{"id":4848,"date":"2017-02-17T19:07:20","date_gmt":"2017-02-17T10:07:20","guid":{"rendered":"https:\/\/snowland.net\/wp\/?p=4848"},"modified":"2019-01-09T09:57:40","modified_gmt":"2019-01-09T00:57:40","slug":"er-x-openvpn-server","status":"publish","type":"post","link":"https:\/\/snowland.net\/wp\/2017\/02\/17\/er-x-openvpn-server\/","title":{"rendered":"EdgeRouter X\u3092OpenVPN\u30b5\u30fc\u30d0\u30fc\u306b\u3059\u308b"},"content":{"rendered":"

\"\"<\/a><\/p>\n

EdgeRouterX\u3092\u5165\u624b\u3057\u307e\u3057\u305f\u3002
VPN\u3092\u8a2d\u5b9a\u3057\u307e\u3059\u3002
L2TP\/IPsec\u3067\u3082\u3044\u3044\u3093\u3067\u3059\u304c\u3001\u4ed6\u306e\u30d7\u30e9\u30c3\u30c8\u30d5\u30a9\u30fc\u30e0\u3067\u3082\u4f7f\u3063\u3066\u308b\u306e\u3067OpenVPN\u306b\u3057\u305f\u3044\u3002<\/p>\n

ubnt\u306b\u30b5\u30a4\u30c8\u306b\u306fsite-to-site\u3068\u304bER-X\u540c\u58eb\u306eserver-client\u3057\u304b\u66f8\u3044\u3066\u306a\u304b\u3063\u305f\u304c\u3001
\u8003\u3048\u3066\u307f\u308c\u3070server-client\u306eclient\u5074\u306f\u4ed6\u306e\u7aef\u672b\u3067\u3082\u826f\u3044\u306f\u305a\u3002<\/p>\n

\u2026\u3068\u4f5c\u696d\u3057\u30661\u56de\u76ee\u306f\u300c\u7e4b\u304c\u308b\u306e\u306b\u901a\u4fe1\u3067\u304d\u306a\u3044\u300d\u72b6\u614b\u3067\u8ae6\u3081\u3002
\u6539\u3081\u3066\u4f5c\u696d\u3057\u305f\u3089\u3042\u3063\u3055\u308a\u3064\u306a\u304c\u3063\u305f\u3002<\/p>\n

ER-X\u306feth0\u304b\u3089PPPoE\u3067WAN\u3078\u3002
eth1\uff5eeth4\u306f\u5185\u90e8\u7684\u306bswitch0\u306b\u63a5\u7d9a\u3001switch0\u306fproxyarp\u3092on\u306b\u3002<\/p>\n

LAN\u306f192.168.64.0\/24\u3001OpenVPN\u5074\u3092192.168.65.0\/24\u306b\u3059\u308b\u5185\u5bb9\u3067<\/p>\n

\n


\n# ssh\u3067ER-X\u306b\u30ed\u30b0\u30a4\u30f3
\nsudo su
\ncd \/usr\/lib\/ssl\/misc
\n# CA\u4f5c\u6210
\n.\/CA.sh -newca<\/code><\/p>\n

<\/code><\/code><\/p>\n

# server\u7528\u306e\u9375\u4f5c\u6210
.\/CA.sh -newreq
.\/CA.sh -sign<\/p>\n

<\/code><\/code><\/p>\n

cp demoCA\/cacert.pem demoCA\/private\/cakey.pem \/config\/auth\/
mv newcert.pem \/config\/auth\/server.pem
mv newkey.pem \/config\/auth\/server.key
openssl rsa -in \/config\/auth\/server.key -out \/config\/auth\/server-nopass.key<\/p>\n

<\/code><\/code><\/p>\n

openssl dhparam -out \/config\/auth\/dhp.pem -2 1024<\/p>\n

<\/code><\/code><\/p>\n

# client\u7528\u306e\u9375\u4f5c\u6210\u3002hostname\u304cserver\u3084\u4ed6\u306eclient\u3068\u304b\u3076\u3089\u306a\u3044\u3088\u3046\u306b\u3059\u308b
.\/CA.sh -newreq
.\/CA.sh -sign
mv newcert.pem client1.pem
mv newkey.pem client1.key
openssl rsa -in client1.key -out client1-nopass.key
# \u2191\u30af\u30e9\u30a4\u30a2\u30f3\u30c82\u3064\u76ee\u4ee5\u964d\u306f\u3053\u3053\u3092\u7e70\u308a\u8fd4\u3057<\/p>\n

<\/code><\/code><\/p>\n

# client\u306b client1(-nopass).key,client1.pem,cacert.pem \u3092\u30b3\u30d4\u30fc<\/p>\n

<\/code><\/code><\/p>\n

# EdgeRouterX\u306e\u8a2d\u5b9a
—-
configure<\/p>\n

<\/code><\/code><\/p>\n

edit interfaces openvpn vtun0
set mode server
set server subnet 192.168.65.0\/24
set tls ca-cert-file \/config\/auth\/cacert.pem
set tls cert-file \/config\/auth\/server.pem
set tls key-file \/config\/auth\/server-nopass.key
set tls dh-file \/config\/auth\/dhp.pem<\/p>\n

