open vpen 構築メモ - arupaka-

基本は、
https://qiita.com/noraworld/items/2fe6be489e1d93c748b8

VPNは、10.0.1.0 10.0.1.1 ~ 10.0.1.2
仮想のLAN(一つのルーターのネットワークをつくる技術)

の24はサブネットマスク（ネットワークアドレスがはじめの２４桁つかう。２４桁が１）

基本的なやりかた
（１）鍵をたくさんつくる。
　　認証鍵の生成（CA証明書の生成 ca.crt, サーバー証明書 server.crt, server.key, DH鍵 dh.pem, クライアント証明書 crl.pem）
（２）鍵をひたすら /etc/openvpn にコピー
（３）linuxのIPマスカレードやルーティングやファイアーウォールなおす（この辺りはufwが起動してないとダメ。sudo ufw status; sudo ufw enable
。これが起動してないと外にでれない）。
→IPをあわせるのがポイント。本当は違うけど、ufw ubunt fire wall
ファイアーウォール

sudo ufw default deny
#すべて閉じる(sshも閉じちゃうのできをつける)
#vpn
sudo ufw allow 1194/udp　
#ssh
sudo ufw allow 22/tcp
sudo ufw enable
#Check
sudo ufw status　

IPフォーワーディング
パケット転送を有効にする。/etc/default/ufw に。

DEFAULT_FORWARD_POLICY="DROP"

DEFAULT_FORWARD_POLICY="ACCEPT"

に変更。

IPフォワーディングを有効。これちょっとubuntuだと違った。
/etc/ufw/sysctl.confを開き、net.ipv4.ip_forward=1の一行コメントをはずす。

# net.ipv4.ip_forward=1

net.ipv4.ip_forward=1

IPマスカレード
ifconfigで適切なメインのネットワークインターフェース探して

COMMIT
+

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT

ファイアーウォール再起動

sudo ufw reload

（４）server.conf の設定。適当にお手本があるのでコピー
以下で起動。デバックは下のほうの「デバック参照」
複数の server.conf とserver_tcp.conf があれば、自動的に両方ともインスタンスをたててくれる。
rubbery py no root を指定してroot権限でうごかさないと必要なファイルがかかれず詰む。

（５）クライアント側で、VVV.opvnをつくる。色々サーバー側とあわせる必要あり。

VPN経由通信。同じサブドメイン名例：192.168.0.xxx とかだとテスト失敗可能性あるので注意。
また、tslエラーが出る場合は、ta.key をローカルに入れる必要あり。
また、以下のもクライアント側設定ファイルに加える。

tls-auth ta_h.key 1

うまくいかない場合は、

/var/log/syslog　を除く

tcpdump | grep IPxxx でパケットを監視してサーバーまで来ているか、ルーターですててるかを確認．

下記参照の手動起動でデバック

log ファイル serever.conf のLog　関係のところをアンコメントしない限り作成されたない。

（６）クライアントのすべてのトラフィック（Webトラフィックを含む）をVPN経由にルーティングする

https://www.openvpn.jp/document/how-to/
push "redirect-gateway def1"

