출처 : http://tistory.izyou.net/entry/%EC%9A%B0%EB%B6%84%ED%88%AC-%ED%99%98%EA%B2%BD%EC%97%90%EC%84%9C-openvpn-%EC%84%A4%EC%A0%95#recentTrackback
요즘 회사에서 인터넷을 사용하는데 방화벽(+기타등등)의 보안툴로 점점 네트워크를 사용하는게 힘들어지면서 찾기 시작한 VPN서버를 이용한 터널링을 설정해보기로 했다. 서버로 이용하는 것은 예전에 학교에서 활동하던 학회에서 사용하는 서버이며, 일반적으로 많이들 사용하는 우분투 기반의 서버이다. (우분투이니 데비안에는 그냥 적용 가능할 것이라고 생각함)
상대적으로 openvpn 서버를 이용하지 않고, 윈도우에서 사용하는 pptp 프로토콜을 사용하려고 하는 경우 poptop의 우분투 패키지인 pptpd 를 설치하고 간단한 설정을 통해서 바로 접속이 가능했다. 문제는 우리 회사의 경우 pptpd 를 정책상 막아 놓은건지 서버로 접속은 가능했지만, 서버에서 외부 접속에서 사용하는 ppp를 생성하는 중에 아래와 같은 메시지를 뿜으면서 커넥션을 잃어버리더라…
pptpd 설정
root@zeropage:/var/lib/mysql# tail -f /var/log/syslog
…
Nov 23 16:28:21 zeropage pptpd[7279]: CTRL: Client 203.244.218.56 control connection started
Nov 23 16:28:21 zeropage pptpd[7279]: CTRL: Starting call (launching pppd, opening GRE)
Nov 23 16:28:21 zeropage pppd[7280]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Nov 23 16:28:21 zeropage pppd[7280]: pppd 2.4.4 started by root, uid 0
Nov 23 16:28:21 zeropage pppd[7280]: Using interface ppp0
Nov 23 16:28:21 zeropage pppd[7280]: Connect: ppp0 <–> /dev/pts/2
Nov 23 16:28:21 zeropage pptpd[7279]: GRE: Bad checksum from pppd.
Nov 23 16:28:51 zeropage pppd[7280]: LCP: timeout sending Config-Requests
Nov 23 16:28:51 zeropage pppd[7280]: Connection terminated.
Nov 23 16:28:51 zeropage pppd[7280]: Modem hangup
Nov 23 16:28:51 zeropage pppd[7280]: Exit.
Nov 23 16:28:51 zeropage pptpd[7279]: GRE: read(fd=6,buffer=8058660,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
Nov 23 16:28:51 zeropage pptpd[7279]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Nov 23 16:28:51 zeropage pptpd[7279]: CTRL: Reaping child PPP[7280]
Nov 23 16:28:51 zeropage pptpd[7279]: CTRL: Client 203.244.218.56 control connection finished
…
Nov 23 16:28:21 zeropage pptpd[7279]: CTRL: Client 203.244.218.56 control connection started
Nov 23 16:28:21 zeropage pptpd[7279]: CTRL: Starting call (launching pppd, opening GRE)
Nov 23 16:28:21 zeropage pppd[7280]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Nov 23 16:28:21 zeropage pppd[7280]: pppd 2.4.4 started by root, uid 0
Nov 23 16:28:21 zeropage pppd[7280]: Using interface ppp0
Nov 23 16:28:21 zeropage pppd[7280]: Connect: ppp0 <–> /dev/pts/2
Nov 23 16:28:21 zeropage pptpd[7279]: GRE: Bad checksum from pppd.
Nov 23 16:28:51 zeropage pppd[7280]: LCP: timeout sending Config-Requests
Nov 23 16:28:51 zeropage pppd[7280]: Connection terminated.
Nov 23 16:28:51 zeropage pppd[7280]: Modem hangup
Nov 23 16:28:51 zeropage pppd[7280]: Exit.
