OpenVPNサーバ構築1

OpenVPNサーバ構築

対象PC

host sv01.itdo.jp
IP 192.168.0.10
OS CentOS5

1)OpenVPNインストール

rpmforgeリポジトリダウンロード

# wget http://dag.wieers.com/rpm/packages/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm 

rpmforgeリポジトリインストール

# rpm -Uvh rpmforge-release-0.3.6-1.el5.rf.i386.rpm 

rpmforgeリポジトリ削除

# rm -f rpmforge-release-0.3.6-1.el5.rf.i386.rpm 

・基本リポジトリとの競合を避けるため、デフォルトで無効処理

# sed -i ‘s/enabled = 1/enabled = 0/g’ /etc/yum.repos.d/rpmforge.repo

 

  ・OpenVPNインストール

 

# yum -y –enablerepo=rpmforge install openvpn
2)CA認証局の構築

 

・TLS認証実現のためOpenVPNパッケージ同梱のツールを利用して
 証明書と秘密鍵を作成する。

□ CA証明書・秘密鍵の作成
  ・証明書/鍵作成用ディレクトリをコピー 

 

# cp -r /usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/ /etc/openvpn/easy-rsa

 

  ・証明書/鍵作成用ディレクトリへ移動

 

# cd /etc/openvpn/easy-rsa/

 

  ・各スクリプト実行権限付与

 

# chmod +x *

 

  ・証明書/鍵作成用環境変数設定ファイル編集

 

# vi vars

 

    以下を参照に編集

 

  export KEY_COUNTRY=”JP”
export KEY_PROVINCE=”Yamanashi”
export KEY_CITY=”Kofu”
export KEY_ORG=”filesv01.itdo.jp”
export KEY_EMAIL=”miyamoto@itdo.jp”

 

   ・証明書/鍵作成用環境変数設定ファイル内容をシステムに反映

 

# source vars

 

  ・証明書/鍵作成先ディレクトリを初期化 

 

# ./clean-all

 

  ・CA証明書・秘密鍵の作成 

# ./build-ca  
Generating a 1024 bit RSA private key  
………….++++++  
……..++++++  
writing new private key to ‘ca.key’  
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [JP]:
空Enter
State or Province Name (full name) [Yamanashi]:
空Enter
Locality Name (eg, city) [Kofu]:
空Enter
Organization Name (eg, company) [filesv01.itdo.jp]: 空Enter
Organizational Unit Name (eg, section) []: 空Enter
Common Name (eg, your name or your server’s hostname) [filesv01.itdo.jp CA]: 空Enter
Email Address [miyamoto@itdo.jp]:
空Enter

  ・CA証明書をOpenVPN設定ファイル格納ディレクトリにコピー 

 

# cp keys/ca.crt /etc/openvpn/

 

 □ サーバー証明書・秘密鍵の作成

 

# ./build-key-server server  
Generating a 1024 bit RSA private key  
……………………………..++++++  
……………++++++  
writing new private key to ‘server.key’  
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [JP]:
空Enter
State or Province Name (full name) [Yamanashi]:
空Enter
Locality Name (eg, city) [Kofu]:
空Enter
Organization Name (eg, company) [filesv01.itdo.jp]: 空Enter
Organizational Unit Name (eg, section) []: 空Enter
Common Name (eg, your name or your server’s hostname) [server]: 空Enter
Email Address [miyamoto@itdo.jp]:
空Enter
   
Please enter the following ‘extra’ attributes   
to be sent with your certificate request  
A challenge password []: 空Enter
An optional company name []: 空Enter
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf  
Check that the request matches the signature  
Signature ok  
The Subject’s Distinguished Name is as follows  
countryName      :PRINTABLE:’JP’  
stateOrProvinceName     :PRINTABLE:’Yamanashi’  
localityName     :PRINTABLE:’Kofu’  
organizationName     :PRINTABLE:’centossv01′  
commonName     :PRINTABLE:’server’  
emailAddress      :IA5STRING:’goverdoing@gmail.com’  
Certificate is to be certified until Sep 14 19:41:16 2017 GMT (3650 days)  
Sign the certificate? [y/n]:y y応答
   
1 out of 1 certificate requests certified, commit? [y/n]y y応答
Write out database with 1 new entries  
Data Base Updated  

 

  ・サーバ証明書をOpenVPN設定ファイル格納ディレクトリにコピー

 

# cp keys/ca.crt /etc/openvpn/

 

  ・サーバ秘密鍵をOpenVPN設定ファイル格納ディレクトリにコピー

 

# cp keys/server.key /etc/openvpn/

 

□ DH(Diffie Hellman)パラメータ作成
  ・DHパラメータ作成 

 

# ./build-dh

 

  ・DHパラメータをOpenVPN設定ディレクトリにコピー

 

# cp keys/dh1024.pem /etc/openvpn/

コメントを残す

メールアドレスが公開されることはありません。