OpenVPN - Servidor Ubuntu 10.04 LTS e Clientes Windows

Neste Howto vou explicar, detalhadamente, como configurar uma VPN entre Ubuntu 10.04 LTS e Windows XP.

Por José Rodrigues Filho em 27/08/2012

Hits: 33.309 Categoria: Linux Subcategoria: Configuração

Parte 2: Certificados

Criação do Certificado do Servidor

É necessário a geração de um certificado para o servidor OpenVPN:

# ./build-key-server vpn

Como dissemos anteriormente, em:

Organizational Unit Name (eg, section) []:TI
Name []: vpn

Não atribuir um challenge password.

Confirme a assinatura e a atualização do certificado com a tecla 'y'.

Todos os arquivos foram gerados na pasta "keys":

# ls keys/

ca.crt - Certificado Público de sua CA.
ca.key - Chave Privada de sua CA.
index.txt - Controle das chaves geradas pela nova CA.
serial - Controle de número serial das chaves geradas pela nova CA.
server.crt - Certificado público do servidor OpenVPN.
server.key - Chave privada do servidor OpenVPN.

Criando Certificados para Clientes

Para cada novo cliente VPN de sua rede, é necessário criar um certificado exclusivo.

Troque "nome-do-cliente" por um nome único e exclusivo para cada cliente. Ele será o Common Name do certificado gerado.

É importante que no "nome-do-cliente" não haja espaços em branco, nem caracteres especiais ou acentuados. Até é possível, mas se você não usá-los, terá menos problemas.

* Lembre-se de responder às perguntas adequadamente. Elas já virão pré preenchidas pelos valores de "vars", então, apenas aperte ENTER, e em "Organizational Unit Name (eg, section) []:", recomendo colocar TI, e em "Name []:", recomendo colocar joserf

Recomendo não atribuir um challenge password.

Confirme a assinatura e a atualização do certificado com a tecla 'y'.

# ./build-key joserf
# ./build-key reinaldo

Neste momento, já crio todos os usuários que terão acesso, para poupar o trabalho.

Agora, parâmetros do Diffie-Hellman:

# ./build-dh

Agora, voltamos para a pasta do OpenVPN:

# cd /etc/openvpn

Saia do root.

E criaremos um link simbólico para facilitar:

sudo ln -s 2.0/keys keys

Arquivo de configuração

Dentro da pasta /etc/openvpn, crie um arquivo chamado "vpn.conf":

sudo vim vpn.conf

Copie e cole o exemplo abaixo:

dev tun0
port 6999
proto udp
ca keys/ca.crt
cert keys/vpn.crt
key keys/vpn.key
dh keys/dh1024.pem
server 10.15.0.0 255.255.255.0
push "route 10.15.0.0 255.255.255.0"
keepalive 10 120
max-clients 5
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
verb 3

O IP do servidor OpenVPN, no nosso caso, vai ser: 10.15.0.1

sudo /etc/init.d/openvpn restart

Arquivos principais para o cliente

Agora, copie os arquivos do servidor para o cliente Windows XP:

# cd /etc/openvpn/keys

Pegue esses 3 arquivos abaixo, para usarmos no próximo passo:

ca.crt
joserf.crt
joserf.key

Páginas do artigo

   1. Introdução
   2. Certificados
   3. Configurando a Máquina Cliente

Outros artigos deste autor

Administração - Controle de Acessos

FTP com autenticação LDAP

CUPS + Jasmine Ubuntu Server 10.04 LTS (gerenciador de impressões e relatórios de impressão)

Servidor Ubuntu 8.04 com proxy autenticado + SARG + Samba + CUPS

CUPS + Jasmine (gerenciador de impressões e relatórios de impressão)

Leitura recomendada

Dual boot no Fenix Extreme Linux

Remasterizando o Ubuntu

Verificando a temperatura do HD no Slackware

Request Tracker 3 - Ticketing system

Fedora Core 1 :: Firewall e update

Comentários

#1 Comentário enviado por m29 em 23/12/2012 - 20:31h

conecta mas não pinga, ja pesquisei em outros forum muitas pessoas tem esse mesmo erro mas nimguem sabe a solução
caso possa ajudar estou no agurdo

#2 Comentário enviado por joserf em 12/02/2013 - 01:04h

amigo só agora vi sua msg, mas aqui funciona perfeitamente, ja conseguiu resolver ?

