Wednesday, May 25, 2011

Trying out a rented Saases server, part 3 (of 4)

6. Configuring OpenVPN
# yum -y install openvpn
Creating the CA certificate/key
# cp -r /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/ /etc/openvpn/easy-rsa
# cd /etc/openvpn/easy-rsa/
# chmod +x *
# source vars
# ./clean-all
# ./build-ca
Country Name (2 letter code) [US]:JP
State or Province Name (full name) [CA]:(prefecture, etc.)
Locality Name (eg, city) [SanFrancisco]:(city, etc.)
Organization Name (eg, company) [Fort-Funston]:(company name, etc.)
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:(your name or server name, etc.)
Name []:
Email Address [me@myhost.mydomain]:(email address)
# cp keys/ca.crt /etc/openvpn/
Creating the server certificate/private key
# ./build-key-server server
Country Name (2 letter code) [US]:JP
State or Province Name (full name) [CA]:(prefecture, etc.)
Locality Name (eg, city) [SanFrancisco]:(city, etc.)
Organization Name (eg, company) [Fort-Funston]:(company name, etc.)
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:(server name, etc.)
Name []:
Email Address [me@myhost.mydomain]:(email address)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Enter
An optional company name []:Enter
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:''
stateOrProvinceName :PRINTABLE:''
localityName :PRINTABLE:''
organizationName :PRINTABLE:''
commonName :PRINTABLE:''
emailAddress :IA5STRING:''
Certificate is to be certified until May 21 09:56:14 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# cp keys/server.crt /etc/openvpn/
# cp keys/server.key /etc/openvpn/
Creating the DH parameters
# ./build-dh
# cp keys/dh1024.pem /etc/openvpn/
Creating the certificate revocation list
# ./build-key dmy
Press Enter for every prompt, then answer y at the end.
# vi openssl.cnf
[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
PIN = $ENV::PKCS11_PIN
init = 0
 ↓ comment these lines out by prefixing them with #
#[ pkcs11_section ]
#engine_id = pkcs11
#dynamic_path = /usr/lib/engines/engine_pkcs11.so
#MODULE_PATH = $ENV::PKCS11_MODULE_PATH
#PIN = $ENV::PKCS11_PIN
#init = 0
# ./revoke-full dmy
# cp keys/crl.pem /etc/openvpn/
# cd
OpenVPN configuration
# openvpn --genkey --secret /etc/openvpn/ta.key
# cp /usr/share/doc/openvpn-2.1.4/sample-config-files/server.conf /etc/openvpn/
# vi /etc/openvpn/server.conf
server 10.8.0.0 255.255.255.0
 ↓ change to
server 192.168.11.0 255.255.255.0

;push "route 192.168.20.0 255.255.255.0"
 ↓ change to
push "route 219.103.34.226 255.255.255.255"

;tls-auth ta.key 0 # This file is secret
 ↓ uncomment by removing the ;
tls-auth ta.key 0 # This file is secret

;user nobody
;group nobody
 ↓ uncomment by removing the ;
user nobody
group nobody

;log-append openvpn.log
 ↓ change to
log-append /var/log/openvpn.log

Add the following:
management localhost 7505
crl-verify crl.pem
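As an added example (not code from the original post), here is a small Python script that reads an OpenVPN server.conf the way the daemon reads comments (leading ; or #, and trailing # ... on a directive line) and checks for the settings the edits above turn on: tls-auth, crl-verify, user/group, a management interface bound to localhost only, and a DH file that is not 1024-bit. Both sample configurations are constructed here to mirror the stock file and the edited one; nothing is read from disk.

```python
import shlex
# Constructed sample: the stock sample server.conf before any edits.
STOCK_CONF = """\
dev tun
ca ca.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
;push "route 192.168.20.0 255.255.255.0"
;tls-auth ta.key 0 # This file is secret
;user nobody
;group nobody
;log-append openvpn.log
"""
# Constructed sample: the same file after the edits made in the post.
EDITED_CONF = (STOCK_CONF.replace(";tls-auth", "tls-auth")
               .replace(";user", "user").replace(";group", "group")
               + "management localhost 7505\ncrl-verify crl.pem\n")

def parse_openvpn_conf(text):
    """Map each active directive to a list of its argument lists; lines
    starting with ';' or '#' and trailing '# ...' comments are ignored."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives

def audit(text):
    """Return the list of findings; an empty list means every check passed."""
    d = parse_openvpn_conf(text)
    findings = []
    if "tls-auth" not in d:
        findings.append("tls-auth missing: control channel not protected by ta.key")
    if "crl-verify" not in d:
        findings.append("crl-verify missing: revoked client certs still accepted")
    for name in ("user", "group"):
        if name not in d:
            findings.append(f"{name} missing: daemon keeps root after startup")
    for args in d.get("management", []):
        if not args or args[0] not in ("localhost", "127.0.0.1", "::1"):
            findings.append("management interface not bound to localhost only")
    if any(args and "1024" in args[0] for args in d.get("dh", [])):
        findings.append("dh file name suggests 1024-bit DH (heuristic); use 2048+")
    return findings
```

Running audit() on the stock file reports five findings; on the edited file only the 1024-bit DH file name remains, which the easy-rsa build-dh step above produces by default.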
Log configuration
# vi /etc/logrotate.d/openvpn
Write the following:
/var/log/openvpn.log {
    missingok
    notifempty
    sharedscripts
    postrotate
        /etc/rc.d/init.d/openvpn restart > /dev/null 2>&1 || true
    endscript
}
Starting OpenVPN
# vi /etc/rc.d/init.d/openvpn
#echo 1 > /proc/sys/net/ipv4/ip_forward
 ↓ uncomment by removing the #
echo 1 > /proc/sys/net/ipv4/ip_forward

# service openvpn start
Creating client certificates/keys
# cd /etc/openvpn/easy-rsa/
# source vars
# ./build-key-pass (client name)
First enter the password that will be used when connecting; answer the remaining prompts the same way as for the server.
That completes the server-side configuration.
