labunix's blog

labunix's LabUnix

Connecting Wheezy/Squeeze over a P2P VPN with a pre-shared key.

■Connecting Wheezy/Squeeze over a P2P VPN with a pre-shared key.

 Last time, I made a P2P connection without a pre-shared key.

 Connecting over an easy, unencrypted VPN using OpenVPN on Wheezy/Squeeze
 http://labunix.hateblo.jp/entry/20130610/1370869975

[Figure: blockdiag rendering of vpn_static.diag, whose source follows]

$ cat vpn_static.diag
blockdiag {

        # Guest OS
        VPNClientLAN    [label = "VPNC tun1\n172.16.31.12",linecolor=orange];
        VPNClientWAN    [label = "eth0\n192.168.45.11",shape=roundedbox];

        # Host OS
        VPNServerWAN    [label = "vmnet8\n192.168.45.1",shape=roundedbox];
        VPNServerLAN1   [label = "VPNS tun1\n172.16.31.11",linecolor=orange];
        VPNServerLAN2   [label = "eth0\n172.16.31.10"];

        Internet        [label = "Virtual\nInternet\n",shape=cloud,height=60];

        VPNClientWAN -> VPNServerWAN;
        VPNServerWAN -> VPNServerLAN1 -> VPNServerLAN2 -> Internet;
        VPNClientLAN -> VPNServerLAN1 [label="VPN",style=dashed,folded];

        group Guest {
                #orientation = portrait;
                label = "GuestOS"
                color = lightgreen;
                VPNClientLAN -> VPNClientWAN;
        }
        group Host {
                orientation = portrait;
                label = "HostOS"
                color = lightblue;
                VPNServerWAN; VPNServerLAN1; VPNServerLAN2;
        }
}

■Generating the static key and pre-sharing it.
 The owner is root and the permissions are 600.

$ sudo openvpn --genkey --secret static.key
$ sudo chown labunix:labunix static.key
$ scp static.key labunix@192.168.45.11:~/
labunix@192.168.45.11's password:
static.key                                    100%  636     0.6KB/s   00:00
$ sudo chown root:root static.key
$ ssh labunix@192.168.45.11
$ sudo chown root:root static.key
$ ls -l static.key
-rw-------. 1 root root 636  6月 11 22:44 static.key
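The chown/chmod steps above are easy to get wrong on one of the two hosts (a key left readable by the login user after the scp, or a truncated copy). The following is an added example, not code from the original post: a POSIX sh audit that checks a static key file for the layout `openvpn --genkey --secret` writes (comment header, V1 BEGIN/END markers, 16 lines of 32 hex digits = 2048 bits, which matches the 636-byte file in the ls -l output), mode 600, and the expected owner. The sample key it writes is constructed with predictable hex and is not a usable secret; the function names and the `--demo` switch are this example's own. It assumes POSIX sh, awk, and either GNU or BSD stat.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OpenVPN static key
# file before pre-sharing it. Assumes POSIX sh, awk, GNU or BSD stat.

# Write a CONSTRUCTED stand-in for static.key to $1 with the same layout
# openvpn --genkey --secret produces. The hex is predictable, so this is
# NOT a usable secret; it only exercises the checks below.
write_sample_key() {
    out=$1
    : > "$out" && chmod 600 "$out" || return 1
    {
        printf '#\n# 2048 bit OpenVPN static key\n#\n'
        printf '%s\n' '-----BEGIN OpenVPN Static key V1-----'
        i=0
        while [ "$i" -lt 16 ]; do
            printf '%032x\n' "$i"      # 32 hex digits per line, 16 lines
            i=$((i + 1))
        done
        printf '%s\n' '-----END OpenVPN Static key V1-----'
    } > "$out"
}

# Return 0 when $1 carries the V1 markers with exactly 16 hex lines between
# them (comment lines ignored). A truncated scp or the wrong file fails here.
check_static_key_format() {
    f=$1
    [ -r "$f" ] || return 1
    grep -qx -- '-----BEGIN OpenVPN Static key V1-----' "$f" || return 1
    grep -qx -- '-----END OpenVPN Static key V1-----' "$f" || return 1
    n=$(awk '
        /^-----BEGIN OpenVPN Static key V1-----$/ { inkey = 1; next }
        /^-----END OpenVPN Static key V1-----$/   { inkey = 0 }
        inkey && length($0) == 32 && /^[0-9a-fA-F]+$/ { c++ }
        END { print c + 0 }' "$f")
    [ "$n" -eq 16 ]
}

# Return 0 when $1 is mode 600 (owner read/write only), as in the post's ls -l.
check_static_key_mode() {
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    [ "$m" = "600" ]
}

# Return 0 when $1 is owned by $2 (default root), as the post's chown sets.
check_static_key_owner() {
    o=$(stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1" 2>/dev/null)
    [ "$o" = "${2:-root}" ]
}

# Run all three checks, print one line per check, return 0 only if all pass.
audit_static_key() {
    f=$1; owner=${2:-root}; rc=0
    check_static_key_format "$f" && echo "format: ok" || { echo "format: BAD"; rc=1; }
    check_static_key_mode "$f"   && echo "mode:   ok" || { echo "mode:   BAD (want 600)"; rc=1; }
    check_static_key_owner "$f" "$owner" && echo "owner:  ok" || { echo "owner:  BAD (want $owner)"; rc=1; }
    return $rc
}

# Stand-alone demo on a throwaway key: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && write_sample_key "$tmp"
    audit_static_key "$tmp" "$(id -un)"
    rm -f "$tmp"
fi
```

Run `audit_static_key static.key root` on both machines after the chown steps; the owner check is parameterised because the file is briefly owned by the login user while it is in transit, which is exactly the window the audit is meant to close.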

■Host side
 ※ Since this is P2P, it is also fine to add "--remote 192.168.45.11" on the server side.

$ sudo openvpn --dev tun1 --ifconfig 172.16.31.11 172.16.31.12 --verb 3 --secret static.key
Tue Jun 11 22:56:03 2013 OpenVPN 2.1.3 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Feb 20 2012
Tue Jun 11 22:56:03 2013 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.
  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Jun 11 22:56:03 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Jun 11 22:56:03 2013 /usr/sbin/openvpn-vulnkey -q static.key
Tue Jun 11 22:56:04 2013 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jun 11 22:56:04 2013 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jun 11 22:56:04 2013 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jun 11 22:56:04 2013 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jun 11 22:56:04 2013 Socket Buffers: R=[112640->131072] S=[112640->131072]
Tue Jun 11 22:56:04 2013 WARNING: potential TUN/TAP adapter subnet conflict between local LAN [172.16.31.0/255.255.255.0]
 and remote VPN [172.16.31.11/255.255.255.255]
Tue Jun 11 22:56:04 2013 TUN/TAP device tun1 opened
Tue Jun 11 22:56:04 2013 TUN/TAP TX queue length set to 100
Tue Jun 11 22:56:04 2013 /sbin/ifconfig tun1 172.16.31.11 pointopoint 172.16.31.12 mtu 1500
Tue Jun 11 22:56:04 2013 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:4 ET:0 EL:0 ]
Tue Jun 11 22:56:04 2013 Local Options hash (VER=V4): '6013e5ac'
Tue Jun 11 22:56:04 2013 Expected Remote Options hash (VER=V4): 'ff617ba7'
Tue Jun 11 22:56:04 2013 UDPv4 link local (bound): [undef]
Tue Jun 11 22:56:04 2013 UDPv4 link remote: [undef]
Tue Jun 11 22:57:18 2013 Peer Connection Initiated with [AF_INET]192.168.45.11:1194
Tue Jun 11 22:57:18 2013 Initialization Sequence Completed

■Guest side

$ sudo openvpn --remote 192.168.45.1 --dev tun1 --ifconfig 172.16.31.12 172.16.31.11 --verb 3 --secret static.key
Tue Jun 11 22:57:05 2013 OpenVPN 2.2.1 i486-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH]
 [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 23 2012
Tue Jun 11 22:57:05 2013 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.
  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Jun 11 22:57:05 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Jun 11 22:57:05 2013 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jun 11 22:57:05 2013 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jun 11 22:57:05 2013 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jun 11 22:57:05 2013 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jun 11 22:57:05 2013 Socket Buffers: R=[163840->131072] S=[163840->131072]
Tue Jun 11 22:57:06 2013 TUN/TAP device tun1 opened
Tue Jun 11 22:57:06 2013 TUN/TAP TX queue length set to 100
Tue Jun 11 22:57:06 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jun 11 22:57:06 2013 /sbin/ifconfig tun1 172.16.31.12 pointopoint 172.16.31.11 mtu 1500
Tue Jun 11 22:57:06 2013 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:4 ET:0 EL:0 ]
Tue Jun 11 22:57:06 2013 Local Options hash (VER=V4): 'ff617ba7'
Tue Jun 11 22:57:06 2013 Expected Remote Options hash (VER=V4): '6013e5ac'
Tue Jun 11 22:57:06 2013 UDPv4 link local (bound): [undef]
Tue Jun 11 22:57:06 2013 UDPv4 link remote: [AF_INET]192.168.45.1:1194
Tue Jun 11 22:57:16 2013 Peer Connection Initiated with [AF_INET]192.168.45.1:1194
Tue Jun 11 22:57:17 2013 Initialization Sequence Completed
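The two startup logs above carry the facts worth reviewing before trusting the tunnel: the data-channel cipher and HMAC OpenVPN fell back to with no `--cipher`/`--auth` given (BF-CBC with SHA1), the host-side warning that the tun addresses 172.16.31.11/12 overlap the host's own LAN 172.16.31.0/24, the peer that actually connected, and whether initialization completed. The following is an added example, not code from the original post: a POSIX sh triage that extracts those values from a `--verb 3` log and reports findings. The sample log is constructed from the host-side lines above (with the wrapped WARNING line joined); the function names are this example's own. The cipher finding rests on Blowfish, DES and 3DES having a 64-bit block size, and `--cipher AES-256-CBC` is a standard OpenVPN 2.x option that must be set identically on both peers in static-key mode.

```shell
#!/bin/sh
# Added example (not from the original post): pull the security-relevant
# facts out of an OpenVPN --verb 3 startup log. Assumes POSIX sh, sed, grep.

# CONSTRUCTED sample: the host-side log lines that matter for review.
sample_log() {
cat <<'EOF'
Tue Jun 11 22:56:03 2013 /usr/sbin/openvpn-vulnkey -q static.key
Tue Jun 11 22:56:04 2013 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jun 11 22:56:04 2013 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jun 11 22:56:04 2013 WARNING: potential TUN/TAP adapter subnet conflict between local LAN [172.16.31.0/255.255.255.0] and remote VPN [172.16.31.11/255.255.255.255]
Tue Jun 11 22:57:18 2013 Peer Connection Initiated with [AF_INET]192.168.45.11:1194
Tue Jun 11 22:57:18 2013 Initialization Sequence Completed
EOF
}

# Each helper reads a log on stdin and prints one value (or nothing).
log_cipher() { sed -n "s/.*Static Encrypt: Cipher '\([^']*\)'.*/\1/p" | head -n 1; }
log_hmac()   { sed -n "s/.*message hash '\([^']*\)' for HMAC.*/\1/p" | head -n 1; }
log_peer()   { sed -n 's/.*Peer Connection Initiated with \[AF_INET\]\([0-9.]*:[0-9]*\).*/\1/p' | head -n 1; }
log_completed()       { grep -q 'Initialization Sequence Completed'; }
log_subnet_conflict() { grep -q 'potential TUN/TAP adapter subnet conflict'; }

# Return 0 for ciphers with a 64-bit block (Blowfish, DES, 3DES): on a
# long-lived tunnel those are exposed to birthday-bound attacks, so flag them.
is_64bit_block_cipher() {
    case "$1" in
        BF-*|DES-*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Summarise a log read from stdin; return 0 only when it completed cleanly
# with no findings.
triage_log() {
    log=$(cat)
    rc=0
    cipher=$(printf '%s\n' "$log" | log_cipher)
    hmac=$(printf '%s\n' "$log" | log_hmac)
    peer=$(printf '%s\n' "$log" | log_peer)
    echo "cipher=${cipher:-?} hmac=${hmac:-?} peer=${peer:-none}"
    if is_64bit_block_cipher "$cipher"; then
        echo "FINDING: 64-bit block cipher $cipher; set --cipher AES-256-CBC on both peers"; rc=1
    fi
    if printf '%s\n' "$log" | log_subnet_conflict; then
        echo "FINDING: tun addresses overlap the local LAN; use a disjoint range for --ifconfig"; rc=1
    fi
    printf '%s\n' "$log" | log_completed || { echo "FINDING: initialization did not complete"; rc=1; }
    return $rc
}

# Stand-alone demo: sh thisfile.sh --demo   (or: openvpn ... 2>&1 | triage_log)
if [ "${1:-}" = "--demo" ]; then
    sample_log | triage_log
fi
```

On the host log above the triage reports the BF-CBC cipher and the LAN overlap as findings and exits non-zero; a log from a run with `--cipher AES-256-CBC` on both sides and a tun range outside 172.16.31.0/24 passes.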

■Verification

$ for list in 172.16.31.{12,11,10,1};do ping -c 1 "$list";done
PING 172.16.31.12 (172.16.31.12) 56(84) bytes of data.
64 bytes from 172.16.31.12: icmp_req=1 ttl=64 time=0.152 ms

--- 172.16.31.12 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.152/0.152/0.152/0.000 ms
PING 172.16.31.11 (172.16.31.11) 56(84) bytes of data.
64 bytes from 172.16.31.11: icmp_req=1 ttl=64 time=1.25 ms

--- 172.16.31.11 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.259/1.259/1.259/0.000 ms
PING 172.16.31.10 (172.16.31.10) 56(84) bytes of data.
64 bytes from 172.16.31.10: icmp_req=1 ttl=128 time=0.530 ms

--- 172.16.31.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.530/0.530/0.530/0.000 ms
PING 172.16.31.1 (172.16.31.1) 56(84) bytes of data.
64 bytes from 172.16.31.1: icmp_req=1 ttl=128 time=1.34 ms

--- 172.16.31.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.343/1.343/1.343/0.000 ms