#3 Comentário enviado por m29 em 22/02/2013 - 22:16h

fiz tudo novamente e persiste o mesmo erro, conecta mas não pinga
fiz o teste com apache e funcionou, mas não pinga

olha a conexão:

Fri Feb 22 22:11:56 2013 OpenVPN 2.3.0 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Feb 14 2013
Fri Feb 22 22:11:56 2013 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Fri Feb 22 22:11:56 2013 Need hold release from management interface, waiting...
Fri Feb 22 22:11:56 2013 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Fri Feb 22 22:11:56 2013 MANAGEMENT: CMD 'state on'
Fri Feb 22 22:11:56 2013 MANAGEMENT: CMD 'log all on'
Fri Feb 22 22:11:56 2013 MANAGEMENT: CMD 'hold off'
Fri Feb 22 22:11:56 2013 MANAGEMENT: CMD 'hold release'
Fri Feb 22 22:11:56 2013 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Feb 22 22:11:56 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Feb 22 22:11:57 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Feb 22 22:11:57 2013 UDPv4 link local (bound): [undef]
Fri Feb 22 22:11:57 2013 UDPv4 link remote: [AF_INET]187.21.108.240:6999
Fri Feb 22 22:11:57 2013 MANAGEMENT: >STATE:1361581917,WAIT,,,
Fri Feb 22 22:11:57 2013 MANAGEMENT: >STATE:1361581917,AUTH,,,
Fri Feb 22 22:11:57 2013 TLS: Initial packet from [AF_INET]172.16.1.254:6999, sid=557b6266 1e678bba
Fri Feb 22 22:11:57 2013 VERIFY OK: depth=1, C=BR, ST=SP, L=FcoDaRocha, O=Ubuntu, OU=TI, CN=Ubuntu CA, name=ubuntu, emailAddress=meuemail@meu_provedor.com
Fri Feb 22 22:11:57 2013 VERIFY OK: depth=0, C=BR, ST=SP, L=FcoDaRocha, O=Ubuntu, OU=TI, CN=vpn, name=vpn, emailAddress=meuemail@meu_provedor.com
Fri Feb 22 22:11:57 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Feb 22 22:11:57 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 22 22:11:57 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Feb 22 22:11:57 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 22 22:11:57 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Feb 22 22:11:57 2013 [vpn] Peer Connection Initiated with [AF_INET]172.16.1.254:6999
Fri Feb 22 22:11:58 2013 MANAGEMENT: >STATE:1361581918,GET_CONFIG,,,
Fri Feb 22 22:12:00 2013 SENT CONTROL [vpn]: 'PUSH_REQUEST' (status=1)
Fri Feb 22 22:12:00 2013 PUSH: Received control message: 'PUSH_REPLY,route 10.15.0.0 255.255.255.0,route 10.15.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.15.0.6 10.15.0.5'
Fri Feb 22 22:12:00 2013 OPTIONS IMPORT: timers and/or timeouts modified
Fri Feb 22 22:12:00 2013 OPTIONS IMPORT: --ifconfig/up options modified
Fri Feb 22 22:12:00 2013 OPTIONS IMPORT: route options modified
Fri Feb 22 22:12:00 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Feb 22 22:12:00 2013 MANAGEMENT: >STATE:1361581920,ASSIGN_IP,,10.15.0.6,
Fri Feb 22 22:12:00 2013 open_tun, tt->ipv6=0
Fri Feb 22 22:12:00 2013 TAP-WIN32 device [Conexão local 3] opened: \\.\Global\{6EB3C5AD-EBA8-4863-B23F-93ABC9CDCA3A}.tap
Fri Feb 22 22:12:00 2013 TAP-Windows Driver Version 9.9
Fri Feb 22 22:12:00 2013 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.15.0.6/255.255.255.252 on interface {6EB3C5AD-EBA8-4863-B23F-93ABC9CDCA3A} [DHCP-serv: 10.15.0.5, lease-time: 31536000]
Fri Feb 22 22:12:00 2013 NOTE: FlushIpNetTable failed on interface [18] {6EB3^Vnx
Fri Feb 22 22:12:05 2013 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Fri Feb 22 22:12:05 2013 MANAGEMENT: >STATE:1361581925,ADD_ROUTES,,,
Fri Feb 22 22:12:05 2013 C:\Windows\system32\route.exe ADD 10.15.0.0 MASK 255.255.255.0 10.15.0.5
Fri Feb 22 22:12:05 2013 ROUTE: route addition failed using CreateIpForwardEntry: Acesso negado. [status=5 if_index=18]
Fri Feb 22 22:12:05 2013 Route addition via IPAPI failed [adaptive]
Fri Feb 22 22:12:05 2013 Route addition fallback to route.exe
Fri Feb 22 22:12:05 2013 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Fri Feb 22 22:12:05 2013 ERROR: Windows route add command failed [adaptive]: returned error code 1
Fri Feb 22 22:12:05 2013 C:\Windows\system32\route.exe ADD 10.15.0.1 MASK 255.255.255.255 10.15.0.5
Fri Feb 22 22:12:05 2013 ROUTE: route addition failed using CreateIpForwardEntry: Acesso negado. [status=5 if_index=18]
Fri Feb 22 22:12:05 2013 Route addition via IPAPI failed [adaptive]
Fri Feb 22 22:12:05 2013 Route addition fallback to route.exe
Fri Feb 22 22:12:05 2013 env_bloº^VÒx
Fri Feb 22 22:12:05 2013 ERROR: Windows route add command failed [adaptive]: returned error code 1
Fri Feb 22 22:12:05 2013 Initialization Sequence Completed
Fri Feb 22 22:12:05 2013 MANAGEMENT: >STATE:1361581925,CONNECTED,SUCCESS,10.15.0.6,172.16.1.254

