The tale of setting up OpenVPN so my MBA on the road can reach my home server through Sakura VPS
Home - Sakura VPS - MacBook Air
I connected these and thought I might be able to listen to the music files sitting on my home file server through iTunes on the MBA while out, but it was a bit too heavy and didn't really work.
OpenVPN build notes.
Reference
http://www.openvpn.jp/howto.html
The official docs are the best.
The environment looks like this:
MBA (192.168.10.1) / OpenVPN (10.8.0.6)
  |
Sakura VPS (global IP) / OpenVPN (10.8.0.1)
  |
OpenVPN (10.8.0.10) / home server (192.168.200.3)
That is how they are connected: a dedicated OpenVPN segment is created and all traffic between the hosts goes over that segment.
Sakura VPS
First, download it.
$ cd /usr/local/src
$ wget http://swupdate.openvpn.org/community/releases/openvpn-2.2.2.tar.gz
$ tar xzf openvpn-2.2.2.tar.gz
$ cd openvpn-2.2.2 ; pwd
$ ./configure
configure: error: Or try ./configure --disable-lzo
lzo-devel is needed if you want to compress the traffic with LZO.
$ sudo yum install lzo-devel.x86_64
$ ./configure
$ make
$ sudo make install
Install complete. Create the /etc/openvpn directory and copy the config file (and the init script) over.
$ mkdir /etc/openvpn
$ ls -ld /etc/openvpn
$ cp -ip sample-config-files/server.conf /etc/openvpn/
$ cp -ip sample-scripts/openvpn.init /etc/init.d/openvpn
Create the key files and such.
$ cd /usr/local/src/openvpn-2.2.2/easy-rsa/1.0
$ . ./vars
$ ./clean-all
$ ./build-ca
Generating a 1024 bit RSA private key
.....++++++
..........................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:JP
State or Province Name (full name) [NA]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [OpenVPN-TEST]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address [me@myhost.mydomain]:
If what you enter here doesn't match what you enter for the key files described below, the files won't be generated. (Obviously.)
Create the server key.
$ ./build-key server
Generating a 1024 bit RSA private key
...............................++++++
.............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:JP
State or Province Name (full name) [NA]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [OpenVPN-TEST]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:server
Email Address [me@myhost.mydomain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/src/openvpn-2.2.2/easy-rsa/1.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'NA'
localityName          :PRINTABLE:'BISHKEK'
organizationName      :PRINTABLE:'OpenVPN-TEST'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Jun 20 16:21:05 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Create the key for client1.
$ ./build-key client1
Generating a 1024 bit RSA private key
.........++++++
..++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:JP
State or Province Name (full name) [NA]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [OpenVPN-TEST]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:client1
Email Address [me@myhost.mydomain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/src/openvpn-2.2.2/easy-rsa/1.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'NA'
localityName          :PRINTABLE:'BISHKEK'
organizationName      :PRINTABLE:'OpenVPN-TEST'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Jun 20 16:21:40 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Create the key for client2.
$ ./build-key client2
Generating a 1024 bit RSA private key
...........................++++++
......++++++
writing new private key to 'client2.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:JP
State or Province Name (full name) [NA]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [OpenVPN-TEST]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:client2
Email Address [me@myhost.mydomain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/src/openvpn-2.2.2/easy-rsa/1.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'NA'
localityName          :PRINTABLE:'BISHKEK'
organizationName      :PRINTABLE:'OpenVPN-TEST'
commonName            :PRINTABLE:'client2'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Jun 20 16:21:54 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
$ ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
......................................................................................+............................+..................................................+..........................................+.........................+...............................................................................................+...................+.....................................................+............+....+.....................................................................................................+..............................+....................................+...........................................+.....+.......................+........................+..........+..........................................+..................++*++*++*
$ ls -a keys/
.   ca.crt  client1.crt  client1.key  client2.csr  dh1024.pem  serial      server.csr
..  ca.key  client1.csr  client2.crt  client2.key  index.txt   server.crt  server.key
Files like these get created. Copy the ones the server needs.
$ cd keys/
$ cp -ip ca.crt server.crt server.key dh1024.pem /etc/openvpn/
$ grep -E '^[a-z]' /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client
$ openvpn /etc/openvpn/server.conf
Mon Jul 2 19:05:22 2012 OpenVPN 2.2.2 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Jun 23 2012
Mon Jul 2 19:05:22 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Jul 2 19:05:22 2012 Diffie-Hellman initialized with 1024 bit key
Mon Jul 2 19:05:22 2012 WARNING: file 'server.key' is group or others accessible
Mon Jul 2 19:05:22 2012 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Jul 2 19:05:22 2012 Socket Buffers: R=[124928->131072] S=[124928->131072]
Mon Jul 2 19:05:22 2012 ROUTE default_gateway=219.94.244.1
Mon Jul 2 19:05:22 2012 TUN/TAP device tun0 opened
Mon Jul 2 19:05:22 2012 TUN/TAP TX queue length set to 100
Mon Jul 2 19:05:22 2012 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Mon Jul 2 19:05:22 2012 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Mon Jul 2 19:05:22 2012 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Jul 2 19:05:22 2012 UDPv4 link local (bound): [undef]:1194
Mon Jul 2 19:05:22 2012 UDPv4 link remote: [undef]
Mon Jul 2 19:05:22 2012 MULTI: multi_init called, r=256 v=256
Mon Jul 2 19:05:22 2012 IFCONFIG POOL: base=10.8.0.4 size=62
Mon Jul 2 19:05:22 2012 IFCONFIG POOL LIST
Mon Jul 2 19:05:22 2012 client1,10.8.0.4
Mon Jul 2 19:05:22 2012 client2,10.8.0.8
Mon Jul 2 19:05:22 2012 Initialization Sequence Completed
Confirmed that it starts. (Note the WARNING line: server.key is readable by group/others, so tighten the private key files with chmod 600 before leaving this running.)
Since Sakura VPS is the relay this time, it needs to forward packets, so enable forwarding like this:
In /etc/sysctl.conf:
net.ipv4.ip_forward = 1
$ sysctl -p
$ iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Home server (Ubuntu)
Copy the files created on Sakura VPS over with scp or the like.
$ apt-get install openvpn
$ ls -a /etc/openvpn
.  ..  ca.crt  client2.conf  client2.crt  client2.key
$ /etc/init.d/openvpn start
Create client2.conf based on sample-config-files/client.conf.
client2.conf:
client
dev tun
proto udp
remote REMOTESERVER PORT
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client2.crt
key /etc/openvpn/client2.key
comp-lzo
verb 3
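As an added check (my own example, not code from the post), here is a small Python audit of the two configs on this page: it parses the server.conf shown above and this client2.conf, flags the settings a reviewer would raise (no tls-auth, 1024-bit DH, no user/group drop, compression on, no remote-cert-tls on the client) and emits a hardened copy. The file names ta.key and dh2048.pem are assumptions: ta.key would come from `openvpn --genkey --secret ta.key` and dh2048.pem from a 2048-bit build-dh.

```python
"""Audit an OpenVPN 2.x config for weak spots and emit a hardened copy."""
import re
# Sample configs, constructed from the post's server.conf grep and client2.conf.
SERVER_CONF = """port 1194\nproto udp\ndev tun\nca ca.crt\ncert server.crt
key server.key # This file should be kept secret\ndh dh1024.pem
server 10.8.0.0 255.255.255.0\nifconfig-pool-persist ipp.txt\nkeepalive 10 120
comp-lzo\npersist-key\npersist-tun\nstatus openvpn-status.log\nverb 3\nclient-to-client\n"""
CLIENT_CONF = """client\ndev tun\nproto udp\nremote REMOTESERVER PORT
resolv-retry infinite\nnobind\npersist-key\npersist-tun\nca /etc/openvpn/ca.crt
cert /etc/openvpn/client2.crt\nkey /etc/openvpn/client2.key\ncomp-lzo\nverb 3\n"""

def parse(text):
    """Map each directive to its args, dropping '#'/';' comments and blanks."""
    conf = {}
    for raw in text.splitlines():
        line = re.split(r"(?:^|\s)[#;]", raw)[0].strip()
        if line:
            name, *args = line.split()
            conf[name] = args
    return conf

def audit(text, role):
    """Return findings for a 'server' or 'client' config; [] means clean."""
    c, found = parse(text), []
    if "tls-auth" not in c and "tls-crypt" not in c:
        found.append("no tls-auth: control channel accepts unauthenticated packets")
    if "comp-lzo" in c or "compress" in c:
        found.append("compression on: plaintext can leak (VORACLE); disable it")
    if role == "server":
        bits = re.search(r"\d{3,4}", " ".join(c.get("dh", [])))
        if bits and int(bits.group()) < 2048:
            found.append(f"dh {bits.group()} bits: regenerate with >= 2048")
        if "user" not in c or "group" not in c:
            found.append("no user/group nobody: daemon keeps root after init")
    elif "remote-cert-tls" not in c and "ns-cert-type" not in c:
        found.append("no remote-cert-tls server: any CA-signed cert can pose as server")
    return found

# directive -> (server form, client form); None means the directive is dropped.
FIXES = {"tls-auth": ("tls-auth ta.key 0", "tls-auth ta.key 1"),
         "comp-lzo": (None, None), "dh": ("dh dh2048.pem", None),
         "user": ("user nobody", None), "group": ("group nobody", None),
         "remote-cert-tls": (None, "remote-cert-tls server")}

def harden(text, role):
    """Apply FIXES. ta.key (assumed) comes from `openvpn --genkey --secret ta.key`;
    remote-cert-tls needs a server cert made with easy-rsa's build-key-server."""
    idx = 0 if role == "server" else 1
    kept = [ln for ln in text.splitlines() if ln.split() and ln.split()[0] not in FIXES]
    kept += [forms[idx] for forms in FIXES.values() if forms[idx]]
    return "\n".join(kept) + "\n"
```

Run audit() on both configs as they stand to see the four server and three client findings; harden() produces copies that pass clean, but the server cert in this post was made with build-key, not build-key-server, so remote-cert-tls on the client will only verify once the server cert is reissued.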
MBA
I'm using Tunnelblick.
In my case, I put a config equivalent to client2's under
~/Library/Application\ Support/Tunnelblick/Configurations/openvpn/
If you connect at this point and it succeeds, you're already 90% done.
$ ping -c 5 10.8.0.10
PING 10.8.0.10 (10.8.0.10): 56 data bytes
64 bytes from 10.8.0.10: icmp_seq=0 ttl=64 time=31.136 ms
64 bytes from 10.8.0.10: icmp_seq=1 ttl=64 time=31.349 ms
64 bytes from 10.8.0.10: icmp_seq=2 ttl=64 time=30.361 ms
64 bytes from 10.8.0.10: icmp_seq=3 ttl=64 time=31.680 ms
64 bytes from 10.8.0.10: icmp_seq=4 ttl=64 time=30.396 ms
--- 10.8.0.10 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 30.361/30.984/31.680/0.524 ms
MBA -> Sakura VPS -> home server
Confirmed that this path has connectivity.
$ ping -c 5 10.8.0.6
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.
64 bytes from 10.8.0.6: icmp_req=1 ttl=64 time=35.4 ms
64 bytes from 10.8.0.6: icmp_req=2 ttl=64 time=30.9 ms
64 bytes from 10.8.0.6: icmp_req=3 ttl=64 time=34.6 ms
64 bytes from 10.8.0.6: icmp_req=4 ttl=64 time=30.7 ms
64 bytes from 10.8.0.6: icmp_req=5 ttl=64 time=32.1 ms
--- 10.8.0.6 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4002ms
rtt min/avg/max/mdev = 30.776/32.778/35.415/1.905 ms
And in the reverse direction, the home server pinging the MBA (10.8.0.6) through Sakura VPS, connectivity is confirmed as well.
So the VPN came up successfully over OpenVPN.
That's it: a casual summary, mainly for my own reference.