
[ETC] Reaching servers on a cloud private network through OpenVPN

인프라보이 2020. 4. 27. 10:16

[Pre-installation environment check]

Cloud Platform : AWS
OpenVPN Server : EC2 (t2.micro), Public Subnet, EIP, root access, Amazon Linux 2
Disk volume : 8GB

※ The OpenVPN client can additionally be made to enter a username/password when it connects to the OpenVPN server, but that is left out of this setup.
   Security: access is controlled by the PPK key file used for OS login and by restricting which source IPs may reach UDP 1194 on the OpenVPN server.

# cat /etc/os-release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"

The epel-release package is needed first, but it cannot be installed with a plain yum install; on Amazon Linux 2 it apparently has to be done with amazon-linux-extras. Trying yum directly fails for both openvpn and epel-release, and yum itself prints the command to use:

# yum install openvpn
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
No package openvpn available.
Error: Nothing to do

[root@openvpn openvpn]# yum install epel-release
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
No package epel-release available.
Error: Nothing to do

epel-release is available in Amazon Linux Extra topic "epel"

To use, run
# sudo amazon-linux-extras install epel

Learn more at
https://aws.amazon.com/amazon-linux-2/faqs/#Amazon_Linux_Extras

So enable the EPEL topic first:

# sudo amazon-linux-extras install epel

[OpenVPN setup]

1. Install OpenVPN and download EasyRSA v3

# yum -y install openvpn
# cd /etc/openvpn/
# wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz
# tar -xf EasyRSA-unix-v3.0.6.tgz
# mv EasyRSA-v3.0.6/ easy-rsa/; rm -f EasyRSA-unix-v3.0.6.tgz

2. Configure EasyRSA v3

# cd /etc/openvpn/easy-rsa/
# vim vars
set_var EASYRSA                 "$PWD"
set_var EASYRSA_PKI             "$EASYRSA/pki"
set_var EASYRSA_DN              "cn_only"
# The EASYRSA_REQ_* fields are only used when EASYRSA_DN is "org"; with "cn_only" only the CN is asked for
set_var EASYRSA_REQ_COUNTRY     "KR"   # countryName must be a 2-letter ISO code
set_var EASYRSA_REQ_PROVINCE    "Seoul"
set_var EASYRSA_REQ_CITY        "Seoul"
set_var EASYRSA_REQ_ORG         "infraboy CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL       "infraboy@email.com"
set_var EASYRSA_REQ_OU          "infraboy EASY CA"
set_var EASYRSA_KEY_SIZE        2048
set_var EASYRSA_ALGO            rsa
set_var EASYRSA_CA_EXPIRE       7500
set_var EASYRSA_CERT_EXPIRE     365
set_var EASYRSA_NS_SUPPORT      "no"
set_var EASYRSA_NS_COMMENT      "Infraboy CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR         "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF        "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST          "sha256"
# chmod +x vars

3. Build the OpenVPN keys

- Initialize the PKI and build the CA

# cd /etc/openvpn/easy-rsa
# ./easyrsa init-pki
# ./easyrsa build-ca
  ## A CA passphrase has to be chosen at this point (build-ca prompts for it); do not lose it.

- Build the server key and certificate

# ./easyrsa gen-req openvpn-server nopass
# ./easyrsa sign-req server openvpn-server
# openssl verify -CAfile pki/ca.crt pki/issued/openvpn-server.crt

=> [Check the result] pki/issued/openvpn-server.crt: OK

The files above are stored under /etc/openvpn/easy-rsa/pki/

- Build the client key and certificate

# ./easyrsa gen-req client1 nopass
# ./easyrsa sign-req client client1
  => Confirm request details : yes   << type yes
# openssl verify -CAfile pki/ca.crt pki/issued/client1.crt

- Build the Diffie-Hellman parameters (dh.pem)

# ./easyrsa gen-dh

- Copy the certificate files to /etc/openvpn/server/ (server side) and /etc/openvpn/client/ (client bundle)

# cp pki/ca.crt /etc/openvpn/server/
# cp pki/issued/openvpn-server.crt /etc/openvpn/server/
# cp pki/private/openvpn-server.key /etc/openvpn/server/
# cp pki/ca.crt /etc/openvpn/client/
# cp pki/issued/client1.crt /etc/openvpn/client/
# cp pki/private/client1.key /etc/openvpn/client/
# cp pki/dh.pem /etc/openvpn/server/

# ls /etc/openvpn/server/
# ls /etc/openvpn/client/
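To see what the server/client split in the two sign-req steps actually enforces, here is an added example that is not part of the original post or of EasyRSA: it builds a throwaway CA, a server certificate and a client certificate with plain openssl, applying the same keyUsage/extendedKeyUsage profiles that EasyRSA's server and client certificate types apply, and then checks every certificate against each purpose with openssl verify. The names (Demo CA, openvpn-server, client1), the 30-day lifetimes and the temp directory are demo placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or from EasyRSA: a throwaway PKI
# built with plain openssl that mirrors the steps above (CA, a request signed
# as a "server", a request signed as a "client"), followed by the check that
# the server/client distinction makes possible. Names, lifetimes and the temp
# directory are demo placeholders.

# demo_pki: creates the PKI in a temp dir and prints the dir path
demo_pki() {
    dir=$(mktemp -d) || return 1
    # Minimal OpenSSL config. server_ext / client_ext carry the same
    # keyUsage/extendedKeyUsage that EasyRSA's x509-types/server and
    # x509-types/client apply on "sign-req server" / "sign-req client".
    cat > "$dir/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = Demo CA
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
    # CA, like "easyrsa build-ca" (no passphrase here, unlike the post)
    openssl req -new -x509 -config "$dir/demo.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 30 >/dev/null 2>&1 || return 1
    # Requests, like "easyrsa gen-req <name> nopass"
    for name in openvpn-server client1; do
        openssl req -new -config "$dir/demo.cnf" -subj "/CN=$name" -newkey rsa:2048 -nodes \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1 || return 1
    done
    # Signing, like "easyrsa sign-req server openvpn-server" / "sign-req client client1"
    openssl x509 -req -in "$dir/openvpn-server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/demo.cnf" -extensions server_ext \
        -out "$dir/openvpn-server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/client1.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/demo.cnf" -extensions client_ext \
        -out "$dir/client1.crt" >/dev/null 2>&1 || return 1
    echo "$dir"
}

# cert_ok_for DIR PURPOSE CERT: succeeds only if CERT chains to the CA *and*
# its extendedKeyUsage allows PURPOSE (sslserver or sslclient). This is the
# EKU test an OpenVPN client performs when "remote-cert-tls server" is set.
cert_ok_for() {
    openssl verify -CAfile "$1/ca.crt" -purpose "$2" "$1/$3" >/dev/null 2>&1
}

# Stand-alone run: three verdicts, then clean up
if d=$(demo_pki); then
    for pair in "sslserver openvpn-server.crt" "sslclient client1.crt" "sslserver client1.crt"; do
        set -- $pair
        if cert_ok_for "$d" "$1" "$2"; then echo "OK    $2 verifies as $1"; else echo "FAIL  $2 verifies as $1"; fi
    done
    rm -rf "$d"
else
    echo "openssl not available or PKI build failed" >&2
fi
```

The third verdict is the interesting one: client1.crt fails verification as a server even though the same CA signed it. An OpenVPN client only applies that check when its configuration contains remote-cert-tls server; without it, any certificate the CA ever issued, a client's included, is accepted as the server.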

4. Configure the OpenVPN server (server.conf)

# cd /etc/openvpn/server/
# vim server.conf

Paste in the following:

# OpenVPN Port, Protocol, and the Tun
port 1194
proto udp
dev tun

# OpenVPN Server Certificate - CA, server key and certificate
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/openvpn-server.crt
key /etc/openvpn/server/openvpn-server.key

#DH and CRL key
dh /etc/openvpn/server/dh.pem
#crl-verify /etc/openvpn/server/crl.pem

# Network Configuration - Internal network
# Redirect all Connection through OpenVPN Server
# This is the address range the clients will be assigned; it does not need to relate to the VPC range
server 10.5.0.0 255.255.255.0
push "redirect-gateway def1"

# Using the DNS from https://dns.watch
push "dhcp-option DNS 84.200.69.80"
push "dhcp-option DNS 84.200.70.40"

#Enable multiple clients to connect with the same certificate key
duplicate-cn

# TLS Security
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache

# Other Configuration
keepalive 20 60
persist-key
persist-tun
compress lz4
daemon
user nobody
group nobody

# OpenVPN Log
log-append /var/log/openvpn.log
verb 3

5. IP forwarding ("port-forwarding") and routing settings

# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
# sysctl -p
net.ipv4.ip_forward = 1

(Optional) Firewall settings; only needed if the firewall (firewalld) is enabled.

# firewall-cmd --permanent --add-service=openvpn
# firewall-cmd --permanent --zone=trusted --add-service=openvpn
# firewall-cmd --permanent --zone=trusted --add-interface=tun0
# firewall-cmd --permanent --add-masquerade
# SERVERIF=$(ip route get 1.1.1.1 | awk '{for (i = 1; i <= NF; i++) if ($i == "dev") {print $(i+1); exit}}')
# firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.5.0.0/24 -o "$SERVERIF" -j MASQUERADE
# firewall-cmd --reload

The -o argument of the NAT rule is the name of the egress interface (eth0 on EC2), not the server's IP address; the ip route line reads it from the route towards an outside address.

6. Start the OpenVPN server

# systemctl start openvpn-server@server
# systemctl enable openvpn-server@server
# netstat -plntu
# systemctl status openvpn-server@server

7. Additional settings so that traffic is routed from the public subnet on to the private subnet

# VPN_CIDR=10.5.0.0/24
# iptables -t nat -A POSTROUTING -s $VPN_CIDR -o eth0 -j MASQUERADE
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables-save > /etc/iptables.conf
# grep -q "iptables-restore" /etc/rc.local || echo "iptables-restore < /etc/iptables.conf" >> /etc/rc.local
# chmod +x /etc/rc.d/rc.local
# systemctl restart openvpn-server@server

VPN_CIDR is the range handed out by the "server" line in server.conf. The second rule masquerades everything leaving eth0, not only VPN traffic, so the first, CIDR-scoped rule is redundant while both are present; keep only the scoped one if NAT should apply to VPN clients alone. On Amazon Linux 2, /etc/rc.local is a symlink to /etc/rc.d/rc.local, which only runs at boot when it is executable, hence the chmod.
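An added example (not part of the original post) that checks what steps 5 and 7 are supposed to leave behind, using only sh, awk and grep: feed it the output of sysctl net.ipv4.ip_forward and of iptables-save -t nat. The sysctl line and nat table embedded at the bottom are constructed to match the commands above; the CIDR 10.5.0.0/24 and the interface eth0 are the post's own values.

```shell
#!/bin/sh
# Added example, not from the original post: verifies the forwarding/NAT state
# the steps above should produce. Reads command output on stdin so it can also
# be run against saved output without root. Sample data below is constructed.

# check_ip_forward: reads "net.ipv4.ip_forward = N" on stdin, prints OK/WARN
check_ip_forward() {
    v=$(awk -F'= *' '/^net\.ipv4\.ip_forward/ {print $2; exit}')
    if [ "$v" = "1" ]; then
        echo "OK: ip_forward=1"
    else
        echo "WARN: ip_forward=${v:-unset}; packets from tun0 will not be forwarded"
    fi
}

# check_vpn_nat VPN_CIDR IFACE: reads "iptables-save -t nat" output on stdin
check_vpn_nat() {
    rules=$(cat)
    want="-A POSTROUTING -s $1 -o $2 -j MASQUERADE"
    # Exact-line match on the rule scoped to the VPN range
    if printf '%s\n' "$rules" | grep -Fxq -- "$want"; then
        echo "OK: scoped masquerade for $1 via $2"
    else
        echo "MISSING: $want"
    fi
    # A POSTROUTING rule with no -s NATs every forwarded source, not just VPN clients
    n=$(printf '%s\n' "$rules" | grep -Ec '^-A POSTROUTING -o [^ ]+ -j MASQUERADE$' || true)
    [ "$n" -gt 0 ] && echo "WARN: $n catch-all masquerade rule(s); all forwarded traffic is NATed, not only $1"
    return 0
}

# Constructed samples matching the post's sysctl and iptables commands
sample_sysctl() { echo "net.ipv4.ip_forward = 1"; }
sample_nat_table() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.5.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Stand-alone run against the samples. On the server itself use:
#   sysctl net.ipv4.ip_forward | check_ip_forward
#   iptables-save -t nat | check_vpn_nat 10.5.0.0/24 eth0
sample_sysctl | check_ip_forward
sample_nat_table | check_vpn_nat 10.5.0.0/24 eth0
```

With the post's two rules in place the script reports the scoped rule as present and the catch-all rule as a warning, which is the state to expect after step 7 as written.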

8. Now the client-side OpenVPN configuration

# cd /etc/openvpn/client
# vim client01.ovpn

Copy and paste the following; replace remote xxx.xxx.xxx.xxx with the OpenVPN server's public IP (EIP).

client
dev tun
proto udp

# The remote IP address below is the OpenVPN server's EIP!!
remote xxx.xxx.xxx.xxx 1194

ca ca.crt
cert client1.crt
key client1.key

cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
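Both the server.conf from step 4 and the client .ovpn above can be reviewed with the following added example, which is not part of the original post: a small sh script that reads a config on stdin and flags the settings a reviewer would question (no tls-auth/tls-crypt on the control channel, compression enabled, duplicate-cn, crl-verify commented out, no remote-cert-tls server on the client side). The directives it looks for are standard OpenVPN directives; the two sample configs at the end are constructed copies of the post's settings so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: a dependency-free review of an
# OpenVPN server.conf or client .ovpn. Reads the config on stdin and prints
# one line per finding:
#   WARN - a setting a reviewer would want changed before relying on the VPN
#   INFO - worth knowing; not necessarily wrong for this setup
# Usage on the server: audit_openvpn_conf < /etc/openvpn/server/server.conf

audit_openvpn_conf() {
    conf=$(cat)
    # has REGEX: true if a non-comment line of the config matches REGEX
    has() { printf '%s\n' "$conf" | grep -Ev '^[[:space:]]*#' | grep -Eq "$1"; }

    if has '^[[:space:]]*client([[:space:]]|$)'; then mode=client; else mode=server; fi
    echo "mode: $mode"

    has '^[[:space:]]*tls-version-min[[:space:]]+1\.[23]' \
        || echo "WARN: no tls-version-min 1.2 (or higher); TLS 1.0/1.1 handshakes are accepted"
    has '^[[:space:]]*(tls-auth|tls-crypt)([[:space:]]|$)' \
        || echo "WARN: no tls-auth/tls-crypt; the control channel accepts packets from anyone who can reach UDP 1194"
    has '^[[:space:]]*(compress|comp-lzo)' \
        && echo "WARN: compression enabled; OpenVPN advises against it (VORACLE-style plaintext recovery)"
    has '^[[:space:]]*cipher[[:space:]]+[^ ]*-CBC' \
        && echo "INFO: CBC data cipher; AES-256-GCM is preferred on OpenVPN 2.4+"

    if [ "$mode" = server ]; then
        has '^[[:space:]]*duplicate-cn' \
            && echo "WARN: duplicate-cn; one leaked client key admits any number of clients at once"
        has '^[[:space:]]*crl-verify' \
            || echo "WARN: no crl-verify; revoking a client certificate would have no effect"
        { has '^[[:space:]]*user[[:space:]]+nobody' && has '^[[:space:]]*group[[:space:]]+nobody'; } \
            || echo "WARN: daemon keeps root privileges (no user/group nobody)"
    else
        has '^[[:space:]]*remote-cert-tls[[:space:]]+server' \
            || echo "WARN: no remote-cert-tls server; any certificate the CA issued (a client's, too) would be accepted as the server"
    fi
    return 0
}

# Constructed sample: the post's server.conf, comments removed except crl-verify
sample_server_conf() {
cat <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/openvpn-server.crt
key /etc/openvpn/server/openvpn-server.key
dh /etc/openvpn/server/dh.pem
#crl-verify /etc/openvpn/server/crl.pem
server 10.5.0.0 255.255.255.0
push "redirect-gateway def1"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
auth SHA512
keepalive 20 60
compress lz4
user nobody
group nobody
verb 3
EOF
}

# Constructed sample: the post's client .ovpn
sample_client_conf() {
cat <<'EOF'
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194
ca ca.crt
cert client1.crt
key client1.key
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
compress lz4
nobind
verb 3
EOF
}

# Stand-alone run against both samples
echo "== server.conf =="; sample_server_conf | audit_openvpn_conf
echo "== client1.ovpn =="; sample_client_conf | audit_openvpn_conf
```

Run against the post's configs the script reports four WARN lines for the server (control channel, compression, duplicate-cn, CRL) and three for the client (control channel, compression, remote-cert-tls). Each of these is addressed by a standard directive (tls-crypt on both sides, remote-cert-tls server on the client, crl-verify on the server, removing compress and duplicate-cn), which fits the post's stated model of relying on certificates plus a source-IP restriction on UDP 1194.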

- Now compress the whole folder containing the client certificate files and copy it to the user's PC (with WinSCP).

# cd /etc/openvpn/
# tar -czvf /tmp/client1.tar.gz client/
# cd /tmp/
# cd /tmp/

9. Setup on the Windows user PC

- Download and install the OpenVPN client for end users
https://openvpn.net/community-downloads/

- Extract the archive and put its contents under C:\Program Files\OpenVPN\config\.
- Right-click the OpenVPN icon in the system tray and choose "Connect".

Servers in the public cloud (VMs, EC2 instances, PaaS databases) can now be reached on their private IP addresses.
Note that UDP 1194 must be open for this to work.

- End -