OpenVPN è un software open source che può essere utilizzato per accedere a Internet in modo sicuro quando connesso a una rete non affidabile. OpenVPN ti consente di proteggere i tuoi dati online incanalandoli attraverso server crittografati. OpenVPN utilizza SSL/TLS per lo scambio di chiavi ed è in grado di attraversare i traduttori di indirizzi di rete. Esistono molti software VPN disponibili sul mercato, ma tutti sono costosi e/o difficili da configurare e gestire. Mentre OpenVPN è gratuito, semplice da configurare, configurare e gestire.
In questo tutorial, spiegheremo come configurare il server OpenVPN sul server Debian 10.
Requisiti
- Due server con Debian 10.
- Un indirizzo IP statico 192.168.0.103 è configurato sul server VPN e 192.168.0.102 è configurato sul client VPN.
- Su entrambi i server è configurata una password di root.
Installa OpenVPN
Innanzitutto, dovrai abilitare l'inoltro IP per inoltrare correttamente i pacchetti di rete. Puoi farlo modificando il file /etc/sysctl.conf:
nano /etc/sysctl.conf
Modifica la seguente riga:
net.ipv4.ip_forward=1
Salva e chiudi il file, quando hai finito. Quindi, applica le nuove impostazioni eseguendo il comando seguente:
sysctl -p
Quindi, installa il pacchetto OpenVPN semplicemente eseguendo il seguente comando:
apt-get install openvpn -y
Una volta completata l'installazione, puoi procedere al passaggio successivo.
Genera certificato e chiave server
Innanzitutto, dovrai copiare la directory EasyRSA in /etc/openvpn/. Puoi farlo con il seguente comando:
cp -r /usr/share/easy-rsa /etc/openvpn/
Quindi, cambia la directory in easy-rsa e rinomina il file vars.example:
cd /etc/openvpn/easy-rsa
mv vars.example vars
Quindi, apri il file vars:
nano vars
Aggiungi le seguenti righe:
export KEY_COUNTRY="INDIA" export KEY_PROVINCE="CA" export KEY_CITY="Junagadh" export KEY_ORG="Howtoforge" export KEY_EMAIL="[email protected]" export KEY_OU="OpenVPN"
Salva e chiudi il file quando hai finito. Quindi, inizializza PKI con il seguente comando:
./easyrsa init-pki
Dovresti vedere il seguente output:
Note: using Easy-RSA configuration from: ./vars init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
Quindi, crea la CA senza una password come mostrato di seguito:
./easyrsa build-ca nopass
Dovresti vedere il seguente output:
Note: using Easy-RSA configuration from: ./vars Using SSL: openssl OpenSSL 1.1.1c 28 May 2019 Generating RSA private key, 2048 bit long modulus (2 primes) ...................................+++++ ..............+++++ e is 65537 (0x010001) Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG 140449484268672:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:98:Filename=/etc/openvpn/easy-rsa/pki/.rnd You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server CA creation complete and you may now import and sign cert requests. Your new CA certificate file for publishing is at: /etc/openvpn/easy-rsa/pki/ca.crt
Quindi, genera la chiave del server con il seguente comando:
./easyrsa gen-req server nopass
Dovresti vedere il seguente output:
Note: using Easy-RSA configuration from: ./vars Using SSL: openssl OpenSSL 1.1.1c 28 May 2019 Generating a RSA private key ...+++++ ................................................................................................................+++++ writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.uQ7rqU8ryK' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [server]: Keypair and certificate request completed. Your files are: req: /etc/openvpn/easy-rsa/pki/reqs/server.req key: /etc/openvpn/easy-rsa/pki/private/server.key
Quindi, firma il certificato del server con il seguente comando:
./easyrsa sign-req server server
Dovresti vedere il seguente output:
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c 28 May 2019
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 1080 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Sep 5 15:43:29 2022 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt
Quindi, crea uno scambio di chiavi Diffie-Hellman con il seguente comando:
./easyrsa gen-dh
Dovresti vedere il seguente output:
Note: using Easy-RSA configuration from: ./vars Using SSL: openssl OpenSSL 1.1.1c 28 May 2019 Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time ...................+.............................................+..........................................................................................................................................................................................................................................................+.......+................................................................................+................+....................................+..........................+........................................+............................................................................................+.......................................................+............................+......................................................................................................+...................................................................................+.................+............+.+............................+...............................................................................................................................................+............+...............................................+................................................................................................................................................................................+.....................................................................................................................+...................................................................................................................................................................................................+.............................................+..................................................................................................................................+......................................................................................................................................+....................................+..................................................................................................................................................................................+................................................................................................+..............................................................................................+............................................................................................................................................................................................+...........+.................+.....+..........................................................................................................+..........................................................+............+......................................+............................................................................................................................................................................................................................................................................................................+..................................+.................................................................................+.............................+.....................................................................................................................................................................................................................+..........................+.......................................................+......................+.................................