Package

# Install the OpenVPN package non-interactively (--yes is the long form of -y).
apt install --yes openvpn

CA 구성

6. 인증 기관

INTSRV

# INTSRV (the CA host): hand each router its own cert+key pair plus the shared
# CA chain. Destinations, in order: MAIN-R (main.*), SITE1-R (site1.*),
# SITE2-R (site2.*). Each pair is pushed with two scp calls, as before.
for target in 10.0.0.254:main 100.0.0.5:site1 100.0.0.9:site2; do
  router=${target%%:*}
  certname=${target#*:}
  scp /ca/certs/"$certname"* "$router":/etc/openvpn
  scp /etc/ssl/chain.crt "$router":/etc/openvpn
done

MAIN-R

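# MAIN-R (hub). Everything below must land in /etc/openvpn, so abort if the cd
# fails instead of generating keys and ccd/ in whatever the current directory is.
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn
cd /etc/openvpn || exit 1

# tls-crypt-v2: first the server key, then one client key wrapped with it.
openvpn --genkey tls-crypt-v2-server server.key
openvpn --tls-crypt-v2 server.key --genkey tls-crypt-v2-client client.key
# Both files are secrets; pin owner-only permissions regardless of the umask.
chmod 600 server.key client.key
# NOTE(review): tls-crypt-v2 is designed to give each client its own key, but
# this single client.key is later copied to both SITE1-R and SITE2-R. One
# --genkey per site would keep the keys individually replaceable.

# Per-client config dir: OpenVPN looks the file up by the client cert's CN, and
# "iroute" tells the server which LAN sits behind that client.
mkdir -p ccd
echo "iroute 192.168.0.0 255.255.255.0" > ccd/SITE1-R
echo "iroute 172.16.0.0 255.255.255.0" > ccd/SITE2-R

vi server.conf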

### vi ###
# Only the lines changed in the sample server.conf are listed here.
# Trust: chain.crt verifies the site certs; main.* is this hub's own identity.
ca chain.crt
cert main.crt
key main.key

# No DH parameter file: key exchange is ECDH only.
dh none
# One shared /24 for all clients instead of point-to-point /30 pairs.
topology subnet

# Tunnel address pool (the hub takes the first address).
server 10.255.255.0 255.255.255.0

# Routes handed to every client: hub-side networks plus each site's LAN,
# so the two sites can reach each other through the hub.
push "route 10.0.0.0 255.255.254.0"
push "route 10.0.255.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
push "route 172.16.0.0 255.255.255.0"

# Kernel routes on the hub itself pointing the site LANs into the tunnel;
# the per-client "iroute" files under ccd/ decide which client owns each.
route 192.168.0.0 255.255.255.0
route 172.16.0.0 255.255.255.0

client-config-dir ccd
#tls-auth ta.key 0
# tls-crypt-v2 replaces tls-auth: the control channel is encrypted as well as
# authenticated, with client keys wrapped by server.key.
tls-crypt-v2 server.key

# NOTE(review): OpenVPN 2.5+ negotiates the data cipher via "data-ciphers" and
# treats a bare "cipher" as legacy — confirm the installed version before
# relying on this line alone.
cipher AES-256-GCM

tls-server

# NOTE(review): "log" and "log-append" name the same file; "log" truncates it at
# start-up, so keeping both is redundant — keep only "log-append" if history
# across restarts is wanted, otherwise only "log".
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
### vi ###

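# Start the hub on boot and now, then confirm something is bound to port 1194.
systemctl enable openvpn
systemctl restart openvpn
# Match the exact source port rather than any line that happens to contain
# the digits 1194 (e.g. an unrelated 11940 listener or an address octet).
ss -nl 'sport = :1194'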

SITE1-R

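# SITE1-R (spoke). Abort if the cd fails so the key is not fetched elsewhere.
cd /etc/openvpn || exit 1
# Start from the sample *client* config: the lines edited below belong in
# client.conf, and a copied sample server.conf is not the base for them (and
# may itself be picked up by the openvpn service — confirm the unit's behaviour).
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn
# The tls-crypt-v2 client key generated on the hub (MAIN-R).
scp 100.0.0.1:/etc/openvpn/client.key /etc/openvpn
chmod 600 client.key

vi client.conf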

### vi ###
# Only the lines changed in the sample config are listed here.
# Hub's public address and port (MAIN-R).
remote 100.0.0.1 1194

# Trust: chain.crt verifies the hub's cert; site1.* is this router's identity.
ca chain.crt
cert site1.crt
key site1.key

#tls-auth ta.key 1
# Client side of tls-crypt-v2; client.key was wrapped by the hub's server.key.
tls-crypt-v2 client.key

cipher AES-256-GCM
# NOTE(review): confirm the rest of the file keeps "client" (tls-client + pull)
# and "remote-cert-tls server", so a peer presenting another site's certificate
# from the same CA cannot be accepted as the hub.
### vi ###

# Enable on boot, (re)start now, then check that the pushed routes arrived.
for action in enable restart; do
  systemctl "$action" openvpn
done
ip -4 route show

SITE2-R

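# SITE2-R (spoke). Abort if the cd fails so the key is not fetched elsewhere.
cd /etc/openvpn || exit 1
# Start from the sample *client* config: the lines edited below belong in
# client.conf, and a copied sample server.conf is not the base for them (and
# may itself be picked up by the openvpn service — confirm the unit's behaviour).
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn
# The tls-crypt-v2 client key generated on the hub (MAIN-R).
scp 100.0.0.1:/etc/openvpn/client.key /etc/openvpn
chmod 600 client.key

vi client.conf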

### vi ###
# Only the lines changed in the sample config are listed here.
# Hub's public address and port (MAIN-R).
remote 100.0.0.1 1194

# Trust: chain.crt verifies the hub's cert; site2.* is this router's identity.
ca chain.crt
cert site2.crt
key site2.key

#tls-auth ta.key 1
# Client side of tls-crypt-v2; client.key was wrapped by the hub's server.key.
tls-crypt-v2 client.key

cipher AES-256-GCM
# NOTE(review): confirm the rest of the file keeps "client" (tls-client + pull)
# and "remote-cert-tls server", so a peer presenting another site's certificate
# from the same CA cannot be accepted as the hub.
### vi ###

# Enable on boot, (re)start now, then check that the pushed routes arrived.
for action in enable restart; do
  systemctl "$action" openvpn
done
ip -4 route show