se o sistema operacional for Windows XP execute o seguinte procedimento para que a resolu\u00e7\u00e3o de DNS funcione corretamente:<\/p>\n
Clique em Iniciar, clique em Executar…, digite regedit na caixa de di\u00e1logo aberta e ent\u00e3o clique OK.
\nNavegue at\u00e9 a chave de registro: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Linkage
\nNo painel da direita, clique duas vezes no item Bind.
\nNa caixa que se abre selecione o item “\\Device\\NdisWanIp”, pressione CTRL + X, clique no topo da lista de dispositivos, e pressione CTRL + V. Em outras palavras: o que deve ser feito \u00e9 passar o item “\\Device\\NdisWanIp” para o primeiro da lista.
\nClique OK e feche o Editor do Registro.
\nReinicialize o computador.
\nAgora vamos configurar o cliente OpenVPN.<\/p>\n
V\u00e1 at\u00e9 o servidor e copie os seguintes arquivos da pasta \/etc\/openvpn\/keys:<\/p>\n
ca.crt – Certificado p\u00fablico de sua CA
\nta.key – Chave privada para assinatura de pacotes TLS de forma a aumentar a seguran\u00e7a na comunica\u00e7\u00e3o
\njoao_da_silva.crt – Certificado p\u00fablico do usu\u00e1rio a ser configurado
\njoao_da_silva.key – Certificado privado do usu\u00e1rio a ser configurado
\nTalvez voc\u00ea tenha dificuldades para copar os arquivos .key que s\u00e3o privados e n\u00e3o possuem permiss\u00e3o de leitura para usu\u00e1rios comuns. Se necess\u00e1rio, copie os arquivos para uma pasta tempor\u00e1ria (\/tmp por exemplo) e altere as permiss\u00f5es com o comando chmod: chmod 644 \/tmp\/joao_da_silva.key.<\/p>\n
ATEN\u00c7\u00c3O: Lembre-se o arquivo joao_da_silva.key cont\u00e9m a chave privada do Jo\u00e3o e n\u00e3o deve ser distribuida livremente para n\u00e3o comprometer a seguran\u00e7a, especialmente se ele n\u00e3o possuir uma challenge password.<\/p>\n
Copie estes arquivos para a pasta C:\\Program Files\\OpenVPN\\config para o cliente Windows ou para \/etc\/openvpn no caso de um cliente Linux.<\/p>\n
Renomeie os arquivos joao_da_silva.crt e joao_da_silva.key no cliente, conforme segue:<\/p>\n
joao_da_silva.crt -> client.crt
\njoao_da_silva.key -> client.key
\nSe preferir, ao inv\u00e9s de renomear estes arquivos, voc\u00ea pode ajustar os par\u00e2metros cert e key no arquivo openvpn.conf (Linux) ou openvpn.ovpn (Windows) que ser\u00e1 configurado no pr\u00f3ximo passo.
\n7.1. Particularidades do Cliente Windows
\nPara um cliente Windows, crie o arquivo C:\\Program Files\\OpenVPN\\config\\openvpn.ovpn com o conte\u00fado abaixo.<\/p>\n
Ajuste o par\u00e2metro remote para o endere\u00e7o p\u00fablico IP ou FQDN se seu servidor OpenVPN seguido da porta de conex\u00e3o com o servidor. No meu exemplo usei o FQDN blogdonerd.no-ip.com. Se voc\u00ea configurou o servidor como TCP, ent\u00e3o ajuste o par\u00e2metro proto.<\/p>\n
#####################################################################<\/pre>
\n# OpenVPN 2.0 – Arquivo de configura\u00e7\u00e3o do cliente Windows
\n#####################################################################<\/p>\n
# Specify that we are a client and that we
\n# will be pulling certain config file directives
\n# from the server.
\nclient<\/p>\n
# Use the same setting as you are using on
\n# the server.
\ndev tun<\/p>\n
script-security 2<\/p>\n
# Are we connecting to a TCP or
\n# UDP server? Use the same setting as
\n# on the server.
