
## Install OpenVPN

# apt-get update
# apt-get install openvpn easy-rsa

## Set Up the CA Directory (using easy-rsa)
# make-cadir /etc/openvpn/easy-rsa
# cd /etc/openvpn/easy-rsa

## Configure the CA Variables
# vi vars
export KEY_COUNTRY="KR"
export KEY_PROVINCE="Seoul"
export KEY_CITY="Jongno"
export KEY_ORG="OpenStackKR"
export KEY_EMAIL="root@localhost"
export KEY_OU="OpenStack KR"
export KEY_NAME="server"

## Build the Certificate Authority
# source vars
# ./clean-all
# ./build-ca
Generating a 2048 bit RSA private key
.....................................................+++
...................+++
writing new private key to 'ca.key'
-----
Country Name (2 letter code) [KR]:
State or Province Name (full name) [Seoul]:
Locality Name (eg, city) [Jongno]:
Organization Name (eg, company) [OpenStackKR]:
Organizational Unit Name (eg, section) [OpenStackKR]:
Common Name (eg, your name or your server's hostname) [OpenStackKR CA]:
Name [server]:
Email Address [root@localhost]:


## Create the Server Certificate, Key, and Encryption Files
# ./build-key-server server

A challenge password []:               --> just press Enter
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


# ./build-dh
# openvpn --genkey --secret keys/ta.key


## Generate a Client Certificate and Key Pair
# cd /etc/openvpn/easy-rsa
# source vars
# ./build-key seungkyua
Generating a 2048 bit RSA private key
.....+++
.................+++
writing new private key to 'seungkyua.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KR]:
State or Province Name (full name) [Seoul]:
Locality Name (eg, city) [Jongno]:
Organization Name (eg, company) [OpenStackKR]:
Organizational Unit Name (eg, section) [OpenStackKR]:
Common Name (eg, your name or your server's hostname) [seungkyua]:
Name [server]:
Email Address [root@localhost]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []: OpenStackKR
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'KR'
stateOrProvinceName   :PRINTABLE:'Seoul'
localityName          :PRINTABLE:'Jongno'
organizationName      :PRINTABLE:'OpenStackKR'
organizationalUnitName:PRINTABLE:'OpenStackKR'
commonName            :PRINTABLE:'seungkyua'
name                  :PRINTABLE:'server'
emailAddress          :IA5STRING:'root@localhost'
Certificate is to be certified until Aug 29 01:42:22 2027 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated



## Configure the OpenVPN Service
# cd /etc/openvpn/easy-rsa/keys
# cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn
# gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf

# vi /etc/openvpn/server.conf
32 port 1194
35 proto tcp
78 ca ca.crt
79 cert server.crt
80 key server.key

141 push "route 192.168.30.0 255.255.255.0"
142 push "route 192.168.230.0 255.255.255.0"
143 push "route 192.168.130.0 255.255.255.0"
144 push "route 192.168.49.0 255.255.255.0"
145 push "route 192.168.51.0 255.255.255.0"
146 push "route 192.168.54.0 255.255.255.0"

205 push "dhcp-option DNS 192.168.30.26"    # IP of the server where the private DNS server will be installed
206 push "dhcp-option DNS 8.8.8.8"
208 push "dhcp-option DOMAIN cicd.seungkyua"   # private DNS domain

250 tls-auth ta.key 0
256 cipher AES-128-CBC   # AES
259 auth SHA256
275 user nobody
276 group nogroup


## Adjust the Server Networking Configuration
# vi /etc/sysctl.conf
28 net.ipv4.ip_forward=1

# sysctl -p

# ip route | grep default
# iptables -t nat -A POSTROUTING -s 10.8.0.0/8 -o br-ex -j MASQUERADE



## Start and Enable the OpenVPN Service
# systemctl start openvpn@server
# systemctl status openvpn@server
# systemctl enable openvpn@server


## Create Client Configuration Infrastructure
# cd /etc/openvpn
# mkdir -p /etc/openvpn/client-configs/files
# chmod 700 /etc/openvpn/client-configs/files
# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/client-configs/base.conf

# vi client-configs/base.conf
36 proto tcp
42 remote server_ip 1194
61 user nobody
62 group nogroup
88 #ca ca.crt
89 #cert client.crt
90 #key client.key
113 cipher AES-128-CBC
114 auth SHA256
115 key-direction 1
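The server.conf edits earlier and the base.conf edits here have to agree with each other: same proto, cipher and auth, the server port equal to the client's remote port, and tls-auth direction 0 on the server against key-direction 1 on the client. The following Python script is an added example, not part of the original post; it parses constructed excerpts of both files carrying the post's values and reports any mismatch.

```python
# Added example, not from the original post: cross-check server.conf against the
# client base.conf. proto, cipher, auth and port must agree, and the tls-auth key
# direction must be 0 on the server and 1 on the client.

# Constructed excerpts holding the directive values the post sets in each file.
SERVER_CONF = """
port 1194
proto tcp
tls-auth ta.key 0
cipher AES-128-CBC
auth SHA256
"""

CLIENT_CONF = """
proto tcp
remote server_ip 1194
cipher AES-128-CBC
auth SHA256
key-direction 1
"""

def parse(conf):
    """Map directive -> argument list, ignoring blank lines and '#'/';' comments."""
    out = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        key, *args = line.split()
        out.setdefault(key, args)  # first occurrence wins (enough for these checks)
    return out

def tls_direction(conf):
    """'key-direction N', or the N in 'tls-auth file N'; None if neither is set."""
    args = conf.get("key-direction") or conf.get("tls-auth", [])[1:]
    return args[0] if args else None

def check_pair(server_text, client_text):
    """Return a list of mismatches; an empty list means the pair is consistent."""
    s, c = parse(server_text), parse(client_text)
    issues = [f"{k}: server {s.get(k)} vs client {c.get(k)}"
              for k in ("proto", "cipher", "auth") if s.get(k) != c.get(k)]
    remote = c.get("remote", [])
    if s.get("port", ["1194"])[0] != (remote[1] if len(remote) > 1 else "1194"):
        issues.append("port: server port differs from the client's remote port")
    if (tls_direction(s), tls_direction(c)) != ("0", "1"):
        issues.append("tls-auth: server direction must be 0 and client 1")
    return issues
```

Run `check_pair` over the real /etc/openvpn/server.conf and client-configs/base.conf contents before generating .ovpn files; an empty list is the expected result.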


# vi client-configs/make_config.sh
#!/bin/bash

# First argument: Client identifier (the name that was passed to ./build-key)
set -euo pipefail

KEY_DIR=/etc/openvpn/easy-rsa/keys
OUTPUT_DIR=/etc/openvpn/client-configs/files
BASE_CONFIG=/etc/openvpn/client-configs/base.conf

if [ -z "${1:-}" ]; then
    echo "usage: $0 <client-name>" >&2
    exit 1
fi

# Append the CA cert, client cert, client key and tls-auth key to the base
# config as inline blocks, producing one self-contained .ovpn file
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn


# chmod 700 client-configs/make_config.sh

# cd /etc/openvpn/client-configs

## The seungkyua.ovpn file is created under the /etc/openvpn/client-configs/files directory
# ./make_config.sh seungkyua



## How to create the client file when adding a user

# cd /etc/openvpn/easy-rsa
# source vars
# ./build-key seungkyua

# cd /etc/openvpn/client-configs
# ./make_config.sh seungkyua


## Checks after a server reboot
# ip route | grep default

# iptables -t nat -A POSTROUTING -s 10.8.0.0/8 -o br-ex -j MASQUERADE



Source: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04

## Install Unbound on the DNS Server
# sudo apt-get update
# apt-get install unbound


## Configuration
# cd /etc/unbound
# vi unbound.conf.d/root-auto-trust-anchor-file.conf
server:
    verbosity: 1
    statistics-interval: 0
    statistics-cumulative: no
    extended-statistics: yes
    num-threads: 2

    interface: 192.168.30.26
    interface: 127.0.0.1

    outgoing-range: 4096
    outgoing-port-permit: 40000-44096
    cache-max-ttl: 3600
    do-ip4: yes
    do-ip6: no

    access-control: 10.8.0.0/24 allow
    access-control: 192.168.30.0/24 allow
    access-control: 192.168.54.0/24 allow

    chroot: ""
    username: "unbound"
    directory: "/etc/unbound"
    log-time-ascii: yes
    pidfile: "/var/run/unbound/unbound.pid"
    hide-identity: yes
    hide-version: yes
    harden-short-bufsize: yes
    harden-large-queries: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    harden-referral-path: yes
    use-caps-for-id: yes
    unwanted-reply-threshold: 10000000
    prefetch: yes
    prefetch-key: yes
    rrset-roundrobin: yes
    minimal-responses: yes
#    trusted-keys-file: /etc/unbound/keys.d/*.key
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-clean-additional: yes
    val-permissive-mode: no
    val-log-level: 1
    key-cache-size: 512m

    include: /etc/unbound/local.d/*.conf

# Remote control config section.
remote-control:
    control-enable: yes
    server-key-file: "/etc/unbound/unbound_server.key"
    server-cert-file: "/etc/unbound/unbound_server.pem"
    control-key-file: "/etc/unbound/unbound_control.key"
    control-cert-file: "/etc/unbound/unbound_control.pem"

# Stub and Forward zones
# include: /etc/unbound/conf.d/*.conf



## DNS records
# mkdir -p local.d
# vi local.d/cicd.seungkyua.conf
local-zone: "cicd.seungkyua." static    # the zone name must enclose the records below
local-data: "master01.cicd.seungkyua. IN A 192.168.30.13"
local-data: "node01.cicd.seungkyua. IN A 192.168.30.12"
local-data: "node02.cicd.seungkyua. IN A 192.168.30.17"
local-data: "node03.cicd.seungkyua. IN A 192.168.30.18"
local-data: "node04.cicd.seungkyua. IN A 192.168.30.21"

local-data: "centos-repo.cicd.seungkyua. IN A 192.168.30.12"
local-data: "dashboard.cicd.seungkyua. IN A 192.168.30.12"
local-data: "grafana.cicd.seungkyua. IN A 192.168.30.12"
local-data: "horizon.cicd.seungkyua. IN A 192.168.30.12"
local-data: "jenkins.cicd.seungkyua. IN A 192.168.30.12"
local-data: "keystone.cicd.seungkyua. IN A 192.168.30.12"
local-data: "kibana.cicd.seungkyua. IN A 192.168.30.12"
local-data: "minio.seungkyua. IN A 192.168.30.12"
local-data: "pypi-repo.cicd.seungkyua. IN A 192.168.30.12"
local-data: "registry.cicd.seungkyua. IN A 192.168.30.12"
local-data: "scope.cicd.seungkyua. IN A 192.168.30.12"
local-data: "prometheus.cicd.seungkyua. IN A 192.168.30.12"
local-data: "ubuntu-repo.cicd.seungkyua. IN A 192.168.30.12"
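The file above declares one local-zone and then a list of local-data records. unbound only applies the declared zone type (static here) to records that sit under that zone name; a record outside every declared zone is not rejected but gets an implicit transparent zone of its own, so a typo in the zone line goes unnoticed. The following Python check is an added example, not part of the original post; it runs over a constructed local.d file and lists the records that no declared zone covers.

```python
# Added example, not from the original post: find local-data records in an
# unbound local.d file that no declared local-zone covers. unbound does not
# reject such records; it gives them an implicit transparent zone instead, so
# the "static" zone declared above them never applies to them.
import re

# Constructed input shaped like local.d/cicd.seungkyua.conf, with the zone line
# naming a different domain than the records under it.
SAMPLE_CONF = """
local-zone: "cicd.stg.taco." static
local-data: "master01.cicd.seungkyua. IN A 192.168.30.13"
local-data: "node01.cicd.seungkyua. IN A 192.168.30.12"
local-data: "minio.seungkyua. IN A 192.168.30.12"
"""

def canon(name):
    """Lower-case a DNS name and make sure it is fully qualified (ends in '.')."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."

def parse_local(conf):
    """Return ({zone: type}, [(owner, rdata)]) from local-zone/local-data lines."""
    zones, records = {}, []
    for line in conf.splitlines():
        m = re.match(r'\s*local-zone:\s*"([^"]+)"\s+(\S+)', line)
        if m:
            zones[canon(m.group(1))] = m.group(2)
            continue
        m = re.match(r'\s*local-data:\s*"([^\s"]+)\s+([^"]+)"', line)
        if m:
            records.append((canon(m.group(1)), m.group(2).strip()))
    return zones, records

def enclosing_zone(owner, zones):
    """Longest declared zone that owner lies in (or equals), or None."""
    best = None
    for zone in zones:
        if zone == "." or owner == zone or owner.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best

def orphan_records(conf):
    """Owners of local-data records outside every declared local-zone."""
    zones, records = parse_local(conf)
    return [owner for owner, _ in records if enclosing_zone(owner, zones) is None]
```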



## Start unbound
# systemctl restart unbound.service

# systemctl enable unbound.service 



Source: https://calomel.org/unbound_dns.html



## reload unbound server with new configuration

# unbound-control reload

Installing haproxy

Linux/Ubuntu 2016. 1. 9. 15:15

1. haproxy install

$ sudo apt-get install haproxy


$ sudo vi /etc/haproxy/haproxy.cfg

...
defaults
    log        global
    mode    http
    retries   3                  # added
    option   httplog
    option   dontlognull
    option   redispatch      # added: if one server goes down, send the request to another server
...

...
listen serv 0.0.0.0:80        # added: serv can be any name
    mode http
    option http-server-close
    timeout http-keep-alive 3000             # added: so that things like images are fetched over a single connection
    server serv 127.0.0.1:9000 check       # give the servers names such as server1, server2

$ sudo service haproxy reload

$ cd /opt

$ sudo wget --no-cookies --no-check-certificate --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/8u20-b26/jdk-8u20-linux-x64.tar.gz"

$ sudo tar -zxvf jdk-8u20-linux-x64.tar.gz

$ sudo update-alternatives --install /usr/bin/java java /opt/jdk1.8.0_20/bin/java 2

$ sudo update-alternatives --config java

There are 2 choices for the alternative java (providing /usr/bin/java).

  Selection    Path                                            Priority   Status
------------------------------------------------------------
* 0            /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java   1071      auto mode
  1            /opt/jdk1.8.0_20/bin/java                         2         manual mode
  2            /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java   1071      manual mode

Press enter to keep the current choice[*], or type selection number: 1

$ sudo update-alternatives --install /usr/bin/javac javac /opt/jdk1.8.0_20/bin/javac 2
$ sudo update-alternatives --config javac

$ sudo update-alternatives --install /usr/bin/jar jar /opt/jdk1.8.0_20/bin/jar 2
$ sudo update-alternatives --config jar

$ sudo vi .bashrc

export JAVA_HOME=/opt/jdk1.8.0_20
export JRE_HOME=/opt/jdk1.8.0_20/jre
export PATH=$PATH:/opt/jdk1.8.0_20/bin:/opt/jdk1.8.0_20/jre/bin

$ echo $JAVA_HOME
$ echo $JRE_HOME

DNS Server setting

Linux/Ubuntu 2014. 7. 18. 16:34

1. Install dnsmasq

# apt-get install dnsmasq


2. Configure the conf file

# vi /etc/dnsmasq.conf

resolv-file=/etc/resolv.conf
interface=eth0
interface=eth1
listen-address=127.0.0.1


3. On the other hosts, point the nameserver at the server where dnsmasq is installed

# vi /etc/resolv.conf

nameserver <IP of the dnsmasq server>



Commands for creating and deleting a VLAN on Linux


1. Create VLAN 101 on eth0 with the name vlan101.

# ip link add link eth0 name vlan101 type vlan id 101
# ip -d link show vlan101
# ip link set vlan101 up


2. Delete vlan101.

# ip link set vlan101 down
# ip link delete vlan101


※ The link between a bridge and a device interface can be seen with brctl show, but
for a VLAN the parent device is the interface after the @ in the name that ip addr show prints, e.g. vlan101@eth0.


When the VLAN manager is used in OpenStack, the chain of links is as follows.

bridge -> vlan -> eth0

e.g.) br101 -> vlan101 (vlan101@eth0) -> eth0


$ sudo vi /etc/udev/rules.d/70-persistent-net.rules

SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:e3:d9:dd", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eno*", NAME="eth0"
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:e3:d9:e7", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eno*", NAME="eth1"


$ sudo vi /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 192.168.75.129
        netmask 255.255.255.0
        gateway 192.168.75.2
        dns-nameservers 8.8.8.8 8.8.4.4

auto eth1
iface eth1 inet static
        address 192.168.230.129
        netmask 255.255.255.0


$ sudo reboot




=========== Earlier material =======================


1) Edit /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="biosdevname=0 quiet splash"
GRUB_CMDLINE_LINUX="biosdevname=0"
Please add biosdevname=0 to the values of the two parameters above.
2) sudo update-grub
3) Change the NIC settings in /etc/network/interface
4) reboot

If this method does not work for you, or you do not want to change the kernel options, you can make the change with the method below.

1) Remove the biosdevname package
sudo apt-get purge biosdevname
2) Check the MAC of the NIC
ifconfig | grep HWaddr
xx:xx:xx:yy:yy:yy

3) Change the settings in /etc/udev/rules.d/70-persistent-net.rules
Add the line below, or edit it if such a line already exists.
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="xx:xx:xx:yy:yy:yy", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

The setting above is an example that names the NIC with MAC xx:xx:xx:yy:yy:yy as eth0.

4) Change the NIC settings in /etc/network/interface
5) reboot

- If there is a biosdevname-related file in /etc/udev/rules.d/, please delete it.


- From 심장훈 at Canonical -


1. Download the latest JDK: jdk-7u51-linux-x64.tar.gz

http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html


2. Extract it and copy it to /usr/local/jdk1.7.0_51/ (change the ownership to root.root)


3. Add the path in /etc/profile (vi /etc/profile)

export JAVA_HOME=/usr/local/jdk1.7.0_51
PATH="$JAVA_HOME/bin:$PATH"


Installing Telnet and Proftp

Linux/Ubuntu 2010. 8. 14. 23:57
Telnet was easy to install, but Proftp took a lot of trial and error..^^

//----------------------------------------
//--  Install Telnet
//----------------------------------------
# sudo apt-get install xinetd
# sudo apt-get install telnetd

//------- add telnet to xinetd
# vi /etc/xinetd.conf
defaults
{
}

service telnet
{
   disable = no
   flags = REUSE
   socket_type = stream
   wait = no
   user = root
   server = /usr/sbin/in.telnetd
   log_on_failure += USERID
}

//------- restart xinetd
# service xinetd restart

If a problem occurs, check the following log.
# tail -f /var/log/syslog

//----------------------------------------
//--  Install Proftpd
//----------------------------------------
# sudo apt-get install proftpd

When the screen asks you to choose between standalone and xinetd, choose xinetd.

//------- add proftpd to xinetd
# vi /etc/xinetd.conf

service ftp
{
   disable = no
   flags = REUSE
   socket_type = stream
   wait = no
   user = root
   server = /usr/sbin/proftpd
   log_on_success += DURATION USERID
   log_on_failure += USERID
   nice = 10
}

//------- restart xinetd
# service xinetd restart

//------- open the firewall
# sudo ufw allow 21/tcp

