ppp /usr/sbin/pppd localip 192.168.1.101-110 remoteip 192.168.2.111-120 #logwtmp < logwtmp をコメントアウト
name pptpd domain tar3.net # localip と remoteip が LAN 側サブネットに含まれる場合は proxyarp を有効にします。 proxyarp auth lock refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128 ms-dns 192.168.1.37 ms-dns 192.168.1.1 ms-wins 192.168.1.37 nobsdcomp novj novjcomp nologfd mtu 1200 mru 1200 debug
hoge pptpd password *
net.ipv4.ip_forward = 1
-A FORWARD -i ppp+ -j ACCEPT -A FORWARD -o ppp+ -j ACCEPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p gre -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 1723 -j ACCEPT
[root@sv22 ~]# vi /etc/samba/smb.conf ; domain master = yes ↓ domain master = yes ; local master = no ↓ local master = yes ; preferred master = yes ↓ preferred master = yes ; os level = 33 ↓ os level = 65 ; wins support = yes ↓ wins support = yes
[root@sv22 ~]# /etc/rc.d/init.d/smb restart SMB サービスを停止中: [ OK ] NMB サービスを停止中: [ OK ] SMB サービスを起動中: [ OK ] NMB サービスを起動中: [ OK ]
rpm -Uvh http://ftp-srv2.kddilabs.jp/Linux/distributions/fedora/epel/6/i386/epel-release-6-8.noarch.rpm vi /etc/yum.repos.d/epel.repo
[global] [lns default] ip range = 192.168.1.128-192.168.1.254 local ip = 192.168.1.99 require chap = yes refuse pap = yes require authentication = yes name = VPNserver ppp debug = yes pppoptfile = /etc/ppp/options.xl2tpd length bit = yes
auth crtscts debug lock proxyarp refuse-pap refuse-chap refuse-mschap require-mschap-v2 logfile /var/log/xl2tpd.log ms-dns 192.168.1.1 ms-dns 192.168.1.2 ipcp-accept-local ipcp-accept-remote
openswan にiPhoneからつながらない不具合が有り、
strongswan に変更
yum install strongswan
version 2.0 config setup protostack=netkey nat_traversal=yes include /etc/strongswan/ipsec.d/*.conf
conn L2TP-PSK-NAT rightsubnet=0.0.0.0/0 #rightsubnet=vhost:%priv forceencaps=yes dpddelay=10 dpdtimeout=30 dpdaction=clear also=L2TP-PSK-noNAT conn L2TP-PSK-noNAT #conn L2TP-PSK # # Configuration for one user with any type of IPsec/L2TP client # including the updated Windows 2000/XP (MS KB Q818043), but # excluding the non-updated Windows 2000/XP. # # # Use a Preshared Key. Disable Perfect Forward Secrecy. # # PreSharedSecret needs to be specified in /etc/ipsec.secrets as # YourIPAddress %any: "sharedsecret" authby=secret pfs=no auto=add keyingtries=3 # we cannot rekey for %any, let client rekey rekey=no # Apple iOS doesn't send delete notify so we need dead peer detection # to detect vanishing clients #dpddelay=5 #dpdtimeout=10 #dpdaction=clear # Set ikelifetime and keylife to same defaults windows has ikelifetime=8h keylife=1h # l2tp-over-ipsec is transport mode type=transport left=192.168.1.3 leftnexthop=%defaultroute #leftsubnet=192.168.1.0/24 # For updated Windows 2000/XP clients, # to support old clients as well, use leftprotoport=17/%any leftprotoport=17/1701 # The remote user. right=%any # Using the magic port of "%any" means "any one single port". This is # a work around required for Apple OSX clients that use a randomly # high port. rightprotoport=17/%any #rightprotoport=17/0 #ike=3des-md5 #esp=3des-md5 #forceencaps=yes
