浏览此站
联系我们相册切换到窄版 Language

 找回密码
 注册
易陆发现论坛»论坛 操作系统区 应用网络 linux下openvpn2.3.4服务器部署
返回列表 发新帖
查看: 5056|回复: 4

linux下openvpn2.3.4服务器部署

[复制链接]
admin

1

主题

0

回帖

12

积分

管理员

积分
12
QQ
发表于 2019-9-5 17:00:01 | 显示全部楼层 |阅读模式
二、部署openvpn    本次部署openvpn服务器,因为使用了最新的openvpn2.3.4,而这个包里面没有包含最重要的证书制作部分:easy-rsa    openvpn官网也给出明确说明:Starting with openvpn-2.3_alpha2 easy-rsa is no longer part of the OpenVPN source or binary packages    所以,我们需要事先下载好easyrsa,可以到GitHub上进行下载,配置过程将在下面第3步进行,本次部署使用了easy-rsa3,与easy-rsa2.0的操作完全不同,网上其它关于easy-rsa2.0的教程不适合本次部署    在部署openvpn之前,最好用ntpdate同步一下服务器的时间,否则生成证书的时间也不准确,会造成那个什么centificate error等的错误!
" r6 o/ Q8 Q2 I2 q* c1、安装lzo
3 q6 q, q5 W7 Z( `    lzo是致力于解压速度的一种数据压缩算法123[root@vpn ~]# tar xf lzo-2.08.tar.gz[root@vpn ~]# cd lzo-2.08[root@vpn lzo-2.08]# ./configure && make && make install2、安装openvpn1234567[root@vpn ~]# tar xf openvpn-2.3.4.tar.gz[root@vpn ~]# cd openvpn-2.3.4[root@vpn openvpn-2.3.4]# ./configure --with-lzo-headers=/usr/local/include/ --with-lzo-lib=/usr/local/lib[root@vpn openvpn-2.3.4]# make && make install[root@vpn openvpn-2.3.4]# [root@vpn openvpn-2.3.4]# which openvpn/usr/local/sbin/openvpn      #看到这里,说明安装openvpn成功3、配置easyrsa服务端    openvpn-2.3.4软件包不包含证书(ca证书,服务端证书,客户端证书)制作工具,所以还需要单独下载easy-rsa,最新的为easy-rsa3    Starting with openvpn-2.3_alpha2 easy-rsa is no longer part of the OpenVPN source or binary packages(来源openvpn官网)123456789101112[root@vpn ~]# unzip easy-rsa-master.zip [root@vpn ~]# mv easy-rsa-master easy-rsa[root@vpn ~]# cp -R easy-rsa/ openvpn-2.3.4/[root@vpn ~]# cd openvpn-2.3.4/easy-rsa/easyrsa3/[root@vpn easyrsa3]# cp vars.example vars[root@vpn easyrsa3]# vim varsset_var EASYRSA_REQ_COUNTRY "CN"set_var EASYRSA_REQ_PROVINCE "Beijing"set_var EASYRSA_REQ_CITY "Beijing"set_var EASYRSA_REQ_ORG "nmshuishui Certificate"set_var EASYRSA_REQ_EMAIL "353025240@qq.com"set_var EASYRSA_REQ_OU "My OpenVPN"4、创建服务端证书及key(1)初始化123456789[root@vpn easyrsa3]# lseasyrsa  openssl-1.0.cnf  vars  vars.example  x509-types[root@vpn easyrsa3]# [root@vpn easyrsa3]# ./easyrsa init-pki Note: using Easy-RSA configuration from: ./vars init-pki complete; you may now create a CA or requests.Your newly created PKI dir is: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki(2)创建根证书12345678910111213141516171819202122[root@vpn easyrsa3]# ./easyrsa build-ca Note: using Easy-RSA configuration from: ./varsGenerating a 2048 bit RSA private key.............................................+++........+++writing new private key to '/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key'Enter PEM pass phrase:                      #输入密码,此密码用途证书签名Verifying - Enter PEM pass phrase:          #确认密码-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Common Name (eg: your user, host, or server name) [Easy-RSA CA]:nmshuishui  #输入一个Common Name CA creation complete and you may now import and sign cert requests.Your new CA certificate file for publishing is at:/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt(3)创建服务器端证书1234567891011121314151617181920[root@vpn easyrsa3]# ./easyrsa gen-req server nopass Note: using Easy-RSA configuration from: ./varsGenerating a 2048 bit RSA private key................................+++......+++writing new private key to '/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key'-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Common Name (eg: your user, host, or server name) [server]:nmshuishui-BJ  #该Common Name一定不要与创建根证书时的                                                                          #Common Name一样,这是血与泪的教训  Keypair and certificate request completed. Your files are:req: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/server.reqkey: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key(4)签约服务器端证书123456789101112131415161718192021222324252627282930[root@vpn easyrsa3]# ./easyrsa sign server server Note: using Easy-RSA configuration from: ./vars  You are about to sign the following certificate.Please check over the details shown below for accuracy. Note that this requesthas not been cryptographically verified. Please be sure it came from a trustedsource or that you have verified the request checksum with the sender. Request subject, to be signed as a server certificate for 3650 days: subject=    commonName                = nmshuishui  Type the word 'yes' to continue, or any other input to abort.  Confirm request details: yes        #输入yes继续Using configuration from /root/openvpn-2.3.4/easy-rsa/easyrsa3/openssl-1.0.cnfEnter pass phrase for /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key:    #输入刚才创建根证书时的密码Check that the request matches the signatureSignature okThe Subject's Distinguished Name is as followscommonName            :PRINTABLE:'nmshuishui'Certificate is to be certified until Aug 21 14:18:49 2024 GMT (3650 days) Write out database with 1 new entriesData Base Updated Certificate created at: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt(5)创建Diffie-Hellman,确保key穿越不安全网络的命令:12345678[root@vpn easyrsa3]# ./easyrsa gen-dh Note: using Easy-RSA configuration from: ./varsGenerating DH parameters, 2048 bit long safe prime, generator 2This is going to take a long time...................................................................................................................................................................................................................+..........................................................................................................................+..................................................+.....................................................+..................................................................................................................................+............+............................................................................................................+...+............+...............+..............................................+.........................+..................................+.................+............................................................+..................................+........................................................................................................................................+................................................................+.......................................+...................................................................................................................................................++*++* DH parameters of size 2048 created at /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem5、创建客户端证书(1)在根目录下建立client目录123[root@vpn easyrsa3]# cd[root@vpn ~]# mkdir client[root@vpn ~]# cp -R easy-rsa/ client/(2)初始化123456789[root@vpn ~]# cd client/easy-rsa/easyrsa3/[root@vpn easyrsa3]# lseasyrsa  openssl-1.0.cnf  vars  vars.example  x509-types[root@vpn easyrsa3]# ./easyrsa init-pki Note: using Easy-RSA configuration from: ./vars init-pki complete; you may now create a CA or requests.Your newly created PKI dir is: /root/client/easy-rsa/easyrsa3/pki(3)创建客户端key及生成证书12345678910111213141516171819202122[root@vpn easyrsa3]# ./easyrsa gen-req nmshuishui Note: using Easy-RSA configuration from: ./varsGenerating a 2048 bit RSA private key....................................................+++.................................................................................................................................................................................+++writing new private key to '/root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key'Enter PEM pass phrase:            #输入密码Verifying - Enter PEM pass phrase:-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Common Name (eg: your user, host, or server name) [nmshuishui]:nmshuishui   #输入nmshuishui                      Keypair and certificate request completed. Your files are:req: /root/client/easy-rsa/easyrsa3/pki/reqs/nmshuishui.reqkey: /root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key(4)将得到的nmshuishui.req导入并签约证书12345678910111213141516171819202122232425262728293031323334353637383940[root@vpn ~]# cd openvpn-2.3.4/easy-rsa/easyrsa3/[root@vpn easyrsa3]#   #导入req[root@vpn easyrsa3]# ./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/nmshuishui.req nmshuishui Note: using Easy-RSA configuration from: ./vars The request has been successfully imported with a short name of: nmshuishuiYou may now use this name to perform signing operations on this request. [root@vpn easyrsa3]#     #签约证书[root@vpn easyrsa3]# ./easyrsa sign client nmshuishui Note: using Easy-RSA configuration from: ./vars  You are about to sign the following certificate.Please check over the details shown below for accuracy. Note that this requesthas not been cryptographically verified. Please be sure it came from a trustedsource or that you have verified the request checksum with the sender. Request subject, to be signed as a client certificate for 3650 days: subject=    commonName                = nmshuishui  Type the word 'yes' to continue, or any other input to abort.  Confirm request details: yes       #输入yesUsing configuration from /root/openvpn-2.3.4/easy-rsa/easyrsa3/openssl-1.0.cnfEnter pass phrase for /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key:    #输入创建根证书时的密码Check that the request matches the signatureSignature okThe Subject's Distinguished Name is as followscommonName            :PRINTABLE:'nmshuishui'Certificate is to be certified until Aug 21 12:49:40 2024 GMT (3650 days) Write out database with 1 new entriesData Base Updated Certificate created at: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/nmshuishui.crt   #签约成功(5)服务端及客户端生成的文件" X4 `& q- M1 ^
服务端:(/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki)文件夹12345678/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/server.req/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/qingliu.req/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/qingliu.crt/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem客户端:(/root/client/easy-rsa)12/root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key/root/client/easy-rsa/easyrsa3/pki/reqs/nmshuishui.key   #这个文件被我们导入到了服务端文件,所以那里也有(6)拷贝服务器密钥及证书等到openvpn目录1234[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt openvpn-2.3.4/[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key openvpn-2.3.4/[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt openvpn-2.3.4/[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem openvpn-2.3.4/(7)拷贝客户端密钥及证书等到client目录123[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt /root/client [root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/nmshuishui.crt /root/client[root@vpn ~]# cp /root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key /root/client(8)为服务端编写配置文件当安装好openvpn时候,它会提供一个server配置的文件例子1/root/openvpn-2.3.4/sample/sample-config-files/server.conf将此例子拷贝openvpn目录,然后配置123456789101112131415161718192021[root@vpn ~]# cp openvpn-2.3.4/sample/sample-config-files/server.conf openvpn-2.3.4/[root@vpn ~]# vim openvpn-2.3.4/server.conflocal 192.168.1.104    #(自己vps IP)port 1194proto udpdev tunca /root/openvpn-2.3.4/ca.crtcert /root/openvpn-2.3.4/server.crtkey /root/openvpn-2.3.4/server.key # This file should be kept secretdh /root/openvpn-2.3.4/dh.pemserver 10.8.0.0 255.255.255.0ifconfig-pool-persist ipp.txtpush "redirect-gateway def1 bypass-dhcp"push "dhcp-option DNS 8.8.8.8"keepalive 10 120comp-lzomax-clients 100persist-keypersist-tunstatus openvpn-status.logverb 3(9)开启系统转发功能12345[root@vpn ~]# vim /etc/sysctl.confnet.ipv4.ip_forward = 0  改成 net.ipv4.ip_forward = 1[root@vpn ~]# sysctl -p[root@vpn ~]# sysctl -a | grep net.ipv4.ip_forwardnet.ipv4.ip_forward = 1(10)封装出去的数据包(eth0是你的vps外网的网卡):1/sbin/iptables -t nat -I POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE三、下载openvpn客户端,并进行配置1、将客户端密钥及证书等拷出到windows备用123[root@vpn ~]# cd client/[root@vpn client]# lsca.crt  easy-rsa  nmshuishui.crt  nmshuishui.key    #带后缀的这三个2、安装openvpn-gui工具; W( r# f2 f. X
(1)将D:\Program Files (x86)\OpenVPN\sample-config\client.ovpn复制到D:\Program Files (x86)\OpenVPN\config(2)将从linux中拷贝出来的三个密钥及证书放到D:\Program Files (x86)\OpenVPN\config下(3)编辑D:\Program Files (x86)\OpenVPN\config\client.ovpn,修改为12345678910111213clientdev tunproto udpremote 192.168.1.104 1194resolv-retry infinitenobindpersist-keypersist-tunca ca.crt //这里需要证书cert nmshuishui.crtkey nmshuishui.keycomp-lzoverb 3
回复

