「OpenVPN」の版間の差分

提供: ArchWiki
ナビゲーションに移動 検索に移動
(en:OpenVPNへの転送ページ)
 
1行目: 1行目:
  +
[[Category:Virtual Private Network]]
#redirect[[en:OpenVPN]]
 
  +
[[de:OpenVPN]]
  +
[[en:OpenVPN]]
  +
[[ru:OpenVPN]]
  +
[[zh-CN:OpenVPN]]
  +
{{Related articles start}}
  +
{{Related|Linux Containers で OpenVPN}}
  +
{{Related4|Airvpn}}
  +
{{Related articles end}}
  +
この記事では、小規模な事業やプレイベートでの利用に適している、[http://openvpn.net OpenVPN] の基本的なインストールと設定について説明します。詳しい情報は [https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage OpenVPN 2.3 man ページ] や [http://openvpn.net/index.php/open-source/documentation OpenVPN ドキュメント] を見て下さい。OpenVPN は堅牢で高い柔軟性を持つ [[Wikipedia:VPN|VPN]] デーモンです。[[Wikipedia:SSL/TLS|SSL/TLS]] セキュリティ, [[Wikipedia:Bridging_(networking)|Ethernet ブリッジ]], [[Wikipedia:Proxy_server|プロキシ]]や [[Wikipedia:Network address translation|NAT]] による [[Wikipedia:Transmission_Control_Protocol|TCP]] や [[Wikipedia:User_Datagram_Protocol|UDP]] の[[Wikipedia:Tunneling_protocol|トンネリング]]をサポートしています。さらに、動的 IP アドレスと [[Wikipedia:Dynamic_Host_Configuration_Protocol|DHCP]] をサポートしており、数百あるいは数千までのユーザーに対応し、主要な OS プラットフォームで動作します。
  +
  +
OpenVPN は [http://www.openssl.org OpenSSL] ライブラリと密接に関係しており、OpenSSL の暗号機能を多数利用しています。[[Wikipedia:Pre-shared_key|事前共有秘密鍵]]による慣用暗号 (Static Key モード) とクライアントとサーバーの証明書を用いる[[Wikipedia:Public_key|公開鍵暗号]] ([[Wikipedia:SSL/TLS|SSL/TLS]] モード) をサポートしています。さらに、暗号化を施さない TCP/UDP トンネルにも対応しています。
  +
  +
ほとんどのプラットフォームに存在する [[Wikipedia:TUN/TAP|TUN/TAP]] 仮想ネットワークインターフェイスを使うように OpenVPN は設計されています。OpenVPN は [[Wikipedia:Ipsec|IPSec]] の主要な機能の多くを提供しますがフットプリントは比較的軽量に抑えられます。OpenVPN は James Yonan によって書かれ [[Wikipedia:GNU General Public License|GNU General Public License (GPL)]] の下で公開されています。
  +
  +
== OpenVPN のインストール ==
  +
  +
{{Pkg|openvpn}} パッケージを[[インストール]]してください。
  +
  +
{{Note|このパッケージに含まれているソフトウェアはクライアントとサーバー両方のモードをサポートするため、VPN 接続を作成する全てのマシンにインストールしてください。}}
  +
  +
== カーネルの設定 ==
  +
  +
OpenVPN は TUN/TAP のサポートを必要としますが、デフォルトカーネルでは既に設定済みです。自分でカーネルをビルドするときは、以下のように {{ic|tun}} モジュールを有効にしてください:
  +
  +
{{hc|Kernel config file|
  +
Device Drivers
  +
--> Network device support
  +
[M] Universal TUN/TAP device driver support}}
  +
  +
詳しくは[[カーネルモジュール]]を読んで下さい。
  +
  +
== 第三者の VPN に接続 ==
  +
  +
To connect to a VPN service provided by a third party, most of the following can most likely be ignored, especially regarding server setup. Most likely you will want to begin with [[#The client configuration file]] and skip ahead to [[#Starting OpenVPN]] after that. Use the certificates and instructions given by your provider, for instance see: [[en2:Airvpn|Airvpn]].
  +
  +
{{Note|Most free VPN providers will (often only) offer [[PPTP サーバー|PPTP]], which is drastically easier to setup and configure, but is [http://poptop.sourceforge.net/dox/protocol-security.phtml not secure].}}
  +
  +
== 公開鍵基盤 (PKI) をスクラッチから作成 ==
  +
  +
スクラッチから OpenVPN をセットアップする場合、[[Wikipedia:Public key infrastructure|公開鍵基盤 (PKI)]] を作成する必要があります。
  +
  +
必要な証明書と鍵を作成する方法は次を参照してください: [[en2:Create a Public Key Infrastructure Using the easy-rsa Scripts|easy-rsa スクリプトを使って公開鍵基盤を作成]]。
  +
  +
The final step of the key creation process is to copy the files needed to the correct machines through a secure channel.
  +
  +
{{Note|The rest of this article assumes that the keys and certificates are placed in {{ic|/etc/openvpn}}.}}
  +
  +
The public ca.crt certificate is needed on all servers and clients. The private ca.key key is secret and only needed on the key generating machine.
  +
  +
A server needs server.crt, dh2048.pem (public), server.key, and ta.key (private).
  +
  +
A client needs client.crt (public), client.key, and ta.key (private).
  +
  +
== ベーシックな L3 IP ルーティング設定 ==
  +
  +
{{Note|Unless otherwise explicitly stated, the rest of this article assumes this basic configuration.}}
  +
  +
OpenVPN is an extremely versatile piece of software and many configurations are possible, in fact machines can be both "servers" and "clients", blurring the distinction between server and client.
  +
  +
What really distinguishes a server from a client (apart from the type of certificate used) is the configuration file itself. The OpenVPN daemon start-up script reads all the .conf configuration files it finds in {{ic|/etc/openvpn}} on start-up and acts accordingly. If it finds more than one configuration file, it will start one OpenVPN process per configuration file.
  +
  +
This article explains how to set up a server named elmer and a client that connects to it named bugs. More servers and clients can easily be added by creating more key/certificate pairs and adding more server and client configuration files.
  +
  +
The OpenVPN package comes with a collection of example configuration files for different purposes. The sample server and client configuration files make an ideal starting point for a basic OpenVPN setup with the following features:
  +
  +
* Uses [[Wikipedia:Public key infrastructure|Public Key Infrastructure (PKI)]] for authentication.
  +
* Creates a VPN using a virtual TUN network interface (OSI L3 IP routing).
  +
* Listens for client connections on UDP port 1194 (OpenVPN's [[Wikipedia:Port_number|official IANA port number]]).
  +
* Distributes virtual addresses to connecting clients from the 10.8.0.0/24 subnet.
  +
  +
For more advanced configurations, please see the official [http://openvpn.net/index.php/manuals/427-openvpn-22.html OpenVPN 2.2 man page] and the [http://openvpn.net/index.php/open-source/documentation OpenVPN documentation].
  +
  +
=== サーバーの設定ファイル ===
  +
  +
Copy the example server configuration file to {{ic|/etc/openvpn/server.conf}}:
  +
  +
# cp /usr/share/openvpn/examples/server.conf /etc/openvpn/server.conf
  +
  +
Edit the following:
  +
  +
* The {{ic|ca}}, {{ic|cert}}, {{ic|key}}, and {{ic|dh}} parameters to reflect the path and names of the keys and certificates. Specifying the paths will allow you to run the OpenVPN executable from any directory for testing purposes.
  +
* Enable the SSL/TLS HMAC handshake protection. '''Note the use of the parameter 0 for a server'''.
  +
* It is recommended to run OpenVPN with reduced privileges once it has initialized. Do this by uncommenting the {{ic|user}} and {{ic|group}} directives.
  +
  +
{{hc|/etc/openvpn/server.conf|
  +
ca /etc/openvpn/ca.crt
  +
cert /etc/openvpn/elmer.crt
  +
key /etc/openvpn/elmer.key
  +
  +
dh /etc/openvpn/dh2048.pem
  +
...
  +
tls-auth /etc/openvpn/ta.key '''0'''
  +
...
  +
user nobody
  +
group nobody
  +
}}
  +
  +
{{Note|Note that if the server is behind a firewall or a NAT translating router, you will have to forward the OpenVPN UDP port (1194) to the server.}}
  +
  +
=== クライアントの設定ファイル ===
  +
  +
Copy the example client configuration file to {{ic|/etc/openvpn/client.conf}}:
  +
  +
# cp /usr/share/openvpn/examples/client.conf /etc/openvpn/client.conf
  +
  +
Edit the following:
  +
  +
* The {{ic|remote}} directive to reflect either the server's [[Wikipedia:Fully qualified domain name|Fully Qualified Domain Name]], hostname (as known to the client), or its IP address.
  +
* Uncomment the {{ic|user}} and {{ic|group}} directives to drop privileges.
  +
* The {{ic|ca}}, {{ic|cert}}, and {{ic|key}} parameters to reflect the path and names of the keys and certificates.
  +
* Enable the SSL/TLS HMAC handshake protection. '''Note the use of the parameter 1 for a client'''.
  +
  +
{{hc|/etc/openvpn/client.conf|
  +
remote elmer.acmecorp.org 1194
  +
...
  +
user nobody
  +
group nobody
  +
ca /etc/openvpn/ca.crt
  +
cert /etc/openvpn/bugs.crt
  +
key /etc/openvpn/bugs.key
  +
...
  +
tls-auth /etc/openvpn/ta.key '''1'''
  +
}}
  +
  +
==== 接続後に root 権限を落とす ====
  +
  +
Using the options {{ic|user nobody}} and {{ic|group nobody}} in the configuration file makes ''openvpn'' drop its privileges after establishing the connection. The downside is that upon VPN disconnect the daemon is unable to delete its set network routes again. If one wants to limit transmitting traffic without the VPN connection, this may be advantageous. However, it requires manual action to delete the routes and will, hence, often be undesired. For this case the [https://openvpn.net/index.php/open-source/documentation/howto.html#security OpenVPN howto] explains how to create an unprivileged user mode and wrapper script to have the routes restored automatically.
