OpenVPN
Latest revision as of 01:14, 16 March 2022
Joining the VPN
Client installation
- Download:
  Linux: http://openvpn.net/download.html
  Mac: http://www.tunnelblick.net/
  Windows: http://www.openvpn.se/
Windows client
Go to the folder
  %ProgramFiles%\OpenVPN\config
and copy into it the three certificate files you received from us:
  hostname.crt
  hostname.key
  ca.crt
Create a text file named
  client.ovpn
open it with Notepad and paste in the following:
  client
  remote 1.2.3.4 1194
  dev tun
  nobind
  ca ca.crt
  persist-key
  persist-tun
  comp-lzo
  resolv-retry infinite
  cert hostname.crt
  key hostname.key
Copy the three files you were sent into the /etc/openvpn/ directory and open any required ports in the firewall.
- On Windows Vista you'll need to add the following to your configuration:
  route-method exe
  route-delay 2
Linux client
Install openvpn according to the distribution you use, then copy the following text into /etc/openvpn/openvpn.conf:
  client
  remote 1.2.3.4 1194
  dev tun
  nobind
  ca ca.crt
  persist-key
  persist-tun
  comp-lzo
  resolv-retry infinite
  cert hostname.crt
  key hostname.key
Copy the three files you were sent into the /etc/openvpn/ directory and fix the permissions:
  chmod 600 hostname.key
Open any required ports in the firewall:
  iptables -A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
  iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
Restart openvpn and set it to start at boot (this depends on the distro):
  /etc/init.d/openvpn start
DDWRT
The following shows how to configure a DD-WRT router as the client of a point-to-point OpenVPN connection; useful for subnet routing.
- Services->VPN->OpenVPN Server/Daemon
- OpenVPN -> Enable
- Start Type -> UpSystem
- Inbound Firewall on TUN [NO]
- Config as -> Daemon
- Additional Config
  remote 1.2.3.4
  port 31194
  proto udp
  ifconfig 10.0.3.1 10.0.3.2
  dev tun
  link-mtu 1472
  comp-lzo
  keepalive 10 60
  ping-timer-rem
  persist-tun
  persist-key
  route 10.0.3.0 255.255.255.0
  <secret>
  -----BEGIN OpenVPN Static key V1-----
  4.....t
  -----END OpenVPN Static key V1-----
  </secret>
- Firewall command (adjust for your subnets)
  iptables -t nat -A POSTROUTING -d 10.0.0.0/24 -o tun0 -j MASQUERADE
  iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o tun0 -j MASQUERADE
  iptables -I FORWARD 10 -s 10.0.0.0/24 -i tun0 -j ACCEPT
  iptables -I INPUT 3 -s 10.0.0.0/24 -i tun0 -j ACCEPT
Mac OS X client (Intel and non-Intel)
Download Tunnelblick Universal from www.tunnelblick.net and install it.
Copy the following text into /etc/openvpn/openvpn.conf:
  client
  remote 1.2.3.4 1194
  dev tun
  nobind
  ca ca.crt
  persist-key
  persist-tun
  comp-lzo
  resolv-retry infinite
  cert hostname.crt
  key hostname.key
Copy the three files you were sent into the /etc/openvpn/ directory and fix the permissions:
  chmod 600 hostname.key
Open any required ports in the firewall:
  iptables -A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
  iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
Restart openvpn and set it to start at boot (this depends on the distro):
  /etc/init.d/openvpn start
client rejecting options
- In my case I wanted to skip the DNS nameserver setting from my Linux client.
push option
Push a config file option back to the client for remote execution. Note that option must be enclosed in double quotes (""). The client must specify --pull in its config file. The set of options which can be pushed is limited by both feasibility and security. Some options such as those which would execute scripts are banned, since they would effectively allow a compromised server to execute arbitrary code on the client. Other options such as TLS or MTU parameters cannot be pushed because the client needs to know them before the connection to the server can be initiated.
This is a partial list of options which can currently be pushed: --route, --route-gateway, --route-delay, --redirect-gateway, --ip-win32, --dhcp-option, --inactive, --ping, --ping-exit, --ping-restart, --setenv, --persist-key, --persist-tun, --echo, --comp-lzo, --socket-flags, --sndbuf, --rcvbuf
push-reset
Don't inherit the global push list for a specific client instance. Specify this option in a client-specific context such as with a --client-config-dir configuration file. This option will ignore --push options at the global config file level.
disable
Disable a particular client (based on the common name) from connecting. Don't use this option to disable a client due to key or password compromise. Use a CRL (certificate revocation list) instead (see the --crl-verify option). This option must be associated with a specific client instance, which means that it must be specified either in a client instance config file using --client-config-dir or dynamically generated using a --client-connect script.
Server
- List the connected IPs:
  grep openvpn /var/log/messages|grep 'ifconfig 10.8.0'|awk '{print $18}'|sort|uniq
or
  cat /var/log/openvpn-status.log
- Static route to reach the VPN from the local network:
  route add -net 10.8.0.0/24 gw 192.168.82.1
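Reading the status file is more robust than grepping the syslog pipeline above. The following is an added example, not from the wiki page: it parses the ROUTING TABLE section of openvpn-status.log (default status-version 1 layout) and flags a common name connected from more than one real address at once, which is what a copied certificate/key pair looks like; the status file contents, client names and addresses are constructed for the example.

```shell
# Added example, not from the wiki page: list connected clients from
# openvpn-status.log rather than grepping /var/log/messages. Assumes the
# default status file layout (status-version 1) with a ROUTING TABLE section.

# vpn_clients STATUS_FILE -> one line per routing entry:
#   <virtual address> <common name> <real address>
vpn_clients() {
    awk -F, '
        /^ROUTING TABLE/ { in_rt = 1; next }
        /^GLOBAL STATS/  { in_rt = 0 }
        in_rt && $1 != "Virtual Address" { print $1, $2, $3 }
    ' "$1"
}

# vpn_shared_cns STATUS_FILE -> common names connected from more than one
# real address at once (a copied key pair, or duplicate-cn in use)
vpn_shared_cns() {
    vpn_clients "$1" | awk '{ addr[$2] = addr[$2] " " $3; n[$2]++ }
        END { for (cn in n) if (n[cn] > 1) print cn ":" addr[cn] }'
}

# make_status_sample -> writes a constructed status file and prints its path
make_status_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
OpenVPN CLIENT LIST
Updated,Wed Mar 16 01:14:00 2022
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.10:51234,12345,67890,Wed Mar 16 00:50:00 2022
bob,198.51.100.7:40000,2222,3333,Wed Mar 16 00:55:00 2022
bob,192.0.2.33:1194,10,20,Wed Mar 16 01:10:00 2022
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,203.0.113.10:51234,Wed Mar 16 01:13:58 2022
10.8.0.10,bob,198.51.100.7:40000,Wed Mar 16 01:13:50 2022
10.8.0.14,bob,192.0.2.33:1194,Wed Mar 16 01:13:59 2022
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
    echo "$f"
}

status=$(make_status_sample)
vpn_clients "$status"
vpn_shared_cns "$status"
```

Point vpn_clients at the real /var/log/openvpn-status.log on the server; a name reported by vpn_shared_cns is a candidate for the CRL handling described in the "disable" note above.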
Troubleshooting
packet HMAC authentication failed
  Authenticate/Decrypt packet error: packet HMAC authentication failed
Solution: "auth SHA512" was not set in the config file (the auth digest must be the same on client and server).
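An added shell check, not from the wiki page, that reproduces this diagnosis: it compares the "auth" digest of a server config and a client config, and lints a client config written like the sample configs above for the directives they leave out. The files server.conf, client.conf and client-fixed.conf and their contents are constructed for the example.

```shell
# Added example, not from the wiki page: compare the HMAC digest ("auth") of
# a server and a client config, the mismatch behind the error above, and lint
# a client config for settings the page's sample client config leaves out.
# Assumes plain "directive value" config lines as shown on this page.

# conf_get FILE DIRECTIVE -> value of the first matching directive, if any
conf_get() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# check_auth_match SERVER_CONF CLIENT_CONF -> 0 when both digests agree.
# A side with no "auth" line uses SHA1, so a server on "auth SHA512" rejects
# every packet from a client that never set it.
check_auth_match() {
    srv=$(conf_get "$1" auth); cli=$(conf_get "$2" auth)
    [ -n "$srv" ] || srv=SHA1
    [ -n "$cli" ] || cli=SHA1
    [ "$srv" = "$cli" ] && return 0
    echo "auth mismatch: server $srv, client $cli" >&2
    return 1
}

# lint_client_conf CLIENT_CONF -> one WARN line per finding; returns 1 if any
lint_client_conf() {
    n=0
    # without this, any client certificate from the same CA could pose as the server
    grep -q '^remote-cert-tls server' "$1" || { echo "WARN: add 'remote-cert-tls server'"; n=$((n + 1)); }
    grep -q '^auth ' "$1" || { echo "WARN: no explicit 'auth' (defaults to SHA1)"; n=$((n + 1)); }
    # compression is deprecated since OpenVPN 2.5 and can leak plaintext
    grep -q '^comp-lzo' "$1" && { echo "WARN: remove 'comp-lzo'"; n=$((n + 1)); }
    [ "$n" -eq 0 ]
}

# make_samples -> writes constructed configs to a temp dir and prints its path
make_samples() {
    d=$(mktemp -d)
    printf 'port 1194\nproto udp\ndev tun\nauth SHA512\n' > "$d/server.conf"
    # client.conf mirrors the page's sample: "remote 1.2.3.4 1194" and no "auth"
    printf 'client\nremote 1.2.3.4 1194\ndev tun\nnobind\nca ca.crt\ncomp-lzo\n' > "$d/client.conf"
    printf 'cert hostname.crt\nkey hostname.key\n' >> "$d/client.conf"
    # client-fixed.conf: the same client with the missing directives added
    grep -v '^comp-lzo' "$d/client.conf" > "$d/client-fixed.conf"
    printf 'auth SHA512\nremote-cert-tls server\n' >> "$d/client-fixed.conf"
    echo "$d"
}

samples=$(make_samples)
check_auth_match "$samples/server.conf" "$samples/client.conf" || echo "-> this is the HMAC failure case"
lint_client_conf "$samples/client.conf" || true
```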
test port udp 1194
  nmap <server.address> -sU -pU:1194 -Pn
UDPv4 []: No buffer space available (code=105)
- "Increase the required free memory. I recommend at least 2 MB, which you can set with:"
  echo 2048 >/proc/sys/vm/min_free_kbytes