Pular para o conteúdo

OpenVPN - Servidor Ubuntu 10.04 LTS e Clientes Windows

Neste Howto vou explicar, detalhadamente, como configurar uma VPN entre Ubuntu 10.04 LTS e Windows XP.
José Rodrigues Filho joserf

Por José Rodrigues Filho em 27/08/2012

Hits: 33.300 Categoria: Linux Subcategoria: Configuração
  • Indicar
  • Impressora
  • Denunciar

Introdução

Reconheço que existem vários tutoriais aqui VOL, mas quando estava configurando minha própria VPN, tive algumas dúvidas em alguns artigos. Tudo estava certo, a VPN conectava, mas não tinha acesso ao servidor.

Então, estou postando a "receita de bolo" à minha maneira.

Pré-requisitos:
  • Servidor Ubuntu 10.04 LTS;
  • Cliente com Windows XP, ou superior, instalado.

Cenário:

Instalação do servidor OpenVPN

sudo apt-get install openvpn

Após a instalação, entre na pasta do OpenVPN, copie os arquivos de exemplo de configuração da pasta /usr/share/doc/openvpn/examples/easy-rsa/2.0/, para a pasta /etc/openvpn:

cd /etc/openvpn/
$ sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/

Entre na pasta 2.0:

cd 2.0/

Edite o arquivo "vars", ajustando as últimas linhas:

sudo vim vars

export KEY_COUNTRY="BR"
export KEY_PROVINCE="SP"
export KEY_CITY="FcoDaRocha"
# Coloque o nome da sua empresa abaixo
export KEY_ORG="Ubuntu"
export KEY_EMAIL="meuemail@meu_provedor.com"


Entre como root:

sudo su

Agora, execute os comandos abaixo, um de cada vez:

# source ./vars

Você vai receber a seguinte mensagem:
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/2.0/keys

# ./clean-all

Ao rodar o comando abaixo, tecle ENTER apenas para ele completar as informações já adicionadas em "vars".

Ao chegar em: Organizational Unit Name (eg, section) []

- Colocar: TI
- Em Name []: Coloque exatamente como preenchido no arquivo "vars", no nosso exemplo, vai ficar Ubuntu

# ./build-ca

Páginas do artigo

   1. Introdução
   2. Certificados
   3. Configurando a Máquina Cliente

Outros artigos deste autor

CUPS + Jasmine Ubuntu Server 10.04 LTS (gerenciador de impressões e relatórios de impressão)

CUPS + Jasmine (gerenciador de impressões e relatórios de impressão)

Administrando Squid pelo browser, bloquear e liberar máquinas por IP, login, palavras

Administração - Controle de Acessos

Drivers de impressão para clientes com Windows 7/XP

Leitura recomendada

hdparm: Tire o máximo do seu HD

Apertem o cinto, o inittab sumiu!

Instalação e configuração do Ubuntu Gusty Gibbon na linha de notebooks HP/Compaq

Controle de banda sem mistérios para servidores

Como instalar e configurar duas ou mais distros

Comentários

#1 Comentário enviado por m29 em 23/12/2012 - 20:31h
conecta mas não pinga, ja pesquisei em outros forum muitas pessoas tem esse mesmo erro mas nimguem sabe a solução
caso possa ajudar estou no agurdo
#2 Comentário enviado por joserf em 12/02/2013 - 01:04h
amigo só agora vi sua msg, mas aqui funciona perfeitamente, ja conseguiu resolver ?
#3 Comentário enviado por m29 em 22/02/2013 - 22:16h
fiz tudo novamente e persiste o mesmo erro, conecta mas não pinga
fiz o teste com apache e funcionou, mas não pinga

olha a conexão:

