Come per il server apt-get install openvpn e quindi cd \/etc\/openvpn.<\/p>\n
Personalmente preferisco creare una dir $nomeserverkeys e li cacciare dentro quello che mi serve, lo trovo pi\u00f9 comodo e ordinato ed evita di trovarsi in braghe di tela se il client e’ client di pi\u00f9 server cosa comunissima per altro quindi nello specifico siamo su “grecale” e creo la dir libecciokey dove copio i certificati e le chiavi.<\/p>\n
\u00c8 ora di preparare il file di configurazione che puo’ chiamarsi client.conf piuttosto che clientperlibeccio.conf\u00a0 o quello che vi pare in modo da poter avere n file $client .conf\u00a0 quanti ve ne servono, sarebbe in teoria possibile indicare pi\u00f9 remote nello stesso file ma per mia forma mentis preferisco un file univoco per ogni remote host.<\/p>\n
vim clientperlibeccio.conf<\/p>\n
### connessione con lan di casa
\nclient
\ndefinisce il tipo di connessione come client<\/p>\n
dev tun<\/p>\n
anche qui\u00a0 definisce il device da usare<\/p>\n
proto udp come sul server definisce il protocollo<\/p>\n
remote xxx.xxxx.xx.xxx 7207<\/p>\n
L’indirizzo IP remoto e la porta a cui connettersi, si pu\u00f2 tranquillamente usare una FQDN<\/a> se lo si ha a disposizione.<\/p>\n resolv-retry infinite<\/p>\n in teoria sarebbe inutile visto che usiamo un IP e non un\u00a0 FQDN\u00a0 e per di pi\u00f9 non abbiamo diversi remote\u00a0 ma in sostanza vuol dire non smettere di risolvere il nome mai.<\/p>\n nobind<\/p>\n non bindare il servizio su una specifica porta in locale a un netstat -tulp grecale risponde:<\/p>\n grecale:\/etc\/openvpn# netstat -tulp persist-key stesso discorso del server<\/p>\n ca libecciokeys\/ca.crt come nel server il path di certificati e chiavi<\/p>\n remote-cert-tls server<\/p>\n serve a autenticare la connessione alla fine dell’articolo 2 esempi di log che chirificheranno la questione<\/p>\n cipher BF-CBC<\/p>\n stessa cifratura del server<\/p>\n comp-lzo<\/p>\n stessa compressione del server<\/p>\n ping 10<\/p>\n il tempo in secondi per mandare il ping di keepalive<\/p>\n verb 3<\/p>\n la verbosit\u00e0 dei log<\/p>\n mute 10<\/p>\n soppressione dei messaggi ripetuti.<\/p>\n facendo ripartire openvpn se tutto corretto anche qui si trovera’ il device tun0 con ifconfig.<\/p>\n <\/p>\n Come accennavo prima, senza la direttiva\u00a0 remote-cert-tls server nei log si trovano un sacco di avvisi come questo:<\/p>\n Come per il server apt-get install openvpn e quindi cd \/etc\/openvpn. Personalmente preferisco creare una dir $nomeserverkeys e li cacciare dentro quello che mi serve, lo trovo pi\u00f9 comodo e ordinato ed evita di trovarsi in braghe di tela se il client e’ client di pi\u00f9 server cosa comunissima per altro quindi nello specifico siamo […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,7,6],"tags":[],"class_list":["post-499","post","type-post","status-publish","format-standard","hentry","category-linux","category-sistemi-operativi","category-work"],"_links":{"self":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/499","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=499"}],"version-history":[{"count":11,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/499\/revisions"}],"predecessor-version":[{"id":1364,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/499\/revisions\/1364"}],"wp:attachment":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=499"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=499"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=499"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nActive Internet connections (only servers)
\nProto Recv-Q Send-Q Local Address\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Foreign Address\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 State\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 PID\/Program name
\ntcp\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 *:ftp\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 *:*\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 LISTEN\u00a0\u00a0\u00a0\u00a0\u00a0 22505\/proftpd: (acc
\ntcp\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 *:ssh\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u00a0 *:*\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0 \u00a0\u00a0\u00a0 LISTEN\u00a0\u00a0\u00a0\u00a0\u00a0 1104\/sshd
\ntcp\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 localhost:smtp\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0 \u00a0 \u00a0 *:*\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0 \u00a0\u00a0\u00a0\u00a0 LISTEN\u00a0\u00a0\u00a0\u00a0\u00a0 1164\/master
\ntcp6\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u00a0 [::]:ssh\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 [::]:*\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 LISTEN\u00a0\u00a0\u00a0\u00a0\u00a0 1104\/sshd
\nudp\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 *:60878\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 *:*\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u00a0 27059\/openvpn<\/p>\n
\npersist-tun<\/p>\n
\ncert libecciokeys\/libeccio.crt
\nkey libecciokeys\/libeccio.key
\ntls-auth libecciokeys\/ta.key 1<\/p>\novpn-client1[18325]: WARNING: No server certificate verification method has been enabled.\r\nSee http:\/\/openvpn.net\/howto.html#mitm<\/a> for more info.\r\n\r\ncon la direttiva invece:<\/pre>\n
ovpn-client1[18545]: Validating certificate key usage\r\novpn-client1[18545]: ++ Certificate has key usage 00a0, expects 00a0\r\novpn-client1[18545]: VERIFY KU OK\r\novpn-client1[18545]: Validating certificate extended key usage\r\novpn-client1[18545]: ++ Certificate has EKU (str) TLS Web Server\r\nAuthentication, expects TLS Web Server Authentication\r\novpn-client1[18545]: VERIFY EKU OK.<\/pre>\n","protected":false},"excerpt":{"rendered":"