Nov 23 16:28:51 zeropage pptpd[7279]: GRE: read(fd=6,buffer=8058660,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
Nov 23 16:28:51 zeropage pptpd[7279]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Nov 23 16:28:51 zeropage pptpd[7279]: CTRL: Reaping child PPP[7280]
Nov 23 16:28:51 zeropage pptpd[7279]: CTRL: Client 203.244.218.56 control connection finished
어쨋든 그래서 openvpn 을 다시 한번 시도를 해보았지만, 기존에 존재하는 국내 문서중에는 openvpn을 우분투 패키지를 이용해서 설정한 내용이 없어서, 설정을 시도하면서 문서로 남겨볼겸 이렇게 글을 적고 있다.
참고문서) http://www.ventanazul.com/webzine/articles/openvpn-ubuntu-and-hulu
더보기
우선, 패키지 관리자를 이용해서 openvpn 패키지를 설치한다. apt-get, aptitude, synaptic 무엇을 패키지 설치에 이용해도 무방할 것이다. 개인적 기호에 의해서 aptitude 를 이용해서 설치했다.
설치를 한뒤 아래의 명령어로 기본 설정파일 위치를 지정한다.
root@zeropage:/etc/openvpn#vi /etc/default/openvpn
해당 파일을 열고 이전에 존재하는 모든 내용을 comment 처리 한뒤, AUTOSTART=”openvpn” 을 마지막에 추가한다.
해당 파일을 열고 이전에 존재하는 모든 내용을 comment 처리 한뒤, AUTOSTART=”openvpn” 을 마지막에 추가한다.
이렇게 설정해주면 openvpn 은 구동시 /etc/openvpn/openvpn.conf 설정을 찾는데, 현재는 존재하지 않기 때문에 따로 작성을 할 것이다.
다음 작업할 내용은 키와 인증서를 만드는 일이다.
rsa 설정을 위해서 예제 설정 파일을 복사해온다.
root@zeropage:/etc/openvpn#cp -r /usr/share/doc/openvpn/examples/easy-rsa/ .
root@zeropage:/etc/openvpn#vi easy-rsa/vars
위의 파일이 존재하지 않는 상황이라면 아래의 위치에서 설정 파일을 찾아보자.
root@zeropage:/etc/openvpn#vi easy-rsa/2.0/vars
root@zeropage:/etc/openvpn#vi easy-rsa/vars
위의 파일이 존재하지 않는 상황이라면 아래의 위치에서 설정 파일을 찾아보자.
root@zeropage:/etc/openvpn#vi easy-rsa/2.0/vars
해당 파일에서 아래의 내용을 반영한다.
export KEY_COUNTRY=PE
export KEY_PROVINCE=LI
export KEY_CITY=Lima
export KEY_ORG=”Nombre-OpenVPN”
export KEY_EMAIL=”tu-nombre@example.com“
export KEY_PROVINCE=LI
export KEY_CITY=Lima
export KEY_ORG=”Nombre-OpenVPN”
export KEY_EMAIL=”tu-nombre@example.com“
그리고 아래의 명령어를 이용해서 환경 설정을 현재 터미널에 반영한다.
root@zeropage:/etc/openvpn/easy-rsa/2.0# . ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
private key 를 작성한다.
