Linux:Configuring a VPN client on a Windows workstation

From WIKI.minetti.org

Purpose

Install and configure an OpenVPN client on a Windows workstation.

Preliminary step

Before starting:

  • you must already have a VPN server in place;
  • and make sure your Windows workstation answers PING.

Installation

On your Windows workstation, download the latest version of OpenVPN for Windows and install it.

This tutorial was written with OpenVPN version 2.3.10.

Configuration

  • Start by creating your client's SSL key and certificate, making sure it has:
    • a CN matching the client's name or IP address as seen by the VPN server (normally the public address; in our example it will be siteA.minetti.org);
    • a keyUsage containing only digitalSignature and/or keyAgreement;
    • an extendedKeyUsage of clientAuth (TLS Web Client Authentication);
    • and an nsCertType of client.
  • Retrieve the CA certificate that signed the client certificate and put it in the directory C:\Program Files\OpenVPN\config.
  • Retrieve the HMAC firewall key, ta.key, from the server and put it in the directory C:\Program Files\OpenVPN\config.
  • Copy the file C:\Program Files\OpenVPN\sample-config\client.ovpn into the directory C:\Program Files\OpenVPN\config.
  • Edit the file C:\Program Files\OpenVPN\config\client.ovpn so that it looks like this:
# Client mode
client

# Routed (tun) mode
dev tun

# Server connection
remote vps.minetti.org 1194
proto udp

# Miscellaneous
resolv-retry infinite
nobind

# Persistence options
persist-key
persist-tun

# CA certificate and client key/certificate (generated earlier);
# the two directives after them check that the peer really is a server
ca "C:\\Program Files\\OpenVPN\\config\\cacert.pem"
cert "C:\\Program Files\\OpenVPN\\config\\siteA.pem"
key "C:\\Program Files\\OpenVPN\\config\\siteA.key"
remote-cert-tls server
ns-cert-type server

# HMAC firewall key (key direction 1 on the client side)
tls-auth C:\\PROGRA~1\\OpenVPN\\config\\ta.key 1

# Compression
comp-lzo

# Logging
verb 3
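As an added example (not part of the original page), a small Python validator for the client.ovpn above: it parses OpenVPN's directive syntax and reports a missing CA/cert/key, a missing "remote-cert-tls server", or a tls-auth key direction other than 1. The embedded sample is a constructed, abridged copy of the tutorial's file.

```python
"""Validator for the client.ovpn shown above (added example, not from the wiki).

Parses OpenVPN's directive syntax (one directive per line, '#' comments,
double-quoted arguments for paths with spaces) and reports anything that would
weaken server authentication or the tls-auth HMAC firewall.
"""
import shlex

# Constructed, abridged copy of the tutorial's file. Raw string: the doubled
# backslashes are exactly what the .ovpn file contains.
SAMPLE_OVPN = r"""
# Mode client
client
dev tun
remote vps.minetti.org 1194
ca "C:\\Program Files\\OpenVPN\\config\\cacert.pem"
cert "C:\\Program Files\\OpenVPN\\config\\siteA.pem"
key "C:\\Program Files\\OpenVPN\\config\\siteA.key"
remote-cert-tls server
ns-cert-type server
tls-auth C:\\PROGRA~1\\OpenVPN\\config\\ta.key 1
"""

REQUIRED = ("client", "dev", "remote", "ca", "cert", "key",
            "remote-cert-tls", "tls-auth")

def parse_ovpn(text):
    """Return {directive: [args]}; a repeated directive keeps its last value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        name, _, rest = line.partition(" ")
        # posix=False keeps backslashes literal; surrounding quotes are stripped.
        conf[name] = [t.strip('"') for t in shlex.split(rest, posix=False)]
    return conf

def check_client_config(text):
    """Return a list of findings; an empty list means the file passes."""
    conf = parse_ovpn(text)
    findings = [f"missing directive: {d}" for d in REQUIRED if d not in conf]
    if conf.get("remote-cert-tls") != ["server"]:
        findings.append("remote-cert-tls must be 'server' on the client")
    ta = conf.get("tls-auth", [])
    if len(ta) == 2 and ta[1] != "1":
        findings.append("tls-auth key direction must be 1 on the client")
    return findings
```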

Test

  • Start the VPN client via the OpenVPN GUI or via the configuration file's context menu (Start OpenVPN on this config file).
  • The logs should look like this:
Tue Apr 12 17:25:25 2016 OpenVPN 2.3.10 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Feb  1 2016
Tue Apr 12 17:25:25 2016 Windows version 5.1 (Windows XP)
Tue Apr 12 17:25:25 2016 library versions: OpenSSL 1.0.1r  28 Jan 2016, LZO 2.09
Enter Management Password:
Tue Apr 12 17:25:25 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Apr 12 17:25:25 2016 Need hold release from management interface, waiting...
Tue Apr 12 17:25:26 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Apr 12 17:25:26 2016 MANAGEMENT: CMD 'state on'
Tue Apr 12 17:25:26 2016 MANAGEMENT: CMD 'log all on'
Tue Apr 12 17:25:26 2016 MANAGEMENT: CMD 'hold off'
Tue Apr 12 17:25:26 2016 MANAGEMENT: CMD 'hold release'
Tue Apr 12 17:25:26 2016 Control Channel Authentication: using 'C:\PROGRA~1\OpenVPN\config\ta.key' as a OpenVPN static key file
Tue Apr 12 17:25:26 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 12 17:25:26 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 12 17:25:26 2016 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Apr 12 17:25:26 2016 MANAGEMENT: >STATE:1460474726,RESOLVE,,,
Tue Apr 12 17:25:26 2016 UDPv4 link local: [undef]
Tue Apr 12 17:25:26 2016 UDPv4 link remote: [AF_INET]x.x.x.x:1194
Tue Apr 12 17:25:26 2016 MANAGEMENT: >STATE:1460474726,WAIT,,,
Tue Apr 12 17:25:26 2016 MANAGEMENT: >STATE:1460474726,AUTH,,,
Tue Apr 12 17:25:26 2016 TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=3dd841af 0e567b08
Tue Apr 12 17:25:26 2016 VERIFY OK: depth=1, C=FR, ST=Herault, L=Saint-Jean-de-Védas, O=Minetti, CN=MINETTI CA, emailAddress=root@minetti.org
Tue Apr 12 17:25:26 2016 VERIFY OK: nsCertType=SERVER
Tue Apr 12 17:25:26 2016 Validating certificate key usage
Tue Apr 12 17:25:26 2016 ++ Certificate has key usage  00a0, expects 00a0
Tue Apr 12 17:25:26 2016 VERIFY KU OK
Tue Apr 12 17:25:26 2016 Validating certificate extended key usage
Tue Apr 12 17:25:26 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Apr 12 17:25:26 2016 VERIFY EKU OK
Tue Apr 12 17:25:26 2016 VERIFY OK: depth=0, C=FR, ST=Herault, L=Saint-Jean-de-Védas, O=Minetti, OU=VPS, CN=vps.minetti.org, emailAddress=root@minetti.org
Tue Apr 12 17:25:26 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Apr 12 17:25:26 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 12 17:25:26 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Apr 12 17:25:26 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 12 17:25:26 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Tue Apr 12 17:25:26 2016 [vps.minetti.org] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
Tue Apr 12 17:25:28 2016 MANAGEMENT: >STATE:1460474728,GET_CONFIG,,,
Tue Apr 12 17:25:29 2016 SENT CONTROL [vps.minetti.org]: 'PUSH_REQUEST' (status=1)
Tue Apr 12 17:25:29 2016 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,route 192.168.5.0 255.255.255.0 10.8.0.1,ifconfig 10.8.0.10 255.255.255.0'
Tue Apr 12 17:25:29 2016 OPTIONS IMPORT: timers and/or timeouts modified
Tue Apr 12 17:25:29 2016 OPTIONS IMPORT: --ifconfig/up options modified
Tue Apr 12 17:25:29 2016 OPTIONS IMPORT: route options modified
Tue Apr 12 17:25:29 2016 OPTIONS IMPORT: route-related options modified
Tue Apr 12 17:25:29 2016 ROUTE_GATEWAY 192.168.0.254/255.255.255.0 I=3 HWADDR=00:21:5c:a0:59:39
Tue Apr 12 17:25:29 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Apr 12 17:25:29 2016 MANAGEMENT: >STATE:1460474729,ASSIGN_IP,,10.8.0.10,
Tue Apr 12 17:25:29 2016 open_tun, tt->ipv6=0
Tue Apr 12 17:25:29 2016 TAP-WIN32 device [Connexion au réseau local 5] opened: \\.\Global\{ED187E98-87FC-4D09-9A47-570EA98DB1F8}.tap
Tue Apr 12 17:25:29 2016 TAP-Windows Driver Version 9.9 
Tue Apr 12 17:25:29 2016 Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.0.0/10.8.0.10/255.255.255.0 [SUCCEEDED]
Tue Apr 12 17:25:29 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.10/255.255.255.0 on interface {ED187E98-87FC-4D09-9A47-570EA98DB1F8} [DHCP-serv: 10.8.0.254, lease-time: 31536000]
Tue Apr 12 17:25:29 2016 Successful ARP Flush on interface [4] {ED187E98-87FC-4D09-9A47-570EA98DB1F8}
Tue Apr 12 17:25:34 2016 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Tue Apr 12 17:25:34 2016 MANAGEMENT: >STATE:1460474734,ADD_ROUTES,,,
Tue Apr 12 17:25:34 2016 C:\WINDOWS\system32\route.exe ADD 192.168.5.0 MASK 255.255.255.0 10.8.0.1
Tue Apr 12 17:25:34 2016 Route addition via IPAPI succeeded [adaptive]
Tue Apr 12 17:25:34 2016 Initialization Sequence Completed
Tue Apr 12 17:25:34 2016 MANAGEMENT: >STATE:1460474734,CONNECTED,SUCCESS,10.8.0.10,x.x.x.x
  • On the server side, the logs should look like this:
Tue Apr 12 17:23:35 2016 y.y.y.y:3013 TLS: Initial packet from [AF_INET]y.y.y.y:3013, sid=1aa82210 f0ed027b
Tue Apr 12 17:23:35 2016 y.y.y.y:3013 VERIFY OK: depth=1, C=FR, ST=Herault, L=Saint-Jean-de-Vedas, O=Minetti, CN=MINETTI CA, emailAddress=jp@minetti.org
Tue Apr 12 17:23:35 2016 y.y.y.y:3013 VERIFY OK: depth=0, C=FR, ST=Herault, L=Saint-Jean-de-Vedas, O=Minetti, OU=siteA (client), CN=siteA.minetti.org, emailAddress=root@minetti.org
Tue Apr 12 17:23:35 2016 y.y.y.y:3013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Apr 12 17:23:35 2016 y.y.y.y:3013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 12 17:23:35 2016 y.y.y.y:3013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Apr 12 17:23:35 2016 y.y.y.y:3013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 12 17:23:35 2016 y.y.y.y:3013 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Tue Apr 12 17:23:35 2016 y.y.y.y:3013 [siteA.minetti.org] Peer Connection Initiated with [AF_INET]y.y.y.y:3013
Tue Apr 12 17:23:35 2016 siteA.minetti.org/y.y.y.y:3013 OPTIONS IMPORT: reading client specific options from: ccd/siteA.minetti.org
Tue Apr 12 17:23:35 2016 siteA.minetti.org/y.y.y.y:3013 MULTI: Learn: 10.8.0.10 -> siteA.minetti.org/y.y.y.y:3013
Tue Apr 12 17:23:35 2016 siteA.minetti.org/y.y.y.y:3013 MULTI: primary virtual IP for siteA.minetti.org/y.y.y.y:3013: 10.8.0.10
Tue Apr 12 17:23:35 2016 siteA.minetti.org/y.y.y.y:3013 MULTI: internal route 192.168.3.0/24 -> siteA.minetti.org/y.y.y.y:3013
Tue Apr 12 17:23:35 2016 siteA.minetti.org/y.y.y.y:3013 MULTI: Learn: 192.168.3.0/24 -> siteA.minetti.org/y.y.y.y:3013
Tue Apr 12 17:23:35 2016 siteA.minetti.org/y.y.y.y:3013 MULTI: internal route 192.168.2.0/24 -> siteA.minetti.org/y.y.y.y:3013
Tue Apr 12 17:23:35 2016 siteA.minetti.org/y.y.y.y:3013 MULTI: Learn: 192.168.2.0/24 -> siteA.minetti.org/y.y.y.y:3013
Tue Apr 12 17:23:35 2016 siteA.minetti.org/y.y.y.y:3013 MULTI: internal route 192.168.1.0/24 -> siteA.minetti.org/y.y.y.y:3013
Tue Apr 12 17:23:35 2016 siteA.minetti.org/y.y.y.y:3013 MULTI: Learn: 192.168.1.0/24 -> siteA.minetti.org/y.y.y.y:3013
Tue Apr 12 17:23:35 2016 siteA.minetti.org/y.y.y.y:3013 MULTI: internal route 192.168.0.0/24 -> siteA.minetti.org/y.y.y.y:3013
Tue Apr 12 17:23:35 2016 siteA.minetti.org/y.y.y.y:3013 MULTI: Learn: 192.168.0.0/24 -> siteA.minetti.org/y.y.y.y:3013
Tue Apr 12 17:23:38 2016 siteA.minetti.org/y.y.y.y:3013 PUSH: Received control message: 'PUSH_REQUEST'
Tue Apr 12 17:23:38 2016 siteA.minetti.org/y.y.y.y:3013 send_push_reply(): safe_cap=940
Tue Apr 12 17:23:38 2016 siteA.minetti.org/y.y.y.y:3013 SENT CONTROL [siteA.minetti.org]: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,route 192.168.5.0 255.255.255.0 10.8.0.1,ifconfig 10.8.0.10 255.255.255.0' (status=1)
Tue Apr 12 17:24:01 2016 siteA.minetti.org/y.y.y.y:3013 MULTI: Learn: 192.168.0.229 -> siteA.minetti.org/y.y.y.y:3013
  • Check the routing table:
H:\>route print
===========================================================================
Liste d'Interfaces
0x1 ........................... MS TCP Loopback interface
0x2 ...00 21 70 c6 ec 98 ...... Broadcom NetXtreme 57xx Gigabit Controller - Miniport d'ordonnancement de paquets
0x3 ...00 21 5c a0 59 39 ...... Intel(R) Wireless WiFi Link 4965AGN - Miniport d'ordonnancement de paquets
0x4 ...00 ff ed 18 7e 98 ...... TAP-Windows Adapter V9 - Miniport d'ordonnancement de paquets
0x10006 ...00 21 86 cf d4 16 ...... Bluetooth Personal Area Network - Miniport d'ordonnancement de paquets
===========================================================================
===========================================================================
Itinéraires actifs :
Destination réseau    Masque réseau  Adr. passerelle   Adr. interface Métrique
          0.0.0.0          0.0.0.0    192.168.0.254   192.168.0.229       25
         10.8.0.0    255.255.255.0        10.8.0.10       10.8.0.10       30
        10.8.0.10  255.255.255.255        127.0.0.1       127.0.0.1       30
   10.255.255.255  255.255.255.255        10.8.0.10       10.8.0.10       30
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0    192.168.0.229   192.168.0.229       25
    192.168.0.229  255.255.255.255        127.0.0.1       127.0.0.1       25
    192.168.0.255  255.255.255.255    192.168.0.229   192.168.0.229       25
      192.168.5.0    255.255.255.0         10.8.0.1       10.8.0.10       1
        224.0.0.0        240.0.0.0        10.8.0.10       10.8.0.10       30
        224.0.0.0        240.0.0.0    192.168.0.229   192.168.0.229       25
  255.255.255.255  255.255.255.255        10.8.0.10               2       1
  255.255.255.255  255.255.255.255        10.8.0.10           10006       1
  255.255.255.255  255.255.255.255        10.8.0.10       10.8.0.10       1
  255.255.255.255  255.255.255.255    192.168.0.229   192.168.0.229       1
Passerelle par défaut :     192.168.0.254
===========================================================================
Itinéraires persistants :
  Aucun
  • Ping the VPN server:
H:\>ping 10.8.0.1

Envoi d'une requête 'ping' sur 10.8.0.1 avec 32 octets de données :

Réponse de 10.8.0.1 : octets=32 temps=63 ms TTL=64
Réponse de 10.8.0.1 : octets=32 temps=64 ms TTL=64
Réponse de 10.8.0.1 : octets=32 temps=64 ms TTL=64
Réponse de 10.8.0.1 : octets=32 temps=63 ms TTL=64

Statistiques Ping pour 10.8.0.1:
    Paquets : envoyés = 4, reçus = 4, perdus = 0 (perte 0%),
Durée approximative des boucles en millisecondes :
    Minimum = 63ms, Maximum = 64ms, Moyenne = 63ms
  • On the VPN server, ping the client:
# ping -c 4 10.8.0.10
PING 10.8.0.10 (10.8.0.10) 56(84) bytes of data.
64 bytes from 10.8.0.10: icmp_seq=1 ttl=128 time=78.2 ms
64 bytes from 10.8.0.10: icmp_seq=2 ttl=128 time=161 ms
64 bytes from 10.8.0.10: icmp_seq=3 ttl=128 time=184 ms
64 bytes from 10.8.0.10: icmp_seq=4 ttl=128 time=105 ms

--- 10.8.0.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 78.260/132.571/184.938/42.723 ms
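As an added example (not the page's own tooling), a Python check over the client log shown in the test steps above: it confirms every server-certificate verification step and the "Initialization Sequence Completed" line are present, and extracts the negotiated data-channel cipher, HMAC hash and RSA key size so that legacy settings stand out. The embedded log lines are a constructed subset of the ones shown above.

```python
"""Checker for the client log shown above (added example, not from the wiki).

Confirms the server certificate passed every check the client.ovpn asks for
(CA chain, nsCertType, key usage, extended key usage) and that the session
reached 'Initialization Sequence Completed', then extracts the negotiated
data-channel cipher, HMAC hash and RSA size so legacy settings stand out.
"""
import re

# Constructed subset of the tutorial's client log (server address left as x.x.x.x).
SAMPLE_LOG = """\
Tue Apr 12 17:25:26 2016 TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=3dd841af 0e567b08
Tue Apr 12 17:25:26 2016 VERIFY OK: depth=1, C=FR, ST=Herault, L=Saint-Jean-de-Védas, O=Minetti, CN=MINETTI CA, emailAddress=root@minetti.org
Tue Apr 12 17:25:26 2016 VERIFY OK: nsCertType=SERVER
Tue Apr 12 17:25:26 2016 VERIFY KU OK
Tue Apr 12 17:25:26 2016 VERIFY EKU OK
Tue Apr 12 17:25:26 2016 VERIFY OK: depth=0, C=FR, ST=Herault, L=Saint-Jean-de-Védas, O=Minetti, OU=VPS, CN=vps.minetti.org, emailAddress=root@minetti.org
Tue Apr 12 17:25:26 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Apr 12 17:25:26 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 12 17:25:26 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Tue Apr 12 17:25:34 2016 Initialization Sequence Completed
"""

# Lines the tutorial's 'remote-cert-tls server' / 'ns-cert-type server' checks must produce.
REQUIRED = ("VERIFY OK: depth=1", "VERIFY OK: nsCertType=SERVER", "VERIFY KU OK",
            "VERIFY EKU OK", "VERIFY OK: depth=0", "Initialization Sequence Completed")
LEGACY = {"BF-CBC": "64-bit block cipher (SWEET32)", "SHA1": "legacy HMAC hash"}
STAMP = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} ")  # 'Tue Apr 12 17:25:26 2016 '

def check_client_log(text):
    """Return {'missing': [...], 'warnings': [...], server_cn, cipher, auth, rsa_bits}."""
    body = [STAMP.sub("", line) for line in text.splitlines()]
    result = {"missing": [s for s in REQUIRED if not any(b.startswith(s) for b in body)],
              "warnings": []}
    for b in body:
        if m := re.match(r"VERIFY OK: depth=0, .*CN=([^,]+)", b):
            result["server_cn"] = m.group(1)          # CN of the server certificate
        elif m := re.match(r"Data Channel Encrypt: Cipher '([^']+)'", b):
            result["cipher"] = m.group(1)
        elif m := re.match(r"Data Channel Encrypt: Using \d+ bit message hash '([^']+)'", b):
            result["auth"] = m.group(1)
        elif m := re.match(r"Control Channel: .*, (\d+) bit RSA$", b):
            result["rsa_bits"] = int(m.group(1))
    for name in (result.get("cipher"), result.get("auth")):
        if name in LEGACY:
            result["warnings"].append(f"{name}: {LEGACY[name]}")
    if result.get("rsa_bits", 4096) < 2048:
        result["warnings"].append(f"{result['rsa_bits']} bit RSA server key is below 2048")
    return result
```

A log that passes the tutorial's checks yields an empty "missing" list; for the log shown above the checker still raises three warnings (BF-CBC, SHA1 and the 1024-bit RSA key), which is what a 2016-era OpenVPN 2.3 default negotiation looks like.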