VPNSetup

Keys

Initial creation of the server keys and certificates

Copy the template

mkdir /etc/openvpn/easy-rsa/
cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

Set the defaults

The values given here become the defaults offered during certificate generation (example values). The easy-rsa 2.0 vars template also sets KEY_SIZE (1024 in older copies of the template) and the CA_EXPIRE/KEY_EXPIRE lifetimes; set KEY_SIZE to at least 2048 before running build-ca, because build-ca, build-key-server and build-key all generate their keys with it.

/etc/openvpn/easy-rsa/vars 
	export KEY_COUNTRY="DE"
	export KEY_PROVINCE="Hessen"
	export KEY_CITY="Dieburg"
	export KEY_ORG="Horizont Dieburg e.V."
	export KEY_EMAIL="system@horizont-dieburg.org"
	export KEY_CN=changeme
	export KEY_NAME=changeme
	export KEY_OU=changeme
	export PKCS11_MODULE_PATH=changeme
	export PKCS11_PIN=1234

cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-ca
	Country Name (2 letter code) [DE]:
	State or Province Name (full name) [HE]:Hessen
	Locality Name (eg, city) [Dieburg]:
	Organization Name (eg, company) [Horizont Dieburg e.V.]:
	Organizational Unit Name (eg, section) [Notwaende]:
	Common Name (eg, your name or your server's hostname) [changeme]:<HOSTNAME> CA
	Name [changeme]:Dalliclick Internetservice
	Email Address [system@horizont-dieburg.org]:

vars only sets environment variables in the current shell, so it has to be sourced again in every new shell before any easy-rsa script is run. clean-all wipes keys/ (an existing CA included), so run it only once, at initial setup. Give the CA a Common Name that differs from the server hostname (here "<HOSTNAME> CA") so that the CA and the server certificate issued under it do not carry the same subject.

./build-key-server <HOSTNAME>        # e.g. nw-srv
	Common Name (eg, your name or your server's hostname) [changeme]:<HOSTNAME>
	Name [changeme]:Dalliclick Internetservice
	Challenge Password: DCI-Standard
	Company Name: -

The argument to build-key-server determines the file names, keys/<HOSTNAME>.crt and keys/<HOSTNAME>.key, which the server configuration below references; use the same value as the Common Name so the certificate identifies the host. Challenge password and company name are CSR attributes OpenVPN never uses and can be left empty.

./build-key dummy-user
./revoke-full dummy-user
./list-crl
cat keys/index.txt
cp keys/crl.pem /etc/openvpn/
cd keys
openvpn --genkey --secret ta.<HOSTNAME>.key
openssl dhparam -out dh2048.pem 2048

The throw-away client dummy-user exists only to be revoked: revoking one certificate produces the first crl.pem, which crl-verify in the server configuration needs. The "error 23 at 0 depth lookup:certificate revoked" that revoke-full prints is the expected result of its own verification test; index.txt afterwards lists the server certificate as V and dummy-user as R. The CRL is copied to /etc/openvpn because clean-all makes keys/ inaccessible to other users (chmod go-rwx) while OpenVPN re-reads the CRL at runtime, after it has dropped privileges to nobody; the copy must stay readable by that user and must be refreshed after every later revoke-full. The DH parameters are written to keys/dh2048.pem, the path the server configuration uses.
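
The keys/index.txt printed above is the OpenSSL CA database that easy-rsa maintains: one tab-separated line per issued certificate with status (V, R or E), expiry, revocation date, serial, file name and subject. The following script, added here as an example and not part of the original page or of easy-rsa, parses that file and answers the questions an operator has after the procedure above: which certificates are still valid, which serials must be in the CRL, and which ones are about to expire. The embedded sample index is constructed (serials and dates are invented) and uses "nw-srv" as a hypothetical server hostname.

```python
"""Audit of an easy-rsa 2.0 keys/index.txt, the OpenSSL CA database.

Each line has six tab-separated fields:
  status  expiry  revocation_date  serial  filename  subject
status is V (valid), R (revoked) or E (expired), dates are YYMMDDHHMMSSZ
in UTC, revocation_date is empty unless status is R, and filename is
"unknown" for certificates issued by easy-rsa.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample (serials and dates invented) mirroring the procedure
# above: the server certificate from build-key-server for a hypothetical
# host "nw-srv" and the dummy-user certificate revoked with revoke-full.
SAMPLE_INDEX = (
    "V\t250416153000Z\t\t01\tunknown\t"
    "/C=DE/ST=Hessen/L=Dieburg/O=Horizont Dieburg e.V./OU=changeme"
    "/CN=nw-srv/name=Dalliclick Internetservice"
    "/emailAddress=system@horizont-dieburg.org\n"
    "R\t250416153100Z\t150419161500Z\t02\tunknown\t"
    "/C=DE/ST=Hessen/L=Dieburg/O=Horizont Dieburg e.V./OU=changeme"
    "/CN=dummy-user/name=Dalliclick Internetservice"
    "/emailAddress=system@horizont-dieburg.org\n"
)


def utc(year, month, day, hour=0, minute=0):
    """Timezone-aware UTC timestamp, used as the reference 'now'."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def _parse_time(stamp):
    """'250416153000Z' -> 2025-04-16 15:30:00 UTC (two-digit year, UTC)."""
    return datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def _parse_subject(dn):
    """'/C=DE/.../CN=nw-srv' -> {'C': 'DE', ..., 'CN': 'nw-srv'}.
    Values containing '/' are not handled; the vars above never produce them."""
    subject = {}
    for rdn in dn.lstrip("/").split("/"):
        key, _, value = rdn.partition("=")
        subject[key] = value
    return subject


def parse_index(text):
    """Parse the whole database into a list of dicts, rejecting malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index.txt line {lineno}: expected 6 fields, got {len(fields)}")
        status, expiry, revoked, serial, _filename, subject = fields
        entries.append({
            "status": status,
            "expires": _parse_time(expiry),
            "revoked": _parse_time(revoked) if revoked else None,
            "serial": serial,
            "subject": _parse_subject(subject),
        })
    return entries


def active_certs(entries, now):
    """Certificates the server still accepts: status V and not past expiry.
    openssl ca only rewrites V to E when 'openssl ca -updatedb' is run, so
    the expiry date has to be checked, not just the status letter."""
    return [e for e in entries if e["status"] == "V" and e["expires"] > now]


def revoked_serials(entries):
    """Serials that must appear in crl.pem (compare with ./list-crl)."""
    return {e["serial"] for e in entries if e["status"] == "R"}


def expiring_within(entries, now, days):
    """Valid certificates that expire within the next `days` days."""
    horizon = now + timedelta(days=days)
    return [e for e in entries if e["status"] == "V" and now < e["expires"] <= horizon]


def find_by_cn(entries, cn):
    """All entries whose Common Name is `cn` (a reissued cert leaves several)."""
    return [e for e in entries if e["subject"].get("CN") == cn]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INDEX
    now = datetime.now(timezone.utc)
    entries = parse_index(text)
    for e in entries:
        print(e["status"], e["serial"], e["subject"].get("CN"), "expires", e["expires"].date())
    print("revoked serials:", sorted(revoked_serials(entries)))
    print("expiring within 90 days:", [e["serial"] for e in expiring_within(entries, now, 90)])
```

Run it as `python3 audit_index.py /etc/openvpn/easy-rsa/keys/index.txt`; without an argument it reports on the embedded sample. Every serial returned by revoked_serials must show up in the output of ./list-crl, otherwise the CRL copy in /etc/openvpn is stale.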

Server configuration

mkdir /var/log/openvpn
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
cd /etc/openvpn
gunzip server.conf.gz

/etc/openvpn/server.conf
	local <IPADDRESS HOST>
	port 1194
	proto udp
	dev tun
 
	ca /etc/openvpn/easy-rsa/keys/ca.crt
	cert /etc/openvpn/easy-rsa/keys/<HOSTNAME>.crt
	key /etc/openvpn/easy-rsa/keys/<HOSTNAME>.key
	dh /etc/openvpn/easy-rsa/keys/dh2048.pem
 
	crl-verify crl.pem
 
	server 10.8.0.0 255.255.255.0
	push "redirect-gateway def1 bypass-dhcp"
	push "dhcp-option DNS 192.168.178.3"
	push "dhcp-option DOMAIN notwaende.local"
	push "dhcp-option SEARCH notwaende.local"
 
	keepalive 10 120
 
	tls-auth /etc/openvpn/easy-rsa/keys/ta.<HOSTNAME>.key 0
 
	cipher AES-256-CBC
 
	comp-lzo
 
	max-clients 10
 
	user nobody
	group nogroup
 
	persist-key
	persist-tun
 
	verb 3
	mute 10

Notes on this file: the relative crl.pem resolves against /etc/openvpn because the Debian service starts OpenVPN with --cd /etc/openvpn. The certificate, key, DH and tls-auth files under keys/ are read once as root before the switch to nobody/nogroup and kept in memory through persist-key, which is why the inaccessible keys/ directory is no problem for them while the CRL had to be copied out. comp-lzo should be dropped today: compressing VPN traffic lets an attacker who can inject chosen plaintext into a connection recover secrets from the compressed size (VORACLE), and current OpenVPN releases deprecate compression. tls-version-min 1.2, auth SHA256 and remote-cert-tls client tighten the handshake further; the clients must then carry the matching cipher and auth settings.
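
As a check before starting the service, the following script, added here as an example and not part of the original page or of OpenVPN, parses a server.conf, resolves every file directive to the path OpenVPN will actually open (relative paths against /etc/openvpn, the --cd directory of the Debian service, which is an assumption of the script) and reports the options that weaken the setup discussed above. The embedded sample is the configuration above with the placeholders filled in for a hypothetical host "nw-srv" on 192.168.178.2.

```python
"""Static audit of an OpenVPN 2.x server.conf: resolves every file the
configuration references and flags options that weaken the setup.
Assumes relative paths resolve against the directory OpenVPN is started
in (Debian's service files use --cd /etc/openvpn)."""
import os
import shlex

# Directives whose first argument names a file that must exist at start-up.
FILE_DIRECTIVES = ("ca", "cert", "key", "dh", "crl-verify", "tls-auth", "tls-crypt")

# Constructed sample: the server.conf above with the placeholders filled in
# for a hypothetical host "nw-srv" on 192.168.178.2.
SAMPLE_CONF = """\
local 192.168.178.2
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/nw-srv.crt
key /etc/openvpn/easy-rsa/keys/nw-srv.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
crl-verify crl.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.178.3"
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.nw-srv.key 0
cipher AES-256-CBC
comp-lzo
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
verb 3
"""


def parse_conf(text):
    """Return [(directive, [args...])]; lines starting with '#' or ';' are
    comments, and shlex.split keeps the quoted argument of push "..." whole."""
    directives = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        words = shlex.split(line)
        directives.append((words[0], words[1:]))
    return directives


def referenced_files(directives, base_dir):
    """Map each file directive to the absolute path OpenVPN will open."""
    paths = {}
    for name, args in directives:
        if name in FILE_DIRECTIVES and args:
            path = args[0]
            paths[name] = path if os.path.isabs(path) else os.path.join(base_dir, path)
    return paths


def audit(text, base_dir="/etc/openvpn", exists=os.path.isfile):
    """Return {'missing': {directive: path}, 'findings': [str]}. `exists` is
    injectable so the checks can run against a config whose files are absent."""
    directives = parse_conf(text)
    names = {name for name, _ in directives}
    missing = {d: p for d, p in referenced_files(directives, base_dir).items() if not exists(p)}
    findings = []
    if "comp-lzo" in names or "compress" in names:
        findings.append("compression enabled: remove comp-lzo/compress (VORACLE plaintext recovery)")
    if "tls-auth" not in names and "tls-crypt" not in names:
        findings.append("no tls-auth/tls-crypt: control channel packets are not HMAC-protected")
    if "crl-verify" not in names:
        findings.append("no crl-verify: revoked client certificates are still accepted")
    if "remote-cert-tls" not in names:
        findings.append("no remote-cert-tls client: peer certificates are not checked for the client EKU")
    if "tls-version-min" not in names:
        findings.append("no tls-version-min: TLS 1.0 can be negotiated")
    if "auth" not in names:
        findings.append("no auth directive: data-channel HMAC defaults to SHA1")
    if "user" not in names or "group" not in names:
        findings.append("no user/group: the daemon keeps root privileges")
    return {"missing": missing, "findings": findings}


if __name__ == "__main__":
    import sys
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    report = audit(conf)
    for directive, path in report["missing"].items():
        print(f"MISSING {directive}: {path}")
    for finding in report["findings"]:
        print("WARN", finding)
```

Run it as `python3 audit_conf.py /etc/openvpn/server.conf` on the server; it reads no files other than the configuration, so a missing entry points at a wrong path or a file that was never copied, not at a permission problem, which the script does not check.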

Server test

ifconfig
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:71163 errors:0 dropped:0 overruns:0 frame:0
          TX packets:86759 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:15156918 (14.4 MiB)  TX bytes:55682217 (53.1 MiB)
ping 10.8.0.1
Last modified 19.04.2015 18:22