{"id":285,"date":"2021-06-16T17:31:44","date_gmt":"2021-06-16T08:31:44","guid":{"rendered":"http:\/\/www.space4u.co.kr\/wp\/?p=285"},"modified":"2021-06-16T17:31:46","modified_gmt":"2021-06-16T08:31:46","slug":"openvpn-%ec%84%a4%ec%b9%98-on-ubuntu-18-04","status":"publish","type":"post","link":"http:\/\/www.space4u.co.kr\/wp\/?p=285","title":{"rendered":"openVPN \uc124\uce58 (on Ubuntu 18.04)"},"content":{"rendered":"\n

iptime \uacf5\uc720\uae30\uc640 \uc6b0\ubd84\ud22c\uc5d0 openVPN\uc744 \uc124\uce58\ud574\uc11c VPN \uc11c\ubc84\ub97c \ub9cc\ub4e4\uc5b4 \ubcf4\uaca0\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n

<\/p>\n\n\n\n

apt\ub97c \uc5c5\ub370\uc774\ud2b8\ud558\uace0 openvpn\uc744 \uc124\uce58\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n

$ sudo apt update\n$ sudo apt install openvpn<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\uc778\uc99d\uc11c(CA)\ub97c \uc0dd\uc131\ud560 EasyRSA\ub97c \ub2e4\uc6b4\ubc1b\uace0 \uc555\ucd95\uc744 \ud574\uc81c\ud569\ub2c8\ub2e4.
\ub2e4\uc6b4\ub85c\ub4dc \uc8fc\uc18c : https:\/\/github.com\/OpenVPN\/easy-rsa\/releases<\/p>\n\n\n\n
$ wget -P ~\/ https:\/\/github.com\/OpenVPN\/easy-rsa\/releases\/download\/v3.0.8\/EasyRSA-3.0.8.tgz\n$ tar xvf EasyRSA-3.0.8.tgz<\/pre>\n\n\n\n
<\/p>\n\n\n\n
EasyRSA\uc758 \uc124\uc815\uc815\ubcf4\ub97c \uc218\uc815\ud569\ub2c8\ub2e4.
EasyRSA-3.0.8 \ub514\ub809\ud1a0\ub9ac \uc548\uc5d0\ub294 vars.example\ub77c\ub294 \uc608\uc81c\ud30c\uc77c\uc774 \uc788\uc2b5\ub2c8\ub2e4. 
\uc774\uac78 vars\ub77c\uace0 \uc0c8\ub85c \ubcf5\uc0ac \ud55c \ud6c4 vars\uc5d0\uc11c \uc218\uc815\ud558\uaca0\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n
$ cd ~\/EasyRSA-3.0.8\/\n$ cp vars.example vars\n$ vim vars<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\uc0ac\uc6a9\uc790 \uc815\ubcf4 \ubd80\ubd84\uc774 \uc8fc\uc11d\ucc98\ub9ac (#) \ub418\uc5b4 \uc788\ub294\ub370, #\uc744 \uc9c0\uc6cc \uc8fc\uc11d\uc744 \ud574\uc81c\ud558\uace0 \ub9de\ub294 \uc815\ubcf4\ub85c \uc218\uc815\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
set_var EASYRSA_REQ_COUNTRY     \"KR\"\nset_var EASYRSA_REQ_PROVINCE    \"Seoul\"\nset_var EASYRSA_REQ_CITY        \"DongdaemoonGu\"\nset_var EASYRSA_REQ_ORG         \"My Company co.,Ltd.\"\nset_var EASYRSA_REQ_EMAIL       \"mycompany@mycompany.co.kr\"\nset_var EASYRSA_REQ_OU          \"mycompany AI Lab\"<\/pre>\n\n\n\n
<\/p>\n\n\n\n
EasyRSA-3.0.8 \ud3f4\ub354 \uc548\uc5d0\ub294 easyrsa \ud30c\uc77c\uc774 \uc788\uc2b5\ub2c8\ub2e4.
\uc774\uac78 \uc2e4\ud589\ud558\uba74 vars\uc5d0 \uc218\uc815\ud55c \uc815\ubcf4\ub85c CA \uc11c\ubc84\uac00 \uad6c\ucd95\ub429\ub2c8\ub2e4.
easyras\uc758 \ucd08\uae30\ud654 \uc635\uc158\uc778 init-pki\ub97c \ucd94\uac00\ud574 EasyRSA \uc11c\ubc84\ub97c \uad6c\ucd95\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
$ .\/easyrsa init-pki\n\nNote: using Easy-RSA configuration from: .\/vars\n\ninit-pki complete; you may now create a CA or requests.\nYour newly created PKI dir is: \/home\/ngle\/EasyRSA-3.0.8\/pki<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\uc774\uc81c easyrsa\ub85c \uc778\uc99d\uc11c\uc640 \ud0a4 \ud30c\uc77c\uc744 \uc0dd\uc131\ud569\ub2c8\ub2e4.
\ub9e4\ubc88 \ube44\ubc88\uc744 \ub123\uae30 \ubc88\uac70\ub85c\uc6b0\ubbc0\ub85c nopass \uc635\uc158\ub3c4 \uc90d\ub2c8\ub2e4.<\/p>\n\n\n\n
$ .\/easyrsa build-ca nopass<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\uba85\ub839\uc744 \uc2e4\ud589\ud558\uba74 \uc544\ub798\uc640 \uac19\uc774 Common Name\uc744 \ubb3b\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:<\/strong><\/p>\n\n\n\n
Common Name\uc740 \uc778\uc99d\uc11c\ub97c \ub9cc\ub4e4\ub54c \ucc38\uc870\ud560 \uc778\uc99d\uae30\uad00\uc744 \ub9d0\ud569\ub2c8\ub2e4.
\ud2b9\ubcc4\ud788 \uc785\ub825\ud560\uac8c \uc5c6\ub2e4\uba74 \uadf8\ub0e5 \uc5d4\ud130<\/strong>\ub97c \uce58\uace0 \ub118\uc5b4\uac11\ub2c8\ub2e4.
\uadf8\ub7f0 \uae30\ubcf8 \uc778\uc99d\uae30\uad00\uc774 \uc9c0\uc815\ub429\ub2c8\ub2e4.<\/p>\n\n\n\n
\uc774\ubc88\uc5d0\ub294 openVPN\uc5d0\uc11c \uc0ac\uc6a9\ud560 \uc778\uc99d\uc11c\uc640 key\ud30c\uc77c\uc744 \ub9cc\ub4e4\uaca0\uc2b5\ub2c8\ub2e4.
\uc774\ubc88\uc5d0\ub294gen-req \uc635\uc158\uc744 \uc8fc\uace0 \ubc14\ub85c \ub2e4\uc74c\uc5d0 \uc778\uc99d\uc11c\ub97c \uc0ac\uc6a9\ud560 \uc7a5\ube44\uc758 \uc774\ub984\uc744 \ub123\uc2b5\ub2c8\ub2e4.
