OpenVPNサーバ構築

対象PC

host	sv01.itdo.jp
IP	192.168.0.10
OS	CentOS5

1)OpenVPNインストール

rpmforgeリポジトリダウンロード

# wget http://dag.wieers.com/rpm/packages/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm 

rpmforgeリポジトリインストール

# rpm -Uvh rpmforge-release-0.3.6-1.el5.rf.i386.rpm 

rpmforgeリポジトリ削除

# rm -f rpmforge-release-0.3.6-1.el5.rf.i386.rpm 

・基本リポジトリとの競合を避けるため、デフォルトで無効処理

# sed -i ‘s/enabled = 1/enabled = 0/g’ /etc/yum.repos.d/rpmforge.repo

 

　　・OpenVPNインストール

 

# yum -y –enablerepo=rpmforge install openvpn

２）CA認証局の構築

 

・TLS認証実現のためOpenVPNパッケージ同梱のツールを利用して
　証明書と秘密鍵を作成する。

□ CA証明書・秘密鍵の作成
　　・証明書/鍵作成用ディレクトリをコピー 

 

# cp -r /usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/ /etc/openvpn/easy-rsa

 

　　・証明書/鍵作成用ディレクトリへ移動

 

# cd /etc/openvpn/easy-rsa/

 

　　・各スクリプト実行権限付与

 

# chmod +x *

 

　　・証明書/鍵作成用環境変数設定ファイル編集

 

# vi vars

 

 　　　以下を参照に編集

 

export KEY_COUNTRY=”JP” export KEY_PROVINCE=”Yamanashi” export KEY_CITY=”Kofu” export KEY_ORG=”filesv01.itdo.jp” export KEY_EMAIL=”miyamoto@itdo.jp”

 

 　　・証明書/鍵作成用環境変数設定ファイル内容をシステムに反映

 

# source vars

 

　　・証明書/鍵作成先ディレクトリを初期化 

 

# ．/clean-all

 

　　・CA証明書・秘密鍵の作成 

# ．/build-ca
Generating a 1024 bit RSA private key
………….++++++
……..++++++
writing new private key to ‘ca.key’
—– You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.’, the field will be left blank. —–
Country Name (2 letter code) [JP]:	空Enter
State or Province Name (full name) [Yamanashi]:	空Enter
Locality Name (eg, city) [Kofu]:	空Enter
Organization Name (eg, company) [filesv01.itdo.jp]:	空Enter
Organizational Unit Name (eg, section) []:	空Enter
Common Name (eg, your name or your server’s hostname) [filesv01.itdo.jp CA]:	空Enter
Email Address [miyamoto@itdo.jp]:	空Enter

　　・CA証明書をOpenVPN設定ファイル格納ディレクトリにコピー 

 

# cp keys/ca.crt /etc/openvpn/

 

 □ サーバー証明書・秘密鍵の作成

 

# ．/build-key-server server
Generating a 1024 bit RSA private key
……………………………..++++++
……………++++++
writing new private key to ‘server.key’
—– You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.’, the field will be left blank. —–
Country Name (2 letter code) [JP]:	空Enter
State or Province Name (full name) [Yamanashi]:	空Enter
Locality Name (eg, city) [Kofu]:	空Enter
Organization Name (eg, company) [filesv01.itdo.jp]:	空Enter
Organizational Unit Name (eg, section) []:	空Enter
Common Name (eg, your name or your server’s hostname) [server]:	空Enter
Email Address [miyamoto@itdo.jp]:	空Enter
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:	空Enter
An optional company name []:	空Enter
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
countryName      :PRINTABLE:’JP’
stateOrProvinceName     :PRINTABLE:’Yamanashi’
localityName     :PRINTABLE:’Kofu’
organizationName     :PRINTABLE:’centossv01′
commonName     :PRINTABLE:’server’
emailAddress      :IA5STRING:’goverdoing@gmail.com’
Certificate is to be certified until Sep 14 19:41:16 2017 GMT (3650 days)
Sign the certificate? [y/n]:y	y応答
1 out of 1 certificate requests certified, commit? [y/n]y	y応答
Write out database with 1 new entries
Data Base Updated

 

　　・サーバ証明書をOpenVPN設定ファイル格納ディレクトリにコピー

 

# cp keys/ca.crt /etc/openvpn/

 

　　・サーバ秘密鍵をOpenVPN設定ファイル格納ディレクトリにコピー

 

# cp keys/server.key /etc/openvpn/

 

□ DH(Diffie Hellman)パラメータ作成
　　・DHパラメータ作成 

 

# ．/build-dh

 

　　・DHパラメータをOpenVPN設定ディレクトリにコピー

 

# cp keys/dh1024.pem /etc/openvpn/