
Install and Configure OpenVPN Server on Linux (debian/ubuntu)

From http://www.linux.com/learn/tutorials/457103-install-and-configure-openvpn-server-on-linux


The VPN is very often critical to working within a company. With working from home being such a popular draw to many industries, it is still necessary to be able to access company folders and hardware that exists within the LAN. When outside of that LAN, one of the best ways to gain that access is with the help of a VPN. Many VPN solutions are costly, and/or challenging to set up and manage. Fortunately, for the open source/Linux community, there is a solution that is actually quite simple to set up, configure, and manage. OpenVPN is that solution and here you will learn how to set up the server end of that system.

What Is Needed

I will be setting OpenVPN up on an Ubuntu 11.04 system, using Public Key Infrastructure with a bridged Ethernet interface. This setup is the quickest route to getting OpenVPN up and running while maintaining a modicum of security.
The first step (outside of having the operating system installed) is to install the necessary packages. Since I will be installing on Ubuntu, the installation is fairly straightforward:
  1. Open up a terminal window.
  2. Run sudo apt-get install openvpn to install the OpenVPN package.
  3. Type the sudo password and hit Enter.
  4. Accept any dependencies.
There is only one package left to install — the package that allows the enabling of bridged networking. Setting up the bridge is simple, once you know how. But before the interface can be configured to handle bridged networking, a single package must be installed. Do the following:
  1. Install the necessary package with the command sudo apt-get install bridge-utils.
  2. Edit the /etc/network/interfaces file to reflect the necessary changes (see below).
  3. Restart networking with the command sudo /etc/init.d/networking restart.
Open up the /etc/network/interfaces file and make the changes that apply to your networking interface, based on the sample below:


auto lo
iface lo inet loopback

auto br0
iface br0 inet static
        address 192.168.100.10
        network 192.168.100.0
        netmask 255.255.255.0
        broadcast 192.168.100.255
        gateway 192.168.100.1
        bridge_ports eth0
        bridge_fd 9
        bridge_hello 2
        bridge_maxage 12
        bridge_stp off


Make sure to configure the bridge section (shown above) to match the correct information for your network. Save that file and restart networking. Now it's time to start configuring the VPN server.

Creating Certificates

The OpenVPN server will rely on a certificate authority (CA) for security. The certificates must first be created and then placed in the proper directories. To do this, follow these steps:
  1. Create a new directory with the command sudo mkdir /etc/openvpn/easy-rsa/.
  2. Copy the necessary files with the command sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/.
  3. Change the ownership of the newly copied directory with the command sudo chown -R $USER /etc/openvpn/easy-rsa/.
  4. Edit the file /etc/openvpn/easy-rsa/vars and change the variables listed below.
The variables to edit are:


export KEY_COUNTRY="US"
export KEY_PROVINCE="KY"
export KEY_CITY="Louisville"
export KEY_ORG="Monkeypantz"
export KEY_EMAIL="jlwallen@monkeypantz.net"

Once the file has been edited and saved, several commands must be entered in order to create the certificates:
  • cd /etc/openvpn/easy-rsa/
  • source vars
  • ./clean-all
  • ./build-dh
  • ./pkitool --initca
  • ./pkitool --server server
  • cd keys
  • sudo openvpn --genkey --secret ta.key
  • sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/

Client Certificates

The clients will need to have certificates in order to authenticate to the server. To create these certificates, do the following:
  1. cd /etc/openvpn/easy-rsa/
  2. source vars
  3. ./pkitool hostname
Here the hostname is the actual hostname of the machine that will be connecting to the VPN.
A certificate will have to be created this way for each host that needs to connect to the VPN. Once the certificates have been created, they will need to be copied to the respective clients. The files that must be copied are:
  • /etc/openvpn/ca.crt
  • /etc/openvpn/ta.key
  • /etc/openvpn/easy-rsa/keys/hostname.crt (Where hostname is the hostname of the client).
  • /etc/openvpn/easy-rsa/keys/hostname.key (Where hostname is the hostname of the client).
Copy the files above to the client using a secure method, making sure they end up in the client's /etc/openvpn directory.
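One concrete way to check a client bundle before it leaves the server, written as an added example for this page (it is not code from the article or from the OpenVPN project): a POSIX sh check that confirms the four files listed above are present, that nothing private to the server (ca.key, server.key) was swept in alongside them, and that the two key files are readable by their owner only. make_sample_bundle builds a throwaway directory of placeholder files with two deliberate mistakes so the checker has something to report; the function names and placeholder contents are this example's own.

```shell
#!/bin/sh
# check_client_bundle DIR HOSTNAME -> prints one "FINDING: ..." line per
# problem found in the staged bundle; always exits 0 (it reports, it does not fix)
check_client_bundle() {
    _dir=$1; _host=$2
    # the four files the article says every client needs
    for _f in ca.crt ta.key "$_host.crt" "$_host.key"; do
        [ -f "$_dir/$_f" ] || echo "FINDING: $_f is missing from $_dir"
    done
    # the CA key signs new certificates and the server key identifies the
    # server: neither has any business on a client
    for _f in ca.key server.key; do
        [ ! -e "$_dir/$_f" ] || echo "FINDING: $_f does not belong in a client bundle"
    done
    # a key readable by other users on the client is a credential leak;
    # `find ! -perm 600` prints the file when its mode is not exactly 0600
    for _f in ta.key "$_host.key"; do
        [ ! -e "$_dir/$_f" ] || [ -z "$(find "$_dir/$_f" ! -perm 600)" ] ||
            echo "FINDING: $_f must be mode 0600"
    done
    return 0
}

# make_sample_bundle DIR HOSTNAME -> constructed sample bundle (placeholder
# text, not real key material) with ta.key left world-readable and server.key
# copied in by mistake, so the checker has two findings to report
make_sample_bundle() {
    _dir=$1; _host=$2
    mkdir -p "$_dir"
    for _f in ca.crt ta.key "$_host.crt" "$_host.key" server.key; do
        printf 'placeholder, not real key material\n' > "$_dir/$_f"
    done
    chmod 644 "$_dir/ca.crt" "$_dir/ta.key" "$_dir/$_host.crt" "$_dir/server.key"
    chmod 600 "$_dir/$_host.key"
}

# Usage on a throwaway directory; prints the two findings and cleans up
_tmp=$(mktemp -d)
make_sample_bundle "$_tmp/laptop1" laptop1
check_client_bundle "$_tmp/laptop1" laptop1
rm -rf "$_tmp"
```

Against a real staging directory, call check_client_bundle /path/to/bundle hostname, fix whatever it prints, and only then copy the files.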

Configuring VPN Server

It is time to configure the actual VPN server. The first step is to copy a sample configuration file to work with: sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/. Now decompress the server.conf.gz file with the command sudo gzip -d /etc/openvpn/server.conf.gz. The configuration options to edit are in this file. Open server.conf in a text editor (with administrative privileges) and edit the following options:

local 192.168.100.10
dev tap0
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
server-bridge 192.168.100.101 255.255.255.0 192.168.100.105 192.168.100.200
# the route's network address must be the subnet base, not a host address
push "route 192.168.100.0 255.255.255.0"
push "dhcp-option DNS 192.168.100.201"
push "dhcp-option DOMAIN example.com"
tls-auth ta.key 0 # This file is secret
user nobody
group nogroup

If you're unsure what any of these options do:
  • The local address is the IP address of the bridged interface.
  • The server-bridge directive is needed when a bridged interface is used.
  • The server will hand out addresses from the range 192.168.100.105-200 to clients.
  • The push directives are options sent to clients.
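The addresses in those directives are easy to get wrong: a client pool outside the bridge subnet, a pool that swallows the server's own address, a pushed route whose network address does not match its mask, or a forgotten tls-auth or user/group line. The checker below is an added example written for this page, not code from the article or from OpenVPN. It reads the directives in the order server-bridge uses them (gateway, netmask, pool start, pool end) from a constructed sample string, SAMPLE_CONF, which repeats the values above but leaves the pushed route's network address misaligned on purpose, and it needs nothing beyond POSIX sh arithmetic. The function names ip4_to_int, in_subnet and check_server_conf are this example's own.

```shell
#!/bin/sh
# Constructed sample input: the article's directives, with the pushed route
# deliberately given a host address (.1) instead of the network address (.0)
SAMPLE_CONF='local 192.168.100.10
dev tap0
server-bridge 192.168.100.101 255.255.255.0 192.168.100.105 192.168.100.200
push "route 192.168.100.1 255.255.255.0"
push "dhcp-option DNS 192.168.100.201"
tls-auth ta.key 0 # This file is secret
user nobody
group nogroup'

# ip4_to_int A.B.C.D -> the address as one integer, using only shell arithmetic
ip4_to_int() {
    _saved_ifs=$IFS; IFS=.
    set -- $1
    IFS=$_saved_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_subnet IP NETWORK MASK -> exit 0 when IP lies inside NETWORK/MASK
in_subnet() {
    _ip=$(ip4_to_int "$1"); _net=$(ip4_to_int "$2"); _mask=$(ip4_to_int "$3")
    [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# check_server_conf CONF_TEXT -> prints one "FINDING: ..." line per problem;
# always exits 0 so it can be used inside a command substitution
check_server_conf() {
    _conf=$1
    _local=""; _gw=""; _mask=""; _lo=""; _hi=""
    _tls=0; _user=0; _group=0
    set -f                          # no globbing while splitting config lines
    while IFS= read -r _line; do
        case $_line in
            push*)
                # drop the directive name and the quotes, then split the payload
                _arg=${_line#push}; _arg=${_arg# }; _arg=${_arg#\"}; _arg=${_arg%%\"*}
                set -- $_arg
                if [ "$1" = route ]; then
                    _n=$(ip4_to_int "$2"); _m=$(ip4_to_int "$3")
                    [ $(( _n & _m )) -eq "$_n" ] ||
                        echo "FINDING: pushed route $2/$3 is not a network address"
                fi
                ;;
            *)
                set -- $_line
                case ${1:-} in
                    local) _local=$2 ;;
                    server-bridge) _gw=$2; _mask=$3; _lo=$4; _hi=$5 ;;
                    tls-auth) _tls=1 ;;
                    user) _user=1 ;;
                    group) _group=1 ;;
                esac
                ;;
        esac
    done <<EOF
$_conf
EOF
    set +f
    [ -n "$_local" ] || echo "FINDING: no 'local' directive; server listens on every interface"
    if [ -n "$_gw" ]; then
        _lo_i=$(ip4_to_int "$_lo"); _hi_i=$(ip4_to_int "$_hi")
        for _a in "$_local" "$_gw" "$_lo" "$_hi"; do
            [ -z "$_a" ] || in_subnet "$_a" "$_gw" "$_mask" ||
                echo "FINDING: $_a is outside the bridge subnet $_gw/$_mask"
        done
        [ "$_lo_i" -le "$_hi_i" ] || echo "FINDING: pool start $_lo is above pool end $_hi"
        # the pool must not hand a client the server's or the gateway's address
        for _a in "$_local" "$_gw"; do
            [ -z "$_a" ] && continue
            _a_i=$(ip4_to_int "$_a")
            if [ "$_a_i" -ge "$_lo_i" ] && [ "$_a_i" -le "$_hi_i" ]; then
                echo "FINDING: client pool $_lo-$_hi contains the server address $_a"
            fi
        done
    else
        echo "FINDING: no 'server-bridge' directive; clients get no addresses"
    fi
    [ "$_tls" -eq 1 ] || echo "FINDING: no 'tls-auth'; control channel is not HMAC-protected"
    [ "$_user" -eq 1 ] && [ "$_group" -eq 1 ] ||
        echo "FINDING: 'user'/'group' missing; daemon keeps root after startup"
    return 0
}

# Usage: check the constructed sample (reports the misaligned route)
check_server_conf "$SAMPLE_CONF"
```

To run it against the real file, pass its contents: check_server_conf "$(cat /etc/openvpn/server.conf)". The checker only reports; it never edits the configuration.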

Bringing The VPN Up And Down

Before the VPN is started (or restarted), a couple of scripts are needed to add the tap interface to the bridge (if bridged networking is not being used, these scripts are not necessary). OpenVPN runs them through the up and down directives set in server.conf above. The scripts are /etc/openvpn/up.sh and /etc/openvpn/down.sh.

#!/bin/sh
# This is /etc/openvpn/up.sh
# server.conf passes "br0" as the first argument; OpenVPN appends its own
# arguments after it, so the script sees: <bridge> <tap device> <tun mtu> ...
# Current OpenVPN releases only run user-supplied scripts like this one when
# server.conf also contains "script-security 2".

BR=$1
DEV=$2
MTU=$3
# bring the tap device up with the tunnel MTU, then attach it to the bridge
/sbin/ifconfig $DEV mtu $MTU promisc up
/usr/sbin/brctl addif $BR $DEV


#!/bin/sh
# This is /etc/openvpn/down.sh
# Called with the same arguments as up.sh when the tunnel closes; it undoes
# what up.sh did: detach the tap device from the bridge and bring it down.

BR=$1
DEV=$2
/usr/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down
