labunix's blog

labunix's LabUnix

Configuring an OpenVPN P2P connection (cleartext, pre-shared key) with a config file.

■Configuring an OpenVPN P2P connection (cleartext, pre-shared key) with a config file.

 Connecting with a quick, unencrypted VPN using OpenVPN on Wheezy/Squeeze
 http://labunix.hateblo.jp/entry/20130610/1370869975

 Connecting with a pre-shared-key P2P VPN on Wheezy/Squeeze.
 http://labunix.hateblo.jp/entry/20130611/1370959526

■Add settings so that OpenVPN runs as nobody/nogroup after initialization.

$ grep ^no /etc/passwd /etc/group | awk -F\: '{print $1,$2}'
/etc/passwd nobody
/etc/group nogroup

■Read the key file and open the tun device only while still running as root at startup,
 and do not re-read or reopen them after that.

$ man openvpn | grep -A 1 "^  *\-\-persist-[kt]..\$"
       --persist-tun
              Don't close and reopen TUN/TAP device  or  run  up/down  scripts
--
       --persist-key
              Don't re-read key files across SIGUSR1 or --ping-restart.


■Cleartext connection

$ cat cleartext_server.conf
port 1194
proto udp
dev tun1
ifconfig 10.26.7.13 10.26.7.14
user nobody
group nogroup
persist-key
persist-tun
#secret static.key
status static_server.log

$ cat cleartext_client.conf
remote 192.168.45.1
port 1194
proto udp
dev tun1
ifconfig 10.26.7.14 10.26.7.13
persist-key
persist-tun
#secret static.key
status static_client.log

$ sudo openvpn --config cleartext_client.conf
Fri Jun 14 00:11:39 2013 OpenVPN 2.2.1 i486-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6]
 [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 23 2012
Fri Jun 14 00:11:39 2013 NOTE: OpenVPN 2.1 requires '--script-security 2'
 or higher to call user-defined scripts or executables
Fri Jun 14 00:11:39 2013 ******* WARNING *******: all encryption and authentication features disabled
 -- all data will be tunnelled as cleartext
Fri Jun 14 00:11:39 2013 TUN/TAP device tun1 opened
Fri Jun 14 00:11:39 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Jun 14 00:11:39 2013 /sbin/ifconfig tun1 10.26.7.14 pointopoint 10.26.7.13 mtu 1500
Fri Jun 14 00:11:39 2013 UDPv4 link local (bound): [undef]
Fri Jun 14 00:11:39 2013 UDPv4 link remote: [AF_INET]192.168.45.1:1194
Fri Jun 14 00:11:49 2013 Peer Connection Initiated with [AF_INET]192.168.45.1:1194
Fri Jun 14 00:11:50 2013 Initialization Sequence Completed

$ sudo openvpn --config cleartext_server.conf
Fri Jun 14 00:17:44 2013 OpenVPN 2.1.3 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6]
 [eurephia] built on Feb 20 2012
Fri Jun 14 00:17:44 2013 NOTE: OpenVPN 2.1 requires '--script-security 2'
 or higher to call user-defined scripts or executables
Fri Jun 14 00:17:44 2013 ******* WARNING *******: all encryption and authentication features disabled
 -- all data will be tunnelled as cleartext
Fri Jun 14 00:17:44 2013 WARNING: potential TUN/TAP adapter subnet conflict between local LAN
 [10.26.7.0/255.255.255.0] and remote VPN [10.26.7.13/255.255.255.255]
Fri Jun 14 00:17:44 2013 TUN/TAP device tun1 opened
Fri Jun 14 00:17:44 2013 /sbin/ifconfig tun1 10.26.7.13 pointopoint 10.26.7.14 mtu 1500
Fri Jun 14 00:17:44 2013 GID set to nogroup
Fri Jun 14 00:17:44 2013 UID set to nobody
Fri Jun 14 00:17:44 2013 UDPv4 link local (bound): [undef]
Fri Jun 14 00:17:44 2013 UDPv4 link remote: [undef]
Fri Jun 14 00:17:58 2013 Peer Connection Initiated with [AF_INET]192.168.45.11:1194
Fri Jun 14 00:17:59 2013 Initialization Sequence Completed

■Enable the pre-shared key.

$ cat cleartext_server.conf
port 1194
proto udp
dev tun1
ifconfig 10.26.7.13 10.26.7.14
user nobody
group nogroup
persist-key
persist-tun
secret static.key
status static_server.log

$ cat cleartext_client.conf
remote 192.168.45.1
port 1194
proto udp
dev tun1
ifconfig 10.26.7.14 10.26.7.13
persist-key
persist-tun
secret static.key
status static_client.log

$ sudo openvpn --config cleartext_server.conf
Fri Jun 14 00:16:24 2013 OpenVPN 2.1.3 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6]
 [eurephia] built on Feb 20 2012
Fri Jun 14 00:16:24 2013 NOTE: OpenVPN 2.1 requires '--script-security 2'
 or higher to call user-defined scripts or executables
Fri Jun 14 00:16:24 2013 /usr/sbin/openvpn-vulnkey -q static.key
Fri Jun 14 00:16:24 2013 WARNING: potential TUN/TAP adapter subnet conflict between local LAN
 [10.26.7.0/255.255.255.0] and remote VPN [10.26.7.13/255.255.255.255]
Fri Jun 14 00:16:24 2013 TUN/TAP device tun1 opened
Fri Jun 14 00:16:24 2013 /sbin/ifconfig tun1 10.26.7.13 pointopoint 10.26.7.14 mtu 1500
Fri Jun 14 00:16:24 2013 GID set to nogroup
Fri Jun 14 00:16:24 2013 UID set to nobody
Fri Jun 14 00:16:24 2013 UDPv4 link local (bound): [undef]
Fri Jun 14 00:16:24 2013 UDPv4 link remote: [undef]
Fri Jun 14 00:16:50 2013 Peer Connection Initiated with [AF_INET]192.168.45.11:1194
Fri Jun 14 00:16:52 2013 Initialization Sequence Completed

$ sudo openvpn --config cleartext_client.conf
Fri Jun 14 00:10:32 2013 OpenVPN 2.2.1 i486-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6]
 [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 23 2012
Fri Jun 14 00:10:32 2013 NOTE: OpenVPN 2.1 requires '--script-security 2'
 or higher to call user-defined scripts or executables
Fri Jun 14 00:10:32 2013 TUN/TAP device tun1 opened
Fri Jun 14 00:10:32 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Jun 14 00:10:32 2013 /sbin/ifconfig tun1 10.26.7.14 pointopoint 10.26.7.13 mtu 1500
Fri Jun 14 00:10:32 2013 UDPv4 link local (bound): [undef]
Fri Jun 14 00:10:32 2013 UDPv4 link remote: [AF_INET]192.168.45.1:1194
Fri Jun 14 00:10:42 2013 Peer Connection Initiated with [AF_INET]192.168.45.1:1194
Fri Jun 14 00:10:43 2013 Initialization Sequence Completed
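An added example (not from the original post) that audits a static-key config for the three points made above: the cleartext section (a commented-out `secret` leaves the tunnel unencrypted and unauthenticated), the user/group privilege drop, and persist-key/persist-tun so a restart after the drop never needs root again. The directive names are real OpenVPN options; the sample config and the function names are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit an OpenVPN static-key
# config for an active 'secret' line (otherwise the tunnel is cleartext),
# user/group so the daemon drops root after initialization, and
# persist-key/persist-tun so a restart after the privilege drop never has to
# re-read the key or reopen the tun device. Sample config is constructed.

# ovpn_has DIRECTIVE TEXT: true if TEXT holds an active line for DIRECTIVE.
ovpn_has() {
    printf '%s\n' "$2" | grep -qE "^[[:space:]]*$1([[:space:]]|\$)"
}

# ovpn_audit FILE: print one finding per line, return the number of findings.
ovpn_audit() {
    _conf="$1"
    _n=0
    # Only active directives count: strip '#' and ';' comments and blank lines.
    _active=$(sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$_conf")
    if ! ovpn_has secret "$_active"; then
        echo "$_conf: no active 'secret': data and control channel are cleartext"
        _n=$((_n + 1))
    fi
    if ! ovpn_has user "$_active" || ! ovpn_has group "$_active"; then
        echo "$_conf: no user/group: daemon keeps root after initialization"
        _n=$((_n + 1))
    fi
    # After the privilege drop, SIGUSR1 or --ping-restart cannot re-read the
    # key or reopen the tun device unless both persist options are present.
    if { ovpn_has user "$_active" || ovpn_has group "$_active"; } &&
       ! { ovpn_has persist-key "$_active" && ovpn_has persist-tun "$_active"; }; then
        echo "$_conf: user/group without persist-key and persist-tun: restart would fail unprivileged"
        _n=$((_n + 1))
    fi
    return $_n
}

# Constructed demo: a client config like the post's, with 'secret' still commented out.
_demo=$(mktemp -d)
cat > "$_demo/cleartext_client.conf" <<'EOF'
dev tun1
ifconfig 10.26.7.14 10.26.7.13
persist-key
persist-tun
#secret static.key
EOF
ovpn_audit "$_demo/cleartext_client.conf" || echo "findings: $?"
rm -rf "$_demo"
```

The demo reports two findings (no active secret, no user/group); the post's pre-shared-key server config would pass with none.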

■Check the status logs.

$ sudo cat static_server.log
OpenVPN STATISTICS
Updated,Fri Jun 14 00:18:44 2013
TUN/TAP read bytes,0
TUN/TAP write bytes,0
TCP/UDP read bytes,120
TCP/UDP write bytes,120
Auth read bytes,120
END

$ sudo cat static_client.log
OpenVPN STATISTICS
Updated,Fri Jun 14 00:12:39 2013
TUN/TAP read bytes,0
TUN/TAP write bytes,0
TCP/UDP read bytes,120
TCP/UDP write bytes,120
Auth read bytes,120
END