1 ls
2 git clone https://github.com/OpenVPN/easy-rsa.git
3 cd easy-rsa
4 ls
5 cd easyrsa3
6 ./easyrsa init-pki
7 ./easyrsa build-ca
8 sudo cp pki/ca.crt /etc/openvpn
9 sudo gpasswd -a user1 sudo
10 sudo cp pki/ca.crt /etc/openvpn
11 gpasswd -a user1 sudo
12 exit
13 sudo cp pki/ca.crt /etc/openvpn
14 ls
15 cd eary-rsa
16 cd easy-rsa
17 ls
18 cd easyrsa3
19 sudo cp pki/ca.crt /etc/openvpn
20 sudo cp pki/issued/server.crt /etc/openvpn
21 sudo cp pki/private/server.key /etc/openvpn
22 ./easyrsa gen-dh
23 ./easyrsa gen-crl
24 sudo cp pki/dh.pem /etc/openvpn
25 sudo chmod o+r /etc/openvpn/crl.pem
26 ls /
27 ls /usr
28 ls /usr/share
29 ls /usr/share/openvpn
30 ls /usr/share/openvpn/verify-cn
31 cd /etc/openvpn
32 vim
33 vim server.conf
34 sudo vim server.conf
35 vim server.conf
36 sudo ufw status
37 sudo ufw default DENY
38 $ sudo ufw allow proto tcp from 192.168.1.0/24 to any port 22
39 sudo ufw allow proto tcp from 192.168.1.0/24 to any port 22
40 sudo ufw status
41 sudo ufw enable
42 sudo ufw status
43 sudo vim /etc/default/ufw
44 sudo vim /etc/ufw/sysctl.conf
45 ifconfig
46 sudo vim /etc/ufw/before.rules
47 sudo ufw reload
48 sudo systemctl start openvpn
49 ps -ef | grep openvpn | grep -v grep
50 ps -ef
51 ps -ef | grep openvpn
52 systemctl status openvpn
53 cd easy-rsa/easyrsa3
54 cd /easy-rsa/easyrsa3
55 cd
56 cd /easy-rsa/easyrsa3
57 cd easy-rsa/easyrsa3
58 ./easyrsa build-client-full user1
59 mkdir ~/vpn_test
60 sudo cp /etc/openvpn/ca.crt ~/vpn_test
61 sudo cp /etc/openvpn/user1.crt ~/vpn_test
62 ls
63 sudo cp pki/issued/user1.crt ~/vpn_test
64 sudo cp pki/private/user1.key ~/vpn_test
65 ls
66 cd
67 ls
68 cd vpn_test
69 ls
70 vim VPN.ovpn
71 ifconfig
72 vim VPN.ovpn
73 ls
74 cd ..
75 ls
76 tar -cvf vpn_test.tar vpn_test
77 sudo tar -cvf vpn_test.tar vpn_test
78 ls
79 exit
80 ls
81 cd vpn_test
82 ls
83 vim VPN.ovpn
84 cd ..
85 sudo tar -cvf vpn_test.tar vpn_test
86 exit
87 sudo tar -cvf vpn_test.tar vpn_test
88 sudo systemctl start openvpn
89 ps
90 ps -ef
91 ps -ef | grep openvpn
92 vim /var/log/openvpn.log
93 ls
94 sudo cp /etc/openvpn/ta.key ~/vpn_test
95 ls /etc/openvpn
96 ls
97 ls /easy-rsa
98 ls
99 ls easy-rsa
100 ls easy-rsa/easyrsa3
101 ls easy-rsa/easyrsa3/pki
102 ls easy-rsa/easyrsa3/private
103 ls easy-rsa/easyrsa3
104 ls easy-rsa/easyrsa3/pki
105 ls easy-rsa/easyrsa3/pki/private
106 ./easyrsa build-client-full client
107 cd eary-rsa
108 cd easy-rsa
109 cd easy-rsa3
110 cd easyrsa3
111 ls
112 ./easyrsa build-client-full client
113 ls
114 cd pki
115 ls
116 cd private
117 ls
118 cd ..
119 cd issued
120 ls
121 cd ..
122 ls
123 cd reqs
124 ls
125 cd ..
126 ls
127 cd renewd
128 ls
129 cd renewd
130 ls
131 openvpn --genkey --secret ./pki/ta.key
132 sudo openvpn --genkey --secret ./pki/ta.key
133 ls
134 cd ..
135 cd /etc
136 ls
137 cd openvpn
138 ls
139 vim server.conf
140 openvpn --genkey --secret /etc/openvpn/easy-rsa/2.0/keys/ta.key
141 openvpn --genkey --secret
142 openvpn --genkey --secret ta.key
143 ls
144 cd ..
145 cd
146 ls
147 cd vpn_test