\uc7a5\ube44\uc774\ub984\uc740 \uadf8\ub0e5 \uc608\uc81c\ub97c \ub530\ub77c\uc11c server\ub77c\uace0 \ud558\uaca0\uc2b5\ub2c8\ub2e4. nopass \uc635\uc158\ub3c4 \uc90d\ub2c8\ub2e4.<\/p>\n\n\n\n
$ .\/easyrsa gen-req server nopass<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\uba85\ub839\uc744 \uc2e4\ud589\ud558\uba74 \uc778\uc99d\uc11c\ub97c \uc0ac\uc6a9\ud560 \uc774\ub984\uc744 \ubb3b\uc2b5\ub2c8\ub2e4.
\uc635\uc158\uc5d0 server\ub77c\uace0 \uc92c\uae30 \ub54c\ubb38\uc5d0 \uadf8\ub0e5 \uc5d4\ud130<\/strong>\ub97c \ub204\ub974\uba74 server\ub77c\uace0 \uc0dd\uc131\ub429\ub2c8\ub2e4.<\/p>\n\n\n\n
Common Name (eg: your user, host, or server name) [server]:<\/strong><\/p>\n\n\n\n
\uacb0\uacfc\uac00 \uc544\ub798\uc640 \uac19\uc774 \ub9ac\ud134 \ub418\uc5c8\uc2b5\ub2c8\ub2e4.
Keypair and certificate request completed. Your files are:
req: \/home\/ngle\/EasyRSA-3.0.4\/pki\/reqs\/server.req
key: \/home\/ngle\/EasyRSA-3.0.4\/pki\/private\/server.key<\/p>\n\n\n\n
key \ud30c\uc77c\uacfc certificate request \ud30c\uc77c\uc774 \uc0dd\uc131\ub418\uc5c8\uc2b5\ub2c8\ub2e4.
\uc774\uc81c openVPN \ub514\ub809\ud130\ub9ac\uc5d0 key\ud30c\uc77c\uc744 \ubcf5\uc0ac\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
openVPN \ub514\ub809\ud130\ub9ac\ub294 \/etc\/openvpn\/ \uc785\ub2c8\ub2e4.<\/p>\n\n\n\n
<\/p>\n\n\n\n
$ sudo cp ~\/EasyRSA-3.0.4\/pki\/private\/server.key \/etc\/openvpn\/<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\uc774\uc81c \uc778\uc99d\uc11c \ud30c\uc77c\uc744 \ub9cc\ub4e4 \ucc28\ub840\uc785\ub2c8\ub2e4.
easyras\uc5d0 sign-req \uc635\uc158\uc744 \uc90d\ub2c8\ub2e4.
request \ud0c0\uc785\uc740 client\uc640 server\uac00 \uc788\ub294\ub370 server\ub85c \uc90d\ub2c8\ub2e4.
\uc544\ub798 \uba85\ub839\uc5d0\uc11c \uccab\ubc88\uc9f8 server\ub97c \ub9d0\ud569\ub2c8\ub2e4.
\ub9c8\uc9c0\ub9c9\uc5d0 \uc624\ub294 server\ub294 key\ud30c\uc77c\uc758 \uc774\ub984\uc785\ub2c8\ub2e4.<\/p>\n\n\n\n
$ .\/easyrsa sign-req server server<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\uba85\ub839\uc744 \uc2e4\ud589\ud558\uba74 \uc544\ub798\uc640 \uac19\uc774 \uacb0\uacfc\uac00 \ub098\ud0c0\ub0a9\ub2c8\ub2e4.<\/p>\n\n\n\n
Note: using Easy-RSA configuration from: .\/vars\n\n\nYou are about to sign the following certificate.\nPlease check over the details shown below for accuracy. Note that this request\nhas not been cryptographically verified. Please be sure it came from a trusted\nsource or that you have verified the request checksum with the sender.\n\nRequest subject, to be signed as a server certificate for 3650 days:\n\nsubject=\n    commonName                = server\n\n\nType the word 'yes' to continue, or any other input to abort.\n  Confirm request details:<\/pre>\n\n\n\n
<\/p>\n\n\n\n
Confirm request details\uc5d0 yes\ub77c\uace0 \uc785\ub825\ud558\uace0 \uc5d4\ud130\ub97c \ub204\ub985\ub2c8\ub2e4.
\uc778\uc99d\uc11c\uc758 \uc720\ud6a8\uae30\uac04\uc740 3650\uc77c \uc774\ub124\uc694.<\/p>\n\n\n\n
\uc2e4\ud589\uc774 \uc644\ub8cc\ub418\uba74 server.crt\ud30c\uc77c\uc774 \ub9cc\ub4e4\uc5b4 \uc9d1\ub2c8\ub2e4.
Certificate created at: \/home\/ngle\/EasyRSA-3.0.8\/pki\/issued\/server.crt<\/p>\n\n\n\n
\uc0dd\uc131\ub41c server.crt \ud30c\uc77c\uacfc ca.crt \ud30c\uc77c\uc744 openVPN \ud3f4\ub354\ub85c \ubcf5\uc0ac\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
$ sudo cp ~\/EasyRSA-3.0.8\/pki\/issued\/server.crt \/etc\/openvpn\/\n$ sudo cp ~\/EasyRSA-3.0.8\/pki\/ca.crt \/etc\/openvpn\/<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\uc774\uc81c Diffie-Hellman key\ub97c \ub9cc\ub4e4\uc5b4 \uc90d\ub2c8\ub2e4.<\/p>\n\n\n\n
$ .\/easyrsa gen-dh<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\uc0dd\uc131\ud55c dh.pem \ud30c\uc77c\uacfc ta.key \ud30c\uc77c\uc744 openvpn \ud3f4\ub354\ub85c \ubcf5\uc0ac\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
$ sudo cp ~\/EasyRSA-3.0.8\/ta.key \/etc\/openvpn\/\n$ sudo cp ~\/EasyRSA-3.0.8\/pki\/dh.pem \/etc\/openvpn\/<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\uc0dd\uc131\ud574\uc57c \ud560 \ud30c\uc77c\ub4e4\uc774 \ub9ce\ub124\uc694. \uc11c\ubc84\uc5d0 \ub300\ud55c \uc778\uc99d\uc11c\ub294 \uc774\uc81c \uc900\ube44\ub418\uc5c8\uc2b5\ub2c8\ub2e4.
\uc774\ubc88\uc5d4 client\uc5d0\uc11c \uc0ac\uc6a9\ud560 \uc778\uc99d\uc11c \ud30c\uc77c\uc744 \ub9cc\ub4e4\uaca0\uc2b5\ub2c8\ub2e4.
client \uc778\uc99d\uc11c\ub294 VPN \uc720\uc800 1\uba85\ub2f9 \ubc1c\uae09\ud574\uc57c \ud569\ub2c8\ub2e4.
\ub530\ub77c\uc11c vpn \uacc4\uc815\uc774 \uc5ec\ub7ec\uac1c\uc77c \uacbd\uc6b0 \uc544\ub798 \uba85\ub839\uc744 \ubc18\ubcf5\ud574\uc57c \ud569\ub2c8\ub2e4.