#4 Comentário enviado por joserf em 07/04/2013 - 20:44h

[3] Comentário enviado por newchel em 22/02/2013 - 22:16h:

fiz tudo novamente e persiste o mesmo erro, conecta mas não pinga
fiz o teste com apache e funcionou, mas não pinga

olha a conexão:

Fri Feb 22 22:11:56 2013 OpenVPN 2.3.0 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Feb 14 2013
Fri Feb 22 22:11:56 2013 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Fri Feb 22 22:11:56 2013 Need hold release from management interface, waiting...
Fri Feb 22 22:11:56 2013 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Fri Feb 22 22:11:56 2013 MANAGEMENT: CMD 'state on'
Fri Feb 22 22:11:56 2013 MANAGEMENT: CMD 'log all on'
Fri Feb 22 22:11:56 2013 MANAGEMENT: CMD 'hold off'
Fri Feb 22 22:11:56 2013 MANAGEMENT: CMD 'hold release'
Fri Feb 22 22:11:56 2013 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Feb 22 22:11:56 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Feb 22 22:11:57 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Feb 22 22:11:57 2013 UDPv4 link local (bound): [undef]
Fri Feb 22 22:11:57 2013 UDPv4 link remote: [AF_INET]187.21.108.240:6999
Fri Feb 22 22:11:57 2013 MANAGEMENT: >STATE:1361581917,WAIT,,,
Fri Feb 22 22:11:57 2013 MANAGEMENT: >STATE:1361581917,AUTH,,,
Fri Feb 22 22:11:57 2013 TLS: Initial packet from [AF_INET]172.16.1.254:6999, sid=557b6266 1e678bba
Fri Feb 22 22:11:57 2013 VERIFY OK: depth=1, C=BR, ST=SP, L=FcoDaRocha, O=Ubuntu, OU=TI, CN=Ubuntu CA, name=ubuntu, emailAddress=meuemail@meu_provedor.com
Fri Feb 22 22:11:57 2013 VERIFY OK: depth=0, C=BR, ST=SP, L=FcoDaRocha, O=Ubuntu, OU=TI, CN=vpn, name=vpn, emailAddress=meuemail@meu_provedor.com
Fri Feb 22 22:11:57 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Feb 22 22:11:57 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 22 22:11:57 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Feb 22 22:11:57 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 22 22:11:57 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Feb 22 22:11:57 2013 [vpn] Peer Connection Initiated with [AF_INET]172.16.1.254:6999
Fri Feb 22 22:11:58 2013 MANAGEMENT: >STATE:1361581918,GET_CONFIG,,,
Fri Feb 22 22:12:00 2013 SENT CONTROL [vpn]: 'PUSH_REQUEST' (status=1)
Fri Feb 22 22:12:00 2013 PUSH: Received control message: 'PUSH_REPLY,route 10.15.0.0 255.255.255.0,route 10.15.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.15.0.6 10.15.0.5'
Fri Feb 22 22:12:00 2013 OPTIONS IMPORT: timers and/or timeouts modified
