I wanted a fixed IP, but rather than relying on some service I wanted to build it myself, so I set up a VPN server. The main VPN protocols are: IPsec, L2TP, PPTP, SSL-VPN, OpenVPN and Shadowsocks.
This time I created it with OpenVPN.
There are several authentication methods; here I use certificate authentication and issue a certificate to each client that connects.
The official site installs from an rpm, but since it can be installed with dnf as usual, I will use dnf.

```
dnf -y update
dnf -y install openvpn easy-rsa
```

Create the server and client certificates with easy-rsa.
Initialize the certificate authority.
```
[root@hoge 3]# ./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /usr/share/easy-rsa/3/pki
```
Create a certificate authority.
```
[root@hoge 3]# ./easyrsa build-ca
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020

Enter New CA Key Passphrase:      # any password
Re-Enter New CA Key Passphrase:   # any password
Generating RSA private key, 2048 bit long modulus (2 primes)
............+++++
..........................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:   # anything; the default is fine

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/usr/share/easy-rsa/3/pki/ca.crt
```
Generate DH parameters.
```
[root@hoge 3]# ./easyrsa gen-dh
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
........................................................................................................+....+

DH parameters of size 2048 created at /usr/share/easy-rsa/3/pki/dh.pem
```

Create the server private key and sign its certificate in one step.

```
[root@hoge 3]# ./easyrsa build-server-full server nopass
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating a RSA private key
..................+++++
............................................................................+++++
writing new private key to '/usr/share/easy-rsa/3/pki/easy-rsa-36402.InOa0s/tmp.ILGl7B'
-----
Using configuration from /usr/share/easy-rsa/3/pki/easy-rsa-36402.InOa0s/tmp.omwcm1
Enter pass phrase for /usr/share/easy-rsa/3/pki/private/ca.key:   # the passphrase set when creating the CA
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Apr  9 05:25:22 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated
```
Create the client private key and sign its certificate in one step. With nopass, you are not asked for a password when connecting to the VPN.

```
[root@hoge 3]# ./easyrsa build-client-full client0 nopass
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating a RSA private key
........+++++
..........+++++
writing new private key to '/usr/share/easy-rsa/3/pki/easy-rsa-36518.woJCtP/tmp.DYeRlx'
-----
Using configuration from /usr/share/easy-rsa/3/pki/easy-rsa-36518.woJCtP/tmp.6ttbFr
Enter pass phrase for /usr/share/easy-rsa/3/pki/private/ca.key:   # the passphrase set when creating the CA
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client0'
Certificate is to be certified until Apr  9 05:25:48 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated
```
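The "Data Base Updated" line refers to pki/index.txt, the CA database that easy-rsa (via OpenSSL) appends to for every certificate it signs. Once a few clients exist, that file is the place to see who can still connect and which certificates are close to their 825-day expiry. The script below is an added example, not part of easy-rsa or OpenSSL; the index lines are constructed to match the certificates issued above plus a revoked and an expired client.

```python
"""Read the easy-rsa CA database (pki/index.txt) and list which certificates
are currently usable. Example added here; not part of easy-rsa or OpenSSL."""
from datetime import datetime, timedelta, timezone

# Constructed sample: one server cert and three client certs. Fields are
# tab-separated: status (V valid, R revoked, E expired), expiry
# (YYMMDDHHMMSSZ), revocation time, serial, filename, subject DN.
SAMPLE_INDEX = (
    "V\t230409052522Z\t\t01\tunknown\t/CN=server\n"
    "V\t230409052548Z\t\t02\tunknown\t/CN=client0\n"
    "R\t230501120000Z\t210301080000Z\t03\tunknown\t/CN=client1\n"
    "V\t210101000000Z\t\t04\tunknown\t/CN=client2\n"
)


def utc(year, month, day):
    """Convenience constructor for a timezone-aware UTC datetime."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _parse_time(value):
    # OpenSSL writes UTCTime (YYMMDDHHMMSSZ) for dates before 2050.
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text):
    """Return one dict per certificate recorded in index.txt."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _filename, dn = line.split("\t")
        rdn = dict(part.split("=", 1) for part in dn.strip("/").split("/"))
        entries.append({
            "cn": rdn.get("CN"),
            "serial": serial,
            "status": status,
            "expires": _parse_time(expiry),
            "revoked": _parse_time(revoked) if revoked else None,
        })
    return entries


def usable(entries, now):
    """CNs that are neither revoked nor past expiry.

    easy-rsa only rewrites 'V' to 'E' on an explicit database update, so the
    expiry date is checked here instead of trusting the status letter.
    Note that OpenVPN itself rejects a revoked cert only if the server is
    configured with crl-verify and the CRL has been regenerated."""
    return sorted(e["cn"] for e in entries
                  if e["status"] == "V" and e["expires"] > now)


def expiring_within(entries, now, days):
    """Usable certificates that lapse within `days`; renew these first."""
    horizon = now + timedelta(days=days)
    return sorted(e["cn"] for e in entries
                  if e["status"] == "V" and now < e["expires"] <= horizon)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    entries = parse_index(SAMPLE_INDEX)
    print("usable:", usable(entries, now))
    print("expiring in 90 days:", expiring_within(entries, now, 90))
```

On the server, replace SAMPLE_INDEX with the contents of /usr/share/easy-rsa/3/pki/index.txt; the CN column is the name you passed to build-client-full, so the output maps directly to the client configs you handed out.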
Generate the TLS auth key (ta.key).

```
cd /etc/openvpn/server
openvpn --genkey --secret ta.key
```
Create an OpenVPN configuration file.
```
# Listen port
port 1194
# Accept on the above port with UDP
proto udp
# Use dev tap when bridging to the LAN on the server side through the VPN;
# use tun when routing with the OpenVPN server
dev tun
# CA certificate
ca /usr/share/easy-rsa/3/pki/ca.crt
# server certificate
cert /usr/share/easy-rsa/3/pki/issued/server.crt
# server private key
key /usr/share/easy-rsa/3/pki/private/server.key
# DH parameters
dh /usr/share/easy-rsa/3/pki/dh.pem
# Address range assigned to clients. It is also the address attached to dev tun.
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/server/ipp.txt
# Route all client traffic through OpenVPN. The bypass options keep DHCP and
# DNS traffic on the local network. bypass-dhcp is required especially in an
# environment that uses DHCP. If you do not bypass DNS, add
# push "dhcp-option DNS 188.8.131.52" below.
push "redirect-gateway def1 bypass-dhcp bypass-dns"
# Allow communication between VPN clients
client-to-client
# Send a keepalive packet to the client every 10 seconds. If nothing comes
# back for 120 seconds, the client is considered down.
keepalive 10 120
# TLS auth key
tls-auth /etc/openvpn/server/ta.key 0
cipher AES-256-CBC
persist-key
persist-tun
comp-lzo
status openvpn-status.log
verb 3
explicit-exit-notify 1
```

In the unit name, the part after @ is the configuration file name (/etc/openvpn/server/server.conf).

```
systemctl enable openvpn-server@server.service
systemctl start openvpn-server@server.service
```
Allow OpenVPN through the firewall. On a ConoHa VPS the global IP is attached to eth0, so put eth0 in the external zone.

```
nmcli connection modify eth0 connection.zone external
nmcli connection modify tun0 connection.zone trusted
firewall-cmd --zone=external --add-service=openvpn --permanent
firewall-cmd --reload
```

```
[root@hoge ~]# firewall-cmd --list-all --zone=external
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: openvpn ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```
Download the certificates and keys you just created to a directory on your MacBook.

```
# USER@XXX.XXX.XXX.XXX is a placeholder for your SSH user and the server's global IP
scp -i ~/.ssh/test.pem USER@XXX.XXX.XXX.XXX:/usr/share/easy-rsa/3/pki/ca.crt ./
scp -i ~/.ssh/test.pem USER@XXX.XXX.XXX.XXX:/usr/share/easy-rsa/3/pki/issued/client0.crt ./
scp -i ~/.ssh/test.pem USER@XXX.XXX.XXX.XXX:/usr/share/easy-rsa/3/pki/private/client0.key ./
scp -i ~/.ssh/test.pem USER@XXX.XXX.XXX.XXX:/etc/openvpn/server/ta.key ./
```
Download and launch Tunnelblick: https://tunnelblick.net/
Create the client configuration file as plain text.

```
client
dev tun
proto udp
# destination address and port
remote XXX.XXX.XXX.XXX 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# the files downloaded with scp
ca /Users/hoge/workspace/openvpn/ca.crt
cert /Users/hoge/workspace/openvpn/client0.crt
key /Users/hoge/workspace/openvpn/client0.key
tls-auth /Users/hoge/workspace/openvpn/ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
```
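Both the server.conf above and this client file are short enough to review by eye, but a small linter makes the review repeatable and documents which directives matter. The script below is an added example, not OpenVPN's own tooling: it parses OpenVPN's directive-per-line format (including quoted arguments such as the push line and trailing # comments) and flags the points a reviewer would raise against OpenVPN 2.4/2.5 guidance: tls-auth authenticates the control channel while tls-crypt (2.4+) also encrypts it; comp-lzo enables compression, which OpenVPN deprecates; a bare cipher AES-256-CBC without data-ciphers pins the legacy CBC mode instead of the negotiated AES-GCM; and a client without remote-cert-tls server would accept any certificate the CA issued, including another client's, as the server. The sample configs are constructed from the two files in this post, and the hardened client config is an illustration of what the linter accepts (switching to tls-crypt and data-ciphers has to be done on the server at the same time).

```python
"""Lint an OpenVPN server or client config for settings that weaken it.
Added example, not OpenVPN's own tooling; the checks reflect OpenVPN 2.4/2.5
guidance (tls-crypt, data-ciphers, no compression, remote-cert-tls)."""
import shlex

# Constructed sample: the server.conf from this post, trimmed to the
# directives the linter looks at.
SERVER_CONF = """
port 1194
proto udp
dev tun
ca /usr/share/easy-rsa/3/pki/ca.crt
cert /usr/share/easy-rsa/3/pki/issued/server.crt
key /usr/share/easy-rsa/3/pki/private/server.key
dh /usr/share/easy-rsa/3/pki/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp bypass-dns"   # all traffic via VPN
client-to-client
keepalive 10 120
tls-auth /etc/openvpn/server/ta.key 0
cipher AES-256-CBC
comp-lzo
verb 3
"""

# Constructed sample: the Tunnelblick client config from this post.
CLIENT_CONF = """
client
dev tun
proto udp
remote XXX.XXX.XXX.XXX 1194
resolv-retry infinite
nobind
ca ca.crt
cert client0.crt
key client0.key
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
"""

# Constructed illustration of a client config the linter accepts; the server
# must be changed to tls-crypt and data-ciphers as well for this to connect.
HARDENED_CLIENT_CONF = """
client
dev tun
proto udp
remote XXX.XXX.XXX.XXX 1194
nobind
ca ca.crt
cert client0.crt
key client0.key
tls-crypt ta.key
remote-cert-tls server
data-ciphers AES-256-GCM:AES-128-GCM
tls-version-min 1.2
verb 3
"""


def parse_config(text):
    """Return [(directive, args)]; comment lines (# or ;) and blanks are dropped."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        # shlex keeps "quoted args" together and strips trailing # comments
        tokens = shlex.split(line, comments=True)
        if tokens:
            directives.append((tokens[0], tokens[1:]))
    return directives


def lint(text):
    """Return a list of finding codes for the given config text."""
    directives = parse_config(text)
    names = {d for d, _ in directives}
    args = dict(directives)  # last occurrence wins
    findings = []
    is_client = "client" in names or "remote" in names

    # Control channel: tls-crypt also encrypts it, tls-auth only authenticates
    # it, and neither leaves the TLS handshake exposed on the open port.
    if "tls-crypt" not in names and "tls-auth" not in names:
        findings.append("no-control-channel-hmac")
    elif "tls-auth" in names:
        findings.append("tls-auth-not-tls-crypt")

    # Compression leaks plaintext properties through ciphertext size (VORACLE);
    # OpenVPN deprecates it.
    if names & {"comp-lzo", "compress"}:
        findings.append("compression-enabled")

    # Without data-ciphers (2.5) / ncp-ciphers (2.4), a bare CBC cipher is pinned
    # on both ends instead of the negotiated AES-GCM.
    if "data-ciphers" not in names and "ncp-ciphers" not in names:
        cipher = (args.get("cipher") or [""])[0].upper()
        if not cipher.endswith("GCM"):
            findings.append("legacy-cipher")

    if "tls-version-min" not in names:
        findings.append("no-tls-version-min")

    # Without this, any certificate the CA issued (including another client's)
    # would be accepted as the server.
    if is_client and "remote-cert-tls" not in names:
        findings.append("no-remote-cert-tls")

    # Informational: VPN clients can reach each other directly.
    if not is_client and "client-to-client" in names:
        findings.append("client-to-client")

    return findings


if __name__ == "__main__":
    for label, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF),
                        ("hardened client", HARDENED_CLIENT_CONF)):
        print(f"{label}: {lint(conf) or 'no findings'}")
```

Run it against the real files by reading /etc/openvpn/server/server.conf and the Tunnelblick .ovpn into the two strings; the codes are deliberately short so the output can be diffed before and after each configuration change.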
If you run curl and the response is the global IP of the VPN server, you are connected successfully.

```
% curl ipinfo.io/ip/
XXX.XXX.XXX.XXX
```

Try adding MTU or MSS settings on the server or client side. The tun MTU defaults to 1500.

```
mssfix XXXX
tun-mtu XXXX
```