\uc2a4\ud06c\ub9bd\ud2b8\ub85c \uac04\ub2e8\ud788 \ub9cc\ub4e4\uc5b4 \ub193\uc73c\uba74 \uc88b\uc744 \uac83 \uac19\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n
\uba3c\uc800 client \uc778\uc99d\uc11c\ub97c \ubaa8\uc544\ub458 \ud3f4\ub354\ub97c \ud558\ub098 \ub9cc\ub4e4\uaca0\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n
$ mkdir -p ~\/client-configs\/keys\n$ chmod -R 700 ~\/client-configs<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\uc774\uc81c EasyRSA\uc5d0\uc11c vpn \uacc4\uc815\uc5d0 \ub300\ud55c \uc778\uc99d\uc11c\ub97c \ub9cc\ub4e4\uc5b4 \uc90d\ub2c8\ub2e4.
vpn \uacc4\uc815\uc744 space4u\ub85c \ud560\uac81\ub2c8\ub2e4.
\uadf8\ub7fc easyrsa \uba85\ub839\uc758 gen-req \uc635\uc158\uc5d0 space4u \ub77c\uace0 common name\uc744 \uc90d\ub2c8\ub2e4.
nopass \ub3c4 \uc635\uc158\uc5d0 \ud3ec\ud568\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
$ cd ~\/EasyRSA-3.0.8\/\n$ .\/easyrsa gen-req space4u nopass<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\uba85\ub839\uc744 \uc2e4\ud589\ud558\uba74 \uc544\ub798\uc640 \uac19\uc774 Common Name\uc744 \ub2e4\uc2dc\ud55c\ubc88 \ud655\uc778\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
Common Name (eg: your user, host, or server name) [space4u]:<\/p>\n\n\n\n
\uc5d4\ud130\ub97c \uce58\uace0 space4u\ub85c \uacc4\uc18d \uc9c4\ud589\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
Keypair \uc544 certificate request \ud30c\uc77c\uc774 \uc544\ub798\uc640 \uac19\uc774 \ub9cc\ub4e4\uc5b4 \uc84c\uc2b5\ub2c8\ub2e4.
req: \/home\/ngle\/EasyRSA-3.0.4\/pki\/reqs\/space4u.req
key: \/home\/ngle\/EasyRSA-3.0.4\/pki\/private\/space4u.key<\/p>\n\n\n\n
\uc0dd\uc131\ud55c space4u.key \ud30c\uc77c\uc744 \ud074\ub77c\uc774\uc5b8\ud2b8 keys \ud3f4\ub354(~\/client-configs\/keys)\uc5d0 \ubcf5\uc0ac\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
$ cp pki\/private\/space4u.key ~\/client-configs\/keys\/<\/pre>\n\n\n\n
<\/p>\n\n\n\n
space4u.key \ud30c\uc77c\ub85c \uc778\uc99d\uc11c\ub97c \ub9cc\ub4e4\uc5b4 \uc90d\ub2c8\ub2e4. request type\uc740 client\ub85c \uc90d\ub2c8\ub2e4.<\/p>\n\n\n\n
$ .\/easyrsa sign-req client space4u<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\ub9c8\ucc2c\uac00\uc9c0\ub85c \uc778\uc99d\uc11c\uc758 \uc815\ubcf4\uac00 \ub9de\ub294\uc9c0 \ud655\uc778\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
Note: using Easy-RSA configuration from: .\/vars\n\n\nYou are about to sign the following certificate.\nPlease check over the details shown below for accuracy. Note that this request\nhas not been cryptographically verified. Please be sure it came from a trusted\nsource or that you have verified the request checksum with the sender.\n\nRequest subject, to be signed as a client certificate for 3650 days:\n\nsubject=\n    commonName                = space4u\n\n\nType the word 'yes' to continue, or any other input to abort.\n  Confirm request details:<\/pre>\n\n\n\n
<\/p>\n\n\n\n
Confirm request details: \uc5d0 yes\ub97c \uc785\ub825\ud558\uace0 \uc5d4\ud130\ub97c \ub204\ub985\ub2c8\ub2e4.
\uadf8\ub7fc \uc544\ub798\uc640 \uac19\uc774 \uc778\uc99d\uc11c \ud30c\uc77c\uc774 \ub9cc\ub4e4\uc5b4 \uc9d1\ub2c8\ub2e4.<\/p>\n\n\n\n
Certificate created at: \/home\/ngle\/EasyRSA-3.0.4\/pki\/issued\/space4u.crt<\/p>\n\n\n\n
\ub9cc\ub4e4\uc5b4\uc9c4 \uc778\uc99d\uc11c \ud30c\uc77c(.crt)\ub3c4 \ud074\ub77c\uc774\uc5b8\ud2b8 keys \ud3f4\ub354\uc5d0 \ubcf5\uc0ac\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
$ sudo cp pki\/issued\/space4u.crt ~\/client-configs\/keys\/<\/pre>\n\n\n\n
<\/p>\n\n\n\n
ca.crt \uc640 ta.key \ud30c\uc77c\ub3c4 \ud074\ub77c\uc774\uc5b8\ud2b8 keys \ud3f4\ub354\ub85c \ubcf5\uc0ac\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
$ sudo cp ~\/EasyRSA-3.0.8\/ta.key ~\/client-configs\/keys\/\n$ sudo cp \/etc\/openvpn\/ca.crt ~\/client-configs\/keys\/<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\uc774\uc81c openVPN \uacc4\uc815\uc73c\ub85c \uc0ac\uc6a9\ud560 space4u \uacc4\uc815\uc758 \uc778\uc99d\uc11c \uc900\ube44\uac00 \ub418\uc5c8\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n
\uc774\ubc88\uc5d4 openVPN\uc5d0 \ub300\ud55c \uc124\uc815\uc785\ub2c8\ub2e4.
\uba3c\uc800 openVPN\uc5d0\uc11c \uc81c\uacf5\ud55c sample config files\ub97c \ubcf5\uc0ac\ud558\uace0 \uc555\ucd95\uc744 \ud574\uc81c\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
$ sudo cp \/usr\/share\/doc\/openvpn\/examples\/sample-config-files\/server.conf.gz \/etc\/openvpn\/\n$ sudo gzip -d \/etc\/openvpn\/server.conf.gz<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\uc555\ucd95\uc744 \ud47c server.conf \ud30c\uc77c\uc744 \uc5fd\ub2c8\ub2e4.<\/p>\n\n\n\n
$ sudo vim \/etc\/openvpn\/server.conf<\/pre>\n\n\n\n
<\/p>\n\n\n\n
HMAC Section\uc758 tls-auth\ub97c \ucc3e\uc2b5\ub2c8\ub2e4.