  +
  +
Further, it is possible to let OpenVPN start as a non-privileged user in the first place, without ever running as root, see [https://community.openvpn.net/openvpn/wiki/UnprivilegedUser this OpenVPN wiki page].
  +
  +
=== OpenVPN 設定のテスト ===
  +
  +
Run {{ic|# openvpn /etc/openvpn/server.conf}} on the server, and {{ic|# openvpn /etc/openvpn/client.conf}} on the client. You should see something similar to this:
  +
  +
{{hc|# openvpn /etc/openvpn/server.conf|2=
  +
Wed Dec 28 14:41:26 2011 OpenVPN 2.2.1 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
  +
Wed Dec 28 14:41:26 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
  +
Wed Dec 28 14:41:26 2011 Diffie-Hellman initialized with 2048 bit key
  +
...
  +
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: primary virtual IP for bugs/95.126.136.73:48904: 10.8.0.6
  +
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 PUSH: Received control message: 'PUSH_REQUEST'
  +
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 SENT CONTROL [bugs]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
  +
}}
  +
  +
{{hc|# openvpn /etc/openvpn/client.conf|2=
  +
Wed Dec 28 14:41:50 2011 OpenVPN 2.2.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
  +
Wed Dec 28 14:41:50 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
  +
Wed Dec 28 14:41:50 2011 LZO compression initialized
  +
...
  +
Wed Dec 28 14:41:57 2011 GID set to nobody
  +
Wed Dec 28 14:41:57 2011 UID set to nobody
  +
Wed Dec 28 14:41:57 2011 Initialization Sequence Completed
  +
}}
  +
  +
On the server, find the IP address assigned to the tunX device:
  +
  +
{{hc|# ip addr show|2=
  +
...
  +
40: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
  +
link/none
  +
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
  +
}}
  +
  +
Here we see that the server end of the tunnel has been given the IP address 10.8.0.1.
  +
  +
Do the same on the client:
  +
  +
{{hc|# ip addr show|2=
  +
...
  +
37: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
  +
link/none
  +
inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0
  +
}}
  +
  +
And the client side has been given the IP address 10.8.0.6.
  +
  +
Now try pinging the interfaces.
  +
  +
On the server:
  +
  +
{{hc|# ping -c3 10.8.0.6|2=
  +
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.
  +
64 bytes from 10.8.0.6: icmp_req=1 ttl=64 time=238 ms
  +
64 bytes from 10.8.0.6: icmp_req=2 ttl=64 time=237 ms
  +
64 bytes from 10.8.0.6: icmp_req=3 ttl=64 time=205 ms
  +
  +
--- 10.8.0.6 ping statistics ---
  +
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
  +
rtt min/avg/max/mdev = 205.862/227.266/238.788/15.160 ms
  +
}}
  +
  +
On the client:
  +
  +
{{hc|# ping -c3 10.8.0.1|2=
  +
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
  +
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=158 ms
  +
64 bytes from 10.8.0.1: icmp_req=2 ttl=64 time=158 ms
  +
64 bytes from 10.8.0.1: icmp_req=3 ttl=64 time=157 ms
  +
  +
--- 10.8.0.1 ping statistics ---
  +
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
  +
rtt min/avg/max/mdev = 157.426/158.278/158.940/0.711 ms
  +
}}
  +
  +
You now have a working OpenVPN installation, and your client (bugs) will be able to use services on the server (elmer), and vice versa.
  +
  +
{{Note|If using a firewall, make sure that IP packets on the TUN device are not blocked.}}
  +
  +
=== Fragment と MSS による MTU の設定 ===
  +
  +
{{Note|If you do not configure MTU, then you will notice that small packets like ping and DNS will work, however web browsing will not work.}}
  +
  +
Now it is time to configure the maximum segment size (MSS). In order to do this we need to discover what is the smallest MTU along the path between the client and server. In order to do this you can ping the server and disable fragmentation. Then specify the max packet size.
  +
  +
{{hc|# ping -c5 -M do -s 1500 elmer.acmecorp.org|2=
  +
PING elmer.acmecorp.org (99.88.77.66) 1500(1528) bytes of data.
  +
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)
  +
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)
  +
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)
  +
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)
  +
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)
  +
  +
--- core.myrelay.net ping statistics ---
  +
0 packets transmitted, 0 received, +5 errors
  +
}}
  +
  +
We received an ICMP message telling us the MTU is 576 bytes. The means we need to fragment the UDP packets smaller then 576 bytes to allow for some UDP overhead.
  +
  +
{{hc|# ping -c5 -M do -s 548 elmer.acmecorp.org|2=
  +
PING elmer.acmecorp.org (99.88.77.66) 548(576) bytes of data.
  +
556 bytes from 99.88.77.66: icmp_seq=1 ttl=48 time=206 ms
  +
556 bytes from 99.88.77.66: icmp_seq=2 ttl=48 time=224 ms
  +
556 bytes from 99.88.77.66: icmp_seq=3 ttl=48 time=206 ms
  +
556 bytes from 99.88.77.66: icmp_seq=4 ttl=48 time=207 ms
  +
556 bytes from 99.88.77.66: icmp_seq=5 ttl=48 time=208 ms
  +
  +
--- myrelay.net ping statistics ---
  +
5 packets transmitted, 5 received, 0% packet loss, time 4001ms
  +
rtt min/avg/max/mdev = 206.027/210.603/224.158/6.832 ms
  +
}}
  +
  +
After some trial and error..., we discover that we need to fragment packets on 548 bytes. In order to do this we specify this fragment size in the configuration and instruct OpenVPN to fix the Maximum Segment Size (MSS).
  +
  +
{{hc|/etc/openvpn/client.conf|
  +
remote elmer.acmecorp.org 1194
  +
...
  +
fragment 548
  +
mssfix 548
  +
...
  +
user nobody
  +
group nobody
  +
...
  +
ca /etc/openvpn/ca.crt
  +
cert /etc/openvpn/bugs.crt
  +
key /etc/openvpn/bugs.key
  +
...
  +
tls-auth /etc/openvpn/ta.key '''1'''
  +
}}
  +
  +
We also need to tell the server about the fragmentation. Note that "mssfix" is NOT needed in the server configuration.
  +
  +
{{hc|/etc/openvpn/server.conf|
  +
ca /etc/openvpn/ca.crt
  +
cert /etc/openvpn/elmer.crt
  +
key /etc/openvpn/elmer.key
  +
  +
dh /etc/openvpn/dh2048.pem
  +
...
  +
tls-auth /etc/openvpn/ta.key '''0'''
  +
...
  +
user nobody
  +
group nobody
  +
...
  +
fragment 548
  +
}}
  +
  +
{{Note|The following will add about 3 minutes to OpenVPN start time. It is advisable to configure the fragment size unless your client is a laptop that will be connecting over many different networks and the bottle neck is on the client side.}}
  +
  +
You can also allow OpenVPN to do this for you by having OpenVPN do the ping testing every time the client connects to the VPN. Be patient, since your client may not inform you about the test being run and the connection may appear as nonfunctional until finished.
  +
{{hc|/etc/openvpn/client.conf|
  +
remote elmer.acmecorp.org 1194
  +
...
  +
mtu-test
  +
...
  +
user nobody
  +
group nobody
  +
...
  +
ca /etc/openvpn/ca.crt
  +
cert /etc/openvpn/bugs.crt
  +
key /etc/openvpn/bugs.key
  +
...
  +
tls-auth /etc/openvpn/ta.key '''1'''
  +
}}
  +
  +
=== IPv6 ===
  +
==== IPv6 でサーバーに接続 ====
  +
  +
In order to enable Dual Stack for OpenVPN, you have to change {{ic|proto udp}} to {{ic|proto udp6}} in both server.conf and client.conf. Afterwards both IPv4 and IPv6 are enabled.
  +
  +
==== トンネルで IPv6 を使用 ====
  +
  +
In order to provide IPv6 inside the tunnel, you need to have a IPv6 prefix routed to your OpenVPN server. Either set up a static route on your gateway (if you have a static block assigned), or use a DHCPv6 client to get a prefix with DHCPv6 Prefix delegation (see [[IPv6#Prefix delegation (DHCPv6-PD)|IPv6 Prefix delegation]] for details). You can also use a unique local address from the address block fc00::/7. Both methods have advantages and disadvantages:
  +
  +
* Many ISPs only provide dynamically changing IPv6 prefixes. OpenVPN does not support prefix changes, so you need to change your server.conf every time the prefix is changed (Maybe can be automated with a script).