: PSK "password" include /etc/strongswan/ipsec.d/*.secrets
net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.lo.send_redirects = 0 net.ipv4.conf.lo.accept_redirects = 0 net.ipv4.conf.eth0.send_redirects = 0 net.ipv4.conf.eth0.accept_redirects = 0 net.ipv4.conf.eth1.send_redirects = 0 net.ipv4.conf.eth1.accept_redirects = 0 net.ipv4.ip_forward = 1
yum install lsof
yum install libpcap-devel ppp
SELINUX=disabled
-A FORWARD -i ppp+ -j ACCEPT -A FORWARD -o ppp+ -j ACCEPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p esp -j ACCEPT -A INPUT -p udp -m udp --dport 50 -j ACCEPT -A INPUT -p udp -m udp --dport 500 -j ACCEPT -A INPUT -p udp -m udp --dport 4500 -j ACCEPT -A INPUT -p udp -m udp --dport 1701 -j ACCEPT
# アカウント 接続名 パスワード IPアドレス "vpn-account" * "vpn-password" *
touch /var/log/xl2tpd.log
sudo apt install network-manager-openvpn network-manager-l2tp
Client1 -> Internet - udp -> キャリアルーター -> VPN サーバ -> Internet(全ての通信がVPNサーバ経由を目標とする)
※tcp は重い。server.conf に tcp-nodelay オプションを記入することにより改善されるが重い。
※tcp にするには、server.conf で udp を無効化しtcp を有効化。 同様に client 設定ファイルも行う。
sudo yum -y install openssl-devel lzo-devel pam-devel gcc
mkdir temp wget http://swupdate.openvpn.org/community/releases/openvpn-2.3.12.tar.gz
sudo rpmbuild -tb --clean openvpn-2.3.12.tar.gz
sudo yum -y localinstall ~/rpmbuild/RPMS/x86_64/openvpn-2.3.12-1.x86_64.rpm
cd ~/temp wget https://github.com/OpenVPN/easy-rsa/archive/master.zip unzip master.zip
sudo cp -r easy-rsa-master/easyrsa3/ /etc/openvpn/
※以下 su - で実行
cd /etc/openvpn/easyrsa3/ ./easyrsa init-pki
./easyrsa build-ca ~ Enter PEM pass phrase: (任意のパスワード) Verifying - Enter PEM pass phrase: (任意のパスワード)(確認) ~ Common Name (eg: your user, host, or server name) [Easy-RSA CA]:(サイト名) 例) tar3.net ~ CA creation complete and you may now import and sign cert requests. Your new CA certificate file for publishing is at: /root/easy-rsa-master/easyrsa3/pki/ca.crt
cp pki/ca.crt /etc/openvpn/
./easyrsa build-server-full server nopass Enter pass phrase for /etc/openvpn/easyrsa3/pki/private/ca.key: (CA秘密鍵のパスワード)(上記で入力) ~ Data Base Updated
cp pki/issued/server.crt /etc/openvpn/ cp pki/private/server.key /etc/openvpn/
(セキュリティー確保のため共有キーを直接やりとりしないために)登場するのが、 DH鍵交換方式。 DH鍵交換方式では、共通鍵そのものを送受信せず、 共通鍵を作り出す材料となる数のみを互いに交換する。 共通鍵そのものを送受信していないのに、同じ共通鍵を持つことができ セキュリティーを確保することができる。
./easyrsa gen-dh (少し時間がかかるので終わるまで待つ(数分?)
cp pki/dh.pem /etc/openvpn/
./easyrsa build-client-full dmy nopass ~ Enter pass phrase for /etc/openvpn/easyrsa3/pki/private/ca.key:(CA秘密鍵のパスワード)(上記で入力) ~ Write out database with 1 new entries Data Base Updated
./easyrsa revoke dmy ~ Continue with revocation: yes (Enter) ~ IMPORTANT!!! Revocation was successful. You must run gen-crl and upload a CRL to your infrastructure in order to prevent the revoked cert from being accepted.
