компиляция_и_настройка_openvpn_в_ubuntu_20_04
Компиляция и настройка OpenVPN в Ubuntu 20.04
Установка из исходного кода
Установка зависимостей
sudo apt install git autoconf libtool libssl-dev net-tools liblzo2-dev libpam0g-dev make
Извлечение исходников последней стабильной версии
git clone https://github.com/OpenVPN/openvpn cd openvpn/ git checkout release/2.4
Если планируется использование openvpn только для единственной задачи, то вместо создания конфигурационного файла можно прописать параметры запуска в код и запускать бинарник без параметров. Для этого в файле src/openvpn/openvpn.c можно внести изменения такого вида для сервера:
int
main(int argc, char *argv[])
{
+ static char* server_params[] = {
+ "/usr/local/openvpn/sbin/openvpn",
+ "--cipher", "AES-256-CBC",
+ "--tun-mtu", "1500",
+ "--port", "7777",
+ "--proto", "tcp-server",
+ "--mode", "server",
+ "--dev", "tun",
+ "--tls-server",
+ "--ca", "/usr/local/openvpn/etc/cacert.pem",
+ "--cert", "/usr/local/openvpn/etc/server.crt",
+ "--key", "/usr/local/openvpn/etc/server.key",
+ "--dh", "/usr/local/openvpn/etc/dh2048.pem",
+ "--server", "192.168.14.0", "255.255.255.0",
+ "--keepalive", "10", "120",
+ "--comp-lzo",
+ "--script-security", "2",
+ "--up", "/usr/local/openvpn/sbin/up.sh",
+ "--user", "nobody",
+ "--group", "nogroup",
+ "--persist-key",
+ "--persist-tun",
+ "--verb", "4",
+ "--mute", "20",
+ "--auth", "SHA512",
+ "--client-to-client"
+ };
+
+ if (1==argc)
+ {
+ argc = sizeof(server_params)/sizeof(*server_params);
+ argv = server_params;
+ }
+
return openvpn_main(argc, argv);
}
#endif /* ifdef _WIN32 */
а такого — для клиента
int
main(int argc, char *argv[])
{
+ static char* client_params[] = {
+ "/usr/local/openvpn/sbin/openvpn",
+ "--client",
+ "--connect-retry", "2", "300",
+ "--resolv-retry", "60",
+ "--dev", "tun",
+ "--remote", "127.0.0.1", "7777",
+ "--proto", "tcp",
+ "--nobind",
+ "--cipher", "AES-256-CBC",
+ "--tun-mtu", "1500",
+ "--persist-key",
+ "--persist-tun",
+ "--verb", "4",
+ "--mute", "20",
+ "--auth", "SHA512",
+ "--comp-lzo",
+ "--ca", "/usr/local/openvpn/etc/cacert.pem",
+ "--cert", "/usr/local/openvpn/etc/client.crt",
+ "--key", "/usr/local/openvpn/etc/client.key"
+ };
+ if (1==argc)
+ {
+ argc = sizeof(client_params)/sizeof(*client_params);
+ argv = client_params;
+ }
+
return openvpn_main(argc, argv);
}
#endif /* ifdef _WIN32 */
Компиляция и установка. В параметры конфигурирования на клиенте можно добавить –disable-server
autoreconf -fi CFLAGS="-O3 -march=native" ./configure --prefix=/usr/local/openvpn --disable-ofb-cfb --disable-lz4 --disable-multihome --disable-fragment --disable-port-share --disable-debug --disable-pf --disable-plugin-auth-pam --disable-plugin-down-root make -j`nproc` sudo make install
Теперь каталог с исходниками можно удалить
Генерация ключей. Серверная часть
openssl dhparam -out dh2048.pem 2048
Выполнить команды в каталоге, предназначенном для хранения данных удостоверяющего центра (УЦ). Подготавливаем подкаталоги:
mkdir -p myCA/signedcerts && mkdir myCA/private && cd myCA chmod go-rwx private
Создаем начальную базу данных в myCA следующей командой
echo '01' > serial && touch index.txt && touch caconfig.cnf && medit caconfig.cnf
Заполняем caconfig.cnf следующим содержимым
# Default configuration to use when one is not provided on the command line.
#
[ ca ]
# Use local_ca policy to sign certificates
default_ca = local_ca
# Paths to files and directories needed to create certificates
[ local_ca ]
