Raspberry Pi #2 migration plan, round two.
This time I'm putting OpenVPN on it. Hopefully it works.
Installation
Download the latest OpenVPN and run configure.
# cd /usr/local/src
# wget https://swupdate.openvpn.org/community/releases/openvpn-2.4.3.tar.gz
# tar xvfz openvpn-2.4.3.tar.gz
# cd openvpn-2.4.3/
# ./configure --prefix=/usr/local/openvpn-2.4.3
...
configure: error: openssl check failed
Install openssl-devel with yum.
# yum install openssl-devel
# ./configure --prefix=/usr/local/openvpn-2.4.3
...
configure: error: lzo enabled but missing
Next, install lzo-devel.
# yum install lzo-devel
# ./configure --prefix=/usr/local/openvpn-2.4.3
...
configure: error: libpam required but missing
Next, install pam-devel.
# yum install pam-devel
# ./configure --prefix=/usr/local/openvpn-2.4.3
With that it finally went through. Now make and make install.
# make
# make install
# cd /usr/local/
# ln -s openvpn-2.4.3 openvpn
Authentication
Next, set up the authentication side. I'll use easyrsa.
# cd /usr/local/src
# wget https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz
# tar xzf EasyRSA-3.0.1.tgz
# cd EasyRSA-3.0.1/
Create the certificates and keys. I didn't know how to use it, so I followed the site below.
VPN Server Setup (OpenVPN) - Home Server Setup with CentOS
# ./easyrsa init-pki
# ./easyrsa build-ca
Generating a 2048 bit RSA private key
....................+++
...............................................................+++
writing new private key to '/usr/local/src/EasyRSA-3.0.1/pki/private/ca.key.enWaIA2exV'
Enter PEM pass phrase: (enter a passphrase)
Verifying - Enter PEM pass phrase: (re-enter the passphrase)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:centos7.unknownengineer.com (your own hostname)

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/usr/local/src/EasyRSA-3.0.1/pki/ca.crt

# ./easyrsa build-server-full server nopass
(enter the passphrase from earlier)
# mkdir -p /usr/local/openvpn/etc
# cp -p pki/ca.crt /usr/local/openvpn/etc
# cp -p pki/issued/server.crt /usr/local/openvpn/etc
# cp -p pki/private/server.key /usr/local/openvpn/etc
# ./easyrsa gen-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time

DH parameters of size 2048 created at /usr/local/src/EasyRSA-3.0.1/pki/dh.pem

# cp -p pki/dh.pem /usr/local/openvpn/etc/
# ./easyrsa build-client-full dmy nopass
Generating a 2048 bit RSA private key
.........+++
.......................+++
writing new private key to '/usr/local/src/EasyRSA-3.0.1/pki/private/dmy.key.18iFA8gcPs'
-----
Using configuration from /usr/local/src/EasyRSA-3.0.1/openssl-1.0.cnf
Enter pass phrase for /usr/local/src/EasyRSA-3.0.1/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'dmy'
Certificate is to be certified until Jul 13 08:20:07 2027 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated

# ./easyrsa revoke dmy

Please confirm you wish to revoke the certificate with the following subject:

subject=
    commonName                = dmy

Type the word 'yes' to continue, or any other input to abort.
  Continue with revocation: yes (type this and press Enter)
Using configuration from /usr/local/src/EasyRSA-3.0.1/openssl-1.0.cnf
Enter pass phrase for /usr/local/src/EasyRSA-3.0.1/pki/private/ca.key:
Revoking Certificate 02.
Data Base Updated

IMPORTANT!!!

Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.

# rm -rf pki/issued/dmy.crt
# rm -rf pki/private/dmy.key
# rm -rf pki/reqs/dmy.req
# cp -p vars vars.sample
# vim vars
set_var EASYRSA_CRL_DAYS 3650
# vim vars.sample
set_var EASYRSA_CRL_DAYS 3650
# ./easyrsa gen-crl
# cp pki/crl.pem /usr/local/openvpn/etc/
# chmod o+r /usr/local/openvpn/etc/crl.pem
It seems to have worked, more or less. (You never really know what all the certificate stuff is actually doing, do you...)
OpenVPN configuration
Create the config file. For now I'm basing it on the following.
openvpn/server.conf at master · OpenVPN/openvpn · GitHub
# vim /usr/local/openvpn/etc/server.conf.sample # cp -p /usr/local/openvpn/etc/server.conf.sample /usr/local/openvpn/etc/server.conf # vim server.conf # diff -u server.conf.sample server.conf --- server.conf.sample 2017-07-15 17:53:39.765973293 +0900 +++ server.conf 2017-07-15 17:46:44.248841166 +0900 @@ -75,14 +75,14 @@ # Any X509 key management system can be used. # OpenVPN can also use a PKCS #12 formatted key file # (see "pkcs12" directive in man page). -ca ca.crt -cert server.crt -key server.key # This file should be kept secret +ca /usr/local/openvpn/etc/ca.crt +cert /usr/local/openvpn/etc/server.crt +key /usr/local/openvpn/etc/server.key # This file should be kept secret # Diffie hellman parameters. # Generate your own with: -# openssl dhparam -out dh2048.pem 2048 -dh dh2048.pem +# openvpn dhparam -out dh2048.pem 2048 +dh /usr/local/openvpn/etc/dh.pem # Network topology # Should be subnet (addressing via IP) @@ -140,6 +140,7 @@ # back to the OpenVPN server. ;push "route 192.168.10.0 255.255.255.0" ;push "route 192.168.20.0 255.255.255.0" +push "route 192.168.1.0 255.255.255.0" # To assign specific IP addresses to specific # clients or if a connecting client has a private @@ -241,7 +242,7 @@ # a copy of this key. # The second parameter should be '0' # on the server and '1' on the clients. -tls-auth ta.key 0 # This file is secret +tls-auth /usr/local/openvpn/etc/ta.key 0 # This file is secret # Select a cryptographic cipher. # This config item must be copied to @@ -271,8 +272,8 @@ # # You can uncomment this out on # non-Windows systems. -;user nobody -;group nobody +user nobody +group nobody # The persist options will try to avoid # accessing certain resources on restart @@ -294,7 +295,7 @@ # while "log-append" will append to it. Use one # or the other (but not both). ;log openvpn.log -;log-append openvpn.log +log-append /var/log/openvpn.log # Set the appropriate level of log # file verbosity. 
@@ -313,3 +314,6 @@ # Notify the client that when the server restarts so it # can automatically reconnect. explicit-exit-notify 1 + +management localhost 7505 +crl-verify /usr/local/openvpn/etc/crl.pem
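Review bot: in the first hunk the comment `# openssl dhparam -out dh2048.pem 2048` was changed to `# openvpn dhparam -out dh2048.pem 2048`, which is not a real command (openvpn has no dhparam subcommand). Since `dh /usr/local/openvpn/etc/dh.pem` points at the file produced by `./easyrsa gen-dh` earlier in the post, either restore `openssl` in the comment or replace it with `# generated with ./easyrsa gen-dh` so the note matches how the file was actually made.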
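Review bot: the `push "route 192.168.1.0 255.255.255.0"` hunk hands clients a route to the home LAN, but nothing in the post enables net.ipv4.ip_forward or adds a forwarding or NAT rule on the server; without those, client packets for 192.168.1.0/24 arrive on the tun interface and go nowhere. Worth documenting next to this line.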
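Review bot: `tls-auth /usr/local/openvpn/etc/ta.key 0` references a file that none of the steps above create; easyrsa does not generate it. The daemon will refuse to start until the key exists, so add `openvpn --genkey --secret /usr/local/openvpn/etc/ta.key` (mode 600, root-owned) to the procedure, and note that the same key must be distributed to every client with direction `1`.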
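Review bot: in the last hunk `management localhost 7505` is added without the password-file argument, so any process on the host that can connect to 127.0.0.1:7505 can issue management commands (kill client sessions, signal the daemon). The sample config documents a third argument naming a password file; add one, or drop the directive if the interface is not needed. `crl-verify /usr/local/openvpn/etc/crl.pem` is fine, but because the daemon now runs as `user nobody` the CRL is re-read without root privileges, which is why the earlier `chmod o+r crl.pem` step is required; keep the two together in the write-up.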
Startup script
Prepare to start it with systemd.
# vim /etc/systemd/system/openvpn-server.service
[Unit]
Description=OpenVPN service
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=simple
PrivateTmp=true
ExecStart=/usr/local/openvpn/sbin/openvpn --config /usr/local/openvpn/etc/server.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
It didn't start properly at first, but after I set Type=simple it started fine.
That's about it for now.