{"id":3012,"date":"2016-10-18T10:45:32","date_gmt":"2016-10-18T01:45:32","guid":{"rendered":"http:\/\/www.itbook.info\/web\/?p=3012"},"modified":"2016-10-18T10:46:43","modified_gmt":"2016-10-18T01:46:43","slug":"raspberry-pi2%e3%81%abopenvpn%e3%82%92%e3%82%a4%e3%83%b3%e3%82%b9%e3%83%88%e3%83%bc%e3%83%ab%e3%81%97%e3%81%a6%e3%81%bf%e3%81%9f%ef%bc%88openvpn%e3%82%a4%e3%83%b3%e3%82%b9%e3%83%88%e3%83%bc%e3%83%ab","status":"publish","type":"post","link":"https:\/\/www.itbook.info\/web\/2016\/10\/raspberry-pi2%e3%81%abopenvpn%e3%82%92%e3%82%a4%e3%83%b3%e3%82%b9%e3%83%88%e3%83%bc%e3%83%ab%e3%81%97%e3%81%a6%e3%81%bf%e3%81%9f%ef%bc%88openvpn%e3%82%a4%e3%83%b3%e3%82%b9%e3%83%88%e3%83%bc%e3%83%ab.html","title":{"rendered":"Raspberry Pi2\u306bOpenVPN\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u3066\u307f\u305f\uff08OpenVPN\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u7de8\uff09"},"content":{"rendered":"<aside class=\"row veu_insertAds before\"><div class=\"col-md-12\"><script async src=\"\/\/pagead2.googlesyndication.com\/pagead\/js\/adsbygoogle.js\"><\/script>\r\n                        <!-- cat_\u4e0a\u90e8 -->\r\n                        <ins class=\"adsbygoogle\" style=\"display:block\" data-ad-client=\"ca-pub-6102004203189610\" data-ad-slot=\"9628163001\" data-ad-format=\"auto\"><\/ins>\r\n                        <script>\r\n                        (adsbygoogle = window.adsbygoogle || []).push({});\r\n                        <\/script><\/div><\/aside><h2 id=\"openvpn\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\">OpenVPN\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/h2>\n<p><a href=\"http:\/\/www.itbook.info\/web\/2016\/10\/raspberry-pi2%E3%81%ABopenvpn%E3%82%92%E3%82%A4%E3%83%B3%E3%82%B9%E3%83%88%E3%83%BC%E3%83%AB%E3%81%97%E3%81%A6%E3%81%BF%E3%81%9F%EF%BC%88%E4%BA%8B%E5%89%8D%E6%BA%96%E5%82%99%E7%B7%A8%EF%BC%89.html\">Raspberry Pi2\u306bOpenVPN\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u3066\u307f\u305f\uff08\u4e8b\u524d\u6e96\u5099\u7de8\uff09<\/a>\u306b\u7d9a\u3044\u3066\u3001OpenVPN\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3092\u884c\u3044\u307e\u3059\u3002<\/p>\n<p>\u5fc5\u8981\u306a\u30d1\u30c3\u30b1\u30fc\u30b8\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u307e\u3059\u3002<\/p>\n<pre><code class=\"(null)\"># apt-get install openvpn openssl\n# apt-get install openvpn libssl-dev openssl easy-rsa<\/code><\/pre>\n<p>\u7d9a\u3044\u3066\u3001\u8a8d\u8a3c\u5c40\u7528\u306e\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002<\/p>\n<p><!--more--><\/p>\n<pre><code class=\"(null)\"># make-cadir \/etc\/openvpn\/easy-rsa\n# cd \/etc\/openvpn\/easy-rsa<\/code><\/pre>\n<p>vars\u30d5\u30a1\u30a4\u30eb\u306e\u4e0b\u8a18\u500b\u6240\u3092\u81ea\u8eab\u306e\u60c5\u5831\u306b\u5909\u66f4\u3057\u307e\u3059\u3002<\/p>\n<pre><code class=\"(null)\"># vi vars\n\n# These are the default values for fields\n# which will be placed in the certificate.\n# Don&apos;t leave any of these fields blank.\nexport KEY_COUNTRY=&quot;JP&quot;\nexport KEY_PROVINCE=&quot;hogehoge&quot;\nexport KEY_CITY=&quot;hogehoge&quot;\nexport KEY_ORG=&quot;hogehoge&quot;\nexport KEY_EMAIL=&quot;hoge@myhost.mydomain&quot;\nexport KEY_OU=&quot;hoge&quot;\n\n# X509 Subject Field\nexport KEY_NAME=&quot;hoge&quot;<\/code><\/pre>\n<p>vars\u30d5\u30a1\u30a4\u30eb\u3092\u5909\u66f4\u3057\u305f\u3089\u3001OpenVPN\u30b5\u30fc\u30d0\u30fc\u5074\u306e\u8a3c\u660e\u66f8\u3001\u79d8\u5bc6\u9375\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002<\/p>\n<pre><code class=\"(null)\"># source vars\nNOTE: If you run .\/clean-all, I will be doing a rm -rf on \/etc\/openvpn\/easy-rsa\/key\n# .\/clean-all\n# .\/build-ca\nGenerating a 2048 bit RSA private key\n.............................................................................................