Openvpn Angristan2
root@hard:~# curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 37951  100 37951    0     0  93404      0 --:--:-- --:--:-- --:--:-- 93245
root@hard:~# chmod +x openvpn-install.sh
root@hard:~# ./openvpn-install.sh
Welcome to the OpenVPN installer!
The git repository is available at: https://github.com/angristan/openvpn-install

I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.

I need to know the IPv4 address of the network interface you want OpenVPN listening to.
Unless your server is behind NAT, it should be your public IPv4 address.
IP address: hard.jejo.es

Checking for IPv6 connectivity...
Your host appears to have IPv6 connectivity.

Do you want to enable IPv6 support (NAT)? [y/n]: n

What port do you want OpenVPN to listen to?
   1) Default: 1194
   2) Custom
   3) Random [49152-65535]
Port choice [1-3]: 2
Custom port [1-65535]: 13020

What protocol do you want OpenVPN to use?
UDP is faster. Unless it is not available, you shouldn't use TCP.
   1) UDP
   2) TCP
Protocol [1-2]: 1

What DNS resolvers do you want to use with the VPN?
   1) Current system resolvers (from /etc/resolv.conf)
   2) Self-hosted DNS Resolver (Unbound)
   3) Cloudflare (Anycast: worldwide)
   4) Quad9 (Anycast: worldwide)
   5) Quad9 uncensored (Anycast: worldwide)
   6) FDN (France)
   7) DNS.WATCH (Germany)
   8) OpenDNS (Anycast: worldwide)
   9) Google (Anycast: worldwide)
   10) Yandex Basic (Russia)
   11) AdGuard DNS (Russia)
   12) Custom
DNS [1-12]: 3

Do you want to use compression? It is not recommended since the VORACLE attack make use of it.
Enable compression? [y/n]: n

Do you want to customize encryption settings?
Unless you know what you're doing, you should stick with the default parameters provided by the script.
Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)
See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.

Customize encryption settings? [y/n]: n

Okay, that was all I needed. We are ready to setup your OpenVPN server now.
You will be able to generate a client at the end of the installation.
Press any key to continue...

Hit:1 http://apt.jurisic.org/debian stretch InRelease
Ign:2 http://ftp.us.debian.org/debian stretch InRelease
Hit:3 http://ftp.us.debian.org/debian stretch Release
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
ca-certificates is already the newest version (20161130+nmu1+deb9u1).
ca-certificates set to manually installed.
gnupg is already the newest version (2.1.18-8~deb9u4).
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
Reading package lists... Done
Building dependency tree
Reading state information... Done
ca-certificates is already the newest version (20161130+nmu1+deb9u1).
curl is already the newest version (7.52.1-5+deb9u9).
iptables is already the newest version (1.6.0+snapshot20161117-6).
openssl is already the newest version (1.1.0k-1~deb9u1).
openssl set to manually installed.
wget is already the newest version (1.18-5+deb9u3).
The following additional packages will be installed:
  easy-rsa libccid liblzo2-2 libpcsclite1 libpkcs11-helper1 libusb-1.0-0 opensc opensc-pkcs11 pcscd
Suggested packages:
  pcmciautils resolvconf
The following NEW packages will be installed:
  easy-rsa libccid liblzo2-2 libpcsclite1 libpkcs11-helper1 libusb-1.0-0 opensc opensc-pkcs11 openvpn pcscd
0 upgraded, 10 newly installed, 0 to remove and 1 not upgraded.
Need to get 2139 kB of archives.
After this operation, 5963 kB of additional disk space will be used.
Get:1 http://ftp.us.debian.org/debian stretch/main amd64 liblzo2-2 amd64 2.08-1.2+b2 [55.0 kB]
Get:2 http://ftp.us.debian.org/debian stretch/main amd64 libpcsclite1 amd64 1.8.20-1 [56.5 kB]
Get:3 http://ftp.us.debian.org/debian stretch/main amd64 libpkcs11-helper1 amd64 1.21-1 [46.6 kB]
Get:4 http://ftp.us.debian.org/debian stretch/main amd64 libusb-1.0-0 amd64 2:1.0.21-1 [53.9 kB]
Get:5 http://ftp.us.debian.org/debian stretch/main amd64 openvpn amd64 2.4.0-6+deb9u3 [500 kB]
Get:6 http://ftp.us.debian.org/debian stretch/main amd64 libccid amd64 1.4.26-1 [314 kB]
Get:7 http://ftp.us.debian.org/debian stretch/main amd64 pcscd amd64 1.8.20-1 [95.9 kB]
Get:8 http://ftp.us.debian.org/debian stretch/main amd64 easy-rsa all 2.2.2-2 [17.2 kB]
Get:9 http://ftp.us.debian.org/debian stretch/main amd64 opensc-pkcs11 amd64 0.16.0-3+deb9u1 [753 kB]
Get:10 http://ftp.us.debian.org/debian stretch/main amd64 opensc amd64 0.16.0-3+deb9u1 [247 kB]
Fetched 2139 kB in 2s (875 kB/s)
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
        LANGUAGE = (unset),
        LC_ALL = (unset),
        LANG = "es_ES.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
Preconfiguring packages ...
Selecting previously unselected package liblzo2-2:amd64.
(Reading database ... 36179 files and directories currently installed.)
Preparing to unpack .../0-liblzo2-2_2.08-1.2+b2_amd64.deb ...
Unpacking liblzo2-2:amd64 (2.08-1.2+b2) ...
Selecting previously unselected package libpcsclite1:amd64.
Preparing to unpack .../1-libpcsclite1_1.8.20-1_amd64.deb ...
Unpacking libpcsclite1:amd64 (1.8.20-1) ...
Selecting previously unselected package libpkcs11-helper1:amd64.
Preparing to unpack .../2-libpkcs11-helper1_1.21-1_amd64.deb ...
Unpacking libpkcs11-helper1:amd64 (1.21-1) ...
Selecting previously unselected package libusb-1.0-0:amd64.
Preparing to unpack .../3-libusb-1.0-0_2%3a1.0.21-1_amd64.deb ...
Unpacking libusb-1.0-0:amd64 (2:1.0.21-1) ...
Selecting previously unselected package openvpn.
Preparing to unpack .../4-openvpn_2.4.0-6+deb9u3_amd64.deb ...
Unpacking openvpn (2.4.0-6+deb9u3) ...
Selecting previously unselected package libccid.
Preparing to unpack .../5-libccid_1.4.26-1_amd64.deb ...
Unpacking libccid (1.4.26-1) ...
Selecting previously unselected package pcscd.
Preparing to unpack .../6-pcscd_1.8.20-1_amd64.deb ...
Unpacking pcscd (1.8.20-1) ...
Selecting previously unselected package easy-rsa.
Preparing to unpack .../7-easy-rsa_2.2.2-2_all.deb ...
Unpacking easy-rsa (2.2.2-2) ...
Selecting previously unselected package opensc-pkcs11:amd64.
Preparing to unpack .../8-opensc-pkcs11_0.16.0-3+deb9u1_amd64.deb ...
Unpacking opensc-pkcs11:amd64 (0.16.0-3+deb9u1) ...
Selecting previously unselected package opensc.
Preparing to unpack .../9-opensc_0.16.0-3+deb9u1_amd64.deb ...
Unpacking opensc (0.16.0-3+deb9u1) ...
Setting up libpcsclite1:amd64 (1.8.20-1) ...
Setting up libpkcs11-helper1:amd64 (1.21-1) ...
Setting up opensc-pkcs11:amd64 (0.16.0-3+deb9u1) ...
Setting up libusb-1.0-0:amd64 (2:1.0.21-1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Processing triggers for systemd (232-25+deb9u12) ...
Setting up easy-rsa (2.2.2-2) ...
Setting up libccid (1.4.26-1) ...
Setting up liblzo2-2:amd64 (2.08-1.2+b2) ...
Setting up opensc (0.16.0-3+deb9u1) ...
Setting up pcscd (1.8.20-1) ...
Created symlink /etc/systemd/system/sockets.target.wants/pcscd.socket → /lib/systemd/system/pcscd.socket.
Setting up openvpn (2.4.0-6+deb9u3) ...
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
[ ok ] Restarting virtual private network daemon.:.
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn.service → /lib/systemd/system/openvpn.service.
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Processing triggers for systemd (232-25+deb9u12) ...
--2019-12-06 11:30:57--  https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz
Resolving github.com (github.com)... 140.82.118.4
Connecting to github.com (github.com)|140.82.118.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/4519663/8d46db80-266e-11e9-85e3-7de4dbee40d9?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20191206%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20191206T103058Z&X-Amz-Expires=300&X-Amz-Signature=01a62bdc10185793a936c304ab3cc9c6e19b9de6b6b651ca5dbed4bf29ae5064&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3DEasyRSA-unix-v3.0.6.tgz&response-content-type=application%2Foctet-stream [following]
--2019-12-06 11:30:58--  https://github-production-release-asset-2e65be.s3.amazonaws.com/4519663/8d46db80-266e-11e9-85e3-7de4dbee40d9?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20191206%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20191206T103058Z&X-Amz-Expires=300&X-Amz-Signature=01a62bdc10185793a936c304ab3cc9c6e19b9de6b6b651ca5dbed4bf29ae5064&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3DEasyRSA-unix-v3.0.6.tgz&response-content-type=application%2Foctet-stream
Resolving github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)... 52.216.88.115
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)|52.216.88.115|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 40840 (40K) [application/octet-stream]
Saving to: '/root/EasyRSA-unix-v3.0.6.tgz'

/root/EasyRSA-unix-v3.0.6.tgz 100%[==============================================>]  39.88K  --.-KB/s    in 0.1s

2019-12-06 11:30:59 (371 KB/s) - '/root/EasyRSA-unix-v3.0.6.tgz' saved [40840/40840]

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
read EC key
writing EC key

Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.0k  28 May 2019
Generating an EC private key
writing new private key to '/etc/openvpn/easy-rsa/pki/private/server_87KDHONOkdw9763Z.key.njVCZ38QjO'
-----
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Can't open /etc/openvpn/easy-rsa/pki/index.txt.attr for reading, No such file or directory
140143549988928:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:74:fopen('/etc/openvpn/easy-rsa/pki/index.txt.attr','r')
140143549988928:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:81:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server_87KDHONOkdw9763Z'
Certificate is to be certified until Nov 20 10:30:59 2022 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.0k  28 May 2019
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf

An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem

* Applying /etc/sysctl.d/20-openvpn.conf ...
net.ipv4.ip_forward = 1
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.conf ...
Job for openvpn@server.service failed because the control process exited with error code.
See "systemctl status openvpn@server.service" and "journalctl -xe" for details.
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn@server.service → /etc/systemd/system/openvpn@.service.
Created symlink /etc/systemd/system/multi-user.target.wants/iptables-openvpn.service → /etc/systemd/system/iptables-openvpn.service.

Tell me a name for the client.
Use one word only, no special characters.
Client name: medion

Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
   1) Add a passwordless client
   2) Use a password for the client
Select an option [1-2]: 1

Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.0k  28 May 2019
Generating an EC private key
writing new private key to '/etc/openvpn/easy-rsa/pki/private/medion.key.6bhy8aTKiW'
-----
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'medion'
Certificate is to be certified until Nov 20 10:36:55 2022 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Client medion added, the configuration file is available at /root/medion.ovpn.
Download the .ovpn file and import it in your OpenVPN client.
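As an added example that is not from the page or from the openvpn-install project, the following POSIX shell function checks a generated server.conf against the answers given to the installer above: custom port 13020, UDP, compression off (the VORACLE point the installer raises) and a tls-crypt or tls-auth directive protecting the control channel. The directive names are the standard OpenVPN 2.4 ones; the two sample configurations embedded in the script are constructed for the demonstration and are not the script's real output (the certificate and key file names are the ones listed later in /etc/openvpn).

```shell
#!/bin/sh
# Added example, not part of the page or of the openvpn-install project:
# sanity-check an OpenVPN server.conf against the installer answers above
# (custom port 13020, UDP, no compression) and the hardening the script
# promises (tls-crypt on the control channel). Assumed: standard OpenVPN 2.4
# directive names ("port", "proto", "comp-lzo", "compress", "tls-crypt", "tls-auth").

# check_server_conf EXPECTED_PORT EXPECTED_PROTO < server.conf
# Prints one line per check and returns 0 only if all of them pass.
check_server_conf() {
    want_port=$1; want_proto=$2; rc=0
    # Drop full-line comments (OpenVPN accepts both '#' and ';').
    body=$(sed '/^[[:space:]]*[#;]/d')

    port=$(printf '%s\n' "$body" | awk '$1=="port"{print $2; exit}')
    proto=$(printf '%s\n' "$body" | awk '$1=="proto"{print $2; exit}')

    if [ "$port" = "$want_port" ]; then
        echo "ok: port $port"
    else
        echo "FAIL: port is '${port:-unset}', expected $want_port"; rc=1
    fi

    # "udp" also accepts the explicit "udp4"/"udp6" spellings.
    case "$proto" in
        "$want_proto"|"$want_proto"4|"$want_proto"6) echo "ok: proto $proto" ;;
        *) echo "FAIL: proto is '${proto:-unset}', expected $want_proto"; rc=1 ;;
    esac

    # Compression: "comp-lzo" (unless "comp-lzo no") or "compress <algo>" turns
    # it on; a bare "compress" only keeps the framing and compresses nothing.
    if printf '%s\n' "$body" | awk '
        $1=="comp-lzo" && $2!="no" {on=1}
        $1=="compress" && NF>1     {on=1}
        END {exit on ? 0 : 1}'; then
        echo "FAIL: compression is enabled (VORACLE risk)"; rc=1
    else
        echo "ok: compression disabled"
    fi

    # Control channel protection: tls-crypt (preferred) or tls-auth must be set.
    ccp=$(printf '%s\n' "$body" | awk '$1=="tls-crypt"||$1=="tls-auth"{print $1; exit}')
    if [ -n "$ccp" ]; then
        echo "ok: control channel protected with $ccp"
    else
        echo "FAIL: no tls-crypt/tls-auth directive"; rc=1
    fi
    return $rc
}

# Constructed sample resembling the choices made above; NOT the script's real output.
GOOD_CONF=$(cat <<'EOF'
port 13020
proto udp
dev tun
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_87KDHONOkdw9763Z.crt
key server_87KDHONOkdw9763Z.key
; compress lz4-v2   (commented out: must not count as enabled)
verb 3
EOF
)

# Constructed "what not to do" variant: default port, compression on, no tls-crypt.
BAD_CONF=$(cat <<'EOF'
port 1194
proto udp
dev tun
compress lz4-v2
ca ca.crt
EOF
)

echo "== generated server.conf (constructed sample) =="
printf '%s\n' "$GOOD_CONF" | check_server_conf 13020 udp
echo "== misconfigured variant =="
printf '%s\n' "$BAD_CONF" | check_server_conf 13020 udp || echo "-> fix before exposing the server"
```

Run it against the real file with `check_server_conf 13020 udp < /etc/openvpn/server.conf`; a non-zero return from the function is the signal to look at the FAIL lines before opening the port on the firewall.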
Checking that the server works by hand
And that's it, as easy as that.
Well, yes. If everything went well, it should work.
And if something fails, what do I do, what do I look at?
- We can launch the server by hand with verbose mode enabled to watch what happens.
openvpn --verb 6 --config server.conf
root@hard:~# cd /etc/openvpn/
root@hard:/etc/openvpn# ls
ca.crt  client-template.txt  ipp.txt      server_87KDHONOkdw9763Z.crt  update-resolv-conf
ca.key  crl.pem              server       server_87KDHONOkdw9763Z.key
client  easy-rsa             server.conf  tls-crypt.key
root@hard:/etc/openvpn# openvpn --verb 6 --config server.conf
Fri Dec 6 12:02:50 2019 OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 14 2018
Fri Dec 6 12:02:50 2019 library versions: OpenSSL 1.0.2s 28 May 2019, LZO 2.08
Fri Dec 6 12:02:50 2019 ECDH curve prime256v1 added
Fri Dec 6 12:02:50 2019 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Dec 6 12:02:50 2019 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Dec 6 12:02:50 2019 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Dec 6 12:02:50 2019 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Dec 6 12:02:50 2019 TUN/TAP device tun0 opened
Fri Dec 6 12:02:50 2019 TUN/TAP TX queue length set to 100
Fri Dec 6 12:02:50 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Dec 6 12:02:50 2019 /sbin/ip link set dev tun0 up mtu 1500
Fri Dec 6 12:02:50 2019 /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Fri Dec 6 12:02:50 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Dec 6 12:02:50 2019 Socket Buffers: R=[133120->133120] S=[133120->133120]
Fri Dec 6 12:02:50 2019 UDPv4 link local (bound): [AF_INET][undef]:13020
Fri Dec 6 12:02:50 2019 UDPv4 link remote: [AF_UNSPEC]
Fri Dec 6 12:02:50 2019 GID set to nogroup
Fri Dec 6 12:02:50 2019 UID set to nobody
Fri Dec 6 12:02:50 2019 MULTI: multi_init called, r=256 v=256
Fri Dec 6 12:02:50 2019 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Fri Dec 6 12:02:50 2019 IFCONFIG POOL LIST
Fri Dec 6 12:02:50 2019 Initialization Sequence Completed
And when a client connects we will see:
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 TLS: Initial packet from [AF_INET]83.33.184.238:35001, sid=5126a9c3 7a1c9ac8
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 VERIFY OK: depth=1, CN=cn_r7RIKDTGgmwtNtgX
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 VERIFY OK: depth=0, CN=x30
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 peer info: IV_VER=2.5_master
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 peer info: IV_PLAT=android
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 peer info: IV_PROTO=2
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 peer info: IV_NCP=2
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 peer info: IV_LZ4=1
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 peer info: IV_LZ4v2=1
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 peer info: IV_LZO=1
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 peer info: IV_COMP_STUB=1
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 peer info: IV_COMP_STUBv2=1
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 peer info: IV_TCPNL=1
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.7
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES128-GCM-SHA256
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 [x30] Peer Connection Initiated with [AF_INET]83.33.184.238:35001
Fri Dec 6 12:10:22 2019 x30/83.33.184.238:35001 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Fri Dec 6 12:10:22 2019 x30/83.33.184.238:35001 MULTI: Learn: 10.8.0.2 -> x30/83.33.184.238:35001
Fri Dec 6 12:10:22 2019 x30/83.33.184.238:35001 MULTI: primary virtual IP for x30/83.33.184.238:35001: 10.8.0.2
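As an added example that is not part of the original post, this shell function condenses a server log like the one above into one line per connected client (remote address, CN, assigned tunnel IP, client platform and version, control-channel parameters) and one line per peer that failed verification, returning non-zero in that case so it can sit in a cron job or a health check. The sample log embedded in the script reuses the lines shown above plus two constructed failure lines (a revoked certificate and a failed handshake from 198.51.100.7, a documentation-range address) to exercise the failure path; the field layout assumed is OpenVPN 2.4's (timestamp, then "ip:port" or "cn/ip:port", then the message).

```shell
#!/bin/sh
# Added example, not from the page or the OpenVPN project: summarise an
# OpenVPN server log into one line per connected client and one line per
# remote that failed verification. Assumed log layout (OpenVPN 2.4): five
# timestamp fields, then the peer as "ip:port" (before auth) or "cn/ip:port".

# vpn_session_report < openvpn.log
# Returns 0 if no failed handshake/verification was seen, 1 otherwise.
vpn_session_report() {
    awk '
    function peer(n, p) { n = split($6, p, "/"); return p[n] }   # strip "cn/" prefix
    function stamp()    { return $1 " " $2 " " $3 " " $4 " " $5 }

    /peer info: IV_PLAT=/ { split($NF, kv, "="); plat[peer()] = kv[2] }
    /peer info: IV_VER=/  { split($NF, kv, "="); ver[peer()]  = kv[2] }

    /Control Channel:/ { r = peer(); sub(/.*Control Channel: /, ""); chan[r] = $0 }

    /Peer Connection Initiated with/ {
        r = peer(); cn = $7; gsub(/\[|\]/, "", cn)       # $7 is "[cn]"
        name[r] = cn; since[r] = stamp()
    }
    /MULTI_sva: pool returned IPv4=/ {
        match($0, /IPv4=[0-9.]+/)
        vip[peer()] = substr($0, RSTART + 5, RLENGTH - 5)
    }
    /VERIFY ERROR|TLS Error|AUTH_FAILED/ {
        r = peer(); bad[r]++; nbad++
        msg = $0; for (i = 1; i <= 6; i++) sub(/^[^ ]+ +/, "", msg)   # keep message only
        last[r] = msg
    }
    END {
        for (r in name)
            printf "CONNECTED remote=%s cn=%s vpn_ip=%s client=%s/%s control=\"%s\" since=%s\n", r, name[r], (r in vip ? vip[r] : "-"), (r in plat ? plat[r] : "?"), (r in ver ? ver[r] : "?"), (r in chan ? chan[r] : "-"), since[r]
        for (r in bad)
            printf "FAILED remote=%s count=%d last=\"%s\"\n", r, bad[r], last[r]
        exit (nbad > 0 ? 1 : 0)
    }'
}

# Sample log: the successful session is taken from the page above; the two
# lines from 198.51.100.7 (a documentation-range address) are constructed.
SAMPLE_LOG=$(cat <<'EOF'
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 TLS: Initial packet from [AF_INET]83.33.184.238:35001, sid=5126a9c3 7a1c9ac8
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 VERIFY OK: depth=1, CN=cn_r7RIKDTGgmwtNtgX
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 VERIFY OK: depth=0, CN=x30
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 peer info: IV_VER=2.5_master
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 peer info: IV_PLAT=android
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.7
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES128-GCM-SHA256
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 [x30] Peer Connection Initiated with [AF_INET]83.33.184.238:35001
Fri Dec 6 12:10:22 2019 x30/83.33.184.238:35001 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Fri Dec 6 12:10:22 2019 x30/83.33.184.238:35001 MULTI: Learn: 10.8.0.2 -> x30/83.33.184.238:35001
Fri Dec 6 12:15:03 2019 198.51.100.7:41022 VERIFY ERROR: depth=0, error=certificate revoked: CN=oldlaptop
Fri Dec 6 12:15:03 2019 198.51.100.7:41022 TLS Error: TLS handshake failed
EOF
)

printf '%s\n' "$SAMPLE_LOG" | vpn_session_report \
    || echo "-> at least one peer failed verification; review the FAILED lines"
```

With a revoked client, the second FAILED line is what you expect to see once `crl-verify crl.pem` (the CRL the installer generated) is in effect; a CONNECTED line for a CN you have revoked would mean the CRL is not being applied.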