Ajout fichiers de conf openvpn
This commit is contained in:
parent
4b163da5e9
commit
a74ec3c9da
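--- a/openvpn-conf/client/gnu-linux/client.conf
+++ b/openvpn-conf/client/gnu-linux/client.conf
@@ -0,0 +1,31 @@
+client
+dev tun
+proto tcp-client
+remote xxx.xxx.xxx.xxx 443
+resolv-retry infinite
+cipher AES-256-CBC
+redirect-gateway
+
+# Cles
+# Prouver l'identité
+ca ca.crt
+tls-auth ta.key 1
+key-direction 1
+ns-cert-type server
+auth-user-pass
+auth-nocache
+
+# Securite
+nobind
+persist-key
+persist-tun
+comp-lzo
+verb 3
+
+# DNS
+script-security 2
+up ./update-resolv.sh
+down ./update-resolv.sh
+
+# Proxy ?
+# http-proxy cache.univ.fr 3128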
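Review bot: `ns-cert-type server` in the key section was deprecated in OpenVPN 2.4 and removed in 2.5, so newer clients reject this file; the replacement is `remote-cert-tls server`, which validates the server certificate's extended key usage instead of the obsolete nsCertType extension. `comp-lzo` enables compression on the tunnel, which current OpenVPN guidance advises against because compression of encrypted traffic opens it to compression-oracle attacks; drop it on both sides or confirm the server genuinely needs it. The Windows variant at openvpn-conf/client/windows/client.conf carries the same two lines. Note also that `up ./update-resolv.sh` is resolved relative to OpenVPN's working directory, so this only works when the daemon is started from the config directory or with `--cd`.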
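--- a/openvpn-conf/client/gnu-linux/update-resolv.sh
+++ b/openvpn-conf/client/gnu-linux/update-resolv.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+#
+# Parses DHCP options from openvpn to update resolv.conf
+# To use set as 'up' and 'down' script in your openvpn *.conf:
+# up /etc/openvpn/update-resolv-conf
+# down /etc/openvpn/update-resolv-conf
+#
+# Used snippets of resolvconf script by Thomas Hood <jdthood@yahoo.co.uk>
+# and Chris Hanson
+# Licensed under the GNU GPL. See /usr/share/common-licenses/GPL.
+# 07/2013 colin@daedrum.net Fixed intet name
+# 05/2006 chlauber@bnc.ch
+#
+# Example envs set from openvpn:
+# foreign_option_1='dhcp-option DNS 193.43.27.132'
+# foreign_option_2='dhcp-option DNS 193.43.27.133'
+# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
+
+#[ -x $(which resolvconf) ] || exit 0
+[ -x /usr/bin/resolvconf ] || exit 0
+
+case $script_type in
+
+up)
+for optionname in ${!foreign_option_*} ; do
+option="${!optionname}"
+echo $option
+part1=$(echo "$option" | cut -d " " -f 1)
+if [ "$part1" == "dhcp-option" ] ; then
+part2=$(echo "$option" | cut -d " " -f 2)
+part3=$(echo "$option" | cut -d " " -f 3)
+if [ "$part2" == "DNS" ] ; then
+IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
+fi
+if [ "$part2" == "DOMAIN" ] ; then
+IF_DNS_SEARCH="$IF_DNS_SEARCH $part3"
+fi
+fi
+done
+R=""
+if [ "$IF_DNS_SEARCH" ] ; then
+R="${R}search $IF_DNS_SEARCH
+"
+fi
+for NS in $IF_DNS_NAMESERVERS ; do
+R="${R}nameserver $NS
+"
+done
+#echo -n "$R" | resolvconf -p -a "${dev}"
+echo -n "$R" | /usr/bin/resolvconf -a "${dev}.inet"
+;;
+down)
+resolvconf -d "${dev}.inet"
+;;
+esac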
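Review bot: The `down)` branch calls a bare `resolvconf` while `up)` and the guard at the top use `/usr/bin/resolvconf`, so if OpenVPN's hook environment carries a reduced PATH the teardown can fail silently and leave the VPN nameservers in resolv.conf after disconnect; use the same absolute path, `/usr/bin/resolvconf -d "${dev}.inet"`. `echo $option` is unquoted and subject to word splitting and globbing (`printf '%s\n' "$option"`), and `$IF_DNS_NAMESERVERS`/`$IF_DNS_SEARCH` are never initialised, so values already present in the environment would be merged into the generated file. The pushed DNS values are written verbatim; a syntax check such as `[[ "$part3" =~ ^[0-9.:A-Fa-f]+$ ]]` before appending keeps a malformed `dhcp-option` out of resolv.conf.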
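--- a/openvpn-conf/client/windows/client.conf
+++ b/openvpn-conf/client/windows/client.conf
@@ -0,0 +1,26 @@
+client
+dev tun
+proto tcp-client
+remote xxx.xxx.xxx.xxx 443
+resolv-retry infinite
+cipher AES-256-CBC
+redirect-gateway
+
+# Cles
+# Prouver l'identité
+ca ca.crt
+tls-auth ta.key 1
+key-direction 1
+ns-cert-type server
+auth-user-pass
+auth-nocache
+
+# Securite
+nobind
+persist-key
+persist-tun
+comp-lzo
+verb 3
+
+# Proxy ?
+# http-proxy cache.univ.fr 3128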
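--- a/openvpn-conf/serveur/scripts/config.sh
+++ b/openvpn-conf/serveur/scripts/config.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# Serveur
+HOST='localhost'
+# Port (par défaut : 3306)
+PORT='3306'
+# Username
+USER='vpn_user'
+# Password
+PASS='mdp'
+# Nom de la base de données
+DB='vpn'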
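Review bot: `PASS='mdp'` stores the MySQL password in a file that is committed to the repository and sourced by every hook, and each caller (connect.sh, disconnect.sh, login.sh) then passes it as `-p$PASS` on the mysql command line, where any local user can read it from `ps` or /proc while the query runs. Keep the real credentials in a file outside version control, readable only by the uid the hooks run under (serveur.conf drops to `user nobody`), and hand the password to the client through the environment instead of argv: `export MYSQL_PWD="$PASS"` here and drop the `-p$PASS` argument in the three scripts, or use `--defaults-extra-file`. A header comment such as `# Credentials for the OpenVPN hook scripts - keep mode 0600, do not commit real values` would make the intent explicit.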
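--- a/openvpn-conf/serveur/scripts/connect.sh
+++ b/openvpn-conf/serveur/scripts/connect.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+. /etc/openvpn/scripts/config.sh
+
+# On insert les données dans la table de log
+mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "INSERT INTO log (log_id, user_id, log_trusted_ip, log_trusted_port, log_remote_ip, log_remote_port, log_start_time, log_end_time, log_received, log_send) VALUES(NULL, '$common_name','$trusted_ip', '$trusted_port','$ifconfig_pool_remote_ip', '$remote_port_1', now(),'0000-00-00 00:00:00', '$bytes_received', '$bytes_sent')"
+
+# On spécifie que l'utilisateur est en ligne
+mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "UPDATE user SET user_online=1 WHERE user_id='$common_name'"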
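Review bot: Both queries build SQL by interpolating OpenVPN environment variables, and with `username-as-common-name` in serveur.conf `$common_name` is the name the client typed at login, so the INSERT and the UPDATE are string-built from client-influenced text; login.sh's equality check narrows it to values that exist as user_id in the database, which only helps as long as stored ids contain no quotes. The same pattern is in disconnect.sh and login.sh (where `$username` and `$password` are raw client input). A strict allow-list before any query, `[[ "$common_name" =~ ^[A-Za-z0-9_.@-]{1,64}$ ]] || exit 1`, plus quoting every expansion (`-h"$HOST" -P"$PORT" -u"$USER" "$DB"`), removes the ambiguity; the `'0000-00-00 00:00:00'` sentinel may also be rejected by MySQL 5.7+ in strict mode (NO_ZERO_DATE), so a NULL end time is the safer marker.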
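--- a/openvpn-conf/serveur/scripts/disconnect.sh
+++ b/openvpn-conf/serveur/scripts/disconnect.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+. /etc/openvpn/scripts/config.sh
+
+# On précise que l'utilisateur n'est plus en ligne
+mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "UPDATE user SET user_online=0 WHERE user_id='$common_name'"
+
+# On insert le datetime de déconnexion
+mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "UPDATE log SET log_end_time=now(), log_received='$bytes_received', log_send='$bytes_sent' WHERE log_trusted_ip='$trusted_ip' AND log_trusted_port='$trusted_port' AND user_id='$common_name' AND log_end_time='0000-00-00 00:00:00'"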
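--- a/openvpn-conf/serveur/scripts/login.sh
+++ b/openvpn-conf/serveur/scripts/login.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+. /etc/openvpn/scripts/config.sh
+
+# Authentication
+user_id=$(mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -sN -e "SELECT user_id FROM user WHERE user_id = '$username' AND user_pass = SHA1('$password') AND user_enable=1 AND (TO_DAYS(now()) >= TO_DAYS(user_start_date) OR user_start_date='0000-00-00') AND (TO_DAYS(now()) <= TO_DAYS(user_end_date) OR user_end_date='0000-00-00')")
+
+# Vérification de l'utilisateur
+[ "$user_id" != '' ] && [ "$user_id" = "$username" ] && echo "user : $username" && echo 'authentication ok.' && exit 0 || echo 'authentication failed.'; exit 1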
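Review bot: The user-supplied `$password` is spliced into the `-e` SQL string, so it appears on the mysql command line (visible to local users via `ps`) and reaches the server unescaped alongside `$username`; the `[ "$user_id" = "$username" ]` comparison afterwards limits some outcomes but does not address the injection itself. Fetching the stored hash for an allow-listed username and comparing it in the shell keeps both the password and any SQL metacharacters out of the query, and an explicit if/else replaces the `&& … || … ; exit 1` chain, which is hard to read although it happens to exit correctly. Unsalted `SHA1()` as the stored password hash is weak by today's standards; if the schema can change, a salted slow hash is the longer-term fix.
```shell
# … unchanged: shebang and config sourcing …

# Authentication: only an allow-listed username reaches SQL, and the password
# is hashed locally, so neither raw value appears in a mysql argument.
[[ "$username" =~ ^[A-Za-z0-9_.@-]{1,64}$ ]] || { echo 'authentication failed.'; exit 1; }
export MYSQL_PWD="$PASS"
stored_hash=$(mysql -h"$HOST" -P"$PORT" -u"$USER" "$DB" -sN -e "SELECT user_pass FROM user WHERE user_id = '$username' AND user_enable=1 AND (TO_DAYS(now()) >= TO_DAYS(user_start_date) OR user_start_date='0000-00-00') AND (TO_DAYS(now()) <= TO_DAYS(user_end_date) OR user_end_date='0000-00-00')")
given_hash=$(printf '%s' "$password" | sha1sum | cut -d ' ' -f 1)

# Vérification de l'utilisateur
if [ -n "$stored_hash" ] && [ "${stored_hash,,}" = "$given_hash" ]; then
  echo "user : $username"
  echo 'authentication ok.'
  exit 0
fi
echo 'authentication failed.'
exit 1
```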
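--- a/openvpn-conf/serveur/serveur.conf
+++ b/openvpn-conf/serveur/serveur.conf
@@ -0,0 +1,84 @@
+# Server en tcp, port 443 en écoute en créant un tunnel
+mode server
+proto tcp
+port 443
+dev tun
+
+## CLE, CERTIFICATS ET CONFIGURATION RÉSEAU ##
+# Prouver l'identité
+ca ca.crt
+# Clé publique du serveur
+cert server.crt
+# Clé privée du serveur
+key server.key
+# Clé partagée (utilisé pour le chiffrement symétrique, hashage...)
+dh dh1024.pem
+# Augmente la sécurité (DDOS, port flooding...)
+# Deuxième paramètre à 0 sur le serveur et 1 sur le client)
+tls-auth ta.key 0
+# Choix de la méthode de cryptographie
+cipher AES-256-CBC
+
+# Reseau
+# Sous réseau, le serveur prendra l'adresse 10.8.0.1 et le reste sera disponible pour les clients
+server 10.8.0.0 255.255.255.0
+
+# Redirection du trafic via internet
+push "redirect-gateway def1"
+
+# Utilisation de DNS alternatifs (OpenDNS)
+push "dhcp-option DNS 208.67.222.222"
+push "dhcp-option DNS 208.67.220.220"
+
+# (DNS de Google)
+# push "dhcp-option DNS 8.8.8.8"
+# push "dhcp-option DNS 8.8.4.4"
+
+# Ping toutes les 10 secondes et si après 120 secondes le client ne répond toujours pas alors on déconnecte
+keepalive 10 120
+# Regenerer la clé du canal toutes les 5h (implique la déconnexion du client)
+reneg-sec 18000
+
+## SECURITE ##
+
+# On abaisse les privilèges du démon
+user nobody
+group nogroup
+
+# Rend les clés persistantes au démarrage
+# Donc, plus besoin de relire les clés cryptographiques (dont on aurait pas eu les droits car on a abaissé les privilèges du démon)
+persist-key
+# Ne pas fermer et rouvrir le périphérique TUN/TAP
+persist-tun
+# Active la compression
+comp-lzo
+
+## LOG ##
+
+# Quantité de log (choix entre 0 et 9)
+# Choisir entre 3 et 4 pour une utilisation normale
+verb 3
+# Imprime au plus 20 messages de la même catégorie
+mute 20
+# Fichier où on liste les connexions des clients
+status openvpn-status.log
+# Fichier de log
+log-append /var/log/openvpn.log
+# Dossier de configuration des clients
+client-config-dir ccd
+
+## PASS ##
+
+# Autoriser l'exécution de scripts externes en passant les mots de passe via les variables d'environnement
+script-security 3 system
+# Utiliser le pseudo d'authentification comme nom (au lieu du nom du certificat du client)
+username-as-common-name
+# Certificat du client non requis
+client-cert-not-required
+# Utiliser le script de connexion lorsqu'un client veut s'authentifier
+auth-user-pass-verify scripts/login.sh via-env
+# Nombre maximum de clients
+max-clients 50
+# Appeler ces scripts à la connexion et déconnexion du client
+client-connect scripts/connect.sh
+client-disconnect scripts/disconnect.sh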
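Review bot: `dh dh1024.pem` selects 1024-bit Diffie-Hellman parameters, which are below the 2048-bit floor recommended since the Logjam research; regenerate the parameters and point the directive at the new file, e.g. `dh dh2048.pem`. With `client-cert-not-required` and `username-as-common-name`, the password check in scripts/login.sh plus the `tls-auth` key are the only things authenticating a client, so the weaknesses in that script matter more than they would with per-client certificates; `client-cert-not-required` is also deprecated in OpenVPN 2.4 in favour of `verify-client-cert none`. The `system` flag on `script-security 3 system` was deprecated in 2.3 and, as far as I recall, removed in a later release, so `script-security 3` alone is the portable form. `comp-lzo` enables tunnel compression, which current guidance advises against, and the comment above `reneg-sec 18000` says renegotiation disconnects the client, whereas a TLS renegotiation is normally transparent to the session - worth rechecking before relying on it.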