Install OpenVPN on the client side. The OpenVPN package has the same name for both client and server.

# apt-get install openvpn
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  liblzo2-2 libpkcs11-helper1
Suggested packages:
  openssl resolvconf
The following NEW packages will be installed:
  liblzo2-2 libpkcs11-helper1 openvpn
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 633 kB of archives.
After this operation, 1,523 kB of additional disk space will be used.
Do you want to continue [Y/n]? Y
Get:1 http://ftp.jp.debian.org/debian/ wheezy/main liblzo2-2 i386 2.06-1 [66.2 kB]
Get:2 http://ftp.jp.debian.org/debian/ wheezy/main libpkcs11-helper1 i386 1.09-1 [49.2 kB]
Get:3 http://ftp.jp.debian.org/debian/ wheezy/main openvpn i386 2.2.1-8+deb7u2 [517 kB]
Fetched 633 kB in 4s (129 kB/s)
Preconfiguring packages ...
Selecting previously unselected package liblzo2-2:i386.
(Reading database ... 18779 files and directories currently installed.)
Unpacking liblzo2-2:i386 (from .../liblzo2-2_2.06-1_i386.deb) ...
Selecting previously unselected package libpkcs11-helper1:i386.
Unpacking libpkcs11-helper1:i386 (from .../libpkcs11-helper1_1.09-1_i386.deb) ...
Selecting previously unselected package openvpn.
Unpacking openvpn (from .../openvpn_2.2.1-8+deb7u2_i386.deb) ...
Processing triggers for man-db ...
Setting up liblzo2-2:i386 (2.06-1) ...
Setting up libpkcs11-helper1:i386 (1.09-1) ...
Setting up openvpn (2.2.1-8+deb7u2) ...
Restarting virtual private network daemon.:.
On the server side, create the client certificate. The name is client2. The generated certificate is stored in the ./keys directory.

# cd /etc/openvpn/easy-rsa/
# . ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
# ./build-key client2
Generating a 1024 bit RSA private key
...............++++++
..........++++++
writing new private key to 'client2.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [client2]:
Name [changeme]:
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'client2'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Jul 3 13:40:48 2024 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Move the certificate files created on the server side from the server to the client's ~/.

# ls keys/ca.crt keys/client2.* -la
-rw-r--r-- 1 root root 1383 Jun 7 11:23 keys/ca.crt
-rw-r--r-- 1 root root 3999 Jul 6 22:41 keys/client2.crt
-rw-r--r-- 1 root root  729 Jul 6 22:40 keys/client2.csr
-rw------- 1 root root  916 Jul 6 22:40 keys/client2.key
# scp keys/ca.crt keys/client2.crt keys/client2.key ******@************:~/
******@************'s password:
ca.crt                                        100% 1383     1.4KB/s   00:00
client2.crt                                   100% 3999     3.9KB/s   00:00
client2.key                                   100%  916     0.9KB/s   00:00
On the client side, move the files transferred above into /etc/openvpn/. Copy the sample configuration file client.conf into /etc/openvpn, then edit the copied file.

# mv /home/******/ca.crt /home/******/client2.* /etc/openvpn/
# cp -a /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
# vi /etc/openvpn/client.conf
# diff /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/client.conf
36,37c36,37
< ;proto tcp
< proto udp
---
> proto tcp
> ;proto udp
42c42
< remote my-server-1 1194
---
> ;remote my-server-1 1194
43a44,45
> remote ************** 443
> remote ************* 443
89,90c91,94
< cert client.crt
< key client.key
---
> ;cert client.crt
> ;key client.key
> cert client2.crt
> key client2.key
Restart the OpenVPN client on the client side.

# /etc/init.d/openvpn restart
# ifconfig -a tun
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:***.***.***.***  P-t-P:***.***.***.***  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
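A pre-flight check for the edited client.conf, added here as example code (not part of the original post). It parses the file the way OpenVPN reads it (lines beginning with ';' or '#' are comments, so the commented-out proto/remote/cert/key lines left by the edit are ignored), requires exactly one active ca, cert and key directive and at least one remote, and confirms the referenced files exist with the private key not readable by group or others, matching the -rw------- mode in the ls output above. It assumes relative paths resolve against /etc/openvpn, the directory the Debian init script runs the daemon from; the 192.0.2.x addresses are constructed placeholders.

```python
import os
import stat
from typing import Dict, List

# Constructed sample mirroring the diff above; 192.0.2.x are placeholder IPs.
SAMPLE_CONF = """\
client
proto tcp
;proto udp
;remote my-server-1 1194
remote 192.0.2.10 443
remote 192.0.2.11 443
ca ca.crt
;cert client.crt
;key client.key
cert client2.crt
key client2.key
"""


def parse_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each active directive to its argument lists; ';' and '#' lines
    are comments to OpenVPN and are skipped here as the daemon skips them."""
    active: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        name, *args = line.split()
        active.setdefault(name, []).append(args)
    return active


def check_client_conf(text: str, conf_dir: str) -> List[str]:
    """Return problems found; an empty list means the config is consistent."""
    d = parse_conf(text)
    problems: List[str] = []
    if "client" not in d:
        problems.append("missing 'client' directive")
    if not d.get("remote"):
        problems.append("no active 'remote' line")
    for name in ("ca", "cert", "key"):
        if len(d.get(name, [])) != 1:
            problems.append(f"expected exactly one active '{name}' line")
            continue
        # Relative paths resolve against the directory the daemon runs in
        # (assumed to be /etc/openvpn, passed in as conf_dir).
        path = os.path.join(conf_dir, d[name][0][0])
        if not os.path.isfile(path):
            problems.append(f"{name} file not found: {path}")
        elif name == "key" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            problems.append(f"private key {path} is readable by group/others")
    return problems
```

On the client, run check_client_conf(open("/etc/openvpn/client.conf").read(), "/etc/openvpn") before the restart; any returned string is something the daemon would either refuse or silently accept with a world-readable key.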
Now,

# apt-get install resolvconf
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  resolvconf
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 69.0 kB of archives.
After this operation, 135 kB of additional disk space will be used.
Get:1 http://ftp.jp.debian.org/debian/ wheezy/main resolvconf all 1.67 [69.0 kB]
Fetched 69.0 kB in 0s (72.3 kB/s)
Preconfiguring packages ...
Selecting previously unselected package resolvconf.
(Reading database ... 18935 files and directories currently installed.)
Unpacking resolvconf (from .../resolvconf_1.67_all.deb) ...
Processing triggers for man-db ...
Setting up resolvconf (1.67) ...
Processing triggers for resolvconf ...