OpenVPN環境構築マニュアル

備忘録

Install

yum --enablerepo=epel -y install openvpn easy-rsa net-tools bridge-utils

鍵作成

cd /usr/share/easy-rsa/3

初期化

./easyrsa init-pki

CA作成

./easyrsa build-ca

=> pki/ca.crt
=> pki/private/ca.key

サーバー証明書作成

nopassで作ってdaemonで起動するときの入力コストを減らそう

./easyrsa build-server-full server nopass

=> pki/issued/server.crt
=> pki/private/server.key

DH

./easyrsa gen-dh
=> pki/dh.pem

失効リスト作成

ダミークライアントを作って一度revokeさせる

./easyrsa build-client-full dmy nopass
./easyrsa revoke dmy

yumでインストールしたeasyrsaにはvars.exampleがないので失効リストの期限調整コンフィグを作る。

vars (このファイルをeasyrsa実行ディレクトリ直下に置く)

# Easy-RSA 3 parameter settings

# NOTE: If you installed Easy-RSA from your distro's package manager, don't edit
# this file in place -- instead, you should copy the entire easy-rsa directory
# to another location so future upgrades don't wipe out your changes.

# HOW TO USE THIS FILE
#
# vars.example contains built-in examples to Easy-RSA settings. You MUST name
# this file 'vars' if you want it to be used as a configuration file. If you do
# not, it WILL NOT be automatically read when you call easyrsa commands.
#
# It is not necessary to use this config file unless you wish to change
# operational defaults. These defaults should be fine for many uses without the
# need to copy and edit the 'vars' file.
#
# All of the editable settings are shown commented and start with the command
# 'set_var' -- this means any set_var command that is uncommented has been
# modified by the user. If you're happy with a default, there is no need to
# define the value to its default.

# NOTES FOR WINDOWS USERS
#
# Paths for Windows  *MUST* use forward slashes, or optionally double-escaped
# backslashes (single forward slashes are recommended.) This means your path to
# the openssl binary might look like this:
# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"

# A little housekeeping: DON'T EDIT THIS SECTION
# 
# Easy-RSA 3.x doesn't source into the environment directly.
# Complain if a user tries to do this:
if [ -z "$EASYRSA_CALLER" ]; then
	echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
	echo "This is no longer necessary and is disallowed. See the section called" >&2
	echo "'How to use this file' near the top comments for more details." >&2
	return 1
fi

# DO YOUR EDITS BELOW THIS POINT

# This variable is used as the base location of configuration files needed by
# easyrsa.  More specific variables for specific files (e.g., EASYRSA_SSL_CONF)
# may override this default.
#
# The default value of this variable is the location of the easyrsa script
# itself, which is also where the configuration files are located in the
# easy-rsa tree.

#set_var EASYRSA	"${0%/*}"

# If your OpenSSL command is not in the system PATH, you will need to define the
# path to it here. Normally this means a full path to the executable, otherwise
# you could have left it undefined here and the shown default would be used.
#
# Windows users, remember to use paths with forward-slashes (or escaped
# back-slashes.) Windows users should declare the full path to the openssl
# binary here if it is not in their system PATH.

#set_var EASYRSA_OPENSSL	"openssl"
#
# This sample is in Windows syntax -- edit it for your path if not using PATH:
#set_var EASYRSA_OPENSSL	"C:/Program Files/OpenSSL-Win32/bin/openssl.exe"

# Edit this variable to point to your soon-to-be-created key directory.  By
# default, this will be "$PWD/pki" (i.e. the "pki" subdirectory of the
# directory you are currently in).
#
# WARNING: init-pki will do a rm -rf on this directory so make sure you define
# it correctly! (Interactive mode will prompt before acting.)

