sudo vim \/etc\/openvpn\/easy-rsa\/vars<\/code><\/pre>\n\n\n\nEASYRSA_KEY_SIZE \u306e\u5024\u3092\u30c7\u30d5\u30a9\u30eb\u30c8\u306e 2048 \u304b\u3089 4096 \u306b\u5909\u66f4\u3057\u3066\u9375\u9577\u3092\u9577\u304f\u3057\u3066\u304a\u304d\u307e\u3059\u3002<\/p>\n\n\n\n
EASYRSA_CERT_EXPIRE \u306e\u5024\u3092\u30c7\u30d5\u30a9\u30eb\u30c8\u306e 825 \u304b\u3089 3650 \u306b\u3057\u3066\u8a3c\u660e\u66f8\u306e\u6709\u52b9\u671f\u9650\u3092\u9577\u304f\u3057\u3066\u304a\u304d\u307e\u3059\u3002<\/p>\n\n\n\n
\u30eb\u30fc\u30c8\u30e6\u30fc\u30b6\u30fc\u306b\u5909\u66f4\u3057\u3066\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3067 PKI \u3092\u4f5c\u6210\u3057\u307e\u3059\u3002<\/p>\n\n\n\n
sudo su -\ncd \/etc\/openvpn\/easy-rsa\/\n.\/easyrsa init-pki\n.\/easyrsa build-ca<\/code><\/pre>\n\n\n\nCA \u7528\u306e\u30ad\u30fc\u306e\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u5165\u529b\u3092\u6c42\u3081\u3089\u308c\u308b\u306e\u3067\u5165\u529b\u3057\u307e\u3059\u3002\u3053\u3053\u3067\u306e\u30d1\u30b9\u30ef\u30fc\u30c9\u5165\u529b\u306f\u79d8\u5bc6\u9375\u304c\u5e73\u6587\u3067\u8868\u793a\u3055\u308c\u308b\u306e\u3092\u9632\u304e\u307e\u3059\u3002<\/p>\n\n\n\n
CA \u306e\u540d\u524d\u306e\u5165\u529b\u3092\u6c42\u3081\u3089\u308c\u307e\u3059\u304c Enter \u30ad\u30fc\u306e\u5165\u529b\u3067\u30c7\u30d5\u30a9\u30eb\u30c8\u5024\u3092\u8a2d\u5b9a\u3057\u307e\u3059\u3002<\/p>\n\n\n\n
<\/span>\u30b5\u30fc\u30d0\u30fc\u7528\u306e\u9375\u3068\u8a3c\u660e\u66f8\u3092\u4f5c\u6210<\/span><\/h2>\n\n\n\n\u5f15\u304d\u7d9a\u304d\u30eb\u30fc\u30c8\u30e6\u30fc\u30b6\u30fc\u3067\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u3066\u30b5\u30fc\u30d0\u30fc\u7528\u306e\u9375\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002<\/p>\n\n\n\n
\u4f5c\u6210\u5f8c\u306b\u540d\u524d\u306e\u5165\u529b\u3092\u6c42\u3081\u3089\u308c\u307e\u3059\u304c Enter \u30ad\u30fc\u3067\u30c7\u30d5\u30a9\u30eb\u30c8\u5024\u3092\u8a2d\u5b9a\u3057\u307e\u3059\u3002<\/p>\n\n\n\n
.\/easyrsa gen-req <SERVER_NAME> nopass<\/code><\/pre>\n\n\n\n\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3067 Diffie Hellman \u30d1\u30e9\u30e1\u30fc\u30bf\u30fc\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002OpenVPN \u30b5\u30fc\u30d0\u30fc\u306b\u5fc5\u8981\u3067\u3059\u3002<\/p>\n\n\n\n
.\/easyrsa gen-dh<\/code><\/pre>\n\n\n\n\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3067\u30b5\u30fc\u30d0\u30fc\u7528\u306e\u8a3c\u660e\u66f8\u3092 CA \u304b\u3089\u767a\u884c\u3057\u307e\u3059\u3002\u767a\u884c\u6642\u306b CA \u306e\u9375\u306e\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u5165\u529b\u3057\u307e\u3059\u3002<\/p>\n\n\n\n