\nproto udp<\/p>\n
# The hostname\/IP and port of the server.
\n# You can have multiple remote entries
\n# to load balance between the servers.
\nremote blogdonerd.no-ip.com 1194<\/p>\n
# Keep trying indefinitely to resolve the
\n# host name of the OpenVPN server. Very useful
\n# on machines which are not permanently connected
\n# to the internet such as laptops.
\nresolv-retry infinite<\/p>\n
# Most clients don’t need to bind to
\n# a specific local port number.
\nnobind<\/p>\n
# Try to preserve some state across restarts.
\npersist-key
\npersist-tun<\/p>\n
# If you are connecting through an
\n# HTTP proxy to reach the actual OpenVPN
\n# server, put the proxy server\/IP and
\n# port number here. See the man page
\n# if your proxy server requires
\n# authentication.
\n;http-proxy-retry # retry on connection failures
\n;http-proxy [proxy server] [proxy port #]<\/p>\n
# Wireless networks often produce a lot
\n# of duplicate packets. Set this flag
\n# to silence duplicate packet warnings.
\nmute-replay-warnings<\/p>\n
# SSL\/TLS parms.
\n# See the server config file for more
\n# description. It’s best to use
\n# a separate .crt\/.key file pair
\n# for each client. A single ca
\n# file can be used for all clients.
\nca ca.crt
\ncert client.crt
\nkey client.key<\/p>\n
# Verify server certificate by checking
\n# that the certicate has the nsCertType
\n# field set to “server”. This is an
\n# important precaution to protect against
\n# a potential attack discussed here:
\n# http:\/\/openvpn.net\/howto.html#mitm
\nns-cert-type server<\/p>\n
# If a tls-auth key is used on the server
\n# then every client must also have the key.
\ntls-auth ta.key 1<\/p>\n
# Select a cryptographic cipher.
\n# If the cipher option is used on the server
\n# then you must also specify it here.
\ncipher AES-128-CBC<\/p>\n
# Enable compression on the VPN link.
\n# Don’t enable this unless it is also
\n# enabled in the server config file.
\ncomp-lzo<\/p>\n
# Set log file verbosity.
\nverb 3
\nA pasta C:\\Program Files\\OpenVPN\\config ficar\u00e1 assim:<\/p>\n
Execute o OpenVPN GUI. Um \u00edcone de dois computadores com uma tela vermelha aparecer\u00e1 no canto pr\u00f3ximo ao rel\u00f3gio.<\/p>\n
Clique duas vezes neste \u00edcone ou clique com o bot\u00e3o direito no \u00edcone e em seguida clique em Connect.<\/p>\n
A tela de conex\u00e3o e logs do OpenVPN ser\u00e1 mostrada. Se voc\u00ea configurou uma challenge password para o certificado do cliente ela deveria ser solicitada agora. Se tudo ocorreu bem o \u00edcone passara de vermelho para verde e uma mensagem informando que a conex\u00e3o foi bem sucedida ser\u00e1 apresentada.<\/p>\n
Para desconectar \u00e9 s\u00f3 clicar com o direito no \u00edcone dos computadores verdes e escolher a op\u00e7\u00e3o Disconnect.<\/p>\n
7.2. Particularidades do Cliente Linux
\nCrie o arquivo \/etc\/openvpn\/openvpn.conf com o conte\u00fado abaixo.<\/p>\n
Ajuste o par\u00e2metro remote para o endere\u00e7o p\u00fablico IP ou FQDN se seu servidor OpenVPN seguido da porta de conex\u00e3o com o servidor. No meu exemplo usei o FQDN blogdonerd.no-ip.com. Se voc\u00ea configurou o servidor como TCP, ent\u00e3o ajuste o par\u00e2metro proto.<\/p>\n
#####################################################################<\/pre>
\n# OpenVPN 2.0 – Arquivo de configura\u00e7\u00e3o do cliente Linux
\n#####################################################################<\/p>\n
# Specify that we are a client and that we
\n# will be pulling certain config file directives
\n# from the server.