tls-auth ta.key 0 \uc774 \uc8fc\uc11d\uc774 \uc81c\uac70\ub418\uc5b4 \uc788\ub294\uc9c0 \ud655\uc778\ud569\ub2c8\ub2e4. \uadf8\ub9ac\uace0 \ubc14\ub85c \ubc11\uc5d0 key-direction 0\uc744 \ucd94\uac00\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
# For extra security beyond that provided\n# by SSL\/TLS, create an \"HMAC firewall\"\n# to help block DoS attacks and UDP port flooding.\n#\n# Generate with:\n#   openvpn --genkey --secret ta.key\n#\n# The server and each client must have\n# a copy of this key.\n# The second parameter should be '0'\n# on the server and '1' on the clients.\ntls-auth ta.key 0 # This file is secret\nkey-direction 0<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\ub2e4\uc74c\uc73c\ub85c cryptographic cipher Section\uc758 cipher\ub97c \ucc3e\uc2b5\ub2c8\ub2e4.
cipher AES-256-CBC\uac00 \uc8fc\uc11d\uc774 \uc81c\uac70\ub418\uc5b4 \uc788\ub294\uc9c0 \ud655\uc778\ud569\ub2c8\ub2e4. \uadf8\ub9ac\uace0 \ubc14\ub85c \ubc11\uc5d0 auth SHA256\ub97c \ucd94\uac00\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
# Select a cryptographic cipher.\n# This config item must be copied to\n# the client config file as well.\n# Note that v2.4 client\/server will automatically\n# negotiate AES-256-GCM in TLS mode.\n# See also the ncp-cipher option in the manpage\ncipher AES-256-CBC\nauth SHA256<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\uc774\ubc88\uc5d0\ub294 dh\ub97c \ucc3e\uc2b5\ub2c8\ub2e4.
dh\uc758 \ud30c\ub77c\uba54\ud130\uc5d0 dh2048.pem\uc73c\ub85c \ub418\uc5b4 \uc788\uc744 \uac83\uc785\ub2c8\ub2e4.
EasyRSA\uac00 \uc0dd\uc131\ud558\ub294 .pem\ud30c\uc77c\uc774 \uc774\uc804\uc5d0\ub294 dh2048.pem\uc774\uc5c8\ub294\ub370 \ucd5c\uadfc \ubc84\uc804\uc5d0\uc11c\ub294 dh.pem \ud30c\uc77c\ub85c \uc0dd\uc131\ub418\ub294 \ud30c\uc77c \uc774\ub984\uc774 \ubcc0\uacbd\ub418\uc5c8\uc2b5\ub2c8\ub2e4.
(\uc55e\uc11c \uc778\uc99d\uc11c \uc0dd\uc131\ud560\ub54c \ubcf4\uc168\uc744 \uac81\ub2c8\ub2e4.)
dh2040.pem\uc5d0\uc11c 2048\uc744 \uc9c0\uc6b0\uace0 dh dh.pem \uc73c\ub85c \ubcc0\uacbd\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
# Diffie hellman parameters.\n# Generate your own with:\n#   openssl dhparam -out dh2048.pem 2048\ndh dh.pem<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\ub9c8\uc9c0\ub9c9\uc73c\ub85c, user\uc640 group\uc744 \ucc3e\uc2b5\ub2c8\ub2e4.
user\uc640 group \uc55e\uc5d0\uc788\ub294 \uc8fc\uc11d\uc744 \uc81c\uac70\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
# It's a good idea to reduce the OpenVPN\n# daemon's privileges after initialization.\n#\n# You can uncomment this out on\n# non-Windows systems.\nuser nobody\ngroup nogroup<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\uc5ec\uae30\uae4c\uc9c0\ub294 server.conf \ud30c\uc77c\uc758 \uae30\ubcf8 \ubcc0\uacbd \uc124\uc815\uc774\uc5c8\uc73c\uba70 \ub2e4\uc74c\uc740 optional \uc124\uc815\uc785\ub2c8\ub2e4.
\uc800\ub294 \uc544\ub798 \uc124\uba85\ud560 optional \uc124\uc815\ub3c4 \ubaa8\ub450 \ubcc0\uacbd\ud574 \uc92c\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n
(Optional) Push DNS Changes to Redirect All Traffic Through the VPN
VPN\uc73c\ub85c \uc811\uc18d\ud55c Client\uc758 DNS\ub97c \ubcc0\uacbd\ud558\uac8c \ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
# If enabled, this directive will configure\n# all clients to redirect their default\n# network gateway through the VPN, causing\n# all IP traffic such as web browsing and\n# and DNS lookups to go through the VPN\n# (The OpenVPN server machine may need to NAT\n# or bridge the TUN\/TAP interface to the internet\n# in order for this to work properly).\npush \"redirect-gateway def1 bypass-dhcp\"<\/pre>\n\n\n\n
<\/p>\n\n\n\n
push “redirect-gateway def1 bypass-dhcp” \uc55e\uc758 \uc8fc\uc11d\uc744 \uc81c\uac70\ud569\ub2c8\ub2e4.
\uadf8\ub9ac\uace0 \ubc14\ub85c \ubc11\uc5d0\uc788\ub294 dhcp-option \uc635\uc158\ub3c4 \uc8fc\uc11d\uc744 \uc81c\uac70\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
# Certain Windows-specific network settings\n# can be pushed to clients, such as DNS\n# or WINS server addresses.  CAVEAT:\n# http:\/\/openvpn.net\/faq.html#dhcpcaveats\n# The addresses below refer to the public\n# DNS servers provided by opendns.com.\npush \"dhcp-option DNS 168.126.63.1\"\npush \"dhcp-option DNS 168.126.63.2\"<\/pre>\n\n\n\n
<\/p>\n\n\n\n
dhcp-option DNS\uc5d0 opendns.com\uc758 DNS \uc8fc\uc18c\uac00 \uc788\uc5c8\ub294\ub370 \uc800\ub294 KT\uc758 DNS\ub97c \uc0ac\uc6a9\ud588\uc2b5\ub2c8\ub2e4.
\uc774\ub807\uac8c \ud558\uba74 LG\ub098 \ub2e4\ub978 \ud1b5\uc2e0\uc0ac \ud68c\uc120\uc73c\ub85c VPN\uc5d0 \uc811\uc18d\ud558\ub354\ub77c\ub3c4 \ud074\ub77c\uc774\uc5b8\ud2b8\uc758 DNS\ub97c config\uc5d0 \uc124\uc815\ud55c DNS\ub85c \ubcc0\uacbd\ud558\uac8c \ub429\ub2c8\ub2e4.<\/p>\n\n\n\n
(Optional) Adjust the Port and Protocol
openVPN\uc758 \uae30\ubcf8 port\ub294 1194\uc774\uace0 UDP\ub97c \uc0ac\uc6a9\ud569\ub2c8\ub2e4.