+++\n.......................................................................................................+++\nwriting new private key to &apos;ca.key&apos;\n-----\nYou are about to be asked to enter information that will be incorporated\ninto your certificate request.\nWhat you are about to enter is what is called a Distinguished Name or a DN.\nThere are quite a few fields but you can leave some blank\nFor some fields there will be a default value,\nIf you enter &apos;.&apos;, the field will be left blank.\n-----\nCountry Name (2 letter code) [JP]:\nState or Province Name (full name) [hoge]:\nLocality Name (eg, city) [hoge]:\nOrganization Name (eg, company) [hoge]:\nOrganizational Unit Name (eg, section) [hoge]:\nCommon Name (eg, your name or your server&apos;s hostname) [Myoffice CA]:\nName [hoge]:\nEmail Address [hoge@myhost.mydomain]:<\/code><\/pre>\n<pre><code class=\"(null)\"># .\/build-key-server hoge\nGenerating a 2048 bit RSA private key\n...........+++\n.......................................................................+++\nwriting new private key to &apos;hoge.key&apos;\n-----\nYou are about to be asked to enter information that will be incorporated\ninto your certificate request.\nWhat you are about to enter is what is called a Distinguished Name or a DN.\nThere are quite a few fields but you can leave some blank\nFor some fields there will be a default value,\nIf you enter &apos;.&apos;, the field will be left blank.\n-----\nCountry Name (2 letter code) [JP]:\nState or Province Name (full name) [hoge]:\nLocality Name (eg, city) [hoge]:\nOrganization Name (eg, company) [hoge]:\nOrganizational Unit Name (eg, section) [hoge]:\nCommon Name (eg, your name or your server&apos;s hostname) [hoge]:\nName [hoge]:\nEmail Address [hoge@myhost.mydomain]:\n\nPlease enter the following &apos;extra&apos; attributes\nto be sent with your certificate request\nA challenge password []:\nAn optional company name []:\nUsing configuration from \/etc\/openvpn\/easy-rsa\/openssl-1.0.0.cnf\nCheck that the request matches the signature\nSignature ok\nThe Subject&apos;s Distinguished Name is as follows\ncountryName           :PRINTABLE:&apos;JP&apos;\nstateOrProvinceName   :PRINTABLE:&apos;hoge&apos;\nlocalityName          :PRINTABLE:&apos;hoge&apos;\norganizationName      :PRINTABLE:&apos;hoge&apos;\norganizationalUnitName:PRINTABLE:&apos;hoge&apos;\ncommonName            :PRINTABLE:&apos;hoge&apos;\nname                  :PRINTABLE:&apos;hoge&apos;\nemailAddress          :IA5STRING:&apos;hoge@myhost.mydomain&apos;\nCertificate is to be certified until Oct 14 10:31:02 2026 GMT (3650 days)\nSign the certificate? [y\/n]:y\n\n\n1 out of 1 certificate requests certified, commit? [y\/n]y\nWrite out database with 1 new entries\nData Base Updated\nroot@ubuntu-standard:\/etc\/openvpn\/easy-rsa#<\/code><\/pre>\n<p>\u6700\u5f8c\u306b\u4ee5\u4e0b\u3092\u5b9f\u884c\u3057\u3066Diffie Hellman\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u751f\u6210\u3057\u307e\u3059\u3002\u30d1\u30e9\u30e1\u30fc\u30bf\u751f\u6210\u306f\u7d50\u69cb\u6642\u9593\uff0810\u5206\u4ee5\u4e0a\uff09\u304c\u304b\u304b\u308a\u307e\u3059\u306e\u3067\u6c17\u9577\u306b\u5f85\u3061\u307e\u3059\u3002<\/p>\n<pre><code class=\"(null)\"># .\/build-dh<\/code><\/pre>\n<p>\u30b5\u30fc\u30d0\u30fc\u3001\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u5171\u901a\u306e\u79d8\u5bc6\u9375\u3092\u751f\u6210\u3057\u307e\u3059\u3002<\/p>\n<pre><code class=\"(null)\"># cd keys\/\n# openvpn --genkey --secret ta.key<\/code><\/pre>\n<h2 id=\"\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u9375\u306e\u4f5c\u6210\">\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u9375\u306e\u4f5c\u6210<\/h2>\n<p>OpenVPN\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u5074\u306e\u8a3c\u660e\u66f8\u3001\u79d8\u5bc6\u9375\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002<\/p>\n<pre><code class=\"(null)\">\/etc\/openvpn\/easy-rsa# .