root@zeropage:/etc/openvpn/easy-rsa/2.0# ./build-ca
Generating a 1024 bit RSA private key
…………..++++++
………………………………….++++++
writing new private key to ‘ca.key’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [PE]:
State or Province Name (full name) [LI]:
Locality Name (eg, city) [Lima]:
Organization Name (eg, company) [Nombre-OpenVPN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) [Nombre-OpenVPN CA]:
Email Address [tu-nombre@example.com]:
Generating a 1024 bit RSA private key
…………..++++++
………………………………….++++++
writing new private key to ‘ca.key’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [PE]:
State or Province Name (full name) [LI]:
Locality Name (eg, city) [Lima]:
Organization Name (eg, company) [Nombre-OpenVPN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) [Nombre-OpenVPN CA]:
Email Address [tu-nombre@example.com]:
서버키를 작성한다. (서버키 작성 마지막에 certification 을 반드시 작성하도록 y를 선택해야한다)
root@zeropage:/etc/openvpn/easy-rsa/2.0# ./build-key-server server
Generating a 1024 bit RSA private key
…++++++
……………..++++++
writing new private key to ‘server.key’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [PE]:
State or Province Name (full name) [LI]:
Locality Name (eg, city) [Lima]:
Organization Name (eg, company) [Nombre-OpenVPN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) [server]:
Email Address [tu-nombre@example.com]:
Generating a 1024 bit RSA private key
…++++++
……………..++++++
writing new private key to ‘server.key’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [PE]:
State or Province Name (full name) [LI]:
Locality Name (eg, city) [Lima]:
Organization Name (eg, company) [Nombre-OpenVPN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) [server]:
Email Address [tu-nombre@example.com]:
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
countryName :PRINTABLE:’PE’
stateOrProvinceName :PRINTABLE:’LI’
localityName :PRINTABLE:’Lima’
organizationName :PRINTABLE:’Nombre-OpenVPN’
commonName :PRINTABLE:’server’
emailAddress :IA5STRING:’tu-nombre@example.com’
Certificate is to be certified until Nov 21 08:03:49 2018 GMT (3650 days)
Sign the certificate? [y/n]:
CERTIFICATE WILL NOT BE CERTIFIED
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
countryName :PRINTABLE:’PE’
stateOrProvinceName :PRINTABLE:’LI’
localityName :PRINTABLE:’Lima’
organizationName :PRINTABLE:’Nombre-OpenVPN’
commonName :PRINTABLE:’server’
emailAddress :IA5STRING:’tu-nombre@example.com’
Certificate is to be certified until Nov 21 08:03:49 2018 GMT (3650 days)
Sign the certificate? [y/n]:
CERTIFICATE WILL NOT BE CERTIFIED
클라이언트 키를 작성한다.
root@zeropage:/etc/openvpn/easy-rsa/2.0# ./build-key-server client
Generating a 1024 bit RSA private key
………………++++++
…………++++++
writing new private key to ‘client.key’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [PE]:
State or Province Name (full name) [LI]:
Locality Name (eg, city) [Lima]:
Organization Name (eg, company) [Nombre-OpenVPN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) [client]:
Email Address [tu-nombre@example.com]:
Generating a 1024 bit RSA private key
………………++++++
…………++++++
writing new private key to ‘client.key’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [PE]:
State or Province Name (full name) [LI]:
Locality Name (eg, city) [Lima]:
Organization Name (eg, company) [Nombre-OpenVPN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) [client]:
Email Address [tu-nombre@example.com]:
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
countryName :PRINTABLE:’PE’
stateOrProvinceName :PRINTABLE:’LI’
localityName :PRINTABLE:’Lima’
organizationName :PRINTABLE:’Nombre-OpenVPN’
commonName :PRINTABLE:’client’
emailAddress :IA5STRING:’tu-nombre@example.com’
Certificate is to be certified until Nov 21 08:06:02 2018 GMT (3650 days)
Sign the certificate? [y/n]:
CERTIFICATE WILL NOT BE CERTIFIED
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
countryName :PRINTABLE:’PE’
stateOrProvinceName :PRINTABLE:’LI’
localityName :PRINTABLE:’Lima’
organizationName :PRINTABLE:’Nombre-OpenVPN’
commonName :PRINTABLE:’client’
emailAddress :IA5STRING:’tu-nombre@example.com’
Certificate is to be certified until Nov 21 08:06:02 2018 GMT (3650 days)
Sign the certificate? [y/n]:
CERTIFICATE WILL NOT BE CERTIFIED
Diffie Hellman 파라메터를 생성한다.
