Connecting a Debian client to OpenVPN in a VirtualBox Debian VM

1. Connecting a Debian client to OpenVPN in a VirtualBox Debian VM

Marco Brainiac
mbrainiac

(uses Debian)

Sent on 24/10/2013 - 12:33h

Dear Sirs,

I have Debian 7 with an OpenVPN SERVER installed in VirtualBox, as a guest of a Linux Mint 13, connected to Vivo Fixa (Speedy).

The client is a Debian 7 desktop connected to Vivo (3G).

The keys have already been created and installed on both the client and the server.

The services report no errors when started on the client and on the server (/etc/init.d/openvpn restart).

But some details are still missing to get the server and the client talking: the server's 10.15.0.1 on the tunnel with the client's 10.15.0.2 on the tunnel.


Server

root@debianVPN:/home/jga# route
Tabela de Roteamento IP do Kernel
Destino Roteador MáscaraGen. Opções Métrica Ref Uso Iface
default 192.168.0.1 0.0.0.0 UG 0 0 0 eth1
10.15.0.0 10.15.0.2 255.255.255.0 UG 0 0 0 tun0
10.15.0.2 * 255.255.255.255 UH 0 0 0 tun0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
192.168.10.0 * 255.255.255.0 U 0 0 0 eth0

root@debianVPN:/home/jga# ifconfig
eth0 Link encap:Ethernet Endereço de HW 08:00:27:a9:c3:dd
inet end.: 192.168.10.100 Bcast:10.15.10.255 Masc:255.255.255.0
endereço inet6: fe80::a00:27ff:fea9:c3dd/64 Escopo:Link
UP BROADCASTRUNNING MULTICAST MTU:1500 Métrica:1
RX packets:1 errors:0 dropped:0 overruns:0 frame:0
TX packets:92 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:1000
RX bytes:60 (60.0 B) TX bytes:16759 (16.3 KiB)

eth1 Link encap:Ethernet Endereço de HW 08:00:27:2f:28:25
inet end.: 192.168.0.114 Bcast:192.168.0.255 Masc:255.255.255.0
endereço inet6: fe80::a00:27ff:fe2f:2825/64 Escopo:Link
UP BROADCASTRUNNING MULTICAST MTU:1500 Métrica:1
RX packets:116 errors:0 dropped:0 overruns:0 frame:0
TX packets:127 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:1000
RX bytes:15639 (15.2 KiB) TX bytes:20676 (20.1 KiB)

lo Link encap:Loopback Local
inet end.: 127.0.0.1 Masc:255.0.0.0
endereço inet6: ::1/128 Escopo:Máquina
UP LOOPBACKRUNNING MTU:16436 Métrica:1
RX packets:24 errors:0 dropped:0 overruns:0 frame:0
TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:0
RX bytes:1240 (1.2 KiB) TX bytes:1240 (1.2 KiB)

tun0 Link encap:Não Especificado Endereço de HW 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet end.: 10.15.0.1 P-a-P:10.15.0.2 Masc:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Métrica:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:269 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:22596 (22.0 KiB)



################### SERVER NETWORK INTERFACES ###############################

nano /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# network interface configuration
auto lo
iface lo inet loopback

# Primary NIC (with DHCP, DNS, SSH, SAMBA servers) BRIDGED IN VIRTUALBOX
auto eth0
allow-hotplug eth0
iface eth0 inet static
address 192.168.10.100
netmask 255.255.255.0
network 192.168.10.0
# broadcast address of 192.168.10.0/24 (the posted file had 10.15.10.255,
# which does not belong to this network; ifconfig above shows that value)
broadcast 192.168.10.255

# Secondary NIC (dedicated to the external VPN network) NAT IN VIRTUALBOX
auto eth1
allow-hotplug eth1
iface eth1 inet dhcp



######### Server configuration file ##################################

# Which local IP address should OpenVPN
# listen on? (optional)

# Which TCP/UDP port should OpenVPN listen on?
port 1194

# TCP or UDP server?
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
dev tun0

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret

# Diffie hellman parameters.
dh /etc/openvpn/keys/dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
server 10.15.0.0 255.255.255.0

# Maintain a record of client virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 192.168.192.0 255.255.255.0" # route pushed to the client

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
#push "dhcp-option DNS 10.0.0.10"
#push "dhcp-option DNS 10.0.0.11"
#push "dhcp-option DOMAIN blogdonerd.com.br"

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

float

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
tls-auth /etc/openvpn/keys/ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
cipher AES-128-CBC # AES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
user nobody
group nogroup

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/log/openvpn/openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
log-append /var/log/openvpn/openvpn.log

# Set the appropriate level of log
# file verbosity.
verb 3

script-security 2




########## VPN SERVER KEYS ##########

root@debianVPN:/etc/openvpn/keys# ls
01.pem coordenador.crt index.txt serial server.key
02.pem coordenador.csr index.txt.attr serial.old ta.key
ca.crt coordenador.key index.txt.attr.old server.crt
ca.key dh1024.pem index.txt.old server.csr





&&&&&&&&&&&&&&&&&&&&& Debian client on 3G &&&&&&&&&&&&&&&

DEBIAN CLIENT

Client on Vivo 3G
root@hotpc:/etc/openvpn# route
Tabela de Roteamento IP do Kernel
Destino Roteador MáscaraGen. Opções Métrica Ref Uso Iface
default 10.64.64.64 0.0.0.0 UG 0 0 0 ppp0
10.64.64.64 * 255.255.255.255 UH 0 0 0 ppp0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0


root@hotpc:/etc/openvpn# ping 10.15.0.1
PING 10.15.0.1 (10.15.0.1) 56(84) bytes of data.
^C
--- 10.15.0.1 ping statistics ---
252 packets transmitted, 0 received, 100% packet loss, time 252841ms



&&&&&&&&&&&&&&&& Debian client configuration file &&&&&&&&&&&&&&
# /etc/openvpn/openvpn.ovpn

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
dev tun

script-security 2

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 192.168.0.1 1194 # carrier (VIVO) gateway IP and port

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client.crt
key client.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-128-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
# (option names are case-sensitive; the posted file had "Verb 3")
verb 3


&&&&&&&&&&&&&&& Keys installed on the client &&&&&&&&&&&&&&&&&&&&&&&&&&&
root@hotpc:/etc/openvpn# ls -a
. .. ca.crt client.crt client.key openvpn.ovpn ta.key

2. Re: Connecting a Debian client to OpenVPN in a VirtualBox Debian VM

Marco Brainiac
mbrainiac

(uses Debian)

Sent on 24/10/2013 - 12:36h

NIC on the Debian server connected to Vivo Fixo (formerly Speedy)

Configuration inside VirtualBox:

eth1 in NAT, connecting the VPN

eth0 in BRIDGE on the internal network


https://wiki.debian.org/OpenVPN

Communication test on the client
root@hotpc:/home/brainiac# openvpn --remote SERVER_IP --dev tun1 --ifconfig 10.15.0.2 10.15.0.1
Thu Oct 24 15:34:15 2013 OpenVPN 2.2.1 i486-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 19 2013
Thu Oct 24 15:34:15 2013 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Thu Oct 24 15:34:15 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Oct 24 15:34:15 2013 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
Thu Oct 24 15:34:16 2013 RESOLVE: Cannot resolve host address: SERVER_IP: [HOST_NOT_FOUND] The specified host is unknown.
Thu Oct 24 15:34:16 2013 TUN/TAP device tun1 opened
Thu Oct 24 15:34:16 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Oct 24 15:34:16 2013 /sbin/ifconfig tun1 10.15.0.2 pointopoint 10.15.0.1 mtu 1500
Thu Oct 24 15:34:16 2013 RESOLVE: Cannot resolve host address: SERVER_IP: [HOST_NOT_FOUND] The specified host is unknown.
Thu Oct 24 15:34:22 2013 RESOLVE: Cannot resolve host address: SERVER_IP: [HOST_NOT_FOUND] The specified host is unknown.
Thu Oct 24 15:34:27 2013 RESOLVE: Cannot resolve host address: SERVER_IP: [HOST_NOT_FOUND] The specified host is unknown.
Thu Oct 24 15:34:33 2013 RESOLVE: Cannot resolve host address: SERVER_IP: [HOST_NOT_FOUND] The specified host is unknown.
Thu Oct 24 15:34:39 2013 RESOLVE: Cannot resolve host address: SERVER_IP: [HOST_NOT_FOUND] The specified host is unknown.
^CThu Oct 24 15:34:42 2013 RESOLVE: signal received during DNS resolution attempt
Thu Oct 24 15:34:42 2013 /sbin/ifconfig tun1 0.0.0.0
Thu Oct 24 15:34:42 2013 SIGINT[hard,init_instance] received, process exiting
root@hotpc:/home/brainiac# openvpn --remote 192.168.0.1 --dev tun1 --ifconfig 10.15.0.2 10.15.0.1
Thu Oct 24 15:41:25 2013 OpenVPN 2.2.1 i486-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 19 2013
Thu Oct 24 15:41:25 2013 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Thu Oct 24 15:41:25 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Oct 24 15:41:25 2013 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
Thu Oct 24 15:41:25 2013 TUN/TAP device tun1 opened
Thu Oct 24 15:41:25 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Oct 24 15:41:25 2013 /sbin/ifconfig tun1 10.15.0.2 pointopoint 10.15.0.1 mtu 1500
Thu Oct 24 15:41:25 2013 UDPv4 link local (bound): [undef]
Thu Oct 24 15:41:25 2013 UDPv4 link remote: [AF_INET]192.168.0.1:1194
^CThu Oct 24 15:47:38 2013 event_wait : Interrupted system call (code=4)
Thu Oct 24 15:47:38 2013 /sbin/ifconfig tun1 0.0.0.0
Thu Oct 24 15:47:38 2013 SIGINT[hard,] received, process exiting



Communication test on the server:

root@debianVPN:/home/jga# openvpn --remote CLIENT_IP --dev tun1 --ifconfig 10.15.0.1 10.15.0.2
Thu Oct 24 15:43:57 2013 OpenVPN 2.2.1 i486-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 19 2013
Thu Oct 24 15:43:57 2013 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Thu Oct 24 15:43:57 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Oct 24 15:43:57 2013 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
Thu Oct 24 15:43:57 2013 TCP/UDP: Socket bind failed on local address [undef]: Address already in use
Thu Oct 24 15:43:57 2013 Exiting
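The configuration files in the first post and the manual tests in this reply raise the same two questions: is the client's remote (192.168.0.1, an RFC 1918 address) something a 3G client can reach at all, and do both ends still carry matching TLS material, since the bare openvpn --remote test above ran with "all encryption and authentication features disabled". The script below is an added example, not code from the thread or from OpenVPN; SERVER_CONF and CLIENT_CONF are constructed excerpts of the posted files, and parse/check are hypothetical helper names.

```python
import ipaddress

# Constructed excerpts of the two configs posted above (not the complete files).
SERVER_CONF = """proto udp
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
tls-auth /etc/openvpn/keys/ta.key 0
cipher AES-128-CBC
comp-lzo"""

CLIENT_CONF = """client
proto udp
remote 192.168.0.1 1194 # the post calls this the carrier gateway
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
cipher AES-128-CBC
comp-lzo"""

def parse(conf):
    """Map each option to its argument list; '#' and ';' start comments."""
    opts = {}
    for line in conf.splitlines():
        words = line.split('#')[0].split()
        if words and not words[0].startswith(';'):
            opts[words[0]] = words[1:]
    return opts

def check(server, client):
    findings = []
    host, port = (client.get('remote', ['?']) + ['1194'])[:2]
    try:  # an RFC 1918 'remote' is only reachable from inside that LAN
        if ipaddress.ip_address(host).is_private:
            findings.append(f"remote {host} is private: use the public address "
                            f"and forward UDP {port} to the VM")
    except ValueError:
        pass  # a DNS name; nothing to decide statically
    for opt in ('proto', 'cipher', 'comp-lzo'):  # must agree on both ends
        if server.get(opt) != client.get(opt):
            findings.append(f"{opt} differs: server={server.get(opt)} client={client.get(opt)}")
    s_ta, c_ta = server.get('tls-auth'), client.get('tls-auth')
    if (s_ta is None) != (c_ta is None) or (s_ta and (s_ta[-1], c_ta[-1]) != ('0', '1')):
        findings.append("tls-auth must be set on both sides, direction 0 server / 1 client")
    for side, conf in (('server', server), ('client', client)):
        missing = [o for o in ('ca', 'cert', 'key') if o not in conf]
        if missing:  # no TLS material: OpenVPN tunnels cleartext, as the manual test warned
            findings.append(f"{side}: missing {missing}: unauthenticated cleartext tunnel")
    return findings
```

Run against the posted excerpts it reports only the private remote address; the port-forward on the home router (eth1 is behind VirtualBox NAT, which needs its own forwarding rule as well) is outside what a config check can see.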







