Setting up an OpenVPN relay [Server side]
Date: 2009-03-17 Source: 今天不打猎
Install OpenVPN
You can download the tgz or install the RPM directly; with the default install the files end up in the same place either way.
Remember to also install lzo, the compression package.
After installing and unpacking,
find the easy-rsa directory and copy it to /etc/openvpn.
# cd /etc/openvpn/easy-rsa/
# vi vars (the block below is the content of the vars file.)
# easy-rsa parameter settings
# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.
# This variable should point to
# the top level of the easy-rsa
# tree.
export D=`pwd`
# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=$D/openssl.cnf
# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR=$D/keys
# Issue rm -rf warning
echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024 # for stronger security, change 1024 to 2048
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY=KG
export KEY_PROVINCE=NA
export KEY_CITY=BISHKEK
export KEY_ORG="OpenVPN-TEST"
export KEY_EMAIL="[email protected]"
(Change the following values)
export KEY_COUNTRY=CN (country)
export KEY_PROVINCE=JL (province)
export KEY_CITY=YJ (city)
export KEY_ORG="OpenVPN-Server" (organization or company)
export KEY_EMAIL="[email protected]" (e-mail address)
Make vars take effect.
# . ./vars (note that there are two dots here)
NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
# ./clean-all (removes any existing keys and certificates)
Generate the CA by running build-ca.
# ./build-ca
Generating a 1024 bit RSA private key
.++++++
..................................................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JL]:
Locality Name (eg, city) [YJ]:
Organization Name (eg, company) [OpenVPN-Server]:
Organizational Unit Name (eg, section) []:OpenVPN
Common Name (eg, your name or your server's hostname) []:CA
Email Address [[email protected]]:
ca.crt and ca.key are generated in /etc/openvpn/easy-rsa/keys. All keys generated from here on are placed in /etc/openvpn/easy-rsa/keys as well.
Generate the server key and certificate.
# ./build-key-server server
Generating a 1024 bit RSA private key
.......................++++++
..++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JL]:
Locality Name (eg, city) [YJ]:
Organization Name (eg, company) [OpenVPN-Server]:
Organizational Unit Name (eg, section) []:OpenVPN
Common Name (eg, your name or your server's hostname) []:server
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'JL'
localityName :PRINTABLE:'YJ'
organizationName :PRINTABLE:'OpenVPN-Server'
organizationalUnitName:PRINTABLE:'OpenVPN'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Dec 3 11:10:26 2017 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# Enter server for Common Name. Answer y at both of the prompts above:
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n]: y
server.crt and server.key are generated in /etc/openvpn/easy-rsa/keys.
The server also needs Diffie-Hellman parameters.
# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...............................................................................+..........................................................................................+.......................+..........................+......................................................................++*++*++*
The file dh1024.pem is generated in /etc/openvpn/easy-rsa/keys.
# To protect against DoS attacks and UDP port flooding, generate an "HMAC firewall" key.
It is generated in /etc/openvpn/easy-rsa/keys as well:
# openvpn --genkey --secret ta.key
At this point all the keys and certificates needed on the server side have been generated.
Now generate the client keys. If there are 100 users, 100 keys have to be generated. Suppose the user name is figo:
# cd /etc/openvpn/easy-rsa/
# ./build-key figo
Generating a 1024 bit RSA private key
..........................++++++
....++++++
writing new private key to 'figo.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JL]:
Locality Name (eg, city) [YJ]:
Organization Name (eg, company) [OpenVPN-Server]:
Organizational Unit Name (eg, section) []:OpenVPN
Common Name (eg, your name or your server's hostname) []:figo
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'JL'
localityName :PRINTABLE:'YJ'
organizationName :PRINTABLE:'OpenVPN-Server'
organizationalUnitName:PRINTABLE:'OpenVPN'
commonName :PRINTABLE:'figo'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Dec 3 11:46:03 2017 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Enter figo for Common Name. Answer y at both of the prompts above:
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n]: y
figo.crt, figo.key and figo.csr are generated in /etc/openvpn/easy-rsa/keys.
1) Environment setup
Configure the OpenVPN server configuration file.
In the directory where you unpacked the archive,
openvpn/sample-config-files/ contains template configuration files. Copy the server configuration file server.conf to /etc/openvpn/.
Edit server.conf.
# cd /etc/openvpn/
# vi server.conf (text after # is a comment) (the block below is the server configuration file)
############################################################
port 1194 # port
proto tcp # protocol; udp works well in most environments, but here online games are to be played over the VPN
dev tun0 # virtual network device
ca /etc/openvpn/easy-rsa/keys/ca.crt # root CA certificate
cert /etc/openvpn/easy-rsa/keys/server.crt # server certificate
key /etc/openvpn/easy-rsa/keys/server.key # server key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem # Diffie-Hellman parameters
server 10.8.0.0 255.255.255.0 # VPN virtual subnet
ifconfig-pool-persist ipp.txt # on reconnect, give the client the IP address it was using before
push "redirect-gateway"
# Change the client's default gateway; this is essential when acting as a proxy. The OpenVPN server becomes the gateway and all Internet traffic goes out through it (on OpenBSD, tun0 is NATed in pf).
push "dhcp-option DNS 10.8.0.1" # use the OpenVPN server as the DNS server, so names are resolved on it. Instead of 10.8.0.1 you can also give the IP address of the DNS server local to the OpenVPN server; then the OpenVPN server does not have to act as a DNS server.
#client-to-client # here the machines on the virtual network do not need to see any machine other than the server, so this stays commented out
keepalive 10 120 # ping every 10 seconds; reconnect if there is no response for 120 seconds
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
# protects against DoS attacks and UDP port flooding (the "HMAC firewall" key generated above)
comp-lzo # lzo compression
user nobody
group nobody
# To reduce risk, change the user id of the openvpn process to nobody. If you want to use certificate and password authentication at the same time, however,
# these two lines must be commented out. The two-factor method is explained below.
persist-key
persist-tun
status openvpn-status.log # OpenVPN status log, updated every minute
verb 3
############################################################
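As an added example (not part of the original article or of OpenVPN itself), a small Python audit of a server.conf like the one above: it parses the directives, handling the trailing # comments the file uses, checks that the CA, certificate, key, DH and tls-auth material are all declared and that the daemon drops privileges to nobody, and reports the tcp and 1024-bit choices the article itself describes as trade-offs. The embedded sample configuration is constructed for the demonstration.

```python
import shlex

# Constructed sample mirroring the article's server.conf (with its trailing # comments)
SAMPLE_CONF = """\
port 1194 # port
proto tcp # protocol
ca /etc/openvpn/easy-rsa/keys/ca.crt # root CA certificate
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
push "redirect-gateway"
push "dhcp-option DNS 10.8.0.1"
#client-to-client
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
user nobody
group nobody
"""

def parse_conf(text):
    """Map directive -> list of argument lists; '#'/';' outside quotes start a comment, as in OpenVPN."""
    conf = {}
    for line in text.splitlines():
        lexer = shlex.shlex(line, posix=True)   # posix mode strips the quotes around push arguments
        lexer.whitespace_split = True
        lexer.commenters = "#;"
        tokens = list(lexer)
        if tokens:
            conf.setdefault(tokens[0], []).append(tokens[1:])
    return conf

def audit(conf):
    """Return (severity, message) findings: missing PKI material is an error, weak hardening a warning."""
    findings = []
    for name in ("ca", "cert", "key", "dh"):
        if name not in conf:
            findings.append(("error", f"missing '{name}' directive"))
    if "tls-auth" not in conf:
        findings.append(("warn", "no tls-auth: control channel lacks the HMAC firewall"))
    elif conf["tls-auth"][0][1:] != ["0"]:
        findings.append(("warn", "server side of tls-auth should use key direction 0"))
    if conf.get("user", [[]])[0] != ["nobody"] or conf.get("group", [[]])[0] != ["nobody"]:
        findings.append(("warn", "daemon does not drop privileges to nobody:nobody"))
    if conf.get("proto", [[]])[0] == ["tcp"]:
        findings.append(("info", "proto tcp: udp performs better unless tcp is required"))
    if any("1024" in arg for arg in conf.get("dh", [[]])[0]):
        findings.append(("info", "dh file name suggests 1024-bit parameters; prefer 2048"))
    if "client-to-client" in conf:
        findings.append(("info", "client-to-client lets VPN clients reach one another"))
    return findings
```

Run audit(parse_conf(open("/etc/openvpn/server.conf").read())) on a real file to get the same findings for it.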
Test the server:
# openvpn /etc/openvpn/server.conf
Mon Dec 31 00:25:13 2007 OpenVPN 2.0.6 i386-unknown-openbsd4.1 [SSL] [LZO] built on Mar 9 2007
Mon Dec 31 00:25:13 2007 Diffie-Hellman initialized with 1024 bit key
Mon Dec 31 00:25:13 2007 Control Channel Authentication: using '/etc/openvpn/easy-rsa/keys/ta.key' as a OpenVPN static key file
Mon Dec 31 00:25:13 2007 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 31 00:25:13 2007 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 31 00:25:13 2007 TLS-Auth MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]
openvpn: writing to routing socket: No such process
Mon Dec 31 00:25:13 2007 /sbin/ifconfig tun0 destroy
Mon Dec 31 00:25:13 2007 /sbin/ifconfig tun0 create
Mon Dec 31 00:25:13 2007 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Mon Dec 31 00:25:13 2007 /sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
Mon Dec 31 00:25:13 2007 TUN/TAP device /dev/tun0 opened
Mon Dec 31 00:25:13 2007 /sbin/route add -net 10.8.0.0 10.8.0.2 -netmask 255.255.255.0
add net 10.8.0.0: gateway 10.8.0.2
Mon Dec 31 00:25:13 2007 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Dec 31 00:25:13 2007 GID set to nobody
Mon Dec 31 00:25:13 2007 UID set to nobody
Mon Dec 31 00:25:13 2007 Listening for incoming TCP connection on [undef]:1194
Mon Dec 31 00:25:13 2007 TCPv4_SERVER link local (bound): [undef]:1194
Mon Dec 31 00:25:13 2007 TCPv4_SERVER link remote: [undef]
Mon Dec 31 00:25:13 2007 MULTI: multi_init called, r=256 v=256
Mon Dec 31 00:25:13 2007 IFCONFIG POOL: base=10.8.0.4 size=62
Mon Dec 31 00:25:13 2007 IFCONFIG POOL LIST
Mon Dec 31 00:25:13 2007 MULTI: TCP INIT maxclients=1024 maxevents=1028
Mon Dec 31 00:25:13 2007 Initialization Sequence Completed
When Initialization Sequence Completed appears at the end, the OpenVPN server has started successfully.