読者です 読者をやめる 読者になる 読者になる

OpenVPNで外出先のMBAからさくらVPS通して自宅サーバにつなげる環境をつくるの巻

OpenVPN

自宅 - さくらVPS - Macbook Air

で繋いで、自宅のファイルサーバに置いてある音楽ファイルを
外出先のMBAiTunes通して聞けないかなーと思ったんですけど
ちと重くて無理っぽかった。

OpenVPN、構築メモ。

参考元
http://www.openvpn.jp/howto.html

オフィシャル最強です。


環境としては

 MBA(192.168.10.1)
 |
 OpenVPN (10.8.0.6) 
 |
 sakura VPS(Global IP)
 OpenVPN (10.8.0.1)
 |
 OpenVPN (10.8.0.10)
 |
 自宅サーバ(192.168.200.3)

こんな感じで繋ぎます。OpenVPN専用のセグメントをつくり
そのセグメントを通してやりとりを行うって感じですね。

sakura vps

中継地点となるVPSOpenVPNの設定をします。

まずはダウンロードしてくる。

$ cd /usr/local/src
$ wget http://swupdate.openvpn.org/community/releases/openvpn-2.2.2.tar.gz
$ tar xzf openvpn-2.2.2.tar.gz
$ cd openvpn-2.2.2 ; pwd
$ ./configure
configure: error: Or try ./configure --disable-lzo

lzoで圧縮して通信する場合は必要

$ sudo yum install lzo-devel.x86_64
$ ./configure
$ make 
$ sudo make install

インストール完了。

/etc/openvpnディレクトリを作成して
設定ファイルをコピー。

$ mkdir /etc/openvpn
$ ls -ld /etc/openvpn
$ cp -ip sample-config-files/server.conf /etc/openvpn/
$ cp -ip sample-scripts/openvpn.init /etc/init.d/openvpn


鍵ファイルとかを作成する。

$ cd /usr/local/src/openvpn-2.2.2/easy-rsa/1.0
$ . ./vars
$ ./clean-all
$ ./build-ca 
Generating a 1024 bit RSA private key
.....++++++
..........................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:JP
State or Province Name (full name) [NA]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [OpenVPN-TEST]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address [me@myhost.mydomain]:
$ 

ここで設定した内容と、後述する鍵ファイルの内容が違っていたら
ファイル生成されません。(当たり前)

サーバ用のkeyを作成。

$ ./build-key server
Generating a 1024 bit RSA private key
...............................++++++
.............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:JP
State or Province Name (full name) [NA]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [OpenVPN-TEST]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:server
Email Address [me@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/src/openvpn-2.2.2/easy-rsa/1.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'NA'
localityName          :PRINTABLE:'BISHKEK'
organizationName      :PRINTABLE:'OpenVPN-TEST'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Jun 20 16:21:05 2022 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


client1用のkeyを作成

$ ./build-key client1
Generating a 1024 bit RSA private key
.........++++++
..++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:JP
State or Province Name (full name) [NA]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [OpenVPN-TEST]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:client1
Email Address [me@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/src/openvpn-2.2.2/easy-rsa/1.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'NA'
localityName          :PRINTABLE:'BISHKEK'
organizationName      :PRINTABLE:'OpenVPN-TEST'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Jun 20 16:21:40 2022 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


client2用のkeyを作成。

$ ./build-key client2
Generating a 1024 bit RSA private key
...........................++++++
......++++++
writing new private key to 'client2.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:JP
State or Province Name (full name) [NA]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [OpenVPN-TEST]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:client2
Email Address [me@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/src/openvpn-2.2.2/easy-rsa/1.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'NA'
localityName          :PRINTABLE:'BISHKEK'
organizationName      :PRINTABLE:'OpenVPN-TEST'
commonName            :PRINTABLE:'client2'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Jun 20 16:21:54 2022 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

$ 
$ ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
......................................................................................+............................+..................................................+..........................................+.........................+...............................................................................................+...................+.....................................................+............+....+.....................................................................................................+..............................+....................................+...........................................+.....+.......................+........................+..........+..........................................+..................++*++*++*
$ 
$ 
$ ls -a keys/
.   ca.crt  client1.crt  client1.key  client2.csr  dh1024.pem  serial      server.csr
..  ca.key  client1.csr  client2.crt  client2.key  index.txt   server.crt  server.key
$ 

こんな感じでファイルができる。
できたファイルをコピーする。

$ cd kyes/
$ cp -ip ca.crt server.crt server.key dh1024.pem /etc/openvpn/


$ grep -E '^[a-z]' /etc/openvpn/server.conf 
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client


