Requisiti

TUN/TAP deve essere installato e attivo. Per controllare se sia attivo o meno eseguire il seguente comando.

# cat /dev/net/tun
cat: /dev/net/tun: Il descrittore del file è danneggiato
#

Se tutto va bene si dovrebbe ricevere lo stesso output. Nel mio caso invece mi da un errore.

# cat /dev/net/tun
cat: /dev/net/tun: File o directory non esistente
#

Questo è dovuto al fatto che ho compilato il Kernel e ho tolto tutto quello che non mi serviva.

Ricompilo il Kernel e aggiungo il modulo.

In Device Drivers -> Network device support scegliere “Universal TUN/TAP device driver support”.

device-drivers-network-tun-tap

Installazione

Usare zypper per installare openvpn con il seguente comando.

# zypper in openvpn

Impostazioni easy-rsa

Easy-rsa è un gestore di chiavi basato su OPENSSL. Per scaricarlo eseguire il seguente comando.

# wget -O easy-rsa-2.x.tar.gz https://github.com/OpenVPN/easy-rsa/archive/release/2.x.tar.gz

Poi estrarre il contenuto dall’archivio compresso con il seguente comando.

# tar -xf easy-rsa-2.x.tar.gz

Spostarsi nella cartella.

# cd easy-rsa-release-2.x

Copiare la cartella easy-rsa in /etc/openvpn.

workstation1:/home/chit/easy-rsa-release-2.x # cp -R easy-rsa /etc/openvpn/

Generare certificati e chiavi (Certificates & Keys)

Spostarsi nella cartella easy-rsa/2.0 (o la propria versione).

# cd /etc/openvpn/easy-rsa/2.0

Una volta nella cartella editare il file “vars” con vi o un altro editore di testo.

/etc/openvpn/easy-rsa/2.0 # vi vars

Modificare le informazioni relative alla propria località, città, il nome dell’organizzazione, l’indirizzo e-mail eccetera a proprio piacimento.

Una volta fatto eseguire il file “vars”.

workstation1:/etc/openvpn/easy-rsa/2.0 # ./vars
bash: ./vars: Permesso negato
workstation1:/etc/openvpn/easy-rsa/2.0 #

Nel mio caso mi da un errore. Per rimediare bisogna cambire i diritti del file.

workstation1:/etc/openvpn/easy-rsa/2.0 # chmod u+x vars

Ora funziona.

workstation1:/etc/openvpn/easy-rsa/2.0 # ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
workstation1:/etc/openvpn/easy-rsa/2.0 #

Eseguire il comando clean-all.

workstation1:/etc/openvpn/easy-rsa/2.0 # ./clean-all
Please source the vars script first (i.e. "source ./vars")
Make sure you have edited it to reflect your configuration.
workstation1:/etc/openvpn/easy-rsa/2.0 #

Il programma mi invita ad eseguire il comando source.

workstation1:/etc/openvpn/easy-rsa/2.0 # source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
workstation1:/etc/openvpn/easy-rsa/2.0 #

Ora funziona.

workstation1:/etc/openvpn/easy-rsa/2.0 # ./clean-all
workstation1:/etc/openvpn/easy-rsa/2.0 # 

Eseguire build-ca.

workstation1:/etc/openvpn/easy-rsa/2.0 # ./build-ca
Generating a 2048 bit RSA private key
...++
...........++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CH]:
State or Province Name (full name) [ZH]:
Locality Name (eg, city) [Zurich]:
Organization Name (eg, company) [CHIT]:
Organizational Unit Name (eg, section) [IT]:
Common Name (eg, your name or your server's hostname) [christeninformatica.ch]:
Name [EasyRSA]:
Email Address [xxxxxx@]:
workstation1:/etc/openvpn/easy-rsa/2.0 #

Lasciare tutto com’è, se avete cambiato i valori all’inizio (nel file vars) verranno visualizzati automaticamente.