  +
* ULA addresses are not routed to the Internet, and setting up NAT is not as straightforward as with IPv4. So you cannot route the entire traffic over the tunnel. If you only want to connect two sites via IPv6, without the need to connect to the Internet over the tunnel, the ULA addresses may be easier to use.
  +
  +
After you have received a prefix (a /64 is recommended), append the following to the server.conf:
  +
  +
server-ipv6 2001:db8:0:123::/64
  +
  +
This is the IPv6 equivalent to the default 10.8.0.0/24 network of OpenVPN and needs to be taken from the DHCPv6 client. Or use for example fd00:1234::/64.
  +
  +
If you want to push a route to your home network (192.168.1.0/24 equivalent), also append:
  +
  +
push "route-ipv6 2001:db8:0:abc::/64"
  +
  +
OpenVPN does not yet include DHCPv6, so there is no method to e.g. push DNS server over IPv6. This needs to be done with IPv4. The [https://community.openvpn.net/openvpn/wiki/IPv6 OpenVPN Wiki] provides some other configuration options.
  +
  +
== OpenVPN の起動 ==
  +
  +
=== 手動起動 ===
  +
  +
VPN 接続をトラブルシュートするときは、root で {{ic|openvpn /etc/openvpn/client.conf}} を実行して手動でクライアントのデーモンを起動してください。同じように、サーバーもサーバーの設定ファイル (例: {{ic|openvpn /etc/openvpn/server.conf}}) を使って起動できます。
  +
  +
=== systemd サービスの設定 ===
  +
  +
システムの起動時に OpenVPN を自動的に実行するには、クライアントでもサーバーでも、適当なマシンで {{ic|openvpn@''<configuration>''.service}} を[[有効化]]してください。
  +
  +
例えば、クライアントの設定ファイルが {{ic|/etc/openvpn/client.conf}} の場合、サービス名は {{ic|openvpn@client.service}} です。また、サーバーの設定ファイルが {{ic|/etc/openvpn/server.conf}} の場合、サービス名は {{ic|openvpn@server.service}} となります。
  +
  +
=== NetworkManager で接続を開始 ===
  +
  +
On a client you might not always need to run a VPN tunnel and/or only want to establish it for a specific NetworkManager connection. This can be done by adding a script to {{ic|/etc/NetworkManager/dispatcher.d/}}. In the following example "Provider" is the name of the NetworkManager connection:
  +
  +
{{hc|/etc/NetworkManager/dispatcher.d/10-openvpn|2=
  +
#!/bin/bash
  +
  +
case "$2" in
  +
up)
  +
if [ "$CONNECTION_ID" == "Provider" ]; then
  +
systemctl start openvpn@client
  +
fi
  +
;;
  +
down)
  +
systemctl stop openvpn@client
  +
;;
  +
esac}}
  +
  +
詳しくは [[NetworkManager#ネットワークサービスと NetworkManager dispatcher]] を見て下さい。
  +
  +
=== Gnome の設定 ===
  +
  +
If you would like to connect a client to an OpenVPN server through Gnome's built-in network configuration do the following. First, install {{ic|networkmanager-openvpn}}. Then go to the Settings menu and choose Network. Click the plus sign to add a new connection and choose VPN. From there you can choose OpenVPN and manually enter the settings, or you can choose to import [[#The client configuration file]] if you have already created one. If you followed the instructions in this article then it will be located at {{ic|/etc/openvpn/client.conf}}. To connect to the VPN simply turn the connection on.
  +
  +
== 全てのクライアントの通信をサーバーにルーティング ==
  +
  +
{{Note|There are potential pitfalls when routing all traffic through a VPN server. Refer to [http://openvpn.net/index.php/open-source/documentation/howto.html#redirect the OpenVPN documenation on this topic] for more information.}}
  +
  +
By default only traffic directly to and from an OpenVPN server passes through the VPN. To have all traffic, including web traffic, pass through the VPN do the following. First add the following to your server's configuration file (i.e., {{ic|/etc/openvpn/server.conf}}) [http://openvpn.net/index.php/open-source/documentation/howto.html#redirect]:
  +
  +
push "redirect-gateway def1"
  +
push "dhcp-option DNS 10.8.0.1"
  +
  +
Change "10.8.0.1" to your preferred DNS IP address.
  +
  +
If you have problems with non responsive DNS after connecting to server, install [[BIND]] as simple DNS forwarder and push the IP address of the OpenVPN server as DNS to clients.
  +
  +
サーバーで[[インターネット共有#パケット転送の有効化|パケットフォワーディングを有効化]]してください。
  +
  +
In addition to above, your server's firewall will need to be set up to allow VPN traffic through it, which is described below for both [[ufw]] and [[iptables]].
  +
  +
=== ファイアウォールの設定 ===
  +
  +
==== ufw ====
  +
  +
In order to configure your ufw settings for VPN traffic first add the following to {{ic|/etc/default/ufw}}:
  +
  +
{{hc|/etc/default/ufw|2=
  +
DEFAULT_FORWARD_POLICY="ACCEPT"
  +
}}
  +
  +
Now change {{ic|/etc/ufw/before.rules}}, and add the following code after the header and before the "*filter" line. Do not forget to change the IP/subnet mask to match the one in {{ic|/etc/openvpn/server.conf}}.
  +
  +
{{hc|/etc/ufw/before.rules|2=
  +
# NAT (Network Address Translation) table rules
  +
*nat
  +
:POSTROUTING ACCEPT [0:0]
  +
  +
# Allow traffic from clients to enp1s0
  +
-A POSTROUTING -s 10.8.0.0/24 -o enp1s0 -j MASQUERADE
  +
  +
# do not delete the "COMMIT" line or the NAT table rules above will not be processed
  +
COMMIT
  +
}}
  +
  +
Lastly, open OpenVPN port 1194:
  +
  +
ufw allow 1194
  +
  +
==== iptables ====
  +
  +
In order to allow VPN traffic through your iptables firewall of your server, first create an iptables rule for NAT forwarding [http://openvpn.net/index.php/open-source/documentation/howto.html#redirect] on the server:
  +
  +
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
  +
  +
If you have difficulty pinging the server through the VPN, you may need to add explicit rules to open up TUN/TAP interfaces to all traffic. If that is the case, do the following [https://community.openvpn.net/openvpn/wiki/255-qconnection-initiated-with-xxxxq-but-i-cannot-ping-the-server-through-the-vpn]:
  +
  +
{{Warning|There are security implications for the following rules if you do not trust all clients which connect to the server. Refer to the [https://community.openvpn.net/openvpn/wiki/255-qconnection-initiated-with-xxxxq-but-i-cannot-ping-the-server-through-the-vpn OpenVPN documentation on this topic] for more details.}}
  +
  +
# Allow TUN interface connections to OpenVPN server
  +
iptables -A INPUT -i tun+ -j ACCEPT
  +
# Allow TUN interface connections to be forwarded through other interfaces
  +
iptables -A FORWARD -i tun+ -j ACCEPT
  +
# Allow TAP interface connections to OpenVPN server
  +
iptables -A INPUT -i tap+ -j ACCEPT
  +
# Allow TAP interface connections to be forwarded through other interfaces
  +
iptables -A FORWARD -i tap+ -j ACCEPT
  +
  +
Additionally edit {{ic|/etc/conf.d/iptables}} and change IPTABLES_FORWARD=1.
  +
  +
When you are satisfied make the changes permanent in the [[iptables#Configuration file]].
  +
  +
=== VPN が落ちた時に漏洩を防止 ===
  +
  +
The idea is simple: prevent all traffic through our default interface (enp3s0 for example) and only allow tun0.
  +
If the openvpn connection drops, your computer will lose its internet access and therefore, avoid your programs to continue connecting through an insecure network adapter.
  +
  +
Be sure to set up a script to restart openvpn if it goes down if you don't want to manually restart it.
  +
  +
==== ufw ====
  +
  +
# Default policies
  +
ufw default deny incoming
  +
ufw default deny outgoing
  +
  +
# Openvpn interface (adjust interface accordingly to your configuration)
  +
ufw allow in on tun0
  +
ufw allow out on tun0
  +
  +
# Local Network (adjust ip accordingly to your configuration)
  +
ufw allow in on enp3s0 from 192.168.1.0/24
  +
ufw allow out on enp3s0 to 192.168.1.0/24
  +
  +
# Openvpn (adjust port accordingly to your configuration)
  +
ufw allow out on enp3s0 to any port 1194
  +
ufw allow in on enp3s0 from any port 1194
  +
  +
{{Warning| DNS '''won't''' work '''unless''' you run your own dns server like [[BIND]]
  +
Otherwise, you will need to allow dns leak. '''Be sure to trust your dns server!'''
  +
# DNS
  +
ufw allow in from any to any port 53
  +
ufw allow out from any to any port 53
  +
}}
  +
  +
== L3 IPv4 ルーティング==
  +
  +
This section describes how to connect client/server LANs to each other using L3 IPv4 routing.
