
Installing an OpenVPN server with chroot and a fixed IP

We have previously seen how to install an OpenVPN server and some of its configuration options: using chroot in OpenVPN and how to assign a fixed IP in OpenVPN. Below we will first see how to install the VPN server, then a VPN client for Linux, and finally a VPN client for Windows with OpenVPN GUI.

First of all we install the libraries we need as packages:

yum install lzo-devel -y
yum install openssl-devel -y

Next we compile the latest version of OpenVPN:

wget http://openvpn.net/release/openvpn-2.1.3.tar.gz
tar xzf openvpn-2.1.3.tar.gz 
cd openvpn-2.1.3
./configure
make && make install

Next we create some directories we will need and copy the easy-rsa scripts:

mkdir /usr/local/etc/openvpn/
cp easy-rsa/ /usr/local/etc/openvpn/ -pr
cd /usr/local/etc/openvpn/easy-rsa/2.0

Next we define the variables we want as defaults for the certificate fields:

echo "export KEY_COUNTRY=ES" >> vars
echo "export KEY_PROVINCE=BARCELONA" >> vars
echo "export KEY_CITY=Barcelona" >> vars
echo "export KEY_ORG=\"systemadmin.es\"" >> vars
echo "export KEY_EMAIL=\"jordi@systemadmin.es\"" >> vars

Next we generate the CA (Certificate Authority):

# . ./vars 
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/etc/openvpn/easy-rsa/2.0/keys
# ./clean-all 
# ./build-ca 
Generating a 1024 bit RSA private key
..........++++++
....................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ES]:
State or Province Name (full name) [BARCELONA]:
Locality Name (eg, city) [Barcelona]:
Organization Name (eg, company) [systemadmin.es]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [systemadmin.es CA]:qapla.ca.systemadmin.es
Name []:
Email Address [jordi@systemadmin.es]:

Next we generate the certificate for the server:

# ./build-key-server qapla.systemadmin.es
Generating a 1024 bit RSA private key
......................++++++
.............................++++++
writing new private key to 'qapla.systemadmin.es.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ES]:
State or Province Name (full name) [BARCELONA]:
Locality Name (eg, city) [Barcelona]:
Organization Name (eg, company) [systemadmin.es]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [qapla.systemadmin.es]:
Name []:
Email Address [jordi@systemadmin.es]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'ES'
stateOrProvinceName   :PRINTABLE:'BARCELONA'
localityName          :PRINTABLE:'Barcelona'
organizationName      :PRINTABLE:'systemadmin.es'
commonName            :PRINTABLE:'qapla.systemadmin.es'
emailAddress          :IA5STRING:'jordi@systemadmin.es'
Certificate is to be certified until Sep 10 07:43:56 2020 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Next we generate the certificate for the client:

# ./build-key croscat.systemadmin.es
Generating a 1024 bit RSA private key
...++++++
.........................................++++++
writing new private key to 'croscat.systemadmin.es.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ES]:
State or Province Name (full name) [BARCELONA]:
Locality Name (eg, city) [Barcelona]:
Organization Name (eg, company) [systemadmin.es]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [croscat.systemadmin.es]:
Name []:
Email Address [jordi@systemadmin.es]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'ES'
stateOrProvinceName   :PRINTABLE:'BARCELONA'
localityName          :PRINTABLE:'Barcelona'
organizationName      :PRINTABLE:'systemadmin.es'
commonName            :PRINTABLE:'croscat.systemadmin.es'
emailAddress          :IA5STRING:'jordi@systemadmin.es'
Certificate is to be certified until Sep 10 07:44:41 2020 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Next we generate the Diffie-Hellman parameters for the key exchange:

# ./build-dh 
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time

Finally we create the remaining directories we need and generate the configuration file:

ln -s /usr/local/etc/openvpn/easy-rsa/2.0/keys/ /usr/local/etc/openvpn/keys
mkdir -p /usr/local/etc/openvpn/chroot/ccd
chown nobody. /usr/local/etc/openvpn/chroot -R
cat <<EOF > /usr/local/etc/openvpn/openvpn.conf

port 1194

proto udp

dev tun

ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/$(hostname --long).crt

# private key
key /usr/local/etc/openvpn/keys/$(hostname --long).key

dh /usr/local/etc/openvpn/keys/dh1024.pem

server 172.16.101.0 255.255.255.0

ifconfig-pool-persist ipp.txt

client-config-dir ccd

keepalive 10 120

comp-lzo

max-clients 3

user nobody
group nobody

persist-key
persist-tun

status openvpn-status.log

verb 3

chroot /usr/local/etc/openvpn/chroot
EOF

With this we can now run the VPN server under daemontools:

mkdir -p /usr/local/supervise/openvpn
cat <<EOF > /usr/local/supervise/openvpn/run
#!/bin/bash
exec /usr/local/sbin/openvpn --config /usr/local/etc/openvpn/openvpn.conf --syslog openvpn
EOF
chmod +x /usr/local/supervise/openvpn/run

To assign a fixed IP to the client, we create a file named after the client (the Common Name of its certificate) inside the ccd directory:

echo "ifconfig-push 172.16.101.2 172.16.101.1" > /usr/local/etc/openvpn/chroot/ccd/croscat.systemadmin.es

For compatibility with Windows clients, the client and server IPs must be one of the following pairs (each pair is the two usable addresses of a /30 subnet, which is what the Windows TAP driver requires in net30 topology):

[  1,  2] [  5,  6] [  9, 10] [ 13, 14] [ 17, 18]
[ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
[ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
[ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
[ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
[101,102] [105,106] [109,110] [113,114] [117,118]
[121,122] [125,126] [129,130] [133,134] [137,138]
[141,142] [145,146] [149,150] [153,154] [157,158]
[161,162] [165,166] [169,170] [173,174] [177,178]
[181,182] [185,186] [189,190] [193,194] [197,198]
[201,202] [205,206] [209,210] [213,214] [217,218]
[221,222] [225,226] [229,230] [233,234] [237,238]
[241,242] [245,246] [249,250] [253,254]
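As an added example (not code from the original post), a small Python helper that checks an ifconfig-push pair against this table and builds the ccd entry; it assumes the page's server subnet 172.16.101.0/24, and the helper names are my own:

```python
import ipaddress

# Server subnet from the page's config line "server 172.16.101.0 255.255.255.0"
VPN_NET = ipaddress.ip_network("172.16.101.0/24")


def is_windows_net30_pair(client_ip, server_ip):
    """True if (client_ip, server_ip) is one of the pairs in the table above:
    both addresses lie in the same /30 of VPN_NET and each is one of the two
    usable hosts of that /30 (last octets 1,2 / 5,6 / 9,10 ...)."""
    c = ipaddress.ip_address(client_ip)
    s = ipaddress.ip_address(server_ip)
    if c == s or c not in VPN_NET or s not in VPN_NET:
        return False
    block = ipaddress.ip_network(f"{c}/30", strict=False)  # the /30 containing c
    usable = set(block.hosts())  # the two middle addresses; .0 and .3 are excluded
    return c in usable and s in usable


def net30_pair_for_block(n):
    """(client_ip, server_ip) for the n-th /30 of VPN_NET. Block 0 is .1/.2,
    which the server takes for its own tun0, so clients normally start at n=1
    (the startup log on this page shows the dynamic pool starting at .4)."""
    block = list(VPN_NET.subnets(new_prefix=30))[n]
    first, second = block.hosts()
    # Same ordering as the page's entry: the client gets the higher address,
    # the lower one is the server-side endpoint it is told to use.
    return str(second), str(first)


def ccd_entry(client_ip, server_ip):
    """The ccd line the page writes for the client, refusing pairs that
    a Windows client could not use."""
    if not is_windows_net30_pair(client_ip, server_ip):
        raise ValueError(f"{client_ip} {server_ip} is not a valid net30 pair")
    return f"ifconfig-push {client_ip} {server_ip}\n"


if __name__ == "__main__":
    # The page's own entry for croscat.systemadmin.es
    print(ccd_entry("172.16.101.2", "172.16.101.1"), end="")
    # First free block after the server's own
    print(ccd_entry(*net30_pair_for_block(1)), end="")
```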

Finally we start the VPN server by linking the service directory into /service:

ln -s /usr/local/supervise/openvpn/ /service/

In /var/log/messages we will see the following (note that the timestamps switch from local time to UTC right after the chroot succeeds, because the timezone data under /etc is no longer visible to the process inside /usr/local/etc/openvpn/chroot):

Sep 13 10:04:25 qapla openvpn[5787]: OpenVPN 2.1.3 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Sep  8 2010
Sep 13 10:04:25 qapla openvpn[5787]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sep 13 10:04:25 qapla openvpn[5787]: Diffie-Hellman initialized with 1024 bit key
Sep 13 10:04:25 qapla openvpn[5787]: TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sep 13 10:04:25 qapla openvpn[5787]: Socket Buffers: R=[262144->131072] S=[262144->131072]
Sep 13 10:04:25 qapla openvpn[5787]: ROUTE default_gateway=91.121.142.254
Sep 13 10:04:25 qapla openvpn[5787]: TUN/TAP device tun0 opened
Sep 13 10:04:25 qapla openvpn[5787]: TUN/TAP TX queue length set to 100
Sep 13 10:04:25 qapla openvpn[5787]: /sbin/ifconfig tun0 172.16.101.1 pointopoint 172.16.101.2 mtu 1500
Sep 13 10:04:25 qapla openvpn[5787]: /sbin/route add -net 172.16.101.0 netmask 255.255.255.0 gw 172.16.101.2
Sep 13 10:04:25 qapla openvpn[5787]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sep 13 10:04:25 qapla openvpn[5787]: chroot to '/usr/local/etc/openvpn/chroot' and cd to '/' succeeded
Sep 13 08:04:25 qapla openvpn[5787]: GID set to nobody
Sep 13 08:04:25 qapla openvpn[5787]: UID set to nobody
Sep 13 08:04:25 qapla openvpn[5787]: UDPv4 link local (bound): [undef]:1194
Sep 13 08:04:25 qapla openvpn[5787]: UDPv4 link remote: [undef]
Sep 13 08:04:25 qapla openvpn[5787]: MULTI: multi_init called, r=256 v=256
Sep 13 08:04:25 qapla openvpn[5787]: IFCONFIG POOL: base=172.16.101.4 size=62
Sep 13 08:04:25 qapla openvpn[5787]: IFCONFIG POOL LIST
Sep 13 08:04:25 qapla openvpn[5787]: Initialization Sequence Completed


One comment on "Installing an OpenVPN server with chroot and a fixed IP"

  1. Hi, I have your VPN software installed, I followed the steps, I even modified the hosts file and nothing has worked for me.
    How could we arrange for you to provide me with a remote service?

    Thanks for your attention.
