[vpn-server] Centos7 openvpn install



Note: the OpenVPN server authenticates clients with certificates it issues itself (the easy-rsa CA built below), so both sides must agree on the current time.

The OpenVPN server and client must have their clocks in sync. If either clock falls outside a certificate's validity window, the TLS handshake fails with a certificate error (the server in the transcript below was about 9 hours ahead before being stepped back). ntpdate is a one-off correction; for ongoing sync enable the system time service (chronyd on CentOS 7).


time sync

[root@centos74 ~]# date
Thu Jan 11 00:44:42 KST 2018
[root@centos74 ~]# ntpdate time.bora.net
10 Jan 15:44:53 ntpdate[11354]: step time server 203.248.240.140 offset -32401.179524 sec
[root@centos74 ~]# date
Wed Jan 10 15:45:02 KST 2018
[root@centos74 ~]#


epel-release repo install

[root@centos74 ~]# yum install -y epel-release


openvpn easy-rsa install

[root@centos74 ~]# yum install -y openvpn easy-rsa


sysctl.conf (enable IP forwarding; this is only needed if clients should reach networks behind the server, which also requires NAT/firewall rules this page does not set up. Reaching the server's own tun address, 10.8.0.1 below, works without it.)

[root@centos74 ~]# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@centos74 ~]# sysctl -p

openvpn config

Copy the sample server.conf (the sample path contains the package version; adjust 2.4.4 to the openvpn version yum actually installed)
[root@centos74 ~]# cp /usr/share/doc/openvpn-2.4.4/sample/sample-config-files/server.conf /etc/openvpn/
Edit server.conf (the lines changed from the sample are shown; leaving tls-auth commented out, as here, means the control channel accepts packets from any source that can reach UDP/1194, so keep it enabled unless ta.key is deliberately skipped)
[root@centos74 ~]# vi /etc/openvpn/server.conf
user nobody
group nobody
;tls-auth ta.key 0 # This file is secret
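As an added example (not part of the original post), here are the server.conf lines this page touches, with the weak form beside the hardened one. The tls-auth and user/group lines are the ones the page edits; persist-key/persist-tun are already uncommented in the 2.4 sample; the tls-version-min, cipher and auth lines are this editor's additions, all standard OpenVPN 2.4 directives.

```conf
# --- weak: what the page ends up with --------------------------------------
# ;tls-auth ta.key 0    # control channel unauthenticated: anyone who can
#                       # reach UDP/1194 gets a TLS handshake attempt, and any
#                       # pre-auth parsing bug in OpenVPN/TLS is reachable

# --- hardened --------------------------------------------------------------
tls-auth ta.key 0       # HMAC every control-channel packet with the shared
                        # ta.key; server uses direction 0, clients direction 1
user nobody             # drop root once the tunnel is up
group nobody
persist-key             # keep both (sample default): after dropping
persist-tun             # privileges the process cannot re-read server.key
tls-version-min 1.2     # refuse TLS 1.0/1.1 handshakes
cipher AES-256-GCM      # AEAD data-channel cipher; 2.4 clients negotiate it
                        # via NCP, older clients need a matching cipher line
auth SHA256             # HMAC digest for tls-auth (and non-AEAD ciphers)
```

With tls-auth enabled, ta.key must be generated (the "openvpn --genkey" step below) and distributed to every client along with its certificate; a client without it cannot even start the handshake.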


Create keys

[root@centos74 ~]# mkdir -p /etc/openvpn/easy-rsa/keys
[root@centos74 ~]# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Edit the vars file
Adjust the values below as appropriate. Note: the `set_var EASYRSA_REQ_*` lines shown in the original are easy-rsa 3 syntax; the 2.0 scripts used here (`source ./vars`, `./build-ca`) read `export KEY_*` variables and do not understand `set_var` (bash reports `set_var: command not found`), so the build-* prompts fall back to the stock defaults (`[US]`, `[CA]`, `[SanFrancisco]`, `[Fort-Funston]`), which is exactly what the transcripts below show. The same values in easy-rsa 2.0 syntax:
[root@centos74 ~]# vi /etc/openvpn/easy-rsa/vars

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="California"
export KEY_CITY="San Francisco"
export KEY_ORG="Copyleft Certificate Co"
export KEY_EMAIL="me@example.net"
export KEY_OU="My Organizational Unit"

The same file sets KEY_SIZE (2048, matching the "2048 bit RSA private key" lines below) and CA_EXPIRE / KEY_EXPIRE (3650 days, matching the "certified until ... 2028" lines).


[root@centos74 ~]# cd /etc/openvpn/easy-rsa/
[root@centos74 easy-rsa]# source ./vars
[root@centos74 easy-rsa]# ./clean-all

Generate the CA (./clean-all above wipes the keys directory, including any existing ca.key, so run it only once when the CA is first created; rerunning it later invalidates every certificate already issued)
[root@centos74 easy-rsa]# ./build-ca
Generating a 2048 bit RSA private key
...........................+++
......................................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:
[root@centos74 easy-rsa]#


build-key-server

[root@centos74 easy-rsa]# ./build-key-server server
Generating a 2048 bit RSA private key
.................+++
.....+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Jan  8 06:58:01 2028 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos74 easy-rsa]#


build-dh

[root@centos74 easy-rsa]# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.............................................................................
(output truncated)

Generate the client key (one certificate per client: by default the server refuses a second concurrent session that presents the same certificate CN unless duplicate-cn is set)

[root@centos74 ~]# cd /etc/openvpn/easy-rsa
[root@centos74 easy-rsa]# ./build-key client
Generating a 2048 bit RSA private key
..............................................+++
......................+++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [client]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'client'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Jan  8 07:00:23 2028 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos74 easy-rsa]#

Copy the server key files

Run this in /etc/openvpn/easy-rsa/keys/, the directory easy-rsa wrote to. Only the server's files belong in /etc/openvpn; never copy client.key there.
[root@centos74 keys]# cp dh2048.pem ca.crt server.crt server.key /etc/openvpn/

Generate and copy ta.key (skip this step only if tls-auth was left commented out in server.conf). Keeping `tls-auth ta.key 0` on the server is recommended: every control-channel packet is HMAC-signed with this shared key, so packets from anyone who does not hold ta.key are dropped before any TLS processing. The same ta.key must then be delivered to each client, which uses it with `tls-auth ta.key 1`, alongside its certificate and key.

[root@centos74 ~]# cd /etc/openvpn/easy-rsa/keys/
[root@centos74 keys]# openvpn --genkey --secret ta.key
[root@centos74 keys]# cp ta.key /etc/openvpn/
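Before starting the service it is worth checking the files that were just generated, since each of the failures below reaches the client only as a vague TLS error. The following script is an added example written for this page (not from the original post or from easy-rsa); it assumes the easy-rsa 2.x file names used above (ca.crt, server.crt, server.key) in one directory and uses only the openssl CLI. The function name check_server_pki and the default directory are this editor's choices.

```sh
#!/bin/sh
# Added example for this page (not from the original post or easy-rsa):
# sanity-check the server-side PKI files before starting openvpn@server.
# Assumes the easy-rsa 2.x file names used above: ca.crt, server.crt and
# server.key together in one directory (default: the keys/ directory).

check_server_pki() {
    dir="${1:-/etc/openvpn/easy-rsa/keys}"
    ca="$dir/ca.crt"; crt="$dir/server.crt"; key="$dir/server.key"
    rc=0

    # 1. Chain: server.crt must verify against this ca.crt. A CA rebuilt by
    #    a second ./clean-all fails here and shows up on clients as
    #    "certificate verify failed".
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "FAIL: $crt does not verify against $ca"; rc=1; }

    # 2. Pairing: the certificate's RSA modulus must equal the key's.
    m_crt=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null)
    m_key=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    { [ -n "$m_crt" ] && [ "$m_crt" = "$m_key" ]; } \
        || { echo "FAIL: $key is not the private key for $crt"; rc=1; }

    # 3. Validity against the local clock (the page's time-sync warning):
    #    -checkend 0 exits non-zero once the certificate is expired, which
    #    is also what a badly skewed clock looks like to OpenVPN.
    openssl x509 -noout -checkend 0 -in "$crt" >/dev/null 2>&1 \
        || { echo "FAIL: $crt is expired, or the clock is wrong"; rc=1; }

    # 4. Role: build-key-server adds extendedKeyUsage=serverAuth, which the
    #    client's "remote-cert-tls server" directive insists on. A cert made
    #    with plain ./build-key lacks it and every client will refuse it.
    openssl x509 -noout -text -in "$crt" 2>/dev/null \
        | grep -q 'TLS Web Server Authentication' \
        || { echo "FAIL: $crt has no serverAuth EKU (built with build-key instead of build-key-server?)"; rc=1; }

    # 5. Hygiene: the private key must not be group/world readable
    #    (ls -l columns 5-10 are the group and other permission bits).
    if [ "$(ls -l "$key" 2>/dev/null | cut -c5-10)" != "------" ]; then
        echo "WARN: $key is readable by others; chmod 600 it"
    fi

    return $rc
}

# Run directly as: sh check_pki.sh [keys-dir]
if [ $# -gt 0 ]; then
    check_server_pki "$1"
fi
```

Run it against the keys directory before `systemctl start openvpn@server`; a zero exit means all checks passed. The same checks, minus the serverAuth one, apply to each client.crt/client.key pair.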


openvpn enable & start

[root@centos74 ~]# systemctl -f enable openvpn@server
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /usr/lib/systemd/system/openvpn@.service.
[root@centos74 log]# systemctl start openvpn@server
[root@centos74 log]# systemctl status openvpn@server.service
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2017-12-29 20:00:05 KST; 3s ago
 Main PID: 5628 (openvpn)
   Status: "Initialization Sequence Completed"
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─5628 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf

Dec 29 20:00:05 centos74 systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
Dec 29 20:00:05 centos74 systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
[root@centos74 log]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.10  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::5054:ff:fe19:15ad  prefixlen 64  scopeid 0x20<link>
        ether 52:54:00:19:15:ad  txqueuelen 1000  (Ethernet)
        RX packets 22621  bytes 10113060 (9.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 18917  bytes 1870121 (1.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 12  bytes 1404 (1.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12  bytes 1404 (1.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
        inet6 fe80::4436:6805:8730:580a  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 144 (144.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@centos74 log]#

Create a user (its home directory is used below as the drop location for the client files that will be fetched from the server)

[root@centos74 ~]# useradd -m test
[root@centos74 ~]# passwd test
Changing password for user test.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@centos74 ~]#

Copy the client key material (the key files are copied so the VPN connection can be tested; client.key is a private key, so restrict the copy with chmod 600, give it to the user that fetches it, and delete it from /home/test once it has been transferred)

[root@centos74 ~]# cd /etc/openvpn/easy-rsa/keys/
[root@centos74 keys]# cp /usr/share/doc/openvpn-2.4.4/sample/sample-config-files/client.conf .
[root@centos74 keys]# cp ca.crt client.crt client.key client.conf /home/test
[root@centos74 ~]# cd /home/test/
[root@centos74 test]# mv client.conf client.ovpn
[root@centos74 test]# vi /home/test/client.ovpn

(The sample file's comment header is omitted here; the header shown in the original post was pasted from the server-side sample, not from client.conf.) Only the following lines change from the sample. Leave the sample's `remote-cert-tls server` directive, if present, as it is: it makes the client reject a server whose certificate was not built with build-key-server (serverAuth EKU). The `user`/`group` lines are ignored by OpenVPN on Windows, which logs that the option is not implemented there. If the server keeps tls-auth enabled, this line must read `tls-auth ta.key 1` (uncommented) and ta.key must be copied to the client as well.


remote 192.168.0.10 1194
user nobody
group nobody
#tls-auth ta.key 1


Download the client app from https://openvpn.net/index.php/open-source/downloads.html.

Fetch the files placed in /home/test above (ca.crt, client.crt, client.key, client.ovpn, plus ta.key if tls-auth is enabled) from the OpenVPN server over an authenticated channel such as scp; client.key is the client's private key.

Copy them into C:\Program Files\OpenVPN\config.

Connect with the OpenVPN client (run it as administrator: it needs that to configure the TAP adapter and routes).

Once the tunnel is up the server is reachable at 10.8.0.1, the tun0 address shown in the ifconfig output above (for example, ping 10.8.0.1).

Merging everything into one client.ovpn (inline certificates, so the client needs a single file)

[root@centos610 test]# cp client.ovpn client.ovpn.org
[root@centos610 test]# cat ca.crt >> client.ovpn
[root@centos610 test]# cat client.crt >> client.ovpn
[root@centos610 test]# cat client.key >> client.ovpn
[root@centos610 test]# vi client.ovpn

Wrap each appended block in the matching tag, and comment out the file-based ca/cert/key lines that the sample client.conf still contains so they do not compete with the inline blocks. Only the BEGIN/END part of each file is needed; the text dump that easy-rsa 2 writes above the PEM block in client.crt can be deleted. If tls-auth is used, ta.key goes in the same way inside <tls-auth> ... </tls-auth> together with a `key-direction 1` line (the inline form has nowhere to carry the direction argument). The finished file contains the private key, so protect it like client.key itself.

<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
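The cat-and-edit sequence above can be scripted. The following is an added example written for this page, not code from the original post or from OpenVPN; it assumes the sample client.conf and the easy-rsa 2 output files (ca.crt, client.crt, client.key, optionally ta.key) are in one directory, and the function name build_inline_ovpn is this editor's choice. It differs from the manual steps in three ways: it copies only the BEGIN/END block of each file (dropping the text dump easy-rsa 2 writes above the PEM in client.crt), it comments out the file-based ca/cert/key/tls-auth directives so they do not compete with the inline blocks, and it inlines ta.key with `key-direction 1` when present.

```sh
#!/bin/sh
# Added example for this page (not from the original post or OpenVPN):
# build a single-file client.ovpn from the sample client.conf plus the
# easy-rsa 2 output files. Assumed layout: client.conf, ca.crt, client.crt,
# client.key and (only if the server uses tls-auth) ta.key in directory $1.

pem_body() {
    # Print only the first BEGIN ... END block of a file; this strips the
    # human-readable certificate dump easy-rsa 2 puts above the PEM text
    # and the comment lines at the top of ta.key.
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

build_inline_ovpn() {
    src="$1"                         # directory holding the inputs
    out="${2:-$src/client.ovpn}"     # output file (default: next to inputs)
    for f in client.conf ca.crt client.crt client.key; do
        [ -r "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    {
        # Keep the sample as-is but turn the file-path directives into
        # comments; "key-direction" does not match because the pattern
        # requires whitespace right after the directive name.
        sed -E 's/^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]+/;&/' "$src/client.conf"
        echo
        echo "<ca>";   pem_body "$src/ca.crt";     echo "</ca>"
        echo "<cert>"; pem_body "$src/client.crt"; echo "</cert>"
        echo "<key>";  pem_body "$src/client.key"; echo "</key>"
        if [ -r "$src/ta.key" ]; then
            # The inline form cannot carry the "1" argument of
            # "tls-auth ta.key 1", so the direction is a separate line.
            echo "key-direction 1"
            echo "<tls-auth>"; pem_body "$src/ta.key"; echo "</tls-auth>"
        fi
    } > "$out"
    chmod 600 "$out"                 # the file now contains the private key
    echo "$out"
}

# Run directly as: sh make_ovpn.sh /home/test [output.ovpn]
if [ $# -gt 0 ]; then
    build_inline_ovpn "$@"
fi
```

The resulting file is the only thing the Windows client needs in C:\Program Files\OpenVPN\config; the separate ca.crt/client.crt/client.key copies can then be deleted from the client side.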
