cacti realtime plugin

From version 1.x, no separate installation is required.

For details, please refer to the site below.

https://docs.cacti.net/plugin:realtime

Please note that this plugin has been merged into the base of Cacti 1.x on GitHub. Older versions of this plugin are maintained here for reference only.

Provides a method to view Cacti graphs with a resolution of up to 5 seconds.

Additional plugins: https://github.com/Cacti

Console -> Configuration -> Users -> Admin -> Permissions

Check Realtime Graphs

Console -> Configuration -> Settings -> Visual

Real-time Graphs section

Graph Timespan : 30 Seconds

Refresh Interval : 5 Seconds

Go to Graphs and click the Time Graph View button for the item being monitored.

The button below Time Graph View is the Realtime button.

Click the Real-time button.

Centos7 openvpn install

Caution: the OpenVPN server creates certificates and uses them to communicate with the client.

The OpenVPN server and the OpenVPN client must be time-synchronized. Connecting without time sync results in certificate errors.

time sync

[root@centos74 ~]# date
Thu Jan 11 00:44:42 KST 2018
[root@centos74 ~]# ntpdate time.bora.net
10 Jan 15:44:53 ntpdate[11354]: step time server 203.248.240.140 offset -32401.179524 sec
[root@centos74 ~]# date
Wed Jan 10 15:45:02 KST 2018
[root@centos74 ~]#

epel-release repo install

[root@centos74 ~]# yum install -y epel-release

openvpn easy-rsa install

[root@centos74 ~]# yum install -y openvpn easy-rsa

sysctl.conf 

[root@centos74 ~]# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@centos74 ~]# sysctl -p

openvpn config

Copy the server.conf file
[root@centos74 ~]# cp /usr/share/doc/openvpn-2.4.4/sample/sample-config-files/server.conf /etc/openvpn/
Edit the server.conf file
[root@centos74 ~]# vi /etc/openvpn/server.conf
user nobody
group nobody
;tls-auth ta.key 0 # This file is secret

Create keys

[root@centos74 ~]# mkdir -p /etc/openvpn/easy-rsa/keys
[root@centos74 ~]# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Edit the vars file
Adjust the values below as appropriate.
[root@centos74 ~]# vi /etc/openvpn/easy-rsa/vars

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
# The easy-rsa 2.0 scripts copied above read these as exported KEY_*
# shell variables; the "set_var EASYRSA_REQ_*" form belongs to easy-rsa 3
# and is not understood by "source ./vars" here.
export KEY_COUNTRY="US"
export KEY_PROVINCE="California"
export KEY_CITY="San Francisco"
export KEY_ORG="Copyleft Certificate Co"
export KEY_EMAIL="me@example.net"
export KEY_OU="My Organizational Unit"


[root@centos74 ~]# cd /etc/openvpn/easy-rsa/
[root@centos74 easy-rsa]# source ./vars
[root@centos74 easy-rsa]# ./clean-all

Generate the keys
[root@centos74 easy-rsa]# ./build-ca
Generating a 2048 bit RSA private key
...........................+++
......................................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:
[root@centos74 easy-rsa]#

build-key-server

[root@centos74 easy-rsa]# ./build-key-server server
Generating a 2048 bit RSA private key
.................+++
.....+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Jan  8 06:58:01 2028 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos74 easy-rsa]#

build-dh

[root@centos74 easy-rsa]# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.............................................................................
(output truncated)

Generate the client key

[root@centos74 ~]# cd /etc/openvpn/easy-rsa
[root@centos74 easy-rsa]# ./build-key client
Generating a 2048 bit RSA private key
..............................................+++
......................+++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [client]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'client'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Jan  8 07:00:23 2028 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos74 easy-rsa]#

Copy the key files

/openvpn/easy-rsa/keys/
[root@centos74 keys]# cp dh2048.pem ca.crt server.crt server.key /etc/openvpn/

Generate and copy ta.key (if the tls-auth line was commented out, skip the key generation below.)

[root@centos74 ~]# cd /etc/openvpn/easy-rsa/keys/
[root@centos74 keys]# openvpn --genkey --secret ta.key
[root@centos74 keys]# cp ta.key /etc/openvpn/

openvpn enable & start

[root@centos74 ~]# systemctl -f enable openvpn@server
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /usr/lib/systemd/system/openvpn@.service.
[root@centos74 log]# systemctl start openvpn@server
[root@centos74 log]# systemctl status openvpn@server.service
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2017-12-29 20:00:05 KST; 3s ago
 Main PID: 5628 (openvpn)
   Status: "Initialization Sequence Completed"
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─5628 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf

Dec 29 20:00:05 centos74 systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
Dec 29 20:00:05 centos74 systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
[root@centos74 log]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.10  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::5054:ff:fe19:15ad  prefixlen 64  scopeid 0x20<link>
        ether 52:54:00:19:15:ad  txqueuelen 1000  (Ethernet)
        RX packets 22621  bytes 10113060 (9.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 18917  bytes 1870121 (1.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 12  bytes 1404 (1.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12  bytes 1404 (1.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
        inet6 fe80::4436:6805:8730:580a  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 144 (144.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@centos74 log]#

Create a user

[root@centos74 ~]# useradd -m test
[root@centos74 ~]# passwd test
Changing password for user test.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@centos74 ~]#

Copy the client key (the key files are copied so that a VPN connection test can be run.)

[root@centos74 ~]# cd /etc/openvpn/easy-rsa/keys/
[root@centos74 keys]# cp /usr/share/doc/openvpn-2.4.4/sample/sample-config-files/client.conf .
[root@centos74 keys]# cp ca.crt client.crt client.key client.conf /home/test
[root@centos74 ~]# cd /home/test/
[root@centos74 test]# mv client.conf client.ovpn
[root@centos74 test]# vi /home/test/client.ovpn

#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# This config should work on Windows            #
# or Linux/BSD systems.  Remember on            #
# Windows to quote pathnames and use            #
# double backslashes, e.g.:                     #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################


remote 192.168.0.10 1194
user nobody
group nobody
#tls-auth ta.key 1

Download the client app from https://openvpn.net/index.php/open-source/downloads.html.

Download the files below from the OpenVPN server.

Copy them to C:\Program Files\OpenVPN\config.

Connect using the OpenVPN client. (Run the OpenVPN client as administrator.)

Connect to 10.8.0.1.

Merging into a single client.ovpn file

[root@centos610 test]# cp client.ovpn client.ovpn.org
[root@centos610 test]# cat ca.crt >> client.ovpn
[root@centos610 test]# cat client.crt >> client.ovpn
[root@centos610 test]# cat client.key >> client.ovpn
[root@centos610 test]# vi client.ovpn

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>

<cert>
Certificate:
~
-----END CERTIFICATE-----
</cert>
<key>
-----END PRIVATE KEY-----
</key>

FreeBSD11 Openvpn install

Caution: the OpenVPN server creates certificates and uses them to communicate with the client.

The OpenVPN server and the OpenVPN client must be time-synchronized. Connecting without time sync results in certificate errors.

Before installing OpenVPN from ports, update the ports tree.

time sync

root@bsd11:~ # date
Thu Jan  4 07:52:58 KST 2018
root@bsd11:~ # ntpdate time.bora.net
 3 Jan 22:53:21 ntpdate[913]: step time server 203.248.240.140 offset -32391.713806 sec
root@bsd11:~ # date
Wed Jan  3 22:53:22 KST 2018
root@bsd11:~ #

ports update

root@bsd11:~ # portsnap fetch
root@bsd11:~ # portsnap update
root@bsd11:~ # portsnap fetch update

Install

root@bsd11:~ # whereis openvpn
openvpn: /usr/ports/security/openvpn
root@bsd11:~ # cd /usr/ports/security/openvpn && make install clean

Messages after the installation completes

====> Compressing man pages (compress-man)
===> Staging rc.d startup script(s)
===>  Installing for openvpn-2.4.4
===>  Checking if openvpn already installed
===>   Registering installation for openvpn-2.4.4
Installing openvpn-2.4.4...
### ------------------------------------------------------------------------
###  Edit /etc/rc.conf[.local] to start OpenVPN automatically at system
###  startup. See /usr/local/etc/rc.d/openvpn for details.
### ------------------------------------------------------------------------
###  Connect to VPN server as a client with this command to include
###  the client.up/down scripts in the initialization:
###  openvpn-client <spec>.ovpn
### ------------------------------------------------------------------------
###  For compatibility notes when interoperating with older OpenVPN
###  versions, please, see <http://openvpn.net/relnotes.html>
### ------------------------------------------------------------------------

===> SECURITY REPORT:
      This port has installed the following files which may act as network
      servers and may therefore pose a remote security risk to the system.
/usr/local/sbin/openvpn

      This port has installed the following startup scripts which may cause
      these network services to be started at boot time.
/usr/local/etc/rc.d/openvpn

      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

      For more information, and contact details about the security
      status of this software, see the following webpage:
http://openvpn.net/index.php/open-source.html
===>  Cleaning for easy-rsa-3.0.1_1
===>  Cleaning for openvpn-2.4.4
root@bsd11:/usr/ports/security/openvpn #

Create the openvpn directory and copy the config file

root@bsd11:~ # mkdir /usr/local/etc/openvpn
root@bsd11:~ # cd /usr/local/etc/openvpn/
root@bsd11:/usr/local/etc/openvpn # cp /usr/local/share/examples/openvpn/sample-config-files/server.conf openvpn.conf

Edit openvpn.conf

root@bsd11:/usr/local/etc/openvpn # vi openvpn.conf
user nobody
group nobody
;tls-auth ta.key 0 # This file is secret

Copy the easy-rsa directory

root@bsd11:~ # cp -r /usr/local/share/easy-rsa /usr/local/etc/openvpn/easy-rsa

Edit the vars file

root@bsd11:~ # vi /usr/local/etc/openvpn/easy-rsa/vars

set_var EASYRSA_REQ_COUNTRY     "US"
set_var EASYRSA_REQ_PROVINCE    "California"
set_var EASYRSA_REQ_CITY        "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL       "me@example.net"
set_var EASYRSA_REQ_OU          "My Organizational Unit"


set_var EASYRSA_KEY_SIZE        2048

set_var EASYRSA_CA_EXPIRE       3650

set_var EASYRSA_CERT_EXPIRE     3650

Create the CA

root@bsd11:~ # cd /usr/local/etc/openvpn/easy-rsa
root@bsd11:/usr/local/etc/openvpn/easy-rsa # sh
# ./easyrsa.real help

Note: using Easy-RSA configuration from: ./vars

Easy-RSA 3 usage and overview

USAGE: easyrsa [options] COMMAND [command-options]

A list of commands is shown below. To get detailed usage and help for a
command, run:
  ./easyrsa help COMMAND

For a listing of options that can be supplied before the command, use:
  ./easyrsa help options

Here is the list of commands available with a short syntax reminder. Use the
'help' command above to get full usage details.

  init-pki
  build-ca [ cmd-opts ]
  gen-dh
  gen-req <filename_base> [ cmd-opts ]
  sign-req <type> <filename_base>
  build-client-full <filename_base> [ cmd-opts ]
  build-server-full <filename_base> [ cmd-opts ]
  revoke <filename_base>
  gen-crl
  update-db
  show-req <filename_base> [ cmd-opts ]
  show-cert <filename_base> [ cmd-opts ]
  import-req <request_file_path> <short_basename>
  export-p7 <filename_base> [ cmd-opts ]
  export-p12 <filename_base> [ cmd-opts ]
  set-rsa-pass <filename_base> [ cmd-opts ]
  set-ec-pass <filename_base> [ cmd-opts ]

DIRECTORY STATUS (commands would take effect on these locations)
  EASYRSA: /usr/local/share/easy-rsa
      PKI:  /usr/local/share/easy-rsa/pki

# ./easyrsa.real init-pki

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /usr/local/share/easy-rsa/pki

# ./easyrsa.real build-ca

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
..................+++
....+++
writing new private key to '/usr/local/share/easy-rsa/pki/private/ca.key.Q7bkrn24VV'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/usr/local/share/easy-rsa/pki/ca.crt

#

Enter PEM pass phrase: enter a password

# ./easyrsa.real build-server-full openvpn-server nopass

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...........+++
...........................................+++
writing new private key to '/usr/local/share/easy-rsa/pki/private/openvpn-server.key.r2NNHwSv7b'
-----
Using configuration from /usr/local/share/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /usr/local/share/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'openvpn-server'
Certificate is to be certified until Dec 31 15:59:10 2027 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
#

Enter pass phrase for /usr/local/share/easy-rsa/pki/private/ca.key: enter the password

Check

# ./easyrsa.real show-cert openvpn-server

Note: using Easy-RSA configuration from: ./vars

Showing cert details for 'openvpn-server'.
This file is stored at:
/usr/local/share/easy-rsa/pki/issued/openvpn-server.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer:
            commonName                = Easy-RSA CA
        Validity
            Not Before: Jan  2 15:59:10 2018 GMT
            Not After : Dec 31 15:59:10 2027 GMT
        Subject:
            commonName                = openvpn-server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                D4:AC:62:B0:E7:A9:A4:4B:C8:43:49:8D:3B:0F:44:8E:E8:EB:E5:2E
            X509v3 Authority Key Identifier:
                keyid:20:8C:CA:99:40:06:4B:E8:B8:97:C4:BE:13:1C:15:D4:66:29:2E:37
                DirName:/CN=Easy-RSA CA
                serial:D0:15:39:F6:19:C6:C3:30

            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
#

Generate the client key

# ./easyrsa.real build-client-full client

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...............................................................................................................................+++
......+++
writing new private key to '/usr/local/share/easy-rsa/pki/private/client.key.1744F02uFf'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /usr/local/share/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /usr/local/share/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client'
Certificate is to be certified until Dec 31 16:00:49 2027 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
#

Enter the password

# ./easyrsa.real gen-dh

Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
........................................................................
(output truncated)

Copy the key files

root@bsd11:~ # cd /usr/local/etc/openvpn/easy-rsa/pki
root@bsd11:/usr/local/etc/openvpn/easy-rsa/pki # cp dh.pem \
 ca.crt \
 issued/openvpn-server.crt \
 private/openvpn-server.key \
 /usr/local/etc/openvpn/

Edit openvpn.conf

root@bsd11:~ # vi /usr/local/etc/openvpn/openvpn.conf
user nobody
group nobody

# (see "pkcs12" directive in man page).
ca ca.crt
cert openvpn-server.crt
key openvpn-server.key  # This file should be kept secret

# on the server and '1' on the clients.
#tls-auth ta.key 0 # This file is secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh2048.pem 2048
dh dh.pem
remote-cert-tls client
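Both server-side edits in this walkthrough (server.conf on CentOS and openvpn.conf here) leave `tls-auth` commented out, and only the FreeBSD config adds `remote-cert-tls client`. The sh script below is an added example, not part of the original post: it audits an OpenVPN server config for those settings and for the `user`/`group` privilege drop, honouring OpenVPN's `#` and `;` comment markers so a commented-out `;tls-auth ta.key 0` is reported as disabled. The directive names are standard OpenVPN 2.4 options; the two sample configs it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an OpenVPN server
# config for the three settings the walkthrough touches. Reports when
# tls-auth (or tls-crypt) is absent or commented out, when the user/group
# drop is missing, and when remote-cert-tls is missing. Sample configs at
# the bottom are constructed for the demo.

# has_directive FILE NAME: true when NAME starts an active (uncommented)
# line. OpenVPN treats lines starting with '#' or ';' as comments.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# audit_server_conf FILE: print one WARN line per finding; return 1 if any.
audit_server_conf() {
    f="$1"; n=0
    if ! has_directive "$f" tls-auth && ! has_directive "$f" tls-crypt; then
        echo "WARN: tls-auth/tls-crypt disabled; unauthenticated packets reach the TLS control channel"
        n=$((n + 1))
    fi
    if ! has_directive "$f" user || ! has_directive "$f" group; then
        echo "WARN: no 'user'/'group' directive; openvpn keeps root privileges after startup"
        n=$((n + 1))
    fi
    if ! has_directive "$f" remote-cert-tls; then
        echo "WARN: no 'remote-cert-tls client'; a server certificate from the same CA would be accepted as a client identity"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# count_findings FILE: print the number of WARN lines (0 when clean).
count_findings() {
    audit_server_conf "$1" | grep -c '^WARN' || true
}

# make_conf_samples: write two constructed server configs, print the dir.
make_conf_samples() {
    d=$(mktemp -d)
    # as edited in the post: privileges dropped, tls-auth commented out,
    # no remote-cert-tls
    printf '%s\n' 'port 1194' 'proto udp' 'dev tun' 'ca ca.crt' \
        'cert server.crt' 'key server.key' 'dh dh2048.pem' \
        'server 10.8.0.0 255.255.255.0' 'user nobody' 'group nobody' \
        ';tls-auth ta.key 0 # This file is secret' > "$d/as-in-post.conf"
    # hardened variant: the ta.key from "openvpn --genkey --secret ta.key"
    # is actually used, and client certificates are checked for their role
    printf '%s\n' 'port 1194' 'proto udp' 'dev tun' 'ca ca.crt' \
        'cert server.crt' 'key server.key' 'dh dh2048.pem' \
        'server 10.8.0.0 255.255.255.0' 'user nobody' 'group nobody' \
        'tls-auth ta.key 0' 'remote-cert-tls client' > "$d/hardened.conf"
    echo "$d"
}

# Demo run over the two constructed configs.
demo=$(make_conf_samples)
for c in as-in-post hardened; do
    echo "== $c.conf"
    audit_server_conf "$demo/$c.conf" || true
done
```

Run it with `sh` against a real `/etc/openvpn/server.conf` or `/usr/local/etc/openvpn/openvpn.conf` by calling `audit_server_conf` on that path instead of the constructed samples; a clean config returns 0, which makes it usable from a deployment script. If `tls-auth ta.key 0` is enabled on the server, the client side needs the matching `tls-auth ta.key 1` line uncommented and a copy of `ta.key`.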

Client configuration

root@bsd11:~ # cd /usr/local/etc/openvpn/
root@bsd11:/usr/local/etc/openvpn # cp /usr/local/share/examples/openvpn/sample-config-files/client.conf .
root@bsd11:/usr/local/etc/openvpn # vi client.conf

remote 192.168.0.10 1194


# Try to preserve some state across restarts.

ca ca.crt
cert client.crt
key client.key

#tls-auth ta.key 1

openvpn enable

root@bsd11:~ # sysrc openvpn_enable="YES"
openvpn_enable:  -> YES
root@bsd11:~ # sysrc openvpn_if="tun"
openvpn_if:  -> tun
root@bsd11:~ #

openvpn start

root@bsd11:~ # service openvpn start
Starting openvpn.
root@bsd11:~ #

Check the tun device

root@bsd11:~ # ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0c:29:9b:2a:24
        hwaddr 00:0c:29:9b:2a:24
        inet 192.168.0.10 netmask 0xffffff80 broadcast 192.168.0.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::20c:29ff:fe9b:2a24%tun0 prefixlen 64 scopeid 0x3
        inet 10.8.0.1 --> 10.8.0.2  netmask 0xffffffff
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: tun
        Opened by PID 44459
root@bsd11:~ #

Create a test user

root@bsd11:~ # pw user add test -m
root@bsd11:~ # passwd test
Changing local password for test

Copy the key files

root@bsd11:/home/test # cp /usr/local/etc/openvpn/ca.crt .
root@bsd11:/home/test # cp /usr/local/etc/openvpn/client.conf .
root@bsd11:/home/test # cp /usr/local/etc/openvpn/easy-rsa/pki/private/client.key .
root@bsd11:/home/test # cp /usr/local/etc/openvpn/easy-rsa/pki/issued/client.crt .
root@bsd11:/home/test # mv client.conf client.ovpn

windows

Copy the files to the C:\Program Files\OpenVPN\config directory and run the test.

Connection test using the OpenVPN client

ping test (run the ping test against the OpenVPN tun device.)

Verify ssh access

Building an .ovpn file from the crt and key files

ca.crt / client.crt / client.key

Register the contents shown by cat in the client.ovpn file.

root@bsd11:/home/test # cat ca.crt
root@bsd11:/home/test # cat client.crt
root@bsd11:/home/test # cat client.key

Register them using the <ca></ca> syntax as shown below.

root@bsd11:/home/test # vi client.ovpn
#ca ca.crt
#cert client.crt
#key client.key
<ca>
-----BEGIN CERTIFICATE-----
MIIDNTCCAh2gAwIBAgIJANWmpHXX73e/MA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
(truncated)
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
(truncated)
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
</key>
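The two bundling passages in this page (the CentOS `cat ... >> client.ovpn` steps and the FreeBSD `<ca></ca>` edit above) append the raw files and then wrap them in tags by hand. The sh script below is an added example, not part of the original post: it does the same bundling in one step, keeps only the PEM section of each file (easy-rsa writes a human-readable dump before the PEM block of issued `.crt` files), comments out the `ca`/`cert`/`key` file directives so OpenVPN does not look for separate files, and restricts the file mode, since the bundle now carries the private key. The inputs it writes are constructed placeholders, not real certificates or keys.

```shell
#!/bin/sh
# Added example, not part of the original post: build a single-file
# client.ovpn with ca.crt, client.crt and client.key inlined in
# <ca>/<cert>/<key> blocks. The sample inputs are constructed for the demo.

# pem_block FILE: print only the "-----BEGIN ..." to "-----END ..." section.
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# build_inline_ovpn BASE_CONF CA CERT KEY OUT
# Writes OUT and returns 0, or prints a reason to stderr and returns 1.
build_inline_ovpn() {
    base="$1" ca="$2" cert="$3" key="$4" out="$5"
    for f in "$base" "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; return 1; }
    done
    # refuse to inline a file that carries no PEM block (wrong path, empty file)
    for f in "$ca" "$cert" "$key"; do
        [ -n "$(pem_block "$f")" ] || { echo "no PEM block in: $f" >&2; return 1; }
    done
    {
        # disable the directives that point at separate files
        sed -e 's/^ca /#&/' -e 's/^cert /#&/' -e 's/^key /#&/' "$base"
        echo '<ca>';   pem_block "$ca";   echo '</ca>'
        echo '<cert>'; pem_block "$cert"; echo '</cert>'
        echo '<key>';  pem_block "$key";  echo '</key>'
    } > "$out"
    chmod 600 "$out"   # the bundle now contains the private key
}

# make_sample_dir: write constructed placeholder inputs (not real
# certificates or keys) into a temporary directory and print its path.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' 'client' 'dev tun' 'proto udp' 'remote 192.168.0.10 1194' \
        'ca ca.crt' 'cert client.crt' 'key client.key' 'remote-cert-tls server' \
        > "$d/client.conf"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'SAMPLE_CA_BODY' \
        '-----END CERTIFICATE-----' > "$d/ca.crt"
    # easy-rsa issued certificates start with a human-readable dump
    printf '%s\n' 'Certificate:' '    Data:' '        Version: 3 (0x2)' \
        '-----BEGIN CERTIFICATE-----' 'SAMPLE_CLIENT_BODY' \
        '-----END CERTIFICATE-----' > "$d/client.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'SAMPLE_KEY_BODY' \
        '-----END PRIVATE KEY-----' > "$d/client.key"
    echo "$d"
}

# Demo run: build the bundle from the constructed inputs and show it.
demo_dir=$(make_sample_dir)
build_inline_ovpn "$demo_dir/client.conf" "$demo_dir/ca.crt" \
    "$demo_dir/client.crt" "$demo_dir/client.key" "$demo_dir/client.ovpn"
cat "$demo_dir/client.ovpn"
```

In practice, point `build_inline_ovpn` at the files copied into the test user's home directory instead of `make_sample_dir`. For the FreeBSD client key, which was generated with a passphrase, the inlined block starts with `-----BEGIN ENCRYPTED PRIVATE KEY-----` and the client prompts for the passphrase on connect; the `sed` range matches that header as well.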

 

For the connection test, only the client.ovpn file needs to be present in C:\Program Files\OpenVPN\config.

Run the ping test and the ssh connection test.