public:recetas:gnulinux:linuxdebianservidoropenvpnusuarioypassword

Page revision 2016/11/24 18:34 (current), section Enlaces, by mperez; previous revision 2016/11/23 13:35, created by mperez.
{{tag>
~~NOTOC~~

====== How to create an encrypted tunnel with OpenVPN for multiple clients with username and password authentication ======


====== Install and configure openvpn ======

===== Install openvpn =====

  apt-get install openvpn

===== Install openssl =====

It is needed to generate the certificates.

  apt-get install openssl

===== Create the certificates =====

Run on the server:
<code>
computer:/
computer:/
computer:/
computer:/
Generating a 1024 bit RSA private key
.++++++
........++++++
writing new private key to '
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '
-----
Country Name (2 letter code) [US]:ES
State or Province Name (full name) [CA]:CS
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server'
Email Address [me@myhost.mydomain]:

computer:/
Generating a 1024 bit RSA private key
...............................++++++
.....................................++++++
writing new private key to '
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '
-----
Country Name (2 letter code) [US]:ES
State or Province Name (full name) [CA]:CS
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server'
Email Address [me@myhost.mydomain]:

Please enter the following '
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /
Check that the request matches the signature
Signature ok
The Subject'
countryName
stateOrProvinceName
localityName
organizationName
commonName
emailAddress
Certificate is to be certified until May 2 11:55:26 2020 GMT (3650 days)
Sign the certificate?


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

computer:/
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.................................................+.......+.................................+....+...........+..................................+..................................................................................................+.......................................................................................+.......+.................+..............................+...................................+.........................................+.+............................................................................................+.........................................................................................................................................................................+.............................................................++*++*++*
</code>

Copy the certificates to ''/

<code>
computer:/

computer:/

computer:/

</code>


===== Configuring and starting the server with a script for authentication =====

Edit the file ''/

<code>
tmp-dir /
#tmp-dir /tmp
#
#
auth-user-pass-verify /
client-cert-not-required
script-security 2

local 10.90.74.33
port 1194
#proto tcp
proto udp
dev tun

dh /
ca /
cert /
key /

server 192.168.12.0 255.255.255.0
ifconfig-pool-persist ipp2.txt
push "
#push "route 192.168.13.0 255.255.255.0"
client-to-client
keepalive 10 120
#comp-lzo
user nobody
group nogroup
persist-key
persist-tun
verb 5
#

cipher BF-CBC
auth SHA1
tls-server

push "
</code>


''local 10.90.74.33'': this directive sets the IP address on which the server accepts tunnels. If it is omitted, the server listens on every interface and may answer from an IP other than the expected one.

''server 192.168.12.0 255.255.255.0'' is the network from which clients get their IP addresses. The server takes 192.168.12.1; this IP does not have to be assigned to the server beforehand.

To add the default route through the tunnel, http://

this is a major gripe for me as well: the behaviour on how to start
external programs changed quite drastically somewhere between rc7 and
rc13 (I believe rc10 was the first version), especially on the Windows
platform

http://

you have to add ''

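The following is an added example and not part of this recipe: a small Python 3 linter that reads an OpenVPN configuration in the ''directive args'' line format used above and flags the settings in this server config that a defender would want to revisit (''cipher BF-CBC'', ''auth SHA1'', ''client-cert-not-required'', and the absence of ''tls-auth''/''tls-crypt'' and ''tls-version-min''). Both embedded configurations are constructed: the first reproduces the relevant directives of the server config above, the second is the same config with the flagged settings replaced by directives that exist in OpenVPN 2.4 and later. The script and key paths are placeholders, since the page truncates the real ones; the function names are this example's own.

```python
"""Added example, not part of the wiki recipe: a linter for the OpenVPN server
configuration shown above.  The configs embedded below are constructed; paths
marked PLACEHOLDER stand in for the ones the page truncates."""
from __future__ import annotations

# The relevant directives of the page's server config (constructed copy).
SERVER_CONF = """\
auth-user-pass-verify /PLACEHOLDER/auth-script via-file
client-cert-not-required
script-security 2
port 1194
proto udp
dev tun
server 192.168.12.0 255.255.255.0
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
verb 5
cipher BF-CBC
auth SHA1
tls-server
"""

# The same config with the flagged settings replaced (OpenVPN 2.4+ directives).
HARDENED_CONF = """\
auth-user-pass-verify /PLACEHOLDER/auth-script via-file
verify-client-cert none
script-security 2
port 1194
proto udp
dev tun
server 192.168.12.0 255.255.255.0
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
verb 3
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
tls-crypt /PLACEHOLDER/ta.key
tls-server
"""

# 64-bit block ciphers that OpenVPN still accepts by name.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}
WEAK_AUTH = {"NONE", "MD5", "SHA1"}


def parse_conf(text: str) -> dict[str, list[list[str]]]:
    """Map each directive name to the argument lists it appears with.
    A line whose first character is '#' or ';' is a comment, as in OpenVPN."""
    directives: dict[str, list[list[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def lint(text: str) -> list[tuple[str, str]]:
    """Return (directive, message) pairs for settings worth revisiting."""
    conf = parse_conf(text)
    findings: list[tuple[str, str]] = []
    for args in conf.get("cipher", []):
        if args and args[0].upper() in WEAK_CIPHERS:
            findings.append(("cipher", f"{args[0]} has a 64-bit block; prefer AES-256-GCM"))
    for args in conf.get("auth", []):
        if args and args[0].upper() in WEAK_AUTH:
            findings.append(("auth", f"HMAC {args[0]} is weak; prefer SHA256"))
    if "client-cert-not-required" in conf:
        findings.append(("client-cert-not-required",
                         "deprecated spelling of 'verify-client-cert none'; every client "
                         "is then admitted solely on the auth-user-pass-verify script"))
    if not ({"tls-auth", "tls-crypt", "tls-crypt-v2"} & set(conf)):
        findings.append(("tls-auth", "no tls-auth/tls-crypt key: the TLS handshake "
                                     "accepts packets from any source address"))
    if "tls-version-min" not in conf:
        findings.append(("tls-version-min", "not set; pin a minimum of TLS 1.2"))
    return findings


if __name__ == "__main__":
    for directive, message in lint(SERVER_CONF):
        print(f"{directive}: {message}")
    print("hardened config findings:", lint(HARDENED_CONF))
```

Running the script prints one line per finding for the page's config and an empty list for the hardened one. The parser only recognises whole-line comments because that is what the ''#proto tcp'' and ''#comp-lzo'' lines above rely on; it does not attempt to validate argument values beyond the checks shown.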
==== Authentication script on the server ====

As the man page points out, in this setup the security and confidentiality of the system rest on the username/password authentication script, so it has to be written with great care.

The script must have the proper execute permissions.


In Perl

<code>
#


# Perl code that checks the username and password

exit(0);

#

</code>

In bash

<code>
#!/bin/bash

# Shell code that checks the username and password

exit 0 # if the authentication succeeds

#exit 1 # if the authentication fails

</code>

The username and password check can be carried out by querying a database, for example using Python:

<code>
#
# -*- coding: utf-8 -*-
'''
auth-user-pass-verify /
from the openvpn configuration file
'''

import sys, getopt, os, string, time
from sys import argv
import psycopg2
import hashlib


def usage():
    print "
    print """

"""
    return

def getSize(file):
    """
    """
    sf=os.stat(file)
    return sf.st_size

def main():

    sys.stderr.write('
    nombre=argv[1]
    f=open(nombre,"

    nuser=f.readline()[:
    npass=hashlib.md5(f.readline()[:
    f.close()

    #



    conn = psycopg2.connect("
    cur = conn.cursor()
    cur.execute("""

    # print nuser
    # print hashlib.md5(npass).hexdigest()
    rows = cur.fetchall()


    if rows:
        palm=rows[0][0]

        if npass==palm:
            print "

        else:
            print "

    else:
        print "
        return 1

if __name__ == '

    sys.stderr.write('

    a=main()
    #print a
    sys.exit(a)


</code>

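As an added example (not the recipe's own script), here is the same kind of ''auth-user-pass-verify'' handler written for Python 3 and the via-file method the server config above uses: OpenVPN writes the username on the first line and the password on the second line of a temporary file, passes its path as the only argument, and treats exit status 0 as success and anything else as failure. Instead of the page's unsalted MD5 comparison it stores a salted PBKDF2-HMAC-SHA256 hash and compares in constant time; the in-memory ''CREDENTIAL_STORE'' dictionary is a constructed stand-in for the PostgreSQL table the recipe queries, and the function names are this example's own.

```python
#!/usr/bin/env python3
"""Added example: an OpenVPN auth-user-pass-verify handler for the via-file
method.  Not the wiki recipe's own script; CREDENTIAL_STORE is a constructed
stand-in for the recipe's PostgreSQL table."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import sys

ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000
MAX_FIELD_LEN = 256  # reject absurdly long fields before doing any hashing


def hash_password(password: str, salt: bytes | None = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing "algo$iterations$salt$digest" string for storage."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare it in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != ALGO:
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except ValueError:  # malformed stored value (wrong field count, bad hex, ...)
        return False


def read_via_file(path: str) -> tuple[str, str] | None:
    """Parse the two-line file OpenVPN hands to the script (line 1 user, line 2 password).
    Returns None when the file is missing, unreadable or malformed."""
    try:
        with open(path, "r", encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    except (OSError, UnicodeDecodeError):
        return None
    if len(lines) < 2:
        return None
    user, password = lines[0], lines[1]
    if not user or len(user) > MAX_FIELD_LEN or len(password) > MAX_FIELD_LEN:
        return None
    return user, password


# Constructed sample store (stand-in for the recipe's PostgreSQL table).
CREDENTIAL_STORE: dict[str, str] = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("hunter2"),
}
# Hash checked for unknown users so that a miss costs the same time as a hit.
DUMMY_HASH = hash_password("not-a-real-password")


def authenticate(path: str, store: dict[str, str]) -> int:
    """Exit status for OpenVPN: 0 accepts the client, 1 rejects it."""
    parsed = read_via_file(path)
    if parsed is None:
        return 1
    user, password = parsed
    stored = store.get(user, DUMMY_HASH)
    ok = verify_password(password, stored)
    return 0 if ok and user in store else 1


def main(argv: list[str]) -> int:
    if len(argv) != 2:
        sys.stderr.write("usage: auth.py <via-file>\n")
        return 1
    return authenticate(argv[1], CREDENTIAL_STORE)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Every failure path (missing file, fewer than two lines, empty username, unknown user, wrong password, corrupt stored hash) returns 1 rather than raising, because an uncaught exception also ends in a non-zero status but leaves a traceback in the OpenVPN log and nothing the script can control; unknown users are still run through a PBKDF2 check so the response time does not reveal which usernames exist.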


==== Starting the server ====

To watch the server output and the client connections you can run

  openvpn /


To put it «into production» you can use the init script

  /


===== Open the firewall ports =====

In the file ''

  iptables -A INPUT -p udp --dport 1194 -j ACCEPT



===== Configuring and starting the clients =====

In all cases you have to copy the file ''


==== Using a configuration file on Linux ====

Edit the file ''/

<code>
client
port 1194
#proto tcp
proto udp
dev tun

remote 150.128.97.59
#push "route 192.168.13.0 255.255.255.0"
#Should be push "route 192.168.13.0 255.255.255.0"
keepalive 10 120
#comp-lzo
script-security 2
user nobody
group nogroup
nobind
persist-key
persist-tun
verb 3


cipher BF-CBC
auth SHA1


ca /
#capath .
auth-user-pass
</code>

<note warning>

auth-user-pass /
</note>




=== Starting the client ===

To watch the server output and the client connections you can run

  openvpn /


To put it «into production» you can use the init script

  /


==== Using NetworkManager on Linux ====

Install the package ''

Go to ''

Select the connection type ''

In the tab ''
<code>
Connection name: openvpnClient

Gateway: servidor.dominio
Type: Password
Username: mm
Password:
CA certificate: /
</code>


The password can be left blank.

Click the button ''


<code>
Cipher: BF-CBC
HMAC authentication: SHA-1
</code>


Go to ''

=== Problems ===

On some GNU/Linux distributions the error «The VPN connection "

At http://


==== Windows ====

Install openvpn

Create in ''



<code>
client
port 1194
#proto tcp
proto udp
dev tun

remote 150.128.97.59
#push "route 192.168.13.0 255.255.255.0"
keepalive 10 120
#comp-lzo
script-security 2
user nobody
group nogroup
nobind
persist-key
persist-tun
verb 3


cipher BF-CBC
auth SHA1


ca C:
#capath .
auth-user-pass
</code>

Copy the server certificate to ''



====== Enable forwarding and the firewall on the server ======

Install the following rules in the ''

<code>
#!/bin/sh
IPTABLES=/

$IPTABLES -F -t nat

$IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.12.0/
$IPTABLES -t nat -A POSTROUTING -s 192.168.12.0/
</code>

Edit the file ''/

  net.ipv4.ip_forward = 1

This line is normally commented out; uncomment it.

This enables forwarding at boot. If you only want to run a test, you can instead do:

  echo "


====== Links ======

  * http://
  * http://
  * http://
  * http://
  * http://
  * http://
  * http://
  * http://
  * http://
  * http://