====== OpenVPN with a shared key ======

This method consists of generating a symmetric encryption key and handing a copy to each end of the tunnel. Simple, efficient and reasonably secure. What we get is:

  * encryption of the data inside the tunnel;
  * a (pseudo) authentication of the endpoints, provided the shared secret really is shared only between the two intended endpoints.

What we do not get is forward secrecy: the same key protects every session until someone replaces it, so anyone who has recorded the traffic and later obtains the key can decrypt all of it. That, together with the fact that the secret has to sit in clear text on both hosts, is why the TLS-based setup follows in the next chapter.

===== Creating the secret =====

openvpn takes care of this itself. Let us create the secret on ''cyclope'':

<code>
cyclope:~# openvpn --genkey --secret shared.key
</code>

Which gives us, in the home directory of ''root'' (we could have created it elsewhere):

<code>
cyclope:~# cat shared.key
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
f7257a2e6711515f6599d18748910696
7cd9ed0fbd09060e936a0a96584c5c29
1b1ba87ac953aa6f09d5e03e4d9b815c
2b849998f8fede8394edfa965d58d5eb
bd811c44df8d4b2fee59e2ca1d300942
79cc16e2da898b3c5d81ac8dd595c276
1517d3893178924e4b8b79b9add4efcd
e65685b2f813808b0852f9f283588762
3c544069b06e45a00ea799d4ddbd3916
925d71f4577ea4693fe380fd7d534ff0
5a6cb5048ce4f7d62c996d545d6f92ae
a59d828dbb7c5e16d8ce2ebf8238cbfb
0dccf02e0dafed1442ef8e11cb452c93
2c9691ee67ffafd1bce0c6c89736944b
8977756470622841278ad45e924f9bff
74004f2850fd8c72efd8de48b628d0c3
-----END OpenVPN Static key V1-----
</code>

The "2048 bit" is literal: 16 lines of 32 hex digits, 256 bytes of random material. OpenVPN does not feed all of it to one algorithm; the file holds two 128-byte halves, each made of a 64-byte cipher key and a 64-byte HMAC key, and the BF-CBC/SHA1 pair used below only consumes the first 16 and 20 bytes of those fields. Note also that a key pasted into a web page, like this one, is of course burnt and must never be used.

All that remains is to copy this secret to ''aaron'' by a secure means, ''scp'' for example, and to test the tunnel by pointing both ends at it. Whoever can read this file can decrypt and forge tunnel traffic, so check on both hosts that the copy belongs to root with mode 0600.

===== On aaron =====

The command:

<code>
aaron:~# openvpn --port 8147 --dev tun1 --ifconfig 192.168.25.1 192.168.25.2 --comp-lzo --verb 5 --secret /root/shared.key
</code>

And the response:
<code>
Sat Nov 15 17:42:06 2008 us=754964 Current Parameter Settings:
Sat Nov 15 17:42:06 2008 us=755921 config = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=756229 mode = 0
Sat Nov 15 17:42:06 2008 us=756485 persist_config = DISABLED
Sat Nov 15 17:42:06 2008 us=756784 persist_mode = 1
Sat Nov 15 17:42:06 2008 us=757012 show_ciphers = DISABLED
Sat Nov 15 17:42:06 2008 us=757239 show_digests = DISABLED
Sat Nov 15 17:42:06 2008 us=757466 show_engines = DISABLED
Sat Nov 15 17:42:06 2008 us=757693 genkey = DISABLED
Sat Nov 15 17:42:06 2008 us=757923 key_pass_file = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=758153 show_tls_ciphers = DISABLED
Sat Nov 15 17:42:06 2008 us=758384 proto = 0
Sat Nov 15 17:42:06 2008 us=758611 local = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=758838 remote_list = NULL
Sat Nov 15 17:42:06 2008 us=759066 remote_random = DISABLED
Sat Nov 15 17:42:06 2008 us=759297 local_port = 8147
Sat Nov 15 17:42:06 2008 us=759526 remote_port = 8147
Sat Nov 15 17:42:06 2008 us=759760 remote_float = DISABLED
Sat Nov 15 17:42:06 2008 us=760023 ipchange = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=760259 bind_local = ENABLED
Sat Nov 15 17:42:06 2008 us=760488 dev = 'tun1'
Sat Nov 15 17:42:06 2008 us=760762 dev_type = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=760991 dev_node = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=761218 tun_ipv6 = DISABLED
Sat Nov 15 17:42:06 2008 us=761445 ifconfig_local = '192.168.25.1'
Sat Nov 15 17:42:06 2008 us=761686 ifconfig_remote_netmask = '192.168.25.2'
Sat Nov 15 17:42:06 2008 us=761919 ifconfig_noexec = DISABLED
Sat Nov 15 17:42:06 2008 us=762150 ifconfig_nowarn = DISABLED
Sat Nov 15 17:42:06 2008 us=762380 shaper = 0
Sat Nov 15 17:42:06 2008 us=762610 tun_mtu = 1500
Sat Nov 15 17:42:06 2008 us=762836 tun_mtu_defined = ENABLED
Sat Nov 15 17:42:06 2008 us=763079 link_mtu = 1500
Sat Nov 15 17:42:06 2008 us=763307 link_mtu_defined = DISABLED
Sat Nov 15 17:42:06 2008 us=763538 tun_mtu_extra = 0
Sat Nov 15 17:42:06 2008 us=763765 tun_mtu_extra_defined = DISABLED
Sat Nov 15 17:42:06 2008 us=763996 fragment = 0
Sat Nov 15 17:42:06 2008 us=764224 mtu_discover_type = -1
Sat Nov 15 17:42:06 2008 us=764452 mtu_test = 0
Sat Nov 15 17:42:06 2008 us=764769 mlock = DISABLED
Sat Nov 15 17:42:06 2008 us=765002 keepalive_ping = 0
Sat Nov 15 17:42:06 2008 us=765230 keepalive_timeout = 0
Sat Nov 15 17:42:06 2008 us=765458 inactivity_timeout = 0
Sat Nov 15 17:42:06 2008 us=765685 ping_send_timeout = 0
Sat Nov 15 17:42:06 2008 us=765913 ping_rec_timeout = 0
Sat Nov 15 17:42:06 2008 us=766141 ping_rec_timeout_action = 0
Sat Nov 15 17:42:06 2008 us=766372 ping_timer_remote = DISABLED
Sat Nov 15 17:42:06 2008 us=766607 remap_sigusr1 = 0
Sat Nov 15 17:42:06 2008 us=766836 explicit_exit_notification = 0
Sat Nov 15 17:42:06 2008 us=767066 persist_tun = DISABLED
Sat Nov 15 17:42:06 2008 us=767294 persist_local_ip = DISABLED
Sat Nov 15 17:42:06 2008 us=767524 persist_remote_ip = DISABLED
Sat Nov 15 17:42:06 2008 us=767754 persist_key = DISABLED
Sat Nov 15 17:42:06 2008 us=767982 mssfix = 1450
Sat Nov 15 17:42:06 2008 us=768208 passtos = DISABLED
Sat Nov 15 17:42:06 2008 us=768437 resolve_retry_seconds = 1000000000
Sat Nov 15 17:42:06 2008 us=768714 connect_retry_seconds = 5
Sat Nov 15 17:42:06 2008 us=768945 username = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=769174 groupname = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=769401 chroot_dir = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=769628 cd_dir = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=769869 writepid = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=770099 up_script = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=770327 down_script = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=770554 down_pre = DISABLED
Sat Nov 15 17:42:06 2008 us=770781 up_restart = DISABLED
Sat Nov 15 17:42:06 2008 us=771008 up_delay = DISABLED
Sat Nov 15 17:42:06 2008 us=771235 daemon = DISABLED
Sat Nov 15 17:42:06 2008 us=771463 inetd = 0
Sat Nov 15 17:42:06 2008 us=771689 log = DISABLED
Sat Nov 15 17:42:06 2008 us=771916 suppress_timestamps = DISABLED
Sat Nov 15 17:42:06 2008 us=772146 nice = 0
Sat Nov 15 17:42:06 2008 us=772374 verbosity = 5
Sat Nov 15 17:42:06 2008 us=772641 mute = 0
Sat Nov 15 17:42:06 2008 us=772871 gremlin = 0
Sat Nov 15 17:42:06 2008 us=773098 status_file = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=773332 status_file_version = 1
Sat Nov 15 17:42:06 2008 us=773560 status_file_update_freq = 60
Sat Nov 15 17:42:06 2008 us=773788 occ = ENABLED
Sat Nov 15 17:42:06 2008 us=774017 rcvbuf = 65536
Sat Nov 15 17:42:06 2008 us=774245 sndbuf = 65536
Sat Nov 15 17:42:06 2008 us=774474 socks_proxy_server = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=774705 socks_proxy_port = 0
Sat Nov 15 17:42:06 2008 us=774933 socks_proxy_retry = DISABLED
Sat Nov 15 17:42:06 2008 us=775163 fast_io = DISABLED
Sat Nov 15 17:42:06 2008 us=775391 comp_lzo = ENABLED
Sat Nov 15 17:42:06 2008 us=775620 comp_lzo_adaptive = ENABLED
Sat Nov 15 17:42:06 2008 us=775851 route_script = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=776082 route_default_gateway = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=776311 route_noexec = DISABLED
Sat Nov 15 17:42:06 2008 us=776552 route_delay = 0
Sat Nov 15 17:42:06 2008 us=776823 route_delay_window = 30
Sat Nov 15 17:42:06 2008 us=777051 route_delay_defined = DISABLED
Sat Nov 15 17:42:06 2008 us=777282 management_addr = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=777514 management_port = 0
Sat Nov 15 17:42:06 2008 us=777742 management_user_pass = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=777974 management_log_history_cache = 250
Sat Nov 15 17:42:06 2008 us=778205 management_echo_buffer_size = 100
Sat Nov 15 17:42:06 2008 us=778434 management_query_passwords = DISABLED
Sat Nov 15 17:42:06 2008 us=778664 management_hold = DISABLED
Sat Nov 15 17:42:06 2008 us=778895 shared_secret_file = '/root/shared.key'
Sat Nov 15 17:42:06 2008 us=779127 key_direction = 0
Sat Nov 15 17:42:06 2008 us=779357 ciphername_defined = ENABLED
Sat Nov 15 17:42:06 2008 us=779603 ciphername = 'BF-CBC'
Sat Nov 15 17:42:06 2008 us=779833 authname_defined = ENABLED
Sat Nov 15 17:42:06 2008 us=780064 authname = 'SHA1'
Sat Nov 15 17:42:06 2008 us=780293 keysize = 0
Sat Nov 15 17:42:06 2008 us=780521 engine = DISABLED
Sat Nov 15 17:42:06 2008 us=780792 replay = ENABLED
Sat Nov 15 17:42:06 2008 us=781022 mute_replay_warnings = DISABLED
Sat Nov 15 17:42:06 2008 us=781485 replay_window = 64
Sat Nov 15 17:42:06 2008 us=781733 replay_time = 15
Sat Nov 15 17:42:06 2008 us=781962 packet_id_file = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=782193 use_iv = ENABLED
Sat Nov 15 17:42:06 2008 us=782422 test_crypto = DISABLED
Sat Nov 15 17:42:06 2008 us=782651 tls_server = DISABLED
Sat Nov 15 17:42:06 2008 us=782879 tls_client = DISABLED
Sat Nov 15 17:42:06 2008 us=783109 key_method = 2
Sat Nov 15 17:42:06 2008 us=783340 ca_file = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=783570 dh_file = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=783798 cert_file = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=784027 priv_key_file = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=784258 pkcs12_file = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=784486 cipher_list = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=784757 tls_verify = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=784986 tls_remote = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=785215 crl_file = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=785445 ns_cert_type = 0
Sat Nov 15 17:42:06 2008 us=785675 tls_timeout = 2
Sat Nov 15 17:42:06 2008 us=785905 renegotiate_bytes = 0
Sat Nov 15 17:42:06 2008 us=786136 renegotiate_packets = 0
Sat Nov 15 17:42:06 2008 us=786366 renegotiate_seconds = 3600
Sat Nov 15 17:42:06 2008 us=786599 handshake_window = 60
Sat Nov 15 17:42:06 2008 us=786842 transition_window = 3600
Sat Nov 15 17:42:06 2008 us=787075 single_session = DISABLED
Sat Nov 15 17:42:06 2008 us=787307 tls_exit = DISABLED
Sat Nov 15 17:42:06 2008 us=787535 tls_auth_file = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=787850 server_network = 0.0.0.0
Sat Nov 15 17:42:06 2008 us=788097 server_netmask = 0.0.0.0
Sat Nov 15 17:42:06 2008 us=788337 server_bridge_ip = 0.0.0.0
Sat Nov 15 17:42:06 2008 us=788616 server_bridge_netmask = 0.0.0.0
Sat Nov 15 17:42:06 2008 us=788861 server_bridge_pool_start = 0.0.0.0
Sat Nov 15 17:42:06 2008 us=789101 server_bridge_pool_end = 0.0.0.0
Sat Nov 15 17:42:06 2008 us=789333 ifconfig_pool_defined = DISABLED
Sat Nov 15 17:42:06 2008 us=789575 ifconfig_pool_start = 0.0.0.0
Sat Nov 15 17:42:06 2008 us=789817 ifconfig_pool_end = 0.0.0.0
Sat Nov 15 17:42:06 2008 us=790060 ifconfig_pool_netmask = 0.0.0.0
Sat Nov 15 17:42:06 2008 us=790291 ifconfig_pool_persist_filename = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=790527 ifconfig_pool_persist_refresh_freq = 600
Sat Nov 15 17:42:06 2008 us=790761 ifconfig_pool_linear = DISABLED
Sat Nov 15 17:42:06 2008 us=790994 n_bcast_buf = 256
Sat Nov 15 17:42:06 2008 us=791225 tcp_queue_limit = 64
Sat Nov 15 17:42:06 2008 us=791454 real_hash_size = 256
Sat Nov 15 17:42:06 2008 us=791684 virtual_hash_size = 256
Sat Nov 15 17:42:06 2008 us=791914 client_connect_script = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=792147 learn_address_script = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=792380 client_disconnect_script = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=792652 client_config_dir = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=792887 ccd_exclusive = DISABLED
Sat Nov 15 17:42:06 2008 us=793131 tmp_dir = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=793334 push_ifconfig_defined = DISABLED
Sat Nov 15 17:42:06 2008 us=793548 push_ifconfig_local = 0.0.0.0
Sat Nov 15 17:42:06 2008 us=793761 push_ifconfig_remote_netmask = 0.0.0.0
Sat Nov 15 17:42:06 2008 us=793965 enable_c2c = DISABLED
Sat Nov 15 17:42:06 2008 us=794166 duplicate_cn = DISABLED
Sat Nov 15 17:42:06 2008 us=794369 cf_max = 0
Sat Nov 15 17:42:06 2008 us=794572 cf_per = 0
Sat Nov 15 17:42:06 2008 us=794774 max_clients = 1024
Sat Nov 15 17:42:06 2008 us=794977 max_routes_per_client = 256
Sat Nov 15 17:42:06 2008 us=795182 client_cert_not_required = DISABLED
Sat Nov 15 17:42:06 2008 us=795387 username_as_common_name = DISABLED
Sat Nov 15 17:42:06 2008 us=795592 auth_user_pass_verify_script = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=795799 auth_user_pass_verify_script_via_file = DISABLED
Sat Nov 15 17:42:06 2008 us=796006 client = DISABLED
Sat Nov 15 17:42:06 2008 us=796207 pull = DISABLED
Sat Nov 15 17:42:06 2008 us=796410 auth_user_pass_file = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=796661 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007
Sat Nov 15 17:42:06 2008 us=798465 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov 15 17:42:06 2008 us=798743 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 15 17:42:06 2008 us=799255 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov 15 17:42:06 2008 us=799485 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 15 17:42:06 2008 us=799753 LZO compression initialized
Sat Nov 15 17:42:06 2008 us=850486 TUN/TAP device tun1 opened
Sat Nov 15 17:42:06 2008 us=850907 TUN/TAP TX queue length set to 100
Sat Nov 15 17:42:06 2008 us=851230 ifconfig tun1 192.168.25.1 pointopoint 192.168.25.2 mtu 1500
Sat Nov 15 17:42:06 2008 us=865884 Data Channel MTU parms [ L:1545 D:1450 EF:45 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Nov 15 17:42:06 2008 us=866409 Local Options String: 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.2 192.168.25.1,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,secret'
Sat Nov 15 17:42:06 2008 us=866663 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.1 192.168.25.2,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,secret'
Sat Nov 15 17:42:06 2008 us=867004 Local Options hash (VER=V4): '6963813b'
Sat Nov 15 17:42:06 2008 us=867286 Expected Remote Options hash (VER=V4): '3210d11a'
Sat Nov 15 17:42:06 2008 us=867602 Socket Buffers: R=[110592->131072] S=[110592->131072]
Sat Nov 15 17:42:06 2008 us=867859 UDPv4 link local (bound): [undef]:8147
Sat Nov 15 17:42:06 2008 us=868086 UDPv4 link remote: [undef]
</code>

No more of that nasty warning telling us the data travels in the clear; in its place we get the encryption parameters: BF-CBC with a 128-bit key for confidentiality and HMAC-SHA1 for packet authentication. Two other lines are worth reading. ''UDPv4 link remote: [undef]'' is there because aaron was started without ''--remote'': it waits on port 8147 and will lock onto the first peer whose packets authenticate under the shared key. And the two option hashes (''6963813b'' local, ''3210d11a'' expected) reappear swapped in cyclope's log below: the option consistency check (''occc'' enabled above) compares each side's option string with the other's, which is what catches mismatched cipher, MTU or compression settings between the two ends.

===== On cyclope =====

The command:

<code>
cyclope:/etc/openvpn# openvpn --remote 82.127.57.95 --port 8147 --dev tun1 --ifconfig 192.168.25.2 192.168.25.1 --comp-lzo --verb 5 --secret /root/shared.key
</code>

And the response:
<code>
Sat Nov 15 17:48:47 2008 us=847763 Current Parameter Settings:
Sat Nov 15 17:48:47 2008 us=849252 config = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=850003 mode = 0
Sat Nov 15 17:48:47 2008 us=850695 persist_config = DISABLED
Sat Nov 15 17:48:47 2008 us=851472 persist_mode = 1
Sat Nov 15 17:48:47 2008 us=852164 show_ciphers = DISABLED
Sat Nov 15 17:48:47 2008 us=852859 show_digests = DISABLED
Sat Nov 15 17:48:47 2008 us=853550 show_engines = DISABLED
Sat Nov 15 17:48:47 2008 us=854244 genkey = DISABLED
Sat Nov 15 17:48:47 2008 us=854939 key_pass_file = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=855703 show_tls_ciphers = DISABLED
Sat Nov 15 17:48:47 2008 us=856406 proto = 0
Sat Nov 15 17:48:47 2008 us=857097 local = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=857794 remote_list[0] = {'82.127.57.95', 8147}
Sat Nov 15 17:48:47 2008 us=858488 remote_random = DISABLED
Sat Nov 15 17:48:47 2008 us=860129 local_port = 8147
Sat Nov 15 17:48:47 2008 us=860657 remote_port = 8147
Sat Nov 15 17:48:47 2008 us=861336 remote_float = DISABLED
Sat Nov 15 17:48:47 2008 us=862029 ipchange = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=862720 bind_local = ENABLED
Sat Nov 15 17:48:47 2008 us=864281 dev = 'tun1'
Sat Nov 15 17:48:47 2008 us=864789 dev_type = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=865482 dev_node = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=866171 tun_ipv6 = DISABLED
Sat Nov 15 17:48:47 2008 us=866860 ifconfig_local = '192.168.25.2'
Sat Nov 15 17:48:47 2008 us=867794 ifconfig_remote_netmask = '192.168.25.1'
Sat Nov 15 17:48:47 2008 us=868492 ifconfig_noexec = DISABLED
Sat Nov 15 17:48:47 2008 us=869183 ifconfig_nowarn = DISABLED
Sat Nov 15 17:48:47 2008 us=869875 shaper = 0
Sat Nov 15 17:48:47 2008 us=870569 tun_mtu = 1500
Sat Nov 15 17:48:47 2008 us=871472 tun_mtu_defined = ENABLED
Sat Nov 15 17:48:47 2008 us=871991 link_mtu = 1500
Sat Nov 15 17:48:47 2008 us=872506 link_mtu_defined = DISABLED
Sat Nov 15 17:48:47 2008 us=872892 tun_mtu_extra = 0
Sat Nov 15 17:48:47 2008 us=873233 tun_mtu_extra_defined = DISABLED
Sat Nov 15 17:48:47 2008 us=873575 fragment = 0
Sat Nov 15 17:48:47 2008 us=873914 mtu_discover_type = -1
Sat Nov 15 17:48:47 2008 us=874253 mtu_test = 0
Sat Nov 15 17:48:47 2008 us=874588 mlock = DISABLED
Sat Nov 15 17:48:47 2008 us=874710 keepalive_ping = 0
Sat Nov 15 17:48:47 2008 us=874814 keepalive_timeout = 0
Sat Nov 15 17:48:47 2008 us=874918 inactivity_timeout = 0
Sat Nov 15 17:48:47 2008 us=875021 ping_send_timeout = 0
Sat Nov 15 17:48:47 2008 us=875124 ping_rec_timeout = 0
Sat Nov 15 17:48:47 2008 us=875674 ping_rec_timeout_action = 0
Sat Nov 15 17:48:47 2008 us=875793 ping_timer_remote = DISABLED
Sat Nov 15 17:48:47 2008 us=875899 remap_sigusr1 = 0
Sat Nov 15 17:48:47 2008 us=876002 explicit_exit_notification = 0
Sat Nov 15 17:48:47 2008 us=876104 persist_tun = DISABLED
Sat Nov 15 17:48:47 2008 us=876238 persist_local_ip = DISABLED
Sat Nov 15 17:48:47 2008 us=876344 persist_remote_ip = DISABLED
Sat Nov 15 17:48:47 2008 us=876618 persist_key = DISABLED
Sat Nov 15 17:48:47 2008 us=876735 mssfix = 1450
Sat Nov 15 17:48:47 2008 us=876836 passtos = DISABLED
Sat Nov 15 17:48:47 2008 us=876943 resolve_retry_seconds = 1000000000
Sat Nov 15 17:48:47 2008 us=877046 connect_retry_seconds = 5
Sat Nov 15 17:48:47 2008 us=877148 username = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=877251 groupname = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=877354 chroot_dir = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=877456 cd_dir = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=877559 writepid = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=877661 up_script = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=877763 down_script = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=877865 down_pre = DISABLED
Sat Nov 15 17:48:47 2008 us=877966 up_restart = DISABLED
Sat Nov 15 17:48:47 2008 us=878068 up_delay = DISABLED
Sat Nov 15 17:48:47 2008 us=878168 daemon = DISABLED
Sat Nov 15 17:48:47 2008 us=878270 inetd = 0
Sat Nov 15 17:48:47 2008 us=878370 log = DISABLED
Sat Nov 15 17:48:47 2008 us=878471 suppress_timestamps = DISABLED
Sat Nov 15 17:48:47 2008 us=878574 nice = 0
Sat Nov 15 17:48:47 2008 us=878675 verbosity = 5
Sat Nov 15 17:48:47 2008 us=878777 mute = 0
Sat Nov 15 17:48:47 2008 us=878877 gremlin = 0
Sat Nov 15 17:48:47 2008 us=878978 status_file = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=879082 status_file_version = 1
Sat Nov 15 17:48:47 2008 us=880451 status_file_update_freq = 60
Sat Nov 15 17:48:47 2008 us=880862 occ = ENABLED
Sat Nov 15 17:48:47 2008 us=881262 rcvbuf = 65536
Sat Nov 15 17:48:47 2008 us=881733 sndbuf = 65536
Sat Nov 15 17:48:47 2008 us=882075 socks_proxy_server = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=883751 socks_proxy_port = 0
Sat Nov 15 17:48:47 2008 us=884239 socks_proxy_retry = DISABLED
Sat Nov 15 17:48:47 2008 us=884935 fast_io = DISABLED
Sat Nov 15 17:48:47 2008 us=885449 comp_lzo = ENABLED
Sat Nov 15 17:48:47 2008 us=886142 comp_lzo_adaptive = ENABLED
Sat Nov 15 17:48:47 2008 us=886661 route_script = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=887423 route_default_gateway = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=887945 route_noexec = DISABLED
Sat Nov 15 17:48:47 2008 us=888634 route_delay = 0
Sat Nov 15 17:48:47 2008 us=889152 route_delay_window = 30
Sat Nov 15 17:48:47 2008 us=889305 route_delay_defined = DISABLED
Sat Nov 15 17:48:47 2008 us=889595 management_addr = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=889709 management_port = 0
Sat Nov 15 17:48:47 2008 us=889812 management_user_pass = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=889917 management_log_history_cache = 250
Sat Nov 15 17:48:47 2008 us=890021 management_echo_buffer_size = 100
Sat Nov 15 17:48:47 2008 us=890124 management_query_passwords = DISABLED
Sat Nov 15 17:48:47 2008 us=890228 management_hold = DISABLED
Sat Nov 15 17:48:47 2008 us=890332 shared_secret_file = '/root/shared.key'
Sat Nov 15 17:48:47 2008 us=890439 key_direction = 0
Sat Nov 15 17:48:47 2008 us=890545 ciphername_defined = ENABLED
Sat Nov 15 17:48:47 2008 us=890651 ciphername = 'BF-CBC'
Sat Nov 15 17:48:47 2008 us=890756 authname_defined = ENABLED
Sat Nov 15 17:48:47 2008 us=890861 authname = 'SHA1'
Sat Nov 15 17:48:47 2008 us=890965 keysize = 0
Sat Nov 15 17:48:47 2008 us=891068 engine = DISABLED
Sat Nov 15 17:48:47 2008 us=891230 replay = ENABLED
Sat Nov 15 17:48:47 2008 us=891348 mute_replay_warnings = DISABLED
Sat Nov 15 17:48:47 2008 us=891456 replay_window = 64
Sat Nov 15 17:48:47 2008 us=891561 replay_time = 15
Sat Nov 15 17:48:47 2008 us=891665 packet_id_file = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=891768 use_iv = ENABLED
Sat Nov 15 17:48:47 2008 us=891871 test_crypto = DISABLED
Sat Nov 15 17:48:47 2008 us=891975 tls_server = DISABLED
Sat Nov 15 17:48:47 2008 us=892078 tls_client = DISABLED
Sat Nov 15 17:48:47 2008 us=892184 key_method = 2
Sat Nov 15 17:48:47 2008 us=892286 ca_file = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=892390 dh_file = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=892493 cert_file = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=892597 priv_key_file = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=892701 pkcs12_file = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=892807 cipher_list = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=892912 tls_verify = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=893019 tls_remote = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=893125 crl_file = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=893231 ns_cert_type = 0
Sat Nov 15 17:48:47 2008 us=893338 tls_timeout = 2
Sat Nov 15 17:48:47 2008 us=893445 renegotiate_bytes = 0
Sat Nov 15 17:48:47 2008 us=893552 renegotiate_packets = 0
Sat Nov 15 17:48:47 2008 us=893659 renegotiate_seconds = 3600
Sat Nov 15 17:48:47 2008 us=893766 handshake_window = 60
Sat Nov 15 17:48:47 2008 us=893873 transition_window = 3600
Sat Nov 15 17:48:47 2008 us=893977 single_session = DISABLED
Sat Nov 15 17:48:47 2008 us=894083 tls_exit = DISABLED
Sat Nov 15 17:48:47 2008 us=894189 tls_auth_file = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=894428 server_network = 0.0.0.0
Sat Nov 15 17:48:47 2008 us=894555 server_netmask = 0.0.0.0
Sat Nov 15 17:48:47 2008 us=894673 server_bridge_ip = 0.0.0.0
Sat Nov 15 17:48:47 2008 us=894792 server_bridge_netmask = 0.0.0.0
Sat Nov 15 17:48:47 2008 us=894912 server_bridge_pool_start = 0.0.0.0
Sat Nov 15 17:48:47 2008 us=895031 server_bridge_pool_end = 0.0.0.0
Sat Nov 15 17:48:47 2008 us=895140 ifconfig_pool_defined = DISABLED
Sat Nov 15 17:48:47 2008 us=897711 ifconfig_pool_start = 0.0.0.0
Sat Nov 15 17:48:47 2008 us=898297 ifconfig_pool_end = 0.0.0.0
Sat Nov 15 17:48:47 2008 us=898672 ifconfig_pool_netmask = 0.0.0.0
Sat Nov 15 17:48:47 2008 us=899060 ifconfig_pool_persist_filename = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=899615 ifconfig_pool_persist_refresh_freq = 600
Sat Nov 15 17:48:47 2008 us=900676 ifconfig_pool_linear = DISABLED
Sat Nov 15 17:48:47 2008 us=901202 n_bcast_buf = 256
Sat Nov 15 17:48:47 2008 us=901590 tcp_queue_limit = 64
Sat Nov 15 17:48:47 2008 us=901932 real_hash_size = 256
Sat Nov 15 17:48:47 2008 us=902271 virtual_hash_size = 256
Sat Nov 15 17:48:47 2008 us=902609 client_connect_script = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=902954 learn_address_script = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=903360 client_disconnect_script = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=903706 client_config_dir = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=904047 ccd_exclusive = DISABLED
Sat Nov 15 17:48:47 2008 us=904388 tmp_dir = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=904728 push_ifconfig_defined = DISABLED
Sat Nov 15 17:48:47 2008 us=905084 push_ifconfig_local = 0.0.0.0
Sat Nov 15 17:48:47 2008 us=905442 push_ifconfig_remote_netmask = 0.0.0.0
Sat Nov 15 17:48:47 2008 us=905783 enable_c2c = DISABLED
Sat Nov 15 17:48:47 2008 us=906129 duplicate_cn = DISABLED
Sat Nov 15 17:48:47 2008 us=906469 cf_max = 0
Sat Nov 15 17:48:47 2008 us=906809 cf_per = 0
Sat Nov 15 17:48:47 2008 us=907150 max_clients = 1024
Sat Nov 15 17:48:47 2008 us=907550 max_routes_per_client = 256
Sat Nov 15 17:48:47 2008 us=907895 client_cert_not_required = DISABLED
Sat Nov 15 17:48:47 2008 us=908239 username_as_common_name = DISABLED
Sat Nov 15 17:48:47 2008 us=908584 auth_user_pass_verify_script = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=909652 auth_user_pass_verify_script_via_file = DISABLED
Sat Nov 15 17:48:47 2008 us=910080 client = DISABLED
Sat Nov 15 17:48:47 2008 us=910480 pull = DISABLED
Sat Nov 15 17:48:47 2008 us=911004 auth_user_pass_file = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=911590 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007
Sat Nov 15 17:48:47 2008 us=930468 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov 15 17:48:47 2008 us=931249 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 15 17:48:47 2008 us=932250 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov 15 17:48:47 2008 us=932794 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 15 17:48:47 2008 us=933445 LZO compression initialized
Sat Nov 15 17:48:47 2008 us=988633 TUN/TAP device tun1 opened
Sat Nov 15 17:48:47 2008 us=989602 TUN/TAP TX queue length set to 100
Sat Nov 15 17:48:47 2008 us=990265 ifconfig tun1 192.168.25.2 pointopoint 192.168.25.1 mtu 1500
Sat Nov 15 17:48:48 2008 us=16600 Data Channel MTU parms [ L:1545 D:1450 EF:45 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Nov 15 17:48:48 2008 us=16998 Local Options String: 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.1 192.168.25.2,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,secret'
Sat Nov 15 17:48:48 2008 us=17112 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.2 192.168.25.1,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,secret'
Sat Nov 15 17:48:48 2008 us=17383 Local Options hash (VER=V4): '3210d11a'
Sat Nov 15 17:48:48 2008 us=17565 Expected Remote Options hash (VER=V4): '6963813b'
Sat Nov 15 17:48:48 2008 us=17795 Socket Buffers: R=[110592->131072] S=[110592->131072]
Sat Nov 15 17:48:48 2008 us=17940 UDPv4 link local (bound): [undef]:8147
Sat Nov 15 17:48:48 2008 us=18059 UDPv4 link remote: 82.127.57.95:8147
WRSat Nov 15 17:48:58 2008 us=894383 Peer Connection Initiated with 82.127.57.95:8147
Sat Nov 15 17:49:00 2008 us=39348 Initialization Sequence Completed
</code>

Nothing more to add. (The ''WR'' glued to the front of the penultimate line are the per-packet write/read markers that ''--verb 5'' prints to the console without a newline.)

===== Check =====

From ''aaron'':

<code>
aaron:~# ping -c 4 192.168.25.2
PING 192.168.25.2 (192.168.25.2) 56(84) bytes of data.
64 bytes from 192.168.25.2: icmp_seq=1 ttl=64 time=53.2 ms
64 bytes from 192.168.25.2: icmp_seq=2 ttl=64 time=52.3 ms
64 bytes from 192.168.25.2: icmp_seq=3 ttl=64 time=49.9 ms
64 bytes from 192.168.25.2: icmp_seq=4 ttl=64 time=50.9 ms

--- 192.168.25.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2998ms
rtt min/avg/max/mdev = 49.942/51.613/53.256/1.309 ms
</code>

If it works one way, there is no reason it should not work the other way too:

<code>
cyclope:~# ping -c 4 192.168.25.1
PING 192.168.25.1 (192.168.25.1) 56(84) bytes of data.
64 bytes from 192.168.25.1: icmp_seq=1 ttl=64 time=52.8 ms
64 bytes from 192.168.25.1: icmp_seq=2 ttl=64 time=59.7 ms
64 bytes from 192.168.25.1: icmp_seq=3 ttl=64 time=50.9 ms
64 bytes from 192.168.25.1: icmp_seq=4 ttl=64 time=51.1 ms

--- 192.168.25.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 50.980/53.681/59.734/3.574 ms
</code>

===== Interim conclusion =====

We now have a reasonably secure tunnel. It will stay that way for as long as the shared secret is not shared too widely, that is, for as long as it exists only on ''aaron'' and ''cyclope''. Two details of the logs above deserve attention before leaving this setup in place. ''key_direction = 0'' on both ends means no direction argument was given to ''--secret'', so both peers encrypt and authenticate with the same half of the key in both directions; the OpenVPN manual recommends ''--secret /root/shared.key 0'' on one end and ''--secret /root/shared.key 1'' on the other so that each direction gets its own cipher and HMAC keys. And BF-CBC is a 64-bit block cipher that the OpenVPN project has since deprecated because of birthday-bound attacks on such small blocks; on a current OpenVPN, pass something like ''--cipher AES-256-CBC --auth SHA256'' on both ends (the OCC check will refuse to talk if only one end is changed).

In the next step, using TLS and certificates, we will be able not only to encrypt the data but also to mutually authenticate each end of the tunnel.
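To make the key-direction point above concrete, here is an added example, written for this page and not code from the page's author or from the OpenVPN project. It parses the ''Static key V1'' text format shown in the key-creation section, rejects malformed files, splits the 256 bytes into the two (cipher key, HMAC key) slots and shows which bytes each peer ends up sending and receiving with for the three possible ''--secret'' direction settings, plus the file-permission check to run on ''/root/shared.key''. The slot layout (two 64-byte cipher / 64-byte HMAC fields) and the direction-to-slot mapping are taken from the editor's reading of OpenVPN 2.x's ''crypto.c'', not from this page, and should be treated as assumptions; the key material is generated at run time, never the burnt key printed above.

```python
"""Parse, validate and split an OpenVPN 'Static key V1' file.

Added example, not from the original page.  The file format is the one
openvpn --genkey prints; the slot layout and the direction rules below
mirror the editor's reading of OpenVPN 2.x crypto.c (struct key2 = two
slots of 64 bytes cipher key + 64 bytes HMAC key) and are assumptions.
"""
import os
import secrets
import stat

HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"
KEY_BYTES = 256          # "2048 bit OpenVPN static key"
SLOT = 64                # bytes per cipher-key field and per HMAC-key field

# Values of the optional direction argument of `--secret file [direction]`.
# No argument (BIDIRECTIONAL) means the same slot is used both ways.
BIDIRECTIONAL, NORMAL, INVERSE = None, 0, 1


def render_static_key(raw: bytes) -> str:
    """Write 256 raw bytes in the V1 text format: 16 lines of 32 hex digits."""
    if len(raw) != KEY_BYTES:
        raise ValueError("static key must be exactly 256 bytes")
    hexstr = raw.hex()
    body = "\n".join(hexstr[i:i + 32] for i in range(0, len(hexstr), 32))
    return f"#\n# 2048 bit OpenVPN static key\n#\n{HEADER}\n{body}\n{FOOTER}\n"


def parse_static_key(text: str) -> bytes:
    """Return the 256 raw key bytes; raise ValueError for anything else."""
    lines = [s for s in (ln.strip() for ln in text.splitlines())
             if s and not s.startswith("#")]          # drop comments and blanks
    if not lines or lines[0] != HEADER or lines[-1] != FOOTER:
        raise ValueError("missing BEGIN/END OpenVPN Static key V1 markers")
    raw = bytes.fromhex("".join(lines[1:-1]))         # ValueError on non-hex junk
    if len(raw) != KEY_BYTES:
        raise ValueError(f"expected {KEY_BYTES} key bytes, got {len(raw)}")
    return raw


def is_valid_static_key(text: str) -> bool:
    """Convenience wrapper: True if parse_static_key() accepts the text."""
    try:
        parse_static_key(text)
        return True
    except ValueError:
        return False


def split_slots(raw: bytes) -> list:
    """Slot i = (cipher-key field i, HMAC-key field i); the file holds two."""
    return [(raw[off:off + SLOT], raw[off + SLOT:off + 2 * SLOT])
            for off in (0, 2 * SLOT)]


def peer_keys(raw: bytes, direction, cipher_len: int = 16, hmac_len: int = 20) -> dict:
    """Key bytes one peer actually uses to send ('out') and receive ('in').

    Defaults match the page's logs: BF-CBC takes a 128-bit key and SHA1 a
    160-bit HMAC key, so only that many leading bytes of each field matter.
    """
    slots = split_slots(raw)
    out_idx, in_idx = {BIDIRECTIONAL: (0, 0), NORMAL: (0, 1), INVERSE: (1, 0)}[direction]

    def trim(slot):
        return {"cipher": slot[0][:cipher_len], "hmac": slot[1][:hmac_len]}

    return {"out": trim(slots[out_idx]), "in": trim(slots[in_idx])}


def key_file_is_private(path: str) -> bool:
    """True only if group and others have no permission bits on the key file."""
    mode = os.stat(path).st_mode
    return not (mode & (stat.S_IRWXG | stat.S_IRWXO))


if __name__ == "__main__":
    text = render_static_key(secrets.token_bytes(KEY_BYTES))   # fresh, throw-away key
    raw = parse_static_key(text)
    aaron = peer_keys(raw, NORMAL)        # aaron:   --secret shared.key 0
    cyclope = peer_keys(raw, INVERSE)     # cyclope: --secret shared.key 1
    both = peer_keys(raw, BIDIRECTIONAL)  # what the page's commands actually do
    print("aaron send == cyclope receive:", aaron["out"] == cyclope["in"])
    print("distinct keys per direction:  ", aaron["out"] != aaron["in"])
    print("bidirectional reuses one slot: ", both["out"] == both["in"])
```

Run as-is it prints ''True'' three times: with directions 0 and 1 aaron's send keys are exactly cyclope's receive keys and differ from aaron's own receive keys, whereas the page's direction-less commands make every peer use the same 16 cipher bytes and 20 HMAC bytes both ways. ''key_file_is_private("/root/shared.key")'' is the check to run on both hosts after the ''scp''.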