\/build-key-pass user1\nGenerating a 2048 bit RSA private key\n................+++\n...............................+++\nwriting new private key to &apos;user1.key&apos;\nEnter PEM pass phrase:\nVerifying - Enter PEM pass phrase:\n-----\nYou are about to be asked to enter information that will be incorporated\ninto your certificate request.\nWhat you are about to enter is what is called a Distinguished Name or a DN.\nThere are quite a few fields but you can leave some blank\nFor some fields there will be a default value,\nIf you enter &apos;.&apos;, the field will be left blank.\n-----\nCountry Name (2 letter code) [JP]:\nState or Province Name (full name) [hoge]:\nLocality Name (eg, city) [hoge]:\nOrganization Name (eg, company) [hoge]:\nOrganizational Unit Name (eg, section) [hoge]:\nCommon Name (eg, your name or your server&apos;s hostname) [user1]:\nName [hoge]:\nEmail Address [hoge@myhost.mydomain]:\n\nPlease enter the following &apos;extra&apos; attributes\nto be sent with your certificate request\nA challenge password []:\nAn optional company name []:\nUsing configuration from \/etc\/openvpn\/easy-rsa\/openssl-1.0.0.cnf\nCheck that the request matches the signature\nSignature ok\nThe Subject&apos;s Distinguished Name is as follows\ncountryName           :PRINTABLE:&apos;JP&apos;\nstateOrProvinceName   :PRINTABLE:&apos;hoge&apos;\nlocalityName          :PRINTABLE:&apos;hoge&apos;\norganizationName      :PRINTABLE:&apos;hoge&apos;\norganizationalUnitName:PRINTABLE:&apos;hoge&apos;\ncommonName            :PRINTABLE:&apos;user1&apos;\nname                  :PRINTABLE:&apos;hoge&apos;\nemailAddress          :IA5STRING:&apos;hoge@myhost.mydomain&apos;\nCertificate is to be certified until Oct 14 11:06:02 2026 GMT (3650 days)\nSign the certificate? [y\/n]:y\n\n\n1 out of 1 certificate requests certified, commit? [y\/n]y\nWrite out database with 1 new entries\nData Base Updated<\/code><\/pre>\n<p>\u4f5c\u6210\u3057\u305f\u30d5\u30a1\u30a4\u30eb\u3092OpenVPN\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b\u30b3\u30d4\u30fc\u3057\u307e\u3059\u3002<\/p>\n<pre><code class=\"(null)\"># cp ca.crt ca.key hoge.crt hoge.key ta.key dh2048.pem \/etc\/openvpn\n# cd \/etc\/openvpn\/<\/code><\/pre>\n<p>\u6b21\u306bserver.conf\u306e\u8a2d\u5b9a\u3092\u884c\u3044\u307e\u3059\u3002<\/p>\n<pre><code class=\"(null)\"># cp \/usr\/share\/doc\/openvpn\/examples\/sample-config-files\/server.conf.gz \/etc\/openvpn\/\n# gzip -d \/etc\/openvpn\/server.conf.gz\n# cp server.conf server.conf.org\n# vim server.conf<\/code><\/pre>\n<p>\u4ee5\u4e0b\u306e\u3088\u3046\u306b\u8a2d\u5b9a\u3092\u5909\u66f4\u3057\u307e\u3059\u3002<\/p>\n<pre><code class=\"(null)\">#################################################\n# Sample OpenVPN 2.0 config file for            #\n# multi-client server.                          #\n#                                               #\n# This file is for the server side              #\n# of a many-clients &lt;-&gt; one-server              #\n# OpenVPN configuration.                        #\n#                                               #\n# OpenVPN also supports                         #\n# single-machine &lt;-&gt; single-machine             #\n# configurations (See the Examples page         #\n# on the web site for more info).               #\n#                                               #\n# This config should work on Windows            #\n# or Linux\/BSD systems.  Remember on            #\n# Windows to quote pathnames and use            #\n# double backslashes, e.g.:                     #\n# &quot;C:\\\\Program Files\\\\OpenVPN\\\\config\\\\foo.key&quot; #\n#                                               #\n# Comments are preceded with &apos;#&apos; or &apos;;&apos;         #\n#################################################\n\n# Which local IP address should OpenVPN\n# listen on? (optional)\n;local a.b.c.d\n\n# Which TCP\/UDP port should OpenVPN listen on?