  +
  +
=== LAN のルーティングの要件 ===
  +
  +
ホストが LAN と VPN で IPv4 パケットを転送できるようにするために、NIC と tun/tap デバイスでパケットを転送できるようにする必要があります。詳しい設定方法は[[インターネット共有#パケット転送の有効化]]を見て下さい。
  +
  +
==== ルーティングテーブル ====
  +
  +
By default, all IP packets on a LAN addressed to a different subnet get sent to the default gateway. If the LAN/VPN gateway is also the default gateway, there is no problem and the packets get properly forwarded. If not, the gateway has no way of knowing where to send the packets. There are a couple of solutions to this problem.
  +
  +
* Add a static route to the default gateway routing the VPN subnet to the LAN/VPN gateway's IP address.
  +
* Add a static route on each host on the LAN that needs to send IP packets back to the VPN.
  +
* Use [[iptables]]' NAT feature on the LAN/VPN gateway to masquerade the incoming VPN IP packets.
  +
  +
=== サーバー LAN をクライアントに接続 ===
  +
  +
The server is on a LAN using the 10.66.0.0/24 subnet. To inform the client about the available subnet, add a push directive to the server configuration file:{{hc|/etc/openvpn/server.conf|push "route 10.66.0.0 255.255.255.0"}}
  +
  +
{{Note|To route more LANs from the server to the client, add more push directives to the server configuration file, but keep in mind that the server side LANs will need to know how to route to the client.
  +
}}
  +
  +
=== クライアント LAN をサーバーに接続 ===
  +
  +
Prerequisites:
  +
  +
* Any subnets used on the client side, must be unique and not in use on the server or by any other client. In this example we will use 192.168.4.0/24 for the clients LAN.
  +
* Each client's certificate has a unique Common Name, in this case bugs.
  +
* The server may not use the duplicate-cn directive in its config file.
  +
  +
Create a client configuration directory on the server. It will be searched for a file named the same as the client's common name, and the directives will be applied to the client when it connects.
  +
  +
# mkdir -p /etc/openvpn/ccd
  +
  +
Create a file in the client configuration directory called bugs, containing the {{ic|iroute 192.168.4.0 255.255.255.0}} directive. It tells the server what subnet should be routed to the client:
  +
  +
{{hc|/etc/openvpn/ccd/bugs|iroute 192.168.4.0 255.255.255.0}}
  +
  +
Add the client-config-dir and the {{ic|route 192.168.4.0 255.255.255.0}} directive to the server configuration file. It tells the server what subnet should be routed from the tun device to the server LAN:
  +
  +
{{hc|/etc/openvpn/server.conf|
  +
client-config-dir ccd
  +
route 192.168.4.0 255.255.255.0
  +
}}
  +
  +
{{Note|To route more LANs from the client to the server, add more iroute and route directives to the appropriate configuration files, but keep in mind that the client side LANs will need to know how to route to the server.
  +
}}
  +
  +
=== クライアントとサーバー両方の LAN を接続 ===
  +
  +
Combine the two previous sections:
  +
  +
{{hc|/etc/openvpn/server.conf|
  +
push "route 10.66.0.0 255.255.255.0"
  +
...
  +
client-config-dir ccd
  +
route 192.168.4.0 255.255.255.0
  +
}}
  +
  +
{{hc|/etc/openvpn/ccd/bugs|iroute 192.168.4.0 255.255.255.0}}
  +
  +
{{Note|Remember to make sure that all the LANs or the needed hosts can route to all the destinations.}}
  +
  +
=== クライアントとクライアントの LAN を接続 ===
  +
  +
By default clients will not see each other. To allow IP packets to flow between clients and/or client LANs, add a client-to-client directive to the server configuration file: {{hc|/etc/openvpn/server.conf|client-to-client}}
  +
  +
In order for another client or client LAN to see a specific client LAN, you will need to add a push directive for each client subnet to the server configuration file (this will make the server announce the available subnet(s) to other clients):
  +
  +
{{hc|/etc/openvpn/server.conf|
  +
client-to-client
  +
push "route 192.168.4.0 255.255.255.0"
  +
push "route 192.168.5.0 255.255.255.0"
  +
...
  +
}}
  +
  +
{{Note|As always, make sure that the routing is properly configured.}}
  +
  +
== DNS ==
  +
  +
The DNS servers used by the system are defined in {{ic|/etc/resolv.conf}}. Traditionally, this file is the responsibility of whichever program deals with connecting the system to the network (e.g. Wicd, NetworkManager, etc...) However, OpenVPN will need to modify this file if you want to be able to resolve names on the remote side. To achieve this in a sensible way, install {{pkg|openresolv}}, which makes it possible for more than one program to modify {{ic|resolv.conf}} without stepping on each-other's toes.
  +
  +
Before continuing, test openresolv by restarting your network connection and ensuring that {{ic|resolv.conf}} states that it was generated by ''resolvconf'', and that your DNS resolution still works as before. You should not need to configure openresolv; it should be automatically detected and used by your network system.
  +
  +
For Linux, OpenVPN can send DNS host information, but expects an external process to act on it. This can be done with a [https://github.com/masterkorp/openvpn-update-resolv-conf openvpn-update-resolv-conf] script, which can be saved for example at {{ic|/etc/openvpn/update-resolv-conf}} and make it executable with [[chmod]]. There is also an AUR package: {{AUR|openvpn-update-resolv-conf}} which will take care of the script installation for you.
  +
  +
Once the script is installed add lines like the following into your OpenVPN client configuration file:
  +
  +
script-security 2
  +
up /etc/openvpn/update-resolv-conf
  +
down /etc/openvpn/update-resolv-conf
  +
  +
Now, when your launch your OpenVPN connection, you should find that your resolv.conf file is updated accordingly, and also returns to normal when your close the connection.
  +
  +
== L2 Ethernet ブリッジ ==
  +
  +
次を参照: [[en2:OpenVPN Bridge|OpenVPN Bridge]]
  +
  +
== トラブルシューティング ==
  +
  +
=== 問題の解決 ===
  +
  +
If you are having resolve issues when starting your profile:
  +
{{hc|# journalctl _SYSTEMD_UNIT&#61;openvpn@''profile''.service|
  +
RESOLVE: Cannot resolve host address: example.com: Name or service not known
  +
}}
  +
  +
Then, '''only if your network setup can be started before OpenVPN''', you should force OpenVPN to wait for the network by adding {{ic|1=Requires=network.target}} and {{ic|1=After=network.target}} to the OpenVPN systemd service file:
  +
{{hc|/usr/lib/systemd/system/openvpn@.service|<nowiki>
  +
[Unit]
  +
Description=OpenVPN connection to %i
  +
Requires=network.target
  +
After=network.target
  +
...</nowiki>
  +
}}
  +
忘れずに {{ic|systemctl daemon-reload}} を実行して {{ic|openvpn@''profile''.service}} を[[systemd#ユニットを使う|再起動]]してください。
  +
  +
=== サスペンド後にクライアントデーモンが再起動しない ===
  +
  +
If you put your client system to sleep, and on resume openvpn does not restart, resulting in broken connectivity, create the following file:
  +
  +
{{hc|/usr/lib/systemd/system-sleep/vpn.sh|2=
  +
#!/bin/sh
  +
if [ "$1" == "pre" ]
  +
then
  +
killall openvpn
  +
fi
  +
}}
  +
  +
Make it executable {{ic|chmod a+x /usr/lib/systemd/system-sleep/vpn.sh}}
  +
  +
{{hc|/etc/systemd/system/openvpn@.service.d/restart.conf|2=
  +
[Service]
  +
Restart=always
  +
}}
  +
  +
=== しばらく通信しないと接続が切れる ===
  +
  +
If the VPN-Connection drops some seconds after it stopped transmitting data and, even though it states it is connected, no data can be transmitted through the tunnel, try adding a {{ic|keepalive}}directive to the server's configuration:
  +
  +
{{hc|/etc/openvpn/server.conf|
  +
...
  +
keepalive 10 120
  +
...
  +
}}
  +
  +
In this case the server will send ping-like messages to all of its clients every {{ic|10}} seconds, thus keeping the tunnel up.
  +
If the server does not receive a response within {{ic|120}} seconds from a specific client, it will assume this client is down.
  +
  +
A small ping-interval can increase the stability of the tunnel, but will also cause slightly higher traffic. Depending on your connection, also try lower intervals than 10 seconds.
  +
  +
== 参照 ==
  +
* [https://openvpn.net/index.php/open-source.html OpenVPN 公式サイト]