./easyrsa gen-crl ~ Enter pass phrase for /etc/openvpn/easyrsa3/pki/private/ca.key:(CA秘密鍵のパスワード)(上記で入力) An updated CRL has been created. CRL file: /etc/openvpn/easyrsa3/pki/crl.pem
cp ./pki/crl.pem /etc/openvpn/
chmod o+r /etc/openvpn/crl.pem
※以下 su - で実行
openvpn --genkey --secret /etc/openvpn/ta.key
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/
port 1194 ~ proto udp ※tcp は重い。server.conf に tcp-nodelay オプションを記入することにより改善されるが重い。 ※tcp にするには、server.conf で udp を無効化しtcp を有効化。 同様に client 設定ファイルも行う。 ~ dev tun ← 確認するだけ。デフォルトで設定済み ~ ca ca.crt cert server.crt key server.key # This file should be kept secret ~ dh dh.pem ← 左記のように変更する。DHパラメータ ファイル名 ~ server 10.8.0.0 255.255.255.0 ← VPNクライアント割当てアドレス範囲(デフォルト) ~ ifconfig-pool-persist ipp.txt ~ ;push "route 192.168.10.0 255.255.255.0" ;push "route 192.168.20.0 255.255.255.0" push "route 192.168.3.0 255.255.255.0" ← 追加(LAN(例:192.168.3.0/24)へのルートをVPNサーバー経由にする) ~ push "redirect-gateway def1" <- インターネットへのアクセスをVPN経由で行う ~ push "dhcp-option DNS 192.168.1.1" <- インターネットアクセス時に使用するDNSサーバ ~ tls-auth ta.key 0 # This file is secret ← 行頭の;を削除してコメント解除(TLS認証有効化) ~ comp-lzo ~ user nobody ← 行頭の;を削除してコメント解除(OpenVPN実行権限を下げる) group nobody ← 行頭の;を削除してコメント解除(OpenVPN実行権限を下げる) ~ persist-key persist-tun ~ status openvpn-status.log ~ log-append /var/log/openvpn.log ← 行頭の;を削除してコメント解除(ログを/var/log/openvpn.logに記録する) ~ verb 3 ~ management localhost 7505 ← 最終行へ追加(管理インタフェースの有効化※後述) ~ crl-verify crl.pem ← 最終行へ追加(証明書廃止リストの有効化) ~ 最終行へ以下を追加(OpenVPN経由でSambaへのアクセスがエラーになる場合) fragment 1280 mssfix 1280 link-mtu 1400
※以下 su - で実行
/var/log/openvpn.log { missingok notifempty sharedscripts postrotate systemctl restart openvpn 2>&1 > /dev/null || true endscript }
※以下 su - で実行
echo 1 > /proc/sys/net/ipv4/ip_forward
service openvpn start
chkconfig openvpn on
設定関連図(構成図)
Client1 -> Internet -> キャリアルーター -> VPN サーバ -> Internet(全ての通信がVPNサーバ経由を目標とする)
※以下 su - で実行
cd /etc/openvpn/easyrsa3/ ./easyrsa build-client-full client1 nopass Enter pass phrase for /etc/openvpn/easyrsa3/pki/private/ca.key: (CA秘密鍵のパスワード入力) Write out database with 1 new entries Data Base Updated
C:\Program Files\OpenVPN\sample-config\client.ovpn
C:\Program Files\OpenVPN\config
remote tar3.net 1194
ca ca.crt cert client1.crt key client1.key
remote-cert-tls server
tls-auth ta.key 1
fragment 1280 mssfix 1280 link-mtu 1400
- CA証明書
/etc/openvpn/ca.crt- クライアント証明書
/etc/openvpn/easyrsa3/pki/issued/client1.crt- クライアント秘密鍵
/etc/openvpn/easyrsa3/pki/private/client1.key- TLS認証鍵
/etc/openvpn/ta.key
- C:\Program Files\OpenVPN\config
Ping による疎通確認が可能だが、通らない場合は大抵ルートの問題。
キャリアルーターにきちんと静的ルートが書いてあるか。また間違えてないか、など
OpenVPN サーバの Push "Route ..." は関係ない場合が多く、そこをいじっても解決しない時が多い。
※以下 su - で実行
cd /etc/openvpn/easyrsa3/ ./easyrsa revoke client1 ~ Continue with revocation: yes を入力 ~ Enter pass phrase for /etc/openvpn/easyrsa3/pki/private/ca.key <-CA秘密鍵のパスワードを入力
