wiki:vpn_start
Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision | ||
|
wiki:vpn_start [2018/05/04 16:33] bdu created |
— (current) | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== VPN - Starting the VPN client ===== | ||
| - | ===== Launching OpenVPN ===== | ||
| - | |||
| - | ==== Firewall ==== | ||
| - | |||
| - | Set the appropriate [[wiki:firewall|Firewall]] rules to accept OpenVPN traffic: | ||
| - | <code iptables /etc/firewall.d/10_openvpn.rules> | ||
| - | *filter | ||
| - | # OpenVPN ports | ||
| - | -A INPUT -p udp -m udp --sport 1194 -j ACCEPT | ||
| - | -A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT | ||
| - | COMMIT | ||
| - | </code> | ||
| - | |||
| - | Or disable the firewall (only during test phase!) with: | ||
| - | <code bash>/etc/init.d/firewall stop</code> | ||
| - | |||
| - | ==== Start OpenVPN ==== | ||
| - | |||
| - | Put the OpenVPN main configuration file in ''/user/rootfs_rw/etc/openvpn/'' and launch it with (replace with the appropriate file name): | ||
| - | <code bash>openvpn --config /etc/openvpn/client-openvpn-ibts.conf 2>&1 | logger &</code> | ||
| - | |||
| - | Check that OpenVPN client is well launched on your gateway: | ||
| - | <code bash> | ||
| - | ps | grep [o]penvpn | ||
| - | 31342 root 4700 S openvpn --config /etc/openvpn/client-openvpn-ibts.conf</code> | ||
| - | |||
| - | Check with the ''ifconfig'' command that the ''vpn0'' interface is now active. | ||
| - | |||
| - | Once everything is working, you can add initialization scripts to enable the VPN automatically. Don't forget to enable the firewall again if it was disabled. | ||
| - | |||
| - | ===== Launching IPsec / strongSwan ===== | ||
| - | |||
| - | ==== Firewall ==== | ||
| - | |||
| - | Set the appropriate [[wiki:firewall|Firewall]] rules to accept IPsec traffic: | ||
| - | |||
| - | <code iptables /etc/firewall.d/10_ipsec.rules> | ||
| - | *filter | ||
| - | # OpenVPN ports | ||
| - | -A INPUT -p udp -m udp --sport 500 -j ACCEPT | ||
| - | -A OUTPUT -p udp -m udp --dport 500 -j ACCEPT | ||
| - | -A INPUT -p udp -m udp --sport 4500 -j ACCEPT | ||
| - | -A OUTPUT -p udp -m udp --dport 4500 -j ACCEPT | ||
| - | COMMIT | ||
| - | </code> | ||
| - | |||
| - | Or disable the firewall (only during test phase!) with: | ||
| - | <code bash>/etc/init.d/firewall stop</code> | ||
| - | |||
| - | ==== Start ipsec ==== | ||
| - | |||
| - | Two TKM daemons can be used: | ||
| - | |||
| - | * If the ''/etc/ipsec.secrets'' file is used, and the P12 file is stored as clear in the filesystem: use ''charon'' | ||
| - | * If the ''/etc/ipsec.secrets'' file is empty, and the secrets and P12 files are stored ciphered in the TrustZone: use ''charon-tkm'' | ||
| - | |||
| - | To do so, either add the ''<nowiki>--daemon charon</nowiki>'' or ''<nowiki>--daemon charon-tkm</nowiki>'' to the command line, or set the ''DAEMON_NAME'' environment variable to the desired value. For example, if the TrustZone is used: | ||
| - | |||
| - | <code bash> | ||
| - | export DAEMON_NAME=charon-tkm | ||
| - | |||
| - | # or, alternatively | ||
| - | ipsec start <other ipsec options...> --daemon charon-tkm | ||
| - | </code> | ||
| - | |||
| - | If the TrustZone is not used, here is how the VPN should be started: | ||
| - | |||
| - | <code bash> | ||
| - | export DAEMON_NAME=charon | ||
| - | |||
| - | # or, alternatively | ||
| - | ipsec start <other ipsec options...> --daemon charon | ||
| - | </code> | ||
| - | |||
| - | To troubleshoot, the ''<nowiki>--nofork</nowiki>'' switch can be added to the command line. This will prevent the daemon from forking, and will log all output to the console (instead of syslog). | ||
| - | |||
| - | Once everything is working, you can add initialization scripts to enable the VPN automatically. Don't forget to enable the firewall again. | ||
wiki/vpn_start.1525444399.txt.gz · Last modified: 2019/01/17 10:01 (external edit)