#set_var EASYRSA_PKI		"$PWD/pki"

# Define directory for temporary subdirectories.

#set_var EASYRSA_TEMP_DIR	"$EASYRSA_PKI"

# Define X509 DN mode.
# This is used to adjust what elements are included in the Subject field as the DN
# (this is the "Distinguished Name.")
# Note that in cn_only mode the Organizational fields further below aren't used.
#
# Choices are:
#   cn_only  - use just a CN value
#   org      - use the "traditional" Country/Province/City/Org/OU/email/CN format

#set_var EASYRSA_DN	"cn_only"

# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
# These are the default values for fields which will be placed in the
# certificate.  Don't leave any of these fields blank, although interactively
# you may omit any specific field by typing the "." symbol (not valid for
# email.)

#set_var EASYRSA_REQ_COUNTRY	"US"
#set_var EASYRSA_REQ_PROVINCE	"California"
#set_var EASYRSA_REQ_CITY	"San Francisco"
#set_var EASYRSA_REQ_ORG	"Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL	"me@example.net"
#set_var EASYRSA_REQ_OU		"My Organizational Unit"

# Choose a size in bits for your keypairs. The recommended value is 2048.  Using
# 2048-bit keys is considered more than sufficient for many years into the
# future. Larger keysizes will slow down TLS negotiation and make key/DH param
# generation take much longer. Values up to 4096 should be accepted by most
# software. Only used when the crypto alg is rsa (see below.)

#set_var EASYRSA_KEY_SIZE	2048

# The default crypto mode is rsa; ec can enable elliptic curve support.
# Note that not all software supports ECC, so use care when enabling it.
# Choices for crypto alg are: (each in lower-case)
#  * rsa
#  * ec
#  * ed

#set_var EASYRSA_ALGO		rsa

# Define the named curve, used in ec & ed modes:

#set_var EASYRSA_CURVE		secp384r1

# In how many days should the root CA key expire?

#set_var EASYRSA_CA_EXPIRE	3650

# In how many days should certificates expire?

#set_var EASYRSA_CERT_EXPIRE	825

# How many days until the next CRL publish date?  Note that the CRL can still be
# parsed after this timeframe passes. It is only used for an expected next
# publication date.
set_var EASYRSA_CRL_DAYS	36500

# How many days before its expiration date a certificate is allowed to be
# renewed?
#set_var EASYRSA_CERT_RENEW	30

# Random serial numbers by default, set to no for the old incremental serial numbers
#
#set_var EASYRSA_RAND_SN	"yes"

# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
# is "no" to discourage use of deprecated extensions. If you require this
# feature to use with --ns-cert-type, set this to "yes" here. This support
# should be replaced with the more modern --remote-cert-tls feature.  If you do
# not use --ns-cert-type in your configs, it is safe (and recommended) to leave
# this defined to "no".  When set to "yes", server-signed certs get the
# nsCertType=server attribute, and also get any NS_COMMENT defined below in the
# nsComment field.

#set_var EASYRSA_NS_SUPPORT	"no"

# When NS_SUPPORT is set to "yes", this field is added as the nsComment field.
# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored.

#set_var EASYRSA_NS_COMMENT	"Easy-RSA Generated Certificate"

# A temp file used to stage cert extensions during signing. The default should
# be fine for most users; however, some users might want an alternative under a
# RAM-based FS, such as /dev/shm or /tmp on some systems.

#set_var EASYRSA_TEMP_FILE	"$EASYRSA_PKI/extensions.temp"

# !!
# NOTE: ADVANCED OPTIONS BELOW THIS POINT
# PLAY WITH THEM AT YOUR OWN RISK
# !!

# Broken shell command aliases: If you have a largely broken shell that is
# missing any of these POSIX-required commands used by Easy-RSA, you will need
# to define an alias to the proper path for the command.  The symptom will be
# some form of a 'command not found' error from your shell. This means your
# shell is BROKEN, but you can hack around it here if you really need. These
# shown values are not defaults: it is up to you to know what you're doing if
# you touch these.
#
#alias awk="/alt/bin/awk"
#alias cat="/alt/bin/cat"

