Metaphorical Dream

OpenVPN setup, part 2


Here's the continuation; enjoy.

4-1. Preparing the certificate authority
(Having fiddled with OpenSSL back when I set up WPA, I've gotten pretty comfortable running a CA by now.)

vi /etc/openvpn/easy-rsa/vars

~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
Near the bottom of the file

export KEY_COUNTRY="JP"①
export KEY_PROVINCE="Tokyo"②
export KEY_CITY="Shinagawa"③
export KEY_ORG="t.com"④
export KEY_EMAIL="a@t.com"⑤
~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
① = country name
② = prefecture / state name
③ = city name
④ = company (organization) name
⑤ = e-mail address


4-2. Setting up the certificate authority

cd /etc/openvpn/easy-rsa/
. ./vars
./build-ca

# If the commands above complain at you, run this ↓
rm -rf /etc/openvpn/easy-rsa/keys
./clean-all

~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
Generating a 1024 bit RSA private key
....++++++
.............++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:①
State or Province Name (full name) [Tokyo]:②
Locality Name (eg, city) [Shinagawa]:③
Organization Name (eg, company) [t.com]:④
Organizational Unit Name (eg, section) []:⑤
Common Name (eg, your name or your server's hostname) [t.com CA]:⑥
Email Address [a@t.com]:⑦
~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~

①~④ = hit Enter repeatedly
⑤ = Enter, or any string (e.g. a department name if this is for a company)
⑥~⑦ = hit Enter repeatedly
(Well, no need to hammer it; pressing once is enough (lol))


4-3. Creating the server certificate

. ./vars
./build-key-server server

# Enter "server" as the argument
# Or any server name you like, as long as it matches the Common Name

~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
Generating a 1024 bit RSA private key
..............................++++++
.....................++++++
writing new private key to 'linux3.md.jp.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:①
State or Province Name (full name) [Tokyo]:②
Locality Name (eg, city) [Shinagawa]:③
Organization Name (eg, company) [t.com]:④
Organizational Unit Name (eg, section) []:⑤
Common Name (eg, your name or your server's hostname) [server]:⑥
Email Address [a@t.com]:⑦

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:⑧
An optional company name []:⑨
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'JP'
stateOrProvinceName :PRINTABLE:'Tokyo'
localityName :PRINTABLE:'Shinagawa'
organizationName :PRINTABLE:'t.com'
organizationalUnitName:PRINTABLE:''
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'a@t.com'
Certificate is to be certified until Jul 5 07:38:34 2017 GMT (3650 days)
Sign the certificate? [y/n]:y⑩


1 out of 1 certificate requests certified, commit? [y/n]y⑪
Write out database with 1 new entries
Data Base Updated
~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
①~④ = hit Enter repeatedly
⑤ = Enter, or any string (e.g. a department name if this is for a company)
⑥~⑨ = hit Enter repeatedly
⑩~⑪ = enter "y"


4-4. Generating Diffie-Hellman (DH) parameters

./build-dh

~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.....................................+.....................................
...........................................................................
......++*++*++*
~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
# This takes a while, depending on the machine's specs.


4-5. Creating the client certificate

. ./vars
./build-key-pass client1

# Enter "client1" as the argument
# Or any client name you like, as long as it matches the Common Name

~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
Generating a 1024 bit RSA private key
....................................++++++
....................++++++
writing new private key to 'metaphor-v1.key'
Enter PEM pass phrase:A1
Verifying - Enter PEM pass phrase:A2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:①
State or Province Name (full name) [Tokyo]:②
Locality Name (eg, city) [Shinagawa]:③
Organization Name (eg, company) [t.com]:④
Organizational Unit Name (eg, section) []:⑤
Common Name (eg, your name or your server's hostname) [client1]:⑥
Email Address [a@t.com]:⑦

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:⑧
An optional company name []:⑨
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'JP'
stateOrProvinceName :PRINTABLE:'Tokyo'
localityName :PRINTABLE:'Shinagawa'
organizationName :PRINTABLE:'t.com'
organizationalUnitName:PRINTABLE:''
commonName :PRINTABLE:'client1'
emailAddress :IA5STRING:'a@t.com'
Certificate is to be certified until Jul 5 07:38:34 2017 GMT (3650 days)
Sign the certificate? [y/n]:y⑩


1 out of 1 certificate requests certified, commit? [y/n]y⑪
Write out database with 1 new entries
Data Base Updated
~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
A1~A2 = enter the passphrase for client1
①~④ = hit Enter repeatedly
⑤ = Enter, or any string (e.g. a department name if this is for a company)
⑥~⑨ = hit Enter repeatedly
⑩~⑪ = enter "y"


4-6. Exporting what's needed
# The client needs the following files

/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/client.crt
/etc/openvpn/easy-rsa/keys/client.key

# Copy these files to the client PC
# How you copy them is up to you. (I just can't be bothered to write it up.)
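Before copying those three files over, it's worth checking that they actually belong together. This is an added example, not from the original post: a small POSIX sh function (it needs the openssl command) that checks that the client cert chains to ca.crt, that the key matches the cert, and that the CN is the name passed to build-key-pass; the file paths in the usage comment are assumed.

```shell
# check_client_bundle CA_CRT CLIENT_CRT CLIENT_KEY EXPECTED_CN
# Returns 0 only if CLIENT_CRT is signed by CA_CRT, CLIENT_KEY belongs to it,
# and its Common Name is EXPECTED_CN (the name given to build-key-pass).
# Example (paths assumed; keys/ is where easy-rsa writes its output):
#   check_client_bundle /etc/openvpn/easy-rsa/keys/ca.crt \
#       /etc/openvpn/easy-rsa/keys/client1.crt \
#       /etc/openvpn/easy-rsa/keys/client1.key client1
check_client_bundle() {
    ca=$1; crt=$2; key=$3; want_cn=$4

    # 1. Does the certificate chain to our CA? Grep for the "<file>: OK" line
    #    rather than trusting the exit status of older openssl versions.
    openssl verify -CAfile "$ca" "$crt" 2>/dev/null | grep -q ': OK$' \
        || { echo "FAIL: $crt is not signed by $ca"; return 1; }

    # 2. Does the private key belong to this certificate? Extract the public
    #    key from both and compare. An encrypted key (build-key-pass) prompts
    #    for its passphrase here.
    cert_pub=$(openssl x509 -noout -pubkey -in "$crt")
    key_pub=$(openssl pkey -pubout -in "$key")
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: $key does not match $crt"; return 1; }

    # 3. Is the CN the name we built the client as? A mismatch here means
    #    this is not the client you think it is.
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$crt" \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$want_cn" ] \
        || { echo "FAIL: CN is '$cn', expected '$want_cn'"; return 1; }

    # 4. The private key should be readable by its owner only (warn only).
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key" 2>/dev/null)
    case $mode in
        ''|*00) ;;
        *) echo "WARN: $key is mode $mode; chmod 600 it before copying" ;;
    esac
    echo "OK: $crt and $key match, CN=$cn, signed by $ca"
}
```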


4-7. Editing the startup script

# Embed OpenVPN start & stop commands into the script
# created in 2-3.

vi /etc/rc.d/init.d/vpn

~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
touch /var/lock/subsys/network


# Enable bridge mode
/etc/openvpn/bridge-start

# Start the OpenVPN server ①
/etc/openvpn/openvpn.init start②

;;
stop)

# Stop the OpenVPN server ③
/etc/openvpn/openvpn.init stop④

# Disable bridge mode
/etc/openvpn/bridge-stop


# If this is a final shutdown/halt, check for network FS,
# and unmount them even if the user didn't turn on netfs
~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
Add lines ①~④


Additional items

To use TLS authentication:

5-1. Creating ta.key
openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key

vi /etc/openvpn/server.conf

~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0①
~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
① = uncomment, specify the path to ta.key, and enter "0"

5-2. Copy "ta.key" to the client side
5-3. On the client side, uncomment, specify the path to ta.key, and enter "1"
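Why "0" on the server and "1" on the client? The ta.key file holds 256 bytes, i.e. two 128-byte slots of [64-byte cipher key][64-byte HMAC key]; direction 0 signs outgoing control packets with slot 0's HMAC key and checks incoming ones with slot 1's, direction 1 does the reverse, so the two sides only agree when their numbers differ. This added example (not from the original post; POSIX sh plus the openssl command) parses a ta.key file and simulates the HMAC exchange for a given pair of directions; the slot layout and the 20-byte SHA1 key length are as I understand OpenVPN's implementation, and the packet bytes are constructed.

```shell
# Hex body of a ta.key file: the 16 lines between the BEGIN/END markers, joined.
ta_hex() {
    sed -n '/^-----BEGIN OpenVPN Static key V1-----$/,/^-----END OpenVPN Static key V1-----$/p' "$1" \
        | grep -v '^-----' | tr -d '\n'
}

# hmac_key TA_KEY SLOT -> hex of the SHA1 HMAC key in slot 0 or 1.
# Each slot is 128 bytes (256 hex chars): cipher key first, HMAC key at byte 64;
# HMAC-SHA1 uses the first 20 bytes of that field (assumed layout, see lead-in).
hmac_key() {
    hex=$(ta_hex "$1")
    [ "${#hex}" -eq 512 ] || { echo "bad ta.key: $((${#hex} / 2)) bytes, want 256" >&2; return 1; }
    if [ "$2" -eq 0 ]; then printf '%s' "$hex" | cut -c129-168
    else                    printf '%s' "$hex" | cut -c385-424; fi
}

# HMAC-SHA1 tag (hex) of message $2 under hex key $1.
tag() { printf '%s' "$2" | openssl dgst -sha1 -mac HMAC -macopt hexkey:"$1" | sed 's/.*= //'; }

# exchange TA_KEY SERVER_DIR CLIENT_DIR -> "ok" if each side verifies the
# other's tag, "mismatch" otherwise. Direction d sends with slot d and
# receives with slot 1-d, which is why server and client must differ.
exchange() {
    ta=$1; sdir=$2; cdir=$3
    pkt='constructed control-channel packet'   # stand-in for a real packet
    s_send=$(hmac_key "$ta" "$sdir"); s_recv=$(hmac_key "$ta" $((1 - sdir)))
    c_send=$(hmac_key "$ta" "$cdir"); c_recv=$(hmac_key "$ta" $((1 - cdir)))
    if [ "$(tag "$s_send" "$pkt")" = "$(tag "$c_recv" "$pkt")" ] \
       && [ "$(tag "$c_send" "$pkt")" = "$(tag "$s_recv" "$pkt")" ]; then
        echo ok
    else
        echo mismatch   # OpenVPN would log an HMAC authentication failure and drop the packet
    fi
}
# e.g.  exchange /etc/openvpn/easy-rsa/keys/ta.key 0 1   -> ok
#       exchange /etc/openvpn/easy-rsa/keys/ta.key 0 0   -> mismatch
```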

by mdesign21 | 2007-07-10 22:45 | IT