.\/easyrsa sign-req server <SERVER_NAME><\/code><\/pre>\n\n\n\n\u4f5c\u6210\u3057\u305f CA \u306e\u8a3c\u660e\u66f8\u3001\u30b5\u30fc\u30d0\u30fc\u7528\u306e\u9375\u3068\u8a3c\u660e\u66f8\u3001DH \u30d1\u30e9\u30e1\u30fc\u30bf\u30fc\u3092 \/etc\/openvpn\/ \u306b\u30b3\u30d4\u30fc\u3057\u307e\u3059\u3002<\/p>\n\n\n\n
cp pki\/dh.pem pki\/ca.crt pki\/issued\/<SERVER_NAME>.crt pki\/private\/<SERVER_NAME>.key \/etc\/openvpn\/<\/code><\/pre>\n\n\n\n<\/span>\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u7528\u306e\u8a3c\u660e\u66f8\u3092\u4f5c\u6210<\/span><\/h2>\n\n\n\n\u5f15\u304d\u7d9a\u304d\u30eb\u30fc\u30c8\u30e6\u30fc\u30b6\u30fc\u3067\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u3066\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u7528\u306e\u8a3c\u660e\u66f8\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002<CLIENT_NAME> \u90e8\u5206\u3092\u5909\u66f4\u3057\u3066\u5fc5\u8981\u306a\u30e6\u30fc\u30b6\u30fc\u306e\u6570\u3060\u3051\u767a\u884c\u3057\u307e\u3059\u3002<\/p>\n\n\n\n
.\/easyrsa gen-req <CLIENT_NAME> nopass\n.\/easyrsa sign-req client <CLIENT_NAME><\/code><\/pre>\n\n\n\n\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u7528\u306e\u8a3c\u660e\u66f8\u306e\u767a\u884c\u304c\u7d42\u308f\u3063\u305f\u3089\u30eb\u30fc\u30c8\u30e6\u30fc\u30b6\u30fc\u304b\u3089\u4e00\u822c\u30e6\u30fc\u30b6\u30fc\u306b\u623b\u308a\u307e\u3059\u3002<\/p>\n\n\n\n
<\/span>\u30b5\u30fc\u30d0\u30fc\u3092\u8a2d\u5b9a<\/span><\/h2>\n\n\n\n\u30b5\u30fc\u30d0\u30fc\u306e\u8a2d\u5b9a\u30d5\u30a1\u30a4\u30eb\u3092\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u304b\u3089\u30b3\u30d4\u30fc\u3057\u307e\u3059\u3002<\/p>\n\n\n\n
sudo cp \/usr\/share\/doc\/openvpn\/examples\/sample-config-files\/server.conf \/etc\/openvpn\/server.conf<\/code><\/pre>\n\n\n\n\u8ffd\u52a0\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u8a2d\u5b9a tls-auth \u3067\u4f7f\u7528\u3059\u308b\u30ad\u30fc\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002<\/p>\n\n\n\n
cd \/etc\/openvpn\nsudo openvpn --genkey tls-auth ta.key<\/code><\/pre>\n\n\n\n\/etc\/openvpn\/server.conf \u3092\u7de8\u96c6\u3057\u3066\u30b5\u30fc\u30d0\u30fc\u306e\u8a2d\u5b9a\u3092\u5909\u66f4\u3057\u307e\u3059\u3002<\/p>\n\n\n\n
sudo vim \/etc\/openvpn\/server.conf<\/code><\/pre>\n\n\n\n\u4ee5\u4e0b\u306e\u9375\u3068\u8a3c\u660e\u66f8\u306e\u30d5\u30a1\u30a4\u30eb\u540d\u304c\u5b9f\u969b\u306b\u5b58\u5728\u3057\u3066\u3044\u308b\u30d5\u30a1\u30a4\u30eb\u3068\u4e00\u81f4\u3059\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3057\u307e\u3059\u3002<\/p>\n\n\n\n