Fri Feb 22 22:11:56 2013 OpenVPN 2.3.0 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Feb 14 2013
Fri Feb 22 22:11:56 2013 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Fri Feb 22 22:11:56 2013 Need hold release from management interface, waiting...
Fri Feb 22 22:11:56 2013 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Fri Feb 22 22:11:56 2013 MANAGEMENT: CMD 'state on'
Fri Feb 22 22:11:56 2013 MANAGEMENT: CMD 'log all on'
Fri Feb 22 22:11:56 2013 MANAGEMENT: CMD 'hold off'
Fri Feb 22 22:11:56 2013 MANAGEMENT: CMD 'hold release'
Fri Feb 22 22:11:56 2013 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Feb 22 22:11:56 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Feb 22 22:11:57 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Feb 22 22:11:57 2013 UDPv4 link local (bound): [undef]
Fri Feb 22 22:11:57 2013 UDPv4 link remote: [AF_INET]187.21.108.240:6999
Fri Feb 22 22:11:57 2013 MANAGEMENT: >STATE:1361581917,WAIT,,,
Fri Feb 22 22:11:57 2013 MANAGEMENT: >STATE:1361581917,AUTH,,,
Fri Feb 22 22:11:57 2013 TLS: Initial packet from [AF_INET]172.16.1.254:6999, sid=557b6266 1e678bba
Fri Feb 22 22:11:57 2013 VERIFY OK: depth=1, C=BR, ST=SP, L=FcoDaRocha, O=Ubuntu, OU=TI, CN=Ubuntu CA, name=ubuntu, emailAddress=meuemail@meu_provedor.com
Fri Feb 22 22:11:57 2013 VERIFY OK: depth=0, C=BR, ST=SP, L=FcoDaRocha, O=Ubuntu, OU=TI, CN=vpn, name=vpn, emailAddress=meuemail@meu_provedor.com
Fri Feb 22 22:11:57 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Feb 22 22:11:57 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 22 22:11:57 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Feb 22 22:11:57 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 22 22:11:57 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Feb 22 22:11:57 2013 [vpn] Peer Connection Initiated with [AF_INET]172.16.1.254:6999
Fri Feb 22 22:11:58 2013 MANAGEMENT: >STATE:1361581918,GET_CONFIG,,,
Fri Feb 22 22:12:00 2013 SENT CONTROL [vpn]: 'PUSH_REQUEST' (status=1)
Fri Feb 22 22:12:00 2013 PUSH: Received control message: 'PUSH_REPLY,route 10.15.0.0 255.255.255.0,route 10.15.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.15.0.6 10.15.0.5'
Fri Feb 22 22:12:00 2013 OPTIONS IMPORT: timers and/or timeouts modified
Fri Feb 22 22:12:00 2013 OPTIONS IMPORT: --ifconfig/up options modified
Fri Feb 22 22:12:00 2013 OPTIONS IMPORT: route options modified
Fri Feb 22 22:12:00 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Feb 22 22:12:00 2013 MANAGEMENT: >STATE:1361581920,ASSIGN_IP,,10.15.0.6,
Fri Feb 22 22:12:00 2013 open_tun, tt->ipv6=0
Fri Feb 22 22:12:00 2013 TAP-WIN32 device [Conexão local 3] opened: \\.\Global\{6EB3C5AD-EBA8-4863-B23F-93ABC9CDCA3A}.tap
Fri Feb 22 22:12:00 2013 TAP-Windows Driver Version 9.9
Fri Feb 22 22:12:00 2013 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.15.0.6/255.255.255.252 on interface {6EB3C5AD-EBA8-4863-B23F-93ABC9CDCA3A} [DHCP-serv: 10.15.0.5, lease-time: 31536000]
Fri Feb 22 22:12:00 2013 NOTE: FlushIpNetTable failed on interface [18] {6EB3^Vnx 
Fri Feb 22 22:12:05 2013 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Fri Feb 22 22:12:05 2013 MANAGEMENT: >STATE:1361581925,ADD_ROUTES,,,
Fri Feb 22 22:12:05 2013 C:\Windows\system32\route.exe ADD 10.15.0.0 MASK 255.255.255.0 10.15.0.5
Fri Feb 22 22:12:05 2013 ROUTE: route addition failed using CreateIpForwardEntry: Acesso negado. [status=5 if_index=18]
Fri Feb 22 22:12:05 2013 Route addition via IPAPI failed [adaptive]
Fri Feb 22 22:12:05 2013 Route addition fallback to route.exe
Fri Feb 22 22:12:05 2013 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Fri Feb 22 22:12:05 2013 ERROR: Windows route add command failed [adaptive]: returned error code 1
Fri Feb 22 22:12:05 2013 C:\Windows\system32\route.exe ADD 10.15.0.1 MASK 255.255.255.255 10.15.0.5
Fri Feb 22 22:12:05 2013 ROUTE: route addition failed using CreateIpForwardEntry: Acesso negado. [status=5 if_index=18]
Fri Feb 22 22:12:05 2013 Route addition via IPAPI failed [adaptive]
Fri Feb 22 22:12:05 2013 Route addition fallback to route.exe
Fri Feb 22 22:12:05 2013 env_bloº^VÒx 
Fri Feb 22 22:12:05 2013 ERROR: Windows route add command failed [adaptive]: returned error code 1
Fri Feb 22 22:12:05 2013 Initialization Sequence Completed
Fri Feb 22 22:12:05 2013 MANAGEMENT: >STATE:1361581925,CONNECTED,SUCCESS,10.15.0.6,172.16.1.254
#4 Comentário enviado por joserf em 07/04/2013 - 20:44h

