Installing and configuring an OpenVPN server and client with PiVPN.
Raspberry Pi: version 1
Distribution: Raspbian Jessie Lite 2016-12-25
Links:
PiVPN:
http://www.pivpn.io/
Raspberry Pi: Installing and configuring OpenVPN:
http://www.bexen.fr/2016/03/15/raspberry-pi-installation-et-configuration-dopenvpn/
Building A Raspberry Pi VPN Part One: How And Why To Build A Server: http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing/
1/ Basic configuration of the Raspberry Pi.
See my other tutorials.
2/ Switch to 'root':
pi@raspberrypi:~ $ sudo su
root@raspberrypi:/home/pi#
3/ Download the installation script:
root@raspberrypi:/home/pi# curl -L https://install.pivpn.io | bash
4/ Configuration:
– PiVPN Automated Installer
This installer will transform your Raspberry Pi into an OpenVPN server!
< Ok >
– Static IP Needed
The PiVPN is a SERVER so it needs a STATIC IP ADDRESS to function properly. In the next section, you can choose to use your current network settings (DHCP) or to manually edit them.
< Ok >
– Choose An Interface (press space to select)
(*) eth0 available
< Ok >
– Static IP Address
Do you want to use your current network settings as a static address? IP address: 192.168.1.23/24 Gateway: 192.168.1.1
< Oui >
– FYI: IP Conflict
It is possible your router could still try to assign this IP to a device, which would cause a conflict. But in most cases the router is smart enough to not do that. If you are worried, either manually set the address, or modify the DHCP reservation pool so it does not include the IP you want. It is also possible to use a DHCP reservation, but if you are going to do that, you might as well set a static address.
< Ok >
– Local Users
Choose a local user that will hold your ovpn configurations.
< Ok >
– Choose A User
Choose: (*) pi
< Ok >
– Unattended Upgrades
Since this server will have at least one port open to the internet, it is recommended you enable unattended-upgrades. This feature will check daily for security package updates only and apply them when necessary. It will NOT automatically reboot the server so to fully apply some updates you should periodically reboot.
< Ok >
– Unattended Upgrades
Do you want to enable unattended upgrades of security patches to this server?
< Oui >
– Protocol
Choose a protocol. Please only choose TCP if you know why you need TCP. (*) UDP
< Ok >
– Default OpenVPN Port
You can modify the default OpenVPN port. Enter a new value or hit 'Enter' to retain the default 1194
< Ok >
– Confirm Custom Port Number
Are these settings correct? PORT: 1194
< Oui >
– Encryption Strength
Choose your desired level of encryption: This is an encryption key that will be generated on your system. The larger the key, the more time this will take. For most applications it is recommended to use 2048 bit. If you are testing or just want to get through it quicker you can use 1024. If you are paranoid about ... things... then grab a cup of joe and pick 4096. (*) 1024 Use 1024-bit encryption. Test level.
< Ok >
– Server Information
The server key, Diffie-Hellman key, and HMAC key will now be generated.
< Ok >
– Public IP or DNS
Will clients use a Public IP or DNS Name to connect to your server? (*) 90.33.115.21 Use this public IP
< Ok >
– Select the DNS Provider for your VPN Clients. To use your own, select Custom.
< Ok >
– Installation Complete!
Now run 'pivpn add' to create the ovpn profiles. Run 'pivpn help' to see what else you can do! The install log is in /etc/pivpn.
< Ok >
– Reboot
It is strongly recommended you reboot after installation. Would you like to reboot now?
< Oui >
– Rebooting
The system will now reboot.
< Ok >
5/ Verification:
root@raspberrypi:~# tail -f /var/log/openvpn.log
Mon Jan 16 21:16:58 2017 Control Channel Authentication: using '/etc/openvpn/easy-rsa/pki/ta.key' as a OpenVPN static key file
Mon Jan 16 21:16:58 2017 TUN/TAP device tun0 opened
Mon Jan 16 21:16:58 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Jan 16 21:16:58 2017 /sbin/ip link set dev tun0 up mtu 1500
Mon Jan 16 21:16:58 2017 /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Mon Jan 16 21:16:58 2017 GID set to nogroup
Mon Jan 16 21:16:58 2017 UID set to nobody
Mon Jan 16 21:16:58 2017 UDPv4 link local (bound): [undef]
Mon Jan 16 21:16:58 2017 UDPv4 link remote: [undef]
Mon Jan 16 21:16:58 2017 Initialization Sequence Completed
6/ Add an OpenVPN client.
– Creating a client:
pi@raspberrypi:~ $ pivpn add
Enter a Name for the Client: client01
Enter the password for the client:
Enter the password again to verify:
...
Write out database with 1 new entries
Data Base Updated
Client's cert found: client01.crt
Client's Private Key found: client01.key
CA public Key found: ca.crt
tls-auth Private Key found: ta.key
========================================================
Done! client01.ovpn successfully created!
client01.ovpn was copied to:
  /home/pi/ovpns
for easy transfer.
========================================================
– Verification:
pi@raspberrypi:~ $ ls -l ovpns/client01.ovpn
-rw-r--r-- 1 pi root 3626 janv. 16 21:20 ovpns/client01.ovpn
7/ Installing the OpenVPN client:
From a remote computer:
– Installing OpenVPN:
[~] ➔ sudo apt-get install openvpn
– Connecting:
[~] ➔ sudo openvpn --config client01.ovpn
[sudo] password for nekrofage:
Mon Jan 16 22:20:49 2017 OpenVPN 2.3.2 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Apr 13 2015
Enter Private Key Password: *********
Mon Jan 16 22:20:53 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jan 16 22:20:53 2017 Control Channel Authentication: tls-auth using INLINE static key file
Mon Jan 16 22:20:53 2017 UDPv4 link local: [undef]
Mon Jan 16 22:20:53 2017 UDPv4 link remote: [AF_INET]90.33.115.21:1194
Mon Jan 16 22:20:55 2017 [server] Peer Connection Initiated with [AF_INET]90.33.115.21:1194
Mon Jan 16 22:20:58 2017 TUN/TAP device tun0 opened
Mon Jan 16 22:20:58 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Jan 16 22:20:58 2017 /sbin/ip link set dev tun0 up mtu 1500
Mon Jan 16 22:20:58 2017 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
RTNETLINK answers: File exists
Mon Jan 16 22:20:58 2017 ERROR: Linux route add command failed: external program exited with error status: 2
Mon Jan 16 22:20:58 2017 Initialization Sequence Completed
^CMon Jan 16 22:21:53 2017 event_wait : Interrupted system call (code=4)
Mon Jan 16 22:21:53 2017 /sbin/ip addr del dev tun0 10.8.0.2/24
Mon Jan 16 22:21:53 2017 SIGINT[hard,] received, process exiting
– Error:
Options error: Unrecognized option or missing parameter(s) in client01.ovpn:11: tls-version-min (2.3.2)
Solution
Open:
client01.ovpn
Find and delete:
tls-version-min 1.2
– Verification:
[~] ➔ ifconfig
eth0      Link encap:Ethernet  HWaddr 14:58:d0:04:c6:76
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          Packets reçus:0 erreurs:0 :0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:1000
          Octets reçus:0 (0.0 B) Octets transmis:0 (0.0 B)

lo        Link encap:Boucle locale
          inet adr:127.0.0.1  Masque:255.0.0.0
          adr inet6: ::1/128 Scope:Hôte
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          Packets reçus:291 erreurs:0 :0 overruns:0 frame:0
          TX packets:291 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:0
          Octets reçus:25244 (25.2 KB) Octets transmis:25244 (25.2 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet adr:10.8.0.2  P-t-P:10.8.0.2  Masque:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          Packets reçus:58 erreurs:0 :0 overruns:0 frame:0
          TX packets:94 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:100
          Octets reçus:4480 (4.4 KB) Octets transmis:7224 (7.2 KB)

wlan0     Link encap:Ethernet  HWaddr 9c:ad:97:92:ed:43
          inet adr:192.168.43.201  Bcast:192.168.43.255  Masque:255.255.255.0
          adr inet6: fe80::9ead:97ff:fe92:ed43/64 Scope:Lien
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Packets reçus:234 erreurs:0 :0 overruns:0 frame:0
          TX packets:318 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:1000
          Octets reçus:32758 (32.7 KB) Octets transmis:46095 (46.0 KB)

[~] ➔ ping 192.168.1.26
PING 192.168.1.26 (192.168.1.26) 56(84) bytes of data.
64 bytes from 192.168.1.26: icmp_seq=1 ttl=63 time=176 ms
64 bytes from 192.168.1.26: icmp_seq=2 ttl=63 time=97.1 ms
64 bytes from 192.168.1.26: icmp_seq=3 ttl=63 time=236 ms
64 bytes from 192.168.1.26: icmp_seq=4 ttl=63 time=136 ms
^C
--- 192.168.1.26 ping statistics ---
5 packets transmitted, 4 received, 20% packet loss, time 4006ms
rtt min/avg/max/mdev = 97.163/161.867/236.772/51.618 ms

[~] ➔ ping google.fr
PING google.fr (216.58.204.99) 56(84) bytes of data.
64 bytes from par10s28-in-f3.1e100.net (216.58.204.99): icmp_seq=1 ttl=52 time=1300 ms
64 bytes from par10s28-in-f3.1e100.net (216.58.204.99): icmp_seq=2 ttl=52 time=1783 ms
64 bytes from par10s28-in-f3.1e100.net (216.58.204.99): icmp_seq=4 ttl=52 time=473 ms
64 bytes from par10s28-in-f3.1e100.net (216.58.204.99): icmp_seq=5 ttl=52 time=619 ms
^C
--- google.fr ping statistics ---
5 packets transmitted, 4 received, 20% packet loss, time 4009ms
rtt min/avg/max/mdev = 473.314/1044.053/1783.473/528.811 ms, pipe 2
– Checking the log on the server:
root@raspberrypi:~# tail -f /var/log/openvpn.log
...
Mon Jan 16 22:20:56 2017 37.163.78.32:63337 [client01] Peer Connection Initiated with [AF_INET]37.163.78.32:63337
Mon Jan 16 22:20:56 2017 client01/37.163.78.32:63337 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Mon Jan 16 22:20:58 2017 client01/37.163.78.32:63337 send_push_reply(): safe_cap=940
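A profile audit in POSIX shell, added here as an example and not part of the original post or of PiVPN: it checks a client .ovpn produced by 'pivpn add' for the directives the connection logs above depend on, including the tls-version-min line that section 7 deletes to get past OpenVPN 2.3.2 (without it the client may negotiate an older TLS version; a client newer than 2.3.2 accepts the line) and the auth-nocache option the client log warns about. The sample profile is constructed, with placeholder key material; the remote IP and port are the ones from this post.

```shell
#!/bin/sh
# Added example, not from the original post or PiVPN: audit a client .ovpn
# produced by 'pivpn add'; each check is a directive the post's logs rely on.
audit_ovpn() {
    # $1: profile path; prints one line per finding, returns their count (0 = pass)
    f="$1"; n=0
    # host and port the client dials (the post uses 90.33.115.21 1194)
    grep -Eq '^remote [^ ]+ [0-9]+' "$f" || { echo "missing: remote <host> <port>"; n=$((n+1)); }
    # the tls-auth key must be embedded or referenced, together with its direction
    grep -Eq '^(<tls-auth>|tls-auth )' "$f" || { echo "missing: tls-auth"; n=$((n+1)); }
    grep -q '^key-direction 1' "$f" || { echo "missing: key-direction 1"; n=$((n+1)); }
    # require the server EKU so another CA-signed client cert cannot pose as the server
    grep -q '^remote-cert-tls server' "$f" || { echo "missing: remote-cert-tls server"; n=$((n+1)); }
    # the line the post deletes for OpenVPN 2.3.2; without it older TLS is negotiable
    grep -Eq '^tls-version-min 1\.[2-9]' "$f" || { echo "missing: tls-version-min 1.2"; n=$((n+1)); }
    # the client log warned that the key passphrase may be cached without this
    grep -q '^auth-nocache' "$f" || { echo "missing: auth-nocache"; n=$((n+1)); }
    # CA, client certificate and private key must all be embedded
    for blk in ca cert key; do
        grep -q "^<$blk>" "$f" && grep -q "^</$blk>" "$f" || { echo "missing: <$blk> block"; n=$((n+1)); }
    done
    return $n
}

write_sample_profile() {
    # constructed profile in the shape 'pivpn add' emits; key material is a placeholder
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote 90.33.115.21 1194
key-direction 1
remote-cert-tls server
tls-version-min 1.2
auth-nocache
<ca>
PLACEHOLDER-CA-PEM
</ca>
<cert>
PLACEHOLDER-CLIENT-CERT-PEM
</cert>
<key>
PLACEHOLDER-ENCRYPTED-KEY-PEM
</key>
<tls-auth>
PLACEHOLDER-TA-KEY
</tls-auth>
EOF
}
```

Run it as `audit_ovpn ~/ovpns/client01.ovpn` on the Pi before copying the profile; a non-zero exit with the printed findings means the profile is missing something the post's setup expects.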