[openVPN #1] 무료버전 OpenVPN을 설치하고 사용하기!

 

안녕하세요! 🤗

정말 오래간만의 포스팅입니다.
이번 포스팅은 "무료버전 OpenVPN을 설치하고 사용하기!" 입니다.

OpenVPN은 그림과 같이, VPN을 연결하면 마치 VPC 내부 네트워크에 있는것 처럼 동작하게 되어,
RDS,EC2에 접근할 수 있게 됩니다. 😊

이제 OpenVPN을 설치하고 사용해도록 하겠습니다! (아주 간단합니다)

[순서]
1. OpenVPN EC2 생성 & 설치하기
2. OpenVPN 사용자 생성하기
3. 사용자 로그인하기

 

---

1. OpenVPN EC2 생성 & 설치하기

---

OpenVPN은 마켓플레이스에서 간단하게 구매하여 사용할 수 있습니다.
우리가 사용할 AMI는 "OpenVPN Access Server" 이며, 라이선스를 BYOL하거나 무료로 2개세션까지 쓸 수 있는 버전입니다.

OpenVPN 인스턴스를 생성하는 방법은 별도로 안내하지 않겠습니다.😁
생성이 완료 되면, 아래처럼 인스턴스 목록에 표시됩니다.
이제, OpenVPN설정을 하도록 SSH접속해봅시다!

$ ssh -i <ec2 key> openvpnas@<ec2 ip>

접속하면 바로 여러 약관동의하는지에 대한 내용이 나온 후 설정에 대한 질문이 이어집니다. :)
아래 더보기 란을 클릭하여 전부 확인할 수 있습니다.

i-mini@awskey % ssh -i myEC2Key.pem openvpnas@3.36.120.182

Welcome to OpenVPN Access Server Appliance 2.8.5

  System information as of Mon Aug 30 04:56:27 UTC 2021

  System load:  0.62              Processes:           112
  Usage of /:   23.6% of 7.69GB   Users logged in:     0
  Memory usage: 13%               IP address for ens5: 172.31.0.18
  Swap usage:   0%

186 packages can be updated.
139 updates are security updates.


Last login: Mon Aug 30 04:51:52 2021 from 14.52.234.101
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.


          OpenVPN Access Server
          Initial Configuration Tool
------------------------------------------------------
OpenVPN Access Server End User License Agreement (OpenVPN-AS EULA)

