OpenVPN Deployment Guide
Date: 2007-01-24  Source: ppzlyg
1. Features
* SSL VPN solution
* Full support for Layer 2 and Layer 3 connections
* Uses CA-signed certificates for authentication and encryption; a single symmetric (pre-shared) key can be used instead
* Runs on Linux, FreeBSD, OS X and Windows
* Supports both TUN (tunnel) and TAP connection modes
* Licensed under the GPL
2. Lab environment
2.1 Server
OS: CentOS 4.1 Linux
Real IP: 192.168.100.151
VPN IP: 10.8.0.1
2.2 Client
OS: Windows XP (Home)
Real IP: 192.168.100.x (DHCP)
VPN IP: 10.8.0.x (assigned by the server)
3. Installation
3.1 Server
# Install lzo (from the source RPM)
rpmbuild --rebuild http://openvpn.net/release/lzo-1.08-4.rf.src.rpm
rpm -ivh /usr/src/redhat/RPMS/i386/lzo-*.rpm
# Install OpenVPN
mkdir /usr/src/pkgs
cd /usr/src/pkgs
wget http://openvpn.net/release/openvpn-2.0.2.tar.gz
rpmbuild -tb openvpn-2.0.2.tar.gz
rpm -ivh /usr/src/redhat/RPMS/i386/openvpn-2.0.2-1.i386.rpm
# Copy the sample configuration files
cp -r /usr/share/doc/openvpn-2.0.2/easy-rsa/ /etc/openvpn/
cp /usr/share/doc/openvpn-2.0.2/sample-config-files/server.conf /etc/openvpn/
# Set up the CA environment
cd /etc/openvpn/easy-rsa/
vi vars
export KEY_COUNTRY=TW
export KEY_PROVINCE=Taiwan
export KEY_CITY=Tainan
export KEY_ORG="Study-Area"
export KEY_EMAIL="[email protected]"
. ./vars
./clean-all
# Build the root CA
./build-ca
Generating a 1024 bit RSA private key
......++++++
................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [Taiwan]:
Locality Name (eg, city) [Tainan]:
Organization Name (eg, company) [Study-Area]:
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:CA
Email Address [[email protected]]:
# Build the server key and certificate
./build-key-server ovpnsrv1
Generating a 1024 bit RSA private key
............................++++++
....++++++
writing new private key to 'ovpnsrv1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [Taiwan]:
Locality Name (eg, city) [Tainan]:
Organization Name (eg, company) [Study-Area]:
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:ovpnsrv1
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'TW'
stateOrProvinceName :PRINTABLE:'Taiwan'
localityName :PRINTABLE:'Tainan'
organizationName :PRINTABLE:'Study-Area'
organizationalUnitName:PRINTABLE:'test'
commonName :PRINTABLE:'ovpnsrv1'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Sep 7 20:36:58 2015 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# Build the Diffie-Hellman parameters
./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..................................+............................................
..+............................................................................
...................+....................................+......................
.......................+...
# Install the CA files the server needs
cp keys/ca.crt ../
cp keys/dh1024.pem ../
cp keys/ovpnsrv1.key ../
cp keys/ovpnsrv1.crt ../
# Configure the server configuration file (leave anything not mentioned as is)
cd ../
vi server.conf
dev tap
;dev tun
ca ca.crt
cert ovpnsrv1.crt
key ovpnsrv1.key # This file should be kept secret
# Start the server
service openvpn restart
chkconfig openvpn on
--------------------------
3.2 Client
# Download and install OpenVPN (GUI build)
http://openvpn.se/files/install_packages/openvpn-2.0.2-gui-1.0.3-install.exe
# Set up the environment
cmd.exe
cd "c:\Program Files\OpenVPN\easy-rsa"
edit vars.bat
(The contents must match the server's, especially the KEY_ORG entry.)
# Set up the CA environment
vars
# Build the client key and CSR
build-key ovpnclt1
....
Common Name (eg, your name or your server's hostname) []:ovpnclt1
....
# Submit the CSR (use a secure channel; this example uses pscp.exe)
pscp keys/ovpnclt1.csr [email protected]:/etc/openvpn/easy-rsa/keys
# Switch to the server and sign the client certificate
------------------------
cd /etc/openvpn/easy-rsa/
./sign-req ovpnclt1
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'TW'
stateOrProvinceName :PRINTABLE:'Taiwan'
localityName :PRINTABLE:'Tainan'
organizationName :PRINTABLE:'Study-Area'
organizationalUnitName:PRINTABLE:'test'
commonName :PRINTABLE:'ovpnclt1'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Sep 7 21:07:33 2015 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
------------------------
# Install the CA files
cd ..\config
pscp [email protected]:/etc/openvpn/easy-rsa/keys/ovpnclt1.crt .\
pscp [email protected]:/etc/openvpn/easy-rsa/keys/ca.crt .\
copy ..\easy-rsa\keys\ovpnclt1.key .\
# Copy the sample configuration file:
copy ..\sample-config\client.ovpn .\
# Configure the client configuration file
System tray icon (OpenVPN GUI, bottom right)
Right-click --> Edit Config (leave anything not mentioned as is)
dev tap
;dev tun
dev-node OpenVPN_Tap
remote 192.168.100.151 1194
ca ca.crt
cert ovpnclt1.crt
key ovpnclt1.key
ns-cert-type server
# Set up the OpenVPN TAP interface
Control Panel --> Network Connections --> TAP-Win32#(#)
Right-click --> Rename --> OpenVPN_Tap
# Start the OpenVPN client
System tray icon (OpenVPN GUI, bottom right)
Right-click --> Connect
# Test
ping 10.8.0.1
4. Notes:
4.1 To allow clients to connect to each other, enable this on the server:
client-to-client
4.2 To hide the server IP and use the server purely as a bridge:
;server 10.3.0.0 255.255.255.0
server-bridge 10.8.0.1 255.255.255.0 10.8.0.129 10.8.0.246
4.3 If the CSR was generated by another CA setup, the Organization (KEY_ORG=) must match.
Otherwise it cannot be signed.
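The reason the Organization has to match is the CA policy in openssl.cnf: the easy-rsa configuration of this OpenVPN generation selects openssl's policy_match section, under which countryName, stateOrProvinceName and organizationName must equal the CA certificate's values, commonName must be supplied, and organizationalUnitName and emailAddress are optional. The following POSIX shell script is an added example, not code from the original article or from OpenVPN: it compares a CSR's subject with the CA's subject under those rules so that a mismatched vars/vars.bat is reported before ./sign-req is run. The function names, the openssl wrapper and the sample subjects are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original article: pre-flight check of a CSR
# subject against the CA subject using the rules of openssl's policy_match
# section (C, ST and O must match the CA; CN must be supplied; OU and
# emailAddress are optional). Function names are assumptions.

# dn_field SUBJECT FIELD
# Print FIELD from a slash-separated subject such as
# "/C=TW/ST=Taiwan/L=Tainan/O=Study-Area/OU=test/CN=CA".
dn_field() {
    printf '%s\n' "$1" | tr '/' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# policy_match_check CA_SUBJECT CSR_SUBJECT
# Return 0 if the CSR may be signed under policy_match, 1 otherwise,
# printing one line per violated rule.
policy_match_check() {
    ca_subj="$1"; csr_subj="$2"; rc=0
    for f in C ST O; do
        want=$(dn_field "$ca_subj" "$f")
        have=$(dn_field "$csr_subj" "$f")
        if [ "$want" != "$have" ]; then
            echo "policy_match: $f must match the CA ('$want'), CSR has '$have'"
            rc=1
        fi
    done
    if [ -z "$(dn_field "$csr_subj" CN)" ]; then
        echo "policy_match: CN must be supplied"
        rc=1
    fi
    return $rc
}

# check_csr_against_ca CA_CRT CSR_FILE
# Wrapper that extracts both subjects with the openssl CLI in the
# slash-separated ("compat") name format and runs the check.
# Assumes the openssl binary is installed.
check_csr_against_ca() {
    ca_subj=$(openssl x509 -noout -subject -nameopt compat -in "$1" | sed 's/^subject= *//')
    csr_subj=$(openssl req -noout -subject -nameopt compat -in "$2" | sed 's/^subject= *//')
    policy_match_check "$ca_subj" "$csr_subj"
}

# Usage: sh check_csr.sh keys/ca.crt keys/ovpnclt1.csr
if [ $# -eq 2 ]; then
    check_csr_against_ca "$1" "$2"
fi
```

Run it on the CA host in /etc/openvpn/easy-rsa before ./sign-req; a non-zero exit with a "must match the CA" line means the client's vars.bat (KEY_COUNTRY, KEY_PROVINCE or KEY_ORG) differs from the server's and the request should be regenerated rather than the CA policy relaxed.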
4.4 CA file distribution:
Server:
ca.crt
dh1024.pem
server.crt
server.key # must be kept secret
Client:
ca.crt
client.crt
client.key # must be kept secret
CA server:
ca.crt
ca.key # must be kept secret
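The distribution table above can be checked mechanically on the Linux hosts. The following POSIX shell script is an added example, not code from the original article or from OpenVPN: given a role (server, client or ca) and a directory, it verifies that the files listed for that role are present, that each private key has no group/other permission bits, and that no host other than the CA holds ca.key. The role names, the optional basename argument (ovpnsrv1 and ovpnclt1 in this guide) and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original article: verify that a host holds the
# files its role needs, that private keys are readable only by their owner,
# and that ca.key exists only on the CA host. Role and function names are
# assumptions.

# files_for_role ROLE NAME
# Print the expected file names for ROLE; NAME is the cert/key basename
# (e.g. ovpnsrv1). Secret files are marked with a trailing '*'.
files_for_role() {
    case "$1" in
        server) echo "ca.crt dh1024.pem $2.crt $2.key*" ;;
        client) echo "ca.crt $2.crt $2.key*" ;;
        ca)     echo "ca.crt ca.key*" ;;
        *)      echo "unknown role: $1" >&2; return 2 ;;
    esac
}

# check_role_dir ROLE DIR [NAME]
# Return 0 if every required file exists, every secret file has no
# group/other permission bits, and a non-CA host holds no ca.key;
# otherwise print one line per finding and return 1.
check_role_dir() {
    role="$1"; dir="$2"; name="${3:-$1}"; rc=0
    list=$(files_for_role "$role" "$name") || return 2
    for entry in $list; do
        secret=0
        case "$entry" in *\*) secret=1; entry="${entry%\*}" ;; esac
        path="$dir/$entry"
        if [ ! -f "$path" ]; then
            echo "$role: missing $path"; rc=1; continue
        fi
        if [ "$secret" -eq 1 ]; then
            # GNU stat first, BSD/macOS stat as the fallback
            mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
            # accept only modes whose group and other digits are 0 (600, 400, ...)
            case "$mode" in
                ?00) ;;
                *) echo "$role: $path mode $mode is readable by others (want 600)"; rc=1 ;;
            esac
        fi
    done
    if [ "$role" != ca ] && [ -e "$dir/ca.key" ]; then
        echo "$role: ca.key must exist only on the CA host"; rc=1
    fi
    return $rc
}

# Usage: sh check_vpn_files.sh server /etc/openvpn ovpnsrv1
if [ $# -ge 2 ]; then
    check_role_dir "$@"
fi
```

For the layout in this guide: sh check_vpn_files.sh server /etc/openvpn ovpnsrv1 checks the VPN server, and sh check_vpn_files.sh ca /etc/openvpn/easy-rsa/keys checks the CA material; here both live on the same machine, so the server check deliberately ignores the easy-rsa subdirectory and the ca check is what guards ca.key. The Windows client keeps its files under C:\Program Files\OpenVPN\config without POSIX modes, so the client role is only meaningful for a Linux client.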
4.5 Windows XP with SP2 running alongside certain security suites can prevent the Windows client from connecting.
At present there is no better workaround than removing SP2 or the conflicting suite.
Reference: http://openvpn.se/xpsp2_problem.html
5. Official site and documentation:
http://openvpn.net/
http://openvpn.net/howto.html