Configuring the VPN Server (OpenVPN)



##############################################################################
● Configuring the VPN Server (OpenVPN)

1) Install OpenVPN if it is not already installed

[root@localhost ~]# rpm -qa | grep openvpn
[root@localhost ~]#                             <--- not installed

If it is not installed, install it
[root@localhost ~]# yum -y install openvpn      <--- install it

Verify
[root@localhost ~]# rpm -qa | grep openvpn
openvpn-2.3.1-3.el6.i686


2) Newer OpenVPN packages no longer include easy-rsa, so install it separately

[root@localhost ~]# rpm -qa | grep easy-rsa
[root@localhost ~]#                             <--- not installed
[root@localhost ~]# yum -y install easy-rsa     <--- install it

Verify
[root@localhost ~]# rpm -qa | grep easy-rsa
easy-rsa-2.2.0-2.el6.noarch

3) Install the bridge utilities (bridge-utils) if they are not already installed

[root@localhost ~]# rpm -qa | grep bridge-utils
bridge-utils-1.2-10.el6.i686

If not installed, install them
[root@localhost ~]# yum -y install bridge-utils

4) Copy the configuration file and the directory used to store certificates/keys

[root@localhost ~]# cd /etc/openvpn

[root@localhost openvpn]# cp -r /usr/share/easy-rsa/2.0/ easy-rsa

[root@localhost openvpn]# cp /usr/share/doc/openvpn-2.3.1/sample/sample-config-files/server.conf .

(If you are migrating from an existing system, copy its configuration file and reuse it.)

    The example configuration below assumes the following conditions:

    The OpenVPN server listens on port 1194
    The protocol is TCP
    The connection mode is bridged (tap)
    The OpenVPN server's IP address is 192.168.1.2
    The IP address range assigned to clients is 192.168.1.221 - 192.168.1.230
    The OpenVPN server also acts as the Samba server (with WINS support)

[root@localhost ~]# cd /etc/openvpn
[root@localhost openvpn]# vi server.conf

;local a.b.c.d
local 192.168.1.2
    :
    :
    :
port 1194
    :
    :
proto tcp
;proto udp
    :
    :
;dev tap
;dev tun
dev tap0
    :
    :
;ca ca.crt
;cert server.crt
;key server.key  # This file should be kept secret
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
    :
    :
;dh dh1024.pem
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
    :
    :
;server 10.8.0.0 255.255.255.0
    :
    :
ifconfig-pool-persist ipp.txt
    :
    :
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
server-bridge 192.168.1.2 255.255.255.0 192.168.1.221 192.168.1.230
    :
    :
push "route 192.168.1.0 255.255.255.0"
    :
    :
;push "dhcp-option DNS 192.168.1.2"
push "dhcp-option WINS 192.168.1.2"
    :
    :
keepalive 10 120
    :
    :
comp-lzo
    :
    :
;user nobody
;group nobody
user nobody
group nobody
    :
    :
persist-key
persist-tun
    :
    :
status /var/log/openvpn-status.log
    :
    :
;log-append  openvpn.log
log-append  /var/log/openvpn.log
    :
    :
verb 3
    :
    :

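As an added consistency check (example code written for this page, not part of the original guide or of OpenVPN), the following Python script parses the server.conf directives shown above and verifies that the server-bridge layout matches the stated conditions: a tap device, a client pool that lies inside the bridge subnet without swallowing the server's own address, no conflicting "server" directive, and persist-key/persist-tun alongside the privilege drop to nobody. SAMPLE_CONF is a constructed excerpt of the file above.

```python
import ipaddress
import shlex

# Constructed sample: the server.conf directives shown above, elided lines omitted.
SAMPLE_CONF = """\
local 192.168.1.2
dev tap0
key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
;server 10.8.0.0 255.255.255.0
server-bridge 192.168.1.2 255.255.255.0 192.168.1.221 192.168.1.230
push "route 192.168.1.0 255.255.255.0"
user nobody
group nobody
persist-key
persist-tun
"""

def parse_conf(text):
    """Map each directive to its argument list; ';' and '#' introduce comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        words = shlex.split(line)
        conf[words[0]] = words[1:]
    return conf

def check_bridge_conf(conf):
    """Return findings for a server-bridge layout; an empty list means consistent."""
    findings = []
    if "server" in conf:
        findings.append("'server' and 'server-bridge' are mutually exclusive")
    if not conf.get("dev", [""])[0].startswith("tap"):
        findings.append("server-bridge needs a tap device, not tun")
    sb = conf.get("server-bridge", [])
    if len(sb) != 4:
        return findings + ["server-bridge needs gateway, netmask, pool start, pool end"]
    gw, mask, start, end = sb
    net = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if lo > hi or lo not in net or hi not in net:
        findings.append(f"client pool {start}-{end} is not inside {net}")
    local = ipaddress.ip_address(conf.get("local", [gw])[0])
    if lo <= local <= hi:
        findings.append(f"server address {local} lies inside the client pool")
    # With user nobody, persist-key/persist-tun keep the key and device across SIGUSR1 restarts.
    if "user" in conf and not ("persist-key" in conf and "persist-tun" in conf):
        findings.append("user/group set without persist-key and persist-tun")
    return findings
```

Run check_bridge_conf(parse_conf(open("/etc/openvpn/server.conf").read())) on the real file after editing; an empty list means the bridge directives agree with each other.
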
5) Edit the script that sets the environment variables used when creating certificates/keys

[root@localhost ~]# cd /etc/openvpn/easy-rsa
[root@localhost easy-rsa]# vi vars

export KEY_COUNTRY="JP"             <-- Specify the server's location (country)
export KEY_PROVINCE="Kanagawa"      <-- Specify the server's location (prefecture/state)
export KEY_CITY="Yokohama-city"     <-- Specify the server's location (city)
export KEY_ORG="gusuku.org"         <-- Specify the organization name
export KEY_EMAIL="root@gusuku.org"  <-- Specify the server administrator's email address
export KEY_EMAIL=root@gusuku.org    <-- Specify the server administrator's email address
export KEY_CN="www.gusuku.org"      <-- The server's host name
export KEY_NAME=                    <-- changed
export KEY_OU=                      <-- changed
export PKCS11_MODULE_PATH=          <-- changed
export PKCS11_PIN=1234


6) Load the environment variables and create the certificate authority (CA) certificate

[root@localhost easy-rsa]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
[root@localhost easy-rsa]# ./clean-all
[root@localhost easy-rsa]# ./build-ca
Generating a 1024 bit RSA private key
.................++++++
.................................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:                  <-- Enter
State or Province Name (full name) [Kanagawa]:      <-- Enter
Locality Name (eg, city) [Yokohama-city]:           <-- Enter
Organization Name (eg, company) [gusuku.org]:       <-- Enter
Organizational Unit Name (eg, section) []:          <-- Enter
Common Name (eg, your name or your server's hostname) [www.gusuku.org]: <-- Enter
Name []:                                            <-- Enter
Email Address [root@gusuku.org]:                    <-- Enter


7) Create the server certificate

[root@localhost easy-rsa]# ./build-key-server server
Generating a 1024 bit RSA private key
................++++++
........................................................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:                  <-- Enter
State or Province Name (full name) [Kanagawa]:      <-- Enter
Locality Name (eg, city) [Yokohama-city]:           <-- Enter
Organization Name (eg, company) [gusuku.org]:       <-- Enter
Organizational Unit Name (eg, section) []:          <-- Enter
Common Name (eg, your name or your server's hostname) [server]:www.gusuku.org
Name []:                                            <-- Enter
Email Address [root@gusuku.org]:                    <-- Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Kanagawa'
localityName          :PRINTABLE:'Yokohama-city'
organizationName      :PRINTABLE:'gusuku.org'
commonName            :PRINTABLE:'www.gusuku.org'
emailAddress          :IA5STRING:'root@gusuku.org'
Certificate is to be certified until Aug  8 08:05:03 2023 GMT (3650 days)
Sign the certificate? [y/n]:y                               <-- y+Enter


1 out of 1 certificate requests certified, commit? [y/n]y   <-- y+Enter
Write out database with 1 new entries
Data Base Updated


8) Create the DH parameters

[root@localhost easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time


9) When migrating servers, copy the keys from the original server

[root@localhost ~]# cd /etc/openvpn/easy-rsa

Keep the original keys, just in case
[root@localhost ~]# mv keys keys.org

[root@localhost ~]# scp -rp old_host:/etc/openvpn/easy-rsa/keys .


10) Create the scripts for the bridged connection

・Start script
[root@localhost ~]# vi /etc/openvpn/bridge-start

---start----------------------------------------------------------------------
#!/bin/bash

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.1.2"                # <--- changed
eth_netmask="255.255.255.0"         # <--- changed
eth_broadcast="192.168.1.255"       # <--- changed
eth_gateway="192.168.1.1"           # <--- added

for t in $tap; do
    openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

# Moving the address from eth0 to br0 drops the default route; wait for the
# bridge to come up, then re-add the route via the bridge interface.
sleep 10                                    # <--- added
route add -net 0.0.0.0 gw $eth_gateway $br  # <--- added

exit 0
---end------------------------------------------------------------------------

・Stop script
[root@localhost ~]# vi /etc/openvpn/bridge-stop

---start----------------------------------------------------------------------
#!/bin/bash

####################################
# Tear Down Ethernet bridge on Linux
####################################

sleep 3                                     # <--- added

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged together
tap="tap0"

ifconfig $br down
brctl delbr $br

for t in $tap; do
    openvpn --rmtun --dev $t
done

exit 0                                      # <--- added

---end------------------------------------------------------------------------


11) Create symbolic links so the scripts run when OpenVPN starts and stops

[root@localhost ~]# ln -s /etc/openvpn/bridge-start /etc/openvpn/openvpn-startup
[root@localhost ~]# ln -s /etc/openvpn/bridge-stop /etc/openvpn/openvpn-shutdown

12) Allow traffic on the tap0 interface and connections to TCP port 1194

[root@localhost ~]# vi /etc/sysconfig/iptables

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:MyFirewall - [0:0]
-A INPUT -j MyFirewall
-A FORWARD -j MyFirewall
-A MyFirewall -m state --state ESTABLISHED,RELATED -j ACCEPT
-A MyFirewall -p icmp -j ACCEPT
-A MyFirewall -i lo -j ACCEPT
-A MyFirewall -i tap+ -j ACCEPT
-A MyFirewall -s 192.168.1.0/24 -j ACCEPT
-A MyFirewall -m udp -p udp --dport 53 -j ACCEPT
-A MyFirewall -m udp -p udp --dport 123 -j ACCEPT
-A MyFirewall -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
-A MyFirewall -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A MyFirewall -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A MyFirewall -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A MyFirewall -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A MyFirewall -m state --state NEW -m tcp -p tcp --dport 113 -j ACCEPT
-A MyFirewall -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A MyFirewall -m state --state NEW -m tcp -p tcp --dport 1194 -j ACCEPT
-A MyFirewall -m state --state NEW -m tcp -p tcp --dport 8090 -j ACCEPT
-A MyFirewall -j REJECT --reject-with icmp-host-prohibited
COMMIT


13) Configure port mapping on the router if necessary

    Forward connections arriving from outside on TCP port 1194 to the VPN server

14) Configure the server to start at boot

[root@localhost ~]# chkconfig openvpn on

15) Start the server

[root@localhost ~]# service openvpn start