    1. Copyright Notice: OpenVPN Access Server License;
       Copyright (c) 2009-2020 OpenVPN Inc. All rights reserved.
       "OpenVPN" is a trademark of OpenVPN Inc.
    2. Redistribution of OpenVPN Access Server binary forms and related documents,
       are permitted provided that redistributions of OpenVPN Access Server binary
       forms and related documents reproduce the above copyright notice as well as
       a complete copy of this EULA.
    3. You agree not to reverse engineer, decompile, disassemble, modify,
       translate, make any attempt to discover the source code of this software,
       or create derivative works from this software.
    4. The OpenVPN Access Server is bundled with other open source software
       components, some of which fall under different licenses. By using OpenVPN
       or any of the bundled components, you agree to be bound by the conditions
       of the license for each respective component. For more information, you can
       find our complete EULA (End-User License Agreement) on our website
       (http://openvpn.net), and a copy of the EULA is also distributed with the
       Access Server in the file /usr/local/openvpn_as/license.txt.
    5. This software is provided "as is" and any expressed or implied warranties,
       including, but not limited to, the implied warranties of merchantability
       and fitness for a particular purpose are disclaimed. In no event shall
       OpenVPN Inc. be liable for any direct, indirect, incidental,
       special, exemplary, or consequential damages (including, but not limited
       to, procurement of substitute goods or services; loss of use, data, or
       profits; or business interruption) however caused and on any theory of
       liability, whether in contract, strict liability, or tort (including
       negligence or otherwise) arising in any way out of the use of this
       software, even if advised of the possibility of such damage.
    6. OpenVPN Inc. is the sole distributor of OpenVPN Access Server
       licenses. This agreement and licenses granted by it may not be assigned,
       sublicensed, or otherwise transferred by licensee without prior written
       consent of OpenVPN Inc. Any licenses violating this provision
       will be subject to revocation and deactivation, and will not be eligible
       for refunds.
    7. A purchased license entitles you to use this software for the duration of
       time denoted on your license key on any one (1) particular device, up to
       the concurrent user limit specified by your license. Multiple license keys
       may be activated to achieve a desired concurrency limit on this given
       device. Unless otherwise prearranged with OpenVPN Inc.,
       concurrency counts on license keys are not to be divided for use amongst
       multiple devices. Upon activation of the first purchased license key in
       this software, you agree to forego any free licenses or keys that were
       given to you for demonstration purposes, and as such, the free licenses
       will not appear after the activation of a purchased key. You are
       responsible for the timely activation of these licenses on your desired
       server of choice. Refunds on purchased license keys are only possible
       within 30 days of purchase of license key, and then only if the license key
       has not already been activated on a system. To request a refund, contact us
       through our support ticket system using the account you have used to
       purchase the license key. Exceptions to this policy may be given for
       machines under failover mode, and when the feature is used as directed in
       the OpenVPN Access Server user manual. In these circumstances, a user is
       granted one (1) license key (per original license key) for use solely on
       failover purposes free of charge. Other failover and/or load balancing use
       cases will not be eligible for this exception, and a separate license key
       would have to be acquired to satisfy the licensing requirements. To request
       a license exception, please file a support ticket in the OpenVPN Access
       Server ticketing system. A staff member will be responsible for determining
       exception eligibility, and we reserve the right to decline any requests not
       meeting our eligibility criteria, or requests which we believe may be
       fraudulent in nature.
    8. Activating a license key ties it to the specific hardware/software
       combination that it was activated on, and activated license keys are
       nontransferable. Substantial software and/or hardware changes may
       invalidate an activated license. In case of substantial software and/or
       hardware changes, caused by for example, but not limited to failure and
       subsequent repair or alterations of (virtualized) hardware/software, our
       software product will automatically attempt to contact our online licensing
       systems to renegotiate the licensing state. On any given license key, you
       are limited to three (3) automatic renegotiations within the license key
       lifetime. After these renegotiations are exhausted, the license key is
       considered invalid, and the activation state will be locked to the last
       valid system configuration it was activated on. OpenVPN Inc.reserves the
       right to grant exceptions to this policy for license holders under
       extenuating circumstances, and such exceptions can be requested through a
       ticket via the OpenVPN Access Server ticketing system.
    9. Once an activated license key expires or becomes invalid, the concurrency
       limit on our software product will decrease by the amount of concurrent
       connections previously granted by the license key. If all of your purchased
       license key(s) have expired, the product will revert to demonstration mode,
       which allows a maximum of two (2) concurrent users to be connected to your
       server. Prior to your license expiration date(s), OpenVPN Inc. will attempt
       to remind you to renew your license(s) by sending periodic email messages
       to the licensee email address on record. You are solely responsible for
       the timely renewal of your license key(s) prior to their expiration if
       continued operation is expected after the license expiration date(s).
       OpenVPN Inc. will not be responsible for any misdirected and/or undeliverable
       email messages, nor does it have an obligation to contact you regarding
       your expiring license keys.
   10. Any valid license key holder is entitled to use our ticketing system for
       support questions or issues specifically related to the OpenVPN Access
       Server product. To file a ticket, go to our website at http://openvpn.net/
       and sign in using the account that was registered and used to purchase the
       license key(s). You can then access the support ticket system through our
       website and submit a support ticket. Tickets filed in the ticketing system
       are answered on a best-effort basis. OpenVPN Inc. staff
       reserve the right to limit responses to users of our demo / expired
       licenses, as well as requests that substantively deviate from the OpenVPN
       Access Server product line. Tickets related to the open source version of
       OpenVPN will not be handled here.
   11. Purchasing a license key does not entitle you to any special rights or
       privileges, except the ones explicitly outlined in this user agreement.
       Unless otherwise arranged prior to your purchase with OpenVPN,
       Inc., software maintenance costs and terms are subject to change after your
       initial purchase without notice. In case of price decreases or special
       promotions, OpenVPN Inc. will not retrospectively apply
       credits or price adjustments toward any licenses that have already been
       issued. Furthermore, no discounts will be given for license maintenance
       renewals unless this is specified in your contract with OpenVPN Inc.

Please enter 'yes' to indicate your agreement [no]: yes

Once you provide a few initial configuration settings,
OpenVPN Access Server can be configured by accessing
its Admin Web UI using your Web browser.

Will this be the primary Access Server node?
(enter 'no' to configure as a backup or standby node)
> Press ENTER for default [yes]:

Please specify the network interface and IP address to be
used by the Admin Web UI:
(1) all interfaces: 0.0.0.0
(2) ens5: 172.31.0.18
Please enter the option number from the list above (1-2).
> Press Enter for default [1]:

Please specify the port number for the Admin Web UI.
> Press ENTER for default [943]:

Please specify the TCP port number for the OpenVPN Daemon
> Press ENTER for default [443]:

Should client traffic be routed by default through the VPN?
> Press ENTER for default [no]:

Should client DNS traffic be routed by default through the VPN?
> Press ENTER for default [no]:

Use local authentication via internal DB?
> Press ENTER for default [yes]:

Private subnets detected: ['172.31.0.0/16']

Should private subnets be accessible to clients by default?
> Press ENTER for EC2 default [yes]:

To initially login to the Admin Web UI, you must use a
username and password that successfully authenticates you
with the host UNIX system (you can later modify the settings
so that RADIUS or LDAP is used for authentication instead).

