FreeBSD 11 OpenVPN install
Note: the OpenVPN server creates certificates and uses them to talk to the client.
The clocks of the OpenVPN server and the OpenVPN client must be synchronised. If you connect with OpenVPN without time sync, certificate errors occur.
Before installing OpenVPN from ports, update the ports tree.
time sync
root@bsd11:~ # date
Thu Jan 4 07:52:58 KST 2018
root@bsd11:~ # ntpdate time.bora.net
3 Jan 22:53:21 ntpdate[913]: step time server 203.248.240.140 offset -32391.713806 sec
root@bsd11:~ # date
Wed Jan 3 22:53:22 KST 2018
root@bsd11:~ #
ports update
root@bsd11:~ # portsnap fetch
root@bsd11:~ # portsnap update
root@bsd11:~ # portsnap fetch update
Install
root@bsd11:~ # whereis openvpn
openvpn: /usr/ports/security/openvpn
root@bsd11:~ # cd /usr/ports/security/openvpn && make install clean
Messages after the install completes
====> Compressing man pages (compress-man)
===> Staging rc.d startup script(s)
===> Installing for openvpn-2.4.4
===> Checking if openvpn already installed
===> Registering installation for openvpn-2.4.4
Installing openvpn-2.4.4...
### ------------------------------------------------------------------------
### Edit /etc/rc.conf[.local] to start OpenVPN automatically at system
### startup. See /usr/local/etc/rc.d/openvpn for details.
### ------------------------------------------------------------------------
### Connect to VPN server as a client with this command to include
### the client.up/down scripts in the initialization:
### openvpn-client <spec>.ovpn
### ------------------------------------------------------------------------
### For compatibility notes when interoperating with older OpenVPN
### versions, please, see <http://openvpn.net/relnotes.html>
### ------------------------------------------------------------------------
===> SECURITY REPORT:
This port has installed the following files which may act as network
servers and may therefore pose a remote security risk to the system.
/usr/local/sbin/openvpn
This port has installed the following startup scripts which may cause
these network services to be started at boot time.
/usr/local/etc/rc.d/openvpn
If there are vulnerabilities in these programs there may be a security
risk to the system. FreeBSD makes no guarantee about the security of
ports included in the Ports Collection. Please type 'make deinstall'
to deinstall the port if this is a concern.
For more information, and contact details about the security
status of this software, see the following webpage:
http://openvpn.net/index.php/open-source.html
===> Cleaning for easy-rsa-3.0.1_1
===> Cleaning for openvpn-2.4.4
root@bsd11:/usr/ports/security/openvpn #
Create the openvpn directory and copy the sample config file
root@bsd11:~ # mkdir /usr/local/etc/openvpn
root@bsd11:~ # cd /usr/local/etc/openvpn/
root@bsd11:/usr/local/etc/openvpn # cp /usr/local/share/examples/openvpn/sample-config-files/server.conf openvpn.conf
Edit the openvpn.conf file
root@bsd11:/usr/local/etc/openvpn # vi openvpn.conf
user nobody
group nobody
;tls-auth ta.key 0 # This file is secret
Copy the easy-rsa directory
root@bsd11:~ # cp -r /usr/local/share/easy-rsa /usr/local/etc/openvpn/easy-rsa
Edit the vars file
root@bsd11:~ # vi /usr/local/etc/openvpn/easy-rsa/vars
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "me@example.net"
set_var EASYRSA_REQ_OU "My Organizational Unit"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 3650
Create the CA
root@bsd11:~ # cd /usr/local/etc/openvpn/easy-rsa
root@bsd11:/usr/local/etc/openvpn/easy-rsa # sh
# ./easyrsa.real help
Note: using Easy-RSA configuration from: ./vars
Easy-RSA 3 usage and overview
USAGE: easyrsa [options] COMMAND [command-options]
A list of commands is shown below. To get detailed usage and help for a
command, run:
./easyrsa help COMMAND
For a listing of options that can be supplied before the command, use:
./easyrsa help options
Here is the list of commands available with a short syntax reminder. Use the
'help' command above to get full usage details.
init-pki
build-ca [ cmd-opts ]
gen-dh
gen-req <filename_base> [ cmd-opts ]
sign-req <type> <filename_base>
build-client-full <filename_base> [ cmd-opts ]
build-server-full <filename_base> [ cmd-opts ]
revoke <filename_base>
gen-crl
update-db
show-req <filename_base> [ cmd-opts ]
show-cert <filename_base> [ cmd-opts ]
import-req <request_file_path> <short_basename>
export-p7 <filename_base> [ cmd-opts ]
export-p12 <filename_base> [ cmd-opts ]
set-rsa-pass <filename_base> [ cmd-opts ]
set-ec-pass <filename_base> [ cmd-opts ]
DIRECTORY STATUS (commands would take effect on these locations)
EASYRSA: /usr/local/share/easy-rsa
PKI: /usr/local/share/easy-rsa/pki
# ./easyrsa.real init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /usr/local/share/easy-rsa/pki
# ./easyrsa.real build-ca
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
..................+++
....+++
writing new private key to '/usr/local/share/easy-rsa/pki/private/ca.key.Q7bkrn24VV'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/usr/local/share/easy-rsa/pki/ca.crt
#
Enter PEM pass phrase: enter a password
# ./easyrsa.real build-server-full openvpn-server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...........+++
...........................................+++
writing new private key to '/usr/local/share/easy-rsa/pki/private/openvpn-server.key.r2NNHwSv7b'
-----
Using configuration from /usr/local/share/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /usr/local/share/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'openvpn-server'
Certificate is to be certified until Dec 31 15:59:10 2027 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
#
Enter pass phrase for /usr/local/share/easy-rsa/pki/private/ca.key: enter the CA password
Check
# ./easyrsa.real show-cert openvpn-server
Note: using Easy-RSA configuration from: ./vars
Showing cert details for 'openvpn-server'.
This file is stored at:
/usr/local/share/easy-rsa/pki/issued/openvpn-server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer:
commonName = Easy-RSA CA
Validity
Not Before: Jan 2 15:59:10 2018 GMT
Not After : Dec 31 15:59:10 2027 GMT
Subject:
commonName = openvpn-server
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
D4:AC:62:B0:E7:A9:A4:4B:C8:43:49:8D:3B:0F:44:8E:E8:EB:E5:2E
X509v3 Authority Key Identifier:
keyid:20:8C:CA:99:40:06:4B:E8:B8:97:C4:BE:13:1C:15:D4:66:29:2E:37
DirName:/CN=Easy-RSA CA
serial:D0:15:39:F6:19:C6:C3:30
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
#
Create the client key
# ./easyrsa.real build-client-full client
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...............................................................................................................................+++
......+++
writing new private key to '/usr/local/share/easy-rsa/pki/private/client.key.1744F02uFf'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /usr/local/share/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /usr/local/share/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client'
Certificate is to be certified until Dec 31 16:00:49 2027 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
#
Enter a password at each prompt
# ./easyrsa.real gen-dh
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
........................................................................
... (output trimmed)
Copy the key files
root@bsd11:~ # cd /usr/local/etc/openvpn/easy-rsa/pki
root@bsd11:/usr/local/etc/openvpn/easy-rsa/pki # cp dh.pem \
ca.crt \
issued/openvpn-server.crt \
private/openvpn-server.key \
/usr/local/etc/openvpn/
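As an added example (not part of the original write-up), the copy above as a small POSIX sh script that refuses to run with a missing input and keeps the server private key readable by root only; the directory and certificate-name arguments are assumptions matching the paths used on this page.

```shell
#!/bin/sh
# Added example, not from the original write-up: copy the easy-rsa output that
# openvpn.conf references (ca, cert, key, dh) into the OpenVPN config directory,
# keeping the server private key readable by root only.
# The directory and certificate-name arguments are assumptions; on this page
# they are /usr/local/etc/openvpn/easy-rsa/pki, /usr/local/etc/openvpn and
# openvpn-server.

# install_pki_files <pki-dir> <openvpn-config-dir> <server-cert-name>
install_pki_files() {
    pki="$1"
    dest="$2"
    name="$3"

    # Refuse to run if any input is missing, instead of leaving a half-copied
    # set that makes openvpn fail at start with a "cannot read" error.
    for src in "$pki/ca.crt" "$pki/dh.pem" "$pki/issued/$name.crt" "$pki/private/$name.key"; do
        [ -f "$src" ] || { echo "missing: $src" >&2; return 1; }
    done

    mkdir -p "$dest" || return 1
    cp "$pki/ca.crt" "$pki/dh.pem" "$pki/issued/$name.crt" "$dest/" || return 1
    chmod 644 "$dest/ca.crt" "$dest/dh.pem" "$dest/$name.crt" || return 1

    # Copy the key under a restrictive umask so it is never world-readable,
    # not even between the cp and the chmod.
    ( umask 077 && cp "$pki/private/$name.key" "$dest/$name.key" ) || return 1
    chmod 600 "$dest/$name.key" || return 1
}

# check_key_private <file>: succeed only if the file exists and carries no
# group or other permission bits (the "------" part of the ls -l mode string).
check_key_private() {
    key="$1"
    [ -f "$key" ] || return 1
    mode=$(ls -l "$key" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Usage on the server from this page (run as root):
#   install_pki_files /usr/local/etc/openvpn/easy-rsa/pki /usr/local/etc/openvpn openvpn-server
#   check_key_private /usr/local/etc/openvpn/openvpn-server.key && echo "key permissions ok"
```

The mode check reads the permission string from ls -l rather than stat, because stat takes different flags on FreeBSD and Linux while the ls -l column layout is the same on both.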
Edit the openvpn.conf file
root@bsd11:~ # vi /usr/local/etc/openvpn/openvpn.conf
user nobody
group nobody
# (see "pkcs12" directive in man page).
ca ca.crt
cert openvpn-server.crt
key openvpn-server.key # This file should be kept secret
# on the server and '1' on the clients.
#tls-auth ta.key 0 # This file is secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh2048.pem 2048
dh dh.pem
remote-cert-tls client
Client configuration
root@bsd11:~ # cd /usr/local/etc/openvpn/
root@bsd11:/usr/local/etc/openvpn # cp /usr/local/share/examples/openvpn/sample-config-files/client.conf .
root@bsd11:/usr/local/etc/openvpn # vi client.conf
remote 192.168.0.10 1194
# Try to preserve some state across restarts.
ca ca.crt
cert client.crt
key client.key
#tls-auth ta.key 1
Enable openvpn
root@bsd11:~ # sysrc openvpn_enable="YES"
openvpn_enable: -> YES
root@bsd11:~ # sysrc openvpn_if="tun"
openvpn_if: -> tun
root@bsd11:~ #
Start openvpn
root@bsd11:~ # service openvpn start
Starting openvpn.
root@bsd11:~ #
Check the tun device
root@bsd11:~ # ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:0c:29:9b:2a:24
hwaddr 00:0c:29:9b:2a:24
inet 192.168.0.10 netmask 0xffffff80 broadcast 192.168.0.255
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: lo
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet6 fe80::20c:29ff:fe9b:2a24%tun0 prefixlen 64 scopeid 0x3
inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: tun
Opened by PID 44459
root@bsd11:~ #
Create a test user
root@bsd11:~ # pw user add test -m
root@bsd11:~ # passwd test
Changing local password for test
Copy the key files
root@bsd11:/home/test # cp /usr/local/etc/openvpn/ca.crt .
root@bsd11:/home/test # cp /usr/local/etc/openvpn/client.conf .
root@bsd11:/home/test # cp /usr/local/etc/openvpn/easy-rsa/pki/private/client.key .
root@bsd11:/home/test # cp /usr/local/etc/openvpn/easy-rsa/pki/issued/client.crt .
root@bsd11:/home/test # mv client.conf client.ovpn
Windows
Copy the files into the C:\Program Files\OpenVPN\config directory and then test.

Connection test using the OpenVPN client

ping test (run the ping test over the OpenVPN tun device)

Check the ssh connection

Building a single .ovpn file from the crt and key files
ca.crt / client.crt / client.key
Paste the contents shown by cat into the client.ovpn file.
root@bsd11:/home/test # cat ca.crt
root@bsd11:/home/test # cat client.crt
root@bsd11:/home/test # cat client.key
Register them with the <ca></ca> syntax, as shown below.
root@bsd11:/home/test # vi client.ovpn
#ca ca.crt
#cert client.crt
#key client.key
<ca>
-----BEGIN CERTIFICATE-----
MIIDNTCCAh2gAwIBAgIJANWmpHXX73e/MA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
... (trimmed)
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
... (trimmed)
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
</key>
For the connection test, only the single client.ovpn file needs to be in C:\Program Files\OpenVPN\config.
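As an added example (not part of the original write-up), a POSIX sh function that does the cut-and-paste above automatically: it comments out the ca/cert/key lines of client.conf, appends <ca>, <cert> and <key> blocks holding only the PEM part of each file, and leaves the result readable by its owner only, since it now carries the private key. The argument names and the sample file contents used in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original write-up: turn a client.conf that
# references ca.crt / client.crt / client.key by file name into one
# client.ovpn with the certificates and key embedded inline.

# Print only the PEM block of a file. easy-rsa's issued/*.crt starts with a
# human-readable "Certificate:" dump before the -----BEGIN CERTIFICATE----- line;
# OpenVPN ignores that text, but leaving it out keeps the .ovpn small and
# unambiguous.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# build_inline_ovpn <client.conf> <ca.crt> <client.crt> <client.key> <out.ovpn>
build_inline_ovpn() {
    conf="$1"; ca="$2"; cert="$3"; key="$4"; out="$5"

    for f in "$conf" "$ca" "$cert" "$key"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    done

    # Each PEM input must contain exactly one BEGIN line; anything else means
    # the wrong file (or a bundle) was passed and would be embedded blindly.
    for f in "$ca" "$cert" "$key"; do
        n=$(grep -c '^-----BEGIN ' "$f")
        [ "$n" -eq 1 ] || { echo "expected one PEM block in $f, found $n" >&2; return 1; }
    done

    {
        # Comment out the file-based directives; the inline blocks replace them.
        # Lines that are already comments (e.g. "#tls-auth ta.key 1") are left alone.
        sed -E 's/^[[:space:]]*(ca|cert|key)[[:space:]]+.*/#&/' "$conf"
        printf '<ca>\n';   pem_only "$ca";   printf '</ca>\n'
        printf '<cert>\n'; pem_only "$cert"; printf '</cert>\n'
        printf '<key>\n';  pem_only "$key";  printf '</key>\n'
    } > "$out" || return 1

    # The file now contains a private key: owner-only, like the key itself.
    chmod 600 "$out"
}

# Usage with the files copied to the test user's home directory on this page:
#   cd /home/test && build_inline_ovpn client.conf ca.crt client.crt client.key client.ovpn
```

The client key on this page is passphrase-protected (the block reads ENCRYPTED PRIVATE KEY), and that passphrase is worth keeping: once the key lives inside a single .ovpn text file, that file is the whole credential.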

Run the ping test and the ssh connection test.