CentOS 7

OpenVPN : Configure the VPN Server
2015/06/26
 
Install OpenVPN and configure it so that clients can connect to the local network over a virtual private network.
This example configures the OpenVPN server in bridge mode for the environment shown below.
On the server side, the br0 and tap0 interfaces are created automatically by the service, and the client-side tap0 gets its IP address assigned by the server. Once connected to the VPN, a client can reach any computer on the same network as the server.
As a prerequisite, IP masquerading (port forwarding) must be configured on the router.
In the example below, the router forwards packets arriving at x.x.x.x:1194 on the WAN side to 192.168.0.30:1194.
              +----------------------+
              | [  OpenVPN Server  ] |
          tap0|    dlp.srv.world     |eth0
              |                      |
              +-----------+----------+
         192.168.0.30:1194|br0
                          |
               192.168.0.1|
                   +------+-----+
-------------------|   Router   |---------------------
                   +------+-----+
                          |x.x.x.x:1194
          +---------------+--------------+    Internet
          |                              |
----------+------------------------------+------------
          |     +------------------+     |
          | tap0|                  |eth0 |
          +-----+    VPN Client    +-----+
     192.168.0.x|                  |10.0.0.10
                +------------------+

[1] Install OpenVPN.
# install from EPEL

[root@dlp ~]#
yum --enablerepo=epel -y install openvpn easy-rsa net-tools bridge-utils
[2] Create the CA certificate.
[root@dlp ~]#
cd /usr/share/easy-rsa/2.0

[root@dlp 2.0]#
vi vars
# line 64: change to match your environment

export KEY_COUNTRY="JP"
export KEY_PROVINCE="Hiroshima"
export KEY_CITY="Hiroshima"
export KEY_ORG="GTS"
export KEY_EMAIL="root@dlp.srv.world"
export KEY_OU="Server_World"
[root@dlp 2.0]#
source ./vars

NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/easy-rsa/2.0/keys
[root@dlp 2.0]#
./clean-all

[root@dlp 2.0]#
./build-ca

Generating a 2048 bit RSA private key
..............+++
...+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:    
# Enter

State or Province Name (full name) [Hiroshima]:    
# Enter

Locality Name (eg, city) [Hiroshima]:    
# Enter

Organization Name (eg, company) [GTS]:    
# Enter

Organizational Unit Name (eg, section) [Server_World]:    
# Enter

Common Name (eg, your name or your server's hostname) [GTS CA]:    
# Enter

Name [EasyRSA]:Server-CA
# enter any name you like

Email Address [root@dlp.srv.world]:    
# Enter

[3] Create the server certificate.
[root@dlp ~]#
cd /usr/share/easy-rsa/2.0

[root@dlp 2.0]#
./build-key-server server

Generating a 2048 bit RSA private key
.................................................+++
.................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:    
# Enter

State or Province Name (full name) [Hiroshima]:    
# Enter

Locality Name (eg, city) [Hiroshima]:    
# Enter

Organization Name (eg, company) [GTS]:    
# Enter

Organizational Unit Name (eg, section) [Server_World]:    
# Enter

Common Name (eg, your name or your server's hostname) [server]:    
# Enter

Name [EasyRSA]:Server-CRT
# enter any name you like

Email Address [root@dlp.srv.world]:    
# Enter


Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Hiroshima'
localityName          :PRINTABLE:'Hiroshima'
organizationName      :PRINTABLE:'GTS'
organizationalUnitName:T61STRING:'Server_World'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'Server-CRT'
emailAddress          :IA5STRING:'root@dlp.srv.world'
Certificate is to be certified until Jun 23 05:59:34 2025 GMT (3650 days)
# check the contents and answer y to proceed

Sign the certificate? [y/n]:
y

# answer y to proceed

1 out of 1 certificate requests certified, commit? [y/n]
y

Write out database with 1 new entries
Data Base Updated
[4] Generate the Diffie-Hellman (DH) parameters.
[root@dlp ~]#
cd /usr/share/easy-rsa/2.0

[root@dlp 2.0]#
./build-dh

Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
[5] Create a client certificate.
[root@dlp ~]#
cd /usr/share/easy-rsa/2.0

[root@dlp 2.0]#
./build-key client01

Generating a 2048 bit RSA private key
............+++
.......................................................+++
writing new private key to 'client01.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:    
# Enter

State or Province Name (full name) [Hiroshima]:    
# Enter

Locality Name (eg, city) [Hiroshima]:    
# Enter

Organization Name (eg, company) [GTS]:    
# Enter

Organizational Unit Name (eg, section) [Server_World]:    
# Enter

Common Name (eg, your name or your server's hostname) [client01]:    
# Enter

Name [EasyRSA]:client01
# enter any name you like

Email Address [root@dlp.srv.world]:    
# Enter


Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Hiroshima'
localityName          :PRINTABLE:'Hiroshima'
organizationName      :PRINTABLE:'GTS'
organizationalUnitName:T61STRING:'Server_World'
commonName            :PRINTABLE:'client01'
name                  :PRINTABLE:'client01'
emailAddress          :IA5STRING:'root@dlp.srv.world'
Certificate is to be certified until Jun 23 06:01:37 2025 GMT (3650 days)
# check the contents and answer y to proceed

Sign the certificate? [y/n]:
y

# answer y to proceed

1 out of 1 certificate requests certified, commit? [y/n]
y

Write out database with 1 new entries
Data Base Updated
[6] Configure and start the OpenVPN server.
[root@dlp ~]#
cp -pR /usr/share/easy-rsa/2.0/keys /etc/openvpn/keys

[root@dlp ~]#
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/

[root@dlp ~]#
vi /etc/openvpn/server.conf
# line 32: change if needed (the port the OpenVPN server listens on)

port 1194
# line 35: uncomment tcp and comment out udp

proto tcp
;proto udp
# line 52: switch to bridge mode, which uses a tap device

dev tap0
;dev tun
# line 78: change to the paths of the copied certificates and key

ca keys/ca.crt
cert keys/server.crt
key keys/server.key
# line 85: change to the path of the copied DH parameters

dh keys/dh2048.pem
# line 101: comment out

;server 10.8.0.0 255.255.255.0
# line 120: uncomment and change [IP assigned to the bridge] [netmask] [range of IPs assigned to clients]

server-bridge 192.168.0.30 255.255.255.0 192.168.0.150 192.168.0.199
# line 231: keepalive (ping every 10 seconds, treat the peer as down after 120 seconds without a reply)

keepalive 10 120
# line 256: enable compression

comp-lzo
# line 274: enable the persist options

persist-key
persist-tun
# line 289: uncomment and specify the log file

log /var/log/openvpn.log
log-append /var/log/openvpn.log
# line 299: set the log level (0 logs only fatal errors, 9 logs everything down to trivial messages)

verb 3
[root@dlp ~]#
cp /usr/share/doc/openvpn-*/sample/sample-scripts/bridge-start /etc/openvpn/openvpn-startup

[root@dlp ~]#
cp /usr/share/doc/openvpn-*/sample/sample-scripts/bridge-stop /etc/openvpn/openvpn-shutdown

[root@dlp ~]#
chmod 755 /etc/openvpn/openvpn-startup /etc/openvpn/openvpn-shutdown

[root@dlp ~]#
vi /etc/openvpn/openvpn-startup
# lines 17-20: change

eth="eth0"
# change if needed

eth_ip="192.168.0.30"
# IP assigned to the bridge

eth_netmask="255.255.255.0"
# subnet mask

eth_broadcast="192.168.0.255"
# broadcast address
# append at the end of the file: define the gateway

eth_gw="192.168.0.1"
route add default gw $eth_gw
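The bridge only works when server.conf and openvpn-startup agree with each other. As an added check that is not part of the original page, the following Python script parses the server.conf directives and the openvpn-startup variables set above (embedded here as constructed samples with this page's values) and reports mismatches: bridge mode needs a tap device and server-bridge with the server directive commented out, the client pool must lie inside the bridge subnet with the correct broadcast address, and the bridge IP and the gateway must not be handed out to clients.

```python
import ipaddress
import re

# Constructed sample: the server.conf lines from this page that matter for bridge mode.
SERVER_CONF = """\
proto tcp
;proto udp
dev tap0
;dev tun
;server 10.8.0.0 255.255.255.0
server-bridge 192.168.0.30 255.255.255.0 192.168.0.150 192.168.0.199
"""
# Constructed sample: the variables set in /etc/openvpn/openvpn-startup on this page.
STARTUP_SCRIPT = """\
eth_ip="192.168.0.30"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.0.255"
eth_gw="192.168.0.1"
"""

def parse_openvpn_conf(text):
    """Map directive -> argument list; OpenVPN treats lines starting with '#' or ';' as comments."""
    lines = [l.split() for l in text.splitlines() if l.strip() and l.strip()[0] not in "#;"]
    return {name: args for name, *args in lines}

def parse_shell_vars(text):
    """Collect simple name="value" assignments from the bridge-start script."""
    return dict(re.findall(r'^(\w+)="([^"]*)"', text, re.M))

def check_bridge_config(conf_text, script_text):
    """Cross-check server.conf against the bridge-start variables; return a list of problems."""
    conf, env = parse_openvpn_conf(conf_text), parse_shell_vars(script_text)
    problems = []
    if not conf.get("dev", [""])[0].startswith("tap"):
        problems.append("dev must be a tap interface for bridge mode")
    if "server" in conf:
        problems.append("'server' must stay commented out when server-bridge is used")
    sb = conf.get("server-bridge", [])
    if len(sb) != 4:
        return problems + ["server-bridge needs <ip> <netmask> <pool-start> <pool-end>"]
    ip, mask, start, end = sb[0], sb[1], ipaddress.ip_address(sb[2]), ipaddress.ip_address(sb[3])
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    if (ip, mask) != (env.get("eth_ip"), env.get("eth_netmask")):
        problems.append("server-bridge ip/mask differ from eth_ip/eth_netmask in openvpn-startup")
    if env.get("eth_broadcast") != str(net.broadcast_address):
        problems.append(f"eth_broadcast should be {net.broadcast_address}")
    if start > end or start not in net or end not in net:
        problems.append("client pool must lie inside the bridge subnet")
    # Addresses the LAN already uses (the bridge itself, the gateway) must not be leased to clients.
    for name in ("eth_ip", "eth_gw"):
        if name in env and start <= ipaddress.ip_address(env[name]) <= end:
            problems.append(f"{name} {env[name]} falls inside the client pool")
    return problems
```

Running check_bridge_config on the two files as edited on this page returns an empty list; any reported problem means a client could end up with an address that collides with the bridge, the gateway or a host outside the subnet.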
[root@dlp ~]#
cp /usr/lib/systemd/system/openvpn@.service /usr/lib/systemd/system/openvpn-bridge.service

[root@dlp ~]#
vi /usr/lib/systemd/system/openvpn-bridge.service
# change the [Service] section as follows

[Service]
PrivateTmp=true
Type=forking
PIDFile=/var/run/openvpn/openvpn.pid
# systemd runs Exec* commands without a shell, so the redirection has to be wrapped in /bin/sh -c
ExecStartPre=/bin/sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
ExecStartPre=/etc/openvpn/openvpn-startup
ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/openvpn.pid --cd /etc/openvpn/ --config server.conf
ExecStopPost=/etc/openvpn/openvpn-shutdown
ExecStopPost=/bin/sh -c 'echo 0 > /proc/sys/net/ipv4/ip_forward'
[root@dlp ~]#
systemctl start openvpn-bridge

[ 1367.964300] device tap0 entered promiscuous mode
[ 1367.967487] IPv6: ADDRCONF(NETDEV_UP): tap0: link is not ready
[ 1367.971388] br0: port 1(eth0) entered forwarding state
[ 1367.972534] br0: port 1(eth0) entered forwarding state
[ 1368.006320] IPv6: ADDRCONF(NETDEV_CHANGE): tap0: link becomes ready
[ 1368.007546] br0: port 2(tap0) entered forwarding state
[ 1368.008452] br0: port 2(tap0) entered forwarding state
[root@dlp ~]#
systemctl enable openvpn-bridge

[7] Copy the three files ca.crt, client01.crt and client01.key from /etc/openvpn/keys to the client computer that will connect to the VPN. This completes the OpenVPN server setup.