\n# If you want to run multiple OpenVPN instances\n# on the same machine, use a different port\n# number for each one.  You will need to\n# open up this port on your firewall.\nport 443\n\n# TCP or UDP server?\n;proto tcp\nproto udp\n\n# &quot;dev tun&quot; will create a routed IP tunnel,\n# &quot;dev tap&quot; will create an ethernet tunnel.\n# Use &quot;dev tap0&quot; if you are ethernet bridging\n# and have precreated a tap0 virtual interface\n# and bridged it with your ethernet interface.\n# If you want to control access policies\n# over the VPN, you must create firewall\n# rules for the the TUN\/TAP interface.\n# On non-Windows systems, you can give\n# an explicit unit number, such as tun0.\n# On Windows, use &quot;dev-node&quot; for this.\n# On most systems, the VPN will not function\n# unless you partially or fully disable\n# the firewall for the TUN\/TAP interface.\n;dev tap\ndev tun\n\n# Windows needs the TAP-Win32 adapter name\n# from the Network Connections panel if you\n# have more than one.  On XP SP2 or higher,\n# you may need to selectively disable the\n# Windows firewall for the TAP adapter.\n# Non-Windows systems usually don&apos;t need this.\n;dev-node MyTap\n\n# SSL\/TLS root certificate (ca), certificate\n# (cert), and private key (key).  Each client\n# and the server must have their own cert and\n# key file.  The server and all clients will\n# use the same ca file.\n#\n# See the &quot;easy-rsa&quot; directory for a series\n# of scripts for generating RSA certificates\n# and private keys.  Remember to use\n# a unique Common Name for the server\n# and each of the client certificates.\n#\n# Any X509 key management system can be used.\n# OpenVPN can also use a PKCS #12 formatted key file\n# (see &quot;pkcs12&quot; directive in man page).\nca ca.crt\ncert hoge.crt\nkey hoge.key  # This file should be kept secret\n\n# Diffie hellman parameters.\n# Generate your own with:\n#   openssl dhparam -out dh2048.pem 2048\ndh dh2048.pem\n\n# Network topology\n# Should be subnet (addressing via IP)\n# unless Windows clients v2.0.9 and lower have to\n# be supported (then net30, i.e. a \/30 per client)\n# Defaults to net30 (not recommended)\n;topology subnet\n\n# Configure server mode and supply a VPN subnet\n# for OpenVPN to draw client addresses from.\n# The server will take 10.8.0.1 for itself,\n# the rest will be made available to clients.\n# Each client will be able to reach the server\n# on 10.8.0.1. Comment this line out if you are\n# ethernet bridging. See the man page for more info.\nserver 10.8.0.0 255.255.255.0\n\n# Maintain a record of client &lt;-&gt; virtual IP address\n# associations in this file.  If OpenVPN goes down or\n# is restarted, reconnecting clients can be assigned\n# the same virtual IP address from the pool that was\n# previously assigned.\nifconfig-pool-persist ipp.txt\n\n# Configure server mode for ethernet bridging.\n# You must first use your OS&apos;s bridging capability\n# to bridge the TAP interface with the ethernet\n# NIC interface.  Then you must manually set the\n# IP\/netmask on the bridge interface, here we\n# assume 10.8.0.4\/255.255.255.0.  Finally we\n# must set aside an IP range in this subnet\n# (start=10.8.0.50 end=10.8.0.100) to allocate\n# to connecting clients.  Leave this line commented\n# out unless you are ethernet bridging.\n;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100\n\n# Configure server mode for ethernet bridging\n# using a DHCP-proxy, where clients talk\n# to the OpenVPN server-side DHCP server\n# to receive their IP address allocation\n# and DNS server addresses.  You must first use\n# your OS&apos;s bridging capability to bridge the TAP\n# interface with the ethernet NIC interface.