Setting up an OpenVPN server on Debian 10 Buster

Intro

Here is a tutorial for quickly setting up an OpenVPN server on Debian 10 Buster.

Overview

Debian server-side configuration

Installation

root@host:~# apt install openvpn
root@host:~# cd /etc/openvpn/
root@host:~# /usr/share/easy-rsa/easyrsa clean-all
root@host:~# /usr/share/easy-rsa/easyrsa init-pki

root@host:~# /usr/share/easy-rsa/easyrsa build-ca nopass
root@host:~# /usr/share/easy-rsa/easyrsa build-server-full server nopass
root@host:~# /usr/share/easy-rsa/easyrsa gen-dh
root@host:~# echo "MyCertPass" >> /etc/openvpn/auth; chmod 400 /etc/openvpn/auth
root@host:~# /usr/share/easy-rsa/easyrsa build-client-full client01 nopass

Create 10 client certificates

root@host:~# for i in $(seq -w 1 10);do /usr/share/easy-rsa/easyrsa build-client-full client"$i" nopass; done

Enable OpenVPN at boot

root@host:~# sed -i 's/#AUTOSTART="all"/AUTOSTART="all"/' /etc/default/openvpn

/etc/openvpn/server.conf

port 1194
proto udp
dev tun

ca /etc/openvpn/pki/ca.crt # generated keys
cert /etc/openvpn/pki/issued/server.crt
key /etc/openvpn/pki/private/server.key # keep secret
dh /etc/openvpn/pki/dh.pem

server 10.50.8.0 255.255.255.0 # internal tun0 connection IP
ifconfig-pool-persist ipp.txt

keepalive 10 120

comp-lzo # Compression - must be turned on at both ends
persist-key
persist-tun

push "dhcp-option DNS 192.168.0.200"
push "dhcp-option DOMAIN domain.local"
push "route 192.168.1.0 255.255.255.0"

status /var/log/openvpn-status.log
askpass auth # avoid the "Please enter password with the systemd-tty-ask-password-agent" error

verb 3 # verbose mode

iptables

netfilter/iptables rule allowing VPN clients to reach the LAN. First identify the name of the LAN-facing interface with ip addr sh (ens192 in this example), then add the masquerade rule for the VPN subnet:

root@host:~# ip addr sh
root@host:~# iptables -t nat -A POSTROUTING -s 10.50.8.0/24 -o ens192 -j MASQUERADE

Enable router mode

To reach the LAN, IP forwarding must also be enabled on the OpenVPN server. Add the following line to /etc/sysctl.conf, then reload the file:

net.ipv4.ip_forward = 1
root@host:~# sysctl -p /etc/sysctl.conf

Windows client-side configuration

client
dev tun
proto udp

remote OPENVPN_IP 1194

resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client01.crt
key client01.key

comp-lzo

verb 3
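The server.conf and client configuration above work as written, but a security reviewer would want a quick check of what they leave out. The following script is an added example, not part of the original tutorial: it lints an OpenVPN server or client configuration for the settings a reviewer questions (compression, missing tls-crypt/tls-auth, no explicit cipher, the server keeping root privileges, no CRL check on the server, no remote-cert-tls on the client) and verifies that secret files such as the private key and the askpass file from the installation step are not readable by other users. The sample configurations it writes to a temporary directory are constructed copies of the tutorial's files plus a hardened variant; the paths /etc/openvpn/ta.key and /etc/openvpn/pki/crl.pem in the hardened sample are assumptions (they would come from openvpn --genkey --secret and easyrsa gen-crl respectively) and are not from the page.

```bash
#!/bin/sh
# Added example (not from the original tutorial): post-install review of the
# OpenVPN configuration files written above. Sample configs are constructed.

# has_directive FILE NAME: true if NAME is an active (uncommented) directive in FILE.
# Comment lines start with '#' or ';', so they never match the anchored pattern.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# lint_conf FILE ROLE: print one finding per line. ROLE is "server" or "client".
# Always returns 0 so it is safe under "set -e"; use findings_count for a score.
lint_conf() {
    f="$1"; role="$2"
    if has_directive "$f" 'comp-lzo' || has_directive "$f" 'compress'; then
        echo "$f: compression enabled; OpenVPN deprecated it because compressing attacker-influenced data next to secrets allows plaintext recovery (VORACLE)"
    fi
    if ! has_directive "$f" 'tls-crypt' && ! has_directive "$f" 'tls-auth'; then
        echo "$f: no tls-crypt/tls-auth; control-channel packets from any source reach the TLS stack"
    fi
    if ! has_directive "$f" 'cipher'; then
        echo "$f: no cipher directive; peers that do not negotiate AES-GCM (OpenVPN 2.4 NCP) use the legacy BF-CBC default"
    fi
    if [ "$role" = server ]; then
        has_directive "$f" 'user' || echo "$f: server keeps root privileges after startup (add user nobody / group nogroup)"
        has_directive "$f" 'crl-verify' || echo "$f: no crl-verify; revoked client certificates are still accepted"
    else
        has_directive "$f" 'remote-cert-tls' || echo "$f: client does not require a server-type certificate (add remote-cert-tls server)"
    fi
    return 0
}

# findings_count FILE ROLE: number of findings reported by lint_conf.
findings_count() {
    lint_conf "$1" "$2" | wc -l | tr -d ' '
}

# secret_file_ok FILE: true if FILE exists and has no group/other permission bits,
# i.e. the last two octal digits of its mode are 00 (matches the chmod 400 above).
secret_file_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# --- constructed samples -----------------------------------------------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Sample 1: the tutorial's server.conf (constructed copy, inline comments kept).
cat > "$demo_dir/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt # generated keys
cert /etc/openvpn/pki/issued/server.crt
key /etc/openvpn/pki/private/server.key # keep secret
dh /etc/openvpn/pki/dh.pem
server 10.50.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo # Compression - must be turned on at both ends
persist-key
persist-tun
push "dhcp-option DNS 192.168.0.200"
status /var/log/openvpn-status.log
askpass auth
verb 3
EOF

# Sample 2: the same server with the directives the lint asks for (assumed paths).
cat > "$demo_dir/server-hardened.conf" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/server.crt
key /etc/openvpn/pki/private/server.key
dh /etc/openvpn/pki/dh.pem
server 10.50.8.0 255.255.255.0
tls-crypt /etc/openvpn/ta.key
cipher AES-256-GCM
auth SHA256
user nobody
group nogroup
crl-verify /etc/openvpn/pki/crl.pem
# comp-lzo   <- left commented out on purpose; the lint must not count it
persist-key
persist-tun
verb 3
EOF

# Sample 3: the tutorial's Windows client configuration (constructed copy).
cat > "$demo_dir/client.ovpn" <<'EOF'
client
dev tun
proto udp
remote OPENVPN_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client01.crt
key client01.key
comp-lzo
verb 3
EOF

# Secret files: one protected as in the tutorial (chmod 400), one left world-readable.
: > "$demo_dir/auth";       chmod 400 "$demo_dir/auth"
: > "$demo_dir/server.key"; chmod 644 "$demo_dir/server.key"

for cfg in server.conf server-hardened.conf; do
    echo "== $cfg: $(findings_count "$demo_dir/$cfg" server) finding(s)"
    lint_conf "$demo_dir/$cfg" server
done
echo "== client.ovpn: $(findings_count "$demo_dir/client.ovpn" client) finding(s)"
lint_conf "$demo_dir/client.ovpn" client
for s in auth server.key; do
    secret_file_ok "$demo_dir/$s" && echo "ok: $s is owner-only" || echo "WARN: $s is readable by group/other"
done
```

Run it with sh on the server after the files above are in place, or point lint_conf at /etc/openvpn/server.conf directly; each finding names the directive to add, and a clean run prints "0 finding(s)" for both files. The permission check uses the GNU stat -c format, which is what Debian provides.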
Creative Commons licence
This website http://shebangthedolphins.net is licensed to the public under a Creative Commons Attribution licence.