[vpn-server] FreeBSD11 Openvpn install

FreeBSD11 Openvpn install

Note: the OpenVPN server creates certificates and uses them to communicate with clients.

The OpenVPN server and the OpenVPN client must be time-synchronized. Without time sync, an OpenVPN connection fails with certificate errors.

Before installing OpenVPN from ports, update the ports tree.

time sync

root@bsd11:~ # date
Thu Jan  4 07:52:58 KST 2018
root@bsd11:~ # ntpdate time.bora.net
 3 Jan 22:53:21 ntpdate[913]: step time server 203.248.240.140 offset -32391.713806 sec
root@bsd11:~ # date
Wed Jan  3 22:53:22 KST 2018
root@bsd11:~ #

ports update

root@bsd11:~ # portsnap fetch
root@bsd11:~ # portsnap update
root@bsd11:~ # portsnap fetch update

Install

root@bsd11:~ # whereis openvpn
openvpn: /usr/ports/security/openvpn
root@bsd11:~ # cd /usr/ports/security/openvpn && make install clean

Message after the installation completes

====> Compressing man pages (compress-man)
===> Staging rc.d startup script(s)
===>  Installing for openvpn-2.4.4
===>  Checking if openvpn already installed
===>   Registering installation for openvpn-2.4.4
Installing openvpn-2.4.4...
### ------------------------------------------------------------------------
###  Edit /etc/rc.conf[.local] to start OpenVPN automatically at system
###  startup. See /usr/local/etc/rc.d/openvpn for details.
### ------------------------------------------------------------------------
###  Connect to VPN server as a client with this command to include
###  the client.up/down scripts in the initialization:
###  openvpn-client <spec>.ovpn
### ------------------------------------------------------------------------
###  For compatibility notes when interoperating with older OpenVPN
###  versions, please, see <http://openvpn.net/relnotes.html>
### ------------------------------------------------------------------------

===> SECURITY REPORT:
      This port has installed the following files which may act as network
      servers and may therefore pose a remote security risk to the system.
/usr/local/sbin/openvpn

      This port has installed the following startup scripts which may cause
      these network services to be started at boot time.
/usr/local/etc/rc.d/openvpn

      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

      For more information, and contact details about the security
      status of this software, see the following webpage:
http://openvpn.net/index.php/open-source.html
===>  Cleaning for easy-rsa-3.0.1_1
===>  Cleaning for openvpn-2.4.4
root@bsd11:/usr/ports/security/openvpn #

Create the openvpn directory and copy the sample config file

root@bsd11:~ # mkdir /usr/local/etc/openvpn
root@bsd11:~ # cd /usr/local/etc/openvpn/
root@bsd11:/usr/local/etc/openvpn # cp /usr/local/share/examples/openvpn/sample-config-files/server.conf openvpn.conf

Edit openvpn.conf

root@bsd11:/usr/local/etc/openvpn # vi openvpn.conf
user nobody
group nobody
;tls-auth ta.key 0 # This file is secret

Copy the easy-rsa directory

root@bsd11:~ # cp -r /usr/local/share/easy-rsa /usr/local/etc/openvpn/easy-rsa

Edit the vars file

root@bsd11:~ # vi /usr/local/etc/openvpn/easy-rsa/vars

set_var EASYRSA_REQ_COUNTRY     "US"
set_var EASYRSA_REQ_PROVINCE    "California"
set_var EASYRSA_REQ_CITY        "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL       "me@example.net"
set_var EASYRSA_REQ_OU          "My Organizational Unit"


set_var EASYRSA_KEY_SIZE        2048

set_var EASYRSA_CA_EXPIRE       3650

set_var EASYRSA_CERT_EXPIRE     3650

Create the CA

root@bsd11:~ # cd /usr/local/etc/openvpn/easy-rsa
root@bsd11:/usr/local/etc/openvpn/easy-rsa # sh
# ./easyrsa.real help

Note: using Easy-RSA configuration from: ./vars

Easy-RSA 3 usage and overview

USAGE: easyrsa [options] COMMAND [command-options]

A list of commands is shown below. To get detailed usage and help for a
command, run:
  ./easyrsa help COMMAND

For a listing of options that can be supplied before the command, use:
  ./easyrsa help options

Here is the list of commands available with a short syntax reminder. Use the
'help' command above to get full usage details.

  init-pki
  build-ca [ cmd-opts ]
  gen-dh
  gen-req <filename_base> [ cmd-opts ]
  sign-req <type> <filename_base>
  build-client-full <filename_base> [ cmd-opts ]
  build-server-full <filename_base> [ cmd-opts ]
  revoke <filename_base>
  gen-crl
  update-db
  show-req <filename_base> [ cmd-opts ]
  show-cert <filename_base> [ cmd-opts ]
  import-req <request_file_path> <short_basename>
  export-p7 <filename_base> [ cmd-opts ]
  export-p12 <filename_base> [ cmd-opts ]
  set-rsa-pass <filename_base> [ cmd-opts ]
  set-ec-pass <filename_base> [ cmd-opts ]

DIRECTORY STATUS (commands would take effect on these locations)
  EASYRSA: /usr/local/share/easy-rsa
      PKI:  /usr/local/share/easy-rsa/pki

# ./easyrsa.real init-pki

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /usr/local/share/easy-rsa/pki

# ./easyrsa.real build-ca

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
..................+++
....+++
writing new private key to '/usr/local/share/easy-rsa/pki/private/ca.key.Q7bkrn24VV'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/usr/local/share/easy-rsa/pki/ca.crt

#

Enter PEM pass phrase: enter a passphrase for the new CA key

# ./easyrsa.real build-server-full openvpn-server nopass

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...........+++
...........................................+++
writing new private key to '/usr/local/share/easy-rsa/pki/private/openvpn-server.key.r2NNHwSv7b'
-----
Using configuration from /usr/local/share/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /usr/local/share/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'openvpn-server'
Certificate is to be certified until Dec 31 15:59:10 2027 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
#

Enter pass phrase for /usr/local/share/easy-rsa/pki/private/ca.key: enter the CA passphrase

Check the server certificate

# ./easyrsa.real show-cert openvpn-server

Note: using Easy-RSA configuration from: ./vars

Showing cert details for 'openvpn-server'.
This file is stored at:
/usr/local/share/easy-rsa/pki/issued/openvpn-server.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer:
            commonName                = Easy-RSA CA
        Validity
            Not Before: Jan  2 15:59:10 2018 GMT
            Not After : Dec 31 15:59:10 2027 GMT
        Subject:
            commonName                = openvpn-server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                D4:AC:62:B0:E7:A9:A4:4B:C8:43:49:8D:3B:0F:44:8E:E8:EB:E5:2E
            X509v3 Authority Key Identifier:
                keyid:20:8C:CA:99:40:06:4B:E8:B8:97:C4:BE:13:1C:15:D4:66:29:2E:37
                DirName:/CN=Easy-RSA CA
                serial:D0:15:39:F6:19:C6:C3:30

            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
#

Generate the client key and certificate

# ./easyrsa.real build-client-full client

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...............................................................................................................................+++
......+++
writing new private key to '/usr/local/share/easy-rsa/pki/private/client.key.1744F02uFf'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /usr/local/share/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /usr/local/share/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client'
Certificate is to be certified until Dec 31 16:00:49 2027 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
#

Enter the passphrases when prompted (the new client key's PEM passphrase, then the CA key passphrase)

Generate DH parameters

# ./easyrsa.real gen-dh

Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
........................................................................
... (output omitted)

Copy the key files. The DIRECTORY STATUS output from ./easyrsa.real help above reported the PKI at /usr/local/share/easy-rsa/pki, so check which pki directory was actually created before copying.

root@bsd11:~ # cd /usr/local/etc/openvpn/easy-rsa/pki
root@bsd11:/usr/local/etc/openvpn/easy-rsa/pki # cp dh.pem \
 ca.crt \
 issued/openvpn-server.crt \
 private/openvpn-server.key \
 /usr/local/etc/openvpn/

Edit openvpn.conf to point at the copied files

root@bsd11:~ # vi /usr/local/etc/openvpn/openvpn.conf
user nobody
group nobody

# (see "pkcs12" directive in man page).
ca ca.crt
cert openvpn-server.crt
key openvpn-server.key  # This file should be kept secret

# on the server and '1' on the clients.
#tls-auth ta.key 0 # This file is secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh2048.pem 2048
dh dh.pem
remote-cert-tls client

Client configuration

root@bsd11:~ # cd /usr/local/etc/openvpn/
root@bsd11:/usr/local/etc/openvpn # cp /usr/local/share/examples/openvpn/sample-config-files/client.conf .
root@bsd11:/usr/local/etc/openvpn # vi client.conf

remote 192.168.0.10 1194


# Try to preserve some state across restarts.

ca ca.crt
cert client.crt
key client.key

#tls-auth ta.key 1

Enable openvpn at boot

root@bsd11:~ # sysrc openvpn_enable="YES"
openvpn_enable:  -> YES
root@bsd11:~ # sysrc openvpn_if="tun"
openvpn_if:  -> tun
root@bsd11:~ #

Start openvpn

root@bsd11:~ # service openvpn start
Starting openvpn.
root@bsd11:~ #

Check the tun device

root@bsd11:~ # ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0c:29:9b:2a:24
        hwaddr 00:0c:29:9b:2a:24
        inet 192.168.0.10 netmask 0xffffff80 broadcast 192.168.0.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::20c:29ff:fe9b:2a24%tun0 prefixlen 64 scopeid 0x3
        inet 10.8.0.1 --> 10.8.0.2  netmask 0xffffffff
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: tun
        Opened by PID 44459
root@bsd11:~ #

Create a test user

root@bsd11:~ # pw user add test -m
root@bsd11:~ # passwd test
Changing local password for test

Copy the key files to the test user's home directory

root@bsd11:/home/test # cp /usr/local/etc/openvpn/ca.crt .
root@bsd11:/home/test # cp /usr/local/etc/openvpn/client.conf .
root@bsd11:/home/test # cp /usr/local/etc/openvpn/easy-rsa/pki/private/client.key .
root@bsd11:/home/test # cp /usr/local/etc/openvpn/easy-rsa/pki/issued/client.crt .
root@bsd11:/home/test # mv client.conf client.ovpn

Windows

Copy the files into the C:\Program Files\OpenVPN\config directory and run the test.

Connection test with the OpenVPN client

ping test (ping over the OpenVPN tun device)

Verify ssh access

Embedding the crt and key files in the ovpn file

ca.crt / client.crt / client.key

Paste the contents shown by cat into client.ovpn.

root@bsd11:/home/test # cat ca.crt
root@bsd11:/home/test # cat client.crt
root@bsd11:/home/test # cat client.key

Register them with the <ca></ca> style inline blocks, as shown below.

root@bsd11:/home/test # vi client.ovpn
#ca ca.crt
#cert client.crt
#key client.key
<ca>
-----BEGIN CERTIFICATE-----
MIIDNTCCAh2gAwIBAgIJANWmpHXX73e/MA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
... (omitted)
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
... (omitted)
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
</key>

For the connection test, only the single client.ovpn file needs to be in C:\Program Files\OpenVPN\config.
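As an added example (not code from the original post), a small sh script that does the manual cat-and-paste step above: it comments out the file-based ca/cert/key directives and appends the PEM material as inline blocks; the helper names and the placeholder PEM contents it constructs are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build an inline client.ovpn from
# client.conf plus ca.crt, client.crt and client.key (the manual step above).
# Assumes POSIX sh, sed and mktemp; the helper names are hypothetical.
# pem_body FILE: print only the PEM block(s) of FILE, dropping the readable
# "Certificate:" text dump that easy-rsa prepends to issued certificates.
pem_body() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# make_inline_ovpn CONF CA CERT KEY OUT: comment out the file-based ca/cert/key
# directives of CONF and append the same material as <ca>/<cert>/<key> blocks.
make_inline_ovpn() {
    conf=$1 ca=$2 cert=$3 key=$4 out=$5
    for f in "$conf" "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "make_inline_ovpn: cannot read $f" >&2; return 1; }
    done
    for f in "$ca" "$cert" "$key"; do   # never write an empty inline block
        pem_body "$f" | grep -q '^-----END ' ||
            { echo "make_inline_ovpn: no PEM block in $f" >&2; return 1; }
    done
    {
        sed -E 's/^[[:space:]]*(ca|cert|key)[[:space:]]+/#&/' "$conf"
        echo '<ca>';   pem_body "$ca";   echo '</ca>'
        echo '<cert>'; pem_body "$cert"; echo '</cert>'
        echo '<key>';  pem_body "$key";  echo '</key>'
    } > "$out"
}

# demo_inline_ovpn: run the builder on constructed placeholder files (not real
# certificates or keys) in a temporary directory and print the resulting file.
demo_inline_ovpn() {
    d=$(mktemp -d) || return 1
    printf '%s\n' client 'remote 192.168.0.10 1194' 'ca ca.crt' \
        'cert client.crt' 'key client.key' '#tls-auth ta.key 1' > "$d/client.conf"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' CONSTRUCTED-CA \
        '-----END CERTIFICATE-----' > "$d/ca.crt"
    printf '%s\n' 'Certificate:' '    Data:' '        Version: 3 (0x2)' \
        '-----BEGIN CERTIFICATE-----' CONSTRUCTED-CLIENT-CERT \
        '-----END CERTIFICATE-----' > "$d/client.crt"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' CONSTRUCTED-KEY \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$d/client.key"
    make_inline_ovpn "$d/client.conf" "$d/ca.crt" "$d/client.crt" \
        "$d/client.key" "$d/client.ovpn" && cat "$d/client.ovpn"
    rc=$?
    rm -rf "$d"
    return $rc
}
demo_inline_ovpn
```

The <key> block carries the passphrase-protected client key unchanged, so the client still prompts for the PEM passphrase on connect.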


Run the ping test and the ssh connection test.