컨테이너가 아닌 네이티브 설치는 다음 포스트를 참조
openVPN 서버구축 #1. 개요
openVPN 서버구축 #2. 서버 설치 및 설정
docker-compose.yaml 생성
version: '2'
services:
openvpn:
cap_add:
- NET_ADMIN
image: kylemanna/openvpn
container_name: openvpn
ports:
- "1194:1194/udp"
restart: always
volumes:
- ./openvpn-data/conf:/etc/openvpn #.openvpn-data/conf 디렉토리를 생성해야 한다.
설정파일 및 인증서 초기화
docker-compose run --rm openvpn ovpn_genconfig -u udp://VPN.YOUR_HOST.NAME
# 아래는 수행 결과
reating network "vpn_default" with the default driver
Pulling openvpn (kylemanna/openvpn:)...
....중략....
Creating vpn_openvpn_run ... done
Processing PUSH Config: 'block-outside-dns'
Processing Route Config: '192.168.254.0/24'
Processing PUSH Config: 'dhcp-option DNS 8.8.8.8'
Processing PUSH Config: 'dhcp-option DNS 8.8.4.4'
Processing PUSH Config: 'comp-lzo no'
Successfully generated config
Cleaning up before Exit ...
docker-compose run --rm openvpn ovpn_initpki
# 아래는 수행 결과
Creating vpn_openvpn_run ... done
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/pki
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Enter New CA Key Passphrase: CA_KEY의_Passphrase
Re-Enter New CA Key Passphrase: CA_KEY의_Passphrase
Generating RSA private key, 2048 bit long modulus (2 primes)
................................+++++
......................................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:vpn.haedongg.net
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/pki/ca.crt
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..............................................................+...........................................+..........................................................
...중략...
........................................................+..+....................+................................................................+....+..++*++*++*++*
DH parameters of size 2048 created at /etc/openvpn/pki/dh.pem
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Generating a RSA private key
.............+++++
............................+++++
writing new private key to '/etc/openvpn/pki/easy-rsa-74.akeLei/tmp.JBdIKe'
-----
Using configuration from /etc/openvpn/pki/easy-rsa-74.akeLei/tmp.BfJlok
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'vpn.haedongg.net'
Certificate is to be certified until Jul 30 00:51:51 2025 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Using configuration from /etc/openvpn/pki/easy-rsa-149.FPcifA/tmp.cjaMHC
Enter pass phrase for /etc/openvpn/pki/private/ca.key: 위_11_12_라인에서_입력했던_Passphrase
An updated CRL has been created.
CRL file: /etc/openvpn/pki/crl.pem
디렉토리 권한 변경
sudo chown -R $(whoami): ./openvpn-data
서버 프로세스 실행
docker-compose up -d openvpn
클라이언트 사용자 생성 및 인증서 생성
# 비밀번호화 함께 생성
docker-compose run --rm openvpn easyrsa build-client-full 사용자_이름
# 비밀번호 없이 생성
docker-compose run --rm openvpn easyrsa build-client-full 사용자_이름 nopass
# 인증서 파일 출력, 이 파일을 클라이언트 사용자에게 전달하면 된다.
docker-compose run --rm openvpn ovpn_getclient 사용자_이름 > 사용자_이름.ovpn
클라이언트 사용자 제거
# Keep the corresponding crt, key and req files.
docker-compose run --rm openvpn ovpn_revokeclient $CLIENTNAME
# Remove the corresponding crt, key and req files.
docker-compose run --rm openvpn ovpn_revokeclient $CLIENTNAME remove
댓글을 달려면 로그인해야 합니다.