vpn:openvpn_server [Моя склеротичка]

Эта страница только для чтения. Вы можете посмотреть её исходный текст, но не можете его изменить. Сообщите администратору, если считаете, что это неправильно.

====== Настройка сервера OpenVPN ======

<code bash>
emerge net-misc/openvpn app-crypt/easy-rsa
cd /etc/init.d/
ln -sndf openvpn openvpn.server
rc-update add openvpn.server default
mkdir -p /etc/openvpn/server/ccd
touch /etc/openvpn/server.conf
cd /etc/openvpn/server/

cp /usr/share/easy-rsa/vars.example /usr/share/easy-rsa/vars
mcedit /usr/share/easy-rsa/vars

ln -sndf /usr/share/easy-rsa/x509-types
ln -sndf /usr/share/easy-rsa/openssl-1.0.cnf

/usr/share/easy-rsa/easyrsa init-pki
/usr/share/easy-rsa/easyrsa build-ca nopass
/usr/share/easy-rsa/easyrsa gen-dh
# либо openssl dhparam -out dh4096.pem 4096 т.к. easyrsa gen-dh генерит 2К-ключ
cd pki
openvpn --genkey --secret ta.key
cd ..

export KEY_CN="server.fqdn.tld"
/usr/share/easy-rsa/easyrsa build-server-full "${KEY_CN}" nopass

mcedit /etc/openvpn/server.conf
</code>


<file bash /etc/openvpn/server.conf>
mode server
tls-server

local 1.2.3.4
port 179
proto udp
dev tun
tun-mtu 1400
mtu-disc yes
keepalive 10 60

tls-auth        /etc/openvpn/server/pki/ta.key 0
ca              /etc/openvpn/server/pki/ca.crt
dh              /etc/openvpn/server/pki/dh.pem
cert            /etc/openvpn/server/pki/issued/server.fqdn.tld.crt
key             /etc/openvpn/server/pki/private/server.fqdn.tld.key


persist-key
persist-tun
comp-lzo

ifconfig-pool-persist ipp.txt
ifconfig 10.77.96.1 255.255.255.0
ifconfig-pool 10.77.96.2 10.77.96.254
route 10.77.96.0 255.255.255.0 10.77.96.1

# route to this VPN server
push "route 1.2.3.4 255.255.255.255 net_gateway"

# Philology, Philosophy, History
push "route 1.2.3.0 255.255.255.0 vpn_gateway 100"
push "route 10.77.0.0 255.255.0.0 vpn_gateway 100"

client-config-dir server/ccd

client-to-client
float

duplicate-cn
verb 3
#cipher DES-EDE3-CBC # Тип шифрования.
log-append /var/log/openvpn.log # Лог-файл.

user nobody
group nogroup
status openvpn-status.log

</file>


<code bash>
/etc/init.d/openvpn.server restart 
mcedit /usr/local/sbin/gen-openvpn-client-profile.sh
chmod +x /usr/local/sbin/gen-openvpn-client-profile.sh
</code>


<file bash /usr/local/sbin/gen-openvpn-client-profile.sh>
#!/bin/bash

CLIENT_NAME=$1
KEYS_DIR='/etc/openvpn/keys'
TEMPLATE_DIR='/etc/openvpn'
OUTPUT_DIR='/etc/openvpn'

source /usr/share/easy-rsa/vars
/usr/share/easy-rsa/build-key-pkcs12 ${CLIENT_NAME}

(
        cat ${TEMPLATE_DIR}/client.ovpn-templates ;
        echo '<ca>'       ; cat ${KEYS_DIR}/ca.crt             ; echo '</ca>' ;
        echo '<cert>'     ; cat ${KEYS_DIR}/${CLIENT_NAME}.crt ; echo '</cert>' ;
        echo '<key>'      ; cat ${KEYS_DIR}/${CLIENT_NAME}.key ; echo '</key>' ;
        echo '<tls-auth>' ; cat ${KEYS_DIR}/ta.key             ; echo '</tls-auth>' ;
) > ${OUTPUT_DIR}/${CLIENT_NAME}.ovpn
</file>

<file bash /etc/openvpn/client.ovpn-templates>
client
dev tun
proto udp
remote server.fqdn.tld 179
resolv-retry infinite
persist-key
persist-tun
ping 10
comp-lzo
tls-client
verb 3
pull
key-direction 1

</file>