\uc774\uac78 Port\ub294 443, \ud504\ub85c\ud1a0\ucf5c\uc740 TCP\ub97c \uc0ac\uc6a9\ud558\ub3c4\ub85d \ubcc0\uacbd\ud558\uaca0\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n
# Which TCP\/UDP port should OpenVPN listen on?\n# If you want to run multiple OpenVPN instances\n# on the same machine, use a different port\n# number for each one.  You will need to\n# open up this port on your firewall.\nport 443\n\n# TCP or UDP server?\nproto tcp\n;proto udp<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\uadf8\ub9ac\uace0 tcp\ub97c \uc0ac\uc6a9\ud558\ub3c4\ub85d \uc218\uc815\ud588\ub2e4\uba74 explicit-exit-notify\ub3c4 \ubcc0\uacbd\ud574 \uc918\uc57c \ud569\ub2c8\ub2e4.
explicit-exit-notify\uc758 \uac12\uc744 0\uc73c\ub85c \ubcc0\uacbd\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
# Notify the client that when the server restarts so it\n# can automatically reconnect.\nexplicit-exit-notify 0<\/pre>\n\n\n\n
<\/p>\n\n\n\n
(Optional) Point to Non-Default Credentials
\ub9cc\uc57d \uc55e\uc11c \uc11c\ubc84 \uc778\uc99d\uc11c\ub97c \ub9cc\ub4e4\ub54c server\uac00 \uc544\ub2cc \ub2e4\ub978 \uc774\ub984\uc73c\ub85c \ub9cc\ub4e4\uc5c8\ub2e4\uba74 .crt\uc640 .key\ud30c\uc77c\uc758 \uc774\ub984\uc744 \ubcc0\uacbd\ud574 \uc918\uc57c \ud569\ub2c8\ub2e4.
\uc800\ub294 server\ub85c \ub9cc\ub4e4\uc5b4 \uc918\uc11c \uae30\ubcf8 \uc124\uc815\uc778 server.crt\uc640 server.key\uac00 \uc815\uc0c1\uc801\uc778\uc9c0\ub9cc \ud655\uc778\ud558\uaca0\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n
# SSL\/TLS root certificate (ca), certificate\n# (cert), and private key (key).  Each client\n# and the server must have their own cert and\n# key file.  The server and all clients will\n# use the same ca file.\n#\n# See the \"easy-rsa\" directory for a series\n# of scripts for generating RSA certificates\n# and private keys.  Remember to use\n# a unique Common Name for the server\n# and each of the client certificates.\n#\n# Any X509 key management system can be used.\n# OpenVPN can also use a PKCS #12 formatted key file\n# (see \"pkcs12\" directive in man page).\nca ca.crt\ncert server.crt\nkey server.key  # This file should be kept secret<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\uc774\uc81c \uc218\uc815\ud574\uc57c \ud560 \uae30\ubcf8 \uc124\uc815\uc740 \ub418\uc5c8\uc2b5\ub2c8\ub2e4.
server.conf \ud30c\uc77c\uc744 \uc800\uc7a5\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
\uc774\ubc88\uc5d0\ub294 openVPN server\uc758 \ub124\ud2b8\uc6cc\ud06c \uc124\uc815\uc744 \ubcc0\uacbd\ud574 \uc918\uc57c \ud569\ub2c8\ub2e4.
\uba3c\uc800 ip forwarding\uc774 \ub418\ub3c4\ub85d \uc124\uc815\ud574\uc57c \ud569\ub2c8\ub2e4.
\/etc\/sysctl.conf \ud30c\uc77c\uc744 \uc5f4\uc5b4\uc11c net.ipv4.ip_forward=1\ub85c \uc218\uc815\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
$ sudo vim \/etc\/sysctl.conf<\/pre>\n\n\n\n
<\/p>\n\n\n\n
net.ipv4.ip_forward\ub97c \ucc3e\uc2b5\ub2c8\ub2e4.
\uc8fc\uc11d\ucc98\ub9ac \ub418\uc5b4 \uc788\ub2e4\uba74 \uc8fc\uc11d\uc744 \ud574\uc81c\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
# Uncomment the next line to enable packet forwarding for IPv4\nnet.ipv4.ip_forward=1<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\uc8fc\uc11d\uc744 \uc81c\uac70\ud588\ub2e4\uba74 sysctl.conf \ud30c\uc77c\uc744 \uc800\uc7a5\ud569\ub2c8\ub2e4.
\uadf8\ub9ac\uace0 \ud604\uc7ac \uc5f4\ub824\uc788\ub294 session\uc5d0\uc11c \ubcc0\uacbd \uc0ac\ud56d\uc744 \uc801\uc6a9\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
$ sudo sysctl -p\nnet.ipv4.ip_forward = 1<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\uc774\ubc88\uc5d0\ub294 \ubc29\ud654\ubcbd(Ubuntu) \uc124\uc815\uc785\ub2c8\ub2e4.
VPN \uc11c\ubc84\ub85c \ub4e4\uc5b4\uc624\ub294 \ubd88\ud544\uc694\ud55c \ud2b8\ub798\ud53d\uc744 \uc81c\uac70\ud558\ub294 \ubaa9\uc801\uc785\ub2c8\ub2e4.
\uba3c\uc800 \ud604\uc7ac \ub124\ud2b8\uc6cc\ud06c\uc758 \uc778\ud130\ud398\uc774\uc2a4 \uc774\ub984\uc744 \ud655\uc778\ud574\uc57c \ud569\ub2c8\ub2e4.
\uc544\ub798 \uba85\ub839\uc73c\ub85c \ud655\uc778\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n
$ ip route | grep default\ndefault via 192.168.0.1 dev enp3s0 proto dhcp metric 100 <\/pre>\n\n\n\n
<\/p>\n\n\n\n
default gateway\uac00 192.168.0.1\ub85c \ub418\uc5b4 \uc788\ub124\uc694. \uc778\ud130\ud398\uc774\uc2a4 \uc774\ub984\uc740 dev \ub2e4\uc74c\uc5d0 \uc788\uc2b5\ub2c8\ub2e4.
enp3s0\uac00 \ub124\ud2b8\uc6cc\ud06c \uc778\ud130\ud398\uc774\uc2a4 \ub124\uc784\uc785\ub2c8\ub2e4.<\/p>\n\n\n\n
\uc774\uc81c ufw(\ubc29\ud654\ubcbd) \uc124\uc815\uc744 \uc5f4\uace0 openVPN\uc5d0\uc11c \uc0ac\uc6a9\ud560 roule\uc744 \ucd94\uac00\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
$ sudo vim \/etc\/ufw\/before.rules<\/pre>\n\n\n\n
<\/p>\n\n\n\n
UFW rule\uc740 \ubcf4\ud1b5 ufw \uba85\ub839\uc744 \uc0ac\uc6a9\ud574 \ucd94\uac00\ud569\ub2c8\ub2e4.
\ucd94\uac00\ub41c \ubc29\ud654\ubcbd(ufw) rule\uc740 before.rules \ud30c\uc77c\uc5d0 \uc800\uc7a5\ub429\ub2c8\ub2e4.
