Ajout fichiers de conf openvpn
Chocobozzz committed Mar 21, 2014
1 parent 4b163da commit a74ec3c
Showing 8 changed files with 231 additions and 0 deletions.
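--- a/openvpn-conf/client/gnu-linux/client.conf
+++ b/openvpn-conf/client/gnu-linux/client.conf
@@ -0,0 +1,31 @@
+client
+dev tun
+proto tcp-client
+remote xxx.xxx.xxx.xxx 443
+resolv-retry infinite
+cipher AES-256-CBC
+redirect-gateway
+
+# Cles
+# Prouver l'identité
+ca ca.crt
+tls-auth ta.key 1
+key-direction 1
+ns-cert-type server
+auth-user-pass
+auth-nocache
+
+# Securite
+nobind
+persist-key
+persist-tun
+comp-lzo
+verb 3
+
+# DNS
+script-security 2
+up ./update-resolv.sh
+down ./update-resolv.sh
+
+# Proxy ?
+# http-proxy cache.univ.fr 3128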
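Review bot: `ns-cert-type server` (the line after `key-direction 1`) checks the legacy Netscape certificate-type extension rather than the server certificate's Extended Key Usage; `remote-cert-tls server` is the documented replacement and is the form to use unless the CA only marks certificates with nsCertType. The same line appears in openvpn-conf/client/windows/client.conf. Separately, `up ./update-resolv.sh` and `down ./update-resolv.sh` are resolved relative to the directory openvpn is started from, so an absolute path such as `up /etc/openvpn/update-resolv.sh` (the location the script's own header already suggests) is less fragile.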
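--- a/openvpn-conf/client/gnu-linux/update-resolv.sh
+++ b/openvpn-conf/client/gnu-linux/update-resolv.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+#
+# Parses DHCP options from openvpn to update resolv.conf
+# To use set as 'up' and 'down' script in your openvpn *.conf:
+# up /etc/openvpn/update-resolv-conf
+# down /etc/openvpn/update-resolv-conf
+#
+# Used snippets of resolvconf script by Thomas Hood <[email protected]>
+# and Chris Hanson
+# Licensed under the GNU GPL. See /usr/share/common-licenses/GPL.
+# 07/2013 [email protected] Fixed intet name
+# 05/2006 [email protected]
+#
+# Example envs set from openvpn:
+# foreign_option_1='dhcp-option DNS 193.43.27.132'
+# foreign_option_2='dhcp-option DNS 193.43.27.133'
+# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
+
+#[ -x $(which resolvconf) ] || exit 0
+[ -x /usr/bin/resolvconf ] || exit 0
+
+case $script_type in
+
+up)
+for optionname in ${!foreign_option_*} ; do
+option="${!optionname}"
+echo $option
+part1=$(echo "$option" | cut -d " " -f 1)
+if [ "$part1" == "dhcp-option" ] ; then
+part2=$(echo "$option" | cut -d " " -f 2)
+part3=$(echo "$option" | cut -d " " -f 3)
+if [ "$part2" == "DNS" ] ; then
+IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
+fi
+if [ "$part2" == "DOMAIN" ] ; then
+IF_DNS_SEARCH="$IF_DNS_SEARCH $part3"
+fi
+fi
+done
+R=""
+if [ "$IF_DNS_SEARCH" ] ; then
+R="${R}search $IF_DNS_SEARCH
+"
+fi
+for NS in $IF_DNS_NAMESERVERS ; do
+R="${R}nameserver $NS
+"
+done
+#echo -n "$R" | resolvconf -p -a "${dev}"
+echo -n "$R" | /usr/bin/resolvconf -a "${dev}.inet"
+;;
+down)
+resolvconf -d "${dev}.inet"
+;;
+esac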
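Review bot: The `up` branch appends `part3` straight into the `nameserver` and `search` lines handed to resolvconf without checking that a server-pushed `dhcp-option DNS` value is actually an address, so a malformed push lands unchanged in resolv.conf; a guard such as `[[ "$part3" =~ ^[0-9A-Fa-f.:]+$ ]] || continue` just before the `IF_DNS_NAMESERVERS` append keeps junk out. The `[ -x /usr/bin/resolvconf ] || exit 0` guard and the `up` branch use the absolute path while the `down` branch calls bare `resolvconf`, so the two branches can resolve to different binaries; use one form, e.g. `/usr/bin/resolvconf -d "${dev}.inet"`. `echo $option` on the line after `option="${!optionname}"` is unquoted debug output on stdout; either drop it or send it to stderr as `printf '%s\n' "$option" >&2`. `case $script_type in` should quote its selector.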
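--- a/openvpn-conf/client/windows/client.conf
+++ b/openvpn-conf/client/windows/client.conf
@@ -0,0 +1,26 @@
+client
+dev tun
+proto tcp-client
+remote xxx.xxx.xxx.xxx 443
+resolv-retry infinite
+cipher AES-256-CBC
+redirect-gateway
+
+# Cles
+# Prouver l'identité
+ca ca.crt
+tls-auth ta.key 1
+key-direction 1
+ns-cert-type server
+auth-user-pass
+auth-nocache
+
+# Securite
+nobind
+persist-key
+persist-tun
+comp-lzo
+verb 3
+
+# Proxy ?
+# http-proxy cache.univ.fr 3128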
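--- a/openvpn-conf/serveur/scripts/config.sh
+++ b/openvpn-conf/serveur/scripts/config.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# Serveur
+HOST='localhost'
+# Port (par défaut : 3306)
+PORT='3306'
+# Username
+USER='vpn_user'
+# Password
+PASS='mdp'
+# Nom de la base de données
+DB='vpn'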
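Review bot: `PASS='mdp'` commits a database password in clear text next to `USER='vpn_user'`, and this file is sourced by login.sh, connect.sh and disconnect.sh, so whatever value replaces the placeholder will live in version control; keep the real credentials outside the repository (for example a deployed-only copy of this file, or a MySQL option file referenced with `--defaults-extra-file`) and state that `mdp` is a placeholder. A header comment such as `# Valeurs d'exemple : la copie déployée doit être lisible uniquement par l'utilisateur qui lance openvpn` would make that explicit. Assigning `USER` may also shadow the login-name variable in every script that sources this file, so a less generic name such as `DB_USER` would avoid confusion.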
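--- a/openvpn-conf/serveur/scripts/connect.sh
+++ b/openvpn-conf/serveur/scripts/connect.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+. /etc/openvpn/scripts/config.sh
+
+# On insert les données dans la table de log
+mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "INSERT INTO log (log_id, user_id, log_trusted_ip, log_trusted_port, log_remote_ip, log_remote_port, log_start_time, log_end_time, log_received, log_send) VALUES(NULL, '$common_name','$trusted_ip', '$trusted_port','$ifconfig_pool_remote_ip', '$remote_port_1', now(),'0000-00-00 00:00:00', '$bytes_received', '$bytes_sent')"
+
+# On spécifie que l'utilisateur est en ligne
+mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "UPDATE user SET user_online=1 WHERE user_id='$common_name'"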
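Review bot: Both mysql invocations splice `$common_name`, `$trusted_ip`, `$trusted_port`, `$ifconfig_pool_remote_ip`, `$remote_port_1`, `$bytes_received` and `$bytes_sent` directly into the SQL text, and because serveur.conf sets `username-as-common-name`, `common_name` is the name the client typed at login; nothing escapes a quote character, so the statements are open to SQL injection. disconnect.sh has the same pattern with `$common_name`, `$trusted_ip` and `$trusted_port`, and login.sh with `$username` and `$password`. At minimum validate the client-controlled values before use, e.g. `[[ "$common_name" =~ ^[A-Za-z0-9._@-]+$ ]] || exit 1`, and keep the numeric fields numeric, `[[ "$trusted_port" =~ ^[0-9]+$ ]] || exit 1`. The password is also passed as `-p$PASS` on the command line, where it is visible to any local user through the process list; `--defaults-extra-file` pointing at a mode-0600 option file avoids that. `$DB` and the `-h`/`-P`/`-u` values are unquoted.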
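--- a/openvpn-conf/serveur/scripts/disconnect.sh
+++ b/openvpn-conf/serveur/scripts/disconnect.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+. /etc/openvpn/scripts/config.sh
+
+# On précise que l'utilisateur n'est plus en ligne
+mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "UPDATE user SET user_online=0 WHERE user_id='$common_name'"
+
+# On insert le datetime de déconnexion
+mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "UPDATE log SET log_end_time=now(), log_received='$bytes_received', log_send='$bytes_sent' WHERE log_trusted_ip='$trusted_ip' AND log_trusted_port='$trusted_port' AND user_id='$common_name' AND log_end_time='0000-00-00 00:00:00'"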
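--- a/openvpn-conf/serveur/scripts/login.sh
+++ b/openvpn-conf/serveur/scripts/login.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+. /etc/openvpn/scripts/config.sh
+
+# Authentication
+user_id=$(mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -sN -e "SELECT user_id FROM user WHERE user_id = '$username' AND user_pass = SHA1('$password') AND user_enable=1 AND (TO_DAYS(now()) &gt;= TO_DAYS(user_start_date) OR user_start_date='0000-00-00') AND (TO_DAYS(now()) &lt;= TO_DAYS(user_end_date) OR user_end_date='0000-00-00')")
+
+# Vérification de l'utilisateur
+[ "$user_id" != '' ] && [ "$user_id" = "$username" ] && echo "user : $username" && echo 'authentication ok.' && exit 0 || echo 'authentication failed.'; exit 1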
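--- a/openvpn-conf/serveur/serveur.conf
+++ b/openvpn-conf/serveur/serveur.conf
@@ -0,0 +1,84 @@
+# Server en tcp, port 443 en écoute en créant un tunnel
+mode server
+proto tcp
+port 443
+dev tun
+
+## CLE, CERTIFICATS ET CONFIGURATION RÉSEAU ##
+# Prouver l'identité
+ca ca.crt
+# Clé publique du serveur
+cert server.crt
+# Clé privée du serveur
+key server.key
+# Clé partagée (utilisé pour le chiffrement symétrique, hashage...)
+dh dh1024.pem
+# Augmente la sécurité (DDOS, port flooding...)
+# Deuxième paramètre à 0 sur le serveur et 1 sur le client)
+tls-auth ta.key 0
+# Choix de la méthode de cryptographie
+cipher AES-256-CBC
+
+# Reseau
+# Sous réseau, le serveur prendra l'adresse 10.8.0.1 et le reste sera disponible pour les clients
+server 10.8.0.0 255.255.255.0
+
+# Redirection du trafic via internet
+push "redirect-gateway def1"
+
+# Utilisation de DNS alternatifs (OpenDNS)
+push "dhcp-option DNS 208.67.222.222"
+push "dhcp-option DNS 208.67.220.220"
+
+# (DNS de Google)
+# push "dhcp-option DNS 8.8.8.8"
+# push "dhcp-option DNS 8.8.4.4"
+
+# Ping toutes les 10 secondes et si après 120 secondes le client ne répond toujours pas alors on déconnecte
+keepalive 10 120
+# Regenerer la clé du canal toutes les 5h (implique la déconnexion du client)
+reneg-sec 18000
+
+## SECURITE ##
+
+# On abaisse les privilèges du démon
+user nobody
+group nogroup
+
+# Rend les clés persistantes au démarrage
+# Donc, plus besoin de relire les clés cryptographiques (dont on aurait pas eu les droits car on a abaissé les privilèges du démon)
+persist-key
+# Ne pas fermer et rouvrir le périphérique TUN/TAP
+persist-tun
+# Active la compression
+comp-lzo
+
+## LOG ##
+
+# Quantité de log (choix entre 0 et 9)
+# Choisir entre 3 et 4 pour une utilisation normale
+verb 3
+# Imprime au plus 20 messages de la même catégorie
+mute 20
+# Fichier où on liste les connexions des clients
+status openvpn-status.log
+# Fichier de log
+log-append /var/log/openvpn.log
+# Dossier de configuration des clients
+client-config-dir ccd
+
+## PASS ##
+
+# Autoriser l'exécution de scripts externes en passant les mots de passe via les variables d'environnement
+script-security 3 system
+# Utiliser le pseudo d'authentification comme nom (au lieu du nom du certificat du client)
+username-as-common-name
+# Certificat du client non requis
+client-cert-not-required
+# Utiliser le script de connexion lorsqu'un client veut s'authentifier
+auth-user-pass-verify scripts/login.sh via-env
+# Nombre maximum de clients
+max-clients 50
+# Appeler ces scripts à la connexion et déconnexion du client
+client-connect scripts/connect.sh
+client-disconnect scripts/disconnect.sh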
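Review bot: `dh dh1024.pem` selects 1024-bit Diffie-Hellman parameters for the TLS handshake, which is below current recommendations; generate a 2048-bit file and reference it with `dh dh2048.pem`. `auth-user-pass-verify scripts/login.sh via-env` hands the client password to the script through the environment, which the OpenVPN manual notes can be visible to other processes on some platforms; `via-file` passes it through a temporary file instead. With `client-cert-not-required` and `username-as-common-name`, authentication rests entirely on login.sh, so the unescaped SQL raised on the scripts decides who gets in. The `scripts/...` paths are presumably resolved relative to the daemon's working directory, so either a `cd /etc/openvpn` directive or absolute paths such as `/etc/openvpn/scripts/login.sh` would avoid a silent lookup failure.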
