-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# SSH, web server, etc.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# Connections to OpenVPN
-A INPUT -p udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -s 10.8.0.0/24 --dport 22 -j ACCEPT
# /etc/openvpn/server/server.conf (full text)
dev tun
port 1194
proto udp
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
keepalive 10 120
tls-auth ta.key 0
auth SHA512
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
Creating the client configuration file
cd /etc/openvpn/server/
ovpngen /etc/openvpn/server/ca.crt /etc/easy-rsa/pki/issued/client.crt /etc/easy-rsa/pki/private/client.key /etc/openvpn/server/ta.key > client.ovpn
The following settings are not picked up automatically, so uncomment them in client.ovpn:
### optionally uncomment and change both the cipher and auth lines to exactly
### match the values specified in /etc/openvpn/server/server.conf
cipher AES-256-CBC
auth SHA512
###
### depending on how /etc/openvpn/server/server.conf is configured, uncomment
### the following line if you are not using the compression push option therein
comp-lzo
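A small consistency check that ties the rule set at the top of the post to the server.conf and client.ovpn editing step. This is an added example, not code from the original post or from the ovpngen project: it parses OpenVPN directive files and an iptables-restore rule set, reports which of cipher/auth/comp-lzo still differ between server and client, confirms the listen proto/port from server.conf is accepted on the filter INPUT chain, and flags when the pushed default route has nowhere to go because the VPN subnet is neither covered by a FORWARD policy of ACCEPT nor by an explicit FORWARD rule. All inputs are constructed from the values in the post; the client file is a stand-in for ovpngen's output, the hostname vpn.example.invalid is a placeholder, and the "-i tun" / CIDR matching in the forwarding check is an assumption about how such rules are usually written.

```python
import re

# Constructed sample inputs (values copied from the post's server.conf and rule set).
SERVER_CONF = """\
dev tun
port 1194
proto udp
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
tls-auth ta.key 0
auth SHA512
cipher AES-256-CBC
comp-lzo
"""

# Constructed stand-in for a freshly generated client.ovpn: cipher/auth/comp-lzo
# are still commented out, as the post describes. The hostname is a placeholder.
CLIENT_OVPN_RAW = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
#cipher AES-256-CBC
#auth SHA512
#comp-lzo
"""

# The same client file after the three lines have been uncommented.
CLIENT_OVPN_FIXED = (CLIENT_OVPN_RAW.replace("#cipher", "cipher")
                     .replace("#auth", "auth").replace("#comp-lzo", "comp-lzo"))

# Constructed iptables-restore input modelled on the post's rules (abridged).
IPTABLES_RULES = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -s 10.8.0.0/24 --dport 22 -j ACCEPT
COMMIT
"""


def parse_openvpn_config(text):
    """Map directive -> list of argument lists; lines starting with '#' or ';' are comments."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def client_mismatches(server_text, client_text):
    """Directives that are present/valued differently in the client than in the server."""
    srv = parse_openvpn_config(server_text)
    cli = parse_openvpn_config(client_text)
    return [key for key in ("cipher", "auth", "comp-lzo")
            if (key in srv) != (key in cli) or srv.get(key) != cli.get(key)]


def parse_iptables_restore(text):
    """Return {table: {"policies": {chain: policy}, "rules": [rule, ...]}}."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # table header, e.g. *filter
            current = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line.startswith(":") and current is not None:   # chain policy line
            chain, policy = line[1:].split()[:2]
            current["policies"][chain] = policy
        elif line == "COMMIT":
            current = None
        elif current is not None:
            current["rules"].append(line)
    return tables


def listen_port_allowed(server_text, rules_text):
    """True if filter/INPUT accepts the proto and port that server.conf listens on."""
    srv = parse_openvpn_config(server_text)
    port = srv.get("port", [["1194"]])[0][0]
    proto = srv.get("proto", [["udp"]])[0][0].rstrip("46").split("-")[0]  # udp6/tcp-server -> udp/tcp
    rules = parse_iptables_restore(rules_text).get("filter", {"rules": []})["rules"]
    pattern = re.compile(r"^-A INPUT\b.*-p %s\b.*--dport %s\b.*-j ACCEPT$" % (re.escape(proto), port))
    return any(pattern.search(r) for r in rules)


def vpn_subnet_forwarded(server_text, rules_text):
    """True if filter/FORWARD lets the 'server' subnet through (policy ACCEPT or an explicit rule)."""
    srv = parse_openvpn_config(server_text)
    net, mask = srv["server"][0][:2]
    cidr = "%s/%d" % (net, sum(bin(int(o)).count("1") for o in mask.split(".")))
    filt = parse_iptables_restore(rules_text).get("filter", {"policies": {}, "rules": []})
    if filt["policies"].get("FORWARD") == "ACCEPT":
        return True
    # Assumption: an explicit allow names the subnet or the tun interface.
    return any(r.startswith("-A FORWARD") and (cidr in r or "-i tun" in r) and r.endswith("-j ACCEPT")
               for r in filt["rules"])


def run_checks(server_text=SERVER_CONF, client_text=CLIENT_OVPN_RAW, rules_text=IPTABLES_RULES):
    return {
        "client_mismatches": client_mismatches(server_text, client_text),
        "listen_port_allowed": listen_port_allowed(server_text, rules_text),
        "vpn_subnet_forwarded": vpn_subnet_forwarded(server_text, rules_text),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

Against the constructed inputs the unedited client file reports all three directives as mismatched and the edited one reports none, the UDP/1194 rule is found, and the forwarding check comes back false because the filter table's FORWARD policy is DROP with no rule for 10.8.0.0/24. On a real host, pass the output of iptables-save and the actual files instead of the embedded strings.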
Then copy it to your local machine with scp or the like.
Debugging
Set verb 6 so that the cause of the error is printed.
Server
cd /etc/openvpn/server/
sudo openvpn --config server.conf --verb 6