\n# Note: this mode only works on clients (such as\n# Windows), where the client-side TAP adapter is\n# bound to a DHCP client.\n;server-bridge\n\n# Push routes to the client to allow it\n# to reach other private subnets behind\n# the server.  Remember that these\n# private subnets will also need\n# to know to route the OpenVPN client\n# address pool (10.8.0.0\/255.255.255.0)\n# back to the OpenVPN server.\n;push &quot;route 192.168.10.0 255.255.255.0&quot;\n;push &quot;route 192.168.20.0 255.255.255.0&quot;\npush &quot;route 192.168.11.0 255.255.255.0&quot;\n\n# To assign specific IP addresses to specific\n# clients or if a connecting client has a private\n# subnet behind it that should also have VPN access,\n# use the subdirectory &quot;ccd&quot; for client-specific\n# configuration files (see man page for more info).\n\n# EXAMPLE: Suppose the client\n# having the certificate common name &quot;Thelonious&quot;\n# also has a small subnet behind his connecting\n# machine, such as 192.168.40.128\/255.255.255.248.\n# First, uncomment out these lines:\n;client-config-dir ccd\n;route 192.168.40.128 255.255.255.248\n# Then create a file ccd\/Thelonious with this line:\n#   iroute 192.168.40.128 255.255.255.248\n# This will allow Thelonious&apos; private subnet to\n# access the VPN.  This example will only work\n# if you are routing, not bridging, i.e. you are\n# using &quot;dev tun&quot; and &quot;server&quot; directives.\n\n# EXAMPLE: Suppose you want to give\n# Thelonious a fixed VPN IP address of 10.9.0.1.\n# First uncomment out these lines:\n;client-config-dir ccd\n;route 10.9.0.0 255.255.255.252\n# Then add this line to ccd\/Thelonious:\n#   ifconfig-push 10.9.0.1 10.9.0.2\n\n# Suppose that you want to enable different\n# firewall access policies for different groups\n# of clients.  There are two methods:\n# (1) Run multiple OpenVPN daemons, one for each\n#     group, and firewall the TUN\/TAP interface\n#     for each group\/daemon appropriately.\n# (2) (Advanced) Create a script to dynamically\n#     modify the firewall in response to access\n#     from different clients.  See man\n#     page for more info on learn-address script.\n;learn-address .\/script\n\n# If enabled, this directive will configure\n# all clients to redirect their default\n# network gateway through the VPN, causing\n# all IP traffic such as web browsing and\n# and DNS lookups to go through the VPN\n# (The OpenVPN server machine may need to NAT\n# or bridge the TUN\/TAP interface to the internet\n# in order for this to work properly).\npush &quot;redirect-gateway def1 bypass-dhcp&quot;\n\n# Certain Windows-specific network settings\n# can be pushed to clients, such as DNS\n# or WINS server addresses.  CAVEAT:\n# http:\/\/openvpn.net\/faq.html#dhcpcaveats\n# The addresses below refer to the public\n# DNS servers provided by opendns.com.\n;push &quot;dhcp-option DNS 208.67.222.222&quot;\n;push &quot;dhcp-option DNS 208.67.220.220&quot;\npush &quot;dhcp-option DNS 192.168.11.1&quot;\npush &quot;dhcp-option DNS 8.8.8.8&quot;\n\n# Uncomment this directive to allow different\n# clients to be able to &quot;see&quot; each other.\n# By default, clients will only see the server.\n# To force clients to only see the server, you\n# will also need to appropriately firewall the\n# server&apos;s TUN\/TAP interface.\nclient-to-client\n\n# Uncomment this directive if multiple clients\n# might connect with the same certificate\/key\n# files or common names.  This is recommended\n# only for testing purposes.  For production use,\n# each client should have its own certificate\/key\n# pair.\n#\n# IF YOU HAVE NOT GENERATED INDIVIDUAL\n# CERTIFICATE\/KEY PAIRS FOR EACH CLIENT,\n# EACH HAVING ITS OWN UNIQUE &quot;COMMON NAME&quot;,\n# UNCOMMENT THIS LINE OUT.\nduplicate-cn\n\n# The keepalive directive causes ping-like\n# messages to be sent back and forth over\n# the link so that each side knows when\n# the other side has gone down.