\uc544\ub798\uc640\uac19\uc774 \ucd94\uac00\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
# rules.before\n#\n# Rules that should be run before the ufw command line added rules. Custom\n# rules should be added to one of these chains:\n#   ufw-before-input\n#   ufw-before-output\n#   ufw-before-forward\n#\n# START OPENVPN RULES\n# NAT table rules\n*nat\n:POSTROUTING ACCEPT [0:0]\n# Allow traffic from OpenVPN client to enp3s0\n-A POSTROUTING -s 10.8.0.0\/8 -o enp3s0 -j MASQUERADE\nCOMMIT\n# END OPENVPN RULES\n#<\/pre>\n\n\n\n
<\/p>\n\n\n\n
VPN\uc73c\ub85c \uc811\uc18d\ud588\uc744\ub54c \ud074\ub77c\uc774\uc5b8\ud2b8\uc5d0\uc11c \ubc1b\ub294 ip\ub294 10.8.0.1 \ubd80\ud130 10.10.255.254\uae4c\uc9c0 \uc785\ub2c8\ub2e4.
ip\ub97c \ub2e4\ub974\uac8c \ud574\ubcf4\ub824\uace0 \ud588\ub294\ub370 openVPN\uc758 server.conf \ud30c\uc77c\uc5d0 \ubaa8\ub450 10.8.0.0\uc73c\ub85c \uc124\uc815\ub418\uc5b4 \uc788\uc5b4\uc11c \ubcc0\uacbd\ud558\ub824\uba74 \uc218\uc815\ud560 \ubd80\ubd84\uc774 \ub9ce\uc544\uc9d1\ub2c8\ub2e4.
\uadf8\ub798\uc11c \uadf8\ub0e5 \uc4f0\ub3c4\ub85d \ud558\uaca0\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n
\ucd94\uac00\ub418\ub294 rule\uc740 START OPENVPN RULES \ubd80\ud130 END OPENVPN RULES\uae4c\uc9c0 \ub0b4\uc6a9\uc785\ub2c8\ub2e4.
\ucd94\uac00\ub418\uc5c8\ub2e4\uba74 \uc800\uc7a5\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
UFW\uc5d0\ub3c4 \ucd94\uac00\ud574\uc57c \ud569\ub2c8\ub2e4.
\/etc\/default\/ufw \ud30c\uc77c\uc744 \uc5f4\uace0 DEFAULT_FORWARD_POLICY\ucc3e\uc544 ACCEPT\ub85c \uc218\uc815\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
$ sudo vim \/etc\/default\/ufw<\/pre>\n\n\n\n
<\/p>\n\n\n\n
DEFAULT_FORWARD_POLICY\ub294 DROP\uc774\ub77c\uace0 \ub418\uc5b4 \uc788\ub294 \uac83\uc744 ACCEPT\ub85c \ubcc0\uacbd\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
# Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that\n# if you change this you will most likely want to adjust your rules\nDEFAULT_FORWARD_POLICY=\"ACCEPT\"<\/pre>\n\n\n\n
<\/p>\n\n\n\n
ufw \ud30c\uc77c\uc744 \uc800\uc7a5\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
\uc55e\uc11c openVPN\uc758 port\uc640 \ud504\ub85c\ud1a0\ucf5c\uc744 \ubcc0\uacbd\ud574 \uc92c\uae30 \ub54c\ubb38\uc5d0 \ubc29\ud654\ubcbd(ufw)\uc5d0\ub3c4 \uc801\uc6a9\ud574\uc57c \ud569\ub2c8\ub2e4.
openSSH\ub3c4 \ucd94\uac00\ud574 \uc90d\ub2c8\ub2e4.<\/p>\n\n\n\n
$ sudo ufw allow 443\/tcp\n$ sudo ufw allow OpenSSH<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\ubc29\ud654\ubcbd \uc124\uc815\uc774 \ub2e4 \ub418\uc5c8\ub2e4\uba74 ufw disable enable\uc744 \uc2e4\ud589\ud574 \uc7ac\uc2dc\uc791 \ud574\uc90d\ub2c8\ub2e4.<\/p>\n\n\n\n
$ sudo ufw disable\n$ sudo ufw enable<\/pre>\n\n\n\n
<\/p>\n\n\n\n
sudo ufw enable \uba85\ub839\uc744 \uc2e4\ud589\ud560\ub54c \uc544\ub798\uc640 \uac19\uc740 \uba54\uc2dc\uc9c0\uac00 \ub098\uc654\ub2e4\uba74 y\ub97c \uc785\ub825\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
Command may disrupt existing ssh connections. Proceed with operation (y|n)?<\/p>\n\n\n\n
openVPN server\ub97c \uc2dc\uc791\ud560 \uc900\ube44\ub294 \uac70\uc758 \ub418\uc5c8\uc2b5\ub2c8\ub2e4.
\uc774\uc81c openVPN\uc744 \uc2dc\uc791\ud560 \ucc28\ub840\uc785\ub2c8\ub2e4.
systemctl \uba85\ub839\uc73c\ub85c openVPN\uc744 \uc2dc\uc791\ud569\ub2c8\ub2e4.
openVPN \uc2e4\ud589\uc2dc \uc124\uc815 \ud30c\uc77c\uc740 \/etc\/openvpn\/server.conf \ud30c\uc77c\uc744 \uc0ac\uc6a9\ud558\uae30 \uc704\ud574 @server\ub97c \ucd94\uac00\ud574 \uc2e4\ud589\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
$ sudo systemctl start openvpn@server<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\uba85\ub839\uc744 \uc2e4\ud589\ud558\uba74 \ub9ac\ud134\uac12\uc774 \uc5c6\uc2b5\ub2c8\ub2e4.
systemctl status \uc635\uc158\uc73c\ub85c \ud655\uc778\ud574 \ubd05\ub2c8\ub2e4.<\/p>\n\n\n\n
$ sudo systemctl status openvpn@server<\/pre>\n\n\n\n
<\/p>\n\n\n\n
status \uc635\uc158\uc73c\ub85c \uba85\ub839\uc744 \uc2e4\ud589\ud558\uba74 \uc544\ub798\uc640 \uac19\uc774 \uacb0\uacfc\uac00 \ub098\uc635\ub2c8\ub2e4.<\/p>\n\n\n\n
openvpn@server.service - OpenVPN connection to server\n   Loaded: loaded (\/lib\/systemd\/system\/openvpn@.service; disabled; vendor preset: enabled)\n   Active: active (running) since Thu 2018-08-30 16:08:10 KST; 6min ago\n     Docs: man:openvpn(8)\n           https:\/\/community.openvpn.net\/openvpn\/wiki\/Openvpn24ManPage\n           https:\/\/community.openvpn.net\/openvpn\/wiki\/HOWTO\n Main PID: 11225 (openvpn)\n   Status: \"Initialization Sequence Completed\"\n    Tasks: 1 (limit: 4915)\n   CGroup: \/system.slice\/system-openvpn.slice\/openvpn@server.service\n           \u2514\u250011225 \/usr\/sbin\/openvpn --daemon ovpn-server --status \/run\/openvpn\/server.status 10 --cd \/etc\/openvpn --script-security 2 --config \/etc\/openvpn\/server.conf --writepid \/run\/openvpn\/server.pid\n\n<\/pre>\n\n\n\n
<\/p>\n\n\n\n
openVPN\uc758 tun0 \uc778\ud130\ud398\uc774\uc2a4\ub3c4 \ud655\uc778\ud574 \uc90d\ub2c8\ub2e4.<\/p>\n\n\n\n
$ ip addr show tun0\n3: tun0:  mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100\n    link\/none \n    inet 10.8.0.1 peer 10.8.0.2\/32 scope global tun0\n       valid_lft forever preferred_lft forever\n    inet6 fe80::efXX:abXX:f2XX:a3XX\/XX scope link stable-privacy \n       valid_lft forever preferred_lft forever<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\uc11c\ubc84\uac00 reboot\ub418\uc5b4\ub3c4 \uc790\ub3d9\uc73c\ub85c \uc2dc\uc791\ub418\ub3c4\ub85d \uc124\uc815\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
$ sudo systemctl enable openvpn@server\nCreated symlink \/etc\/systemd\/system\/multi-user.target.wants\/openvpn@server.service \u2192 \/lib\/systemd\/system\/openvpn@.service.<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\uc774\uc81c openVPN\uc774 \ubaa8\ub450 \uc124\uc815\ub418\uc5c8\uace0 \uc2e4\ud589\ub418\uc5c8\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n
\uc5ec\uae30\uc11c \ub05d\uc774 \uc544\ub2d9\ub2c8\ub2e4.