\nclient<\/p>\n
# Use the same setting as you are using on
\n# the server.
\ndev tun0<\/p>\n
script-security 2<\/p>\n
# Are we connecting to a TCP or
\n# UDP server? Use the same setting as
\n# on the server.
\nproto udp<\/p>\n
# The hostname\/IP and port of the server.
\n# You can have multiple remote entries
\n# to load balance between the servers.
\nremote blogdonerd.no-ip.com 1194<\/p>\n
# Keep trying indefinitely to resolve the
\n# host name of the OpenVPN server. Very useful
\n# on machines which are not permanently connected
\n# to the internet such as laptops.
\nresolv-retry infinite<\/p>\n
# Most clients don’t need to bind to
\n# a specific local port number.
\nnobind<\/p>\n
# Try to preserve some state across restarts.
\npersist-key
\npersist-tun<\/p>\n
# If you are connecting through an
\n# HTTP proxy to reach the actual OpenVPN
\n# server, put the proxy server\/IP and
\n# port number here. See the man page
\n# if your proxy server requires
\n# authentication.
\n;http-proxy-retry # retry on connection failures
\n;http-proxy [proxy server] [proxy port #]<\/p>\n
# Wireless networks often produce a lot
\n# of duplicate packets. Set this flag
\n# to silence duplicate packet warnings.
\nmute-replay-warnings<\/p>\n
# SSL\/TLS parms.
\n# See the server config file for more
\n# description. It’s best to use
\n# a separate .crt\/.key file pair
\n# for each client. A single ca
\n# file can be used for all clients.
\nca \/etc\/openvpn\/ca.crt
\ncert \/etc\/openvpn\/client.crt
\nkey \/etc\/openvpn\/client.key<\/p>\n
# Verify server certificate by checking
\n# that the certicate has the nsCertType
\n# field set to “server”. This is an
\n# important precaution to protect against
\n# a potential attack discussed here:
\n# http:\/\/openvpn.net\/howto.html#mitm
\nns-cert-type server<\/p>\n
# If a tls-auth key is used on the server
\n# then every client must also have the key.
\ntls-auth \/etc\/openvpn\/ta.key 1<\/p>\n
# Select a cryptographic cipher.
\n# If the cipher option is used on the server
\n# then you must also specify it here.
\ncipher AES-128-CBC<\/p>\n
# Enable compression on the VPN link.
\n# Don’t enable this unless it is also
\n# enabled in the server config file.
\ncomp-lzo<\/p>\n
# Set log file verbosity.
\nverb 3
\nA pasta \/etc\/openvpn ficar\u00e1 assim:
\n1
\n2
\n3
\nroot@openvpn:\/etc\/openvpn# ls \/etc\/openvpn\/
\nca.crt client.crt client.key openvpn.conf ta.key
\nroot@openvpn:\/etc\/openvpn#
\nAgora basta executar service openvpn start para que a conex\u00e3o com o servidor seja realizada.
\nPara encerrar a conex\u00e3o execute service openvpn stop.
\nPara controlar se a conex\u00e3o ser\u00e1 executada automaticamente na inicializa\u00e7\u00e3o do computador, edite o arquivo \/etc\/default\/openvpn.
