# [howto] openvpn

## bouleetbil

OPENVPN

Introduction (source: Wikipedia)

A virtual private network is an extension of local area networks that provides a security standard for telecommunications.

A good compromise is to use the Internet as the transport medium with a "tunneling" protocol, that is, one that encapsulates the data to be transmitted in encrypted form. The network created this way is called a virtual private network (VPN). It is called virtual because it links two "physical" networks (local networks) over an unreliable link (the Internet), and private because only the computers on the local networks at either end of the VPN can "see" the data.

Installing openvpn

```
# emerge openvpn 
```

(Add the documentation USE flag to also install the sample configuration files.)

Creating the keys for the server and the clients

```
# cd /usr/share/openvpn/easy-rsa/
```

Edit the vars file, which holds the openvpn variables:

```
# nano vars 
```

*Quote:*

> export KEY_COUNTRY="FR"
> export KEY_PROVINCE="France"
> export KEY_CITY="Montpellier"
> ...

```
# source ./vars
# ./clean-all
```

This loads the contents of vars, which initialises the environment variables, and removes any traces of old keys.

Generating the Master CA keys (CA = Certificate Authority)

```
# ./build-ca
```

Answer the various questions. Once generation is complete, your keys are created in the keys/ directory: ca.crt and ca.key.

Generating the server keys

Now that your VPN has the CA keys, you need to generate the server keys:

```
# ./build-key-server frogdev.dyndns.org
```

frogdev.dyndns.org is the name of my server.

The keys are generated in the keys/ directory: frogdev.dyndns.org.crt and frogdev.dyndns.org.key.

Generating keys for the client(s)

You can repeat this step as many times as needed, once for each client you want to add to the VPN.

```
# ./build-key gaetan
```

gaetan is the name of the client.

You need to answer the questions:

* Sign the certificate? [y/n]: answer y,
* 1 out of 1 certificate requests certified, commit? [y/n]: answer y.

commonName must be your name / the client's name and not the server's, otherwise you end up with an empty .crt.

Generating the Diffie-Hellman parameters (used for SSL/TLS)

Just run:

```
# ./build-dh
```

List of files created:

* ca.crt: the Master CA certificate. It must be installed on every client and on the server.
* ca.key: the Master CA key. It must stay secret and be present on every machine that has to generate keys; in our case, the server.
* dh1024.pem: the Diffie-Hellman parameters. They stay on the server.
* frogdev.dyndns.org.crt: the server certificate; goes on the server.
* frogdev.dyndns.org.key: your server's private key; goes on the server and stays secret.
* gaetan.crt: the certificate of one of your clients; goes on that client.
* gaetan.key: the private key of one of your clients; goes on that client and stays secret.
* The .key files must be secret, so keep them safe.
* ca.crt must be installed on every client as well as on the server.
* gaetan(.crt|.key) is installed on the client.
* frogdev.dyndns.org(.crt|.key) is installed on the server.
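Before copying the files around, it is worth checking that the keys/ directory really is what the list above describes: each .crt signed by ca.crt, each .key matching its .crt, a server certificate built with build-key-server (so clients can later enable `ns-cert-type server`), distinct common names, and private keys not readable by anyone else. The script below is an added editor's example, not code from this thread or from easy-rsa; it shells out to the `openssl` command-line tool (assumed on PATH), follows the ca.crt / <name>.crt / <name>.key layout easy-rsa produces, and builds a throwaway demo PKI in a temporary directory so it can run offline (all of that demo data is constructed).

```python
"""Sanity checks for an easy-rsa style keys/ directory (added example, not from the thread)."""
import os
import re
import stat
import subprocess
import tempfile


def _openssl(keys_dir, *args):
    """Run an openssl subcommand inside keys_dir; return (returncode, stdout)."""
    proc = subprocess.run(["openssl", *args], cwd=keys_dir, capture_output=True, text=True)
    return proc.returncode, proc.stdout


def check_openvpn_pki(keys_dir, server, clients):
    """Return a list of problems found; an empty list means the directory looks sound."""
    problems = []
    names = [server, *clients]
    for name in names:
        # 1. every certificate must chain to the Master CA
        rc, _ = _openssl(keys_dir, "verify", "-CAfile", "ca.crt", f"{name}.crt")
        if rc != 0:
            problems.append(f"{name}.crt is not signed by ca.crt")
        # 2. each .key must belong to its .crt (compare the RSA moduli)
        _, cert_mod = _openssl(keys_dir, "x509", "-noout", "-modulus", "-in", f"{name}.crt")
        _, key_mod = _openssl(keys_dir, "rsa", "-noout", "-modulus", "-in", f"{name}.key")
        if not cert_mod.strip() or cert_mod != key_mod:
            problems.append(f"{name}.key does not match {name}.crt")
    # 3. the server cert must carry nsCertType=server, which is what build-key-server
    #    sets and what a client's `ns-cert-type server` line checks
    _, text = _openssl(keys_dir, "x509", "-noout", "-text", "-in", f"{server}.crt")
    if "SSL Server" not in text:
        problems.append(f"{server}.crt lacks nsCertType=server (built with build-key instead of build-key-server?)")
    # 4. common names must be unique; OpenVPN identifies client sessions by CN
    seen = {}
    for name in names:
        _, subj = _openssl(keys_dir, "x509", "-noout", "-subject", "-nameopt", "RFC2253", "-in", f"{name}.crt")
        match = re.search(r"CN=([^,]+)", subj)
        cn = match.group(1).strip() if match else ""
        if cn in seen:
            problems.append(f"{name}.crt and {seen[cn]}.crt share the common name {cn!r}")
        seen[cn] = name
    # 5. private keys must not be readable by group or others
    for entry in os.listdir(keys_dir):
        if entry.endswith(".key"):
            mode = stat.S_IMODE(os.stat(os.path.join(keys_dir, entry)).st_mode)
            if mode & 0o077:
                problems.append(f"{entry} has mode {mode:o}; chmod 600 it")
    return problems


def make_demo_pki(keys_dir):
    """Build a throwaway CA, server and client certificate (constructed test data)."""
    def run(*args):
        subprocess.run(["openssl", *args], cwd=keys_dir, check=True, capture_output=True)

    run("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "30",
        "-subj", "/C=FR/ST=France/L=Montpellier/CN=demo-ca", "-keyout", "ca.key", "-out", "ca.crt")
    for name, extensions in (("server", "nsCertType=server\n"), ("client", "nsCertType=client\n")):
        run("req", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={name}",
            "-keyout", f"{name}.key", "-out", f"{name}.csr")
        with open(os.path.join(keys_dir, f"{name}.ext"), "w") as fh:
            fh.write(extensions)
        run("x509", "-req", "-days", "30", "-in", f"{name}.csr", "-CA", "ca.crt", "-CAkey", "ca.key",
            "-CAcreateserial", "-extfile", f"{name}.ext", "-out", f"{name}.crt")
    for entry in os.listdir(keys_dir):
        if entry.endswith(".key"):
            os.chmod(os.path.join(keys_dir, entry), 0o600)


def demo():
    """Run the checks on a fresh demo PKI; returns (clean, bad_perms, wrong_server) problem lists."""
    keys_dir = tempfile.mkdtemp(prefix="ovpn-keys-")
    make_demo_pki(keys_dir)
    clean = check_openvpn_pki(keys_dir, "server", ["client"])
    os.chmod(os.path.join(keys_dir, "client.key"), 0o644)  # simulate a key left world-readable
    bad_perms = check_openvpn_pki(keys_dir, "server", ["client"])
    os.chmod(os.path.join(keys_dir, "client.key"), 0o600)
    wrong_server = check_openvpn_pki(keys_dir, "client", ["server"])  # a client cert used as the server's
    return clean, bad_perms, wrong_server


if __name__ == "__main__":
    for label, problems in zip(("clean", "bad permissions", "wrong server cert"), demo()):
        print(f"{label}: {problems or 'OK'}")
```

On a real installation, call `check_openvpn_pki("/usr/share/openvpn/easy-rsa/keys", "frogdev.dyndns.org", ["gaetan"])` with your own names; the demo directory is only there so the checks can be exercised without touching production keys.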

Server configuration

Server configuration file (/etc/openvpn/openvpn.conf, on the server)

```
# nano /etc/openvpn/openvpn.conf
```

This is where the documentation USE flag comes in handy :Wink: The supplied file is fairly well documented.

```
#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# This config should work on Windows            #
# or Linux/BSD systems.  Remember on            #
# Windows to quote pathnames and use            #
# double backslashes, e.g.:                     #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
mode server
tls-server

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.  You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
;proto tcp
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one.  On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /usr/share/openvpn/easy-rsa/keys/ca.crt
cert /usr/share/openvpn/easy-rsa/keys/frogdev.dyndns.org.crt
key /usr/share/openvpn/easy-rsa/keys/frogdev.dyndns.org.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface.  Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0.  Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients.  Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 192.168.0.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN.  This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients.  There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients.  See man
#     page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel.  Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
push "redirect-gateway"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
push "dhcp-option DNS 212.27.32.5"
# Free's primary DNS server
push "dhcp-option DNS 212.27.32.176"
# Free's secondary DNS server
push "route-gateway 192.168.0.1"
# forces the gateway

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names.  This is recommended
# only for testing purposes.  For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
max-clients 10

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nobody

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
;log         /var/log/openvpn.log
log-append  /var/log/openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
```

A few explanations:

*Quote:*

> * The proto udp line defines which protocol to use (udp or tcp).
> * The dev tun line defines the type of virtual interface to create.
> * The ca, cert, key and dh lines define the file names to use for authentication (don't forget to change Server-name),
> ...

iptables rules on the server

You need these iptables rules on your server:

```
# iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -d ! 10.8.0.1 -j SNAT --to-source IP_SERVEUR_VPN
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# iptables -A OUTPUT -p tcp --dport 1194 -j ACCEPT
# iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
```

Replace IP_SERVEUR_VPN with your server's IP address and eth0 with the network interface in use.

Enabling IPv4 forwarding

You also need to enable IPv4 forwarding.

```
# echo 1 > /proc/sys/net/ipv4/ip_forward
```

Client configuration

```
# ln -s /etc/init.d/openvpn /etc/init.d/openvpn.gaetan
# nano /etc/openvpn/gaetan.conf
```

Courtesy of the documentation USE flag's examples:

```
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 82.XXX.233.24 1194
;remote 192.168.0.11 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca /usr/share/openvpn/easy-rsa/keys/ca.crt
cert /usr/share/openvpn/easy-rsa/keys/gaetan.crt
key /usr/share/openvpn/easy-rsa/keys/gaetan.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Use log or log-append, not both.
;log         /var/log/openvpngaetan.log
log-append  /var/log/openvpngaetan.log

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
```

Noubliez pas de changer remote 82.XXX.233.24 1194 : 82.XXX.233.24 par lIP de votre serveur (1194 est le port)

Pour tester si tout marche

```
$ ping 10.8.0.1
```

Démarrage des services 

serveur : 

```
# /etc/init.d/openvpn start
```

client:

```
# /etc/init.d/openvpn.gaetan start
```

Tips:

Kernel configuration

```
[*] Network device support

Networking options  --->
[ ] Amateur Radio support  --->
< > IrDA (infrared) subsystem support  --->
< > Bluetooth subsystem support  --->
[*] Network device support
<M>   Dummy net driver support
< >   Bonding driver support
< >   EQL (serial line load balancing) support
<X>   Universal TUN/TAP device driver support
< > IP: ESP transformation
< > IP: IPComp transformation
< > IP: tunnel transformation
< > IP: TCP socket monitoring interface
    IP: Virtual Server Configuration  --->
< > The IPv6 protocol (EXPERIMENTAL)
[*] Network packet filtering (replaces ipchains)  --->
    SCTP Configuration (EXPERIMENTAL)  --->
< > Asynchronous Transfer Mode (ATM) (EXPERIMENTAL)
<X> 802.1d Ethernet Bridging
```

Don't forget to forward port 1194 (the default port) if you go through a router to reach the openvpn server.

Information on the Internet

http://www.openvpn.net/

http://gentoo-wiki.com/HOWTO_Road_Warriors_with_OpenVPN

http://planet.gentoo.org/developers/rphillips/2005/05/13/openvpn_setup

https://forums.gentoo.org/viewtopic-t-233080-highlight-openvpn.html

http://gentoo-wiki.com/HOWTO_OpenVPN_RoadWarrior

openvpn for Windows: http://openvpn.se/

Sources:

http://blog.irrealia.org/articles/tag/gentoo

http://yom.retiaire.org/doku.php?id=start:openvpn_how-to

http://fr.wikipedia.org/wiki/VPN

https://forums.gentoo.org/viewtopic-t-538662-highlight-dh1024.html

----------

## zyprexa

Excellent work, very clear.

Wouldn't it be better to drop the following line from the server config?

```
push "redirect-gateway"
```

Because it changes the default route of every client... so that everything goes through the server. If the clients want to browse and/or download things, the VPN will end up saturating CPU and bandwidth.

----------

## bouleetbil

Good evening,

Indeed, this option is included on the server

```
push "redirect-gateway"
```

I used this

```
push "route-gateway 192.168.0.1"
```

to force the gateway because I ran into problems, but in principle push "redirect-gateway" is enough.

----------

## 666cars

Thanks bouleetbil for this clear, simple how-to in French! I do have a question or two, though:

1- This is a routed configuration we have here (not a bridged one, right?)

2- How do connecting clients acquire an IP address dynamically (a local one in 192.168.0.x)? Is there a specific directive I missed?

3- Didn't you swap a 1 for a 0 in this directive: push "route 192.168.0.1 255.255.255.0"?

4- In this configuration, can you use just one network card with IP 192.168.0.1 (as in your examples)?

5- For the iptables rules on the server, IP_SERVEUR_VPN is therefore (in your examples) 192.168.0.1

6 - In your iptables script, shouldn't TCP be replaced by UDP where you refer to port 1194?

Er, if I think of anything else, I'll add it!

THANKS!!   :Very Happy:

----------

## bouleetbil

Hello,

1. yes, it is routed

```
dev tun
```

2. normally you get an IP when the connection is established

3.

```
push "route 192.168.0.1 255.255.255.0"
```

yes indeed, it is 0 (I'm correcting it)

4. that is my setup :Wink:

5. IP_SERVEUR_VPN is the local IP address of the VPN server. At my place 192.168.0.1 is my router's address and the VPN is on 192.168.0.11

See you

----------

## 666cars

OK, so I followed your how-to to the letter!

The context:

- Road Warrior client (so routed mode) on MacOS X with the Tunnelblick OpenVPN client

- OpenVPN server at home behind a Freebox, with UDP/1194 forwarded to the VPN server

- VPN server IP: 192.168.0.77/24 - Freebox IP: 192.168.0.250 - internal DNS server: 192.168.0.5 (forwarding to Free's DNS)

- MacOS X client IP: DHCP - inside a 192.168.253.0/24 local network

The connection goes through, YAY!

The problem is that there is no DNS and no GATEWAY that would let me ping the 10.8.0.1 or 192.168.0.77 interfaces, so no home LAN.

Yet I do have a tun0 interface coming up with IP 10.8.0.5...

Here is my client connection log:

```
Fri 07/06/07 02:40 PM: IMPORTANT: OpenVPN's default port number is now 1194
Fri 07/06/07 02:40 PM: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri 07/06/07 02:40 PM: LZO compression initialized
Fri 07/06/07 02:40 PM: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri 07/06/07 02:40 PM: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri 07/06/07 02:40 PM: Local Options hash (VER=V4): '41690919'
Fri 07/06/07 02:40 PM: Expected Remote Options hash (VER=V4): '530fdded'
Fri 07/06/07 02:40 PM: UDPv4 link local: [undef]
Fri 07/06/07 02:40 PM: UDPv4 link remote: 81.xx.xx.126:1194
Fri 07/06/07 02:40 PM: TLS: Initial packet from 81.xx.xx.126:1194
Fri 07/06/07 02:40 PM: VERIFY OK: depth=1
Fri 07/06/07 02:40 PM: VERIFY OK: depth=0
Fri 07/06/07 02:40 PM: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri 07/06/07 02:40 PM: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri 07/06/07 02:40 PM: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri 07/06/07 02:40 PM: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri 07/06/07 02:40 PM: Control Channel: TLSv1
Fri 07/06/07 02:40 PM: [xx.hd.free.fr] Peer Connection Initiated with 81.xx.xx.126:1194
Fri 07/06/07 02:40 PM: SENT CONTROL [xx.hd.free.fr]: 'PUSH_REQUEST' (status=1)
Fri 07/06/07 02:40 PM: PUSH: Received control message: 'PUSH_REPLY
Fri 07/06/07 02:40 PM: OPTIONS IMPORT: timers and/or timeouts modified
Fri 07/06/07 02:40 PM: OPTIONS IMPORT: --ifconfig/up options modified
Fri 07/06/07 02:40 PM: OPTIONS IMPORT: route options modified
Fri 07/06/07 02:40 PM: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri 07/06/07 02:40 PM: gw 192.168.253.254
Fri 07/06/07 02:40 PM: TUN/TAP device /dev/tun0 opened
Fri 07/06/07 02:40 PM: /sbin/ifconfig tun0 delete
Fri 07/06/07 02:40 PM: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Fri 07/06/07 02:40 PM: /sbin/ifconfig tun0 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up
Fri 07/06/07 02:40 PM: /sbin/route add -net 81.xx.xx.126 192.168.253.254 255.255.255.255
Fri 07/06/07 02:40 PM: /sbin/route delete -net 0.0.0.0 192.168.253.254 0.0.0.0
Fri 07/06/07 02:40 PM: /sbin/route add -net 0.0.0.0 192.168.0.250 0.0.0.0
Fri 07/06/07 02:40 PM: /sbin/route add -net 192.168.0.0 192.168.0.250 255.255.255.0
Fri 07/06/07 02:40 PM: /sbin/route add -net 10.8.0.0 192.168.0.250 255.255.255.0
Fri 07/06/07 02:40 PM: Initialization Sequence Completed
```

Here is my server-side log:

```
Jul  6 16:41:08 sslexp ovpn-server[2958]: MULTI: multi_create_instance called
Jul  6 16:41:08 sslexp ovpn-server[2958]: 82.127.89.40:49911 Re-using SSL/TLS context
Jul  6 16:41:08 sslexp ovpn-server[2958]: 82.127.89.40:49911 LZO compression initialized
Jul  6 16:41:08 sslexp ovpn-server[2958]: 82.127.89.40:49911 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Jul  6 16:41:08 sslexp ovpn-server[2958]: 82.127.89.40:49911 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Jul  6 16:41:08 sslexp ovpn-server[2958]: 82.127.89.40:49911 Local Options hash (VER=V4): '530fdded'
Jul  6 16:41:08 sslexp ovpn-server[2958]: 82.127.89.40:49911 Expected Remote Options hash (VER=V4): '41690919'
Jul  6 16:41:08 sslexp ovpn-server[2958]: 82.127.89.40:49911 TLS: Initial packet from 82.127.89.40:49911, sid=e7ef7736 0af79b79
Jul  6 16:41:09 sslexp ovpn-server[2958]: 82.127.89.40:49911 VERIFY OK: depth=1, /C=FR/ST=France/L=ParisO=home/CN=sslexp/emailAddress=user@domain.com
Jul  6 16:41:09 sslexp ovpn-server[2958]: 82.127.89.40:49911 VERIFY OK: depth=0, /C=FR/ST=France/L=Paris/O=home/CN=client1/emailAddress=user@domain.com
Jul  6 16:41:09 sslexp ovpn-server[2958]: 82.127.89.40:49911 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jul  6 16:41:09 sslexp ovpn-server[2958]: 82.127.89.40:49911 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul  6 16:41:09 sslexp ovpn-server[2958]: 82.127.89.40:49911 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jul  6 16:41:09 sslexp ovpn-server[2958]: 82.127.89.40:49911 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul  6 16:41:09 sslexp ovpn-server[2958]: 82.127.89.40:49911 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Jul  6 16:41:09 sslexp ovpn-server[2958]: 82.127.89.40:49911 [client1] Peer Connection Initiated with 82.127.89.40:49911
Jul  6 16:41:09 sslexp ovpn-server[2958]: client1/82.127.89.40:49911 MULTI: Learn: 10.8.0.6 -> client1/82.127.89.40:49911
Jul  6 16:41:09 sslexp ovpn-server[2958]: client1/82.127.89.40:49911 MULTI: primary virtual IP for client1/82.127.89.40:49911: 10.8.0.6
Jul  6 16:41:10 sslexp ovpn-server[2958]: client1/82.127.89.40:49911 PUSH: Received control message: 'PUSH_REQUEST'
Jul  6 16:41:10 sslexp ovpn-server[2958]: client1/82.127.89.40:49911 SENT CONTROL [client1]: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,redirect-gateway,dhcp-option DNS 192.168.0.5,dhcp-option DNS 212.27.32.5,dhcp-option WINS 192.168.0.5,route-gateway 192.168.0.250,route 10.8.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
```

For info, my server conf file:

```
port 1194
proto udp
dev tun
;dev-node MyTap
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/xx.hd.free.fr.crt
key /etc/openvpn/keys/xx.hd.free.fr.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
push "route 192.168.0.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
#   ifconfig-push 10.9.0.1 10.9.0.2
;learn-address ./script
push "redirect-gateway"
push "dhcp-option DNS 192.168.0.5"
push "dhcp-option DNS 212.27.32.5"
push "dhcp-option WINS 192.168.0.5"
push "route-gateway 192.168.0.250"
client-to-client
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
comp-lzo
max-clients 10
;user nobody
;group nogroup
persist-key
persist-tun
status openvpn-status.log
;log         openvpn.log
;log-append  openvpn.log
verb 3
;mute 20
```

And my client conf file:

```
client
dev tun
;dev-node MyTap
proto udp
remote xx.hd.free.fr 1194
;remote-random
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca /Users/moi/ca.crt
cert /Users/moi/client1.crt
key /Users/moi/client1.key
;ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
;mute 20
```

Oddly, even though the connection is established, netstat shows nothing on the server:

```
#netstat -an | grep 1194
udp        0      0 0.0.0.0:1194            0.0.0.0:*
```

And I confirm the ping from the client:

```
#ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1): 56 data bytes
ping: sendto: No route to host
...
```

It must be something at the "push" level... can you help me? THANKS!

Last edited by 666cars on Sat Feb 15, 2014 9:24 am; edited 2 times in total
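For readers debugging a setup like the one in this post, or working out what the push lines in the how-to's server config actually hand to a client, the following Python is an added editor's example (not code from this thread or from OpenVPN). It parses the PUSH_REPLY line that the server logs and checks the pushed options against each other: a `route-gateway` must lie on the tunnel link, `redirect-gateway` sends all client traffic through the server (zyprexa's point above), and a pushed DNS or WINS address needs a pushed route that covers it. The sample line is constructed from the server log quoted above; the link check assumes OpenVPN 2.0's default net30 topology, in which the client address and its server-side endpoint from `ifconfig` share a /30, and it treats the `ifconfig` remote as the gateway when no `route-gateway` is pushed.

```python
"""Parse an OpenVPN PUSH_REPLY log line and flag pushed options a client cannot use.
Added example, not part of the original thread."""
import ipaddress
import re

# Constructed sample, modelled on the server-side log quoted in the thread above.
SAMPLE_LINE = (
    "Jul  6 16:41:10 sslexp ovpn-server[2958]: client1/82.127.89.40:49911 "
    "SENT CONTROL [client1]: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,"
    "redirect-gateway,dhcp-option DNS 192.168.0.5,dhcp-option DNS 212.27.32.5,"
    "dhcp-option WINS 192.168.0.5,route-gateway 192.168.0.250,"
    "route 10.8.0.0 255.255.255.0,ping 10,ping-restart 120,"
    "ifconfig 10.8.0.6 10.8.0.5' (status=1)"
)

PUSH_REPLY_RE = re.compile(r"'PUSH_REPLY,([^']*)'")


def parse_push_reply(line):
    """Return the list of pushed options in a PUSH_REPLY line, or None if the line has none."""
    match = PUSH_REPLY_RE.search(line)
    if match is None:
        return None
    return [opt.strip() for opt in match.group(1).split(",") if opt.strip()]


def audit_push_options(options):
    """Check the pushed options against each other; return a list of (level, message)."""
    findings = []
    local = remote = gateway = None
    redirect = False
    routes = []
    name_servers = []
    for opt in options:
        words = opt.split()
        if words[0] == "ifconfig" and len(words) == 3:
            local, remote = words[1], words[2]
        elif words[0] == "route-gateway" and len(words) == 2:
            gateway = words[1]
        elif words[0] == "redirect-gateway":
            redirect = True
        elif words[0] == "route" and len(words) >= 3:
            routes.append(ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False))
        elif words[0] == "dhcp-option" and len(words) == 3 and words[1] in ("DNS", "WINS"):
            name_servers.append((words[1], ipaddress.ip_address(words[2])))
    if local is None:
        findings.append(("error", "no ifconfig pushed: the client gets no tunnel address"))
        return findings
    # net30 topology (assumption): client and server-side endpoint share a /30. Any gateway used
    # for pushed routes must be inside it, otherwise 'route add' has no on-link next hop.
    link = ipaddress.ip_network(f"{local}/30", strict=False)
    if gateway is None:
        gateway = remote  # OpenVPN falls back to the ifconfig remote address
    if ipaddress.ip_address(gateway) not in link:
        findings.append(("error", f"route-gateway {gateway} is not on the tunnel link {link}; "
                                  "pushed routes will fail with 'No route to host'"))
    if redirect:
        findings.append(("info", "redirect-gateway pushed: all client traffic, "
                                 "not just the VPN subnets, will transit the server"))
    for kind, addr in name_servers:
        reachable = redirect or addr in link or any(addr in net for net in routes)
        if not reachable:
            findings.append(("warning", f"{kind} server {addr} is not covered by any pushed route"))
    return findings


def audit_log_line(line):
    """Convenience wrapper: parse and audit one log line in a single call."""
    options = parse_push_reply(line)
    return [] if options is None else audit_push_options(options)


if __name__ == "__main__":
    for level, message in audit_log_line(SAMPLE_LINE):
        print(f"[{level}] {message}")
```

Run against the sample line, the audit reports that route-gateway 192.168.0.250 is not on the 10.8.0.4/30 tunnel link, which matches the `route add -net 0.0.0.0 192.168.0.250` lines and the "No route to host" result in the client log above; dropping the route-gateway push (so the client uses 10.8.0.5) clears that error and leaves only the informational note about redirect-gateway.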

----------

## 666cars

J'ai un peu de nouveau (qui me conduis vers un problème de "route" !) en essayant depuis un client Windows (avec OpenVPN-GUI), j'obtiens ceci dans les logs :

```
Fri Jul 06 15:39:39 2007 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Fri Jul 06 15:39:39 2007 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Fri Jul 06 15:39:39 2007 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Jul 06 15:39:39 2007 LZO compression initialized
Fri Jul 06 15:39:39 2007 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Jul 06 15:39:39 2007 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Jul 06 15:39:39 2007 Local Options hash (VER=V4): '41690919'
Fri Jul 06 15:39:39 2007 Expected Remote Options hash (VER=V4): '530fdded'
Fri Jul 06 15:39:39 2007 UDPv4 link local: [undef]
Fri Jul 06 15:39:39 2007 UDPv4 link remote: 81.xx.xx.126:1194
Fri Jul 06 15:39:39 2007 TLS: Initial packet from 81.xx.xx.126:1194, sid=c5f5f53a 7542bc81
Fri Jul 06 15:39:40 2007 VERIFY OK: depth=1, /C=FR/ST=France/L=Paris/O=home/CN=sslexp/emailAddress=user@domain.com
Fri Jul 06 15:39:40 2007 VERIFY OK: depth=0, /C=FR/ST=France/L=Paris/O=home/CN=user@domain.com/emailAddress=user@domain.com
Fri Jul 06 15:39:41 2007 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Jul 06 15:39:41 2007 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jul 06 15:39:41 2007 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Jul 06 15:39:41 2007 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jul 06 15:39:41 2007 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Jul 06 15:39:41 2007 [xx.hd.free.fr] Peer Connection Initiated with 81.xx.xx.126:1194
Fri Jul 06 15:39:42 2007 SENT CONTROL [xx.hd.free.fr]: 'PUSH_REQUEST' (status=1)
Fri Jul 06 15:39:42 2007 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,redirect-gateway,dhcp-option DNS 192.168.0.5,dhcp-option DNS 212.27.32.5,dhcp-option WINS 192.168.0.5,route-gateway 192.168.0.250,route 10.8.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Fri Jul 06 15:39:42 2007 OPTIONS IMPORT: timers and/or timeouts modified
Fri Jul 06 15:39:42 2007 OPTIONS IMPORT: --ifconfig/up options modified
Fri Jul 06 15:39:42 2007 OPTIONS IMPORT: route options modified
Fri Jul 06 15:39:42 2007 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Jul 06 15:39:42 2007 TAP-WIN32 device [Connexion au réseau local 2] opened: \\.\Global\{048D8454-D324-44F7-9F2F-33B751FCFA91}.tap
Fri Jul 06 15:39:42 2007 TAP-Win32 Driver Version 8.4 
Fri Jul 06 15:39:42 2007 TAP-Win32 MTU=1500
Fri Jul 06 15:39:42 2007 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {048D8454-D324-44F7-9F2F-33B751FCFA91} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Fri Jul 06 15:39:42 2007 Successful ARP Flush on interface [196612] {048D8454-D324-44F7-9F2F-33B751FCFA91}
Fri Jul 06 15:39:44 2007 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Fri Jul 06 15:39:44 2007 Route: Waiting for TUN/TAP interface to come up...
Fri Jul 06 15:39:46 2007 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
Fri Jul 06 15:39:46 2007 Route: Waiting for TUN/TAP interface to come up...
Fri Jul 06 15:39:48 2007 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
Fri Jul 06 15:39:48 2007 Route: Waiting for TUN/TAP interface to come up...
Fri Jul 06 15:39:51 2007 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
Fri Jul 06 15:39:51 2007 Route: Waiting for TUN/TAP interface to come up...
Fri Jul 06 15:39:54 2007 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
Fri Jul 06 15:39:54 2007 Route: Waiting for TUN/TAP interface to come up...
Fri Jul 06 15:39:55 2007 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
Fri Jul 06 15:39:55 2007 Route: Waiting for TUN/TAP interface to come up...
Fri Jul 06 15:39:56 2007 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
Fri Jul 06 15:39:56 2007 Route: Waiting for TUN/TAP interface to come up...
Fri Jul 06 15:39:58 2007 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
Fri Jul 06 15:39:58 2007 Route: Waiting for TUN/TAP interface to come up...
Fri Jul 06 15:39:58 2007 TCP/UDP: Closing socket
Fri Jul 06 15:39:58 2007 Closing TUN/TAP interface
Fri Jul 06 15:39:58 2007 SIGTERM[hard,] received, process exiting 
```

At the end it is my Ctrl+C that sends the SIGTERM, otherwise it doesn't stop... Oops, I correct that! It does stop if you wait a moment, and then I'm told I'm connected. However the routes don't look right, since I can only ping my local addresses and not the remote ones; not even 10.8.0.1!

Here is the route print on the Windows client:

```
===========================================================================
Liste d'Interfaces
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 4f 31 25 ...... Carte AMD PCNET Family Ethernet PCI - Miniport d'ordonnancement de paquets
0x30004 ...00 ff 04 8d 84 54 ...... TAP-Win32 Adapter V8 - Miniport d'ordonnancement de paquets
===========================================================================
===========================================================================
Itinéraires actifs :
Destination réseau    Masque réseau  Adr. passerelle   Adr. interface Métrique
         10.8.0.4  255.255.255.252         10.8.0.6        10.8.0.6     30
         10.8.0.6  255.255.255.255        127.0.0.1       127.0.0.1     30
   10.255.255.255  255.255.255.255         10.8.0.6        10.8.0.6     30
    81.56.217.126  255.255.255.255  192.168.253.254  192.168.253.57     1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1     1
    192.168.253.0    255.255.255.0   192.168.253.57  192.168.253.57     10
   192.168.253.57  255.255.255.255        127.0.0.1       127.0.0.1     10
  192.168.253.255  255.255.255.255   192.168.253.57  192.168.253.57     10
        224.0.0.0        240.0.0.0         10.8.0.6        10.8.0.6     30
        224.0.0.0        240.0.0.0   192.168.253.57  192.168.253.57     10
  255.255.255.255  255.255.255.255         10.8.0.6        10.8.0.6     1
  255.255.255.255  255.255.255.255   192.168.253.57  192.168.253.57     1
===========================================================================
Itinéraires persistants :
  Aucun
```

Last edited by 666cars on Sat Feb 15, 2014 9:25 am; edited 2 times in total

----------

## bouleetbil

Hello,

Could you try without

push "route-gateway 192.168.0.250" 

Normally push "redirect-gateway" is enough.

----------

## 666cars

 *bouleetbil wrote:*   

> Hello,
> 
> Could you try without
> 
> push "route-gateway 192.168.0.250" 
> ...

 

All good, everything works!

Thanks a million for your time and your how-to!

----------
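As an added example (not code from the thread or from OpenVPN), here is a small Python checker that reads client log lines like those quoted above, parses the PUSH_REPLY and reports a pushed route-gateway that is not on-link for the tunnel (the option bouleetbil's answer removes), and also flags the "No server certificate verification method" warning the same log shows. The two sample log lines are constructed from the thread; the gateway check assumes OpenVPN's net30 topology, in which `ifconfig <local> <remote>` describes a /30 point-to-point link.

```python
import ipaddress
import re

# Constructed sample: two lines of the kind seen in the thread's OpenVPN 2.0.9
# client log (the PUSH_REPLY is the one that ended in "No route to host").
SAMPLE_LOG = """\
Fri Jul 06 15:39:39 2007 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Jul 06 15:39:42 2007 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,redirect-gateway,dhcp-option DNS 192.168.0.5,route-gateway 192.168.0.250,route 10.8.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
"""

PUSH_RE = re.compile(r"PUSH_REPLY,(.*)'")


def parse_push_reply(line):
    """Return the PUSH_REPLY payload as a list of (option, args) tuples."""
    m = PUSH_RE.search(line)
    if not m:
        return []
    return [(f.split()[0], f.split()[1:]) for f in m.group(1).split(",") if f.strip()]


def check_push_reply(opts):
    """Flag a pushed route-gateway that is not on-link for the tunnel.

    Assumes the net30 topology: 'ifconfig <local> <remote>' is a /30
    point-to-point link, and when route-gateway is pushed every route
    (including the default route from redirect-gateway) is installed via it.
    A gateway outside that /30 cannot be reached, so route installation fails.
    """
    local = gateway = None
    redirect = False
    for name, args in opts:
        if name == "ifconfig":
            local = ipaddress.ip_address(args[0])
        elif name == "route-gateway":
            gateway = ipaddress.ip_address(args[0])
        elif name == "redirect-gateway":
            redirect = True
    findings = []
    if local is not None and gateway is not None:
        link = ipaddress.ip_network(f"{local}/30", strict=False)
        if gateway not in link:
            findings.append(f"route-gateway {gateway} is not on the tunnel link {link}; "
                            + ("redirect-gateway and " if redirect else "")
                            + "pushed routes cannot be installed")
    return findings


def audit_client_log(text):
    """Run both checks over a client log; return human-readable findings."""
    findings = []
    for line in text.splitlines():
        if "No server certificate verification method" in line:
            findings.append("server certificate not verified: enable ns-cert-type server "
                            "(or remote-cert-tls server on newer releases)")
        findings.extend(check_push_reply(parse_push_reply(line)))
    return findings
```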

