■Connecting a P2P VPN with a pre-shared key on Wheezy/Squeeze.
Last time I made the P2P connection without a pre-shared key:
Connecting with an easy, unencrypted VPN using OpenVPN on Wheezy/Squeeze
http://labunix.hateblo.jp/entry/20130610/1370869975
$ cat vpn_static.diag
blockdiag {
VPNClientLAN [label = "VPNC tun1\n172.16.31.12",linecolor=orange];
VPNClientWAN [label = "eth0\n192.168.45.11",shape=roundedbox];
VPNServerWAN [label = "vmnet8\n192.168.45.1",shape=roundedbox];
VPNServerLAN1 [label = "VPNS tun1\n172.16.31.11",linecolor=orange];
VPNServerLAN2 [label = "eth0\n172.16.31.10"];
Internet [label = "Virtual\nInternet\n",shape=cloud,height=60];
VPNClientWAN -> VPNServerWAN;
VPNServerWAN -> VPNServerLAN1 -> VPNServerLAN2 -> Internet;
VPNClientLAN -> VPNServerLAN1 [label="VPN",style=dashed,folded];
group Guest {
label = "GuestOS"
color = lightgreen;
VPNClientLAN -> VPNClientWAN;
}
group Host {
orientation = portrait;
label = "HostOS"
color = lightblue;
VPNServerWAN; VPNServerLAN1; VPNServerLAN2;
}
}
■Generating the static key and pre-sharing it.
The key file must be owned by root with mode 600. It is the only secret in static-key mode: whoever holds the file can decrypt and forge traffic in both directions, and there is no forward secrecy, so it is handled like a private key.
$ sudo openvpn --genkey --secret static.key
$ sudo chown labunix:labunix static.key
$ scp static.key labunix@192.168.45.11:~/
labunix@192.168.45.11's password:
static.key 100% 636 0.6KB/s 00:00
$ sudo chown root:root static.key
$ ssh labunix@192.168.45.11
$ sudo chown root:root static.key
$ ls -l static.key
-rw-------. 1 root root 636 Jun 11 22:44 static.key
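The checks I would run on static.key before and after the scp above, as an added example that is not part of the original post. The function names, the file names and the fallback key generator (used only when openvpn is not installed) are my own assumptions; the layout it checks is what `openvpn --genkey --secret` wrote above (636 bytes: '#' header, BEGIN line, 16 lines of 32 hex characters, END line).

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks for static.key.
#   1. ownership/permissions: regular file, mode 600, owned by the expected
#      user (root in the post; passed as an argument so the checks can also
#      be run unprivileged)
#   2. layout: what `openvpn --genkey --secret` writes, i.e. a BEGIN line,
#      16 lines of 32 lowercase hex characters (2048 bits), an END line and
#      nothing else but '#' comment lines
#   3. a SHA-256 fingerprint to read out over a channel other than the scp
#      session, so both ends can confirm they hold the same file
# Function and file names here are my own. Return codes of check_static_key:
# 0 ok, 1 ownership/permission problem, 2 layout problem.

check_static_key() {
    f=$1
    owner=${2:-root}
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    # Read mode and owner from ls(1) rather than stat(1), whose flags differ
    # between GNU and BSD; the glob tolerates the trailing "." or "+" that
    # SELinux or ACLs add to the mode column (as in the ls output above).
    set -- $(ls -ld "$f")
    mode=$1; fowner=$3
    case "$mode" in
        -rw-------*) ;;
        *) echo "$f: mode '$mode', expected -rw------- (600)" >&2; return 1 ;;
    esac
    [ "$fowner" = "$owner" ] || { echo "$f: owner '$fowner', expected '$owner'" >&2; return 1; }
    # `|| true` keeps a zero count from aborting a caller running under set -e.
    begin=$(grep -c '^-----BEGIN OpenVPN Static key V1-----$' "$f" || true)
    end=$(grep -c '^-----END OpenVPN Static key V1-----$' "$f" || true)
    hexlines=$(grep -c -E '^[0-9a-f]{32}$' "$f" || true)
    stray=$(grep -v -E '^(#|-----(BEGIN|END) OpenVPN Static key V1-----$|[0-9a-f]{32}$)' "$f" | wc -l | tr -d ' ')
    if [ "$begin" -ne 1 ] || [ "$end" -ne 1 ] || [ "$hexlines" -ne 16 ] || [ "$stray" -ne 0 ]; then
        echo "$f: not a 2048-bit OpenVPN V1 static key (begin=$begin end=$end hex=$hexlines stray=$stray)" >&2
        return 2
    fi
    return 0
}

# Fingerprint for out-of-band comparison; run on both ends after the scp.
key_fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Key for the demonstration. Uses the real generator when openvpn is
# installed; otherwise (assumption: /dev/urandom, od and fold are available)
# writes the same layout from the kernel RNG so the checks can be exercised
# on a box without OpenVPN. Either way the file is 0600 before data lands in it.
make_static_key() {
    out=$1
    if command -v openvpn >/dev/null 2>&1; then
        openvpn --genkey --secret "$out"
    else
        (
            umask 077
            {
                printf '#\n# 2048 bit OpenVPN static key\n#\n'
                printf '%s\n' '-----BEGIN OpenVPN Static key V1-----'
                od -A n -t x1 -N 256 /dev/urandom | tr -d ' \n' | fold -w 32
                printf '\n%s\n' '-----END OpenVPN Static key V1-----'
            } > "$out"
        )
    fi
    chmod 600 "$out"
}

# Usage: sh check_static_key.sh /path/to/static.key [expected-owner]
if [ $# -ge 1 ]; then
    rc=0
    check_static_key "$1" "${2:-root}" || rc=$?
    [ "$rc" -eq 0 ] && echo "$1: ok, SHA-256 $(key_fingerprint "$1")"
    exit $rc
fi
```

Run it as root on both machines after the chown root:root step; the two fingerprints must match, and a copy that scp left world-readable, or that was truncated in transit, is reported before OpenVPN ever touches it.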
■Host side
Note: since this is point-to-point, giving the server side "--remote 192.168.45.11" as well does no harm.
Two things worth reading in the log below. The /usr/sbin/openvpn-vulnkey line is Debian's check of the key against the openvpn-blacklist list of keys produced by the 2008 Debian OpenSSL PRNG bug; it is silent here because the key is not on the list. The "BF-CBC ... 128 bit key" and "SHA1" lines are the OpenVPN 2.x defaults used when --cipher and --auth are not given; Blowfish is a 64-bit-block cipher, and both can be pinned to something stronger with --cipher and --auth as long as both ends use the same values (openvpn --show-ciphers and --show-digests list what the local build supports).
$ sudo openvpn --dev tun1 --ifconfig 172.16.31.11 172.16.31.12 --verb 3 --secret static.key
Tue Jun 11 22:56:03 2013 OpenVPN 2.1.3 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Feb 20 2012
Tue Jun 11 22:56:03 2013 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.
OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Jun 11 22:56:03 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Jun 11 22:56:03 2013 /usr/sbin/openvpn-vulnkey -q static.key
Tue Jun 11 22:56:04 2013 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jun 11 22:56:04 2013 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jun 11 22:56:04 2013 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jun 11 22:56:04 2013 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jun 11 22:56:04 2013 Socket Buffers: R=[112640->131072] S=[112640->131072]
Tue Jun 11 22:56:04 2013 WARNING: potential TUN/TAP adapter subnet conflict between local LAN [172.16.31.0/255.255.255.0]
and remote VPN [172.16.31.11/255.255.255.255]
Tue Jun 11 22:56:04 2013 TUN/TAP device tun1 opened
Tue Jun 11 22:56:04 2013 TUN/TAP TX queue length set to 100
Tue Jun 11 22:56:04 2013 /sbin/ifconfig tun1 172.16.31.11 pointopoint 172.16.31.12 mtu 1500
Tue Jun 11 22:56:04 2013 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:4 ET:0 EL:0 ]
Tue Jun 11 22:56:04 2013 Local Options hash (VER=V4): '6013e5ac'
Tue Jun 11 22:56:04 2013 Expected Remote Options hash (VER=V4): 'ff617ba7'
Tue Jun 11 22:56:04 2013 UDPv4 link local (bound): [undef]
Tue Jun 11 22:56:04 2013 UDPv4 link remote: [undef]
Tue Jun 11 22:57:18 2013 Peer Connection Initiated with [AF_INET]192.168.45.11:1194
Tue Jun 11 22:57:18 2013 Initialization Sequence Completed
■Guest side
$ sudo openvpn --remote 192.168.45.1 --dev tun1 --ifconfig 172.16.31.12 172.16.31.11 --verb 3 --secret static.key
Tue Jun 11 22:57:05 2013 OpenVPN 2.2.1 i486-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH]
[PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 23 2012
Tue Jun 11 22:57:05 2013 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.
OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Jun 11 22:57:05 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Jun 11 22:57:05 2013 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jun 11 22:57:05 2013 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jun 11 22:57:05 2013 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jun 11 22:57:05 2013 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jun 11 22:57:05 2013 Socket Buffers: R=[163840->131072] S=[163840->131072]
Tue Jun 11 22:57:06 2013 TUN/TAP device tun1 opened
Tue Jun 11 22:57:06 2013 TUN/TAP TX queue length set to 100
Tue Jun 11 22:57:06 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jun 11 22:57:06 2013 /sbin/ifconfig tun1 172.16.31.12 pointopoint 172.16.31.11 mtu 1500
Tue Jun 11 22:57:06 2013 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:4 ET:0 EL:0 ]
Tue Jun 11 22:57:06 2013 Local Options hash (VER=V4): 'ff617ba7'
Tue Jun 11 22:57:06 2013 Expected Remote Options hash (VER=V4): '6013e5ac'
Tue Jun 11 22:57:06 2013 UDPv4 link local (bound): [undef]
Tue Jun 11 22:57:06 2013 UDPv4 link remote: [AF_INET]192.168.45.1:1194
Tue Jun 11 22:57:16 2013 Peer Connection Initiated with [AF_INET]192.168.45.1:1194
Tue Jun 11 22:57:17 2013 Initialization Sequence Completed
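The two command lines above written as config files, with the cipher and HMAC pinned rather than left at the defaults, plus a pre-flight consistency check, as an added example that is not part of the original post. Nothing in static-key mode negotiates options: dev, cipher and auth must be identical on both ends and the ifconfig pair must be mirrored, which is why in the logs above each side's "Expected Remote Options hash" equals the other side's "Local Options hash" (the hash digests these settings among others). The addresses are the post's; host.ovpn, guest.ovpn and the function names are my own, and AES-256-CBC / SHA256 stand for whatever both ends' builds support.

```shell
#!/bin/sh
# Added example, not part of the original post: the host and guest settings
# as OpenVPN config files, with cipher and auth set explicitly instead of the
# 2.x defaults the log reports (BF-CBC, SHA1), and a check that the pair is
# consistent before either side is started. File and function names are mine.

write_peer_configs() {
    dir=$1
    cat > "$dir/host.ovpn" <<'EOF'
# host (vmnet8 192.168.45.1): no "remote", it waits for the peer
dev tun1
ifconfig 172.16.31.11 172.16.31.12
secret static.key
cipher AES-256-CBC
auth SHA256
verb 3
EOF
    cat > "$dir/guest.ovpn" <<'EOF'
# guest (eth0 192.168.45.11): same options, ifconfig addresses mirrored
remote 192.168.45.1
dev tun1
ifconfig 172.16.31.12 172.16.31.11
secret static.key
cipher AES-256-CBC
auth SHA256
verb 3
EOF
}

# Value of option $2 in config $1 (first occurrence; '#' lines never match).
opt() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

# 0 if the two configs can form a static-key P2P pair, 1 otherwise.
# Options that must be identical are compared verbatim; ifconfig must be the
# same two addresses in the opposite order.
peer_configs_consistent() {
    a=$1; b=$2; ok=0
    for o in dev secret cipher auth; do
        if [ "$(opt "$a" "$o")" != "$(opt "$b" "$o")" ]; then
            echo "$o differs: '$(opt "$a" "$o")' vs '$(opt "$b" "$o")'" >&2
            ok=1
        fi
    done
    set -- $(opt "$a" ifconfig); al=$1; ar=$2
    set -- $(opt "$b" ifconfig); bl=$1; br=$2
    if [ -z "$al" ] || [ -z "$ar" ] || [ "$al" != "$br" ] || [ "$ar" != "$bl" ]; then
        echo "ifconfig not mirrored: '$al $ar' vs '$bl $br'" >&2
        ok=1
    fi
    return $ok
}

# Usage: sh peer_configs.sh /etc/openvpn   (writes both files, then checks them)
if [ $# -ge 1 ]; then
    write_peer_configs "$1"
    peer_configs_consistent "$1/host.ovpn" "$1/guest.ovpn" && echo "$1: host/guest pair is consistent"
fi
```

Each side then starts with `sudo openvpn --config host.ovpn` or `--config guest.ovpn`; a cipher changed on one end only, or an ifconfig line copied instead of mirrored, is caught by the check rather than by a tunnel that never completes.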
■Verification
Run on the guest, pinging its own tun1 end, the host's tun1 end, the host's eth0 and 172.16.31.1 beyond it in turn. Unlike the previous, unencrypted post, a capture on the WAN interface during these pings should now show only UDP to port 1194 and no ICMP.
$ for list in 172.16.31.{12,11,10,1};do ping -c 1 "$list";done
PING 172.16.31.12 (172.16.31.12) 56(84) bytes of data.
64 bytes from 172.16.31.12: icmp_req=1 ttl=64 time=0.152 ms
--- 172.16.31.12 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.152/0.152/0.152/0.000 ms
PING 172.16.31.11 (172.16.31.11) 56(84) bytes of data.
64 bytes from 172.16.31.11: icmp_req=1 ttl=64 time=1.25 ms
--- 172.16.31.11 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.259/1.259/1.259/0.000 ms
PING 172.16.31.10 (172.16.31.10) 56(84) bytes of data.
64 bytes from 172.16.31.10: icmp_req=1 ttl=128 time=0.530 ms
--- 172.16.31.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.530/0.530/0.530/0.000 ms
PING 172.16.31.1 (172.16.31.1) 56(84) bytes of data.
64 bytes from 172.16.31.1: icmp_req=1 ttl=128 time=1.34 ms
--- 172.16.31.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.343/1.343/1.343/0.000 ms