[VPN] Installing the OpenVPN Package with a Script

Installing the OpenVPN package with a script

 

Run the OpenVPN install script

$ wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh

Welcome to this OpenVPN road warrior installer!

Which IPv4 address should be used?
     1) 123.123.123.210
     2) 172.17.0.1
IPv4 address [1]: 1

Which protocol should OpenVPN use?
   1) UDP (recommended)
   2) TCP
Protocol [1]: 1

What port should OpenVPN listen to?
Port [1194]: 1194

Select a DNS server for the clients:
   1) Current system resolvers
   2) Google
   3) 1.1.1.1
   4) OpenDNS
   5) Quad9
   6) AdGuard
DNS server [1]: 4

Enter a name for the first client:
Name [client]: test

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/server/easy-rsa/pki


Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating RSA private key, 2048 bit long modulus
.......+++
...........+++
e is 65537 (0x10001)

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
....................................+++
....+++
writing new private key to '/etc/openvpn/server/easy-rsa/pki/easy-rsa-23352.PC7PMm/tmp.SE9mzA'
-----
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-23352.PC7PMm/tmp.d2Djq5
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Sep 26 00:49:49 2030 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
...................................................................+++
...........................................................................................+++
writing new private key to '/etc/openvpn/server/easy-rsa/pki/easy-rsa-23440.6Sns5M/tmp.MRsxRw'
-----
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-23440.6Sns5M/tmp.s2JBc0
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'test'
Certificate is to be certified until Sep 26 00:49:50 2030 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-23507.AEmJgC/tmp.tH4EXa

An updated CRL has been created.
CRL file: /etc/openvpn/server/easy-rsa/pki/crl.pem


Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn-iptables.service to /etc/systemd/system/openvpn-iptables.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn-server@server.service to /usr/lib/systemd/system/openvpn-server@.service.

Finished!

The client configuration is available in: /root/test.ovpn
New clients can be added by running this script again.

 

server.conf configuration file

$ vim /etc/openvpn/server/server.conf
local 123.123.123.210
port 1194
proto udp

dev tun

ca ca.crt
cert server.crt
key server.key
dh dh.pem

auth SHA512

tls-crypt tc.key

topology subnet

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

#push "redirect-gateway def1 bypass-dhcp"
push "route 123.123.123.204 255.255.255.255"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

keepalive 10 120

cipher AES-256-CBC

user nobody
group nobody

persist-key
persist-tun

status openvpn-status.log

verb 3

crl-verify crl.pem

explicit-exit-notify
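
An added example, not part of the original post or of the install script: a shell function that checks a server.conf like the one above for the directives that enforce revocation (crl-verify), privilege drop (user/group) and control-channel protection (tls-crypt or tls-auth), and reports whether clients get a full or split tunnel. The function name audit_openvpn_conf and the variable SAMPLE_CONF are assumptions of this example; the sample input is abridged from the config above.

```shell
#!/usr/bin/env bash
# Added example: audit an OpenVPN server.conf for security-relevant directives.
# Prints one finding per line; the return status is the number of WARN findings.
audit_openvpn_conf() {
  local conf=$1 warns=0 d
  # has DIRECTIVE: true if an uncommented line starts with that directive
  has() { grep -Eq "^[[:space:]]*$1([[:space:]]|\$)" "$conf"; }

  # crl-verify enforces revocation; user/group drop root after startup
  for d in crl-verify user group; do
    if has "$d"; then echo "PASS $d"
    else echo "WARN $d missing"; warns=$((warns + 1)); fi
  done
  # tls-crypt or tls-auth protects the control channel with a static key
  if has tls-crypt || has tls-auth; then echo "PASS tls-crypt/tls-auth"
  else echo "WARN tls-crypt/tls-auth missing"; warns=$((warns + 1)); fi

  # An active redirect-gateway push sends all client traffic through the VPN;
  # otherwise only the pushed routes are tunnelled (split tunnel).
  if grep -Eq '^[[:space:]]*push[[:space:]]+"redirect-gateway' "$conf"; then
    echo "INFO full-tunnel"
  else
    echo "INFO split-tunnel"
    grep -E '^[[:space:]]*push[[:space:]]+"route ' "$conf" |
      sed -E 's/^[^"]*"route ([^"]*)".*/INFO route \1/'
  fi
  return "$warns"
}

# Sample input: abridged from the server.conf shown above.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
tls-crypt tc.key
#push "redirect-gateway def1 bypass-dhcp"
push "route 123.123.123.204 255.255.255.255"
push "dhcp-option DNS 208.67.222.222"
user nobody
group nobody
crl-verify crl.pem
EOF

audit_openvpn_conf "$SAMPLE_CONF" || echo "$? warning(s)"
```

To check the installed server, pass /etc/openvpn/server/server.conf as the argument.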

 

Restart OpenVPN

$ systemctl restart openvpn-server@server.service

 

Create an OpenVPN client account

$ ./openvpn-install.sh new_client

OpenVPN is already installed.

Select an option:
   1) Add a new client
   2) Revoke an existing client
   3) Remove OpenVPN
   4) Exit
Option: 1

Provide a name for the client:
Name: test2
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
.................+++
......................+++
writing new private key to '/etc/openvpn/server/easy-rsa/pki/easy-rsa-25786.5NXSph/tmp.fgF6ri'
-----
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-25786.5NXSph/tmp.0FlOUB
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'test2'
Certificate is to be certified until Sep 26 01:22:01 2030 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated


test2 added. Configuration available in: /root/test2.ovpn