OpenVPN installation (CentOS 7)

CHOMAN 2017. 11. 21. 15:48






Source references



http://blog.shakii.co.kr/135


https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-7

 




OpenVPN installation



[root@localhost ~]# yum install epel-release


[root@localhost ~]# yum install openvpn easy-rsa


[root@localhost ~]# cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn

 




[root@localhost ~]# vim /etc/openvpn/server.conf


 

dh dh2048.pem

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 8.8.8.8"

push "dhcp-option DNS 8.8.4.4"

user nobody

group nobody

comp-lzo

;tls-auth ta.key 0 # This file is secret





EASY-RSA 3.0



https://www.sys-dev.cat/blog/3/

 




OpenVPN server certificate and keys



mkdir -p /etc/openvpn/easy-rsa

cp -rf /usr/share/easy-rsa/3.0/* /etc/openvpn/easy-rsa

cd /etc/openvpn/easy-rsa


./easyrsa init-pki

./easyrsa build-ca nopass (press Enter)

./easyrsa gen-req server nopass

./easyrsa sign-req server server (enter yes)

./easyrsa gen-dh


cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn

cp /etc/openvpn/easy-rsa/pki/issued/server.crt /etc/openvpn

cp /etc/openvpn/easy-rsa/pki/reqs/server.req /etc/openvpn

cp /etc/openvpn/easy-rsa/pki/private/server.key /etc/openvpn

cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/dh2048.pem

 





OpenVPN client



./easyrsa gen-req client nopass (press Enter)

./easyrsa sign-req client client (enter yes)

 






EASY-RSA 2.0


[root@localhost ~]# mkdir -p /etc/openvpn/easy-rsa/keys

[root@localhost ~]# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa



[root@localhost ~]# vi /etc/openvpn/easy-rsa/vars


 

# These are the default values for fields

# which will be placed in the certificate.

# Don't leave any of these fields blank.

export KEY_COUNTRY="US"

export KEY_PROVINCE="CA"

export KEY_CITY="SanFrancisco"

export KEY_ORG="Fort-Funston"

export KEY_EMAIL="me@myhost.mydomain"

export KEY_OU="MyOrganizationalUnit"


# X509 Subject Field

export KEY_NAME="EasyRSA"


# PKCS11 Smart Card

# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"

# export PKCS11_PIN=1234


# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below

# You will also need to make sure your OpenVPN server config has the duplicate-cn option set

# export KEY_CN="CommonName"







[root@localhost ~]# cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf


[root@localhost ~]# cd /etc/openvpn/easy-rsa


[root@localhost easy-rsa]# source ./vars

NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys


[root@localhost easy-rsa]# ./clean-all

 






[root@localhost easy-rsa]# ./build-ca 


 

Generating a 2048 bit RSA private key

.............................................................................................+++

.....................................+++

writing new private key to 'ca.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [KR]:

State or Province Name (full name) [MIDDLE]:

Locality Name (eg, city) [SEOUL]:

Organization Name (eg, company) [SMILESERV]:

Organizational Unit Name (eg, section) [NIHAO-VPN]:

Common Name (eg, your name or your server's hostname) [SMILESERV CA]:

Name [OPENVPN-SERVER]:

Email Address [takakocap@smilesrv.com]:






[root@localhost easy-rsa]# ./build-key-server server




Generating a 2048 bit RSA private key

.....................................................+++

..................................................................................................................................+++

writing new private key to 'server.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [KR]:

State or Province Name (full name) [MIDDLE]:

Locality Name (eg, city) [SEOUL]:

Organization Name (eg, company) [SMILESERV]:

Organizational Unit Name (eg, section) [NIHAO-VPN]:

Common Name (eg, your name or your server's hostname) [server]:

Name [OPENVPN-SERVER]:

Email Address [takakocap@smilesrv.com]:


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'KR'

stateOrProvinceName   :PRINTABLE:'MIDDLE'

localityName          :PRINTABLE:'SEOUL'

organizationName      :PRINTABLE:'SMILESERV'

organizationalUnitName:PRINTABLE:'NIHAO-VPN'

commonName            :PRINTABLE:'server'

name                  :PRINTABLE:'OPENVPN-SERVER'

emailAddress          :IA5STRING:'takakocap@smilesrv.com'

Certificate is to be certified until Dec 11 02:04:55 2027 GMT (3650 days)

Sign the certificate? [y/n]:y



1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

 





[root@localhost easy-rsa]# ./build-dh



Generating DH parameters, 2048 bit long safe prime, generator 2

This is going to take a long time

..................+...........................................................+...................

 






[root@localhost easy-rsa]# cd /etc/openvpn/easy-rsa/keys

[root@localhost keys]# cp dh2048.pem ca.crt server.crt server.key /etc/openvpn


[root@localhost keys]# cd /etc/openvpn/easy-rsa


[root@localhost easy-rsa]# ./build-key client

 





Generating a 2048 bit RSA private key

.......................................+++

................................................................+++

writing new private key to 'client.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [KR]:

State or Province Name (full name) [MIDDLE]:

Locality Name (eg, city) [SEOUL]:

Organization Name (eg, company) [SMILESERV]:

Organizational Unit Name (eg, section) [NIHAO-VPN]:

Common Name (eg, your name or your server's hostname) [client]:

Name [OPENVPN-SERVER]:

Email Address [takakocap@smilesrv.com]:


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'KR'

stateOrProvinceName   :PRINTABLE:'MIDDLE'

localityName          :PRINTABLE:'SEOUL'

organizationName      :PRINTABLE:'SMILESERV'

organizationalUnitName:PRINTABLE:'NIHAO-VPN'

commonName            :PRINTABLE:'client'

name                  :PRINTABLE:'OPENVPN-SERVER'

emailAddress          :IA5STRING:'takakocap@smilesrv.com'

Certificate is to be certified until Dec 11 02:06:59 2027 GMT (3650 days)

Sign the certificate? [y/n]:y



1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated
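The easy-rsa commands in both sections above (the 3.0 flow build-ca / gen-req / sign-req and the 2.0 flow build-ca / build-key-server / build-key) are wrappers around plain openssl calls. The script below is an added example, not part of the original post and not easy-rsa's own code: it rebuilds the same three-certificate PKI (CA, server, client) with openssl directly in a scratch directory, using constructed subject names, and then runs the two checks worth doing before the files are copied into /etc/openvpn: that server.crt and client.crt chain to ca.crt, and that only the server certificate carries the serverAuth extended key usage that easy-rsa's "server" type adds. That extension is what a client's remote-cert-tls server directive relies on, so a leaked client certificate cannot be presented as the VPN server. The helper names build_pki, chain_ok and has_eku are assumptions made for this example.

```shell
#!/bin/sh
# Added example: reproduce what easy-rsa does under the hood with openssl,
# then verify the chain and the extended key usage of each certificate.
# Helper names are hypothetical; this is not easy-rsa or OpenVPN code.
set -eu

# build_pki DIR: create ca.crt, server.crt/key and client.crt/key under DIR
# (constructed sample subjects; equivalent to build-ca, gen-req and sign-req)
build_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Root CA, no passphrase (like "./easyrsa build-ca nopass")
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Extension profiles: easy-rsa's "server" type adds serverAuth,
    # its "client" type adds clientAuth
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
        > "$dir/server.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
        > "$dir/client.ext"
    for name in server client; do
        # key + request (like "./easyrsa gen-req NAME nopass")
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.req" 2>/dev/null
        # sign with the CA using the matching profile (like "./easyrsa sign-req TYPE NAME")
        openssl x509 -req -in "$dir/$name.req" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 825 -sha256 -extfile "$dir/$name.ext" \
            -out "$dir/$name.crt" 2>/dev/null
    done
}

# chain_ok DIR NAME: succeed if DIR/NAME.crt verifies against DIR/ca.crt
chain_ok() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# has_eku DIR NAME TEXT: succeed if the certificate's text dump lists the
# given extended key usage, e.g. "TLS Web Server Authentication"
has_eku() {
    openssl x509 -in "$1/$2.crt" -noout -text 2>/dev/null | grep -q "$3"
}

# Stand-alone run: build into a scratch directory, report the checks, clean up
demo_dir=$(mktemp -d)
build_pki "$demo_dir"
for n in server client; do
    chain_ok "$demo_dir" "$n" && echo "$n.crt chains to ca.crt"
done
has_eku "$demo_dir" server "TLS Web Server Authentication" && echo "server.crt carries serverAuth"
has_eku "$demo_dir" client "TLS Web Client Authentication" && echo "client.crt carries clientAuth"
rm -rf "$demo_dir"
```

The same two checks apply to the files easy-rsa writes under pki/ (3.0) or keys/ (2.0): openssl verify -CAfile ca.crt server.crt and openssl x509 -in server.crt -noout -text | grep "Server Authentication". A server certificate signed with the client profile will still pass the chain check, which is why the EKU check is the one that matters for remote-cert-tls.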

 






[root@localhost easy-rsa]# systemctl -f enable openvpn@server.service

Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /usr/lib/systemd/system/openvpn@.service.


[root@localhost easy-rsa]# systemctl start openvpn@server.service

 






error)



Dec  8 17:44:24 [localhost] systemd: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...

Dec  8 17:44:25 [localhost] openvpn: Fri Dec  8 17:44:25 2017 WARNING: cannot stat file 'ta.key': No such file or directory (errno=2)

Dec  8 17:44:25 [localhost] openvpn: Options error: --tls-auth fails with 'ta.key': No such file or directory (errno=2)

Dec  8 17:44:25 [localhost] openvpn: Options error: Please correct these errors.

Dec  8 17:44:25 [localhost] openvpn: Use --help for more information.

Dec  8 17:44:25 [localhost] systemd: openvpn@server.service: main process exited, code=exited, status=1/FAILURE

Dec  8 17:44:25 [localhost] systemd: Failed to start OpenVPN Robust And Highly Flexible Tunneling Application On server.

Dec  8 17:44:25 [localhost] systemd: Unit openvpn@server.service entered failed state.

Dec  8 17:44:25 [localhost] systemd: openvpn@server.service failed.

 




solve)


vim /etc/openvpn/server.conf



;tls-auth ta.key 0 # This file is secret
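The log above shows the cause directly: server.conf has --tls-auth pointing at ta.key, and no ta.key was generated in the steps above, so openvpn refuses to start. The script below is an added example, not part of OpenVPN or the original post: it walks a server.conf, resolves every file-referencing directive (ca, cert, key, dh, tls-auth, tls-crypt) the way openvpn does, relative to the config's own directory, and reports any target that does not exist. It writes two constructed sample configs mirroring the edits in the server.conf section earlier on this page, one with tls-auth active and no ta.key (the failing state) and one with the line commented out (the fix above). The helper names make_sample and missing_files are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report file directives in an OpenVPN server.conf whose
# target file is missing. Helper names are hypothetical; not OpenVPN code.
set -eu

# missing_files CONF: print "directive resolved-path" for each file directive
# whose target does not exist. Relative names resolve against the directory
# of CONF, matching openvpn started with --cd /etc/openvpn by the systemd unit.
missing_files() {
    conf="$1"
    base=$(dirname "$conf")
    # drop comments: whole lines starting with # or ;, and trailing "# ..." text
    sed -e 's/[#;].*$//' "$conf" | awk -v base="$base" '
        $1 == "ca" || $1 == "cert" || $1 == "key" || $1 == "dh" ||
        $1 == "tls-auth" || $1 == "tls-crypt" {
            path = $2
            if (path !~ /^\//) path = base "/" path
            print $1, path
        }' | while read -r directive path; do
            [ -e "$path" ] || echo "$directive $path"
        done
}

# make_sample DIR: constructed sample configs and empty placeholder key files
make_sample() {
    dir="$1"
    mkdir -p "$dir"
    : > "$dir/ca.crt"; : > "$dir/server.crt"; : > "$dir/server.key"; : > "$dir/dh2048.pem"
    # failing state: tls-auth active, but no ta.key was ever generated
    cat > "$dir/broken.conf" <<'EOF'
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
user nobody
group nobody
comp-lzo
tls-auth ta.key 0 # This file is secret
EOF
    # the post's fix: comment the directive out
    sed 's/^tls-auth/;tls-auth/' "$dir/broken.conf" > "$dir/fixed.conf"
}

# Stand-alone run on the constructed samples
demo=$(mktemp -d)
make_sample "$demo"
echo "broken.conf missing:"; missing_files "$demo/broken.conf"
echo "fixed.conf missing:";  missing_files "$demo/fixed.conf"
rm -rf "$demo"
```

Run it against the real file with missing_files /etc/openvpn/server.conf before systemctl start. Commenting tls-auth out, as the post does, clears the error; the alternative that keeps the control-channel HMAC protection is to generate the key with openvpn --genkey --secret /etc/openvpn/ta.key and hand it to clients together with ca.crt.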

 