148 sudo cp /etc/openvpn/ta.key ~/vpn_test
149 ls
150 cd ..
151 ls
152 sudo tar -cvf vpn_test.tar vpn_test
153 exit
154 ps -AF | grep openvpn
155 systemctl status openvpn
156 sudo systemctl start openvpn
157 ifconfig
158 vim /var/log/openvpn.log
159 vim /var/log/openvpn-status.log
160 ls /usr/share/doc/packages/openvpn/
161 ls /usr/share/doc/openvpn/
162 ls /usr/share/doc/openvpn/examples
163 ls /usr/share/doc/openvpn/examples/sample-config-files
164 cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
165 sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
166 ls
167 cd /etc/openvpn
168 ls
169 gzip -d server.conf.gz
170 vim server.conf.gz
171 sudo server.conf.gz
172 sudo vim server.conf.gz
173 ls
174 sudo vim server.conf
175 gzip -d server.conf.gz
176 sudo gzip -d server.conf.gz
177 sudo vim server.conf
178 cd ..
179 ls
180 cd
181 ls
182 jobs
183 sudo systemctl start openvpn
184 exit
185 sudo systemctl start openvpn
186 sudo vim server.conf
187 /etc/openvpn
188 cd /etc/openvpn
189 sudo vim server.conf
190 ls
191 ls | grep log
192 ls /var/log/openvpn-status.log
193 ls /var/log
194 ls /var/log/openvpn
195 ls
196 ls /
197 ls /usr
198 ls /var
199 ls /var/log
200 ls /var/log/openvpn
201 ls
202 openvpn --genkey --secret key.txt
203 ls
204 cd ..
205 ls
206 cd
207 sudo cp /etc/openvpn/key.txt ~/vpn_test
208 tar -cvf vpn_test.tar vpn_test
209 sudo tar -cvf vpn_test.tar vpn_test
210 exit
211 ls
212 cd /etc
213 ls
214 cd log
215 ls
216 cd ..
217 ls
218 cd var
219 ls
220 cd log
221 ls
222 cd openvn
223 cd openvpn
224 ls
225 cd ..
226 ps -AF | gre
227 sudo systemctl start openvpn
228 ps -AF | grep open
229 ps -AF | grep vpn
230 ps -cf | grep vpn
231 ps -ef | grep vpn
232 openvpn start
233 /etc/init.d/openvpn start
234 ps -ef | grep vpn
235 ps -ef | grep open
236 ps -Af | grep open
237 ps -af | grep open
238 sysctl --system
239 sudo sysctl --system
240 systemctl start openvpn@server
241 ps -af | grep open
242 ps -Af | grep open
243 ls /var/log
244 ls /var/log/openvpn
245 exit
246 systemctl start openvpn@server
247 sudo systemctl start openvpn@server
248 ps
249 ps -AF | grep open
250 ls /var/log/openvpn
251 ls /var/log/openvpn/openvpn-status.log
252 cat /var/log/openvpn/openvpn-status.log
253 sudo cat /var/log/openvpn/openvpn-status.log
254 ls /var/log/openvpn/openvpn-status.log
255 ls /var/log/openvpn
256 ls /var/log/openvpn/ipp.txt
257 cat /var/log/openvpn/ipp.txt
258 sudo cat /var/log/openvpn/ipp.txt
259 ls /var/log/openvpn/openvpn-status.log
260 cat /var/log/openvpn/openvpn-status.log
261 sudo cat /var/log/openvpn/openvpn-status.log
262 ps -ef | grep openvpn | grep -v grep
263 ls /var/log/openvpn
264 sudo ufw reload
265 sudo cat /var/log/openvpn/openvpn-status.log
266 ls /var/log/openvpn
267 ls /var/log/openvpn/ipp.txt
268 sudo cat /var/log/openvpn/ipp.txt
269 cd /etc
270 ls
271 cd openvpn
272 ls
273 cd vim server.conf
274 sudo vim server.conf
275 openvpn --show-valid-subnet
276 openvpn --show-valid-subnets
277 sudo cat /var/log/openvpn/ipp.txt
278 ls cat /var/log/openvpn
