Clark's Home page

Assorted technical notes from a Linux sysadmin, and a little of his life too

OpenVPN configuration on Android 7.0 with tls-auth

Having changed the OpenVPN server, regenerated keys and certificates and added tls-auth, I also had to rewrite the Android clients, which, as last time, are files with the .ovpn extension.

Now it is a matter of creating the .ovpn file which, as for Apple, contains both the directives for connecting to the OpenVPN server and the certificates ca.crt, android01.crt and android01.key, enclosed between tags like this:

client
dev tun
proto tcp
remote xxx.xxx.xxx.xxx 775
remote yyy.yyy.yyy.yyy 775

resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
compress lz4-v2
verb 3
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
MIIDVTCCAr6gAwIBAgIJAJIIm5Kj+g2yMA0GCSqGSIb3DQEBBQUAMHsxCzAJBgNV
BAYTAklUMQswCQYDVQQIEwJNSTEOMAwGA1UEBxMFTWlsYW4xEzARBgNVBAoTClpp
bmNvbWV0YWwxFjAUBgNVBAMTDVppbmNvbWV0YWwgQ0ExIjAgBgkqhkiG9w0BCQEW
E3N1cHBvcnRAZHluYW1pY2EuaXQwHhcNMTAwNDAyMTIxMTM1WhcNMjAwMzMwMTIx
MTM1WjB7MQswCQYDVQQGEwJJVDELMAkGA1UECBMCTUkxDjAMBgNVBAcTBU1pbGFu
MRMwEQYDVQQKEwpaaW5jb21ldGFsMRYwFAYDVQQDEw1aaW5jb21ldGFsIENBMSIw
IAYJKoZIhvcNAQkBFhNzdXBwb3J0QGR5bmFtaWNhLml0MIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQCyVVR5XjbvF9KZpzc4OuqJkiI25+kdf8cgllS1+GHcorhQ
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIDtTCCAx6gAwIBAgIBFDANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJJVDEL
MAkGA1UECBMCTUkxDjAMBgNVBAcTBU1pbGFuMRMwEQYDVQQKEwpaaW5jb21ldGFs
MRYwFAYDVQQDEw1aaW5jb21ldGFsIENBMSIwIAYJKoZIhvcNAQkBFhNzdXBwb3J0
QGR5bmFtaWNhLml0MB4XDTE1MDkyNDA2NTc0NloXDTI1MDkyMTA2NTc0NlowgZIx
CzAJBgNVBAYTAklUMQswCQYDVQQIEwJNSTEOMAwGA1UEBxMFTWlsYW4xEzARBgNV
BAoTClppbmNvbWV0YWwxHDAaBgNVBAsUE1N5c3RlbSAmIE5ldHdvcmtpbmcxDzAN
BgNVBAMTBmlwYWQwMTEiMCAGCSqGSIb3DQEJARYTc3VwcG9ydEBkeW5hbWljYS5p
cUQRn5xIhO4sraeLfRvUZgBOVkLlZOX3qj7jsx0FhJ/R7LEJw09wJjE=
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBANqSCOiPCxxsqS9U
ytCHBuXwtNb34zpyH/biM8zrLZml9jiLmaFiQVN/0H5mcar4X0ii5/gXbU8nLFlv
sjvldBhwz7QlBrQoimg6SOgqWSiq1owMHkXSCqI7ZmtyEXgh7taGbS0SzUyeBOsZ
DhQbOUJCzFbTq/1ywYUHu9fj/8oNAgMBAAECgYEAghxuyynj3l7c8/0Q4sOOmrEI
-----END PRIVATE KEY-----
</key>

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
9fb1d5631195e587cdafc1e6c9133053
7aa9dafd570eaff6adf2f47a03c40755
d8601e321224968e24633a422d08b07e
d6c163f998fd0593cb5f060abc03d4a9
bf8f812d76423d7ba35655349d4da461
4d4dc6a82f886e69436ec650afca5e81
ef731864613c231af03f4c0fd86fe3ba
14e155dd866eb440879dc8b62e959f5c
7649ac21828513ea63c08dbbe73a3542
769dd5c81787a19511d181595b607265
48a5782ae2860b5df19c0bf1a7c21119
6192561a16cb1778d1911f949d73a467
a41c9f2ede078ea859d896d47552a094
be52f94bb26c30d0469db1a88a8c7753
0e305c79d5f9f277006d3d6000fac1d1
-----END OpenVPN Static key V1-----
</tls-auth>

and on the server, in the ccd directory, I create the file android01 containing:

ifconfig-push 172.27.1.50 172.27.1.51
push "route 192.168.2.0 255.255.255.0"
push "dhcp-option DOMAIN myfirm.local"
push "dhcp-option DNS 192.168.2.224"
push "dhcp-option DNS 192.168.3.227"


A restart of the OpenVPN server so it picks up the changes, and once again we send the android01.ovpn file to the tablet by e-mail; when the mail arrives, download the attachment, open OpenVPN Connect and choose OVPN Profile to import it; once that is done, slide the little switch that appears and after a few seconds you are nicely connected.
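As an added example (not code from the original post), the following Python script assembles the inline profile and the ccd entry described above from the four PEM files and then checks the profile for the mistakes that most often break or weaken a hand-assembled .ovpn before it is mailed out: PEM armor damaged by typographic dashes or smart quotes picked up from a web page or mail client, unbalanced inline tags, an inline <tls-auth> with no key-direction, a missing tls-auth/tls-crypt, and a missing "remote-cert-tls server". The directive values mirror the profile above (the remote addresses are the same placeholders); the PEM bodies are constructed placeholders, not real keys.

```python
# Added example (not from the original post): assemble an inline .ovpn
# profile and its ccd entry, then sanity-check the profile before mailing it.
import re
from typing import Dict, List, Optional, Tuple

# Directives as in the profile above; the remote addresses are placeholders.
BASE_DIRECTIVES = """\
client
dev tun
proto tcp
remote xxx.xxx.xxx.xxx 775
remote yyy.yyy.yyy.yyy 775
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
compress lz4-v2
verb 3
key-direction 1
"""

# Constructed placeholder PEM material (not real keys): only the armor matters.
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nQ0EgcGxhY2Vob2xkZXI=\n-----END CERTIFICATE-----"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nY2VydCBwbGFjZWhvbGRlcg==\n-----END CERTIFICATE-----"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\na2V5IHBsYWNlaG9sZGVy\n-----END PRIVATE KEY-----"
SAMPLE_TA = ("-----BEGIN OpenVPN Static key V1-----\n" + "00" * 16 +
             "\n-----END OpenVPN Static key V1-----")

def inline_block(tag: str, pem: str) -> str:
    """Wrap a PEM file in <tag>...</tag>, OpenVPN's inline-file syntax."""
    return f"<{tag}>\n{pem.strip()}\n</{tag}>\n"

def build_profile(ca: str, cert: str, key: str, ta: str) -> str:
    """One self-contained .ovpn: directives followed by the inline files."""
    return BASE_DIRECTIVES + "".join(inline_block(t, p) for t, p in
        [("ca", ca), ("cert", cert), ("key", key), ("tls-auth", ta)])

def ccd_entry(ip: str, peer: str, routes: List[Tuple[str, str]],
              domain: str, dns: List[str]) -> str:
    """Per-client ccd file; the server looks it up by the certificate CN."""
    lines = [f"ifconfig-push {ip} {peer}"]
    lines += [f'push "route {net} {mask}"' for net, mask in routes]
    lines.append(f'push "dhcp-option DOMAIN {domain}"')
    lines += [f'push "dhcp-option DNS {srv}"' for srv in dns]
    return "\n".join(lines) + "\n"

def parse_profile(text: str) -> Tuple[List[List[str]], Dict[str, str]]:
    """Split into directive tokens and tag -> inline body; ValueError on bad tags."""
    directives: List[List[str]] = []
    inline: Dict[str, str] = {}
    current, body = None, []
    for line in text.splitlines():
        m = re.fullmatch(r"<(/?)([A-Za-z0-9-]+)>", line.strip())
        if m and not m.group(1) and current is None:
            current, body = m.group(2), []          # opening tag
        elif m and m.group(1) and current is not None:
            if m.group(2) != current:               # closing tag must match
                raise ValueError(f"</{m.group(2)}> closes <{current}>")
            inline[current], current = "\n".join(body), None
        elif current is not None:
            body.append(line)                       # inside an inline file
        elif line.strip() and not line.lstrip().startswith(("#", ";")):
            directives.append(line.split())
    if current is not None:
        raise ValueError(f"<{current}> is never closed")
    return directives, inline

def pem_label(body: str) -> Optional[str]:
    """PEM label if the BEGIN/END armor lines are intact and match, else None."""
    lines = body.strip().splitlines()
    begin = re.fullmatch(r"-----BEGIN ([A-Za-z0-9 ]+)-----", lines[0]) if lines else None
    end = re.fullmatch(r"-----END ([A-Za-z0-9 ]+)-----", lines[-1]) if lines else None
    if len(lines) >= 3 and begin and end and begin.group(1) == end.group(1):
        return begin.group(1)
    return None

def check_profile(text: str) -> List[str]:
    """Problems found; an empty list means the profile passed."""
    problems: List[str] = []
    if any(ord(ch) > 127 for ch in text):  # pasted from a web page or mail client?
        problems.append("non-ASCII characters (typographic dashes or quotes)")
    try:
        directives, inline = parse_profile(text)
    except ValueError as exc:
        return problems + [str(exc)]
    names = {d[0] for d in directives}
    problems += [f"missing inline <{t}>" for t in ("ca", "cert", "key") if t not in inline]
    problems += [f"<{t}> is not a well-formed PEM block"
                 for t, body in inline.items() if pem_label(body) is None]
    if "tls-auth" in inline and "key-direction" not in names:
        problems.append("inline <tls-auth> needs key-direction (1 on clients)")
    if "tls-auth" not in inline and "tls-crypt" not in inline:
        problems.append("no tls-auth/tls-crypt: control channel is not HMAC-protected")
    if ["remote-cert-tls", "server"] not in directives:
        problems.append("missing 'remote-cert-tls server': any CA-signed cert could act as server")
    return problems
```

Call build_profile with the contents of the real ca.crt, android01.crt, android01.key and ta.key, write the result to android01.ovpn, and run check_profile on the file you are about to send rather than on the in-memory string; the non-ASCII check exists precisely because a profile that round-trips through a blog or a mail client tends to come back with its PEM armor rewritten as typographic dashes, which OpenVPN Connect then rejects.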