[3] Comentário enviado por newchel em 22/02/2013 - 22:16h:

fiz tudo novamente e persiste o mesmo erro, conecta mas não pinga
fiz o teste com apache e funcionou, mas não pinga

olha a conexão:

Fri Feb 22 22:11:56 2013 OpenVPN 2.3.0 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Feb 14 2013
Fri Feb 22 22:11:56 2013 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Fri Feb 22 22:11:56 2013 Need hold release from management interface, waiting...
Fri Feb 22 22:11:56 2013 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Fri Feb 22 22:11:56 2013 MANAGEMENT: CMD 'state on'
Fri Feb 22 22:11:56 2013 MANAGEMENT: CMD 'log all on'
Fri Feb 22 22:11:56 2013 MANAGEMENT: CMD 'hold off'
Fri Feb 22 22:11:56 2013 MANAGEMENT: CMD 'hold release'
Fri Feb 22 22:11:56 2013 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Feb 22 22:11:56 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Feb 22 22:11:57 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Feb 22 22:11:57 2013 UDPv4 link local (bound): [undef]
Fri Feb 22 22:11:57 2013 UDPv4 link remote: [AF_INET]187.21.108.240:6999
Fri Feb 22 22:11:57 2013 MANAGEMENT: >STATE:1361581917,WAIT,,,
Fri Feb 22 22:11:57 2013 MANAGEMENT: >STATE:1361581917,AUTH,,,
Fri Feb 22 22:11:57 2013 TLS: Initial packet from [AF_INET]172.16.1.254:6999, sid=557b6266 1e678bba
Fri Feb 22 22:11:57 2013 VERIFY OK: depth=1, C=BR, ST=SP, L=FcoDaRocha, O=Ubuntu, OU=TI, CN=Ubuntu CA, name=ubuntu, emailAddress=meuemail@meu_provedor.com
Fri Feb 22 22:11:57 2013 VERIFY OK: depth=0, C=BR, ST=SP, L=FcoDaRocha, O=Ubuntu, OU=TI, CN=vpn, name=vpn, emailAddress=meuemail@meu_provedor.com
Fri Feb 22 22:11:57 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Feb 22 22:11:57 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 22 22:11:57 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Feb 22 22:11:57 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 22 22:11:57 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Feb 22 22:11:57 2013 [vpn] Peer Connection Initiated with [AF_INET]172.16.1.254:6999
Fri Feb 22 22:11:58 2013 MANAGEMENT: >STATE:1361581918,GET_CONFIG,,,
Fri Feb 22 22:12:00 2013 SENT CONTROL [vpn]: 'PUSH_REQUEST' (status=1)
Fri Feb 22 22:12:00 2013 PUSH: Received control message: 'PUSH_REPLY,route 10.15.0.0 255.255.255.0,route 10.15.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.15.0.6 10.15.0.5'
Fri Feb 22 22:12:00 2013 OPTIONS IMPORT: timers and/or timeouts modified
Fri Feb 22 22:12:00 2013 OPTIONS IMPORT: --ifconfig/up options modified
