informatica:linux:openvpn
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
| informatica:linux:openvpn [2015/05/25 14:40] – javi | informatica:linux:openvpn [2018/01/05 14:20] (current) – [Autenticación LDAP] javi | ||
|---|---|---|---|
| Line 22: | Line 22: | ||
| < | < | ||
| - | cd /usr/share/ | + | cd / |
| sudo su | sudo su | ||
| vim vars | vim vars | ||
| Line 44: | Line 44: | ||
| ./clean-all | ./clean-all | ||
| ./build-ca | ./build-ca | ||
| + | </ | ||
| + | |||
| + | Error: | ||
| + | |||
| + | < | ||
| + | grep: / | ||
| + | pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong | ||
| + | version of openssl.cnf: | ||
| + | The correct version should have a comment that says: easy-rsa version 2.x | ||
| + | </ | ||
| + | |||
| + | Solución: | ||
| + | |||
| + | ln -s openssl-1.0.0.cnf openssl.cnf | ||
| + | |||
| + | Y volver a intentar: | ||
| + | |||
| + | ./build-ca | ||
| + | | ||
| + | Error: | ||
| + | |||
| + | < | ||
| + | unable to find ' | ||
| + | problems making Certificate Request | ||
| + | 1995425184: | ||
| + | </ | ||
| + | |||
| + | Desconozco el motivo, pero se resuleve editando las lineas en las que se le asigna un valor a la variable " | ||
| + | |||
| + | vim openssl.cnf | ||
| + | | ||
| + | Y cambio los valores: | ||
| + | |||
| + | < | ||
| + | # anyadido | ||
| + | # | ||
| + | subjectAltName=email: | ||
| + | </ | ||
| + | |||
| + | Y volver a intentar: | ||
| + | |||
| + | ./build-ca | ||
| + | |||
| + | Ahora a contestar las preguntas y pulsar " | ||
| + | |||
| + | < | ||
| + | Country Name (2 letter code) [US]:ES | ||
| + | State or Province Name (full name) [BC]: | ||
| + | Locality Name (eg, city) [Barcelona]: | ||
| + | Organization Name (eg, company) [Contrabanda FM]: | ||
| + | Organizational Unit Name (eg, section) [Tècnica]: | ||
| + | Common Name (eg, your name or your server' | ||
| + | Name [EasyRSA]: | ||
| + | Email Address [admin@example.com]: | ||
| </ | </ | ||
| Line 51: | Line 105: | ||
| ./ | ./ | ||
| + | |||
| + | Ahora a contestar las preguntas y pulsar " | ||
| + | |||
| + | < | ||
| + | Country Name (2 letter code) [US]:ES | ||
| + | State or Province Name (full name) [BC]: | ||
| + | Locality Name (eg, city) [Barcelona]: | ||
| + | Organization Name (eg, company) [Contrabanda FM]: | ||
| + | Organizational Unit Name (eg, section) [Tècnica]: | ||
| + | Common Name (eg, your name or your server' | ||
| + | Name [EasyRSA]: | ||
| + | Email Address [admin@example.com]: | ||
| + | </ | ||
| + | |||
| + | Las contraseñas las dejo en blanco: | ||
| + | |||
| + | A challenge password []: | ||
| + | An optional company name []: | ||
| + | |||
| + | Y aquí hay que pulsar " | ||
| + | |||
| + | Sign the certificate? | ||
| + | 1 out of 1 certificate requests certified, commit? [y/n] | ||
| 4.2. Generate Diffie Hellman parameters | 4.2. Generate Diffie Hellman parameters | ||
| + | **OJO**: puede llevar mucho tiempo, unos 15 minutos: | ||
| + | |||
| ./build-dh | ./build-dh | ||
| - | 4.3. Mover llaves | + | 4.3. Mover llaves |
| mkdir -p / | mkdir -p / | ||
| Line 79: | Line 158: | ||
| cert / | cert / | ||
| key / | key / | ||
| - | dh / | + | dh / |
| server 172.16.0.0 255.255.255.0 | server 172.16.0.0 255.255.255.0 | ||
| ifconfig-pool-persist ipp.txt | ifconfig-pool-persist ipp.txt | ||
| Line 104: | Line 183: | ||
| ===== Generar claves de los clientes ===== | ===== Generar claves de los clientes ===== | ||
| - | ==== Migracion a openvpn >=2.3 ==== | ||
| - | **IMPORTANTE**: | ||
| - | |||
| - | 0. Instalar paquete, ahora ya NO es parte de openvpn | ||
| - | |||
| - | sudo aptitude install easy-rsa | ||
| - | | ||
| - | 1. **IMPORTANTE**: | ||
| - | |||
| - | cd / | ||
| - | mv keys keys.old | ||
| - | sudo mv / | ||
| ==== Procedimiento generico ==== | ==== Procedimiento generico ==== | ||