举报

admin

1

主题

0

回帖

12

积分

管理员

积分
12
QQ
 楼主| 发表于 2019-9-5 17:00:02 | 显示全部楼层
   1.2 准备 OpenVPN 安装目录
" R" f5 r5 y/ ^% ~( Q  u( ^
; m9 i0 F0 D: n$ J" O- I1 h6 s, Y# q        因为此文件是使用源码安装,所以选择的程序安装目录为: /usr/local/openvpn 目录, 配置文件目录为/etc/openvpn 目录. p4 g" D1 N$ `/ N, U

4 I8 ^, Q+ H7 u3 w        程序目录: /usr/local/openvpn/ }( N0 m- n; `2 U" h; {0 b
# I- v6 E" H7 z2 ?% y! B
        配置目录: /etc/openvpn" z2 Q6 g8 j' w3 ~0 J

1 o) z2 ?; ]' L5 T0 P2. 开始安装 OpenVPN( J# |' U, C+ S& m+ P2 D  {

( h" P  i/ F4 @+ f1 x   2.1 编译 OpenVPN" o' U" P3 p, F( ^
5 g' K1 |" L4 D. B
        [root@client ~]#cd /home/src/openvpn; u5 e( ?0 O# C1 {0 A7 E! B/ B

$ T9 x1 f9 d0 z% [( J0 K        [root@client openvpn]#tar zxvf lzo-2.03.tar.gz
' n! K! r$ F5 k1 G6 e9 b! N7 ~& N6 y+ L
        [root@client openvpn]#cd lzo-2.038 i+ s& V1 r1 _" ?+ T
" u) n! `- {% c6 N
        [root@client lzo-2.03]#./configure && make && make install/ C' o8 h4 _+ m& r

  W( u. `7 U( y! t/ W! Z6 ^        编辑/etc/ld.so.conf
0 q' e1 B8 q; j: s- A- s5 |5 O0 o  }5 @/ E1 R
        [root@client lzo-2.03]#cat >> /etc/ld.so.conf << EOF
" @! G2 _% ^3 E0 s! o( v$ `+ r4 Z
          /lib; j2 I! S$ `# t. o; D
$ [$ p- b* x. c  Q4 U- ^
          /lib64
5 W5 |9 s% T  A! @* ~3 A/ w9 \1 ?) B& ^5 k3 u
          /usr/lib2 b8 w# E, G0 n+ R# j5 m
9 B+ X' |9 Y0 k
          /usr/lib64
: @* R+ q2 L9 F3 r, z  f5 q! ]& P* Q# }5 ?- }
          /usr/local/lib
3 ~7 L/ S3 ^8 t6 @' T( g/ Q0 @
! U" D6 U3 {1 P          /usr/local/lib64  G- ?0 i) L6 u5 r% B) J' G8 ~# h

- s: b8 U$ Q: R          EOF
# Q5 x9 n* k1 A4 R, _0 K4 ~% \* ~: Q  ?0 [# c
        编辑完后运行
( {& I& T7 O7 K% v$ ?7 X: w0 T
9 u6 n' ]/ h4 G0 f. S        [root@client lzo-2.03]#ldconfig
$ I7 d( P+ y7 }- j$ B. b( ^) L3 m5 F& {$ O- b9 P; ]
        使动态连接库文件生效,接下来编译 openvpn4 @. N5 p1 k: p8 `! i% X

& B  A4 r, K+ o; W        [root@client openvpn]# tar zxvf openvpn-2.0.9.tar.gz
8 z$ o! z9 m: D# y
  H* y$ b1 J+ T4 w( A9 M* j: F& C& e        [root@client openvpn]# cd openvpn-2.0.9
8 ~) F! i% U8 q% T8 L" W4 Y4 V8 C) M% t; K7 E7 o, A0 n: p5 V+ \- B) P) D
        [root@client openvpn-2.0.9]# ./configure –prefix=/usr/local/openvpn && make && make install( D& O  c& _3 b- Z, R* [7 F/ D, Y' i
  R% T: _$ O: m, C2 b3 W
        [root@client openvpn-2.0.9]#tree /usr/local/openvpn
5 T  r. U" p5 w2 T9 Q% m  y! N6 x
3 `& I# h8 l6 ^6 v) L* q' u/ U        应该有以下输出
! r7 w; d: H8 `
* F! B1 j+ K6 ?8 B, T        [root@client ~]# tree /usr/local/openvpn/2 f5 n/ k( [* j" ^# E4 q5 J

( ^' K: L' x3 E( t/ t1 e- [7 q. n, F8 e& F        /usr/local/openvpn/
& x& F( i7 C/ v2 i. F
/ `5 J7 n0 k: a* _1 ^        |-- man
/ M% M4 d+ X& L9 ^
5 t" c8 g$ @2 r2 a% M8 B( [  P0 E        | `-- man8
0 F3 c2 i0 F* S! u+ H! P" x' A4 k) Q. O- p# [7 h% g- d
        |      `-- openvpn.8
2 o& ^5 l4 U. |. W
6 M3 V/ U. q# b3 D        `-- sbin
  Y4 Y/ r! i7 E6 Y* `! b1 J( H6 ], K6 x. |
        |-- key- h2 N* Y& f# x
1 M" O$ k& B4 X* m% n0 C% W
        `-- openvpn/ H% {! O( ]' Y: F& D* l  d

, ?2 S# U0 t9 s. m! j+ f        3 directories, 3 files" y* v- u2 C: N+ U7 |! c" L

$ O( l% M) \" I" R* r) y2 w% M3. 配置的 OpenVPN Server% I& [. B$ ~. w3 ?; u9 }4 S
7 v& W& J" e  \5 u- i' O6 ]
   3.1 建立配置环境
' e4 {0 a8 G1 J+ g/ Y3 R
' V8 |/ e+ L7 H       [root@client ~]# mkdir -p /etc/openvpn
5 o" u1 V1 x& m# }/ v2 A8 t& v
: ^3 \1 X% e/ T2 z; f: ]) F       [root@client ~]# cp -R /home/src/openvpn/openvpn-2.0.9/easy-rsa /etc/openvpn
0 H, q4 F% S. j% k0 _6 E! k  l& Y  n' b! J
       [root@client ~]# cd /etc/openvpn/easy-rsa/2.0/! M0 f  \+ D9 N: W$ K
/ T0 V9 E# S0 g3 Z5 G) r
       此目录下以许多程序及脚本, 以下为使用到的程序及脚本说明
/ m) |& N9 |) `$ n2 z) U8 h
$ y3 |, }# \" N3 z& a       vars                  脚本, 是用来创建环境变量,设置所需要要的变量的脚本
- p. O1 g2 E% H9 u, S) [9 c
- g8 p8 l; ^3 ?+ e0 U- T2 b" e       clean-all             脚本,是创建生成 ca 证书及密钥文件所需要的文件及目录- R" m2 J: d6 A! p# C+ ]  Y

/ c/ R4 a8 R. \* [    build-ca           脚本, 生成 ca 证书(交互)
& O7 I5 ~4 ]: v% J! o( J2 I+ t& c! |, p+ R. U2 {& s
    build-dh           脚本, 生成 Diffie-Hellman 文件(交互)
; b& b2 V8 r8 k' g0 j1 p
* x& K. R4 g3 c2 n    build-key-server   脚本, 生成服务器端密钥(交互)5 |2 E9 E0 T5 P" w

: k  q# b+ H6 `9 l    build-key          脚本, 生成客户端密钥(交互)' F9 W% K% |8 @

. ?! K- z# n5 b# w0 N' R2 Q$ O    pkitool            脚本, 直接使用 vars 的环境变量设置, 直接生成证书(非交互)
/ [7 n. f5 k) a; N
$ Y, P# q- _  z* L: b3.2 生成 CA 证书及密钥[注意字符输入不要出错]. d2 W* Q6 y, f1 P9 w

