secres:notes
secres:notes [2021/12/03 09:49] – [OpenVPN] orel → secres:notes [2024/03/18 15:06] (current) – external edit 127.0.0.1
==== OpenVPN ====

We start by generating the certificates as described on the lab (TD) sheet:
  * CN=client1 on nile
  * CN=client2 on dt

== VPN (layer 3) ==

Setting up a layer-3 VPN (IP, tun interface) between immortal (server, 172.16.0.2) and nile (client1, 10.0.0.2).

We then start the server manually with the command:
<code>
### on immortal (server)
$ openvpn --dev tun1 --ifconfig 10.0.1.1 10.0.1.2 --tls-server \
    --dh server-dh.pem --ca ca-cert.pem --cert server-cert.pem \
    --key server-key.pem --reneg-sec 60 --verb 5

# ...
# Initialization Sequence Completed

$ ifconfig
tun1: flags=4305<
        inet 10.0.1.1
        inet6 fe80::
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2  bytes 96 (96.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0


### on nile (client1)
$ openvpn --remote 172.16.0.2 --dev tun1 --ifconfig 10.0.1.2 10.0.1.1 \
    --tls-client --ca ca-cert.pem --cert client1-cert.pem \
    --key client1-key.pem --reneg-sec 60 --verb 5

# ...
# Initialization Sequence Completed

$ ifconfig
tun1: flags=4305<
        inet 10.0.1.2
        inet6 fe80::
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
        RX packets 3  bytes 176 (176.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 416 (416.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
</code>
+ | |||
+ | Y'a plus qu'à tester avec un ping entre nile et immortal avec les IPs du VPN (10.0.1.1 et 10.0.1.2). Le paquet IP/ICMP est routé sur l' | ||
+ | |||
+ | Faisons un ping de nile vers immortal avec les adresses du VPN : | ||
+ | |||
<code>
nile $ ping 10.0.1.1
PING 10.0.1.1 (10.0.1.1) 56(84) bytes of data.
64 bytes from 10.0.1.1: icmp_seq=1 ttl=64 time=3.50 ms
64 bytes from 10.0.1.1: icmp_seq=2 ttl=64 time=3.72 ms
64 bytes from 10.0.1.1: icmp_seq=3 ttl=64 time=1.44 ms
...
</code>
+ | |||
+ | On reçoit bien le ping sur immortal d' | ||
+ | |||
<code>
immortal $ tcpdump -i eth1
11:
11:
immortal $ tcpdump -i tun1
11:
11:
</code>
+ | |||
+ | |||
+ | == VPN (niveau 2) == | ||
+ | |||
+ | Nous allons mettre en place un VPN de niveau 2 (Ethernet) qui va étendre le LAN 192.168.0.0/ | ||
+ | |||
<code text server.conf>
port 1194
proto udp
dev tap0
script-security 3 #system
up /root/up.sh
down /
ca ca-cert.pem
cert server-cert.pem
key server-key.pem
dh server-dh.pem
ifconfig-pool-persist ipp.txt
#
verify-x509-name "
client-to-client
# Addresses .100 to .200 are reserved for VPN clients.
server-bridge 192.168.0.1 255.255.255.0 192.168.0.100 192.168.0.200
# Add a specific route to the network 140.77.13.0/
push "route 212.27.48.0 255.255.255.0 192.168.0.1"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
</code>
+ | |||
+ | On rajoute également les fichiers /root/up.sh et / | ||
+ | |||
<code>
$ openvpn --config server.conf
# ...
# Initialization Sequence Completed

$ ifconfig
tap0: flags=4419<
        inet6 fe80::
        ether da:
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 27  bytes 2210 (2.1 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
</code>
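The notes refer to /root/up.sh and /root/down.sh but do not show them. The script below is an added example, not the files from the original page: one POSIX sh script that serves as both the up and the down script for the server-bridge configuration above. It assumes (none of these names are on the page) that immortal's LAN-side interface is eth0, that the bridge is called br0, and that the server's LAN address is 192.168.0.1/24, the gateway and mask given to server-bridge.

```shell
#!/bin/sh
# Added example, not the /root/up.sh and /root/down.sh from the notes (the page
# does not show them): one script that serves as both, for the server-bridge
# configuration above. OpenVPN invokes the up/down script as
#   script <dev> <tun_mtu> <link_mtu> <ifconfig_local> <ifconfig_remote> init|restart
# so $1 is the tap device (tap0). Assumptions, not taken from the page: the
# LAN-side interface of immortal is eth0, the bridge is br0, and the server
# address on the LAN is 192.168.0.1/24 (gateway and mask from server-bridge).
# Set DRY_RUN=1 to print the ip(8) commands instead of running them.

BRIDGE=${BRIDGE:-br0}                          # assumption: bridge name
LAN_IF=${LAN_IF:-eth0}                         # assumption: immortal's LAN interface
BRIDGE_ADDR=${BRIDGE_ADDR:-192.168.0.1/24}     # server-bridge gateway + mask

# run CMD...: execute the command, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# bridge_up TAP: build BRIDGE = LAN_IF + TAP and move the LAN address onto it.
# Run it with the management session on another interface (172.16.0.2 on eth1
# in the notes): flushing LAN_IF drops any session carried by that port.
bridge_up() {
    tap=$1
    if [ -z "$tap" ]; then
        echo "bridge_up: missing tap device name" >&2
        return 1
    fi
    # create the bridge only once (ip link add fails if it already exists)
    if [ -n "${DRY_RUN:-}" ] || ! ip link show "$BRIDGE" >/dev/null 2>&1; then
        run ip link add "$BRIDGE" type bridge
    fi
    run ip link set "$LAN_IF" master "$BRIDGE"
    run ip link set "$tap" master "$BRIDGE"
    # the address lives on the bridge, not on the enslaved LAN port
    run ip addr flush dev "$LAN_IF"
    run ip addr add "$BRIDGE_ADDR" dev "$BRIDGE"
    # enslaved ports forward every frame, so they run promiscuous
    run ip link set "$LAN_IF" up promisc on
    run ip link set "$tap" up promisc on
    run ip link set "$BRIDGE" up
}

# bridge_down TAP: detach only the tap; the bridge keeps serving the LAN,
# so a VPN restart never takes the LAN down with it.
bridge_down() {
    tap=$1
    if [ -z "$tap" ]; then
        echo "bridge_down: missing tap device name" >&2
        return 1
    fi
    run ip link set "$tap" nomaster
}

# Dispatch on the name the script was invoked by (install as up.sh and
# symlink down.sh -> up.sh); under any other name it only defines the functions.
case ${0##*/} in
    up.sh)   bridge_up "$1" ;;
    down.sh) bridge_down "$1" ;;
esac
```

Install it as /root/up.sh with down.sh a symlink to it; OpenVPN passes the tap device name as the first argument, which is all the script needs. The down path deliberately detaches the tap only, and the address flush on the LAN port is the one step that cuts an SSH session carried by that port, which is why the separate management path on 172.16.0.2 matters. With DRY_RUN=1 the script prints the ip commands instead of executing them, which is also how it can be reviewed without root.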
+ | |||
+ | Configurons maintenant le client1 sur nile... | ||
+ | |||
<code text client1.conf>
client
dev tap
proto udp
remote 172.16.0.2 1194
nobind
persist-key
persist-tun
ca ca-cert.pem
cert client1-cert.pem
key client1-key.pem
verify-x509-name "
comp-lzo
verb 3
lladdr AA:
</code>
+ | |||
+ | Puis démarrons le client VPN, on récupère normalement sur l' | ||
+ | |||
+ | < | ||
+ | $ openvpn --config client1.conf | ||
+ | </ | ||
+ | à compléter... | ||
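Before leaving the layer-2 setup, it is worth checking what the two configuration files above leave open. The script below is an added example and is not part of the notes or of OpenVPN itself: it audits constructed copies of server.conf and client1.conf for the directives a reviewer would expect to see (tls-auth or tls-crypt, tls-version-min, user and group, remote-cert-tls or verify-x509-name) and for the ones that widen exposure (comp-lzo, script-security 3, client-to-client). Where the page shows a value truncated (the down script path, the verify-x509-name argument, the client's lladdr), the copies use labelled placeholders; the directive names themselves are real OpenVPN options.

```shell
#!/bin/sh
# Added example, not part of the original notes: a hardening audit of the
# server.conf / client1.conf shown above. It reports gaps a reviewer would
# flag: compression left on, no tls-auth/tls-crypt on the control channel,
# no minimum TLS version, no privilege drop (user/group), script-security
# above what up/down scripts need, client-to-client relaying, and (client
# side) no check of the server's identity.
# The two files are constructed copies of the page's configs; PLACEHOLDER-CN,
# /root/down.sh and the client lladdr stand in for values the page truncates.

WORKDIR=$(mktemp -d)

cat > "$WORKDIR/server.conf" <<'EOF'
port 1194
proto udp
dev tap0
script-security 3 #system
up /root/up.sh
down /root/down.sh
ca ca-cert.pem
cert server-cert.pem
key server-key.pem
dh server-dh.pem
ifconfig-pool-persist ipp.txt
verify-x509-name "PLACEHOLDER-CN"
client-to-client
server-bridge 192.168.0.1 255.255.255.0 192.168.0.100 192.168.0.200
push "route 212.27.48.0 255.255.255.0 192.168.0.1"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF

cat > "$WORKDIR/client1.conf" <<'EOF'
client
dev tap
proto udp
remote 172.16.0.2 1194
nobind
persist-key
persist-tun
ca ca-cert.pem
cert client1-cert.pem
key client1-key.pem
verify-x509-name "PLACEHOLDER-CN"
comp-lzo
verb 3
lladdr AA:00:00:00:00:01
EOF

# has_directive FILE NAME [VALUE]: true when the directive (optionally with
# that first argument) appears uncommented in FILE. '#' and ';' start comments.
has_directive() {
    if [ -n "${3:-}" ]; then
        pattern="^[[:space:]]*$2[[:space:]]+$3([[:space:]]|\$)"
    else
        pattern="^[[:space:]]*$2([[:space:]]|\$)"
    fi
    sed 's/[#;].*//' "$1" | grep -Eq "$pattern"
}

# audit_conf ROLE FILE: print one finding per line (ROLE is server or client).
audit_conf() {
    role=$1
    file=$2
    if has_directive "$file" comp-lzo || has_directive "$file" compress; then
        echo "compression enabled: OpenVPN deprecates compressing the tunnel payload, drop comp-lzo/compress"
    fi
    if ! has_directive "$file" tls-auth && ! has_directive "$file" tls-crypt \
        && ! has_directive "$file" tls-crypt-v2; then
        echo "no tls-auth/tls-crypt: control-channel packets are processed without a pre-shared HMAC"
    fi
    if ! has_directive "$file" tls-version-min; then
        echo "no tls-version-min: add 'tls-version-min 1.2' so older TLS versions cannot be negotiated"
    fi
    if ! has_directive "$file" user || ! has_directive "$file" group; then
        echo "no user/group: the daemon keeps root after initialisation, add 'user nobody' and 'group nogroup'"
    fi
    if has_directive "$file" script-security 3; then
        echo "script-security 3: level 2 already allows up/down scripts; 3 also passes passwords to them via the environment"
    fi
    case $role in
        server)
            if has_directive "$file" client-to-client; then
                echo "client-to-client: the server relays traffic between VPN clients; remove unless clients must reach each other"
            fi
            ;;
        client)
            if ! has_directive "$file" remote-cert-tls server \
                && ! has_directive "$file" verify-x509-name; then
                echo "no remote-cert-tls/verify-x509-name: any CA-signed certificate (another client's) would be accepted as the server"
            fi
            ;;
    esac
}

# count_findings ROLE FILE: number of findings; always exits 0 (awk, not grep -c).
count_findings() {
    audit_conf "$1" "$2" | awk 'END { print NR }'
}

audit_conf server "$WORKDIR/server.conf" | sed 's/^/server.conf: /'
audit_conf client "$WORKDIR/client1.conf" | sed 's/^/client1.conf: /'
```

On these copies the server report has six findings and the client four; the client's verify-x509-name line is what keeps the server-identity finding from firing, which is exactly why that directive (or remote-cert-tls server) belongs in every client config that shares a CA with other clients.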
==== SSH and Programming with OpenSSL ====
secres/notes.txt · Last modified: 2024/03/18 15:06 by 127.0.0.1