OpenVPN

1.1. Introduction


This article describes how to install, configure and operate OpenVPN (http://www.openvpn.net), a program that lets you build a VPN (Virtual Private Network) easily on Linux or Windows.

At first I intended to translate the HOWTO on the OpenVPN site, but between the burden of the English and the fact that the original HOWTO itself is not very clean, I decided to write a new one from scratch. Whether it will turn out cleaner than the original HOWTO, I don't know...

1.2. What is a VPN

You have probably heard a lot about VPNs. Why are they needed? The issue is security. Suppose the company I work for has important servers.

Inside the company these servers are reachable and can be kept reasonably secure, but there are times when we go on a business trip and need to connect to our company's servers from a hotel or similar.

First of all, this requires opening the company servers to connections from outside, which is a problem in itself (they become a target for attackers).


Moreover, when I connect to the company server from a hotel, the hotel's network administrator or any other user on the hotel network can, if they choose to, see which server I am connecting to and the information I read and send.

To prevent this we access the shell with something like ssh, or connect to the web server over ssl.


But if the service we want to use is Samba or the company's DBMS, simply encrypting one protocol does not solve the problem easily, and the configuration becomes quite complicated.


What we need is point-to-point encryption, that is, encryption of every packet exchanged between my computer and the company server, and for that we need a VPN.

To emphasize again: a VPN does not encrypt and forward a single port the way an ssh or ssl tunnel does; it encrypts entire packets before communicating with the server.

1.3. OpenVPN

Among these, OpenVPN, which Yoon Seok-chan introduced, was the most popular. For more details, see the discussion on SlashDot.

1.3.1. How it works, briefly


I am not an expert in this area either, but based on a few days of reading I will try to explain the basic operating principle. The VPN encrypts and decrypts every packet between server and client with a symmetric key.

For security it matters that this symmetric key is shared safely between client and server and, if possible, changed frequently; that requires a secure communication channel between server and client.

For this, a secure channel is first established with public-key cryptography, and the symmetric key is then shared over it.

This key is used to encrypt the packets; by default OpenVPN uses the Blowfish cipher, which so far has no known flaws.

So the server and each client must each have their own key. But how can they trust each other's keys?

The answer is a CA: the keys are generated in one place and then copied to the server and the clients. More details follow in the section on generating keys.

(I am not an expert in this area, so if anything here is wrong, please fix it directly or let me know.)

1.4. Server

Now let's look at how to install and configure the server.

1.4.1. Installation


The installation files can be downloaded from http://openvpn.net/download.html. Since these are important files, it also helps to verify their signatures as described at http://openvpn.net/sig.html.

The OpenVPN program serves as both server and client. Here the example is a server installed on Linux and a client installed on Windows.

For the server, first download the Linux source tarball. It could also be downloaded and installed via RPM or YUM, but here we compile from source.

Briefly:
    tar xfz openvpn-[version].tar.gz
    cd openvpn-[version]
    ./configure --prefix=/usr/local/openvpn
    make
    make install

This produces an executable named openvpn in /usr/local/openvpn/sbin.

1.4.2. Generating keys


First we must generate keys for the VPN server and clients. We need a CA (Certificate Authority) key, a server key and client keys, plus Diffie-Hellman parameters.

OpenVPN provides scripts for key generation, so the keys are very easy to make.

Go to the directory where you unpacked the source; you will find an easy-rsa directory there. If you installed via rpm or yum, look in a directory such as /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn-2.0.

The original HOWTO recommends copying these files to a location such as /etc/openvpn so that they are preserved across updates.

First open the file named vars and edit the variables at the very bottom. In my case I set them as follows.

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY=US
export KEY_PROVINCE=MA
export KEY_CITY=Cambridge
export KEY_ORG="OpenVPN-Server"
export KEY_EMAIL="hunkim@gmail.com"

Run ". vars" so that the basic variables for key generation are set.

Then run ./clean-all (which deletes any existing keys) followed by ./build-ca. This generates ca.crt and ca.key. From now on every key that is created goes into the keys directory under the current directory.

Now that the CA key exists, create the key for the server.

./build-key-server server

When asked for the Common Name, enter 'server'. Then answer yes to the following two questions.
  • Sign the certificate? y/n
  • 1 out of 1 certificate requests certified, commit? y/n

This creates server.crt and server.key for the server. The server also needs Diffie-Hellman parameters; simply run build-dh.
    # ./build-dh
    Generating DH parameters, 1024 bit long safe prime, generator 2
    This is going to take a long time
    .................+...........................................
    ...................+.............+.................+.........
    ......................................

With this, all the keys the server needs have been generated.

The keys used by the clients also have to be generated, and this is done on the server (or on whichever machine holds ca.key). Each client needs its own, distinct client key.


So with 100 clients you would run the key generation 100 times. Here we make just one client key, for hunkim. (Additional or stand-alone authentication through Linux accounts is explained below.)

./build-key hunkim

As with the server, enter hunkim for the Common Name. Each client must be given a different Common Name.

Then answer yes to the following two questions.
  • Sign the certificate? [y/n]
  • 1 out of 1 certificate requests certified, commit? [y/n]

The client key we made (hunkim.crt, hunkim.key) together with ca.crt must be copied to each client by a secure method, for example on a floppy disk or via sftp.

Copying them by e-mail or ftp is not a good idea.

Now all the keys we need have been created. Let's review them (the table is taken from the OpenVPN HOWTO).

Filename     Needed By                 Purpose                    Secret
ca.crt       server + all clients      Root CA certificate        NO
ca.key       key signing machine only  Root CA key                YES
dh{n}.pem    server only               Diffie Hellman parameters  NO
server.crt   server only               Server Certificate         NO
server.key   server only               Server Key                 YES
hunkim.crt   hunkim only               hunkim Certificate         NO
hunkim.key   hunkim only               hunkim Key                 YES

Keep the keys marked Secret = YES safe. Otherwise a man-in-the-middle attack that eavesdrops on packets between the VPN server and client becomes possible.

1.4.3. Configuration

Before configuring the server there are a few decisions to make. When a VPN connection is established between server and client, both are assigned new addresses for the VPN.

You must choose this address range; just make sure it does not collide with the company's internal network.

Using 10.8.0.0/255.255.255.0 is recommended.

The second decision is whether to use TCP or UDP; UDP works well in most environments.

<!> Note that if the server uses UDP, the client must be configured to use UDP as well.

The last decision is whether to use routed or bridged mode. For a simple setup, routed mode is recommended.

OpenVPN uses a single configuration file. In the source directory, or in /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn-2.0, you will find an example server configuration file named server.conf.

If you want 10.8.0.0, UDP and routed mode, the example file can be used mostly as-is.

The one thing that needs changing is the part that specifies the keys; point it at the keys you generated.

For the server.conf below, the keys/* files must be in the same directory as server.conf.
# server.conf
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca keys/ca.crt
cert keys/server.crt 
key keys/server.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh keys/dh1024.pem

One last important point: if the OpenVPN server sits behind a firewall, UDP port 1194 must be opened, or clients will not be able to reach the OpenVPN server.

1.4.4. Running


Running the server is very simple: run openvpn and give it the location of the server.conf file. It then prints the log to the screen (the log can also be sent to a file of your choice).
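The key table above marks ca.key, server.key and the client .key files as secret, and the server.conf just shown refers to its keys relative to the directory the config lives in. The following Python script is an added example (not part of the original article and not OpenVPN's own code) that checks both points for a server.conf: every ca/cert/key/dh path resolves to an existing file next to the config, and the secret key file is not readable by group or others. The config fragment embedded in it is the one from this section; demo() builds it in a temporary directory with constructed dummy key files, first in a broken state and then fixed.

```python
import os
import stat
import tempfile

# Path-carrying directives and whether the file is secret (as in the
# "Secret" column of the key table above).
FILE_DIRECTIVES = {"ca": False, "cert": False, "key": True, "dh": False}

# The server.conf fragment from this section, embedded for the demo.
SAMPLE_CONF = """# server.conf
ca keys/ca.crt
cert keys/server.crt
key keys/server.key  # This file should be kept secret

# Diffie hellman parameters.
dh keys/dh1024.pem
"""


def parse_file_directives(conf_text):
    """Return {directive: path} for ca/cert/key/dh, skipping '#' and ';'
    comment lines and trailing '#' comments, and stripping quotes."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if parts[0] in FILE_DIRECTIVES and len(parts) >= 2:
            found[parts[0]] = parts[1].strip('"')
    return found


def check_config(conf_path):
    """Return a list of problems (empty when all checks pass).

    Paths are resolved relative to the config's own directory, which is
    what the article requires for the keys/* files."""
    conf_dir = os.path.dirname(os.path.abspath(conf_path))
    with open(conf_path) as f:
        directives = parse_file_directives(f.read())
    problems = []
    for name, secret in FILE_DIRECTIVES.items():
        if name not in directives:
            problems.append(f"{name}: directive missing from config")
            continue
        path = os.path.join(conf_dir, directives[name])
        if not os.path.isfile(path):
            problems.append(f"{name}: file not found: {path}")
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if secret and mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{name}: {path} readable by group/others (mode {mode:o})")
    return problems


def demo():
    """Build the sample layout in a temp dir with constructed dummy files:
    first with a world-readable server.key and no dh1024.pem, then fixed.
    Returns (problems_before, problems_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = os.path.join(tmp, "server.conf")
        keys = os.path.join(tmp, "keys")
        os.mkdir(keys)
        with open(conf, "w") as f:
            f.write(SAMPLE_CONF)
        for name in ("ca.crt", "server.crt", "server.key"):
            with open(os.path.join(keys, name), "w") as f:
                f.write("dummy\n")  # constructed placeholder, not a real key
        os.chmod(os.path.join(keys, "server.key"), 0o644)
        before = check_config(conf)
        # Fix: restrict the secret key and provide the (here: fake) DH params.
        os.chmod(os.path.join(keys, "server.key"), 0o600)
        with open(os.path.join(keys, "dh1024.pem"), "w") as f:
            f.write("dummy\n")
        after = check_config(conf)
    return before, after


if __name__ == "__main__":
    for label, problems in zip(("before", "after"), demo()):
        print(label, problems or "OK")
```

Run it against a real server.conf with check_config("/etc/openvpn/server.conf"); the mode check is what catches a server.key copied around with default 644 permissions.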

# /sbin/openvpn server.conf 

Wed Dec 27 04:06:51 2006 OpenVPN 2.0.9 i686-intel-linux [SSL] [LZO] [EPOLL] built on Dec 26 2006
Wed Dec 27 04:06:51 2006 Diffie-Hellman initialized with 1024 bit key
Wed Dec 27 04:06:51 2006 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Dec 27 04:06:51 2006 TUN/TAP device tun0 opened
Wed Dec 27 04:06:51 2006 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Wed Dec 27 04:06:51 2006 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Wed Dec 27 04:06:51 2006 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Dec 27 04:06:51 2006 UDPv4 link local (bound): [undef]:1194
Wed Dec 27 04:06:51 2006 UDPv4 link remote: [undef]
Wed Dec 27 04:06:51 2006 MULTI: multi_init called, r=256 v=256
Wed Dec 27 04:06:51 2006 IFCONFIG POOL: base=10.8.0.4 size=62
Wed Dec 27 04:06:51 2006 IFCONFIG POOL LIST
Wed Dec 27 04:06:51 2006 hunkim,10.8.0.4
Wed Dec 27 04:06:51 2006 Initialization Sequence Completed


To keep OpenVPN running permanently as a server it has to be added to an rc script or similar; the original HOWTO or your Linux distribution's documentation has the details.

1.5. Client

Now that the server is done, let's install a client and check that the server works. The client is assumed to run on Windows. (On Linux and other systems the installation and execution are similar.)

1.5.1. Installation


First download the program needed for the client. I recommend OpenVPN GUI for Windows (http://openvpn.se/).

This package installs the latest OpenVPN and the GUI together in one go, which is convenient.

Download the Installation Package (Both 32-bit and 64-bit TAP driver included) and run the installer. The defaults are fine for most of it.

During installation the TAP-Win32 Adapter is installed automatically, as shown below. The driver is not signed by M$, but click "Continue" to install it anyway.

[Image: openvpn1.png (PNG, 57.81 KB)]

Once the installation completes, OpenVPN GUI starts automatically and an OpenVPN GUI icon appears in the Windows tray.

[Image: openvpn2.png (PNG, 2.76 KB)]

1.5.2. Copying the keys


Now copy the client keys generated during the server setup (ca.crt, hunkim.key, hunkim.crt) to a suitable location.

Again, take special care when fetching these keys from the server (use sftp, PGP mail or the like).

In my case I copied the keys to C:\Program Files\OpenVPN\config.

Connecting without key files is explained separately below.

1.5.3. Configuration


The client also needs one configuration file (on Windows a .ovpn file); example files are provided in C:\Program Files\OpenVPN\sample-config.

Copy client.ovpn from there to the config directory (C:\Program Files\OpenVPN\config), which is the default directory the Windows OpenVPN GUI uses.

Then right-click the OpenVPN GUI icon in the tray; a menu appears, and choosing Edit Config opens our old friend Notepad so you can edit the configuration file.

[Image: openvpn3.png (PNG, 5.1 KB)]

First specify the OpenVPN server.

...
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote vpn.mit.edu 1194
...

If the server was configured for UDP and routed mode, only the key entries remain to be edited.

On Windows, give the full path to the keys from the root directory.

...
# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\hunkim.crt"
key "C:\\Program Files\\OpenVPN\\config\\hunkim.key"
...

Also, if the server uses tun the client must use tun, and if the server uses TCP the client must use TCP.
# Use the same setting as you are using on the server. On most systems, the
# VPN will not function unless you partially or fully disable the firewall
# for the TUN/TAP interface.
;dev tap
dev tun
....
# Are we connecting to a TCP or UDP server?  Use the same setting as
# on the server.
;proto udp
proto tcp
...
That completes the client configuration.

1.5.4. Connecting to the server

Now use Connect from the OpenVPN tray menu to connect to the server. A Status window shows the connection progress.

The tray icon is yellow while connecting and turns green once connected; when not connected it is red.

If the connection fails or there is a problem, View Log in the OpenVPN icon menu lets you look into it. For reference, a wrong key path produces a message like the following.

Tue Dec 26 15:32:45 2006 Cannot load CA certificate file C:\Program Files\OpenVPN\config\ca.crt (SSL_CTX_load_verify_locations): 
  error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file: 
  error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
Tue Dec 26 15:32:45 2006 Exiting
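The server startup log in section 1.4.4 and the client failure log just above are the two things this article says to look at when a connection does not come up. The following Python script is an added example (not part of the original article and not OpenVPN's own code) that classifies such log lines: it reports whether "Initialization Sequence Completed" was reached, which address the server bound, which common names received which pool address, and which CA file could not be loaded. The sample logs it runs on are the lines from this article, embedded as strings.

```python
import re

# Timestamp prefix OpenVPN 2.0 writes on every log line, e.g.
# "Wed Dec 27 04:06:51 2006 ".
TS = r"(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "

# Line shapes worth reacting to, tried in order.
PATTERNS = [
    ("ready", re.compile(TS + r"Initialization Sequence Completed$")),
    ("exit", re.compile(TS + r"Exiting$")),
    ("bad_ca", re.compile(TS + r"Cannot load CA certificate file (?P<path>.+?) \(")),
    ("listen", re.compile(TS + r"UDPv4 link local \(bound\): (?P<addr>\S+)$")),
    # "IFCONFIG POOL LIST" entries: common name, comma, assigned address.
    ("pool", re.compile(TS + r"(?P<cn>[\w.-]+),(?P<ip>\d+\.\d+\.\d+\.\d+)$")),
]


def parse_line(line):
    """Return a dict with 'kind' plus the named groups, or None if the line
    is not one we classify (continuation lines carry no timestamp)."""
    line = line.strip()
    for kind, rx in PATTERNS:
        m = rx.match(line)
        if m:
            event = m.groupdict()
            event["kind"] = kind
            return event
    return None


def summarize(lines):
    """Fold a log into: status (ready/failed/unknown), the bound address,
    the pool assignments {common_name: ip}, and CA load errors."""
    summary = {"status": "unknown", "listen": None, "pool": {}, "errors": []}
    for event in filter(None, map(parse_line, lines)):
        kind = event["kind"]
        if kind == "ready":
            summary["status"] = "ready"
        elif kind == "exit" and summary["status"] != "ready":
            summary["status"] = "failed"
        elif kind == "bad_ca":
            summary["errors"].append(event["path"])
        elif kind == "listen":
            summary["listen"] = event["addr"]
        elif kind == "pool":
            summary["pool"][event["cn"]] = event["ip"]
    return summary


# Server startup log from section 1.4.4 of this article.
SERVER_LOG = """\
Wed Dec 27 04:06:51 2006 OpenVPN 2.0.9 i686-intel-linux [SSL] [LZO] [EPOLL] built on Dec 26 2006
Wed Dec 27 04:06:51 2006 Diffie-Hellman initialized with 1024 bit key
Wed Dec 27 04:06:51 2006 TUN/TAP device tun0 opened
Wed Dec 27 04:06:51 2006 UDPv4 link local (bound): [undef]:1194
Wed Dec 27 04:06:51 2006 UDPv4 link remote: [undef]
Wed Dec 27 04:06:51 2006 MULTI: multi_init called, r=256 v=256
Wed Dec 27 04:06:51 2006 IFCONFIG POOL: base=10.8.0.4 size=62
Wed Dec 27 04:06:51 2006 IFCONFIG POOL LIST
Wed Dec 27 04:06:51 2006 hunkim,10.8.0.4
Wed Dec 27 04:06:51 2006 Initialization Sequence Completed
""".splitlines()

# Client log with a wrong ca path, from the paragraph above (raw string:
# the Windows backslashes are literal).
CLIENT_FAIL_LOG = r"""
Tue Dec 26 15:32:45 2006 Cannot load CA certificate file C:\Program Files\OpenVPN\config\ca.crt (SSL_CTX_load_verify_locations):
  error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file:
  error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
Tue Dec 26 15:32:45 2006 Exiting
""".splitlines()

if __name__ == "__main__":
    print(summarize(SERVER_LOG))
    print(summarize(CLIENT_FAIL_LOG))
```

Feed it the output of View Log or the server's console output with summarize(open(path).readlines()); a status of "failed" together with a non-empty errors list points straight at the key path that needs fixing.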

On a successful connection the OpenVPN GUI icon turns green and a message reports that a 10.8.0.x address has been assigned.

[Image: openvpn4.png (PNG, 7.86 KB)]

Now let's confirm the connection in other ways. First look at the server's log messages.

Then ping the server from the client. The server's IP is 10.8.0.1.

(On Windows I used the cygwin shell.)
$ ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1): 56 data bytes
64 bytes from 10.8.0.1: icmp_seq=0 ttl=64 time=260 ms
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=216 ms

----10.8.0.1 PING Statistics----
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip (ms)  min/avg/max/med = 216/238/260/238

Conversely, pinging the client from the server should also get a response.
server $ ping 10.8.0.6
PING 10.8.0.1 (10.8.0.6): 56 data bytes
...

If the pings succeed, then from now on connecting to the server at 10.8.0.1 delivers every packet to the server securely.

1.6. Additional configuration


With the basic setup above the VPN is connected. This section covers additional configuration.

1.6.1. Additional user authentication

Each client connects to the VPN server with its own keys, so anyone holding the keys can connect. What if the server should verify client connections beyond these keys, for example so that only people with a user ID and password on the Linux server can connect to the OpenVPN server?

OpenVPN supports additional authentication methods, and a PAM-based authentication plugin is already included in the distribution. For additional authentication, first add auth-user-pass to the client configuration file.

In the server configuration file, add the following for PAM authentication.

plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login


Set the exact path of openvpn-auth-pam.so. Then restart the server and connect from the client; it now prompts for a user ID and password as shown below.

[Image: openvpn5.png (PNG, 20.41 KB)]

The connection is allowed only when the password is correct. The password is of course sent to the server securely.

1.6.1.1. Authenticating with username/password only


So far we have seen how to authenticate with a Linux user ID/password in addition to each client's keys.

As explained in the key generation section, a separate key must be made for every client and securely copied to it, which is inevitably tedious.


For that reason, although it is not recommended for security, OpenVPN also offers a way to authenticate VPN connections with only a Linux user ID/password.

Add the following two lines to the server configuration file (server.conf, if that is what yours is called).

...
client-cert-not-required
username-as-common-name
...

On the client, simply leave out the cert and key entries. The ca file, however, must still be copied to the client and specified correctly so that the client can verify the VPN server's key.
...
ca "C:\\Program Files\\OpenVPN\\config\\my-server.ca.crt"
...

1.6.2. Reaching other servers on the server side (help needed)


The connection so far is 1:1 (point-to-point) with the server: only packets between server and client are encrypted. What if you want to reach other servers on the server's side (on the same network as the server)?

Here it is assumed you are using a routed VPN (dev tun).

Suppose the server's network is 128.30.0.0/8. The server must first tell the clients about these addresses; add the following line to the server configuration.

push "route 128.30.0.0 255.255.255.0"
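Two of the numbers in this article have to line up with each other: the VPN subnet chosen in section 1.4.3 must not overlap the company LAN, and a LAN pushed to clients with push "route ..." has to be written as a network address plus a dotted netmask that actually describe that LAN. The following Python helpers are an added example (not part of the original article and not OpenVPN's own code) that do both checks with the standard ipaddress module; the subnets in the demo are the ones used in this article plus a constructed colliding LAN. Note that 128.30.0.0/8 as written above normalises to 128.0.0.0/8, whereas the pushed netmask 255.255.255.0 describes 128.30.0.0/24; the helpers make that difference visible.

```python
import ipaddress


def lan_collisions(vpn_cidr, lan_cidrs):
    """Return the LAN prefixes (as given) that overlap the proposed VPN
    subnet. A non-empty result means pick another VPN range."""
    vpn = ipaddress.ip_network(vpn_cidr, strict=False)
    return [lan for lan in lan_cidrs
            if vpn.overlaps(ipaddress.ip_network(lan, strict=False))]


def push_route_line(lan_cidr):
    """Render a LAN prefix in the 'push "route NET MASK"' form the server
    config expects. Host bits in the prefix are masked off, so the result
    always names a real network address."""
    net = ipaddress.ip_network(lan_cidr, strict=False)
    return f'push "route {net.network_address} {net.netmask}"'


def route_line_network(line):
    """Parse a 'push "route NET MASK"' (or bare 'route NET MASK') directive
    back into an ipaddress network, so it can be compared with the LAN it
    is meant to describe."""
    tokens = line.replace('"', "").split()
    i = tokens.index("route")
    return ipaddress.ip_network(f"{tokens[i + 1]}/{tokens[i + 2]}", strict=False)


def route_covers_lan(line, lan_cidr):
    """True when the pushed route contains the whole LAN prefix."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    return lan.subnet_of(route_line_network(line))


if __name__ == "__main__":
    # VPN range from section 1.4.3 against a constructed pair of LANs.
    print(lan_collisions("10.8.0.0/24", ["192.168.1.0/24", "10.8.0.0/16"]))
    # The route line from this section and the prefix the text states.
    line = 'push "route 128.30.0.0 255.255.255.0"'
    print(route_line_network(line), route_covers_lan(line, "128.30.0.0/8"))
    print(push_route_line("128.30.0.0/8"))
```

A route that does not cover the LAN you expect it to shows up as route_covers_lan returning False; a VPN range that overlaps the LAN shows up in lan_collisions, and is the usual reason a client can reach the VPN server but nothing behind it.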

Next, you must set up a route on the server-side LAN gateway to route the VPN client subnet (10.8.0.0/24) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines).

À̺κÐÀº Á¦°¡ LAN gatewayÀÇ ¼³Á¤ ±ÇÇÑÀÌ ¾ø¾î¼­ ½ÇÇèÀ» ¸øÇß½À´Ï´Ù. Ȥ½Ã ½ÃÇèÇÏ½Ç ¼ö ÀÖÀ¸½Å ºÐµéÀº Àú¿¡°Ô ¾Ë·Á ÁÖ½Ã¸é °¨»çÇÏ°Ú½À´Ï´Ù.

±×·±ÈÄ ¹Ýµå½Ã IP forwarding À» °¡´ÉÇÏ°Ô ¼³Á¤ÇØ Áֽðí:
On Linux, use the command:

    echo 1 > /proc/sys/net/ipv4/ip_forward

TUNµµ forwardingÀÌ °¡´ÉÇϵµ·Ï ¼³Á¤ ÇÑ´Ù:
# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT

# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT

Then reconnect with OpenVPN and connect to those servers.

1.6.3. Routing all traffic through the server


With the previous configuration, connecting to the VPN server encrypts only the server-to-client (point-to-point) link or the connections between the client and the server-side networks. Sometimes, however, an external user needs all of their traffic encrypted and routed through the server: when I use Google Mail or Google Talk from outside, for example, someone could eavesdrop on that mail or chat.

Even though the VPN connection to the server or the server network is encrypted, other network traffic (usually the Internet) goes directly and unencrypted to the servers concerned.

That is, as in the figure below, even while the VPN is in use, if a user at organization A uses Google Talk, A's network administrator can easily eavesdrop on it.

[Image: openvpn6.png (PNG, 17.09 KB)]

So if, as in the figure below, all traffic is sent to the VPN server and the VPN server connects to Google Talk or other servers, A's network administrator cannot see the content at all.

[Image: openvpn7.png (PNG, 26.32 KB)]

Of course the traffic leaving the VPN server is not encrypted and could also be monitored, but since the VPN server is at your own home or company, it is assumed to be relatively trustworthy.

This method can also be used for secure connections to other servers on the server-side network: if those servers accept connections only from their own network and are blocked from outside, connecting through the OpenVPN server makes them reachable, just as if your computer were on that internal network.

This useful technique has many applications, yet the configuration is very simple. Add the following line to the server configuration.

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly). 
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel.  Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
push "redirect-gateway def1"

A few simple additional settings are then needed. First enable IP forwarding:
On Linux, use the command:

    echo 1 > /proc/sys/net/ipv4/ip_forward

Assuming the VPN uses 10.8.0.0/24 and the server's primary network interface is eth0, the following command NATs the VPN clients' traffic out to the Internet.

    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Since all client traffic (including DNS queries) now passes through the server, the DNS server should be one close to the VPN server, or the VPN server itself can double as a DNS server. Adding the following line sets the clients' DNS automatically.

    push "dhcp-option DNS 10.8.0.1"

Now connect again through the client's OpenVPN GUI and then look at the client's TCP/IP settings.

Ethernet adapter Local Area Connection 7:

        Connection-specific DNS Suffix  . : 
        Description . . . . . . . . . . . : TAP-Win32 Adapter V8
        Physical Address. . . . . . . . . : 00-FF-51-C4-40-4B
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.8.0.6
        Subnet Mask . . . . . . . . . . . : 255.255.255.252
        Default Gateway . . . . . . . . . : 10.8.0.5
        DHCP Server . . . . . . . . . . . : 10.8.0.5
        DNS Servers . . . . . . . . . . . : 10.8.0.1
        Lease Obtained. . . . . . . . . . : Tuesday, December 26, 2006 4:43:57 PM
        Lease Expires . . . . . . . . . . : Wednesday, December 26, 2007 4:43:57 PM

You can see that Default Gateway and DNS Servers are set to 10.8.0.1. To check the connection, first open a website; if the Internet feels much slower, the traffic is going through the VPN server. To be sure, visit something like http://www.checkmyip.com/ from the client; if the IP shown is the server's rather than the client's, the connection is definitely working. From now on all of the user's network traffic (all Internet, all protocols) is delivered securely to the OpenVPN server and then connected through the server.


The above describes the server-side configuration. If the server does not provide this configuration (the openvpn client does not yet offer an option for it), you can force all traffic to the server by changing the routing yourself. The method below is done on the client, using the Windows command line. (On other OSes, DIY ^^)

// Remove the existing default gateway (if it is not removed, the order is decided by the metric values)
route DELETE 0.0.0.0

// Set VPN_SERVER_IP as the gateway. The important point is that this must be the
// VPN-side IP of the point-to-point link. If you thoughtlessly use the VPN server's
// real IP, you are in for trouble.
//
// OpenVPN has routed and bridged modes; VPN_SERVER_IP for the two modes
// is as follows.
//
// * routed mode
// If the server side has "server 192.168.100.0 255.255.255.0", set it to 192.168.100.1.
// (With OpenVPN's defaults it is usually 10.8.0.5)
//
// * bridged mode
// If the server side has "server-bridge 192.168.100.1 255.255.255.0 192.168.100.2 192.168.100.254",
// use 192.168.100.1.
route ADD 0.0.0.0 MASK 0.0.0.0 VPN_SERVER_IP

Once the default gateway is changed to the VPN like this, all traffic goes through the VPN server. When the VPN is disconnected, the gateway must likewise be restored by hand. (If the VPN server pushes the setting it is restored automatically, but if the GW was changed manually it must be restored manually too. To restore, run the command above with VPN_SERVER_IP replaced by the original gateway.)

If you do not know the server-side configuration when making the change, look at the OpenVPN client or server log and try from there. -- oops

1.7. Closing


OpenVPN is easier to install, configure and run (about a day, in my case) than existing VPN protocols such as IPSec. Companies and organizations that need security are strongly advised to use something like OpenVPN for secure communication.

I wrote this while learning, so there are probably many errors and mistakes. If you find any, please correct them directly or let me know. For reference, I have ordered a book that covers OpenVPN in detail (http://www.packtpub.com/openvpn/book/mid/2405065clw5q); when it arrives I plan to read it and fill in what is missing.

1.8. Comments after reading

  • Read it and got everything working in one go. Thanks for the article. ^^ -- by idlock
  • I have left some notes below regarding "Reaching other servers on the server side". -- by 진이헌규
  • I added installation instructions for the solaris environment. It has become a bit longer than it needed to be.. -- by ai


last modified 2011-08-11 11:25:19