VyOS 1.5 OpenVPN configuration
Official documentation on OpenVPN and on certificates (PKI):
https://docs.vyos.io/en/latest/configuration/interfaces/openvpn.html
https://docs.vyos.io/en/latest/configuration/pki/index.html
Basic commands
Show the configuration
  $ show configuration
  $ show configuration commands
Enter configuration mode
  $ configure
Add or delete a setting
  # set ***
  # delete ***
Apply the changes
  # commit
Save the configuration to disk
  # save
Note: commit activates the change on the running system; without save it is lost at the next reboot.
Basic configuration
# set service ssh port '22'
# set system time-zone Asia/Tokyo
# set interfaces ethernet eth0 address '192.168.0.102/24'
# set protocols static route 0.0.0.0/0 next-hop 192.168.0.1
Note: with no listen-address set, SSH listens on every address of the router, including the OpenVPN tunnel interface once it is up. Restrict it (service ssh listen-address, or a firewall rule) if VPN clients should not be able to reach the management plane.
Creating certificates
# run generate pki dh install dh-1
# run generate pki openvpn shared-secret install shared-1
# run generate pki ca install ca-1
# run generate pki certificate sign ca-1 install srv-1
# run generate pki certificate sign ca-1 install client-1
Notes:
- Create one client certificate per client, as many as you need. OpenVPN refuses a second concurrent session that presents the same certificate CN unless --duplicate-cn is set, and a certificate per device is what lets you revoke a single lost device later.
- With install the generated material is added to the configuration session (the commands above are run from configure mode via run); commit and save afterwards.
- show configuration commands prints the certificate and key material as set pki ... lines. That output includes the CA private key and every private key, so treat it as secret; a client only needs the CA certificate and its own certificate and key.
OpenVPN configuration
# set interfaces openvpn vtun0 encryption cipher 'aes256'
# set interfaces openvpn vtun0 hash 'sha512'
# set interfaces openvpn vtun0 mode 'server'
# set interfaces openvpn vtun0 local-port '1195'
# set interfaces openvpn vtun0 protocol 'tcp-passive'
# set interfaces openvpn vtun0 server subnet '192.168.100.0/24'
# set interfaces openvpn vtun0 openvpn-option '--client-to-client'
# set interfaces openvpn vtun0 openvpn-option '--mssfix 1280'
# set interfaces openvpn vtun0 use-lzo-compression
# set interfaces openvpn vtun0 tls ca-cert ca-1
# set interfaces openvpn vtun0 tls certificate srv-1
# set interfaces openvpn vtun0 tls dh-params dh-1
Notes on the options above:
- 'aes256' is AES-256-CBC in OpenVPN terms, and 'hash sha512' is the HMAC that authenticates each CBC packet. VyOS also accepts the AEAD cipher 'aes256gcm', for which the data channel ignores the hash setting. Clients must be configured with the same cipher and auth pair.
- 'tcp-passive' on port 1195 runs OpenVPN over TCP. TCP inside TCP retransmits twice under packet loss; prefer UDP unless the network between client and server blocks it.
- use-lzo-compression turns on comp-lzo. Compressing traffic that mixes attacker-chosen and secret data leaks the secret (the VORACLE attack against OpenVPN, 2018), and OpenVPN 2.5 and later deprecate compression. Leave it off unless a client requires it.
- '--client-to-client' lets connected clients reach each other. That traffic is forwarded inside the OpenVPN process and never passes the VyOS firewall, so omit the option unless clients really must talk to each other.
- '--mssfix 1280' clamps the TCP MSS so tunnelled packets are not fragmented.
- The shared secret shared-1 generated earlier is not referenced anywhere in this configuration. Attaching it with tls auth-key (tls-auth) or tls crypt-key (tls-crypt) makes the server discard packets from anyone who does not hold the key before any TLS handshake takes place; the key then also has to be installed on every client.
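The page only shows the server side. The script below, an added example that is not code from the page or from VyOS, builds the matching inline client profile (.ovpn) from the text that show configuration commands prints on the router: it turns the set pki ... lines for the CA and for one client back into PEM blocks and pairs them with the client-side counterparts of the server options above (tcp-client, AES-256-CBC, SHA512, comp-lzo, port 1195). Assumed, not stated on the page: VyOS stores each PEM body as one line of base64 without BEGIN/END lines under set pki ca <name> certificate, set pki certificate <name> certificate and set pki certificate <name> private key, and an unencrypted private key is PKCS#8 (a PRIVATE KEY block). The host name vpn.example.com and the base64 bodies in SAMPLE_CONFIG are constructed placeholders.

```python
"""Build an inline OpenVPN client profile (.ovpn) for the server configured above
from the output of 'show configuration commands' on the VyOS box.

Added example; not code from the page or from VyOS. Assumed (not stated on the
page): VyOS stores each PEM body as one line of base64 without BEGIN/END lines
under
    set pki ca <name> certificate '<b64>'
    set pki certificate <name> certificate '<b64>'
    set pki certificate <name> private key '<b64>'
and an unencrypted private key is PKCS#8, i.e. a 'PRIVATE KEY' PEM block.
"""
import base64
import shlex
import textwrap


def parse_set_commands(text):
    """'set a b c' lines -> list of token tuples; shlex strips the quotes."""
    return [tuple(shlex.split(line.strip())[1:])
            for line in text.splitlines() if line.strip().startswith("set ")]


def config_value(cmds, *path):
    """Value of the 'set <path> <value>' node; KeyError if it is absent."""
    for cmd in cmds:
        if len(cmd) == len(path) + 1 and cmd[:-1] == path:
            return cmd[-1]
    raise KeyError(" ".join(path))


def pem(kind, b64_body):
    """Re-wrap VyOS's one-line base64 into a 64-column PEM block."""
    base64.b64decode(b64_body, validate=True)  # catch a mangled copy/paste early
    return "\n".join([f"-----BEGIN {kind}-----",
                      *textwrap.wrap(b64_body, 64),
                      f"-----END {kind}-----"])


def build_client_profile(config_text, ca_name, client_name, remote, port=1195):
    """Inline profile carrying the client-side counterparts of the server options."""
    cmds = parse_set_commands(config_text)
    ca = config_value(cmds, "pki", "ca", ca_name, "certificate")
    cert = config_value(cmds, "pki", "certificate", client_name, "certificate")
    key = config_value(cmds, "pki", "certificate", client_name, "private", "key")
    directives = [
        "client",
        "dev tun",
        f"remote {remote} {port}",
        "proto tcp-client",        # server side is 'protocol tcp-passive'
        "cipher AES-256-CBC",      # server side is 'encryption cipher aes256'
        "auth SHA512",             # server side is 'hash sha512'
        "comp-lzo",                # server side is 'use-lzo-compression'
        "remote-cert-tls server",  # needs the serverAuth EKU in srv-1; drop if absent
        "nobind",
        "persist-key",
        "persist-tun",
        "verb 3",
    ]
    blocks = ["<ca>", pem("CERTIFICATE", ca), "</ca>",
              "<cert>", pem("CERTIFICATE", cert), "</cert>",
              "<key>", pem("PRIVATE KEY", key), "</key>"]
    return "\n".join(directives + blocks) + "\n"


def _dummy_b64(label):
    return base64.b64encode(label.encode() * 4).decode()


# Constructed sample in the shape of 'show configuration commands' output. The
# base64 bodies are placeholders, not real certificates or keys.
DUMMY_CA = _dummy_b64("constructed dummy CA certificate body ")
DUMMY_CERT = _dummy_b64("constructed dummy client certificate ")
DUMMY_KEY = _dummy_b64("constructed dummy client private key ")
SAMPLE_CONFIG = "\n".join([
    "set interfaces openvpn vtun0 use-lzo-compression",
    f"set pki ca ca-1 certificate '{DUMMY_CA}'",
    f"set pki certificate client-1 certificate '{DUMMY_CERT}'",
    f"set pki certificate client-1 private key '{DUMMY_KEY}'",
    "set pki certificate srv-1 certificate 'QUJD'",
])

if __name__ == "__main__":
    # Real use: build_client_profile(open("vyos-commands.txt").read(), "ca-1", "client-1", "<server>")
    print(build_client_profile(SAMPLE_CONFIG, "ca-1", "client-1", "vpn.example.com"))
```

Only the CA certificate and the client's own pair are read; the CA private key and the server key that appear in the same output are deliberately never copied into the profile. If the server is later switched to a tls-auth or tls-crypt key, the profile also needs the corresponding key block.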
NAT configuration
# set nat destination rule 100 destination address '192.168.100.100'
# set nat destination rule 100 inbound-interface name vtun0
# set nat destination rule 100 translation address '192.168.0.100'
# set nat destination rule 101 destination address '192.168.100.101'
# set nat destination rule 101 inbound-interface name vtun0
# set nat destination rule 101 translation address '192.168.0.101'
# set nat destination rule 102 destination address '192.168.100.102'
# set nat destination rule 102 inbound-interface name vtun0
# set nat destination rule 102 translation address '192.168.0.102'
# set nat destination rule 103 destination address '192.168.100.103'
# set nat destination rule 103 inbound-interface name vtun0
# set nat destination rule 103 translation address '192.168.0.103'
# set nat destination rule 104 destination address '192.168.100.104'
# set nat destination rule 104 inbound-interface name vtun0
# set nat destination rule 104 translation address '192.168.0.104'
# set nat destination rule 105 destination address '192.168.100.105'
# set nat destination rule 105 inbound-interface name vtun0
# set nat destination rule 105 translation address '192.168.0.105'
# set nat destination rule 106 destination address '192.168.100.106'
# set nat destination rule 106 inbound-interface name vtun0
# set nat destination rule 106 translation address '192.168.0.106'
# set nat destination rule 107 destination address '192.168.100.107'
# set nat destination rule 107 inbound-interface name vtun0
# set nat destination rule 107 translation address '192.168.0.107'
# set nat destination rule 108 destination address '192.168.100.108'
# set nat destination rule 108 inbound-interface name vtun0
# set nat destination rule 108 translation address '192.168.0.108'
# set nat source rule 100 source address '192.168.100.0/24'
# set nat source rule 100 translation address '192.168.0.107'
# set nat source rule 100 outbound-interface name eth0
Notes:
- Destination rules 100 to 108 map the VPN-side addresses 192.168.100.100 to .108 one-to-one (same last octet) onto the LAN hosts 192.168.0.100 to .108, so a VPN client reaches a LAN host through its 192.168.100.x alias. Those aliases lie inside the pool that server subnet 192.168.100.0/24 hands out to clients; the pool is filled from the bottom of the subnet, so this only collides once the client count grows (about 24 clients with net30, OpenVPN's own default topology, or about 98 with topology subnet), but keep it in mind.
- Source rule 100 rewrites the source of all client traffic leaving eth0 to 192.168.0.107. That is not the address configured on eth0 above (192.168.0.102); unless 192.168.0.107 is also assigned to this router, LAN hosts send their replies to whatever host owns 192.168.0.107 and the connections fail. Use the interface's own address, or masquerade, which selects it automatically.
- None of this restricts what clients may reach: the destination rules only add aliases and the source rule lets the whole 192.168.100.0/24 out through eth0. Access control for VPN clients belongs in the firewall, not in NAT.
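The 27 destination rules above follow one pattern, and the source rule's translation address is the kind of detail VyOS will happily commit even when the router does not own it. The following script, an added example that is not code from the page or from VyOS, generates the one-to-one rule set for any host range and lints a set-command listing for exactly the two things a reviewer would check here: a source NAT translation address that is not configured on its outbound interface, and a destination NAT target that is in no directly connected subnet. It assumes the VyOS 1.4+/1.5 syntax used on the page (inbound-interface name, outbound-interface name); page_nat_config rebuilds the page's own eth0 address and NAT rules as its sample input.

```python
"""Generate the one-to-one NAT rules from the page and check that the router can
actually answer for the translation addresses it is told to use.

Added example; not code from the page or from VyOS. Assumes the VyOS 1.4+/1.5
syntax shown on the page ('inbound-interface name', 'outbound-interface name').
"""
import ipaddress
import shlex


def parse_set_commands(text):
    """'set a b c' lines -> list of token tuples; shlex strips the quotes."""
    return [tuple(shlex.split(line.strip())[1:])
            for line in text.splitlines() if line.strip().startswith("set ")]


def dnat_rules(vpn_net, lan_net, host_ids, vpn_if="vtun0", first_rule=100):
    """<vpn_net>.<id> -> <lan_net>.<id> for every id, one DNAT rule each."""
    vpn, lan = ipaddress.ip_network(vpn_net), ipaddress.ip_network(lan_net)
    cmds = []
    for offset, host in enumerate(host_ids):
        rule = first_rule + offset
        cmds += [
            f"set nat destination rule {rule} destination address '{vpn[host]}'",
            f"set nat destination rule {rule} inbound-interface name {vpn_if}",
            f"set nat destination rule {rule} translation address '{lan[host]}'",
        ]
    return cmds


def snat_rule(src_net, out_if="eth0", translation="masquerade", rule=100):
    """Source NAT for VPN clients leaving towards the LAN."""
    return [
        f"set nat source rule {rule} source address '{src_net}'",
        f"set nat source rule {rule} translation address '{translation}'",
        f"set nat source rule {rule} outbound-interface name {out_if}",
    ]


def lint_nat(config_text):
    """Findings for translation addresses the router is not set up to hold."""
    if_addrs, dnat, snat = {}, {}, {}
    for cmd in parse_set_commands(config_text):
        if (cmd[:2] == ("interfaces", "ethernet") and len(cmd) == 5
                and cmd[3] == "address" and "/" in cmd[4]):
            if_addrs.setdefault(cmd[2], []).append(ipaddress.ip_interface(cmd[4]))
        elif cmd[:3] == ("nat", "destination", "rule"):
            dnat.setdefault(cmd[3], {})[" ".join(cmd[4:-1])] = cmd[-1]
        elif cmd[:3] == ("nat", "source", "rule"):
            snat.setdefault(cmd[3], {})[" ".join(cmd[4:-1])] = cmd[-1]
    findings = []
    connected = [a.network for addrs in if_addrs.values() for a in addrs]
    for rule, opts in sorted(dnat.items(), key=lambda kv: int(kv[0])):
        target = opts.get("translation address", "")
        if target and "-" not in target and not any(
                ipaddress.ip_address(target) in net for net in connected):
            findings.append(f"destination rule {rule}: {target} is in no directly "
                            f"connected subnet; check that a route to it exists")
    for rule, opts in sorted(snat.items(), key=lambda kv: int(kv[0])):
        out_if = opts.get("outbound-interface name")
        target = opts.get("translation address", "")
        if not out_if or target in ("", "masquerade") or "-" in target:
            continue  # ranges and masquerade are not checked here
        owned = [str(a.ip) for a in if_addrs.get(out_if, [])]
        if target not in owned:
            findings.append(f"source rule {rule}: translation address {target} is not "
                            f"configured on {out_if} (configured: {', '.join(owned) or 'none'}); "
                            f"replies would go to another host, so add it to {out_if} "
                            f"or use masquerade")
    return findings


def page_nat_config(snat_translation="192.168.0.107"):
    """The page's eth0 address and NAT rules, rebuilt as one command listing."""
    lines = ["set interfaces ethernet eth0 address '192.168.0.102/24'"]
    lines += dnat_rules("192.168.100.0/24", "192.168.0.0/24", range(100, 109))
    lines += snat_rule("192.168.100.0/24", "eth0", snat_translation)
    return "\n".join(lines)


if __name__ == "__main__":
    print(page_nat_config())
    for finding in lint_nat(page_nat_config()):
        print("WARNING:", finding)
```

Run against the page's own rules the linter reports only the source rule: 192.168.0.107 is not an address configured on eth0, while every destination target falls inside 192.168.0.0/24. Pasting the listing that show configuration commands prints into the function gives the same check for a live router.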