<\/code><\/code><\/p>\n

# \u30eb\u30fc\u30c6\u30a3\u30f3\u30b0\u60c5\u5831\u306epush
set server push-route 192.168.64.0\/24<\/p>\n

<\/code><\/code><\/p>\n

# \u4e0b\u8a18\u306f\u7121\u304f\u3066\u3082\u7e4b\u304c\u308b\u3051\u3069\u3044\u3064\u3082\u5165\u308c\u3066\u308b
## openvpn-option\u3092\u30c0\u30d6\u30eb\u30af\u30aa\u30fc\u30c8\u3067\u56f2\u3093\u3060\u308a
## –comp-lzo\u307f\u305f\u3044\u306b\u30cf\u30a4\u30d5\u30f3\u4ed8\u3051\u305f\u308a\u3059\u308b\u306e\u306f\u4f55\u304b\u9055\u3044\u304c\u3042\u308b\u306e\u304b\uff1f\uff08\u8abf\u3079\u306a\u304d\u3083\uff09
set openvpn-option comp-lzo
set openvpn-option persist-key
set openvpn-option persist-tun
# LAN\u5074\u306eDNS\u3092push\u3059\u308b
# LAN\u5074\u3067\u5225\u306e\u30ed\u30fc\u30ab\u30ebDNS\u304c\u3042\u308b\u74b0\u5883\u306a\u306e\u3067\u305d\u308c\u3092\u6307\u5b9a(2019-01-09\u8ffd\u8a18)
set server name-server 192.168.64.2
set openvpn-option “dhcp-option DNS 192.168.64.2”
set openvpn-option “dhcp-option DOMAIN localdomain”<\/p>\n

<\/code><\/code><\/p>\n

# OpenVPN\u5411\u3051\u306eFirewall\u8a2d\u5b9a
top<\/p>\n

<\/code><\/code><\/p>\n

edit firewall name WAN_LOCAL rule 1
set description OpenVPN
set action accept
set destination port 1194
set log disable
set protocol udp<\/p>\n

<\/code><\/code><\/p>\n

# \u4fdd\u5b58
commit
save
exit
—-<\/p>\n


\n<\/code><\/p>\n

# client\u306bovpn\u30d5\u30a1\u30a4\u30eb\u3092\u4f5c\u308b
\n----
\nclient
\ndev tun
\nproto udp
\nremote erx.example.com 1194
\nresolv-retry infinite
\nnobind
\npersist-key
\npersist-tun
\nverb 3
\nca cacert.pem
\ncert client1.pem
\nkey client1-nopass.key
\n----
\n<\/code><\/p>\n<\/blockquote>\n

\u3053\u308c\u3067\u3068\u308a\u3042\u3048\u305a\u7e4b\u304c\u3063\u305f\u3002
ta.key\u3068\u304btls-cipher\u306e\u8a2d\u5b9a\u3092\u8ffd\u52a0\u3057\u3066\u3088\u308a\u5f37\u56fa\u306b\u3057\u305f\u3044\u304c\u3001\u307e\u305f\u5f8c\u65e5\u3002<\/p>\n\n\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

EdgeRouterX\u3092\u5165\u624b\u3057\u307e\u3057\u305f\u3002VPN\u3092\u8a2d\u5b9a\u3057\u307e\u3059\u3002L2TP\/IPsec\u3067\u3082\u3044\u3044\u3093\u3067\u3059\u304c\u3001\u4ed6\u306e\u30d7\u30e9\u30c3\u30c8\u30d5\u30a9\u30fc\u30e0\u3067\u3082\u4f7f\u3063\u3066\u308b\u306e\u3067OpenVPN\u306b\u3057\u305f\u3044\u3002 ubnt\u306b\u30b5\u30a4\u30c8\u306b\u306fsite-to-site\u3068\u304bER-X\u540c\u58eb\u306e … \u7d9a\u304d\u3092\u8aad\u3080 →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[7,8],"tags":[],"class_list":["post-4848","post","type-post","status-publish","format-standard","hentry","category-comtech","category-server"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p6zwpu-1gc","_links":{"self":[{"href":"https:\/\/snowland.net\/wp\/wp-json\/wp\/v2\/posts\/4848","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/snowland.net\/wp\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/snowland.net\/wp\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/snowland.net\/wp\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/snowland.net\/wp\/wp-json\/wp\/v2\/comments?post=4848"}],"version-history":[{"count":5,"href":"https:\/\/snowland.net\/wp\/wp-json\/wp\/v2\/posts\/4848\/revisions"}],"predecessor-version":[{"id":6171,"href":"https:\/\/snowland.net\/wp\/wp-json\/wp\/v2\/posts\/4848\/revisions\/6171"}],"wp:attachment":[{"href":"https:\/\/snowland.net\/wp\/wp-json\/wp\/v2\/media?parent=4848"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/snowland.net\/wp\/wp-json\/wp\/v2\/categories?post=4848"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/snowland.net\/wp\/wp-json\/wp\/v2\/tags?post=4848"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}