rm -f ./pki/issued/client1.crt ← client1証明書類削除 rm -f ./pki/private/client1.key ← client1証明書類削除 rm -f ./pki/reqs/client1.req ← client1証明書類削除 ./easyrsa gen-crl ← 証明書廃止リストを作成 ~ Enter pass phrase for /etc/openvpn/easyrsa3/pki/private/ca.key: <-CA秘密鍵のパスワードを入力 ~ CRL file: /etc/openvpn/easyrsa3/pki/crl.pem
cp ./pki/crl.pem /etc/openvpn/
chmod o+r /etc/openvpn/crl.pem
※以下 su - で実行
yum install telnet
telnet localhost 7505
status client1,124.211.3.180:1617,6882,7144,Tue Nov 28 19:26:53 2006 ← client1が接続中
kill client1
status
exit
Verifying installed system and configuration files Version check and ipsec on-path [OK] Libreswan 3.7 (netkey) on 2.6.32-431.3.1.el6.i686 Checking for IPsec support in kernel [OK] NETKEY: Testing XFRM related proc values ICMP default/send_redirects [OK] ICMP default/accept_redirects [OK] XFRM larval drop [OK] Pluto ipsec.conf syntax [OK] Hardware random device [N/A] Two or more interfaces found, checking IP forwarding [OK] Checking rp_filter [ENABLED] /proc/sys/net/ipv4/conf/default/rp_filter [ENABLED] /proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED] /proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED] /proc/sys/net/ipv4/conf/ppp0/rp_filter [ENABLED] rp_filter is not fully aware of IPsec and should be disabled Checking that pluto is running [OK] Pluto listening for IKE on udp 500 [OK] Pluto listening for IKE/NAT-T on udp 4500 [OK] Pluto ipsec.secret syntax [OK] Checking NAT and MASQUERADEing [TEST INCOMPLETE] Checking 'ip' command [OK] Checking 'iptables' command [OK] Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options [OK] Opportunistic Encryption [DISABLED] ipsec verify: encountered 9 errors - see 'man ipsec_verify' for help
Verifying installed system and configuration files Version check and ipsec on-path [OK] Libreswan 3.7 (netkey) on 2.6.32-431.3.1.el6.i686 Checking for IPsec support in kernel [OK] NETKEY: Testing XFRM related proc values ICMP default/send_redirects [OK] ICMP default/accept_redirects [OK] XFRM larval drop [OK] Pluto ipsec.conf syntax [OK] Hardware random device [N/A] Two or more interfaces found, checking IP forwarding [OK] Checking rp_filter [ENABLED] /proc/sys/net/ipv4/conf/default/rp_filter [ENABLED] /proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED] /proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED] /proc/sys/net/ipv4/conf/ppp0/rp_filter [ENABLED] rp_filter is not fully aware of IPsec and should be disabled Checking that pluto is running [OK] Pluto listening for IKE on udp 500 [OK] Pluto listening for IKE/NAT-T on udp 4500 [OK] Pluto ipsec.secret syntax [OK] Checking NAT and MASQUERADEing [TEST INCOMPLETE] Checking 'ip' command [OK] Checking 'iptables' command [OK] Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options [OK] Opportunistic Encryption [DISABLED] ipsec verify: encountered 9 errors - see 'man ipsec_verify' for help