2015年12月9日 (水) 01:00時点における版

関連記事

この記事では、小規模な事業やプレイベートでの利用に適している、OpenVPN の基本的なインストールと設定について説明します。詳しい情報は OpenVPN 2.3 man ページOpenVPN ドキュメント を見て下さい。OpenVPN は堅牢で高い柔軟性を持つ VPN デーモンです。SSL/TLS セキュリティ, Ethernet ブリッジ, プロキシNAT による TCPUDPトンネリングをサポートしています。さらに、動的 IP アドレスと DHCP をサポートしており、数百あるいは数千までのユーザーに対応し、主要な OS プラットフォームで動作します。

OpenVPN は OpenSSL ライブラリと密接に関係しており、OpenSSL の暗号機能を多数利用しています。事前共有秘密鍵による慣用暗号 (Static Key モード) とクライアントとサーバーの証明書を用いる公開鍵暗号 (SSL/TLS モード) をサポートしています。さらに、暗号化を施さない TCP/UDP トンネルにも対応しています。

ほとんどのプラットフォームに存在する TUN/TAP 仮想ネットワークインターフェイスを使うように OpenVPN は設計されています。OpenVPN は IPSec の主要な機能の多くを提供しますがフットプリントは比較的軽量に抑えられます。OpenVPN は James Yonan によって書かれ GNU General Public License (GPL) の下で公開されています。

OpenVPN のインストール

openvpn パッケージをインストールしてください。

ノート: このパッケージに含まれているソフトウェアはクライアントとサーバー両方のモードをサポートするため、VPN 接続を作成する全てのマシンにインストールしてください。

カーネルの設定

OpenVPN は TUN/TAP のサポートを必要としますが、デフォルトカーネルでは既に設定済みです。自分でカーネルをビルドするときは、以下のように tun モジュールを有効にしてください:

Kernel config file
 Device Drivers
  --> Network device support
    [M] Universal TUN/TAP device driver support

詳しくはカーネルモジュールを読んで下さい。

第三者の VPN に接続

To connect to a VPN service provided by a third party, most of the following can most likely be ignored, especially regarding server setup. Most likely you will want to begin with #The client configuration file and skip ahead to #Starting OpenVPN after that. Use the certificates and instructions given by your provider, for instance see: Airvpn.

