Setting up OpenVPN on a Raspberry Pi.
Publishing this as-is for now; I may write it up in more detail later.

Install OpenVPN

pacman -Sy openvpn

Create the tun/tap device for the VPN bridge

cp /etc/netctl/examples/tuntap /etc/netctl/
netctl enable tuntap
netctl start tuntap

Create the keys

cp -r /usr/share/openvpn/easy-rsa/ /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa

Edit the file that sets the key-generation defaults

vim vars
# PKCS11 fixes
#export PKCS11_MODULE_PATH="dummy"
#export PKCS11_PIN="dummy"

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="JP"
export KEY_PROVINCE="xxxxx"
export KEY_CITY="xxxxxx"
export KEY_ORG="unix-like.dyndns-web.com"
export KEY_EMAIL="xxxx@yyyy.com"
#export KEY_EMAIL=mail@host.domain
#export KEY_CN=changeme
#export KEY_NAME=changeme
#export KEY_OU=changeme
#export PKCS11_MODULE_PATH=changeme
#export PKCS11_PIN=1234

Apply the environment variables and build the CA, server certificate and DH parameters

source vars
./clean-all
./build-ca
./build-key-server server
./build-dh

Edit the OpenSSL config file

vim /etc/openvpn/easy-rsa/openssl.conf

What to edit in the config file

[ pkcs11_section ]
#engine_id = pkcs11
#dynamic_path = /usr/lib/engines/engine_pkcs11.so
#MODULE_PATH = $ENV::PKCS11_MODULE_PATH
#PIN = $ENV::PKCS11_PIN
#init = 0

Create and revoke a dummy key (this is what produces keys/crl.pem, copied below)

./build-key dummy
./revoke-full dummy

Create the client key and the tls-auth key, then copy the files into place

./build-key client
openvpn --genkey --secret /etc/openvpn/ta.key
cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/
cp /etc/openvpn/easy-rsa/keys/crl.pem /etc/openvpn/
cp /etc/openvpn/easy-rsa/keys/dh1024.pem /etc/openvpn/
cp /etc/openvpn/easy-rsa/keys/server.crt /etc/openvpn/
cp /etc/openvpn/easy-rsa/keys/server.key /etc/openvpn/
cp /usr/share/openvpn/examples/server.conf /etc/openvpn/server.conf

Server configuration

vim /etc/openvpn/server.conf

Server configuration contents

# open up this port on your firewall.
port 1194
# TCP or UDP server?
proto tcp
;proto udp
・・・・
;dev tap
dev tun0
・・・・
# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 192.168.1.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
・・・・・
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS 8.8.8.8"
;push "dhcp-option DNS 208.67.220.220"
・・・・
# on the server and '1' on the clients.
tls-auth ta.key 0 # This file is secret
・・・・
# non-Windows systems.
user nobody
group nobody
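As an added example that is not part of the original post, here is a small POSIX shell audit of the directory assembled above, run before starting the server: it checks that server.key and ta.key are kept private, that the files copied above are present, that tls-auth uses direction 0 on the server, and that the daemon drops to nobody. The directory argument, the use of `stat -c %a` (GNU or busybox coreutils) and "private means mode 600 or 400" are assumptions of this example, not anything from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the /etc/openvpn
# directory assembled above before starting the server.
# Assumptions: GNU/busybox `stat -c %a` is available, the files use the
# names from the post, and "private" means mode 600 or 400.

# check_openvpn_dir DIR
# Prints one line per problem; returns 0 when everything passes, 1 otherwise.
check_openvpn_dir() {
    dir="$1"
    rc=0

    # server.key and ta.key are secrets: present and readable only by owner.
    for f in server.key ta.key; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $f"; rc=1; continue
        fi
        mode=$(stat -c %a "$dir/$f")
        case "$mode" in
            600|400) ;;
            *) echo "$f is mode $mode, expected 600 or 400"; rc=1 ;;
        esac
    done

    # Files the steps above copy into /etc/openvpn (crl.pem comes from
    # revoking the dummy key).
    for f in ca.crt server.crt crl.pem dh1024.pem; do
        [ -f "$dir/$f" ] || { echo "missing: $f"; rc=1; }
    done

    conf="$dir/server.conf"
    [ -f "$conf" ] || { echo "missing: server.conf"; return 1; }

    # Keep only active directives: drop blank lines and '#'/';' comments.
    active=$(grep -Ev '^[[:space:]]*(#|;|$)' "$conf" || true)

    # tls-auth direction must be 0 on the server (clients use 1).
    printf '%s\n' "$active" | grep -Eq '^tls-auth[[:space:]]+[^[:space:]]+[[:space:]]+0([[:space:]]|$)' \
        || { echo "tls-auth missing or direction is not 0"; rc=1; }

    # The daemon should drop root after startup.
    printf '%s\n' "$active" | grep -Eq '^user[[:space:]]+nobody([[:space:]]|$)' \
        || { echo "user nobody not set"; rc=1; }
    printf '%s\n' "$active" | grep -Eq '^group[[:space:]]+nobody([[:space:]]|$)' \
        || { echo "group nobody not set"; rc=1; }

    return $rc
}

# Usage: check_openvpn_dir /etc/openvpn
```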