OpenVPN on Amazon EC2 (Ubuntu 10.04): Server Setup
■Prerequisites
・An EC2 instance has already been created
・An Elastic IP has already been assigned
・The security group opens the following ports:
  ・22/tcp
  ・1194/udp
■Reference blog (this helped a great deal)
http://blog.livedoor.jp/dynakou/search?q=openvpn
■Set the root password
$ sudo -i
# passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
■Install OpenVPN
# apt-get install openvpn
■Copy the easy-rsa directory
# cp -rp /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
■Edit the parameter file
# vi /etc/openvpn/easy-rsa/2.0/vars
export KEY_COUNTRY="JP"
export KEY_PROVINCE="KYOTO"
export KEY_CITY="KYOTO"
export KEY_ORG="MyORG"
export KEY_EMAIL="foo@bar.com"
■Source the vars file
# source /etc/openvpn/easy-rsa/2.0/vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
■Clean out old keys (the clean-all script named in the NOTE above; it removes the keys directory)
# /etc/openvpn/easy-rsa/2.0/clean-all
■Create the CA certificate and key (press Enter through the prompts)
# /etc/openvpn/easy-rsa/2.0/build-ca
Country Name (2 letter code) [JP]:
State or Province Name (full name) [KYOTO]:
Locality Name (eg, city) [KYOTO]:
Organization Name (eg, company) [MyORG]:
Organizational Unit Name (eg, section) :
Common Name (eg, your name or your server's hostname) [MyORG CA]:
Name :
Email Address [foo@bar.com]:
■Confirm the certificate and key were created (ca.crt and ca.key should be present)
# ls -la /etc/openvpn/easy-rsa/2.0/keys/
■Create the server certificate (press Enter through the prompts, answering "y" twice at the end)
# /etc/openvpn/easy-rsa/2.0/build-key-server server
Country Name (2 letter code) [JP]:
State or Province Name (full name) [KYOTO]:
Locality Name (eg, city) [KYOTO]:
Organization Name (eg, company) [MyORG]:
Organizational Unit Name (eg, section) :
Common Name (eg, your name or your server's hostname) [server]:
Name :
Email Address [foo@bar.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name :
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'JP'
stateOrProvinceName :PRINTABLE:'KYOTO'
localityName :PRINTABLE:'KYOTO'
organizationName :PRINTABLE:'MyORG'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'foo@bar.com'
Certificate is to be certified until Mar 28 03:39:51 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
■Confirm the server certificate was created (server.crt, server.csr and server.key should be present)
# ls -la /etc/openvpn/easy-rsa/2.0/keys/
■Create the Diffie-Hellman parameters
# /etc/openvpn/easy-rsa/2.0/build-dh
■Confirm the DH parameters were created (dh1024.pem should be present)
# ls -la /etc/openvpn/easy-rsa/2.0/keys/
■Create the client key (enter a PEM pass phrase, then press Enter through the prompts, answering "y" twice at the end)
# /etc/openvpn/easy-rsa/2.0/build-key-pass client01
Generating a 1024 bit RSA private key
.........................++++++
..........++++++
writing new private key to 'client01.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [KYOTO]:
Locality Name (eg, city) [KYOTO]:
Organization Name (eg, company) [MyORG]:
Organizational Unit Name (eg, section) :
Common Name (eg, your name or your server's hostname) [client01]:
Name :
Email Address [foo@bar.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name :
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'JP'
stateOrProvinceName :PRINTABLE:'KYOTO'
localityName :PRINTABLE:'KYOTO'
organizationName :PRINTABLE:'MyORG'
commonName :PRINTABLE:'client01'
emailAddress :IA5STRING:'foo@bar.com'
Certificate is to be certified until Mar 28 04:35:48 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
■Confirm the client key was created (client01.csr and client01.key should be present)
# ls -la /etc/openvpn/easy-rsa/2.0/keys/
■Edit the server configuration file
# cp -p /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
# gunzip /etc/openvpn/server.conf.gz
# vi /etc/openvpn/server.conf
■Change the key file paths
Before
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh1024.pem
After
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
■Change the virtual IP range
Before
server 10.8.0.0 255.255.255.0
After (any private range you like)
server 192.168.6.0 255.255.255.0
■Uncomment the client-to-client setting
Before
;client-to-client
After
client-to-client
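The three edits above are easy to get half right (a relative path that openvpn cannot resolve when started from another directory, a key left world-readable, client-to-client still behind a ';'). This added Python check is not from the original post; it lints those points in a server.conf, assuming the file layout used in this walkthrough. The "before"/"after" sample configs and the empty stand-in key files it uses are constructed inline.

```python
import os
import stat
import tempfile
from pathlib import Path

FILE_DIRECTIVES = ("ca", "cert", "key", "dh")  # their arguments are files on disk

def check_server_conf(conf_path):
    """Return problems in an OpenVPN server.conf (empty list = OK): ca/cert/key/dh must be
    absolute existing paths, the key not group/other readable, client-to-client enabled."""
    problems, client_to_client = [], False
    with open(conf_path) as f:
        for lineno, raw in enumerate(f, 1):
            line = raw.split("#", 1)[0].strip()   # drop trailing '#' comments
            if not line or line.startswith(";"):  # ';' comments out a directive
                continue
            directive, *args = line.split()
            if directive == "client-to-client":
                client_to_client = True
            elif directive in FILE_DIRECTIVES and args:
                path = args[0]
                if not os.path.isabs(path):
                    problems.append(f"line {lineno}: {directive} uses relative path {path}")
                elif not os.path.isfile(path):
                    problems.append(f"line {lineno}: {directive} file missing: {path}")
                elif directive == "key" and os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                    problems.append(f"line {lineno}: {path} is readable by group/other")
    if not client_to_client:
        problems.append("client-to-client is still commented out")
    return problems

def demo():
    """Constructed sample: the 'before' and 'after' key lines from this walkthrough."""
    keys = Path(tempfile.mkdtemp(), "keys")
    keys.mkdir()
    for name in ("ca.crt", "server.crt", "server.key", "dh1024.pem"):
        (keys / name).touch()          # empty stand-ins for the PKI files
    (keys / "server.key").chmod(0o600)
    confs = {
        "before": "ca ca.crt\ncert server.crt\nkey server.key # This file should be kept secret\n"
                  "dh dh1024.pem\n;client-to-client\n",
        "after": f"ca {keys}/ca.crt\ncert {keys}/server.crt\nkey {keys}/server.key\n"
                 f"dh {keys}/dh1024.pem\nclient-to-client\n",
    }
    results = {}
    for label, text in confs.items():
        conf = keys / f"{label}.conf"
        conf.write_text(text)
        results[label] = check_server_conf(conf)
    return results
```

Run check_server_conf("/etc/openvpn/server.conf") as root on the real host; demo() only exercises it against the constructed samples.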
■Start the OpenVPN server
# openvpn /etc/openvpn/server.conf
Fri Mar 30 13:04:29 2012 OpenVPN 2.1.0 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 20 2010
Fri Mar 30 13:04:29 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Mar 30 13:04:29 2012 Diffie-Hellman initialized with 1024 bit key
Fri Mar 30 13:04:29 2012 /usr/bin/openssl-vulnkey -q -b 1024 -m
Fri Mar 30 13:04:30 2012 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Mar 30 13:04:30 2012 ROUTE default_gateway=10.150.169.1
Fri Mar 30 13:04:30 2012 TUN/TAP device tun0 opened
Fri Mar 30 13:04:30 2012 TUN/TAP TX queue length set to 100
Fri Mar 30 13:04:30 2012 /sbin/ifconfig tun0 192.168.6.1 pointopoint 192.168.6.2 mtu 1500
Fri Mar 30 13:04:30 2012 /sbin/route add -net 192.168.6.0 netmask 255.255.255.0 gw 192.168.6.2
Fri Mar 30 13:04:30 2012 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Mar 30 13:04:30 2012 Socket Buffers: R=[111616->131072] S=[111616->131072]
Fri Mar 30 13:04:30 2012 UDPv4 link local (bound): [undef]
Fri Mar 30 13:04:30 2012 UDPv4 link remote: [undef]
Fri Mar 30 13:04:30 2012 MULTI: multi_init called, r=256 v=256
Fri Mar 30 13:04:30 2012 IFCONFIG POOL: base=192.168.6.4 size=62
Fri Mar 30 13:04:30 2012 IFCONFIG POOL LIST
Fri Mar 30 13:04:30 2012 Initialization Sequence Completed