Ryunosuke Ayanokoji's Amateur Thoughts

[Debian] OpenVPN Client

This post covers connecting a client to an OpenVPN server that uses certificate authentication.

Install OpenVPN on the client. The OpenVPN package has the same name whether it is used as client or server.

# apt-get install openvpn
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  liblzo2-2 libpkcs11-helper1
Suggested packages:
  openssl resolvconf
The following NEW packages will be installed:
  liblzo2-2 libpkcs11-helper1 openvpn
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 633 kB of archives.
After this operation, 1,523 kB of additional disk space will be used.
Do you want to continue [Y/n]? Y
Get:1 http://ftp.jp.debian.org/debian/ wheezy/main liblzo2-2 i386 2.06-1 [66.2 kB]
Get:2 http://ftp.jp.debian.org/debian/ wheezy/main libpkcs11-helper1 i386 1.09-1 [49.2 kB]
Get:3 http://ftp.jp.debian.org/debian/ wheezy/main openvpn i386 2.2.1-8+deb7u2 [517 kB]
Fetched 633 kB in 4s (129 kB/s)
Preconfiguring packages ...
Selecting previously unselected package liblzo2-2:i386.
(Reading database ... 18779 files and directories currently installed.)
Unpacking liblzo2-2:i386 (from .../liblzo2-2_2.06-1_i386.deb) ...
Selecting previously unselected package libpkcs11-helper1:i386.
Unpacking libpkcs11-helper1:i386 (from .../libpkcs11-helper1_1.09-1_i386.deb) ...
Selecting previously unselected package openvpn.
Unpacking openvpn (from .../openvpn_2.2.1-8+deb7u2_i386.deb) ...
Processing triggers for man-db ...
Setting up liblzo2-2:i386 (2.06-1) ...
Setting up libpkcs11-helper1:i386 (1.09-1) ...
Setting up openvpn (2.2.1-8+deb7u2) ...
Restarting virtual private network daemon.:.

On the server, create the client certificate; it is named client2. The generated certificate is written to the ./keys directory (/etc/openvpn/easy-rsa/keys).

# cd /etc/openvpn/easy-rsa/
# . ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
# ./build-key client2
Generating a 1024 bit RSA private key
...............++++++
..........++++++
writing new private key to 'client2.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [client2]:
Name [changeme]:
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'client2'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Jul  3 13:40:48 2024 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Transfer the certificate files created on the server (the CA certificate, the client certificate and the client private key) from the server to ~/ on the client.

# ls keys/ca.crt keys/client2.* -la
-rw-r--r-- 1 root root 1383 Jun  7 11:23 keys/ca.crt
-rw-r--r-- 1 root root 3999 Jul  6 22:41 keys/client2.crt
-rw-r--r-- 1 root root  729 Jul  6 22:40 keys/client2.csr
-rw------- 1 root root  916 Jul  6 22:40 keys/client2.key
# scp keys/ca.crt keys/client2.crt keys/client2.key ******@************:~/
******@************'s password:
ca.crt            100% 1383     1.4KB/s   00:00
client2.crt       100% 3999     3.9KB/s   00:00
client2.key       100%  916     0.9KB/s   00:00

On the client, move the files transferred above into /etc/openvpn/. Copy the client.conf template into /etc/openvpn and edit the copy. The diff below shows the edits: TCP instead of UDP, two remote entries on port 443 in place of the my-server-1 placeholder, and client2.crt/client2.key in place of client.crt/client.key.

# mv /home/******/ca.crt /home/******/client2.* /etc/openvpn/
# cp -a /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
# vi /etc/openvpn/client.conf
# diff /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/client.conf
36,37c36,37
< ;proto tcp
< proto udp
---
> proto tcp
> ;proto udp
42c42
< remote my-server-1 1194
---
> ;remote my-server-1 1194
43a44,45
> remote ************** 443
> remote ************* 443
89,90c91,94
< cert client.crt
< key client.key
---
> ;cert client.crt
> ;key client.key
> cert client2.crt
> key client2.key
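The following shell script is an added example, not code from the original post: it lints a client.conf edited the way the diff above shows, printing only the effective directives (lines not commented out with ';' or '#') and checking that the referenced ca/cert/key files exist and that the private key is not readable by group or others. It assumes Linux `stat -c` and that relative file paths resolve against the config's own directory (the Debian init script starts openvpn with `--cd /etc/openvpn`); the sample config and placeholder files it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the original post): lint an OpenVPN client.conf
# that was edited the way the post's diff shows, i.e. proto switched to tcp,
# remotes on port 443, cert/key pointed at client2.crt/client2.key.
# It prints the effective directives (lines not commented out with ';' or '#')
# and checks that the referenced ca/cert/key files exist and that the private
# key is not readable by group or others. Assumptions of this demo: Linux
# 'stat -c', and relative file paths resolved against the config's directory
# (the Debian init script starts openvpn with --cd /etc/openvpn).

# Print the arguments of every effective occurrence of a directive.
# Usage: effective <conf> <directive>
effective() {
    awk -v d="$2" '
        /^[[:space:]]*[;#]/ { next }             # commented-out line: skip
        $1 == d {                                  # directive found: print its arguments
            out = ""
            for (i = 2; i <= NF; i++) out = out (i > 2 ? " " : "") $i
            print out
        }' "$1"
}

# Count effective occurrences of a directive (always exits 0).
count() { effective "$1" "$2" | awk 'END { print NR }'; }

# Lint one client config: prints findings, returns 0 if all checks pass, else 1.
lint_client_conf() {
    conf=$1
    dir=$(dirname "$conf")
    fail=0

    # Exactly one transport directive, and it must be udp, tcp or tcp-client.
    proto=$(effective "$conf" proto)
    case "$(count "$conf" proto):$proto" in
        1:udp|1:tcp|1:tcp-client) echo "proto: $proto" ;;
        *) echo "BAD proto: expected exactly one of udp/tcp, got '$proto'"; fail=1 ;;
    esac

    # At least one remote; with several, OpenVPN tries them in order.
    if [ "$(count "$conf" remote)" -eq 0 ]; then
        echo "BAD remote: no remote directive"; fail=1
    else
        effective "$conf" remote | while read -r host port rest; do
            echo "remote: $host ${port:-1194}"    # 1194 is OpenVPN's default port
        done
    fi

    # ca, cert and key: exactly one each, and the file must exist.
    for d in ca cert key; do
        if [ "$(count "$conf" "$d")" -ne 1 ]; then
            echo "BAD $d: expected exactly one directive"; fail=1; continue
        fi
        f=$(effective "$conf" "$d")
        case "$f" in /*) path=$f ;; *) path="$dir/$f" ;; esac
        if [ ! -f "$path" ]; then
            echo "BAD $d: $path does not exist"; fail=1; continue
        fi
        echo "$d: $path"
        # easy-rsa wrote the key as 0600; any group/other bit exposes it.
        if [ "$d" = key ]; then
            mode=$(stat -c '%a' "$path")
            case "$mode" in
                *00) ;;
                *) echo "BAD key: mode $mode exposes $path to group/others, expected 600"; fail=1 ;;
            esac
        fi
    done
    return "$fail"
}

# Build a constructed demo tree mirroring the post's edited client.conf and
# print its path. The certificate/key files are empty placeholders.
make_demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/client.conf" <<'EOF'
client
dev tun
proto tcp
;proto udp
;remote my-server-1 1194
remote 192.0.2.10 443
remote 192.0.2.11 443
ca ca.crt
;cert client.crt
;key client.key
cert client2.crt
key client2.key
EOF
    for f in ca.crt client2.crt client2.key; do : > "$tmp/$f"; done
    chmod 600 "$tmp/client2.key"
    echo "$tmp"
}

# Stand-alone demo: a clean config passes, then the same config fails once
# the key is made world-readable.
demo=$(make_demo)
lint_client_conf "$demo/client.conf" || echo "lint failed"
chmod 644 "$demo/client2.key"
lint_client_conf "$demo/client.conf" || echo "lint failed (as expected: key mode)"
rm -r "$demo"
```

On a real client, call `lint_client_conf /etc/openvpn/client.conf` after editing; the run at the bottom of the script only exercises the constructed tree and removes it afterwards.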

Restart the OpenVPN client on the client machine. The tun0 interface showing up in ifconfig -a confirms the tunnel came up.

# /etc/init.d/openvpn restart
# ifconfig -a tun
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:***.***.***.***  P-t-P:***.***.***.***  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Next, install resolvconf (one of the packages suggested during the OpenVPN install above).

# apt-get install resolvconf
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  resolvconf
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 69.0 kB of archives.
After this operation, 135 kB of additional disk space will be used.
Get:1 http://ftp.jp.debian.org/debian/ wheezy/main resolvconf all 1.67 [69.0 kB]
Fetched 69.0 kB in 0s (72.3 kB/s)
Preconfiguring packages ...
Selecting previously unselected package resolvconf.
(Reading database ... 18935 files and directories currently installed.)
Unpacking resolvconf (from .../resolvconf_1.67_all.deb) ...
Processing triggers for man-db ...
Setting up resolvconf (1.67) ...
Processing triggers for resolvconf ...


ChangeLog

  1. Posted: 2010-09-26T18:00:51+09:00
  2. Modified: 2010-09-26T18:00:51+09:00