Excerpt: "10.1. Creating an OpenVPN tunnel"
A properly designed VPN tunnel provides a direct connection between a remote client and a server in a way that hides data as it travels across an insecure network. So what? You've already seen plenty of tools that can do that using encryption. The real value of a VPN is that, by opening a tunnel, you can connect remote networks as though they were all local. In a sense, you're using a bypass.
With this extended network, administrators can do their work on servers from anywhere. More important, a company whose resources are spread across multiple locations can make all of them visible and accessible to every group that needs them, wherever those groups happen to be (figure 10.1).
The tunnel itself is no guarantee of security. But including one of the encryption standards as part of the network structure raises the level of security considerably. A tunnel built with the open source OpenVPN package uses the same TLS/SSL encryption you've already seen. OpenVPN isn't the only tunneling option available, but it's one of the best known, and it's considered somewhat faster and more secure than the alternative Layer 2 Tunnel Protocol, which uses IPsec encryption.
Do you want everyone on your team to be able to communicate securely while they're away from the office or working in another building? To do that, you need to build an OpenVPN server that allows application sharing and access to the server's local network environment. To make it work, all you need is two virtual machines or two containers: one acts as the server/host and the other as the client. Building a VPN isn't a simple process, so it's worth spending a few minutes understanding the big picture.
10.1.1. Configuring the OpenVPN server
Before you start, here's some useful advice. If you're going to do this yourself (and I strongly recommend that you do), you'll probably end up working with several terminal windows open on your desktop, each connected to a different machine. At some point there's a risk that you'll type the wrong command into the wrong window. To avoid that, use the hostname command to change the machine name shown on the command line to something that makes it obvious where you are. Once you've done this, you need to log out of the server and log back in for the new setting to take effect. It looks like this:
If you follow this approach and give each machine you work on an appropriate name, it's easy to keep track of where you are.
After using hostname, you may see an annoying "unable to resolve host OpenVPN server" message when you run subsequent commands. Updating the /etc/hosts file with the appropriate new hostname should solve the problem.
Preparing the server for OpenVPN
To install OpenVPN on the server, you need two packages: openvpn and easy-rsa (which manages the encryption key generation process). CentOS users should first install the epel-release repository if necessary, as you did in chapter 2. So that you can test access to a server application, you can also install the Apache web server (apache2 on Ubuntu, httpd on CentOS).
While setting up the server, it's a good idea to activate a firewall that blocks all ports except 22 (SSH) and 1194 (OpenVPN's default port). This example shows how ufw works on Ubuntu, but I trust you still remember the CentOS firewalld program from chapter 9.
# ufw enable
# ufw allow 22
# ufw allow 1194
To enable internal routing between the network interfaces on the server, you need to uncomment one line (net.ipv4.ip_forward = 1) in the /etc/sysctl.conf file. This lets remote clients be redirected as needed once they've connected. To make the new setting take effect, run sysctl -p.
# nano /etc/sysctl.conf
# sysctl -p
The server environment is now fully configured, but there are still a few things to do before you're ready. You need to complete the following steps (described in detail next):
- Create a set of public key infrastructure (PKI) encryption keys on the server using the scripts provided by the easy-rsa package. In effect, the OpenVPN server also acts as its own certificate authority (CA).
- Prepare the appropriate keys for the client.
- Configure the server's server.conf file.
- Set up the OpenVPN client.
- Test the VPN.
Generating encryption keys
To keep things simple, you can set up the key infrastructure on the same machine that the OpenVPN server runs on. Security best practice, however, usually recommends using a separate CA server for production deployments. The process of generating and distributing the encryption key resources used by OpenVPN is shown in figure 10.2.
Installing OpenVPN automatically creates the /etc/openvpn/ directory, but there's nothing in it yet. The openvpn and easy-rsa packages come with sample template files that you can use as the basis for your configuration. To start the certification process, copy the easy-rsa template directory from /usr/share/ to /etc/openvpn and change into the easy-rsa/ directory:
# cp -r /usr/share/easy-rsa/ /etc/openvpn
$ cd /etc/openvpn/easy-rsa
The easy-rsa directory now contains quite a few scripts. Table 10.1 lists the tools you'll use to create the keys.
The operations above require root privileges, so you need to become root via sudo su.
The first file you'll work with is called vars; it contains the environment variables easy-rsa uses when generating keys. You need to edit the file to use your own values instead of the defaults already there. The file looks like this (listing 10.1).
Listing 10.1. The main fragment of the /etc/openvpn/easy-rsa/vars file
export KEY_COUNTRY="CA"
export KEY_PROVINCE="ON"
export KEY_CITY="Toronto"
export KEY_ORG="Bootstrap IT"
export KEY_EMAIL="[email protected]"
export KEY_OU="IT"
Running the vars file passes its values to the shell environment, from where they are incorporated into the contents of your new keys. Why won't sudo by itself work? Because in the first step you're editing a script called vars and then applying it, and applying means that the values from the vars file are passed to the shell environment and included in the contents of the new keys.
To complete the unfinished process, be sure to rerun the file using a new shell. When that's done, you'll be prompted to run another script, clean-all, which removes the contents of the /etc/openvpn/easy-rsa/keys/ directory.
Naturally enough, the next step is to run the clean-all script, followed by build-ca, which uses the pkitool script to create the root certificate. You'll be asked to confirm the identity settings provided by vars.
# ./clean-all
# ./build-ca
Generating a 2048 bit RSA private key
Next comes the build-key-server script. Using the same pkitool script together with the new root certificate, you'll see the same questions confirming the creation of a key pair. The keys are named according to the argument you pass, which, unless you're running multiple VPNs on this machine, will normally be server, as in the following example:
# ./build-key-server server
[...]
Certificate is to be certified until Aug 15 23:52:34 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
OpenVPN uses parameters generated by the Diffie-Hellman algorithm (using build-dh) to negotiate authentication for new connections. The file created here doesn't need to be secret, but it must be generated with the build-dh script against the RSA keys that are currently active. If you create new RSA keys in the future, you also need to update the Diffie-Hellman file.
# ./build-dh
The server-side keys end up in the /etc/openvpn/easy-rsa/keys/ directory, but OpenVPN doesn't know that. By default OpenVPN looks for keys in /etc/openvpn/, so copy them there:
# cp /etc/openvpn/easy-rsa/keys/server* /etc/openvpn
# cp /etc/openvpn/easy-rsa/keys/dh2048.pem /etc/openvpn
# cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn
Preparing the client encryption keys
As you've already seen, TLS encryption uses matching pairs of keys: one installed on the server and the other on the remote client. That means you'll need client keys. Our old friend pkitool is just what's needed for that. In this example, running the program in the /etc/openvpn/easy-rsa/ directory and passing it the client argument generates files called client.crt and client.key:
# ./pkitool client
Now the two client files, together with the original ca.crt file still in the keys/ directory, have to be securely transferred to the client. Because of ownership and access permissions, this may not be quite so simple. The easiest way is to manually copy the contents of the source file (and only its contents) from a terminal running on your PC's desktop (select the text, right-click, and choose Copy from the menu). Then paste it into a new file with the same name that you've created in a second terminal connected to the client.
But anyone can cut and paste. You won't always have access to a GUI that allows cut/paste operations, so think like an administrator instead. Copy the files to a user's home directory (so they can be reached by a remote scp operation), and use chown to change the files' ownership from root to a regular non-root user so that the remote scp operation can run. Make sure that all the files are now in place and accessible. You'll move them to the client a bit later.
# cp /etc/openvpn/easy-rsa/keys/client.key /home/ubuntu/
# cp /etc/openvpn/easy-rsa/keys/ca.crt /home/ubuntu/
# cp /etc/openvpn/easy-rsa/keys/client.crt /home/ubuntu/
# chown ubuntu:ubuntu /home/ubuntu/client.key
# chown ubuntu:ubuntu /home/ubuntu/client.crt
# chown ubuntu:ubuntu /home/ubuntu/ca.crt
With a complete set of encryption keys ready, you need to tell the server how to build the VPN. That's done with the server.conf file.
Reducing the number of keystrokes
Too much typing? Brace expansion can cut those six commands down to two. If you study these two examples, I think you'll understand what's going on. More important, you'll be able to apply the principle to operations involving dozens or even hundreds of elements.
# cp /etc/openvpn/easy-rsa/keys/{ca.crt,client.{key,crt}} /home/ubuntu/
# chown ubuntu:ubuntu /home/ubuntu/{ca.crt,client.{key,crt}}
Setting up the server.conf file
How do you know what the server.conf file should look like? Remember the easy-rsa directory template you copied from /usr/share/? Installing OpenVPN leaves behind a compressed configuration template file that you can copy to /etc/openvpn/. Since the template is archived, this is a good excuse to introduce the handy zcat tool.
You already know that the cat command prints a file's text contents to the screen, but what if the file has been compressed with gzip? You could always decompress the file first, and cat would happily print it, but that's a step or two more than necessary. As you may have guessed, issuing the zcat command loads the decompressed text into memory in a single step. In the following example, instead of printing the text to the screen, we redirect it to a new file called server.conf.
# zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
$ cd /etc/openvpn
Setting aside the extensive and useful documentation that comes with the file, let's look at what the file should look like when you've finished editing. Note that a semicolon (;) tells OpenVPN not to read or execute the line that follows it (listing 10.2).
Let's look at some of these settings:
- By default OpenVPN runs on port 1194. You can change that, for example to further conceal your activity or to avoid conflicts with other active tunnels. Since 1194 requires the least coordination with your clients, it's best to leave it this way.
- OpenVPN sends data using either the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP). TCP may be a bit slower, but it's more reliable and more likely to be understood by the applications running at both ends of the tunnel.
- You can specify dev tun if you want to create a simpler, more efficient IP tunnel that carries only data content. If, on the other hand, you need to connect multiple network interfaces (and the networks they represent) to create an Ethernet bridge, you have to choose dev tap. If you don't understand what that means, use the tun argument.
- The next few lines give OpenVPN the names of the authentication files on the server and the dh2048 option file you created earlier.
- The server line sets the range and subnet mask used to assign IP addresses to clients when they log in.
- The optional push parameter "route 10.0.3.0 255.255.255.0" lets remote clients reach private subnets behind the server. For this to work, you also need to set up networking on the server itself so that the private subnet knows about the OpenVPN subnet (10.8.0.0).
- The port-share localhost 80 line lets you redirect client traffic arriving on port 1194 to a local web server listening on port 80. (This is useful if you're using a web server to test the VPN.) It works only when the tcp protocol is selected.
- The user nobody and group nogroup lines must be enabled by removing the semicolons (;). Forcing remote clients to run as nobody and nogroup ensures that their sessions on the server are unprivileged.
- log specifies that the current log entries overwrite the old ones each time OpenVPN starts, whereas log-append adds new entries to the existing log file. The openvpn.log file itself is written to the /etc/openvpn/ directory.
It's also common to add the client-to-client value to the configuration file so that multiple clients can see each other in addition to the OpenVPN server. If you're happy with your settings, you can start the OpenVPN server:
# systemctl start openvpn
Because the nature of the relationship between OpenVPN and systemd keeps changing, you may need the following syntax to start the service instead: systemctl start openvpn@server.
Running ip addr to list the server's network interfaces should now show a link to a new interface called tun0. OpenVPN creates it to serve incoming clients:
$ ip addr
[...]
4: tun0: mtu 1500 qdisc [...]
link/none
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
valid_lft forever preferred_lft forever
You may need to reboot the server before everything works perfectly. The next stop is the client computer.
10.1.2. Configuring the OpenVPN client
Traditionally, tunnels are built with at least two exits (otherwise they're called caves). OpenVPN properly configured on the server directs traffic into and out of the tunnel at one end. But you also need software running on the client side, at the other end of the tunnel.
This section focuses on manually setting up some kind of Linux computer to act as an OpenVPN client. But that's not the only way to get there. OpenVPN supports client applications that can be installed and used on desktops and laptops running Windows or macOS, and on Android and iOS smartphones and tablets. See openvpn.net for details.
The OpenVPN package needs to be installed on the client machine just as it was on the server, but you don't need easy-rsa here because the keys you'll use already exist. You need to copy the client.conf template file to the /etc/openvpn/ directory that was just created. This time the file isn't compressed, so the regular cp command handles it fine:
# apt install openvpn
# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
Most of the settings in the client.conf file are self-explanatory and must match the values on the server. As you can see from the following file example, the one unique parameter is remote 192.168.1.23 1194, which tells the client the server's IP address. Once again, make sure that it's your server's address. You should also force the client computer to verify the authenticity of the server certificate to prevent a possible man-in-the-middle attack. One way to do that is to add the line remote-cert-tls server (listing 10.3).
Now you can change into the /etc/openvpn/ directory and pull the certificate keys from the server. Replace the example server IP address or domain name with your actual value.
Nothing interesting happens until OpenVPN is running on the client. Because you need to pass a couple of arguments, run it from the command line. The --tls-client argument tells OpenVPN to act as a client and connect via TLS encryption, and --config points to the configuration file:
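As an added example that is not part of the book, here is a small POSIX shell lint for the server.conf settings walked through above (key and dh files, address pool, the user nobody/group nogroup privilege drop, logging) and for the client.conf points just made (the remote line and remote-cert-tls server). The check functions, the work directory and the sample configuration files are my own constructions; the samples mirror the stock template, where the privilege-drop lines are still disabled.

```shell
#!/bin/sh
# Added example, not from the book: lint server.conf and client.conf for the
# settings discussed above before starting OpenVPN. A directive counts as active
# only when its line is not commented out with ';' or '#', which is how the
# sample configuration files disable options.
active() { grep -Eq "^[[:space:]]*$2" "$1"; }      # active FILE REGEX
# Server side: listening port/protocol, key files, address pool, privilege drop
# (user nobody / group nogroup) and a log or log-append line.
check_server_conf() {
    bad=0
    for p in 'port [0-9]+' 'proto (udp|tcp)' 'dev (tun|tap)' 'ca ' 'cert ' 'key ' 'dh ' \
             'server [0-9.]+ [0-9.]+' 'user nobody' 'group nogroup' 'log(-append)? '; do
        active "$1" "$p" || { echo "$1: no active '$p' line"; bad=1; }
    done
    return $bad
}
# Client side: the server address plus remote-cert-tls server, which rejects a
# peer that presents a client certificate in place of the server's.
check_client_conf() {
    bad=0
    for p in 'client[[:space:]]*$' 'remote [^ ]+ [0-9]+' 'ca ' 'cert ' 'key ' 'remote-cert-tls server'; do
        active "$1" "$p" || { echo "$1: no active '$p' line"; bad=1; }
    done
    return $bad
}
# Constructed samples: the stock template still has the privilege drop disabled,
# and the first client file lacks the server-certificate check.
WORK=$(mktemp -d)
cat > "$WORK/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "route 10.0.3.0 255.255.255.0"
;user nobody
;group nogroup
log openvpn.log
EOF
printf 'client\nremote 192.168.1.23 1194\ndev tun\nca ca.crt\ncert client.crt\nkey client.key\n' > "$WORK/client.conf"
sed -e 's/^;user nobody/user nobody/' -e 's/^;group nogroup/group nogroup/' "$WORK/server.conf" > "$WORK/server-fixed.conf"
{ cat "$WORK/client.conf"; echo 'remote-cert-tls server'; } > "$WORK/client-fixed.conf"
for f in server server-fixed; do check_server_conf "$WORK/$f.conf" && echo "$f.conf: ok"; done
for f in client client-fixed; do check_client_conf "$WORK/$f.conf" && echo "$f.conf: ok"; done
```

Run stand-alone, the first file of each pair reports the missing lines and only the fixed copies print "ok".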
# openvpn --tls-client --config /etc/openvpn/client.conf
Read the command output carefully to make sure you've connected correctly. If something goes wrong the first time, it's most likely a mismatch between settings in the server and client configuration files, or a network connectivity/firewall problem. Here are some troubleshooting tips:
- Read the output of the OpenVPN operation on the client carefully. It often contains valuable advice about exactly what couldn't be done and why.
- Check the openvpn.log and openvpn-status.log files in the server's /etc/openvpn/ directory for error messages.
- Check the system logs on the server and the client for OpenVPN-related and time-stamped messages (journalctl -ce displays the most recent entries).
- Make sure there's an active network connection between the server and the client (more on this in chapter 14).
About the author
David Clinton is a system administrator, teacher, and writer. He has administered, written about, and created training materials for many important technical areas, including Linux systems, cloud computing (AWS in particular), and container technologies such as Docker. He wrote the book Learn Amazon Web Services in a Month of Lunches (Manning, 2017). Many of his video training courses can be found on Pluralsight.com, and links to his other books (on Linux administration and server virtualization) are available at:
» For more details about the book, see here.
For Khabrozhiteley, a 25% discount with the coupon code Linux.
When you pay for the paper book, the e-book is sent by e-mail.
Source: habr.com