\n# Ping every 10 seconds, assume that remote\n# peer is down if no ping received during\n# a 120 second time period.\nkeepalive 10 120\n\n# For extra security beyond that provided\n# by SSL\/TLS, create an &quot;HMAC firewall&quot;\n# to help block DoS attacks and UDP port flooding.\n#\n# Generate with:\n#   openvpn --genkey --secret ta.key\n#\n# The server and each client must have\n# a copy of this key.\n# The second parameter should be &apos;0&apos;\n# on the server and &apos;1&apos; on the clients.\ntls-auth ta.key 0 # This file is secret\n\n# Select a cryptographic cipher.\n# This config item must be copied to\n# the client config file as well.\n;cipher BF-CBC        # Blowfish (default)\ncipher AES-128-CBC   # AES\n;cipher DES-EDE3-CBC  # Triple-DES\n\n# Enable compression on the VPN link.\n# If you enable it here, you must also\n# enable it in the client config file.\ncomp-lzo\n\n# The maximum number of concurrently connected\n# clients we want to allow.\n;max-clients 100\n\n# It&apos;s a good idea to reduce the OpenVPN\n# daemon&apos;s privileges after initialization.\n#\n# You can uncomment this out on\n# non-Windows systems.\nuser nobody\ngroup nogroup\n\n# The persist options will try to avoid\n# accessing certain resources on restart\n# that may no longer be accessible because\n# of the privilege downgrade.\npersist-key\npersist-tun\n\n# Output a short status file showing\n# current connections, truncated\n# and rewritten every minute.\nstatus openvpn-status.log\n\n# By default, log messages will go to the syslog (or\n# on Windows, if running as a service, they will go to\n# the &quot;\\Program Files\\OpenVPN\\log&quot; directory).\n# Use log or log-append to override this default.\n# &quot;log&quot; will truncate the log file on OpenVPN startup,\n# while &quot;log-append&quot; will append to it.  Use one\n# or the other (but not both).\nlog         openvpn.log\nlog-append  openvpn.log\n\n# Set the appropriate level of log\n# file verbosity.\n#\n# 0 is silent, except for fatal errors\n# 4 is reasonable for general usage\n# 5 and 6 can help to debug connection problems\n# 9 is extremely verbose\nverb 3\n\n# Silence repeating messages.  At most 20\n# sequential messages of the same message\n# category will be output to the log.\n;mute 20<\/code><\/pre>\n<h2 id=\"\u30d5\u30a1\u30a4\u30a2\u30a6\u30a9\u30fc\u30eb\u7b49\u306e\u8a2d\u5b9a\">\u30d5\u30a1\u30a4\u30a2\u30a6\u30a9\u30fc\u30eb\u7b49\u306e\u8a2d\u5b9a<\/h2>\n<p>\u7d9a\u3044\u3066\u30d5\u30a1\u30a4\u30a2\u30a6\u30a9\u30fc\u30eb\u3068IP\u30d5\u30a9\u30ef\u30fc\u30c7\u30a3\u30f3\u30b0\u7b49\u306e\u8a2d\u5b9a\u3092\u5909\u66f4\u3057\u307e\u3059\u3002<\/p>\n<pre><code class=\"(null)\"># ip route | grep default\ndefault via 192.168.11.1 dev eth0\n# vi \/etc\/ufw\/before.rules<\/code><\/pre>\n<p>\u4ee5\u4e0b\u3092\u5148\u982d\u306b\u8ffd\u52a0<\/p>\n<pre><code class=\"(null)\"># START OPENVPN RULES\n# NAT table rules\n*nat\n:POSTROUTING ACCEPT [0:0]\n# Allow traffic from OpenVPN client to eth0\n-A POSTROUTING -s 10.8.0.0\/8 -o eth0 -j MASQUERADE\nCOMMIT\n# END OPENVPN RULES<\/code><\/pre>\n<p>\u30d5\u30a9\u30ef\u30fc\u30c7\u30a3\u30f3\u30b0\u30dd\u30ea\u30b7\u30fc\u3092\u5909\u66f4\u3057\u307e\u3059<\/p>\n<pre><code class=\"(null)\"># vi \/etc\/default\/ufw<\/code><\/pre>\n<p>\u4ee5\u4e0b\u306b\u5909\u66f4<\/p>\n<pre><code class=\"(null)\"># Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that\n# if you change this you will most likely want to adjust your rules\nDEFAULT_FORWARD_POLICY=&quot;ACCEPT&quot;<\/code><\/pre>\n<p>OpenVPN\u306e\u30dd\u30fc\u30c8\u3092\u30d5\u30a1\u30a4\u30a2\u30a6\u30a9\u30fc\u30eb\u306b\u8a31\u53ef\u3057\u307e\u3059\u3002\u4ee5\u4e0b\u306e\u4f8b\u306f\u3001\u30dd\u30fc\u30c8\u756a\u53f7\u3092443\u306b\u5909\u66f4\u3057\u3066\u3044\u308b\u306e\u3067\u9069\u5b9c\u8aad\u307f\u66ff\u3048\u3066\u304f\u3060\u3055\u3044\u3002<\/p>\n<pre><code