You can login to the Admin Web UI as "openvpn" or specify
a different user account to use for this purpose.

Do you wish to login to the Admin UI as "openvpn"?
> Press ENTER for default [yes]:

> Please specify your Activation key (or leave blank to specify later):



Initializing OpenVPN...
Removing Cluster Admin user login...
userdel "admin_c"
Adding new user login...
useradd -s /sbin/nologin "openvpn"
Writing as configuration file...
Perform sa init...
Wiping any previous userdb...
Creating default profile...
Modifying default profile...
Adding new user to userdb...
Modifying new user as superuser in userdb...
Getting hostname...
Hostname: 3.36.120.182
Preparing web certificates...
Getting web user account...
Adding web group account...
Adding web group...
Adjusting license directory ownership...
Initializing confdb...
Generating PAM config...
Enabling service
Starting openvpnas...

NOTE: Your system clock must be correct for OpenVPN Access Server
to perform correctly.  Please ensure that your time and date
are correct on this system.

Initial Configuration Complete!

You can now continue configuring OpenVPN Access Server by
directing your Web browser to this URL:

https://3.36.120.182:943/admin
Login as "openvpn" with the same password used to authenticate
to this UNIX host.

During normal operation, OpenVPN AS can be accessed via these URLs:
Admin  UI: https://3.36.120.182:943/admin
Client UI: https://3.36.120.182:943/

See the Release Notes for this release at:
   https://openvpn.net/vpn-server-resources/release-notes/

 

서버 설치는 이렇게 간단하게 완료 되었습니다.
admin 페이지 URL을 잘 확인해둡시다! 명령어 마지막 부분에 있습니다.

NOTE: Your system clock must be correct for OpenVPN Access Server
to perform correctly.  Please ensure that your time and date
are correct on this system.

Initial Configuration Complete!

You can now continue configuring OpenVPN Access Server by
directing your Web browser to this URL:

https://3.36.120.182:943/admin
Login as "openvpn" with the same password used to authenticate
to this UNIX host.

During normal operation, OpenVPN AS can be accessed via these URLs:
Admin  UI: https://3.36.120.182:943/admin
Client UI: https://3.36.120.182:943/

이제, 관리자 계정인 OpenVPN의 비밀번호를 생성합니다.

openvpnas@ip-172-31-0-18:~$ sudo passwd openvpn
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

이제 정말 완료되었습니다. 다음 단계로 넘어갑시다. 🤗

 

---

2. OpenVPN 사용자 생성하기

---

먼저, 관리자 페이지에 로그인 합니다.
웹브라우저를 하나 키고 관리자 페이지에 접속합니다.

위에서 생성했던 openvpn 계정의 비밀번호를 입력합니다.
처음 로그인 시에는 약관이 나오는데, 동의하고 바로 다음으로 넘어갑니다.

왼쪽 네비게이션 바 User Management > User Permissions 을 클릭하고, 
사용자를 새로 생성하겠습니다.

저는 user01 사용자를 생성할 예정이며, 비밀번호만 추가로 입력해주고 "Save Settings"를 클릭합니다.

이 다음 단계에서 "Update Running Server"를 클릭합니다.

이제 사용자 생성이 완료되었습니다! 
다음 단계로 넘어갑니다.

---

3. 사용자 로그인 하기

---

사용자로 로그인 합니다.
사용자URL은 관리자URL에서 뒤에 admin만 제거하면 됩니다.

사용자로 로그인 하면, Client를 다운받을 수 있습니다. (비밀번호도 변경 가능하네요😊)
저는 MacOS를 사용하기 때문에 알맞는 클라이언트를 다운받아 설치했습니다.

아래 그램 순서대로 진행해주시면 됩니다.
Invalid Certificate 경고창이 나올텐데, 사설인증서라 나오는 팝업입니다. Accept 해주세요🤗

VPN 연결이 모두 완료 되었습니다.
이제 물리적으로는 회사/집 이지만, 논리적으로는 VPC 내부 네트워크에 들어와있는것과 같습니다.

---

 

다음 포스팅에서는 OpenVPN에 MFA를 설정해보겠습니다!

다음포스팅 보러가기

[openVPN #2] 무료버전 OpenVPN에 MFA 설정하기!