cd /usr/src
we download
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gz
we extract
tar -xf lzo-2.04.tar.gz
cd lzo-2.04
and compile
./configure --prefix=/usr
make
make check
make install
Now we install OpenVPN
cd ..
wget http://swupdate.openvpn.org/community/releases/openvpn-2.2.1.tar.gz
tar -xf openvpn-2.2.1.tar.gz
cd openvpn-2.2.1
./configure
make
make install
We prepare the Linux server to create the various keys (CA, server, client)
cd easy-rsa/2.0
mkdir /usr/local/sbin/keys
nano vars
we modify the lines shown here. These values will be used as the defaults when the keys are generated
export KEY_DIR=/usr/local/sbin/keys
export KEY_COUNTRY="CO"
export KEY_PROVINCE="MAG"
export KEY_CITY="SantaMarta"
export KEY_ORG="VozToVoice"
export KEY_EMAIL="admin@unosystem.co"
we save the changes and exit the editor
Ctrl-O Ctrl-X
a few more steps
. ./vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /usr/local/sbin/openvpn/keys
IMPORTANT: there is a space between the first dot and the second.
./clean-all
Now we have to create the CA (Certificate Authority) certificate and key
./build-ca
Generating a 1024 bit RSA private key
.........................................++++++
.......................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CO]:
State or Province Name (full name) [MAG]:
Locality Name (eg, city) [SantaMarta]:
Organization Name (eg, company) [VozToVoice]:
Organizational Unit Name (eg, section) [changeme]:PBX
Common Name (eg, your name or your server's hostname) [changeme]:unosystem
Name [changeme]:voztovoice
Email Address [admin@voztovoice.org]:
We create the key for the server
./build-key-server server
Generating a 1024 bit RSA private key
........++++++
............................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CO]:
State or Province Name (full name) [MAG]:
Locality Name (eg, city) [Bogota]:
Organization Name (eg, company) [unosystem]:
Organizational Unit Name (eg, section) [changeme]:PBX
Common Name (eg, your name or your server's hostname) [server]:
Name [changeme]:unosystem
Email Address [admin@unosystem.co]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/src/openvpn-2.2.1/easy-rsa/2.0/openssl-0.9.8.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CO'
stateOrProvinceName :PRINTABLE:'MAG'
localityName :PRINTABLE:'Bogota'
organizationName :PRINTABLE:'unosystem'
organizationalUnitName:PRINTABLE:'PBX'
commonName :PRINTABLE:'server'
name :PRINTABLE:'voztovoice'
emailAddress :IA5STRING:'admin@unosystem.co'
Certificate is to be certified until Sep 17 23:04:43 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
and the key for the client or clients we plan to use
./build-key slice1
Generating a 1024 bit RSA private key
.........................++++++
.....................++++++
writing new private key to 'slice1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CO]:
State or Province Name (full name) [MAG]:
Locality Name (eg, city) [bogota]:
Organization Name (eg, company) [unosystem]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [slice1]:
Name [changeme]:
Email Address [admin@unosystem.co]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/src/openvpn-2.2.1/easy-rsa/2.0/openssl-0.9.8.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CO'
stateOrProvinceName :PRINTABLE:'MAG'
localityName :PRINTABLE:'Bogota'
organizationName :PRINTABLE:'Unosystem'
organizationalUnitName:PRINTABLE:'changeme'
commonName :PRINTABLE:'slice1'
name :PRINTABLE:'changeme'
emailAddress :IA5STRING:'admin@uosystem.co'
Certificate is to be certified until Sep 17 23:05:36 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
If we want to configure 3 clients we repeat this operation two more times. ATTENTION!!! The only line we have to modify is Common Name, entering for each client the same name as its key.
E.g. Slice2 - Common Name: Slice2, Slice3 - Common Name: Slice3, etc...
./build-key slice2
./build-key slice3
we finish with the generation of the Diffie-Hellman parameters
./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
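Before answering "y" to "Sign the certificate?", the DN dump that OpenSSL prints is the last chance to catch a Common Name that differs from the key name, or a field left at easy-rsa's changeme default (both visible in the slice1 output above, which also carries a typo in the e-mail address). The following Python script is an added example, not part of this tutorial nor of easy-rsa: it parses that dump, compares it with the name passed to ./build-key and the KEY_EMAIL from vars, and also reports Common Names shared by more than one client, which OpenVPN rejects unless duplicate-cn is set. SERVER_DN and SLICE1_DN are copied from the output shown above; SLICE2_DN is constructed to show the mistake the warning above is about.

```python
import re
from collections import Counter

# Sample inputs. SERVER_DN and SLICE1_DN are the "The Subject's Distinguished
# Name is as follows" blocks shown in the tutorial; SLICE2_DN is constructed
# to show a second client whose Common Name was typed as "slice1" by mistake.
SERVER_DN = """\
countryName :PRINTABLE:'CO'
stateOrProvinceName :PRINTABLE:'MAG'
localityName :PRINTABLE:'Bogota'
organizationName :PRINTABLE:'unosystem'
organizationalUnitName:PRINTABLE:'PBX'
commonName :PRINTABLE:'server'
name :PRINTABLE:'voztovoice'
emailAddress :IA5STRING:'admin@unosystem.co'
"""

SLICE1_DN = """\
countryName :PRINTABLE:'CO'
stateOrProvinceName :PRINTABLE:'MAG'
localityName :PRINTABLE:'Bogota'
organizationName :PRINTABLE:'Unosystem'
organizationalUnitName:PRINTABLE:'changeme'
commonName :PRINTABLE:'slice1'
name :PRINTABLE:'changeme'
emailAddress :IA5STRING:'admin@uosystem.co'
"""

SLICE2_DN = """\
countryName :PRINTABLE:'CO'
organizationName :PRINTABLE:'unosystem'
commonName :PRINTABLE:'slice1'
emailAddress :IA5STRING:'admin@unosystem.co'
"""

# One line of the dump looks like: <field> :<ASN.1 type>:'<value>' (spacing varies).
DN_LINE = re.compile(r"^\s*(\w+)\s*:\s*(\w+)\s*:\s*'(.*)'\s*$")
PLACEHOLDER = "changeme"  # easy-rsa 2.0 default for fields not set in vars


def parse_dn_dump(text):
    """Turn the OpenSSL DN dump into a dict of field name -> value."""
    fields = {}
    for line in text.splitlines():
        m = DN_LINE.match(line)
        if m:
            name, _asn1_type, value = m.groups()
            fields[name] = value
    return fields


def review_request(dn_text, key_name, expected_email=None):
    """Return the list of problems found in one signing request.

    key_name is the argument given to ./build-key or ./build-key-server. The
    Common Name must be exactly that name: easy-rsa names the files after it
    and OpenVPN identifies the peer by the certificate CN.
    """
    dn = parse_dn_dump(dn_text)
    problems = []
    cn = dn.get("commonName")
    if cn is None:
        problems.append("commonName missing")
    elif cn != key_name:
        problems.append(f"commonName {cn!r} does not match key name {key_name!r}")
    for field, value in dn.items():
        if value.lower() == PLACEHOLDER:
            problems.append(f"{field} still has the placeholder {PLACEHOLDER!r}")
    email = dn.get("emailAddress")
    if expected_email is not None and email != expected_email:
        problems.append(f"emailAddress {email!r} differs from KEY_EMAIL {expected_email!r}")
    return problems


def find_duplicate_cns(dn_texts):
    """Common Names used by more than one certificate. Without duplicate-cn
    in server.conf, a second client with the same CN disconnects the first."""
    counts = Counter(parse_dn_dump(t).get("commonName") for t in dn_texts)
    return sorted(cn for cn, n in counts.items() if cn is not None and n > 1)


if __name__ == "__main__":
    for name, dump in (("server", SERVER_DN), ("slice1", SLICE1_DN), ("slice2", SLICE2_DN)):
        for problem in review_request(dump, name, "admin@unosystem.co"):
            print(f"{name}: {problem}")
    print("duplicate CNs:", find_duplicate_cns([SERVER_DN, SLICE1_DN, SLICE2_DN]))
```

Run it on the dump of each request before confirming the signature; an empty list for a request means the CN matches the key name, no field is left at changeme and the e-mail matches vars.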
The OpenVPN server uses port 1194 by default. We have to open it in iptables
nano /etc/sysconfig/iptables
and add
# OPENVPN server port
-A INPUT -p tcp --dport 1194 -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT
we restart iptables
service iptables restart
The next step is to copy a script so that OpenVPN starts automatically
cd /usr/src/openvpn-2.2.1/sample-scripts/
cp openvpn.init /etc/rc.d/init.d/openvpn
chkconfig --add openvpn
chkconfig openvpn on
mkdir /etc/openvpn
Now we create our configuration file for the OpenVPN server
cd /etc/openvpn
nano server.conf
port 1194
proto udp
dev tun
ca /usr/local/sbin/keys/ca.crt
cert /usr/local/sbin/keys/server.crt
key /usr/local/sbin/keys/server.key
dh /usr/local/sbin/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
max-clients 30
persist-key
persist-tun
log openvpn.log
log-append openvpn.log
verb 3
management localhost 7505
We start the server
/etc/init.d/openvpn start
If no error appears, our server is listening on port 1194 for client connections.
With ifconfig we can see the new network working:
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:73 errors:0 dropped:0 overruns:0 frame:0
TX packets:96 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:24242 (23.6 KiB) TX bytes:41235 (40.2 KiB)
Now we have to configure the OpenVPN client so that it connects to the server.
Windows XP
From the command prompt we type
C:\>md keys
we enter it
cd keys
we copy the following files from the Linux server to this folder using WinSCP
ca.crt
slice1.crt
slice1.key
We create the configuration file for the client (with Notepad)
client
dev tun
proto udp
remote 174.143.180.175 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca c:\\keys\\ca.crt
cert c:\\keys\\slice1.crt
key c:\\keys\\slice1.key
comp-lzo
verb 3
ns-cert-type server
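The server.conf and client.ovpn above are enough to bring the tunnel up, but several settings deserve a second look before the server sits on a public port 1194. The following Python linter is an added example, not part of this tutorial nor of OpenVPN: it parses both files (embedded below as constructed input, copied as written above) and reports the 1024-bit DH parameters, the absent tls-auth key, the unset cipher (OpenVPN 2.2 falls back to BF-CBC), the daemon staying root because no user/group is set, the management interface without a password file, and compression being enabled. The rule codes and severity levels are this script's own, not OpenVPN terminology.

```python
import re

# Constructed input: the two configuration files as written in the tutorial
# (the Windows paths keep their doubled backslashes, as OpenVPN expects).
SERVER_CONF = r"""
port 1194
proto udp
dev tun
ca /usr/local/sbin/keys/ca.crt
cert /usr/local/sbin/keys/server.crt
key /usr/local/sbin/keys/server.key
dh /usr/local/sbin/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
max-clients 30
persist-key
persist-tun
log openvpn.log
log-append openvpn.log
verb 3
management localhost 7505
"""

CLIENT_OVPN = r"""
client
dev tun
proto udp
remote 174.143.180.175 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca c:\\keys\\ca.crt
cert c:\\keys\\slice1.crt
key c:\\keys\\slice1.key
comp-lzo
verb 3
ns-cert-type server
"""


def parse_config(text):
    """Map each directive to the list of argument lists it was given.
    Full-line comments start with '#' or ';'. Arguments are split on
    whitespace, which is enough for these files (no quoted paths)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        conf.setdefault(name, []).append(args)
    return conf


def audit(text, role):
    """Return a list of (level, code, message) for a 'server' or 'client' file."""
    conf = parse_config(text)
    findings = []

    def add(level, code, msg):
        findings.append((level, code, msg))

    # Checks that apply to both ends of the tunnel.
    if "tls-auth" not in conf and "tls-crypt" not in conf:
        add("warn", "NO_TLS_AUTH", "no tls-auth key: control-channel packets reach the TLS layer without an HMAC check")
    if "cipher" not in conf:
        add("warn", "NO_CIPHER", "no cipher directive: OpenVPN 2.2 falls back to BF-CBC, a 64-bit block cipher")
    if "comp-lzo" in conf:
        add("info", "COMPRESSION", "comp-lzo enabled: compressing secrets together with attacker-chosen data leaks them (VORACLE)")

    if role == "server":
        for args in conf.get("dh", []):
            m = re.search(r"dh(\d+)", args[0]) if args else None  # bit size guessed from the file name
            if m and int(m.group(1)) < 2048:
                add("warn", "WEAK_DH", f"{args[0]}: {m.group(1)}-bit DH parameters are below the 2048-bit minimum")
        if "user" not in conf or "group" not in conf:
            add("warn", "RUNS_AS_ROOT", "no user/group directives: the daemon keeps root privileges after initialisation")
        for args in conf.get("management", []):
            host = args[0] if args else ""
            if host not in ("localhost", "127.0.0.1", "::1"):
                add("high", "MGMT_EXPOSED", f"management interface bound to {host!r} instead of loopback")
            if len(args) < 3:
                add("warn", "MGMT_NO_PASSWORD", "management interface has no password file: any local user can control the daemon")
        if "duplicate-cn" in conf:
            add("info", "DUPLICATE_CN", "duplicate-cn lets one client key be shared; revoking it then cuts off every copy")
    else:
        pinned = any(a[:1] == ["server"] for a in conf.get("remote-cert-tls", []) + conf.get("ns-cert-type", []))
        if not pinned:
            add("high", "NO_SERVER_CERT_CHECK", "neither remote-cert-tls server nor ns-cert-type server: any certificate from the CA could impersonate the server")
        elif "ns-cert-type" in conf and "remote-cert-tls" not in conf:
            add("info", "NS_CERT_TYPE_DEPRECATED", "ns-cert-type works with easy-rsa 2.0 certificates but later OpenVPN releases replace it with remote-cert-tls server")
    return findings


if __name__ == "__main__":
    for role, text in (("server", SERVER_CONF), ("client", CLIENT_OVPN)):
        for level, code, msg in audit(text, role):
            print(f"{role} {level:4} {code}: {msg}")
```

The parser ignores inline <ca>/<cert> blocks and quoted arguments, which these two files do not use; extend parse_config before running it on configs that do.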
and we save it with the .ovpn extension, e.g. client.ovpn
We copy the configuration file into the config folder inside the OpenVPN folder (created under Program Files when OpenVPN GUI for Windows was installed).
Now all that is left is to start the client