8 i* b3 F4 ?% R* z    [root@client 2.0]# . ../vars, m; O1 \) C8 n" _) `$ n
9 B2 N5 ]# a. g3 C. p8 m
    [root@client 2.0]# chmod +rwx *
- E- N$ r% j* N' F* H1 N$ s9 y' q
9 `) {/ U3 x6 I8 Y    初始化 keys 目录,创建生成 ca 证书及密钥文件所需要的文件和目录" c0 B1 n% F% T
! {) U+ n" v9 O! C1 ?; L; q# \
    [root@client 2.0]# ./clean-all6 L+ J- Z/ `! g" m% {

  X( }: _. H; Q( l  [) c3 g   编辑 vars 文件,生成环境变量, vars 里的参数根据自己需要改变.
6 a4 m! O& I$ M8 [& @- g. U: t3 B& ^( C8 W- u
   export KEY_SIZE=1024                     #生成密钥的位数
2 E  k% C- t* I9 J7 K/ Z4 Y- F2 p4 a! O' `
   export KEY_COUNTRY=CN                    #定义所在的国家编码, 2 个字符( {' W- L3 v3 K- v9 y' s1 _3 X9 Q
8 R. {9 E6 h) f# D
   export KEY_PROVINCE=BeiJing              #定义所在的省份
" e* x( E3 o- A! g- r
& X' c* t( O1 B0 V$ m   export KEY_CITY=BeiJing                  #定义所在的城市2 {: L3 k! x0 k$ w

& Y2 s  j% ?( }0 i1 y% q   export KEY_ORG=”VPN Test org”            #定义所在的组织8 W7 [! G- o1 u4 K+ L
" ?4 h' N" r) |0 T7 U5 e
   export KEY_OU=”VPN COM”                  #定义所在的单位
! w6 H7 f! T: \1 j- b; [1 ]
4 n- J4 Z1 L) P   export KEY_EMAIL=”china.client@gmail.com” #定义你的邮件地址
3 ^, @" M  k( r" v" b8 c5 b* ^/ \1 G, h: B5 H4 h/ g) |
    修改好 vars 文件后就可以开始生成 ca 证书及密钥文件了!
6 r) ^2 N: V) ^! h+ {7 ?' J  Z
* t5 R' {! ]% }    [root@client 2.0]# source ./vars% U/ n6 _. X' I; f  Q
1 T) ~" }7 U" N) @0 a- Y/ ?. N
    生成 Root Ca 证书, 用于签发 Server 和 Client 证书
  z, O5 H$ Z9 \1 }' z5 S8 w8 E% V% w- U/ N) }- W7 d
    [root@client 2.0]#./build-ca$ D# x7 T3 I9 Z& H

5 f9 O0 b6 I) o$ z    [root@client 2.0]# ls keys
, \  L* \8 p9 M/ N  g- p2 k" \
6 Z+ L9 W5 I% g) W1 x" H2 p& g7 B    可以看到已经生成了 ca.crt ca.key 文件- Q& s, q. F6 V" d7 I  k

2 e. d% W* G9 Z+ A/ w/ t9 [    生成 Diffie-Hellman 文件
1 H( X9 y1 \# B7 @
* A& l* ?1 {  r& e# g) U3 B    [root@client 2.0]#./build_dh
- Z* d; a9 i  Q+ Y& g4 r2 U
0 s2 m+ ^, H" |% R: c    [root@client 2.0]#ls -l keys/dh2048.pem" w- P2 `9 J1 D+ i5 L) ^6 w
9 k( f8 t  @5 y
    可以看到生成了 2048 位的 Diffie-Hellman 文件  s" R  h" w; U9 S1 e# V: [
5 U  Q7 R+ y% f$ [
    生成服务器使用的 VPN server Ca 证书/ y% Z3 |; T+ X4 c/ a6 i
& y; V; s7 M( ?6 G
    [root@client 2.0]#./build-key-server server0 u' g9 N) N9 `
6 b7 a& v/ M0 d) `" t
    server 是你为 CA 证书起的一个名字, 以 server 名字为例,生成的服务器使用的 CA 证书文件为: server.crt server.key4 N, D) g8 ]* \% I

9 z4 Y9 y  ]3 m    将生成的 CA 证书及密钥拷贝到/etc/openvpn 下" \9 }5 P; \) e! b
' F7 h# ^$ |% y' u! a. l3 J
    [root@client 2.0]#cp keys/{ca.crt,ca.key,server.crt, server.key, dh2048.pem} /etc/openvpn/) R3 [2 c. a* ~8 {9 b
; U2 n5 o/ t* K2 M& p2 O
3.3 生成客户端 CA 证书及密钥
3 Q% _/ r+ p# A, `9 Q& @+ X
$ X' X9 ~4 p/ s8 I& {    生成客户端 CA 证书及密钥使用:build-key 程序即可5 o; N7 c' y+ `. [9 M

  ?* q( d' M- }- f. @0 T. O, [    [root@client 2.0]#./build-key client" S8 W6 V) ]9 X: Y# r

4 A* [5 l$ x6 k# R$ e9 I8 t& V+ F    将在 keys 目录下生成 client.crt client.csr client.key 三个客户端证书" [) H1 z" ~7 Z; X3 r
$ l* B) s2 \3 @' U: G, _  Y
    将 ca.crt ca.key client.crt client.csr client.key 五个文件打包,以备客户端 vpn 使用# `1 I. R  a9 ]  J( q

: r' Q! ~& n+ S    [root@client2.0]#tar zcvf client.vpn.key.tar.gz keys/{ca.crt,ca.key,client.crt,client.csr,client.key}: o" ~$ h+ R( M& X: H5 Q% g
2 O' U- W8 r2 }3 f- `: S
3.4 生成 openvpn 配置文件
* _  S7 s% f* g2 Y, ^) n0 p( ]: s) H& f6 F0 V3 P
    创建 openvpn 配置文件最好的方法是先看 openvpn 的样例文件,在源码目录下的 sample-config-files 下,本例为
3 @/ P0 k. W4 W% U4 E8 d; f1 N4 Z# V) S" x1 m
    /home/src/openvpn/openvpn-2.0.9/sample-config-files/ K+ e9 R9 Z, d- E9 `, v; H
& u6 Y8 O) K. X, d  U5 x5 ?
    服务器端配置文件名: server.conf1 }1 O* d+ ]. l; A% F% C3 g3 q

! ?7 z# B* n. N7 B# ]    客户端配置文件名为: client.conf8 H1 w4 k4 @0 h% A3 C
* J+ E/ o" T$ c: W1 D6 i
    可以根据需要修改.
" I; Q/ r$ H, R
7 `$ ?( i& c2 f3 f- x5 _- I    本例的配置文件 为:/etc/openvpn/openvpn.conf
, i; }* U9 s& b. m' r& m! ]# X+ i# P" p! V* G0 T
     #########################################################################' ~3 K/ G( t& ^; T
( M  \: J0 s* M5 x8 M
     port 1723 #openvpn 默认端口为 1194
* H# P9 G  P! N9 p2 ?, b1 p/ l- ]& n* z% i1 D
     proto tcp( L9 y+ r4 N5 j( [' `1 u. b! p7 o

# t/ p+ ]: O9 E7 G       dev tun
  t* z3 q/ I# e) c6 Y4 u- H4 G) Y4 q6 {6 U% H1 U: j' P( i. Q
       #########################################################################
7 k) s7 O; k" G9 A5 q5 a9 }+ m& @  X% c
       # ca 证书及服务器证书以所在的文件目录为准,本例是放在了/etc/openvpn 目录下,与配置文件相同目录; V8 X4 _* j6 w3 G' A
! Q% U* q9 K2 e* N
       #########################################################################
' O; V- W7 I2 e9 F- B
$ F' [( r. [8 G       ca ca.crt
; E, C6 @5 i: C5 d& ?% ?7 n$ ?
6 V) C4 W4 ?0 G! [$ M  u       cert server.crt
5 N) [" U" K3 S) R( [8 ]0 E/ N6 p: \; J! ~
       key server.key! a. [9 K' D: u. e1 y" c
; w7 }% O7 Y, Q5 F* d, L
       dh dh2048.pem) P/ ]( }9 l2 t/ d" d; M

) d  b( \1 i+ R8 Y7 o* V& f       server 172.16.0.0 255.255.0.0
( a) ~0 k4 m! m$ z! B$ [8 I# Q4 L4 p; E8 r2 ?- U
       push "dhcp-option DNS 202.106.0.20"
+ K4 h" z3 n& U* j, v9 X- C
: M5 o1 S' L9 m" k5 h6 }: W% g       push "dhcp-option DNS 168.210.2.2"
: i1 T) \. }. ^' a2 x: H' B$ z( g
) q* Y1 n2 F" o7 _( J( X' @. |7 L       push "route 172.16.0.0 255.255.0.0") f$ @7 k5 c3 U( H- S5 G
' P3 d, u; |( J5 S- s3 ]( T
       ifconfig-pool-persist ipp.txt
7 d6 ^7 _; O( T2 ?4 V& F
& f) u' \1 I$ F( t" u, {7 C       keepalive 10 120
/ J! p, h9 N( Z4 k
2 a2 @& \0 p6 k       comp-lzo
9 f) n# q% ^5 p6 Z1 ]# G8 A$ ]! m3 Z& w, E4 _" d# N
       user nobody
4 u( v# ~4 p7 K9 l6 {/ @% Y4 n1 t; v8 {/ r9 T# v4 ~1 {- P
       group nobody+ R" q3 ^1 T$ ~0 W' S' G+ N

/ R, _. ^6 l) p2 M8 n# k       persist-key3 |# h, P: I% c0 L9 c0 |% ~; r" b

1 \2 q# _. X5 J2 ^: N+ }1 a' m) K5 q       persist-tun8 x; g% J4 C# E5 V( s! Y( j