279 sudo cat /var/log/openvpn/ipp.txt/openvpn-status.log
280 sudo cat /var/log/openvpn/openvpn-status.log
281 vim server.conf
282 ip a
283 vim server.conf
284 exit
285 ls
286 cd /etc/openvpn
287 ls
288 sudo vim server.conf
289 openvpn --show-valid-subnet
290 sudo systemctl start openvpn@server
291 jobs
292 ls
293 ps
294 ps -AF | grep openvpn
295 vi /etc/openvpn/server.conf
296 sudo vi /etc/openvpn/server.conf
297 systemctl start openvpn@server
298 systemctl restart openvpn@server
299 vi /etc/openvpn/server.conf
300 sudo vi /etc/openvpn/server.conf
301 systemctl restart openvpn@server
302 vi /etc/openvpn/server.conf
303 sudo vi /etc/openvpn/server.conf
304 systemctl restart openvpn@server
305 journalctl -xe
306 systemctl restart openvpn@server
307 sudo vi /etc/openvpn/server.conf
308 systemctl restart openvpn@server
309 sudo vi /etc/openvpn/server.conf
310 systemctl restart openvpn@server
311 sudo vi /etc/openvpn/server.conf
312 systemctl restart openvpn@server
313 journalctl -xe
314 systemctl restart openvpn@server
315 journalctl -xe
316 sudo vi /etc/openvpn/server.conf
317 systemctl restart openvpn@server
318 sudo vi /etc/openvpn/server.conf
319 systemctl restart openvpn@server
320 journalctl -xe
321 ls /etc
322 ls /etc/openvpn
323 ls /local
324 ls
325 ls /etc
326 ls /etc/openvpn
327 ls /usr
328 sudo vi /etc/openvpn/server.conf
329 ls /var/log/openvpn/ipp.txt
330 cat /var/log/openvpn/ipp.txt
331 sudo cat /var/log/openvpn/ipp.txt
332 sudo ls /var/log/openvpn
333 sudo ls /var/log/openvpn/openvpn-status.log
334 sudo cat /var/log/openvpn/openvpn-status.log
335 sudo vi /etc/openvpn/server.conf
336 systemctl restart openvpn@server
337 sudo ls /etc/openvpn/server.conf
338 sudo ls /etc/openvpn
339 sudo ls /var
340 sudo ls /var/log
341 sudo ls /var/log/openvpn
342 sudo ls /var/log/openvpn/openvpn.log
343 sudo cat /var/log/openvpn/openvpn.log
344 sudo ls /etc/openvpn/server.conf
345 sudo vim /etc/openvpn/server.conf
346 systemctl restart openvpn@server
347 sudo cat /var/log/openvpn/openvpn.log
348 sudo vi /etc/openvpn/server.conf
349 systemctl restart openvpn@server
350 sudo cat /var/log/openvpn/openvpn.log
351 sudo vi /etc/openvpn/server.conf
352 systemctl restart openvpn@server
353 sudo vi /etc/openvpn/server.conf
354 systemctl restart openvpn@server
355 sudo vi /etc/openvpn/server.conf
356 systemctl restart openvpn@server
357 sudo vi /etc/openvpn/server.conf
358 systemctl restart openvpn@server
359 sudo vi /etc/openvpn/server.conf
360 systemctl restart openvpn@server
361 sudo vi /etc/openvpn/server.conf
362 systemctl restart openvpn@server
363 sudo vi /etc/openvpn/server.conf
364 sudo cat /var/log/openvpn/openvpn.log
365 ls cat /var/log/openvpn
366 ls cat /var/log/openvpn/ipp.txt
367 sudo cat cat /var/log/openvpn/ipp.txt
368 sudo cat /var/log/openvpn/ipp.txt
369 sudo cat /var/log/openvpn/openvpn-status.log
370 sudo vi /etc/openvpn/server.conf
371 sudo cat /var/log/openvpn/ipp.txt
372 sudo cat /var/log/openvpn/openvpn.log
373 sudo vi /etc/openvpn/server.conf
374 systemctl restart openvpn@server

