This is an old revision of the document!
/usr/share/easy-rsa
vars.example

set_var EASYRSA_ALGO ec
set_var EASYRSA_CURVE secp384r1

# ./easyrsa init-pki
# ./easyrsa build-ca nopass
# ./easyrsa build-server-full <nazevserveru> nopass
# ./easyrsa build-client-full <jmenoklienta> nopass
# ./easyrsa gen-dh

pki/ca.crt
pki/private/<nazevserveru>.key
pki/issued/<nazevserveru>.crt
pki/dh.pem

pki/ca.crt
pki/private/<jmenoklienta>.key
pki/issued/<jmenoklienta>.crt

openvpn --genkey --secret ta.key

server 172.17.255.0 255.255.255.0
port 1194
proto udp
topology subnet
dev tun
# drop privileges after startup
user nobody
group nogroup
persist-key
persist-tun
# accept only peers whose certificate is marked for client use
remote-cert-tls client
cipher AES-256-GCM
client-to-client
# ifconfig-pool-persist ipp.txt
keepalive 10 120
# OpenVPN's documentation discourages compression (VORACLE-type attacks)
compress lz4
log /var/log/openvpn/<mujserver>.log
verb 3
mute 10
ca [inline]
cert [inline]
key [inline]
dh [inline]
tls-auth [inline]
# server side of the tls-auth key; the client uses 1
key-direction 0
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<dh>
-----BEGIN DH PARAMETERS-----
...
-----END DH PARAMETERS-----
</dh>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>

client
dev tun
# the network connection name must be "tap0"
dev-node tap0
<connection>
remote <server-hostname> 1194 udp
</connection>
nobind
resolv-retry infinite
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
compress lz4
log "..\\log\\<firma>-<username>log"
verb 3
mute 10
ca [inline]
cert [inline]
key [inline]
tls-auth [inline]
key-direction 1
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
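
The client file list and the inline client configuration above can be combined mechanically. The following shell function is an added example, not part of the original page: it builds a client profile from the listed `pki/` files and `ta.key`, keeping only the PEM blocks and writing the result with owner-only permissions. The function name, its arguments, and the omission of the Windows-specific `dev-node` and `log` lines and of the `[inline]` placeholder lines are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the original page): assemble a client profile with
# inline credentials from an Easy-RSA pki/ tree. The function name and its
# argument order are hypothetical.
# usage: build_client_ovpn <pki-dir> <client> <ta.key> <server-host> <out.ovpn>
build_client_ovpn() (   # subshell body: umask and variables stay local
    pki=$1 name=$2 ta=$3 host=$4 out=$5
    ca=$pki/ca.crt crt=$pki/issued/$name.crt key=$pki/private/$name.key

    # Refuse to write a half-built profile when an input is missing.
    for f in "$ca" "$crt" "$key" "$ta"; do
        [ -r "$f" ] || { echo "missing input: $f" >&2; exit 1; }
    done

    # Print only the PEM block of type $1 from file $2; issued certificates
    # and ta.key can carry text or comment lines around it.
    pem() { sed -n "/-----BEGIN $1-----/,/-----END $1-----/p" "$2"; }

    umask 077           # the profile embeds the private key
    rm -f -- "$out"     # recreate so an old file's wider mode is not kept
    {
        cat <<EOF
client
dev tun
<connection>
remote $host 1194 udp
</connection>
nobind
resolv-retry infinite
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
compress lz4
verb 3
mute 10
key-direction 1
EOF
        echo '<cert>';     pem CERTIFICATE "$crt";            echo '</cert>'
        echo '<key>';      cat "$key";                        echo '</key>'
        echo '<ca>';       pem CERTIFICATE "$ca";             echo '</ca>'
        echo '<tls-auth>'; pem 'OpenVPN Static key V1' "$ta"; echo '</tls-auth>'
    } > "$out"
)
```
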