mae3xx_tips:setup_openvpn:setup_client:start [2019/02/25 16:34] admin
mae3xx_tips:setup_openvpn:setup_client:start [2019/02/25 16:46] (current) admin
ライン 1: | ライン 1: | ||
- | ====== クライアント側の設定 ====== | + | ====== クライアント側の作業 ====== |
- | ===== 鍵ファイル類のコピー ===== | + | ===== 設定 ===== |
+ | |||
+ | ==== 鍵ファイル類のコピー ==== | ||
[[mae3xx_tips:setup_openvpn:setup_server:start|]] で生成した、ca.crt およびクライアント用の **client**.crt, **client**.key ファイルをセキュアな手段で MA-E3xx に持ってきます。 | [[mae3xx_tips:setup_openvpn:setup_server:start|]] で生成した、ca.crt およびクライアント用の **client**.crt, **client**.key ファイルをセキュアな手段で MA-E3xx に持ってきます。 | ||
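Review bot: the key-copy step at the end of this hunk names client.key but says nothing about protecting it once it is on the MA-E3xx; since that file is the client's private key, the step should state that it must be owned by and readable only by root (for example `chmod 600`) and not left in a world-readable directory, alongside the existing advice to transfer it over a secure channel.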
ライン 25: | ライン 27: | ||
\\ | \\ | ||
- | ===== 設定ファイルの作成 ===== | + | ==== 設定ファイルの作成 ==== |
OpenVPN クライアント用の設定ファイルを作成します。 | OpenVPN クライアント用の設定ファイルを作成します。 | ||
ライン 159: | ライン 161: | ||
\\ | \\ | ||
+ | |||
+ | ===== 起動 ===== | ||
+ | |||
+ | 設定変更を systemd に通知するため、"systemctl daemon-reload" を行ってから起動します。 | ||
+ | |||
+ | <code> | ||
+ | root@plum:~# systemctl daemon-reload | ||
+ | root@plum:~# systemctl start openvpn | ||
+ | </code> | ||
+ | |||
+ | \\ | ||
+ | |||
+ | 設定がきちんとできていれば、tun0 I/F が up して通信ができるようになります。 | ||
+ | |||
+ | <code> | ||
+ | root@plum:~# ifconfig tun0 | ||
+ | tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500 | ||
+ | inet 10.8.0.6 netmask 255.255.255.255 destination 10.8.0.5 | ||
+ | inet6 fe80::7031:7640:14c0:272 prefixlen 64 scopeid 0x20<link> | ||
+ | unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC) | ||
+ | RX packets 0 bytes 0 (0.0 B) | ||
+ | RX errors 0 dropped 0 overruns 0 frame 0 | ||
+ | TX packets 4 bytes 304 (304.0 B) | ||
+ | TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 | ||
+ | </code> | ||
+ | |||
+ | \\ | ||
+ | |||
+ | syslog には下記のように出力されます。 | ||
+ | |||
+ | <code> | ||
+ | Feb 25 16:36:42 plum systemd[1]: Starting OpenVPN service... | ||
+ | Feb 25 16:36:42 plum systemd[1]: Started OpenVPN service. | ||
+ | Feb 25 16:36:42 plum ovpn-client[1328]: OpenVPN 2.4.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 5 2018 | ||
+ | Feb 25 16:36:42 plum ovpn-client[1328]: library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.08 | ||
+ | Feb 25 16:36:42 plum systemd[1]: Started OpenVPN connection to client. | ||
+ | Feb 25 16:36:42 plum ovpn-client[1328]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. | ||
+ | Feb 25 16:36:42 plum ovpn-client[1328]: TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194 | ||
+ | Feb 25 16:36:42 plum ovpn-client[1328]: Socket Buffers: R=[163840->163840] S=[163840->163840] | ||
+ | Feb 25 16:36:42 plum ovpn-client[1328]: UDP link local: (not bound) | ||
+ | Feb 25 16:36:42 plum ovpn-client[1328]: UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:1194 | ||
+ | Feb 25 16:36:44 plum ovpn-client[1328]: TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=3dac9839 d72b77f5 | ||
+ | Feb 25 16:36:44 plum ovpn-client[1328]: VERIFY OK: depth=1, C=JP, ST=Tokyo, L=Musashino-shi, O=Century Systems, OU=SW4, CN=Century Systems CA, name=EasyRSA, emailAddress=kikuchi@centurysys.co.jp | ||
+ | Feb 25 16:36:44 plum ovpn-client[1328]: VERIFY OK: depth=0, C=JP, ST=Tokyo, L=Musashino-shi, O=Century Systems, OU=SW4, CN=server, name=EasyRSA, emailAddress=kikuchi@centurysys.co.jp | ||
+ | Feb 25 16:36:44 plum ovpn-client[1328]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1546', remote='link-mtu 1562' | ||
+ | Feb 25 16:36:44 plum ovpn-client[1328]: WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC' | ||
+ | Feb 25 16:36:44 plum ovpn-client[1328]: WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256' | ||
+ | Feb 25 16:36:44 plum ovpn-client[1328]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA | ||
+ | Feb 25 16:36:44 plum ovpn-client[1328]: [server] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:1194 | ||
+ | Feb 25 16:36:46 plum ovpn-client[1328]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1) | ||
+ | Feb 25 16:36:46 plum ovpn-client[1328]: PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' | ||
+ | Feb 25 16:36:46 plum ovpn-client[1328]: OPTIONS IMPORT: timers and/or timeouts modified | ||
+ | Feb 25 16:36:46 plum ovpn-client[1328]: OPTIONS IMPORT: --ifconfig/up options modified | ||
+ | Feb 25 16:36:46 plum ovpn-client[1328]: OPTIONS IMPORT: route options modified | ||
+ | Feb 25 16:36:46 plum ovpn-client[1328]: OPTIONS IMPORT: peer-id set | ||
+ | Feb 25 16:36:46 plum ovpn-client[1328]: OPTIONS IMPORT: adjusting link_mtu to 1629 | ||
+ | Feb 25 16:36:46 plum ovpn-client[1328]: OPTIONS IMPORT: data channel crypto options modified | ||
+ | Feb 25 16:36:46 plum ovpn-client[1328]: Data Channel: using negotiated cipher 'AES-256-GCM' | ||
+ | Feb 25 16:36:46 plum ovpn-client[1328]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key | ||
+ | Feb 25 16:36:46 plum ovpn-client[1328]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key | ||
+ | Feb 25 16:36:46 plum systemd-udevd[1330]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable. | ||
+ | Feb 25 16:36:46 plum ovpn-client[1328]: ROUTE_GATEWAY ON_LINK IFACE=ppp0 HWADDR=00:00:00:00:00:00 | ||
+ | Feb 25 16:36:46 plum ovpn-client[1328]: TUN/TAP device tun0 opened | ||
+ | Feb 25 16:36:46 plum ovpn-client[1328]: TUN/TAP TX queue length set to 100 | ||
+ | Feb 25 16:36:46 plum ovpn-client[1328]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0 | ||
+ | Feb 25 16:36:46 plum ovpn-client[1328]: /sbin/ip link set dev tun0 up mtu 1500 | ||
+ | Feb 25 16:36:46 plum ovpn-client[1328]: /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5 | ||
+ | Feb 25 16:36:46 plum ovpn-client[1328]: /sbin/ip route add 10.8.0.1/32 via 10.8.0.5 | ||
+ | Feb 25 16:36:46 plum ovpn-client[1328]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this | ||
+ | Feb 25 16:36:46 plum ovpn-client[1328]: Initialization Sequence Completed | ||
+ | </code> | ||
+ | |||
+ | \\ | ||
+ | |||
+ | ===== 確認 ===== | ||
+ | |||
+ | ping で確認してみます。 | ||
+ | |||
+ | <code> | ||
+ | root@plum:~# ping -c 5 10.8.0.1 | ||
+ | PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data. | ||
+ | 64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=481 ms | ||
+ | 64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=501 ms | ||
+ | 64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=480 ms | ||
+ | 64 bytes from 10.8.0.1: icmp_seq=4 ttl=64 time=499 ms | ||
+ | 64 bytes from 10.8.0.1: icmp_seq=5 ttl=64 time=530 ms | ||
+ | |||
+ | --- 10.8.0.1 ping statistics --- | ||
+ | 5 packets transmitted, 5 received, 0% packet loss, time 4001ms | ||
+ | rtt min/avg/max/mdev = 480.386/498.706/530.023/18.034 ms | ||
+ | </code> | ||
+ | |||
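Review bot: the syslog excerpt in this hunk is presented as a successful start, but the line `WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.` means the client configuration written in the previous section does not check that the peer is actually a server certificate, so a client certificate signed by the same CA could be accepted in the server's place; the configuration section should add `remote-cert-tls server` (or the text should explain why it is omitted) so that this warning disappears from the log. Two further lines deserve a sentence in the text rather than being left as noise: `WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'` shows that the client leaves `cipher` at its BF-CBC default and only ends up on AES-256-GCM because the server pushed it during negotiation (`Data Channel: using negotiated cipher 'AES-256-GCM'`), so setting the cipher explicitly in the client config would avoid a Blowfish fallback if negotiation is unavailable; and the `use the auth-nocache option` warning is the log's own recommendation and should either be adopted in the config or addressed in the text. Finally, the startup block runs `systemctl start openvpn` only; if the tunnel is meant to come back after a reboot, `systemctl enable openvpn` belongs next to it.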