윈도우에 OpenVPN 설치 - 클라이언트 측 구성
OpenVPN 서버를 구성했으니,
윈도우에 OpenVPN 설치 - 서버 측 구성
; https://www.sysnet.pe.kr/2/0/12224
이제 해당 네트워크에 참여할 클라이언트 측 구성을 할 차례입니다. OpenVPN의 경우 이 과정도 서버와 동일한 설치 파일을 사용하는데,
OpenVPN - Windows 10/Server 2016/Server 2019 installer (NSIS) GnuPG Signature openvpn-install-2.4.9-I601-Win10.exe
; https://openvpn.net/community-downloads/
단지 이번에는 설치 과정에 나오는 질문들은 모두 그냥 기본값으로 두고 설치를 진행해도 됩니다. (즉, "EasyRSA2 Certificate Management Scripts" 구성 요소를 설치할 필요는 없습니다.)
설치가 완료되면, 이번에도 마찬가지로 "C:\Program Files\OpenVPN"에 파일이 위치합니다.
바이너리는 클라이언트에 설치했지만, 이제 다시 서버 쪽 환경으로 넘어가서 ca 인증 기관으로부터 클라이언트를 위한 인증서를 하나 발급받아야 합니다.
// 서버 측에서 클라이언트를 위한 인증서 생성 (Common Name은 임의의 값 사용)
C:\Users\clntusr> cd "C:\Program Files\OpenVPN\easy-rsa"
C:\Program Files\OpenVPN\easy-rsa> vars
C:\Program Files\OpenVPN\easy-rsa> build-key client1
Ignoring -days; not generating a certificate
Generating a RSA private key
..........................................................................++++
.....................................................................................................................................................................................................++++
writing new private key to 'keys\client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:myvpnclient1
Name [changeme]:
Email Address [mail@host.domain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'OpenVPN'
organizationalUnitName:PRINTABLE:'changeme'
commonName :PRINTABLE:'myvpnclient1'
name :PRINTABLE:'changeme'
emailAddress :IA5STRING:'mail@host.domain'
Certificate is to be certified until Jun 9 00:33:57 2030 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
C:\Program Files\OpenVPN\easy-rsa>
명령이 완료되었으면 "C:\Program Files\OpenVPN\easy-rsa\keys" 폴더에 client1.crt, client1.csr, client1.key 파일이 생성됩니다. 그럼, 이전에 생성해 두었던 ca.crt, ta.key 파일을 포함한 다음의 파일들을,
- ca.crt
- client1.crt
- client1.key
- ta.key
클라이언트 측의 "C:\Program Files\OpenVPN\config" 폴더에 복사합니다. 또한 서버 때와 마찬가지로 OpenVPN의 동작 환경을 미리 정의한 템플릿 파일인 "C:\Program Files\OpenVPN\sample-config\client.ovpn"을 "C:\Program Files\OpenVPN\config" 폴더에 복사한 후, 다음의 설정들을 변경해 줍니다.
// 만약 OpenVPN 서버의 주소가 my.test.com이라면,
remote my.test.com 1194
cert client1.crt
key client1.key
(그 외 값들도 원한다면 자신의 환경에 따라 적절하게 변경한 후), 마지막으로 관리자 권한의 cmd.exe 명령행에서 다음의 명령어로 VPN 연결을 할 수 있습니다.
C:\Program Files\OpenVPN\config> ..\bin\openvpn client.ovpn
Thu Jun 11 09:42:17 2020 OpenVPN 2.4.9 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 16 2020
Thu Jun 11 09:42:17 2020 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Jun 11 09:42:17 2020 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Thu Jun 11 09:42:17 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 11 09:42:17 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 11 09:42:17 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]64.102.56.78:1194
Thu Jun 11 09:42:17 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Jun 11 09:42:17 2020 UDP link local: (not bound)
Thu Jun 11 09:42:17 2020 UDP link remote: [AF_INET]64.102.56.78:1194
Thu Jun 11 09:42:17 2020 TLS: Initial packet from [AF_INET]64.102.56.78:1194, sid=35cbd3b6 a489989e
Thu Jun 11 09:42:17 2020 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=OpenVPN, OU=changeme, CN=myca, name=changeme, emailAddress=mail@host.domain
Thu Jun 11 09:42:17 2020 VERIFY KU OK
Thu Jun 11 09:42:17 2020 Validating certificate extended key usage
Thu Jun 11 09:42:17 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Jun 11 09:42:17 2020 VERIFY EKU OK
Thu Jun 11 09:42:17 2020 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=OpenVPN, OU=changeme, CN=myvpn, name=changeme, emailAddress=mail@host.domain
Thu Jun 11 09:42:17 2020 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Thu Jun 11 09:42:17 2020 [myvpn] Peer Connection Initiated with [AF_INET]64.102.56.78:1194
Thu Jun 11 09:42:18 2020 SENT CONTROL [myvpn]: 'PUSH_REQUEST' (status=1)
Thu Jun 11 09:42:18 2020 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 168.126.63.1,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Thu Jun 11 09:42:18 2020 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jun 11 09:42:18 2020 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jun 11 09:42:18 2020 OPTIONS IMPORT: route options modified
