Things to install before OpenVPN: lzo, openssl, gcc-c++, etc.
yum install lzo lzo-devel (the lzo package is used to compress the encrypted packets on the VPN connection.)
wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6-8.noarch.rpm
# yum install openvpn -y
# yum install openssl-devel
# /usr/share/doc/openvpn-2.3.2/
mkdir /etc/openvpn
# cd /usr/share/easy-rsa
----------------------------------------
# vi vars
export KEY_SIZE=2048
-> Choose either 1024 or 2048.
export KEY_COUNTRY="KR"
-> Korea is KR
export KEY_PROVINCE="SEOUL"
-> Seoul: SEOUL
export KEY_CITY="SEOUL"
-> Seoul: SEOUL
export KEY_ORG="OPENVPN-Shin"
-> The name to use for the key
export KEY_EMAIL="이메일"
# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
# ./clean-all
----------------------------------------
- Create the root CA
# ./build-ca
Generating a 2048 bit RSA private key
....+++
........+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KR]:
State or Province Name (full name) [SEOUL]:
Locality Name (eg, city) [SEOUL]:
Organization Name (eg, company) [OPENVPN-SHIN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [OPENVPN-SHIN CA]:
Name []:
Email Address [이메일]:
A keys folder is created (/usr/share/easy-rsa/keys).
----------------------------------------
- Create the server key
# ./build-key-server server
* Press Enter for everything, then answer y to the last two prompts. (The important point: the commonName must be different for the server and the client.)
Generating a 2048 bit RSA private key
.......................................................+++
..............+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KR]:
State or Province Name (full name) [SEOUL]:
Locality Name (eg, city) [SEOUL]:
Organization Name (eg, company) [OPENVPN-SHIN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Name []:
Email Address [redkreuz@empal.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'KR'
stateOrProvinceName   :PRINTABLE:'SEOUL'
localityName          :PRINTABLE:'SEOUL'
organizationName      :PRINTABLE:'OPENVPN-SHIN'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'redkreuz@empal.com'
Certificate is to be certified until Nov 2 13:39:32 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
----------------------------------------
- Create the client key
# ./build-key SHIN
* Press Enter for everything, then answer y to the last two prompts. (The important point: the commonName must be different for the server and the client.)
Generating a 2048 bit RSA private key
.........................................+++
.........................+++
writing new private key to 'SHIN.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KR]:
State or Province Name (full name) [SEOUL]:
Locality Name (eg, city) [SEOUL]:
Organization Name (eg, company) [OPENVPN-SHIN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [SHIN]:
Name []:
Email Address [redkreuz@empal.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'KR'
stateOrProvinceName   :PRINTABLE:'SEOUL'
localityName          :PRINTABLE:'SEOUL'
organizationName      :PRINTABLE:'OPENVPN-SHIN'
commonName            :PRINTABLE:'SHIN'
emailAddress          :IA5STRING:'redkreuz@empal.com'
Certificate is to be certified until Nov 2 13:41:30 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
----------------------------------------
# ./build-dh
-> The output length differs depending on whether 2048-bit or 1024-bit was chosen; it has been shortened here.
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.........................+..........+.........+........+..........++*++*
----------------------------------------
# cd /etc/openvpn
- Make a backup copy of the config file first.
# cp server.conf server.conf.org
# mv server.conf SHIN.conf
----------------------------------------
- Editing the config file
1) Case where clients can connect without having to enter an ID and password (certificate-only)
# vi SHIN.conf
Change the port used by the VPN
port 1194
Change the protocol (tcp or udp) used by the VPN
proto udp
dev tun0
Specify the paths to the key files
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key # This file should be kept secret
Specify the path to the DH parameters
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
IP range to assign to VPN clients
server 10.8.0.0 255.255.255.0
* Allows VPN clients to communicate with each other. (Commented out by default.)
client-to-client
* Allows a single client certificate to be used on several PCs. (Commented out by default.)
duplicate-cn
* Sets the maximum number of connections; up to 100 clients can connect. (Commented out by default.)
max-clients 100
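Before starting the daemon it is worth re-reading the edited SHIN.conf with the options above in mind, since `duplicate-cn` in particular trades per-device revocation and session attribution for convenience. The following is an added example, not part of this guide: a small checker that parses an OpenVPN server config (comments start with `#` or `;`) and reports the review points for the directives this guide enables. The sample config is constructed here to mirror SHIN.conf.

```python
"""Review an OpenVPN server config for the settings edited in this guide."""
from typing import Dict, List

# Constructed sample mirroring SHIN.conf from this guide; max-clients is
# left commented out, as it is in the shipped server.conf.
SAMPLE_CONF = """\
port 1194
proto udp
dev tun0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key  # This file should be kept secret
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
client-to-client
duplicate-cn
;max-clients 100
"""


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive to its argument list; '#' and ';' start comments."""
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue  # blank line or fully commented-out directive
        name, *args = line.split()
        directives[name] = args
    return directives


def review(conf: Dict[str, List[str]]) -> List[str]:
    """Return the points a reviewer would raise about the enabled options."""
    findings: List[str] = []
    if "duplicate-cn" in conf:
        findings.append("duplicate-cn: one client certificate is shared by many PCs, so a "
                        "single device cannot be revoked and logs cannot attribute sessions")
    if "client-to-client" in conf:
        findings.append("client-to-client: VPN clients can reach each other directly; "
                        "confirm this is intended")
    if "max-clients" not in conf:
        findings.append("max-clients: no connection cap set (it is commented out by default)")
    for name in ("ca", "cert", "key", "dh"):
        if name not in conf:
            findings.append(f"{name}: directive missing; the daemon will not start")
        elif not conf[name][0].startswith("/"):
            findings.append(f"{name}: relative path; use an absolute path as in this guide")
    if "dh" in conf and "1024" in conf["dh"][0]:
        findings.append("dh: file name suggests 1024-bit parameters (heuristic); prefer 2048")
    return findings
```

Running `review(parse_conf(SAMPLE_CONF))` returns three findings for the config above: the `duplicate-cn` note, the `client-to-client` note, and the missing `max-clients` cap.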
----------------------------------------
Enable IP forwarding
# echo 1 > /proc/sys/net/ipv4/ip_forward
----------------------------------------
# vi /etc/sysctl.conf
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
----------------------------------------
- Add a user and copy the keys
# adduser shin
# mkdir /home/shin/keys
# cd /usr/share/easy-rsa/keys
# cp SHIN.* /home/shin/keys
# cp ca.crt /home/shin/keys
# cp dh2048.pem /home/shin/keys
----------------------------------------
Run
/usr/sbin/openvpn /etc/openvpn/SHIN.conf