| Para cada nuevo cliente se tiene que repetir este proceso completo. | Para cada nuevo cliente se tiene que repetir este proceso completo. | ||
| - | |||
| 1. Convertirse en root y entrar en el directorio: | 1. Convertirse en root y entrar en el directorio: | ||
| sudo su | sudo su | ||
| - | cd / | ||
| - | |||
| - | Openvpn >=2.3: | ||
| - | |||
| cd / | cd / | ||
| Line 139: | Line 201: | ||
| ./build-key client1 | ./build-key client1 | ||
| + | |||
| + | Contestar las preguntas, presionar " | ||
| + | |||
| + | < | ||
| + | Country Name (2 letter code) [US]:ES | ||
| + | State or Province Name (full name) [BC]: | ||
| + | Locality Name (eg, city) [Barcelona]: | ||
| + | Organization Name (eg, company) [Contrabanda FM]: | ||
| + | Organizational Unit Name (eg, section) [Tècnica]: | ||
| + | Common Name (eg, your name or your server' | ||
| + | Name [EasyRSA]: | ||
| + | Email Address [admin@example.com]: | ||
| + | </ | ||
| + | |||
| + | Las contraseñas las dejo en blanco: | ||
| + | |||
| + | A challenge password []: | ||
| + | An optional company name []: | ||
| + | |||
| + | Y aquí hay que pulsar “y” más “enter”: | ||
| + | |||
| + | Sign the certificate? | ||
| + | 1 out of 1 certificate requests certified, commit? [y/n] | ||
| + | |||
| 4. Mover las llaves y copiar la clave publica de la CA a un directorio: | 4. Mover las llaves y copiar la clave publica de la CA a un directorio: | ||
| mkdir -p ~/ | mkdir -p ~/ | ||
| - | user=" | + | user=" |
| - | rm -fr keys/client1.csr | + | |
| 5. Crear el archivo de configuracion del cliente (hay un ejemplo en / | 5. Crear el archivo de configuracion del cliente (hay un ejemplo en / | ||
| ): | ): | ||
| - | vim ~/openvpn/client1/client1.conf | + | |
| | | ||
| Con el siguiente contenido: | Con el siguiente contenido: | ||
| Line 305: | Line 390: | ||
| sudo service openvpn start | sudo service openvpn start | ||
| + | | ||
| + | ==== Migracion a openvpn >=2.3 ==== | ||
| + | |||
| + | **IMPORTANTE**: | ||
| + | |||
| + | 0. Instalar paquete, ahora ya NO es parte de openvpn | ||
| + | |||
| + | sudo aptitude install easy-rsa | ||
| + | |||
| + | 1. **IMPORTANTE**: | ||
| + | |||
| + | cd / | ||
| + | mv keys keys.old | ||
| + | sudo mv / | ||
| + | |||
| ====== Acceso desde el cliente a la LAN del servidor VPN (gateway de la LAN y servidor VPN son distintos) ====== | ====== Acceso desde el cliente a la LAN del servidor VPN (gateway de la LAN y servidor VPN son distintos) ====== | ||
| Line 889: | Line 989: | ||
| </ | </ | ||
| + | |||
| + | ====== IPs estáticas ====== | ||
| + | |||
| + | http:// | ||
| + | |||
| + | 1. Una sola vez | ||
| + | |||
| + | 1.1. Crear directorios y archivos: | ||
| + | |||
| + | sudo mkdir / | ||
| + | sudo touch / | ||
| + | | ||
| + | 1.2. Editar arhcivo de configuración del servidor VPN: | ||
| + | |||
| + | sudo vim / | ||
| + | | ||
| + | Y añadir las lineas: | ||
| + | |||
| + | client-config-dir / | ||
| + | ifconfig-pool-persist / | ||
| + | |||
| + | 1.3. Reiniciar el servicio: | ||
| + | |||
| + | sudo service openvpn restart | ||
| + | | ||
| + | 2. Para cada cliente | ||
| + | |||
| + | 2.1. Crear un archivo con el nombre del certificado que se ha creado: | ||
| + | |||
| + | sudo vim / | ||
| + | |||
| + | Y especificar tanto la IP como la IP del servidor VPN: | ||
| + | |||
| + | ifconfig-push 172.16.0.50 172.16.0.1 | ||
| + | |||
| + | 2.2. Reservar esa IP para ese certificado, | ||
| + | |||
| + | client1, | ||
| + | |||
| + | 2.3. (Cliente) Reiniciar el servicio VPN: | ||
| + | |||
| + | sudo service openvpn restart | ||
| + | | ||
| + | 2.4. (Cliente) Comprobar que la IP es la especificada en los pasos 2.1. y 2.2: | ||
| + | |||
| + | sudo ifconfig | ||
| + | |||
| + | | ||
| + | | ||
| + | | ||
informatica/linux/openvpn.1432564822.txt.gz · Last modified: 2015/05/25 14:40 by javi