# X509 extensions directory:
# If you want to customize the X509 extensions used, set the directory to look
# for extensions here. Each cert type you sign must have a matching filename,
# and an optional file named 'COMMON' is included first when present. Note that
# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then
# fallback to $EASYRSA for the 'x509-types' dir.  You may override this
# detection with an explicit dir here.
#
#set_var EASYRSA_EXT_DIR	"$EASYRSA/x509-types"

# If you want to generate KDC certificates, you need to set the realm here.
#set_var EASYRSA_KDC_REALM      "CHANGEME.EXAMPLE.COM"

# OpenSSL config file:
# If you need to use a specific openssl config file, you can reference it here.
# Normally this file is auto-detected from a file named openssl-easyrsa.cnf from the
# EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA
# specific and you cannot just use a standard config file, so this is an
# advanced feature.

#set_var EASYRSA_SSL_CONF	"$EASYRSA/openssl-easyrsa.cnf"

# Default CN:
# This is best left alone. Interactively you will set this manually, and BATCH
# callers are expected to set this themselves.

#set_var EASYRSA_REQ_CN		"ChangeMe"

# Cryptographic digest to use.
# Do not change this default unless you understand the security implications.
# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512

#set_var EASYRSA_DIGEST		"sha256"

# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly
# in batch mode without any user input, confirmation on dangerous operations,
# or most output. Setting this to any non-blank string enables batch mode.

#set_var EASYRSA_BATCH		""

./easyrsa gen-crl
=> pki/crl.pem

chmod o+r pki/crl.pem

Client鍵作成

passフレーズあり

./easyrsa build-client-full client1

passフレーズなし

./easyrsa build-client-full client1 nopass

Server設定

今まで作ったca.crt server.crt server.key dh.pem crl.pem を/etc/openvpn/ 配下にこぴって置く。

ca.keyはクライアント証明書を作るまではサーバーに置いておく。終わったら安全なところに退避すれば万が一の時鍵を作られるのを防げる。

TLS認証鍵

openvpn --genkey --secret /etc/openvpn/ta.key

server.conf作成

作ったコンフィグを貼り付けておく。これを/etc/openvpn/server/server.conf に配置する

Defaultと違うところ

• client-config-dirを設定し、ipushでクライアント側のルーティングをブロードキャストできるようにする
• サーバー側でクライアント1番のサブネット(192.168.14.0/24)をルート指定する
• client-to-client有効
• サーバー側でクライアント1番のサブネット(192.168.14.0/24)をプッシュする
• comp-lzoで圧縮する
• TLS認証鍵を指定する。サーバー側での指定は0
• user, groupをnobodyにしてルート権限奪取を防ぐ(なので、jail化の設定は行わない)
• management consoleを開いておく
• 失効リストを有効にする

port 1194
proto udp
dev tun
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
route 192.168.14.0 255.255.255.0
client-to-client
push "route 192.168.14.0 255.255.255.0"
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log         /var/log/openvpn.log
log-append  /var/log/openvpn.log
verb 3
explicit-exit-notify 1
management localhost 7505
crl-verify /etc/openvpn/crl.pem

CCD設定

クライアント配下のサブネットをサーバーやほかのクライアントから特定クライアント経由してルーティングさせたい場合はこの設定をしないといけない。

今回はclient1の配下のサブネットに接続することとするため、特定クライアントのirouteを設定する

mkdir ccd
echo "iroute 192.168.14.0 255.255.255.0" > ccd/client1
chown openvpn. -R ccd

プロセス起動する

systemctl restart openvpn-server@server

clientコンフィグファイル

ovpnファイル内に鍵、証明書を内包する書き方。一部のずぼら機種だと、鍵ファイルではなく、コンフィグで一気に読み込ませないといけない。（まじでやめてほしい）

各ca, client証明書、client鍵、TLS認証鍵をタグで囲む。-----BEGIN～ ----- ------END～------も含める。

TLS認証鍵にはkeydirectionを指定する。

client
dev tun
proto udp
remote サーバー名orIPアドレス 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</cert>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-auth>

鍵ファイルを別だしにする書き方

client
dev tun
proto udp
remote サーバー名orIPアドレス 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1