[ETC] OpenVPN 을 통한 Cloud 내부망 서버 접속

 

 

[설치 전 사전 환경 점검]

Cloud Platform : AWS
OpenVPN Server : EC2 (t2.micro), Public Subnet, EIP, root access, Amazon-Linux 2
Disk volume : 8GB

※ OpenVPN 클라이언트에서 OpenVPN 서버와 연결 시, 계정/패스워드를 입력할 수 있으나, 해당 구성에서는 제외함.
   보안 관련 : OS접속용 PPK파일, Openvpn서버로 연결되는 UDP 1194 source IP 제어로 보안 제어

# cat /etc/os-release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"

epel-release 패키지 인스톨이 필요하나, yum install 로는 안되고 아래 명령어로 수행해야 한다고 함.
# sudo amazon-linux-extras install epel

# sudo yum install epel-release

​

Loaded plugins: extras_suggestions, langpacks, priorities, update-motd

No package openvpn available.

Error: Nothing to do

[root@openvpn openvpn]# yum install epel-release

Loaded plugins: extras_suggestions, langpacks, priorities, update-motd

No package epel-release available.

Error: Nothing to do

​

epel-release is available in Amazon Linux Extra topic "epel"

​

To use, run

# sudo amazon-linux-extras install epel

​

Learn more at

https://aws.amazon.com/amazon-linux-2/faqs/#Amazon_Linux_Extras

[OpenVPN 구성]

1. OpenVPN 설치 및 EasyRSA v3 다운로드

# yum -y install openvpn
# cd /etc/openvpn/
# wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz
# tar -xf EasyRSA-unix-v3.0.6.tgz
# mv EasyRSA-v3.0.6/ easy-rsa/; rm -f EasyRSA-unix-v3.0.6.tgz

2. EasyRSA v3 구성

# cd /etc/openvpn/easy-rsa/
# vim vars

set_var EASYRSA                 "$PWD"
set_var EASYRSA_PKI             "$EASYRSA/pki"
set_var EASYRSA_DN              "cn_only"
set_var EASYRSA_REQ_COUNTRY     "Ko-kr"
set_var EASYRSA_REQ_PROVINCE    "Seoul"
set_var EASYRSA_REQ_CITY        "Seoul"
set_var EASYRSA_REQ_ORG         "infraboy CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL       "infraboy@email.com"
set_var EASYRSA_REQ_OU          "infraboy EASY CA"
set_var EASYRSA_KEY_SIZE        2048
set_var EASYRSA_ALGO            rsa
set_var EASYRSA_CA_EXPIRE       7500
set_var EASYRSA_CERT_EXPIRE     365
set_var EASYRSA_NS_SUPPORT      "no"
set_var EASYRSA_NS_COMMENT      "Infraboy CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR         "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF        "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST          "sha256"

# chmod +x vars

 

3. OpenVPN Key 구성

​- CA 초기화 및 빌드

# cd /etc/openvpn/easy-rsa
# ./easyrsa init-pki
# ./easyrsa build-ca
  ## 초기화 할 때 CA 패스워드를 지정해야 함. (패스워드 기억필수)

- Server Key 빌드

# ./easyrsa gen-req openvpn-server nopass
# ./easyrsa sign-req server openvpn-server
# openssl verify -CAfile pki/ca.crt pki/issued/openvpn-server.crt

=> [결과확인] pki/issued/openvpn-server.crt: OK

위 파일들은 /etc/openvpn/easy-rsa/pki/ 경로에 저장

​- Client Key 빌드

# ./easyrsa gen-req client1 nopass
# ./easyrsa sign-req client client1
  => Confirm request details : yes   << yes 입력
# openssl verify -CAfile pki/ca.crt pki/issued/client1.crt

- Diffie-Hellman Key 빌드

# ./easyrsa gen-dh

- Certificate 파일 복사 to /etc/openvpn/server/

# cp pki/ca.crt /etc/openvpn/server/
# cp pki/issued/openvpn-server.crt /etc/openvpn/server/
# cp pki/private/openvpn-server.key /etc/openvpn/server/
# cp pki/ca.crt /etc/openvpn/client/
# cp pki/issued/client1.crt /etc/openvpn/client/
# cp pki/private/client1.key /etc/openvpn/client/
# cp pki/dh.pem /etc/openvpn/server/

# ls /etc/openvpn/server/
# ls /etc/openvpn/client/

 

4. OpenVPN 구성

# cd /etc/openvpn/server/
# vim server.conf

아래 내용 복붙!