376 sudo cat /var/log/openvpn/openvpn-status.log
378 naw
379 l
380 exot
381 exit
382 systemctl restart openvpn@server
383 sudo cat /var/log/openvpn/openvpn-status.log
384 sudo cat /var/log/openvpn/openvpn.txt
385 sudo cat /var/log/openvpn/openvpn.log
386 jobs
387 firewall-cmd --permanent --add-masquerade
388 vim /etc/default/ufw
389 vim /etc/ufw/sysctl.conf
390 vim /etc/ufw/before.rules
391 sudo vim /etc/ufw/before.rules
392 ifconfig
393 sudo vim /etc/ufw/before.rules
394 sudo vi /etc/openvpn/server.conf
395 systemctl restart openvpn@server
396 sudo cat /var/log/openvpn/openvpn-status.log
397 sudo cat /var/log/openvpn/openvpn.log
398 sudo vi /etc/openvpn/server.conf
399 systemctl restart openvpn@server
400 history

######

user1@ssss:~$ sudo cat /etc/openvpn/server.conf
#################################################
# Sample OpenVPN 2.0 config file for #
# multi-client server. #
# #
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration. #
# #
# OpenVPN also supports #
# single-machine <-> single-machine #
# configurations (See the Examples page #
# on the web site for more info). #
# #
# This config should work on Windows #
# or Linux/BSD systems. Remember on #
# Windows to quote pathnames and use #
# double backslashes, e.g.: #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
# #
# Comments are preceded with '#' or ';' #
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
;proto tcp
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert server.crt
key server.key # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh2048.pem 2048
#dh dh2048.pem
dh dh.pem

# Network topology
# Should be subnet (addressing via IP)
# unless Windows clients v2.0.9 and lower have to
# be supported (then net30, i.e. a /30 per client)
# Defaults to net30 (not recommended)
#;topology subnet
#topology net30
#ifconfig 192.168.33.6 255.255.255.0

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0
#server 10.8.0.0 255.255.255.252
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist /var/log/openvpn/ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
####;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
####;server-bridge 10.8.0.4 255.255.255.0 10.8.0.6 10.8.0.8
# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses. You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
########;server-bridge

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.

push "route 10.8.0.0 255.255.255.0"
#;push "route 192.168.10.0 255.255.255.0"
#;push "route 192.168.20.0 255.255.255.0"
#;push "route 192.168.0.0 255.255.255.252"
# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
############;client-config-dir ccd
###############;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
########;client-config-dir ccd
#########;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

###########
#########
#######

push "redirect-gateway def1"
#####
#####
####

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC

# Enable compression on the VPN link and push the
# option to the client (v2.4+ only, for earlier
# versions see below)
#compress lz4-v2
push "compress lz4-v2"

# For compression compatible with older clients use comp-lzo
# If you enable it here, you must also
# enable it in the client config file.
#comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/log/openvpn/openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
log /var/log/openvpn/openvpn.log
;log-append /var/log/openvpn/openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 6

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

# Notify the client that when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1

#####
クライント側
client

dev tun
proto udp

remote xx.xx.xx.xx.xx port

resolv-retry infinite
nobind

persist-key
persist-tun

ca ca.crt
cert user1.crt
key user1.key
tls-auth ta.key 1

comp-lzo
verb 3

- - - -

tcp とudp 両方
（１）tcpポートをあける。ファイヤーウォール
（２）tcp の場合は、explicit-exit-notify 1をコメントアウト; #
（３）sudo ufw allow 443/tcp
（４）sudo ufw allow 22
（４） systemctl end openvpn@server.service では止まらないので注意
（５）ps -AF と grep openvpn | kill で消してから再起動
（６）マスカレードとポートフォーワードの設定を変える必要ある。
→ひとつのグローバルIPと複数ローカルをむすびつけ
（７）エンドポイントがネットワークIPをかえておく
　TCP:　10.0.8.1 UDP 10.0.9.1
（８）マスカレードの設定
sudo vim /etc/ufw/before.rules　に加える。