class=\"(null)\"># ufw allow 443\/udp<\/code><\/pre>\n<p>ufw\u30b5\u30fc\u30d3\u30b9\u3092\u518d\u8d77\u52d5\u3057\u307e\u3059\u3002<\/p>\n<pre><code class=\"(null)\"># sudo ufw disable\nFirewall stopped and disabled on system startup\n# sudo ufw enable\nCommand may disrupt existing ssh connections. Proceed with operation (y|n)? y\nFirewall is active and enabled on system startup<\/code><\/pre>\n<p>\u4ee5\u4e0a\u3067\u30b5\u30fc\u30d0\u30fc\u5074\u306eOpenVPN\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3068\u8a2d\u5b9a\u306f\u7d42\u4e86\u3067\u3059\u3002<\/p>\n<p>\u300c\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u5074\u306eOpenVPN\u8a2d\u5b9a\u3068\u63a5\u7d9a\u78ba\u8a8d\u300d\u306b\u7d9a\u304d\u307e\u3059\u3002<\/p>\n<aside class=\"row veu_insertAds after\"><div class=\"col-md-12\"><script async src=\"\/\/pagead2.googlesyndication.com\/pagead\/js\/adsbygoogle.js\"><\/script>\r\n                        <!-- cat_\u4e0a\u90e8 -->\r\n                        <ins class=\"adsbygoogle\" style=\"display:block\" data-ad-client=\"ca-pub-6102004203189610\" data-ad-slot=\"9628163001\" data-ad-format=\"auto\"><\/ins>\r\n                        <script>\r\n                        (adsbygoogle = window.adsbygoogle || []).push({});\r\n                        <\/script><\/div><\/aside>","protected":false},"excerpt":{"rendered":"<p>OpenVPN\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb Raspberry Pi2\u306bOpenVPN\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u3066\u307f\u305f\uff08\u4e8b\u524d\u6e96\u5099\u7de8\uff09\u306b\u7d9a\u3044\u3066\u3001OpenVPN\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3092\u884c\u3044\u307e\u3059\u3002 \u5fc5\u8981\u306a\u30d1\u30c3\u30b1\u30fc\u30b8\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u307e\u3059\u3002 # apt-get  [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[38],"tags":[313,290,314],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v15.0 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Raspberry Pi2\u306bOpenVPN\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u3066\u307f\u305f\uff08OpenVPN\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u7de8\uff09 - \u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30a8\u30f3\u30b8\u30cb\u30a2\u304c\u65e5\u3005\u306e\u51fa\u6765\u4e8b\u3092\u8a9e\u308b<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.itbook.info\/web\/2016\/10\/raspberry-pi2\u306bopenvpn\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u3066\u307f\u305f\uff08openvpn\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb.html\" \/>\n<meta property=\"og:locale\" content=\"ja_JP\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Raspberry Pi2\u306bOpenVPN\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u3066\u307f\u305f\uff08OpenVPN\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u7de8\uff09 - \u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30a8\u30f3\u30b8\u30cb\u30a2\u304c\u65e5\u3005\u306e\u51fa\u6765\u4e8b\u3092\u8a9e\u308b\" \/>\n<meta property=\"og:description\" content=\"OpenVPN\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb Raspberry Pi2\u306bOpenVPN\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u3066\u307f\u305f\uff08\u4e8b\u524d\u6e96\u5099\u7de8\uff09\u306b\u7d9a\u3044\u3066\u3001OpenVPN\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3092\u884c\u3044\u307e\u3059\u3002 \u5fc5\u8981\u306a\u30d1\u30c3\u30b1\u30fc\u30b8\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u307e\u3059\u3002 # apt-get [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.itbook.info\/web\/2016\/10\/raspberry-pi2\u306bopenvpn\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u3066\u307f\u305f\uff08openvpn\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb.html\" \/>\n<meta