# OpenVPN Port, Protocol, and the Tun
port 1194
proto udp
dev tun

# OpenVPN Server Certificate - CA, server key and certificate
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/openvpn-server.crt
key /etc/openvpn/server/openvpn-server.key

#DH and CRL key
dh /etc/openvpn/server/dh.pem
#crl-verify /etc/openvpn/server/crl.pem

# Network Configuration - Internal network
# Redirect all Connection through OpenVPN Server
# 이게 Client들이 할당받을 IP대역입니다. VPC대역과 무관해도 됨
server 10.5.0.0 255.255.255.0
push "redirect-gateway def1"

# Using the DNS from https://dns.watch
push "dhcp-option DNS 84.200.69.80"
push "dhcp-option DNS 84.200.70.40"

#Enable multiple clients to connect with the same certificate key
duplicate-cn

# TLS Security
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache

# Other Configuration
keepalive 20 60
persist-key
persist-tun
compress lz4
daemon
user nobody
group nobody

# OpenVPN Log
log-append /var/log/openvpn.log
verb 3

5. 포트-포워딩(Port-Forwarding) 및 라우팅 설정

# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
# sysctl -p
net.ipv4.ip_forward = 1

(Optional) 방화벽 설정 ; 방화벽(Firewall 이 enable 상태일 경우 수행합니다.)

# firewall-cmd --permanent --add-service=openvpn
# firewall-cmd --permanent --zone=trusted --add-service=openvpn
# firewall-cmd --permanent --zone=trusted --add-interface=tun0
# firewall-cmd --permanent --add-masquerade
# SERVERIP=$(ip route get 1.1.1.1 | awk 'NR==1 {print $(NF-2)}')
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s  10.5.0.0/24 -o $SERVERIP -j MASQUERADE
# firewall-cmd --reload

6. OpenVPN 서버 기동 (Start)

# systemctl start openvpn-server@server
# systemctl enable openvpn-server@server
# netstat -plntu
# systemctl status openvpn-server@server

7. Public Subnet > Private Subnet 라우팅 되도록 추가 설정

# iptables -t nat -A POSTROUTING -s $VPN_CIDR -o eth0 -j MASQUERADE
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables-save > /etc/iptables.conf
# RC_LOCAL_TEST=`cat /etc/rc.local | grep "iptables-restore" | wc -c`
# if [ $[RC_LOCAL_TEST] -lt 10 ];then echo "iptables-restore < /etc/iptables.conf" >> /etc/rc.local; fi
# systemctl restart openvpn-server@server

 

8. 이제 Client를 위한 OpenVPN 구성

# cd /etc/openvpn/client
# vim client01.ovpn

아래 내용 복사 후 붙여넣기! remote xxx.xxx.xxx.xxx 에 OpenVPN 공인IP(EIP) 할당

client
dev tun
proto udp

#아래 remote IP 주소는 OpenVPN 서버 EIP!!
remote xxx.xxx.xxx.xxx 1194

ca ca.crt
cert client1.crt
key client1.key

cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3

- 이제 Client 인증서 파일이 포함된 폴더 전체를 압축하여 사용자PC로 가져가자. (WinSCP 사용)

# cd /etc/openvpn/
# tar -cvf /tmp/client1.tar.gz client/
# cd /tmp/

9. Windows 사용자 PC에서 설정

- OpenVPN 사용자용 Client 다운로드 후 설치
https://openvpn.net/community-downloads/

Community Downloads | OpenVPN

- 압축받은 파일 압축해제 하고, C:\Program Files\OpenVPn\config\ 하위 경로에 넣어주자.
- 트레이 아이콘쪽 OpenVPN아이콘 우클릭 후 "연결"

 

 

퍼블릭 클라우드의 서버(VM, EC2, PaaS DB)에 Private IP주소로 접속이 가능함.
단, UDP 1194가 열려있어야 합니다. ​

 

- 끝 -