koulab

Technical notes

The easiest way to set up an OpenVPN server on a VPS or similar host

This is the day 4 article of the Anonymous VPN Advent Calendar 2019.

https://adventar.org/calendars/4028

This is a quick way to set up an OpenVPN server on a VPS or similar host.

It uses the following shell script, which supports RHEL, CentOS, Ubuntu, Debian and others.

https://github.com/Nyr/openvpn-install

git clone https://github.com/Nyr/openvpn-install
cd openvpn-install/
chmod +x ./openvpn-install.sh
./openvpn-install.sh
First, provide the IPv4 address of the network interface you want OpenVPN
listening to.
IP address: Enter the IP address to listen on. Behind NAT, this will be the private IP.

Which protocol do you want for OpenVPN connections?
   1) UDP (recommended)
   2) TCP
Protocol [1-2]: Choose 1 or 2 depending on your use case.

What port do you want OpenVPN listening to?
Port: 1194
To change the OpenVPN port, specify it here.

Which DNS do you want to use with the VPN?
   1) Current system resolvers
   2) 1.1.1.1
   3) Google
   4) OpenDNS
   5) Verisign
DNS [1-5]: 1
Select the DNS server to use over the VPN.

Finally, tell me your name for the client certificate.
Please, use one word only, no special characters.
Client name: client1
Enter the name of the client profile to generate.

Okay, that was all I needed. We are ready to set up your OpenVPN server now.
Press any key to continue...
Press the Enter key to continue.

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki

Generating RSA private key, 2048 bit long modulus
......................................................................................................................................................................................................................................+++
.....................+++
e is 65537 (0x10001)

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
...................+++
...................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.7TxZApvu2e'
-----
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Dec  1 14:42:22 2029 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
......+++
..............................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/client1.key.tGfIR4Muup'
-----
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client1'
Certificate is to be certified until Dec  1 14:42:23 2029 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf

An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem

1281
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /usr/lib/systemd/system/openvpn@.service.

Finished!

Your client configuration is available at: /root/client1.ovpn
If you want to add more clients, you simply need to run this script again!

After that, download the generated /root/client1.ovpn, for example over SFTP, import it into an OpenVPN client, and test whether you can connect.

To add more users, run the shell script again in the same way.

# ./openvpn-install.sh

Looks like OpenVPN is already installed.

What do you want to do?
   1) Add a new user
   2) Revoke an existing user
   3) Remove OpenVPN
   4) Exit
Select an option [1-4]: 1

Tell me a name for the client certificate.
Please, use one word only, no special characters.
Client name: client2

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
.........................................................................................+++
..........................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/client2.key.iD5GAidQyN'
-----
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client2'
Certificate is to be certified until Dec  1 14:47:38 2029 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Client client2 added, configuration is available at: /root/client2.ovpn
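
Each "Data Base Updated" line above is a write to the easy-rsa certificate database, and that file shows which client certificates are still valid and which have been revoked. The following is an added example, not part of the original article or the openvpn-install project; it assumes the database is the standard easy-rsa index.txt under the PKI directory shown above, and the sample entries (serials, the revocation of client2) are constructed.

```shell
#!/bin/sh
# Added example: audit the easy-rsa certificate database (index.txt).
# Assumption: the file lives at /etc/openvpn/easy-rsa/pki/index.txt,
# inside the PKI directory printed by the installer.
#
# Each line is tab-separated:
#   status  expiry(YYMMDDHHMMSSZ)  revocation-date  serial  filename  subject
# status is V (valid), R (revoked) or E (expired); the revocation date
# is empty unless the certificate has been revoked.

# list_certs FILE STATUS
# Prints "commonName expiry-date" for every entry with the given status.
list_certs() {
    awk -F '\t' -v want="$2" '
        $1 == want {
            cn = $6
            sub(/^.*\/CN=/, "", cn)   # drop everything before the CN value
            sub(/\/.*$/, "", cn)      # drop any DN components after it
            # 291201144222Z -> 2029-12-01
            printf "%s 20%s-%s-%s\n", cn,
                substr($2, 1, 2), substr($2, 3, 2), substr($2, 5, 2)
        }' "$1"
}

# count_certs FILE STATUS
# Prints how many entries have the given status.
count_certs() {
    list_certs "$1" "$2" | wc -l | tr -d ' '
}

# make_sample_index
# Writes a constructed database to stdout: the server and client1 valid,
# client2 revoked. Serials and the revocation time are made up.
make_sample_index() {
    printf 'V\t291201144222Z\t\t01\tunknown\t/CN=server\n'
    printf 'V\t291201144223Z\t\t02\tunknown\t/CN=client1\n'
    printf 'R\t291201144738Z\t191205101500Z\t03\tunknown\t/CN=client2\n'
}

# Usage on the server (as root):
#   ./audit.sh /etc/openvpn/easy-rsa/pki/index.txt V
if [ $# -ge 1 ]; then
    list_certs "$1" "${2:-V}"
fi
```
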

The following are useful references for configuration and related topics.

https://qiita.com/keiya/items/fadc549b539c542d8a40

https://qiita.com/tags/openvpn

Setting this up on bulletproof hosting and tinkering with it in various ways looks like it could lead to something interesting.