$ openvpn /etc/openvpn/server.conf 
Mon Jul  2 19:05:22 2012 OpenVPN 2.2.2 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Jun 23 2012
Mon Jul  2 19:05:22 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Jul  2 19:05:22 2012 Diffie-Hellman initialized with 1024 bit key
Mon Jul  2 19:05:22 2012 WARNING: file 'server.key' is group or others accessible
Mon Jul  2 19:05:22 2012 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Jul  2 19:05:22 2012 Socket Buffers: R=[124928->131072] S=[124928->131072]
Mon Jul  2 19:05:22 2012 ROUTE default_gateway=219.94.244.1
Mon Jul  2 19:05:22 2012 TUN/TAP device tun0 opened
Mon Jul  2 19:05:22 2012 TUN/TAP TX queue length set to 100
Mon Jul  2 19:05:22 2012 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Mon Jul  2 19:05:22 2012 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Mon Jul  2 19:05:22 2012 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Jul  2 19:05:22 2012 UDPv4 link local (bound): [undef]:1194
Mon Jul  2 19:05:22 2012 UDPv4 link remote: [undef]
Mon Jul  2 19:05:22 2012 MULTI: multi_init called, r=256 v=256
Mon Jul  2 19:05:22 2012 IFCONFIG POOL: base=10.8.0.4 size=62
Mon Jul  2 19:05:22 2012 IFCONFIG POOL LIST
Mon Jul  2 19:05:22 2012 client1,10.8.0.4
Mon Jul  2 19:05:22 2012 client2,10.8.0.8
Mon Jul  2 19:05:22 2012 Initialization Sequence Completed

起動できることを確認


sakura VPSは今回中継役となるため、パケットをフォワードしたいので

$ /etc/sysctl.conf
net.ipv4.ip_forward = 1
$ sysctl -p

$ iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

な感じでフォワードを有効化しておく必要がある。

自宅サーバ(Ubuntu)

sakura VPSで作成したファイルをscpなどでコピーしてくる。

$ apt-get install openvpn
$
$ ls -a /etc/openvpn 
.  ..  ca.crt  client2.conf  client2.crt  client2.key
$
$ /etc/init.d/openvpn start
$ 


sample-config-files/client.confを参考にclient2.confを作成

client2.conf

client
dev tun
proto udp
remote REMOTESERVER PORT
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client2.crt
key /etc/openvpn/client2.key
comp-lzo
verb 3


この状態で ping が 10.8.0.1 に届けばVPNは開通していることになります。

MBA

Tunnelblick を使ってます。

わたしの場合は、
~/Library/Application\ Support/Tunnelblick/Configurations/openvpn/
の中に、client2と同様のものを置いています。

この状態で接続して成功すればもう90%は完了しています。

$ ping -c 5 10.8.0.10                                                
PING 10.8.0.10 (10.8.0.10): 56 data bytes
64 bytes from 10.8.0.10: icmp_seq=0 ttl=64 time=31.136 ms
64 bytes from 10.8.0.10: icmp_seq=1 ttl=64 time=31.349 ms
64 bytes from 10.8.0.10: icmp_seq=2 ttl=64 time=30.361 ms
64 bytes from 10.8.0.10: icmp_seq=3 ttl=64 time=31.680 ms
64 bytes from 10.8.0.10: icmp_seq=4 ttl=64 time=30.396 ms

--- 10.8.0.10 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 30.361/30.984/31.680/0.524 ms

MBA -> sakura VPS -> 自宅サーバ
で疎通が取れることを確認。

$ ping -c 5 10.8.0.6
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.
64 bytes from 10.8.0.6: icmp_req=1 ttl=64 time=35.4 ms
64 bytes from 10.8.0.6: icmp_req=2 ttl=64 time=30.9 ms
64 bytes from 10.8.0.6: icmp_req=3 ttl=64 time=34.6 ms
64 bytes from 10.8.0.6: icmp_req=4 ttl=64 time=30.7 ms
64 bytes from 10.8.0.6: icmp_req=5 ttl=64 time=32.1 ms

--- 10.8.0.6 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4002ms
rtt min/avg/max/mdev = 30.776/32.778/35.415/1.905 ms

自宅サーバ -> sakura VPS -> MBA

で疎通が取れることを確認。
無事OpenVPNVPNが接続できたことになりました。

以上、カジュアルですが、自分用まとめです。