ノート: Most free VPN providers will (often only) offer PPTP, which is drastically easier to setup and configure, but is not secure.

公開鍵基盤 (PKI) をスクラッチから作成

スクラッチから OpenVPN をセットアップする場合、公開鍵基盤 (PKI) を作成する必要があります。

必要な証明書と鍵を作成する方法は次を参照してください: easy-rsa スクリプトを使って公開鍵基盤を作成

The final step of the key creation process is to copy the files needed to the correct machines through a secure channel.

ノート: The rest of this article assumes that the keys and certificates are placed in /etc/openvpn.

The public ca.crt certificate is needed on all servers and clients. The private ca.key key is secret and only needed on the key generating machine.

A server needs server.crt, dh2048.pem (public), server.key, and ta.key (private).

A client needs client.crt (public), client.key, and ta.key (private).

ベーシックな L3 IP ルーティング設定

ノート: Unless otherwise explicitly stated, the rest of this article assumes this basic configuration.

OpenVPN is an extremely versatile piece of software and many configurations are possible, in fact machines can be both "servers" and "clients", blurring the distinction between server and client.

What really distinguishes a server from a client (apart from the type of certificate used) is the configuration file itself. The OpenVPN daemon start-up script reads all the .conf configuration files it finds in /etc/openvpn on start-up and acts accordingly. If it finds more than one configuration file, it will start one OpenVPN process per configuration file.

This article explains how to set up a server named elmer and a client that connects to it named bugs. More servers and clients can easily be added by creating more key/certificate pairs and adding more server and client configuration files.

The OpenVPN package comes with a collection of example configuration files for different purposes. The sample server and client configuration files make an ideal starting point for a basic OpenVPN setup with the following features:

  • Uses Public Key Infrastructure (PKI) for authentication.
  • Creates a VPN using a virtual TUN network interface (OSI L3 IP routing).
  • Listens for client connections on UDP port 1194 (OpenVPN's official IANA port number).
  • Distributes virtual addresses to connecting clients from the 10.8.0.0/24 subnet.

For more advanced configurations, please see the official OpenVPN 2.2 man page and the OpenVPN documentation.

サーバーの設定ファイル

Copy the example server configuration file to /etc/openvpn/server.conf:

# cp /usr/share/openvpn/examples/server.conf /etc/openvpn/server.conf

Edit the following:

  • The ca, cert, key, and dh parameters to reflect the path and names of the keys and certificates. Specifying the paths will allow you to run the OpenVPN executable from any directory for testing purposes.
  • Enable the SSL/TLS HMAC handshake protection. Note the use of the parameter 0 for a server.
  • It is recommended to run OpenVPN with reduced privileges once it has initialized. Do this by uncommenting the user and group directives.
/etc/openvpn/server.conf
ca /etc/openvpn/ca.crt
cert /etc/openvpn/elmer.crt
key /etc/openvpn/elmer.key

dh /etc/openvpn/dh2048.pem
...
tls-auth /etc/openvpn/ta.key 0
...
user nobody
group nobody
ノート: Note that if the server is behind a firewall or a NAT translating router, you will have to forward the OpenVPN UDP port (1194) to the server.

クライアントの設定ファイル

Copy the example client configuration file to /etc/openvpn/client.conf:

# cp /usr/share/openvpn/examples/client.conf /etc/openvpn/client.conf

Edit the following:

  • The remote directive to reflect either the server's Fully Qualified Domain Name, hostname (as known to the client), or its IP address.
  • Uncomment the user and group directives to drop privileges.
  • The ca, cert, and key parameters to reflect the path and names of the keys and certificates.
  • Enable the SSL/TLS HMAC handshake protection. Note the use of the parameter 1 for a client.
/etc/openvpn/client.conf
remote elmer.acmecorp.org 1194
...
user nobody
group nobody
ca /etc/openvpn/ca.crt
cert /etc/openvpn/bugs.crt
key /etc/openvpn/bugs.key
...
tls-auth /etc/openvpn/ta.key 1

接続後に root 権限を落とす

Using the options user nobody and group nobody in the configuration file makes openvpn drop its privileges after establishing the connection. The downside is that upon VPN disconnect the daemon is unable to delete its set network routes again. If one wants to limit transmitting traffic without the VPN connection, this may be advantageous. However, it requires manual action to delete the routes and will, hence, often be undesired. For this case the OpenVPN howto explains how to create an unprivileged user mode and wrapper script to have the routes restored automatically.

Further, it is possible to let OpenVPN start as a non-privileged user in the first place, without ever running as root, see this OpenVPN wiki page.

OpenVPN 設定のテスト

Run # openvpn /etc/openvpn/server.conf on the server, and # openvpn /etc/openvpn/client.conf on the client. You should see something similar to this:

# openvpn /etc/openvpn/server.conf
Wed Dec 28 14:41:26 2011 OpenVPN 2.2.1 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
Wed Dec 28 14:41:26 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Dec 28 14:41:26 2011 Diffie-Hellman initialized with 2048 bit key
...
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: primary virtual IP for bugs/95.126.136.73:48904: 10.8.0.6
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 PUSH: Received control message: 'PUSH_REQUEST'
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 SENT CONTROL [bugs]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
# openvpn /etc/openvpn/client.conf
Wed Dec 28 14:41:50 2011 OpenVPN 2.2.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
Wed Dec 28 14:41:50 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Dec 28 14:41:50 2011 LZO compression initialized
...
Wed Dec 28 14:41:57 2011 GID set to nobody
Wed Dec 28 14:41:57 2011 UID set to nobody
Wed Dec 28 14:41:57 2011 Initialization Sequence Completed

On the server, find the IP address assigned to the tunX device:

# ip addr show
...
40: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0

Here we see that the server end of the tunnel has been given the IP address 10.8.0.1.

Do the same on the client:

# ip addr show
...
37: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0

And the client side has been given the IP address 10.8.0.6.

Now try pinging the interfaces.

On the server:

# ping -c3 10.8.0.6
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.
64 bytes from 10.8.0.6: icmp_req=1 ttl=64 time=238 ms
64 bytes from 10.8.0.6: icmp_req=2 ttl=64 time=237 ms
64 bytes from 10.8.0.6: icmp_req=3 ttl=64 time=205 ms

--- 10.8.0.6 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 205.862/227.266/238.788/15.160 ms

On the client:

# ping -c3 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=158 ms
64 bytes from 10.8.0.1: icmp_req=2 ttl=64 time=158 ms
64 bytes from 10.8.0.1: icmp_req=3 ttl=64 time=157 ms

--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 157.426/158.278/158.940/0.711 ms

You now have a working OpenVPN installation, and your client (bugs) will be able to use services on the server (elmer), and vice versa.

ノート: If using a firewall, make sure that IP packets on the TUN device are not blocked.

Fragment と MSS による MTU の設定

ノート: If you do not configure MTU, then you will notice that small packets like ping and DNS will work, however web browsing will not work.

Now it is time to configure the maximum segment size (MSS). In order to do this we need to discover what is the smallest MTU along the path between the client and server. In order to do this you can ping the server and disable fragmentation. Then specify the max packet size.

# ping -c5 -M do -s 1500 elmer.acmecorp.org
PING elmer.acmecorp.org (99.88.77.66) 1500(1528) bytes of data.
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)

--- core.myrelay.net ping statistics ---
0 packets transmitted, 0 received, +5 errors

We received an ICMP message telling us the MTU is 576 bytes. The means we need to fragment the UDP packets smaller then 576 bytes to allow for some UDP overhead.

