[CentOS] Setting up an OpenVPN server

Posted by GROAD on 2012-5-3 15:02:45
To make future upgrades easier, this OpenVPN server is installed with yum rather than compiled from source. Before installing OpenVPN with yum, install the rpmforge package first (see: http://www.groad.net/bbs/read.php?tid-6938.html); without it, the default yum repositories do not carry an OpenVPN package.


Next install openssl, OpenVPN and the related packages:
# yum -y install openvpn openssl openssl-devel
Once OpenVPN is installed, the /etc/openvpn directory is created automatically; we will use it to hold the certificates, the keys and the server configuration file.


Next, generate the CA certificate, the server certificate, the client certificate and their private keys.

1. Copy the relevant files into /etc/openvpn and make the scripts executable
# cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/
# chmod u+x  /etc/openvpn/easy-rsa/2.0/*


2. Edit the vars file
The vars file is in /etc/openvpn/easy-rsa/2.0. Adjust its main variables to your situation: KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL. This avoids having to type the same answers interactively every time a certificate is generated, e.g.:
export KEY_PROVINCE="HaiNan"
export KEY_CITY="WenChang"
export KEY_ORG="Groad"
export KEY_EMAIL="vpnmaster@groad.net"
#export KEY_EMAIL=mail@host.domain
export KEY_CN=ca.qunet.info
export KEY_NAME=ca.qunet.info
export KEY_OU=Dev
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234

3. Generate the CA certificate
# source ./vars
-bash: /etc/openvpn/easy-rsa/2.0/whichopensslcnf: Permission denied
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys

# ./clean-all

# ./build-ca
Generating a 1024 bit RSA private key
.....++++++
..................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HaiNan]:
Locality Name (eg, city) [WenChang]:
Organization Name (eg, company) [Groad]:
Organizational Unit Name (eg, section) [Dev]:
Common Name (eg, your name or your server's hostname) [ca.qunet.info]:
Name [ca.qunet.info]:
Email Address [vpnmaster@groad.net]:
Because the vars file has already been edited and sourced, you can just press Enter at every prompt of build-ca. When it finishes, the keys directory contains ca.crt and ca.key: the former is the root CA certificate, the latter its private key, which is used to sign the other certificates.

4. Generate the server certificate and private key
# ./build-key-server server
Generating a 1024 bit RSA private key
....++++++
.......................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HaiNan]:
Locality Name (eg, city) [WenChang]:
Organization Name (eg, company) [Groad]:
Organizational Unit Name (eg, section) [Dev]:
Common Name (eg, your name or your server's hostname) [server]:ca.qunet.info
Name [ca.qunet.info]:
Email Address [vpnmaster@groad.net]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-0.9.8.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'HaiNan'
localityName          :PRINTABLE:'WenChang'
organizationName      :PRINTABLE:'Groad'
organizationalUnitName:PRINTABLE:'Dev'
commonName            :PRINTABLE:'ca.qunet.info'
name                  :PRINTABLE:'ca.qunet.info'
emailAddress          :IA5STRING:'vpnmaster@groad.net'
Certificate is to be certified until May  1 05:39:04 2022 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

5. Generate the client certificate and private key
# ./build-key WIN-AFDEJ8TS1B0
Generating a 1024 bit RSA private key
....................++++++
.............++++++
writing new private key to 'WIN-AFDEJ8TS1B0.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HaiNan]:
Locality Name (eg, city) [WenChang]:
Organization Name (eg, company) [Groad]:
Organizational Unit Name (eg, section) [Dev]:
Common Name (eg, your name or your server's hostname) [WIN-AFDEJ8TS1B0]:
Name [ca.qunet.info]:WIN-AFDEJ8TS1B0
Email Address [vpnmaster@groad.net]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-0.9.8.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'HaiNan'
localityName          :PRINTABLE:'WenChang'
organizationName      :PRINTABLE:'Groad'
organizationalUnitName:PRINTABLE:'Dev'
commonName            :PRINTABLE:'WIN-AFDEJ8TS1B0'
name                  :PRINTABLE:'WIN-AFDEJ8TS1B0'
emailAddress          :IA5STRING:'vpnmaster@groad.net'
Certificate is to be certified until May  1 05:47:25 2022 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

6. Generate the Diffie-Hellman parameters the server needs
# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..+....+........................
..............++*++*++*

7. Generate the HMAC firewall key
To defend against malicious attacks, also generate an HMAC firewall key (used by tls-auth). HMAC is a keyed-hash message authentication code.
# openvpn --genkey --secret keys/ta.key

8. Edit the server configuration file
# vim /etc/openvpn/server.conf
local 173.242.117.244
port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem

server 192.168.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway"
push "dhcp-option DNS 8.8.8.8"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
status openvpn-status.log
log openvpn.log
verb 4

9. iptables firewall settings
# iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE

# /etc/init.d/iptables save

10. Start the openvpn service at boot
# echo "/usr/sbin/openvpn --config /etc/openvpn/server.conf &" >> /etc/rc.local

11. Download and install the client
The client downloads are at: http://swupdate.openvpn.org/community/releases/
Note that the client version you download must match the server version. Installation is straightforward: just click Next all the way through.

12. Client configuration file and certificate installation
Copy the CA certificate (ca.crt), the client certificate (WIN-AFDEJ8TS1B0.crt) and the client private key (WIN-AFDEJ8TS1B0.key) generated earlier into the config folder under the OpenVPN installation directory (a Windows client is used here). Then double-click to install and import the two certificates ca.crt and WIN-AFDEJ8TS1B0.crt:

Choose "Install Certificate", then "Next", and select as shown below:

Click "Browse", then tick "Show physical stores" as in the picture below:

Store the certificate under "Local Computer":


Once both certificates are imported, write the client configuration file with the following content:
# client, dev tun and proto tcp were missing from the posted file; a client defaults to udp
# and would never reach a server configured with proto tcp
client
dev tun
proto tcp
remote ca.qunet.info 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert WIN-AFDEJ8TS1B0.crt
key WIN-AFDEJ8TS1B0.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
route-delay 2
route-method exe
verb 4

Finally, restart the OpenVPN service on the Linux server, then double-click the Windows OpenVPN client, right-click and choose "Connect". Barring surprises, it connects successfully:
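The checker below is added here and is not part of the post or of OpenVPN: it parses a server.conf and a client file of the shape shown in steps 8 and 12 and reports the mismatches that most often stop a first connection (transport, port, tls-auth key direction) plus two weaknesses a reviewer would flag. The two configurations embedded in it are constructed from the post's files, and the dh1024.pem warning reflects the 1024-bit KEY_SIZE default of easy-rsa 2.0.

```python
import re

# Constructed samples modelled on the post's server.conf and client file; not the posted files verbatim.
SERVER_CONF = """\
port 1194
proto tcp
dev tun
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
comp-lzo
"""
CLIENT_CONF = """\
client
remote ca.qunet.info 1194
proto tcp
dev tun
ns-cert-type server
tls-auth ta.key 1
comp-lzo
"""


def parse(text):
    """Map each directive to its argument list; '#' and ';' comments are dropped."""
    conf = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            conf[name] = args
    return conf


def check_pair(server_text, client_text):
    """Return (severity, message) findings; 'error' stops the tunnel, 'warn' weakens it."""
    s, c = parse(server_text), parse(client_text)
    # proto defaults to udp on both sides; 'tcp-client' and 'tcp-server' count as tcp
    sproto, cproto = (x.get("proto", ["udp"])[0].split("-")[0] for x in (s, c))
    remote, sta, cta = c.get("remote", []), s.get("tls-auth", []), c.get("tls-auth", [])
    dh = re.search(r"dh(\d+)\.pem", " ".join(s.get("dh", [])))
    checks = [  # (severity, message, condition that raises the finding)
        ("error", "client file lacks the 'client' directive", "client" not in c),
        ("error", "proto mismatch between server and client", sproto != cproto),
        ("error", "port in 'remote' differs from the server's 'port'",
         (remote[1:2] or ["1194"]) != s.get("port", ["1194"])),
        ("error", "tls-auth must be on both sides with opposite directions (server 0, client 1)",
         bool(sta) != bool(cta) or (sta and sta[1:] == cta[1:])),
        ("warn", "client lacks 'ns-cert-type server'", c.get("ns-cert-type") != ["server"]),
        ("warn", "DH parameters under 2048 bits; raise KEY_SIZE in vars before build-dh",
         dh is not None and int(dh.group(1)) < 2048),
    ]
    return [(sev, msg) for sev, msg, hit in checks if hit]
```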
