Metaphorical Dream

July 10, 2007 ( 2 )

Building OpenVPN, Part 2


The rest follows below; enjoy.

4-1. Preparing the certificate authority
(I fiddled with OpenSSL when setting up WPA, so running a CA is starting to feel pretty routine by now.)

vi /etc/openvpn/easy-rsa/vars

~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
Near the bottom of the file

export KEY_COUNTRY="JP"①
export KEY_PROVINCE="Tokyo"②
export KEY_CITY="Shinagawa"③
export KEY_ORG="t.com"④
export KEY_EMAIL="a@t.com"⑤
~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
① = country
② = state / prefecture
③ = city
④ = company (organization) name
⑤ = e-mail address


4-2. Creating the CA

cd /etc/openvpn/easy-rsa/
. ./vars
./build-ca

# If the command above grumbles at you, do this ↓
rm -rf /etc/openvpn/easy-rsa/keys
./clean-all

~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
Generating a 1024 bit RSA private key
....++++++
.............++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:①
State or Province Name (full name) [Tokyo]:②
Locality Name (eg, city) [Shinagawa]:③
Organization Name (eg, company) [t.com]:④
Organizational Unit Name (eg, section) []:⑤
Common Name (eg, your name or your server's hostname) [t.com CA]:⑥
Email Address [a@t.com]:⑦
~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~

① to ④ = hit Enter repeatedly
⑤ = Enter, or any string (e.g. a department name if this is a company)
⑥ to ⑦ = hit Enter repeatedly
(Well, you don't really have to hammer it, one press each will do (lol))


4-3. Creating the server certificate

. ./vars
./build-key-server server

# Pass "server" as the argument
# Any server name works, as long as it matches the Common Name

~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
Generating a 1024 bit RSA private key
..............................++++++
.....................++++++
writing new private key to 'linux3.md.jp.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:①
State or Province Name (full name) [Tokyo]:②
Locality Name (eg, city) [Shinagawa]:③
Organization Name (eg, company) [t.com]:④
Organizational Unit Name (eg, section) []:⑤
Common Name (eg, your name or your server's hostname) [server]:⑥
Email Address [a@t.com]:⑦

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:⑧
An optional company name []:⑨
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'JP'
stateOrProvinceName :PRINTABLE:'Tokyo'
localityName :PRINTABLE:'Shinagawa'
organizationName :PRINTABLE:'t.com'
organizationalUnitName:PRINTABLE:''
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'a@t.com'
Certificate is to be certified until Jul 5 07:38:34 2017 GMT (3650 days)
Sign the certificate? [y/n]:y⑩


1 out of 1 certificate requests certified, commit? [y/n]y⑪
Write out database with 1 new entries
Data Base Updated
~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
① to ④ = hit Enter repeatedly
⑤ = Enter, or any string (e.g. a department name if this is a company)
⑥ to ⑨ = hit Enter repeatedly
⑩ to ⑪ = type "y"


4-4. Generating Diffie-Hellman (DH) parameters

./build-dh

~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.....................................+.....................................
...........................................................................
......++*++*++*
~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
# Takes a while depending on the machine's specs.


4-5. Creating the client certificate

. ./vars
./build-key-pass client1

# Pass "client1" as the argument
# Any client name works, as long as it matches the Common Name

~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
Generating a 1024 bit RSA private key
....................................++++++
....................++++++
writing new private key to 'metaphor-v1.key'
Enter PEM pass phrase:A1
Verifying - Enter PEM pass phrase:A2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:①
State or Province Name (full name) [Tokyo]:②
Locality Name (eg, city) [Shinagawa]:③
Organization Name (eg, company) [t.com]:④
Organizational Unit Name (eg, section) []:⑤
Common Name (eg, your name or your server's hostname) [client1]:⑥
Email Address [a@t.com]:⑦

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:⑧
An optional company name []:⑨
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'JP'
stateOrProvinceName :PRINTABLE:'Tokyo'
localityName :PRINTABLE:'Shinagawa'
organizationName :PRINTABLE:'t.com'
organizationalUnitName:PRINTABLE:''
commonName :PRINTABLE:'client1'
emailAddress :IA5STRING:'a@t.com'
Certificate is to be certified until Jul 5 07:38:34 2017 GMT (3650 days)
Sign the certificate? [y/n]:y⑩


1 out of 1 certificate requests certified, commit? [y/n]y⑪
Write out database with 1 new entries
Data Base Updated
~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
A1 to A2 = enter the passphrase for client1
① to ④ = hit Enter repeatedly
⑤ = Enter, or any string (e.g. a department name if this is a company)
⑥ to ⑨ = hit Enter repeatedly
⑩ to ⑪ = type "y"
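Before the keys directory built in 4-2 to 4-5 is wired into server.conf, it is worth checking what easy-rsa actually produced: that both certificates chain to ca.crt, that the Common Names are the ones passed to build-key-server and build-key-pass, that only the server certificate carries the server extension (so a client certificate can never be accepted as the server), that server.key belongs to server.crt, and that nothing is about to expire. The script below is an added example, not the post's or easy-rsa's code; it assumes only the openssl command-line tool and a POSIX shell. The make_scratch_pki function is a constructed stand-in for easy-rsa that builds a throw-away CA, server and client certificate with plain openssl commands so the checks can be tried offline; it is not what build-ca writes. Only the server key is compared with its certificate, because the client key from build-key-pass is passphrase-protected.

```shell
#!/bin/sh
# Added example (not from the post or easy-rsa): sanity-check the keys
# directory that build-ca / build-key-server / build-key-pass produced.
# Assumes only the openssl command-line tool and a POSIX shell.
set -u

# Does the certificate chain to ca.crt?  (exit status 0 = yes)
cert_chains_to_ca() {            # $1 = ca.crt  $2 = certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the Common Name of a certificate (the name OpenVPN logs for a peer).
cert_cn() {                      # $1 = certificate
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/^subject=//; s/.*CN=\([^,]*\).*/\1/p'
}

# Was the certificate issued for a server?  build-key-server signs with the
# "server" extension section (serverAuth EKU); build-key / build-key-pass do not.
cert_is_server() {               # $1 = certificate
    openssl x509 -noout -text -in "$1" | grep -q 'TLS Web Server Authentication'
}

# Does an (unencrypted) RSA private key belong to the certificate?
key_matches_cert() {             # $1 = key  $2 = certificate
    km=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    cm=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$km" ] && [ "$km" = "$cm" ]
}

# Is the certificate still valid for at least $2 more days?  (0 = yes)
cert_valid_for_days() {          # $1 = certificate  $2 = days
    openssl x509 -noout -checkend $(($2 * 86400)) -in "$1" >/dev/null 2>&1
}

# Run every check for one keys directory: returns 0 if all pass, 1 otherwise.
# Only the server key is compared with its certificate: the client key from
# build-key-pass is passphrase-protected and would prompt.
check_pki() {                    # $1 = keys dir  $2 = server CN  $3 = client CN
    d=$1; s=$2; c=$3; rc=0
    for f in ca.crt "$s.crt" "$s.key" "$c.crt" "$c.key"; do
        [ -r "$d/$f" ] || { echo "missing: $d/$f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    cert_chains_to_ca "$d/ca.crt" "$d/$s.crt" || { echo "$s.crt does not chain to ca.crt"; rc=1; }
    cert_chains_to_ca "$d/ca.crt" "$d/$c.crt" || { echo "$c.crt does not chain to ca.crt"; rc=1; }
    [ "$(cert_cn "$d/$s.crt")" = "$s" ] || { echo "server CN is not '$s'"; rc=1; }
    [ "$(cert_cn "$d/$c.crt")" = "$c" ] || { echo "client CN is not '$c'"; rc=1; }
    cert_is_server "$d/$s.crt" || { echo "$s.crt lacks the server extension"; rc=1; }
    cert_is_server "$d/$c.crt" && { echo "$c.crt carries the server extension"; rc=1; }
    key_matches_cert "$d/$s.key" "$d/$s.crt" || { echo "$s.key does not match $s.crt"; rc=1; }
    cert_valid_for_days "$d/$s.crt" 30 || { echo "$s.crt expires within 30 days"; rc=1; }
    return $rc
}

# Constructed stand-in for easy-rsa: a throw-away CA plus one server and one
# client certificate made with plain openssl, so the checks can run offline.
make_scratch_pki() {             # $1 = directory to create
    d=$1; mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$d/server.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$d/client.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.csr" \
        -subj "/C=JP/O=t.com/CN=t.com CA" 2>/dev/null
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -out "$d/ca.crt" \
        -days 3650 -extfile "$d/ca.ext" 2>/dev/null
    for n in server client1; do
        ext=client.ext; [ "$n" != server ] || ext=server.ext
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" -out "$d/$n.csr" \
            -subj "/C=JP/O=t.com/CN=$n" 2>/dev/null
        openssl x509 -req -in "$d/$n.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
            -out "$d/$n.crt" -days 3650 -extfile "$d/$ext" 2>/dev/null
    done
}

if [ "$#" -ge 1 ]; then          # sh verify-pki.sh /etc/openvpn/easy-rsa/keys server client1
    check_pki "$1" "${2:-server}" "${3:-client1}" && echo "PKI looks consistent"
else                             # no arguments: demonstrate on a scratch PKI
    demo=$(mktemp -d) || exit 1
    make_scratch_pki "$demo" && check_pki "$demo" server client1 && echo "scratch PKI looks consistent"
    rm -rf "$demo"
fi
```

Run it with the real keys directory and the two Common Names (server and client1 for the commands in this post); each failed check prints one line and the script exits non-zero, so it can also sit in front of the init script from 4-7.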


4-6. Exporting what the client needs
# The client needs the following files

/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/client.crt
/etc/openvpn/easy-rsa/keys/client.key

# Copy these files to the client PC
# How you copy them is up to you. (I just can't be bothered to write it up)


4-7. Editing the startup script

# Embed the OpenVPN start & stop commands in the script
# created in 2-3.

vi /etc/rc.d/init.d/vpn

~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
touch /var/lock/subsys/network


# Enable bridge mode
/etc/openvpn/bridge-start

# Start the OpenVPN server ①
/etc/openvpn/openvpn.init start②

;;
stop)

# Stop the OpenVPN server ③
/etc/openvpn/openvpn.init stop④

# Disable bridge mode
/etc/openvpn/bridge-stop


# If this is a final shutdown/halt, check for network FS,
# and unmount them even if the user didn't turn on netfs
~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
Add ① to ④


Additional item

To enable TLS authentication (tls-auth):

5-1. Creating ta.key
openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key

vi /etc/openvpn/server.conf

~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0①
~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
① = uncomment the line, set the path to ta.key, and give "0" as the second parameter

5-2. Copy "ta.key" to the client
5-3. On the client side, uncomment the line, set the path to ta.key, and give "1" as the second parameter
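For 4-6 and 5-2/5-3 the client needs a config that mirrors the server's port, protocol, device type and tls-auth key, with the direction flipped to 1. The script below is an added example (not the post's or OpenVPN's code) that derives such a client.conf from server.conf, so the two sides cannot drift apart. Two things it makes explicit: easy-rsa names the files after the argument given to build-key-pass, so the command in 4-5 yields client1.crt and client1.key, and that is what the generated config references; and it adds remote-cert-tls server (available since OpenVPN 2.1; older releases used ns-cert-type server for the same purpose), which makes the client accept only a certificate built with build-key-server as its peer, so a leaked client certificate cannot stand in for the server. The host name vpn.example.com and the sample_server_conf function are constructed for the example.

```shell
#!/bin/sh
# Added example (not the post's or OpenVPN's code): derive a client.conf from
# server.conf so port, protocol, device and tls-auth cannot drift apart.
# Assumes OpenVPN 2.1 directives and easy-rsa file names (<name>.crt/.key).
set -u

conf_value() {                   # $1 file  $2 directive -> its arguments (first active line)
    sed -n "s/^$2[[:space:]]\{1,\}//p" "$1" | sed 's/[[:space:]]*#.*$//' | head -n 1
}

# Print a client configuration.  $1 = server.conf, $2 = client name (the CN
# given to build-key-pass), $3 = host name or address the client connects to.
make_client_conf() {
    port=$(conf_value "$1" port);   proto=$(conf_value "$1" proto)
    dev=$(conf_value "$1" dev);     cipher=$(conf_value "$1" cipher)
    ta=$(conf_value "$1" tls-auth)
    case "$dev" in tap*) dev=tap ;; tun*) dev=tun ;; esac   # client takes the next free unit
    printf 'client\nremote %s %s\nproto %s\ndev %s\n' "$3" "${port:-1194}" "${proto:-udp}" "$dev"
    printf 'resolv-retry infinite\nnobind\npersist-key\npersist-tun\n'
    printf 'ca ca.crt\ncert %s.crt\nkey %s.key\n' "$2" "$2"
    # Accept only a certificate signed with the server extension as the peer,
    # so a stolen client certificate cannot stand in for the server.
    printf 'remote-cert-tls server\n'
    # Mirror tls-auth with direction 1, as step 5-3 says.
    [ -z "$ta" ] || printf 'tls-auth ta.key 1\n'
    # The cipher must match on both ends; if the server leaves it at the
    # default (commented out), the client does too.
    [ -z "$cipher" ] || printf 'cipher %s\n' "$cipher"
    printf 'verb 3\n'
}

# Constructed sample server.conf with the post's settings (not the real file).
sample_server_conf() {           # $1 = path to write
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tap0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
server-bridge 192.168.3.10 255.255.255.0 192.168.3.50 192.168.3.100
;cipher BF-CBC # Blowfish (default)
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
EOF
}

if [ "$#" -eq 3 ]; then          # sh make-client-conf.sh /etc/openvpn/server.conf client1 vpn.example.com
    make_client_conf "$1" "$2" "$3"
else                             # no arguments: show the result for the sample
    demo=$(mktemp -d) || exit 1
    sample_server_conf "$demo/server.conf"
    make_client_conf "$demo/server.conf" client1 vpn.example.com
    rm -rf "$demo"
fi
```

The output goes to stdout; redirect it into client.conf and ship it together with ca.crt, client1.crt, client1.key and ta.key from 4-6 and 5-2. The relative file names assume those files sit next to client.conf on the client PC.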

by mdesign21 | 2007-07-10 22:45 | IT

Building OpenVPN, Part 1

Condition: the Mobility verification is slow going

So, here it is. Sorry, the last part has turned into nothing but my own... ψ(。。 ) note-taking (^^;

Turns out this blog has a character limit. Annoying.

# How to build a bridged network with OpenVPN

1-1. Check that the tools for creating the TAP device are installed

rpm -q bridge-utils
rpm -q sysfsutils


1-2. If they aren't installed, do this

yum -y install bridge-utils

# Installing bridge-utils pulls in sysfsutils as a dependency,
# so you get that one for free.


1-3. Installing the OpenVPN rpm

yum -y install openvpn


1-4. In bridge mode OpenVPN is started from inside the network service, so remove OpenVPN from chkconfig

chkconfig --del openvpn


1-5. Copy the files needed for configuration under /etc/openvpn
cp -R /usr/share/openvpn/easy-rsa/2.0/ /etc/openvpn/easy-rsa
cp -R /usr/share/doc/openvpn-2.1/sample-config-files/ /etc/openvpn/
cp -R /usr/share/doc/openvpn-2.1/sample-scripts/ /etc/openvpn/


1-6. Just in case, cd there
cd /etc/openvpn/

2-1. First, the bridge settings.
cp sample-scripts/bridge-st* ./
chmod 755 bridge-st*
vi /etc/openvpn/bridge-start

~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
#!/bin/bash

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.3.10"①
eth_netmask="255.255.255.0"②
eth_broadcast="192.168.3.255"③

for t in $tap; do
openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
brctl addif $br $t
done

for t in $tap; do
ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~

# Change ① to ③ to match your environment.
# The values in ① to ③ are the address info assigned to the br0 interface.
# So basically the same address as the OpenVPN server machine is fine.
# It's a bridge, after all.
# If you're asking "what if I use an address different from the OpenVPN server machine?", check that yourself.
# The setting itself is possible though: br0=192.168.0.2 with eth0=192.168.0.1 also works.


2-2. Goes without saying: IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
vi /etc/sysctl.conf

~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0①

~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~

# Change ① to "1"


2-3. Creating the startup script

# Boot: network → bridge → OpenVPN server
# Shutdown: OpenVPN server → bridge → network
# This order matters when the server machine boots and shuts down

cp /etc/rc.d/init.d/network /etc/rc.d/init.d/vpn
vi /etc/rc.d/init.d/vpn

~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
touch /var/lock/subsys/network


# Enable bridge mode ①
/etc/openvpn/bridge-start②

;;
stop)

# Disable bridge mode ③
/etc/openvpn/bridge-stop④


# If this is a final shutdown/halt, check for network FS,
# and unmount them even if the user didn't turn on netfs
~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~

# Add ① to ④
# Roughly around line 179, but if you can't find the spot,
# search for "touch /var/lock/subsys/network" in vi
#
# In short, in the /etc/rc.d/init.d/vpn script, run the
# "bridge-start" script at the very end of
#
#case "$1" in
# start)
#
# and run the "bridge-stop" script at the very beginning of
#
# stop)
#
#
# The sharp ones among you will have guessed it already:
# on top of that, start the OpenVPN script itself
# right after "enable bridge mode",
# and stop the OpenVPN script itself
# right before "disable bridge mode".
#
# At this stage, though, we deliberately don't run the OpenVPN script,
# so we can first confirm that the bridge itself works.
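Steps 2-3 and 4-7 splice bridge-start and openvpn.init into a copy of the network script, which runs the commands one after another without checking whether the previous one worked. The stand-alone init-style script below is an added example (not the post's edited script) that keeps the same order, network → bridge → OpenVPN on start and the reverse on stop, but refuses to start OpenVPN when bridge-start fails and takes the bridge down again if OpenVPN itself fails to start; on stop every step runs regardless, so a daemon that failed to stop never leaves the bridge standing. The paths are variables with the post's locations as defaults, which is also what lets the ordering be exercised with stand-in commands.

```shell
#!/bin/sh
# Added example (not the post's edited network script): an init-style wrapper
# that enforces the order from 2-3 / 4-7,
#   start: network -> bridge-start -> openvpn.init start
#   stop : openvpn.init stop -> bridge-stop -> network
# and stops as soon as one start step fails.  Paths default to the post's
# locations; they are variables so the ordering can be exercised with stand-ins.
set -u

NETWORK=${NETWORK:-/etc/rc.d/init.d/network}
BRIDGE_START=${BRIDGE_START:-/etc/openvpn/bridge-start}
BRIDGE_STOP=${BRIDGE_STOP:-/etc/openvpn/bridge-stop}
OPENVPN=${OPENVPN:-/etc/openvpn/openvpn.init}

vpn_start() {                    # 0 = all three layers up; 1 = stopped at the first failure
    "$NETWORK" start  || { echo "network failed; not bringing up the bridge"; return 1; }
    "$BRIDGE_START"   || { echo "bridge-start failed; not starting OpenVPN"; return 1; }
    "$OPENVPN" start  || { echo "OpenVPN failed; taking the bridge down again"; "$BRIDGE_STOP"; return 1; }
}

vpn_stop() {                     # runs every step even if an earlier one fails; 1 if any did
    rc=0
    "$OPENVPN" stop || rc=1
    "$BRIDGE_STOP"  || rc=1
    "$NETWORK" stop || rc=1
    return $rc
}

case "${1:-}" in
    start)   vpn_start ;;
    stop)    vpn_stop ;;
    restart) vpn_stop; vpn_start ;;
    "")      ;;                  # no argument (e.g. sourced for testing): do nothing
    *)       echo "usage: $0 {start|stop|restart}" >&2; exit 2 ;;
esac
```

Installed as /etc/rc.d/init.d/vpn it takes the same start/stop/restart arguments as the script the post builds in 2-4 and 2-5; the difference is only that a failure in an earlier layer is reported and stops the sequence instead of being silently skipped over.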


2-4. Enable the bridge script and disable the network script

chkconfig --del network
chkconfig --add vpn

2-5. Stop the network script, start the bridge script
/etc/rc.d/init.d/network stop
/etc/rc.d/init.d/vpn start
/etc/rc.d/init.d/vpn restart

~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~
Sun Jul 1 19:34:12 2007 TUN/TAP device tap0 opened
Sun Jul 1 19:34:12 2007 Persist state set to: OFF
インターフェース eth0 を終了中: [ OK ]
ループバックインターフェースを終了中 [ OK ]
IPv4 パケット転送を無効化中: net.ipv4.ip_forward = 0
[ OK ]
ループバックインターフェイスを呼び込み中 [ OK ]
インターフェース eth0 を活性化中: [ OK ]
Sun Jul 1 19:34:17 2007 TUN/TAP device tap0 opened
Sun Jul 1 19:34:17 2007 Persist state set to: ON
~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~

# If "/etc/rc.d/init.d/vpn restart" gives you messages like the above,
# the bridge side is OK.


3-1. Preparing to run the OpenVPN server itself

cp sample-scripts/openvpn.init ./
chmod 755 openvpn.init
cp sample-config-files/server.conf ./


3-2. Configuring the OpenVPN server itself

vi /etc/openvpn/server.conf

~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194①

# TCP or UDP server?
;proto tcp
proto udp②

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap0③
;dev tun



# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /etc/openvpn/easy-rsa/keys/ca.crt④
cert /etc/openvpn/easy-rsa/keys/server.crt⑤
key /etc/openvpn/easy-rsa/keys/server.key⑥

# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh /etc/openvpn/easy-rsa/keys/dh1024.pem⑦

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
;server 10.8.0.0 255.255.255.0⑧

# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
;ifconfig-pool-persist ipp.txt⑨

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
server-bridge 10.0.0.0 255.255.255.0 10.0.0.10 10.0.0.20⑩

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 192.168.1.0 255.255.255.0"⑪
;push "route 192.168.20.0 255.255.255.0"



# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client⑫



# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES



# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody⑬
group nobody⑭

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/log/openvpn-status.log⑮

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
log /var/log/openvpn.log⑯
;log-append openvpn.log



management localhost 7505⑰
~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~・~

① Port
② Protocol
③ Interface = tap0
④ Created later: path to the root CA certificate
⑤ Created later: path to the server certificate
⑥ Created later: path to the server key file
⑦ Created later: path to the dh file
⑧ Comment out
⑨ Comment out
⑩ Setting that makes the server run in bridge mode
# Syntax: server-bridge [OpenVPN server address] [netmask] [address range handed out to clients]
⑪ Setting that tells clients the route to the network on the server side
# Syntax: push "route [network address on the OpenVPN server side] [netmask]"
⑫ Uncomment
# Lets clients talk to each other
⑬ Uncomment
# User the OpenVPN daemon runs as
⑭ Uncomment
# Group the OpenVPN daemon runs as
⑮ Status file path
⑯ Log file path
⑰ Enables the OpenVPN management interface
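The server-bridge line in ⑩ has to agree with the addresses bridge-start gave br0 in 2-1: its first two arguments are the bridge's own address and netmask, and the pool that follows must lie inside that subnet without swallowing the server's own address. It is easy to edit one file and forget the other; the post itself shows 10.0.0.x in server-bridge while bridge-start assigns 192.168.3.10 to br0, so on a real box one of the two has to be brought in line with the other. The linter below is an added example rather than anything shipped with OpenVPN; it reads both files with sed, does the subnet arithmetic in plain POSIX shell, and also confirms dev tap0 (③), that the routed server directive is commented out (⑧), that tls-auth from 5-1 uses direction 0 on the server, and that the management interface (⑰) stays bound to localhost. The write_samples function creates two constructed server.conf files, one consistent and one reproducing those mismatches, so the script runs as is.

```shell
#!/bin/sh
# Added example (not part of OpenVPN or the post): cross-check bridge-start
# against server.conf before starting the service.  Assumes the files have
# the shape shown in the post; needs only a POSIX shell, sed and grep.
set -u

ip2int() {                       # dotted quad -> integer, in shell arithmetic
    old=$IFS; IFS=.; set -- $1; IFS=$old
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

same_subnet() {                  # $1 ip  $2 ip  $3 netmask -> 0 if both share the network
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

in_range() {                     # $1 ip  $2 first  $3 last -> 0 if first <= ip <= last
    x=$(ip2int "$1")
    [ "$x" -ge "$(ip2int "$2")" ] && [ "$x" -le "$(ip2int "$3")" ]
}

conf_value() {                   # $1 file  $2 directive -> its arguments (first active line)
    sed -n "s/^$2[[:space:]]\{1,\}//p" "$1" | sed 's/[[:space:]]*#.*$//' | head -n 1
}

script_var() {                   # $1 file  $2 shell variable -> its value without quotes
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | head -n 1
}

check_bridge_config() {          # $1 bridge-start  $2 server.conf -> 0 ok, 1 problems found
    bs=$1; sc=$2; rc=0
    eth_ip=$(script_var "$bs" eth_ip); eth_mask=$(script_var "$bs" eth_netmask)
    set -- $(conf_value "$sc" server-bridge)       # gateway netmask pool-start pool-end
    [ "$#" -eq 4 ] || { echo "server-bridge needs 4 arguments, got: $*"; return 1; }
    gw=$1; mask=$2; p0=$3; p1=$4
    [ "$(conf_value "$sc" dev)" = tap0 ] || { echo "dev is not tap0, the interface bridge-start creates"; rc=1; }
    grep -q '^server[[:space:]]' "$sc" && { echo "'server' is active; comment it out when using server-bridge"; rc=1; }
    [ "$gw" = "$eth_ip" ] || { echo "server-bridge address $gw differs from br0 address $eth_ip"; rc=1; }
    [ "$mask" = "$eth_mask" ] || { echo "server-bridge netmask $mask differs from br0 netmask $eth_mask"; rc=1; }
    same_subnet "$p0" "$gw" "$mask" && same_subnet "$p1" "$gw" "$mask" \
        || { echo "client pool $p0-$p1 lies outside $gw/$mask"; rc=1; }
    [ "$(ip2int "$p0")" -le "$(ip2int "$p1")" ] || { echo "pool start $p0 is after pool end $p1"; rc=1; }
    in_range "$gw" "$p0" "$p1" && { echo "pool $p0-$p1 contains the server's own address $gw"; rc=1; }
    case "$(conf_value "$sc" tls-auth)" in
        "")    echo "note: no tls-auth line; see 5-1 for ta.key" ;;
        *" 0") ;;
        *)     echo "tls-auth direction must be 0 on the server"; rc=1 ;;
    esac
    case "$(conf_value "$sc" management)" in
        ""|localhost*|127.0.0.1*) ;;
        *) echo "management interface is not bound to localhost"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files (same shape as the post's, not copies of a real box).
write_samples() {                # $1 directory
    cat > "$1/bridge-start" <<'EOF'
#!/bin/bash
br="br0"
tap="tap0"
eth="eth0"
eth_ip="192.168.3.10"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.3.255"
EOF
    cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
dev tap0
;server 10.8.0.0 255.255.255.0
server-bridge 192.168.3.10 255.255.255.0 192.168.3.50 192.168.3.100
client-to-client
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 # This file is secret
management localhost 7505
EOF
    cat > "$1/server-bad.conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
server-bridge 10.0.0.0 255.255.255.0 10.0.0.10 10.0.0.20
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 1
management 0.0.0.0 7505
EOF
}

if [ "$#" -eq 2 ]; then          # sh check-bridge.sh /etc/openvpn/bridge-start /etc/openvpn/server.conf
    check_bridge_config "$1" "$2" && echo "bridge-start and server.conf agree"
else                             # no arguments: run against the constructed samples
    demo=$(mktemp -d) || exit 1
    write_samples "$demo"
    check_bridge_config "$demo/bridge-start" "$demo/server.conf" && echo "sample: consistent"
    check_bridge_config "$demo/bridge-start" "$demo/server-bad.conf" || echo "sample-bad: problems found"
    rm -rf "$demo"
fi
```

On a real server, call it with the two real paths; each mismatch prints one line and the exit status is non-zero, which makes it a cheap guard to run before /etc/rc.d/init.d/vpn start.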

by mdesign21 | 2007-07-10 22:44 | IT