\ucd08\uae30 \uc0ac\uc6a9\uc790\ub85c tongchun\uc744 \ucd94\uac00\ud588\uc5c8\ub294\ub370\uc694.
\uc0ac\uc6a9\uc790\ub97c \ucd94\uac00\ud560\ub54c\ub9c8\ub2e4 \uc778\uc99d\uc11c\ub97c \ub9cc\ub4e4\uc5b4\uc918\uc57c \ud558\uae30 \ub54c\ubb38\uc5d0 \uc0c1\ub2f9\ud788 \ubc88\uac70\ub86d\uc2b5\ub2c8\ub2e4.
\uadf8\ub798\uc11c Client \ucd94\uac00\uc5d0 \uc124\uc815 \uad6c\uc131\uc744 \uc7a1\ub3c4\ub85d \ud558\uaca0\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n
\uba3c\uc800 \ub9cc\ub4e4\uc5c8\ub2e8 clinet-configs \ud3f4\ub354 \uc544\ub798 files\ub77c\uace0 \ud558\uc704 \ud3f4\ub354\ub97c \ub9cc\ub4e4\uc5b4 \uc90d\ub2c8\ub2e4.<\/p>\n\n\n\n
$ mkdir -p ~\/client-configs\/files<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\uadf8\ub9ac\uace0 client configuration \uc0d8\ud50c\ud30c\uc77c\uc744 client-configs \ud3f4\ub354\uc5d0 \ubcf5\uc0ac\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
$ cp \/usr\/share\/doc\/openvpn\/examples\/sample-config-files\/client.conf ~\/client-configs\/base.conf<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\ubcf5\uc0ac\ud55c base.conf \ud30c\uc77c\uc744 \uc5f4\uace0 \uc218\uc815\ud558\uaca0\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n
$ sudo vim ~\/client-configs\/base.conf<\/pre>\n\n\n\n
<\/p>\n\n\n\n
remote\ub97c \ucc3e\uc544 openVPN \uc11c\ubc84\uc758 ip\uc640 port\ub97c \ucd94\uac00\ud569\ub2c8\ub2e4. (ip\ub294 public ip \uc785\ub2c8\ub2e4.)
port\ub3c4 \uae30\ubcf8 \ud3ec\ud2b8\uac00 \uc544\ub2cc 443\uc73c\ub85c \ubcc0\uacbd\ud588\uc73c\ub2c8 443\uc73c\ub85c \uc7a1\uc544\uc90d\ub2c8\ub2e4.<\/p>\n\n\n\n
$ # The hostname\/IP and port of the server.\n# You can have multiple remote entries\n# to load balance between the servers.\nremote 120.130.170.120 443<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\uc774\ubc88\uc5d4 proto\ub97c \ucc3e\uace0 tcp\ub85c \ubcc0\uacbd\ud569\ub2c8\ub2e4.
\uc55e\uc11c udp\uc5d0\uc11c tcp\ub85c \ubcc0\uacbd\ud588\uc2b5\ub2c8\ub2e4.
\uc8fc\uc11d\uc744 \ubcc0\uacbd\ud558\uba74 \ub429\ub2c8\ub2e4.<\/p>\n\n\n\n
# Are we connecting to a TCP or\n# UDP server?  Use the same setting as\n# on the server.\nproto tcp\n;proto udp<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\ub2e4\uc74c\uc73c\ub85c user\uc640 group \uc55e\uc758 \uc8fc\uc11d\uc744 \uc81c\uac70\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
# Downgrade privileges after initialization (non-Windows only)\nuser nobody\ngroup nogroup<\/pre>\n\n\n\n
<\/p>\n\n\n\n
SSL\/TLS parms. Section\uc744 \ucc3e\uc544 ca, cert, key \uc124\uc815\uc744 \ubaa8\ub450 \uc8fc\uc11d \ucc98\ub9ac \ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
# SSL\/TLS parms.\n# See the server config file for more\n# description.  It's best to use\n# a separate .crt\/.key file pair\n# for each client.  A single ca\n# file can be used for all clients.\n#ca ca.crt\n#cert client.crt\n#key client.key<\/pre>\n\n\n\n
<\/p>\n\n\n\n
cipher\uc640 auth\ub97c \ucc3e\uc544 server\uc758 config\uc640 \ub3d9\uc77c\ud558\uac8c \uc218\uc815\ud569\ub2c8\ub2e4.
cipher\ub294 AES-256-CBC \uadf8\ub300\ub85c\uc774\uba70 auth SHA256\uc740 \ucd94\uac00\ud574 \uc90d\ub2c8\ub2e4.<\/p>\n\n\n\n
# Select a cryptographic cipher.\n# If the cipher option is used on the server\n# then you must also specify it here.\n# Note that v2.4 client\/server will automatically\n# negotiate AES-256-GCM in TLS mode.\n# See also the ncp-cipher option in the manpage\ncipher AES-256-CBC\nauth SHA256<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\uc774\ubc88\uc5d0\ub294 key-direction 1 \uc744 \ucd94\uac00\ud574 \uc90d\ub2c8\ub2e4. auth \ubc11\uc5d0 \ucd94\uac00\ud574 \uc8fc\uba74 \ub429\ub2c8\ub2e4.<\/p>\n\n\n\n
key-direction 1<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\ub9c8\uc9c0\ub9c9\uc73c\ub85c \uc544\ub798 \ud56d\ubaa9\uc744 \uc8fc\uc11d\ucc98\ub9ac \ud55c \ucc44 \ucd94\uac00\ud574 \uc90d\ub2c8\ub2e4.
\ucd94\uac00\ub418\ub294 \ud56d\ubaa9\uc740 \ub9ac\ub205\uc2a4 \ud074\ub77c\uc774\uc5b8\ud2b8\uc5d0\uc11c \uc0ac\uc6a9\ud558\ub294 \ud56d\ubaa9\ub4e4\uc785\ub2c8\ub2e4
base.config \ud30c\uc77c \uc81c\uc77c \ub9c8\uc9c0\ub9c9 \uc904\uc5d0 \ucd94\uac00\ud588\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n
# script-security 2\n# up \/etc\/openvpn\/update-resolv-conf\n# down \/etc\/openvpn\/update-resolv-conf<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\uc124\uc815\uc774 \uc644\ub8cc\ub418\uc5c8\ub2e4\uba74 \ud30c\uc77c\uc744 \uc800\uc7a5\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
\uc774\uc81c simple script\ub97c \ub9cc\ub4e4 \ucc28\ub840\uc785\ub2c8\ub2e4.
