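#!/bin/bash
#### OpenVPN on Ubuntu Jaunty 64-bit inside an OpenVZ VPS ###
#
# Step-by-step runbook rather than an unattended script: the "On host"
# section runs on the OpenVZ hardware node, the "On VPS" section inside
# container 101. Several steps are interactive (vim, the easy-rsa prompts,
# tzselect), so run it section by section instead of piping it into a shell.
#
# Variables consumed by the VPS section: OPENVPN_SERVER, OPENVPN_CLIENTS
# (space-separated list), OPENVPN_IPRANGE (first three octets),
# OPENVPN_LOCALDOMAIN and the KEY_* values handed to easy-rsa.

### On host:

# Check that the tun module is loaded on the node
lsmod | grep tun

# Allow the VPS to use tun (char device 10:200) and give it net_admin
vzctl set 101 --devices c:10:200:rw --save
vzctl set 101 --capability net_admin:on --save

# Start the VPS and create the tun device node inside it
vzctl start 101
vzctl exec 101 mkdir -p /dev/net
vzctl exec 101 mknod /dev/net/tun c 10 200
vzctl exec 101 chmod 600 /dev/net/tun

# Enter the VPS
vzctl enter 101

## On VPS:

# Quick base setup
apt-get update
apt-get upgrade
apt-get install bash-completion language-pack-fr
# Interactive timezone selection
tzselect

# Bash completion: uncomment the bash-completion block in this file
vim /etc/bash.bashrc

# Install OpenVPN
apt-get install openvpn openssl

# Variables
OPENVPN_SERVER=vpn.botux.fr
OPENVPN_CLIENTS="user1 user2"
OPENVPN_IPRANGE=10.8.0
OPENVPN_LOCALDOMAIN=botux.vpn
KEY_COUNTRY=FR
KEY_PROVINCE=73
KEY_CITY=CHAMBERY
KEY_ORG="$OPENVPN_SERVER Virtual Private Network Server"
KEY_EMAIL=contact@botux.fr
KEY_SIZE=2048

# Install the easy-rsa scripts
mkdir -p /etc/openvpn/easy-rsa
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
rm -f /etc/openvpn/easy-rsa/openssl.cnf
gunzip /etc/openvpn/easy-rsa/openssl*.cnf.gz
# NOTE(review): if the package ships more than one openssl*.cnf this cp
# fails ("target is not a directory"); name the one file explicitly then.
cp /etc/openvpn/easy-rsa/openssl*.cnf /etc/openvpn/easy-rsa/openssl.cnf
# Single quotes on purpose: openssl.cnf must receive the literal
# $ENV::KEY_COMMONNAME, which openssl resolves from the environment at run time.
sed -i -e '/commonName[\t ]*=[\t ]*Common/a\ commonName_default\t\t= $ENV::KEY_COMMONNAME' \
  /etc/openvpn/easy-rsa/openssl.cnf

# Update the config files
# Fall back to 1024 only when KEY_SIZE is unset or empty (the original
# `[ ! $KEY_SIZE ]` test broke on an unquoted empty value).
if [ -z "$KEY_SIZE" ]; then KEY_SIZE=1024; fi
sed -i -e "s/\(export D=\).*/\1\"\/etc\/openvpn\"/" \
  -e "s/\(export KEY_CONFIG=\).*/\1\"\/etc\/openvpn\/easy-rsa\/openssl.cnf\"/" \
  -e "s/\(export KEY_SIZE=\).*/\1\"$KEY_SIZE\"/" \
  -e "s/\(export KEY_COUNTRY=\).*/\1\"$KEY_COUNTRY\"/" \
  -e "s/\(export KEY_PROVINCE=\).*/\1\"$KEY_PROVINCE\"/" \
  -e "s/\(export KEY_CITY=\).*/\1\"$KEY_CITY\"/" \
  -e "s/\(export KEY_ORG=\).*/\1\"$KEY_ORG\"/" \
  -e "s/\(export KEY_EMAIL=\).*/\1\"$KEY_EMAIL\"/" \
  /etc/openvpn/easy-rsa/vars
# Persist the OPENVPN_* values in vars so later `source` calls restore them
echo "export OPENVPN_SERVER=\"$OPENVPN_SERVER\"
export OPENVPN_CLIENTS=\"$OPENVPN_CLIENTS\"
export OPENVPN_IPRANGE=\"$OPENVPN_IPRANGE\"
export OPENVPN_LOCALDOMAIN=\"$OPENVPN_LOCALDOMAIN\"
" >> /etc/openvpn/easy-rsa/vars

# Edit vars
vim /etc/openvpn/easy-rsa/vars
## and modify the env vars to: /etc/openvpn/easy-rsa

# Create the certificate authority
source /etc/openvpn/easy-rsa/vars
export KEY_COMMONNAME="ca.$OPENVPN_SERVER"
/etc/openvpn/easy-rsa/clean-all
/etc/openvpn/easy-rsa/build-ca

# Create the server certificate | answer y,y
source /etc/openvpn/easy-rsa/vars
export KEY_COMMONNAME="$OPENVPN_SERVER"
/etc/openvpn/easy-rsa/build-key-server server

# Create the client certificates | answer y,y
source /etc/openvpn/easy-rsa/vars
# $OPENVPN_CLIENTS is deliberately unquoted: it is a space-separated list.
for OPENVPN_CLIENT in $OPENVPN_CLIENTS; do
  export KEY_COMMONNAME="$OPENVPN_CLIENT.client.$OPENVPN_SERVER"
  /etc/openvpn/easy-rsa/build-key "$OPENVPN_CLIENT"
done

# Generate the Diffie-Hellman parameters
source /etc/openvpn/easy-rsa/vars
/etc/openvpn/easy-rsa/build-dh
# NOTE(review): this also copies ca.key; the server only needs ca.crt, so
# the CA private key is better kept off the VPN host.
cp -R /etc/openvpn/easy-rsa/keys /etc/openvpn/
# Private keys must not be readable by other local users
chmod 600 /etc/openvpn/keys/*.key

# Generate the TLS-auth key
openvpn --genkey --secret /etc/openvpn/keys/ta.key
chmod 600 /etc/openvpn/keys/ta.key

## OpenVPN server configuration

# Fetch the templates
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gunzip /etc/openvpn/server.conf.gz

# Adjust with the variables
# The cipher line enables the template entry tagged "# AES" instead of the
# "# Triple-DES" one: 3DES is a 64-bit block cipher and is no longer an
# acceptable choice for a VPN tunnel.
source /etc/openvpn/easy-rsa/vars
sed -i \
  -e "s/^ca ca\.crt/ca \/etc\/openvpn\/keys\/ca\.crt/" \
  -e "s/^cert server\.crt/cert \/etc\/openvpn\/keys\/server\.crt/" \
  -e "s/^key server\.key/key \/etc\/openvpn\/keys\/server\.key/" \
  -e "s/^dh[\t ]*dh1024.pem/dh \/etc\/openvpn\/keys\/dh$KEY_SIZE.pem/" \
  -e "s/^server[\t ].*$/server $OPENVPN_IPRANGE\.0 255\.255\.255\.0/" \
  -e 's/^;client-to-client/client-to-client/' \
  -e 's/^;\(tls-auth \)\(ta.key.*\)$/\1\/etc\/openvpn\/keys\/\2/' \
  -e 's/^;\(.*# AES\)$/\1/' \
  -e 's/^\(status \).*/\1\/var\/log\/openvpn-status.log/' \
  -e 's/^group[ \t]*nobody$/group nogroup/' \
  /etc/openvpn/server.conf

# Restart openvpn
/etc/init.d/openvpn restart

## Client configuration
# NOTE(review): `ns-cert-type server` is what this era's template offers;
# newer OpenVPN releases deprecate it in favour of `remote-cert-tls server`.
source /etc/openvpn/easy-rsa/vars
for OPENVPN_CLIENT in $OPENVPN_CLIENTS; do
  cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
  sed -i \
    -e "s/^remote[\t ]*my-server-1[\t ].*/remote $OPENVPN_SERVER 1194/" \
    -e 's/^group[ \t]*nobody$/group nogroup/' \
    -e "s/^ca ca\.crt/ca \/etc\/openvpn\/keys\/ca\.crt/" \
    -e "s/^cert client\.crt/cert \/etc\/openvpn\/keys\/$OPENVPN_CLIENT\.crt/" \
    -e "s/^key client\.key/key \/etc\/openvpn\/keys\/$OPENVPN_CLIENT\.key/" \
    -e "s/;\(ns-cert-type[\t ]*server.*\)/\1/" \
    -e "s/;tls-auth[\t ]*ta.key[\t ]*1.*/tls-auth \/etc\/openvpn\/keys\/ta.key 1/" \
    /etc/openvpn/client.conf
  # The cipher must match on both sides: copy it from the server config
  grep -E "^cipher " /etc/openvpn/server.conf >> /etc/openvpn/client.conf
  # One bundle per client: its config, the CA cert, its own cert/key and
  # the shared ta.key. The key and ta.key are secrets, so the archive is
  # owner-only before it is handed out.
  tar cf "/etc/openvpn/$OPENVPN_CLIENT.tar" \
    /etc/openvpn/client.conf \
    /etc/openvpn/keys/ca.crt \
    "/etc/openvpn/keys/$OPENVPN_CLIENT.crt" \
    "/etc/openvpn/keys/$OPENVPN_CLIENT.key" \
    /etc/openvpn/keys/ta.key
  chmod 600 "/etc/openvpn/$OPENVPN_CLIENT.tar"
  rm -f /etc/openvpn/client.conf
done

# Advanced client configuration
mkdir -p /etc/openvpn/clients-configs
echo "
# Configurations avancées.
client-config-dir /etc/openvpn/clients-configs" \
  >> /etc/openvpn/server.conf

## NAT rules
# Push the venet0:0 network to clients, derived from the interface's
# address line: \1 plus a literal 0 is meant to yield the network address,
# \3 the netmask.
ifconfig venet0:0 | grep inet | \
  sed -e 's/.*:\([0-9\.]*\)[0-9]\{1,3\} .*:\([0-9\.]*\) .*:\([0-9\.]*\).*/push "route \10 \3"/g' \
  >> /etc/openvpn/server.conf

# iptables init.d script
gunzip --to-stdout /usr/share/doc/iptables/examples/oldinitdscript.gz > /etc/init.d/iptables
chmod +x /etc/init.d/iptables
mkdir -p /var/lib/iptables
update-rc.d iptables defaults

# Enable IP forwarding on the system
# /etc/network/options is not present on every release; patch it only when
# it exists. The echo below enables forwarding for the running kernel.
if [ -e /etc/network/options ]; then
  sed -i -e 's/\(ip_forward=\).*/\1yes/g' /etc/network/options
fi
echo 1 > /proc/sys/net/ipv4/ip_forward

# Set up the rules
# iptables matches on the device name; venet0:0 is an address label on
# venet0, not a device, so the rule is bound to venet0.
iptables -t nat -A POSTROUTING -s "$OPENVPN_IPRANGE.0/24" -o venet0 -j MASQUERADE
/etc/init.d/iptables save active

# Unresolved notes kept from the original; they look like
# /etc/network/interfaces post-up/post-down hooks for an eth0 host and are
# not part of the OpenVZ runbook above:
#   post-up echo 1 > /proc/sys/net/ipv4/ip_forward
#   post-up iptables -t nat -A POSTROUTING -s '10.8.0.0/24' -o eth0 -j MASQUERADE
#   post-down iptables -t nat -D POSTROUTING -s '10.8.0.0/24' -o eth0 -j MASQUERADE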