9 i* a) E1 p. u, I! P6 @4 ?- H       status /var/log/openvpn-status.log% X( {( `0 D7 W, L# u
, c# X4 `7 A, t$ c: i
       verb 33 v9 N5 Z: x* a" O
( w& L( \. n% s2 r* y& J: ?- ?% e
       #Client 之间可以相互访问+ @& |" _; i+ |. p

. j2 O2 m$ s: K; S       client-to-client
: p) p6 n2 ~2 c' r) w7 c" v, K: y0 o
       #允许一个用户多次访问
% J9 \. B' B- }. s# o* R0 t$ R8 J( Z. C% @5 l
       duplicate-cn+ P, H. z# f: Z/ L
$ \: W* t( Z  i6 g# b+ ~* O8 H
       log /var/log/openvpn.log
* \; i; i% i* p9 }% u$ n4 j: [- ?5 p% T0 z, `
       log-append /var/log/openvpn.log  P9 e; a6 b6 {+ S

7 c. }# D5 s4 d6 l       #########################################################################- q0 p0 P) J. C% g1 t+ m

5 ^9 _/ t. ?' l. l/ _  3.5 创建 openvpn 的启动脚本0 I6 T; j  ?+ T7 S1 a

+ N7 w. Y7 r. m8 O: D      openvpn 的启动脚本在源码目录: sample-scripts 目录下
9 ?1 g$ w2 X3 V, H9 z% K3 f8 X2 t
      文件名为: openvpn.init
4 `# z* C$ b* F, |  Z9 v( A$ B$ h6 v6 h+ t. z* i; K; B0 p, d
      将 openvpn.ini 拷贝到/etc/init.d 下,并重新命名为 openvpn) E- E& ^9 t, N5 @: x; \- e; x
/ i6 Y* K8 t+ n, L. o
      [root@client ~]#cp -f /home/src/openvpn/openvpn-2.0.9/sample-scripts/openvpn.init /etc/init.d/openvpn! Z) l6 y6 y4 r9 O/ Y
3 c! f: b9 ~) q! c  H; y
      因为是用源码编译安装并指定了目录,所以需要修改/etc/init.d/openvpn 的 69 行
! ]2 L; i: K' \. {
' e, |0 J0 j- R, [       openvpn_locations="/usr/sbin/openvpn /usr/local/sbin/openvpn"
  W6 k3 T9 j9 A
1 g8 }3 y8 {7 _: r      修改为:, r$ K) l, ]2 s3 A6 c1 G
0 u" a/ w0 L5 X6 {
        openvpn_locations="/usr/local/openvpn/sbin/openvpn /usr/sbin/openvpn /usr/local/sbin/openvpn"
+ q+ E5 b0 y9 J7 ~
9 t' A# [4 h3 N9 i. [' z7 T# ?  T  3.6 将 openvpn 添加到系统自启动
4 u/ t- I( N, K/ h* i5 r
2 f& e/ C; a2 }. c  ^) G      [root@client ~]# chkconfig –add openvpn( P6 w* a+ @  Q1 L$ z

0 C$ g8 F1 I& B# c9 [. Y- j: ]  3.7 启动/停止 openvpn 服务
# v0 F/ [0 x) e/ x- W, s$ T3 ?) a9 G; `# m) J( r
         启动 openvpn 服务! B* X" |: q0 t. }1 k8 p* P

% A4 l/ g) k8 y: R0 g         [root@client ~]#service openvpn start
8 ~* F$ @6 O) ^# @2 B7 {7 g8 R/ b) D$ B; |
         停止 openvpn 服务1 k! B5 N' u. t+ K5 m5 N
3 n/ k; L/ k( C1 J( u' ~- a- u2 X
         [root@client ~]#service openvpn stop
回复

举报

admin

1

主题

0

回帖

12

积分

管理员

积分
12
QQ
 楼主| 发表于 2019-9-5 17:00:03 | 显示全部楼层
安装 LZO 代码:1 |$ o; }; H0 s+ C* {) h
cd /lzo-2.02 + b2 K/ j6 g) [
./configure
) B, c9 t4 p6 A, f- m+ r$ U/ emake
5 {3 p4 Q: S* K7 Qmake check
0 v2 f  A* r5 i3 U  ]make install
2 T6 Y; S0 X9 y6 w$ Y5 X; \; U. f安装 OpenVPN& W9 w6 G4 C- m7 H+ N- `
代码:& E0 }% F, u5 c* [' O/ E
* g2 L$ @% d( y: v
cd /openvpn-2.0.5
( d9 |# E# F, ]+ B9 p( i./configure
# ?/ H6 Q. ?- p# b: I* L% n1 E# 或用指定dir: (注:下述命令, 应该在一行写完. 为了方便显示, 这里分成了四行)! Q  s% i% F  S, x* I( d4 A# `; H
# ./configure --with-lzo-headers=/usr/local/include
+ [- q% Q( z  `6 {#  --with-lzo-lib=/usr/local/lib 5 x7 I  d5 z$ u2 g% R1 b9 E
#  --with-ssl-headers=/usr/local/include/openssl , |8 a7 _, s2 m
#  --with-ssl-lib=/usr/local/lib
9 `, v/ e& z+ U* S" B$ Qmake
$ u9 N1 w, C( k. fmake install
9 R% s( w' G8 C8 V' k% C4 S) k生成证书Key
! b4 N2 ]% k% e% ?6 [8 m. [! ^4 q初始化 PKI# N1 c6 A9 Y3 s$ K8 V- g0 a

+ B8 a: F- E, |; ?7 W( s(如果没有 export 命令也可以用 setenv [name] [value] 命令)
4 I! K1 w5 T1 t* e
) D8 S* e' k9 E8 @代码:
  D  ]) c, \% e: f5 l* |  [$ L& T) E
/ O9 w: S& u0 G+ N  c% o$ D" ocd /openvpn-2.0.5/easy-rsa
( l  ~8 a% ^" O6 Eexport D=`pwd`
# }9 Y, {* ~' k' a+ }export KEY_CONFIG=$D/openssl.cnf
' ?9 j2 D/ {2 b1 {* }export KEY_DIR=$D/keys
  D$ M6 q$ t- Z) c4 Y$ cexport KEY_SIZE=1024 # E; Y. ~$ V! W# Y; ^$ o
export KEY_COUNTRY=CN
" ~* G* ~; _9 v6 L1 T5 Pexport KEY_PROVINCE=GD 6 L) G. B& i1 O3 w3 Z5 q% i
export KEY_CITY=SZ
2 n5 m8 d% b0 |9 `- n' hexport KEY_ORG="xiaohui.com"
! u% ^6 I5 j5 {( |2 s2 ]export KEY_EMAIL="your-email [at] xiaohui.com" 9 V9 k9 w# n1 k  R9 t4 }
Build:
& A% z, H; k- |; N代码:
6 j7 t$ u0 v! j
- E5 B0 i4 N9 z" P./clean-all
, w% G* }3 _2 U./build-ca
; d! L& i: `& w1 I3 ^$ `' N+ u
& ~0 R2 k9 ?9 I* H: D" A4 D7 XGenerating a 1024 bit RSA private key # F% N( G: H' |6 c; V) q0 N2 P9 O
................++++++
% T$ \. l" {# l" F8 I5 y........++++++ * n& C) q& |& n+ I
writing new private key to 'ca.key'
% J* K1 T/ I* |$ P----- & B" b# _8 v9 I1 [) B' r: Q
You are about to be asked to enter information that will be incorporated ; M& k& S( S; e6 C: s6 t/ h9 ^% j
into your certificate request. 8 u: y  [! j; h0 S! U& H4 F( U
What you are about to enter is what is called a Distinguished Name or a DN. 9 i8 \: u5 h, m1 l
There are quite a few fields but you can leave some blank
7 D. }0 a! C5 `+ q, q; {% @For some fields there will be a default value,   t( `! R  X1 Z0 G/ F/ F! G
If you enter '.', the field will be left blank.
# x2 S6 T' K' w+ J. L% Z4 H6 ?& O- A-----
$ ]  U6 t( Z! n  j& b0 b; LCountry Name (2 letter code) [CN]: ' v1 L+ _/ }' G/ d6 H+ i) g7 `$ \2 J  \
State or Province Name (full name) [GD]:
9 K5 p6 L* W# K0 r4 K* f' wLocality Name (eg, city) [SZ]: $ n8 A" b6 M8 a1 A0 q. Y7 V
Organization Name (eg, company) [xiaohui.com]:
# a- `6 f, P; r0 ?6 d; wOrganizational Unit Name (eg, section) []:xiaohui.com 7 q" L  a0 d& x8 I, s
Common Name (eg, your name or your server's hostname) []:server
8 ~  l8 Q- n1 MEmail Address [your-email [at] xiaohui.com]:
5 R+ G% ^6 n. o# 建立 server key 代码: 代码:
! k' ?7 v$ w5 s& m5 D- W./build-key-server server
" P  i$ K+ b! r% L1 Q, N4 I2 C
; i& f7 T2 Q' m% `5 M+ \" E# eGenerating a 1024 bit RSA private key
0 u7 [) q# z, [! t  t- \6 d......++++++
# x- ^+ d! p* s$ i# p* i  y7 u....................++++++ 4 r: j& s1 a9 X; u# R
writing new private key to 'server.key'
7 B" |0 p) h9 d0 i4 u----- 8 {1 _2 t6 n8 s, V8 y
You are about to be asked to enter information that will be incorporated ! }" @9 M" u0 q5 |/ d" K* b$ l  q; O
into your certificate request. + i: f+ v3 W& U9 j* e
What you are about to enter is what is called a Distinguished Name or a DN.
6 Q- e0 p( P. d2 y# C3 \- h% kThere are quite a few fields but you can leave some blank : C% S: X6 y2 D( t/ ~4 C! `
For some fields there will be a default value, 0 T0 z+ P: X4 x# r6 \
If you enter '.', the field will be left blank.
6 ]: q1 ~# a0 L0 }# H9 V) P- D) M4 h-----
4 D7 q& [* n3 p: ?Country Name (2 letter code) [CN]:
8 a+ N1 G2 R* m9 C. P% }State or Province Name (full name) [GD]: : |& s2 `' {$ P; v0 g) K/ w& t+ a3 {
Locality Name (eg, city) [SZ]:
0 e: h) ^; N; `+ t/ n# w8 m* GOrganization Name (eg, company) [xiaohui.com]:
: r' T6 n# p( Y) d! FOrganizational Unit Name (eg, section) []:xiaohui.com
/ v+ P9 T* v5 }9 `1 ^0 G1 \Common Name (eg, your name or your server's hostname) []:server
; d% F- Q$ p2 D) N& ^' _Email Address [your-email [at] xiaohui.com]: ( p# c) n5 r4 Z' |. c' \' r" N