Fri Feb 22 22:12:00 2013 OPTIONS IMPORT: --ifconfig/up options modified
Fri Feb 22 22:12:00 2013 OPTIONS IMPORT: route options modified
Fri Feb 22 22:12:00 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Feb 22 22:12:00 2013 MANAGEMENT: >STATE:1361581920,ASSIGN_IP,,10.15.0.6,
Fri Feb 22 22:12:00 2013 open_tun, tt->ipv6=0
Fri Feb 22 22:12:00 2013 TAP-WIN32 device [Conexão local 3] opened: \\.\Global\{6EB3C5AD-EBA8-4863-B23F-93ABC9CDCA3A}.tap
Fri Feb 22 22:12:00 2013 TAP-Windows Driver Version 9.9
Fri Feb 22 22:12:00 2013 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.15.0.6/255.255.255.252 on interface {6EB3C5AD-EBA8-4863-B23F-93ABC9CDCA3A} [DHCP-serv: 10.15.0.5, lease-time: 31536000]
Fri Feb 22 22:12:00 2013 NOTE: FlushIpNetTable failed on interface [18] {6EB3^Vnx
Fri Feb 22 22:12:05 2013 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Fri Feb 22 22:12:05 2013 MANAGEMENT: >STATE:1361581925,ADD_ROUTES,,,
Fri Feb 22 22:12:05 2013 C:\Windows\system32\route.exe ADD 10.15.0.0 MASK 255.255.255.0 10.15.0.5
Fri Feb 22 22:12:05 2013 ROUTE: route addition failed using CreateIpForwardEntry: Acesso negado. [status=5 if_index=18]
Fri Feb 22 22:12:05 2013 Route addition via IPAPI failed [adaptive]
Fri Feb 22 22:12:05 2013 Route addition fallback to route.exe
Fri Feb 22 22:12:05 2013 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Fri Feb 22 22:12:05 2013 ERROR: Windows route add command failed [adaptive]: returned error code 1
Fri Feb 22 22:12:05 2013 C:\Windows\system32\route.exe ADD 10.15.0.1 MASK 255.255.255.255 10.15.0.5
Fri Feb 22 22:12:05 2013 ROUTE: route addition failed using CreateIpForwardEntry: Acesso negado. [status=5 if_index=18]
Fri Feb 22 22:12:05 2013 Route addition via IPAPI failed [adaptive]
Fri Feb 22 22:12:05 2013 Route addition fallback to route.exe
Fri Feb 22 22:12:05 2013 env_bloº^VÒx
Fri Feb 22 22:12:05 2013 ERROR: Windows route add command failed [adaptive]: returned error code 1
Fri Feb 22 22:12:05 2013 Initialization Sequence Completed
Fri Feb 22 22:12:05 2013 MANAGEMENT: >STATE:1361581925,CONNECTED,SUCCESS,10.15.0.6,172.16.1.254

Me explique melhor o seu cenario.

#5 Comentário enviado por marceloviana em 01/06/2015 - 16:35h

Joserf, Obrigado pelo artigo!

Como eu faço para permitir a comunicação entre os clientes que estão conectados no servidor?

#6 Comentário enviado por marceloviana em 01/06/2015 - 20:29h

Descobri como permitir a comunicação entre clientes, faltava só habilitar a travessia de pacotes:
echo 1 > /proc/sys/net/ipv4/ip_forward

Obrigado!