1. Overview
Using the Azure edition of VyOS, we configure it so that a specific subnet inside Azure can be reached over a VPN.
2. Version
The VyOS available from the Azure Marketplace is, at the time of writing, the version shown below. Unlike on-premises VyOS, it cannot be upgraded to a newer version.
show version
Version: VyOS 1.4.3
Release train: sagitta
Release flavor: azure
Built by: autobuild@vyos.net
Built on: Tue 08 Jul 2025 08:28 UTC
Build UUID: XXXXXXXX
Build commit ID: XXXXXXXX
Architecture: x86_64
Boot via: installed image
System type: Microsoft Hyper-V guest
Hardware vendor: Microsoft Corporation
Hardware model: Virtual Machine
Hardware S/N: XXXXXXXX
Hardware UUID: XXXXXXXX
Copyright: VyOS maintainers and contributors

2. Initial configuration
The initial configuration is as follows.
show configuration commands
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 hw-id XXXXXXXX
set interfaces ethernet eth0 mtu '1500'
set interfaces loopback lo
set service ntp allow-client address '127.0.0.0/8'
set service ntp allow-client address '169.254.0.0/16'
set service ntp allow-client address '10.0.0.0/8'
set service ntp allow-client address '172.16.0.0/12'
set service ntp allow-client address '192.168.0.0/16'
set service ntp allow-client address '::1/128'
set service ntp allow-client address 'fe80::/10'
set service ntp allow-client address 'fc00::/7'
set service ntp server time1.vyos.net
set service ntp server time2.vyos.net
set service ntp server time3.vyos.net
set service ssh client-keepalive-interval '180'
set service ssh port '22'
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name 'vyos'
set system login user myadmin authentication public-keys XXXXXXXX key XXXXXXXX
set system login user myadmin authentication public-keys XXXXXXXX type 'ssh-ed25519'
set system syslog global facility all level 'info'
set system syslog global facility local7 level 'debug'

3. Basic configuration
The settings other than OpenVPN are as follows; they are the bare minimum required.
configure
set system name-server 8.8.8.8
delete service ntp
set service ntp server time.google.com
set service ssh disable-password-authentication
delete system conntrack

4. ta.key
Create ta.key. This is the key used by TLS-Auth, and it raises the security of OpenVPN. It is particularly effective when OpenVPN is exposed to the public at large.
openvpn --genkey secret /config/auth/ta.key

5. Importing the TLS certificate and ta.key
Import the TLS certificate and ta.key.
configure
run import pki ca si1230.com file /config/auth/ca.crt
run import pki certificate server.si1230.com file /config/auth/server.si1230.com.crt
run import pki certificate server.si1230.com key-file /config/auth/server.si1230.com.key
run import pki crl si1230.com file /config/auth/crl.pem
run import pki openvpn shared-secret ta file /config/auth/ta.key

See here for how to issue the TLS certificate.
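The file created in section 4 and imported above as the shared secret `ta` is an OpenVPN static key: 2048 random bits, hex-encoded as 16 lines of 32 characters between BEGIN/END markers. With TLS-Auth, OpenVPN HMACs every control-channel packet with part of this key and silently drops packets that fail the check before any TLS handshake work, which is why it helps when the port is reachable by anyone. As an added example, not code from this article, from VyOS or from OpenVPN, the following Python renders and parses that file format, validates a ta.key before it is imported (a truncated or hand-edited file is rejected), and shows which 64-byte HMAC slice each side uses under key-direction 0 (the usual server setting) and 1 (clients). The function names are this example's own, and the sample key is constructed from a fixed byte pattern purely to exercise the code.

```python
"""Render, parse and validate an OpenVPN static key file such as /config/auth/ta.key.

Added example, not code from the article, VyOS or OpenVPN.  The file layout
(a comment header, BEGIN/END markers, 2048 bits as 16 lines of 32 hex chars)
is the one `openvpn --genkey secret` writes.  The sample key below is
constructed from a fixed byte pattern purely to exercise the functions.
"""
import re
from typing import Tuple

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
KEY_BYTES = 256   # 2048 bits
SLICE = 64        # the file holds four 512-bit slices: cipher0, hmac0, cipher1, hmac1


def format_static_key(key: bytes) -> str:
    """Write 256 key bytes in the layout openvpn --genkey uses."""
    if len(key) != KEY_BYTES:
        raise ValueError(f"static key must be {KEY_BYTES} bytes, got {len(key)}")
    hexkey = key.hex()
    lines = [hexkey[i:i + 32] for i in range(0, len(hexkey), 32)]
    header = ["#", "# 2048 bit OpenVPN static key", "#"]
    return "\n".join(header + [BEGIN] + lines + [END]) + "\n"


def parse_static_key(text: str) -> bytes:
    """Return the 256 key bytes, rejecting missing markers, non-hex data and
    keys of the wrong length (a truncated or edited ta.key must not be imported)."""
    lines = [ln.strip() for ln in text.splitlines()]
    if BEGIN not in lines or END not in lines:
        raise ValueError("BEGIN/END marker missing")
    start, end = lines.index(BEGIN), lines.index(END)
    if end <= start:
        raise ValueError("END marker precedes BEGIN marker")
    hexkey = "".join(lines[start + 1:end])
    if not re.fullmatch(r"[0-9a-fA-F]*", hexkey):
        raise ValueError("non-hex data between the markers")
    key = bytes.fromhex(hexkey)  # raises ValueError itself on an odd-length string
    if len(key) != KEY_BYTES:
        raise ValueError(f"key is {len(key) * 8} bits, expected {KEY_BYTES * 8}")
    return key


def tls_auth_hmac_keys(key: bytes, direction: int) -> Tuple[bytes, bytes]:
    """Return (send_hmac_key, receive_hmac_key) for a key-direction.

    OpenVPN reads the file as two key sets, each a 64-byte cipher key followed
    by a 64-byte HMAC key; tls-auth uses only the HMAC keys.  key-direction 0,
    the usual server setting, sends with set 0 and receives with set 1;
    direction 1, the client setting, is the inverse, so the two sides agree.
    """
    if direction not in (0, 1):
        raise ValueError("key-direction must be 0 or 1")
    hmac0 = key[SLICE:2 * SLICE]
    hmac1 = key[3 * SLICE:4 * SLICE]
    return (hmac0, hmac1) if direction == 0 else (hmac1, hmac0)


# Constructed sample key: a fixed byte pattern, never a real secret.
SAMPLE_KEY = bytes(range(KEY_BYTES))
SAMPLE_FILE = format_static_key(SAMPLE_KEY)

if __name__ == "__main__":
    key = parse_static_key(SAMPLE_FILE)
    server_send, server_recv = tls_auth_hmac_keys(key, 0)
    client_send, client_recv = tls_auth_hmac_keys(key, 1)
    print("valid key:", len(key) * 8, "bits")
    print("server send key == client receive key:", server_send == client_recv)
```

To check a real file, pass the contents of /config/auth/ta.key to `parse_static_key`; any `ValueError` means the file should be regenerated rather than imported. The HMAC digest applied with these slices is the one selected by the interface's `hash` setting (`sha512` in section 6).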
6. OpenVPN
Add the OpenVPN configuration.
configure
set interfaces openvpn vtun2000 description openvpn-server
set interfaces openvpn vtun2000 hash sha512
set interfaces openvpn vtun2000 local-host 192.168.0.200
set interfaces openvpn vtun2000 local-port 22000
set interfaces openvpn vtun2000 mode server
set interfaces openvpn vtun2000 openvpn-option auth-nocache
set interfaces openvpn vtun2000 persistent-tunnel
set interfaces openvpn vtun2000 protocol udp
set interfaces openvpn vtun2000 server name-server 8.8.8.8
set interfaces openvpn vtun2000 server push-route 192.168.0.0/24
set interfaces openvpn vtun2000 server subnet 192.168.210.0/24
set interfaces openvpn vtun2000 server topology subnet
set interfaces openvpn vtun2000 tls auth-key ta
set interfaces openvpn vtun2000 tls ca-certificate si1230.com
set interfaces openvpn vtun2000 tls certificate server.si1230.com
set interfaces openvpn vtun2000 tls role passive
set interfaces openvpn vtun2000 tls tls-version-min 1.3
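As an added example, not part of this article or of VyOS, the following Python audits a VyOS OpenVPN server interface from its `set interfaces openvpn ...` lines (the form `show configuration commands` prints) and flags settings that weaken the tunnel: a missing `tls auth-key` or `tls crypt-key`, a weak or unset `hash` (OpenVPN's default auth digest is SHA1), a `tls-version-min` below 1.2, and a missing CA or server certificate. The check list and function names are this example's own, not a VyOS feature. The server configuration above is embedded as a constructed sample and passes; a copy weakened in three places is included to show what a finding looks like.

```python
"""Audit a VyOS OpenVPN server interface for weak TLS settings.

Added example, not part of the article or of VyOS.  It reads
`set interfaces openvpn <name> ...` lines, the form `show configuration
commands` prints, and reports settings that weaken the tunnel.  The check
list is this example's own; the sample below is the article's server
configuration embedded as a constructed string.
"""
import shlex
from typing import Dict, List

SERVER_CONFIG = """\
set interfaces openvpn vtun2000 description openvpn-server
set interfaces openvpn vtun2000 hash sha512
set interfaces openvpn vtun2000 local-host 192.168.0.200
set interfaces openvpn vtun2000 local-port 22000
set interfaces openvpn vtun2000 mode server
set interfaces openvpn vtun2000 openvpn-option auth-nocache
set interfaces openvpn vtun2000 persistent-tunnel
set interfaces openvpn vtun2000 protocol udp
set interfaces openvpn vtun2000 server name-server 8.8.8.8
set interfaces openvpn vtun2000 server push-route 192.168.0.0/24
set interfaces openvpn vtun2000 server subnet 192.168.210.0/24
set interfaces openvpn vtun2000 server topology subnet
set interfaces openvpn vtun2000 tls auth-key ta
set interfaces openvpn vtun2000 tls ca-certificate si1230.com
set interfaces openvpn vtun2000 tls certificate server.si1230.com
set interfaces openvpn vtun2000 tls role passive
set interfaces openvpn vtun2000 tls tls-version-min 1.3
"""

# The same configuration weakened in three places, to show the findings.
WEAK_CONFIG = (
    SERVER_CONFIG.replace("hash sha512", "hash sha1")
    .replace("tls tls-version-min 1.3", "tls tls-version-min 1.0")
    .replace("set interfaces openvpn vtun2000 tls auth-key ta\n", "")
)

WEAK_HASHES = {"md5", "sha1"}
MIN_TLS = (1, 2)
Nodes = List[List[str]]  # tokens after the interface name, one list per line


def parse_openvpn_config(text: str) -> Dict[str, Nodes]:
    """Group the tokens after the interface name by interface name.
    shlex strips the single quotes that `show configuration commands` adds."""
    interfaces: Dict[str, Nodes] = {}
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if tokens[:3] != ["set", "interfaces", "openvpn"] or len(tokens) < 5:
            continue
        interfaces.setdefault(tokens[3], []).append(tokens[4:])
    return interfaces


def values(nodes: Nodes, *path: str) -> List[str]:
    """Tokens that directly follow `path` on every line starting with it."""
    n = len(path)
    return [t[n] for t in nodes if t[:n] == list(path) and len(t) > n]


def has(nodes: Nodes, *path: str) -> bool:
    return any(t[:len(path)] == list(path) for t in nodes)


def audit_openvpn_server(nodes: Nodes) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    if values(nodes, "mode") != ["server"]:
        findings.append("mode is not 'server'")
    if not (has(nodes, "tls", "auth-key") or has(nodes, "tls", "crypt-key")):
        findings.append("no tls auth-key or crypt-key: control-channel packets "
                        "are processed without an HMAC check")
    hashes = values(nodes, "hash")
    if not hashes:
        findings.append("hash not set: OpenVPN falls back to its SHA1 default")
    elif hashes[0].lower() in WEAK_HASHES:
        findings.append(f"weak hash '{hashes[0]}' for the HMAC")
    tls_min = values(nodes, "tls", "tls-version-min")
    if not tls_min:
        findings.append("tls tls-version-min not set")
    elif tuple(int(p) for p in tls_min[0].split(".")) < MIN_TLS:
        findings.append(f"tls-version-min {tls_min[0]} allows TLS below 1.2")
    if not has(nodes, "tls", "ca-certificate"):
        findings.append("tls ca-certificate missing: client certificates cannot be verified")
    if not has(nodes, "tls", "certificate"):
        findings.append("tls certificate missing: the server has no identity to present")
    return findings


def audit_all(text: str) -> Dict[str, List[str]]:
    """Audit every OpenVPN interface found in the configuration text."""
    return {name: audit_openvpn_server(nodes)
            for name, nodes in parse_openvpn_config(text).items()}


if __name__ == "__main__":
    for label, cfg in (("article", SERVER_CONFIG), ("weakened", WEAK_CONFIG)):
        for name, findings in audit_all(cfg).items():
            print(f"{label} {name}: {findings or 'OK'}")
```

Two Azure-specific points that the configuration itself does not show: `local-host 192.168.0.200` is the VM's private address, so clients connect to the public IP that Azure translates onto it, and the network security group must allow inbound UDP 22000. For hosts on 192.168.0.0/24 to answer clients on 192.168.210.0/24, the VyOS NIC needs IP forwarding enabled in Azure and a route table sending 192.168.210.0/24 to it; otherwise source NAT on VyOS is required.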



