Ubuntu-20.04에 OpenVPN 설치하기
Beyond Here
Environment
Device : Odroid-HC2
OS : Ubuntu-20.04
Host : test(192.168.101.100/24)
VPN Network : 10.8.0.0/24
파일 정보
ca.crt : CA(Certificate Authority) crt
dh2048.pem : DH(Diffie-Hellman) parameters
ta.key : tls-auth key
test.key : OpenVPN Server key
test.crt : OpenVPN Server crt
test.conf : Server 설정
test-1.key : OpenVPN Client-1 key
test-1.crt : OpenVPN Client-1 crt
test-1.ovpn : OpenVPN Client-1 설정
test-2.key : OpenVPN Client-2 key
test-2.crt : OpenVPN Client-2 crt
test-2.ovpn : OpenVPN Client-2 설정
1. VPN용 계정 생성
$ sudo adduser vpn
$ sudo nano /etc/group
Chanage Connfiguration
sudo:x:27:odroid,test
==>
sudo:x:27:odroid,test,vpn
su vpn
2. Openvpn 설치
$ sudo apt install openvpn easy-rsa -y
3. CA(Certificate Authority) 생성
$ ls
$ make-cadir easy-rsa
$ ls
$ cd easy-rsa
$ cp vars vars.orig
$ nano vars
설정 변경
#set_var EASYRSA_REQ_COUNTRY "US"
#set_var EASYRSA_REQ_PROVINCE "California"
#set_var EASYRSA_REQ_CITY "San Francisco"
#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL "me@example.net"
#set_var EASYRSA_REQ_OU "My Organizational Unit
==>
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "NY"
set_var EASYRSA_REQ_CITY "NY"
set_var EASYRSA_REQ_ORG "TEST"
set_var EASYRSA_REQ_EMAIL "test@test.com"
set_var EASYRSA_REQ_OU "TEST"
$ ./easyrsa init-pki
$ ./easyrsa build-ca
$ cp ./pki/ca.crt ~/
4. 서버용 Key 생성
$ ./easyrsa gen-req test nopass
$ ./easyrsa sign-req server test
$ cp ./pki/private/test.key ./pki/issued/test.crt ~/
5. DH(Diffie-Hellman) 생성
$ ./easyrsa gen-dh
$ cp ./pki/dh.pem ~/dh2048.pem
6. tls-auth key (ta.key) 생성
$ openvpn --genkey --secret ta.key
$ cp ./ta.key ~/
7. IP Forward 설정
$ sudo cp /etc/sysctl.conf /etc/sysctl.conf.orig
$ sudo nano /etc/sysctl.conf
Chanage Configuration
#net.ipv4.ip_forward=1
==>
net.ipv4.ip_forward=1
$ sudo sysctl -p
8. 서버측 설정
$ cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz ./
$ gzip -d server.conf.gz
$ cp server.conf test.conf
$ nano test.conf
설정 변경
cert server.crt
key server.key # This file should be kept secret
==>
cert test.crt
key test.key # This file should be kept secret
server 10.8.0.0 255.255.255.0
==>
server 10.8.0.0 255.255.255.0
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
==>
push "route 192.168.101.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;push "redirect-gateway def1 bypass-dhcp"
==>
push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
==>
push "dhcp-option DNS 192.168.101.210"
push "dhcp-option DNS 8.8.8.8"
;user nobody
;group nogroup
==>
;user nobody
;group nogroup
$ cp test.conf ~/
9. 클라이언트 설정
클라이언트1용 Key 생성
$ ./easyrsa gen-req test-1 nopass
$ ./easyrsa sign-req client test-1
$ cp ./pki/issued/test-1.crt pki/private/test-1.key ~/
클라이언트2용 Key 생성
$ ./easyrsa gen-req test-2 nopass
$ ./easyrsa sign-req client test-2
$ cp ./pki/issued/test-2.crt pki/private/test-2.key ~/
10. 클라이언트용 OpenVPN 설정
Environment
Remote Server : XXX.XXXX.XXX
Remote Port : YYYY
$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ./
$ cp client.conf ~/test-1.ovpn
$ cp client.conf ~/test-2.ovpn
$ cd ~/
$ nano test-1.opvn
설정 변경
remote my-server-1 1194
==>
remote XXX.XXXX.XXX YYYY
;user nobody
;group nogroup
==>
;user nobody
;group nogroup
cert client.crt
key client.key
==>
cert test-1.crt
key test-1.key
$ nano test-1.opvn
설정 변경
remote my-server-1 1194
==>
remote XXX.XXXX.XXX YYYY
;user nobody
;group nogroup
==>
;user nobody
;group nogroup
cert client.crt
key client.key
==>
cert test-2.crt
key test-2.key
11. OpenVPN 서버 서비스 기동
$ sudo ls /etc/openvpn/
$ sudo cp ca.crt dh2048.pem ta.key test*.* /etc/openvpn/
$ sudo ls /etc/openvpn/
$ sudo systemctl start openvpn@test
$ sudo journalctl -u openvpn@test -xe
12. OpenVPN 클라이언트 기동
서버 측 네트워크 장비(공유기 등) 설정 변경
클라이언트에 파일 복사
클라이언트에 OpenVPN 설치