+..............................................................+.............................................................................................................................................................+........................................................................+...............................+...............................................................................................................+..............................................+......................................................+.......................+......................................................................................................................................................................................................................+............................................................................................................................+..........................+......................................................................................................................................................................+..........................................................................................+..........................................................++*++*++*++* DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem
Quindi, genera una firma HMAC con il seguente comando:
openvpn --genkey --secret ta.key
Infine, copia tutto il certificato e la chiave nella directory /etc/openvpn:
cp ta.key /etc/openvpn/
cp pki/ca.crt /etc/openvpn/
cp pki/private/server.key /etc/openvpn/
cp pki/issued/server.crt /etc/openvpn/
cp pki/dh.pem /etc/openvpn/
Genera certificato cliente e chiave
Quindi, genera il certificato del cliente con il seguente comando:
./easyrsa gen-req client nopass
Dovresti vedere il seguente output:
Note: using Easy-RSA configuration from: ./vars Using SSL: openssl OpenSSL 1.1.1c 28 May 2019 Generating a RSA private key ..........................................+++++ ...............+++++ writing new private key to '/etc/openvpn/easy-rsa/pki/private/client.key.wU45j6E0Dt' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [client]: Keypair and certificate request completed. Your files are: req: /etc/openvpn/easy-rsa/pki/reqs/client.req key: /etc/openvpn/easy-rsa/pki/private/client.key
Quindi, firma il certificato del cliente con il seguente comando:
./easyrsa sign-req client client
Dovresti vedere il seguente output:
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c 28 May 2019
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 1080 days:
subject=
commonName = client
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client'
Certificate is to be certified until Sep 5 12:28:25 2022 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt
Quindi, copia tutti i certificati e le chiavi del client nella directory /etc/openvpn/client/:
cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client.crt /etc/openvpn/client/
cp pki/private/client.key /etc/openvpn/client/
Configura server OpenVPN
Vengono ora generati tutti i certificati e le chiavi richiesti per server e client. Successivamente, dovrai creare un file di configurazione OpenVPN. Puoi crearlo con il seguente comando:
nano /etc/openvpn/server.conf
Aggiungi il seguente contenuto:
port 1194 proto udp dev tun ca ca.crt cert server.crt key server.key # This file should be kept secret dh dh.pem server 10.8.0.0 255.255.255.0 push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 208.67.222.222" push "dhcp-option DNS 208.67.220.220" keepalive 10 120 tls-auth ta.key 0 # This file is secret cipher AES-256-CBC user nobody group nogroup persist-key persist-tun status /var/log/openvpn/openvpn-status.log log /var/log/openvpn/openvpn.log log-append /var/log/openvpn/openvpn.log verb 3 explicit-exit-notify 1
Salva e chiudi il file. Quindi, avvia il servizio OpenVPN con il seguente comando:
systemctl start [email protected]
Successivamente, verifica il server OpenVPN utilizzando il seguente comando:
systemctl status [email protected]
Uscita:
? [email protected] - OpenVPN connection to server
Loaded: loaded (/lib/systemd/system/[email protected]; disabled; vendor preset: enabled)
Active: active (running) since Sat 2019-09-21 08:46:47 EDT; 6s ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Main PID: 5040 (openvpn)
Status: "Initialization Sequence Completed"
Tasks: 1 (limit: 1138)
Memory: 1.7M
CGroup: /system.slice/system-openvpn.slice/[email protected]
??5040 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.
Sep 21 08:46:47 debian systemd[1]: Starting OpenVPN connection to server...
Sep 21 08:46:47 debian systemd[1]: Started OpenVPN connection to server.
Installa e configura il client OpenVPN
Quindi, accedi al sistema client OpenVPN e installa il pacchetto OpenVPN con il seguente comando:
apt-get install openvpn -y
Una volta installato, crea un nuovo file di configurazione per OpenVPN Client:
nano /etc/openvpn/client.conf
Definisci l'indirizzo IP del tuo server e il file del certificato client come mostrato di seguito:
client dev tun proto udp remote 192.168.0.103 1194 resolv-retry infinite nobind user nobody group nogroup persist-key persist-tun ca ca.crt cert client.crt key client.key remote-cert-tls server tls-auth ta.key 1 cipher AES-256-CBC verb 3
Salva e chiudi il file. Quindi, copia tutto il certificato client e il file chiave dal server OpenVPN al sistema client OpenVPN con il seguente comando:
scp [email protected]:/etc/openvpn/client/ca.crt /etc/openvpn/
scp [email protected]:/etc/openvpn/client/client.crt /etc/openvpn/
scp [email protected]:/etc/openvpn/client/client.key /etc/openvpn/
scp [email protected]:/etc/openvpn/ta.key /etc/openvpn/
Quindi, avvia il servizio client OpenVPN con il seguente comando:
systemctl start [email protected]
Ora puoi vedere il nuovo indirizzo IP assegnato dal server OpenVPN con il seguente comando:
ifconfig
Dovresti vedere il seguente output:
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.102 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::a00:27ff:fe99:dc40 prefixlen 64 scopeid 0x20
ether 08:00:27:99:dc:40 txqueuelen 1000 (Ethernet)
RX packets 447 bytes 42864 (41.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 334 bytes 47502 (46.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 57 bytes 9754 (9.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 57 bytes 9754 (9.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.6 netmask 255.255.255.255 destination 10.8.0.5
inet6 fe80::52b5:a1d2:fa23:f51e prefixlen 64 scopeid 0x20
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 9 bytes 472 (472.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Quindi, vai al sistema del server OpenVPN e controlla il registro OpenVPN con il seguente comando:
tail -f /var/log/openvpn/openvpn.log
Dovresti ottenere il seguente output:
Sun Sep 22 19:46:08 2019 192.168.0.103:45700 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA Sun Sep 22 19:46:08 2019 192.168.0.103:45700 [_] Peer Connection Initiated with [AF_INET]192.168.0.103:45700 Sun Sep 22 19:46:08 2019 _/192.168.0.103:45700 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled) Sun Sep 22 19:46:08 2019 _/192.168.0.103:45700 MULTI: Learn: 10.8.0.6 -> _/192.168.0.103:45700 Sun Sep 22 19:46:08 2019 _/192.168.0.103:45700 MULTI: primary virtual IP for _/192.168.0.103:45700: 10.8.0.6 Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 PUSH: Received control message: 'PUSH_REQUEST' Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 SENT CONTROL [_]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1) Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 Data Channel: using negotiated cipher 'AES-256-GCM' Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Congratulazioni! hai installato e configurato con successo il server e il client OpenVPN su Debian 10.