Eu tenho um guia passo-a-passo para o OpenVPN em um roteador OpenWRT 10.03: (wl500gpv2)
opkg install openvpn_2.1.1-1_brcm-2.4.ipk kmod-tun_2.4.37.9-1_brcm-2.4.ipk libopenssl_0.9.8m-3_brcm-2.4.ipk liblzo_2.03-3_brcm-2.4.ipk openssl-util_0.9.8m-3_brcm-2.4.ipk ntpd_4.2.6-4_brcm-2.4.ipk
# 0)
mkdir -p /etc/ssl/certs/demoCA/newcerts /etc/ssl/certs/demoCA/private /etc/ssl/private; touch /etc/ssl/certs/demoCA/index.txt; echo "01" >> /etc/ssl/certs/demoCA/serial; cd /etc/ssl/certs
# 1)
# cakey.pem: CA's private key - needed by key signing machine only, purpose: Root CA key, keep it in SECRET!!
# cacert.pem: CA's cert - needed by server + all clients, purpose: Root CA certificate, not secret
# common name: "vpnserver" - in every other case just hit enter
time openssl req -nodes -new -x509 -days 3650 -keyout /etc/ssl/certs/demoCA/private/cakey.pem -out demoCA/cacert.pem
# 2)
# server.key: needed by server only, purpose: Server Key, keep it in SECRET!!
# server.csr: [???]
# common name: "vpnserver" - in every other case just hit enter
time openssl req -nodes -new -keyout /etc/ssl/private/server.key -out server.csr # password not advised - only if you're paranoic..
# 3)
# server.crt: needed by server only, purpose: Server Certificate, not secret
# Sign the certificate? [y/n]:y
# 1 out of 1 certificate requests certified, commit? [y/n]y
time openssl ca -cert demoCA/cacert.pem -keyfile /etc/ssl/certs/demoCA/private/cakey.pem -out server.crt -in server.csr -days 3650
# 4)
# shared.key: [???]
time openvpn --genkey --secret shared.key
# 5)
# dh.pem: Diffie-Hellman file for secure SSL/TLS negotiation, identical on the server and all clients
time openssl dhparam -out dh.pem 1024
# 6)
# give a common name! it will be the user name
# client1.key: needed at client1 only, purpose: Client1 Key, keep it in SECRET!
# client1.csr: [???]
# client1.crt: needed at client1 only, purpose: Client1 Certificate, not secret
# Give the client's key file a password for better security.
time openssl req -nodes -new -keyout /etc/ssl/private/client1.key -out client1.csr
# Sign the certificate? [y/n]:y
# 1 out of 1 certificate requests certified, commit? [y/n]y
time openssl ca -out client1.crt -in client1.csr
copie os certificados
# on the router
mkdir -p /etc/ssl/certs/client1; cp demoCA/cacert.pem client1.crt /etc/ssl/private/client1.key shared.key dh.pem client1; tar -cvf /root/client1.tar client1; rm -fr /etc/ssl/certs/client1
# on the pc [with a normal user]
mkdir ~/.cert/; rm ~/.cert/*; cd ~/.cert/; scp [email protected]:/root/client1.tar ~/.cert/; tar -xvf ~/.cert/client1.tar; mv ~/.cert/client1/* .; rm -fr client1; chmod 600 ~/.cert/*
# if you're using e.g.: Fedora/SELinux, then
restorecon -Rv ~/.cert*
mkdir /etc/openvpn; vim /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca /etc/ssl/certs/demoCA/cacert.pem
cert /etc/ssl/certs/server.crt
key /etc/ssl/private/server.key
dh /etc/ssl/certs/dh.pem
tls-auth /etc/ssl/certs/shared.key 0
server 192.168.80.0 255.255.255.0
push "redirect-gateway"
comp-lzo
keepalive 10 120
status /tmp/openvpn.status
vim /etc/firewall.user
iptables -t nat -A prerouting_wan -p udp --dport 1194 -j ACCEPT
iptables -A input_wan -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT
sync; sync; sync
reboot
openvpn --daemon --config /etc/openvpn/server.conf
root@OpenWrt:/etc/ssl/certs# ps aux | fgrep -i openvpn
941 root 2876 S openvpn --daemon --config /etc/openvpn/server.conf
root@OpenWrt:/etc/ssl/certs# netstat -tulpn | fgrep -i 1194
udp 0 0 0.0.0.0:1194 0.0.0.0:* 941/openvpn
root@OpenWrt:/etc/ssl#
yum install openvpn
vim /etc/openvpn/client.conf
client
dev tun
proto udp
remote 192.168.1.1 1194
