Setting up an OpenVPN server on a Raspberry Pi 3

Overview

We set up an OpenVPN server on a Raspberry Pi 3 as a countermeasure for when we have to use Wi-Fi on untrusted networks.

The following are the settings used on Ubuntu Mate 15.10 on a Raspberry Pi 3.

For the Dynamic DNS setup, see here.

Setup OpenVPN server

# apt-get update
# apt-get upgrade
# apt-get install openvpn openssl
# apt-get install openvpn libssl-dev openssl easy-rsa

Changing the key length

# cd /etc/openvpn/easy-rsa
# vim vars
#export EASY_RSA="`pwd`"
export EASY_RSA="/etc/openvpn/easy-rsa"
#export KEY_SIZE=1024
export KEY_SIZE=2048
# source ./vars  

Generating the keys

# cd /etc/openvpn/easy-rsa
# ./clean-all
# ./build-ca
..snip..
Country Name (2 letter code) [US]:JP
State or Province Name (full name) [CA]:Tokyo
Locality Name (eg, city) [SanFrancisco]:XXX-ku
Organization Name (eg, company) [Fort-Funston]:hoge company
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:VPN
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:raspi
Name [EasyRSA]:Taro Hoge
Email Address [me@myhost.mydomain]:taro.hoge@gmail.com
# ./build-key-server raspi
..snip..
Country Name (2 letter code) [US]:JP
State or Province Name (full name) [CA]:Tokyo
Locality Name (eg, city) [SanFrancisco]:XXX-ku
Organization Name (eg, company) [Fort-Funston]:hoge company
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:VPN
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:raspi
Name [EasyRSA]:Taro Hoge
Email Address [me@myhost.mydomain]:taro.hoge@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Tokyo'
localityName          :PRINTABLE:'XXX-ku'
organizationName      :PRINTABLE:'hoge company'
organizationalUnitName:PRINTABLE:'VPN'
commonName            :PRINTABLE:'raspi'
name                  :PRINTABLE:'Taro Hoge'
emailAddress          :IA5STRING:'taro.hoge@gmail.com'
Certificate is to be certified until Apr  XX XX:XX:XX 2026 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# ./build-key-pass User1
..snip..
writing new private key to 'User1.key'
Enter PEM pass phrase: 
Verifying - Enter PEM pass phrase: 
..snip..
Country Name (2 letter code) [US]:JP
State or Province Name (full name) [CA]:Tokyo
Locality Name (eg, city) [SanFrancisco]:XXX-ku
Organization Name (eg, company) [Fort-Funston]:hoge company
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:VPN
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:raspi
Name [EasyRSA]:Taro Hoge
Email Address [me@myhost.mydomain]:taro.hoge@gmail.com
..snip..
# cd keys
# openssl rsa -in User1.key -des3 -out User1.3des.key
Enter pass phrase for User1.key: 
writing RSA key
Enter PEM pass phrase: 
Verifying - Enter PEM pass phrase: 
# cd ..
/etc/openvpn/easy-rsa# ./build-dh
# openvpn --genkey --secret keys/ta.key

OpenVPN configuration

/etc/openvpn/server.conf
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/raspi.crt
key /etc/openvpn/easy-rsa/keys/raspi.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.10.XX 255.255.255.0"
push "dhcp-option DNS 192.168.10.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1 bypass-dhcp"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1
/etc/openvpn/easy-rsa/keys/default.txt
client
dev tun
proto udp
remote example.mydns.jp 1194 # replace with your Raspberry Pi's dynamic DNS name
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20

Network configuration

# ufw allow 1194

Don't forget to open the port on your router as well.

  • 192.168.10.xx is the Raspberry Pi 3's local IP address
  • enxb827eb602cea is the name of the LAN interface; check yours with $ ifconfig and substitute it.
/etc/ufw/before.rules
# rules for NAT Table of iptables
# required line for ufw
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic from OpenVPN out through the LAN interface (enxb827eb602cea here).
-A POSTROUTING -s 10.8.0.0/24 -o enxb827eb602cea -j MASQUERADE

COMMIT

..snip..

-A ufw-before-input -i tun+ -j ACCEPT
-A ufw-before-output -o tun+ -j ACCEPT
-A ufw-before-forward -s 10.8.0.0/24 -j ACCEPT
-A ufw-before-forward -d 10.8.0.0/24 -j ACCEPT

COMMIT
/etc/ufw/sysctl.conf
# Uncomment this to allow this host to route packets between interfaces
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1

That should be enough, but if it does not work, also do the following.

/etc/sysctl.conf
#net.ipv4.ip_forward=1
net.ipv4.ip_forward=1

# sysctl -p
/etc/rc.local
iptables -t nat -A INPUT -i enxb827eb602cea -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enxb827eb602cea -j SNAT --to-source 192.168.10.xx

Starting OpenVPN

# service openvpn start
# update-rc.d openvpn defaults

Generating the .ovpn file

OpenVPN clients such as the Android one are much easier to use with an .ovpn profile, so here is how to generate one.

/etc/openvpn/easy-rsa/keys/MakeOVPN.sh
#!/bin/bash

# Default Variable Declarations
DEFAULT="default.txt"  # the client template created above (file names are case-sensitive)
FILEEXT=".ovpn"
CRT=".crt"
KEY=".3des.key"        # the passphrase-protected key produced with openssl rsa -des3
CA="ca.crt"
TA="ta.key"
# NOTE: the resulting .ovpn contains the client's private key and ta.key; keep it readable by the owner only.

# Ask for a Client name
echo "Please enter an existing Client Name:"
read NAME

# 1st Verify that client's Public Key Exists
if [ ! -f "$NAME$CRT" ]; then
  echo "[ERROR]: Client Public Key Certificate not found: $NAME$CRT"
  exit 1
fi
echo "Client's cert found: $NAME$CRT"

# Then, verify that there is a private key for that client
if [ ! -f "$NAME$KEY" ]; then
  echo "[ERROR]: Client 3des Private Key not found: $NAME$KEY"
  exit 1
fi
echo "Client's Private Key found: $NAME$KEY"

# Confirm the CA public key exists
if [ ! -f "$CA" ]; then
  echo "[ERROR]: CA Public Key not found: $CA"
  exit 1
fi
echo "CA public Key found: $CA"

# Confirm the tls-auth ta key file exists
if [ ! -f "$TA" ]; then
  echo "[ERROR]: tls-auth Key not found: $TA"
  exit 1
fi
echo "tls-auth Private Key found: $TA"

# Ready to make a new .ovpn file - Start by populating with the default file
cat "$DEFAULT" > "$NAME$FILEEXT"

# Now, append the CA Public Cert
echo "<ca>" >> "$NAME$FILEEXT"
cat "$CA" >> "$NAME$FILEEXT"
echo "</ca>" >> "$NAME$FILEEXT"

# Next append the client Public Cert (only the PEM block: easy-rsa writes a
# human-readable dump of the certificate above it, which is not needed in the profile)
echo "<cert>" >> "$NAME$FILEEXT"
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$NAME$CRT" >> "$NAME$FILEEXT"
echo "</cert>" >> "$NAME$FILEEXT"

# Then, append the client Private Key
echo "<key>" >> "$NAME$FILEEXT"
cat "$NAME$KEY" >> "$NAME$FILEEXT"
echo "</key>" >> "$NAME$FILEEXT"

# Finally, append the TA Private Key (key-direction 1 in default.txt selects the client side)
echo "<tls-auth>" >> "$NAME$FILEEXT"
cat "$TA" >> "$NAME$FILEEXT"
echo "</tls-auth>" >> "$NAME$FILEEXT"

echo "Done! $NAME$FILEEXT Successfully Created."
# chmod 700 MakeOVPN.sh
# ./MakeOVPN.sh
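A sanity check to run on the generated profile before copying it to a phone, written for this post as an added example (it is not part of the original script): it verifies that every inline section MakeOVPN.sh appends is opened and closed exactly once, that key-direction 1 from default.txt is present so the tls-auth HMAC matches the server's ta.key 0, that the embedded key is the passphrase-protected .3des.key rather than the plain one, and that remote no longer points at the placeholder example.mydns.jp. The sample profile written by write_sample is constructed for the self-test only and contains no real key or certificate.

```shell
#!/bin/sh
# check_ovpn.sh: sanity-check an inline .ovpn made by MakeOVPN.sh before handing it to a client.
# Added example, not part of the original post.  Usage: sh check_ovpn.sh User1.ovpn
# (no argument: self-test on the constructed sample written by write_sample)

# check_ovpn FILE: prints one FAIL line per problem; returns 0 only if every check passes
check_ovpn() {
    f="$1"; rc=0
    [ -f "$f" ] || { echo "FAIL: $f not found"; return 1; }
    # 1. every inline section must be opened and closed exactly once
    for tag in ca cert key tls-auth; do
        n=$(grep -c -E "^</?$tag>\$" "$f" || true)
        [ "$n" -eq 2 ] || { echo "FAIL: <$tag> open/close lines found: $n (want 2)"; rc=1; }
    done
    # 2. the client side of tls-auth needs key-direction 1 (server.conf uses ta.key 0)
    grep -q -E '^key-direction 1$' "$f" \
        || { echo "FAIL: key-direction 1 missing; tls-auth HMAC will not verify"; rc=1; }
    # 3. the embedded key must be the passphrase-protected .3des.key, not the plain .key
    grep -q -E '^Proc-Type: 4,ENCRYPTED$' "$f" \
        || { echo "FAIL: embedded private key is not passphrase-protected"; rc=1; }
    # 4. remote must have been changed from the placeholder in default.txt
    ! grep -q -E '^remote example\.mydns\.jp ' "$f" \
        || { echo "FAIL: remote still points at the placeholder example.mydns.jp"; rc=1; }
    return "$rc"
}

# write_sample FILE: constructed minimal profile (no real key or certificate) for the self-test
write_sample() {
    cat > "$1" <<'EOF'
client
remote vpn.example.invalid 1194
key-direction 1
<ca>
CONSTRUCTED
</ca>
<cert>
CONSTRUCTED
</cert>
<key>
Proc-Type: 4,ENCRYPTED
CONSTRUCTED
</key>
<tls-auth>
CONSTRUCTED
</tls-auth>
EOF
}
# With a file argument check that file; with none, self-test on the constructed sample
if [ "$#" -eq 1 ]; then target="$1"; else target=$(mktemp); write_sample "$target"; fi
check_ovpn "$target" && echo "OK: $target passed all checks"
```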