debian Squeez(서버)에 openvpn을 설치하고 Fedora 17에서 (클라이언트)로 연결하려고 합니다. 내 구성은 다음과 같습니다.
서버 구성
# Server TCP
proto tcp
port 1194
dev tun
# Keys and certificates
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
# Network
# Virtual address of the VPN network
server 192.170.70.0 255.255.255.0
# This line adds the client to the router network server
push "route 192.168.1.0 255.255.255.0"
# Create a route server to the tun interface
#route 192.170.70.0 255.255.255.0
# Security
keepalive 10 120
# type of data encryption
cipher AES-128-CBC
# enabling compression
comp-lzo
# maximum number of clients allowed
max-clients 10
# no user and group specific to the use of the VPN
user nobody
group nogroup
# to make persistent connection
persist-key
persist-tun
# Log of the OpenVPN status
status /var/log/openvpn-status.log
# logs openvpnlog /var/log/openvpn.log
log-append /var/log/openvpn.log
# verbosity
verb 5
클라이언트 구성
client
dev tun
proto tcp-client
remote <my server wan IP> 1194
resolv-retry infinite
cipher AES-128-CBC
# Keys
ca ca.crt
cert client.crt
key client.key
# Security
nobind
persist-key
persist-tun
comp-lzo
verb 3
로그 파일에 있는 호스트 클라이언트(fedora 17)의 메시지 /var/log/messages:
Dec 6 21:56:00 GlobalTIC NetworkManager[691]: <info> Starting VPN service 'openvpn'...
Dec 6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 7470
Dec 6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN service 'openvpn' appeared; activating connections
Dec 6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN plugin state changed: starting (3)
Dec 6 21:56:01 GlobalTIC NetworkManager[691]: <info> VPN connection 'Connexion VPN 1' (Connect) reply received.
Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: OpenVPN 2.2.2 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Sep 5 2012
Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]:[COLOR="Red"][U][B] WARNING: No server certificate verification method has been enabled.[/B][/U][/COLOR] See http://openvpn.net/howto.html#mitm for more info.
Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]:[COLOR="Red"] WARNING: file '/home/login/client/client.key' is group or others accessible[/COLOR]
Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: UDPv4 link local: [undef]
Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: UDPv4 link remote: [COLOR="Red"]<my server wan IP>[/COLOR]:1194
Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: [COLOR="Red"]read UDPv4 [ECONNREFUSED]: Connection refused (code=111)[/COLOR]
Dec 6 21:56:03 GlobalTIC nm-openvpn[7472]: [COLOR="Red"]read UDPv4[/COLOR] [ECONNREFUSED]: Connection refused (code=111)
Dec 6 21:56:07 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Dec 6 21:56:15 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Dec 6 21:56:31 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Dec 6 21:56:41 GlobalTIC NetworkManager[691]: <warn> VPN connection 'Connexion VPN 1' (IP Conf[/CODE]
서버 호스트의 ifconfig(debian):
ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:16:21:ac
inet addr:192.168.1.6 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe16:21ac/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9059 errors:0 dropped:0 overruns:0 frame:0
TX packets:5660 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:919427 (897.8 KiB) TX bytes:1273891 (1.2 MiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.170.70.1 P-t-P:192.170.70.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
클라이언트 호스트의 ifconfig(fedora 17)
as0t0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 5.5.0.1 netmask 255.255.252.0 destination 5.5.0.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2 bytes 321 (321.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
as0t1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 5.5.4.1 netmask 255.255.252.0 destination 5.5.4.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2 bytes 321 (321.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
as0t2: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 5.5.8.1 netmask 255.255.252.0 destination 5.5.8.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2 bytes 321 (321.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
as0t3: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 5.5.12.1 netmask 255.255.252.0 destination 5.5.12.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2 bytes 321 (321.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
**p255p1**: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.2 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::21d:baff:fe20:b7e6 prefixlen 64 scopeid 0x20<link>
ether 00:1d:ba:20:b7:e6 txqueuelen 1000 (Ethernet)
RX packets 4842070 bytes 3579798184 (3.3 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3996158 bytes 2436442882 (2.2 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 16
p255p1은 eth0 인터페이스의 레이블입니다.
그리고
서버에서:
root@hoteserver:/etc/openvpn# tree
.
