I wanted a fixed IP address, but rather than rely on some service I wanted to build it myself, so I set up a VPN server. The following protocols are available for VPNs:
IPsec, L2TP, PPTP, SSL-VPN, OpenVPN, Shadowsocks
This time I created it with OpenVPN.
There are several authentication methods; here I use the certificate method, issuing a certificate to each client that connects.
The official website installs it from an rpm, but since it can be installed with dnf as usual, I will use dnf.
dnf -y update
dnf -y install openvpn easy-rsa
Create the server certificate and the client certificates with easy-rsa.
cd /usr/share/easy-rsa/3/
Initialize the certificate authority.
[root@hoge 3]# ./easyrsa init-pki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /usr/share/easy-rsa/3/pki
Create a certificate authority.
[root@hoge 3]# ./easyrsa build-ca
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Enter New CA Key Passphrase: #Any password
Re-Enter New CA Key Passphrase: #Any password
Generating RSA private key, 2048 bit long modulus (2 primes)
............+++++
..........................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: # Specify anything. You can leave the default
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/usr/share/easy-rsa/3/pki/ca.crt
Generate DH parameters.
[root@hoge 3]# ./easyrsa gen-dh
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
........................................................................................................+....+
DH parameters of size 2048 created at /usr/share/easy-rsa/3/pki/dh.pem
Create the server private key and sign its certificate in one step.
[root@hoge 3]# ./easyrsa build-server-full server nopass
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Generating a RSA private key
..................+++++
............................................................................+++++
writing new private key to '/usr/share/easy-rsa/3/pki/easy-rsa-36402.InOa0s/tmp.ILGl7B'
-----
Using configuration from /usr/share/easy-rsa/3/pki/easy-rsa-36402.InOa0s/tmp.omwcm1
Enter pass phrase for /usr/share/easy-rsa/3/pki/private/ca.key: #Enter the password you set when creating the certificate authority
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Apr 9 05:25:22 2023 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Create the client private key and sign its certificate in one step. Adding nopass means you will not be asked for a password when connecting to the VPN.
[root@hoge 3]# ./easyrsa build-client-full client0 nopass
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Generating a RSA private key
........+++++
..........+++++
writing new private key to '/usr/share/easy-rsa/3/pki/easy-rsa-36518.woJCtP/tmp.DYeRlx'
-----
Using configuration from /usr/share/easy-rsa/3/pki/easy-rsa-36518.woJCtP/tmp.6ttbFr
Enter pass phrase for /usr/share/easy-rsa/3/pki/private/ca.key: #Enter the password you set when creating the certificate authority
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client0'
Certificate is to be certified until Apr 9 05:25:48 2023 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Generate the tls-auth key (a pre-shared HMAC key, not a private key).
cd /etc/openvpn/server
openvpn --genkey --secret ta.key
Create an OpenVPN configuration file.
vi /etc/openvpn/server/server.conf
port 1194 #Listen port
proto udp # Accept on the above port with udp
dev tun # Use dev tap when bridging with the LAN side network of the server by VPN. Set to tun when routing with OpenVPN server
ca /usr/share/easy-rsa/3/pki/ca.crt #CA certificate
cert /usr/share/easy-rsa/3/pki/issued/server.crt #server certificate
key /usr/share/easy-rsa/3/pki/private/server.key #server private key
dh /usr/share/easy-rsa/3/pki/dh.pem #DH key
server 10.8.0.0 255.255.255.0 # Address band to be assigned to the client. It is also the address attached to dev tun.
ifconfig-pool-persist /etc/openvpn/server/ipp.txt
push "redirect-gateway def1 bypass-dhcp bypass-dns" # Route all client traffic through OpenVPN. The bypass options at the end let only dhcp and dns traffic stay local. bypass-dhcp is required especially in an environment that uses DHCP. If you do not bypass dns, add push "dhcp-option DNS 8.8.8.8" below
client-to-client #VPN Allow communication between clients
keepalive 10 120 # Send alive monitoring packet to the client once every 10 seconds. If it doesn't come back for 120 seconds, the client is considered down
tls-auth /etc/openvpn/server/ta.key 0 #TLS auth key; 0 is the key direction on the server side (the client uses 1)
cipher AES-256-CBC
persist-key
persist-tun
comp-lzo
status openvpn-status.log
verb 3
explicit-exit-notify 1
The part after @ is the configuration file name (/etc/openvpn/server/server.conf).
systemctl enable openvpn-server@server.service
systemctl start openvpn-server@server.service
Allow openvpn through the firewall. On a Conoha VPS the global IP is attached to eth0, so put eth0 in the external zone.
nmcli connection modify eth0 connection.zone external
nmcli connection modify tun0 connection.zone trusted
firewall-cmd --zone=external --add-service=openvpn --permanent
firewall-cmd --reload
[root@hoge ~]# firewall-cmd --list-all --zone=external
external (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: openvpn ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Download the certificates and keys you just created to any directory on your MacBook (XXX.XXX.XXX.XXX stands for the server's global IP).
scp -i ~/.ssh/test.pem root@XXX.XXX.XXX.XXX:/usr/share/easy-rsa/3/pki/ca.crt ./
scp -i ~/.ssh/test.pem root@XXX.XXX.XXX.XXX:/usr/share/easy-rsa/3/pki/issued/client0.crt ./
scp -i ~/.ssh/test.pem root@XXX.XXX.XXX.XXX:/usr/share/easy-rsa/3/pki/private/client0.key ./
scp -i ~/.ssh/test.pem root@XXX.XXX.XXX.XXX:/etc/openvpn/server/ta.key ./
Download and launch Tunnelblick (https://tunnelblick.net/).
Create the client configuration file as a plain text file.
client
dev tun
proto udp
remote XXX.XXX.XXX.XXX 1194 #destination and port
resolv-retry infinite
nobind
persist-key
persist-tun
ca /Users/hoge/workspace/openvpn/ca.crt # downloaded with scp
cert /Users/hoge/workspace/openvpn/client0.crt # downloaded with scp
key /Users/hoge/workspace/openvpn/client0.key # downloaded with scp
tls-auth /Users/hoge/workspace/openvpn/ta.key 1 # downloaded with scp
cipher AES-256-CBC
comp-lzo
verb 3
Run curl; if the response is the global IP of the VPN server, you are connected successfully.
% curl ipinfo.io/ip/
XXX.XXX.XXX.XXX
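As an added example (not code from the post), the following Python cross-checks the server.conf above against the Tunnelblick client config for the settings that must agree on both sides: port and proto against the remote line, dev, cipher, comp-lzo, and the tls-auth key direction (0 on the server, 1 on the client). The two sample configs are constructed from the post's values.

```python
# Added example, not code from the post: cross-check server.conf against the
# client config for mismatches that commonly break a fresh OpenVPN setup.
SERVER_CONF = """port 1194
proto udp
dev tun
tls-auth /etc/openvpn/server/ta.key 0
cipher AES-256-CBC
comp-lzo"""  # constructed from the post's server.conf

CLIENT_CONF = """client
dev tun
proto udp
remote XXX.XXX.XXX.XXX 1194
tls-auth /Users/hoge/workspace/openvpn/ta.key 1
cipher AES-256-CBC
comp-lzo"""  # constructed from the post's Tunnelblick config

def parse(conf):
    """Map each directive to its argument list, skipping '#' and ';' comments."""
    opts = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts.setdefault(name, args)  # first occurrence wins
    return opts

def check_pair(server_conf, client_conf):
    """Return a list of mismatches between the two configs; empty means consistent."""
    s, c = parse(server_conf), parse(client_conf)
    problems = []
    # Client port/proto come from 'remote host [port] [proto]' (defaults: 1194, own proto line).
    remote = c.get("remote", [])
    c_port = remote[1] if len(remote) > 1 else "1194"
    c_proto = remote[2] if len(remote) > 2 else c.get("proto", ["udp"])[0]
    s_port, s_proto = s.get("port", ["1194"])[0], s.get("proto", ["udp"])[0]
    if s_port != c_port:
        problems.append(f"port: server listens on {s_port}, client connects to {c_port}")
    if s_proto != c_proto:
        problems.append(f"proto: server {s_proto}, client {c_proto}")
    for key in ("dev", "cipher"):
        if s.get(key) != c.get(key):
            problems.append(f"{key}: server {s.get(key)}, client {c.get(key)}")
    # tls-auth direction must be 0 on the server and 1 on the client, or omitted on both.
    direction = lambda o: (o.get("tls-auth", []) + [None, None])[1]
    if (dirs := [direction(s), direction(c)]) not in (["0", "1"], [None, None]):
        problems.append(f"tls-auth key direction: server {dirs[0]}, client {dirs[1]}")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo is enabled on only one side")
    return problems
```

Run check_pair on the real files before loading the config into Tunnelblick; an empty list means the two sides agree.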
Try adding MTU or MSS settings on the server or client side. The tun MTU defaults to 1500.
mssfix XXXX
tun-mtu XXXX