====== Simple OpenVPN ======
====== The test platform ======
{{ :vpn:20openvpn:maquette-openvpn.png?300|}}
Two machines each have an internet connection. One is called AARON and has a fixed public IP address: 82.127.57.95. The other is called CYCLOPE and has a dynamic IP address: 80.8.135.67 at the time of this first test. Both machines run Debian Etch, with a 2.6.24 kernel and OpenVPN version 2.0.9.
aaron:~# apt-get install openvpn
Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
openvpn
...
Stopping openvpn:.
Starting openvpn:.
The installation script asks two questions:
  * the first concerns the creation of the virtual "device" needed for TUN; answer "yes",
  * the second is only relevant if you are upgrading OpenVPN through an OpenVPN tunnel. In my opinion it is better, whenever possible, to avoid such risky situations; for that kind of operation, SSH will do perfectly well.
While we are at it, let us check for the LZO compression library, which will let us improve the tunnel's throughput:
aaron:~# dpkg -l | grep lzo
ii liblzo1 1.08-1 A real-time data compression library
aaron:~#
It is there. Otherwise, ''apt-get install liblzo1'' will take care of it.
Since we have no OpenVPN configuration yet, nothing has actually started, even though the installation printed "Starting openvpn:.". For now we keep things simple: we are going to bring up a tunnel "by hand", just to see.
===== Starting the server =====
On AARON, which has a fixed IP address, we start the server:
aaron:~# openvpn --port 8147 --dev tun1 --ifconfig 192.168.25.1 192.168.25.2 --comp-lzo --verb 5
A few words of explanation about this command line:
  * ''--port 8147'' is the port that will carry the tunnel,
  * ''--dev tun1'' is the virtual network interface that forms, so to speak, the server-side end of the tunnel,
  * ''--ifconfig 192.168.25.1 192.168.25.2'' assigns the IP addresses to each end of the tunnel:
    * 192.168.25.1 on the local side,
    * 192.168.25.2 on the remote side,
  * ''--comp-lzo'' indicates that we use LZO real-time compression,
  * ''--verb 5'' is the verbosity level we want from OpenVPN. Level 5 is fairly talkative, as the following shows:
Sat Nov 15 16:12:35 2008 us=919505 Current Parameter Settings:
Sat Nov 15 16:12:35 2008 us=920394 config = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=920759 mode = 0
Sat Nov 15 16:12:35 2008 us=920997 persist_config = DISABLED
Sat Nov 15 16:12:35 2008 us=921227 persist_mode = 1
Sat Nov 15 16:12:35 2008 us=921453 show_ciphers = DISABLED
Sat Nov 15 16:12:35 2008 us=921679 show_digests = DISABLED
Sat Nov 15 16:12:35 2008 us=921905 show_engines = DISABLED
Sat Nov 15 16:12:35 2008 us=922131 genkey = DISABLED
Sat Nov 15 16:12:35 2008 us=922360 key_pass_file = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=922590 show_tls_ciphers = DISABLED
Sat Nov 15 16:12:35 2008 us=922822 proto = 0
Sat Nov 15 16:12:35 2008 us=923050 local = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=923275 remote_list = NULL
Sat Nov 15 16:12:35 2008 us=923503 remote_random = DISABLED
Sat Nov 15 16:12:35 2008 us=923733 local_port = 8147
Sat Nov 15 16:12:35 2008 us=923960 remote_port = 8147
Sat Nov 15 16:12:35 2008 us=924193 remote_float = DISABLED
Sat Nov 15 16:12:35 2008 us=924456 ipchange = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=924739 bind_local = ENABLED
Sat Nov 15 16:12:35 2008 us=924967 dev = 'tun1'
Sat Nov 15 16:12:35 2008 us=925195 dev_type = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=925422 dev_node = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=925649 tun_ipv6 = DISABLED
Sat Nov 15 16:12:35 2008 us=925875 ifconfig_local = '192.168.25.1'
Sat Nov 15 16:12:35 2008 us=926181 ifconfig_remote_netmask = '192.168.25.2'
Sat Nov 15 16:12:35 2008 us=926417 ifconfig_noexec = DISABLED
Sat Nov 15 16:12:35 2008 us=926646 ifconfig_nowarn = DISABLED
Sat Nov 15 16:12:35 2008 us=926876 shaper = 0
Sat Nov 15 16:12:35 2008 us=927103 tun_mtu = 1500
Sat Nov 15 16:12:35 2008 us=927328 tun_mtu_defined = ENABLED
Sat Nov 15 16:12:35 2008 us=927565 link_mtu = 1500
Sat Nov 15 16:12:35 2008 us=927764 link_mtu_defined = DISABLED
Sat Nov 15 16:12:35 2008 us=927967 tun_mtu_extra = 0
Sat Nov 15 16:12:35 2008 us=928166 tun_mtu_extra_defined = DISABLED
Sat Nov 15 16:12:35 2008 us=928368 fragment = 0
Sat Nov 15 16:12:35 2008 us=928568 mtu_discover_type = -1
Sat Nov 15 16:12:35 2008 us=928812 mtu_test = 0
Sat Nov 15 16:12:35 2008 us=929010 mlock = DISABLED
Sat Nov 15 16:12:35 2008 us=929211 keepalive_ping = 0
Sat Nov 15 16:12:35 2008 us=929411 keepalive_timeout = 0
Sat Nov 15 16:12:35 2008 us=929612 inactivity_timeout = 0
Sat Nov 15 16:12:35 2008 us=929811 ping_send_timeout = 0
Sat Nov 15 16:12:35 2008 us=930010 ping_rec_timeout = 0
Sat Nov 15 16:12:35 2008 us=930209 ping_rec_timeout_action = 0
Sat Nov 15 16:12:35 2008 us=930409 ping_timer_remote = DISABLED
Sat Nov 15 16:12:35 2008 us=930612 remap_sigusr1 = 0
Sat Nov 15 16:12:35 2008 us=930812 explicit_exit_notification = 0
Sat Nov 15 16:12:35 2008 us=931012 persist_tun = DISABLED
Sat Nov 15 16:12:35 2008 us=931211 persist_local_ip = DISABLED
Sat Nov 15 16:12:35 2008 us=931413 persist_remote_ip = DISABLED
Sat Nov 15 16:12:35 2008 us=931615 persist_key = DISABLED
Sat Nov 15 16:12:35 2008 us=931815 mssfix = 1450
Sat Nov 15 16:12:35 2008 us=932014 passtos = DISABLED
Sat Nov 15 16:12:35 2008 us=932216 resolve_retry_seconds = 1000000000
Sat Nov 15 16:12:35 2008 us=932418 connect_retry_seconds = 5
Sat Nov 15 16:12:35 2008 us=932659 username = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=932859 groupname = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=933059 chroot_dir = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=933257 cd_dir = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=933457 writepid = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=933657 up_script = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=933857 down_script = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=934055 down_pre = DISABLED
Sat Nov 15 16:12:35 2008 us=934254 up_restart = DISABLED
Sat Nov 15 16:12:35 2008 us=934453 up_delay = DISABLED
Sat Nov 15 16:12:35 2008 us=934652 daemon = DISABLED
Sat Nov 15 16:12:35 2008 us=934852 inetd = 0
Sat Nov 15 16:12:35 2008 us=935050 log = DISABLED
Sat Nov 15 16:12:35 2008 us=935250 suppress_timestamps = DISABLED
Sat Nov 15 16:12:35 2008 us=935451 nice = 0
Sat Nov 15 16:12:35 2008 us=935650 verbosity = 5
Sat Nov 15 16:12:35 2008 us=935974 mute = 0
Sat Nov 15 16:12:35 2008 us=936179 gremlin = 0
Sat Nov 15 16:12:35 2008 us=936379 status_file = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=936620 status_file_version = 1
Sat Nov 15 16:12:35 2008 us=936822 status_file_update_freq = 60
Sat Nov 15 16:12:35 2008 us=937022 occ = ENABLED
Sat Nov 15 16:12:35 2008 us=937223 rcvbuf = 65536
Sat Nov 15 16:12:35 2008 us=937422 sndbuf = 65536
Sat Nov 15 16:12:35 2008 us=937622 socks_proxy_server = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=937825 socks_proxy_port = 0
Sat Nov 15 16:12:35 2008 us=938024 socks_proxy_retry = DISABLED
Sat Nov 15 16:12:35 2008 us=938263 fast_io = DISABLED
Sat Nov 15 16:12:35 2008 us=938466 comp_lzo = ENABLED
Sat Nov 15 16:12:35 2008 us=938667 comp_lzo_adaptive = ENABLED
Sat Nov 15 16:12:35 2008 us=938869 route_script = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=939071 route_default_gateway = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=939272 route_noexec = DISABLED
Sat Nov 15 16:12:35 2008 us=939471 route_delay = 0
Sat Nov 15 16:12:35 2008 us=939670 route_delay_window = 30
Sat Nov 15 16:12:35 2008 us=939868 route_delay_defined = DISABLED
Sat Nov 15 16:12:35 2008 us=940070 management_addr = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=940274 management_port = 0
Sat Nov 15 16:12:35 2008 us=940473 management_user_pass = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=940717 management_log_history_cache = 250
Sat Nov 15 16:12:35 2008 us=940919 management_echo_buffer_size = 100
Sat Nov 15 16:12:35 2008 us=941120 management_query_passwords = DISABLED
Sat Nov 15 16:12:35 2008 us=941321 management_hold = DISABLED
Sat Nov 15 16:12:35 2008 us=941524 shared_secret_file = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=941727 key_direction = 0
Sat Nov 15 16:12:35 2008 us=941928 ciphername_defined = ENABLED
Sat Nov 15 16:12:35 2008 us=942132 ciphername = 'BF-CBC'
Sat Nov 15 16:12:35 2008 us=942333 authname_defined = ENABLED
Sat Nov 15 16:12:35 2008 us=942535 authname = 'SHA1'
Sat Nov 15 16:12:35 2008 us=942736 keysize = 0
Sat Nov 15 16:12:35 2008 us=942936 engine = DISABLED
Sat Nov 15 16:12:35 2008 us=943136 replay = ENABLED
Sat Nov 15 16:12:35 2008 us=943337 mute_replay_warnings = DISABLED
Sat Nov 15 16:12:35 2008 us=943541 replay_window = 64
Sat Nov 15 16:12:35 2008 us=943741 replay_time = 15
Sat Nov 15 16:12:35 2008 us=943941 packet_id_file = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=944143 use_iv = ENABLED
Sat Nov 15 16:12:35 2008 us=944344 test_crypto = DISABLED
Sat Nov 15 16:12:35 2008 us=944905 tls_server = DISABLED
Sat Nov 15 16:12:35 2008 us=945125 tls_client = DISABLED
Sat Nov 15 16:12:35 2008 us=945326 key_method = 2
Sat Nov 15 16:12:35 2008 us=945525 ca_file = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=945725 dh_file = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=945925 cert_file = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=946125 priv_key_file = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=946328 pkcs12_file = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=946528 cipher_list = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=946766 tls_verify = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=946970 tls_remote = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=947172 crl_file = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=947375 ns_cert_type = 0
Sat Nov 15 16:12:35 2008 us=947577 tls_timeout = 2
Sat Nov 15 16:12:35 2008 us=947779 renegotiate_bytes = 0
Sat Nov 15 16:12:35 2008 us=947981 renegotiate_packets = 0
Sat Nov 15 16:12:35 2008 us=948183 renegotiate_seconds = 3600
Sat Nov 15 16:12:35 2008 us=948388 handshake_window = 60
Sat Nov 15 16:12:35 2008 us=948627 transition_window = 3600
Sat Nov 15 16:12:35 2008 us=948830 single_session = DISABLED
Sat Nov 15 16:12:35 2008 us=949035 tls_exit = DISABLED
Sat Nov 15 16:12:35 2008 us=949236 tls_auth_file = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=949522 server_network = 0.0.0.0
Sat Nov 15 16:12:35 2008 us=949737 server_netmask = 0.0.0.0
Sat Nov 15 16:12:35 2008 us=949949 server_bridge_ip = 0.0.0.0
Sat Nov 15 16:12:35 2008 us=950160 server_bridge_netmask = 0.0.0.0
Sat Nov 15 16:12:35 2008 us=950371 server_bridge_pool_start = 0.0.0.0
Sat Nov 15 16:12:35 2008 us=950582 server_bridge_pool_end = 0.0.0.0
Sat Nov 15 16:12:35 2008 us=950785 ifconfig_pool_defined = DISABLED
Sat Nov 15 16:12:35 2008 us=950998 ifconfig_pool_start = 0.0.0.0
Sat Nov 15 16:12:35 2008 us=951209 ifconfig_pool_end = 0.0.0.0
Sat Nov 15 16:12:35 2008 us=951419 ifconfig_pool_netmask = 0.0.0.0
Sat Nov 15 16:12:35 2008 us=951622 ifconfig_pool_persist_filename = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=951829 ifconfig_pool_persist_refresh_freq = 600
Sat Nov 15 16:12:35 2008 us=952034 ifconfig_pool_linear = DISABLED
Sat Nov 15 16:12:35 2008 us=952238 n_bcast_buf = 256
Sat Nov 15 16:12:35 2008 us=952440 tcp_queue_limit = 64
Sat Nov 15 16:12:35 2008 us=952681 real_hash_size = 256
Sat Nov 15 16:12:35 2008 us=952882 virtual_hash_size = 256
Sat Nov 15 16:12:35 2008 us=953082 client_connect_script = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=953285 learn_address_script = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=953489 client_disconnect_script = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=953693 client_config_dir = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=953896 ccd_exclusive = DISABLED
Sat Nov 15 16:12:35 2008 us=954097 tmp_dir = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=954297 push_ifconfig_defined = DISABLED
Sat Nov 15 16:12:35 2008 us=954509 push_ifconfig_local = 0.0.0.0
Sat Nov 15 16:12:35 2008 us=954759 push_ifconfig_remote_netmask = 0.0.0.0
Sat Nov 15 16:12:35 2008 us=954965 enable_c2c = DISABLED
Sat Nov 15 16:12:35 2008 us=955165 duplicate_cn = DISABLED
Sat Nov 15 16:12:35 2008 us=955365 cf_max = 0
Sat Nov 15 16:12:35 2008 us=955565 cf_per = 0
Sat Nov 15 16:12:35 2008 us=955767 max_clients = 1024
Sat Nov 15 16:12:35 2008 us=955968 max_routes_per_client = 256
Sat Nov 15 16:12:35 2008 us=956170 client_cert_not_required = DISABLED
Sat Nov 15 16:12:35 2008 us=956372 username_as_common_name = DISABLED
Sat Nov 15 16:12:35 2008 us=956614 auth_user_pass_verify_script = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=956823 auth_user_pass_verify_script_via_file = DISABLED
Sat Nov 15 16:12:35 2008 us=957028 client = DISABLED
Sat Nov 15 16:12:35 2008 us=957228 pull = DISABLED
Sat Nov 15 16:12:35 2008 us=957431 auth_user_pass_file = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=957639 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007
Sat Nov 15 16:12:35 2008 us=958082 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
Sat Nov 15 16:12:35 2008 us=958372 LZO compression initialized
Sat Nov 15 16:12:36 2008 us=8893 TUN/TAP device tun1 opened
Sat Nov 15 16:12:36 2008 us=9719 TUN/TAP TX queue length set to 100
Sat Nov 15 16:12:36 2008 us=10023 ifconfig tun1 192.168.25.1 pointopoint 192.168.25.2 mtu 1500
Sat Nov 15 16:12:36 2008 us=24915 Data Channel MTU parms [ L:1501 D:1450 EF:1 EB:135 ET:0 EL:0 AF:14/1 ]
Sat Nov 15 16:12:36 2008 us=25336 Local Options String: 'V4,dev-type tun,link-mtu 1501,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.2 192.168.25.1,comp-lzo'
Sat Nov 15 16:12:36 2008 us=25547 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1501,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.1 192.168.25.2,comp-lzo'
Sat Nov 15 16:12:36 2008 us=25855 Local Options hash (VER=V4): 'c50ab9ee'
Sat Nov 15 16:12:36 2008 us=26106 Expected Remote Options hash (VER=V4): '932cd9e7'
Sat Nov 15 16:12:36 2008 us=26394 Socket Buffers: R=[110592->131072] S=[110592->131072]
Sat Nov 15 16:12:36 2008 us=26622 UDPv4 link local (bound): [undef]:8147
Sat Nov 15 16:12:36 2008 us=26822 UDPv4 link remote: [undef]
All this only goes to show that we are far from using every parameter OpenVPN offers. The goal, after all, is to reach a secure solution as quickly as possible rather than to explore everything OpenVPN can do.
Still, it is worth reading the listing above with some attention: it gives a good idea of everything OpenVPN can do. The entries that matter here are the options we set on the command line (local_port, dev, ifconfig_local, ifconfig_remote_netmask, comp_lzo, verbosity), together with the WARNING line: with no key and no TLS configured, OpenVPN states plainly that all data will be tunnelled as cleartext. Checks:
aaron:~# ifconfig
...
ppp0 Link encap:Point-to-Point Protocol
inet addr:82.127.57.95 P-t-P:193.253.160.3 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:342756 errors:0 dropped:0 overruns:0 frame:0
TX packets:290200 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:426707207 (406.9 MiB) TX bytes:26657415 (25.4 MiB)
tun1 Lien encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet adr:192.168.25.1 P-t-P:192.168.25.2 Masque:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
aaron:~#
In addition to ppp0, which is the internet connection, we have a tun1 interface that also shows up as a point-to-point link between 192.168.25.1 (local) and 192.168.25.2 (remote).
aaron:~# route -n
Table de routage IP du noyau
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.25.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun1
...
0.0.0.0 193.253.160.3 0.0.0.0 UG 0 0 0 ppp0
aaron:~#
and we do have the route to 192.168.25.2 going through tun1.
===== Starting the client =====
On CYCLOPE, we do something very similar:
cyclope:~# openvpn --remote 82.127.57.95 --port 8147 --dev tun1 --ifconfig 192.168.25.2 192.168.25.1 --comp-lzo --verb 5
Note that here, since we are the client, we additionally specify the remote IP address that carries the tunnel (''--remote 82.127.57.95'').
Sat Nov 15 16:34:36 2008 us=173490 Current Parameter Settings:
Sat Nov 15 16:34:36 2008 us=174921 config = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=175726 mode = 0
Sat Nov 15 16:34:36 2008 us=176424 persist_config = DISABLED
Sat Nov 15 16:34:36 2008 us=177123 persist_mode = 1
Sat Nov 15 16:34:36 2008 us=177812 show_ciphers = DISABLED
Sat Nov 15 16:34:36 2008 us=178498 show_digests = DISABLED
Sat Nov 15 16:34:36 2008 us=179278 show_engines = DISABLED
Sat Nov 15 16:34:36 2008 us=179941 genkey = DISABLED
Sat Nov 15 16:34:36 2008 us=180637 key_pass_file = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=181333 show_tls_ciphers = DISABLED
Sat Nov 15 16:34:36 2008 us=182030 proto = 0
Sat Nov 15 16:34:36 2008 us=182719 local = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=183491 remote_list[0] = {'82.127.57.95', 8147}
Sat Nov 15 16:34:36 2008 us=184189 remote_random = DISABLED
Sat Nov 15 16:34:36 2008 us=184887 local_port = 8147
Sat Nov 15 16:34:36 2008 us=185581 remote_port = 8147
Sat Nov 15 16:34:36 2008 us=186272 remote_float = DISABLED
Sat Nov 15 16:34:36 2008 us=186962 ipchange = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=187543 bind_local = ENABLED
Sat Nov 15 16:34:36 2008 us=188219 dev = 'tun1'
Sat Nov 15 16:34:36 2008 us=188918 dev_type = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=189610 dev_node = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=190298 tun_ipv6 = DISABLED
Sat Nov 15 16:34:36 2008 us=190814 ifconfig_local = '192.168.25.2'
Sat Nov 15 16:34:36 2008 us=191576 ifconfig_remote_netmask = '192.168.25.1'
Sat Nov 15 16:34:36 2008 us=192110 ifconfig_noexec = DISABLED
Sat Nov 15 16:34:36 2008 us=192626 ifconfig_nowarn = DISABLED
Sat Nov 15 16:34:36 2008 us=193144 shaper = 0
Sat Nov 15 16:34:36 2008 us=193524 tun_mtu = 1500
Sat Nov 15 16:34:36 2008 us=194325 tun_mtu_defined = ENABLED
Sat Nov 15 16:34:36 2008 us=195256 link_mtu = 1500
Sat Nov 15 16:34:36 2008 us=195933 link_mtu_defined = DISABLED
Sat Nov 15 16:34:36 2008 us=196634 tun_mtu_extra = 0
Sat Nov 15 16:34:36 2008 us=197319 tun_mtu_extra_defined = DISABLED
Sat Nov 15 16:34:36 2008 us=198018 fragment = 0
Sat Nov 15 16:34:36 2008 us=198173 mtu_discover_type = -1
Sat Nov 15 16:34:36 2008 us=198277 mtu_test = 0
Sat Nov 15 16:34:36 2008 us=198565 mlock = DISABLED
Sat Nov 15 16:34:36 2008 us=198674 keepalive_ping = 0
Sat Nov 15 16:34:36 2008 us=198777 keepalive_timeout = 0
Sat Nov 15 16:34:36 2008 us=198879 inactivity_timeout = 0
Sat Nov 15 16:34:36 2008 us=198980 ping_send_timeout = 0
Sat Nov 15 16:34:36 2008 us=199082 ping_rec_timeout = 0
Sat Nov 15 16:34:36 2008 us=199240 ping_rec_timeout_action = 0
Sat Nov 15 16:34:36 2008 us=199351 ping_timer_remote = DISABLED
Sat Nov 15 16:34:36 2008 us=199454 remap_sigusr1 = 0
Sat Nov 15 16:34:36 2008 us=199556 explicit_exit_notification = 0
Sat Nov 15 16:34:36 2008 us=199657 persist_tun = DISABLED
Sat Nov 15 16:34:36 2008 us=199758 persist_local_ip = DISABLED
Sat Nov 15 16:34:36 2008 us=199861 persist_remote_ip = DISABLED
Sat Nov 15 16:34:36 2008 us=199963 persist_key = DISABLED
Sat Nov 15 16:34:36 2008 us=200065 mssfix = 1450
Sat Nov 15 16:34:36 2008 us=200164 passtos = DISABLED
Sat Nov 15 16:34:36 2008 us=200268 resolve_retry_seconds = 1000000000
Sat Nov 15 16:34:36 2008 us=200371 connect_retry_seconds = 5
Sat Nov 15 16:34:36 2008 us=200472 username = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=200574 groupname = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=200676 chroot_dir = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=200777 cd_dir = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=200879 writepid = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=201342 up_script = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=201449 down_script = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=201552 down_pre = DISABLED
Sat Nov 15 16:34:36 2008 us=201653 up_restart = DISABLED
Sat Nov 15 16:34:36 2008 us=201754 up_delay = DISABLED
Sat Nov 15 16:34:36 2008 us=201854 daemon = DISABLED
Sat Nov 15 16:34:36 2008 us=201956 inetd = 0
Sat Nov 15 16:34:36 2008 us=202055 log = DISABLED
Sat Nov 15 16:34:36 2008 us=202187 suppress_timestamps = DISABLED
Sat Nov 15 16:34:36 2008 us=202293 nice = 0
Sat Nov 15 16:34:36 2008 us=202395 verbosity = 5
Sat Nov 15 16:34:36 2008 us=202495 mute = 0
Sat Nov 15 16:34:36 2008 us=202594 gremlin = 0
Sat Nov 15 16:34:36 2008 us=202694 status_file = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=202797 status_file_version = 1
Sat Nov 15 16:34:36 2008 us=202899 status_file_update_freq = 60
Sat Nov 15 16:34:36 2008 us=202998 occ = ENABLED
Sat Nov 15 16:34:36 2008 us=203099 rcvbuf = 65536
Sat Nov 15 16:34:36 2008 us=203257 sndbuf = 65536
Sat Nov 15 16:34:36 2008 us=203364 socks_proxy_server = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=203467 socks_proxy_port = 0
Sat Nov 15 16:34:36 2008 us=203567 socks_proxy_retry = DISABLED
Sat Nov 15 16:34:36 2008 us=203668 fast_io = DISABLED
Sat Nov 15 16:34:36 2008 us=203768 comp_lzo = ENABLED
Sat Nov 15 16:34:36 2008 us=203870 comp_lzo_adaptive = ENABLED
Sat Nov 15 16:34:36 2008 us=203972 route_script = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=204075 route_default_gateway = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=204178 route_noexec = DISABLED
Sat Nov 15 16:34:36 2008 us=204280 route_delay = 0
Sat Nov 15 16:34:36 2008 us=204381 route_delay_window = 30
Sat Nov 15 16:34:36 2008 us=204482 route_delay_defined = DISABLED
Sat Nov 15 16:34:36 2008 us=204584 management_addr = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=204687 management_port = 0
Sat Nov 15 16:34:36 2008 us=204787 management_user_pass = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=204892 management_log_history_cache = 250
Sat Nov 15 16:34:36 2008 us=204995 management_echo_buffer_size = 100
Sat Nov 15 16:34:36 2008 us=205096 management_query_passwords = DISABLED
Sat Nov 15 16:34:36 2008 us=205198 management_hold = DISABLED
Sat Nov 15 16:34:36 2008 us=205301 shared_secret_file = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=205406 key_direction = 0
Sat Nov 15 16:34:36 2008 us=205511 ciphername_defined = ENABLED
Sat Nov 15 16:34:36 2008 us=205617 ciphername = 'BF-CBC'
Sat Nov 15 16:34:36 2008 us=207738 authname_defined = ENABLED
Sat Nov 15 16:34:36 2008 us=208446 authname = 'SHA1'
Sat Nov 15 16:34:36 2008 us=208797 keysize = 0
Sat Nov 15 16:34:36 2008 us=209136 engine = DISABLED
Sat Nov 15 16:34:36 2008 us=209596 replay = ENABLED
Sat Nov 15 16:34:36 2008 us=209938 mute_replay_warnings = DISABLED
Sat Nov 15 16:34:36 2008 us=210281 replay_window = 64
Sat Nov 15 16:34:36 2008 us=211657 replay_time = 15
Sat Nov 15 16:34:36 2008 us=212493 packet_id_file = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=213188 use_iv = ENABLED
Sat Nov 15 16:34:36 2008 us=213880 test_crypto = DISABLED
Sat Nov 15 16:34:36 2008 us=214576 tls_server = DISABLED
Sat Nov 15 16:34:36 2008 us=215350 tls_client = DISABLED
Sat Nov 15 16:34:36 2008 us=216024 key_method = 2
Sat Nov 15 16:34:36 2008 us=216707 ca_file = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=217400 dh_file = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=218080 cert_file = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=218775 priv_key_file = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=219533 pkcs12_file = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=220223 cipher_list = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=220918 tls_verify = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=221613 tls_remote = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=222309 crl_file = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=223007 ns_cert_type = 0
Sat Nov 15 16:34:36 2008 us=223760 tls_timeout = 2
Sat Nov 15 16:34:36 2008 us=224460 renegotiate_bytes = 0
Sat Nov 15 16:34:36 2008 us=225159 renegotiate_packets = 0
Sat Nov 15 16:34:36 2008 us=225858 renegotiate_seconds = 3600
Sat Nov 15 16:34:36 2008 us=226428 handshake_window = 60
Sat Nov 15 16:34:36 2008 us=226544 transition_window = 3600
Sat Nov 15 16:34:36 2008 us=226648 single_session = DISABLED
Sat Nov 15 16:34:36 2008 us=226753 tls_exit = DISABLED
Sat Nov 15 16:34:36 2008 us=226858 tls_auth_file = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=227094 server_network = 0.0.0.0
Sat Nov 15 16:34:36 2008 us=227279 server_netmask = 0.0.0.0
Sat Nov 15 16:34:36 2008 us=227402 server_bridge_ip = 0.0.0.0
Sat Nov 15 16:34:36 2008 us=227522 server_bridge_netmask = 0.0.0.0
Sat Nov 15 16:34:36 2008 us=227675 server_bridge_pool_start = 0.0.0.0
Sat Nov 15 16:34:36 2008 us=227795 server_bridge_pool_end = 0.0.0.0
Sat Nov 15 16:34:36 2008 us=227902 ifconfig_pool_defined = DISABLED
Sat Nov 15 16:34:36 2008 us=228204 ifconfig_pool_start = 0.0.0.0
Sat Nov 15 16:34:36 2008 us=228332 ifconfig_pool_end = 0.0.0.0
Sat Nov 15 16:34:36 2008 us=228450 ifconfig_pool_netmask = 0.0.0.0
Sat Nov 15 16:34:36 2008 us=228592 ifconfig_pool_persist_filename = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=228713 ifconfig_pool_persist_refresh_freq = 600
Sat Nov 15 16:34:36 2008 us=228819 ifconfig_pool_linear = DISABLED
Sat Nov 15 16:34:36 2008 us=228926 n_bcast_buf = 256
Sat Nov 15 16:34:36 2008 us=229032 tcp_queue_limit = 64
Sat Nov 15 16:34:36 2008 us=229135 real_hash_size = 256
Sat Nov 15 16:34:36 2008 us=229240 virtual_hash_size = 256
Sat Nov 15 16:34:36 2008 us=229344 client_connect_script = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=229450 learn_address_script = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=229556 client_disconnect_script = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=229663 client_config_dir = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=229767 ccd_exclusive = DISABLED
Sat Nov 15 16:34:36 2008 us=229870 tmp_dir = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=229972 push_ifconfig_defined = DISABLED
Sat Nov 15 16:34:36 2008 us=230091 push_ifconfig_local = 0.0.0.0
Sat Nov 15 16:34:36 2008 us=230210 push_ifconfig_remote_netmask = 0.0.0.0
Sat Nov 15 16:34:36 2008 us=230315 enable_c2c = DISABLED
Sat Nov 15 16:34:36 2008 us=230417 duplicate_cn = DISABLED
Sat Nov 15 16:34:36 2008 us=230521 cf_max = 0
Sat Nov 15 16:34:36 2008 us=230623 cf_per = 0
Sat Nov 15 16:34:36 2008 us=230726 max_clients = 1024
Sat Nov 15 16:34:36 2008 us=230832 max_routes_per_client = 256
Sat Nov 15 16:34:36 2008 us=230936 client_cert_not_required = DISABLED
Sat Nov 15 16:34:36 2008 us=231040 username_as_common_name = DISABLED
Sat Nov 15 16:34:36 2008 us=231147 auth_user_pass_verify_script = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=231317 auth_user_pass_verify_script_via_file = DISABLED
Sat Nov 15 16:34:36 2008 us=231425 client = DISABLED
Sat Nov 15 16:34:36 2008 us=231527 pull = DISABLED
Sat Nov 15 16:34:36 2008 us=231630 auth_user_pass_file = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=231742 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007
Sat Nov 15 16:34:36 2008 us=232260 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
Sat Nov 15 16:34:36 2008 us=232487 LZO compression initialized
Sat Nov 15 16:34:36 2008 us=291858 TUN/TAP device tun1 opened
Sat Nov 15 16:34:36 2008 us=292762 TUN/TAP TX queue length set to 100
Sat Nov 15 16:34:36 2008 us=293672 ifconfig tun1 192.168.25.2 pointopoint 192.168.25.1 mtu 1500
Sat Nov 15 16:34:36 2008 us=316511 Data Channel MTU parms [ L:1501 D:1450 EF:1 EB:135 ET:0 EL:0 AF:14/1 ]
Sat Nov 15 16:34:36 2008 us=318237 Local Options String: 'V4,dev-type tun,link-mtu 1501,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.1 192.168.25.2,comp-lzo'
Sat Nov 15 16:34:36 2008 us=318785 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1501,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.2 192.168.25.1,comp-lzo'
Sat Nov 15 16:34:36 2008 us=319679 Local Options hash (VER=V4): '932cd9e7'
Sat Nov 15 16:34:36 2008 us=320671 Expected Remote Options hash (VER=V4): 'c50ab9ee'
Sat Nov 15 16:34:36 2008 us=321508 Socket Buffers: R=[110592->131072] S=[110592->131072]
Sat Nov 15 16:34:36 2008 us=322223 UDPv4 link local (bound): [undef]:8147
Sat Nov 15 16:34:36 2008 us=322935 UDPv4 link remote: 82.127.57.95:8147
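Both logs print a "Local Options String" and an "Expected Remote Options String", and the ''occ = ENABLED'' line means the two ends exchange them and OpenVPN warns when they disagree. The following is an added example, not code from the original page or from OpenVPN: it rebuilds those strings from the two command lines used on this page (the layout is copied from the logs; the "Options hash" values are not reproduced) and shows how a misconfigured peer, such as one started without ''--comp-lzo'' or with the ''--ifconfig'' pair not swapped, is detected before any traffic is trusted. The names ''local_options'', ''expected_remote_options'' and ''occ_check'' are this example's own.

```python
"""Added example (not part of the original page): derive the 'Local Options
String' / 'Expected Remote Options String' pair shown in the OpenVPN logs and
check that two peers agree.  String layout copied from the logs on this page;
OpenVPN's own 'Options hash' is not reproduced."""


def local_options(cfg: dict) -> str:
    """The options string a peer announces about itself.  As the logs show,
    the ifconfig pair is written the way the *other* side sees it:
    remote address first, local address second."""
    local_ip, remote_ip = cfg["ifconfig"]
    parts = [
        "V4",
        "dev-type %s" % cfg["dev_type"],
        "link-mtu %d" % cfg["link_mtu"],
        "tun-mtu %d" % cfg["tun_mtu"],
        "proto %s" % cfg["proto"],
        "ifconfig %s %s" % (remote_ip, local_ip),
    ]
    if cfg["comp_lzo"]:
        parts.append("comp-lzo")
    return ",".join(parts)


def expected_remote_options(cfg: dict) -> str:
    """What this peer expects the other side to announce: the same string
    with the ifconfig pair mirrored, i.e. (local, remote) from our side."""
    local_ip, remote_ip = cfg["ifconfig"]
    mirrored = dict(cfg, ifconfig=(remote_ip, local_ip))
    return local_options(mirrored)


def occ_check(my_cfg: dict, peer_cfg: dict) -> list:
    """Compare what I expect with what the peer actually announces.
    Returns the differing fields; [] means the two ends agree."""
    expected = set(expected_remote_options(my_cfg).split(","))
    announced = set(local_options(peer_cfg).split(","))
    return sorted(expected ^ announced)


# The two command lines from this page, as configuration dicts.
# link-mtu 1501 is taken from the logs (tun-mtu 1500 plus the EF:1 byte).
AARON = dict(dev_type="tun", tun_mtu=1500, link_mtu=1501, proto="UDPv4",
             ifconfig=("192.168.25.1", "192.168.25.2"), comp_lzo=True)
CYCLOPE = dict(AARON, ifconfig=("192.168.25.2", "192.168.25.1"))

if __name__ == "__main__":
    print("AARON announces :", local_options(AARON))
    print("AARON expects   :", expected_remote_options(AARON))
    print("CYCLOPE announces:", local_options(CYCLOPE))
    print("peers agree      :", occ_check(AARON, CYCLOPE) == [])
    # Constructed misconfiguration: CYCLOPE started without --comp-lzo.
    print("mismatch         :", occ_check(AARON, dict(CYCLOPE, comp_lzo=False)))
```

Run as a script it prints the two strings exactly as they appear in AARON's log, confirms that CYCLOPE's announced string is what AARON expects, and lists ''comp-lzo'' as the disagreement for the constructed misconfiguration.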
Checking the virtual interfaces:
cyclope:~# ifconfig
...
ppp0 Link encap:Point-to-Point Protocol
inet addr:80.8.135.67 P-t-P:80.8.128.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:5197 errors:0 dropped:0 overruns:0 frame:0
TX packets:133 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:295907 (288.9 KiB) TX bytes:9499 (9.2 KiB)
tun1 Link encap:Point-to-Point Protocol
inet addr:192.168.25.2 P-t-P:192.168.25.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1299 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Checking the routes:
cyclope:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.25.1 0.0.0.0 255.255.255.255 UH 0 0 0 tun1
...
0.0.0.0 80.8.128.1 0.0.0.0 UG 0 0 0 ppp0
===== Checking the tunnel =====
From CYCLOPE (192.168.25.2), a quick ping to AARON (192.168.25.1):
cyclope:~# ping -c 4 192.168.25.1
PING 192.168.25.1 (192.168.25.1): 56 data bytes
--- 192.168.25.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
cyclope:~#
Ah! It does not work...
**And that is a good sign!**
If it worked, it would mean that both machines are connected to the internet without a firewall, which would be very **__bad!__**
Let us think. On both hosts we have iptables rules along these lines:
iptables -P INPUT DROP
iptables -A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
So "NEW" packets do not get in, which is as expected. Let us add this on each side:
iptables -A INPUT -i ppp0 -p UDP --dport 8147 -j ACCEPT
Remember that OpenVPN uses UDP here and that we set up the tunnel on port 8147.
Second attempt:
cyclope:~# ping -c 4 192.168.25.1
PING 192.168.25.1 (192.168.25.1): 56 data bytes
--- 192.168.25.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
cyclope:~#
That is what happens when you do not think things through... Did we tell the firewall anything about tun1? No? Then it is normal that it still does not work (''iptables -P INPUT DROP'').
iptables -A INPUT -i tun1 -j ACCEPT
iptables -A OUTPUT -o tun1 -j ACCEPT
This is to keep things simple for now; later on it may well be worth refining these filtering rules a little more.
Third attempt:
cyclope:~# ping -c 4 192.168.25.1
PING 192.168.25.1 (192.168.25.1): 56 data bytes
64 bytes from 192.168.25.1: icmp_seq=0 ttl=64 time=89.0 ms
64 bytes from 192.168.25.1: icmp_seq=1 ttl=64 time=65.3 ms
64 bytes from 192.168.25.1: icmp_seq=2 ttl=64 time=71.4 ms
64 bytes from 192.168.25.1: icmp_seq=3 ttl=64 time=74.9 ms
--- 192.168.25.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 65.3/75.1/89.0 ms
cyclope:~#
Good. We got there, and all that for not much, other than having verified that the tunnel works.
Be aware, though, that it could still fail depending on the rules in force on FORWARD.
But let us think a little more...
When we set up the tunnel by launching OpenVPN on each side, we did not actually set anything up, since the firewalls were not letting anything through. Yet it worked anyway once the rules were changed, which shows that OpenVPN copes very well with difficult links.
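The three attempts above come down to one fact: on the receiving host, a ping sent through the tunnel crosses the INPUT chain twice, first as a UDP datagram to port 8147 arriving on ppp0, then, once OpenVPN has decapsulated it, as an ICMP packet arriving on tun1. Here is an added example, not from the original page and not iptables itself, that models the rule sets from this page as a tiny first-match evaluator (connection tracking is reduced to a NEW/ESTABLISHED label on each constructed packet) and replays the three attempts; ''Packet'', ''Rule'', ''input_verdict'' and ''ping_through_tunnel'' are this example's own names.

```python
"""Added example (not part of the original page): a minimal model of the
iptables INPUT chain that explains the three ping attempts.  The rule sets
are the ones from this page; the evaluator and the packets are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    iface: str            # interface the packet arrives on
    proto: str            # "udp", "tcp" or "icmp"
    dport: Optional[int]  # destination port, None for ICMP
    state: str            # conntrack state: "NEW" or "ESTABLISHED"


@dataclass
class Rule:
    """One 'iptables -A INPUT' rule; a None field means 'match anything'."""
    target: str
    iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[set] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.iface is None or self.iface == pkt.iface)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.states is None or pkt.state in self.states))


def input_verdict(rules: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule wins; otherwise the chain policy applies
    (the page uses 'iptables -P INPUT DROP')."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


def ping_through_tunnel(rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """Verdicts for the two INPUT traversals of one echo request sent from
    CYCLOPE to AARON: the outer UDP/8147 datagram on ppp0 (a fresh flow,
    hence NEW), then the decapsulated ICMP packet on tun1."""
    outer = Packet(iface="ppp0", proto="udp", dport=8147, state="NEW")
    inner = Packet(iface="tun1", proto="icmp", dport=None, state="NEW")
    outer_verdict = input_verdict(rules, outer)
    if outer_verdict != "ACCEPT":
        return (outer_verdict, None)  # OpenVPN never sees the datagram
    return (outer_verdict, input_verdict(rules, inner))


# The three rule sets from the page, in the order they were tried.
ATTEMPT_1 = [Rule("ACCEPT", iface="ppp0", states={"RELATED", "ESTABLISHED"})]
ATTEMPT_2 = ATTEMPT_1 + [Rule("ACCEPT", iface="ppp0", proto="udp", dport=8147)]
ATTEMPT_3 = ATTEMPT_2 + [Rule("ACCEPT", iface="tun1")]

if __name__ == "__main__":
    for name, rules in (("first", ATTEMPT_1), ("second", ATTEMPT_2), ("third", ATTEMPT_3)):
        print("%s attempt: (ppp0, tun1) ->" % name, ping_through_tunnel(rules))
```

The first rule set drops the outer datagram at ppp0, so OpenVPN on AARON never receives anything; the second lets the datagram through but the decapsulated ICMP hits the DROP policy on tun1; only the third accepts both, which is what the three ping runs on this page show.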
===== A quick look with a sniffer =====
We are on CYCLOPE. We sniff the ping on tun1:
No. Time Source Destination Protocol Info
1 0.000000 192.168.25.2 192.168.25.1 ICMP Echo (ping) request
2 0.077503 192.168.25.1 192.168.25.2 ICMP Echo (ping) reply
3 1.007802 192.168.25.2 192.168.25.1 ICMP Echo (ping) request
4 1.095914 192.168.25.1 192.168.25.2 ICMP Echo (ping) reply
5 2.018634 192.168.25.2 192.168.25.1 ICMP Echo (ping) request
6 2.083968 192.168.25.1 192.168.25.2 ICMP Echo (ping) reply
7 3.019537 192.168.25.2 192.168.25.1 ICMP Echo (ping) request
8 3.087613 192.168.25.1 192.168.25.2 ICMP Echo (ping) reply
No need to go into detail: we can clearly see ICMP travelling between 192.168.25.1 and 192.168.25.2.
Then we sniff it again on ppp0:
No. Time Source Destination Protocol Info
1 0.000000 80.8.135.67 82.127.57.95 UDP Source port: 8147 Destination port: 8147
2 0.067128 82.127.57.95 80.8.135.67 UDP Source port: 8147 Destination port: 8147
3 1.011132 80.8.135.67 82.127.57.95 UDP Source port: 8147 Destination port: 8147
4 1.074716 82.127.57.95 80.8.135.67 UDP Source port: 8147 Destination port: 8147
5 2.027369 80.8.135.67 82.127.57.95 UDP Source port: 8147 Destination port: 8147
6 2.096456 82.127.57.95 80.8.135.67 UDP Source port: 8147 Destination port: 8147
7 3.041653 80.8.135.67 82.127.57.95 UDP Source port: 8147 Destination port: 8147
8 3.105374 82.127.57.95 80.8.135.67 UDP Source port: 8147 Destination port: 8147
At this level we see only UDP, of course. If we look at one of the frames in detail:
Frame 1 (129 bytes on wire, 129 bytes captured)
Arrival Time: Jun 26, 2004 16:22:50.261813000
Time delta from previous packet: 0.000000000 seconds
Time since reference or first frame: 0.000000000 seconds
Frame Number: 1
Packet Length: 129 bytes
Capture Length: 129 bytes
Linux cooked capture
Packet type: Sent by us (4)
Link-layer address type: 512
Link-layer address length: 0
Source: <MISSING>
Protocol: IP (0x0800)
Internet Protocol, Src Addr: 80.8.135.67, Dst Addr: 82.127.57.95
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 113
Identification: 0x0200 (512)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0xd552 (correct)
Source: 80.8.135.67 (80.8.135.67)
Destination: 82.127.57.95 (82.127.57.95)
User Datagram Protocol, Src Port: 8147 (8147), Dst Port: 8147 (8147)
Source port: 8147 (8147)
Destination port: 8147 (8147)
Length: 93
Checksum: 0x6263 (correct)
Data (85 bytes)
0000 fa 45 00 00 54 00 00 40 00 40 01 87 55 c0 a8 19 .E..T..@.@..U...
0010 02 c0 a8 19 01 08 00 5c 4c ee 0a 00 00 40 dd 86 .......\L....@..
0020 ba 00 03 fb 0a 08 09 0a 0b 0c 0d 0e 0f 10 11 12 ................
0030 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 ............. !"
0040 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 #$%&'()*+,-./012
0050 33 34 35 36 37 34567
and if we know how to decode the transported data, we will find the ICMP packet compressed by LZO. A simple sniff will already not be enough to read the data in transit directly.
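What is actually in that datagram, as an added example that is not part of the original page: the 85 data bytes are copied from "Frame 1" above and decoded offline. With ''--comp-lzo'', OpenVPN 2.0 prefixes each tunnelled packet with one byte, 0xFA for "sent as-is" and 0x66 for "LZO-compressed"; these two marker values are stated from OpenVPN's LZO framing and are flagged as an assumption in the code, and the compressed case is only recognised, not decompressed (that would need an LZO1X decoder). In this frame the marker is 0xFA: the adaptive compressor left the ping alone, so the inner IPv4 and ICMP headers, both checksums and the ping's payload pattern are directly readable on ppp0, which is exactly what the startup WARNING about cleartext meant. The names ''decode_lzo_frame'', ''parse_ipv4'', ''parse_icmp'' and ''inet_checksum'' are this example's own.

```python
"""Added example (not part of the original page): decode the UDP payload of
Frame 1 as captured on ppp0 and check what OpenVPN put on the wire in this
unencrypted configuration."""
import struct

# Assumption (OpenVPN 2.0 comp-lzo framing): first byte of every packet.
NO_COMPRESS = 0xFA    # payload follows verbatim
YES_COMPRESS = 0x66   # payload is LZO1X-compressed (not decoded here)

# Data (85 bytes) from "Frame 1" above, copied from the page's hex dump.
FRAME1_DATA = bytes.fromhex(
    "fa450000540000400040018755c0a819"
    "02c0a8190108005c4cee0a000040dd86"
    "ba0003fb0a08090a0b0c0d0e0f101112"
    "131415161718191a1b1c1d1e1f202122"
    "232425262728292a2b2c2d2e2f303132"
    "3334353637"
)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum.  Over a block that includes its own
    checksum field it returns 0 when that checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(seg: bytes) -> dict:
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", seg[:8])
    payload = seg[8:]
    return {
        "type": typ, "code": code, "id": ident, "seq": seq,
        "checksum_ok": inet_checksum(seg) == 0,
        "payload": payload,
        # printable view, like the right-hand column of the dump
        "ascii": "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in payload),
    }


def parse_ipv4(pkt: bytes) -> dict:
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _hdr_csum) = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "version": ver_ihl >> 4,
        "total_length": total_len,
        "ttl": ttl,
        "protocol": proto,
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        "header_checksum_ok": inet_checksum(pkt[:ihl]) == 0,
    }
    if proto == 1:  # ICMP
        info["icmp"] = parse_icmp(pkt[ihl:total_len])
    return info


def decode_lzo_frame(payload: bytes) -> dict:
    """Strip the comp-lzo marker byte and decode what follows."""
    marker, body = payload[0], payload[1:]
    if marker == YES_COMPRESS:
        return {"compressed": True, "body_length": len(body)}
    if marker != NO_COMPRESS:
        raise ValueError("not an OpenVPN comp-lzo frame: marker 0x%02x" % marker)
    return {"compressed": False, "ip": parse_ipv4(body)}


if __name__ == "__main__":
    result = decode_lzo_frame(FRAME1_DATA)
    ip = result["ip"]
    print("compressed:", result["compressed"])
    print("%s -> %s  proto=%d ttl=%d ip-csum-ok=%s"
          % (ip["src"], ip["dst"], ip["protocol"], ip["ttl"], ip["header_checksum_ok"]))
    icmp = ip["icmp"]
    print("ICMP type=%d code=%d id=0x%04x seq=%d csum-ok=%s"
          % (icmp["type"], icmp["code"], icmp["id"], icmp["seq"], icmp["checksum_ok"]))
    print("payload as text:", icmp["ascii"])
```

Run on the page's frame, this reports an uncompressed IPv4 packet from 192.168.25.2 to 192.168.25.1, protocol 1 (ICMP), TTL 64, a valid header checksum, an echo request (type 8, sequence 0) with a valid ICMP checksum, and a payload whose tail is the usual ping pattern 0x08..0x37, the ''!"#$%&'()*+,-./01234567'' visible in the dump.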
===== First conclusions =====
We have managed to set up a very simple tunnel linking two remote hosts point to point, both connected to the internet.
Inside this tunnel, everything happens as if the two hosts were connected by a serial link, for example with PPP.
We have not joined two networks, just two machines. But if these machines are routers, with a little (more) thought we will find sensible routing rules that let the networks behind those routers talk to each other.
There is no authentication and there is no confidentiality; there is just data compression.
Of course, we will do better, by putting encryption in place.