{"id":4738,"date":"2021-06-27T15:18:21","date_gmt":"2021-06-27T06:18:21","guid":{"rendered":"https:\/\/lab4ict.com\/system\/?p=4738"},"modified":"2023-06-25T10:03:12","modified_gmt":"2023-06-25T01:03:12","slug":"ubuntu-server-20-04%e3%81%a7vpn%e3%82%b5%e3%83%bc%e3%83%90%e3%82%92%e6%a7%8b%e7%af%89%e3%81%99%e3%82%8b%ef%bc%81%ef%bc%88openvpn%ef%bc%89","status":"publish","type":"post","link":"https:\/\/lab4ict.com\/system\/archives\/4738","title":{"rendered":"Build an OpenVPN server! Ubuntu Server (20.04)"},"content":{"rendered":"<p>This article builds a VPN server on Ubuntu Server (20.04).<\/p>\n<h2>Change the settings of the server for OpenVPN!<\/h2>\n<p>This is not necessary when clients only make standalone VPN connections, but for cases such as reaching other networks connected through OpenVPN, change the settings of the OpenVPN server so that IP forwarding is enabled. To apply the setting, run the \"sysctl -p\" command or reboot the server.<\/p>\n<pre class=\"brush: plain; highlight: [1,5]; title: ; notranslate\" title=\"\">\r\n# vi \/etc\/sysctl.conf\r\n...\r\nnet.ipv4.ip_forward = 1\r\n...\r\n# sysctl -p\r\nnet.ipv4.ip_forward = 1\r\n<\/pre>\n<h2>Install OpenVPN and easy-rsa!<\/h2>\n<p>Install OpenVPN and easy-rsa.<\/p>\n<pre 
class=\"brush: plain; highlight: [1]; title: ; notranslate\" title=\"\">\r\n# apt install openvpn easy-rsa\r\n<\/pre>\n<h2>Create the directory for certificate creation!<\/h2>\n<p>Create the directory used for creating certificates.<\/p>\n<pre class=\"brush: plain; highlight: [1]; title: ; notranslate\" title=\"\">\r\n# make-cadir ~\/openvpn-certs\r\n# cd ~\/openvpn-certs\r\n# ls -l\r\ntotal 20\r\nlrwxrwxrwx 1 root root   27 Jun 27 11:06 easyrsa -&gt; \/usr\/share\/easy-rsa\/easyrsa\r\n-rw-r--r-- 1 root root 4651 Jun 27 11:06 openssl-easyrsa.cnf\r\n-rw-r--r-- 1 root root 8576 Jun 27 11:06 vars\r\nlrwxrwxrwx 1 root root   30 Jun 27 11:06 x509-types -&gt; \/usr\/share\/easy-rsa\/x509-types\r\n<\/pre>\n<h2>Initialize the directory for certificate creation!<\/h2>\n<p>Initialize the directory used for creating certificates.<\/p>\n<pre class=\"brush: plain; highlight: [1]; title: ; notranslate\" title=\"\">\r\n# .\/easyrsa init-pki\r\n\r\nNote: using Easy-RSA configuration from: .\/vars\r\n\r\ninit-pki complete; you may now create a CA or requests.\r\nYour newly created PKI dir is: \/root\/openvpn-certs\/pki\r\n<\/pre>\n<h2>Create the CA!<\/h2>\n<p>Create the CA. The CN is only used internally, so any suitable value is fine. Once the CA has been created, copy the CA certificate to the \"\/etc\/openvpn\" directory.<\/p>\n<pre class=\"brush: plain; highlight: [1,9]; title: ; notranslate\" title=\"\">\r\n# .\/easyrsa build-ca nopass\r\n...\r\nCommon Name (eg: your user, host, or 
server name) &#x5B;Easy-RSA CA]:OPENVPN CA\r\n\r\nCA creation complete and you may now import and sign cert requests.\r\nYour new CA certificate file for publishing is at:\r\n\/root\/openvpn-certs\/pki\/ca.crt\r\n\r\n# cp pki\/ca.crt \/etc\/openvpn\r\n<\/pre>\n<h2>Create the certificate for the OpenVPN server!<\/h2>\n<p>Create the certificate for the OpenVPN server. Once creation is complete, copy \"server.crt\" and \"server.key\" to the \"\/etc\/openvpn\" directory.<\/p>\n<pre class=\"brush: plain; highlight: [1,19,20]; title: ; notranslate\" title=\"\">\r\n# .