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE
COMMIT

（１０）確認
user1@xxxx:~/vpn_test$ sudo netstat -plunt | grep openvpn
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 29123/openvpn
udp 0 0 0.0.0.0:1194 0.0.0.0:* 29201/openvpn
（１１）tcp-server.confを作る
udp-server.confを作る
server.confをもとに
/etc/default/openvpnに
AUTOSTART="tcp-server udp-server"
読み込み　systemctl daemon-reload
再起動
sudo systemctl daemon-reload

チェック
user1@xxxxx:~/vpn_test$ sudo netstat -plunt | grep openvpn
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 19104/openvpn
udp 0 0 0.0.0.0:1194 0.0.0.0:* 19045/openvpn

https://www.michelebologna.net/2016/openvpn-with-multiple-configurations-on-the-same-host-with-systemd/
https://www.michelebologna.net/2016/openvpn-with-multiple-configurations-on-the-same-host-with-systemd/

デバック　エラーチェック
sudo openvpn /etc/openvpn/server.conf
https://riocampos-tech.hatenablog.com/entry/20080116/p8

##TCP example
user1@xxxx:~/vpn_test$ sudo cat /etc/openvpn/server2.conf
#################################################
# Sample OpenVPN 2.0 config file for #
# multi-client server. #
# #
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration. #
# #
# OpenVPN also supports #
# single-machine <-> single-machine #
# configurations (See the Examples page #
# on the web site for more info). #
# #
# This config should work on Windows #
# or Linux/BSD systems. Remember on #
# Windows to quote pathnames and use #
# double backslashes, e.g.: #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
# #
# Comments are preceded with '#' or ';' #
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# TCP or UDP server?
proto tcp
#proto udp

# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh2048.pem 2048
#dh dh2048.pem
dh dh.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.9.0.0 255.255.255.0
#server 10.8.0.0 255.255.255.252
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist /var/log/openvpn/ipp.txt

push "route 10.9.0.0 255.255.255.0"
#;push "route 192.168.10.0 255.255.255.0"
#;push "route 192.168.20.0 255.255.255.0"
#;push "route 192.168.0.0 255.255.255.252"
# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

###########
#########
#######

push "redirect-gateway def1"
#####
#####
####

# Enable compression on the VPN link and push the
# option to the client (v2.4+ only, for earlier
# versions see below)
;compress lz4-v2
;push "compress lz4-v2"

# For compression compatible with older clients use comp-lzo
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/log/openvpn/openvpn-status.log

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

# Notify the client that when the server restarts so it
# can automatically reconnect.
#explicit-exit-notify 1

##TCP client vpn
client
client

dev tun
proto tcp

remote xx.xx.xx.xx port

resolv-retry infinite
nobind

persist-key
persist-tun

ca ca.crt
cert user1.crt
key user1.key
tls-auth ta.key 1

comp-lzo
verb 3

####

595 systemctl restart openvpn@server
596 ls /etc/openvpn
597 ls
598 cd -
599 ls
600 cd -
601 ls ../../home/pi/easy-rsa/easyrsa3/pki/issued/server.crt
602 ls ../../home/pi/easy-rsa/easyrsa3/pki
603 ls ../../home/pi/easy-rsa/easyrsa3/easyrsa gen-crl
604 cd ../../home/pi/easy-rsa/easyrsa3
605 ./easyrsa gen-crl
606 ./easyrsa init-pki
607 sudo cp pki/ca.crt /etc/openvpn
608 sudo cp pki/issued/server.crt /etc/openvpn
609 ./easyrsa gen-dh
610 ./easyrsa gen-crl
611 sudo chmod o+r /etc/openvpn/crl.pem
612 history > ~/rireki_openvpn_key.txt
/etc/ufw/sysctl.conf