nobind
ca /home/USERNAME/.cert/cacert.pem
cert /home/USERNAME/.cert/client1.crt
key /home/USERNAME/.cert/client1.key
dh /home/USERNAME/.cert/dh.pem
tls-auth /home/USERNAME/.cert/shared.key 1
comp-lzo
openvpn /etc/openvpn/client.conf
Mas depois que eu experimento, o cliente dá um erro: (e quando eu uso a VPN, não consigo pingar google.com do cliente ... apenas o roteador)
Sat Jul 9 13:14:19 2011 OpenVPN 2.1.1 i686-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Jan 5 2010
Sat Jul 9 13:14:19 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jul 9 13:14:19 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Jul 9 13:14:19 2011 Control Channel Authentication: using '/home/USERNAME/.cert/shared.key' as a OpenVPN static key file
Sat Jul 9 13:14:19 2011 LZO compression initialized
Sat Jul 9 13:14:19 2011 UDPv4 link local: [undef]
Sat Jul 9 13:14:19 2011 UDPv4 link remote: 192.168.1.1:1194
Sat Jul 9 13:14:19 2011 [vpnserver] Peer Connection Initiated with 192.168.1.1:1194
Sat Jul 9 13:14:21 2011 TUN/TAP device tun0 opened
Sat Jul 9 13:14:21 2011 /sbin/ip link set dev tun0 up mtu 1500
Sat Jul 9 13:14:21 2011 /sbin/ip addr add dev tun0 local 192.168.80.6 peer 192.168.80.5
Sat Jul 9 13:14:21 2011 OpenVPN ROUTE: omitted no-op route: 192.168.1.1/255.255.255.255 -> 192.168.1.1
Sat Jul 9 13:14:21 2011 WARNING: potential route subnet conflict between local LAN [192.168.80.0/255.255.255.0] and remote VPN [192.168.80.1/255.255.255.255]
Sat Jul 9 13:14:21 2011 Initialization Sequence Completed
^CSat Jul 9 13:16:10 2011 event_wait : Interrupted system call (code=4)
RTNETLINK answers: No such process
Sat Jul 9 13:16:10 2011 ERROR: Linux route delete command failed: external program exited with error status: 2
Sat Jul 9 13:16:10 2011 /sbin/ip addr del dev tun0 local 192.168.80.6 peer 192.168.80.5
Sat Jul 9 13:16:10 2011 SIGINT[hard,] received, process exiting
A pergunta é: o que estou fazendo de errado? Por que isso não funciona? Estou dando sub-redes erradas? Como posso dar bons? (por exemplo: má "servidor" linha na "configuração do servidor openvpn"?)
---
Topologia:
ISP - > OPENWRT ROUTER (dando 192.168.1.0/24) - > MYPC (dhcp, ip não estático)
Obrigado por qualquer ajuda / dicas. Eu já pesquisei por horas e perguntei a muitos especialistas, mas sem sorte. Meu objetivo é abrir para este roteador openwrt do meu PC para ter um "canal" seguro (a partir de um netcafe, ou da topologia mencionada, etc.). O "MYPC" está executando o Fedora 14
UPDATE Q:
Alguém pode explicar o que são esses arquivos ?:
: D
Eu resolvi o problema:
Quando eu abro do cliente para o servidor, a conexão SSH para o roteador é morta, e o servidor OpenVPN também é morto, porque eu usei:
openvpn --daemon --config /etc/openvpn/server.conf
e não:
nohup openvpn --daemon --config /etc/openvpn/server.conf >/dev/null &
:) Problema resolvido. Agora funciona perfeitamente ...: D headshot: D LOL.
Sat Jul 9 13:14:21 2011 WARNING: potential route subnet conflict between local LAN [192.168.80.0/255.255.255.0] and remote VPN [192.168.80.1/255.255.255.255]
Por algum motivo, sua configuração parece estar compartilhando o espaço de endereço IP. Sua VPN está selecionando endereços do espaço de endereço 192.168.80.x e sua LAN local está selecionando endereços do espaço de endereço 192.168.80.x . Se isso acontecer, quando o tráfego da VPN for roteado para o MyPC, ele não saberá qual roteador obterá a resolução do endereço e tudo será violado.
Além disso, você precisa usar o iptables no roteador. Ele deve estar embutido, mas será necessária uma regra para redirecionar todo o tráfego do seu MyPC pela VPN. Há um artigo muito bom aqui que deve ajudar.