Required packages:

1. Install the lzo package

[root@localhost ~]#rpm -ivh lzo-2.02-3.el5.kb.i386.rpm

2. Install openvpn

[root@localhost ~]#rpm -ivh openvpn-2.1-0.20.rc4.el5.kb.i386.rpm

3. Copy the directory used to generate certificates and keys

[root@localhost ~]#cp -r /usr/share/openvpn/easy-rsa/2.0/ /etc/openvpn/

4. Copy the sample configuration file

[root@localhost ~]#cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn/

5. Generate the certificates and keys
 
(1) Initialize the PKI

[root@localhost ~]# cd /etc/openvpn/2.0/
[root@localhost 2.0]# vi vars

Edit the following entries:

export KEY_COUNTRY="CN"          (note: country)
export KEY_PROVINCE="SX"         (note: province)
export KEY_CITY="XA"             (note: city)
export KEY_ORG="VPN-TEST"        (note: company name)
export KEY_EMAIL="[email protected]"   (note: e-mail address)

[root@localhost 2.0]#env |grep KEY    (check first; nothing is set yet)
[root@localhost 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/2.0/keys

(Note: if you have already run ./clean-all, run rm -rf /etc/openvpn/2.0/keys to remove it.)

[root@localhost 2.0]# env |grep KEY
KEY_EXPIRE=3650
[email protected]
KEY_SIZE=1024
KEY_DIR=/etc/openvpn/2.0/keys
KEY_CITY=XA
KEY_PROVINCE=SX
KEY_ORG=VPN-TEST
KEY_CONFIG=/etc/openvpn/2.0/openssl.cnf
KEY_COUNTRY=CN
[root@localhost 2.0]#
[root@localhost 2.0]# ./clean-all    (this creates a keys directory under the current directory)
 
Generate the CA files

[root@localhost 2.0]# ./build-ca
Generating a 1024 bit RSA private key
....++++++
..++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SX]:
Locality Name (eg, city) [XA]:
Organization Name (eg, company) [VPN-TEST]:
Organizational Unit Name (eg, section) []:vpn
Common Name (eg, your name or your server's hostname) [VPN-TEST CA]:server    (note: be sure to enter server here)
Email Address [[email protected]]:

[root@localhost 2.0]# ls keys/    (two files, ca.crt and ca.key, have now been generated under keys)
 
(2) Generate the server key

[root@localhost 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
...........++++++
.......................................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SX]:
Locality Name (eg, city) [XA]:
Organization Name (eg, company) [VPN-TEST]:
Organizational Unit Name (eg, section) []:vpn
Common Name (eg, your name or your server's hostname) [server]:server
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:boobooke    (note: the password must be entered)
An optional company name []:
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SX'
localityName          :PRINTABLE:'XA'
organizationName      :PRINTABLE:'VPN-TEST'
organizationalUnitName:PRINTABLE:'vpn'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Dec 31 13:40:06 2019 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost 2.0]#
[root@localhost 2.0]# ls keys/    (server.crt, server.csr and server.key have now been generated)
 
(3) Generate the client key

[root@localhost 2.0]# ./build-key client1
Generating a 1024 bit RSA private key
....................................++++++
.....++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SX]:
Locality Name (eg, city) [XA]:
Organization Name (eg, company) [VPN-TEST]:
Organizational Unit Name (eg, section) []:vpn
Common Name (eg, your name or your server's hostname) [client1]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:boobooke
An optional company name []:
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SX'
localityName          :PRINTABLE:'XA'
organizationName      :PRINTABLE:'VPN-TEST'
organizationalUnitName:PRINTABLE:'vpn'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Dec 31 13:43:36 2019 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

The options above must be kept consistent with those used for the server.

[root@localhost 2.0]# ls keys/    (client1.crt, client1.key and client1.csr have now been generated)
 
Generate the Diffie-Hellman parameters

[root@localhost 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
[progress dots omitted]
[root@localhost 2.0]#
 
Create the server configuration file

Copy ca.crt, server.crt, server.key and dh1024.pem from keys/ to /etc/openvpn.

Configure /etc/openvpn/server.conf:

[root@localhost openvpn]# vi server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
push "dhcp-option DNS 202.98.5.68"
"server.conf" 16L, 249C written
[root@localhost openvpn]#
 
Start the service

[root@localhost openvpn]# service openvpn restart

After the service starts, ifconfig shows a new interface, tun0:

[root@localhost openvpn]# ifconfig
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:26 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:2804 (2.7 KiB)  TX bytes:18332 (17.9 KiB)
 
Client setup on Windows

Install the OpenVPN software.

Copy ca.crt, ca.key, client1.crt, client1.csr and client1.key from /etc/openvpn/2.0/keys/ on the server to C:\Program Files\OpenVPN\config.

Copy C:\Program Files\OpenVPN\sample-config\client.ovpn to C:\Program Files\OpenVPN\config.

Edit client.ovpn with Notepad:

client
dev tun
proto udp
remote 222.161.0.93 1194
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
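The server.conf and client.ovpn shown above, and the list of files copied to the Windows client, can be checked mechanically before the tunnel goes live. The linter below is an added example, not code from the original post or from the OpenVPN project. The sample configs inside it are constructed from the post's two files, with the server's push line given an unbalanced inner quote of the kind a copy-paste slip produces (OpenVPN refuses to load such a line). It flags the 1024-bit DH parameters, comp-lzo compression, the obsolete ns-cert-type directive (superseded by remote-cert-tls server, which checks the extendedKeyUsage that build-key-server puts in the server certificate), a missing tls-auth/tls-crypt key, and a CA private key or CSR placed in the client directory. remote-cert-tls, tls-auth and tls-crypt are real OpenVPN directives; the filename ta.key is an assumption.

```python
"""Lint OpenVPN 2.x config files for the weak settings seen in this walkthrough.
Added example, not the post's or OpenVPN's own code; samples are constructed."""
import re
import shlex

# Directives reported wherever they occur.
DEPRECATED = {
    "ns-cert-type": "ns-cert-type is obsolete; use 'remote-cert-tls server'",
    "comp-lzo": "comp-lzo turns on compression; leave it off unless required",
}


def parse_config(text):
    """Yield (lineno, directive, args) per non-comment line. A line whose double
    quotes are unbalanced makes shlex raise ValueError; it is yielded with
    directive=None so the caller can report it instead of silently skipping."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:
            yield lineno, None, [line]
            continue
        yield lineno, tokens[0], tokens[1:]


def lint_config(text):
    """Return a list of findings (strings) for one server or client config."""
    findings = []
    seen = set()
    for lineno, directive, args in parse_config(text):
        if directive is None:
            findings.append(f"line {lineno}: unbalanced quotes in {args[0]!r}")
            continue
        seen.add(directive)
        if directive in DEPRECATED:
            findings.append(f"line {lineno}: {DEPRECATED[directive]}")
        elif directive == "dh" and args:
            bits = re.search(r"\d{3,5}", args[0])  # e.g. dh1024.pem -> 1024
            if bits and int(bits.group()) < 2048:
                findings.append(f"line {lineno}: DH parameters '{args[0]}' look shorter than 2048 bits")
        elif directive == "push" and len(args) != 1:
            findings.append(f"line {lineno}: push takes exactly one quoted option, got {args}")
    if not seen & {"tls-auth", "tls-crypt"}:
        findings.append("no tls-auth/tls-crypt: control channel has no pre-shared HMAC key")
    return findings


def lint_client_dir(filenames):
    """Flag files in a client's config directory that do not belong on a client."""
    findings = []
    for name in filenames:
        if name == "ca.key":
            findings.append("ca.key: the CA private key stays on the CA host; clients need only ca.crt")
        elif name.endswith(".csr"):
            findings.append(f"{name}: a signing request is not used by the client")
    return findings


# Constructed sample: the post's server.conf, with a stray inner quote in push.
SERVER_CONF_FROM_POST = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
push "dhcp-option DNS "202.98.5.68"
"""

# Constructed sample: the post's client.ovpn.
CLIENT_OVPN_FROM_POST = """\
client
dev tun
proto udp
remote 222.161.0.93 1194
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
"""

if __name__ == "__main__":
    print("server.conf:", lint_config(SERVER_CONF_FROM_POST))
    print("client.ovpn:", lint_config(CLIENT_OVPN_FROM_POST))
    # The five files the post copies into C:\Program Files\OpenVPN\config.
    print("client dir:", lint_client_dir(["ca.crt", "ca.key", "client1.crt", "client1.csr", "client1.key"]))
```

A config that passes cleanly replaces dh1024.pem with a 2048-bit file, drops comp-lzo, adds tls-auth ta.key 0 on the server and tls-auth ta.key 1 (or tls-crypt ta.key) on the client, uses remote-cert-tls server on the client, and quotes the push option as push "dhcp-option DNS 202.98.5.68". The client directory then holds only ca.crt, client1.crt, client1.key and ta.key.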
