OpenVPN : Install / Configure   2015/03/31
Install OpenVPN and configure it so that remote clients can reach the local network over a virtual private network.

This example sets up the OpenVPN server in bridge mode (a tap device bridged onto the LAN) in the environment below.

The br0 and tap0 interfaces on the server are created automatically by the service, and the client's tap0 address is assigned by the server from a pool on the LAN subnet. Once connected, a client can reach any computer on the same network as the server. Keep in mind what bridge mode implies: every client is placed directly in the LAN's layer-2 broadcast domain (ARP, broadcasts and all), so if clients only need IP reachability, routed mode (dev tun with the sample config's "server 10.8.0.0 255.255.255.0") exposes less of the network.

Prerequisite: the router must forward packets arriving at x.x.x.x:1194 on the WAN side to 192.168.0.30:1194 (port forwarding / DNAT, usually configured alongside the router's IP masquerade settings). Because step [6] below switches OpenVPN to TCP, the forwarding rule must be for TCP port 1194.

                 +----------------------+
                 |  [ OpenVPN Server ]  |
             tap0|    dlp.srv.world     |eth0
                 |                      |
                 +-----------+----------+
                192.168.0.30:1194|br0
                                 |
                      192.168.0.1|
                          +------+-----+
--------------------------|   Router   |--------------------------
                          +------+-----+
                                 |x.x.x.x:1194
                                 |
                             Internet
                                 |
                 +---------------+------+
                 |    [ VPN Client ]    |
             tap0|                      |eth0
      192.168.0.x|                      |10.0.0.10
                 +----------------------+
[1] Install OpenVPN.

# install from EPEL
[root@dlp ~]# yum --enablerepo=epel -y install openvpn easy-rsa bridge-utils
[2] Create the CA certificate.

[root@dlp ~]# cd /usr/share/easy-rsa/2.0
[root@dlp 2.0]# vi vars
# line 64: change to match your environment
export KEY_COUNTRY="JP"
export KEY_PROVINCE="Hiroshima"
export KEY_CITY="Hiroshima"
export KEY_ORG="GTS"
export KEY_EMAIL="root@dlp.srv.world"
export KEY_OU="Server_World"

[root@dlp 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/easy-rsa/2.0/keys
[root@dlp 2.0]# ./clean-all
[root@dlp 2.0]# ./build-ca
Generating a 2048 bit RSA private key
..............+++
...+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:                                # Enter
State or Province Name (full name) [Hiroshima]:                   # Enter
Locality Name (eg, city) [Hiroshima]:                             # Enter
Organization Name (eg, company) [GTS]:                            # Enter
Organizational Unit Name (eg, section) [Server_World]:            # Enter
Common Name (eg, your name or your server's hostname) [GTS CA]:   # Enter
Name [EasyRSA]:Server-CA                                          # any name you like
Email Address [root@dlp.srv.world]:                               # Enter

The resulting keys/ca.key signs every certificate created below. Anyone holding it can mint a client certificate the server will accept, so it is the one file that must never be handed to a client and should not stay on the VPN server longer than needed.
[3] Create the server certificate.

[root@dlp ~]# cd /usr/share/easy-rsa/2.0
[root@dlp 2.0]# ./build-key-server server
Generating a 2048 bit RSA private key
.................................................+++
.................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:                                # Enter
State or Province Name (full name) [Hiroshima]:                   # Enter
Locality Name (eg, city) [Hiroshima]:                             # Enter
Organization Name (eg, company) [GTS]:                            # Enter
Organizational Unit Name (eg, section) [Server_World]:            # Enter
Common Name (eg, your name or your server's hostname) [server]:   # Enter
Name [EasyRSA]:Server-CRT                                         # any name you like
Email Address [root@dlp.srv.world]:                               # Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Hiroshima'
localityName          :PRINTABLE:'Hiroshima'
organizationName      :PRINTABLE:'GTS'
organizationalUnitName:T61STRING:'Server_World'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'Server-CRT'
emailAddress          :IA5STRING:'root@dlp.srv.world'
Certificate is to be certified until Mar 28 12:30:50 2025 GMT (3650 days)
Sign the certificate? [y/n]:y                                     # check the contents, then answer y

1 out of 1 certificate requests certified, commit? [y/n]y        # answer y
Write out database with 1 new entries
Data Base Updated

Use build-key-server (not build-key) for the server: it marks the certificate as a TLS server (nsCertType=server, extendedKeyUsage=serverAuth), which is what lets clients refuse a peer that presents a mere client certificate.
[4] Generate Diffie-Hellman (DH) parameters.

[root@dlp ~]# cd /usr/share/easy-rsa/2.0
[root@dlp 2.0]# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
[5] Create a client certificate.

[root@dlp ~]# cd /usr/share/easy-rsa/2.0
[root@dlp 2.0]# ./build-key client01
Generating a 2048 bit RSA private key
............+++
.......................................................+++
writing new private key to 'client01.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:                                  # Enter
State or Province Name (full name) [Hiroshima]:                     # Enter
Locality Name (eg, city) [Hiroshima]:                               # Enter
Organization Name (eg, company) [GTS]:                              # Enter
Organizational Unit Name (eg, section) [Server_World]:              # Enter
Common Name (eg, your name or your server's hostname) [client01]:   # Enter
Name [EasyRSA]:client01                                             # any name you like
Email Address [root@dlp.srv.world]:                                 # Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Hiroshima'
localityName          :PRINTABLE:'Hiroshima'
organizationName      :PRINTABLE:'GTS'
organizationalUnitName:T61STRING:'Server_World'
commonName            :PRINTABLE:'client01'
name                  :PRINTABLE:'client01'
emailAddress          :IA5STRING:'root@dlp.srv.world'
Certificate is to be certified until Mar 28 12:40:16 2025 GMT (3650 days)
Sign the certificate? [y/n]:y                                       # check the contents, then answer y

1 out of 1 certificate requests certified, commit? [y/n]y          # answer y
Write out database with 1 new entries
Data Base Updated

Repeat this step with a different name for each additional client rather than sharing client01 between machines.
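Before the keys directory is copied to /etc/openvpn and to clients (steps [6] and [7]), it is worth confirming that steps [2] to [5] produced what the rest of the setup relies on: both issued certificates chain to ca.crt, each certificate matches its private key, server.crt (and only server.crt) carries the serverAuth purpose that build-key-server adds, and the private keys are not world-readable. The script below is an added example written for this page, not part of the page or of easy-rsa; it assumes openssl is in PATH and the easy-rsa 2.0 file names used above. make_demo_pki builds a throwaway PKI with the same extension layout (constructed demo data, not real keys) so the checker can be tried without easy-rsa.

```shell
#!/bin/sh
# check_pki.sh -- sanity-check the easy-rsa 2.0 output before it is copied to
# /etc/openvpn/keys and handed to clients.  Added example, not part of the
# original page.  Assumes openssl in PATH and the file names easy-rsa 2.0
# produces (ca.crt, server.crt/.key, client01.crt/.key, dh2048.pem).

# 0 if the certificate's public key belongs to the private key.
key_matches_cert() {  # $1=cert  $2=key
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 0 if the certificate may act as a TLS *server* (extendedKeyUsage=serverAuth).
# build-key-server adds this; build-key does not.  A client's
# "remote-cert-tls server" relies on it to tell the real server from another
# client's certificate.
is_server_cert() {  # $1=cert
    openssl x509 -in "$1" -noout -purpose | grep -q '^SSL server : Yes'
}

# 0 if the key file is not readable by group or others (ls columns 5-10 are '-').
key_is_private() {  # $1=key
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Run every check against a keys directory; one line per finding,
# returns 0 only when everything passes.
check_pki() {  # $1=keys directory
    d=$1; rc=0
    for f in ca.crt server.crt server.key client01.crt client01.key dh2048.pem; do
        [ -f "$d/$f" ] || { echo "MISSING   $f"; rc=1; }
    done
    [ $rc -eq 0 ] || return $rc
    for c in server client01; do
        openssl verify -CAfile "$d/ca.crt" "$d/$c.crt" >/dev/null 2>&1 \
            || { echo "BADCHAIN  $c.crt does not verify against ca.crt"; rc=1; }
        key_matches_cert "$d/$c.crt" "$d/$c.key" \
            || { echo "MISMATCH  $c.crt and $c.key are not a pair"; rc=1; }
        openssl x509 -in "$d/$c.crt" -noout -checkend 2592000 >/dev/null \
            || { echo "EXPIRING  $c.crt expires within 30 days"; rc=1; }
        key_is_private "$d/$c.key" \
            || { echo "PERMS     $c.key is group/world readable"; rc=1; }
    done
    is_server_cert "$d/server.crt" \
        || { echo "NOSERVER  server.crt lacks serverAuth (was it made with build-key-server?)"; rc=1; }
    # A client certificate that also carries serverAuth lets that client impersonate the server.
    if is_server_cert "$d/client01.crt"; then
        echo "CLIENTSRV client01.crt carries serverAuth"; rc=1
    fi
    return $rc
}

# Build a throwaway PKI shaped like easy-rsa 2.0 output (constructed demo data,
# not real keys) so check_pki can be tried without easy-rsa.  Extensions mirror
# easy-rsa's openssl-1.0.0.cnf: [ server ] -> serverAuth, [ usr_cert ] -> clientAuth.
make_demo_pki() {  # $1=target directory
    d=$1; mkdir -p "$d"; chmod 700 "$d"
    printf '[ req ]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ca_ext\n[ dn ]\nCN = placeholder\n[ ca_ext ]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$d/demo.cnf"
    openssl req -x509 -config "$d/demo.cnf" -subj "/CN=GTS CA" -newkey rsa:2048 -nodes \
        -days 3650 -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    chmod 600 "$d/ca.key"
    for n in server:serverAuth client01:clientAuth; do
        name=${n%%:*}; eku=${n#*:}
        openssl req -new -config "$d/demo.cnf" -subj "/CN=$name" -newkey rsa:2048 -nodes \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
        printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = %s\n' "$eku" > "$d/$name.ext"
        openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
            -days 3650 -extfile "$d/$name.ext" -out "$d/$name.crt" 2>/dev/null
        chmod 600 "$d/$name.key"
    done
    : > "$d/dh2048.pem"   # placeholder: check_pki only tests presence; build-dh creates the real file
}
```

Against the real output run `check_pki /usr/share/easy-rsa/2.0/keys`; an empty result and exit status 0 means the directory is fit to copy. The CLIENTSRV check matters because this setup does not use tls-auth or a CRL: a client certificate that is also valid as a server certificate is all an attacker would need to stand up a fake server.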
[6] Configure and start the OpenVPN server.

[root@dlp ~]# cp -pR /usr/share/easy-rsa/2.0/keys /etc/openvpn/keys
[root@dlp ~]# cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/

Note that the first cp copies the whole directory, including ca.key and the client keys. The server itself only needs ca.crt, server.crt, server.key and dh2048.pem; once the client files have been handed out (step [7]), remove the rest from /etc/openvpn/keys.

[root@dlp ~]# vi /etc/openvpn/server.conf
# line 32: change if needed (port the OpenVPN server listens on)
port 1194
# line 35: uncomment tcp and comment out udp
proto tcp
;proto udp
# line 52: use a tap device for bridge mode
dev tap0
;dev tun
# line 78: paths of the copied certificates and key
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
# line 85: path of the copied DH parameters
dh keys/dh2048.pem
# line 101: comment out
;server 10.8.0.0 255.255.255.0
# line 120: uncomment and change to [bridge IP] [netmask] [first client IP] [last client IP]
server-bridge 192.168.0.30 255.255.255.0 192.168.0.150 192.168.0.199
# line 231: keepalive (ping every 10 seconds, consider the peer down after 120 seconds without a reply)
keepalive 10 120
# line 256: enable compression
comp-lzo
# line 274: enable the persist options
persist-key
persist-tun
# line 289: uncomment and specify the log file. Use either log or log-append, not both
# (as the sample config notes: log truncates the file at startup, log-append appends to it)
log-append /var/log/openvpn.log
# line 299: log level (0 logs only fatal errors, 9 logs everything down to minor events)
verb 3

UDP is the sample default and usually performs better; TCP is used here, so the router's forwarding rule must be for TCP 1194. comp-lzo is kept because the 2015 sample config enables it, but compression inside a TLS tunnel has since been shown to leak plaintext (the VORACLE attack, 2018) and current OpenVPN guidance is to leave it off. If you drop it, drop it on every client too, since both sides must agree.

[root@dlp ~]# cp /usr/share/doc/openvpn-*/sample/sample-scripts/bridge-start /etc/openvpn/openvpn-startup
[root@dlp ~]# cp /usr/share/doc/openvpn-*/sample/sample-scripts/bridge-stop /etc/openvpn/openvpn-shutdown
[root@dlp ~]# chmod 755 /etc/openvpn/openvpn-startup /etc/openvpn/openvpn-shutdown
[root@dlp ~]# vi /etc/openvpn/openvpn-startup
# lines 17-20: change
eth="eth0"                      # change if needed
eth_ip="192.168.0.30"           # IP address assigned to the bridge
eth_netmask="255.255.255.0"     # subnet mask
eth_broadcast="192.168.0.255"   # broadcast address
# append at the end: define the default gateway
eth_gw="192.168.0.1"
route add default gw $eth_gw

[root@dlp ~]# vi /etc/rc.d/init.d/openvpn
# line 133: uncomment
echo 1 > /proc/sys/net/ipv4/ip_forward

Edits to the init script are lost when the openvpn package is updated; putting net.ipv4.ip_forward = 1 in /etc/sysctl.conf is the durable way to do this. (The bridge itself forwards Ethernet frames and does not depend on IP forwarding; it only matters if this host also routes between networks.)

[root@dlp ~]# /etc/rc.d/init.d/openvpn start
Starting openvpn: Wed Apr  1 20:44:57 2015 TUN/TAP device tap0 opened
Wed Apr  1 20:44:57 2015 Persist state set to: ON
device tap0 entered promiscuous mode
br0: port 2(tap0) entering forwarding state
br0: port 1(eth0) entering forwarding state
                                                           [  OK  ]
[root@dlp ~]# chkconfig openvpn on
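The server.conf edit above has several places where one slip produces a server that either will not start or silently does something else: leaving the sample's "server 10.8.0.0" line active next to server-bridge, keeping dev tun, setting both log and log-append, a client pool that is not inside the bridge subnet, or credential paths that do not resolve from /etc/openvpn (the directory the init script runs the daemon in). The linter below is an added example written for this page, not part of the page or of OpenVPN; it assumes the option names used above and that relative paths resolve from the directory containing server.conf unless a second argument says otherwise.

```shell
#!/bin/sh
# lint_server_conf.sh -- catch the mistakes the server.conf edit above invites
# (server and server-bridge both active, tun with server-bridge, log plus
# log-append, a client pool outside the bridge subnet, credential paths that
# do not resolve).  Added example, not part of the original page or OpenVPN.
# Usage: lint_server_conf /etc/openvpn/server.conf [dir relative paths resolve from]

# Print the arguments of every active occurrence of an option (lines starting
# with '#' or ';' are comments to OpenVPN); bare flags print "set".
opt() {  # $1=conf  $2=option
    grep -Ev '^[[:space:]]*([#;]|$)' "$1" \
        | awk -v o="$2" '$1 == o { $1 = ""; sub(/^ +/, ""); print ($0 == "" ? "set" : $0) }'
}

# Dotted quad -> integer, e.g. 192.168.0.30 -> 3232235550
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Prints one line per finding; returns the number of ERRORs.
lint_server_conf() {
    conf=$1; base=${2:-$(dirname "$1")}; errors=0
    err()  { echo "ERROR $*"; errors=$((errors + 1)); }
    warn() { echo "WARN  $*"; }

    # 'server' (sample default, line 101) must be commented out when 'server-bridge' is used
    bridge=$(opt "$conf" server-bridge)
    [ -n "$bridge" ] || err "no active 'server-bridge' line; this is not a bridge-mode server.conf"
    [ -n "$bridge" ] && [ -n "$(opt "$conf" server)" ] \
        && err "'server' and 'server-bridge' are both active; comment out 'server'"

    # bridging works on Ethernet frames, so it needs a tap device
    dev=$(opt "$conf" dev)
    case $dev in tap*) ;; *) err "server-bridge needs 'dev tapN', found 'dev $dev'" ;; esac

    # log and log-append are alternatives, not a pair
    n=$(( $(opt "$conf" log | wc -l) + $(opt "$conf" log-append | wc -l) ))
    [ "$n" -le 1 ] || err "both 'log' and 'log-append' are set; keep one (log truncates at startup, log-append appends)"

    # credential files are resolved from the directory the daemon runs in (/etc/openvpn for the init script)
    for o in ca cert key dh; do
        p=$(opt "$conf" "$o")
        [ -n "$p" ] || { err "missing '$o' line"; continue; }
        case $p in /*) f=$p ;; *) f=$base/$p ;; esac
        [ -r "$f" ] || err "'$o $p' does not resolve to a readable file ($f)"
    done

    # client pool must sit inside the bridge subnet and must not contain the bridge address
    set -- $bridge
    if [ $# -eq 4 ]; then
        gw=$(ip2int "$1"); mask=$(ip2int "$2"); lo=$(ip2int "$3"); hi=$(ip2int "$4")
        net=$(( gw & mask ))
        { [ $(( lo & mask )) -eq "$net" ] && [ $(( hi & mask )) -eq "$net" ]; } \
            || err "pool $3-$4 is not inside the bridge subnet $1/$2"
        [ "$lo" -le "$hi" ] || err "pool start $3 is above pool end $4"
        { [ "$gw" -lt "$lo" ] || [ "$gw" -gt "$hi" ]; } || err "bridge address $1 lies inside the client pool"
    elif [ -n "$bridge" ]; then
        err "server-bridge needs 4 arguments: <bridge IP> <netmask> <pool start> <pool end>"
    fi

    # the router's forwarding rule has to match these two
    echo "INFO  listens on proto $(opt "$conf" proto) port $(opt "$conf" port); forward that proto/port on the router"
    [ -z "$(opt "$conf" comp-lzo)" ] \
        || warn "comp-lzo enabled: compression inside the tunnel has been shown to leak plaintext (VORACLE); prefer off"
    return $errors
}
```

Run it as `lint_server_conf /etc/openvpn/server.conf` after editing and again after any later change; the exit status is the error count, so it can gate a restart in a deployment script. The pool check is worth keeping even in a hand-maintained setup: server-bridge hands out addresses without consulting the LAN's DHCP server, so the range must be carved out of the DHCP scope on the router as well.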
[7] Copy the three files ca.crt, client01.crt and client01.key from /etc/openvpn/keys to each client computer that will connect to the VPN. client01.key is that client's secret: transfer it over an authenticated, encrypted channel (scp, or media you hand over in person), keep it mode 600 on the client, and give every client its own certificate from step [5] rather than reusing client01.

That completes the OpenVPN server setup.
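The page stops at copying the three files; the client also needs a client.conf that matches the server above (tcp, tap, comp-lzo) and should verify that the peer it reaches is the server and not another client holding a valid certificate. The script below is an added example written for this page, not part of the page or of OpenVPN: write_client_conf emits such a client.conf (x.x.x.x is the page's placeholder for the router's WAN address) and check_client_dir confirms the files from step [7] are in place with the key kept private.

```shell
#!/bin/sh
# client_bundle.sh -- client side of the setup above: a client.conf matching
# server.conf (tcp, tap, comp-lzo) plus a check that the three files from
# step [7] are present and the key is private.  Added example, not part of
# the original page; x.x.x.x is the page's placeholder for the WAN address.

# Write a client.conf for the bridge server configured above.
write_client_conf() {  # $1=output file  $2=server address  $3=port  $4=proto
    cat > "$1" <<EOF
client
dev tap
proto $4
remote $2 $3
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client01.crt
key client01.key
# Only accept a peer whose certificate was issued with build-key-server
# (serverAuth); otherwise anyone holding another client's certificate
# could pose as the server.
remote-cert-tls server
# Must match the server: comp-lzo is enabled there, so it must be enabled
# here (remove it on both sides or neither).
comp-lzo
verb 3
EOF
}

# 0 if the directory holds client.conf and the files it references,
# with client01.key readable by its owner only.
check_client_dir() {  # $1=directory
    d=$1; rc=0
    for f in client.conf ca.crt client01.crt client01.key; do
        [ -f "$d/$f" ] || { echo "MISSING $f"; rc=1; }
    done
    [ $rc -eq 0 ] || return $rc
    grep -q '^remote-cert-tls server$' "$d/client.conf" \
        || { echo "WEAK    client.conf does not check that the peer is a server certificate"; rc=1; }
    [ "$(ls -l "$d/client01.key" | cut -c5-10)" = "------" ] \
        || { echo "PERMS   client01.key must be mode 600"; rc=1; }
    return $rc
}
```

On the client, `write_client_conf /etc/openvpn/client.conf x.x.x.x 1194 tcp`, copy the three files into /etc/openvpn with `scp -p` from the server, `chmod 600 client01.key`, and run `check_client_dir /etc/openvpn` before starting openvpn. remote-cert-tls works here only because the server certificate was issued with build-key-server in step [3]; a server certificate made with plain build-key would be rejected by this client.conf.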