\uc778\uc99d\uc11c\uc640 key \ud30c\uc77c\ub4e4\uc744 \uad6c\uc131\ud558\uace0 ~\/client-configs\/files \uacbd\ub85c\uc5d0 \uc0dd\uc131\ud558\uac8c \ud574\uc90d\ub2c8\ub2e4.
~\/client-configs \ud3f4\ub354 \uc548\uc560 make_config.sh \ub77c\uace0 \ud30c\uc77c\uc744 \ub9cc\ub4e4\uc5b4 \uc90d\ub2c8\ub2e4.<\/p>\n\n\n\n
$ sudo vim ~\/client-configs\/make_config.sh<\/pre>\n\n\n\n
<\/p>\n\n\n\n
make_config.sh \ud30c\uc77c\uc548\uc5d0 \uc544\ub798\uc640 \uac19\uc774 \ucd94\uac00\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
#!\/bin\/bash\n\n# First argument: Client identifier\n\nKEY_DIR=~\/client-configs\/keys\nOUTPUT_DIR=~\/client-configs\/files\nBASE_CONFIG=~\/client-configs\/base.conf\n\ncat ${BASE_CONFIG} \\\n    <(echo -e '<ca>') \\\n    ${KEY_DIR}\/ca.crt \\\n    <(echo -e '<\/ca>\\n<cert>') \\\n    ${KEY_DIR}\/${1}.crt \\\n    <(echo -e '<\/cert>\\n<key>') \\\n    ${KEY_DIR}\/${1}.key \\\n    <(echo -e '<\/key>\\n<tls-auth>') \\\n    ${KEY_DIR}\/ta.key \\\n    <(echo -e '<\/tls-auth>') \\\n    > ${OUTPUT_DIR}\/${1}.ovpn<\/pre>\n\n\n\n
<\/p>\n\n\n\n
make_config.sh \ud30c\uc77c\uc744 \uc800\uc7a5\ud558\uace0 \uc544\ub798\uc640 \uac19\uc774 \uad8c\ud55c\uc744 \uc90d\ub2c8\ub2e4.<\/p>\n\n\n\n
$ chmod 700 ~\/client-configs\/make_config.sh<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\uc774\uc81c \uc0ac\uc6a9\uc790\ub97c \uad6c\uc131\ud560 \uc124\uc815\uc774 \uc644\ub8cc\ub418\uc5c8\uc2b5\ub2c8\ub2e4.
client-configs \ud3f4\ub354\ub85c \uc774\ub3d9\ud574 tongchun \uacc4\uc815\uc744 openVPN \uacc4\uc815\uc73c\ub85c \ub9cc\ub4e4\uc5b4 \ubcf4\uaca0\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n
$ cd ~\/client-configs\n$ sudo .\/make_config.sh space4u<\/pre>\n\n\n\n
<\/p>\n\n\n\n
make_config.sh <\uc778\uc99d\uc11c\ub97c \ub9cc\ub4e0 \uacc4\uc815>\uc744 \uc2e4\ud589\ud558\uba74
~\/client-configs\/files \uc548\uc5d0 \uacc4\uc815 \uc774\ub984\uc73c\ub85c\ub41c .ovpn \ud30c\uc77c\uc774 \uc0dd\uc131\ub429\ub2c8\ub2e4.<\/p>\n\n\n\n
\uc800\ub294 space4u.ovpn \ud30c\uc77c\uc774 \uc0dd\uc131\ub418\uc5c8\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n
$ ls ~\/client-configs\/files\/\nspace4u.ovpn<\/pre>\n\n\n\n
<\/p>\n\n\n\n
.ovpn \ud30c\uc77c\uc740 client\uc5d0\uc11c vpn \uc811\uc18d\uc2dc \ud544\uc694\ud569\ub2c8\ub2e4.
VPN\uc73c\ub85c \uc811\uc18d\ud558\ub824\ub294 \ub85c\uceec \ucef4\ud4e8\ud130\ub098 \ubaa8\ubc14\uc77c \ub514\ubc14\uc774\uc2a4\uc5d0\uc11c \ud544\uc694\ud569\ub2c8\ub2e4.
.ovpn \ud30c\uc77c\uc740 \uc554\ud638\ud654\ub41c sftp\ub098 scp\ub97c \uc774\uc6a9\ud574 \uc804\ub2ec\ub418\uc5b4\uc57c \ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
[\ucd94\uac00]
Windows\ub97c \uc81c\uc678\ud55c OS\uc5d0\uc11c VPN \uc5f0\uacb0\uc744 \ud558\ub824\uba74 ta.key \ud30c\uc77c\ub3c4 \ud544\uc694\ud569\ub2c8\ub2e4.
ta.key \ud30c\uc77c\ub3c4 client-configs\/files\/ \ub85c \ubcf5\uc0ac\ud558\uace0 \uad8c\ud55c\uc744 \ubcc0\uacbd\ud574 \uc90d\ub2c8\ub2e4.<\/p>\n\n\n\n
$ sudo cp ~\/client-configs\/keys\/ta.key ~\/client-configs\/files\/\n$ sudo chmod 644 ta.key <\/pre>\n\n\n\n
<\/p>\n\n\n\n
\ub9c8\uc9c0\ub9c9\uc73c\ub85c \uc678\ubd80\uc5d0\uc11c \ub0b4\ubd80 openVPN server\ub85c \uc811\uc18d\ud560 \uc218 \uc788\ub3c4\ub85d \uacf5\uc720\uae30\uc758 port forwarding \uc124\uc815\uc744 \ud569\ub2c8\ub2e4.<\/p>\n","protected":false},"excerpt":{"rendered":"
openVPN \uc124\uce58<\/p>\n
\ub354 \uc77d\uae30openVPN \uc124\uce58 (on Ubuntu 18.04)<\/span> <\/i><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,4],"tags":[216,218,217,219],"aioseo_notices":[],"_links":{"self":[{"href":"http:\/\/www.space4u.co.kr\/wp\/index.php?rest_route=\/wp\/v2\/posts\/285"}],"collection":[{"href":"http:\/\/www.space4u.co.kr\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.space4u.co.kr\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.space4u.co.kr\/wp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.space4u.co.kr\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=285"}],"version-history":[{"count":1,"href":"http:\/\/www.space4u.co.kr\/wp\/index.php?rest_route=\/wp\/v2\/posts\/285\/revisions"}],"predecessor-version":[{"id":286,"href":"http:\/\/www.space4u.co.kr\/wp\/index.php?rest_route=\/wp\/v2\/posts\/285\/revisions\/286"}],"wp:attachment":[{"href":"http:\/\/www.space4u.co.kr\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=285"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.space4u.co.kr\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=285"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.space4u.co.kr\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=285"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}