Dans notre exemple, nous utiliserons les fichiers de configuration de OpenVPN. OpenVPN permet l'utilisation des options dans une ligne de commande, ou dans un ou plusieurs fichiers de configuration. Dans les fichiers de configuration, vous pouvez omettre "--" devant les options. Mais "--" est requis lorsque vous utilisez la ligne de commande.
Configuration des fichiers de configuration suivants :
sample-config-files/tls-office.conf
# # Sample OpenVPN configuration file for # office using SSL/TLS mode and RSA certificates/keys. # # '#' or ';' may be used to delimit comments. # Use a dynamic tun device. # For Linux 2.2 or non-Linux OSes, # you may want to use an explicit # unit number such as "tun1". # OpenVPN also supports virtual # ethernet "tap" devices. dev tun # 10.1.0.1 is our local VPN endpoint (office). # 10.1.0.2 is our remote VPN endpoint (home). ifconfig 10.1.0.1 10.1.0.2 # Our up script will establish routes # once the VPN is alive. up ./office.up # In SSL/TLS key exchange, Office will # assume server role and Home # will assume client role. tls-server # Diffie-Hellman Parameters (tls-server only) dh dh1024.pem # Certificate Authority file ca my-ca.crt # Our certificate/public key cert office.crt # Our private key key office.key # OpenVPN uses UDP port 5000 by default. # Each OpenVPN tunnel must use # a different port number. # lport or rport can be used # to denote different ports # for local and remote. ; port 5000 # Downgrade UID and GID to # "nobody" after initialization # for extra security. ; user nobody ; group nobody # If you built OpenVPN with # LZO compression, uncomment # out the following line. ; comp-lzo # Send a UDP ping to remote once # every 15 seconds to keep # stateful firewall connection # alive. Uncomment this # out if you are using a stateful # firewall. ; ping 15 # Uncomment this section for a more reliable detection when a system # loses its connection. For example, dial-ups or laptops that # travel to other locations. ; ping 15 ; ping-restart 45 ; ping-timer-rem ; persist-tun ; persist-key # Verbosity level. # 0 -- quiet except for fatal errors. # 1 -- mostly quiet, but display non-fatal network errors. # 3 -- medium output, good for normal operation. # 9 -- verbose, good for troubleshooting verb 3
sample-config-files/office.up
#!/bin/bash route add -net 10.0.1.0 netmask 255.255.255.0 gw $5
sample-config-files/tls-home.conf
# # Sample OpenVPN configuration file for # home using SSL/TLS mode and RSA certificates/keys. # # '#' or ';' may be used to delimit comments. # Use a dynamic tun device. # For Linux 2.2 or non-Linux OSes, # you may want to use an explicit # unit number such as "tun1". # OpenVPN also supports virtual # ethernet "tap" devices. dev tun # Our OpenVPN peer is the office gateway. remote 1.2.3.4 # 10.1.0.2 is our local VPN endpoint (home). # 10.1.0.1 is our remote VPN endpoint (office). ifconfig 10.1.0.2 10.1.0.1 # Our up script will establish routes # once the VPN is alive. up ./home.up # In SSL/TLS key exchange, Office will # assume server role and Home # will assume client role. tls-client # Certificate Authority file ca my-ca.crt # Our certificate/public key cert home.crt # Our private key key home.key # OpenVPN uses UDP port 5000 by default. # Each OpenVPN tunnel must use # a different port number. # lport or rport can be used # to denote different ports # for local and remote. ; port 5000 # Downgrade UID and GID to # "nobody" after initialization # for extra security. ; user nobody ; group nobody # If you built OpenVPN with # LZO compression, uncomment # out the following line. ; comp-lzo # Send a UDP ping to remote once # every 15 seconds to keep # stateful firewall connection # alive. Uncomment this # out if you are using a stateful # firewall. ; ping 15 # Uncomment this section for a more reliable detection when a system # loses its connection. For example, dial-ups or laptops that # travel to other locations. ; ping 15 ; ping-restart 45 ; ping-timer-rem ; persist-tun ; persist-key # Verbosity level. # 0 -- quiet except for fatal errors. # 1 -- mostly quiet, but display non-fatal network errors. # 3 -- medium output, good for normal operation. # 9 -- verbose, good for troubleshooting verb 3
sample-config-files/home.up
#!/bin/bash route add -net 10.0.0.0 netmask 255.255.255.0 gw $5