Aymeric APLU, 11/06/2015 21:29
creation - draft
h1. Assorted configuration relating to TTN

By APLU

h1. VPN

h2. TUN-type VPN tunnel via openvpn

The goal of this VPN is to carry IPv6 and IPv4 inside the same tunnel, so that the client is visible on the internet with its server's IP address.

h3. [Server] Prerequisites

* sudo
* openvpn

h3. [Server] Configure sudo

Edit the sudoers file with the following entries. They will be used later on so that the tunnel's IPv6 addresses can be declared on the TTN side and IPv6 can be routed.

<pre>
Cmnd_Alias IPVPN = /bin/ip neigh add *, /bin/ip neigh del *, /bin/ip neigh replace *
nobody ALL = NOPASSWD: IPVPN
</pre>

TODO: See how to make this a bit more secure

h3. [Server] openvpn configuration - certificate creation

<pre>
# cd /etc/openvpn
# mkdir easy-rsa
# cp -R /usr/share/easy-rsa/* easy-rsa/
</pre>

Edit /etc/openvpn/easy-rsa/vars to fill in the details for the key. The key size can be changed there too.

<pre>
# cd easy-rsa/
# touch keys/index.txt
# echo 01 > keys/serial
# . ./vars # set environment variables
# ./clean-all
# ./build-ca
# ./build-key-server server
# ./build-dh # takes a while (15h+ with 8192, ~10 minutes with 2048)
</pre>


h3. [Server] openvpn configuration - openvpn

Create a configuration file /etc/openvpn/myvpn.conf (the name can be changed):

<pre>
dev tun
proto udp
port 1194

ca /etc/openvpn/easy-rsa/keys/ca.crt # generated keys
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # keep secret
dh /etc/openvpn/easy-rsa/keys/dh2048.pem

user nobody
group nogroup
server 10.42.42.0 255.255.255.0

tun-ipv6
push tun-ipv6

push "route-ipv6 2000::/3"
learn-address /etc/openvpn/learn-address

# script execution
script-security 2

#mssfix
#fragment 1300

persist-key
persist-tun

keepalive 10 100

status /var/log/openvpn-status.log
log-append /var/log/openvpn
verb 3
client-to-client

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.42.42.1"
push "dhcp-option DNS 91.224.149.254"

comp-lzo adaptive

server-ipv6 2a01:6600:80XX:YY01::1/64
</pre>

Adapt XX:YY according to the IPv6 prefix provided by the TTN administrators.


Create the script /etc/openvpn/learn-address with the following content (remember to make it executable):

<pre>
#!/bin/bash
# Called by OpenVPN (learn-address) as: <add|update|delete> <address> [common-name]

action="$1"
addr="$2"

# Only handle addresses from the TTN IPv6 prefix (hex digits and colons only);
# IPv4 tunnel addresses and anything unexpected are ignored and the script exits 0.
if [[ "$addr" =~ ^2a01:[0-9a-fA-F:]+$ ]]
then
    case "$action" in
        add )
            # publish the client's address as an NDP proxy entry on the uplink
            sudo /bin/ip neigh add proxy "$addr" dev eth0
            ;;
        update )
            sudo /bin/ip neigh replace proxy "$addr" dev eth0
            ;;
        delete )
            sudo /bin/ip neigh del proxy "$addr" dev eth0
            ;;
    esac
fi
</pre>

TODO: Make sure $addr really contains an IPv6 address. The script runs as nobody, so the checks are harmless; the sudo less so.
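The check the TODO above asks for, as an added example that is not part of the original page: a POSIX sh function that validates the address OpenVPN hands to learn-address before it can reach the sudo'd ip call, plus a dry-run wrapper that only prints the command it would run. VPN_V6_PREFIX is a constructed placeholder for the /64 assigned by TTN.

```shell
#!/bin/sh
# Added example (not the page's script): strict validation of the learn-address
# argument so that only one well-formed IPv6 address from the tunnel's own /64
# ever reaches "sudo /bin/ip neigh ...".
# Constructed placeholder prefix; replace with the /64 assigned by TTN.
VPN_V6_PREFIX="${VPN_V6_PREFIX:-2a01:6600:80aa:bb01:}"

# check_v6_addr ADDR: return 0 if ADDR is a single well-formed IPv6 address
# inside VPN_V6_PREFIX, 1 otherwise. Spaces, slashes and shell metacharacters
# fail the character class, so no extra "ip" arguments can be smuggled in.
check_v6_addr() {
    addr="$1"
    # A textual IPv6 address without an embedded IPv4 part is at most 39 chars.
    [ "${#addr}" -le 39 ] || return 1
    # Expected prefix, then only hex digits and colons up to the end of string.
    printf '%s\n' "$addr" | grep -qiE "^${VPN_V6_PREFIX}[0-9a-f:]+$" || return 1
    # No hextet longer than four digits.
    if printf '%s\n' "$addr" | grep -qiE '[0-9a-f]{5}'; then
        return 1
    fi
    # At most one "::", never ":::".
    case "$addr" in
        *:::*|*::*::*) return 1 ;;
    esac
    # Uncompressed form must have exactly eight hextets (seven colons).
    case "$addr" in
        *::*) ;;
        *) n=$(printf '%s' "$addr" | tr -cd ':' | wc -c)
           [ "$n" -eq 7 ] || return 1 ;;
    esac
    return 0
}

# neigh_cmd ACTION ADDR: print, without running it, the "ip neigh" command the
# learn-address script would execute; fail for bad addresses or unknown actions.
neigh_cmd() {
    check_v6_addr "$2" || return 1
    case "$1" in
        add)    printf '/bin/ip neigh add proxy %s dev eth0\n' "$2" ;;
        update) printf '/bin/ip neigh replace proxy %s dev eth0\n' "$2" ;;
        delete) printf '/bin/ip neigh del proxy %s dev eth0\n' "$2" ;;
        *)      return 1 ;;
    esac
}
```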