灯火阑珊处,转角消失的背影
Category: LINUX
2015-11-26 11:55:37
yum install openssl openssl-devel openvpn easy-rsa
Step 1: Generate the CA certificate & private key
[root@card ~]# cd /usr/share/easy-rsa/2.0/
[root@card 2.0]# pwd
/usr/share/easy-rsa/2.0
[root@card 2.0]# vim vars
[root@card 2.0]# grep '^[^#;]' vars
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="CN"
export KEY_PROVINCE="Sichuan"
export KEY_CITY="ChengDu"
export KEY_ORG="Wawo-Card"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="WOW"
export KEY_NAME="wawocard"
[root@card 2.0]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/easy-rsa/2.0/keys
[root@card 2.0]# ./clean-all
Clears all existing certificates and keys under keys/.
[root@card 2.0]# ./build-ca
Creates the root CA certificate.
Generating a 2048 bit RSA private key
.............................................................................................................................................................................................+++
.+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Sichuan]:
Locality Name (eg, city) [ChengDu]:
Organization Name (eg, company) [Wawo-Card]:
Organizational Unit Name (eg, section) [WOW]:
Common Name (eg, your name or your server's hostname) [Wawo-Card CA]:card
Name [wawocard]:
Email Address [root@localhost]:
Step 2: Create the server certificate
[root@card 2.0]# ./build-key-server server
Generates the server certificate & private key.
Generating a 2048 bit RSA private key
..................+++
...........................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Sichuan]:
Locality Name (eg, city) [ChengDu]:
Organization Name (eg, company) [Wawo-Card]:
Organizational Unit Name (eg, section) [WOW]:
Common Name (eg, your name or your server's hostname) [server]:
Name [wawocard]:
Email Address [root@localhost]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'Sichuan'
localityName :PRINTABLE:'ChengDu'
organizationName :PRINTABLE:'Wawo-Card'
organizationalUnitName:PRINTABLE:'WOW'
commonName :PRINTABLE:'server'
name :PRINTABLE:'wawocard'
emailAddress :IA5STRING:'root@localhost'
Certificate is to be certified until Nov 20 07:40:33 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
Two y answers are required here (one to sign, one to commit).
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Step 3: Create the client certificate & private key
[root@card 2.0]# ./build-key client-w01
client-w01 is the name of the client certificate and can be chosen freely.
Generating a 2048 bit RSA private key
...................+++
............+++
writing new private key to 'client-w01.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Sichuan]:
Locality Name (eg, city) [ChengDu]:
Organization Name (eg, company) [Wawo-Card]:
Organizational Unit Name (eg, section) [WOW]:
Common Name (eg, your name or your server's hostname) [client-w01]:
Name [wawocard]:
Email Address [root@localhost]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'Sichuan'
localityName :PRINTABLE:'ChengDu'
organizationName :PRINTABLE:'Wawo-Card'
organizationalUnitName:PRINTABLE:'WOW'
commonName :PRINTABLE:'client-w01'
name :PRINTABLE:'wawocard'
emailAddress :IA5STRING:'root@localhost'
Certificate is to be certified until Nov 20 07:44:47 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
Again, two y answers are required.
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate additional client certificates for other users:
[root@card 2.0]# ./build-key client-w02
[root@card 2.0]# ./build-key client-w03
Step 4: Generate Diffie-Hellman parameters:
[root@card 2.0]# ./build-dh
The generation process takes quite a long time; wait for it to finish.
Step 5: Generate the ta.key file
[root@card 2.0]# openvpn --genkey --secret keys/ta.key
This key is mainly used to defend against DoS, UDP flooding and similar malicious attacks.
The generated key files:
[root@card 2.0]# ll keys/
total 128
-rw-r--r-- 1 root root 5414 Nov 23 15:40 01.pem
-rw-r--r-- 1 root root 5304 Nov 23 15:44 02.pem
-rw-r--r-- 1 root root 5304 Nov 23 15:54 03.pem
-rw-r--r-- 1 root root 5304 Nov 23 15:54 04.pem
-rw-r--r-- 1 root root 1679 Nov 23 15:38 ca.crt
-rw------- 1 root root 1704 Nov 23 15:38 ca.key
-rw-r--r-- 1 root root 5304 Nov 23 15:44 client-w01.crt
-rw-r--r-- 1 root root 1074 Nov 23 15:44 client-w01.csr
-rw------- 1 root root 1704 Nov 23 15:44 client-w01.key
-rw-r--r-- 1 root root 5304 Nov 23 15:54 client-w02.crt
-rw-r--r-- 1 root root 1074 Nov 23 15:54 client-w02.csr
-rw------- 1 root root 1704 Nov 23 15:54 client-w02.key
-rw-r--r-- 1 root root 5304 Nov 23 15:54 client-w03.crt
-rw-r--r-- 1 root root 1074 Nov 23 15:54 client-w03.csr
-rw------- 1 root root 1708 Nov 23 15:54 client-w03.key
-rw-r--r-- 1 root root 516 Nov 23 15:54 index.txt
-rw-r--r-- 1 root root 21 Nov 23 15:54 index.txt.attr
-rw-r--r-- 1 root root 21 Nov 23 15:54 index.txt.attr.old
-rw-r--r-- 1 root root 386 Nov 23 15:54 index.txt.old
-rw-r--r-- 1 root root 3 Nov 23 15:54 serial
-rw-r--r-- 1 root root 3 Nov 23 15:54 serial.old
-rw-r--r-- 1 root root 5414 Nov 23 15:40 server.crt
-rw-r--r-- 1 root root 1070 Nov 23 15:40 server.csr
-rw------- 1 root root 1704 Nov 23 15:40 server.key
Step 6: Server-side configuration:
Copy the key files the server needs:
[root@card keys]# cp ca.crt ta.key dh2048.pem server.crt server.key /etc/openvpn/keys/
Edit the server configuration file:
[root@card openvpn]# cp /usr/share/doc/openvpn-2.3.8/sample/sample-config-files/server.conf /etc/openvpn/
[root@card openvpn]# vim server.conf
[root@card openvpn]# grep '^[^#;]' server.conf
port 1199
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
dh keys/dh2048.pem
server 10.8.110.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.10.0 255.255.255.0"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth keys/ta.key 0 # This file is secret
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 3
Start the service:
/etc/init.d/openvpn start
Add a virtual network interface (alias):
cd /etc/sysconfig/network-scripts/
cp ifcfg-eth1 ifcfg-eth1:1
Contents of ifcfg-eth1:1:
DEVICE=eth1:1
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.10.5
NETMASK=255.255.252.0
/etc/init.d/network reload
Configure iptables rules:
iptables -A INPUT -p tcp -m tcp --dport 1199 -m comment --comment "openvpn" -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.110.0/24 -j MASQUERADE
service iptables save
Step 7: Package the client configuration files
Edit the client configuration file (on Windows the client configuration file uses the .ovpn extension):
cp /usr/share/doc/openvpn-2.3.8/sample/sample-config-files/client.conf client.ovpn
client
dev tun
proto tcp
remote 120.125.26.55 1199
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client-w01.crt
key client-w01.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
Copy the key files & configuration file the client needs (the cert and key lines in client.ovpn must name the certificate that is actually packaged, here client-w02):
cp ta.key client.ovpn ca.crt client-w02.crt client-w02.key /opt/c2/
zip -r vpn-client02.zip c2
Install OpenVPN on the client.
Place the corresponding key files & configuration file in the config directory under the installation path.
Notes:
1. Adding an OpenVPN user
Run the following on the server:
source vars
./build-key client-xxx
Then follow Step 7 to package the new client's files.
2. Revoking an OpenVPN user
On the server:
cd /usr/share/easy-rsa/2.0/
source vars
./revoke-full <client-name>
After the revocation command succeeds, several files appear in the keys folder of the easy-rsa directory, one of which is crl.pem. CRL is short for certificate revocation list, and crl.pem holds exactly that: the list of revoked certificates. Each time a client certificate is revoked, an entry identifying that client's certificate is appended to this file.
That alone is not enough: the OpenVPN server must also be told in its configuration to check, on every client connection, whether the client's certificate appears in crl.pem. So add the following as the last line of the server-side configuration file server.conf:
crl-verify "../easy-rsa/keys/crl.pem"
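As an added example (not from the original post), here is a small POSIX shell pre-start check for the server.conf shown in Step 6 and for the crl-verify line added just above: every file-bearing directive (ca, cert, key, dh, tls-auth, crl-verify) is resolved relative to the directory holding the config, and any referenced file that is missing, or any private key / ta.key readable by group or other, is reported. The function name check_openvpn_conf and the script name are my own; it catches, for instance, a tls-auth line that points at ta.key next to the config after the file was copied into /etc/openvpn/keys/.

```shell
#!/bin/sh
# Added example: pre-start sanity check for an OpenVPN server config.
# Comments (# and ;) are stripped the way the post's `grep '^[^#;]'` does,
# relative paths are resolved against the config's own directory (OpenVPN's
# working directory when started from /etc/init.d), and one line per problem
# is printed. Returns 0 only when nothing is missing or over-permissive.
check_openvpn_conf() {
    conf="$1"
    dir=$(dirname "$conf")
    problems=$(
        sed 's/[#;].*$//' "$conf" |
        awk '$1=="ca"||$1=="cert"||$1=="key"||$1=="dh"||$1=="tls-auth"||$1=="crl-verify" {print $1, $2}' |
        while read -r directive path; do
            # crl-verify "../easy-rsa/keys/crl.pem" style quoting
            path=$(printf '%s' "$path" | tr -d '"')
            case "$path" in
                /*) full="$path" ;;
                *)  full="$dir/$path" ;;
            esac
            if [ ! -f "$full" ]; then
                echo "MISSING $directive $full"
                continue
            fi
            case "$directive" in
                key|tls-auth)
                    # columns 5-10 of `ls -l` are the group and other permission bits
                    perms=$(ls -ld "$full" | cut -c5-10)
                    [ "$perms" = "------" ] || echo "PERMS $directive $full ($perms)"
                    ;;
            esac
        done
    )
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    return 0
}

# Usage: sh check-openvpn-conf.sh /etc/openvpn/server.conf
if [ "$#" -gt 0 ]; then
    check_openvpn_conf "$1"
fi
```

Run it from the easy-rsa machine before /etc/init.d/openvpn start; a non-zero exit means the daemon would fail to open one of its files or a secret is world-readable.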