■Configure an OpenVPN P2P connection (cleartext, then pre-shared key) from config files.
Using OpenVPN on Wheezy/Squeeze for a quick, unencrypted VPN link
http://labunix.hateblo.jp/entry/20130610/1370869975
Connecting a pre-shared-key P2P VPN on Wheezy/Squeeze.
http://labunix.hateblo.jp/entry/20130611/1370959526
■Add settings so that OpenVPN drops to nobody/nogroup after initialization.
$ grep ^no /etc/passwd /etc/group | awk -F\: '{print $1,$2}'
/etc/passwd nobody
/etc/group nogroup
■Read the key file and open the tun device only while still running as root at startup;
do not re-read the key or reopen the device afterwards (that would fail once privileges are dropped).
$ man openvpn | grep -A 1 "^ *\-\-persist-[kt]..\$"
--persist-tun
Don't close and reopen TUN/TAP device or run up/down scripts
--
--persist-key
Don't re-read key files across SIGUSR1 or --ping-restart.
■Connecting in cleartext (no encryption, no authentication)
$ cat cleartext_server.conf
port 1194
proto udp
dev tun1
ifconfig 10.26.7.13 10.26.7.14
user nobody
group nogroup
persist-key
persist-tun
status static_server.log
$ cat cleartext_client.conf
remote 192.168.45.1
port 1194
proto udp
dev tun1
ifconfig 10.26.7.14 10.26.7.13
persist-key
persist-tun
status static_client.log
$ sudo openvpn --config cleartext_client.conf
Fri Jun 14 00:11:39 2013 OpenVPN 2.2.1 i486-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6]
[IPv6 payload 20110424-2 (2.2RC2)] built on Mar 23 2012
Fri Jun 14 00:11:39 2013 NOTE: OpenVPN 2.1 requires '--script-security 2'
or higher to call user-defined scripts or executables
Fri Jun 14 00:11:39 2013 ******* WARNING *******: all encryption and authentication features disabled
-- all data will be tunnelled as cleartext
Fri Jun 14 00:11:39 2013 TUN/TAP device tun1 opened
Fri Jun 14 00:11:39 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Jun 14 00:11:39 2013 /sbin/ifconfig tun1 10.26.7.14 pointopoint 10.26.7.13 mtu 1500
Fri Jun 14 00:11:39 2013 UDPv4 link local (bound): [undef]
Fri Jun 14 00:11:39 2013 UDPv4 link remote: [AF_INET]192.168.45.1:1194
Fri Jun 14 00:11:49 2013 Peer Connection Initiated with [AF_INET]192.168.45.1:1194
Fri Jun 14 00:11:50 2013 Initialization Sequence Completed
$ sudo openvpn --config cleartext_server.conf
Fri Jun 14 00:17:44 2013 OpenVPN 2.1.3 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6]
[eurephia] built on Feb 20 2012
Fri Jun 14 00:17:44 2013 NOTE: OpenVPN 2.1 requires '--script-security 2'
or higher to call user-defined scripts or executables
Fri Jun 14 00:17:44 2013 ******* WARNING *******: all encryption and authentication features disabled
-- all data will be tunnelled as cleartext
Fri Jun 14 00:17:44 2013 WARNING: potential TUN/TAP adapter subnet conflict between local LAN
[10.26.7.0/255.255.255.0] and remote VPN [10.26.7.13/255.255.255.255]
Fri Jun 14 00:17:44 2013 TUN/TAP device tun1 opened
Fri Jun 14 00:17:44 2013 /sbin/ifconfig tun1 10.26.7.13 pointopoint 10.26.7.14 mtu 1500
Fri Jun 14 00:17:44 2013 GID set to nogroup
Fri Jun 14 00:17:44 2013 UID set to nobody
Fri Jun 14 00:17:44 2013 UDPv4 link local (bound): [undef]
Fri Jun 14 00:17:44 2013 UDPv4 link remote: [undef]
Fri Jun 14 00:17:58 2013 Peer Connection Initiated with [AF_INET]192.168.45.11:1194
Fri Jun 14 00:17:59 2013 Initialization Sequence Completed
■Enable the pre-shared (static) key.
$ cat cleartext_server.conf
port 1194
proto udp
dev tun1
ifconfig 10.26.7.13 10.26.7.14
user nobody
group nogroup
persist-key
persist-tun
secret static.key
status static_server.log
$ cat cleartext_client.conf
remote 192.168.45.1
port 1194
proto udp
dev tun1
ifconfig 10.26.7.14 10.26.7.13
persist-key
persist-tun
secret static.key
status static_client.log
$ sudo openvpn --config cleartext_server.conf
Fri Jun 14 00:16:24 2013 OpenVPN 2.1.3 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6]
[eurephia] built on Feb 20 2012
Fri Jun 14 00:16:24 2013 NOTE: OpenVPN 2.1 requires '--script-security 2'
or higher to call user-defined scripts or executables
Fri Jun 14 00:16:24 2013 /usr/sbin/openvpn-vulnkey -q static.key
Fri Jun 14 00:16:24 2013 WARNING: potential TUN/TAP adapter subnet conflict between local LAN
[10.26.7.0/255.255.255.0] and remote VPN [10.26.7.13/255.255.255.255]
Fri Jun 14 00:16:24 2013 TUN/TAP device tun1 opened
Fri Jun 14 00:16:24 2013 /sbin/ifconfig tun1 10.26.7.13 pointopoint 10.26.7.14 mtu 1500
Fri Jun 14 00:16:24 2013 GID set to nogroup
Fri Jun 14 00:16:24 2013 UID set to nobody
Fri Jun 14 00:16:24 2013 UDPv4 link local (bound): [undef]
Fri Jun 14 00:16:24 2013 UDPv4 link remote: [undef]
Fri Jun 14 00:16:50 2013 Peer Connection Initiated with [AF_INET]192.168.45.11:1194
Fri Jun 14 00:16:52 2013 Initialization Sequence Completed
$ sudo openvpn --config cleartext_client.conf
Fri Jun 14 00:10:32 2013 OpenVPN 2.2.1 i486-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6]
[IPv6 payload 20110424-2 (2.2RC2)] built on Mar 23 2012
Fri Jun 14 00:10:32 2013 NOTE: OpenVPN 2.1 requires '--script-security 2'
or higher to call user-defined scripts or executables
Fri Jun 14 00:10:32 2013 TUN/TAP device tun1 opened
Fri Jun 14 00:10:32 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Jun 14 00:10:32 2013 /sbin/ifconfig tun1 10.26.7.14 pointopoint 10.26.7.13 mtu 1500
Fri Jun 14 00:10:32 2013 UDPv4 link local (bound): [undef]
Fri Jun 14 00:10:32 2013 UDPv4 link remote: [AF_INET]192.168.45.1:1194
Fri Jun 14 00:10:42 2013 Peer Connection Initiated with [AF_INET]192.168.45.1:1194
Fri Jun 14 00:10:43 2013 Initialization Sequence Completed
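Added example (not part of this post): a small Python audit of the two config shapes above. It flags a config with no `secret` as cleartext, and checks that a `user`/`group` privilege drop is paired with `persist-key`/`persist-tun`, since a daemon running as nobody cannot re-read the key or reopen tun on SIGUSR1. The config texts are copied from this post; `parse_conf`, `audit` and the finding messages are my own.

```python
# Constructed sample: the cleartext client config shown in this post.
CLEARTEXT_CLIENT = """\
remote 192.168.45.1
port 1194
proto udp
dev tun1
ifconfig 10.26.7.14 10.26.7.13
persist-key
persist-tun
status static_client.log
"""

# Constructed sample: the pre-shared-key server config shown in this post.
PSK_SERVER = """\
port 1194
proto udp
dev tun1
ifconfig 10.26.7.13 10.26.7.14
user nobody
group nogroup
persist-key
persist-tun
secret static.key
status static_server.log
"""

def parse_conf(text: str) -> dict:
    """Map each option name to its argument list; '#'/';' comment lines are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        opts[name] = args
    return opts

def audit(text: str) -> list:
    """Return findings for one P2P config; an empty list means the hardened shape."""
    o = parse_conf(text)
    findings = []
    if not any(k in o for k in ("secret", "tls-server", "tls-client")):
        findings.append("cleartext: no 'secret' (or TLS mode), so no encryption/authentication")
    drops = "user" in o or "group" in o
    if not drops:
        findings.append("no 'user'/'group': daemon keeps root after initialization")
    for opt in ("persist-key", "persist-tun"):  # needed once privileges are dropped
        if drops and opt not in o:
            findings.append(f"'user'/'group' without '{opt}': restart as nobody cannot re-acquire it")
    return findings
```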
■Check the status logs.
$ sudo cat static_server.log
OpenVPN STATISTICS
Updated,Fri Jun 14 00:18:44 2013
TUN/TAP read bytes,0
TUN/TAP write bytes,0
TCP/UDP read bytes,120
TCP/UDP write bytes,120
Auth read bytes,120
END
$ sudo cat static_client.log
OpenVPN STATISTICS
Updated,Fri Jun 14 00:12:39 2013
TUN/TAP read bytes,0
TUN/TAP write bytes,0
TCP/UDP read bytes,120
TCP/UDP write bytes,120
Auth read bytes,120
END