Настройка сервера OpenVPN в debian 12

# Refresh the package index, then install the OpenVPN daemon from the Debian repositories.
# The commands in this guide are shown without sudo, i.e. they are run as root.
apt update

apt install openvpn

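# Fetch the easy-rsa release tarball into the home directory. The version in the URL must
# match the EasyRSA-3.1.7 directory used by the later commands; the page showed the URL
# with stray spaces ("v 3.1.7", "EasyRSA- 3.1.7.tgz"), which wget would not resolve.
# NOTE(review): the archive is downloaded over HTTPS but not checked against the release's
# published checksum/signature — consider verifying it before unpacking.
wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.7/EasyRSA-3.1.7.tgz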

cd ~

# Unpack the archive fetched above; it creates ~/EasyRSA-3.1.7, which the glob below matches.
tar xvf EasyRSA-3.1.7.tgz

cd ~/EasyRSA-*

# vars is read by the easyrsa script; start from the shipped example and fill in the
# certificate-request (DN) fields shown in the excerpt below. Lines that keep their leading
# "#" stay commented out and have no effect.
cp vars.example vars

nano vars

. . .

#set_var EASYRSA_REQ_COUNTRY    "RU"

#set_var EASYRSA_REQ_PROVINCE   "Komi"

#set_var EASYRSA_REQ_CITY       "Syktyvkar"

#set_var EASYRSA_REQ_ORG        "IT otdel"

#set_var EASYRSA_REQ_EMAIL      "<your-email-address>"

#set_var EASYRSA_REQ_OU         "My Organizational "

. . .

 

# Create an empty PKI directory tree (pki/) for easy-rsa.
./easyrsa init-pki

# Create the CA key pair and self-signed CA certificate. "nopass" stores the CA private key
# without a passphrase, so no prompt appears on every sign-req — but anyone who can read
# pki/private/ca.key can issue certificates. This guide appears to keep the CA on the VPN
# server itself, so that directory's permissions matter.
./easyrsa build-ca nopass

 

cd EasyRSA-*

# NOTE(review): init-pki was already run before build-ca above; running it again would
# re-create pki/ and discard the CA just built — confirm this second run is intended.
./easyrsa init-pki

# Install the server private key where server.conf expects it ("key server.key").
# NOTE(review): no "./easyrsa gen-req server nopass" is shown before this copy, yet that is
# the step that creates pki/private/server.key and the request signed next (compare the
# gen-req/sign-req pair used for client1 later in this guide).
cp ~/EasyRSA-3.1.7/pki/private/server.key /etc/openvpn/

# Sign the "server" request with the CA as a server certificate; easyrsa asks for
# confirmation (see the output below).
./easyrsa sign-req server server

You are about to sign the following certificate.

Please check over the details shown below for accuracy. Note that this request

has not been cryptographically verified. Please be sure it came from a trusted

source or that you have verified the request checksum with the sender.

 

Request subject, to be signed as a server certificate for 3650 days:

 

subject=

    commonName                = server

 

 

Type the word 'yes' to continue, or any other input to abort.

  Confirm request details: yes

 

# NOTE(review): easyrsa writes the signed certificate to pki/issued/server.crt (the end of
# this guide copies pki/issued/pavel.crt the same way) and the CA certificate to
# pki/ca.crt; copying from /tmp assumes a step not shown here placed them there. /tmp is
# shared by every local user, so material taken from it should be checked before it is
# installed as the server's identity.
cp /tmp/{server.crt,ca.crt} /etc/openvpn/

# Diffie-Hellman parameters for the "dh dh.pem" directive in server.conf (can take a while).
./easyrsa gen-dh

# Pre-shared tls-auth key, written to the current directory (~/EasyRSA-3.1.7). The server
# uses direction 0, clients direction 1 (see the two config excerpts below).
# NOTE(review): OpenVPN 2.5+ documents this as "openvpn --genkey secret ta.key"; confirm
# the form accepted by the version installed on Debian 12.
openvpn --genkey --secret ta.key

cp ~/EasyRSA-3.1.7/ta.key /etc/openvpn/

cp ~/EasyRSA-3.1.7/pki/dh.pem /etc/openvpn/

# Staging area for per-client material; made owner-only because it will hold private keys.
mkdir -p ~/client-configs/keys

chmod -R 700 ~/client-configs

cd ~/EasyRSA-*

# Key pair and certificate request for the first client; "nopass" leaves client1.key
# unencrypted, which is what allows it to be inlined into the .ovpn file later.
./easyrsa gen-req client1 nopass

cp pki/private/client1.key ~/client-configs/keys/

# Sign the request as a client certificate (confirmation prompt shown below).
./easyrsa sign-req client client1

 

Output

Type the word 'yes' to continue, or any other input to abort.

  Confirm request details: yes

 

# NOTE(review): the signed client certificate is written to pki/issued/client1.crt; as with
# the server certificate, reading it from the shared /tmp directory relies on an unshown
# copy step and on nobody else having written there in between.
cp /tmp/client1.crt ~/client-configs/keys/

cp ~/EasyRSA-3.1.7/ta.key ~/client-configs/keys/

cp /etc/openvpn/ca.crt ~/client-configs/keys/

# Start from the packaged sample server config, shipped gzip-compressed under /usr/share/doc.
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/

gzip -d /etc/openvpn/server.conf.gz

 

# Set the directives listed below. The file names (ta.key, dh.pem, server.crt, server.key)
# are relative to /etc/openvpn, which is where the daemon is started with --cd (see the
# systemctl status output further down) and where the files were copied above.
# NOTE(review): "cipher" is deprecated in OpenVPN 2.5+ in favour of "data-ciphers", and
# tls-crypt is the newer alternative to tls-auth; check these against the OpenVPN version
# that Debian 12 installs.
nano /etc/openvpn/server.conf

tls-auth ta.key 0 # This file is secret

cipher AES-256-CBC

 

auth SHA256

dh dh.pem

user nobody

group nogroup

cert server.crt

key server.key

# Enable IPv4 forwarding persistently (setting shown below); the server needs it to forward
# traffic for connected clients.
nano /etc/sysctl.conf

net.ipv4.ip_forward=1

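# Apply /etc/sysctl.conf immediately (the page rendered the flag with an en dash, "–p",
# which sysctl does not accept; the option is a plain ASCII "-p").
sysctl -p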

# openvpn@server instantiates the openvpn@.service template with /etc/openvpn/server.conf
# (the status output below shows the resulting command line).
systemctl start openvpn@server

# Expect Status: "Initialization Sequence Completed"; otherwise check journalctl -u openvpn@server.
systemctl status openvpn@server

 

openvpn@server.service - OpenVPN connection to server

     Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; preset: enabled)

     Active: active (running) since Wed 2023-10-18 14:54:41 +05; 2 days ago

       Docs: man:openvpn(8)

             https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

             https://community.openvpn.net/openvpn/wiki/HOWTO

   Main PID: 174745 (openvpn)

     Status: "Initialization Sequence Completed"

      Tasks: 1 (limit: 10)

     Memory: 3.0M

        CPU: 4.923s

     CGroup: /system.slice/system-openvpn.slice/openvpn@server.service

             └─174745 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.conf --writepid /run/openvpn/server.pid

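# Also start the instance at boot (it was started by hand above).
systemctl enable openvpn@server

# Output directory for the generated .ovpn profiles. The page listed this mkdir twice; once
# is enough (-p makes it idempotent). The profiles embed client private keys, so keep the
# directory owner-only like ~/client-configs/keys.
mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files

# Client template: the directives shown below are set in this copy, and make_config.sh
# inlines the certificate/key material instead of referencing separate files.
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf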

remote your_server_ip 1194

 

proto udp

user nobody

group nogroup

 

# SSL/TLS parms.

# See the server config file for more

# description.  It's best to use

# a separate .crt/.key file pair

# for each client.  A single ca

# file can be used for all clients.

#ca ca.crt

#cert client.crt

#key client.key

 

# If a tls-auth key is used on the server

# then every client must also have the key.

#tls-auth ta.key 1

cipher AES-256-CBC

auth SHA256

key-direction 1

# Create the helper script shown next; it builds one self-contained .ovpn per client from
# base.conf and the files staged in ~/client-configs/keys.
nano ~/client-configs/make_config.sh

 

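#!/bin/bash
# Build a single-file OpenVPN client profile by appending the CA certificate, the client's
# certificate and private key, and the tls-auth key to a copy of base.conf.
#
# Usage:   ./make_config.sh <client-name>
#   <client-name> is the name given to "easyrsa gen-req" / "easyrsa sign-req client";
#   <name>.crt and <name>.key must already be in $KEY_DIR together with ca.crt and ta.key.
# Output:  $OUTPUT_DIR/<client-name>.ovpn, created owner-only (0600) because it embeds the
#   client's private key.
# Exit:    non-zero with a message on stderr if the argument is missing/unsafe or an input
#   file is missing; otherwise 0.
set -euo pipefail

KEY_DIR=~/client-configs/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

die() { printf 'make_config: %s\n' "$*" >&2; exit 1; }

[[ $# -eq 1 ]] || die "usage: ${0##*/} <client-name>"
client=$1

# The name becomes part of two paths: allow only a plain file-name token so that values
# containing "/" or ".." cannot point outside KEY_DIR / OUTPUT_DIR.
[[ "$client" =~ ^[A-Za-z0-9._-]+$ && "$client" != . && "$client" != .. ]] \
  || die "invalid client name: ${client}"

# Fail early with a clear message instead of producing a half-written profile.
for f in "${BASE_CONFIG}" "${KEY_DIR}/ca.crt" "${KEY_DIR}/${client}.crt" \
         "${KEY_DIR}/${client}.key" "${KEY_DIR}/ta.key"; do
  [[ -r "$f" ]] || die "missing or unreadable: ${f}"
done

umask 077   # the profile contains a private key: owner read/write only
mkdir -p -- "${OUTPUT_DIR}"

# Same layout as before: base config, then inline <ca>, <cert>, <key>, <tls-auth> blocks.
{
  cat -- "${BASE_CONFIG}"
  printf '%s\n' '<ca>'
  cat -- "${KEY_DIR}/ca.crt"
  printf '%s\n' '</ca>' '<cert>'
  cat -- "${KEY_DIR}/${client}.crt"
  printf '%s\n' '</cert>' '<key>'
  cat -- "${KEY_DIR}/${client}.key"
  printf '%s\n' '</key>' '<tls-auth>'
  cat -- "${KEY_DIR}/ta.key"
  printf '%s\n' '</tls-auth>'
} > "${OUTPUT_DIR}/${client}.ovpn"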

 

# Make the helper executable (owner-only, consistent with the rest of ~/client-configs).
chmod 700 ~/client-configs/make_config.sh

cd ~/client-configs

# NOTE(review): this is the only command in the guide run through sudo; every other step is
# run directly as root. Under sudo, "~" inside the script may resolve to a different home
# directory, and the resulting client1.ovpn — which embeds the client's private key — is
# created as root. The final "./make_config.sh pavel" step runs it without sudo; use the
# same invocation here, or check the owner and mode of the output file afterwards.
sudo ./make_config.sh client1

# Expect client1.ovpn here (output shown below).
ls ~/client-configs/files

Output

client1.ovpn

 

cd ~/EasyRSA-3.1.7/

# Second client, same gen-req/sign-req sequence as client1.
./easyrsa gen-req pavel nopass

./easyrsa sign-req client pavel

# NOTE(review): only the certificate is staged here. For client1 the private key was copied
# as well (cp pki/private/client1.key ~/client-configs/keys/); without pki/private/pavel.key
# in keys/, make_config.sh has no <key> material to inline for pavel.
cp pki/issued/pavel.crt ~/client-configs/keys/

cd ~/client-configs/

./make_config.sh pavel