[OpenVPN] Installing the openvpn client (Linux)

변군 변군이글루 2020. 9. 25. 16:41

Installing the openvpn client

 

Create and download the certificate from the web admin console

 

Create the certificate

Create a new Certificates > Name > Create 

 

Download the certificate

Certificates > click vpnuser01 (Name)

 

Install the openvpn package

 - Install epel-release and openvpn

$ yum install -y epel-release

$ yum install -y openvpn

 

Edit the openvpn configuration file

 - Configure vclient-201.ovpn

$ vim /etc/openvpn/client/vclient-201.ovpn
dev tun
persist-tun
persist-key
client
resolv-retry infinite
remote 123.123.123.201 1194 udp
lport 0

cipher AES-256-CBC
keysize 256
auth SHA256
tls-client

<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>

comp-lzo
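
The profile above embeds the client private key, enables comp-lzo, and has no directive that checks the server certificate, so it is worth auditing before use. The script below is an added example, not part of the original post or of OpenVPN: the function names `ovpn_directives` and `audit_ovpn` and the finding codes are made up for this illustration, and the sample profile is constructed from the directives shown above.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and finding
# codes (KEY_FILE_MODE, ...) are made up for this illustration.

# Print only the directives of a profile: drop comments, blank lines and
# everything inside inline blocks such as <ca>, <cert> and <key>.
ovpn_directives() {
    awk '
        /^[ \t]*<\/[A-Za-z-]+>/ { inblock = 0; next }
        /^[ \t]*<[A-Za-z-]+>/   { inblock = 1; next }
        inblock                 { next }
        /^[ \t]*([#;]|$)/       { next }
        { sub(/^[ \t]+/, ""); print }
    ' "$1"
}

audit_ovpn() {
    profile=$1
    directives=$(ovpn_directives "$profile")

    # An inline <key> makes the whole file a secret: owner-only access.
    if grep -q '^[[:space:]]*<key>' "$profile"; then
        mode=$(ls -ld -- "$profile" | cut -c5-10)
        [ "$mode" = "------" ] ||
            echo "KEY_FILE_MODE: inline private key readable by group/other, use chmod 600"
    fi
    # Without these the client accepts any certificate the CA signed,
    # including another client's, as the server.
    printf '%s\n' "$directives" |
        grep -Eq '^(remote-cert-tls[[:space:]]+server|verify-x509-name[[:space:]])' ||
        echo "NO_SERVER_CERT_CHECK: add remote-cert-tls server or verify-x509-name"
    # "comp-lzo no" is not flagged.
    printf '%s\n' "$directives" |
        grep -Eq '^(comp-lzo([[:space:]]+(yes|adaptive))?[[:space:]]*$|compress[[:space:]]+[a-z0-9])' &&
        echo "COMPRESSION: tunnel compression enabled (deprecated, VORACLE-style leaks)"
    printf '%s\n' "$directives" | grep -q '^keysize[[:space:]]' &&
        echo "DEPRECATED_KEYSIZE: keysize is a deprecated option"
    return 0
}

# Constructed sample: the directives shown above with the inline blocks emptied.
sample=$(mktemp)
printf '%s\n' client 'dev tun' 'remote 123.123.123.201 1194 udp' \
    'cipher AES-256-CBC' 'keysize 256' 'auth SHA256' tls-client \
    '<key>' '(omitted)' '</key>' comp-lzo > "$sample"
chmod 644 "$sample"
audit_ovpn "$sample"
rm -f "$sample"
```

Compression and cipher settings have to match the server, so findings on those directives are changed on both ends together.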

 

Run the openvpn daemon

$ openvpn --config /etc/openvpn/client/vclient-201.ovpn

### Run in the background
$ openvpn --config /etc/openvpn/client/vclient-201.ovpn --daemon

$ ps -ef |grep openvpn | grep -v grep
root     24376     1  0 16:44 ?        00:00:00 openvpn --config /etc/openvpn/client/vclient-201.ovpn --daemon

 

Client routing table

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         123.123.123.1   0.0.0.0         UG    100    0        0 ens192
10.8.0.0        10.8.0.9        255.255.255.0   UG    0      0        0 tun0
10.8.0.1        10.8.0.9        255.255.255.255 UGH   0      0        0 tun0
10.8.0.9        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
123.123.123.1   0.0.0.0         255.255.255.0   U     100    0        0 ens192

 

Ping test from the VPN server to the vclient-201 server

$ ping 10.8.0.10
PING 10.8.0.10 (10.8.0.10): 56 data bytes
64 bytes from 10.8.0.10: seq=0 ttl=64 time=0.583 ms
64 bytes from 10.8.0.10: seq=1 ttl=64 time=0.674 ms
64 bytes from 10.8.0.10: seq=2 ttl=64 time=0.679 ms