May 18
I. OpenVPN installation environment
Server-side environment
1. CentOS, kernel version 2.6.18, IP 221.233.59.16 (ADSL dial-up)
2. The kernel must support the tun device, and the iptables modules must be loaded.
3. OpenVPN version installed: 2.1.rc15 (the latest release at the time; available from http://openvpn.net).
Client-side environment
1. Windows XP SP2
2. openvpn-2.1_rc15-install.exe (this build bundles the OpenVPN GUI client)
II. OpenVPN server installation
1. Log in to CentOS with PuTTY.
2. Download LZO and OpenVPN 2.1.rc15:
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz
wget http://openvpn.net/release/openvpn-2.1_rc15.tar.gz
yum install -y openssl-devel
3. Build and install LZO and OpenVPN:
tar zxvf lzo-2.03.tar.gz
cd lzo-2.03
./configure
make
make install
cd ..
tar zxvf openvpn-2.1_rc15.tar.gz
cd openvpn-2.1_rc15
./configure
make
make install
cd ..
cp /root/openvpn-2.1_rc15/easy-rsa/ -r /etc/openvpn
4. Generate the certificates. Initialize the PKI:
cd /etc/openvpn/2.0/
# The key parameters can be set here (or by editing the vars file)
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=GD
export KEY_CITY=SZ
export KEY_ORG="dvdmaster"
export KEY_EMAIL="[email protected]"
# These exports can also be skipped; just source the vars file directly
. vars
Create the certificate authority (CA):
./clean-all
./build-ca
Generating a 1024 bit RSA private key
................++++++
........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [dvdmaster]:
Organizational Unit Name (eg, section) []:dvdmaster
Common Name (eg, your name or your server's hostname) []:server
Email Address [[email protected]]:
Build the server key:
./build-key-server server
Generating a 1024 bit RSA private key
......++++++
....................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [dvdmaster]:
Organizational Unit Name (eg, section) []:dvdmaster
Common Name (eg, your name or your server's hostname) []:server
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:dvdmaster
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GD'
localityName :PRINTABLE:'SZ'
organizationName :PRINTABLE:'dvdmaster'
organizationalUnitName:PRINTABLE:'dvdmaster'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate the client key:
./build-key client1
Generating a 1024 bit RSA private key
.....++++++
......++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [dvdmaster]:
Organizational Unit Name (eg, section) []:dvdmaster
Common Name (eg, your name or your server's hostname) []:client1 # Important: each client's certificate must be given a different name.
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:dvdmaster
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GD'
localityName :PRINTABLE:'SZ'
organizationName :PRINTABLE:'dvdmaster'
organizationalUnitName:PRINTABLE:'dvdmaster'
commonName :PRINTABLE:'client1'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Build further client keys the same way:
./build-key client2
./build-key client3
Note: at the Common Name (eg, your name or your server's hostname) []: prompt, the name entered for each certificate must be different.
5. Generate the Diffie-Hellman parameters:
./build-dh
6. Pack up everything under keys and download it locally (via WinSCP, HTTP, FTP, etc.):
tar zcvf yskeys.tar.gz keys/
7. Create the server configuration file:
mkdir /etc/openvpn/2.0/conf
cp /root/openvpn-2.1_rc15/sample-config-files/server.conf /etc/openvpn/2.0/conf/server.conf
Sample server configuration file (server.conf):
port 1194
proto udp
dev tun
ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/server.crt # must match the name given to ./build-key-server above
key /etc/openvpn/2.0/keys/server.key # This file should be kept secret
dh /etc/openvpn/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 202.103.44.150" # DNS addresses pushed to the client
push "dhcp-option DNS 202.103.24.68" # DNS addresses pushed to the client
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
8. Start OpenVPN:
/usr/local/sbin/openvpn --config /etc/openvpn/2.0/conf/server.conf &
III. Installing the OpenVPN GUI for Windows client
1. Download openvpn-2.1_rc15-install.exe (this build bundles the OpenVPN GUI). Official download: http://openvpn.net/release/openvpn-2.1_rc15-install.exe
2. Install OpenVPN GUI following the on-screen prompts.
3. Configure OpenVPN GUI: extract the following certificate files from the yskeys.tar.gz packed in step 6 above into the OpenVPN\config folder under your OpenVPN GUI install path:
ca.crt
ca.key
client1.crt
client1.csr
client1.key
4. Edit client.ovpn: copy client.ovpn from OpenVPN\sample-config under your OpenVPN GUI install path into OpenVPN\config, open it in Notepad, find the line remote my-server-1 1194 and replace my-server-1 with your server's IP address:
remote 221.233.59.16 1194
5. Double-click client.ovpn to start OpenVPN, or start the VPN from the OpenVPN GUI.
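Step 6 of the server installation packs the whole keys directory (which also holds ca.key and server.key), and client step 3 then extracts ca.key onto the Windows box. As an added example, not code from the page or from the OpenVPN project, this Python script builds a per-client bundle holding only ca.crt, the client's own certificate and key, and a client.ovpn with the directives used on this page; the keys directory, client name and server IP are parameters, and the demo uses constructed placeholder files rather than real keys.

```python
"""Pack a per-client OpenVPN bundle from an easy-rsa keys directory.
Added example; assumes the /etc/openvpn/2.0/keys layout used on this page."""
import io
import os
import tarfile
import tempfile

# Server-side secrets and PKI state that must never be copied to a client.
NEVER_SHIP = {"ca.key", "server.key", "dh1024.pem", "index.txt", "serial"}


def client_files(keys_dir, name):
    """Paths a client needs: ca.crt, <name>.crt, <name>.key. Raises if one is missing."""
    paths = []
    for fn in ("ca.crt", f"{name}.crt", f"{name}.key"):
        if fn in NEVER_SHIP:
            raise ValueError(f"refusing to ship {fn}")
        p = os.path.join(keys_dir, fn)
        if not os.path.isfile(p):
            raise FileNotFoundError(f"{p}: run ./build-key {name} first")
        paths.append(p)
    return paths


def render_client_ovpn(name, server_ip, port=1194):
    """client.ovpn matching this page; ns-cert-type server means the client only
    accepts a certificate that was built with ./build-key-server."""
    return "\n".join([
        "client", "dev tun", "proto udp", f"remote {server_ip} {port}",
        "persist-key", "persist-tun", "ca ca.crt", f"cert {name}.crt",
        f"key {name}.key", "ns-cert-type server", "comp-lzo", "verb 3", ""])


def build_bundle(keys_dir, name, server_ip, out_path):
    """Write out_path as tar.gz and return its sorted member names."""
    with tarfile.open(out_path, "w:gz") as tar:
        for p in client_files(keys_dir, name):
            tar.add(p, arcname=os.path.basename(p))
        data = render_client_ovpn(name, server_ip).encode()
        info = tarfile.TarInfo(f"{name}.ovpn")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))  # generated in memory, never on disk
    with tarfile.open(out_path) as tar:
        return sorted(tar.getnames())


def demo():
    """Constructed keys directory with placeholder files (not real keys)."""
    tmp = tempfile.mkdtemp()
    keys = os.path.join(tmp, "keys")
    os.mkdir(keys)
    for fn in ("ca.crt", "ca.key", "server.crt", "server.key", "dh1024.pem",
               "client1.crt", "client1.key", "client1.csr"):
        with open(os.path.join(keys, fn), "w") as fh:
            fh.write(f"PLACEHOLDER {fn}\n")
    return build_bundle(keys, "client1", "221.233.59.16",
                        os.path.join(tmp, "client1.tar.gz"))


if __name__ == "__main__":
    print(demo())  # ['ca.crt', 'client1.crt', 'client1.key', 'client1.ovpn']
```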
III. Configuring OpenVPN for Internet access
1. Enable IP forwarding on CentOS 5:
echo 1 > /proc/sys/net/ipv4/ip_forward
# To keep forwarding enabled after CentOS reboots, also run the command below (sysctl -w sets it for the running kernel; the persistent setting is net.ipv4.ip_forward = 1 in /etc/sysctl.conf)
sysctl -w net.ipv4.ip_forward=1
2. Add the iptables NAT rule
# My CentOS box was on ADSL dial-up that day, so the egress interface is ppp0; adjust to your setup
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ppp0 -j MASQUERADE
3. Make sure server.conf contains the following three settings:
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 202.103.44.150" # DNS addresses pushed to the client
push "dhcp-option DNS 202.103.24.68" # DNS addresses pushed to the client
After the client has connected, run ipconfig /all in cmd; the output should look something like this:
Ethernet adapter 本地连接 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Win32 Adapter V9
Physical Address. . . . . . . . . : 00-FF-F2-1A-44-BD
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.8.0.6
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . : 10.8.0.5
DHCP Server . . . . . . . . . . . : 10.8.0.5
DNS Servers . . . . . . . . . . . : 10.8.0.1
202.103.44.150
202.103.24.68
Lease Obtained. . . . . . . . . . : 2009年5月8日 23:55:06
Lease Expires . . . . . . . . . . : 2010年5月8日 23:55:06
IV. Starting OpenVPN automatically after the server reboots
Run
vi /etc/rc.local
and add this line at the end:
/usr/local/sbin/openvpn --config /etc/openvpn/2.0/conf/server.conf &
V. Testing OpenVPN
After connecting, visit www.ip138.com and check the public IP it shows; if it is the CentOS system's public IP, the test has succeeded.
May 17
Required packages:
1. Install the LZO package
[root@localhost ~]#rpm -ivh lzo-2.02-3.el5.kb.i386.rpm
2. Install OpenVPN
[root@localhost ~]#rpm -ivh openvpn-2.1-0.20.rc4.el5.kb.i386.rpm
3. Copy the easy-rsa directory used to generate certificates and keys
[root@localhost ~]#cp -r /usr/share/openvpn/easy-rsa/2.0/ /etc/openvpn/
4. Copy the sample configuration file
[root@localhost ~]#cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn/
5. Generate the certificates and keys
(1) Initialize the PKI
[root@localhost ~]# cd /etc/openvpn/2.0/
[root@localhost 2.0]# vi vars
Edit the following entries:
export KEY_COUNTRY="CN" (country)
export KEY_PROVINCE="SX" (province)
export KEY_CITY="XA" (city)
export KEY_ORG="VPN-TEST" (organization name)
export KEY_EMAIL="[email protected]" (e-mail address)
[root@localhost 2.0]#env |grep KEY (check first: nothing is set yet)
[root@localhost 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/2.0/keys
(Note: running ./clean-all deletes /etc/openvpn/2.0/keys with rm -rf)
[root@localhost 2.0]# env |grep KEY
KEY_EXPIRE=3650
[email protected]
KEY_SIZE=1024
KEY_DIR=/etc/openvpn/2.0/keys
KEY_CITY=XA
KEY_PROVINCE=SX
KEY_ORG=VPN-TEST
KEY_CONFIG=/etc/openvpn/2.0/openssl.cnf
KEY_COUNTRY=CN
[root@localhost 2.0]#
[root@localhost 2.0]# ./clean-all (this creates a keys directory under the current directory)
Generate the CA files
[root@localhost 2.0]# ./build-ca
Generating a 1024 bit RSA private key
....++++++
..++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SX]:
Locality Name (eg, city) [XA]:
Organization Name (eg, company) [VPN-TEST]:
Organizational Unit Name (eg, section) []:vpn
Common Name (eg, your name or your server's hostname) [VPN-TEST CA]:server (note: be sure to enter server here)
Email Address [[email protected]]:
[root@localhost 2.0]# ls keys/ (ca.crt and ca.key have now been generated under keys)
(2) Generate the server key
[root@localhost 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
...........++++++
.......................................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SX]:
Locality Name (eg, city) [XA]:
Organization Name (eg, company) [VPN-TEST]:
Organizational Unit Name (eg, section) []:vpn
Common Name (eg, your name or your server's hostname) [server]:server
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:boobooke (note: a password must be entered)
An optional company name []:
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SX'
localityName :PRINTABLE:'XA'
organizationName :PRINTABLE:'VPN-TEST'
organizationalUnitName:PRINTABLE:'vpn'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Dec 31 13:40:06 2019 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost 2.0]#
[root@localhost 2.0]# ls keys/ (server.crt, server.csr and server.key have now been generated)
(3) Generate the client key
[root@localhost 2.0]# ./build-key client1
Generating a 1024 bit RSA private key
....................................++++++
.....++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SX]:
Locality Name (eg, city) [XA]:
Organization Name (eg, company) [VPN-TEST]:
Organizational Unit Name (eg, section) []:vpn
Common Name (eg, your name or your server's hostname) [client1]:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:boobooke
An optional company name []:
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SX'
localityName :PRINTABLE:'XA'
organizationName :PRINTABLE:'VPN-TEST'
organizationalUnitName:PRINTABLE:'vpn'
commonName :PRINTABLE:'client1'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Dec 31 13:43:36 2019 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
The options above must match those used for the server.
[root@localhost 2.0]# ls keys/ (client1.crt, client1.key and client1.csr have now been generated)
Generate the Diffie-Hellman parameters
[root@localhost 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
[root@localhost 2.0]#
Create the server configuration file
Copy ca.crt, server.crt, server.key and dh1024.pem from keys to /etc/openvpn.
Configure /etc/openvpn/server.conf
[root@localhost openvpn]# vi server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
push "dhcp-option DNS 202.98.5.68"
"server.conf" 16L, 249C written
[root@localhost openvpn]#
Start the service
[root@localhost openvpn]# service openvpn restart
After the service starts, ifconfig shows a new interface, tun0:
[root@localhost openvpn]# ifconfig
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:26 errors:0 dropped:0 overruns:0 frame:0
TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:2804 (2.7 KiB) TX bytes:18332 (17.9 KiB)
Windows client setup
Install the OpenVPN software.
Copy ca.crt, ca.key, client1.crt, client1.csr and client1.key from /etc/openvpn/2.0/keys/ on the server to C:\Program Files\OpenVPN\config.
Copy C:\Program Files\OpenVPN\sample-config\client.ovpn to C:\Program Files\OpenVPN\config.
Edit client.ovpn with Notepad:
client
dev tun
proto udp
remote 222.161.0.93 1194
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
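The server.conf and client.ovpn files on this page are easy to get subtly wrong: a cert/key name that differs from what ./build-key-server produced, a stray quote in a push line, no user/group privilege drop, or a client that would accept any CA-signed certificate as the server. As an added example that is not the page's or the OpenVPN project's code, this Python linter parses OpenVPN config syntax with shlex and reports those problems; the configs it checks are constructed inline to mirror the ones shown on this page.

```python
"""Lint OpenVPN server.conf / client.ovpn for the mistakes seen on this page.
Added example; the sample configs below are constructed, not copied from a live host."""
import shlex

# Mirrors the first post's server.conf: ./build-key-server was run with the name
# "server", but the config references ovpnser.crt / ovpnser.key.
SERVER_CONF_POST1 = """
port 1194
proto udp
dev tun
ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/ovpnser.crt
key /etc/openvpn/2.0/keys/ovpnser.key # This file should be kept secret
dh /etc/openvpn/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
user nobody
group nobody
persist-key
persist-tun
"""

# Mirrors the second post's server.conf: no privilege drop, stray quote on the push line.
SERVER_CONF_POST2 = """
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS "202.98.5.68"
"""

# Mirrors the second post's client.ovpn.
CLIENT_OVPN = """
client
dev tun
proto udp
remote 222.161.0.93 1194
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
"""


def parse(text):
    """Return [(directive, [args])]. Lines starting with '#' or ';' are comments and a
    trailing '# ...' is dropped. An unbalanced quote raises ValueError; OpenVPN would
    refuse such a line as well."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError as e:
            raise ValueError(f"line {n}: {e}: {line!r}") from e
        if tokens:
            out.append((tokens[0], tokens[1:]))
    return out


def stem(path):
    """'/etc/openvpn/2.0/keys/ovpnser.crt' -> 'ovpnser'."""
    return path.rsplit("/", 1)[-1].rsplit(".", 1)[0]


def lint_server(text, built_name):
    """built_name is the argument that was given to ./build-key-server ('server' here)."""
    try:
        have = dict(parse(text))
    except ValueError as e:
        return [f"syntax: {e}"]
    findings = [f"missing directive: {d}"
                for d in ("ca", "cert", "key", "dh", "server") if d not in have]
    for d in ("cert", "key"):
        if d in have and stem(have[d][0]) != built_name:
            findings.append(f"{d} {have[d][0]} does not match ./build-key-server {built_name}")
    if "user" not in have or "group" not in have:
        findings.append("no user/group: openvpn keeps running as root after startup")
    elif "persist-key" not in have:
        findings.append("user/group without persist-key: keys cannot be re-read after the privilege drop")
    return findings


def lint_client(text):
    try:
        have = dict(parse(text))
    except ValueError as e:
        return [f"syntax: {e}"]
    findings = [f"missing directive: {d}"
                for d in ("client", "remote", "ca", "cert", "key") if d not in have]
    if have.get("ns-cert-type") != ["server"] and have.get("remote-cert-tls") != ["server"]:
        findings.append("no ns-cert-type/remote-cert-tls server: any CA-signed client cert "
                        "would be accepted as the server")
    return findings


if __name__ == "__main__":
    print(lint_server(SERVER_CONF_POST1, "server"))
    print(lint_server(SERVER_CONF_POST2, "server"))
    print(lint_client(CLIENT_OVPN))
```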