VPN server setup (OpenVPN)

Last updated: 2017.06.27


■Overview

Use OpenVPN (see the OpenVPN Japanese information site) to build an SSL-VPN style Internet VPN so that the LAN can be reached securely from outside via OpenVPN. The VPN clients are Windows machines and an iPhone.

【Assumed network diagram】
(network diagram image not included)

【Assumed network conditions】
LAN network address: 192.168.1.0/24
VPN server IP address: 192.168.1.30
VPN virtual network address: 10.8.0.0/24 ※
VPN server virtual IP address: 10.8.0.1 ※

※Over the VPN, both server and client are assigned a virtual private IP address and VPN traffic uses those virtual addresses, but this setup lets clients reach target hosts by their original LAN private IP addresses (192.168.1.X).


■OpenVPN installation (server side)

[root@centos ~]# yum -y install openssl-devel lzo-devel pam-devel ← install the packages needed to build OpenVPN

[root@centos ~]# wget http://swupdate.openvpn.org/community/releases/openvpn-2.3.4.tar.gz ← download OpenVPN

※Check the download page for the URL of the latest version

[root@centos ~]# rpmbuild -tb --clean openvpn-2.3.4.tar.gz ← build the OpenVPN RPM package

[root@centos ~]# yum -y localinstall ~/rpmbuild/RPMS/x86_64/openvpn-2.3.4-1.x86_64.rpm ← install the OpenVPN RPM package just built

[root@centos ~]# rm -f ~/rpmbuild/RPMS/x86_64/openvpn-* ← delete the built OpenVPN RPM package

[root@centos ~]# rm -f openvpn-2.3.4.tar.gz ← delete the downloaded file

[root@centos ~]# wget https://github.com/OpenVPN/easy-rsa/archive/master.zip ← download easy-rsa

[root@centos ~]# unzip master.zip ← extract easy-rsa

[root@centos ~]# cp -r easy-rsa-master/easyrsa3/ /etc/openvpn/ ← copy easyrsa3 to its designated directory

[root@centos ~]# rm -rf easy-rsa-master/ ← delete the extracted directory

[root@centos ~]# rm -f master.zip ← delete the downloaded file

■OpenVPN configuration (server side)

(1) Create the CA certificate and private key
[root@centos ~]# cd /etc/openvpn/easyrsa3/ ← move to the easyrsa3 directory

[root@centos easyrsa3]# ./easyrsa init-pki ← initialise ※only once, right after installing OpenVPN

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easyrsa3/pki

[root@centos easyrsa3]# ./easyrsa build-ca ← create the CA certificate and private key
Generating a 2048 bit RSA private key
......................................................+++
........................................+++
writing new private key to '/root/easy-rsa-master/easyrsa3/pki/private/ca.key'
Enter PEM pass phrase: ← enter a passphrase of your choice
Verifying - Enter PEM pass phrase: ← enter the passphrase again (confirmation)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:centossrv.com ← enter the site name (e.g. centossrv.com)

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/root/easy-rsa-master/easyrsa3/pki/ca.crt

[root@centos easyrsa3]# cp pki/ca.crt /etc/openvpn/ ← copy the CA certificate to the OpenVPN configuration directory
※The CA private key is only used when creating the server certificate/key and client certificates/keys described below, so it does not need to be copied

i‚QjƒT[ƒo[Ø–ū‘E”é–§ŒŪėŽ
[root@centos easyrsa3]# ./easyrsa build-server-full server nopass@Đ@ƒT[ƒo[Ø–ū‘E”é–§ŒŪėŽ
Generating a 2048 bit RSA private key
.......+++
.....+++
writing new private key to '/etc/openvpn/easyrsa3/pki/private/server.key'
-----
Using configuration from /etc/openvpn/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easyrsa3/pki/private/ca.key:@Đ@CA”é–§ŒŪ‚ĖƒpƒXƒtƒŒ[ƒY‚ð‰ž“š
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'server'
Certificate is to be certified until Jul 10 12:48:56 2024 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

[root@centos easyrsa3]# cp pki/issued/server.crt /etc/openvpn/@Đ@ƒT[ƒo[Ø–ū‘‚ðOpenVPNÝ’čƒtƒ@ƒCƒ‹Ši”[ƒfƒBƒŒƒNƒgƒŠ‚ÖƒRƒs[

[root@centos easyrsa3]# cp pki/private/server.key /etc/openvpn/@Đ@ƒT[ƒo[”é–§ŒŪ‚ðOpenVPNÝ’čƒtƒ@ƒCƒ‹Ši”[ƒfƒBƒŒƒNƒgƒŠ‚ÖƒRƒs[

i‚RjDH(Diffie Hellman)ƒpƒ‰ƒ[ƒ^ėŽ
[root@centos easyrsa3]# ./easyrsa gen-dh@Đ@DHƒpƒ‰ƒ[ƒ^ėŽ
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
`
DH parameters of size 2048 created at /root/easy-rsa-master/easyrsa3/pki/dh.pem
ĶŽžŠÔ‚Š‚Đ‚Đ‚éę‡‚Š‚ ‚é

[root@centos easyrsa3]# cp pki/dh.pem /etc/openvpn/@Đ@DHƒpƒ‰ƒ[ƒ^‚ðOpenVPNÝ’čƒtƒ@ƒCƒ‹Ši”[ƒfƒBƒŒƒNƒgƒŠ‚ÖƒRƒs[

i‚SjØ–ū‘”pŽ~ƒŠƒXƒgėŽ
“Á’č‚ĖVPNƒNƒ‰ƒCƒAƒ“ƒg‚Đ‚į‚ĖVPNÚ‘ą‚ð‹ÖŽ~‚Å‚Ŧ‚é‚æ‚Ī‚É‚·‚é‚―‚߁AØ–ū‘”pŽ~ƒŠƒXƒg‚ðėŽ‚·‚éB
ĶØ–ū‘”pŽ~ƒŠƒXƒg‚́AŽĀÛ‚ɃNƒ‰ƒCƒAƒ“ƒgØ–ū‘‚ðėŽ‚ĩ‚Ä‚Đ‚į”pŽ~‚ðs‚í‚Č‚Ē‚ƍėŽ‚Å‚Ŧ‚Č‚Ē‚Ė‚ŁAƒ_ƒ~[‚ĖƒNƒ‰ƒCƒAƒ“ƒgØ–ū‘‚ð‚Ē‚Á‚―‚ņėŽ&”pŽ~‚·‚é‚ą‚Æ‚É‚æ‚čØ–ū‘”pŽ~ƒŠƒXƒg‚ðėŽ‚·‚é
[root@centos easyrsa3]# ./easyrsa build-client-full dmy nopass@Đ@ƒ_ƒ~[‚ĖƒNƒ‰ƒCƒAƒ“ƒgØ–ū‘ėŽ
Generating a 2048 bit RSA private key
.............................................+++
...........+++
writing new private key to '/etc/openvpn/easyrsa3/pki/private/dmy.key'
-----
Using configuration from /etc/openvpn/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easyrsa3/pki/private/ca.key:@Đ@CA”é–§ŒŪ‚ĖƒpƒXƒtƒŒ[ƒY‚ð‰ž“š
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'dmy'
Certificate is to be certified until Jul 10 12:52:28 2024 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

[root@centos easyrsa3]# ./easyrsa revoke dmy@Đ@ƒ_ƒ~[‚ĖƒNƒ‰ƒCƒAƒ“ƒgØ–ū‘”pŽ~


Please confirm you wish to revoke the certificate with the following subject:

subject=
    commonName                = dmy


Type the word 'yes' to continue, or any other input to abort.
  Continue with revocation: yes@Đ@yes‰ž“š
Using configuration from /etc/openvpn/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easyrsa3/pki/private/ca.key:
Revoking Certificate 03.
Data Base Updated

IMPORTANT!!!

Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.

[root@centos easyrsa3]# rm -f /etc/openvpn/easyrsa3/pki/issued/dmy.crt@Đ@dmyØ–ū‘—ލ폜

[root@centos easyrsa3]# rm -f /etc/openvpn/easyrsa3/pki/private/dmy.key@Đ@dmyØ–ū‘—ލ폜

[root@centos easyrsa3]# rm -f /etc/openvpn/easyrsa3/pki/reqs/dmy.req@Đ@dmyØ–ū‘—ލ폜

[root@centos easyrsa3]# cp vars.example vars@Đ@Easy-RSAƒpƒ‰ƒ[ƒ^Ý’čƒtƒ@ƒCƒ‹‚ðƒTƒ“ƒvƒ‹‚æ‚čƒRƒs[

[root@centos easyrsa3]# vi vars.example@Đ@Easy-RSAƒpƒ‰ƒ[ƒ^Ý’čƒtƒ@ƒCƒ‹•ŌW
set_var EASYRSA_CRL_DAYS        3650@Đ@s“Š‚Ė#‚ðíœiƒRƒƒ“ƒg‰ðœj‚ĩ‚ďؖū‘”pŽ~ƒŠƒXƒg‚Ė—LŒøŠúŒĀ‚ð3650“ú‚ɕύX
ĶØ–ū‘”pŽ~ƒŠƒXƒg‚Ė—LŒøŠúŒĀ‚͏‰ŠúÝ’č‚Å‚Í180“ú‚Æ‚Č‚Á‚Ä‚Ļ‚čAŠúŒĀ‚ŠØ‚ę‚é‚―‚Ņ‚ɏؖū‘”pŽ~ƒŠƒXƒg‚ĖÄėŽ‚ð‚ĩ‚Č‚Ŋ‚ę‚΂Ȃį‚Č‚­A‰^—p‚Š”ÏŽG‚Č‚―‚߁AƒT[ƒo[Ø–ū‘AƒNƒ‰ƒCƒAƒ“ƒgØ–ū‘‚Ė‰ŠúÝ’č’l‚Æ“Ŋ‚ķ3650“ú‚É‚·‚é

[root@centos easyrsa3]# ./easyrsa gen-crl@Đ@Ø–ū‘”pŽ~ƒŠƒXƒg‚ðėŽ
Using configuration from /etc/openvpn/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easyrsa3/pki/private/ca.key:

An updated CRL has been created.
CRL file: /etc/openvpn/easyrsa3/pki/crl.pem

[root@centos easyrsa3]# /bin/cp /etc/openvpn/easyrsa3/pki/crl.pem /etc/openvpn/@Đ@Ø–ū‘”pŽ~ƒŠƒXƒg‚ðOpenVPNÝ’čƒtƒ@ƒCƒ‹Ši”[ƒfƒBƒŒƒNƒgƒŠ‚ÖƒRƒs[

[root@centos easyrsa3]# chmod o+r /etc/openvpn/crl.pem@Đ@Ø–ū‘”pŽ~ƒŠƒXƒg‚ÖŽQÆŒ ŒĀ•t‰Á

[root@centos easyrsa3]# cd@Đ@easyrsa3ƒfƒBƒŒƒNƒgƒŠ‚ð”ē‚Ŋ‚é

i‚TjOpenVPNÝ’č
[root@centos ~]# openvpn --genkey --secret /etc/openvpn/ta.key@Đ@TLS”FØŒŪ‚ðOpenVPNÝ’čƒtƒ@ƒCƒ‹Ši”[ƒfƒBƒŒƒNƒgƒŠ‚֍ėŽ

[root@centos ~]# cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/@Đ@OpenVPNÝ’čƒtƒ@ƒCƒ‹‚ðƒTƒ“ƒvƒ‹‚æ‚čƒRƒs[

[root@centos ~]# vi /etc/openvpn/server.conf@Đ@OpenVPNÝ’čƒtƒ@ƒCƒ‹•ŌW
dev tun@Đ@VPNƒCƒ“ƒ^ƒtƒF[ƒX‚Æ‚ĩ‚ÄTUN‚ðŽw’č(ƒfƒtƒHƒ‹ƒg)

dh dh.pem@Đ@DHƒpƒ‰ƒ[ƒ^ƒtƒ@ƒCƒ‹–ž‚ðŽw’č

server 10.8.0.0 255.255.255.0@Đ@VPNƒNƒ‰ƒCƒAƒ“ƒgŠ„“–‚ăAƒhƒŒƒX”͈͂Ƃĩ‚Ä10.8.0.0/24‚ðŽw’č(ƒfƒtƒHƒ‹ƒg)

;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"@Đ@’Į‰Á(LAN(—á:192.168.1.0/24)‚Ö‚Ėƒ‹[ƒg‚ðVPNƒT[ƒo[Œo—R‚É‚·‚é)

tls-auth ta.key 0 # This file is secret@Đ@s“Š‚Ė;‚ðíœ‚ĩ‚ăRƒƒ“ƒg‰ðœ(TLS”FØ—LŒø‰ŧ)

user nobody@Đ@s“Š‚Ė;‚ðíœ‚ĩ‚ăRƒƒ“ƒg‰ðœ(OpenVPNŽĀsŒ ŒĀ‚ð‰š‚°‚é)
group nobody@Đ@s“Š‚Ė;‚ðíœ‚ĩ‚ăRƒƒ“ƒg‰ðœ(OpenVPNŽĀsŒ ŒĀ‚ð‰š‚°‚é)

log-append  /var/log/openvpn.log@Đ@s“Š‚Ė;‚ðíœ‚ĩ‚ăRƒƒ“ƒg‰ðœ(ƒƒO‚ð/var/log/openvpn.log‚É‹L˜^‚·‚é)

management localhost 7505@Đ@ÅIs‚Ö’Į‰Á(ŠĮ—ƒCƒ“ƒ^ƒtƒF[ƒX‚Ė—LŒø‰ŧĶŒãq)

crl-verify crl.pem@Đ@ÅIs‚Ö’Į‰Á(Ø–ū‘”pŽ~ƒŠƒXƒg‚Ė—LŒø‰ŧ)

ÅIs‚ÖˆČ‰š‚ð’Į‰Á(OpenVPNŒo—R‚ÅSamba‚Ö‚ĖƒAƒNƒZƒX‚ŠƒGƒ‰[‚É‚Č‚éę‡)
i’jiPhone‚Đ‚įOpenVPN‚֐ڑą‚·‚éę‡AƒAƒvƒŠ‚ŠfragmentƒIƒvƒVƒ‡ƒ“–Ē‘Ήž‚Ė‚―‚߁AƒAƒvƒŠ‚Őڑą‚Í‚Å‚Ŧ‚é‚Šƒlƒbƒgƒ[ƒN‚ÖƒAƒNƒZƒX‚Å‚Ŧ‚Č‚­‚Č‚é‚Ė‚ʼnš‹LÝ’č‚͍s‚í‚Č‚Ē‚ą‚Æ
fragment 1280
mssfix 1280
link-mtu 1400

i‚UjVPNƒCƒ“ƒ^ƒtƒF[ƒX—pƒtƒ@ƒCƒAƒEƒH[ƒ‹ŽĐ“ŪÝ’č
[root@centos ~]# vi /etc/openvpn/openvpn-startup@Đ@OpenVPN‹N“ŪŽžŽĀsƒXƒNƒŠƒvƒgV‹KėŽ
#!/bin/bash

# VPNƒCƒ“ƒ^ƒtƒF[ƒXiptablesƒ‹[ƒ‹íœƒXƒNƒŠƒvƒgŽĀsĶ•K{
/etc/openvpn/openvpn-shutdown

# VPNƒT[ƒo[‚Đ‚į‚Ė‘—M‚ð‹–‰ÂĶ•K{
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT

# VPNƒNƒ‰ƒCƒAƒ“ƒg‚Đ‚įVPNƒT[ƒo[‚Ö‚ĖƒAƒNƒZƒX‚ð‹–‰Â‚·‚éę‡
iptables -I INPUT -i tun+ -j ACCEPT

# VPNƒNƒ‰ƒCƒAƒ“ƒg‚Đ‚įLAN‚Ö‚ĖƒAƒNƒZƒX‚ð‹–‰Â‚·‚éę‡
# (—á‚Æ‚ĩ‚ÄVPNƒNƒ‰ƒCƒAƒ“ƒg‚Đ‚į192.168.1.0/24‚Ö‚ĖƒAƒNƒZƒX‚ð‹–‰Â‚·‚éę‡)
# Ķ192.168.1.0/24‘Ī‚ĖŠe’[––‚Ėƒtƒ@ƒCƒAƒEƒH[ƒ‹“™‚ÅVPNƒNƒ‰ƒCƒAƒ“ƒg(10.8.0.0/24)‚Đ‚į‚ĖƒAƒNƒZƒX‚ð‹–‰Â‚·‚é‚ą‚Æ
iptables -I FORWARD -i tun+ -d 192.168.1.0/24 -j ACCEPT

# VPNƒNƒ‰ƒCƒAƒ“ƒg‚Đ‚įLAN“ā“Á’čƒ}ƒVƒ“‚Ė‚Ý‚Ö‚ĖƒAƒNƒZƒX‚ð‹–‰Â‚·‚éę‡
# (—á‚Æ‚ĩ‚ÄVPNƒNƒ‰ƒCƒAƒ“ƒg‚Đ‚į192.168.1.30‚Ö‚ĖƒAƒNƒZƒX‚ð‹–‰Â‚·‚éę‡)
# Ķ192.168.1.30‘Ī‚Ėƒtƒ@ƒCƒAƒEƒH[ƒ‹“™‚ÅVPNƒNƒ‰ƒCƒAƒ“ƒg(10.8.0.0/24)‚Đ‚į‚ĖƒAƒNƒZƒX‚ð‹–‰Â‚·‚é‚ą‚Æ
iptables -I FORWARD -i tun+ -d 192.168.1.30 -j ACCEPT

[root@centos ~]# chmod +x /etc/openvpn/openvpn-startup@Đ@OpenVPN‹N“ŪŽžŽĀsƒXƒNƒŠƒvƒg‚ÖŽĀsŒ ŒĀ•t‰Á

i‚VjVPNƒCƒ“ƒ^ƒtƒF[ƒX—pƒtƒ@ƒCƒAƒEƒH[ƒ‹ŽĐ“ŪÝ’č‰ðœ
[root@centos ~]# vi /etc/openvpn/openvpn-shutdown@Đ@OpenVPN’âŽ~ŽžŽĀsƒXƒNƒŠƒvƒgV‹KėŽ
#!/bin/bash

# VPNƒCƒ“ƒ^ƒtƒF[ƒX(tun+)—piptablesƒ‹[ƒ‹íœŠÖ”
delete() {
    rule_number=`iptables -L $target --line-numbers -n -v|grep tun.|awk '{print $1}'|sort -r`
    for num in $rule_number
    do
        iptables -D $target $num
    done
}

# VPNƒCƒ“ƒ^ƒtƒF[ƒX(tun+)—piptablesŽóMƒ‹[ƒ‹íœ
target='INPUT'
delete

# VPNƒCƒ“ƒ^ƒtƒF[ƒX(tun+)—piptables“]‘—ƒ‹[ƒ‹íœ
target='FORWARD'
delete

# VPNƒCƒ“ƒ^ƒtƒF[ƒX(tun+)—piptables‘—Mƒ‹[ƒ‹íœ
target='OUTPUT'
delete

[root@centos ~]# chmod +x /etc/openvpn/openvpn-shutdown@Đ@OpenVPN’âŽ~ŽžŽĀsƒXƒNƒŠƒvƒg‚ÖŽĀsŒ ŒĀ•t‰Á

i‚WjOpenVPNƒƒOƒ[ƒe[ƒVƒ‡ƒ“Ý’č
[root@centos ~]# vi /etc/logrotate.d/openvpn@Đ@OpenVPNƒƒOƒ[ƒe[ƒVƒ‡ƒ“Ý’čƒtƒ@ƒCƒ‹V‹KėŽ
/var/log/openvpn.log {
    missingok
    notifempty
    sharedscripts
    postrotate
        systemctl restart openvpn 2>&1 > /dev/null || true
    endscript
}

■Starting OpenVPN (server side)

(1) Start OpenVPN
[root@centos ~]# vi /etc/rc.d/init.d/openvpn ← edit the OpenVPN init script
        echo 1 > /proc/sys/net/ipv4/ip_forward ← remove the leading # to uncomment (enable packet forwarding)

[root@centos ~]# systemctl daemon-reload ← apply the init script change ※CentOS 7 only

[root@centos ~]# /etc/rc.d/init.d/openvpn start ← start OpenVPN

[root@centos ~]# chkconfig openvpn on ← start OpenVPN automatically at boot

i‚QjUDP1194”Ôƒ|[ƒgŠJ•ú
yƒ‹[ƒ^[z
ƒ‹[ƒ^[‘Ī‚ĖÝ’č‚ŁAUDP1194”Ôƒ|[ƒg‚Ö‚ĖƒAƒNƒZƒX‚ðƒT[ƒo[‚É“]‘—‚·‚é‚æ‚Ī‚É‚·‚éB
Ķƒ‹[ƒ^[‚ĖÝ’č‚ÍŠeƒ‹[ƒ^[‚Ėƒ}ƒjƒ…ƒAƒ‹‚Ü‚―‚̓[ƒJ[•Ęƒ‹[ƒ^[ƒ|[ƒgŠJ•úŽč‡‚ðŽQÆ

yƒtƒ@ƒCƒAƒEƒH[ƒ‹z
ƒT[ƒo[‘Ī‚Ėƒtƒ@ƒCƒAƒEƒH[ƒ‹Ý’č‚ŁAUDP1194”Ôƒ|[ƒg‚Ö‚ĖƒAƒNƒZƒX‚ð‹–‰Â‚·‚é‚æ‚Ī‚É‚·‚éB
ƒT[ƒo[‘Ī‚Ėƒtƒ@ƒCƒAƒEƒH[ƒ‹Ý’č‚ŁAVPNƒCƒ“ƒ^ƒtƒF[ƒX—pƒtƒ@ƒCƒAƒEƒH[ƒ‹‚ðÝ’č‚·‚éB
Ķƒtƒ@ƒCƒAƒEƒH[ƒ‹Ý’č‚Í‚ą‚ŋ‚į‚ðŽQÆ

ƒ|[ƒgŠJ•úŠm”Fƒc[ƒ‹‚ŁuIPv‚ɃT[ƒo[–ž(—á:centossrv.com)Auƒ|[ƒg”ԍ†v‚É1194‚Æ“ü—́AuUDPv‚ð‘I‘ð‚ĩ‚āuŠm”Fvƒ{ƒ^ƒ“‚ð‰Ÿ‰š‚ĩAƒ|[ƒg‚ÍŠJ•ú‚ģ‚ę‚Ä‚Ē‚Ü‚·‚Æ•\ŽĶ‚ģ‚ę‚é‚ą‚Æ‚ðŠm”FB

i‚Rjƒ‹[ƒ^[‚ÉVPNƒT[ƒo[‚ð’Į‰ÁĶVPNƒT[ƒo[‚Šƒ‹[ƒ^[‚Ėę‡‚ÍŽĀŽ{•s—v
ƒ‹[ƒ^[‘Ī‚ŁAˆķæ‚ŠVPN(—á:10.8.0.0/24)‚ĖƒAƒNƒZƒX‚ÍVPNƒT[ƒo[(—á:192.168.1.30)‚ðŒo—R‚·‚é‚æ‚Ī‚Ƀ‹[ƒg‚ð’Į‰Á‚·‚éB
Ķƒ‹[ƒ^[‚ĖÝ’č‚ÍŠeƒ‹[ƒ^[‚Ėƒ}ƒjƒ…ƒAƒ‹‚ðŽQÆ
Ķƒ‹[ƒ^[‚ŠLinux‚Ėę‡‚ĖÝ’č‚ÍˆČ‰š‚ðŽQÆ
[root@Router ~]# echo "any net 10.8.0.0 netmask 255.255.255.0 gw 192.168.1.30" >> /etc/sysconfig/static-routes@Đ@10.8.0.0/24Œü‚Ŋƒ‹[ƒg‚ð192.168.1.30Œo—R‚Æ‚·‚éÝ’č‚ð’Į‰Á

[root@Router ~]# /etc/rc.d/init.d/network reload@Đ@ƒlƒbƒgƒ[ƒNÄ‹N“Ū(ã‹Lƒ‹[ƒgÝ’č”―‰f)

[root@Router ~]# route@Đ@ƒ‹[ƒg’Į‰ÁŠm”F
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
EEEE
10.8.0.0        192.168.1.30    255.255.255.0   UG    0      0        0 eth0@Đ@’Į‰Á‚ģ‚ę‚―ƒ‹[ƒg
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
EEEE


■OpenVPN installation (client side)

(1) OpenVPN installation (Windows)
Download the "Installer" from the OpenVPN download page and install it.

(2) OpenVPN installation (iPhone)
Install OpenVPN Connect.


■OpenVPN configuration (client side)

(1) Create a client certificate and private key (with passphrase) ※done on the server
For an iPhone, OpenVPN Connect does not support passphrase-protected keys, so use "(2) Create a client certificate and private key (without passphrase)" below instead.
[root@centos ~]# cd /etc/openvpn/easyrsa3/ ← move to the easyrsa3 directory

[root@centos easyrsa3]# ./easyrsa build-client-full client1 ← create the certificate and private key (with passphrase) for the client named client1※
※The client name must be unique (it must not duplicate an already created client name)
Generating a 2048 bit RSA private key
.............+++
......................+++
writing new private key to '/etc/openvpn/easyrsa3/pki/private/client1.key'
Enter PEM pass phrase: ← enter a passphrase of your choice
Verifying - Enter PEM pass phrase: ← enter the passphrase again (confirmation)
-----
Using configuration from /etc/openvpn/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easyrsa3/pki/private/ca.key: ← enter the CA private key passphrase
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'client1'
Certificate is to be certified until Aug 16 08:18:16 2024 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

(2) Create a client certificate and private key (without passphrase) ※done on the server
For an iPhone, OpenVPN Connect does not support passphrase-protected keys, so create the client certificate and private key without a passphrase.
[root@centos ~]# cd /etc/openvpn/easyrsa3/ ← move to the easyrsa3 directory

[root@centos easyrsa3]# ./easyrsa build-client-full client1 nopass ← create the certificate and private key (without passphrase) for the client named client1※
※The client name must be unique (it must not duplicate an already created client name)
Generating a 2048 bit RSA private key
.............................................+++
...........+++
writing new private key to '/etc/openvpn/easyrsa3/pki/private/client1.key'
-----
Using configuration from /etc/openvpn/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easyrsa3/pki/private/ca.key: ← enter the CA private key passphrase
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'client1'
Certificate is to be certified until Jul 10 12:52:28 2024 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

i‚RjOpenVPNÝ’č
ƒT[ƒo[ã‚É‚ ‚éƒNƒ‰ƒCƒAƒ“ƒgÝ’čƒtƒ@ƒCƒ‹ƒTƒ“ƒvƒ‹(/usr/share/doc/openvpn-*/sample/sample-config-files/client.conf)‚ðƒRƒs[‚ĩ‚ÄˆČ‰š‚Ė‚Æ‚Ļ‚č‚É•ŌW‚ĩAƒNƒ‰ƒCƒAƒ“ƒg‘Ī‚É”z•z‚·‚éB

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
;remote my-server-2 1194
remote centossrv.com 1194@Đ@VPNƒT[ƒo[–ž‚ðŽw’č

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert client1.crt@Đ@ƒNƒ‰ƒCƒAƒ“ƒgØ–ū‘ƒtƒ@ƒCƒ‹–ž‚ðŽw’č
key client1.key@Đ@ƒNƒ‰ƒCƒAƒ“ƒg”é–§ŒŪƒtƒ@ƒCƒ‹–ž‚ðŽw’č

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server
remote-cert-tls server@Đ@’Į‰Á("Man-in-the-Middle"UŒ‚‘΍ô)

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1@Đ@s“Š‚Ė;‚ðíœ‚ĩ‚ăRƒƒ“ƒg‰ðœ(TLS”FØ—LŒø‰ŧ)

ÅIs‚ÖˆČ‰š‚ð’Į‰Á(OpenVPNŒo—R‚ÅSamba‚Ö‚ĖƒAƒNƒZƒX‚ŠƒGƒ‰[‚É‚Č‚éę‡)
i’jƒT[ƒo[‘Ī‚Őݒč‚ĩ‚―ę‡‚Ė‚ݐݒ肷‚é‚ą‚Æ
fragment 1280
mssfix 1280
link-mtu 1400

i‚SjOpenVPNƒNƒ‰ƒCƒAƒ“ƒgƒZƒbƒgƒAƒbƒviWindows‚Ėę‡j
ƒT[ƒo[‘Ī‚Đ‚į‰š‹Lƒtƒ@ƒCƒ‹‚ðƒNƒ‰ƒCƒAƒ“ƒg‘Ī‚ÖUSBƒƒ‚ƒŠ“™‚Ė‰Â”Ā”}‘ĖŒo—R‚Ü‚―‚́ASCP“™‚ĖˆÃ†‰ŧ‚ģ‚ę‚―ƒlƒbƒgƒ[ƒNŒo—R“™‚ĖˆĀ‘S‚ČŒo˜H‚ÅŽ‚ŋž‚݁AÝ’čƒtƒ@ƒCƒ‹Ši”[ƒtƒHƒ‹ƒ_(C:\Program Files\OpenVPN\config)‚ÖŠi”[‚·‚éB
  • CAØ–ū‘(/etc/openvpn/ca.crt)
  • ƒNƒ‰ƒCƒAƒ“ƒgØ–ū‘(/etc/openvpn/easyrsa3/pki/issued/client1.crt)
  • ƒNƒ‰ƒCƒAƒ“ƒg”é–§ŒŪ(/etc/openvpn/easyrsa3/pki/private/client1.key)
  • TLS”FØŒŪ(/etc/openvpn/ta.key)
ƒNƒ‰ƒCƒAƒ“ƒgÝ’čƒtƒ@ƒCƒ‹(client.conf)‚ðclient.ovpn‚Æ‚Ē‚Ī–ž‘O‚Őݒčƒtƒ@ƒCƒ‹Ši”[ƒtƒHƒ‹ƒ_(C:\Program Files\OpenVPN\config)‚ÖŠi”[‚·‚éB

i‚TjOpenVPNƒNƒ‰ƒCƒAƒ“ƒgƒZƒbƒgƒAƒbƒviiPhone‚Ėę‡j
ƒT[ƒo[‘Ī‚Đ‚į‰š‹Lƒtƒ@ƒCƒ‹‚ðWindowsã‚ÖUSBƒƒ‚ƒŠ“™‚Ė‰Â”Ā”}‘ĖŒo—R‚Ü‚―‚́ASCP“™‚ĖˆÃ†‰ŧ‚ģ‚ę‚―ƒlƒbƒgƒ[ƒNŒo—R“™‚ĖˆĀ‘S‚ČŒo˜H‚ÅŽ‚ŋž‚݁AiTunesŒo—R‚ÅiPhone‚ÖŠi”[‚·‚éB
  • CAØ–ū‘(/etc/openvpn/ca.crt)
  • ƒNƒ‰ƒCƒAƒ“ƒgØ–ū‘(/etc/openvpn/easyrsa3/pki/issued/client1.crt)
  • ƒNƒ‰ƒCƒAƒ“ƒg”é–§ŒŪ(/etc/openvpn/easyrsa3/pki/private/client1.key)
  • TLS”FØŒŪ(/etc/openvpn/ta.key)
ƒNƒ‰ƒCƒAƒ“ƒgÝ’čƒtƒ@ƒCƒ‹(client.conf)‚ðclient.ovpn‚Æ‚Ē‚Ī–ž‘O‚ÅiTunesŒo—R‚ÅiPhone‚ÖŠi”[‚·‚éB

■Checking OpenVPN ※done on the client

(1) Connect to the VPN
【Windows】
Start menu → "All Programs" → "OpenVPN" → right-click "OpenVPN GUI" → "Properties" → "Compatibility" tab → tick "Run this program as an administrator" → "OK" ※only once, right after installation
Start menu → "All Programs" → "OpenVPN" → click "OpenVPN GUI"

Double-click the OpenVPN GUI icon in the taskbar

Enter the passphrase ※the passphrase given when the client certificate was created

Confirm that the OpenVPN GUI icon turns yellow (connecting) and then green (connected)

【iPhone】
Launch the OpenVPN app
(screenshot not included)

Press the ＋ button to load the profile
(screenshot not included)

Slide ○ to connect to the VPN server
(screenshot not included)

Confirm that the status reads Connected and "VPN" is shown at the top of the screen

i‚QjVPN‘a’ĘŠm”F
yWindows‚Ėę‡z
yVPNƒT[ƒo[‚ÖƒAƒNƒZƒX‚ð‹–‰Â‚ĩ‚Ä‚Ē‚éę‡z
C:\>ping 192.168.1.30@Đ@VPNƒNƒ‰ƒCƒAƒ“ƒg‚Đ‚įVPNƒT[ƒo[(—á:192.168.1.30)‚Öping‚Š’Ę‚é‚ą‚Æ

Pinging 192.168.1.30 with 32 bytes of data:

Reply from 192.168.1.30: bytes=32 time=283ms TTL=64
Reply from 192.168.1.30: bytes=32 time=272ms TTL=64
Reply from 192.168.1.30: bytes=32 time=266ms TTL=64
Reply from 192.168.1.30: bytes=32 time=271ms TTL=64

Ping statistics for 192.168.1.30:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 266ms, Maximum = 283ms, Average = 273ms

【If access to the LAN is allowed】
C:\>ping 192.168.1.3 ← ping from the VPN client to another server on the LAN (e.g. 192.168.1.3) must succeed

Pinging 192.168.1.3 with 32 bytes of data:

Reply from 192.168.1.3: bytes=32 time=1485ms TTL=62
Reply from 192.168.1.3: bytes=32 time=262ms TTL=62
Reply from 192.168.1.3: bytes=32 time=255ms TTL=62
Reply from 192.168.1.3: bytes=32 time=260ms TTL=62

Ping statistics for 192.168.1.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 255ms, Maximum = 1485ms, Average = 565ms

【iPhone】
Install and launch Network Ping Lite by MochaSoft
(screenshot not included)

Ping
(screenshot not included)

【If access to the VPN server is allowed】
Enter the VPN server's private IP address (e.g. 192.168.1.3) and tap "Start"
(screenshot not included)

【If access to the LAN is allowed】
Enter the private IP address of another server on the LAN (e.g. 192.168.1.5) and tap "Start"

(3) Disconnect from the VPN
【Windows】
Double-click the OpenVPN GUI icon in the taskbar and press the Disconnect button

【iPhone】
Slide Ｉ to disconnect from the VPN server
(screenshot not included)

Confirm that the status reads Disconnected and the "VPN" indicator at the top of the screen disappears

■Allowing access from VPN clients

VPN clients communicate using the virtual VPN addresses (10.8.0.0/24), so on every host that VPN clients should reach, configure the firewall and each application's access controls to allow access from the VPN client addresses (10.8.0.0/24).

(1) To allow VPN clients to access Samba
[root@centos ~]# vi /etc/samba/smb.conf ← edit the Samba configuration file
   hosts allow = 192.168.1. 127. 10.8.0. ← add the VPN network to the allowed addresses

[root@centos ~]# systemctl restart smb ← restart Samba ※CentOS 7
[root@centos ~]# /etc/rc.d/init.d/smb restart ← restart Samba ※CentOS 6

(2) To exempt VPN clients from TCP Wrapper access restrictions
[root@centos ~]# echo "ALL: 10.8.0." >> /etc/hosts.allow ← allow access from 10.8.0.X

■Assigning a fixed IP address to a VPN client

When connecting into a company LAN from outside, for example, you may want to restrict what each VPN client can reach. In that case, assign each VPN client a fixed IP address and restrict the destinations per IP address with the firewall.

As an example, assign the fixed IP address 10.8.0.5 to the client named client1 and allow 10.8.0.5 to reach 192.168.1.3 only.

(1) OpenVPN configuration
[root@centos ~]# vi /etc/openvpn/server.conf ← edit the OpenVPN configuration file
client-config-dir ccd ← remove the leading ; to uncomment (enable the per-client configuration directory)

[root@centos ~]# mkdir /etc/openvpn/ccd ← create the per-client configuration directory

[root@centos ~]# /etc/rc.d/init.d/openvpn restart ← restart OpenVPN

(2) Assign the fixed IP address to client1
[root@centos ~]# vi /etc/openvpn/ccd/client1 ← create the configuration file for client1
ifconfig-push 10.8.0.5 10.8.0.6 ← assign the fixed IP address 10.8.0.5※
※The last octets 5 and 6 of 10.8.0.5 and 10.8.0.6 must be taken from one of the pairs below (for example, specifying 10.8.0.9 and 10.8.0.10 assigns 10.8.0.9)
However, the pair 10.8.0.1 and 10.8.0.2 belongs to the VPN server and must not be used

[ 1, 2] [ 5, 6] [ 9, 10] [ 13, 14] [ 17, 18]
[ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
[ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
[ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
[ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
[101,102] [105,106] [109,110] [113,114] [117,118]
[121,122] [125,126] [129,130] [133,134] [137,138]
[141,142] [145,146] [149,150] [153,154] [157,158]
[161,162] [165,166] [169,170] [173,174] [177,178]
[181,182] [185,186] [189,190] [193,194] [197,198]
[201,202] [205,206] [209,210] [213,214] [217,218]
[221,222] [225,226] [229,230] [233,234] [237,238]
[241,242] [245,246] [249,250] [253,254]


i‚Rjclient1—pƒtƒ@ƒCƒAƒEƒH[ƒ‹Ý’č
[root@centos ~]# iptables -I FORWARD -i tun+ -s 10.8.0.5 -d 192.168.1.3 -j ACCEPT@Đ@10.8.0.5‚Đ‚į192.168.1.3‚Ö‚ĖƒAƒNƒZƒX‚ð‹–‰Â

[root@centos ~]# echo "iptables -I FORWARD -i tun+ -s 10.8.0.5 -d 192.168.1.3 -j ACCEPT" >> /etc/openvpn/openvpn-startup@Đ@ã‹Lƒtƒ@ƒCƒAƒEƒH[ƒ‹Ý’č‚ðOpenVPN‹N“ŪŽžŽĀsƒXƒNƒŠƒvƒg‚Ö’Į‰Á

‚ą‚ę‚ŁAclient1‚ĖØ–ū‘‚ðŽg—p‚ĩ‚ÄVPNÚ‘ą‚ĩ‚―ƒNƒ‰ƒCƒAƒ“ƒg‚ɂ͌ŒčIPƒAƒhƒŒƒX10.8.0.5‚ŠŠ„“–‚Ä‚į‚ęALAN“ā‚Ė192.168.1.3‚Ö‚Ė‚݃AƒNƒZƒX‚Š‚Å‚Ŧ‚é‚æ‚Ī‚É‚Č‚éB
‚Č‚ĻAƒNƒ‰ƒCƒAƒ“ƒgÝ’čƒtƒ@ƒCƒ‹‚Š‘ķÝ‚ĩ‚Č‚Ēę‡‚ÍVPNƒT[ƒo[‚Š‹ó‚ŦIPƒAƒhƒŒƒX‚ðŠ„“–‚Ä‚é‚Ė‚ŁAŒÅ’č^”ņŒÅ’荮Ý‚Š‰Â”\B

■Removing a VPN client

If for some reason (the VPN connection is no longer needed, the certificate passphrase was forgotten※, etc.) you want to block VPN connections from a particular VPN client, revoke the client certificate that client is using.
※A certificate can be re-created under a revoked client name, so if the passphrase has been forgotten, revoke the certificate and then create a new client certificate with the same client name

(1) Revoke the client certificate
Revoke the client certificate so that VPN connections using that certificate are no longer possible.
[root@centos ~]# cd /etc/openvpn/easyrsa3/ ← move to the easyrsa3 directory

[root@centos easyrsa3]# ./easyrsa revoke client1 ← revoke client1's client certificate


Please confirm you wish to revoke the certificate with the following subject:

subject=
    commonName                = client1


Type the word 'yes' to continue, or any other input to abort.
  Continue with revocation: yes
Using configuration from /etc/openvpn/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easyrsa3/pki/private/ca.key: ← enter the CA private key passphrase
Revoking Certificate 03.
Data Base Updated

IMPORTANT!!!

Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.

[root@centos easyrsa3]# rm -f /etc/openvpn/easyrsa3/pki/issued/client1.crt ← delete the client1 certificate files

[root@centos easyrsa3]# rm -f /etc/openvpn/easyrsa3/pki/private/client1.key ← delete the client1 certificate files

[root@centos easyrsa3]# rm -f /etc/openvpn/easyrsa3/pki/reqs/client1.req ← delete the client1 certificate files

[root@centos easyrsa3]# ./easyrsa gen-crl ← regenerate the certificate revocation list
Using configuration from /etc/openvpn/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easyrsa3/pki/private/ca.key:

An updated CRL has been created.
CRL file: /etc/openvpn/easyrsa3/pki/crl.pem

[root@centos easyrsa3]# /bin/cp /etc/openvpn/easyrsa3/pki/crl.pem /etc/openvpn/ ← copy the CRL to the OpenVPN configuration directory

[root@centos easyrsa3]# chmod o+r /etc/openvpn/crl.pem ← grant read permission on the CRL

[root@centos easyrsa3]# cd ← leave the easyrsa3 directory

(2) Forcibly disconnect a connected client
Revoking the client certificate does not affect a session that is already established; that client can keep communicating, so to cut it off as well, disconnect it as follows.
[root@centos ~]# telnet localhost 7505 ← open the OpenVPN management interface
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
status ← show the VPN connection status
OpenVPN CLIENT LIST
Updated,Tue Nov 28 19:28:49 2006
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,124.211.3.180:1617,6882,7144,Tue Nov 28 19:26:53 2006 ← client1 is connected
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.253,client1,124.211.3.180:1617,Tue Nov 28 19:28:41 2006
GLOBAL STATS
Max bcast/mcast queue length,0
END
kill client1 ← forcibly disconnect client1
SUCCESS: common name 'client1' found, 1 client(s) killed
status ← show the VPN connection status again
OpenVPN CLIENT LIST
Updated,Tue Nov 28 19:29:05 2006
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
GLOBAL STATS
Max bcast/mcast queue length,0
END
exit ← leave the OpenVPN management interface
Connection closed by foreign host.
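As an added example that is not part of the original page, these bash functions (assumed names connected_clients, is_connected and virtual_address) parse the CSV status output of the management interface shown above, so that after a revoke and kill a script can confirm the client is really gone rather than relying on a visual check; the sample status text is constructed from the transcript on this page with a second client added.

```shell
#!/bin/bash
# Added example, not from the original page: parse the "status" output of
# the OpenVPN management interface (format as in the transcript above).

# Constructed sample, modelled on the transcript on this page.
SAMPLE_STATUS='OpenVPN CLIENT LIST
Updated,Tue Nov 28 19:28:49 2006
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,124.211.3.180:1617,6882,7144,Tue Nov 28 19:26:53 2006
client2,198.51.100.7:40211,120,96,Tue Nov 28 19:27:10 2006
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.253,client1,124.211.3.180:1617,Tue Nov 28 19:28:41 2006
GLOBAL STATS
Max bcast/mcast queue length,0
END'

# connected_clients STATUS_TEXT -> one common name per line, taken only
# from the CLIENT LIST section (the "Updated" line has 2 fields and the
# header row is skipped by name, so only client rows remain)
connected_clients() {
    printf '%s\n' "$1" | awk -F, '
        /^OpenVPN CLIENT LIST/ { in_list = 1; next }
        /^ROUTING TABLE/       { in_list = 0 }
        in_list && NF == 5 && $1 != "Common Name" { print $1 }'
}

# is_connected STATUS_TEXT NAME -> exit 0 if NAME is connected, 1 otherwise
is_connected() {
    connected_clients "$1" | grep -qx -- "$2"
}

# virtual_address STATUS_TEXT NAME -> the VPN address the server gave NAME
# (from the ROUTING TABLE section); prints nothing if NAME has none
virtual_address() {
    printf '%s\n' "$1" | awk -F, -v name="$2" '
        /^ROUTING TABLE/ { in_rt = 1; next }
        /^GLOBAL STATS/  { in_rt = 0 }
        in_rt && $2 == name { print $1 }'
}
```

In practice the status text would come from a `status` command sent to localhost 7505 as in the transcript; a non-empty is_connected result after revoking a certificate means a kill is still required.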

■Updating OpenVPN

[root@centos ~]# wget http://swupdate.openvpn.org/community/releases/openvpn-2.4.3.tar.gz ← download OpenVPN

※Check the download page for the URL of the latest version

[root@centos ~]# rpmbuild -tb --clean openvpn-2.4.3.tar.gz ← build the OpenVPN RPM package

[root@centos ~]# yum -y localinstall ~/rpmbuild/RPMS/x86_64/openvpn-2.4.3-1.x86_64.rpm ← install the OpenVPN RPM package just built

[root@centos ~]# rm -f ~/rpmbuild/RPMS/x86_64/openvpn-* ← delete the built OpenVPN RPM package

[root@centos ~]# rm -f openvpn-2.4.3.tar.gz ← delete the downloaded file

[root@centos ~]# vi /etc/rc.d/init.d/openvpn ← edit the OpenVPN init script
        echo 1 > /proc/sys/net/ipv4/ip_forward ← remove the leading # to uncomment (enable packet forwarding)

[root@centos ~]# systemctl daemon-reload ← apply the init script change ※CentOS 7 only

[root@centos ~]# /etc/rc.d/init.d/openvpn restart ← restart OpenVPN







Copyright© 2005-2017 fallenangels, All rights reserved.