0 p5 [8 [3 N4 M4 S8 dPlease enter the following 'extra' attributes ( q& ]. L% ~+ [$ b
to be sent with your certificate request * p1 [' w, p9 a. t: B" W0 L
A challenge password []:abcd1234
$ Q* |; J; P) N+ BAn optional company name []:xiaohui.com   O" }" V: a6 J- B# c9 ^
Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
& S# h8 q) G9 m3 F( y3 i* BCheck that the request matches the signature
/ |$ P0 ^9 d/ {, ]5 C% R! }& ~Signature ok * a6 Q/ B. q6 X; N
The Subject's Distinguished Name is as follows
& ^% [, b2 g- C" `2 ~9 I/ EcountryName           :PRINTABLE:'CN' 2 n! l" B- c; X
stateOrProvinceName   :PRINTABLE:'GD' ; b( l0 K6 D4 u+ D5 x, ~/ j
localityName          :PRINTABLE:'SZ'
2 p7 Q+ r# d8 W* S( U% v0 H5 v5 C+ |organizationName      :PRINTABLE:'xiaohui.com' ( G5 E) w, L2 m' z6 e
organizationalUnitName:PRINTABLE:'xiaohui.com'
# D% b9 }3 {  t' [) Z. g% PcommonName            :PRINTABLE:'server'
' }7 W8 h1 w; S8 C0 K# \emailAddress          :IA5STRING:'your-email [at] xiaohui.com'
3 e2 P9 s/ h  ^Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days) . w' B+ c% X3 p9 Z( k
Sign the certificate? [y/n]:y 3 _( G! t( N& E; w" B0 I

$ s; h) E2 @+ J! x8 X: x3 d; y8 B% l
1 out of 1 certificate requests certified, commit? [y/n]y
$ \+ ^2 Z8 s& E) }' H: C/ GWrite out database with 1 new entries
3 u+ F- D) D0 B6 ~) {Data Base Updated
, v7 ]5 c/ S7 G7 c. Q2 R/ r$ i8 G#生成客户端 key" ?, _  ?8 s$ o. m" w7 T

4 l+ Z6 \' I0 y' b$ j代码:
4 M1 J7 Z5 F) E( R
, U: _, v: ^8 g& g' [./build-key client1
0 N4 ]$ L6 N3 F8 J( QGenerating a 1024 bit RSA private key ' l! A/ z  D5 e- x/ ?
.....++++++ " [: E1 V8 Y+ R# `6 ?
......++++++
, p. t, k/ p  k8 i3 |# G9 awriting new private key to 'client1.key' 2 |% ~, W) J, H  B6 U/ L9 p
-----
% E3 z8 e8 G0 s( {You are about to be asked to enter information that will be incorporated 5 C( h) n- L$ `7 ^
into your certificate request. ( u: U, T) ]7 f  g6 }6 o
What you are about to enter is what is called a Distinguished Name or a DN. 2 V2 K* g% R. }& N7 _# R' f
There are quite a few fields but you can leave some blank
( `5 e) \' J: G0 uFor some fields there will be a default value,
7 ]  [  _* G; Q9 ^: w; m0 _4 |  AIf you enter '.', the field will be left blank.
; b3 S% O( H6 F. s----- ; {) ~3 Z7 D9 v! w3 G0 {
Country Name (2 letter code) [CN]:
7 ], i2 ^3 F+ H$ @State or Province Name (full name) [GD]:
2 R6 C5 |4 f5 NLocality Name (eg, city) [SZ]: # N1 w6 J2 W! D+ e* C) w
Organization Name (eg, company) [xiaohui.com]: , b* j7 y' Q: t' d& l  j# x
Organizational Unit Name (eg, section) []:xiaohui.com # e* c6 Y- j6 y3 b1 B
Common Name (eg, your name or your server's hostname) []:client1    #重要: 每个不同的 client 生成的证书, 名字必须不同. + X; @( H$ u# P! ~$ }; a* Z$ W
Email Address [your-email [at] xiaohui.com]: 0 J3 O8 B0 a+ v1 f( I0 ^* d
, e! T* t0 R: q. r/ O, ^
Please enter the following 'extra' attributes / M* u3 _, c8 w
to be sent with your certificate request
7 l) Y$ h6 b7 |A challenge password []:abcd1234 & @& t7 ?& h" u0 u3 K8 R
An optional company name []:xiaohui.com ; B# O& i" F* P7 Q$ ]8 O
Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf # N% V/ h- k4 ]( W
Check that the request matches the signature - N, C5 e3 T1 J: n! c
Signature ok . M* S  ~3 t8 q$ O$ T1 B
The Subject's Distinguished Name is as follows
5 b* `1 `4 C) E+ L/ {countryName           :PRINTABLE:'CN' 2 q: n! V4 s: N! B6 a- x$ {
stateOrProvinceName   :PRINTABLE:'GD' / Y, }- [% g/ b9 w6 p7 N5 e
localityName          :PRINTABLE:'SZ'
1 Y) }4 j5 V/ a5 morganizationName      :PRINTABLE:'xiaohui.com' . e- v7 F7 G( U  @3 U2 F& A
organizationalUnitName:PRINTABLE:'xiaohui.com'
" i  L+ {8 z- D+ [commonName            :PRINTABLE:'client1' 5 ^6 G: e( T# N; \+ I
emailAddress          :IA5STRING:'your-email [at] xiaohui.com' : ?: `, P/ X" }9 r$ z4 ^- ]
Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
! j; |. J) w& K7 d2 wSign the certificate? [y/n]:y 0 s( z+ K1 P) l8 g4 `/ p$ K. m

9 r1 d0 V' a* k: J- X4 R1 z' O: u' m9 d, X& N; e, a0 ~
1 out of 1 certificate requests certified, commit? [y/n]y 4 M" a$ p( B. \2 U4 v
Write out database with 1 new entries 5 E8 s# \. N; Z4 f" }/ V  p- V
Data Base Updated . O  N# y) v+ B: S7 }7 f/ G
依次类推生成其他客户端证书/key
  T( C$ y: z: F8 Y8 S( A4 y* D0 Q5 ?, a! ^0 b; Z0 Z7 m2 w
代码:1 h1 a3 O5 a+ ]  h' S" c

! Q+ r# A/ e7 k$ X  Y./build-key client2   M# k. B( j- ?; m0 _
./build-key client3
% ~6 X: w0 X2 h" S注意在进入 Common Name (eg, your name or your server's hostname) []: 的输入时, 每个证书输入的名字必须不同.  A3 Y( ], P, F7 S2 V
生成 Diffie Hellman 参数 。代码:
" H, _' ?; I6 S. o) m./build-dh ' V: U# y  r- @4 \# |( G1 |+ b7 T
将 keys 下的所有文件打包下载到本地5 A0 o/ g2 r# g* ?4 P& \
代码:
$ R; ~3 |1 k0 F# K
1 G* i# S2 c+ x- s" s* g1 Ztar -cf mykeys.tar /openvpn-2.0.5/easy-rsa/keys
! |$ d5 _! M* d' I8 {8 kcp mykeys.tar /home/xiaohui.comsys/public_html/mykeys.tar
' k7 H' M7 v" s/ I) e1 p将 mykeys.tar 移到 web public(绝对路径因人而异) 上, 然后用 http://www.a.com/mykeys.tar 方式将其下载到本地保存, 然后将其从server删除: 代码:
2 X" q4 |7 I8 X. \# H5 u8 ]7 p5 Grm /home/xiaohui.comsys/public_html/mykeys.tar
  `7 ]0 g9 o. @* A1 l也可以用其他方法把 key file搞到本地,例如 ftp.9 ?" F0 C* g( T; s6 Z( f
创建服务端配置文件4 O8 e, A$ p4 P2 n
从样例文件创建:
) n6 w; `  L3 P, d, ^+ I( V% f, a' Z3 ~8 j1 ]0 K# U7 _
代码:0 @8 k# s2 B7 W2 y' z+ b
; r) m) N, `# v7 ]# o/ D# p
cd $dir/sample-config-files/ # 进入源代码解压目录下的sample-config-files子目录
3 j) a0 _% p: Q. K5 U4 Ccp server.conf /usr/local/etc  # cp服务器配置文件到/usr/local/etc
$ |0 q( Y; m8 u  N" l7 }0 P9 A+ wvi /usr/local/etc/server.conf
4 M" {$ f- _. x8 T我建立的server.conf 的内容稍后另附.8 U2 p- c8 s$ g; h% M
创建客户端配置文件+ t9 T+ \8 p6 |. x
代码:2 k% p, [$ R. E" K
3 I1 Z2 b2 n2 L0 x5 E+ ^: q" {
cd $dir/sample-config-files/  #进入源代码解压目录下的sample-config-files子目录
$ K3 j. G: \( }- {" _: ?# e, \cp client.conf /usr/local/etc  #cp客户端配置文件到/usr/local/etc 8 ~2 P  ?" _! t/ K; w8 a. i
vi /usr/local/etc/client.conf 9 }( S3 h3 h) |8 |4 S" z
我建立的client.conf 的内容稍后另附.
0 }* V' P2 \8 l& Y2 f7 C启动Openvpn: openvpn [server config file] 代码:
! ~9 A  z' V  L: N9 r  c0 {/usr/local/sbin/openvpn --config /usr/local/etc/server.conf
" q3 D4 r) L% E8 f8 Z4 B0 {
回复

