Category: LINUX

2009-10-24 23:19:23

Architecture:

Environment: RHEL 4.5

Packages:

lzo-1.08.tar.gz, openssl-0.9.8e.tar.gz, openvpn-2.0.9.tar.gz

openvpn-2.0.9-gui-1.0.3-install.exe (Windows client)

 

1> Enable IP forwarding

vi /etc/sysctl.conf:

net.ipv4.ip_forward = 1

2> Installation

tar zxvf openssl-0.9.8e.tar.gz
cd openssl-0.9.8e
./config --prefix=/usr/local/openssl
make
make install
cd ..

tar zxvf lzo-1.08.tar.gz
cd lzo-1.08
./configure --prefix=/usr/local/lzo
make
make install
cd ..

tar zxvf openvpn-2.0.9.tar.gz
cd openvpn-2.0.9
./configure --with-lzo-headers=/usr/local/lzo/include --with-lzo-lib=/usr/local/lzo/lib
make
make install

 

3> Generate certificates:

cd /root/openvpn-2.0.9/easy-rsa

export D=`pwd`

export KEY_CONFIG=$D/openssl.cnf

export KEY_DIR=$D/keys

export KEY_SIZE=1024

export KEY_COUNTRY=CN

export KEY_PROVINCE=BJ

export KEY_CITY=BJ

export KEY_ORG="buaa"

export KEY_EMAIL=liang3391@126.com

./clean-all

./build-ca

--------------------------------------------------------------------

[root@smart007 easy-rsa]# ./clean-all

[root@smart007 easy-rsa]# ./build-ca

Generating a 1024 bit RSA private key

.....++++++

..........................................++++++

writing new private key to 'ca.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [SH]:

Locality Name (eg, city) [SH]:

Organization Name (eg, company) [BaCai]:

Organizational Unit Name (eg, section) []:SH

Common Name (eg, your name or your server's hostname) []:SH

Email Address [yimu1023@163.com]:

[root@smart007 easy-rsa]# cd keys/

[root@smart007 keys]# ls

ca.crt  ca.key  index.txt  serial

[root@smart007 keys]# cd ..

[root@smart007 easy-rsa]# ls

2.0          build-key-pass    clean-all    ppp          vars

build-ca     build-key-pkcs12  keys         README       Windows

build-dh     build-key-server  list-crl     revoke-crt

build-inter  build-req         make-crl     revoke-full

build-key    build-req-pass    openssl.cnf  sign-req

[root@smart007 easy-rsa]# ./build-key-server SH

Generating a 1024 bit RSA private key

...........................++++++

....++++++

writing new private key to 'SH.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [SH]:

Locality Name (eg, city) [SH]:

Organization Name (eg, company) [BaCai]:

Organizational Unit Name (eg, section) []:SH

Common Name (eg, your name or your server's hostname) []:SH

Email Address [yimu1023@163.com]:

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:smartvpp123456

An optional company name []:BaCai

Using configuration from /usr/local/openvpn-2.0.9/easy-rsa/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'CN'

stateOrProvinceName   :PRINTABLE:'SH'

localityName          :PRINTABLE:'SH'

organizationName      :PRINTABLE:'BaCai'

organizationalUnitName:PRINTABLE:'SH'

commonName            :PRINTABLE:'SH'

emailAddress          :IA5STRING:'yimu1023@163.com'

Certificate is to be certified until May  2 03:00:21 2019 GMT (3650 days)

Sign the certificate? [y/n]:y

 

 

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@smart007 easy-rsa]#

--------------------------------------------------------------

4> Generate client certificates

With this OpenVPN configuration, every VPN client that logs in needs its own certificate, and each certificate can serve only one connected client at a time (if two machines install the same certificate and dial the server simultaneously, both connect, but only the first one to connect actually gets network access). So a number of certificates have to be created. Below, three are created, named client1 through client3.

./build-key client1

Generating a 1024 bit RSA private key

.....++++++

......++++++

writing new private key to 'client1.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BJ]:

Locality Name (eg, city) [BJ]:

Organization Name (eg, company) [buaa]:

Organizational Unit Name (eg, section) []:gait

Common Name (eg, your name or your server's hostname) []:client1 # Important: the certificate generated for each client must have a different name.

Email Address [support@cooldvd.com]:

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:abcd1234

An optional company name []:gait

Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'CN'

stateOrProvinceName   :PRINTABLE:'GD'

localityName          :PRINTABLE:'SZ'

organizationName      :PRINTABLE:'dvdmaster'

organizationalUnitName:PRINTABLE:'dvdmaster'

commonName            :PRINTABLE:'client1'

emailAddress :IA5STRING:'support@cooldvd.com'

Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)

Sign the certificate? [y/n]:y

 

 

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

 

# Generate the remaining client certificates/keys the same way:

./build-key client2

./build-key client3

 

Note: at the Common Name (eg, your name or your server's hostname) []: prompt, every certificate must be given a different name.

g) Run ./build-dh

h) All generated certificates are under /root/openvpn-2.0.9/easy-rsa/keys.

i. The server needs ca.crt, server.crt, server.key and dh1024.pem; each client needs ca.crt plus its own client1-3.crt and client1-3.key. The server file names follow the argument given to ./build-key-server; in the transcript above that argument was SH, which produces SH.crt and SH.key, so either run ./build-key-server server or point server.conf at the SH files.
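The one-certificate-per-client model described above only holds while the CA database stays clean: easy-rsa records every certificate it issues in keys/index.txt (listed above next to ca.crt and serial), and revoke-full/make-crl update the same file. The following script, added here as an example and not part of the original post, parses that file and reports which common names can currently authenticate, which are revoked or expired, and whether any common name was issued twice. The index.txt contents are constructed to resemble this post's certificates; the e-mail addresses are placeholders.

```python
# Added example (not from the original post): audit an easy-rsa CA database.
# keys/index.txt is the OpenSSL `ca` database: one tab-separated line per
# issued certificate holding status (V valid / R revoked / E expired), expiry
# time, revocation time (empty unless revoked, may carry a ",reason" suffix),
# serial, a filename field ("unknown") and the subject DN.
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: one server cert (CN=SH, as in the transcript), three
# clients, one of them issued twice, one revoked, plus an already expired cert.
SAMPLE_INDEX = "\n".join([
    "V\t190502030021Z\t\t01\tunknown\t/C=CN/ST=SH/L=SH/O=BaCai/OU=SH/CN=SH/emailAddress=ca@example.com",
    "V\t190319082200Z\t\t02\tunknown\t/C=CN/ST=BJ/L=BJ/O=buaa/OU=gait/CN=client1/emailAddress=c1@example.com",
    "R\t190319082300Z\t091020100000Z,keyCompromise\t03\tunknown\t/C=CN/ST=BJ/L=BJ/O=buaa/OU=gait/CN=client2/emailAddress=c2@example.com",
    "V\t190319082400Z\t\t04\tunknown\t/C=CN/ST=BJ/L=BJ/O=buaa/OU=gait/CN=client3/emailAddress=c3@example.com",
    "V\t190319082500Z\t\t05\tunknown\t/C=CN/ST=BJ/L=BJ/O=buaa/OU=gait/CN=client3/emailAddress=c3@example.com",
    "V\t090101000000Z\t\t06\tunknown\t/C=CN/ST=BJ/L=BJ/O=buaa/OU=gait/CN=oldclient/emailAddress=old@example.com",
])
SAMPLE_NOW = datetime(2009, 10, 24, tzinfo=timezone.utc)  # date of the post


def parse_asn1_time(s):
    """UTCTime as written by `openssl ca`: YYMMDDHHMMSSZ (years < 2050)."""
    return datetime.strptime(s, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text):
    """Parse index.txt into a list of dicts; DN components become a dict."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _filename, subject = line.split("\t")
        # DN values containing '/' are escaped by openssl; not handled here.
        dn = dict(part.split("=", 1) for part in subject.strip("/").split("/"))
        entries.append({
            "status": status,
            "expiry": parse_asn1_time(expiry),
            "revoked_at": parse_asn1_time(revoked.split(",")[0]) if revoked else None,
            "serial": serial,
            "dn": dn,
        })
    return entries


def audit(entries, now):
    """Summarise which CNs can authenticate right now and what needs attention."""
    usable = [e for e in entries if e["status"] == "V" and e["expiry"] > now]
    cn_counts = Counter(e["dn"]["CN"] for e in usable)
    return {
        "usable": sorted(cn_counts),
        "revoked": sorted(e["dn"]["CN"] for e in entries if e["status"] == "R"),
        "expired": sorted(e["dn"]["CN"] for e in entries
                          if e["status"] in ("V", "E") and e["expiry"] <= now),
        # Two live certificates with the same CN break the one-cert-per-client rule.
        "duplicate_cn": sorted(cn for cn, n in cn_counts.items() if n > 1),
    }


def audit_sample():
    return audit(parse_index(SAMPLE_INDEX), SAMPLE_NOW)


if __name__ == "__main__":
    for key, cns in audit_sample().items():
        print(f"{key:13s} {', '.join(cns) or '-'}")
```

Revoking a certificate only changes this file and the CRL; the server enforces the revocation only once server.conf references the CRL with crl-verify, so a revoked CN that still appears in the server log is the first thing to check after running revoke-full.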

7 Configuration files

a) cp /root/openvpn-2.0.9/sample-config-files/server.conf /usr/local/etc/server.conf

b) vi /usr/local/etc/server.conf

i. Change proto udp to proto tcp

ii. Change the four ca lines to

ca /root/openvpn-2.0.9/easy-rsa/keys/ca.crt

cert /root/openvpn-2.0.9/easy-rsa/keys/server.crt

key /root/openvpn-2.0.9/easy-rsa/keys/server.key

dh /root/openvpn-2.0.9/easy-rsa/keys/dh1024.pem

iii. For the complete server.conf, see the reference file server.conf.

 

8 Start the service:

a) Remove every rule on the server and on the firewall that blocks SSH (22) and OpenVPN (1194).

b) echo 1 > /proc/sys/net/ipv4/ip_forward

c) /usr/local/sbin/openvpn --config /usr/local/etc/server.conf

d) To start OpenVPN at boot, append the following to /etc/rc.local:

/usr/local/sbin/openvpn --config /usr/local/etc/server.conf > /dev/null 2>&1 &

4. Install the client

1 Download the Windows client, "OpenVPN GUI for Windows", in the same version as the OpenVPN server.

a) For example, if the server runs OpenVPN 2.0.9, the OpenVPN GUI for Windows to download is openvpn-2.0.9-gui-1.0.3-install.exe

2 Run openvpn-2.0.9-gui-1.0.3-install.exe and accept all defaults.

3 Copy ca.crt, client1.crt and client1.key to C:\Program Files\OpenVPN\config. (Different users use different certificates; each certificate consists of a .crt and a .key file, e.g. client2.crt and client2.key.)

4 Build the client configuration file from /root/openvpn-2.0.9/sample-config-files/client.conf and save it as C:\Program Files\OpenVPN\config\client.ovpn

a) Change proto udp to proto tcp

 

b) Change the remote line to the VPN server's public IP followed by the port number, 1194.

c) Change the three ca lines to

ca ca.crt

cert client1.crt

key client1.key

d) Comment out comp-lzo

For the complete client.ovpn, see the reference file client.ovpn.
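The server and client edits above (proto, certificate paths, remote, comp-lzo) are easy to get out of step when done by hand on two machines. The script below, added here as an example and not code from the post or from the OpenVPN project, parses a server.conf and a client .ovpn and reports the mismatches a practitioner would check first. Both sample configs are constructed: the client one mirrors this post's edits (proto tcp, relative certificate names, comp-lzo commented out), and 203.0.113.10 is a documentation-range placeholder standing in for the server's public IP.

```python
# Added example (not from the post or the OpenVPN project): consistency check
# between a hand-edited server.conf and client.ovpn. Defaults assumed when a
# directive is absent follow OpenVPN's own: proto udp, port 1194.

# Constructed sample mirroring section 7 of the post (server side).
SERVER_CONF = """\
port 1194
proto tcp
dev tun
ca /root/openvpn-2.0.9/easy-rsa/keys/ca.crt
cert /root/openvpn-2.0.9/easy-rsa/keys/server.crt
key /root/openvpn-2.0.9/easy-rsa/keys/server.key
dh /root/openvpn-2.0.9/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
persist-key
persist-tun
"""

# Constructed sample mirroring section 4 of the post (client side);
# 203.0.113.10 is a placeholder for the server's public IP.
CLIENT_OVPN = """\
client
dev tun
proto tcp
remote 203.0.113.10 1194
resolv-retry infinite
nobind
ca ca.crt
cert client1.crt
key client1.key
;comp-lzo
"""


def parse_openvpn_config(text):
    """Return {directive: [args]} for an OpenVPN config file.
    Lines starting with '#' or ';' are comments. A repeated directive keeps
    its last occurrence, which is enough for the single-valued ones checked."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        conf[name] = args
    return conf


def check_pair(server, client):
    """Return a list of problems; an empty list means the pair looks consistent."""
    problems = []
    for d in ("ca", "cert", "key", "dh", "server"):
        if d not in server:
            problems.append(f"server: missing '{d}'")
    for d in ("ca", "cert", "key", "remote"):
        if d not in client:
            problems.append(f"client: missing '{d}'")
    # Transport must match; 'tcp-server'/'tcp-client' count as tcp.
    sproto = server.get("proto", ["udp"])[0]
    cproto = client.get("proto", ["udp"])[0]
    if sproto.split("-")[0] != cproto.split("-")[0]:
        problems.append(f"proto mismatch: server {sproto}, client {cproto}")
    # The client's remote port must be the port the server listens on.
    sport = server.get("port", ["1194"])[0]
    remote = client.get("remote", [])
    cport = remote[1] if len(remote) > 1 else "1194"
    if sport != cport:
        problems.append(f"port mismatch: server listens on {sport}, client connects to {cport}")
    # Compression must be decided the same way on both ends.
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        problems.append("comp-lzo enabled on one side only; check that both ends intend the same setting")
    # duplicate-cn would let several clients share one certificate.
    if "duplicate-cn" in server:
        problems.append("duplicate-cn lets several clients share one certificate, "
                        "defeating the one-certificate-per-client model")
    return problems


def check_samples():
    return check_pair(parse_openvpn_config(SERVER_CONF), parse_openvpn_config(CLIENT_OVPN))


if __name__ == "__main__":
    for p in check_samples() or ["no problems found"]:
        print(p)
```

Run against the two samples, the only finding is the comp-lzo difference that the post's own edits produce (enabled in the sample server.conf, commented out in client.ovpn); uncommenting comp-lzo on the client, or commenting it on the server, yields an empty list.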

 

Setting up NAT on the SERVER side lets VPN clients reach the Internet, the internal network and so on through the VPN tunnel.