# ping -c5 -M do -s 548 elmer.acmecorp.org
PING elmer.acmecorp.org (99.88.77.66) 548(576) bytes of data.
556 bytes from 99.88.77.66: icmp_seq=1 ttl=48 time=206 ms
556 bytes from 99.88.77.66: icmp_seq=2 ttl=48 time=224 ms
556 bytes from 99.88.77.66: icmp_seq=3 ttl=48 time=206 ms
556 bytes from 99.88.77.66: icmp_seq=4 ttl=48 time=207 ms
556 bytes from 99.88.77.66: icmp_seq=5 ttl=48 time=208 ms

--- myrelay.net ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4001ms
rtt min/avg/max/mdev = 206.027/210.603/224.158/6.832 ms

After some trial and error..., we discover that we need to fragment packets on 548 bytes. In order to do this we specify this fragment size in the configuration and instruct OpenVPN to fix the Maximum Segment Size (MSS).

/etc/openvpn/client.conf
remote elmer.acmecorp.org 1194
...
fragment 548
mssfix 548
...
user nobody
group nobody
...
ca /etc/openvpn/ca.crt
cert /etc/openvpn/bugs.crt
key /etc/openvpn/bugs.key
...
tls-auth /etc/openvpn/ta.key 1

We also need to tell the server about the fragmentation. Note that "mssfix" is NOT needed in the server configuration.

/etc/openvpn/server.conf
ca /etc/openvpn/ca.crt
cert /etc/openvpn/elmer.crt
key /etc/openvpn/elmer.key

dh /etc/openvpn/dh2048.pem
...
tls-auth /etc/openvpn/ta.key 0
...
user nobody
group nobody
...
fragment 548
ノート: The following will add about 3 minutes to OpenVPN start time. It is advisable to configure the fragment size unless your client is a laptop that will be connecting over many different networks and the bottle neck is on the client side.

You can also allow OpenVPN to do this for you by having OpenVPN do the ping testing every time the client connects to the VPN. Be patient, since your client may not inform you about the test being run and the connection may appear as nonfunctional until finished.

/etc/openvpn/client.conf
remote elmer.acmecorp.org 1194
...
mtu-test
...
user nobody
group nobody
...
ca /etc/openvpn/ca.crt
cert /etc/openvpn/bugs.crt
key /etc/openvpn/bugs.key
...
tls-auth /etc/openvpn/ta.key 1

IPv6

IPv6 でサーバーに接続

In order to enable Dual Stack for OpenVPN, you have to change proto udp to proto udp6 in both server.conf and client.conf. Afterwards both IPv4 and IPv6 are enabled.

トンネルで IPv6 を使用

In order to provide IPv6 inside the tunnel, you need to have a IPv6 prefix routed to your OpenVPN server. Either set up a static route on your gateway (if you have a static block assigned), or use a DHCPv6 client to get a prefix with DHCPv6 Prefix delegation (see IPv6 Prefix delegation for details). You can also use a unique local address from the address block fc00::/7. Both methods have advantages and disadvantages:

  • Many ISPs only provide dynamically changing IPv6 prefixes. OpenVPN does not support prefix changes, so you need to change your server.conf every time the prefix is changed (Maybe can be automated with a script).
  • ULA addresses are not routed to the Internet, and setting up NAT is not as straightforward as with IPv4. So you cannot route the entire traffic over the tunnel. If you only want to connect two sites via IPv6, without the need to connect to the Internet over the tunnel, the ULA addresses may be easier to use.

After you have received a prefix (a /64 is recommended), append the following to the server.conf:

server-ipv6 2001:db8:0:123::/64

This is the IPv6 equivalent to the default 10.8.0.0/24 network of OpenVPN and needs to be taken from the DHCPv6 client. Or use for example fd00:1234::/64.

If you want to push a route to your home network (192.168.1.0/24 equivalent), also append:

push "route-ipv6 2001:db8:0:abc::/64"

OpenVPN does not yet include DHCPv6, so there is no method to e.g. push DNS server over IPv6. This needs to be done with IPv4. The OpenVPN Wiki provides some other configuration options.

OpenVPN の起動

手動起動

VPN 接続をトラブルシュートするときは、root で openvpn /etc/openvpn/client.conf を実行して手動でクライアントのデーモンを起動してください。同じように、サーバーもサーバーの設定ファイル (例: openvpn /etc/openvpn/server.conf) を使って起動できます。

systemd サービスの設定

システムの起動時に OpenVPN を自動的に実行するには、クライアントでもサーバーでも、適当なマシンで openvpn@<configuration>.service有効化してください。

例えば、クライアントの設定ファイルが /etc/openvpn/client.conf の場合、サービス名は openvpn@client.service です。また、サーバーの設定ファイルが /etc/openvpn/server.conf の場合、サービス名は openvpn@server.service となります。

NetworkManager で接続を開始

On a client you might not always need to run a VPN tunnel and/or only want to establish it for a specific NetworkManager connection. This can be done by adding a script to /etc/NetworkManager/dispatcher.d/. In the following example "Provider" is the name of the NetworkManager connection:

/etc/NetworkManager/dispatcher.d/10-openvpn
#!/bin/bash

case "$2" in
  up)
    if [ "$CONNECTION_ID" == "Provider" ]; then
      systemctl start openvpn@client
    fi
  ;;
  down)
    systemctl stop openvpn@client
  ;;
esac

詳しくは NetworkManager#ネットワークサービスと NetworkManager dispatcher を見て下さい。

Gnome の設定

If you would like to connect a client to an OpenVPN server through Gnome's built-in network configuration do the following. First, install networkmanager-openvpn. Then go to the Settings menu and choose Network. Click the plus sign to add a new connection and choose VPN. From there you can choose OpenVPN and manually enter the settings, or you can choose to import #The client configuration file if you have already created one. If you followed the instructions in this article then it will be located at /etc/openvpn/client.conf. To connect to the VPN simply turn the connection on.

全てのクライアントの通信をサーバーにルーティング

ノート: There are potential pitfalls when routing all traffic through a VPN server. Refer to the OpenVPN documenation on this topic for more information.

By default only traffic directly to and from an OpenVPN server passes through the VPN. To have all traffic, including web traffic, pass through the VPN do the following. First add the following to your server's configuration file (i.e., /etc/openvpn/server.conf) [1]:

push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"

Change "10.8.0.1" to your preferred DNS IP address.

If you have problems with non responsive DNS after connecting to server, install BIND as simple DNS forwarder and push the IP address of the OpenVPN server as DNS to clients.

サーバーでパケットフォワーディングを有効化してください。

In addition to above, your server's firewall will need to be set up to allow VPN traffic through it, which is described below for both ufw and iptables.

ファイアウォールの設定

ufw

In order to configure your ufw settings for VPN traffic first add the following to /etc/default/ufw:

/etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"

Now change /etc/ufw/before.rules, and add the following code after the header and before the "*filter" line. Do not forget to change the IP/subnet mask to match the one in /etc/openvpn/server.conf.

/etc/ufw/before.rules
# NAT (Network Address Translation) table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Allow traffic from clients to enp1s0
-A POSTROUTING -s 10.8.0.0/24 -o enp1s0 -j MASQUERADE

# do not delete the "COMMIT" line or the NAT table rules above will not be processed
COMMIT

Lastly, open OpenVPN port 1194:

ufw allow 1194

iptables

In order to allow VPN traffic through your iptables firewall of your server, first create an iptables rule for NAT forwarding [2] on the server:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

If you have difficulty pinging the server through the VPN, you may need to add explicit rules to open up TUN/TAP interfaces to all traffic. If that is the case, do the following [3]:

警告: There are security implications for the following rules if you do not trust all clients which connect to the server. Refer to the OpenVPN documentation on this topic for more details.
# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT
# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT
# Allow TAP interface connections to OpenVPN server
iptables -A INPUT -i tap+ -j ACCEPT
# Allow TAP interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tap+ -j ACCEPT

Additionally edit /etc/conf.d/iptables and change IPTABLES_FORWARD=1.

