cd /usr/src
We download it:
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gz
unpack it:
tar -xf lzo-2.04.tar.gz
cd lzo-2.04
and compile it:
./configure --prefix=/usr
make
make check
make install
Now we install OpenVPN
cd ..
wget http://swupdate.openvpn.org/community/releases/openvpn-2.2.1.tar.gz
tar -xf openvpn-2.2.1.tar.gz
cd openvpn-2.2.1
./configure
make
make install
We prepare the Linux server to create the various keys (CA, server, client)
cd easy-rsa/2.0
mkdir /usr/local/sbin/keys
nano vars
We modify the lines shown here. These values will be used as the defaults when the keys are generated
export KEY_DIR=/usr/local/sbin/keys
export KEY_COUNTRY="CO"
export KEY_PROVINCE="MAG"
export KEY_CITY="SantaMarta"
export KEY_ORG="VozToVoice"
export KEY_EMAIL="admin@unosystem.co"
We save the changes and exit the editor
Ctrl-O Ctrl-X
A few more steps
. ./vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /usr/local/sbin/openvpn/keys
IMPORTANT: there is a space between the first dot and the second.
./clean-all
Now we have to create the CA (Certificate Authority) certificate and key
./build-ca
Generating a 1024 bit RSA private key
.........................................++++++
.......................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CO]:
State or Province Name (full name) [MAG]:
Locality Name (eg, city) [SantaMarta]:
Organization Name (eg, company) [VozToVoice]:
Organizational Unit Name (eg, section) [changeme]:PBX
Common Name (eg, your name or your server's hostname) [changeme]:unosystem
Name [changeme]:voztovoice
Email Address [admin@voztovoice.org]:
We create the key for the server
./build-key-server server
Generating a 1024 bit RSA private key
........++++++
............................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CO]:
State or Province Name (full name) [MAG]:
Locality Name (eg, city) [Bogota]:
Organization Name (eg, company) [unosystem]:
Organizational Unit Name (eg, section) [changeme]:PBX
Common Name (eg, your name or your server's hostname) [server]:
Name [changeme]:unosystem
Email Address [admin@unosystem.co]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/src/openvpn-2.2.1/easy-rsa/2.0/openssl-0.9.8.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CO'
stateOrProvinceName :PRINTABLE:'MAG'
localityName :PRINTABLE:'Bogota'
organizationName :PRINTABLE:'unosystem'
organizationalUnitName:PRINTABLE:'PBX'
commonName :PRINTABLE:'server'
name :PRINTABLE:'voztovoice'
emailAddress :IA5STRING:'admin@unosystem.co'
Certificate is to be certified until Sep 17 23:04:43 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
and the key for the client or clients we plan to use
./build-key slice1
Generating a 1024 bit RSA private key
.........................++++++
.....................++++++
writing new private key to 'slice1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CO]:
State or Province Name (full name) [MAG]:
Locality Name (eg, city) [bogota]:
Organization Name (eg, company) [unosystem]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [slice1]:
Name [changeme]:
Email Address [admin@unosystem.co]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/src/openvpn-2.2.1/easy-rsa/2.0/openssl-0.9.8.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CO'
stateOrProvinceName :PRINTABLE:'MAG'
localityName :PRINTABLE:'Bogota'
organizationName :PRINTABLE:'Unosystem'
organizationalUnitName:PRINTABLE:'changeme'
commonName :PRINTABLE:'slice1'
name :PRINTABLE:'changeme'
emailAddress :IA5STRING:'admin@uosystem.co'
Certificate is to be certified until Sep 17 23:05:36 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
If we want to configure 3 clients, we repeat this operation two more times. ATTENTION!!! The only line we have to change is Common Name, giving each client the same name as its key.
E.g. slice2 - Common Name: slice2, slice3 - Common Name: slice3, etc.
./build-key slice2
./build-key slice3
We finish by generating the Diffie-Hellman parameters
./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
The OpenVPN server uses port 1194 by default. We have to open it in iptables
nano /etc/sysconfig/iptables
and add
# OPENVPN server port
-A INPUT -p tcp --dport 1194 -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT
We restart iptables
service iptables restart
The next step is to copy a script so that OpenVPN starts automatically
cd /usr/src/openvpn-2.2.1/sample-scripts/
cp openvpn.init /etc/rc.d/init.d/openvpn
chkconfig --add openvpn
chkconfig openvpn on
mkdir /etc/openvpn
Now we create our configuration file for the OpenVPN server
cd /etc/openvpn
nano server.conf
port 1194
proto udp
dev tun
ca /usr/local/sbin/keys/ca.crt
cert /usr/local/sbin/keys/server.crt
key /usr/local/sbin/keys/server.key
dh /usr/local/sbin/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
max-clients 30
persist-key
persist-tun
log openvpn.log
log-append openvpn.log
verb 3
management localhost 7505
We start the server
/etc/init.d/openvpn start
If no error appears, we have our server listening on port 1194 for client connections.
With ifconfig we can see the new network up:
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:73 errors:0 dropped:0 overruns:0 frame:0
TX packets:96 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:24242 (23.6 KiB) TX bytes:41235 (40.2 KiB)
Now we have to configure the OpenVPN client so that it connects to the server.
Windows XP
From the command prompt we type
C:\>md keys
we enter it
cd keys
We copy the following files from the Linux server into this folder using WinSCP
ca.crt
slice1.crt
slice1.key
We create the configuration file for the client (with Notepad)
client
dev tun
proto udp
remote 174.143.180.175 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca c:\\keys\\ca.crt
cert c:\\keys\\slice1.crt
key c:\\keys\\slice1.key
comp-lzo
verb 3
ns-cert-type server
and save it with the .ovpn extension, e.g. client.ovpn
We copy the configuration file into the /config folder inside the OpenVPN folder (created in Program Files when OpenVPN GUI for Windows was installed).
Now all that remains is to start the client
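As an added example (not part of the original tutorial), a short Python checker that parses configuration text in the format of the server.conf and client.ovpn above and reports hardening directives the tutorial's files do not set: tls-auth, a user/group privilege drop, a password file for the management interface, and the DH parameter size. It assumes only standard OpenVPN 2.x directives and uses trimmed, constructed copies of the two files as input.

```python
# Added example, not part of the original tutorial: a small audit of OpenVPN
# configuration files in the format of the server.conf and client.ovpn above.
# Every directive it looks for is a documented OpenVPN 2.x option.

# Constructed copies of the tutorial's files, trimmed to the lines that matter.
SERVER_CONF = """\
port 1194
proto udp
dev tun
dh /usr/local/sbin/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
comp-lzo
management localhost 7505
"""

CLIENT_CONF = """\
client
dev tun
proto udp
remote 174.143.180.175 1194
ns-cert-type server
"""

def parse_openvpn_config(text):
    """Map each directive to its argument list; lines starting with '#' or ';' are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        conf[name] = args
    return conf

def audit(conf, role):
    """Return hardening findings for a parsed config; role is 'server' or 'client'."""
    findings = []
    if "tls-auth" not in conf:
        findings.append("no tls-auth: control-channel packets are not HMAC-signed, "
                        "so any host can start a TLS handshake")
    if role == "server":
        if "user" not in conf or "group" not in conf:
            findings.append("no user/group: the daemon keeps running as root")
        # --management IP port [pw-file]: the third argument is the password file
        if "management" in conf and len(conf["management"]) < 3:
            findings.append("management interface has no password file")
        if (conf.get("dh") or [""])[0].endswith("dh1024.pem"):
            findings.append("DH parameters are 1024-bit; 2048-bit or larger is recommended")
    elif "ns-cert-type" not in conf and "remote-cert-tls" not in conf:
        findings.append("client does not check that the server certificate is a server cert")
    return findings

if __name__ == "__main__":
    for role, text in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        for finding in audit(parse_openvpn_config(text), role):
            print(f"{role}: {finding}")
```

Run against the tutorial's files it reports four findings for the server and one (tls-auth) for the client; adding tls-auth, user and group lines clears the first two server findings.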
WWW.ALOMUNDO.CO