certificate = cacert.pem
database = index.txt
new_certs_dir = signedcerts
private_key = private/cakey.pem
serial = serial
#
# Default expiration and encryption policies for certificates.
#
default_crl_days = 50000
# A CRL is a Certificate Revocation List. When you issue a cert for say, 365
# days, its useful to have a method whereby you can revoke its validity before
# it expires. For example, if it is compromised (password stolen, etc). So the
# Cerificate Authority (you in this case) issues a Revocation List periodically
# listing which certs have been revoked.
#
# The client application doesn't want to have to look for a new list every time
# it validates a cert so each Revocation list has an expiry date. The 'default_crl_days'
# param in the config file just specifies the default lifetime of any CRLs you might
# issue if you don't set an explicit expiry date
default_days = 50000
default_md = sha512
#
policy = local_ca_policy
x509_extensions = local_ca_extensions
#
# Default policy to use when generating server certificates. The following
# fields must be defined in the server certificate.
#
[ local_ca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = supplied
#
# x509 extensions to use when generating server certificates.
#
[ local_ca_extensions ]
#subjectAltName = DNS:alt.example.com
#
# When making a SSL/TLS connection the client requests a digital certificate from the server;
# once the server sends the certificate, the client examines it and compares the name it was trying
# to connect to with the name(s) included in the certificate. If a match is found the connection
# proceeds as normal. If a match is not found the user may be warned of the discrepancy and the
# connection may be aborted as the mismatch may indicate an attempted man-in-the-middle attack.
# It is possible for one certificate to cover multiple names. The X.509 v3 specification introduced
# the so-called subjectAltName field which allows one certificate to specify more than one domain and
# it is possible to have wildcards in both the common name and subjectAltName fields. However it may be
# impractical to obtain a single certificate that covers all names a server will be responsible for.
basicConstraints=CA:FALSE
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
#nsCertType = server
# this option is required only if OpenVPN is running with ns-cert-type check
#
# ns-cert-type OpenVPN option Requires that peer certificate was signed
# with an explicit nsCertType designation of "client" or "server".
# This is a useful security option for clients, to ensure that the host
# they connect with is a designated server.
#
# If the server certificate's nsCertType field is set to "server", then
# the clients can verify this with --ns-cert-type server.
#
# This is an important security precaution to protect against a man-in-the-middle
# attack where an authorized client attempts to connect to another client by impersonating
# the server. The attack is easily prevented by having clients verify the server
# certificate using any one of --ns-cert-type, --tls-remote, or --tls-verify.
#
# The default root certificate generation policy.
#
[ req ]
default_bits = 4096
default_keyfile = private/cakey.pem
default_md = sha512
#
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
# Root Certificate Authority distinguished name. Change these fields to match
# your local environment!
#
[ root_ca_distinguished_name ]
commonName = MyOwn_Root_Certificate_Authority
#
[ root_ca_extensions ]
basicConstraints = CA:true
Создаем сертификат удостоверяющего центра
openssl req -batch -nodes -config caconfig.cnf -x509 -newkey rsa:4096 -out cacert.pem -outform PEM -days 5000
Создаем запрос на сертификат для сервера и закрытый ключ
openssl req -nodes -newkey rsa:4096 -keyout server.key -keyform PEM -out server.req -outform PEM -subj /C=KZ/ST=void/CN=server/emailAddress=root@root@example.com/O=void/OU=void
Создаем сертификат сервера по запросу (server.req)
openssl ca -in server.req -out server.crt -config caconfig.cnf
Генерация ключей. Клиентская часть
Значение CN должно быть у каждого клиента своё Запрос на сертификат делается на клиенте командой
openssl req -nodes -newkey rsa:4096 -keyout client1.key -keyform PEM -out client1.req -outform PEM -subj /C=KZ/ST=void/CN=client1/emailAddress=root@root@example.com/O=void/OU=void
Файл client1.req отправляется на УЦ. Подписывание запроса (создание сертификата) - в каталоге УЦ. Сформированный файл client1.crt отправляется на клиента.
openssl ca -in client1.req -out client1.crt -config caconfig.cnf
Заполнение конфигурационного файла сервера
Если нужно, можно создать скрипт up.sh для выполнения действий после завершения инициализации OpenVPN
touch ./up.sh chmod a+x up.sh
Создать файл server.conf с приведенным ниже содержимым, разместить в каталоге с ним сгенерированные ранее файлы (dh2048.pem, cacert.pem, server.crt, server.key)
cipher AES-256-CBC tun-mtu 1500 port 7777 proto tcp-server mode server dev tun tls-server ca cacert.pem cert server.crt key server.key dh dh2048.pem server 192.168.14.0 255.255.255.0 keepalive 10 120 comp-lzo script-security 2 up ./up.sh user nobody group nogroup persist-key persist-tun verb 4 mute 20 auth SHA512 client-to-client
Для запуска сервера использовать команду
sudo /usr/local/openvpn/sbin/openvpn --config server.conf
Заполнение конфигурационного файла клиента
Создать файл client.conf с приведенным ниже содержимым, разместить в каталоге с ним сгенерированные ранее файлы (cacert.pem, client1.crt, client1.key). В строке remote указать IP сервера и его порт
client connect-retry 2 300 resolv-retry 60 dev tun remote 127.0.0.1 7777 proto tcp nobind cipher AES-256-CBC tun-mtu 1500 persist-key persist-tun verb 4 mute 20 auth SHA512 comp-lzo ca cacert.pem cert client1.crt key client1.key
Для запуска клиента использовать команду
sudo /usr/local/openvpn/sbin/openvpn –config client.conf Как вариант можно обойтись и без конфига
sudo /usr/local/openvpn/sbin/openvpn --client --connect-retry 2 300 --resolv-retry 60 --dev tun --remote 127.0.0.1 7777 --proto tcp --nobind --cipher AES-256-CBC --tun-mtu 1500 --persist-key --persist-tun --verb 4 --mute 20 --auth SHA512 --comp-lzo --ca /usr/local/openvpn/etc/cacert.pem --cert /usr/local/openvpn/etc/client1.crt --key /usr/local/openvpn/etc/client1.key
компиляция_и_настройка_openvpn_в_ubuntu_20_04.txt · Last modified: 2023/03/18 22:18 by keremet