
Simple OpenVPN

The test platform

Two machines, each with its own internet connection.

One is called AARON; it has a fixed public IP address: 82.127.57.95.

The other is called CYCLOPE and has a dynamic IP address: 80.8.135.67 at the time of this first test.

Both machines run Debian Etch, with a 2.6.24 kernel and OpenVPN version 2.0.9.

aaron:~# apt-get install openvpn
Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
  openvpn
...
Stopping openvpn:.
Starting openvpn:.

The installation script asks you two questions:

While we are at it, let us check that the LZO compression library, which will let us optimise the tunnel's throughput, is present:

aaron:~# dpkg -l | grep lzo
ii  liblzo1        1.08-1         A real-time data compression library
aaron:~#

It is there. If not, an apt-get install liblzo1 will fix that.

Since we have no OpenVPN configuration yet, even though the installation printed:

Starting openvpn:.

nothing actually started. For now we keep things simple: we are going to bring up a tunnel "by hand", just to see.

Starting the server

On AARON, which has a fixed IP address, we start the server:

aaron:~# openvpn --port 8147 --dev tun1 --ifconfig 192.168.25.1 192.168.25.2 --comp-lzo --verb 5

A few words of explanation about this command line:

Sat Nov 15 16:12:35 2008 us=919505 Current Parameter Settings:
Sat Nov 15 16:12:35 2008 us=920394   config = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=920759   mode = 0
Sat Nov 15 16:12:35 2008 us=920997   persist_config = DISABLED
Sat Nov 15 16:12:35 2008 us=921227   persist_mode = 1
Sat Nov 15 16:12:35 2008 us=921453   show_ciphers = DISABLED
Sat Nov 15 16:12:35 2008 us=921679   show_digests = DISABLED
Sat Nov 15 16:12:35 2008 us=921905   show_engines = DISABLED
Sat Nov 15 16:12:35 2008 us=922131   genkey = DISABLED
Sat Nov 15 16:12:35 2008 us=922360   key_pass_file = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=922590   show_tls_ciphers = DISABLED
Sat Nov 15 16:12:35 2008 us=922822   proto = 0
Sat Nov 15 16:12:35 2008 us=923050   local = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=923275   remote_list = NULL
Sat Nov 15 16:12:35 2008 us=923503   remote_random = DISABLED
Sat Nov 15 16:12:35 2008 us=923733   local_port = 8147
Sat Nov 15 16:12:35 2008 us=923960   remote_port = 8147
Sat Nov 15 16:12:35 2008 us=924193   remote_float = DISABLED
Sat Nov 15 16:12:35 2008 us=924456   ipchange = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=924739   bind_local = ENABLED
Sat Nov 15 16:12:35 2008 us=924967   dev = 'tun1'
Sat Nov 15 16:12:35 2008 us=925195   dev_type = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=925422   dev_node = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=925649   tun_ipv6 = DISABLED
Sat Nov 15 16:12:35 2008 us=925875   ifconfig_local = '192.168.25.1'
Sat Nov 15 16:12:35 2008 us=926181   ifconfig_remote_netmask = '192.168.25.2'
Sat Nov 15 16:12:35 2008 us=926417   ifconfig_noexec = DISABLED
Sat Nov 15 16:12:35 2008 us=926646   ifconfig_nowarn = DISABLED
Sat Nov 15 16:12:35 2008 us=926876   shaper = 0
Sat Nov 15 16:12:35 2008 us=927103   tun_mtu = 1500
Sat Nov 15 16:12:35 2008 us=927328   tun_mtu_defined = ENABLED
Sat Nov 15 16:12:35 2008 us=927565   link_mtu = 1500
Sat Nov 15 16:12:35 2008 us=927764   link_mtu_defined = DISABLED
Sat Nov 15 16:12:35 2008 us=927967   tun_mtu_extra = 0
Sat Nov 15 16:12:35 2008 us=928166   tun_mtu_extra_defined = DISABLED
Sat Nov 15 16:12:35 2008 us=928368   fragment = 0
Sat Nov 15 16:12:35 2008 us=928568   mtu_discover_type = -1
Sat Nov 15 16:12:35 2008 us=928812   mtu_test = 0
Sat Nov 15 16:12:35 2008 us=929010   mlock = DISABLED
Sat Nov 15 16:12:35 2008 us=929211   keepalive_ping = 0
Sat Nov 15 16:12:35 2008 us=929411   keepalive_timeout = 0
Sat Nov 15 16:12:35 2008 us=929612   inactivity_timeout = 0
Sat Nov 15 16:12:35 2008 us=929811   ping_send_timeout = 0
Sat Nov 15 16:12:35 2008 us=930010   ping_rec_timeout = 0
Sat Nov 15 16:12:35 2008 us=930209   ping_rec_timeout_action = 0
Sat Nov 15 16:12:35 2008 us=930409   ping_timer_remote = DISABLED
Sat Nov 15 16:12:35 2008 us=930612   remap_sigusr1 = 0
Sat Nov 15 16:12:35 2008 us=930812   explicit_exit_notification = 0
Sat Nov 15 16:12:35 2008 us=931012   persist_tun = DISABLED
Sat Nov 15 16:12:35 2008 us=931211   persist_local_ip = DISABLED
Sat Nov 15 16:12:35 2008 us=931413   persist_remote_ip = DISABLED
Sat Nov 15 16:12:35 2008 us=931615   persist_key = DISABLED
Sat Nov 15 16:12:35 2008 us=931815   mssfix = 1450
Sat Nov 15 16:12:35 2008 us=932014   passtos = DISABLED
Sat Nov 15 16:12:35 2008 us=932216   resolve_retry_seconds = 1000000000
Sat Nov 15 16:12:35 2008 us=932418   connect_retry_seconds = 5
Sat Nov 15 16:12:35 2008 us=932659   username = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=932859   groupname = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=933059   chroot_dir = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=933257   cd_dir = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=933457   writepid = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=933657   up_script = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=933857   down_script = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=934055   down_pre = DISABLED
Sat Nov 15 16:12:35 2008 us=934254   up_restart = DISABLED
Sat Nov 15 16:12:35 2008 us=934453   up_delay = DISABLED
Sat Nov 15 16:12:35 2008 us=934652   daemon = DISABLED
Sat Nov 15 16:12:35 2008 us=934852   inetd = 0
Sat Nov 15 16:12:35 2008 us=935050   log = DISABLED
Sat Nov 15 16:12:35 2008 us=935250   suppress_timestamps = DISABLED
Sat Nov 15 16:12:35 2008 us=935451   nice = 0
Sat Nov 15 16:12:35 2008 us=935650   verbosity = 5
Sat Nov 15 16:12:35 2008 us=935974   mute = 0
Sat Nov 15 16:12:35 2008 us=936179   gremlin = 0
Sat Nov 15 16:12:35 2008 us=936379   status_file = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=936620   status_file_version = 1
Sat Nov 15 16:12:35 2008 us=936822   status_file_update_freq = 60
Sat Nov 15 16:12:35 2008 us=937022   occ = ENABLED
Sat Nov 15 16:12:35 2008 us=937223   rcvbuf = 65536
Sat Nov 15 16:12:35 2008 us=937422   sndbuf = 65536
Sat Nov 15 16:12:35 2008 us=937622   socks_proxy_server = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=937825   socks_proxy_port = 0
Sat Nov 15 16:12:35 2008 us=938024   socks_proxy_retry = DISABLED
Sat Nov 15 16:12:35 2008 us=938263   fast_io = DISABLED
Sat Nov 15 16:12:35 2008 us=938466   comp_lzo = ENABLED
Sat Nov 15 16:12:35 2008 us=938667   comp_lzo_adaptive = ENABLED
Sat Nov 15 16:12:35 2008 us=938869   route_script = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=939071   route_default_gateway = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=939272   route_noexec = DISABLED
Sat Nov 15 16:12:35 2008 us=939471   route_delay = 0
Sat Nov 15 16:12:35 2008 us=939670   route_delay_window = 30
Sat Nov 15 16:12:35 2008 us=939868   route_delay_defined = DISABLED
Sat Nov 15 16:12:35 2008 us=940070   management_addr = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=940274   management_port = 0
Sat Nov 15 16:12:35 2008 us=940473   management_user_pass = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=940717   management_log_history_cache = 250
Sat Nov 15 16:12:35 2008 us=940919   management_echo_buffer_size = 100
Sat Nov 15 16:12:35 2008 us=941120   management_query_passwords = DISABLED
Sat Nov 15 16:12:35 2008 us=941321   management_hold = DISABLED
Sat Nov 15 16:12:35 2008 us=941524   shared_secret_file = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=941727   key_direction = 0
Sat Nov 15 16:12:35 2008 us=941928   ciphername_defined = ENABLED
Sat Nov 15 16:12:35 2008 us=942132   ciphername = 'BF-CBC'
Sat Nov 15 16:12:35 2008 us=942333   authname_defined = ENABLED
Sat Nov 15 16:12:35 2008 us=942535   authname = 'SHA1'
Sat Nov 15 16:12:35 2008 us=942736   keysize = 0
Sat Nov 15 16:12:35 2008 us=942936   engine = DISABLED
Sat Nov 15 16:12:35 2008 us=943136   replay = ENABLED
Sat Nov 15 16:12:35 2008 us=943337   mute_replay_warnings = DISABLED
Sat Nov 15 16:12:35 2008 us=943541   replay_window = 64
Sat Nov 15 16:12:35 2008 us=943741   replay_time = 15
Sat Nov 15 16:12:35 2008 us=943941   packet_id_file = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=944143   use_iv = ENABLED
Sat Nov 15 16:12:35 2008 us=944344   test_crypto = DISABLED
Sat Nov 15 16:12:35 2008 us=944905   tls_server = DISABLED
Sat Nov 15 16:12:35 2008 us=945125   tls_client = DISABLED
Sat Nov 15 16:12:35 2008 us=945326   key_method = 2
Sat Nov 15 16:12:35 2008 us=945525   ca_file = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=945725   dh_file = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=945925   cert_file = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=946125   priv_key_file = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=946328   pkcs12_file = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=946528   cipher_list = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=946766   tls_verify = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=946970   tls_remote = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=947172   crl_file = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=947375   ns_cert_type = 0
Sat Nov 15 16:12:35 2008 us=947577   tls_timeout = 2
Sat Nov 15 16:12:35 2008 us=947779   renegotiate_bytes = 0
Sat Nov 15 16:12:35 2008 us=947981   renegotiate_packets = 0
Sat Nov 15 16:12:35 2008 us=948183   renegotiate_seconds = 3600
Sat Nov 15 16:12:35 2008 us=948388   handshake_window = 60
Sat Nov 15 16:12:35 2008 us=948627   transition_window = 3600
Sat Nov 15 16:12:35 2008 us=948830   single_session = DISABLED
Sat Nov 15 16:12:35 2008 us=949035   tls_exit = DISABLED
Sat Nov 15 16:12:35 2008 us=949236   tls_auth_file = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=949522   server_network = 0.0.0.0
Sat Nov 15 16:12:35 2008 us=949737   server_netmask = 0.0.0.0
Sat Nov 15 16:12:35 2008 us=949949   server_bridge_ip = 0.0.0.0
Sat Nov 15 16:12:35 2008 us=950160   server_bridge_netmask = 0.0.0.0
Sat Nov 15 16:12:35 2008 us=950371   server_bridge_pool_start = 0.0.0.0
Sat Nov 15 16:12:35 2008 us=950582   server_bridge_pool_end = 0.0.0.0
Sat Nov 15 16:12:35 2008 us=950785   ifconfig_pool_defined = DISABLED
Sat Nov 15 16:12:35 2008 us=950998   ifconfig_pool_start = 0.0.0.0
Sat Nov 15 16:12:35 2008 us=951209   ifconfig_pool_end = 0.0.0.0
Sat Nov 15 16:12:35 2008 us=951419   ifconfig_pool_netmask = 0.0.0.0
Sat Nov 15 16:12:35 2008 us=951622   ifconfig_pool_persist_filename = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=951829   ifconfig_pool_persist_refresh_freq = 600
Sat Nov 15 16:12:35 2008 us=952034   ifconfig_pool_linear = DISABLED
Sat Nov 15 16:12:35 2008 us=952238   n_bcast_buf = 256
Sat Nov 15 16:12:35 2008 us=952440   tcp_queue_limit = 64
Sat Nov 15 16:12:35 2008 us=952681   real_hash_size = 256
Sat Nov 15 16:12:35 2008 us=952882   virtual_hash_size = 256
Sat Nov 15 16:12:35 2008 us=953082   client_connect_script = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=953285   learn_address_script = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=953489   client_disconnect_script = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=953693   client_config_dir = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=953896   ccd_exclusive = DISABLED
Sat Nov 15 16:12:35 2008 us=954097   tmp_dir = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=954297   push_ifconfig_defined = DISABLED
Sat Nov 15 16:12:35 2008 us=954509   push_ifconfig_local = 0.0.0.0
Sat Nov 15 16:12:35 2008 us=954759   push_ifconfig_remote_netmask = 0.0.0.0
Sat Nov 15 16:12:35 2008 us=954965   enable_c2c = DISABLED
Sat Nov 15 16:12:35 2008 us=955165   duplicate_cn = DISABLED
Sat Nov 15 16:12:35 2008 us=955365   cf_max = 0
Sat Nov 15 16:12:35 2008 us=955565   cf_per = 0
Sat Nov 15 16:12:35 2008 us=955767   max_clients = 1024
Sat Nov 15 16:12:35 2008 us=955968   max_routes_per_client = 256
Sat Nov 15 16:12:35 2008 us=956170   client_cert_not_required = DISABLED
Sat Nov 15 16:12:35 2008 us=956372   username_as_common_name = DISABLED
Sat Nov 15 16:12:35 2008 us=956614   auth_user_pass_verify_script = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=956823   auth_user_pass_verify_script_via_file = DISABLED
Sat Nov 15 16:12:35 2008 us=957028   client = DISABLED
Sat Nov 15 16:12:35 2008 us=957228   pull = DISABLED
Sat Nov 15 16:12:35 2008 us=957431   auth_user_pass_file = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=957639 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007
Sat Nov 15 16:12:35 2008 us=958082 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
Sat Nov 15 16:12:35 2008 us=958372 LZO compression initialized
Sat Nov 15 16:12:36 2008 us=8893 TUN/TAP device tun1 opened
Sat Nov 15 16:12:36 2008 us=9719 TUN/TAP TX queue length set to 100
Sat Nov 15 16:12:36 2008 us=10023 ifconfig tun1 192.168.25.1 pointopoint 192.168.25.2 mtu 1500
Sat Nov 15 16:12:36 2008 us=24915 Data Channel MTU parms [ L:1501 D:1450 EF:1 EB:135 ET:0 EL:0 AF:14/1 ]
Sat Nov 15 16:12:36 2008 us=25336 Local Options String: 'V4,dev-type tun,link-mtu 1501,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.2 192.168.25.1,comp-lzo'
Sat Nov 15 16:12:36 2008 us=25547 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1501,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.1 192.168.25.2,comp-lzo'
Sat Nov 15 16:12:36 2008 us=25855 Local Options hash (VER=V4): 'c50ab9ee'
Sat Nov 15 16:12:36 2008 us=26106 Expected Remote Options hash (VER=V4): '932cd9e7'
Sat Nov 15 16:12:36 2008 us=26394 Socket Buffers: R=[110592->131072] S=[110592->131072]
Sat Nov 15 16:12:36 2008 us=26622 UDPv4 link local (bound): [undef]:8147
Sat Nov 15 16:12:36 2008 us=26822 UDPv4 link remote: [undef]

All this is only meant to show that we are far from using every parameter OpenVPN offers. The goal remains to reach a secure solution as quickly as possible, rather than to explore everything OpenVPN can do. Still, it is worth reading the listing above with some attention: it gives a good idea of everything OpenVPN is capable of.

The highlighted entries in this listing are the main options set by the command line: local_port = 8147, dev = 'tun1', ifconfig_local = '192.168.25.1', ifconfig_remote_netmask = '192.168.25.2', comp_lzo = ENABLED and verbosity = 5.

Checks:

aaron:~# ifconfig
...
ppp0      Link encap:Point-to-Point Protocol
          inet addr:82.127.57.95  P-t-P:193.253.160.3  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:342756 errors:0 dropped:0 overruns:0 frame:0
          TX packets:290200 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:426707207 (406.9 MiB)  TX bytes:26657415 (25.4 MiB)

tun1      Lien encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet adr:192.168.25.1  P-t-P:192.168.25.2  Masque:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:100 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

aaron:~#

Besides ppp0, which is the internet connection, we now have a tun1 interface that also appears as a point-to-point link between 192.168.25.1 (local) and 192.168.25.2 (remote).

aaron:~# route -n
Table de routage IP du noyau
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.25.2    0.0.0.0         255.255.255.255 UH    0      0        0 tun1
...
0.0.0.0         193.253.160.3   0.0.0.0         UG    0      0        0 ppp0
aaron:~#

and we do have the route to 192.168.25.2 going through tun1.

Starting the client

On CYCLOPE, we do something very similar:

cyclope:~# openvpn --remote 82.127.57.95 --port 8147 --dev tun1 --ifconfig 192.168.25.2 192.168.25.1 --comp-lzo --verb 5

Note that here, since we are the client, we also give the remote IP address that carries the tunnel (--remote 82.127.57.95).

Sat Nov 15 16:34:36 2008 us=173490 Current Parameter Settings:
Sat Nov 15 16:34:36 2008 us=174921   config = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=175726   mode = 0
Sat Nov 15 16:34:36 2008 us=176424   persist_config = DISABLED
Sat Nov 15 16:34:36 2008 us=177123   persist_mode = 1
Sat Nov 15 16:34:36 2008 us=177812   show_ciphers = DISABLED
Sat Nov 15 16:34:36 2008 us=178498   show_digests = DISABLED
Sat Nov 15 16:34:36 2008 us=179278   show_engines = DISABLED
Sat Nov 15 16:34:36 2008 us=179941   genkey = DISABLED
Sat Nov 15 16:34:36 2008 us=180637   key_pass_file = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=181333   show_tls_ciphers = DISABLED
Sat Nov 15 16:34:36 2008 us=182030   proto = 0
Sat Nov 15 16:34:36 2008 us=182719   local = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=183491   remote_list[0] = {'82.127.57.95', 8147}
Sat Nov 15 16:34:36 2008 us=184189   remote_random = DISABLED
Sat Nov 15 16:34:36 2008 us=184887   local_port = 8147
Sat Nov 15 16:34:36 2008 us=185581   remote_port = 8147
Sat Nov 15 16:34:36 2008 us=186272   remote_float = DISABLED
Sat Nov 15 16:34:36 2008 us=186962   ipchange = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=187543   bind_local = ENABLED
Sat Nov 15 16:34:36 2008 us=188219   dev = 'tun1'
Sat Nov 15 16:34:36 2008 us=188918   dev_type = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=189610   dev_node = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=190298   tun_ipv6 = DISABLED
Sat Nov 15 16:34:36 2008 us=190814   ifconfig_local = '192.168.25.2'
Sat Nov 15 16:34:36 2008 us=191576   ifconfig_remote_netmask = '192.168.25.1'
Sat Nov 15 16:34:36 2008 us=192110   ifconfig_noexec = DISABLED
Sat Nov 15 16:34:36 2008 us=192626   ifconfig_nowarn = DISABLED
Sat Nov 15 16:34:36 2008 us=193144   shaper = 0
Sat Nov 15 16:34:36 2008 us=193524   tun_mtu = 1500
Sat Nov 15 16:34:36 2008 us=194325   tun_mtu_defined = ENABLED
Sat Nov 15 16:34:36 2008 us=195256   link_mtu = 1500
Sat Nov 15 16:34:36 2008 us=195933   link_mtu_defined = DISABLED
Sat Nov 15 16:34:36 2008 us=196634   tun_mtu_extra = 0
Sat Nov 15 16:34:36 2008 us=197319   tun_mtu_extra_defined = DISABLED
Sat Nov 15 16:34:36 2008 us=198018   fragment = 0
Sat Nov 15 16:34:36 2008 us=198173   mtu_discover_type = -1
Sat Nov 15 16:34:36 2008 us=198277   mtu_test = 0
Sat Nov 15 16:34:36 2008 us=198565   mlock = DISABLED
Sat Nov 15 16:34:36 2008 us=198674   keepalive_ping = 0
Sat Nov 15 16:34:36 2008 us=198777   keepalive_timeout = 0
Sat Nov 15 16:34:36 2008 us=198879   inactivity_timeout = 0
Sat Nov 15 16:34:36 2008 us=198980   ping_send_timeout = 0
Sat Nov 15 16:34:36 2008 us=199082   ping_rec_timeout = 0
Sat Nov 15 16:34:36 2008 us=199240   ping_rec_timeout_action = 0
Sat Nov 15 16:34:36 2008 us=199351   ping_timer_remote = DISABLED
Sat Nov 15 16:34:36 2008 us=199454   remap_sigusr1 = 0
Sat Nov 15 16:34:36 2008 us=199556   explicit_exit_notification = 0
Sat Nov 15 16:34:36 2008 us=199657   persist_tun = DISABLED
Sat Nov 15 16:34:36 2008 us=199758   persist_local_ip = DISABLED
Sat Nov 15 16:34:36 2008 us=199861   persist_remote_ip = DISABLED
Sat Nov 15 16:34:36 2008 us=199963   persist_key = DISABLED
Sat Nov 15 16:34:36 2008 us=200065   mssfix = 1450
Sat Nov 15 16:34:36 2008 us=200164   passtos = DISABLED
Sat Nov 15 16:34:36 2008 us=200268   resolve_retry_seconds = 1000000000
Sat Nov 15 16:34:36 2008 us=200371   connect_retry_seconds = 5
Sat Nov 15 16:34:36 2008 us=200472   username = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=200574   groupname = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=200676   chroot_dir = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=200777   cd_dir = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=200879   writepid = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=201342   up_script = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=201449   down_script = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=201552   down_pre = DISABLED
Sat Nov 15 16:34:36 2008 us=201653   up_restart = DISABLED
Sat Nov 15 16:34:36 2008 us=201754   up_delay = DISABLED
Sat Nov 15 16:34:36 2008 us=201854   daemon = DISABLED
Sat Nov 15 16:34:36 2008 us=201956   inetd = 0
Sat Nov 15 16:34:36 2008 us=202055   log = DISABLED
Sat Nov 15 16:34:36 2008 us=202187   suppress_timestamps = DISABLED
Sat Nov 15 16:34:36 2008 us=202293   nice = 0
Sat Nov 15 16:34:36 2008 us=202395   verbosity = 5
Sat Nov 15 16:34:36 2008 us=202495   mute = 0
Sat Nov 15 16:34:36 2008 us=202594   gremlin = 0
Sat Nov 15 16:34:36 2008 us=202694   status_file = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=202797   status_file_version = 1
Sat Nov 15 16:34:36 2008 us=202899   status_file_update_freq = 60
Sat Nov 15 16:34:36 2008 us=202998   occ = ENABLED
Sat Nov 15 16:34:36 2008 us=203099   rcvbuf = 65536
Sat Nov 15 16:34:36 2008 us=203257   sndbuf = 65536
Sat Nov 15 16:34:36 2008 us=203364   socks_proxy_server = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=203467   socks_proxy_port = 0
Sat Nov 15 16:34:36 2008 us=203567   socks_proxy_retry = DISABLED
Sat Nov 15 16:34:36 2008 us=203668   fast_io = DISABLED
Sat Nov 15 16:34:36 2008 us=203768   comp_lzo = ENABLED
Sat Nov 15 16:34:36 2008 us=203870   comp_lzo_adaptive = ENABLED
Sat Nov 15 16:34:36 2008 us=203972   route_script = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=204075   route_default_gateway = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=204178   route_noexec = DISABLED
Sat Nov 15 16:34:36 2008 us=204280   route_delay = 0
Sat Nov 15 16:34:36 2008 us=204381   route_delay_window = 30
Sat Nov 15 16:34:36 2008 us=204482   route_delay_defined = DISABLED
Sat Nov 15 16:34:36 2008 us=204584   management_addr = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=204687   management_port = 0
Sat Nov 15 16:34:36 2008 us=204787   management_user_pass = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=204892   management_log_history_cache = 250
Sat Nov 15 16:34:36 2008 us=204995   management_echo_buffer_size = 100
Sat Nov 15 16:34:36 2008 us=205096   management_query_passwords = DISABLED
Sat Nov 15 16:34:36 2008 us=205198   management_hold = DISABLED
Sat Nov 15 16:34:36 2008 us=205301   shared_secret_file = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=205406   key_direction = 0
Sat Nov 15 16:34:36 2008 us=205511   ciphername_defined = ENABLED
Sat Nov 15 16:34:36 2008 us=205617   ciphername = 'BF-CBC'
Sat Nov 15 16:34:36 2008 us=207738   authname_defined = ENABLED
Sat Nov 15 16:34:36 2008 us=208446   authname = 'SHA1'
Sat Nov 15 16:34:36 2008 us=208797   keysize = 0
Sat Nov 15 16:34:36 2008 us=209136   engine = DISABLED
Sat Nov 15 16:34:36 2008 us=209596   replay = ENABLED
Sat Nov 15 16:34:36 2008 us=209938   mute_replay_warnings = DISABLED
Sat Nov 15 16:34:36 2008 us=210281   replay_window = 64
Sat Nov 15 16:34:36 2008 us=211657   replay_time = 15
Sat Nov 15 16:34:36 2008 us=212493   packet_id_file = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=213188   use_iv = ENABLED
Sat Nov 15 16:34:36 2008 us=213880   test_crypto = DISABLED
Sat Nov 15 16:34:36 2008 us=214576   tls_server = DISABLED
Sat Nov 15 16:34:36 2008 us=215350   tls_client = DISABLED
Sat Nov 15 16:34:36 2008 us=216024   key_method = 2
Sat Nov 15 16:34:36 2008 us=216707   ca_file = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=217400   dh_file = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=218080   cert_file = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=218775   priv_key_file = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=219533   pkcs12_file = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=220223   cipher_list = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=220918   tls_verify = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=221613   tls_remote = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=222309   crl_file = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=223007   ns_cert_type = 0
Sat Nov 15 16:34:36 2008 us=223760   tls_timeout = 2
Sat Nov 15 16:34:36 2008 us=224460   renegotiate_bytes = 0
Sat Nov 15 16:34:36 2008 us=225159   renegotiate_packets = 0
Sat Nov 15 16:34:36 2008 us=225858   renegotiate_seconds = 3600
Sat Nov 15 16:34:36 2008 us=226428   handshake_window = 60
Sat Nov 15 16:34:36 2008 us=226544   transition_window = 3600
Sat Nov 15 16:34:36 2008 us=226648   single_session = DISABLED
Sat Nov 15 16:34:36 2008 us=226753   tls_exit = DISABLED
Sat Nov 15 16:34:36 2008 us=226858   tls_auth_file = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=227094   server_network = 0.0.0.0
Sat Nov 15 16:34:36 2008 us=227279   server_netmask = 0.0.0.0
Sat Nov 15 16:34:36 2008 us=227402   server_bridge_ip = 0.0.0.0
Sat Nov 15 16:34:36 2008 us=227522   server_bridge_netmask = 0.0.0.0
Sat Nov 15 16:34:36 2008 us=227675   server_bridge_pool_start = 0.0.0.0
Sat Nov 15 16:34:36 2008 us=227795   server_bridge_pool_end = 0.0.0.0
Sat Nov 15 16:34:36 2008 us=227902   ifconfig_pool_defined = DISABLED
Sat Nov 15 16:34:36 2008 us=228204   ifconfig_pool_start = 0.0.0.0
Sat Nov 15 16:34:36 2008 us=228332   ifconfig_pool_end = 0.0.0.0
Sat Nov 15 16:34:36 2008 us=228450   ifconfig_pool_netmask = 0.0.0.0
Sat Nov 15 16:34:36 2008 us=228592   ifconfig_pool_persist_filename = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=228713   ifconfig_pool_persist_refresh_freq = 600
Sat Nov 15 16:34:36 2008 us=228819   ifconfig_pool_linear = DISABLED
Sat Nov 15 16:34:36 2008 us=228926   n_bcast_buf = 256
Sat Nov 15 16:34:36 2008 us=229032   tcp_queue_limit = 64
Sat Nov 15 16:34:36 2008 us=229135   real_hash_size = 256
Sat Nov 15 16:34:36 2008 us=229240   virtual_hash_size = 256
Sat Nov 15 16:34:36 2008 us=229344   client_connect_script = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=229450   learn_address_script = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=229556   client_disconnect_script = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=229663   client_config_dir = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=229767   ccd_exclusive = DISABLED
Sat Nov 15 16:34:36 2008 us=229870   tmp_dir = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=229972   push_ifconfig_defined = DISABLED
Sat Nov 15 16:34:36 2008 us=230091   push_ifconfig_local = 0.0.0.0
Sat Nov 15 16:34:36 2008 us=230210   push_ifconfig_remote_netmask = 0.0.0.0
Sat Nov 15 16:34:36 2008 us=230315   enable_c2c = DISABLED
Sat Nov 15 16:34:36 2008 us=230417   duplicate_cn = DISABLED
Sat Nov 15 16:34:36 2008 us=230521   cf_max = 0
Sat Nov 15 16:34:36 2008 us=230623   cf_per = 0
Sat Nov 15 16:34:36 2008 us=230726   max_clients = 1024
Sat Nov 15 16:34:36 2008 us=230832   max_routes_per_client = 256
Sat Nov 15 16:34:36 2008 us=230936   client_cert_not_required = DISABLED
Sat Nov 15 16:34:36 2008 us=231040   username_as_common_name = DISABLED
Sat Nov 15 16:34:36 2008 us=231147   auth_user_pass_verify_script = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=231317   auth_user_pass_verify_script_via_file = DISABLED
Sat Nov 15 16:34:36 2008 us=231425   client = DISABLED
Sat Nov 15 16:34:36 2008 us=231527   pull = DISABLED
Sat Nov 15 16:34:36 2008 us=231630   auth_user_pass_file = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=231742 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007
Sat Nov 15 16:34:36 2008 us=232260 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
Sat Nov 15 16:34:36 2008 us=232487 LZO compression initialized
Sat Nov 15 16:34:36 2008 us=291858 TUN/TAP device tun1 opened
Sat Nov 15 16:34:36 2008 us=292762 TUN/TAP TX queue length set to 100
Sat Nov 15 16:34:36 2008 us=293672 ifconfig tun1 192.168.25.2 pointopoint 192.168.25.1 mtu 1500
Sat Nov 15 16:34:36 2008 us=316511 Data Channel MTU parms [ L:1501 D:1450 EF:1 EB:135 ET:0 EL:0 AF:14/1 ]
Sat Nov 15 16:34:36 2008 us=318237 Local Options String: 'V4,dev-type tun,link-mtu 1501,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.1 192.168.25.2,comp-lzo'
Sat Nov 15 16:34:36 2008 us=318785 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1501,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.2 192.168.25.1,comp-lzo'
Sat Nov 15 16:34:36 2008 us=319679 Local Options hash (VER=V4): '932cd9e7'
Sat Nov 15 16:34:36 2008 us=320671 Expected Remote Options hash (VER=V4): 'c50ab9ee'
Sat Nov 15 16:34:36 2008 us=321508 Socket Buffers: R=[110592->131072] S=[110592->131072]
Sat Nov 15 16:34:36 2008 us=322223 UDPv4 link local (bound): [undef]:8147
Sat Nov 15 16:34:36 2008 us=322935 UDPv4 link remote: 82.127.57.95:8147

Checking the virtual interfaces:

cyclope:~# ifconfig
...
ppp0      Link encap:Point-to-Point Protocol
          inet addr:80.8.135.67  P-t-P:80.8.128.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:5197 errors:0 dropped:0 overruns:0 frame:0
          TX packets:133 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:295907 (288.9 KiB)  TX bytes:9499 (9.2 KiB)

tun1      Link encap:Point-to-Point Protocol
          inet addr:192.168.25.2  P-t-P:192.168.25.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1299  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Checking the routes:

cyclope:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.25.1    0.0.0.0         255.255.255.255 UH    0      0        0 tun1
...
0.0.0.0         80.8.128.1      0.0.0.0         UG    0      0        0 ppp0

Testing the tunnel

From CYCLOPE (192.168.25.2), a quick ping to AARON (192.168.25.1):

cyclope:~# ping -c 4 192.168.25.1
PING 192.168.25.1 (192.168.25.1): 56 data bytes

--- 192.168.25.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
cyclope:~#

Ah! It doesn't work…

And that is a good sign!

If it had worked, it would mean that both machines are connected to the internet without a firewall, which would be very bad!

Let's think. On both hosts we have iptables rules along the lines of:

iptables -P INPUT DROP
iptables -A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT

So "NEW" packets do not get in, which is expected. Let's add this on each side:

iptables -A INPUT -i ppp0 -p UDP --dport 8147 -j ACCEPT

Remember that OpenVPN uses UDP here and that we set the tunnel up on port 8147.

Second attempt:

cyclope:~# ping -c 4 192.168.25.1
PING 192.168.25.1 (192.168.25.1): 56 data bytes

--- 192.168.25.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
cyclope:~#

That is what happens when you do not think hard enough… Did we tell the firewall anything about tun1? No? Then it is normal that it still does not work (iptables -P INPUT DROP).

iptables -A INPUT -i tun1 -j ACCEPT
iptables -A OUTPUT -o tun1 -j ACCEPT

This keeps us out of trouble for now, but later on it will probably be a good idea to refine these filtering rules a little.

Third attempt:

cyclope:~# ping -c 4 192.168.25.1
PING 192.168.25.1 (192.168.25.1): 56 data bytes
64 bytes from 192.168.25.1: icmp_seq=0 ttl=64 time=89.0 ms
64 bytes from 192.168.25.1: icmp_seq=1 ttl=64 time=65.3 ms
64 bytes from 192.168.25.1: icmp_seq=2 ttl=64 time=71.4 ms
64 bytes from 192.168.25.1: icmp_seq=3 ttl=64 time=74.9 ms

--- 192.168.25.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 65.3/75.1/89.0 ms
cyclope:~#

Good. We got there, and all that for not much, except that we have verified that the tunnel works.

Note, though, that it could still fail depending on the rules in force on the FORWARD chain.

But let's think a little more…

When we set up the tunnel by launching OpenVPN on each side, we did not actually set anything up, since the firewalls were not letting the traffic through. Yet it worked anyway once the rules were changed, which shows that OpenVPN copes very well with difficult links.
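As an added example (not code from the original article), the following Python reads the two --verb 5 dumps above the way this text does: it checks whether the data channel is protected at all (the cleartext WARNING both sides print), checks that the two sides' "Local" and "Expected Remote" option strings mirror each other, and derives the three iptables rules this section ended up adding. The abridged log excerpts are constructed from the listings above.

```python
"""Audit of the '--verb 5' dumps above (added example, not the article's code):
is the data channel protected, do the OCC option strings of the two sides
mirror each other, and which iptables rules does the chosen port/device imply."""
import re

# Constructed, abridged excerpts of the AARON (server) and CYCLOPE (client) dumps.
SERVER_LOG = """\
Sat Nov 15 16:12:35 2008 us=922822   proto = 0
Sat Nov 15 16:12:35 2008 us=923733   local_port = 8147
Sat Nov 15 16:12:35 2008 us=924967   dev = 'tun1'
Sat Nov 15 16:12:35 2008 us=925875   ifconfig_local = '192.168.25.1'
Sat Nov 15 16:12:35 2008 us=926181   ifconfig_remote_netmask = '192.168.25.2'
Sat Nov 15 16:12:35 2008 us=941524   shared_secret_file = '[UNDEF]'
Sat Nov 15 16:12:35 2008 us=944905   tls_server = DISABLED
Sat Nov 15 16:12:35 2008 us=945125   tls_client = DISABLED
Sat Nov 15 16:12:35 2008 us=958082 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
Sat Nov 15 16:12:36 2008 us=25336 Local Options String: 'V4,dev-type tun,link-mtu 1501,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.2 192.168.25.1,comp-lzo'
Sat Nov 15 16:12:36 2008 us=25547 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1501,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.1 192.168.25.2,comp-lzo'
"""
CLIENT_LOG = """\
Sat Nov 15 16:34:36 2008 us=183491   remote_list[0] = {'82.127.57.95', 8147}
Sat Nov 15 16:34:36 2008 us=184887   local_port = 8147
Sat Nov 15 16:34:36 2008 us=188219   dev = 'tun1'
Sat Nov 15 16:34:36 2008 us=205301   shared_secret_file = '[UNDEF]'
Sat Nov 15 16:34:36 2008 us=214576   tls_server = DISABLED
Sat Nov 15 16:34:36 2008 us=215350   tls_client = DISABLED
Sat Nov 15 16:34:36 2008 us=318237 Local Options String: 'V4,dev-type tun,link-mtu 1501,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.1 192.168.25.2,comp-lzo'
Sat Nov 15 16:34:36 2008 us=318785 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1501,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.2 192.168.25.1,comp-lzo'
"""

PARAM_RE = re.compile(r"us=\d+\s+([\w\[\]]+) = (.*)$")
OPTS_RE = re.compile(r"(Local|Expected Remote) Options String: '([^']*)'")

def parse_settings(log):
    """Return {name: value}; '[UNDEF]' -> None, ENABLED/DISABLED -> bool."""
    settings = {}
    for line in log.splitlines():
        m = PARAM_RE.search(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw == "'[UNDEF]'":
            value = None
        elif raw in ("ENABLED", "DISABLED"):
            value = raw == "ENABLED"
        elif raw.startswith("'") and raw.endswith("'"):
            value = raw[1:-1]
        elif raw.lstrip("-").isdigit():
            value = int(raw)
        else:
            value = raw  # e.g. remote_list[0] = {'82.127.57.95', 8147}
        settings[name] = value
    return settings

def data_channel_protected(settings):
    """OpenVPN 2.0 protects the data channel only with a static key (--secret)
    or with TLS (--tls-server / --tls-client); with neither, the WARNING on
    the page applies and everything crosses the internet in cleartext."""
    return bool(settings.get("shared_secret_file")
                or settings.get("tls_server") or settings.get("tls_client"))

def occ_strings(log):
    return {m.group(1): m.group(2) for m in map(OPTS_RE.search, log.splitlines()) if m}

def occ_mirrors(server_log, client_log):
    """Each side's 'Expected Remote' string must equal the other side's 'Local'
    string; that is why the two options hashes on the page are swapped."""
    s, c = occ_strings(server_log), occ_strings(client_log)
    return (s.get("Expected Remote") == c.get("Local")
            and c.get("Expected Remote") == s.get("Local"))

def firewall_rules(settings, wan_if="ppp0"):
    """The three rules this section added, derived from the dump.  proto = 0 is
    taken to mean UDP, as the 'proto UDPv4' in the options strings confirms."""
    proto = "udp" if settings.get("proto", 0) == 0 else "tcp"
    port, dev = settings["local_port"], settings["dev"]
    return [
        f"iptables -A INPUT -i {wan_if} -p {proto} --dport {port} -j ACCEPT",
        f"iptables -A INPUT -i {dev} -j ACCEPT",
        f"iptables -A OUTPUT -o {dev} -j ACCEPT",
    ]

def audit(server_log, client_log):
    """Findings a reviewer would raise about this tunnel, plus the rules."""
    srv = parse_settings(server_log)
    findings = []
    if not data_channel_protected(srv):
        findings.append("data channel is cleartext: no --secret and no TLS")
    if not occ_mirrors(server_log, client_log):
        findings.append("OCC option strings do not mirror: peers will log an options mismatch")
    return {"findings": findings, "rules": firewall_rules(srv)}

if __name__ == "__main__":
    result = audit(SERVER_LOG, CLIENT_LOG)
    for finding in result["findings"]:
        print("FINDING:", finding)
    print("\n".join(result["rules"]))
```

Run against the dumps above it reports exactly one finding, the cleartext data channel, which is the point the rest of the tutorial sets out to fix.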

A quick look with a sniffer

We are on CYCLOPE. We sniff the ping on tun1:

No.     Time        Source         Destination    Protocol Info
      1 0.000000    192.168.25.2   192.168.25.1   ICMP     Echo (ping) request
      2 0.077503    192.168.25.1   192.168.25.2   ICMP     Echo (ping) reply
      3 1.007802    192.168.25.2   192.168.25.1   ICMP     Echo (ping) request
      4 1.095914    192.168.25.1   192.168.25.2   ICMP     Echo (ping) reply
      5 2.018634    192.168.25.2   192.168.25.1   ICMP     Echo (ping) request
      6 2.083968    192.168.25.1   192.168.25.2   ICMP     Echo (ping) reply
      7 3.019537    192.168.25.2   192.168.25.1   ICMP     Echo (ping) request
      8 3.087613    192.168.25.1   192.168.25.2   ICMP     Echo (ping) reply

No need to go into detail: we clearly see ICMP going back and forth between 192.168.25.1 and 192.168.25.2.

Then we sniff it again on ppp0:

No.     Time        Source         Destination    Protocol Info
      1 0.000000    80.8.135.67    82.127.57.95   UDP      Source port: 8147  Destination port: 8147
      2 0.067128    82.127.57.95   80.8.135.67    UDP      Source port: 8147  Destination port: 8147
      3 1.011132    80.8.135.67    82.127.57.95   UDP      Source port: 8147  Destination port: 8147
      4 1.074716    82.127.57.95   80.8.135.67    UDP      Source port: 8147  Destination port: 8147
      5 2.027369    80.8.135.67    82.127.57.95   UDP      Source port: 8147  Destination port: 8147
      6 2.096456    82.127.57.95   80.8.135.67    UDP      Source port: 8147  Destination port: 8147
      7 3.041653    80.8.135.67    82.127.57.95   UDP      Source port: 8147  Destination port: 8147
      8 3.105374    82.127.57.95   80.8.135.67    UDP      Source port: 8147  Destination port: 8147

At this level we see only UDP, of course. Let's look at one of the frames in detail (129 bytes on the wire: 16 bytes of cooked-capture pseudo-header, 20 of IP, 8 of UDP and 85 of OpenVPN payload):

Frame 1 (129 bytes on wire, 129 bytes captured)
    Arrival Time: Jun 26, 2004 16:22:50.261813000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 129 bytes
    Capture Length: 129 bytes
Linux cooked capture
    Packet type: Sent by us (4)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 80.8.135.67, Dst Addr: 82.127.57.95
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 113
    Identification: 0x0200 (512)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (0x11)
    Header checksum: 0xd552 (correct)
    Source: 80.8.135.67 (80.8.135.67)
    Destination: 82.127.57.95 (82.127.57.95)
User Datagram Protocol, Src Port: 8147 (8147), Dst Port: 8147 (8147)
    Source port: 8147 (8147)
    Destination port: 8147 (8147)
    Length: 93
    Checksum: 0x6263 (correct)
Data (85 bytes)
0000  fa 45 00 00 54 00 00 40 00 40 01 87 55 c0 a8 19   .E..T..@.@..U...
0010  02 c0 a8 19 01 08 00 5c 4c ee 0a 00 00 40 dd 86   .......\L....@..
0020  ba 00 03 fb 0a 08 09 0a 0b 0c 0d 0e 0f 10 11 12   ................
0030  13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22   ............. !"
0040  23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32   #$%&'()*+,-./012
0050  33 34 35 36 37                                    34567

And here is the catch: those 85 bytes of data are not unreadable at all. OpenVPN's LZO framing prefixes each tunnelled packet with one byte, 0x66 when the packet was compressed and 0xfa when it was left as-is; the first byte here is fa, so LZO gave up on this packet (ping's payload of incrementing bytes does not compress). What follows is the inner packet in clear: 45 00 00 54 is an IPv4 header with a total length of 84 bytes, c0 a8 19 02 and c0 a8 19 01 are 192.168.25.2 and 192.168.25.1, 08 00 is an ICMP echo request, and the ping payload (08 09 0a ... 37) can be read straight off the ASCII column on the right. Compression is not encryption: whoever can sniff ppp0 reads the traffic just as well as we did on tun1, and even when a packet does get compressed, LZO is a public algorithm that the sniffer can run too.
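The datagram above, decoded programmatically. This is an added example, not code from the original page or from OpenVPN: it takes the 85 data bytes transcribed by hand from the hex dump (constructed input), checks the LZO marker byte (0x66 compressed, 0xfa sent as-is, the values from OpenVPN's lzo.h), then parses the inner IPv4 and ICMP headers and verifies both checksums. No LZO decompression is attempted; a compressed packet is only reported as such.

```python
"""Decode the payload of one OpenVPN datagram captured on ppp0.

Added example (not from the original page or from OpenVPN): the tunnel was
started with --comp-lzo but without --secret or TLS, so each UDP datagram is
just a one-byte LZO marker followed by the tunnelled IP packet.
"""
import struct

# Marker byte OpenVPN prepends to every packet when --comp-lzo is on
# (values from OpenVPN's lzo.h).
LZO_COMPRESSED = 0x66      # payload is LZO1X-compressed
LZO_NOT_COMPRESSED = 0xFA  # payload was incompressible and sent as-is

# The 85 "Data" bytes of frame 1, transcribed from the hex dump above
# (constructed input for this example).
CAPTURED_DATA = bytes.fromhex(
    "fa 45 00 00 54 00 00 40 00 40 01 87 55 c0 a8 19"
    "02 c0 a8 19 01 08 00 5c 4c ee 0a 00 00 40 dd 86"
    "ba 00 03 fb 0a 08 09 0a 0b 0c 0d 0e 0f 10 11 12"
    "13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22"
    "23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32"
    "33 34 35 36 37"
)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP headers.
    Over a message whose checksum field is already filled in, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_icmp(msg: bytes) -> dict:
    """Split an ICMP message into header fields and payload, verifying its checksum."""
    if len(msg) < 8:
        raise ValueError("truncated ICMP message")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return {
        "type": icmp_type,       # 8 = echo request, 0 = echo reply
        "code": code,
        "id": ident,
        "seq": seq,
        "checksum_ok": inet_checksum(msg) == 0,
        "payload": msg[8:],      # ping's data: a timestamp, then 08 09 0a ...
    }


def parse_ipv4(pkt: bytes) -> dict:
    """Parse an IPv4 header (and its ICMP payload when protocol == 1)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 packet")
    ver_ihl, _tos, total_len, _ident, _flags, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(pkt):
        raise ValueError("not a well-formed IPv4 packet")
    info = {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "ttl": ttl,
        "proto": proto,
        "total_len": total_len,
        "header_checksum_ok": inet_checksum(pkt[:ihl]) == 0,
    }
    if proto == 1:
        info["icmp"] = parse_icmp(pkt[ihl:total_len])
    return info


def decode_openvpn_payload(data: bytes) -> dict:
    """Strip the LZO marker and, when the packet was not compressed, decode it.
    A compressed packet is only reported here: decompressing it needs LZO1X,
    which is a public algorithm, so it is no obstacle to an eavesdropper."""
    if not data:
        raise ValueError("empty payload")
    marker = data[0]
    if marker == LZO_COMPRESSED:
        return {"compressed": True, "inner": None}
    if marker != LZO_NOT_COMPRESSED:
        raise ValueError("unknown LZO marker 0x%02x" % marker)
    return {"compressed": False, "inner": parse_ipv4(data[1:])}


if __name__ == "__main__":
    decoded = decode_openvpn_payload(CAPTURED_DATA)
    ip = decoded["inner"]
    icmp = ip["icmp"]
    print("%s -> %s ICMP type %d id 0x%04x seq %d, checksums ok: ip=%s icmp=%s"
          % (ip["src"], ip["dst"], icmp["type"], icmp["id"], icmp["seq"],
             ip["header_checksum_ok"], icmp["checksum_ok"]))
    print("payload in clear:", icmp["payload"][8:])
```

Both checksums verify against the bytes on the page, which is a good sanity check that the hex dump was transcribed correctly; the same parser applied to a live capture of the UDP port 8147 stream on ppp0 would recover every packet of the session in the same way.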

First conclusions

We have managed to set up a very simple tunnel, linking point-to-point two remote hosts, both connected to the internet.

Inside this tunnel, everything behaves as if the two hosts were connected by a serial link, as with PPP for example.

We have not joined two networks, just two machines. But if these machines are routers, with a little (more) thought we will come up with sensible routing rules that let the networks behind them talk to each other.

There is no authentication and no confidentiality, only data compression. Nor is there any integrity check: nothing in these datagrams proves that they came from the other endpoint or that they were not altered in transit.

Naturally we are going to do better, by bringing in encryption.