2020/05/01

OpenVPN on Gentoo

Notes from setting up OpenVPN on Gentoo.

# emerge openvpn easy-rsa


Initialization (run once, after installing OpenVPN)

# mkdir -p /etc/openvpn/easyrsa/
# cd /etc/openvpn/easyrsa/
# /usr/share/easy-rsa/easyrsa init-pki

Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easyrsa/pki


Create the CA certificate and private key

# /usr/share/easy-rsa/easyrsa build-ca

Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus (2 primes)
...+++++
..........................................................................+++++
e is 65537 (0x010001)
Can't load /etc/openvpn/easyrsa/pki/.rnd into RNG
140240369948480:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:98:Filename=/etc/openvpn/easyrsa/pki/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easyrsa/pki/ca.crt

# cp -a pki/ca.crt /etc/openvpn/


Create the server certificate and private key

# /usr/share/easy-rsa/easyrsa build-server-full server nopass

Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Generating a RSA private key
............................+++++
.............................+++++
writing new private key to '/etc/openvpn/easyrsa/pki/private/server.key.E4llUsB6Vr'
-----
Using configuration from /usr/share/easy-rsa/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easyrsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Apr 16 13:54:51 2023 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

# cp -a pki/issued/server.crt /etc/openvpn/
# cp -a pki/private/server.key /etc/openvpn/


Generate the DH (Diffie-Hellman) parameters

# /usr/share/easy-rsa/easyrsa gen-dh

Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...............................................+.......................................
~~~~~~
.................................................+........++*++*++*++*

DH parameters of size 2048 created at /etc/openvpn/easyrsa/pki/dh.pem


# cp -a pki/dh.pem /etc/openvpn/


Create the certificate revocation list
(created by issuing a dummy certificate, then revoking and deleting it)
Note: the CRL's default validity is only 180 days, so set it to 3650 days, the same as the server and client certificates.


# /usr/share/easy-rsa/easyrsa build-client-full dummy nopass

Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Generating a RSA private key
.....+++++
........................+++++
writing new private key to '/etc/openvpn/easyrsa/pki/private/dummy.key.fISgzJPxey'
-----
Using configuration from /usr/share/easy-rsa/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easyrsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'dummy'
Certificate is to be certified until Apr 16 14:07:16 2023 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

# /usr/share/easy-rsa/easyrsa revoke dummy

Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020


Please confirm you wish to revoke the certificate with the following subject:

subject=
commonName = dummy


Type the word 'yes' to continue, or any other input to abort.
Continue with revocation: yes
Using configuration from /usr/share/easy-rsa/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easyrsa/pki/private/ca.key:
Revoking Certificate 841C87A17F97C7572B818156630443C9.
Data Base Updated

IMPORTANT!!!

Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.

# EASYRSA_CRL_DAYS=3650 /usr/share/easy-rsa/easyrsa gen-crl

Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Using configuration from /usr/share/easy-rsa/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easyrsa/pki/private/ca.key:

An updated CRL has been created.
CRL file: /etc/openvpn/easyrsa/pki/crl.pem

# cp -a pki/crl.pem /etc/openvpn/
# chmod o+r /etc/openvpn/crl.pem
# rm pki/issued/dummy.crt pki/private/dummy.key pki/reqs/dummy.req


If you want to see the CRL's expiry date, you can check it with the following command.

# openssl crl -inform pem -in pki/crl.pem -text
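As an added example (not from the original post), the following Python script parses the text output of the openssl crl and openssl x509 commands and reports when the CRL's Next Update falls before the certificates' Not After; with crl-verify configured, an expired CRL makes the server reject every client. The sample openssl output below is constructed (only the 180-day CRL default and the certificate end date from this page are real).

```python
import re
from datetime import datetime, timedelta

DATE_RE = r"([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}) GMT"

def parse_openssl_date(s):
    """Parse an OpenSSL text-mode date such as 'Apr 16 13:54:51 2023' (day may be space-padded)."""
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S %Y")

def crl_next_update(crl_text):
    """nextUpdate of a CRL, from the output of: openssl crl -inform pem -in crl.pem -text"""
    return parse_openssl_date(re.search(r"Next Update: " + DATE_RE, crl_text).group(1))

def cert_not_after(cert_text):
    """notAfter of a certificate, from the output of: openssl x509 -in server.crt -text"""
    return parse_openssl_date(re.search(r"Not After *: " + DATE_RE, cert_text).group(1))

def revoked_serials(crl_text):
    """Serial numbers listed as revoked in the CRL text dump."""
    return set(re.findall(r"Serial Number: ([0-9A-F]+)", crl_text))

def crl_report(crl_text, cert_texts, now):
    """Findings for a server using crl-verify: once nextUpdate passes, OpenVPN fails
    verification with 'CRL has expired', so the CRL must be renewed before any cert outlives it."""
    nxt = crl_next_update(crl_text)
    findings = []
    if nxt <= now:
        findings.append("CRL expired on %s; all client connections will fail" % nxt.date())
    elif nxt - now < timedelta(days=30):
        findings.append("CRL expires in %d days; re-run gen-crl" % (nxt - now).days)
    for name, text in cert_texts.items():
        end = cert_not_after(text)
        if end > nxt:
            findings.append("%s outlives the CRL (%s > %s)" % (name, end.date(), nxt.date()))
    return findings

# Constructed sample output in openssl's -text layout (a CRL made with the 180-day default).
CRL_TEXT = """Certificate Revocation List (CRL):
        Last Update: May  1 14:10:00 2020 GMT
        Next Update: Oct 28 14:10:00 2020 GMT
Revoked Certificates:
    Serial Number: 841C87A17F97C7572B818156630443C9
        Revocation Date: May  1 14:09:00 2020 GMT
"""
SERVER_CERT_TEXT = "        Validity\n            Not After : Apr 16 13:54:51 2023 GMT\n"
```

Run it from cron against the live files (openssl crl -text and openssl x509 -text piped into the functions) to catch the CRL lapsing before the certificates do.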


Generate the shared static key used for tls-auth

# openvpn --genkey --secret /etc/openvpn/ta.key


Because all of the VPN clients' traffic should pass through the VPN gateway, configure forwarding on the server.

# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -o br0 -j MASQUERADE

Note: 10.9.0.0/24 assumes the server directive on the server side is "server 10.9.0.0 255.255.255.0".
Note: br0 assumes the server's Ethernet interface is br0; it may be eth0 instead.


OpenVPN server configuration

# cat /etc/openvpn/openvpn.conf
tls-server
port 1194
proto tcp
dev tun0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
server 10.9.0.0 255.255.255.0
persist-key
persist-tun
ifconfig-pool-persist ipp.txt
push "redirect-gateway autolocal"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
user openvpn
group openvpn
status openvpn-status.log
log-append /var/log/openvpn.log
verb 4
crl-verify crl.pem
client-to-client
auth SHA256

=============================================
Creating the client certificate

# /usr/share/easy-rsa/easyrsa build-client-full client1 nopass

Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Generating a RSA private key
.....+++++
.............................................+++++
writing new private key to '/etc/openvpn/easyrsa/pki/private/client1.key.9y3UUqlVoW'
-----
Using configuration from /usr/share/easy-rsa/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easyrsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client1'
Certificate is to be certified until Apr 16 15:12:27 2023 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Create the .ovpn file
(The <ca>, <key>, <cert> and <tls-auth> lines below are OpenVPN's inline-file tags; the server address in the remote line is a placeholder to fill in.)

# cat << EOF > /etc/openvpn/client1.ovpn
> client
> dev tun0
> proto tcp
> remote <vpn-server-address> 1194
> remote-cert-tls server
> auth SHA256
> cipher BF-CBC
> comp-lzo adaptive
> EOF
# echo '<ca>' >> /etc/openvpn/client1.ovpn
# grep -A 30 'BEGIN CERTIFICATE' pki/ca.crt >> /etc/openvpn/client1.ovpn
# echo '</ca>' >> /etc/openvpn/client1.ovpn
# echo '<key>' >> /etc/openvpn/client1.ovpn
# cat pki/private/client1.key >> /etc/openvpn/client1.ovpn
# echo '</key>' >> /etc/openvpn/client1.ovpn
# echo '<cert>' >> /etc/openvpn/client1.ovpn
# grep -A 30 'BEGIN CERTIFICATE' pki/issued/client1.crt >> /etc/openvpn/client1.ovpn
# echo '</cert>' >> /etc/openvpn/client1.ovpn
# echo 'key-direction 1' >> /etc/openvpn/client1.ovpn
# echo '<tls-auth>' >> /etc/openvpn/client1.ovpn
# grep -A 30 'BEGIN OpenVPN Static key V1' /etc/openvpn/ta.key >> /etc/openvpn/client1.ovpn
# echo '</tls-auth>' >> /etc/openvpn/client1.ovpn
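An added example, not from the original post: a small Python checker for the server openvpn.conf above and the client1.ovpn just built. It rejects unknown redirect-gateway flags (such as the misspelling autlocal, which OpenVPN refuses at startup), flags cipher BF-CBC and comp-lzo, and verifies that a client profile carries remote-cert-tls, a tls-auth key and PEM-shaped inline blocks. The sample profile is constructed, with dummy PEM bodies in place of real keys.

```python
import re

# Flags OpenVPN 2.4 accepts after redirect-gateway; anything else is a config error.
REDIRECT_FLAGS = {"local", "autolocal", "def1", "bypass-dhcp", "bypass-dns", "block-local", "ipv6", "!ipv4"}
INLINE_TAGS = ("ca", "cert", "key", "tls-auth")

def parse_openvpn(text):
    """Split a config into directive token lists and its <tag>...</tag> inline blocks."""
    inline = {m.group(1): m.group(2) for m in re.finditer(r"<([\w-]+)>\n(.*?)</\1>", text, re.S)}
    body = re.sub(r"<([\w-]+)>.*?</\1>", "", text, flags=re.S)
    directives = [ln.replace('"', "").split() for ln in body.splitlines()
                  if ln.strip() and not ln.lstrip().startswith("#")]
    return directives, inline

def audit(text):
    """Return findings for a server or client config; an empty list means nothing to flag."""
    directives, inline = parse_openvpn(text)
    names = {d[0] for d in directives}
    findings = []
    for d in directives:
        if d[:2] == ["push", "redirect-gateway"]:
            findings += ["unknown redirect-gateway flag: " + f for f in d[2:] if f not in REDIRECT_FLAGS]
        if d[:2] == ["cipher", "BF-CBC"]:
            findings.append("64-bit block cipher BF-CBC (SWEET32); prefer AES-256-GCM")
        if d[0] == "comp-lzo":
            findings.append("compression enabled (comp-lzo); VORACLE-style attacks apply")
    if "client" in names:
        if "remote-cert-tls" not in names:
            findings.append("client does not require remote-cert-tls server")
        if "tls-auth" not in inline and "tls-auth" not in names:
            findings.append("client has no tls-auth key")
        findings += ["inline <%s> block is not PEM" % t for t in INLINE_TAGS
                     if t in inline and "-----BEGIN" not in inline[t]]
    elif "crl-verify" not in names:
        findings.append("server does not verify a CRL")
    return findings

# Constructed sample profile in the inline format built above (dummy PEM bodies, not real keys).
SAMPLE_CLIENT = """client
remote vpn.example.invalid 1194
remote-cert-tls server
cipher BF-CBC
comp-lzo adaptive
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00
-----END OpenVPN Static key V1-----
</tls-auth>
"""
```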


Transfer the generated client1.ovpn to the VPN client.


=============================================
Once testing shows that it works, make the forwarding settings on the VPN server persistent.

Add the following to /etc/sysctl.conf:
net.ipv4.ip_forward = 1

Saving the iptables rules

# cat /var/lib/iptables/rules-save
cat: /var/lib/iptables/rules-save: No such file or directory

# /etc/init.d/iptables save
* Saving iptables state ... [ ok ]

# cat /var/lib/iptables/rules-save
# Generated by iptables-save v1.6.1 on Sat May 2 12:43:10 2020
*filter
:INPUT ACCEPT [15341:2273915]
:FORWARD ACCEPT [1151:705989]
:OUTPUT ACCEPT [15290:3209579]
COMMIT
# Completed on Sat May 2 12:43:10 2020
# Generated by iptables-save v1.6.1 on Sat May 2 12:43:10 2020
*nat
:PREROUTING ACCEPT [1747:453695]
:INPUT ACCEPT [446:46187]
:OUTPUT ACCEPT [7812:706619]
:POSTROUTING ACCEPT [7812:706619]
[341:88404] -A POSTROUTING -s 10.9.0.0/24 -o br0 -j MASQUERADE
COMMIT
# Completed on Sat May 2 12:43:10 2020

# rc-update add iptables default
* service iptables added to runlevel default