\/easyrsa build-server-full server nopass\r\n\r\nNote: using Easy-RSA configuration from: .\/vars\r\nUsing SSL: openssl OpenSSL 1.1.1f  31 Mar 2020\r\nGenerating a RSA private key\r\n...............................+++++\r\n...............................................................................................................+++++\r\nwriting new private key to '\/root\/openvpn-certs\/pki\/private\/server.key.33mZwbU6B6'\r\n-----\r\nUsing configuration from \/root\/openvpn-certs\/pki\/safessl-easyrsa.cnf\r\nCheck that the request matches the signature\r\nSignature ok\r\nThe Subject's Distinguished Name is as follows\r\ncommonName            :ASN.1 12:'server'\r\nCertificate is to be certified until Jun 11 02:30:25 2024 GMT (1080 days)\r\n\r\nWrite out database with 1 new entries\r\nData Base Updated\r\n# cp pki\/issued\/server.crt \/etc\/openvpn\r\n# cp pki\/private\/server.key 
\/etc\/openvpn\r\n<\/pre>\n<h2>Create the DH parameters!<\/h2>\n<p>Create the DH parameters. Once creation is complete, copy \"dh.pem\" to the \"\/etc\/openvpn\" directory.<\/p>\n<pre class=\"brush: plain; highlight: [1,12]; title: ; notranslate\" title=\"\">\r\n# .\/easyrsa gen-dh\r\n\r\nNote: using Easy-RSA configuration from: .\/vars\r\n\r\nUsing SSL: openssl OpenSSL 1.1.1f  31 Mar 2020\r\nGenerating DH parameters, 2048 bit long safe prime, generator 2\r\nThis is going to take a long time\r\n...\r\n\r\nDH parameters of size 2048 created at \/root\/openvpn-certs\/pki\/dh.pem\r\n\r\n# cp pki\/dh.pem \/etc\/openvpn\r\n<\/pre>\n<h2>Create the CRL!<\/h2>\n<p>Create the CRL in advance.<\/p>\n<pre class=\"brush: plain; highlight: [1]; title: ; notranslate\" title=\"\">\r\n# .\/easyrsa gen-crl\r\n\r\nNote: using Easy-RSA configuration from: .\/vars\r\n\r\nUsing SSL: openssl OpenSSL 1.1.1f  31 Mar 2020\r\nUsing configuration from \/root\/openvpn-certs\/pki\/safessl-easyrsa.cnf\r\n\r\nAn updated CRL has been created.\r\nCRL file: \/root\/openvpn-certs\/pki\/crl.pem\r\n\r\n<\/pre>\n<h2>Create the OpenVPN server configuration file!<\/h2>\n<p>Create the OpenVPN server configuration file. Change the name of the DH parameters file, disable tls-auth, and enable log output to a file for troubleshooting.<\/p>\n<pre class=\"brush: plain; highlight: [1,2,3]; title: ; notranslate\" title=\"\">\r\n# cp \/usr\/share\/doc\/openvpn\/examples\/sample-config-files\/server.conf.gz \/etc\/openvpn\/\r\n# sudo gunzip 
\/etc\/openvpn\/server.conf.gz\r\n# vi \/etc\/openvpn\/server.conf\r\n...\r\ndh dh.pem\r\n...\r\n;tls-auth ta.key 0 # This file is secret\r\n...\r\nlog         \/var\/log\/openvpn\/openvpn.log\r\nlog-append  \/var\/log\/openvpn\/openvpn.log\r\n...\r\n<\/pre>\n<h2>Start the OpenVPN server!<\/h2>\n<p>Start the OpenVPN server. If it starts without problems, configure it to start at server boot as well.<\/p>\n<pre class=\"brush: plain; highlight: [1,16]; title: ; notranslate\" title=\"\">\r\n# systemctl start openvpn@server\r\n# systemctl status openvpn@server\r\n openvpn@server.service - OpenVPN connection to server\r\n     Loaded: loaded (\/lib\/systemd\/system\/openvpn@.service; disabled; vendor preset: enabled)\r\n     Active: active (running) since Sun 2021-06-27 15:09:17 JST; 2s ago\r\n       Docs: man:openvpn(8)\r\n             https:\/\/community.openvpn.net\/openvpn\/wiki\/Openvpn24ManPage\r\n             https:\/\/community.openvpn.net\/openvpn\/wiki\/HOWTO\r\n   Main PID: 12652 (openvpn)\r\n     Status: &quot;Initialization Sequence Completed&quot;\r\n      Tasks: 1 (limit: 469)\r\n     Memory: 1.0M\r\n     CGroup: \/system.slice\/system-openvpn.slice\/openvpn@server.service\r\n             \u2514\u250012652 \/usr\/sbin\/openvpn --daemon ovpn-server --status \/run\/openvpn\/server.status 10 --cd \/etc\/openvpn --&gt;\r\n...