Overview
Set up an OpenVPN server on a Raspberry Pi 3 as a safeguard for when you have to use Wi-Fi or other untrusted networks.
The settings below are for Ubuntu Mate 15.10 on a Raspberry Pi 3.
For the Dynamic DNS setup, refer to this link.
Setup OpenVPN server
# apt-get update
# apt-get upgrade
# apt-get install openvpn openssl
# apt-get install openvpn libssl-dev openssl easy-rsa
Changing the key length
# cd /etc/openvpn/easy-rsa
# vim vars
#export EASY_RSA="`pwd`"
export EASY_RSA="/etc/openvpn/easy-rsa"
#export KEY_SIZE=1024
export KEY_SIZE=2048
# source ./vars
Generating the keys
# cd /etc/openvpn/easy-rsa
# ./clean-all
# ./build-ca
..snip..
Country Name (2 letter code) [US]:JP
State or Province Name (full name) [CA]:Tokyo
Locality Name (eg, city) [SanFrancisco]:XXX-ku
Organization Name (eg, company) [Fort-Funston]:hoge company
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:VPN
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:raspi
Name [EasyRSA]:Taro Hoge
Email Address [me@myhost.mydomain]:taro.hoge@gmail.com
# ./build-key-server raspi
..snip..
Country Name (2 letter code) [US]:JP
State or Province Name (full name) [CA]:Tokyo
Locality Name (eg, city) [SanFrancisco]:XXX-ku
Organization Name (eg, company) [Fort-Funston]:hoge company
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:VPN
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:raspi
Name [EasyRSA]:Taro Hoge
Email Address [me@myhost.mydomain]:taro.hoge@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'JP'
stateOrProvinceName :PRINTABLE:'Tokyo'
localityName :PRINTABLE:'XXX-ku'
organizationName :PRINTABLE:'hoge company'
organizationalUnitName:PRINTABLE:'VPN'
commonName :PRINTABLE:'raspi'
name :PRINTABLE:'Taro Hoge'
emailAddress :IA5STRING:'taro.hoge@gmail.com'
Certificate is to be certified until Apr XX XX:XX:XX 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# ./build-key-pass User1
..snip..
writing new private key to 'User1.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
..snip..
Country Name (2 letter code) [US]:JP
State or Province Name (full name) [CA]:Tokyo
Locality Name (eg, city) [SanFrancisco]:XXX-ku
Organization Name (eg, company) [Fort-Funston]:hoge company
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:VPN
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:raspi
Name [EasyRSA]:Taro Hoge
Email Address [me@myhost.mydomain]:taro.hoge@gmail.com
..snip..
# cd keys
# openssl rsa -in User1.key -des3 -out User1.3des.key
Enter pass phrase for User1.key:
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
# cd ..
# ./build-dh
# openvpn --genkey --secret keys/ta.key
Configuring OpenVPN
/etc/openvpn/server.conf
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/raspi.crt
key /etc/openvpn/easy-rsa/keys/raspi.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.10.XX 255.255.255.0"
push "dhcp-option DNS 192.168.10.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1 bypass-dhcp"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1
/etc/openvpn/easy-rsa/keys/default.txt
client
dev tun
proto udp
remote example.mydns.jp 1194 # the DNS name of your raspi
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20
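The server.conf and the client template above have to agree on a few things that OpenVPN will not check for you until a client fails to connect: the tls-auth key direction (server 0 pairs with client 1), the data-channel cipher, and that the server actually drops to nobody/nogroup while the client insists on a server certificate. The script below is an added example, not part of the original page; it writes two constructed sample files built from the directives shown above (server.conf and client.conf under a temp directory are assumed names) and reports how many mismatches it finds.

```shell
#!/bin/sh
# Added example (not part of the original page): check that a server.conf and the
# client template that will be turned into .ovpn files agree with each other.
# The sample files are constructed here from the directives the page uses.

# Print the value of a directive ("cipher AES-128-CBC" -> "AES-128-CBC") with any
# trailing comment stripped; prints nothing if the directive is absent.
conf_value() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]+([^#]*[^#[:space:]]).*/\1/p" "$1" | head -n 1
}

# Succeed if a directive is present, with or without a value.
has_directive() {
    grep -qE "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# Report mismatches on stderr and print the number of findings (0 = consistent).
check_pair() {
    server=$1; client=$2; n=0
    # tls-auth uses opposite key directions on the two ends: server 0 pairs with client 1.
    case "$(conf_value "$server" tls-auth)" in
        *' 0') [ "$(conf_value "$client" key-direction)" = 1 ] ||
                   { echo "FINDING: server tls-auth direction 0 needs client key-direction 1" >&2; n=$((n + 1)); } ;;
        *' 1') [ "$(conf_value "$client" key-direction)" = 0 ] ||
                   { echo "FINDING: server tls-auth direction 1 needs client key-direction 0" >&2; n=$((n + 1)); } ;;
        *)     echo "FINDING: server has no tls-auth, control channel is not HMAC-protected" >&2; n=$((n + 1)) ;;
    esac
    # Both ends must name the same data-channel cipher.
    [ "$(conf_value "$server" cipher)" = "$(conf_value "$client" cipher)" ] ||
        { echo "FINDING: cipher differs between server and client" >&2; n=$((n + 1)); }
    # The server should drop root after start-up.
    has_directive "$server" user && has_directive "$server" group ||
        { echo "FINDING: server does not drop privileges (user/group)" >&2; n=$((n + 1)); }
    # The client should insist that the peer certificate is a server certificate.
    has_directive "$client" ns-cert-type || has_directive "$client" remote-cert-tls ||
        { echo "FINDING: client does not check the server certificate role" >&2; n=$((n + 1)); }
    echo "$n"
}

# Constructed samples (only the directives the check looks at).
tmp=$(mktemp -d)
cat > "$tmp/server.conf" <<'EOF'
dev tun
proto udp
port 1194
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
user nobody
group nogroup
EOF
cat > "$tmp/client.conf" <<'EOF'
client
dev tun
proto udp
remote example.mydns.jp 1194 # the DNS name of your raspi
ns-cert-type server
key-direction 1
cipher AES-128-CBC
EOF
# Weakened copy: wrong key direction and a different cipher.
sed -e 's/^key-direction 1/key-direction 0/; s/^cipher .*/cipher AES-256-CBC/' \
    "$tmp/client.conf" > "$tmp/weak-client.conf"

good=$(check_pair "$tmp/server.conf" "$tmp/client.conf")
bad=$(check_pair "$tmp/server.conf" "$tmp/weak-client.conf")
echo "page configs: $good finding(s); weakened client: $bad finding(s)"
```

Run it as-is to see the two sample results; to check a real deployment, point check_pair at /etc/openvpn/server.conf and /etc/openvpn/easy-rsa/keys/default.txt instead of the constructed files.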
Configuring the network
# ufw allow 1194
Don't forget to open the port on your router as well.
- 192.168.10.xx is the local IP address of the Raspberry Pi 3
- enxb827eb602cea is the name of the Pi's network interface; check yours with
$ ifconfig
and use that name.
/etc/ufw/before.rules
# rules for NAT Table of iptables
# required line for ufw
*nat
:POSTROUTING ACCEPT [0:0]
# Forward traffic from OpenVPN out through the Pi's LAN interface (enxb827eb602cea here, not eth0).
-A POSTROUTING -s 10.8.0.0/24 -o enxb827eb602cea -j MASQUERADE
COMMIT
..snip..
-A ufw-before-input -i tun+ -j ACCEPT
# Output rules match on the outgoing interface (-o); -i never matches locally generated packets.
-A ufw-before-output -o tun+ -j ACCEPT
-A ufw-before-forward -s 10.8.0.0/24 -j ACCEPT
-A ufw-before-forward -d 10.8.0.0/24 -j ACCEPT
COMMIT
/etc/ufw/sysctl.conf
# Uncomment this to allow this host to route packets between interfaces
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1
That should be sufficient, but if it doesn't work, also do the following.
/etc/sysctl.conf
#net.ipv4.ip_forward=1
net.ipv4.ip_forward=1
# sysctl -p
/etc/rc.local
# Accept VPN handshakes arriving on the LAN interface (this belongs in the filter table; ACCEPT in the nat table filters nothing)
iptables -A INPUT -i enxb827eb602cea -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enxb827eb602cea -j SNAT --to-source 192.168.10.xx
Starting OpenVPN
# service openvpn start
# update-rc.d openvpn defaults
Generating the .ovpn file
OpenVPN clients such as the Android one are much easier to set up from a single .ovpn file,
so here is how to generate one.
/etc/openvpn/easy-rsa/keys/MakeOVPN.sh
#!/bin/bash
# Default Variable Declarations
DEFAULT="default.txt"   # the client template created above (file names are case-sensitive)
FILEEXT=".ovpn"
CRT=".crt"
KEY=".3des.key"
CA="ca.crt"
TA="ta.key"
#Ask for a Client name
echo "Please enter an existing Client Name:"
read NAME
#1st Verify that client's Public Key Exists
if [ ! -f "$NAME$CRT" ]; then
    echo "[ERROR]: Client Public Key Certificate not found: $NAME$CRT"
    exit 1
fi
echo "Client's cert found: $NAME$CRT"
#Then, verify that there is a private key for that client
if [ ! -f "$NAME$KEY" ]; then
    echo "[ERROR]: Client 3des Private Key not found: $NAME$KEY"
    exit 1
fi
echo "Client's Private Key found: $NAME$KEY"
#Confirm the CA public key exists
if [ ! -f "$CA" ]; then
    echo "[ERROR]: CA Public Key not found: $CA"
    exit 1
fi
echo "CA public Key found: $CA"
#Confirm the tls-auth ta key file exists
if [ ! -f "$TA" ]; then
    echo "[ERROR]: tls-auth Key not found: $TA"
    exit 1
fi
echo "tls-auth Private Key found: $TA"
#Ready to make a new .ovpn file - Start by populating with the default file
cat "$DEFAULT" > "$NAME$FILEEXT"
#Now, append the CA Public Cert
echo "<ca>" >> "$NAME$FILEEXT"
cat "$CA" >> "$NAME$FILEEXT"
echo "</ca>" >> "$NAME$FILEEXT"
#Next append the client Public Cert (only the PEM block, not the text dump easy-rsa writes above it)
echo "<cert>" >> "$NAME$FILEEXT"
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$NAME$CRT" >> "$NAME$FILEEXT"
echo "</cert>" >> "$NAME$FILEEXT"
#Then, append the client Private Key (the 3DES-encrypted copy made above)
echo "<key>" >> "$NAME$FILEEXT"
cat "$NAME$KEY" >> "$NAME$FILEEXT"
echo "</key>" >> "$NAME$FILEEXT"
#Finally, append the TA Private Key
echo "<tls-auth>" >> "$NAME$FILEEXT"
cat "$TA" >> "$NAME$FILEEXT"
echo "</tls-auth>" >> "$NAME$FILEEXT"
echo "Done! $NAME$FILEEXT Successfully Created."
# chmod 700 MakeOVPN.sh
# ./MakeOVPN.sh
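The .ovpn file produced this way carries the client's private key, so it is worth checking before it is copied to a phone: every inline block should be present exactly once with proper PEM markers, the key block should be the passphrase-protected 3DES copy rather than the plain User1.key, and key-direction must be set or the inline tls-auth half is unusable. The script below is an added example, not part of the page or of MakeOVPN.sh; it builds a constructed User1.ovpn with placeholder PEM bodies (no real keys) plus a weakened copy, and counts the problems it finds in each.

```shell
#!/bin/sh
# Added example (not part of the original page or the MakeOVPN.sh script):
# sanity-check a generated .ovpn profile before handing it to a phone.
# The profile and PEM contents below are constructed placeholders, not real keys.

# Print the lines between <tag> and </tag> in a profile.
ovpn_block() {
    awk -v tag="$2" '$0 == "<" tag ">"  { inb = 1; next }
                     $0 == "</" tag ">" { inb = 0 }
                     inb' "$1"
}

# Count occurrences of an exact line.
count_line() {
    awk -v t="$2" '$0 == t { c++ } END { print c + 0 }' "$1"
}

# Report problems on stderr and print the number of findings (0 = profile looks sane).
check_ovpn() {
    f=$1; n=0
    for tag in ca cert key tls-auth; do
        if [ "$(count_line "$f" "<$tag>")" != 1 ] || [ "$(count_line "$f" "</$tag>")" != 1 ]; then
            echo "FINDING: <$tag> block missing or duplicated" >&2; n=$((n + 1)); continue
        fi
        body=$(ovpn_block "$f" "$tag")
        if ! printf '%s\n' "$body" | grep -q -- '-----BEGIN' ||
           ! printf '%s\n' "$body" | grep -q -- '-----END'; then
            echo "FINDING: <$tag> block has no PEM BEGIN/END markers" >&2; n=$((n + 1))
        fi
    done
    # The page embeds the 3DES-encrypted key; an unencrypted key means a lost
    # device gives up the VPN credential without a passphrase.
    if ! ovpn_block "$f" key | grep -q '^Proc-Type: 4,ENCRYPTED'; then
        echo "FINDING: <key> is not passphrase-protected" >&2; n=$((n + 1))
    fi
    # An inline <tls-auth> block needs key-direction so the client uses its half of ta.key.
    if ! grep -q '^key-direction' "$f"; then
        echo "FINDING: key-direction missing (needed with inline <tls-auth>)" >&2; n=$((n + 1))
    fi
    echo "$n"
}

# Constructed profile in the shape MakeOVPN.sh produces (placeholder bodies).
tmp=$(mktemp -d)
cat > "$tmp/User1.ovpn" <<'EOF'
client
dev tun
proto udp
remote example.mydns.jp 1194
ns-cert-type server
key-direction 1
cipher AES-128-CBC
<ca>
-----BEGIN CERTIFICATE-----
placeholder-ca-body
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
placeholder-client-cert-body
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0011223344556677

placeholder-encrypted-key-body
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
placeholder-ta-body
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
# Weakened copy: key stored unencrypted and no key-direction line.
sed -e '/^Proc-Type/d; /^DEK-Info/d; /^key-direction/d' "$tmp/User1.ovpn" > "$tmp/weak.ovpn"

good=$(check_ovpn "$tmp/User1.ovpn")
bad=$(check_ovpn "$tmp/weak.ovpn")
echo "User1.ovpn: $good finding(s); weakened copy: $bad finding(s)"
```

Against a real profile, run check_ovpn on the file MakeOVPN.sh wrote in /etc/openvpn/easy-rsa/keys; anything other than 0 means the profile should be regenerated rather than distributed.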