JITAKU_SVR_Wiki

OpenVPN

・When Windows is the client, a dedicated client tool is required
・Transfer speed is comparatively higher than other VPNs
・Fairly easy to set up
・Can also connect from Android and iPhone (untested)
※Presumably an OpenVPN client has to be installed from each platform's store?

Server environment

Server: Sakura VPS
OS: CentOS 6.3 (64bit)
RAM: 1GB
CPU: 2 cores

Installing the required packages

# yum -y install openssl-devel lzo-devel pam-devel openvpn
※To install lzo-devel, add the EPEL repository first

# rpm -qa openssl-devel lzo-devel pam-devel openvpn
lzo-devel-2.03-3.1.el6_5.1.x86_64
pam-devel-1.1.1-20.el6.x86_64
openssl-devel-1.0.1e-30.el6_6.4.x86_64
openvpn-2.2.2-1.el6.rf.x86_64



Key generation

# cd /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/

# ln -s openssl-1.0.0.cnf openssl.cnf

# ls -1 | grep -v "\.cnf" | grep -v Makefile | grep -v README | grep -v keys | xargs chmod a+x

# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys

# ./clean-all
※Note that clean-all deletes the files in the ./keys directory

Creating the CA (certificate authority) key and certificate

# cd /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/

# ./build-ca

Generating a 1024 bit RSA private key
..............................++++++
................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:JP
State or Province Name (full name) [CA]:Japan
Locality Name (eg, city) [SanFrancisco]:Japan
Organization Name (eg, company) [Fort-Funston]:jitaku-svr.info
Organizational Unit Name (eg, section) [changeme]:jitaku-svr.info
Common Name (eg, your name or your server's hostname) [changeme]:www.jitaku-svr.info
Name [changeme]:
Email Address [mail@host.domain]:

The resulting key and certificate are placed in ./keys under the same directory (ca.key / ca.crt)

Creating the server key and certificate

# cd /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/

# ./build-key-server server

Generating a 1024 bit RSA private key
...++++++
.++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:JP
State or Province Name (full name) [CA]:Japan
Locality Name (eg, city) [SanFrancisco]:Japan
Organization Name (eg, company) [Fort-Funston]:jitaku-svr.info
Organizational Unit Name (eg, section) [changeme]:jitaku-svr.info
Common Name (eg, your name or your server's hostname) [server]:www.jitaku-svr.info
Name [changeme]:
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:XXXXXX
An optional company name []:XXXXXX
Using configuration from /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Japan'
localityName          :PRINTABLE:'Japan'
organizationName      :PRINTABLE:'jitaku-svr.info'
organizationalUnitName:PRINTABLE:'jitaku-svr.info'
commonName            :PRINTABLE:'www.jitaku-svr.info'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Dec 19 07:01:33 2024 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

The resulting key and certificate are placed in ./keys under the same directory (server.key / server.crt)

Creating the Diffie-Hellman parameters

# cd /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/

# ./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.................+...........................................................+................................................................+..+..............

The resulting parameter file is placed in ./keys under the same directory (dh1024.pem)

Client key generation

Client key for Windows

# cd /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/

# ./build-key client1

Generating a 1024 bit RSA private key
.............................++++++
...........++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:JP
State or Province Name (full name) [CA]:Japan
Locality Name (eg, city) [SanFrancisco]:Japan
Organization Name (eg, company) [Fort-Funston]:jitaku-svr.info
Organizational Unit Name (eg, section) [changeme]:jitaku-svr.info
Common Name (eg, your name or your server's hostname) [client1]:
Name [changeme]:
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:XXXXXX
An optional company name []:XXXXXX
Using configuration from /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Japan'
localityName          :PRINTABLE:'Japan'
organizationName      :PRINTABLE:'jitaku-svr.info'
organizationalUnitName:PRINTABLE:'jitaku-svr.info'
commonName            :PRINTABLE:'client1'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Dec 19 07:27:10 2024 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

The resulting key and certificate are placed in ./keys under the same directory (client1.crt / client1.key)
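Before copying anything out of ./keys, it is worth confirming that each certificate chains to ca.crt, belongs to its private key, has not expired, and uses a key larger than the 1024 bits easy-rsa 2.0 generated in the output above. The checks below are an added example, not part of the original wiki; they assume the openssl command line and the easy-rsa file names used on this page, and the function names are my own.

```shell
# Print the RSA key size in bits of a certificate's public key.
cert_bits() { # $1=certificate (PEM)
  openssl x509 -in "$1" -noout -text |
    awk '/Public-Key:/ { gsub(/[^0-9]/, ""); print; exit }'
}

# Print the size in bits of a Diffie-Hellman parameter file such as dh1024.pem.
dh_bits() { # $1=DH parameters (PEM)
  openssl dhparam -in "$1" -noout -text |
    awk '/DH Parameters:/ { gsub(/[^0-9]/, ""); print; exit }'
}

# Succeed only when the private key's modulus matches the certificate's.
key_matches_cert() { # $1=certificate  $2=private key
  [ "$(openssl x509 -in "$1" -noout -modulus)" = \
    "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

# Print one finding per line; return the number of findings (0 = fit to deploy).
check_cert() { # $1=ca.crt  $2=certificate  $3=its private key
  n=0
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
    { echo "FAIL: $2 does not chain to $1"; n=$((n + 1)); }
  key_matches_cert "$2" "$3" ||
    { echo "FAIL: $3 is not the private key for $2"; n=$((n + 1)); }
  bits=$(cert_bits "$2")
  [ "${bits:-0}" -ge 2048 ] ||
    { echo "WEAK: $2 carries a ${bits:-?}-bit RSA key; set KEY_SIZE=2048 in vars before build-ca"; n=$((n + 1)); }
  openssl x509 -in "$2" -noout -checkend 0 >/dev/null ||
    { echo "FAIL: $2 has already expired"; n=$((n + 1)); }
  return $n
}

# Run against the easy-rsa output directory used on this page:
#   cd /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys
#   check_cert ca.crt server.crt server.key
#   check_cert ca.crt client1.crt client1.key
#   dh_bits dh1024.pem        # prints 1024 for the parameters built above
```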

Placing the configuration files

# cp -p keys/ca.crt keys/server.crt keys/server.key keys/dh1024.pem /etc/openvpn/

# cp -p /usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/

server.conf is the openvpn configuration file.
It lets you change the listen port, the tunnel device name, and the subnet used inside the tunnel.
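The stock server.conf also ships several hardening directives commented out, and copying it unchanged keeps them that way. The functions below are an added example, not part of the original wiki, that audit a server.conf for those directives; the sample file is constructed here to mirror the copied 2.2 file with this page's values (port 1194, dh1024.pem, 10.8.0.0/24), and tls-crypt is accepted as a newer alternative to tls-auth that 2.2 itself does not provide.

```shell
# Exit 0 when the directive appears as an active (uncommented) line.
conf_has() { # $1=config file  $2=directive
  awk -v d="$2" '$1 == d { found = 1; exit } END { exit !found }' "$1"
}

# Print the argument(s) of the first active occurrence of a directive.
conf_get() { # $1=config file  $2=directive
  awk -v d="$2" '$1 == d { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Print one finding per line and return the number of findings (0 = clean).
audit_conf() { # $1=path to server.conf
  f="$1"; n=0
  note() { echo "$1"; n=$((n + 1)); }
  # The stock file ships these as ';tls-auth ta.key 0', ';user nobody', ';group nobody'.
  conf_has "$f" tls-auth || conf_has "$f" tls-crypt ||
    note "MISSING: tls-auth/tls-crypt; any UDP sender can start a TLS handshake"
  conf_has "$f" user  || note "MISSING: 'user nobody' (daemon keeps root after start-up)"
  conf_has "$f" group || note "MISSING: 'group nobody'"
  conf_has "$f" crl-verify || note "MISSING: crl-verify (a revoked client cert is still accepted)"
  conf_has "$f" cipher || note "INFO: no 'cipher' directive; OpenVPN 2.2 defaults to BF-CBC"
  # build-dh on this page produced 1024-bit parameters (dh1024.pem).
  case "$(conf_get "$f" dh)" in
    *1024*) note "WEAK: dh $(conf_get "$f" dh) is 1024-bit; rebuild with KEY_SIZE=2048" ;;
  esac
  return $n
}

# Constructed sample mirroring what the copied 2.2 server.conf leaves active and commented.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
;tls-auth ta.key 0
comp-lzo
;user nobody
;group nobody
persist-key
persist-tun
EOF

audit_conf "$SAMPLE_CONF" || echo "$? finding(s) in $SAMPLE_CONF"
```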

Starting openvpn

# chkconfig openvpn on

# /etc/init.d/openvpn start

# ifconfig tun0
 tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
  inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
  UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:100
  RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

# ps -ef |grep openvpn
root 25553 1 0 16:06 ? 00:00:00 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --config server.conf --cd /etc/openvpn --script-security 2
root 25561 24817 0 16:06 pts/0 00:00:00 grep openvpn

# netstat -an |grep 1194
udp 0 0 0.0.0.0:1194 0.0.0.0:*

# netstat -rn |grep tun
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0

Windows client setup

Preparing the installer
http://www.openvpn.jp/document/openvpn-gui-for-windows/

Place the client1.key, client1.crt, and ca.crt files created above on the client.
→C:\Program Files\OpenVPN\config

Editing the client VPN configuration file

→C:\Program Files\OpenVPN\sample-config\client.ovpn
Place the above in C:\Program Files\OpenVPN\config
For editing the client.ovpn file, refer to the linked pages below.

Troubleshooting

○Cannot connect from the Windows VPN client
→ Is openvpn running? Is it listening?
→ Is the server firewall blocking the traffic?
→ Does the client-side network allow outbound UDP/1194?
→ Is the openvpn_client.ovpn configuration wrong?

Check the above. The Windows VPN client also has a log display feature,
so looking at the log may reveal something.

Reference URLs

http://jp.giganews.com/vyprvpn/compare-vpn-protocols.html
http://www.openvpn.jp/document/install-windows/
http://blog.suz-lab.com/2012/09/vpcopenvpncentos6.html
http://blog.suz-lab.com/2012/09/mac108centos63openvpnvpn.html


Last-modified: 2015-12-22 (Tue) 14:00:44 (639d)