OpenVPN 2.0.9: simple installation and configuration
Date: 2010-05-28  Source: 搅局者
Linux localhost 2.6.18-92.el5 #1 SMP Tue Jun 10 18:49:47 EDT 2008 i686 i686 i386 GNU/Linux
[root@localhost ~]# cat /etc/issue
CentOS release 5.2 (Final)
Kernel \r on an \m

1. First check whether the openssl and openssl-devel packages are installed:
[root@localhost ~]# rpm -qa |grep openssl
openssl-devel-0.9.8b-10.el5
openssl-0.9.8b-10.el5
If they are missing, just install them with yum.

2. Install the lzo package. It provides the compression feature for VPN connections; this package is optional.
[root@localhost ~]# tar zxvf lzo-2.03.tar.gz
[root@localhost ~]# ls
Desktop lzo-2.03 lzo-2.03.tar.gz openvpn-2.0.9 openvpn-2.0.9.tar.gz
[root@localhost ~]# cd lzo-2.03
[root@localhost lzo-2.03]# ./configure
[root@localhost lzo-2.03]# make
[root@localhost lzo-2.03]# make install
************************************
(alternatively, the same build with a custom install prefix:)
[root@localhost lzo-2.03]# ./configure --prefix=/usr/local/lzo
[root@localhost lzo-2.03]# make
[root@localhost lzo-2.03]# make install
******************************************************

3. Install OpenVPN
[root@localhost ~]# tar zxvf openvpn-2.0.9.tar.gz
[root@localhost ~]# ls
Desktop openvpn-2.0.9 openvpn-2.0.9.tar.gz
[root@localhost ~]# cd openvpn-2.0.9
[root@localhost openvpn-2.0.9]# pwd
/root/openvpn-2.0.9
[root@localhost openvpn-2.0.9]# ./configure
[root@localhost openvpn-2.0.9]# make
[root@localhost openvpn-2.0.9]# make install
That is all it takes to install it! Now for the configuration. First generate the certificates, the public and private keys, and so on. Also enable IP forwarding first: echo 1 > /proc/sys/net/ipv4/ip_forward
[root@localhost openvpn-2.0.9]# cd easy-rsa/
[root@localhost easy-rsa]# pwd
/root/openvpn-2.0.9/easy-rsa
[root@localhost easy-rsa]# vim vars    # change the environment variables
export KEY_COUNTRY=CN
export KEY_PROVINCE=BJ
export KEY_CITY=BJ
export KEY_ORG="3jia5"
export KEY_EMAIL="[email protected]"
[root@localhost easy-rsa]# chmod +x vars
[root@localhost easy-rsa]# source ./vars    # load the environment variables
NOTE: when you run ./clean-all, I will be doing a rm -rf on /root/openvpn-2.0.9/easy-rsa/keys
[root@localhost easy-rsa]# ./clean-all    # remove all existing certificate-related files
[root@localhost easy-rsa]# ./build-ca    # generate the CA certificate
Generating a 1024 bit RSA private key
.....................................................................................................................++++++
....++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [3jia5]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:server   (enter the VPN server's FQDN)
Email Address [[email protected]]:
[root@localhost easy-rsa]# ./build-key-server server    # create the VPN server certificate and private key
Generating a 1024 bit RSA private key
......................................................................................++++++
...++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [3jia5]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:server   (the OpenVPN server's FQDN)
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:abc
Using configuration from /root/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BJ'
organizationName :PRINTABLE:'3jia5'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until May 22 06:43:32 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate the client certificate. In this mode, every client needs its own certificate.
[root@localhost easy-rsa]# ./build-key client2    # certificate and private key for the client that dials in
Generating a 1024 bit RSA private key
..................................++++++
........++++++
writing new private key to 'client2.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [3jia5]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:client2   (the client's FQDN; make sure this name is different for every client)
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:abc
Using configuration from /root/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BJ'
organizationName :PRINTABLE:'3jia5'
commonName :PRINTABLE:'client2'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until May 22 06:47:55 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost easy-rsa]# ./build-dh    # generate the Diffie-Hellman parameters
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
For encryption:
[root@localhost easy-rsa]# openvpn --genkey --secret keys/ta.key    # generates a keyed hash message authentication code (HMAC) key to defend against malicious attacks
[root@localhost easy-rsa]# ls keys/    # all generated keys are kept here
[root@localhost 2.0]# cp /root/openvpn-2.1_rc22/sample-config-files/server.conf /usr/local/etc/server.conf    # copy the server configuration template here

Configuration file:
[root@localhost ~]# vim /usr/local/etc/server.conf
;local 192.168.17.133
proto tcp        # changed to the TCP protocol
;proto udp       # the UDP protocol is commented out
;dev tap         # declares the device to use, tap or tun: tap is a layer-2 device that carries link-layer protocols; tun is an IP-layer point-to-point device with somewhat more restrictions
dev tun
;dev-node MyTap
ca /root/openvpn-2.0.9/easy-rsa/keys/ca.crt        # here specify the paths of the certificates generated above
cert /root/openvpn-2.0.9/easy-rsa/keys/server.crt
key /root/openvpn-2.0.9/easy-rsa/keys/server.key   # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh /root/openvpn-2.0.9/easy-rsa/keys/dh1024.pem
server 10.0.0.0 255.255.255.0      # the address range to hand out to clients
ifconfig-pool-persist ipp.txt
;push "route 192.168.10.0 255.255.255.0"    # a route can be pushed to clients here
push "dhcp-option DNS 10.8.0.1"    # 10.8.0.1 is the sample file's default; with the 10.0.0.0/24 pool above the server's own tunnel address is 10.0.0.1
client-to-client     # if enabled, connected clients may talk to each other
keepalive 10 120     # ping every 10 seconds; treat the peer as down if there is no reply for 120 seconds
comp-lzo             # enable compression
;max-clients 100     # maximum number of concurrent clients
verb 5               # log level
The remaining options can be looked up online; there are not many: a default gateway can be pushed, the logging method set, DNS servers assigned, fixed IPs given to clients, and so on.

Start the VPN:
[root@localhost ~]# /usr/local/sbin/openvpn --config /usr/local/etc/server.conf
[root@localhost ~]# ps -e |grep open
6487 ? 00:00:00 openvpn

Client:
Install openvpn-2.0.9-gui-1.0.3-install.exe. The version must be the same as the server's.
Then import the certificates generated on the server into the directory C:\Program Files\OpenVPN\config and create a client configuration file. Apart from specifying the VPN server's IP, its options mean the same as on the server. Required certificates and keys: client1.key client1.crt ca.crt ta.key
Client configuration file client.ovpn:
client
dev tun
proto tcp
remote 192.168.100.100
persist-key      # after a disconnect and reconnect, keep using the key that was loaded the first time
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
That is basically it! Any further restrictions can be added with iptables rules. Next up: a different authentication and access-control method, RADIUS.
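As an added example (not from the original post), the following Python script cross-checks a server.conf against a client.ovpn the way the two files above must pair: same protocol family and device type, comp-lzo on both sides or neither, tls-auth on both sides with key-direction 0 on the server and 1 on the client, and ns-cert-type server on the client. The sample configs are constructed from this post's directives; the server sample omits tls-auth, as the server.conf above does while client.ovpn uses tls-auth ta.key 1, so the script reports that mismatch.

```python
# Added example, not from the original post: cross-check an OpenVPN server.conf against
# a client.ovpn. The sample configs are constructed from the post's own directives.
SERVER_CONF = """\
proto tcp
dev tun
server 10.0.0.0 255.255.255.0
comp-lzo
"""
CLIENT_OVPN = """\
client
dev tun
proto tcp
remote 192.168.100.100
ns-cert-type server
tls-auth ta.key 1
comp-lzo
"""

def parse_config(text):
    """Map each directive to its argument lists; a line whose first
    non-blank character is ';' or '#' is a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in ";#":
            name, *args = line.split()
            conf.setdefault(name, []).append(args)
    return conf

def check_pair(server_text, client_text):
    """Return a list of findings; an empty list means the pair is consistent."""
    srv, cli = parse_config(server_text), parse_config(client_text)
    def arg0(c, k, d):  # first argument of directive k, or d when it is absent
        return c[k][0][0] if c.get(k) and c[k][0] else d
    f = []
    # 'tcp-server' on the server pairs with 'tcp' or 'tcp-client' on the client
    proto = [arg0(c, "proto", "udp").split("-")[0] for c in (srv, cli)]
    dev = [arg0(c, "dev", "?").rstrip("0123456789") for c in (srv, cli)]
    for name, vals in (("proto", proto), ("dev", dev)):
        if vals[0] != vals[1]:
            f.append("%s mismatch: server %s, client %s" % (name, *vals))
    if ("comp-lzo" in srv) != ("comp-lzo" in cli):
        f.append("comp-lzo must be enabled on both sides or on neither")
    # tls-auth needs the same key on both sides, with key-direction 0 and 1
    ta = [c["tls-auth"][0][1:] if "tls-auth" in c else ["absent"] for c in (srv, cli)]
    if sorted(ta[0] + ta[1]) not in ([], ["0", "1"], ["absent", "absent"]):
        f.append("tls-auth mismatch: server %s, client %s" % tuple(ta))
    if "ns-cert-type" not in cli:
        f.append("client lacks 'ns-cert-type server': a CA-signed client cert could pose as the server")
    return f
```

The same check applies to the file names: client.ovpn above references client1.crt and client1.key while the walkthrough built client2, and the names in the client file must match what was actually generated.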