Category: LINUX
2009-10-24 23:19:23
Environment: RHEL4.5
Packages:
lzo-1.08.tar.gz,openssl-
openvpn-
1> Enable IP forwarding
vi /etc/sysctl.conf:
net.ipv4.ip_forward = 1
2> Install
tar zxvf openssl-
cd openssl/
./config --prefix=/usr/local/openssl
make
make install
cd
tar zxvf lzo-1.08.tar.gz
cd lzo
./configure --prefix=/usr/local/lzo
make
make install
cd ..
tar zxvf openvpn-
cd openvpn-
./configure --with-lzo-headers=/usr/local/lzo/include --with-lzo-lib=/usr/local/lzo/lib
make
make install
3> Generate certificates:
cd /root/openvpn-
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=BJ
export KEY_CITY=BJ
export KEY_ORG="buaa"
export KEY_EMAIL=liang3391@126.com
b) ./clean-all
c) ./build-ca
--------------------------------------------------------------------
[root@smart007 easy-rsa]# ./clean-all
[root@smart007 easy-rsa]# ./build-ca
Generating a 1024 bit RSA private key
.....++++++
..........................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [SH]:
Organization Name (eg, company) [BaCai]:
Organizational Unit Name (eg, section) []:SH
Common Name (eg, your name or your server's hostname) []:SH
Email Address [yimu1023@163.com]:
[root@smart007 easy-rsa]# cd keys/
[root@smart007 keys]# ls
ca.crt ca.key index.txt serial
[root@smart007 keys]# cd ..
[root@smart007 easy-rsa]# ls
2.0 build-key-pass clean-all ppp vars
build-ca build-key-pkcs12 keys README Windows
build-dh build-key-server list-crl revoke-crt
build-inter build-req make-crl revoke-full
build-key build-req-pass openssl.cnf sign-req
[root@smart007 easy-rsa]# ./build-key-server SH
Generating a 1024 bit RSA private key
...........................++++++
....++++++
writing new private key to 'SH.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [SH]:
Organization Name (eg, company) [BaCai]:
Organizational Unit Name (eg, section) []:SH
Common Name (eg, your name or your server's hostname) []:SH
Email Address [yimu1023@163.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:smartvpp123456
An optional company name []:BaCai
Using configuration from /usr/local/openvpn-
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SH'
localityName :PRINTABLE:'SH'
organizationName :PRINTABLE:'BaCai'
organizationalUnitName:PRINTABLE:'SH'
commonName :PRINTABLE:'SH'
emailAddress :IA5STRING:'yimu1023@163.com'
Certificate is to be certified until May 2 03:00:21 2019 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@smart007 easy-rsa]#
--------------------------------------------------------------
4> Generate client certificates
In OpenVPN, with this configuration each VPN client that logs in needs its own certificate, and a given certificate can serve only one client at a time (if two machines have the same certificate installed and both dial the server, both connect, but only the first one to connect can reach the network). So a number of certificates have to be created. Below, three are created, named client1 through client3.
./build-key client1
Generating a 1024 bit RSA private key
.....++++++
......++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [buaa]:
Organizational Unit Name (eg, section) []:gait
Common Name (eg, your name or your server's hostname) []:client1 #Important: the certificate generated for each client must have a different name.
Email Address [support@cooldvd.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:gait
Using configuration from /openvpn-
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GD'
localityName :PRINTABLE:'SZ'
organizationName :PRINTABLE:'dvdmaster'
organizationalUnitName:PRINTABLE:'dvdmaster'
commonName :PRINTABLE:'client1'
emailAddress :IA5STRING:'support@cooldvd.com'
Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# Generate the remaining client certificates/keys in the same way:
./build-key client2
./build-key client3
Note: at the prompt Common Name (eg, your name or your server's hostname) []:, the name entered for each certificate must be different.
g) Run ./build-dh
h) All generated certificates are under /root/openvpn-
i. The server needs ca.crt, server.crt, server.key and dh1024.pem; each client needs ca.crt, client1-3.crt and client1-3.key.
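The checks below are an added example, not part of the original post: after the client certificates have been built, they confirm that each client certificate chains to ca.crt, that no two client certificates share a Common Name (the collision described above), and that no .key file is readable by other users. Only the openssl command-line tool is used. The make_test_pki function builds a throwaway CA and two clients so the checks can be exercised without touching the real keys directory; its names and the directory path are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): post-build checks on an
# easy-rsa keys directory, using only the openssl CLI.
set -eu

# Print the Common Name of a certificate. Handles both the older
# "subject= /C=CN/.../CN=x" and the newer "subject=C = CN, ..., CN = x" layouts.
cert_cn() {
  openssl x509 -in "$1" -noout -subject \
    | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Succeed only if every certificate given after the CA file chains to that CA.
verify_chain() {
  ca=$1
  shift
  for crt in "$@"; do
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
  done
}

# Print each Common Name that occurs in more than one of the given certificates.
# Two clients presenting the same name cannot both stay connected, so any
# output here is a problem to fix before handing out the files.
duplicate_cns() {
  for crt in "$@"; do cert_cn "$crt"; done | sort | uniq -d
}

# Fail if any .key file in the directory is readable by group or others.
keys_private() {
  for k in "$1"/*.key; do
    [ -e "$k" ] || continue
    case "$(ls -ld "$k" | cut -c5-10)" in
      ------) ;;
      *) echo "key readable by others: $k" >&2; return 1 ;;
    esac
  done
}

# Constructed throwaway PKI for trying the checks: a self-signed CA plus
# client1 and client2, signed by it. Not the post's keys.
make_test_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-ca" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  for n in client1 client2; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/$n.csr" -CA "$d/ca.crt" \
      -CAkey "$d/ca.key" -CAcreateserial -out "$d/$n.crt" 2>/dev/null
  done
  chmod 600 "$d"/*.key
}
```

On the real keys directory, `verify_chain keys/ca.crt keys/client*.crt`, `duplicate_cns keys/client*.crt` and `keys_private keys` are the three calls to run; an empty result from duplicate_cns and a zero exit from the other two is the expected state.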
7. Configuration files
a) cp /root/openvpn-
b) vi /usr/local/etc/server.conf
i. Change proto udp to proto tcp
ii. Change the four ca lines to
ca /root/openvpn-
cert /root/openvpn-
key /root/openvpn-
dh /root/openvpn-
iii. For the full server.conf configuration file, see the reference file server.conf
8. Start the service:
a) Remove all blocking of SSH (22) and OpenVPN (1194) on the server and on the firewall.
b) echo 1 > /proc/sys/net/ipv4/ip_forward
c) /usr/local/sbin/openvpn --config /usr/local/etc/server.conf
d) To start at boot, append the following to /etc/rc.local
/usr/local/sbin/openvpn --config /usr/local/etc/server.conf > /dev/null 2>&1 &
4. Install the client
1. Download the Windows client "OpenVPN GUI For Windows" whose version matches the OpenVPN server
a) For example, if the server runs OpenVPN 2.09, the OpenVPN GUI for Windows to download should be: openvpn-
2. Run openvpn-
3. Copy ca.crt, client1.crt and client1.key to C:\Program Files\OpenVPN\config. (Different users use different certificates; each certificate consists of two files, .crt and .key, e.g. client2.crt and client2.key.)
4. In /root/openvpn-
a) Change proto udp to proto tcp
b) Change the remote line to
the VPN server's public IP here, followed by 1194 (the port number)
c) Change the three ca lines to
ca ca.crt
cert client1.crt
key client1.key
d) Comment out comp-lzo
For the full client configuration file, see the reference file client.ovpn
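The script below is an added example, not code from the original post: it applies the server.conf edits from step 7 and the client.ovpn edits from step 4 with sed instead of by hand, reads the result back with conf_value so the change can be checked, and flags the one mismatch that is easy to create when editing the two files separately (comp-lzo active on one side only, which stops the tunnel from passing traffic). The sample configs, the keys directory /root/keys, the server address 203.0.113.10 and the client name client1 are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): scripted versions of the
# server.conf and client.ovpn edits, plus a read-back check.
set -eu

# Constructed excerpts of the sample server.conf and client.ovpn that ship
# with OpenVPN; only the directives the post edits are included.
write_samples() {
  cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
comp-lzo
EOF
  cat > "$1/client.ovpn" <<'EOF'
client
dev tun
proto udp
remote my-server-1 1194
ca ca.crt
cert client.crt
key client.key
comp-lzo
EOF
}

# Rewrite a file through sed without relying on the non-portable sed -i.
edit_in_place() {
  f=$1
  shift
  sed "$@" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Step 7b: proto udp -> proto tcp; ca/cert/key/dh pointed at the keys directory.
patch_server_conf() {
  conf=$1
  keydir=$2
  edit_in_place "$conf" \
    -e 's/^proto udp$/proto tcp/' \
    -e "s|^ca .*|ca $keydir/ca.crt|" \
    -e "s|^cert .*|cert $keydir/server.crt|" \
    -e "s|^key .*|key $keydir/server.key|" \
    -e "s|^dh .*|dh $keydir/dh1024.pem|"
}

# Client step 4: proto tcp, remote <server ip> 1194, this client's own
# cert/key files, and comp-lzo commented out.
patch_client_conf() {
  conf=$1
  server_ip=$2
  name=$3
  edit_in_place "$conf" \
    -e 's/^proto udp$/proto tcp/' \
    -e "s/^remote .*/remote $server_ip 1194/" \
    -e 's/^ca .*/ca ca.crt/' \
    -e "s/^cert .*/cert $name.crt/" \
    -e "s/^key .*/key $name.key/" \
    -e 's/^comp-lzo$/#comp-lzo/'
}

# Print the argument(s) of the first active (uncommented) occurrence of a directive.
conf_value() {
  awk -v k="$2" '$1 == k { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# Succeed when comp-lzo is active in both files or in neither; a one-sided
# setting is the classic "connected but no traffic" misconfiguration.
lzo_matches() {
  a=$(awk '$1 == "comp-lzo" { print "on"; exit }' "$1")
  b=$(awk '$1 == "comp-lzo" { print "on"; exit }' "$2")
  [ "$a" = "$b" ]
}

# Demonstration on the constructed samples (assumed paths, address and name).
tmp=$(mktemp -d)
write_samples "$tmp"
patch_server_conf "$tmp/server.conf" /root/keys
patch_client_conf "$tmp/client.ovpn" 203.0.113.10 client1
lzo_matches "$tmp/server.conf" "$tmp/client.ovpn" \
  || echo "warning: comp-lzo differs between server and client" >&2
cat "$tmp/server.conf" "$tmp/client.ovpn"
```

Running it as written prints the warning, because the post comments out comp-lzo on the client only while the stock server.conf keeps it on; either comment it out on the server as well or leave it active on both ends, then re-run lzo_matches on the real files.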