The VPN I want to build looks like this:
- The VPN uses routing mode.
  (Bridge mode... I don't really get it. See http://www.atmarkit.co.jp/flinux/special/openvpn/openvpnb.html for the differences.)
- The network the OpenVPN server sits on is 192.168.100.0/24.
- The OpenVPN server's IP address is 192.168.100.100.
- The virtual address space used by OpenVPN is 10.100.100.0/24.
- Clients connect to the Internet via emobile, or from public wireless LAN such as BB Mobile Point.
- Clients may reach only the OpenVPN server itself or the file server (192.168.100.101).
- Protocols are not restricted for now.
First, copy the stock server.conf into /etc/openvpn/. It is compressed, so expand it with gunzip.
```
degas@debian:~$ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
degas@debian:~$ cd /etc/openvpn/
degas@debian:/etc/openvpn$ sudo gunzip server.conf.gz
degas@debian:/etc/openvpn$ ls -l
合計 16
drwxr-xr-x 4 root root 4096 2008-01-16 14:27 easy-rsa
-rw-r--r-- 1 root root 9971 2008-01-16 17:35 server.conf
```
Now edit server.conf.
First, change the locations of the CA certificate, server certificate and server private key so they match. server.conf is in /etc/openvpn/, but the certificates and keys are in /etc/openvpn/easy-rsa/keys/.
```
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key  # This file should be kept secret
```
Likewise, change the directory given for the DH parameters.
```
# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh easy-rsa/keys/dh1024.pem
```
Change the virtual address space.
```
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.100.100.0 255.255.255.0
```
Change it so that clients can reach the network the OpenVPN server is on.
```
# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 192.168.100.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
```
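As an added check (not part of the original post), the following Python script parses the directives edited above and verifies them against the plan at the top of the page: the server pool matches the planned subnet, the LAN behind the server is pushed to clients, the pool and LAN do not overlap, and every PKI file is named. The sample directives are constructed from the fragments shown; the 2048-bit DH threshold is an added caveat, not something the post itself raises.

```python
import ipaddress
import re
# Constructed sample: the directives edited above, as they now stand in server.conf
SAMPLE_CONF = """\
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key  # This file should be kept secret
dh easy-rsa/keys/dh1024.pem
server 10.100.100.0 255.255.255.0
push "route 192.168.100.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
"""

def parse_conf(text):
    """Return [(directive, args)], dropping '#' comments and ';'-disabled lines."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 1)
        out.append((parts[0], parts[1].strip('"') if len(parts) > 1 else ""))
    return out

def check_conf(text, vpn_subnet, lan_subnet):
    """Return a list of findings; an empty list means the config matches the plan."""
    d = parse_conf(text)
    vpn, lan = ipaddress.ip_network(vpn_subnet), ipaddress.ip_network(lan_subnet)
    findings = []
    # Exactly one 'server' line, and its pool must be the planned VPN subnet
    servers = [a for n, a in d if n == "server"]
    if len(servers) != 1 or ipaddress.ip_network(servers[0].replace(" ", "/")) != vpn:
        findings.append(f"'server' directive does not define the planned pool {vpn}")
    # A VPN pool that overlaps the LAN behind the server cannot be routed
    if vpn.overlaps(lan):
        findings.append(f"VPN pool {vpn} overlaps LAN {lan}")
    # The LAN must be pushed to clients, or they will never reach it
    pushed = [ipaddress.ip_network(a.split(" ", 1)[1].replace(" ", "/"))
              for n, a in d if n == "push" and a.startswith("route ")]
    if lan not in pushed:
        findings.append(f"no push route for {lan}")
    # Every PKI file must be named (relative paths resolve from the start directory)
    names = {n for n, _ in d}
    findings += [f"missing '{r}' directive" for r in ("ca", "cert", "key", "dh") if r not in names]
    # Added caveat: 1024-bit DH parameters are below the 2048-bit minimum now expected
    for n, a in d:
        m = re.search(r"dh(\d+)\.pem$", a) if n == "dh" else None
        if m and int(m.group(1)) < 2048:
            findings.append(f"{a} has {m.group(1)}-bit DH parameters; regenerate with 2048")
    return findings
```

Run against the sample above, the only finding is the 1024-bit DH file; dropping the push line or choosing a pool that overlaps the LAN produces the corresponding findings.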
Start it manually and check that there are no problems with server.conf.
```
degas@debian:/etc/openvpn$ sudo openvpn /etc/openvpn/server.conf
Wed Jan 16 18:51:37 2008 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007
Wed Jan 16 18:51:37 2008 Diffie-Hellman initialized with 1024 bit key
Wed Jan 16 18:51:37 2008 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jan 16 18:51:38 2008 TUN/TAP device tun0 opened
Wed Jan 16 18:51:38 2008 ifconfig tun0 10.100.100.1 pointopoint 10.8.0.2 mtu 1500
Wed Jan 16 18:51:38 2008 route add -net 10.100.100.0 netmask 255.255.255.0 gw 10.8.0.2
Wed Jan 16 18:51:38 2008 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jan 16 18:51:38 2008 UDPv4 link local (bound): [undef]:1194
Wed Jan 16 18:51:38 2008 UDPv4 link remote: [undef]
Wed Jan 16 18:51:38 2008 MULTI: multi_init called, r=256 v=256
Wed Jan 16 18:51:38 2008 IFCONFIG POOL: base=10.100.100.4 size=62
Wed Jan 16 18:51:38 2008 IFCONFIG POOL LIST
Wed Jan 16 18:51:38 2008 Initialization Sequence Completed
```
No problems. Stop it with Ctrl-C.
```
Wed Jan 16 18:55:14 2008 event_wait : Interrupted system call (code=4)
Wed Jan 16 18:55:14 2008 TCP/UDP: Closing socket
Wed Jan 16 18:55:14 2008 route del -net 10.100.100.0 netmask 255.255.255.0
Wed Jan 16 18:55:14 2008 Closing TUN/TAP interface
Wed Jan 16 18:55:14 2008 SIGINT[hard,] received, process exiting
```