举报

admin

1

主题

0

回帖

12

积分

管理员

积分
12
QQ
 楼主| 发表于 2019-9-6 10:55:09 | 显示全部楼层
二、部署openvpn3 @4 C, @% `; D2 S5 |. N
2 O* `/ |$ n; J% @/ ?8 I# E5 j5 t
    本次部署openvpn服务器,因为使用了最新的openvpn2.3.4,而这个包里面没有包含最重要的证书制作部分:easy-rsa
4 o  o2 b9 O2 r6 Y! ^' r/ w) v/ f+ `3 \- u: D( `
    openvpn官网也给出明确说明:Starting with openvpn-2.3_alpha2 easy-rsa is no longer part of the OpenVPN source or binary packages
/ G+ [; d2 o) }  U6 d; v9 C/ L6 ]9 S# ^1 @% W
    所以,我们需要事先下载好easyrsa,可以到GitHub上进行下载,配置过程将在下面第3步进行,本次部署使用了easy-rsa3,与easy-rsa2.0的操作完全不同,网上其它关于easy-rsa2.0的教程不适合本次部署$ I$ E4 ^& f& O3 y( I+ q

% f# j9 k( A$ a. F" _. t1 _    在部署openvpn之前,最好用ntpdate同步一下服务器的时间,否则生成证书的时间也不准确,会造成那个什么centificate error等的错误!
+ f+ s" n; R; m7 V" W4 M
; C9 O/ D' n9 {  ?. [' U% h+ W1、安装lzo# h, ^& \8 w+ s3 I  l

" K; @6 u. e) D' t1 ~0 f    lzo是致力于解压速度的一种数据压缩算法! q7 S5 |0 c; T% T) m: s* z
+ Q. `" x  j9 ~

, v3 r7 |/ [- o% H: E2 j[root@vpn ~]# tar xf lzo-2.08.tar.gz6 r& z  W, C7 v5 N; O! H3 x" |
[root@vpn ~]# cd lzo-2.08
2 O" p' w  U" `$ u/ I3 [" V$ D[root@vpn lzo-2.08]# ./configure && make && make install
: ?4 W' V! S( K4 p  a2、安装openvpn
6 m/ s3 S; L4 Y, X! ^, J. r- s9 E& t4 U1 w1 {3 P
3 [! f$ H- ?! j2 @) t2 T$ `
[root@vpn ~]# tar xf openvpn-2.3.4.tar.gz
. k0 A7 H1 c$ o' A, d/ p& b[root@vpn ~]# cd openvpn-2.3.4" u5 l2 [  f, R) B1 p- e
[root@vpn openvpn-2.3.4]# ./configure --with-lzo-headers=/usr/local/include/ --with-lzo-lib=/usr/local/lib
/ V% a# X6 \; G, G/ A, G[root@vpn openvpn-2.3.4]# make && make install: _8 c; r. H2 B9 J+ B
[root@vpn openvpn-2.3.4]#
6 `2 p5 f. s- }% c% y[root@vpn openvpn-2.3.4]# which openvpn6 W+ P' b% h7 I3 W' B3 w) c3 w& Z
/usr/local/sbin/openvpn      #看到这里,说明安装openvpn成功  x" [, r& S5 w% p+ }# ]( C
3、配置easyrsa服务端
7 C. L6 P$ U) W7 I5 [0 H0 \+ I. ^! O! k  V: N( C* h  `
    openvpn-2.3.4软件包不包含证书(ca证书,服务端证书,客户端证书)制作工具,所以还需要单独下载easy-rsa,最新的为easy-rsa3
: K8 _% c( B( G9 K
0 S2 p' x  }( i8 q    Starting with openvpn-2.3_alpha2 easy-rsa is no longer part of the OpenVPN source or binary packages(来源openvpn官网); p$ q- x( n* f0 O5 o

+ _: S1 d2 u6 z9 ^6 s' I3 D1 E% U. _/ a( ?
[root@vpn ~]# unzip easy-rsa-master.zip . K2 V4 q& h0 F9 N. o
[root@vpn ~]# mv easy-rsa-master easy-rsa
* z, @" X. I3 b6 F* O* ]% ]6 Y[root@vpn ~]# cp -R easy-rsa/ openvpn-2.3.4/
, }- i; V/ x& P. X- W; G) W% G[root@vpn ~]# cd openvpn-2.3.4/easy-rsa/easyrsa3/
8 Q0 S; i' c6 C[root@vpn easyrsa3]# cp vars.example vars9 s2 o; X4 T0 Z, e; L% I7 W0 m
[root@vpn easyrsa3]# vim vars
$ J' ?6 d2 v3 a1 hset_var EASYRSA_REQ_COUNTRY "CN"3 B& E+ H! I* k/ D; n
set_var EASYRSA_REQ_PROVINCE "Beijing"
. o, B5 V2 M( `+ y( B4 mset_var EASYRSA_REQ_CITY "Beijing"
9 U' i. B. B1 m8 d3 Kset_var EASYRSA_REQ_ORG "nmshuishui Certificate"4 F% ~* H( O; a  ?" |6 C& _! q4 M
set_var EASYRSA_REQ_EMAIL "353025240@qq.com"
% d1 ]2 y8 Q9 t- ]set_var EASYRSA_REQ_OU "My OpenVPN"
4 |2 ^! z1 O% r, y: O  a0 T4、创建服务端证书及key
. j7 |& b% S0 f8 e& l4 V4 \2 j
0 w, c4 \& F! }/ [# X(1)初始化8 x+ p) {, T( u& ~0 a
$ ?1 }7 j/ j/ O- `' m% ^2 ?2 E

: u/ Y; Y: g1 l. j' N0 Y[root@vpn easyrsa3]# ls# O; R0 @! S- d2 ^. r4 `2 M& G
easyrsa  openssl-1.0.cnf  vars  vars.example  x509-types6 s# _( x6 d# N0 r0 T: d
[root@vpn easyrsa3]#
+ p! ^6 J7 L6 M; |% r# x& o1 B/ d# b[root@vpn easyrsa3]# ./easyrsa init-pki9 E4 G- }! g3 O4 n1 Q
4 j* U  a7 X: [, t$ ]7 m
Note: using Easy-RSA configuration from: ./vars9 K; O  [- X: y3 m  ~
3 Y: d  `5 `" i" a
init-pki complete; you may now create a CA or requests.
% n% f$ ?6 o! t8 g9 O1 x8 V1 ?4 FYour newly created PKI dir is: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki
# l/ q+ G% z9 X! L(2)创建根证书: J' M, R, Y1 N  }" g6 q

$ Z; y2 ~; M" v
% |2 e/ p4 S, ^7 E7 O1 Z4 g
; `2 L# o' Z+ m2 U2 \  G[root@vpn easyrsa3]# ./easyrsa build-ca* u; l9 I' f4 s) R; v- x% V, ]9 ^
- w0 i! U3 p8 x7 c- R* p
Note: using Easy-RSA configuration from: ./vars
* L1 _' E3 Y. A* ~2 ]2 Q/ ]: TGenerating a 2048 bit RSA private key
% p2 }9 X( ]9 j6 r2 l.............................................+++
& @- h) {/ Y- G7 x........+++
/ }  ]2 Z' M+ B- F4 u! awriting new private key to '/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key'
% B4 X% D% C. ~0 ZEnter PEM pass phrase:                      #输入密码,此密码用途证书签名% X4 J" b* c! ^& K" {
Verifying - Enter PEM pass phrase:          #确认密码5 O0 v+ P0 p$ D2 b
-----4 Z- a. H- H4 P/ C
You are about to be asked to enter information that will be incorporated' \5 O. b5 a, c
into your certificate request.
6 U1 x4 G5 l0 CWhat you are about to enter is what is called a Distinguished Name or a DN.
( t6 n3 n1 z3 G+ MThere are quite a few fields but you can leave some blank: y, ^( F$ c% S7 U
For some fields there will be a default value,: ?: ~7 A9 N# S+ s- y6 J
If you enter '.', the field will be left blank.
3 w3 M; }2 `/ b2 \-----& F* x! `' `  }- [5 Z- v. O
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:nmshuishui  #输入一个Common Name) u5 `0 A4 x: `* K5 d: w

+ z3 J/ N1 p' f$ r4 s& }/ O) w1 X/ X9 PCA creation complete and you may now import and sign cert requests.! F( q& i4 u) o2 ?1 G( K
Your new CA certificate file for publishing is at:' `& l0 d1 V# @; b1 i/ c! K
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt
: l3 l) W6 a0 T5 d- h(3)创建服务器端证书& y4 Q4 p# Q- {; i, d
# w( Y% k- n5 ]8 ~
% z! f% Z6 w( j0 O4 q) l
[root@vpn easyrsa3]# ./easyrsa gen-req server nopass' z6 h) \. P4 g( m

( I5 z8 z! d2 L# H  RNote: using Easy-RSA configuration from: ./vars7 G& g! j! `- Q# P5 E6 z
Generating a 2048 bit RSA private key
4 l. W2 V( _+ u1 R4 Q) y................................+++
0 O. O) [6 s, C8 r# |4 c8 Q......+++
4 J/ W, J; D. N: e$ Dwriting new private key to '/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key'( u# V" \/ l" X7 A
-----
1 q, P2 p  |# f* x" lYou are about to be asked to enter information that will be incorporated
* j# r2 l9 D* m9 G8 `7 ginto your certificate request./ ^- [4 F5 x# Q+ _( \
What you are about to enter is what is called a Distinguished Name or a DN.
! J, B: b/ w5 B- g3 J  t& ZThere are quite a few fields but you can leave some blank. Z# D& ?7 k" b! Q' ~  O
For some fields there will be a default value,
6 O  |- \% p5 |* F0 {6 ]If you enter '.', the field will be left blank.! N$ u4 L( @5 }# M4 c, N) C& `/ I4 i
-----* {1 v& z+ ~6 a
Common Name (eg: your user, host, or server name) [server]:nmshuishui-BJ  #该Common Name一定不要与创建根证书时的5 [) H. ^3 u1 f4 m2 B5 |, l) @  [
                                                                          #Common Name一样,这是血与泪的教训  
; u& J0 }8 n0 DKeypair and certificate request completed. Your files are:
# ?+ \& x# K( f  t1 h* p! k* [req: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/server.req
$ g3 y' `/ m4 O0 v7 b% ekey: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key$ j- h. M$ a3 l" V+ R' m5 g
(4)签约服务器端证书7 U8 c1 E  U5 ^! z7 B- K8 S
& D5 T/ w2 C  ~0 d8 v7 E0 Q) M+ g7 Z
6 w" d+ U6 Q- u8 g5 ?

