OpenVPN Configuration Notes

Source: original article on this site. Category: Server Technology.

1. Packages: lzo, openvpn, openssl

2. System environment: VPS running CentOS 5

3. Install by compiling from source ("version" below stands for the version actually downloaded):

tar xzvf openssl-version.tar.gz
tar xzvf lzo-version.tar.gz
tar xzvf openvpn-version.tar.gz

cd openssl-version
./config --prefix=/usr/local/openssl    # OpenSSL's configure script is named config
make; make install
cd ..

cd lzo-version
./configure --prefix=/usr/local/lzo     # prefix matches the lzo paths given to the openvpn configure below
make; make install
cd ..

cd openvpn-version
./configure --with-lzo-headers=/usr/local/lzo/include --with-lzo-lib=/usr/local/lzo/lib
make; make install

4. Generate certificates:

cd /root/openvpn-2.0.9/easy-rsa

a) Set the easy-rsa variables:

i. export D=`pwd`
ii. export KEY_CONFIG=$D/openssl.cnf
iii. export KEY_DIR=$D/keys
iv. export KEY_SIZE=1024
v. export KEY_COUNTRY=CN
vi. export KEY_PROVINCE=BJ
vii. export KEY_CITY=BJ
viii. export KEY_ORG="buaa"
ix. export KEY_EMAIL=[email protected]

b) ./clean-all

c) ./build-ca

Generating a 1024 bit RSA private key
..............++++++
........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [dvdmaster]: buaa
Organizational Unit Name (eg, section) []:gait
Common Name (eg, your name or your server's hostname) []:server
Email Address [[email protected]]:

d) ./build-key-server server

Generating a 1024 bit RSA private key
......++++++
....................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [buaa]:
Organizational Unit Name (eg, section) []:gait
Common Name (eg, your name or your server's hostname) []:server
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:dvdmaster
Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'dvdmaster'
organizationalUnitName:PRINTABLE:'dvdmaster'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

5. Client certificates

With this OpenVPN setup, every VPN client that logs in needs its own certificate, and each certificate can serve only one client at a time (if two machines install the same certificate and dial the server simultaneously, both connect, but only the first one to connect actually gets network access). So several certificates have to be created. Below, three are created, named client1 to client3.

e) ./build-key client1

Generating a 1024 bit RSA private key
.....++++++
......++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [buaa]:
Organizational Unit Name (eg, section) []:gait
Common Name (eg, your name or your server's hostname) []:client1    # Important: the certificate generated for each client must have a different name.
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:gait
Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'dvdmaster'
organizationalUnitName:PRINTABLE:'dvdmaster'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

f) Generate the other client certificates and keys in the same way:

./build-key client2
./build-key client3

Note: at the Common Name (eg, your name or your server's hostname) []: prompt, the name entered must be different for every certificate.

g) Run ./build-dh

h) All generated certificates are in /root/openvpn-2.0.9/easy-rsa/keys.

i. The server needs ca.crt, server.crt, server.key and dh1024.pem; each client needs ca.crt plus its own clientN.crt and clientN.key (client1 to client3).

7. Configuration files

a) cp /root/openvpn-2.0.9/sample-config-files/server.conf /usr/local/etc/server.conf

b) vi /usr/local/etc/server.conf

i. Change proto udp to proto tcp

ii. Change the four lines starting with ca to

ca /root/openvpn-2.0.9/easy-rsa/keys/ca.crt
cert /root/openvpn-2.0.9/easy-rsa/keys/server.crt
key /root/openvpn-2.0.9/easy-rsa/keys/server.key
dh /root/openvpn-2.0.9/easy-rsa/keys/dh1024.pem

iii. For the complete server.conf, see the reference file server.conf.

8. Start the service:

a) Remove any rules on the server and on the firewall that block SSH (22) and OpenVPN (1194).

b) echo 1 > /proc/sys/net/ipv4/ip_forward

c) /usr/local/sbin/openvpn --config /usr/local/etc/server.conf

d) To start it at boot, append the following to /etc/rc.local:

/usr/local/sbin/openvpn --config /usr/local/etc/server.conf > /dev/null 2>&1 &

4. Install the client

1. Download the Windows client "OpenVPN GUI for Windows" from http://openvpn.se/, choosing the version that matches the OpenVPN server.

a) For example, if the server runs OpenVPN 2.0.9, the OpenVPN GUI for Windows to download is openvpn-2.0.9-gui-1.0.3-install.exe

2. Run openvpn-2.0.9-gui-1.0.3-install.exe and accept all the defaults.

3. Copy ca.crt, client1.crt and client1.key to C:\Program Files\OpenVPN\config. (Each user uses a different certificate; each certificate consists of two files, a .crt and a .key, e.g. client2.crt and client2.key.)

4. Create the client configuration file from /root/openvpn-2.0.9/sample-config-files/client.conf and save it as C:\Program Files\OpenVPN\config\client.ovpn

a) Change proto udp to proto tcp

b) Change the remote line to

remote <public IP of the VPN server> 1194

(the public IP of the VPN server, followed by the port number)

c) Change the three ca lines to

ca ca.crt
cert client1.crt
key client1.key

d) Comment out comp-lzo

For the complete client.ovpn, see the reference file client.ovpn.

IV. Summary of problems:

1. The certificate and key paths in server.conf/client.conf must be written correctly.

2. Change proto udp to proto tcp.

3. ./build-key client ...: each client must be given a different common name, and it must not be the same as any common name used above.

4. Certificate validity start times matter, so keep the server and client clocks synchronized. For example:

date -s 20:30:30        # set the system time to 20:30:30
clock -w                # write the system time (e.g. as set by date) to the BIOS
ntpdate pool.ntp.org    # or synchronize the time from the network

5. On an OpenVZ VPS, run the following before setting up OpenVPN (120 is the container ID):

vzctl set 120 --devices c:10:200:rw --save
vzctl exec 120 mkdir -p /dev/net
vzctl exec 120 mknod /dev/net/tun c 10 200
vzctl exec 120 chmod 600 /dev/net/tun

Otherwise TUN cannot be enabled.

6. In /etc/vz/vz.conf (vi /etc/vz/vz.conf) find

## IPv4 iptables kernel modules
IPTABLES="iptable_nat ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"

and add these modules to the container configuration /etc/vz/conf/120.conf (vi /etc/vz/conf/120.conf):

# CPU fair sheduler parameter
CPUUNITS="1000"
VE_ROOT="/vz/root/$VEID"
VE_PRIVATE="/vz/private/$VEID"
OSTEMPLATE="centos-4-i386-default"
ORIGIN_SAMPLE="vps.basic"
IP_ADDRESS="61.191.20.26"
HOSTNAME="vps120"
NAMESERVER="202.102.192.68"
DEVICES="c:10:200:rw "
IPTABLES="ip_tables iptable_nat iptable_filter iptable_mangle ipt_limit ipt_REJECT ipt_length "
CAPABILITY="NET_ADMIN:on "

Otherwise it reports that the nat/filter modules do not exist and the kernel needs to be recompiled.

Then run:

vzctl set 120 --iptables iptable_filter --iptables ipt_length --iptables ipt_limit --iptables iptable_mangle --iptables ipt_REJECT --save

Restart the OpenVZ host.

Finally, enable NAT in iptables:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 61.191.20.26
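A small consistency checker, added here as an example and not code from the original post, that automates the unique-Common-Name rule from step 5 and items 1 to 3 of the summary above: it parses a server.conf/client.ovpn pair, verifies that the four certificate paths in server.conf exist, flags a proto or comp-lzo mismatch between the two sides, and finds Common Names issued more than once in `openssl x509 -noout -subject` output (the old slash-separated format printed by the OpenSSL shipped with CentOS 5). The two configs, the 203.0.113.10 address and the subject lines are constructed sample input.

```python
# Added example, not code from the original post: checks for the pitfalls in the
# summary (bad certificate paths in server.conf, proto mismatch, comp-lzo on one
# side only, duplicate client Common Names). All sample input is constructed.
import os

def parse_ovpn(text):  # -> {directive: [args]}; lines starting with '#' or ';' are comments
    conf = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and line[0] not in '#;':
            conf[line.split()[0]] = line.split()[1:]
    return conf

def check_pair(server, client, exists=os.path.exists):  # [] means server and client agree
    problems = []
    for d in ('ca', 'cert', 'key', 'dh'):  # the four lines edited in server.conf
        for path in server.get(d, []):
            if not exists(path):
                problems.append(f'server {d} file not found: {path}')
    if server.get('proto') != client.get('proto'):
        problems.append(f"proto mismatch: server {server.get('proto')} client {client.get('proto')}")
    if ('comp-lzo' in server) != ('comp-lzo' in client):
        problems.append('comp-lzo enabled on one side only')
    return problems

def duplicate_common_names(subjects):  # subjects as printed by 'openssl x509 -noout -subject'
    seen, dups = set(), set()
    for subj in subjects:
        cn = subj.split('/CN=')[1].split('/')[0]
        (dups if cn in seen else seen).add(cn)
    return sorted(dups)
# Constructed sample pair; the client still has the proto udp and comp-lzo the post says to change.
SERVER_CONF = """proto tcp
ca /root/openvpn-2.0.9/easy-rsa/keys/ca.crt
cert /root/openvpn-2.0.9/easy-rsa/keys/server.crt
key /root/openvpn-2.0.9/easy-rsa/keys/server.key
dh /root/openvpn-2.0.9/easy-rsa/keys/dh1024.pem
;comp-lzo"""
CLIENT_OVPN = """client
proto udp
remote 203.0.113.10 1194
ca ca.crt
cert client1.crt
key client1.key
comp-lzo"""
SUBJECTS = [  # constructed: client2 was mistakenly issued with CN=client1
    "subject= /C=CN/ST=GD/L=SZ/O=dvdmaster/OU=dvdmaster/CN=client1",
    "subject= /C=CN/ST=GD/L=SZ/O=dvdmaster/OU=dvdmaster/CN=client1",
    "subject= /C=CN/ST=GD/L=SZ/O=dvdmaster/OU=dvdmaster/CN=client3",
]
```

Run `check_pair(parse_ovpn(open('server.conf').read()), parse_ovpn(open('client.ovpn').read()))` on the real files; with the sample pair it reports the proto and comp-lzo mismatches, and `duplicate_common_names(SUBJECTS)` returns `['client1']`.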

Source: CCIE那點事, http://www.qdxgqk.live/ (all rights reserved; unless another source is noted, articles on the site are the author's own and may be cited freely with attribution; full reproduction is prohibited).
Permalink: http://www.qdxgqk.live/?p=3334