When you are satisfied make the changes permanent in the iptables#Configuration file.

VPN が落ちた時に漏洩を防止

The idea is simple: prevent all traffic through our default interface (enp3s0 for example) and only allow tun0. If the openvpn connection drops, your computer will lose its internet access and therefore, avoid your programs to continue connecting through an insecure network adapter.

Be sure to set up a script to restart openvpn if it goes down if you don't want to manually restart it.

ufw

# Default policies
ufw default deny incoming
ufw default deny outgoing

# Openvpn interface (adjust interface accordingly to your configuration)
ufw allow in on tun0
ufw allow out on tun0

# Local Network (adjust ip accordingly to your configuration)
ufw allow in on enp3s0 from 192.168.1.0/24
ufw allow out on enp3s0 to 192.168.1.0/24

# Openvpn (adjust port accordingly to your configuration)
ufw allow out on enp3s0 to any port 1194
ufw allow in on enp3s0 from any port 1194
警告: DNS won't work unless you run your own dns server like BIND

Otherwise, you will need to allow dns leak. Be sure to trust your dns server!

# DNS
ufw allow in from any to any port 53
ufw allow out from any to any port 53

L3 IPv4 ルーティング

This section describes how to connect client/server LANs to each other using L3 IPv4 routing.

LAN のルーティングの要件

ホストが LAN と VPN で IPv4 パケットを転送できるようにするために、NIC と tun/tap デバイスでパケットを転送できるようにする必要があります。詳しい設定方法はインターネット共有#パケット転送の有効化を見て下さい。

ルーティングテーブル

By default, all IP packets on a LAN addressed to a different subnet get sent to the default gateway. If the LAN/VPN gateway is also the default gateway, there is no problem and the packets get properly forwarded. If not, the gateway has no way of knowing where to send the packets. There are a couple of solutions to this problem.

  • Add a static route to the default gateway routing the VPN subnet to the LAN/VPN gateway's IP address.
  • Add a static route on each host on the LAN that needs to send IP packets back to the VPN.
  • Use iptables' NAT feature on the LAN/VPN gateway to masquerade the incoming VPN IP packets.

サーバー LAN をクライアントに接続

The server is on a LAN using the 10.66.0.0/24 subnet. To inform the client about the available subnet, add a push directive to the server configuration file:

/etc/openvpn/server.conf
push "route 10.66.0.0 255.255.255.0"
ノート: To route more LANs from the server to the client, add more push directives to the server configuration file, but keep in mind that the server side LANs will need to know how to route to the client.

クライアント LAN をサーバーに接続

Prerequisites:

  • Any subnets used on the client side, must be unique and not in use on the server or by any other client. In this example we will use 192.168.4.0/24 for the clients LAN.
  • Each client's certificate has a unique Common Name, in this case bugs.
  • The server may not use the duplicate-cn directive in its config file.

Create a client configuration directory on the server. It will be searched for a file named the same as the client's common name, and the directives will be applied to the client when it connects.

# mkdir -p /etc/openvpn/ccd

Create a file in the client configuration directory called bugs, containing the iroute 192.168.4.0 255.255.255.0 directive. It tells the server what subnet should be routed to the client:

/etc/openvpn/ccd/bugs
iroute 192.168.4.0 255.255.255.0

Add the client-config-dir and the route 192.168.4.0 255.255.255.0 directive to the server configuration file. It tells the server what subnet should be routed from the tun device to the server LAN:

/etc/openvpn/server.conf
client-config-dir ccd
route 192.168.4.0 255.255.255.0
ノート: To route more LANs from the client to the server, add more iroute and route directives to the appropriate configuration files, but keep in mind that the client side LANs will need to know how to route to the server.

クライアントとサーバー両方の LAN を接続

Combine the two previous sections:

/etc/openvpn/server.conf
push "route 10.66.0.0 255.255.255.0"
...
client-config-dir ccd
route 192.168.4.0 255.255.255.0
/etc/openvpn/ccd/bugs
iroute 192.168.4.0 255.255.255.0
ノート: Remember to make sure that all the LANs or the needed hosts can route to all the destinations.

クライアントとクライアントの LAN を接続

By default clients will not see each other. To allow IP packets to flow between clients and/or client LANs, add a client-to-client directive to the server configuration file:

/etc/openvpn/server.conf
client-to-client

In order for another client or client LAN to see a specific client LAN, you will need to add a push directive for each client subnet to the server configuration file (this will make the server announce the available subnet(s) to other clients):

/etc/openvpn/server.conf
client-to-client
push "route 192.168.4.0 255.255.255.0"
push "route 192.168.5.0 255.255.255.0"
...
ノート: As always, make sure that the routing is properly configured.

DNS

The DNS servers used by the system are defined in /etc/resolv.conf. Traditionally, this file is the responsibility of whichever program deals with connecting the system to the network (e.g. Wicd, NetworkManager, etc...) However, OpenVPN will need to modify this file if you want to be able to resolve names on the remote side. To achieve this in a sensible way, install openresolv, which makes it possible for more than one program to modify resolv.conf without stepping on each-other's toes.

Before continuing, test openresolv by restarting your network connection and ensuring that resolv.conf states that it was generated by resolvconf, and that your DNS resolution still works as before. You should not need to configure openresolv; it should be automatically detected and used by your network system.

For Linux, OpenVPN can send DNS host information, but expects an external process to act on it. This can be done with a openvpn-update-resolv-conf script, which can be saved for example at /etc/openvpn/update-resolv-conf and make it executable with chmod. There is also an AUR package: openvpn-update-resolv-confAUR which will take care of the script installation for you.

Once the script is installed add lines like the following into your OpenVPN client configuration file:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Now, when your launch your OpenVPN connection, you should find that your resolv.conf file is updated accordingly, and also returns to normal when your close the connection.

L2 Ethernet ブリッジ

次を参照: OpenVPN Bridge

トラブルシューティング

問題の解決

If you are having resolve issues when starting your profile:

# journalctl _SYSTEMD_UNIT=openvpn@profile.service
RESOLVE: Cannot resolve host address: example.com: Name or service not known

Then, only if your network setup can be started before OpenVPN, you should force OpenVPN to wait for the network by adding Requires=network.target and After=network.target to the OpenVPN systemd service file:

/usr/lib/systemd/system/openvpn@.service
[Unit]
Description=OpenVPN connection to %i
Requires=network.target
After=network.target
...

忘れずに systemctl daemon-reload を実行して openvpn@profile.service再起動してください。

サスペンド後にクライアントデーモンが再起動しない

If you put your client system to sleep, and on resume openvpn does not restart, resulting in broken connectivity, create the following file:

/usr/lib/systemd/system-sleep/vpn.sh
#!/bin/sh
if [ "$1" == "pre" ]
then
  killall openvpn
fi

Make it executable chmod a+x /usr/lib/systemd/system-sleep/vpn.sh

/etc/systemd/system/openvpn@.service.d/restart.conf
[Service]
Restart=always

しばらく通信しないと接続が切れる

If the VPN-Connection drops some seconds after it stopped transmitting data and, even though it states it is connected, no data can be transmitted through the tunnel, try adding a keepalivedirective to the server's configuration:

/etc/openvpn/server.conf
...
keepalive 10 120
...

In this case the server will send ping-like messages to all of its clients every 10 seconds, thus keeping the tunnel up. If the server does not receive a response within 120 seconds from a specific client, it will assume this client is down.

A small ping-interval can increase the stability of the tunnel, but will also cause slightly higher traffic. Depending on your connection, also try lower intervals than 10 seconds.

参照