main-r, site1-r, site2-r

intsrv

# Presumably run on intsrv (the label above these commands), which holds
# /ca/certs: copy each router's certificate files and the CA chain into that
# router's /etc/openvpn.
# NOTE(review): "[email protected]" is an e-mail-obfuscation artifact of the page;
# the real scp target (user@router-address) is not recoverable from here.
# NOTE(review): the main*/site1*/site2* globs copy every matching file. The
# configs further down load main.key / site1.key / site2.key, so the private
# keys presumably travel with the certificates. Check that each glob matches
# only that router's .crt and .key, and make the key root-owned with mode 600
# on the destination.
#mainr
scp /ca/certs/main* [email protected]:/etc/openvpn
scp /etc/ssl/chain.crt [email protected]:/etc/openvpn

#site1r
scp /ca/certs/site1* [email protected]:/etc/openvpn
scp /etc/ssl/chain.crt [email protected]:/etc/openvpn

#site2r
scp /ca/certs/site2* [email protected]:/etc/openvpn 
scp /etc/ssl/chain.crt [email protected]:/etc/openvpn

main-r

# Start from the packaged sample server config and work inside /etc/openvpn.
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn
cd /etc/openvpn

# Generate the tls-crypt-v2 server key, then a client key wrapped with it.
# server.key should stay on this host; only client.key is handed out.
# NOTE(review): a single client.key is generated here, and both site1-r and
# site2-r later fetch that same file. tls-crypt-v2 is designed around one
# client key per client; generating one per site (for example
# client-site1.key and client-site2.key, names illustrative) lets one site's
# key be replaced without touching the other.
openvpn --genkey tls-crypt-v2-server server.key
openvpn --tls-crypt-v2 server.key --genkey tls-crypt-v2-client client.key

# Directory for per-client files; server.conf points at it with
# client-config-dir.
mkdir ccd

# One file per client in ccd/. Each iroute tells the server which LAN sits
# behind that client; server.conf carries the matching "route" line.
# NOTE(review): OpenVPN selects the ccd file by the client certificate's
# Common Name, and file names are case-sensitive on Linux. The certificate
# files are named site1*/site2* in lower case, so confirm the CNs really are
# SITE1-R and SITE2-R; a mismatch means the iroute is silently not applied.
vi /etc/openvpn/ccd/SITE1-R
### vi ###
iroute 192.168.0.0 255.255.255.0
### vi ###

vi /etc/openvpn/ccd/SITE2-R
### vi ###
iroute 172.16.0.0 255.255.255.0
### vi ###

vi /etc/openvpn/server.conf
### vi ###
# CA chain plus this server's own certificate and private key (presumably the
# files copied into /etc/openvpn by the scp steps earlier in these notes).
ca chain.crt
cert main.crt
key main.key
# No finite-field DH parameters file; the TLS key exchange is then ECDH only.
dh none
topology subnet
# NOTE(review): the "**" before "server" and after the last "route" line are
# emphasis markers from these notes, not OpenVPN syntax; leave them out of the
# real server.conf.
# Tunnel address pool, routes pushed to the clients, and routes on this host
# for the two site LANs (each "route" pairs with an "iroute" in ccd/).
**server 10.255.255.0 255.255.255.0
push "route 10.0.0.0 255.255.254.0"
push "route 10.0.255.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
push "route 172.16.0.0 255.255.255.0"
route 192.168.0.0 255.255.255.0
route 172.16.0.0 255.255.255.0**
# Per-client files (the iroute entries) are read from ./ccd.
client-config-dir ccd
# Control channel is protected with the tls-crypt-v2 server key generated
# earlier; this takes the place of the sample's tls-auth/ta.key line.
tls-crypt-v2 server.key
cipher AES-256-GCM
tls-server
# NOTE(review): log and log-append name the same file, so only one is needed.
# log truncates the file at each start while log-append keeps earlier entries;
# keeping history is usually what you want when reviewing failed or unexpected
# connections later. Which of the two takes effect when both are set should be
# confirmed on the installed version.
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
# Find the ta.key line and comment it out
### vi ###

# Start the service at boot and restart it now so the edited config is loaded.
systemctl enable openvpn
systemctl restart openvpn

site1-r

# Start from the packaged sample client config and fetch the tls-crypt-v2
# client key from main-r (100.0.0.1 is also the "remote" address below).
# NOTE(review): site2-r fetches this same client.key; tls-crypt-v2 is designed
# around one client key per client. Keep the copied key root-owned, mode 600.
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn
scp 100.0.0.1:/etc/openvpn/client.key /etc/openvpn

vi /etc/openvpn/client.conf

### vi ###
remote 100.0.0.1 1194
# CA chain plus this site's own certificate and private key.
ca chain.crt
cert site1.crt
key site1.key

# NOTE(review): remote-cert-tls server is commented out here. Without it the
# client does not require the serverAuth extended key usage on the peer
# certificate, so any certificate that chains to chain.crt (another site's
# client certificate included) can be accepted as the server. Re-enable it once
# main.crt is issued with the serverAuth EKU, or pin the server's name with
# verify-x509-name.
;remote-cert-tls server
# tls-auth/ta.key stays disabled: tls-crypt-v2 below takes its place.
;tls-auth ta.key 1

tls-crypt-v2 client.key
cipher AES-256-GCM
### vi ###

# Start the service at boot and restart it now so the edited config is loaded.
systemctl enable openvpn
systemctl restart openvpn

site2-r

# Start from the packaged sample client config and fetch the tls-crypt-v2
# client key from main-r (100.0.0.1 is also the "remote" address below).
# NOTE(review): site1-r fetches this same client.key; tls-crypt-v2 is designed
# around one client key per client. Keep the copied key root-owned, mode 600.
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn
scp 100.0.0.1:/etc/openvpn/client.key /etc/openvpn

vi /etc/openvpn/client.conf

### vi ###
remote 100.0.0.1 1194
# CA chain plus this site's own certificate and private key.
ca chain.crt
cert site2.crt
key site2.key
# NOTE(review): remote-cert-tls server is commented out here. Without it the
# client does not require the serverAuth extended key usage on the peer
# certificate, so any certificate that chains to chain.crt (another site's
# client certificate included) can be accepted as the server. Re-enable it once
# main.crt is issued with the serverAuth EKU, or pin the server's name with
# verify-x509-name.
;remote-cert-tls server
# tls-auth/ta.key stays disabled: tls-crypt-v2 below takes its place.
;tls-auth ta.key 1
tls-crypt-v2 client.key
cipher AES-256-GCM
### vi ###

# Start the service at boot and restart it now so the edited config is loaded.
systemctl enable openvpn
systemctl restart openvpn