Thu Jun 11 09:42:18 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jun 11 09:42:18 2020 OPTIONS IMPORT: peer-id set
Thu Jun 11 09:42:18 2020 OPTIONS IMPORT: adjusting link_mtu to 1624
Thu Jun 11 09:42:18 2020 OPTIONS IMPORT: data channel crypto options modified
Thu Jun 11 09:42:18 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Jun 11 09:42:18 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jun 11 09:42:18 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jun 11 09:42:18 2020 interactive service msg_channel=0
Thu Jun 11 09:42:18 2020 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 I=23 HWADDR=1c:23:dc:45:8d:d7
Thu Jun 11 09:42:18 2020 open_tun
Thu Jun 11 09:42:18 2020 TAP-WIN32 device [Local Area Connection] opened: \\.\Global\{ADBBCAAE-B7AA-4553-89CD-97141B40AA6F}.tap
Thu Jun 11 09:42:18 2020 TAP-Windows Driver Version 9.24
Thu Jun 11 09:42:19 2020 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {ADBBCAAE-B7AA-4553-89CD-97141B40AA6F} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Thu Jun 11 09:42:19 2020 Successful ARP Flush on interface [89] {ADBBCAAE-B7AA-4553-89CD-97141B40AA6F}
Thu Jun 11 09:42:24 2020 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Thu Jun 11 09:42:24 2020 C:\WINDOWS\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.5
Thu Jun 11 09:42:24 2020 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
Thu Jun 11 09:42:24 2020 Route addition via IPAPI succeeded [adaptive]
Thu Jun 11 09:42:24 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Jun 11 09:42:24 2020 Initialization Sequence Completed
정상적으로 연결되었다면 서버 측 콘솔에는 다음과 같은 식의 내용들이 출력됩니다.
Thu Jun 11 09:42:16 2020 165.24.56.23:59374 TLS: Initial packet from [AF_INET6]::ffff:165.24.56.23:59374, sid=c8110058 5fa1884e
Thu Jun 11 09:42:16 2020 165.24.56.23:59374 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=OpenVPN, OU=changeme, CN=myca, name=changeme, emailAddress=mail@host.domain
Thu Jun 11 09:42:16 2020 165.24.56.23:59374 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=OpenVPN, OU=changeme, CN=myvpnclient1, name=changeme, emailAddress=mail@host.domain
Thu Jun 11 09:42:16 2020 165.24.56.23:59374 peer info: IV_VER=2.4.9
Thu Jun 11 09:42:16 2020 165.24.56.23:59374 peer info: IV_PLAT=win
Thu Jun 11 09:42:16 2020 165.24.56.23:59374 peer info: IV_PROTO=2
Thu Jun 11 09:42:16 2020 165.24.56.23:59374 peer info: IV_NCP=2
Thu Jun 11 09:42:16 2020 165.24.56.23:59374 peer info: IV_LZ4=1
Thu Jun 11 09:42:16 2020 165.24.56.23:59374 peer info: IV_LZ4v2=1
Thu Jun 11 09:42:16 2020 165.24.56.23:59374 peer info: IV_LZO=1
Thu Jun 11 09:42:16 2020 165.24.56.23:59374 peer info: IV_COMP_STUB=1
Thu Jun 11 09:42:16 2020 165.24.56.23:59374 peer info: IV_COMP_STUBv2=1
Thu Jun 11 09:42:16 2020 165.24.56.23:59374 peer info: IV_TCPNL=1
Thu Jun 11 09:42:16 2020 165.24.56.23:59374 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Thu Jun 11 09:42:16 2020 165.24.56.23:59374 [myvpnclient1] Peer Connection Initiated with [AF_INET6]::ffff:165.24.56.23:59374
Thu Jun 11 09:42:16 2020 myvpnclient1/165.24.56.23:59374 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Thu Jun 11 09:42:16 2020 myvpnclient1/165.24.56.23:59374 MULTI: Learn: 10.8.0.6 -> myvpnclient1/165.24.56.23:59374
Thu Jun 11 09:42:16 2020 myvpnclient1/165.24.56.23:59374 MULTI: primary virtual IP for myvpnclient1/165.24.56.23:59374: 10.8.0.6
Thu Jun 11 09:42:17 2020 myvpnclient1/165.24.56.23:59374 PUSH: Received control message: 'PUSH_REQUEST'
Thu Jun 11 09:42:17 2020 myvpnclient1/165.24.56.23:59374 SENT CONTROL [myvpnclient1]: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 168.126.63.1,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Thu Jun 11 09:42:17 2020 myvpnclient1/165.24.56.23:59374 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Jun 11 09:42:17 2020 myvpnclient1/165.24.56.23:59374 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jun 11 09:42:17 2020 myvpnclient1/165.24.56.23:59374 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
일단, 이렇게 잘 동작하는 것을 확인했으면 이후로는 "OpenVPN GUI" 프로그램을 이용해 트레이 아이콘의 "Connect" 메뉴로 VPN 접속을 편리하게 수행할 수 있습니다.
[이 글에 대해서 여러분들과 의견을 공유하고 싶습니다. 틀리거나 미흡한 부분 또는 의문 사항이 있으시면 언제든 댓글 남겨주십시오.]