OpenVPN Installation and Configuration on FreeBSD

The steps required to use OpenVPN on FreeBSD with system accounts:

Installing OpenVPN from ports

# cd /usr/ports/security/openvpn
# make && make install

To have OpenVPN start at boot, the lines

openvpn_enable="YES"
openvpn_if="tun"

are added to /etc/rc.conf (straight double quotes; curly quotes copied from a web page are not valid shell syntax).

# mkdir /usr/local/etc/openvpn
# cp -r /usr/local/share/doc/openvpn/ /usr/local/etc/openvpn/
# cd /usr/local/etc/openvpn/easy-rsa/

# . vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /usr/local/etc/openvpn/easy-rsa/keys
# ./clean-all

To create our own certificate authority (CA):

# ./build-ca
Generating a 1024 bit RSA private key
.................++++++
..............................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:TR
State or Province Name (full name) [NA]:
Locality Name (eg, city) [BISHKEK]:IStanbul
Organization Name (eg, company) [OpenVPN-TEST]:lifeoverIP
Organizational Unit Name (eg, section) []:ITS
Common Name (eg, your name or your server’s hostname) []:vpn.lifeoverip.net
Email Address [[email protected]]:[email protected]

Creating the server certificate

# ./build-key-server server
Generating a 1024 bit RSA private key
..++++++
..............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:TR
State or Province Name (full name) [NA]:
Locality Name (eg, city) [BISHKEK]:IStanbul
Organization Name (eg, company) [OpenVPN-TEST]:lifeoverIP
Organizational Unit Name (eg, section) []:ITS
Common Name (eg, your name or your server’s hostname) []:vpn.lifeoverip.net
Email Address [[email protected]]:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'TR'
stateOrProvinceName :PRINTABLE:'NA'
localityName :PRINTABLE:'IStanbul'
organizationName :PRINTABLE:'lifeoverIP'
organizationalUnitName:PRINTABLE:'ITS'
commonName :PRINTABLE:'vpn.lifeoverip.net'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Apr 12 14:11:51 2017 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generating the Diffie-Hellman parameters

# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time

# cp -r keys /usr/local/etc/openvpn/

Configuring OpenVPN to authenticate users against the system accounts (/etc/passwd)

--- contents of openvpn.conf ---

local VPN_Sunucu_IP_Adresi
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
dh keys/dh1024.pem
plugin /usr/local/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 5.5.5.0 255.255.255.0
push "redirect-gateway"
keepalive 10 120
comp-lzo
verb 3

--- contents of client.ovpn ---

client
proto udp
dev tun
remote vpn.lifeoverip.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
ca ca.crt
comp-lzo

* After ca.crt has been generated on the server, it must be delivered to the client over a secure channel; it is the only thing the client uses to verify it is talking to the real server.
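In the server configuration above, client identity rests entirely on the PAM password, so it is worth auditing such a file for settings that weaken it. The following script is an added example and not part of the original post: it parses the openvpn.conf shown above (embedded as a constructed sample) and flags the settings a reviewer would raise; the thresholds and the remarks on deprecated directives are the editor's, not the post's.

```python
import re

# Constructed sample: this page's server openvpn.conf copied as-is, placeholder IP included.
SAMPLE_CONF = """\
local VPN_Sunucu_IP_Adresi
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
dh keys/dh1024.pem
plugin /usr/local/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 5.5.5.0 255.255.255.0
push "redirect-gateway"
keepalive 10 120
comp-lzo
verb 3
"""

def parse_conf(text):
    """Map each directive to its argument lists; '#' and ';' start comments."""
    directives = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives

def audit(text):
    """One finding per setting that weakens this PAM-authenticated server."""
    d = parse_conf(text)
    findings = []
    if "client-cert-not-required" in d:  # the password is the only client proof
        findings.append("client-cert-not-required: clients authenticate by PAM password "
                        "only; removed in OpenVPN 2.5, use 'verify-client-cert none'")
    if not any(k in d for k in ("tls-auth", "tls-crypt")):  # no HMAC gate on handshake
        findings.append("no tls-auth/tls-crypt: any host may open a TLS handshake on udp/1194")
    for args in d.get("dh", []):
        m = re.search(r"(\d{3,5})", args[0])  # bit size taken from the filename hint
        if m and int(m.group(1)) < 2048:
            findings.append(f"dh: {m.group(1)}-bit parameters, below the 2048-bit minimum")
    if "comp-lzo" in d or "compress" in d:
        findings.append("compression enabled: deprecated; ciphertext size leaks plaintext")
    if "user" not in d or "group" not in d:
        findings.append("no user/group: daemon keeps root privileges after startup")
    return findings
```

Run `audit(open("/usr/local/etc/openvpn/openvpn.conf").read())` on the live file to get the same findings for a real server.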

Firewall (Packet Filter) configuration for VPN clients

vpn_agi="5.5.5.1/24"

nat pass on $ext_if from $vpn_agi to any -> ($ext_if:0)

pass in quick on $ext_if proto udp from any to port 1194 keep state

vi /etc/sysctl.conf
net.inet.ip.forwarding=1

:wq!