* t1 o. a+ ~/ Z/ g9 |[root@vpn easyrsa3]# ./easyrsa sign server server
! m0 w& I' [# D0 b# Q4 ]2 r& t # a+ b5 L  t- f8 K* D; D
Note: using Easy-RSA configuration from: ./vars- t8 _; C  p+ _8 |5 @7 X3 H2 }
7 E9 G; O5 n+ L$ k; S% Z
* A/ i1 s% z' o
You are about to sign the following certificate.
9 {( x& J3 b! k" S- YPlease check over the details shown below for accuracy. Note that this request
2 t0 w+ A1 j& g& u+ X4 khas not been cryptographically verified. Please be sure it came from a trusted" Z7 g% J; e- I' ^: H6 t+ n) z
source or that you have verified the request checksum with the sender.
( i% [; n0 E( P" L- N1 X- h
% O$ c" H; N. Y0 H: b& v: BRequest subject, to be signed as a server certificate for 3650 days:
# h" L5 `; `" _3 y$ Q
& f2 o3 e# ^" a' Q8 P) ]+ C: y- Bsubject=$ @  H# t+ a# C% u  ?3 q1 m
    commonName                = nmshuishui; S  H3 d* y' f! V

+ J: r4 G9 }$ L
! A+ d( Y, ~5 ^! L: W* [1 zType the word 'yes' to continue, or any other input to abort.3 A! Z1 z0 z. b3 |
  Confirm request details: yes        #输入yes继续+ N: |, n' }& i8 t7 H: l7 b- J
Using configuration from /root/openvpn-2.3.4/easy-rsa/easyrsa3/openssl-1.0.cnf
, n, A' Q1 y6 |6 T2 UEnter pass phrase for /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key:    #输入刚才创建根证书时的密码7 k; T8 Q! k' C6 Z" f
Check that the request matches the signature
/ P" h) C2 `& r, O. QSignature ok+ P6 y2 C- e; @* N
The Subject's Distinguished Name is as follows/ L" f' o; P* o4 y
commonName            :PRINTABLE:'nmshuishui'
6 V$ N5 `4 l7 B& ^! o8 SCertificate is to be certified until Aug 21 14:18:49 2024 GMT (3650 days)
- G  J- q6 V  Z- p1 N1 U' H0 r) m
, k$ a9 h8 k! sWrite out database with 1 new entries
0 }9 B# x; f8 ~- G8 CData Base Updated
, V' K, J% @7 A( {$ D* k1 A
. F  m, Y3 C/ h3 n* }% h% ?Certificate created at: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt- S& r0 \( \% s- w% z' j
(5)创建Diffie-Hellman,确保key穿越不安全网络的命令:0 M2 g$ s5 N  E# U9 z2 W) |+ I& J
5 [" v6 O1 H/ }  j
8 K6 p, J. X8 d0 |1 G. Z! {

  \9 `! ?5 g  F& C5 U5 \[root@vpn easyrsa3]# ./easyrsa gen-dh1 V: Q( e( _% W/ F' \: C: d
) ?. q2 H" \. ?
Note: using Easy-RSA configuration from: ./vars
. f* u1 ?" G, h  `3 oGenerating DH parameters, 2048 bit long safe prime, generator 2
' d' u  w- Z" g$ QThis is going to take a long time
% o  s" Z& U- \; ?( G+ T# W0 i0 h- A...................................................................................................................................................................................................................+..........................................................................................................................+..................................................+.....................................................+..................................................................................................................................+............+............................................................................................................+...+............+...............+..............................................+.........................+..................................+.................+............................................................+..................................+........................................................................................................................................+................................................................+.......................................+...................................................................................................................................................++*++*
2 }4 p, k# `/ A " M: P9 s9 f9 N
DH parameters of size 2048 created at /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem
* B# `+ {/ u5 w. T5、创建客户端证书5 ]# d) U8 }# P6 ]8 {$ D; ^

) l$ ^7 K( B8 W# M5 m+ {; Q2 w( {  b3 a(1)在根目录下建立client目录  l: k2 R/ T5 y  F
& v/ E" I* ?+ {1 h& m7 F7 }6 _+ R

5 Q1 c2 `! G4 a' h[root@vpn easyrsa3]# cd: C. V- H; U7 I
[root@vpn ~]# mkdir client4 K) v0 E6 ^, Z7 z% J
[root@vpn ~]# cp -R easy-rsa/ client/+ h# ~4 \: a, y
(2)初始化% f. {6 Q) N; O/ }! Y$ E
& p; z" I4 h$ v0 @
# x  L1 n# G* o7 E
[root@vpn ~]# cd client/easy-rsa/easyrsa3/
# x# S. d7 E" t, e[root@vpn easyrsa3]# ls
+ l6 X! P7 r% M9 k' Deasyrsa  openssl-1.0.cnf  vars  vars.example  x509-types
& t+ n4 _+ ~0 }8 \[root@vpn easyrsa3]# ./easyrsa init-pki
) ^8 X$ r$ ?. V; w- F
! _/ ~) T  F0 a# J3 |" `Note: using Easy-RSA configuration from: ./vars
' Q: c' S; ^) g. c
9 K6 |! ]4 B7 o' ]: zinit-pki complete; you may now create a CA or requests.
7 ?- [0 @, \) }Your newly created PKI dir is: /root/client/easy-rsa/easyrsa3/pki
) R! `% n' a9 R  s( j1 h& A(3)创建客户端key及生成证书% x' V  Z, m' L" ~7 [' Q$ e! H

9 n* ^) v1 M/ S/ Y) S3 @4 N
9 E) c( Z# W$ e6 X( |* d9 t1 e- Q
# {+ I" T' g8 Y9 T0 m2 ]7 F, v[root@vpn easyrsa3]# ./easyrsa gen-req nmshuishui# u( B' v! k4 k9 i& [
2 r3 \( s5 C. E6 F4 w' f5 e
Note: using Easy-RSA configuration from: ./vars
8 J0 @, P6 ?3 O; X( gGenerating a 2048 bit RSA private key
% w, v1 v& [8 f# `6 J....................................................+++
) S2 g% G/ j7 l! Q' [) w.................................................................................................................................................................................+++2 \/ w( i3 p: [. U& b
writing new private key to '/root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key'4 j& G" q/ R  l" l
Enter PEM pass phrase:            #输入密码
$ E& x/ P7 O0 O" M1 ^, S6 yVerifying - Enter PEM pass phrase:; C" x6 L$ Q' y% J/ K8 Z
-----, j2 w+ i5 Q1 \  O, H2 w$ l: ]4 j* B
You are about to be asked to enter information that will be incorporated2 N/ V: Z. K- b* [
into your certificate request.
6 c. x7 e( R7 [! c: c* a6 \# \5 VWhat you are about to enter is what is called a Distinguished Name or a DN.
6 m. y) I2 K: _+ W% h' H( `There are quite a few fields but you can leave some blank
3 g) D7 k9 P) N' X6 q4 J, MFor some fields there will be a default value,
  ]& x# N% k- s$ |+ e+ C, C- gIf you enter '.', the field will be left blank.% E/ ~' |0 [/ q1 A
-----
3 B$ @& d8 C. F- E1 x: S- O( f) LCommon Name (eg: your user, host, or server name) [nmshuishui]:nmshuishui   #输入nmshuishui                     
: ~- t( |5 u- M$ o) g6 ]- d" H# V 7 w. a/ p! Z+ ^* \8 M* R" l8 C
Keypair and certificate request completed. Your files are:
8 r$ ~$ K" K: Vreq: /root/client/easy-rsa/easyrsa3/pki/reqs/nmshuishui.req
1 Z& R- A% R# d  ckey: /root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key- T* F1 t3 ?5 @+ ?
(4)将得到的nmshuishui.req导入并签约证书% t/ R, L/ e- T, V6 v5 E. H

! n: u8 v' i+ M* o: M
/ {! \1 G: N5 o* o, A$ ^[root@vpn ~]# cd openvpn-2.3.4/easy-rsa/easyrsa3/
3 F. |. H5 Z4 p: ?, P, J[root@vpn easyrsa3]#   #导入req( n6 N# q: }4 p5 ?
[root@vpn easyrsa3]# ./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/nmshuishui.req nmshuishui
8 T7 [9 Z2 N* e$ y
7 g" X& c) A) Z6 q2 bNote: using Easy-RSA configuration from: ./vars. N- I3 K( L# @* A! |! I& _5 m
7 k2 X- D/ o% ^, u$ v4 K: R
The request has been successfully imported with a short name of: nmshuishui
# |0 L4 f9 N5 h5 PYou may now use this name to perform signing operations on this request.
& X  s; |3 G( v- s' h" R( ~
) }3 L/ n, E3 n. e1 d1 ~$ t3 z" T[root@vpn easyrsa3]#     #签约证书' G* Y8 d1 z6 g
[root@vpn easyrsa3]# ./easyrsa sign client nmshuishui( ~2 Y; }6 y/ ~) M4 R" L/ w
- z) A: F- q$ W/ b- y, u, \  ]* u
Note: using Easy-RSA configuration from: ./vars
' ]4 I; e+ v; i 8 y' g5 @% n& l. {0 O. t5 z
7 C# V' x$ c8 ]! m( R2 q8 }; ]
You are about to sign the following certificate.$ `" c7 l  X* s4 l  y
Please check over the details shown below for accuracy. Note that this request6 k" k3 u- f. s% P
has not been cryptographically verified. Please be sure it came from a trusted
! g. D) l4 U9 b+ }& o$ n4 m* n8 Psource or that you have verified the request checksum with the sender.
- b- n9 q1 ?  f# K
; D/ C1 O) A: p5 X( QRequest subject, to be signed as a client certificate for 3650 days:1 B2 m& N/ n- X( o: z