ca ca.crt\ncert <SERVER_NAME>.crt\nkey <SERVER_NAME>.key\ndh dh.pem<\/code><\/pre>\n\n\n\n\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u5411\u4e0a\u306e\u305f\u3081\u30dd\u30fc\u30c8\u3092\u5909\u66f4\u3057\u3066\u304a\u304d\u307e\u3059\u3002<\/p>\n\n\n\n
port 11940<\/code><\/pre>\n\n\n\n\u4ee5\u4e0b\u306e\u884c\u306e\u30b3\u30e1\u30f3\u30c8\u30a2\u30a6\u30c8\u3092\u89e3\u9664\u3057\u307e\u3059\u3002<\/p>\n\n\n\n
;tls-auth ta.key 0<\/code><\/pre>\n\n\n\nVPN \u7528\u306e\u30b5\u30d6\u30cd\u30c3\u30c8\u3092\u5909\u66f4\u3057\u305f\u3044\u5834\u5408\u306f\u4ee5\u4e0b\u3092\u5909\u66f4\u3057\u307e\u3059\u3002<\/p>\n\n\n\n
server 10.8.0.0 255.255.255.0<\/code><\/pre>\n\n\n\n\u4ee5\u4e0b\u306e\u884c\u306e\u30b3\u30e1\u30f3\u30c8\u30a2\u30a6\u30c8\u3092\u89e3\u9664\u3057\u3066\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u304c VPN \u7d4c\u7531\u3067\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u3078\u30a2\u30af\u30bb\u30b9\u3059\u308b\u3088\u3046\u306b\u3057\u307e\u3059\u3002<\/p>\n\n\n\n
;push \"redirect-gateway def1 bypass-dhcp\"<\/code><\/pre>\n\n\n\nVPN \u63a5\u7d9a\u3067\u4f7f\u7528\u3059\u308b DNS \u30b5\u30fc\u30d0\u30fc\u306e IP \u3092\u6307\u5b9a\u3057\u307e\u3059\u3002<\/p>\n\n\n\n
push \"dhcp-option DNS 8.8.8.8\"\npush \"dhcp-option DNS 8.8.4.4\"<\/code><\/pre>\n\n\n\n\u4ee5\u4e0b\u306e\u884c\u3092\u7de8\u96c6\u3057\u3066\u5f31\u3044\u6697\u53f7\u65b9\u5f0f\u304c\u4f7f\u7528\u3055\u308c\u306a\u3044\u3088\u3046\u306b\u3057\u307e\u3059\u3002<\/p>\n\n\n\n
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305<\/code><\/pre>\n\n\n\n\u4ee5\u4e0b\u306e\u884c\u3092\u8ffd\u52a0\u3057\u3066\u5f31\u3044\u6697\u53f7\u65b9\u5f0f\u304c\u4f7f\u7528\u3055\u308c\u306a\u3044\u3088\u3046\u306b\u3057\u307e\u3059\u3002<\/p>\n\n\n\n
auth SHA256\ntls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256<\/code><\/pre>\n\n\n\nIP \u30d1\u30b1\u30c3\u30c8\u304c\u30d5\u30e9\u30b0\u30e1\u30f3\u30c8\u5316\u3055\u308c\u308b\u3068\u9014\u4e2d\u306e\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u6a5f\u5668\u3067\u30d1\u30b1\u30c3\u30c8\u304c\u7834\u68c4\u3055\u308c\u3066\u63a5\u7d9a\u3067\u304d\u306a\u3044\u30b5\u30fc\u30d0\u30fc\u304c\u51fa\u3066\u304d\u307e\u3059\u3002\u4ee5\u4e0b\u306e\u8a2d\u5b9a\u3092\u8ffd\u52a0\u3057\u3066\u30d1\u30b1\u30c3\u30c8\u30b5\u30a4\u30ba\u3092\u5c0f\u3055\u304f\u3057\u307e\u3059\u3002<\/p>\n\n\n\n
# To avoid IP packet fragment error. Client config must have the same setting\ntun-mtu 1500\n# Client config should have the below related to packet fragmentation issue\n# mssfix 1400<\/code><\/pre>\n\n\n\n