root@zeropage:/etc/openvpn/easy-rsa/2.0# ./build-dh
root@zeropage:/etc/openvpn/easy-rsa/2.0# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
………+………………………………+…………….+…………………………………..+…………………………………………………………………..+……………….+………………………………………+….+……………………+………………………………………………………………………………+…………………………………….+……………………….+…………………………………………………………………..++*++*++*
This is going to take a long time
………+………………………………+…………….+…………………………………..+…………………………………………………………………..+……………….+………………………………………+….+……………………+………………………………………………………………………………+…………………………………….+……………………….+…………………………………………………………………..++*++*++*
이제 기본적인 키 작성 작업이 끝났다. 클라이언트 측에서 서버로의 접속을 위해서는 /etc/openvpn/easy-rsa/keys 디렉토리내에 3개의 파일이 필요하니 잘 보관한다.
ca.crt
client1.crt
client1.key
client1.crt
client1.key
openvpn 환경 설정 파일을 만들어야한다.
root@zeropage:/etc/openvpn# vi openvpn.conf
dev tun
proto tcp
port 1194
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
#status openvpn-status.log
#verb 3
client-to-client
push “redirect-gateway def1”
#log-append /var/log/openvpn
comp-lzo
dev tun
proto tcp
port 1194
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
#status openvpn-status.log
#verb 3
client-to-client
push “redirect-gateway def1”
#log-append /var/log/openvpn
comp-lzo
그리고 IP라우팅을 위해서 아래의 커맨드를 한번씩 날려준다.
echo 1 > /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
sudo iptables -L -t nat
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
sudo iptables -L -t nat
(차후 방화벽 정책 삭제를 위해서는 sudo iptables -F -t nat)
서버쪽 설정은 완료 되었음을 알 수 있다.
root@zeropage:/etc/openvpn# ifconfig
eth0 Link encap:Ethernet HWaddr 00:17:31:f3:11:1e
inet addr:165.194.17.160 Bcast:165.194.17.255 Mask:255.255.255.0
inet6 addr: fe80::217:31ff:fef3:111e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:34354629 errors:0 dropped:0 overruns:0 frame:0
TX packets:14478158 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:355495487 (339.0 MB) TX bytes:744316533 (709.8 MB)
Interrupt:217 Base address:0x8000
eth0 Link encap:Ethernet HWaddr 00:17:31:f3:11:1e
inet addr:165.194.17.160 Bcast:165.194.17.255 Mask:255.255.255.0
inet6 addr: fe80::217:31ff:fef3:111e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:34354629 errors:0 dropped:0 overruns:0 frame:0
TX packets:14478158 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:355495487 (339.0 MB) TX bytes:744316533 (709.8 MB)
Interrupt:217 Base address:0x8000
eth1 Link encap:Ethernet HWaddr 00:48:54:4a:e0:c7
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:20 Base address:0xac00
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:348697 errors:0 dropped:0 overruns:0 frame:0
TX packets:348697 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:185131767 (176.5 MB) TX bytes:185131767 (176.5 MB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
자 이제 오늘의 핵심 클라이언트에서 이제 VPN 서버로 한번 붙여보자. ㅋㅋ
VPN서버로 붙일 윈도우에서 http://openvpn.org 에서 제공하는 윈도우용 클라이언트를 받고 설치하자!!!
프로그램 메뉴의 OpenVPN configuration file directory 를 열고 서버에서 생성된 키중 ca.crt, client.crt, client.key 를 복사하고, client.ovpn 파일을 열고 remote 항목을 수정하면 종료!!!
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 165.194.17.160 1194
;remote my-server-2 1194
# You can have multiple remote entries
# to load balance between the servers.
remote 165.194.17.160 1194
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don’t need to bind to
# a specific local port number.
nobind
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It’s best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client.crt
key client.key
# 위의 3개의 값을 절대경로를 함께 넣어서 “c:\program files\openvpn\config\key….” 형태로 지정해야함.
# See the server config file for more
# description. It’s best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client.crt
key client.key
# 위의 3개의 값을 절대경로를 함께 넣어서 “c:\program files\openvpn\config\key….” 형태로 지정해야함.
# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to “server”. This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to “server”. The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server
# that the certicate has the nsCertType
# field set to “server”. This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to “server”. The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# then every client must also have the key.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the VPN link.
# Don’t enable this unless it is also
# enabled in the server config file.
comp-lzo
# Don’t enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
verb 3
# Silence repeating messages
;mute 20
;mute 20