The Engineer Who Doesn't Quite Get It

Daily notes of an engineer who doesn't quite get it (無音鈴鹿)

Installing OpenVPN on CentOS 7 (Raspberry Pi 3)

The plan to move things over to my second Raspberry Pi, once again.
This time I'm putting OpenVPN on it. I hope it runs well.

Installation

Download the latest OpenVPN and run configure.

# cd /usr/local/src
# wget https://swupdate.openvpn.org/community/releases/openvpn-2.4.3.tar.gz
# tar xvfz openvpn-2.4.3.tar.gz
# cd openvpn-2.4.3/
# ./configure --prefix=/usr/local/openvpn-2.4.3
・
・
・
configure: error: openssl check failed

Install openssl-devel with yum.

# yum install openssl-devel
# ./configure --prefix=/usr/local/openvpn-2.4.3
・
・
configure: error: lzo enabled but missing

Next, install lzo-devel.

# yum install lzo-devel
# ./configure --prefix=/usr/local/openvpn-2.4.3
・
・
configure: error: libpam required but missing

Next, install pam-devel.

# yum install pam-devel
# ./configure --prefix=/usr/local/openvpn-2.4.3

With that, configure finally went through. Now run make and make install.

# make
# make install
# cd /usr/local/
# ln -s openvpn-2.4.3 openvpn

Authentication

Next, set up the authentication side. I'll use easyrsa.

# cd /usr/local/src
# wget https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz
# tar xzf EasyRSA-3.0.1.tgz
# cd EasyRSA-3.0.1/

Create the certificates and keys. I didn't know how to use it, so I referred to the following site.

VPN Server Setup (OpenVPN) - Building a Home Server with CentOS

# ./easyrsa init-pki
# ./easyrsa build-ca
Generating a 2048 bit RSA private key
....................+++
...............................................................+++
writing new private key to '/usr/local/src/EasyRSA-3.0.1/pki/private/ca.key.enWaIA2exV'
Enter PEM pass phrase:(enter a passphrase)
Verifying - Enter PEM pass phrase:(enter the passphrase again)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:centos7.unknownengineer.com(your own host name)

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/usr/local/src/EasyRSA-3.0.1/pki/ca.crt
# ./easyrsa build-server-full server nopass
(enter the passphrase from earlier)
# mkdir -p /usr/local/openvpn/etc
# cp -p pki/ca.crt /usr/local/openvpn/etc
# cp -p pki/issued/server.crt /usr/local/openvpn/etc
# cp -p pki/private/server.key /usr/local/openvpn/etc
# ./easyrsa gen-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
DH parameters of size 2048 created at /usr/local/src/EasyRSA-3.0.1/pki/dh.pem
# cp -p pki/dh.pem /usr/local/openvpn/etc/
# ./easyrsa build-client-full dmy nopass
Generating a 2048 bit RSA private key
.........+++
.......................+++
writing new private key to '/usr/local/src/EasyRSA-3.0.1/pki/private/dmy.key.18iFA8gcPs'
-----
Using configuration from /usr/local/src/EasyRSA-3.0.1/openssl-1.0.cnf
Enter pass phrase for /usr/local/src/EasyRSA-3.0.1/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'dmy'
Certificate is to be certified until Jul 13 08:20:07 2027 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
# ./easyrsa revoke dmy


Please confirm you wish to revoke the certificate with the following subject:

subject=
    commonName                = dmy


Type the word 'yes' to continue, or any other input to abort.
  Continue with revocation: yes (← type this and press Enter)
Using configuration from /usr/local/src/EasyRSA-3.0.1/openssl-1.0.cnf
Enter pass phrase for /usr/local/src/EasyRSA-3.0.1/pki/private/ca.key:
Revoking Certificate 02.
Data Base Updated

IMPORTANT!!!

Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.

# rm -rf pki/issued/dmy.crt
# rm -rf pki/private/dmy.key
# rm -rf pki/reqs/dmy.req

# cp -p vars vars.sample
# vim vars
set_var EASYRSA_CRL_DAYS        3650
# vim vars.sample
set_var EASYRSA_CRL_DAYS        3650
# ./easyrsa gen-crl
# cp pki/crl.pem /usr/local/openvpn/etc/
# chmod o+r /usr/local/openvpn/etc/crl.pem

That seems to have worked for now. (With certificate stuff you never really know what you're doing, do you...)

OpenVPN configuration

Create the config file. As a starting point, I base it on the following.
openvpn/server.conf at master · OpenVPN/openvpn · GitHub

# vim /usr/local/openvpn/etc/server.conf.sample
# cp -p /usr/local/openvpn/etc/server.conf.sample /usr/local/openvpn/etc/server.conf
# vim server.conf
# diff -u server.conf.sample server.conf
--- server.conf.sample  2017-07-15 17:53:39.765973293 +0900
+++ server.conf 2017-07-15 17:46:44.248841166 +0900
@@ -75,14 +75,14 @@
 # Any X509 key management system can be used.
 # OpenVPN can also use a PKCS #12 formatted key file
 # (see "pkcs12" directive in man page).
-ca ca.crt
-cert server.crt
-key server.key  # This file should be kept secret
+ca /usr/local/openvpn/etc/ca.crt
+cert /usr/local/openvpn/etc/server.crt
+key /usr/local/openvpn/etc/server.key  # This file should be kept secret

 # Diffie hellman parameters.
 # Generate your own with:
-#   openssl dhparam -out dh2048.pem 2048
-dh dh2048.pem
+#   openvpn dhparam -out dh2048.pem 2048
+dh /usr/local/openvpn/etc/dh.pem

 # Network topology
 # Should be subnet (addressing via IP)
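
Review bot: the comment line that changed from "openssl dhparam" to "openvpn dhparam" in the Diffie hellman block looks like an accidental edit. The sample's hint was an openssl command, and it still names dh2048.pem while the directive below it now loads the dh.pem produced by ./easyrsa gen-dh. Revert that comment line, or reword it to say the file comes from easyrsa gen-dh. For the key line, confirm that server.key kept its owner-only mode after cp -p, since the comment on that very line says it should be kept secret.
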
@@ -140,6 +140,7 @@
 # back to the OpenVPN server.
 ;push "route 192.168.10.0 255.255.255.0"
 ;push "route 192.168.20.0 255.255.255.0"
+push "route 192.168.1.0 255.255.255.0"

 # To assign specific IP addresses to specific
 # clients or if a connecting client has a private
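
Review bot: the added push "route 192.168.1.0 255.255.255.0" gives every client that holds a valid certificate a route to the whole server-side LAN, and 192.168.1.0/24 is a subnet many client networks already use themselves, so the pushed route can collide on the client side. If clients only need a few hosts, push narrower routes or restrict the traffic with firewall rules on the server. The LAN side also needs IP forwarding and a return route to the VPN subnet, which this diff does not show.
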
@@ -241,7 +242,7 @@
 # a copy of this key.
 # The second parameter should be '0'
 # on the server and '1' on the clients.
-tls-auth ta.key 0 # This file is secret
+tls-auth /usr/local/openvpn/etc/ta.key 0 # This file is secret

 # Select a cryptographic cipher.
 # This config item must be copied to
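
Review bot: tls-auth now points at /usr/local/openvpn/etc/ta.key, but none of the earlier steps on the page create that file, so the server will not start until it exists. Generate it with openvpn --genkey --secret /usr/local/openvpn/etc/ta.key, keep it readable by root only, and hand the clients the same file with direction 1, as the context comment says.
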
@@ -271,8 +272,8 @@
 #
 # You can uncomment this out on
 # non-Windows systems.
-;user nobody
-;group nobody
+user nobody
+group nobody

 # The persist options will try to avoid
 # accessing certain resources on restart
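
Review bot: enabling user nobody / group nobody does drop root, but nobody is an account that other daemons commonly share, so anything OpenVPN leaves accessible to that account is also reachable from those processes. A dedicated system account (for example one named openvpn, which is an assumption here and would have to be created) isolates better. Whichever account is used, files read after the drop, such as the crl-verify file added at the end of this diff, must stay readable by it.
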
@@ -294,7 +295,7 @@
 # while "log-append" will append to it.  Use one
 # or the other (but not both).
 ;log         openvpn.log
-;log-append  openvpn.log
+log-append  /var/log/openvpn.log

 # Set the appropriate level of log
 # file verbosity.
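
Review bot: log-append /var/log/openvpn.log appends forever, and nothing on the page rotates the file or sets its mode. The log records client addresses and certificate names, so add a logrotate rule for it and keep it readable by root only.
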
@@ -313,3 +314,6 @@
 # Notify the client that when the server restarts so it
 # can automatically reconnect.
 explicit-exit-notify 1
+
+management localhost 7505
+crl-verify /usr/local/openvpn/etc/crl.pem
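
Review bot: management localhost 7505 is added without a password file, so any local user or process that can reach that TCP port can connect to the management interface and control the server. Add a password file as the third argument, or use a unix socket instead of TCP. For the crl-verify line, note that /usr/local/openvpn/etc/crl.pem is a copy: after every ./easyrsa revoke, ./easyrsa gen-crl has to be run again and the new pki/crl.pem copied over it, otherwise the revoked certificate is still accepted.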

Startup script

Prepare to start it with systemd.

# vim /etc/systemd/system/openvpn-server.service

[Unit]
Description=OpenVPN service
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=simple
PrivateTmp=true
ExecStart=/usr/local/openvpn/sbin/openvpn --config /usr/local/openvpn/etc/server.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true

It didn't start properly at first, but after changing it to Type=simple it started fine.
That's it for now.
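
A pre-start check for the files that server.conf points at, as an added example that is not part of the original post. The function name audit_openvpn_conf and the MISSING / LOOSE / UNREADABLE / OPEN labels are made up here; it assumes GNU stat (as on CentOS 7) and judges CRL readability only by the "other" permission bit.

```sh
#!/bin/sh
# Pre-start audit of an OpenVPN server.conf (added example, GNU stat assumed).
# Prints one finding per line; returns non-zero if there was any finding.
audit_openvpn_conf() {
    conf=$1
    findings=0
    # Privileges are dropped when an active "user" directive is present.
    drops_priv=no
    grep -Eq '^[[:space:]]*user[[:space:]]' "$conf" && drops_priv=yes
    while read -r directive arg1 arg2 arg3 rest || [ -n "$directive" ]; do
        case $directive in
        ca|cert|key|dh|tls-auth|crl-verify)
            if [ ! -f "$arg1" ]; then
                echo "MISSING $directive $arg1"; findings=$((findings + 1))
                continue
            fi
            mode=$(stat -c %a "$arg1")     # octal, e.g. 600
            case $directive:$mode in
            key:*00|tls-auth:*00) ;;       # secrets readable by owner only
            key:*|tls-auth:*)
                echo "LOOSE $directive $arg1 mode=$mode"
                findings=$((findings + 1)) ;;
            crl-verify:*[4567]) ;;         # CRL readable by "other"
            crl-verify:*)
                # OpenVPN re-reads the CRL per connection, after the drop.
                if [ "$drops_priv" = yes ]; then
                    echo "UNREADABLE crl-verify $arg1 mode=$mode"
                    findings=$((findings + 1))
                fi ;;
            esac ;;
        management)
            # TCP management with no password file is open to every local
            # process; a unix socket is protected by file permissions.
            case $arg2:$arg3 in
            unix:*) ;;
            *:|*:'#'*)
                echo "OPEN management $arg1 $arg2"
                findings=$((findings + 1)) ;;
            esac ;;
        esac
    done < "$conf"
    [ "$findings" -eq 0 ]
}

# Audit the path given as $1, or the path used on this page if it exists.
conf_path=${1:-/usr/local/openvpn/etc/server.conf}
if [ -f "$conf_path" ]; then audit_openvpn_conf "$conf_path" || true; fi
```

Run against the server.conf built above, it would report the ta.key that was never generated and the management line without a password file, while the chmod o+r on crl.pem keeps the CRL check quiet.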