\r\n# systemctl enable openvpn@server\r\n<\/pre>\n<h2>Create the certificate for client connections!<\/h2>\n<p>Create the certificate for client connections in advance.<\/p>\n<pre class=\"brush: plain; highlight: [1]; title: ; notranslate\" title=\"\">\r\n# .\/easyrsa build-client-full client1 
nopass\r\n\r\nNote: using Easy-RSA configuration from: .\/vars\r\n\r\nUsing SSL: openssl OpenSSL 1.1.1f  31 Mar 2020\r\nGenerating a RSA private key\r\n.................+++++\r\n........+++++\r\nwriting new private key to '\/root\/openvpn-certs\/pki\/private\/client1.key.TuTcL3gKN9'\r\n-----\r\nUsing configuration from \/root\/openvpn-certs\/pki\/safessl-easyrsa.cnf\r\nCheck that the request matches the signature\r\nSignature ok\r\nThe Subject's Distinguished Name is as follows\r\ncommonName            :ASN.1 12:'client1'\r\nCertificate is to be certified until Jun 11 06:14:31 2024 GMT (1080 days)\r\n\r\nWrite out database with 1 new entries\r\nData Base Updated\r\n<\/pre>\n<h2>Conclusion<\/h2>\n<p>Setting up an OpenVPN server is a long and laborious road because of the many certificate-creation steps, but work through the configuration patiently.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This article builds a VPN server on Ubuntu Server (20.04). Change the settings of the server for OpenVPN! This is not necessary when clients only make standalone VPN connections, but for cases such as reaching other networks connected through OpenVPN\u2026<\/p>\n","protected":false},"author":1,"featured_media":642,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[138],"tags":[609,51,359,610],"class_list":["post-4738","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-openvpn","tag-openvpn","tag-ubuntu","tag-ubuntu-server","tag-vpn"],"_links":{"self":[{"href":"https:\/\/lab4ict.com\/system\/wp-json\/wp\/v2\/posts\/4738","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lab4ict.com\/system\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lab4ict.com\/system\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lab4ict.com\/system\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lab4ict.com\/system\/wp-json\/wp\/v2\/comments?post=4738"}],"version-history":[{"count":1,"href":"https:\/\/lab4ict.com\/system\/wp-json\/wp\/v2\/posts\/4738\/revisions
"}],"predecessor-version":[{"id":12595,"href":"https:\/\/lab4ict.com\/system\/wp-json\/wp\/v2\/posts\/4738\/revisions\/12595"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lab4ict.com\/system\/wp-json\/wp\/v2\/media\/642"}],"wp:attachment":[{"href":"https:\/\/lab4ict.com\/system\/wp-json\/wp\/v2\/media?parent=4738"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lab4ict.com\/system\/wp-json\/wp\/v2\/categories?post=4738"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lab4ict.com\/system\/wp-json\/wp\/v2\/tags?post=4738"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}