├── client
│** ├── ca.crt
│** ├── client.conf
│** ├── client.crt
│** ├── client.csr
│** ├── client.key
│** ├── client.ovpn
│*
│**
├── easy-rsa
│** ├── build-ca
│** ├── build-dh
│** ├── build-inter
│** ├── build-key
│** ├── build-key-pass
│** ├── build-key-pkcs12
│** ├── build-key-server
│** ├── build-req
│** ├── build-req-pass
│** ├── clean-all
│** ├── inherit-inter
│** ├── keys
│** │** ├── 01.pem
│** │** ├── 02.pem
│** │** ├── ca.crt
│** │** ├── ca.key
│** │** ├── client.crt
│** │** ├── client.csr
│** │** ├── client.key
│** │** ├── dh1024.pem
│** │** ├── index.txt
│** │** ├── index.txt.attr
│** │** ├── index.txt.attr.old
│** │** ├── index.txt.old
│** │** ├── serial
│** │** ├── serial.old
│** │** ├── server.crt
│** │** ├── server.csr
│** │** └── server.key
│** ├── list-crl
│** ├── Makefile
│** ├── openssl-0.9.6.cnf.gz
│** ├── openssl.cnf
│** ├── pkitool
│** ├── README.gz
│** ├── revoke-full
│** ├── sign-req
│** ├── vars
│** └── whichopensslcnf
├── openvpn.log
├── openvpn-status.log
├── server.conf
└── update-resolv-conf
클라이언트 측에서:
[login@hoteclient openvpn]$ tree
.
|-- easy-rsa
| |-- 1.0
| | |-- build-ca
| | |-- build-dh
| | |-- build-inter
| | |-- build-key
| | |-- build-key-pass
| | |-- build-key-pkcs12
| | |-- build-key-server
| | |-- build-req
| | |-- build-req-pass
| | |-- clean-all
| | |-- list-crl
| | |-- make-crl
| | |-- openssl.cnf
| | |-- README
| | |-- revoke-crt
| | |-- revoke-full
| | |-- sign-req
| | `-- vars
| `-- 2.0
| |-- build-ca
| |-- build-dh
| |-- build-inter
| |-- build-key
| |-- build-key-pass
| |-- build-key-pkcs12
| |-- build-key-server
| |-- build-req
| |-- build-req-pass
| |-- clean-all
| |-- inherit-inter
| |-- keys [error opening dir]
| |-- list-crl
| |-- Makefile
| |-- openssl-0.9.6.cnf
| |-- openssl-0.9.8.cnf
| |-- openssl-1.0.0.cnf
| |-- pkitool
| |-- README
| |-- revoke-full
| |-- sign-req
| |-- vars
| `-- whichopensslcnf
|-- keys -> ./easy-rsa/2.0/keys/
`-- server.conf
cipher AES-128-CBCUDP 문제의 원인 proto tcp-client이나 Fedora17의 인터페이스 또는 p255p1파일 확인을 찾을 수 없습니까?ta.key
답변1
먼저 해당 파일에 대한 권한을 /home/login/client/client.key그룹이나 다른 사람이 접근할 수 없도록 변경해야 합니다.
chmod 400 /home/login/client/client.key
그런 다음 설명을 따르십시오.여기클라이언트가 올바른 서버에 연결되어 있고 중간자 공격이 불가능한지 확인하는 방법을 구현해야 합니다.
답변2
다음은 심각하게 받아들여야 할 OpenVPN의 문제 및 경고의 전체 목록입니다. 하지만 경고만 있을 뿐 연결 문제의 원인은 없습니다. NetworkManager의 openvpn 플러그인이 UDP를 사용하여 연결을 시도하고 있습니다. 귀하의 client.conf가 실제 클라이언트 구성과 어떤 관련이 있는지 모르겠습니다. VPN 설정을 NetworkManager로 가져오는 데 사용됩니까?
그럼에도 불구하고 VPN 연결 프로필의 고급 설정 대화 상자에서 TCP 연결 확인란을 선택해야 합니다.
클라이언트 또는 서버 측에서 tls-auth를 사용하지 않는 것 같으므로 ta.key 파일이 누락되어서는 안 됩니다(그러나 tls-auth를 사용하는 것이 좋습니다).
비밀번호는 양쪽에서 동일한 것으로 나타나므로 문제가 되지 않습니다.
나는 정말추천도착하다서버 인증서 확인몰릭스가 말했듯이.
답변3
No server certificate verification method has been enabled경고를 표시하지 않으려면 extendedKeyUsage올바른 확장자를 사용하여 클라이언트 및 서버 인증서를 생성하고 이를 remote-cert-tls server클라이언트의 openvpn.conf.
CA에 두 개의 섹션을 추가합니다 openssl.cnf.
[server_cert]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[client_cert]
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
다음과 같이 CA에서 서버 인증서에 서명합니다.
openssl ca -config openssl.cnf -extensions server_cert -notext -md sha256 -in csr.pem -out cert.pem
다음과 같이 클라이언트 인증서에 서명합니다.
openssl ca -config openssl.cnf -extensions client_cert -notext -md sha256 -in csr.pem -out cert.pem
그런 다음 클라이언트에 openvpn.cnf다음 줄을 추가합니다 .
remote-cert-tls server
그리고 openvpn 서비스를 다시 시작하세요.