\nDescomente ou inclua a linha abaixo para que a conex\u00e3o seja realizada automaticamente na inicializa\u00e7\u00e3o:<\/p>\n
AUTOSTART=”all”
\nPara impedir a inicializa\u00e7\u00e3o autom\u00e1tica do openvpn descomente ou inclua a seguinte linha:<\/p>\n
AUTOSTART=”none”
\n7. Revogando Certificados de Clientes
\nCaso um computador contendo um certificado seja perdido, ou ainda para impedir que determinado usu\u00e1rio realize a conex\u00e3o VPN voc\u00ea deve revogar o certificado.<\/p>\n
Uma vez revogado, n\u00e3o h\u00e1 volta, voc\u00ea ter\u00e1 que gerar um novo certificado para permitir a conex\u00e3o de detreminado cliente.<\/p>\n
A lista de certificados revogados \u00e9 armazenada no arquivo \/etc\/openvpn\/keys\/crl.pem. O problema \u00e9 que o OpenVPN, ap\u00f3s entrar em execu\u00e7\u00e3o, n\u00e3o possui permiss\u00e3o de leitura para essa pasta. Ent\u00e3o teremos ainda que copiar o arquivo \/etc\/openvpn\/keys\/crl.pem para a pasta \/etc\/openvpn, que \u00e9 o motivo da \u00faltima linha dos comandos abaixo.<\/p>\n
Para revogar o certificado de joao_da_silva execute os seguintes comandos:<\/p>\n
source \/etc\/openvpn\/vars
\n\/etc\/openvpn\/revoke-full joao_da_silva
\ncp \/etc\/openvpn\/keys\/crl.pem \/etc\/openvpn
\nA sa\u00edda ser\u00e1 a seguinte:<\/p>\n
root@openvpn:\/etc\/openvpn# \/etc\/openvpn\/revoke-full joao_da_silva
\nUsing configuration from \/etc\/openvpn\/openssl.cnf
\nRevoking Certificate 04.
\nData Base Updated
\nUsing configuration from \/etc\/openvpn\/openssl.cnf
\njoao_da_silva.crt: C = BR, ST = SP, L = Sao Paulo, O = Blog do Nerd, OU = Divisao de TI, CN = joao3, name = Joao da Silva, emailAddress = joao@blogdonerd.email.com
\nerror 23 at 0 depth lookup:certificate revoked
\nroot@openvpn:\/etc\/openvpn# cp \/etc\/openvpn\/keys\/crl.pem \/etc\/openvpn\/
\nroot@openvpn:\/etc\/openvpn#
\nPrecisamos ainda informar ao servidor OpenVPN para considerar esse arquivo na verifica\u00e7\u00e3o das conex\u00f5es.<\/p>\n
Para fazer isso, edite o arquivo \/etc\/openvpn\/server.conf e inclua a seguinte linha no final do arquivo:<\/p>\n
crl-verify \/etc\/openvpn\/crl.pem
\nReinicie o OpenVPN para que esta nova configura\u00e7\u00e3o entre em a\u00e7\u00e3o:<\/p>\n
service opevpn reload
\nVoc\u00ea n\u00e3o precisar\u00e1 reiniciar ou recarregar o OepnVPN a cada vez que revogar um certificado. Somente na primeira vez em que configurar a diretiva crl-verify.<\/p>\n
Para gerar um arquivo crl.pem inicial voc\u00ea pode executar o comando revoke-full com um nome qualquer:<\/p>\n
1
\n\/etc\/openvpn\/revoke-full teste
\n8. Informa\u00e7\u00f5es Adicionais
\nPara controlar se o servidor OpenVPN ser\u00e1 inicializado automaticamente junto com a inicializa\u00e7\u00e3o do computador, edite o arquivo \/etc\/default\/openvpn.<\/p>\n
Descomente ou inclua a linha abaixo para que o servidor OpenVPN inicie automaticamente na inicializa\u00e7\u00e3o:<\/p>\n
AUTOSTART=”all”
\nPara impedir a inicializa\u00e7\u00e3o autom\u00e1tica do OpenVPN descomente ou inclua a seguinte linha:<\/p>\n
AUTOSTART=”none”
\nDesculpe pelo artigo extremamente longo. Espero que ele seja \u00fatil. Qualquer d\u00favida, sugest\u00e3o ou relato de erros \u00e9 s\u00f3 postar nos coment\u00e1rios.<\/p>\n
====================================================
\nUma observa\u00e7\u00e3o seria qndo for gerar a chave esteja dentro do diret\u00f3rio corrente do bin\u00e1rio gerador (\/etc\/openvpn).<\/p>\n
Lembrar do USUARIO NOBODY (criar ou trocar para um que ja exista como realizei).