Generare il certificato e la chiave per il Server

workstation1:/etc/openvpn/easy-rsa/2.0 # ./build-key-server server
Generating a 4096 bit RSA private key
..................................................................++
......................................................................................++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CH]:
State or Province Name (full name) [ZH]:
Locality Name (eg, city) [Zurich]:
Organization Name (eg, company) [CHIT]:
Organizational Unit Name (eg, section) [IT]:
Common Name (eg, your name or your server's hostname) [christeninformatica.ch]:
Name [EasyRSA]:
Email Address [xxxxxx@xxxxxx]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CH'
stateOrProvinceName   :PRINTABLE:'ZH'
localityName          :PRINTABLE:'Zurich'
organizationName      :PRINTABLE:'CHIT'
organizationalUnitName:PRINTABLE:'IT'
commonName            :PRINTABLE:'christeninformatica.ch'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'xxxxxx@xxxxxx'
Certificate is to be certified until Mar 26 00:21:16 2025 GMT (3650 days)


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
workstation1:/etc/openvpn/easy-rsa/2.0 #

Lasciare anche qui tutto com’è e confermare con “y” alle ultime due domande:

  • Sign the certificate? [y/n]:y
  • 1 out of 1 certificate requests certified, commit? [y/n]y

Generare il certificato e le chiavi per due clients

workstation1:/etc/openvpn/easy-rsa/2.0 # ./build-key client
Generating a 2048 bit RSA private key
........++
......................................................................................................................................................++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CH]:
State or Province Name (full name) [ZH]:
Locality Name (eg, city) [Zurich]:
Organization Name (eg, company) [CHIT]:
Organizational Unit Name (eg, section) [IT]:
Common Name (eg, your name or your server's hostname) [christeninformatica.ch]:
Name [EasyRSA]:
Email Address [xxxxxx@xxxxxx]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CH'
stateOrProvinceName   :PRINTABLE:'ZH'
localityName          :PRINTABLE:'Zurich'
organizationName      :PRINTABLE:'CHIT'
organizationalUnitName:PRINTABLE:'IT'
commonName            :PRINTABLE:'christeninformatica.ch'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'xxxxxx@xxxxxx'
Certificate is to be certified until Mar 26 00:25:48 2025 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
workstation1:/etc/openvpn/easy-rsa/2.0 # 

Per generare un secondo client fare la stessa cosa con client2.

Generare i parametri Diffie Hellman

workstation1:/etc/openvpn/easy-rsa/2.0 # ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

File chiave (Key Files)

Ogni client ha bisogno di tre files chiave (Key Files) per potersi connettere e identificare, ca.crt, client.crt e client.key. Questi files si trovano in “/etc/openvpn/easy-rsa/2.0/keys”. Copiare i file sul computer del client.

Nome del file Necessari a Scopo Segreta
ca.crt Al Server e a tutti i clients Root CA certificate NO
ca.key A chi segna il certificato Root CA Key SI
dh{n}.pem Al server Parametri Diffie Hellman NO
server.crt Al server Server Certificate NO
server.key Al server Server Key SI
client.crt Al client Client Certificate NO
client.key Al client Client Key SI

Configurazione del client

Creare un file nominato client.conf per ogni client e aggiungere quanto segue.

client
remote xxx.xx.xxx.xx 1194
ca "/path/to/ca.crt"
cert "/path/to/client.crt"
key "/path/to/client.key"
comp-lzo yes
dev tun
proto udp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user nobody
group nobody
remote-cert-tls server

Sostituire naturalmente i dati come l’indirizzo IP del server (xxx.xx.xxx.xx), il nome del certificato, della chiave, la cartella in cui si trova eccetera presenti nell’esempio con i propri.

Configurazione del Server

workstation1:/etc/openvpn/easy-rsa/2.0 # cd keys
workstation1:/etc/openvpn/easy-rsa/2.0/keys # cp ca.key ca.crt dh2048.pem server.key server.crt /etc/openvpn/

Copiare il file di configurazione del server nella cartella /etc/openvpn.

workstation1:/etc/openvpn/easy-rsa/2.0/keys # cp /usr/share/doc/packages/openvpn/sample-config-files/server.conf /etc/openvpn/

Editare il file di configurazione del sever.

# vi /etc/openvpn/server.conf

Cambiare il valore della chiave dh in dh2048 al posto di dh1024.

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys. 
dh dh4096.pem

Attivare la direttiva push “redirect-gateway def1 bypass-dhcp”

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"

Salvare il file.

Per ulteriori informazioni consultare anche la guida in inglese di OPENSUSE: OpenVPN Installation and Setup