Centos7 openvpn install
Note: the OpenVPN server authenticates clients with certificates, and certificate validation compares the system clock against each certificate's validity period.
The OpenVPN server and client therefore must be time-synchronised. Connecting without time sync produces certificate errors (from the peer's point of view the certificate is "not yet valid" or "has expired").
time sync
[root@centos74 ~]# date
Thu Jan 11 00:44:42 KST 2018
[root@centos74 ~]# ntpdate time.bora.net
10 Jan 15:44:53 ntpdate[11354]: step time server 203.248.240.140 offset -32401.179524 sec
[root@centos74 ~]# date
Wed Jan 10 15:45:02 KST 2018
[root@centos74 ~]#
Here the server's clock was about nine hours (32401 seconds) fast. Had the certificates been generated before this correction, their notBefore time would lie nine hours in the future for any client with a correct clock, and the TLS handshake would fail with "certificate is not yet valid". ntpdate is a one-shot correction; for continuous synchronisation keep chronyd (the CentOS 7 default) or ntpd running on both the server and the clients.
epel-release repo install
[root@centos74 ~]# yum install -y epel-release
openvpn easy-rsa install
[root@centos74 ~]# yum install -y openvpn easy-rsa
sysctl.conf
[root@centos74 ~]# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@centos74 ~]# sysctl -p
openvpn config
Copy the server.conf sample (the sample path contains the installed package version, openvpn-2.4.4 here; adjust it to whatever yum installed):
[root@centos74 ~]# cp /usr/share/doc/openvpn-2.4.4/sample/sample-config-files/server.conf /etc/openvpn/
Edit server.conf:
[root@centos74 ~]# vi /etc/openvpn/server.conf
user nobody
group nobody
;tls-auth ta.key 0 # This file is secret
Uncommenting user nobody / group nobody makes the daemon drop root privileges once initialisation is complete, so a compromise of the running process does not yield root. This guide comments out tls-auth (the leading ';'), so no ta.key is needed. Be aware that tls-auth is active in the sample for a reason: it adds an HMAC to every control-channel packet, so the server can discard packets from anyone who does not hold ta.key before they reach the TLS code. If you want that protection, leave the line active and generate ta.key in the ta.key step below.
Create keys
[root@centos74 ~]# mkdir -p /etc/openvpn/easy-rsa/keys
[root@centos74 ~]# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Edit the vars file and adjust the values below to suit your organisation. These are the easy-rsa 2.0 scripts, so vars is a shell file of exported KEY_* variables; the "set_var EASYRSA_REQ_*" syntax belongs to easy-rsa 3 and is ignored by these scripts. The values below are the 2.0 defaults, which is why they reappear as the bracketed defaults in the prompts that follow.
[root@centos74 ~]# vi /etc/openvpn/easy-rsa/vars
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
[root@centos74 ~]# cd /etc/openvpn/easy-rsa/
[root@centos74 easy-rsa]# source ./vars
[root@centos74 easy-rsa]# ./clean-all
Generate the CA. clean-all empties the keys directory, so run it only when starting a new PKI, never against a CA that has already issued certificates.
[root@centos74 easy-rsa]# ./build-ca
Generating a 2048 bit RSA private key
...........................+++
......................................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:
[root@centos74 easy-rsa]#
ca.key is the root of trust for the whole VPN: anyone holding it can issue a client certificate the server will accept. Only ca.crt needs to be copied to /etc/openvpn; keep ca.key readable by root only, ideally on a machine other than the VPN server.
build-key-server
Use build-key-server, not build-key, for the server certificate: it signs with the server extension set (extendedKeyUsage serverAuth), which the sample client.conf checks through "remote-cert-tls server". Leave the challenge password empty.
[root@centos74 easy-rsa]# ./build-key-server server
Generating a 2048 bit RSA private key
.................+++
.....+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Jan  8 06:58:01 2028 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos74 easy-rsa]#
build-dh
[root@centos74 easy-rsa]# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.............................................................................
(output omitted)
Create the client key
Issue one certificate per client, each with its own Common Name. easy-rsa's index refuses a second certificate with an identical subject, and a certificate shared between several users cannot be revoked for one of them without cutting off the rest. Leave the challenge password empty here as well.
[root@centos74 ~]# cd /etc/openvpn/easy-rsa
[root@centos74 easy-rsa]# ./build-key client
Generating a 2048 bit RSA private key
..............................................+++
......................+++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [client]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'client'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Jan  8 07:00:23 2028 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos74 easy-rsa]#
Copy the key files
(in /openvpn/easy-rsa/keys/)
[root@centos74 keys]# cp dh2048.pem ca.crt server.crt server.key /etc/openvpn/
Only these four files belong on the server; ca.key and the client files stay in the keys directory. server.key must remain readable by root only.
Generate and copy ta.key (if you commented out the tls-auth line in server.conf, skip this step; if you kept tls-auth active, the same ta.key must also be distributed to every client, which uses it with direction 1 while the server uses direction 0).
[root@centos74 ~]# cd /etc/openvpn/easy-rsa/keys/
[root@centos74 keys]# openvpn --genkey --secret ta.key
[root@centos74 keys]# cp ta.key /etc/openvpn/
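As an added example that is not part of the original guide, the following shell function checks the easy-rsa output before it is copied into /etc/openvpn. It confirms that the server and client certificates chain to ca.crt and are valid at the current clock (openssl verify enforces notBefore/notAfter, which is the check that fails when time sync is off), that the server certificate carries the serverAuth extended key usage that build-key-server adds and "remote-cert-tls server" on the clients requires, and that server.key really belongs to server.crt. The function name and its argument order are this example's own; run it from the keys directory with whatever client certificates you have issued.

```shell
#!/bin/sh
# Added example, not part of the original guide: pre-flight checks on the
# easy-rsa 2.0 output before it is deployed. Usage, from the keys directory:
#   verify_openvpn_pki ca.crt server.crt server.key client.crt [more-client.crt ...]
# Prints one line per check and returns 0 only if every check passed.

verify_openvpn_pki() {
    ca="$1"; crt="$2"; key="$3"; shift 3
    rc=0

    # 1. Chain and validity window. openssl verify rejects a certificate that is
    #    "not yet valid" or "has expired" relative to the system clock, which is
    #    exactly the error a client with a skewed clock hits at connect time.
    if out=$(openssl verify -CAfile "$ca" "$crt" 2>&1); then
        echo "ok   $crt chains to $ca and is valid now"
    else
        echo "FAIL $crt: $out"; rc=1
    fi
    echo "     $(openssl x509 -in "$crt" -noout -enddate)"

    # 2. Server role. build-key-server adds extendedKeyUsage=serverAuth; the
    #    sample client.conf's 'remote-cert-tls server' refuses a server cert
    #    without it, so a cert made with plain build-key must not be used here.
    if openssl x509 -in "$crt" -noout -text | grep -q 'TLS Web Server Authentication'; then
        echo "ok   $crt has serverAuth extended key usage"
    else
        echo "FAIL $crt lacks serverAuth EKU (built with build-key instead of build-key-server?)"; rc=1
    fi

    # 3. Key/certificate pairing: the public key embedded in the certificate
    #    must equal the public half of the private key.
    pub_crt=$(openssl x509 -in "$crt" -noout -pubkey | openssl dgst -sha256)
    pub_key=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
    if [ -n "$pub_crt" ] && [ "$pub_crt" = "$pub_key" ]; then
        echo "ok   $key matches $crt"
    else
        echo "FAIL $key does not match $crt"; rc=1
    fi

    # 4. Every client certificate must chain to the same CA; a client cert
    #    signed by any other CA (or self-signed) is rejected by the server.
    for c in "$@"; do
        if out=$(openssl verify -CAfile "$ca" "$c" 2>&1); then
            echo "ok   client $c chains to $ca"
        else
            echo "FAIL client $c: $out"; rc=1
        fi
    done
    return $rc
}
```

Run it again on the client machine against the files you copied there: a "not yet valid" failure on the client but not on the server is the clock-skew problem this guide opens with, and it is far quicker to see here than in the OpenVPN log.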
openvpn enable & start
[root@centos74 ~]# systemctl -f enable openvpn@server
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /usr/lib/systemd/system/openvpn@.service.
[root@centos74 log]# systemctl start openvpn@server
[root@centos74 log]# systemctl status openvpn@server.service
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2017-12-29 20:00:05 KST; 3s ago
 Main PID: 5628 (openvpn)
   Status: "Initialization Sequence Completed"
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─5628 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf

Dec 29 20:00:05 centos74 systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
Dec 29 20:00:05 centos74 systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
[root@centos74 log]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.10  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::5054:ff:fe19:15ad  prefixlen 64  scopeid 0x20<link>
        ether 52:54:00:19:15:ad  txqueuelen 1000  (Ethernet)
        RX packets 22621  bytes 10113060 (9.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 18917  bytes 1870121 (1.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 12  bytes 1404 (1.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12  bytes 1404 (1.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
        inet6 fe80::4436:6805:8730:580a  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 144 (144.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@centos74 log]#
"Initialization Sequence Completed" in the status output and the tun0 interface holding 10.8.0.1 confirm the server came up with the certificates it was given. If firewalld is running on the server, UDP 1194 must also be allowed through it before any client can connect.
Create a user
[root@centos74 ~]# useradd -m test
[root@centos74 ~]# passwd test
Changing password for user test.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@centos74 ~]#
This account only serves as a staging area from which the client files are downloaded; it plays no part in VPN authentication, which is certificate-based. The BAD PASSWORD warning shows root overriding the password-quality check, which is acceptable only for a throwaway account. Remove the account, or at least the key files in its home directory, once the test is done.
Copy the client key (the key files are copied so that the VPN connection test can be run).
[root@centos74 ~]# cd /etc/openvpn/easy-rsa/keys/
[root@centos74 keys]# cp /usr/share/doc/openvpn-2.4.4/sample/sample-config-files/client.conf .
[root@centos74 keys]# cp ca.crt client.crt client.key client.conf /home/test
[root@centos74 ~]# cd /home/test/
[root@centos74 test]# mv client.conf client.ovpn
[root@centos74 test]# vi /home/test/client.ovpn
#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# This config should work on Windows            #
# or Linux/BSD systems.  Remember on            #
# Windows to quote pathnames and use            #
# double backslashes, e.g.:                     #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################
remote 192.168.0.10 1194
user nobody
group nobody
#tls-auth ta.key 1
"remote" is the server's address and port. user/group nobody only take effect on Linux/BSD clients; they have no effect on Windows. tls-auth is commented out to match the server configuration above; if you kept tls-auth active on the server, keep this line active too and copy ta.key alongside the other files. Leave the sample's "remote-cert-tls server" in place: it is what makes the client reject a server certificate that was not issued with build-key-server. The copied files are owned by root; check that the test user can read them for the download and that nobody else on the system can read client.key.
Download the client app from https://openvpn.net/index.php/open-source/downloads.html.
Download the files staged under /home/test on the OpenVPN server (ca.crt, client.crt, client.key, client.ovpn). Use an authenticated, encrypted transfer such as scp/sftp: client.key is the client's private key, and anyone who obtains it together with client.crt can connect as this client.
Copy them into C:\Program Files\OpenVPN\config.
Connect using the OpenVPN client (run the OpenVPN client as administrator).
Once the tunnel is up, the server is reachable at its tunnel address, 10.8.0.1.
Merging everything into a single client.ovpn
The three files can be folded into the .ovpn so that only one file has to be handed to the client. Appending them with cat is only the first half of the job: the pasted material then has to be wrapped by hand in <ca>, <cert> and <key> tags, the "Certificate:" text dump that easy-rsa 2.0 writes above the PEM block of client.crt should be removed so that only the -----BEGIN/-----END block remains, and the original "ca ca.crt", "cert client.crt" and "key client.key" lines must be removed, since those files will not exist on the client.
[root@centos610 test]# cp client.ovpn client.ovpn.org
[root@centos610 test]# cat ca.crt >> client.ovpn
[root@centos610 test]# cat client.crt >> client.ovpn
[root@centos610 test]# cat client.key >> client.ovpn
[root@centos610 test]# vi client.ovpn
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
~
-----END CERTIFICATE-----
</cert>
<key>
-----END PRIVATE KEY-----
</key>
The merged file now contains the client's private key, so treat it as a secret: restrict its permissions and transfer it only over an authenticated channel.
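The merge described above, as an added example that is not part of the original guide: a shell function that does the cat-and-edit step mechanically. It copies the base client config minus the file-based ca/cert/key/tls-auth lines, extracts only the PEM block from each file (dropping easy-rsa's "Certificate:" dump and the comment lines at the top of ta.key), and, when a ta.key is supplied, emits an inline <tls-auth> block together with "key-direction 1", which is how direction 1 is expressed in the inline form. The function name and argument order are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original guide: build a single-file client
# profile with the certificate material inlined, instead of cat >> plus hand
# editing. Usage:
#   inline_ovpn client.conf ca.crt client.crt client.key [ta.key] > client.ovpn

# pem_body FILE: print only the PEM block of FILE. easy-rsa 2.0 writes a
# human-readable "Certificate:" dump above the PEM block of every .crt, and
# ta.key starts with '#' comment lines; neither belongs in the profile.
pem_body() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

inline_ovpn() {
    base="$1"; ca="$2"; crt="$3"; key="$4"; ta="$5"
    for f in "$base" "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "inline_ovpn: cannot read $f" >&2; return 1; }
    done

    # Copy the base config minus the file-based ca/cert/key/tls-auth lines,
    # which would otherwise point at files that do not exist on the client.
    # Commented-out lines (# or ;) are left alone.
    grep -Ev '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$base" || true

    printf '<ca>\n';   pem_body "$ca";  printf '</ca>\n'
    printf '<cert>\n'; pem_body "$crt"; printf '</cert>\n'
    printf '<key>\n';  pem_body "$key"; printf '</key>\n'

    # With an inline tls-auth block the direction is given by key-direction
    # (1 on the client, matching 'tls-auth ta.key 1' in the file-based form).
    if [ -n "$ta" ]; then
        [ -r "$ta" ] || { echo "inline_ovpn: cannot read $ta" >&2; return 1; }
        printf 'key-direction 1\n<tls-auth>\n'
        pem_body "$ta"
        printf '</tls-auth>\n'
    fi
}
```

The output still contains the client's private key, so write it with a restrictive umask and hand it over the same way as the separate files.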