property=\"og:site_name\" content=\"\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30a8\u30f3\u30b8\u30cb\u30a2\u304c\u65e5\u3005\u306e\u51fa\u6765\u4e8b\u3092\u8a9e\u308b\" \/>\n<meta property=\"article:published_time\" content=\"2016-10-18T01:45:32+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2016-10-18T01:46:43+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.itbook.info\/web\/#website\",\"url\":\"https:\/\/www.itbook.info\/web\/\",\"name\":\"\\u30cd\\u30c3\\u30c8\\u30ef\\u30fc\\u30af\\u30a8\\u30f3\\u30b8\\u30cb\\u30a2\\u304c\\u65e5\\u3005\\u306e\\u51fa\\u6765\\u4e8b\\u3092\\u8a9e\\u308b\",\"description\":\"\\u30cd\\u30c3\\u30c8\\u30ef\\u30fc\\u30af\\u30cd\\u30bf\\u3068\\u304b\\u3092\\u9069\\u5f53\\u306b\\u66f8\\u304d\\u6563\\u3089\\u304b\\u3059\\u30d6\\u30ed\\u30b0\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"https:\/\/www.itbook.info\/web\/?s={search_term_string}\",\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"ja\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.itbook.info\/web\/2016\/10\/raspberry-pi2%e3%81%abopenvpn%e3%82%92%e3%82%a4%e3%83%b3%e3%82%b9%e3%83%88%e3%83%bc%e3%83%ab%e3%81%97%e3%81%a6%e3%81%bf%e3%81%9f%ef%bc%88openvpn%e3%82%a4%e3%83%b3%e3%82%b9%e3%83%88%e3%83%bc%e3%83%ab.html#webpage\",\"url\":\"https:\/\/www.itbook.info\/web\/2016\/10\/raspberry-pi2%e3%81%abopenvpn%e3%82%92%e3%82%a4%e3%83%b3%e3%82%b9%e3%83%88%e3%83%bc%e3%83%ab%e3%81%97%e3%81%a6%e3%81%bf%e3%81%9f%ef%bc%88openvpn%e3%82%a4%e3%83%b3%e3%82%b9%e3%83%88%e3%83%bc%e3%83%ab.html\",\"name\":\"Raspberry Pi2\\u306bOpenVPN\\u3092\\u30a4\\u30f3\\u30b9\\u30c8\\u30fc\\u30eb\\u3057\\u3066\\u307f\\u305f\\uff08OpenVPN\\u30a4\\u30f3\\u30b9\\u30c8\\u30fc\\u30eb\\u7de8\\uff09 - \\u30cd\\u30c3\\u30c8\\u30ef\\u30fc\\u30af\\u30a8\\u30f3\\u30b8\\u30cb\\u30a2\\u304c\\u65e5\\u3005\\u306e\\u51fa\\u6765\\u4e8b\\u3092\\u8a9e\\u308b\",\"isPartOf\":{\"@id\":\"https:\/\/www.itbook.info\/web\/#website\"},\"datePublished\":\"2016-10-18T01:45:32+00:00\",\"dateModified\":\"2016-10-18T01:46:43+00:00\",\"author\":{\"@id\":\"https:\/\/www.itbook.info\/web\/#\/schema\/person\/3707482c5270f902ec5d92dba1db0920\"},\"inLanguage\":\"ja\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.itbook.info\/web\/2016\/10\/raspberry-pi2%e3%81%abopenvpn%e3%82%92%e3%82%a4%e3%83%b3%e3%82%b9%e3%83%88%e3%83%bc%e3%83%ab%e3%81%97%e3%81%a6%e3%81%bf%e3%81%9f%ef%bc%88openvpn%e3%82%a4%e3%83%b3%e3%82%b9%e3%83%88%e3%83%bc%e3%83%ab.html\"]}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.itbook.info\/web\/#\/schema\/person\/3707482c5270f902ec5d92dba1db0920\",\"name\":\"na3620\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.itbook.info\/web\/#personlogo\",\"inLanguage\":\"ja\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/1e7e7f8079aa707666c2a1069de805ef?s=96&d=mm&r=g\",\"caption\":\"na3620\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/www.itbook.info\/web\/wp-json\/wp\/v2\/posts\/3012"}],"collection":[{"href":"https:\/\/www.itbook.info\/web\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.itbook.info\/web\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.itbook.info\/web\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.itbook.info\/web\/wp-json\/wp\/v2\/comments?post=3012"}],"version-history":[{"count":2,"href":"https:\/\/www.itbook.info\/web\/wp-json\/wp\/v2\/posts\/3012\/revisions"}],"predecessor-version":[{"id":3014,"href":"https:\/\/www.itbook.info\/web\/wp-json\/wp\/v2\/posts\/3012\/revisions\/3014"}],"wp:attachment":[{"href":"https:\/\/www.itbook.info\/web\/wp-json\/wp\/v2\/media?parent=3012"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.itbook.info\/web\/wp-json\/wp\/v2\/categories?post=3012"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.itbook.info\/web\/wp-json\/wp\/v2\/tags?post=3012"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}