OpenVPN
Current state and goals
The following machines are expected to connect to each other:
- Machine with a public IP: install the VPN server so that it acts as the VPN router.
- Machine with a private IP: connect to the VPN server, receive a VPN IP, and be reachable peer-to-peer.
- Machine on a different private IP: connect to the VPN server and reach the other private-IP machine.
- Private-IP machines should be able to connect to each other.
Installation
Installing the program
- On both machines, download and install the latest program from http://openvpn.net.
- For the Mac, download and install from the reference address below. (Not yet tested.)
Generating the key files
Generating the key files is more tedious than the connection itself, but it is explained in detail on the Internet, so refer to that.
( http://www.runpcrun.com/howtoopenvpn )
Creating the CA
For the Windows VPN, run the commands in the easy-rsa folder.
- First run init-config, which renames the sample files:
- openssl.cnf
- vars.bat
Edit the vars.bat file
Only the lines beginning with set need to be edited.
- set KEY_COUNTRY=JP
- set KEY_PROVINCE=CHIYODA
- set KEY_CITY=TOKYO
- set KEY_ORG=YourCompany or YourSomething
- set KEY_EMAIL=your email
Create the CA.
C:\Program Files\OpenVPN\easy-rsa> vars.bat
C:\Program Files\OpenVPN\easy-rsa> clean-all.bat
C:\Program Files\OpenVPN\easy-rsa> build-ca.bat
This mostly just re-confirms what you edited in vars.bat, but the Common Name should be filled in properly, because this common name becomes the unique name of each computer.
Back up the files or whatever (if you expect to fumble around, keeping a backup is a good idea). When finished, copy the CA certificate into the config folder.
C:\Program Files\OpenVPN\easy-rsa> copy keys\ca.crt ..\config\
Important: Key files (.key) are very sensitive and should be kept safe and never sent over insecure (unencrypted) channels. The Certificate Authority key (ca.key) is particularly important: if it is lost or compromised then you will have to replace all your keys and certificates.
Create the server key
Continue in the same window as before. (It is best to keep working in the same window throughout.)
C:\Program Files\OpenVPN\easy-rsa> vars
C:\Program Files\OpenVPN\easy-rsa> build-key-server ((server-name))
You go through re-confirming what you recorded in vars.bat again, and then it asks for the common name once more.
Common Name (eg, your name or your server's hostname) []: ((server-name))
A password is not required. Next,
C:\Program Files\OpenVPN\easy-rsa> build-dh
This step takes a few minutes, and progress should be printed on screen continuously. If it is not, something went wrong, so redo it.
Then copy the results into the config folder:
C:\Program Files\OpenVPN\easy-rsa> copy keys\((server-name)).crt ..\config\
C:\Program Files\OpenVPN\easy-rsa> copy keys\((server-name)).key ..\config\
C:\Program Files\OpenVPN\easy-rsa> copy keys\dh1024.pem ..\config\
Enabling VPN routing
This applies only to the server side.
Windows
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: IPEnableRouter
Type: REG_DWORD
Data: 0x00000001 (1)
To allow VPN clients to communicate with systems on the LAN (other than the VPN server), you need to add the VPN network to your router(s) configuration. For a simple stub network you would do this by adding a static route to the default gateway to direct traffic for 10.8.0.0/24 to the server.
Network: 10.8.0.0
Subnet Mask: 255.255.255.0
Next Hop Address: 192.168.0.1
To do this on an IPCop firewall, add a line to the /etc/rc.d/rc.local file.
#!/bin/sh
/sbin/route add -net 10.8.0.0/24 gw 192.168.0.1
You can also add this route at the command line to avoid rebooting the router.
root@ipcop:~ # route add -net 10.8.0.0/24 gw 192.168.0.1
Create the client key
The client key must also be created on the same machine that created the server key. On that same machine, proceed in the following order.
C:\Program Files\OpenVPN\easy-rsa> vars
C:\Program Files\OpenVPN\easy-rsa> build-key ((new client name like client1))
Find a way to move the files off that server. Below we assume copying them to a floppy.
C:\Program Files\OpenVPN\easy-rsa> copy keys\fred.crt a:\
C:\Program Files\OpenVPN\easy-rsa> copy keys\fred.key a:\
C:\Program Files\OpenVPN\easy-rsa> copy keys\ca.crt a:\
Finally, copy them into the client's config folder.
C:\Program Files\OpenVPN\easy-rsa> copy a:\fred.crt ..\config\
C:\Program Files\OpenVPN\easy-rsa> copy a:\fred.key ..\config\
C:\Program Files\OpenVPN\easy-rsa> copy a:\ca.crt ..\config\
Run the client.
Config files
Server side
## server.ovpn ##
port 1194
proto udp
dev tun
ca ca.crt
cert kisvr.crt
key kisvr.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
cipher BF-CBC
max-clients 4
persist-key
persist-tun
status openvpn-status.log
verb 3
## I thought the commented lines below were needed, but it turned out they are not.
##push "route 192.168.0.0 255.255.255.0"
##push "dhcp-option DNS 10.8.0.1"
##push "dhcp-option WINS 10.8.0.1"
Client config file
Since the client is assigned an IP when it starts, I do not expect the settings below to change much.
client
proto udp
dev tun
remote //MyVPNServerIP// 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert kieun.crt
key kieun.key
cipher BF-CBC
comp-lzo
verb 3
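As an added example (not from this page or the OpenVPN project), a small Python audit of the server.ovpn above that flags the settings a defender would change before exposing the server on a public IP: the BF-CBC cipher, the 1024-bit DH file, comp-lzo, the missing tls-auth/tls-crypt key, and on the client side the missing remote-cert-tls. The config text is embedded from this page; the replacement values named in the messages assume OpenVPN 2.4 or later.

```python
import re

# server.ovpn as this page shows it (comment lines dropped), used as sample input.
SERVER_OVPN = """\
port 1194
proto udp
dev tun
ca ca.crt
cert kisvr.crt
key kisvr.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
cipher BF-CBC
max-clients 4
verb 3
"""

# 64-bit block ciphers; OpenVPN deprecated them, AES-256-GCM is the usual replacement.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}

def parse_ovpn(text):
    """Return {directive: [args]}, ignoring blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf[name] = args
    return conf

def audit(conf, role="server"):
    """List the settings a defender would change; an empty list means nothing was flagged."""
    findings = []
    cipher = conf.get("cipher", ["BF-CBC"])[0]  # BF-CBC was the default before OpenVPN 2.5
    if cipher.upper() in WEAK_CIPHERS:
        findings.append(f"cipher {cipher}: 64-bit block cipher, use cipher AES-256-GCM")
    dh = conf.get("dh", [""])[0]
    bits = re.search(r"\d{3,4}", dh)  # assumes the key size is in the file name, as here
    if role == "server" and bits and int(bits.group()) < 2048:
        findings.append(f"dh {dh}: generate at least 2048-bit parameters")
    if "comp-lzo" in conf or "compress" in conf:
        findings.append("compression enabled: can leak plaintext, drop comp-lzo")
    if "tls-auth" not in conf and "tls-crypt" not in conf:
        findings.append("no tls-auth/tls-crypt: add an HMAC key so unsigned packets are dropped")
    if role == "client" and "remote-cert-tls" not in conf:
        findings.append("add 'remote-cert-tls server' so another client's cert cannot pose as the server")
    return findings
```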
Running
Honestly, this was not in the docs, but if things do not work, it is worth rebooting each machine once and trying again.
If the machines cannot ping each other, they are not connected.
Including multiple machines on the client side when using a routed VPN (dev tun)
In a typical road-warrior or remote access scenario, the client machine connects to the VPN as a single machine. But suppose the client machine is a gateway for a local LAN (such as a home office), and you would like each machine on the client LAN to be able to route through the VPN.
For this example, we will assume that the client LAN is using the 192.168.4.0/24 subnet, and that the VPN client is using a certificate with a common name of client2. Our goal is to set up the VPN so that any machine on the client LAN can communicate with any machine on the server LAN through the VPN.
Before setup, there are some basic prerequisites which must be followed:
- The client LAN subnet (192.168.4.0/24 in our example) must not be exported to the VPN by the server or any other client sites which are using the same subnet. Every subnet which is joined to the VPN via routing must be unique.
- The client must have a unique Common Name in its certificate ("client2" in our example), and the duplicate-cn flag must not be used in the OpenVPN server configuration file.
First, make sure that IP and TUN/TAP forwarding is enabled on the client machine.
Next, we will deal with the necessary configuration changes on the server side. If the server configuration file does not currently reference a client configuration directory, add one now:
client-config-dir ccd
In the above directive, ccd should be the name of a directory which has been pre-created in the default directory where the OpenVPN server daemon runs. On Linux this tends to be /etc/openvpn and on Windows it is usually \Program Files\OpenVPN\config. When a new client connects to the OpenVPN server, the daemon will check this directory for a file which matches the common name of the connecting client. If a matching file is found, it will be read and processed for additional configuration file directives to be applied to the named client.
The next step is to create a file called client2 in the ccd directory. This file should contain the line:
iroute 192.168.4.0 255.255.255.0
This will tell the OpenVPN server that the 192.168.4.0/24 subnet should be routed to client2.
Next, add the following line to the main server config file (not the ccd/client2 file):
route 192.168.4.0 255.255.255.0
Why the redundant route and iroute statements, you might ask? The reason is that route controls the routing from the kernel to the OpenVPN server (via the TUN interface) while iroute controls the routing from the OpenVPN server to the remote clients. Both are necessary.
Next, ask yourself if you would like to allow network traffic between client2's subnet (192.168.4.0/24) and other clients of the OpenVPN server. If so, add the following to the server config file.
client-to-client push "route 192.168.4.0 255.255.255.0"
This will cause the OpenVPN server to advertise client2's subnet to other connecting clients.
The last step, and one that is often forgotten, is to add a route to the server's LAN gateway which directs 192.168.4.0/24 to the OpenVPN server box (you won't need this if the OpenVPN server box is the gateway for the server LAN). Suppose you were missing this step and you tried to ping a machine (not the OpenVPN server itself) on the server LAN from 192.168.4.8? The outgoing ping would probably reach the machine, but then it wouldn't know how to route the ping reply, because it would have no idea how to reach 192.168.4.0/24. The rule of thumb to use is that when routing entire LANs through the VPN (when the VPN server is not the same machine as the LAN gateway), make sure that the gateway for the LAN routes all VPN subnets to the VPN server machine.
Similarly, if the client machine running OpenVPN is not also the gateway for the client LAN, then the gateway for the client LAN must have a route which directs all subnets which should be reachable through the VPN to the OpenVPN client machine.
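As an added example (not part of the OpenVPN HOWTO text above), a Python check that applies the rules just stated to a server config and its ccd files: every iroute needs a matching route in the server config, no two clients may claim the same subnet, no client subnet may collide with the VPN pool, and duplicate-cn must be absent. The server config and the ccd contents below are constructed for the example, following the client2 scenario.

```python
import ipaddress

# Constructed sample: the server config and the ccd/client2 file from the scenario above.
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 192.168.4.0 255.255.255.0
client-to-client
push "route 192.168.4.0 255.255.255.0"
"""
CCD = {"client2": "iroute 192.168.4.0 255.255.255.0\n"}  # {common name: file contents}

def directives(text):
    """Yield (name, args) for each non-comment line of an OpenVPN config."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            yield name, args

def net(args):
    """Turn 'route'/'iroute' style 'network netmask' arguments into a network object."""
    return ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)

def check_routed_lans(server_conf, ccd):
    """Return a list of problems; an empty list means the route/iroute setup is consistent."""
    issues = []
    server = list(directives(server_conf))
    names = {n for n, _ in server}
    if "duplicate-cn" in names:
        issues.append("duplicate-cn set: ccd files are matched by CN, so it must be unique")
    if "client-config-dir" not in names:
        issues.append("client-config-dir missing: ccd files are never read")
    kernel_routes = {net(a) for n, a in server if n == "route"}   # kernel -> OpenVPN
    vpn_pool = next((net(a) for n, a in server if n == "server"), None)
    owner = {}                                                     # subnet -> CN
    for cn, text in ccd.items():
        for n, a in directives(text):
            if n != "iroute":
                continue
            subnet = net(a)                                        # OpenVPN -> client
            if subnet in owner:
                issues.append(f"{subnet} claimed by both {owner[subnet]} and {cn}")
            owner[subnet] = cn
            if subnet not in kernel_routes:
                issues.append(f"{cn}: iroute {subnet} has no matching 'route' in server config")
            if vpn_pool and subnet.overlaps(vpn_pool):
                issues.append(f"{cn}: {subnet} overlaps the VPN pool {vpn_pool}")
    return issues
```

The check does not cover the last step in the text, the route on the server LAN's gateway, since that lives on the gateway rather than in any OpenVPN file.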