This method consists of creating a symmetric encryption key and handing a copy of it to both ends of the tunnel. Simple, effective and relatively secure.
Indeed, what we are going to have here is:
OpenVPN itself takes care of the operation. Let's create this secret on cyclope:
cyclope:~# openvpn --genkey --secret shared.key
Which gives us, in root's home directory (though we could have created it elsewhere):
cyclope:~# cat shared.key
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
f7257a2e6711515f6599d18748910696
7cd9ed0fbd09060e936a0a96584c5c29
1b1ba87ac953aa6f09d5e03e4d9b815c
2b849998f8fede8394edfa965d58d5eb
bd811c44df8d4b2fee59e2ca1d300942
79cc16e2da898b3c5d81ac8dd595c276
1517d3893178924e4b8b79b9add4efcd
e65685b2f813808b0852f9f283588762
3c544069b06e45a00ea799d4ddbd3916
925d71f4577ea4693fe380fd7d534ff0
5a6cb5048ce4f7d62c996d545d6f92ae
a59d828dbb7c5e16d8ce2ebf8238cbfb
0dccf02e0dafed1442ef8e11cb452c93
2c9691ee67ffafd1bce0c6c89736944b
8977756470622841278ad45e924f9bff
74004f2850fd8c72efd8de48b628d0c3
-----END OpenVPN Static key V1-----
All that remains is to copy this secret to aaron by a secure means, scp for example, and to test the tunnel by adding a reference to this secret to the command line.
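Before copying the key around, it helps to know what is actually in that file. The script below is an added example (the editor's, not the article's and not OpenVPN's code): it parses the static key file exactly as `cat shared.key` printed it above, rejects a truncated or non-hex file, checks that the file is not readable beyond its owner, and prints a SHA-256 fingerprint so that both hosts can confirm they hold the same secret without sending it again. The key layout it models is the editor's reading of OpenVPN's key2 structure: two 128-byte halves, each a 64-byte cipher key slot followed by a 64-byte HMAC key slot, with the direction argument of --secret selecting which half encrypts and which decrypts (no direction, as on this page, means both use the first half). The names `key_slices`, `fingerprint` and `permission_findings` are this example's own.

```python
"""Parse and sanity-check an OpenVPN 'Static key V1' file (added example).

Not code from the article or from OpenVPN. The key layout assumed below
(two 128-byte halves, each a 64-byte cipher slot then a 64-byte HMAC slot;
direction picks the encrypt/decrypt half) is the editor's reading of
OpenVPN's key2 structure.
"""
import hashlib
import os
import stat
import tempfile

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
KEY_BYTES = 256        # 2048 bits, as the file header says
HALF = KEY_BYTES // 2  # key[0] and key[1]
CIPHER_SLOT = 64       # bytes reserved for the cipher key inside each half
# (encrypt half, decrypt half). No direction argument, as on the page (the log
# shows key_direction = 0), means both directions use key[0]; "--secret file 0"
# on one side and "--secret file 1" on the other gives normal/inverse. Assumed.
DIRECTIONS = {"bidirectional": (0, 0), "normal": (0, 1), "inverse": (1, 0)}

# Sample input: the file exactly as `cat shared.key` printed it on the page.
SAMPLE_KEY_FILE = """\
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
f7257a2e6711515f6599d18748910696
7cd9ed0fbd09060e936a0a96584c5c29
1b1ba87ac953aa6f09d5e03e4d9b815c
2b849998f8fede8394edfa965d58d5eb
bd811c44df8d4b2fee59e2ca1d300942
79cc16e2da898b3c5d81ac8dd595c276
1517d3893178924e4b8b79b9add4efcd
e65685b2f813808b0852f9f283588762
3c544069b06e45a00ea799d4ddbd3916
925d71f4577ea4693fe380fd7d534ff0
5a6cb5048ce4f7d62c996d545d6f92ae
a59d828dbb7c5e16d8ce2ebf8238cbfb
0dccf02e0dafed1442ef8e11cb452c93
2c9691ee67ffafd1bce0c6c89736944b
8977756470622841278ad45e924f9bff
74004f2850fd8c72efd8de48b628d0c3
-----END OpenVPN Static key V1-----
"""

def parse_static_key(text: str) -> bytes:
    """Return the 256 raw key bytes, or raise ValueError if the file is malformed."""
    lines = [ln.strip() for ln in text.splitlines()]
    if BEGIN not in lines or END not in lines:
        raise ValueError("missing BEGIN/END markers")
    body = lines[lines.index(BEGIN) + 1:lines.index(END)]
    if any(len(ln) != 32 for ln in body):
        raise ValueError("each key line must carry 16 bytes (32 hex digits)")
    key = bytes.fromhex("".join(body))  # ValueError on anything non-hex
    if len(key) != KEY_BYTES:
        raise ValueError(f"expected {KEY_BYTES} bytes, got {len(key)}")
    return key

def key_slices(key: bytes, direction: str = "bidirectional",
               cipher_key_len: int = 16, hmac_key_len: int = 20) -> dict:
    """Bytes this side feeds to its cipher and HMAC. Defaults match the page's
    log: BF-CBC with a 128-bit key (16 bytes) and HMAC-SHA1 (20-byte key).
    Only the first bytes of each 64-byte slot are used."""
    enc, dec = DIRECTIONS[direction]
    half = lambda i: key[i * HALF:(i + 1) * HALF]
    return {
        "encrypt_cipher_key": half(enc)[:cipher_key_len],
        "encrypt_hmac_key": half(enc)[CIPHER_SLOT:CIPHER_SLOT + hmac_key_len],
        "decrypt_cipher_key": half(dec)[:cipher_key_len],
        "decrypt_hmac_key": half(dec)[CIPHER_SLOT:CIPHER_SLOT + hmac_key_len],
    }

def fingerprint(key: bytes) -> str:
    """SHA-256 of the raw key: compare it on both hosts instead of re-sending the file."""
    return hashlib.sha256(key).hexdigest()

def permission_findings(path: str) -> list:
    """Flag a key file readable or writable by group/other."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path}: mode {mode:04o} is readable beyond its owner; chmod 600 it"]
    return []

def demo_permission_check() -> tuple:
    """Write the sample key to a temp file with loose, then tight, permissions."""
    fd, path = tempfile.mkstemp(suffix=".key")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE_KEY_FILE)
        os.chmod(path, 0o644)                 # the careless case
        loose = permission_findings(path)
        os.chmod(path, 0o600)                 # what it should be
        tight = permission_findings(path)
    finally:
        os.unlink(path)
    return len(loose), len(tight)

if __name__ == "__main__":
    k = parse_static_key(SAMPLE_KEY_FILE)
    print("fingerprint:", fingerprint(k))
    for name, val in key_slices(k).items():
        print(f"{name}: {val.hex()}")
    print("permission findings (644, then 600):", demo_permission_check())
```

Run it on each host after the scp and compare the fingerprint lines; a mismatch means the copy was altered or the wrong file was sent. The slices show why a leaked file is a complete compromise: there is no key exchange in this mode, so whoever holds these 256 bytes can both decrypt and forge traffic until the key is replaced.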
The command:
aaron:~# openvpn --port 8147 --dev tun1 --ifconfig 192.168.25.1 192.168.25.2 --comp-lzo --verb 5 --secret /root/shared.key
And the response:
Sat Nov 15 17:42:06 2008 us=754964 Current Parameter Settings:
Sat Nov 15 17:42:06 2008 us=755921 config = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=756229 mode = 0
Sat Nov 15 17:42:06 2008 us=756485 persist_config = DISABLED
Sat Nov 15 17:42:06 2008 us=756784 persist_mode = 1
Sat Nov 15 17:42:06 2008 us=757012 show_ciphers = DISABLED
Sat Nov 15 17:42:06 2008 us=757239 show_digests = DISABLED
Sat Nov 15 17:42:06 2008 us=757466 show_engines = DISABLED
Sat Nov 15 17:42:06 2008 us=757693 genkey = DISABLED
Sat Nov 15 17:42:06 2008 us=757923 key_pass_file = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=758153 show_tls_ciphers = DISABLED
Sat Nov 15 17:42:06 2008 us=758384 proto = 0
Sat Nov 15 17:42:06 2008 us=758611 local = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=758838 remote_list = NULL
Sat Nov 15 17:42:06 2008 us=759066 remote_random = DISABLED
Sat Nov 15 17:42:06 2008 us=759297 local_port = 8147
Sat Nov 15 17:42:06 2008 us=759526 remote_port = 8147
Sat Nov 15 17:42:06 2008 us=759760 remote_float = DISABLED
Sat Nov 15 17:42:06 2008 us=760023 ipchange = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=760259 bind_local = ENABLED
Sat Nov 15 17:42:06 2008 us=760488 dev = 'tun1'
Sat Nov 15 17:42:06 2008 us=760762 dev_type = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=760991 dev_node = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=761218 tun_ipv6 = DISABLED
Sat Nov 15 17:42:06 2008 us=761445 ifconfig_local = '192.168.25.1'
Sat Nov 15 17:42:06 2008 us=761686 ifconfig_remote_netmask = '192.168.25.2'
Sat Nov 15 17:42:06 2008 us=761919 ifconfig_noexec = DISABLED
Sat Nov 15 17:42:06 2008 us=762150 ifconfig_nowarn = DISABLED
Sat Nov 15 17:42:06 2008 us=762380 shaper = 0
Sat Nov 15 17:42:06 2008 us=762610 tun_mtu = 1500
Sat Nov 15 17:42:06 2008 us=762836 tun_mtu_defined = ENABLED
Sat Nov 15 17:42:06 2008 us=763079 link_mtu = 1500
Sat Nov 15 17:42:06 2008 us=763307 link_mtu_defined = DISABLED
Sat Nov 15 17:42:06 2008 us=763538 tun_mtu_extra = 0
Sat Nov 15 17:42:06 2008 us=763765 tun_mtu_extra_defined = DISABLED
Sat Nov 15 17:42:06 2008 us=763996 fragment = 0
Sat Nov 15 17:42:06 2008 us=764224 mtu_discover_type = -1
Sat Nov 15 17:42:06 2008 us=764452 mtu_test = 0
Sat Nov 15 17:42:06 2008 us=764769 mlock = DISABLED
Sat Nov 15 17:42:06 2008 us=765002 keepalive_ping = 0
Sat Nov 15 17:42:06 2008 us=765230 keepalive_timeout = 0
Sat Nov 15 17:42:06 2008 us=765458 inactivity_timeout = 0
Sat Nov 15 17:42:06 2008 us=765685 ping_send_timeout = 0
Sat Nov 15 17:42:06 2008 us=765913 ping_rec_timeout = 0
Sat Nov 15 17:42:06 2008 us=766141 ping_rec_timeout_action = 0
Sat Nov 15 17:42:06 2008 us=766372 ping_timer_remote = DISABLED
Sat Nov 15 17:42:06 2008 us=766607 remap_sigusr1 = 0
Sat Nov 15 17:42:06 2008 us=766836 explicit_exit_notification = 0
Sat Nov 15 17:42:06 2008 us=767066 persist_tun = DISABLED
Sat Nov 15 17:42:06 2008 us=767294 persist_local_ip = DISABLED
Sat Nov 15 17:42:06 2008 us=767524 persist_remote_ip = DISABLED
Sat Nov 15 17:42:06 2008 us=767754 persist_key = DISABLED
Sat Nov 15 17:42:06 2008 us=767982 mssfix = 1450
Sat Nov 15 17:42:06 2008 us=768208 passtos = DISABLED
Sat Nov 15 17:42:06 2008 us=768437 resolve_retry_seconds = 1000000000
Sat Nov 15 17:42:06 2008 us=768714 connect_retry_seconds = 5
Sat Nov 15 17:42:06 2008 us=768945 username = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=769174 groupname = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=769401 chroot_dir = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=769628 cd_dir = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=769869 writepid = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=770099 up_script = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=770327 down_script = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=770554 down_pre = DISABLED
Sat Nov 15 17:42:06 2008 us=770781 up_restart = DISABLED
Sat Nov 15 17:42:06 2008 us=771008 up_delay = DISABLED
Sat Nov 15 17:42:06 2008 us=771235 daemon = DISABLED
Sat Nov 15 17:42:06 2008 us=771463 inetd = 0
Sat Nov 15 17:42:06 2008 us=771689 log = DISABLED
Sat Nov 15 17:42:06 2008 us=771916 suppress_timestamps = DISABLED
Sat Nov 15 17:42:06 2008 us=772146 nice = 0
Sat Nov 15 17:42:06 2008 us=772374 verbosity = 5
Sat Nov 15 17:42:06 2008 us=772641 mute = 0
Sat Nov 15 17:42:06 2008 us=772871 gremlin = 0
Sat Nov 15 17:42:06 2008 us=773098 status_file = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=773332 status_file_version = 1
Sat Nov 15 17:42:06 2008 us=773560 status_file_update_freq = 60
Sat Nov 15 17:42:06 2008 us=773788 occ = ENABLED
Sat Nov 15 17:42:06 2008 us=774017 rcvbuf = 65536
Sat Nov 15 17:42:06 2008 us=774245 sndbuf = 65536
Sat Nov 15 17:42:06 2008 us=774474 socks_proxy_server = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=774705 socks_proxy_port = 0
Sat Nov 15 17:42:06 2008 us=774933 socks_proxy_retry = DISABLED
Sat Nov 15 17:42:06 2008 us=775163 fast_io = DISABLED
Sat Nov 15 17:42:06 2008 us=775391 comp_lzo = ENABLED
Sat Nov 15 17:42:06 2008 us=775620 comp_lzo_adaptive = ENABLED
Sat Nov 15 17:42:06 2008 us=775851 route_script = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=776082 route_default_gateway = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=776311 route_noexec = DISABLED
Sat Nov 15 17:42:06 2008 us=776552 route_delay = 0
Sat Nov 15 17:42:06 2008 us=776823 route_delay_window = 30
Sat Nov 15 17:42:06 2008 us=777051 route_delay_defined = DISABLED
Sat Nov 15 17:42:06 2008 us=777282 management_addr = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=777514 management_port = 0
Sat Nov 15 17:42:06 2008 us=777742 management_user_pass = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=777974 management_log_history_cache = 250
Sat Nov 15 17:42:06 2008 us=778205 management_echo_buffer_size = 100
Sat Nov 15 17:42:06 2008 us=778434 management_query_passwords = DISABLED
Sat Nov 15 17:42:06 2008 us=778664 management_hold = DISABLED
Sat Nov 15 17:42:06 2008 us=778895 shared_secret_file = '/root/shared.key'
Sat Nov 15 17:42:06 2008 us=779127 key_direction = 0
Sat Nov 15 17:42:06 2008 us=779357 ciphername_defined = ENABLED
Sat Nov 15 17:42:06 2008 us=779603 ciphername = 'BF-CBC'
Sat Nov 15 17:42:06 2008 us=779833 authname_defined = ENABLED
Sat Nov 15 17:42:06 2008 us=780064 authname = 'SHA1'
Sat Nov 15 17:42:06 2008 us=780293 keysize = 0
Sat Nov 15 17:42:06 2008 us=780521 engine = DISABLED
Sat Nov 15 17:42:06 2008 us=780792 replay = ENABLED
Sat Nov 15 17:42:06 2008 us=781022 mute_replay_warnings = DISABLED
Sat Nov 15 17:42:06 2008 us=781485 replay_window = 64
Sat Nov 15 17:42:06 2008 us=781733 replay_time = 15
Sat Nov 15 17:42:06 2008 us=781962 packet_id_file = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=782193 use_iv = ENABLED
Sat Nov 15 17:42:06 2008 us=782422 test_crypto = DISABLED
Sat Nov 15 17:42:06 2008 us=782651 tls_server = DISABLED
Sat Nov 15 17:42:06 2008 us=782879 tls_client = DISABLED
Sat Nov 15 17:42:06 2008 us=783109 key_method = 2
Sat Nov 15 17:42:06 2008 us=783340 ca_file = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=783570 dh_file = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=783798 cert_file = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=784027 priv_key_file = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=784258 pkcs12_file = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=784486 cipher_list = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=784757 tls_verify = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=784986 tls_remote = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=785215 crl_file = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=785445 ns_cert_type = 0
Sat Nov 15 17:42:06 2008 us=785675 tls_timeout = 2
Sat Nov 15 17:42:06 2008 us=785905 renegotiate_bytes = 0
Sat Nov 15 17:42:06 2008 us=786136 renegotiate_packets = 0
Sat Nov 15 17:42:06 2008 us=786366 renegotiate_seconds = 3600
Sat Nov 15 17:42:06 2008 us=786599 handshake_window = 60
Sat Nov 15 17:42:06 2008 us=786842 transition_window = 3600
Sat Nov 15 17:42:06 2008 us=787075 single_session = DISABLED
Sat Nov 15 17:42:06 2008 us=787307 tls_exit = DISABLED
Sat Nov 15 17:42:06 2008 us=787535 tls_auth_file = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=787850 server_network = 0.0.0.0
Sat Nov 15 17:42:06 2008 us=788097 server_netmask = 0.0.0.0
Sat Nov 15 17:42:06 2008 us=788337 server_bridge_ip = 0.0.0.0
Sat Nov 15 17:42:06 2008 us=788616 server_bridge_netmask = 0.0.0.0
Sat Nov 15 17:42:06 2008 us=788861 server_bridge_pool_start = 0.0.0.0
Sat Nov 15 17:42:06 2008 us=789101 server_bridge_pool_end = 0.0.0.0
Sat Nov 15 17:42:06 2008 us=789333 ifconfig_pool_defined = DISABLED
Sat Nov 15 17:42:06 2008 us=789575 ifconfig_pool_start = 0.0.0.0
Sat Nov 15 17:42:06 2008 us=789817 ifconfig_pool_end = 0.0.0.0
Sat Nov 15 17:42:06 2008 us=790060 ifconfig_pool_netmask = 0.0.0.0
Sat Nov 15 17:42:06 2008 us=790291 ifconfig_pool_persist_filename = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=790527 ifconfig_pool_persist_refresh_freq = 600
Sat Nov 15 17:42:06 2008 us=790761 ifconfig_pool_linear = DISABLED
Sat Nov 15 17:42:06 2008 us=790994 n_bcast_buf = 256
Sat Nov 15 17:42:06 2008 us=791225 tcp_queue_limit = 64
Sat Nov 15 17:42:06 2008 us=791454 real_hash_size = 256
Sat Nov 15 17:42:06 2008 us=791684 virtual_hash_size = 256
Sat Nov 15 17:42:06 2008 us=791914 client_connect_script = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=792147 learn_address_script = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=792380 client_disconnect_script = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=792652 client_config_dir = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=792887 ccd_exclusive = DISABLED
Sat Nov 15 17:42:06 2008 us=793131 tmp_dir = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=793334 push_ifconfig_defined = DISABLED
Sat Nov 15 17:42:06 2008 us=793548 push_ifconfig_local = 0.0.0.0
Sat Nov 15 17:42:06 2008 us=793761 push_ifconfig_remote_netmask = 0.0.0.0
Sat Nov 15 17:42:06 2008 us=793965 enable_c2c = DISABLED
Sat Nov 15 17:42:06 2008 us=794166 duplicate_cn = DISABLED
Sat Nov 15 17:42:06 2008 us=794369 cf_max = 0
Sat Nov 15 17:42:06 2008 us=794572 cf_per = 0
Sat Nov 15 17:42:06 2008 us=794774 max_clients = 1024
Sat Nov 15 17:42:06 2008 us=794977 max_routes_per_client = 256
Sat Nov 15 17:42:06 2008 us=795182 client_cert_not_required = DISABLED
Sat Nov 15 17:42:06 2008 us=795387 username_as_common_name = DISABLED
Sat Nov 15 17:42:06 2008 us=795592 auth_user_pass_verify_script = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=795799 auth_user_pass_verify_script_via_file = DISABLED
Sat Nov 15 17:42:06 2008 us=796006 client = DISABLED
Sat Nov 15 17:42:06 2008 us=796207 pull = DISABLED
Sat Nov 15 17:42:06 2008 us=796410 auth_user_pass_file = '[UNDEF]'
Sat Nov 15 17:42:06 2008 us=796661 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007
Sat Nov 15 17:42:06 2008 us=798465 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov 15 17:42:06 2008 us=798743 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 15 17:42:06 2008 us=799255 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov 15 17:42:06 2008 us=799485 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 15 17:42:06 2008 us=799753 LZO compression initialized
Sat Nov 15 17:42:06 2008 us=850486 TUN/TAP device tun1 opened
Sat Nov 15 17:42:06 2008 us=850907 TUN/TAP TX queue length set to 100
Sat Nov 15 17:42:06 2008 us=851230 ifconfig tun1 192.168.25.1 pointopoint 192.168.25.2 mtu 1500
Sat Nov 15 17:42:06 2008 us=865884 Data Channel MTU parms [ L:1545 D:1450 EF:45 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Nov 15 17:42:06 2008 us=866409 Local Options String: 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.2 192.168.25.1,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,secret'
Sat Nov 15 17:42:06 2008 us=866663 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.1 192.168.25.2,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,secret'
Sat Nov 15 17:42:06 2008 us=867004 Local Options hash (VER=V4): '6963813b'
Sat Nov 15 17:42:06 2008 us=867286 Expected Remote Options hash (VER=V4): '3210d11a'
Sat Nov 15 17:42:06 2008 us=867602 Socket Buffers: R=[110592->131072] S=[110592->131072]
Sat Nov 15 17:42:06 2008 us=867859 UDPv4 link local (bound): [undef]:8147
Sat Nov 15 17:42:06 2008 us=868086 UDPv4 link remote: [undef]
We no longer get the ugly warning telling us that the data travels in the clear; in its place we get the details of the encryption method.
The command:
cyclope:/etc/openvpn# openvpn --remote 82.127.57.95 --port 8147 --dev tun1 --ifconfig 192.168.25.2 192.168.25.1 --comp-lzo --verb 5 --secret /root/shared.key
And the response:
Sat Nov 15 17:48:47 2008 us=847763 Current Parameter Settings:
Sat Nov 15 17:48:47 2008 us=849252 config = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=850003 mode = 0
Sat Nov 15 17:48:47 2008 us=850695 persist_config = DISABLED
Sat Nov 15 17:48:47 2008 us=851472 persist_mode = 1
Sat Nov 15 17:48:47 2008 us=852164 show_ciphers = DISABLED
Sat Nov 15 17:48:47 2008 us=852859 show_digests = DISABLED
Sat Nov 15 17:48:47 2008 us=853550 show_engines = DISABLED
Sat Nov 15 17:48:47 2008 us=854244 genkey = DISABLED
Sat Nov 15 17:48:47 2008 us=854939 key_pass_file = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=855703 show_tls_ciphers = DISABLED
Sat Nov 15 17:48:47 2008 us=856406 proto = 0
Sat Nov 15 17:48:47 2008 us=857097 local = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=857794 remote_list[0] = {'82.127.57.95', 8147}
Sat Nov 15 17:48:47 2008 us=858488 remote_random = DISABLED
Sat Nov 15 17:48:47 2008 us=860129 local_port = 8147
Sat Nov 15 17:48:47 2008 us=860657 remote_port = 8147
Sat Nov 15 17:48:47 2008 us=861336 remote_float = DISABLED
Sat Nov 15 17:48:47 2008 us=862029 ipchange = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=862720 bind_local = ENABLED
Sat Nov 15 17:48:47 2008 us=864281 dev = 'tun1'
Sat Nov 15 17:48:47 2008 us=864789 dev_type = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=865482 dev_node = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=866171 tun_ipv6 = DISABLED
Sat Nov 15 17:48:47 2008 us=866860 ifconfig_local = '192.168.25.2'
Sat Nov 15 17:48:47 2008 us=867794 ifconfig_remote_netmask = '192.168.25.1'
Sat Nov 15 17:48:47 2008 us=868492 ifconfig_noexec = DISABLED
Sat Nov 15 17:48:47 2008 us=869183 ifconfig_nowarn = DISABLED
Sat Nov 15 17:48:47 2008 us=869875 shaper = 0
Sat Nov 15 17:48:47 2008 us=870569 tun_mtu = 1500
Sat Nov 15 17:48:47 2008 us=871472 tun_mtu_defined = ENABLED
Sat Nov 15 17:48:47 2008 us=871991 link_mtu = 1500
Sat Nov 15 17:48:47 2008 us=872506 link_mtu_defined = DISABLED
Sat Nov 15 17:48:47 2008 us=872892 tun_mtu_extra = 0
Sat Nov 15 17:48:47 2008 us=873233 tun_mtu_extra_defined = DISABLED
Sat Nov 15 17:48:47 2008 us=873575 fragment = 0
Sat Nov 15 17:48:47 2008 us=873914 mtu_discover_type = -1
Sat Nov 15 17:48:47 2008 us=874253 mtu_test = 0
Sat Nov 15 17:48:47 2008 us=874588 mlock = DISABLED
Sat Nov 15 17:48:47 2008 us=874710 keepalive_ping = 0
Sat Nov 15 17:48:47 2008 us=874814 keepalive_timeout = 0
Sat Nov 15 17:48:47 2008 us=874918 inactivity_timeout = 0
Sat Nov 15 17:48:47 2008 us=875021 ping_send_timeout = 0
Sat Nov 15 17:48:47 2008 us=875124 ping_rec_timeout = 0
Sat Nov 15 17:48:47 2008 us=875674 ping_rec_timeout_action = 0
Sat Nov 15 17:48:47 2008 us=875793 ping_timer_remote = DISABLED
Sat Nov 15 17:48:47 2008 us=875899 remap_sigusr1 = 0
Sat Nov 15 17:48:47 2008 us=876002 explicit_exit_notification = 0
Sat Nov 15 17:48:47 2008 us=876104 persist_tun = DISABLED
Sat Nov 15 17:48:47 2008 us=876238 persist_local_ip = DISABLED
Sat Nov 15 17:48:47 2008 us=876344 persist_remote_ip = DISABLED
Sat Nov 15 17:48:47 2008 us=876618 persist_key = DISABLED
Sat Nov 15 17:48:47 2008 us=876735 mssfix = 1450
Sat Nov 15 17:48:47 2008 us=876836 passtos = DISABLED
Sat Nov 15 17:48:47 2008 us=876943 resolve_retry_seconds = 1000000000
Sat Nov 15 17:48:47 2008 us=877046 connect_retry_seconds = 5
Sat Nov 15 17:48:47 2008 us=877148 username = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=877251 groupname = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=877354 chroot_dir = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=877456 cd_dir = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=877559 writepid = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=877661 up_script = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=877763 down_script = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=877865 down_pre = DISABLED
Sat Nov 15 17:48:47 2008 us=877966 up_restart = DISABLED
Sat Nov 15 17:48:47 2008 us=878068 up_delay = DISABLED
Sat Nov 15 17:48:47 2008 us=878168 daemon = DISABLED
Sat Nov 15 17:48:47 2008 us=878270 inetd = 0
Sat Nov 15 17:48:47 2008 us=878370 log = DISABLED
Sat Nov 15 17:48:47 2008 us=878471 suppress_timestamps = DISABLED
Sat Nov 15 17:48:47 2008 us=878574 nice = 0
Sat Nov 15 17:48:47 2008 us=878675 verbosity = 5
Sat Nov 15 17:48:47 2008 us=878777 mute = 0
Sat Nov 15 17:48:47 2008 us=878877 gremlin = 0
Sat Nov 15 17:48:47 2008 us=878978 status_file = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=879082 status_file_version = 1
Sat Nov 15 17:48:47 2008 us=880451 status_file_update_freq = 60
Sat Nov 15 17:48:47 2008 us=880862 occ = ENABLED
Sat Nov 15 17:48:47 2008 us=881262 rcvbuf = 65536
Sat Nov 15 17:48:47 2008 us=881733 sndbuf = 65536
Sat Nov 15 17:48:47 2008 us=882075 socks_proxy_server = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=883751 socks_proxy_port = 0
Sat Nov 15 17:48:47 2008 us=884239 socks_proxy_retry = DISABLED
Sat Nov 15 17:48:47 2008 us=884935 fast_io = DISABLED
Sat Nov 15 17:48:47 2008 us=885449 comp_lzo = ENABLED
Sat Nov 15 17:48:47 2008 us=886142 comp_lzo_adaptive = ENABLED
Sat Nov 15 17:48:47 2008 us=886661 route_script = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=887423 route_default_gateway = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=887945 route_noexec = DISABLED
Sat Nov 15 17:48:47 2008 us=888634 route_delay = 0
Sat Nov 15 17:48:47 2008 us=889152 route_delay_window = 30
Sat Nov 15 17:48:47 2008 us=889305 route_delay_defined = DISABLED
Sat Nov 15 17:48:47 2008 us=889595 management_addr = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=889709 management_port = 0
Sat Nov 15 17:48:47 2008 us=889812 management_user_pass = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=889917 management_log_history_cache = 250
Sat Nov 15 17:48:47 2008 us=890021 management_echo_buffer_size = 100
Sat Nov 15 17:48:47 2008 us=890124 management_query_passwords = DISABLED
Sat Nov 15 17:48:47 2008 us=890228 management_hold = DISABLED
Sat Nov 15 17:48:47 2008 us=890332 shared_secret_file = '/root/shared.key'
Sat Nov 15 17:48:47 2008 us=890439 key_direction = 0
Sat Nov 15 17:48:47 2008 us=890545 ciphername_defined = ENABLED
Sat Nov 15 17:48:47 2008 us=890651 ciphername = 'BF-CBC'
Sat Nov 15 17:48:47 2008 us=890756 authname_defined = ENABLED
Sat Nov 15 17:48:47 2008 us=890861 authname = 'SHA1'
Sat Nov 15 17:48:47 2008 us=890965 keysize = 0
Sat Nov 15 17:48:47 2008 us=891068 engine = DISABLED
Sat Nov 15 17:48:47 2008 us=891230 replay = ENABLED
Sat Nov 15 17:48:47 2008 us=891348 mute_replay_warnings = DISABLED
Sat Nov 15 17:48:47 2008 us=891456 replay_window = 64
Sat Nov 15 17:48:47 2008 us=891561 replay_time = 15
Sat Nov 15 17:48:47 2008 us=891665 packet_id_file = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=891768 use_iv = ENABLED
Sat Nov 15 17:48:47 2008 us=891871 test_crypto = DISABLED
Sat Nov 15 17:48:47 2008 us=891975 tls_server = DISABLED
Sat Nov 15 17:48:47 2008 us=892078 tls_client = DISABLED
Sat Nov 15 17:48:47 2008 us=892184 key_method = 2
Sat Nov 15 17:48:47 2008 us=892286 ca_file = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=892390 dh_file = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=892493 cert_file = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=892597 priv_key_file = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=892701 pkcs12_file = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=892807 cipher_list = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=892912 tls_verify = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=893019 tls_remote = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=893125 crl_file = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=893231 ns_cert_type = 0
Sat Nov 15 17:48:47 2008 us=893338 tls_timeout = 2
Sat Nov 15 17:48:47 2008 us=893445 renegotiate_bytes = 0
Sat Nov 15 17:48:47 2008 us=893552 renegotiate_packets = 0
Sat Nov 15 17:48:47 2008 us=893659 renegotiate_seconds = 3600
Sat Nov 15 17:48:47 2008 us=893766 handshake_window = 60
Sat Nov 15 17:48:47 2008 us=893873 transition_window = 3600
Sat Nov 15 17:48:47 2008 us=893977 single_session = DISABLED
Sat Nov 15 17:48:47 2008 us=894083 tls_exit = DISABLED
Sat Nov 15 17:48:47 2008 us=894189 tls_auth_file = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=894428 server_network = 0.0.0.0
Sat Nov 15 17:48:47 2008 us=894555 server_netmask = 0.0.0.0
Sat Nov 15 17:48:47 2008 us=894673 server_bridge_ip = 0.0.0.0
Sat Nov 15 17:48:47 2008 us=894792 server_bridge_netmask = 0.0.0.0
Sat Nov 15 17:48:47 2008 us=894912 server_bridge_pool_start = 0.0.0.0
Sat Nov 15 17:48:47 2008 us=895031 server_bridge_pool_end = 0.0.0.0
Sat Nov 15 17:48:47 2008 us=895140 ifconfig_pool_defined = DISABLED
Sat Nov 15 17:48:47 2008 us=897711 ifconfig_pool_start = 0.0.0.0
Sat Nov 15 17:48:47 2008 us=898297 ifconfig_pool_end = 0.0.0.0
Sat Nov 15 17:48:47 2008 us=898672 ifconfig_pool_netmask = 0.0.0.0
Sat Nov 15 17:48:47 2008 us=899060 ifconfig_pool_persist_filename = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=899615 ifconfig_pool_persist_refresh_freq = 600
Sat Nov 15 17:48:47 2008 us=900676 ifconfig_pool_linear = DISABLED
Sat Nov 15 17:48:47 2008 us=901202 n_bcast_buf = 256
Sat Nov 15 17:48:47 2008 us=901590 tcp_queue_limit = 64
Sat Nov 15 17:48:47 2008 us=901932 real_hash_size = 256
Sat Nov 15 17:48:47 2008 us=902271 virtual_hash_size = 256
Sat Nov 15 17:48:47 2008 us=902609 client_connect_script = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=902954 learn_address_script = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=903360 client_disconnect_script = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=903706 client_config_dir = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=904047 ccd_exclusive = DISABLED
Sat Nov 15 17:48:47 2008 us=904388 tmp_dir = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=904728 push_ifconfig_defined = DISABLED
Sat Nov 15 17:48:47 2008 us=905084 push_ifconfig_local = 0.0.0.0
Sat Nov 15 17:48:47 2008 us=905442 push_ifconfig_remote_netmask = 0.0.0.0
Sat Nov 15 17:48:47 2008 us=905783 enable_c2c = DISABLED
Sat Nov 15 17:48:47 2008 us=906129 duplicate_cn = DISABLED
Sat Nov 15 17:48:47 2008 us=906469 cf_max = 0
Sat Nov 15 17:48:47 2008 us=906809 cf_per = 0
Sat Nov 15 17:48:47 2008 us=907150 max_clients = 1024
Sat Nov 15 17:48:47 2008 us=907550 max_routes_per_client = 256
Sat Nov 15 17:48:47 2008 us=907895 client_cert_not_required = DISABLED
Sat Nov 15 17:48:47 2008 us=908239 username_as_common_name = DISABLED
Sat Nov 15 17:48:47 2008 us=908584 auth_user_pass_verify_script = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=909652 auth_user_pass_verify_script_via_file = DISABLED
Sat Nov 15 17:48:47 2008 us=910080 client = DISABLED
Sat Nov 15 17:48:47 2008 us=910480 pull = DISABLED
Sat Nov 15 17:48:47 2008 us=911004 auth_user_pass_file = '[UNDEF]'
Sat Nov 15 17:48:47 2008 us=911590 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007
Sat Nov 15 17:48:47 2008 us=930468 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov 15 17:48:47 2008 us=931249 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 15 17:48:47 2008 us=932250 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov 15 17:48:47 2008 us=932794 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 15 17:48:47 2008 us=933445 LZO compression initialized
Sat Nov 15 17:48:47 2008 us=988633 TUN/TAP device tun1 opened
Sat Nov 15 17:48:47 2008 us=989602 TUN/TAP TX queue length set to 100
Sat Nov 15 17:48:47 2008 us=990265 ifconfig tun1 192.168.25.2 pointopoint 192.168.25.1 mtu 1500
Sat Nov 15 17:48:48 2008 us=16600 Data Channel MTU parms [ L:1545 D:1450 EF:45 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Nov 15 17:48:48 2008 us=16998 Local Options String: 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.1 192.168.25.2,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,secret'
Sat Nov 15 17:48:48 2008 us=17112 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.2 192.168.25.1,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,secret'
Sat Nov 15 17:48:48 2008 us=17383 Local Options hash (VER=V4): '3210d11a'
Sat Nov 15 17:48:48 2008 us=17565 Expected Remote Options hash (VER=V4): '6963813b'
Sat Nov 15 17:48:48 2008 us=17795 Socket Buffers: R=[110592->131072] S=[110592->131072]
Sat Nov 15 17:48:48 2008 us=17940 UDPv4 link local (bound): [undef]:8147
Sat Nov 15 17:48:48 2008 us=18059 UDPv4 link remote: 82.127.57.95:8147
WRSat Nov 15 17:48:58 2008 us=894383 Peer Connection Initiated with 82.127.57.95:8147
Sat Nov 15 17:49:00 2008 us=39348 Initialization Sequence Completed
Nothing more to add.
From aaron:
aaron:~# ping -c 4 192.168.25.2
PING 192.168.25.2 (192.168.25.2) 56(84) bytes of data.
64 bytes from 192.168.25.2: icmp_seq=1 ttl=64 time=53.2 ms
64 bytes from 192.168.25.2: icmp_seq=2 ttl=64 time=52.3 ms
64 bytes from 192.168.25.2: icmp_seq=3 ttl=64 time=49.9 ms
64 bytes from 192.168.25.2: icmp_seq=4 ttl=64 time=50.9 ms

--- 192.168.25.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2998ms
rtt min/avg/max/mdev = 49.942/51.613/53.256/1.309 ms
If it works in one direction, there is no reason it should not work the same way in the other:
cyclope:~# ping -c 4 192.168.25.1
PING 192.168.25.1 (192.168.25.1) 56(84) bytes of data.
64 bytes from 192.168.25.1: icmp_seq=1 ttl=64 time=52.8 ms
64 bytes from 192.168.25.1: icmp_seq=2 ttl=64 time=59.7 ms
64 bytes from 192.168.25.1: icmp_seq=3 ttl=64 time=50.9 ms
64 bytes from 192.168.25.1: icmp_seq=4 ttl=64 time=51.1 ms

--- 192.168.25.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 50.980/53.681/59.734/3.574 ms
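The two verb-5 logs above carry more than the absence of the clear-text warning: each side prints a "Local Options String" and an "Expected Remote Options String", and OpenVPN's options consistency check compares a hash of these when the peers meet (the hashes '6963813b' and '3210d11a' appear mirrored on the two hosts). The script below is an added example, the editor's and not the article's or OpenVPN's code. It takes the two option-string lines copied verbatim from the aaron and cyclope logs, checks that what each side advertises is what the other expects, and goes one step further than OpenVPN's hash comparison by naming the option that differs; a third log, constructed here for a cyclope started with a hypothetical --tun-mtu 1400, shows the check catching a mismatch. `review_settings` then lists the settings in the negotiated string that a reviewer of this setup would want to revisit; those notes are the editor's assessment.

```python
"""Cross-check the option strings two OpenVPN peers print at --verb 5.

Added example, not code from the article or from OpenVPN. It re-does the
options consistency check on the log text itself, so a mismatch names the
offending option rather than just two different hashes.
"""
import re

# Sample input: the two option-string lines copied from the page's aaron and
# cyclope logs (the other log lines are omitted here).
AARON_LOG = """\
Sat Nov 15 17:42:06 2008 us=866409 Local Options String: 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.2 192.168.25.1,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,secret'
Sat Nov 15 17:42:06 2008 us=866663 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.1 192.168.25.2,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,secret'
"""
CYCLOPE_LOG = """\
Sat Nov 15 17:48:48 2008 us=16998 Local Options String: 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.1 192.168.25.2,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,secret'
Sat Nov 15 17:48:48 2008 us=17112 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.2 192.168.25.1,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,secret'
"""
# Constructed (not on the page): what cyclope would print if it had been started
# with a hypothetical --tun-mtu 1400 (link-mtu follows at +45, as EF:45 shows).
CYCLOPE_BAD_MTU_LOG = """\
Sat Nov 15 17:48:48 2008 us=16998 Local Options String: 'V4,dev-type tun,link-mtu 1445,tun-mtu 1400,proto UDPv4,ifconfig 192.168.25.1 192.168.25.2,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,secret'
Sat Nov 15 17:48:48 2008 us=17112 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1445,tun-mtu 1400,proto UDPv4,ifconfig 192.168.25.2 192.168.25.1,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,secret'
"""

OPTIONS_RE = re.compile(r"(Local|Expected Remote) Options String: '([^']*)'")

def extract_option_strings(log: str) -> dict:
    """Return {'local': ..., 'expected': ...} from a verb-5 log excerpt."""
    found = {}
    for kind, opts in OPTIONS_RE.findall(log):
        found["local" if kind == "Local" else "expected"] = opts
    missing = {"local", "expected"} - found.keys()
    if missing:
        raise ValueError(f"log excerpt lacks the {sorted(missing)} options string")
    return found

def parse_options(opts: str) -> dict:
    """'V4,dev-type tun,cipher BF-CBC,secret' -> {'version': 'V4', 'dev-type': 'tun',
    'cipher': 'BF-CBC', 'secret': True}. Bare flags map to True."""
    fields = opts.split(",")
    parsed = {"version": fields[0]}
    for field in fields[1:]:
        name, _, value = field.partition(" ")
        parsed[name] = value if value else True
    return parsed

def peers_consistent(log_a: str, log_b: str) -> list:
    """Names of options on which A's local string disagrees with B's expected
    string, or vice versa. An empty list means the peers are consistent."""
    a, b = extract_option_strings(log_a), extract_option_strings(log_b)
    mismatches = []
    for mine, theirs in ((a["local"], b["expected"]), (b["local"], a["expected"])):
        pm, pt = parse_options(mine), parse_options(theirs)
        for name in sorted(pm.keys() | pt.keys()):
            if pm.get(name) != pt.get(name) and name not in mismatches:
                mismatches.append(name)
    return mismatches

def review_settings(opts: str) -> list:
    """Settings in a negotiated option string worth a second look (editor's view)."""
    p = parse_options(opts)
    notes = []
    if p.get("cipher") == "BF-CBC":
        notes.append("cipher BF-CBC: 64-bit block cipher; prefer an AES mode and rekey")
    if p.get("secret") is True:
        notes.append("secret: static-key mode, no forward secrecy and no per-peer identity; "
                     "a leaked key exposes every past and future session until it is replaced")
    if "comp-lzo" in p:
        notes.append("comp-lzo: compressing data before encryption can leak plaintext properties")
    return notes

if __name__ == "__main__":
    print("aaron <-> cyclope mismatches:", peers_consistent(AARON_LOG, CYCLOPE_LOG))
    print("aaron <-> bad-mtu cyclope mismatches:", peers_consistent(AARON_LOG, CYCLOPE_BAD_MTU_LOG))
    for note in review_settings(extract_option_strings(AARON_LOG)["local"]):
        print("-", note)
```

Feed it the two real logs and the result is an empty mismatch list, which is exactly why the peers on this page connected. With the constructed log it reports `link-mtu` and `tun-mtu`, which is more useful on a Saturday evening than two hashes that merely differ.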
We now have a relatively secure tunnel. It will remain so for as long as the shared secret is not shared too widely, that is, only between aaron and cyclope.
In the next step, using TLS and certificates, we will be able not only to encrypt the data but also to perform mutual authentication of each end of the tunnel.