\nCriar a sintaxe no boot para compartilhar a conexao:
\necho 1 > \/proc\/sys\/net\/ipv4\/ip_forward<\/p>\n
DIRETORIO OPENVPN dentro de \/etc:
\ndebian:~# ls \/etc\/openvpn\/
\nbuild-ca build-key-pass build-req-pass ipp.txt openssl-0.9.6.cnf pkitool sign-req
\nbuild-dh build-key-pkcs12 clean-all keys openssl-0.9.8.cnf README update-resolv-conf
\nbuild-inter build-key-server IHUNTER list-crl openssl-1.0.0.cnf revoke-full vars
\nbuild-key build-req inherit-inter Makefile openssl.cnf server.conf whichopensslcnf<\/p>\n
CONTEUDO DO ARQUIVO server.conf CRIADO PARA (Servidor vpn):
\ndebian:\/etc\/openvpn# cat server.conf
\nport 1194
\nproto udp
\ndev tun0
\nca \/etc\/openvpn\/keys\/ca.crt
\ncert \/etc\/openvpn\/keys\/server.crt
\nkey \/etc\/openvpn\/keys\/server.key
\ndh \/etc\/openvpn\/keys\/dh1024.pem
\nserver 10.15.0.0 255.255.255.0
\nifconfig-pool-persist ipp.txt
\npush “route 192.168.254.0 255.255.255.0”
\npush “dhcp-option DNS 192.168.254.254”
\npush “dhcp-option DNS 8.8.8.8”
\npush “dhcp-option DOMAIN abratel”
\nkeepalive 10 120
\ntls-auth \/etc\/openvpn\/keys\/ta.key 0 # This file is secret
\ncipher AES-128-CBC # AES
\ncomp-lzo
\nmax-clients 100
\nuser root
\ngroup root
\npersist-key
\npersist-tun
\nstatus \/var\/log\/openvpn\/openvpn-status.log
\nlog-append \/var\/log\/openvpn\/openvpn.log
\nverb 3<\/p>\n
CONTEUDO DO DIRETORIO CLIENTE WINDOWSXP:
\n Pasta de C:\\Arquivos de programas\\OpenVPN\\config<\/p>\n
18\/11\/2012 21:18
CONTEUDO DO ARQUIVO server.ovpn (cliente):
\nclient
\ndev tun
\nproto udp
\nremote abratel.com.net 1194
\nresolv-retry infinite
\nnobind
\npersist-key
\npersist-tun
\nmute-replay-warnings
\nca ca.crt
\ncert client.crt
\nkey client.key
\nns-cert-type server
\ntls-auth ta.key 1
\ncipher AES-128-CBC
\ncomp-lzo
\nverb 3<\/p>\n
Criei essas duas regras:
\niptables -A INPUT -i eth0 -d 10.15.0.0\/32 -p udp -m udp –dport 1194 -j ACCEPT
\niptables -A INPUT -i eth0 -d 192.168.254.0\/32 -p udp -m udp –dport 1194 -j ACCEPT<\/p>\n","protected":false},"excerpt":{"rendered":"
Creditos e leitura recomendada: http:\/\/blogdonerd.com.br\/2012\/06\/openvpn-servidor-ubuntu-e-clientes-windows-e-linux\/ – Angelo Caso o link esteja indispon\u00edvel segue abaixo conte\u00fado em forma texto (sem imagens) adicionado de algumas observa\u00e7oes: 1. Instala\u00e7\u00e3o do Servidor OpenVPN e Cria\u00e7\u00e3o da CA Local Para instalar o OpenVPN no Ubuntu execute: apt-get install openvpn Ap\u00f3s…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[2],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=\/wp\/v2\/posts\/410"}],"collection":[{"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=410"}],"version-history":[{"count":0,"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=\/wp\/v2\/posts\/410\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=410"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=410"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=410"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}