March 31, 2011
OpenVPN

1. Check that OpenSSL is installed.
# rpm -q openssl
openssl-0.9.8p-1vl5


2. Install the OpenVPN package with apt-get.
# apt-get install openvpn
Reading package lists... Done
Building dependency tree... Done
The following NEW packages will be installed:
openvpn
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 373kB of archives.
After unpacking 784kB of additional disk space will be used.
Get:1 http://updates.vinelinux.org 5.2/i386/plus openvpn 2.1-0.1.rc9vl5 [373kB]
Fetched 373kB in 0s (475kB/s)
Committing changes...
Preparing ############################## [100%]
Updating / installing
openvpn-2.1-0.1.rc9vl5.i386 ############################## [100%]
Done


3. Prepare the server configuration file (start from the sample shipped with the package).
# cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn/


4. Prepare the private CA: copy the easy-rsa scripts into /etc/openvpn/.
# cp -r /usr/share/openvpn/easy-rsa /etc/openvpn/


5. Build the private CA and create the CA certificate and private key

Set the defaults for the certificate subject fields in vars. The transcript below uses the easy-rsa 2.0 default of 1024-bit RSA keys (KEY_SIZE in the same file); for a new deployment raise KEY_SIZE to 2048 before running clean-all, since it fixes the size of every key and of the DH parameters generated later.

# vi /etc/openvpn/easy-rsa/2.0/vars
export KEY_COUNTRY="JP" <= country
export KEY_PROVINCE="NIIGATA" <= state / prefecture
export KEY_CITY="NISHIKU" <= city
export KEY_ORG="TEST" <= organization
export KEY_EMAIL="xx@myhost.mydomain" <= e-mail address



# cd /etc/openvpn/easy-rsa/2.0/

# source ./vars

# ./clean-all

# ./build-ca
Generating a 1024 bit RSA private key
............++++++
..............................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]: <=ENTER
State or Province Name (full name) [NIIGATA]: <=ENTER
Locality Name (eg, city) [NISHIKU]: <=ENTER
Organization Name (eg, company) [TEST]: <=ENTER
Organizational Unit Name (eg, section) []: <=ENTER
Common Name (eg, your name or your server's hostname) [TEST CA]: <=ENTER
Email Address [xx@myhost.mydomain]: <=ENTER


6. ca.crt and ca.key have been created under /etc/openvpn/easy-rsa/2.0/keys/.
# ls /etc/openvpn/easy-rsa/2.0/keys/
ca.crt ca.key index.txt serial


7. Create the server certificate and server private key
Generate the server private key and have it signed by the private CA built above. build-key-server signs with the "server" extension section of easy-rsa's openssl.cnf (nsCertType=server, extendedKeyUsage=serverAuth), which is what lets a client reject a peer that presents an ordinary client certificate.
# ./build-key-server server
Generating a 1024 bit RSA private key
......++++++
...............................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]: <=ENTER
State or Province Name (full name) [NIIGATA]: <=ENTER
Locality Name (eg, city) [NISHIKU]: <=ENTER
Organization Name (eg, company) [TEST]: <=ENTER
Organizational Unit Name (eg, section) []: <=ENTER
Common Name (eg, your name or your server's hostname) [server]: <=ENTER
Email Address [xx@myhost.mydomain]: <=ENTER

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'JP'
stateOrProvinceName :PRINTABLE:'NIIGATA'
localityName :PRINTABLE:'NISHIKU'
organizationName :PRINTABLE:'TEST'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'xx@myhost.mydomain'
Certificate is to be certified until Mar 28 13:34:01 2021 GMT (3650 days)
Sign the certificate? [y/n]:y <= type y and press ENTER


1 out of 1 certificate requests certified, commit? [y/n]y <= type y and press ENTER
Write out database with 1 new entries
Data Base Updated


8. Confirm that server.crt and server.key have been created under /etc/openvpn/easy-rsa/2.0/keys/.
# ls /etc/openvpn/easy-rsa/2.0/keys/
01.pem ca.key index.txt.attr serial server.crt server.key
ca.crt index.txt index.txt.old serial.old server.csr


9. Create the client certificate and client private key.
Source vars again if you are in a new shell. Do not run ./clean-all again at this point: as the script warns, it would delete the CA and server key just created.
# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys

# ./build-key-pass sample1
Generating a 1024 bit RSA private key
...................++++++
...........................++++++
writing new private key to 'sample1.key'
Enter PEM pass phrase:  <= enter a passphrase
Verifying - Enter PEM pass phrase: <= enter the passphrase again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:  <=ENTER 
State or Province Name (full name) [NIIGATA]: <=ENTER
Locality Name (eg, city) [NISHIKU]: <=ENTER
Organization Name (eg, company) [TEST]: <=ENTER
Organizational Unit Name (eg, section) []: <=ENTER
Common Name (eg, your name or your server's hostname) [sample1]: <=ENTER
Email Address [xx@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'JP'
stateOrProvinceName :PRINTABLE:'NIIGATA'
localityName :PRINTABLE:'NISHIKU'
organizationName :PRINTABLE:'TEST'
commonName :PRINTABLE:'sample1'
emailAddress :IA5STRING:'xx@myhost.mydomain'
Certificate is to be certified until Mar 28 13:42:35 2021 GMT (3650 days)
Sign the certificate? [y/n]:y <= type y and press ENTER


1 out of 1 certificate requests certified, commit? [y/n]y <= type y and press ENTER
Write out database with 1 new entries
Data Base Updated


10. Confirm that sample1.crt and sample1.key have been created under /etc/openvpn/easy-rsa/2.0/keys/.
# ls /etc/openvpn/easy-rsa/2.0/keys/
01.pem ca.key index.txt.attr.old sample1.csr serial.old server.key
02.pem index.txt index.txt.old sample1.key server.crt
ca.crt index.txt.attr sample1.crt serial server.csr


11. Generate the DH (Diffie-Hellman) parameters the server uses with the build-dh script. The size follows KEY_SIZE from vars, so this writes keys/dh1024.pem.
# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..........................................................................+............+..................................................................+................................+..................................................................................+.............+.++*++*++*


12. Copy the files the client (Windows XP) needs onto separate media and carry them to the client:
ca.crt (CA certificate), sample1.crt (client certificate), sample1.key (client private key)
sample1.key is encrypted with the passphrase entered in build-key-pass, but still treat the media as secret. Nothing else from keys/ (in particular ca.key and server.key) should leave the server.



13. Copy the CA certificate, server certificate, server private key and DH parameters to /etc/openvpn/. ca.key stays in keys/: it is only needed to sign further certificates and should not be readable by the VPN service.
# cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /etc/openvpn/
# cp /etc/openvpn/easy-rsa/2.0/keys/server.crt /etc/openvpn/
# cp /etc/openvpn/easy-rsa/2.0/keys/server.key /etc/openvpn/
# cp /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem /etc/openvpn/
# chmod og-rx /etc/openvpn/*.key


14. Edit /etc/openvpn/server.conf.
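Steps 5 through 13 as one script, added here as an example and not taken from the post or from easy-rsa/OpenVPN. It drives openssl(1) directly instead of the easy-rsa wrappers so the extension sections and options are visible, and adds the checks worth running before anything is copied to a client: the server certificate verifies for the server role, a client certificate does not, client keys are encrypted, every key is mode 0600, and ca.key never reaches the OpenVPN directory. The directories PKI and OVPN_DIR, the CLIENT_PASS variable, the 2048-bit key size and the server.conf contents are assumptions, not from the page.

```shell
#!/bin/sh
# Added example, not from the post or from easy-rsa/OpenVPN: steps 5-13 done with
# plain openssl(1) so every option is visible, plus checks worth running before
# shipping files to a client. Assumed (not on the page): PKI and OVPN_DIR stand
# in for /etc/openvpn/easy-rsa/2.0/keys and /etc/openvpn; 2048-bit keys; CLIENT_PASS.
set -eu
PKI="${PKI:-/tmp/ovpn-pki}"             # hypothetical: easy-rsa keys/ dir
OVPN_DIR="${OVPN_DIR:-/tmp/ovpn-etc}"   # hypothetical: /etc/openvpn
CLIENT_PASS="${CLIENT_PASS:-changeme}"  # demo value; prompt for a real one
DAYS=3650                               # the page's 10-year lifetime
# Subject fields exactly as the page's vars file sets them; $1 is the CN.
subj() { printf '/C=JP/ST=NIIGATA/L=NISHIKU/O=TEST/CN=%s/emailAddress=xx@myhost.mydomain' "$1"; }

# The extensions easy-rsa's openssl.cnf applies: CA:TRUE on the CA, serverAuth on
# the server, clientAuth on clients. The server-only bits are what let a client
# enforce "ns-cert-type server" / "remote-cert-tls server", so a stolen client
# certificate cannot be used to impersonate the VPN server.
write_cnf() {
  cat > "$PKI/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
[ client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
nsCertType = client
EOF
}

build_ca() {  # build-ca: self-signed CA certificate; ca.key never leaves $PKI
  mkdir -p "$PKI" && write_cnf
  openssl req -x509 -new -newkey rsa:2048 -nodes -days "$DAYS" \
    -config "$PKI/pki.cnf" -extensions v3_ca -subj "$(subj 'TEST CA')" \
    -keyout "$PKI/ca.key" -out "$PKI/ca.crt" 2>/dev/null
  chmod 600 "$PKI/ca.key"
}

# build-key-server / build-key-pass: CSR, then CA signature with the matching
# extension section. Client keys are passphrase-encrypted as build-key-pass
# does; the server key is not, so openvpn can start unattended at boot.
issue() { # issue <name> <server|client>
  name=$1; kind=$2
  case $kind in
    client) set -- -passout "pass:$CLIENT_PASS" ;;
    *)      set -- -nodes ;;
  esac
  openssl req -new -newkey rsa:2048 "$@" -config "$PKI/pki.cnf" \
    -subj "$(subj "$name")" -keyout "$PKI/$name.key" -out "$PKI/$name.csr" 2>/dev/null
  openssl x509 -req -days "$DAYS" -in "$PKI/$name.csr" \
    -CA "$PKI/ca.crt" -CAkey "$PKI/ca.key" -CAcreateserial \
    -extfile "$PKI/pki.cnf" -extensions "$kind" -out "$PKI/$name.crt" 2>/dev/null
  chmod 600 "$PKI/$name.key"
}

build_dh() { openssl dhparam -out "$PKI/dh2048.pem" 2048 2>/dev/null; }  # slow

# What a client's check of the server cert amounts to: chain valid AND leaf
# usable in the given SSL role. Returns 0 when openssl verify accepts it.
cert_ok_for() { openssl verify -purpose "$2" -CAfile "$PKI/ca.crt" "$1" >/dev/null 2>&1; }
# Encrypted PEM keys, PKCS#8 or legacy, carry the word ENCRYPTED in the header.
key_is_encrypted() { grep -q ENCRYPTED "$1"; }
# The page's chmod step, done correctly: every *.key must be mode 0600.
keys_are_private() { [ -z "$(find "$PKI" "$OVPN_DIR" -name '*.key' ! -perm 600 2>/dev/null)" ]; }

# Step 13: copy only what the server needs (never ca.key) and write the
# server.conf the page leaves blank, using OpenVPN 2.1 sample directives.
install_server() {
  mkdir -p "$OVPN_DIR"
  cp "$PKI/ca.crt" "$PKI/server.crt" "$PKI/server.key" "$OVPN_DIR/"
  if [ -f "$PKI/dh2048.pem" ]; then cp "$PKI/dh2048.pem" "$OVPN_DIR/"; fi
  chmod 600 "$OVPN_DIR/server.key"
  cat > "$OVPN_DIR/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
user nobody
group nobody
persist-key
persist-tun
EOF
}

case "${1:-}" in  # stand-alone run: sh pki.sh run
  run) build_ca; issue server server; issue sample1 client; build_dh; install_server ;;
esac
```

Run it with `sh pki.sh run`, or source it and call the functions one at a time (build_dh takes a while). The client-side half of the check is a line in the client config: `ns-cert-type server` on the page's OpenVPN 2.1, or `remote-cert-tls server`, which looks at the extendedKeyUsage instead; without one of them a client will accept any certificate the CA has signed, including another client's.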





Posted by 初心者。 at 23:20 | Comments (0) | OS > Vine Linux