# }# d% ?2 `- Z6 t( J' W0 a8 ~/ e9 C' Psubject=
+ C  X  |$ h7 i; C9 U# p- m) y    commonName                = nmshuishui
% `4 d% S) w' y8 x 0 c" E. W1 p2 Q/ w$ u, [$ B
% k0 P, ~. Z# M# J) E& r, T7 @
Type the word 'yes' to continue, or any other input to abort.
8 O+ E$ @* Q- [  Confirm request details: yes       #输入yes( W) r7 {7 Y' e, B' K* `
Using configuration from /root/openvpn-2.3.4/easy-rsa/easyrsa3/openssl-1.0.cnf$ K3 C5 p$ A/ D2 r4 _$ X1 V
Enter pass phrase for /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key:    #输入创建根证书时的密码
. f! b5 A/ b9 d: |& hCheck that the request matches the signature
" b. Z' R. w! N2 w3 RSignature ok
: H2 u, A; c% i1 ]; Q9 LThe Subject's Distinguished Name is as follows
6 J6 x" V# N/ q7 |1 ncommonName            :PRINTABLE:'nmshuishui'
4 r! [# B- D* g5 o( UCertificate is to be certified until Aug 21 12:49:40 2024 GMT (3650 days)8 ~- a3 ^! G- F& D
# h7 c& \9 |! ^0 o
Write out database with 1 new entries/ L/ P) N" V8 ]1 w. [
Data Base Updated5 P$ x( f, H, ~" V+ ~7 h5 G/ I5 u
* ]( y2 o' ?' T/ q2 s
Certificate created at: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/nmshuishui.crt   #签约成功
5 h: {% t" U' B; m(5)服务端及客户端生成的文件
2 R* X; x' C! P+ @. Y% i. Z8 P
# V4 R  i0 q5 q& n服务端:(/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki)文件夹
% u7 H' W+ {( t' J9 H. F5 V; I! u8 c5 U6 J+ ]7 n
" D" v' `) j8 Z2 A+ }& ^& t
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt
+ l+ I7 \6 n4 d, ~$ A/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/server.req/ u# L5 f1 E* q3 [4 L7 W. y
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/qingliu.req* g8 z$ v7 O% _* j; J' J4 F. w
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key
$ ?$ |" m8 L8 ]% I/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key
! Z3 K, ~( _( C+ u5 Z/ ?3 e$ m/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt
( R# ^" c3 d% G. _0 A' ^' Z/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/qingliu.crt
' z& ~% N* k' Z5 v3 t/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem
: M% C4 l/ m- R: w3 {客户端:(/root/client/easy-rsa)' P+ }; j; E' d

, Z- I' l9 @  G5 t
8 C4 ]3 M* D2 G: e  g+ ~/root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key
. S' j5 G4 O  N. Q* M' x/root/client/easy-rsa/easyrsa3/pki/reqs/nmshuishui.key   #这个文件被我们导入到了服务端文件,所以那里也有# E' I- D% l  P" g: ^& m" s) K/ y
(6)拷贝服务器密钥及证书等到openvpn目录
  y' a7 e& S# M7 K+ I" ^: F9 l
3 u  z+ L# @! F, b0 r' n# h! `  N) z4 j
% q& P- ^5 c; V7 |* j[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt openvpn-2.3.4/1 m/ C0 }! _5 g7 J$ a
[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key openvpn-2.3.4/
& ]; y0 C5 S2 U: p3 o9 v[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt openvpn-2.3.4/
0 o* V' b' h- }* `- c& r[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem openvpn-2.3.4/
7 E" o" F4 i4 ](7)拷贝客户端密钥及证书等到client目录# ^" I% }) a' ]' q4 _" v" |
& w$ ]; H' i+ n9 k

" H2 g# u7 m, `4 n; ^: M[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt /root/client 0 W2 v. V; z7 W: v! L
[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/nmshuishui.crt /root/client3 L; {5 @: W! W4 Y" i  A$ y
[root@vpn ~]# cp /root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key /root/client
) p" ~5 i, y9 Z7 d4 [(8)为服务端编写配置文件
8 G: L$ [# I" [+ o/ h6 I* q6 W
# i5 a* D1 s/ d+ @当安装好openvpn时候,它会提供一个server配置的文件例子
! Q0 f3 |. o/ j# O# f8 [6 Y6 u- j% U- H0 B! V. G
1* e) C) N9 E0 y% J: q
/root/openvpn-2.3.4/sample/sample-config-files/server.conf. h. c# B9 v$ P) J, X7 g
将此例子拷贝openvpn目录,然后配置
8 i) a4 n9 \2 {0 Z) k, u4 q/ R8 w' ~- k( N- c$ V( L3 c

: \" i: \# E/ [9 L[root@vpn ~]# cp openvpn-2.3.4/sample/sample-config-files/server.conf openvpn-2.3.4/
- D" \( I6 B# b) Z[root@vpn ~]# vim openvpn-2.3.4/server.conf' W( n+ _2 m5 ]8 T$ M
local 192.168.1.104    #(自己vps IP), x0 X0 w3 N" z$ o
port 11940 x3 [0 H. ?$ a
proto udp& K% q/ F9 f' V) I" ]. e" ^
dev tun
5 J# `& p/ t* @. }0 {ca /root/openvpn-2.3.4/ca.crt% i0 j" }7 {, Q  J9 z
cert /root/openvpn-2.3.4/server.crt9 \8 d9 S/ |0 x# `/ r
key /root/openvpn-2.3.4/server.key # This file should be kept secret1 [1 h& x8 I; W3 r; j1 f
dh /root/openvpn-2.3.4/dh.pem1 ^% f3 S: {2 Q- y) d$ R
server 10.8.0.0 255.255.255.0
2 \$ T) Q8 s# Y: i/ G) Jifconfig-pool-persist ipp.txt
0 k! o) K% L5 z6 P8 ?8 N% m8 m* ypush "redirect-gateway def1 bypass-dhcp"
, A$ W$ Q( B1 x- B5 a/ Ppush "dhcp-option DNS 8.8.8.8"
6 f% k8 m8 O% ]' O9 R4 `0 ?; Akeepalive 10 120# r5 N4 ~. h( k
comp-lzo. w6 A/ I! y# h1 J" x
max-clients 100; y# a3 C5 @7 `" l1 L
persist-key
8 ?/ j! K, A. q5 {$ e3 K6 c, L) _persist-tun
3 u* j% ?( z; P# m. ^8 c5 k# K2 Lstatus openvpn-status.log3 d! `3 U; f. o/ E8 S; C
verb 3
. Y# d* z$ r% w# k& h) R3 O(9)开启系统转发功能. O7 @. i& Q( U+ M" x9 G" ^* B
& C) M5 e2 M0 S4 ]2 h3 G
) L& f0 O- ~+ Q4 z' R4 r4 g
[root@vpn ~]# vim /etc/sysctl.conf" [" j" q4 j' d% i7 M9 d3 B
net.ipv4.ip_forward = 0  改成 net.ipv4.ip_forward = 1
6 d6 }& ]8 n' s5 Y' U[root@vpn ~]# sysctl -p
4 q' P7 l7 K& Y9 O8 ]" ]* N[root@vpn ~]# sysctl -a | grep net.ipv4.ip_forward
; d& |$ B5 u5 o5 }# Pnet.ipv4.ip_forward = 1/ K! n. K2 o9 R% k: k- A+ P* W
(10)封装出去的数据包(eth0是你的vps外网的网卡):
" s2 X% I& R' j* z' h+ W
/ `$ ]  X. g/ A5 m
% K5 Q; p; \& b; r# U: h/sbin/iptables -t nat -I POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE
回复

举报

admin

1

主题

0

回帖

12

积分

管理员

积分
12
QQ
 楼主| 发表于 2019-9-6 11:00:54 | 显示全部楼层
下载openvpn客户端,并进行配置& W2 M. E. l- J% H

+ t# y* s& \$ i' c7 u; b1、将客户端密钥及证书等拷出到windows备用8 |6 g2 B/ s( M8 G& Y+ p
6 [9 k0 p4 d1 L3 a1 f( ^

: r, h" {% h, U: V[root@vpn ~]# cd client/. g$ V! q, b' B% `& J3 L4 t
[root@vpn client]# ls
& n  C8 _5 `: l7 ^, x7 mca.crt  easy-rsa  nmshuishui.crt  nmshuishui.key    #带后缀的这三个4 r" c* u( S9 l

# {: g- Q0 _9 B) A2、安装openvpn-gui工具
' k! R1 V- {! u
& w1 t/ g  `' M+ h: u(1)将D:\Program Files (x86)\OpenVPN\sample-config\client.ovpn复制到D:\Program Files (x86)\OpenVPN\config# c+ @3 V! {: H- g6 N; _$ V

0 c4 Y$ n' L- @7 Q2 N2 Z3 s(2)将从linux中拷贝出来的三个密钥及证书放到D:\Program Files (x86)\OpenVPN\config下
回复

举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 注册

本版积分规则

返回首页|Archiver|手机版|小黑屋|易陆发现技术论坛 ( 蜀ICP备2026014127号-1 )

GMT+8, 2026-6-11 23:15 , Processed in 0.027701 second(s), 24 queries .

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表