Migrating a Windows VPN to OpenVPN on Debian

Hello

At home I have a Windows Home Server that acts as a VPN.
I would like to set up a Debian OpenVPN server that would take over whenever the home server is switched off (which is often).

I currently have a configuration that lets a client connected over the VPN reach every machine on my network (192.168.1.0).

I installed a VPS with an OpenVPN appliance (192.168.1.103)
On a machine at home (192.168.1.14) I installed the OpenVPN GUI client.

I understood that OpenVPN has 2 operating modes: tun (routing) and tap (bridging).
I deduce that, for the configuration I want, the server has to be set up as a bridge, hence tap.

I copy all the conf files etc. to my Windows client. Tested in tun mode without changing anything, it connects with an IP: 10.8.0.xx

Following mattotop's tutorial

I install bridge-utils

so I change the OpenVPN conf file:

[code];dev tun
dev tap0

client-to-client

server-bridge 192.168.1.103 255.255.255.0 192.168.1.150 192.168.1.200[/code]

I modify my /etc/network/interfaces file, which was:

[code]auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 192.168.1.103
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        gateway 192.168.1.254[/code]

into:

[code]auto lo br0
iface lo inet loopback

iface br0 inet static
        address 192.168.1.103
        netmask 255.255.255.0
        broadcast 192.168.1.255
        gateway 192.168.1.254
        bridge-ports eth0
        post-up /etc/openvpn/scripts/ovup && /etc/init.d/openvpn start
        pre-down /etc/init.d/openvpn stop
        post-down /etc/openvpn/scripts/ovdown[/code]

I adapt the client config by replacing just:

[code];dev tun
dev tap0[/code]

result: impossible to connect once I switch to bridge mode :cry:

Log:

[code]Tue Jan 12 21:36:04 2010 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Tue Jan 12 21:36:04 2010 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Jan 12 21:36:04 2010 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Jan 12 21:36:04 2010 LZO compression initialized
Tue Jan 12 21:36:04 2010 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Jan 12 21:36:04 2010 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jan 12 21:36:04 2010 Local Options hash (VER=V4): '41690919'
Tue Jan 12 21:36:04 2010 Expected Remote Options hash (VER=V4): '530fdded'
Tue Jan 12 21:36:04 2010 UDPv4 link local: [undef]
Tue Jan 12 21:36:04 2010 UDPv4 link remote: 192.168.1.103:1194
Tue Jan 12 21:36:04 2010 TLS: Initial packet from 192.168.1.103:1194, sid=c99b8782 7e353bb2
Tue Jan 12 21:36:05 2010 VERIFY OK: depth=1, /C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/OU=no-unit/CN=OpenVPN-CA/emailAddress=me@myhost.mydomain
Tue Jan 12 21:36:05 2010 VERIFY OK: depth=0, /C=KG/ST=NA/O=OpenVPN-TEST/OU=no-unit/CN=OpenVPN-CA/emailAddress=me@myhost.mydomain
Tue Jan 12 21:36:05 2010 WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'
Tue Jan 12 21:36:05 2010 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1574'
Tue Jan 12 21:36:05 2010 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
Tue Jan 12 21:36:05 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jan 12 21:36:05 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 12 21:36:05 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jan 12 21:36:05 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 12 21:36:05 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Jan 12 21:36:05 2010 [OpenVPN-CA] Peer Connection Initiated with 192.168.1.103:1194
Tue Jan 12 21:36:06 2010 SENT CONTROL [OpenVPN-CA]: 'PUSH_REQUEST' (status=1)
Tue Jan 12 21:36:06 2010 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route-gateway 192.168.1.103,ifconfig 192.168.1.150 255.255.255.0'
Tue Jan 12 21:36:06 2010 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jan 12 21:36:06 2010 OPTIONS IMPORT: route options modified
Tue Jan 12 21:36:06 2010 WARNING: Since you are using --dev tun, the second argument to --ifconfig must be an IP address. You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
Tue Jan 12 21:36:06 2010 WARNING: potential conflict between --remote address [192.168.1.103] and --ifconfig address pair [192.168.1.150, 255.255.255.0] -- this is a warning only that is triggered when local/remote addresses exist within the same /24 subnet as --ifconfig endpoints. (silence this warning with --ifconfig-nowarn)
Tue Jan 12 21:36:06 2010 There is a problem in your selection of --ifconfig endpoints [local=192.168.1.150, remote=255.255.255.0]. The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver. Try 'openvpn --show-valid-subnets' option for more info.
Tue Jan 12 21:36:06 2010 Exiting[/code]

If anyone has advice / solutions I'm all ears, I don't know OpenVPN at all.

[quote]Tue Jan 12 21:36:06 2010 WARNING: Since you are using --dev tun, the second argument to --ifconfig must be an IP address. You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)[/quote]
There is a problem in how your VPN is being launched; how many .conf files do you have in /etc/openvpn??

Besides, nowhere do you put tap0 into the bridge. Can you show your /etc/init.d/openvpn file (the startup part), or the script that builds the VPN?

Hello,

here is the content of the /etc/init.d/openvpn file

[code]#!/bin/sh -e

### BEGIN INIT INFO
# Provides:          vpn
# Required-Start:    $network $local_fs
# Required-Stop:     $network $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Openvpn VPN service
### END INIT INFO

# Original version by Robert Leslie
# <rob@mars.org>, edited by iwj and cs
# Modified for openvpn by Alberto Gonzalez Iniesta <agi@inittab.org>
# Modified for restarting / starting / stopping single tunnels by Richard Mueller <mueller@teamix.net>

. /lib/lsb/init-functions

test $DEBIAN_SCRIPT_DEBUG && set -v -x

DAEMON=/usr/sbin/openvpn
DESC="virtual private network daemon"
CONFIG_DIR=/etc/openvpn
test -x $DAEMON || exit 0
test -d $CONFIG_DIR || exit 0

# Source defaults file; edit that file to configure this script.
AUTOSTART="all"
STATUSREFRESH=10
if test -e /etc/default/openvpn ; then
  . /etc/default/openvpn
fi

start_vpn () {
  if grep -q '^[[:blank:]]*daemon' $CONFIG_DIR/$NAME.conf ; then
    # daemon already given in config file
    DAEMONARG=
  else
    # need to daemonize
    DAEMONARG="--daemon ovpn-$NAME"
  fi

  if grep -q '^[[:blank:]]*status ' $CONFIG_DIR/$NAME.conf ; then
    # status file already given in config file
    STATUSARG=""
  elif test $STATUSREFRESH -eq 0 ; then
    # default status file disabled in /etc/default/openvpn
    STATUSARG=""
  else
    # prepare default status file
    STATUSARG="--status /var/run/openvpn.$NAME.status $STATUSREFRESH"
  fi

  log_progress_msg "$NAME"
  STATUS=0

  # Check to see if it's already started...
  if test -e /var/run/openvpn.$NAME.pid ; then
    log_failure_msg "Already running (PID file exists)"
    STATUS=0
  else
    $DAEMON $OPTARGS --writepid /var/run/openvpn.$NAME.pid \
            $DAEMONARG $STATUSARG --cd $CONFIG_DIR \
            --config $CONFIG_DIR/$NAME.conf || STATUS=1
  fi
}
stop_vpn () {
  kill $(cat $PIDFILE) || true
  rm -f $PIDFILE
  rm -f /var/run/openvpn.$NAME.status 2> /dev/null
}

case "$1" in
start)
  log_daemon_msg "Starting $DESC"

  # autostart VPNs
  if test -z "$2" ; then
    # check if automatic startup is disabled by AUTOSTART=none
    if test "x$AUTOSTART" = "xnone" -o -z "$AUTOSTART" ; then
      log_warning_msg " Autostart disabled."
      exit 0
    fi
    if test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall" ; then
      # all VPNs shall be started automatically
      for CONFIG in $(cd $CONFIG_DIR; ls *.conf 2> /dev/null); do
        NAME=${CONFIG%%.conf}
        start_vpn
      done
    else
      # start only specified VPNs
      for NAME in $AUTOSTART ; do
        if test -e $CONFIG_DIR/$NAME.conf ; then
          start_vpn
        else
          log_failure_msg "No such VPN: $NAME"
          STATUS=1
        fi
      done
    fi
  # start VPNs from command line
  else
    while shift ; do
      [ -z "$1" ] && break
      if test -e $CONFIG_DIR/$1.conf ; then
        NAME=$1
        start_vpn
      else
        log_failure_msg " No such VPN: $1"
        STATUS=1
      fi
    done
  fi
  log_end_msg ${STATUS:-0}

  ;;
stop)
  log_daemon_msg "Stopping $DESC"

  if test -z "$2" ; then
    for PIDFILE in $(ls /var/run/openvpn.*.pid 2> /dev/null); do
      NAME=$(echo $PIDFILE | cut -c18-)
      NAME=${NAME%%.pid}
      stop_vpn
      log_progress_msg "$NAME"
    done
  else
    while shift ; do
      [ -z "$1" ] && break
      if test -e /var/run/openvpn.$1.pid ; then
        PIDFILE=$(ls /var/run/openvpn.$1.pid 2> /dev/null)
        NAME=$(echo $PIDFILE | cut -c18-)
        NAME=${NAME%%.pid}
        stop_vpn
        log_progress_msg "$NAME"
      else
        log_failure_msg " (failure: No such VPN is running: $1)"
      fi
    done
  fi
  log_end_msg 0
  ;;
# Only 'reload' running VPNs. New ones will only start with 'start' or 'restart'.
reload|force-reload)
  log_daemon_msg "Reloading $DESC"
  for PIDFILE in $(ls /var/run/openvpn.*.pid 2> /dev/null); do
    NAME=$(echo $PIDFILE | cut -c18-)
    NAME=${NAME%%.pid}
    # If openvpn is running under a different user than root we'll need to restart
    if egrep '^[[:blank:]]*user[[:blank:]]' $CONFIG_DIR/$NAME.conf > /dev/null 2>&1 ; then
      stop_vpn
      sleep 1
      start_vpn
      log_progress_msg "(restarted)"
    else
      kill -HUP $(cat $PIDFILE) || true
      log_progress_msg "$NAME"
    fi
  done
  log_end_msg 0
  ;;
# Only 'soft-restart' running VPNs. New ones will only start with 'start' or 'restart'.
soft-restart)
  log_daemon_msg "$DESC sending SIGUSR1"
  for PIDFILE in $(ls /var/run/openvpn.*.pid 2> /dev/null); do
    NAME=$(echo $PIDFILE | cut -c18-)
    NAME=${NAME%%.pid}
    kill -USR1 $(cat $PIDFILE) || true
    log_progress_msg "$NAME"
  done
  log_end_msg 0
  ;;
restart)
  shift
  $0 stop ${@}
  sleep 1
  $0 start ${@}
  ;;
cond-restart)
  log_daemon_msg "Restarting $DESC."
  for PIDFILE in $(ls /var/run/openvpn.*.pid 2> /dev/null); do
    NAME=$(echo $PIDFILE | cut -c18-)
    NAME=${NAME%%.pid}
    stop_vpn
    sleep 1
    start_vpn
  done
  log_end_msg 0
  ;;
*)
  echo "Usage: $0 {start|stop|reload|restart|force-reload|cond-restart}" >&2
  exit 1
  ;;
esac

exit 0

# vim:set ai sts=2 sw=2 tw=0:
[/code]

there seems to be only one conf file in /etc/openvpn:

[code]ls /etc/openvpn
build-ca  build-dh  build-key  build-key-server  clean-all  client-config  ipp.txt  keys  lan  openssl.cnf  openvpn-status.log  scripts  server.conf  setup  update-resolv-conf  vars[/code]

I admit I haven't declared tap0 anywhere; it probably needs to be added in /etc/network/interfaces, but I'm unsure how to add it.
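One way to write the ovup/ovdown scripts that the poster's /etc/network/interfaces already calls, so that tap0 exists and is a member of br0 before openvpn opens it with "dev tap0" (added example, not code from the thread or from mattotop's tutorial; the br0/tap0 names come from the poster's files, the brctl and ip commands are assumptions):

```shell
#!/bin/sh -e
# Added example: bridge helper for an OpenVPN tap server. Install it twice,
# as /etc/openvpn/scripts/ovup and /etc/openvpn/scripts/ovdown, or call it
# with an explicit "up" / "down" argument. Names are assumptions matching
# the poster's interfaces file (bridge br0, OpenVPN device tap0).
BRIDGE=${BRIDGE:-br0}
TAP=${TAP:-tap0}
# Set RUN=echo to dry-run: the commands are printed instead of executed.
RUN=${RUN:-}

# Create a persistent tap device and enslave it to the bridge. Because the
# device already exists when openvpn starts, "dev tap0" in server.conf makes
# openvpn attach to it instead of creating a throwaway device outside br0,
# which is exactly the missing piece the reply above points at.
bridge_up() {
    $RUN openvpn --mktun --dev "$TAP"
    # Promiscuous mode is required for the bridge to forward frames
    # addressed to the VPN clients' MACs through this port.
    $RUN ip link set "$TAP" up promisc on
    $RUN brctl addif "$BRIDGE" "$TAP"
}

# Reverse order: detach from the bridge, bring the port down, delete it.
bridge_down() {
    $RUN brctl delif "$BRIDGE" "$TAP"
    $RUN ip link set "$TAP" down
    $RUN openvpn --rmtun --dev "$TAP"
}

# Dispatch on the argument, or on the script name when installed as ovup/ovdown.
case "${1:-$(basename "$0")}" in
    up|ovup)     bridge_up ;;
    down|ovdown) bridge_down ;;
esac
```

The post-up line in interfaces then runs ovup before "/etc/init.d/openvpn start", so the server-bridge pool 192.168.1.150-200 is handed out on the same segment as eth0.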