mae3xx_tips:setup_openvpn:setup_client:start [2014/09/10 10:15] admin created
mae3xx_tips:setup_openvpn:setup_client:start [2019/02/25 16:34] admin
ライン 1: | ライン 1: | ||
+ | ====== クライアント側の設定 ====== | ||
+ | |||
+ | ===== 鍵ファイル類のコピー ===== | ||
+ | |||
+ | [[mae3xx_tips:setup_openvpn:setup_server:start|]] で生成した、ca.crt およびクライアント用の **client**.crt, **client**.key ファイルをセキュアな手段で MA-E3xx に持ってきます。 | ||
+ | |||
+ | |<20em 6em 10em >| | ||
+ | ^ File ^ 内容 | | ||
+ | |ca.crt|ルートCAの証明書| | ||
+ | |client.crt|クライアントの証明書| | ||
+ | |client.key|クライアントの秘密鍵| | ||
+ | |||
+ | \\ | ||
+ | |||
+ | 上記ファイルは ''/etc/openvpn/keys/'' 以下に配置します。 | ||
+ | |||
+ | <code> | ||
+ | root@plum:~# ls -l /etc/openvpn/keys/ | ||
+ | total 16 | ||
+ | -rw-r--r-- 1 root root 1814 Feb 25 15:58 ca.crt | ||
+ | -rw-r--r-- 1 root root 5600 Feb 25 15:59 mae3xx_1.crt | ||
+ | -rw------- 1 root root 1704 Feb 25 15:59 mae3xx_1.key | ||
+ | </code> | ||
+ | |||
+ | \\ | ||
+ | |||
+ | ===== 設定ファイルの作成 ===== | ||
+ | |||
+ | OpenVPN クライアント用の設定ファイルを作成します。 | ||
+ | |||
+ | <file config client.conf> | ||
+ | ############################################## | ||
+ | # Sample client-side OpenVPN 2.0 config file # | ||
+ | # for connecting to multi-client server. # | ||
+ | # # | ||
+ | # This configuration can be used by multiple # | ||
+ | # clients, however each client should have # | ||
+ | # its own cert and key files. # | ||
+ | # # | ||
+ | # On Windows, you might want to rename this # | ||
+ | # file so it has a .ovpn extension # | ||
+ | ############################################## | ||
+ | # Specify that we are a client and that we | ||
+ | # will be pulling certain config file directives | ||
+ | # from the server. | ||
+ | client | ||
+ | |||
+ | # Use the same setting as you are using on | ||
+ | # the server. | ||
+ | # On most systems, the VPN will not function | ||
+ | # unless you partially or fully disable | ||
+ | # the firewall for the TUN/TAP interface. | ||
+ | ;dev tap | ||
+ | dev tun | ||
+ | |||
+ | # Windows needs the TAP-Win32 adapter name | ||
+ | # from the Network Connections panel | ||
+ | # if you have more than one. On XP SP2, | ||
+ | # you may need to disable the firewall | ||
+ | # for the TAP adapter. | ||
+ | ;dev-node MyTap | ||
+ | |||
+ | # Are we connecting to a TCP or | ||
+ | # UDP server? Use the same setting as | ||
+ | # on the server. | ||
+ | ;proto tcp | ||
+ | proto udp | ||
+ | |||
+ | # The hostname/IP and port of the server. | ||
+ | # You can have multiple remote entries | ||
+ | # to load balance between the servers. | ||
+ | remote openvpn-server.example.jp 1194 | ||
+ | |||
+ | # Choose a random host from the remote | ||
+ | # list for load-balancing. Otherwise | ||
+ | # try hosts in the order specified. | ||
+ | ;remote-random | ||
+ | |||
+ | # Keep trying indefinitely to resolve the | ||
+ | # host name of the OpenVPN server. Very useful | ||
+ | # on machines which are not permanently connected | ||
+ | # to the internet such as laptops. | ||
+ | resolv-retry infinite | ||
+ | |||
+ | # Most clients don't need to bind to | ||
+ | # a specific local port number. | ||
+ | nobind | ||
+ | |||
+ | # Downgrade privileges after initialization (non-Windows only) | ||
+ | ;user nobody | ||
+ | ;group nobody | ||
+ | |||
+ | # Try to preserve some state across restarts. | ||
+ | persist-key | ||
+ | persist-tun | ||
+ | |||
+ | # If you are connecting through an | ||
+ | # HTTP proxy to reach the actual OpenVPN | ||
+ | # server, put the proxy server/IP and | ||
+ | # port number here. See the man page | ||
+ | # if your proxy server requires | ||
+ | # authentication. | ||
+ | ;http-proxy-retry # retry on connection failures | ||
+ | ;http-proxy [proxy server] [proxy port #] | ||
+ | |||
+ | # Wireless networks often produce a lot | ||
+ | # of duplicate packets. Set this flag | ||
+ | # to silence duplicate packet warnings. | ||
+ | ;mute-replay-warnings | ||
+ | |||
+ | # SSL/TLS parms. | ||
+ | # See the server config file for more | ||
+ | # description. It's best to use | ||
+ | # a separate .crt/.key file pair | ||
+ | # for each client. A single ca | ||
+ | # file can be used for all clients. | ||
+ | ca /etc/openvpn/keys/ca.crt | ||
+ | cert /etc/openvpn/keys/mae3xx_1.crt | ||
+ | key /etc/openvpn/keys/mae3xx_1.key | ||
+ | |||
+ | # Verify server certificate by checking | ||
+ | # that the certicate has the nsCertType | ||
+ | # field set to "server". This is an | ||
+ | # important precaution to protect against | ||
+ | # a potential attack discussed here: | ||
+ | # http://openvpn.net/howto.html#mitm | ||
+ | # | ||
+ | # To use this feature, you will need to generate | ||
+ | # your server certificates with the nsCertType | ||
+ | # field set to "server". The build-key-server | ||
+ | # script in the easy-rsa folder will do this. | ||
+ | ;ns-cert-type server | ||
+ | |||
+ | # If a tls-auth key is used on the server | ||
+ | # then every client must also have the key. | ||
+ | ;tls-auth ta.key 1 | ||
+ | |||
+ | # Select a cryptographic cipher. | ||
+ | # If the cipher option is used on the server | ||
+ | # then you must also specify it here. | ||
+ | ;cipher x | ||
+ | |||
+ | # Enable compression on the VPN link. | ||
+ | # Don't enable this unless it is also | ||
+ | # enabled in the server config file. | ||
+ | comp-lzo | ||
+ | |||
+ | # Set log file verbosity. | ||
+ | verb 3 | ||
+ | |||
+ | # Silence repeating messages | ||
+ | ;mute 20 | ||
+ | |||
+ | fragment 1426 | ||
+ | mssfix | ||
+ | </file> | ||
+ | |||
+ | ※ **remote openvpn-server.example.jp 1194** の行は、立ち上げたサーバのアドレスおよびポート番号に変更する必要があります。 | ||
+ | |||
+ | \\ | ||
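Review bot: the key file names are inconsistent within this hunk: the introduction and the table tell the reader to copy client.crt and client.key, but the ls listing and the `cert` / `key` directives use mae3xx_1.crt and mae3xx_1.key; use one name throughout, or say explicitly that the client name is a placeholder chosen on the server side. The config also leaves `;ns-cert-type server` commented out even though the comment right above it calls this an important precaution against the MITM case linked at http://openvpn.net/howto.html#mitm; enable server certificate verification (on newer OpenVPN releases the directive is `remote-cert-tls server`, since ns-cert-type has been removed). Finally, `;user nobody` and `;group nobody` are left disabled although `persist-key` and `persist-tun` are already set, which is what makes the privilege drop survive restarts on a Linux host such as the MA-E3xx; consider enabling both so the client does not keep running as root after initialization.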