Generate Master Certificate Authority (CA) certificate and key
Change directory to /etc/openvpn/easy-rsa/2.0/ and run the following commands to initialize the setup, clean up any existing keys, and build the CA.
Opensuse:~ # cd /etc/opensuse/easy-rsa/2.0/
opensuse:/etc/opensuse/easy-rsa/2.0/ # . ./vars
opensuse:/etc/opensuse/easy-rsa/2.0/ # ./clean-all
opensuse:/etc/opensuse/easy-rsa/2.0/ # ./build-ca
/etc/opensuse
/etc/openvpn
# . ./vars
$cruffy wrote:
I think I did it right.

I have to disappoint you there. The commands to enter each begin after the # character, so

$cruffy wrote:
/etc/openvpn/easy-rsa/2.0/ . ./vars

is wrong, and

. ./vars
$cruffy wrote:
OK, now I don't understand how I am supposed to do this with dyndns. I want to connect to the drive over the Internet. But the IP is so strange: 10.8.0.0/24
My network, however, is 192.168.40.0/24
Do I have to change the IP of my network or that of the VPN server? Or is that a kind of separate network? How do I then connect through the router? Just enter a port forward from port to port to 10.8.0.1?

You apparently haven't quite understood what a VPN is. A prerequisite for running a VPN is, of course, an existing network over which communication via TCP/IP is possible. For simplicity, take your LAN 192.168.40.0/24. Your router has the IP 192.168.40.1 in that network. In the LAN a server is running at, say, 192.168.40.10. On this PC an openvpn service listens on port 1194. Your router has to forward port 1194 (UDP) to the server at 192.168.40.10, port 1194.
client
;dev tap
dev tun
;dev-node MyTap
;proto tcp
proto udp
remote meinddnsserver.dyndns.org 1194
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca c:\\Programme\\OpenVPN\\keys\\ca.crt
cert c:\\Programme\\OpenVPN\\keys\\vpnhost1.crt
key c:\\Programme\\OpenVPN\\keys\\vpnhost1.key
ns-cert-type server
;tls-auth ta.key 1
cipher BF-CBC
comp-lzo
verb 3
;mute 20
;local a.b.c.d
port 1194
proto tcp
;proto udp
;dev tap
dev tun
;dev-node MyTap
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/scruffys.crt
key /etc/openvpn/easy-rsa/2.0/keys/scruffys.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;client-to-client
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
max-clients 3
;user nobody
;group nobody
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
;log-append openvpn.log
verb 3
;mute 20
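The server config above says proto tcp, while the client config quoted earlier says proto udp; a mismatch like that is easy to overlook in a long config. The following script is an added example, not something posted in this thread: it extracts the active (uncommented) value of a directive from an OpenVPN config and compares the settings that have to agree on both ends, run here against constructed, shortened copies of the two configs from the thread.

```shell
# Print the arguments of the last active (uncommented) occurrence of a directive.
# usage: ovpn_opt FILE DIRECTIVE
ovpn_opt() {
    awk -v d="$2" '
        /^[[:space:]]*[;#]/ { next }             # lines starting with ";" or "#" are comments
        { sub(/[[:space:]]*#.*$/, "") }           # drop a trailing "# ..." comment
        $1 == d { $1 = ""; sub(/^[[:space:]]+/, ""); val = $0 }
        END { print val }
    ' "$1"
}

# Compare the settings that must agree between a server and a client config.
# Prints one MISMATCH line per difference and returns 1 if any was found.
# usage: ovpn_check SERVER_CFG CLIENT_CFG
ovpn_check() {
    rc=0
    for d in proto dev cipher; do
        s=$(ovpn_opt "$1" "$d"); c=$(ovpn_opt "$2" "$d")
        [ "$s" = "$c" ] || { echo "MISMATCH $d: server='$s' client='$c'"; rc=1; }
    done
    # the server's "port" must match the port in the client's "remote HOST PORT"
    sp=$(ovpn_opt "$1" port); cp=$(ovpn_opt "$2" remote | awk '{ print $2 }')
    [ "${sp:-1194}" = "${cp:-1194}" ] || { echo "MISMATCH port: server='$sp' client='$cp'"; rc=1; }
    return $rc
}

# Constructed sample configs: the relevant lines of the two configs posted in the thread.
SRV=$(mktemp); CLI=$(mktemp)
cat >"$SRV" <<'EOF'
port 1194
proto tcp
;proto udp
dev tun
cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
EOF
cat >"$CLI" <<'EOF'
client
;proto tcp
proto udp
dev tun
remote meinddnsserver.dyndns.org 1194
cipher BF-CBC
EOF

# Same server config with the protocol switched to match the client.
FIXED=$(mktemp); sed 's/^proto tcp$/proto udp/' "$SRV" >"$FIXED"

ovpn_check "$SRV" "$CLI" || echo "server and client configs disagree"    # reports MISMATCH proto
ovpn_check "$FIXED" "$CLI" && echo "fixed server config matches the client"
```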
iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -d 192.168.40.100 -j ACCEPT
Sun Jun 06 06:48:00 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Sun Jun 06 06:48:00 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Jun 06 06:48:00 2010 LZO compression initialized
Sun Jun 06 06:48:00 2010 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Jun 06 06:48:00 2010 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Jun 06 06:48:00 2010 Local Options hash (VER=V4): '41690919'
Sun Jun 06 06:48:00 2010 Expected Remote Options hash (VER=V4): '530fdded'
Sun Jun 06 06:48:00 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jun 06 06:48:00 2010 UDPv4 link local: [undef]
Sun Jun 06 06:48:00 2010 UDPv4 link remote: 12.345.67.890:1194
Sun Jun 06 06:48:00 2010 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Sun Jun 06 06:48:02 2010 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Sun Jun 06 06:48:05 2010 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Sun Jun 06 06:48:07 2010 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
linux~ # cat /var/log/firewall
Feb 19 18:02:39 localhost kernel: [145944.075048] SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.40.100 DST=195.212.4.5 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=62077 DF PROTO=TCP SPT=51737 DPT=80 WINDOW=2970 RES=0x00 ACK FIN URGP=0 OPT (0101080A08AE5A2A789B3C99)
Feb 19 18:03:11 localhost kernel: [145975.692057] SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.40.100 DST=195.212.4.5 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=62078 DF PROTO=TCP SPT=51737 DPT=80 WINDOW=2970 RES=0x00 ACK FIN URGP=0 OPT (0101080A08AED5AB789B3C99)
Feb 19 18:04:14 localhost kernel: [146038.924045] SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.40.100 DST=195.212.4.5 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=62079 DF PROTO=TCP SPT=51737 DPT=80 WINDOW=2970 RES=0x00 ACK FIN URGP=0 OPT (0101080A08AFCCAC789B3C99)
Feb 28 02:57:27 localhost kernel: [38562.365178] SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.40.100 DST=92.134.118.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1202 DF PROTO=TCP SPT=42727 DPT=563 WINDOW=41328 RES=0x00 ACK RST URGP=0
Feb 28 02:57:27 localhost kernel: [38562.365945] SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.40.100 DST=92.104.108.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=32654 DF PROTO=TCP SPT=42739 DPT=563 WINDOW=41328 RES=0x00 ACK RST URGP=0
Feb 28 02:57:27 localhost kernel: [38562.368332] SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.40.100 DST=92.104.108.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=63639 DF PROTO=TCP SPT=42648 DPT=563 WINDOW=41296 RES=0x00 ACK RST URGP=0
Feb 28 02:57:27 localhost kernel: [38562.369830] SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.40.100 DST=92.104.108.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=13091 DF PROTO=TCP SPT=42649 DPT=563 WINDOW=41328 RES=0x00 ACK RST URGP=0
Feb 28 02:57:27 localhost kernel: [38562.397668] SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.40.100 DST=92.104.108.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=59880 DF PROTO=TCP SPT=42728 DPT=563 WINDOW=41328 RES=0x00 ACK RST URGP=0
Feb 28 19:31:58 localhost kernel: [98234.053062] SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.40.100 DST=192.168.40.15 LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=65395 DF PROTO=TCP SPT=139 DPT=49160 WINDOW=41270 RES=0x00 ACK PSH FIN URGP=0
Feb 28 19:33:06 localhost kernel: [98301.253054] SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.40.100 DST=192.168.40.15 LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=65396 DF PROTO=TCP SPT=139 DPT=49160 WINDOW=41270 RES=0x00 ACK PSH FIN URGP=0
Mar 2 03:49:00 localhost kernel: [23440.632045] SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.40.100 DST=192.168.40.15 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=61271 DF PROTO=TCP SPT=445 DPT=51263 WINDOW=41328 RES=0x00 ACK FIN URGP=0
Mar 5 02:02:41 localhost kernel: [40781.089065] SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.40.100 DST=192.168.40.15 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=13290 DF PROTO=TCP SPT=445 DPT=49988 WINDOW=10381 RES=0x00 ACK FIN URGP=0
Mar 5 02:03:52 localhost kernel: [40852.129065] SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.40.100 DST=192.168.40.15 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=13291 DF PROTO=TCP SPT=445 DPT=49988 WINDOW=10381 RES=0x00 ACK FIN URGP=0
Mar 7 00:33:49 localhost kernel: [208249.277057] SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.40.100 DST=192.168.40.15 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=10758 DF PROTO=TCP SPT=445 DPT=49157 WINDOW=10343 RES=0x00 ACK PSH FIN URGP=0
Mar 7 15:34:13 localhost kernel: [ 4802.861044] SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.40.100 DST=76.52.87.145 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=16502 DF PROTO=TCP SPT=22 DPT=50271 WINDOW=189 RES=0x00 ACK FIN URGP=0 OPT (0101080A0044B54D001C5E24)
Mar 10 10:33:02 localhost kernel: [41178.246061] SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.40.100 DST=192.168.40.15 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=50315 DF PROTO=TCP SPT=445 DPT=54314 WINDOW=10362 RES=0x00 ACK FIN URGP=0
Mar 10 10:34:05 localhost kernel: [41241.094058] SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.40.100 DST=192.168.40.15 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=50316 DF PROTO=TCP SPT=445 DPT=54314 WINDOW=10362 RES=0x00 ACK FIN URGP=0
Mar 24 23:09:31 localhost kernel: [ 23.189809] SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.40.100 DST=76.52.87.145 LEN=40 TOS=0x10 PREC=0x20 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=42658 WINDOW=0 RES=0x00 RST URGP=0
May 9 07:32:27 localhost kernel: [105481.903194] SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.40.100 DST=76.52.87.145 LEN=40 TOS=0x00 PREC=0x20 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=57116 WINDOW=0 RES=0x00 RST URGP=0
May 9 07:48:35 localhost kernel: [ 67.670725] SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.40.100 DST=92.134.118.10 LEN=40 TOS=0x00 PREC=0x20 TTL=64 ID=0 DF PROTO=TCP SPT=54147 DPT=563 WINDOW=0 RES=0x00 RST URGP=0
May 9 07:53:36 localhost kernel: [ 68.067074] SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.40.100 DST=92.134.118.10 LEN=40 TOS=0x00 PREC=0x20 TTL=64 ID=0 DF PROTO=TCP SPT=54148 DPT=563 WINDOW=0 RES=0x00 RST URGP=0
May 10 07:54:42 localhost kernel: [93733.952610] SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.40.100 DST=76.52.87.145 LEN=40 TOS=0x00 PREC=0x20 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=42321 WINDOW=0 RES=0x00 RST URGP=0
llinux:~ # tcpdump -i eth0 -n "port 1194"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
18:50:20.563901 IP 12.345.67.890.1362 > 192.168.40.100.1194: UDP, length 14
linux:~ # lsof -i | grep vpn
openvpn 2644 root 5u IPv4 9830 0t0 TCP *:openvpn (LISTEN)
linux:~ # nmap -sU -p 1194 192.168.40.100
Starting Nmap 5.00 ( http://nmap.org ) at 2010-06-06 21:41 CEST
Interesting ports on (192.168.40.100):
PORT STATE SERVICE
1194/udp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
$cruffy wrote:
linux:~ # nmap -sU -p 1194 192.168.40.100
Starting Nmap 5.00 ( http://nmap.org ) at 2010-06-06 21:41 CEST
Interesting ports on (192.168.40.100):
PORT STATE SERVICE
1194/udp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
FW_SERVICES_EXT_UDP="1194"
## Type: string
#
# 9.)
# Which TCP services _on the firewall_ should be accessible from
# untrusted networks?
#
# Format: space separated list of ports, port ranges or well known
# service names (see /etc/services)
#
# Examples: "ssh", "123 514", "3200:3299", "ftp 22 telnet 512:514"
#
# Note: this setting has precedence over FW_SERVICES_ACCEPT_*
#
FW_SERVICES_EXT_TCP="1194"
## Type: string
#
# Which UDP services _on the firewall_ should be accessible from
# untrusted networks?
#
# Format: space separated list of ports, port ranges or well known
# service names (see /etc/services)
#
# Example: "53", "syslog"
#
# Note: this setting has precedence over FW_SERVICES_ACCEPT_*
#
FW_SERVICES_EXT_UDP="1194"
linux:~ # iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state ESTABLISHED
ACCEPT icmp -- anywhere anywhere state RELATED
input_int all -- anywhere anywhere
input_ext all -- anywhere anywhere
input_ext all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '
Chain forward_ext (0 references)
target prot opt source destination
Chain forward_int (0 references)
target prot opt source destination
Chain input_ext (2 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp echo-request
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:openvpn flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:openvpn
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
LOG udp -- 192.168.40.0/24 anywhere udp dpt:openvpn state NEW limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC '
ACCEPT udp -- 192.168.40.0/24 anywhere udp dpt:openvpn
DROP all -- anywhere anywhere PKTTYPE = multicast
DROP all -- anywhere anywhere PKTTYPE = broadcast
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
DROP all -- anywhere anywhere
Chain input_int (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain reject_func (0 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
$cruffy wrote:
That's clear, but how do I then attach the share to the client as a network drive? I have a Windows XP Pro notebook and want to access the share over the VPN.