Fri Feb 22 22:12:00 2013 OPTIONS IMPORT: route options modified
Fri Feb 22 22:12:00 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Feb 22 22:12:00 2013 MANAGEMENT: >STATE:1361581920,ASSIGN_IP,,10.15.0.6,
Fri Feb 22 22:12:00 2013 open_tun, tt->ipv6=0
Fri Feb 22 22:12:00 2013 TAP-WIN32 device [Conexão local 3] opened: \\.\Global\{6EB3C5AD-EBA8-4863-B23F-93ABC9CDCA3A}.tap
Fri Feb 22 22:12:00 2013 TAP-Windows Driver Version 9.9
Fri Feb 22 22:12:00 2013 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.15.0.6/255.255.255.252 on interface {6EB3C5AD-EBA8-4863-B23F-93ABC9CDCA3A} [DHCP-serv: 10.15.0.5, lease-time: 31536000]
Fri Feb 22 22:12:00 2013 NOTE: FlushIpNetTable failed on interface [18] {6EB3^Vnx 
Fri Feb 22 22:12:05 2013 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Fri Feb 22 22:12:05 2013 MANAGEMENT: >STATE:1361581925,ADD_ROUTES,,,
Fri Feb 22 22:12:05 2013 C:\Windows\system32\route.exe ADD 10.15.0.0 MASK 255.255.255.0 10.15.0.5
Fri Feb 22 22:12:05 2013 ROUTE: route addition failed using CreateIpForwardEntry: Acesso negado. [status=5 if_index=18]
Fri Feb 22 22:12:05 2013 Route addition via IPAPI failed [adaptive]
Fri Feb 22 22:12:05 2013 Route addition fallback to route.exe
Fri Feb 22 22:12:05 2013 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Fri Feb 22 22:12:05 2013 ERROR: Windows route add command failed [adaptive]: returned error code 1
Fri Feb 22 22:12:05 2013 C:\Windows\system32\route.exe ADD 10.15.0.1 MASK 255.255.255.255 10.15.0.5
Fri Feb 22 22:12:05 2013 ROUTE: route addition failed using CreateIpForwardEntry: Acesso negado. [status=5 if_index=18]
Fri Feb 22 22:12:05 2013 Route addition via IPAPI failed [adaptive]
Fri Feb 22 22:12:05 2013 Route addition fallback to route.exe
Fri Feb 22 22:12:05 2013 env_bloº^VÒx 
Fri Feb 22 22:12:05 2013 ERROR: Windows route add command failed [adaptive]: returned error code 1
Fri Feb 22 22:12:05 2013 Initialization Sequence Completed
Fri Feb 22 22:12:05 2013 MANAGEMENT: >STATE:1361581925,CONNECTED,SUCCESS,10.15.0.6,172.16.1.254


Me explique melhor o seu cenario.
#5 Comentário enviado por marceloviana em 01/06/2015 - 16:35h
Joserf, Obrigado pelo artigo!

Como eu faço para permitir a comunicação entre os clientes que estão conectados no servidor?
#6 Comentário enviado por marceloviana em 01/06/2015 - 20:29h
Descobri como permitir a comunicação entre clientes, faltava só habilitar a travessia de pacotes:
echo 1 > /proc/sys/net/ipv4/ip_forward

Obrigado!


Contribuir com comentário

Entre na sua conta para comentar.