To make future upgrades easier, the OpenVPN server here is installed with yum rather than compiled from source. Before installing OpenVPN with yum, install the rpmforge package (see: http://www.groad.net/bbs/read.php?tid-6938.html); without it, the default yum repositories carry no OpenVPN package.
Then install openssl and OpenVPN:
# yum -y install openvpn openssl openssl-devel
Once OpenVPN is installed, the directory /etc/openvpn is created automatically; we will use it to hold the certificates, keys and the server configuration file.
Next we generate the CA certificate, the server certificate, the client certificate and the related private keys.
1. Copy the relevant files into /etc/openvpn and make the scripts executable
# cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/
# chmod u+x /etc/openvpn/easy-rsa/2.0/*
2. Edit the vars file
The vars file lives in /etc/openvpn/easy-rsa/2.0. Adjust the variables KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL in it to match your own details, so that you are not asked to type the same values again and again while generating certificates. For example:
export KEY_PROVINCE="HaiNan"
export KEY_CITY="WenChang"
export KEY_ORG="Groad"
export KEY_EMAIL="vpnmaster@groad.net"
#export KEY_EMAIL=mail@host.domain
export KEY_CN=ca.qunet.info
export KEY_NAME=ca.qunet.info
export KEY_OU=Dev
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
3. Generate the CA certificate
# source ./vars
-bash: /etc/openvpn/easy-rsa/2.0/whichopensslcnf: Permission denied
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
# ./clean-all
# ./build-ca
Generating a 1024 bit RSA private key
.....++++++
..................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HaiNan]:
Locality Name (eg, city) [WenChang]:
Organization Name (eg, company) [Groad]:
Organizational Unit Name (eg, section) [Dev]:
Common Name (eg, your name or your server's hostname) [ca.qunet.info]:
Name [ca.qunet.info]:
Email Address [vpnmaster@groad.net]:
Because vars has already been edited and sourced, you can simply press Enter at every build-ca prompt. When it finishes, the keys directory contains ca.crt and ca.key: the former is the root CA certificate, the latter is the CA private key used to sign the other certificates.
4. Generate the server certificate and private key
# ./build-key-server server
Generating a 1024 bit RSA private key
....++++++
.......................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HaiNan]:
Locality Name (eg, city) [WenChang]:
Organization Name (eg, company) [Groad]:
Organizational Unit Name (eg, section) [Dev]:
Common Name (eg, your name or your server's hostname) [server]:ca.qunet.info
Name [ca.qunet.info]:
Email Address [vpnmaster@groad.net]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-0.9.8.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'HaiNan'
localityName :PRINTABLE:'WenChang'
organizationName :PRINTABLE:'Groad'
organizationalUnitName:PRINTABLE:'Dev'
commonName :PRINTABLE:'ca.qunet.info'
name :PRINTABLE:'ca.qunet.info'
emailAddress :IA5STRING:'vpnmaster@groad.net'
Certificate is to be certified until May 1 05:39:04 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
5. Generate the client certificate and private key
# ./build-key WIN-AFDEJ8TS1B0
Generating a 1024 bit RSA private key
....................++++++
.............++++++
writing new private key to 'WIN-AFDEJ8TS1B0.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HaiNan]:
Locality Name (eg, city) [WenChang]:
Organization Name (eg, company) [Groad]:
Organizational Unit Name (eg, section) [Dev]:
Common Name (eg, your name or your server's hostname) [WIN-AFDEJ8TS1B0]:
Name [ca.qunet.info]:WIN-AFDEJ8TS1B0
Email Address [vpnmaster@groad.net]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-0.9.8.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'HaiNan'
localityName :PRINTABLE:'WenChang'
organizationName :PRINTABLE:'Groad'
organizationalUnitName:PRINTABLE:'Dev'
commonName :PRINTABLE:'WIN-AFDEJ8TS1B0'
name :PRINTABLE:'WIN-AFDEJ8TS1B0'
emailAddress :IA5STRING:'vpnmaster@groad.net'
Certificate is to be certified until May 1 05:47:25 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
6. Generate the Diffie-Hellman parameters required by the server
# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..+....+........................
..............++*++*++*
7. Generate the HMAC firewall key
To defend against malicious attacks, also generate an HMAC firewall key (used by the tls-auth directive below). HMAC is a keyed-hash message authentication code.
# openvpn --genkey --secret keys/ta.key
8. Edit the server configuration file
# vim /etc/openvpn/server.conf
local 173.242.117.244
port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 192.168.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway"
push "dhcp-option DNS 8.8.8.8"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
status openvpn-status.log
log openvpn.log
verb 4
9. iptables firewall rules
# iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE
# /etc/init.d/iptables save
10. Start the openvpn service at boot
# echo "/usr/sbin/openvpn --config /etc/openvpn/server.conf &" >> /etc/rc.local
11. Download and install the client
The client downloads are listed at: http://swupdate.openvpn.org/community/releases/
Note that you must download a client version that matches the server version. Installation is straightforward: click Next all the way through.
12. Client configuration file and certificate installation
Copy the CA certificate (ca.crt), the client certificate (WIN-AFDEJ8TS1B0.crt) and the client private key (WIN-AFDEJ8TS1B0.key) generated earlier into the config folder under the OpenVPN installation directory (a Windows client is used here). Then double-click and import the two certificates ca.crt and WIN-AFDEJ8TS1B0.crt:
Choose "Install Certificate", then "Next", and then pick the option shown in the screenshot:
Click "Browse" and tick "Show physical stores" as in the screenshot:
Place the certificate in "Local Computer":
Once both certificates are imported, write the client configuration file with the following content:
# The next three lines are required for this client to talk to the server.conf above:
# TLS client mode with pull, the same device type (tun) and the same transport (tcp).
client
dev tun
proto tcp
remote ca.qunet.info 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert WIN-AFDEJ8TS1B0.crt
key WIN-AFDEJ8TS1B0.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
route-delay 2
route-method exe
verb 4
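The server and client configuration files have to agree on transport, device type, port and tls-auth key direction, and the client must run in TLS client mode and check the server certificate's purpose (ns-cert-type server). The checker below is an added example, not code from this post or from the OpenVPN project; it embeds a constructed, abridged copy of this post's server config and a client config that omits client, dev and proto, and reports every mismatch it finds.

```python
"""Cross-check an OpenVPN server config against a client config (added example)."""
import shlex

def parse(conf):
    """Map each directive to the args of its first occurrence; '#' starts a comment."""
    out = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            out.setdefault(parts[0], parts[1:])
    return out

def check_pair(server_conf, client_conf):
    """Return a list of human-readable findings; an empty list means the pair agrees."""
    s, c = parse(server_conf), parse(client_conf)
    findings = []
    # Transport must match; OpenVPN defaults to udp when proto is absent.
    sp, cp = s.get("proto", ["udp"])[0], c.get("proto", ["udp"])[0]
    if sp != cp:
        findings.append(f"proto mismatch: server {sp}, client {cp}")
    # Device type must match: a tun server cannot talk to a tap client ('tun0' -> 'tun').
    sd, cd = s.get("dev", [""])[0][:3], c.get("dev", [""])[0][:3]
    if sd != cd:
        findings.append(f"dev mismatch: server '{sd or 'unset'}', client '{cd or 'unset'}'")
    # The port on the client's remote line must equal the server port (default 1194).
    remote = c.get("remote", [])
    sport, rport = s.get("port", ["1194"])[0], remote[1] if len(remote) > 1 else "1194"
    if sport != rport:
        findings.append(f"port mismatch: server {sport}, client remote {rport}")
    # tls-auth must be present on both sides with opposite key directions (0 / 1).
    st, ct = s.get("tls-auth"), c.get("tls-auth")
    if not st or not ct:
        findings.append("tls-auth missing on " + ("server" if not st else "client"))
    elif (st + ["0"])[1] == (ct + ["0"])[1]:
        findings.append("tls-auth key directions are not complementary (0 on server, 1 on client)")
    # The server runs in TLS mode, so the client needs 'client' (tls-client + pull).
    if "client" not in c and "tls-client" not in c:
        findings.append("client lacks 'client'/'tls-client'")
    # Without this the client would accept any CA-signed certificate as the server's.
    if "ns-cert-type" not in c and "remote-cert-tls" not in c:
        findings.append("client lacks 'ns-cert-type server' / 'remote-cert-tls server'")
    return findings

# Constructed samples: abridged server lines from this post, and a client config
# that omits 'client', 'dev' and 'proto' (proto then defaults to udp).
SERVER = "port 1194\nproto tcp\ndev tun\nserver 192.168.10.0 255.255.255.0\ntls-auth keys/ta.key 0\n"
CLIENT_BARE = "remote ca.qunet.info 1194\nca ca.crt\nns-cert-type server\ntls-auth ta.key 1\n"
CLIENT_FIXED = "client\ndev tun\nproto tcp\n" + CLIENT_BARE
```

Run check_pair(SERVER, CLIENT_BARE) to see the three findings for the bare client, and check_pair(SERVER, CLIENT_FIXED) to confirm that adding the three directives clears them.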
Finally, restart the OpenVPN service on the Linux server, then open the Windows OpenVPN client, right-click it and choose "Connect". Barring surprises, the connection now succeeds: