6、创建服务器密钥。
, p' D) x4 ~+ _9 p1 {
[
root@www.linuxidc.com easy-rsa]# ./build-key-server server #创建服务器端密钥
9 o' E7 M1 z2 y5 y k
Generating a 1024 bit RSA private key
+ R+ ^; u+ t2 {; k# f) S, {............................................++++++
8 R {' `( n' d+ ]7 K H) N
....++++++
. N9 I* Y4 \; h( d
writing new private key to 'server.key'
1 p( \! f; e, [1 h( l
-----
( D5 z: H4 ^, j, MYou are about to be asked to enter information that will be incorporated
$ n n5 f" Y5 Z* [' u, t3 z
into your certificate request.
8 r1 h' \- ?) ~$ Y/ cWhat you are about to enter is what is called a Distinguished Name or a DN.
) e6 ^( |3 R! A% D% o6 `
There are quite a few fields but you can leave some blank
8 N* |: X0 F2 G. ^
For some fields there will be a default value,
' K- g6 S* s4 _
If you enter '.', the field will be left blank.
4 P) G2 b0 p" ?, Z
-----
' a7 M6 w; G x! O, O5 \Country Name (2 letter code) [CN]:
& H( s$ G3 {' a3 S' t
State or Province Name (full name) [GD]:
, }/ h2 K1 T7 S2 R# l
Locality Name (eg, city) [SZ]:
% Y4 o; p; Z% D$ [* jOrganization Name (eg, company) [DIC]:
7 S. H1 l R( S1 K5 [: K: H' FOrganizational Unit Name (eg, section) []:
" i/ p' d" c' C: uCommon Name (eg, your name or your server's hostname) []:dic172 #服务器主机名
# v$ W% K* D( o; {
Email Address [
tghfly222@126.com]:
Please enter the following 'extra' attributes
9 s$ O% V4 V, X
to be sent with your certificate request
9 Y1 e7 }: I/ Q% ]7 e, [/ \) cA challenge password []:dic172
2 P0 ^, F" M& EAn optional company name []:dic172
+ z: s+ L2 F- J2 z; w9 }' qUsing configuration from /usr/src/openvpn-2.0.9/easy-rsa/openssl.cnf
5 a! |& A% u5 p9 j- a6 a) y4 n
Check that the request matches the signature
- c4 s/ e1 @5 Y" R$ ^Signature ok
2 ]$ Y5 x: n( ~( k$ s8 M1 E& _7 \The Subject's Distinguished Name is as follows
3 V9 h9 `4 x' Y4 p+ bcountryName :PRINTABLE:'CN'
$ S( h' b0 K9 v* ~stateOrProvinceName :PRINTABLE:'GD'
# X& G( i% Y) M9 R8 f U# O
localityName :PRINTABLE:'SZ'
/ Y, \& E8 ~) d6 G) ]6 j7 eorganizationName :PRINTABLE:'DIC'
8 V: X# s; g3 |* y* V9 v; w8 EcommonName :PRINTABLE:'dic172'
6 Y; N2 a5 O8 J+ Z, BemailAddress :IA5STRING:'tghfly222@126.com'
' V; p: N; `$ `, d# n6 n
Certificate is to be certified until Jul 16 05:51:08 2021 GMT (3650 days)
5 r) T1 M. {. P
Sign the certificate? [y/n]:y
- N2 Q) [& G9 v# `' x9 @
1 out of 1 certificate requests certified, commit? [y/n]y
\2 A$ t2 j% r0 t! Z- F9 b
Write out database with 1 new entries
# z" v4 o- [1 x5 @Data Base Updated
% b, e+ t) `, v; J1 l0 {7、创建客户端密钥,客户端密钥名可随意命名。
; j5 C L5 r* R4 {
[
root@www.linuxidc.com easy-rsa]# ./build-key client
8 ^3 N9 R0 H5 K' | L& \" [8 ]. bGenerating a 1024 bit RSA private key
) ~5 ~6 q) u' R( E$ m/ @* a6 ~.....++++++
$ a% R. X' s( w7 \) l+ x" G
.......................++++++
& Z2 \( J+ P" o) @writing new private key to 'client.key'
E8 D6 _6 I2 C& s5 r2 W+ m, X-----
& a. h. d& M& a4 n! v) U
You are about to be asked to enter information that will be incorporated
/ J: {5 \9 Y8 V$ P' Yinto your certificate request.
+ j! ?1 \% e# f, P" V8 y' t( ^7 l z6 XWhat you are about to enter is what is called a Distinguished Name or a DN.
8 O. |0 W. Z) w, S
There are quite a few fields but you can leave some blank
/ M# ^+ u1 g& s3 a& ^# [
For some fields there will be a default value,
, p# K$ @% @- `8 k u. l! FIf you enter '.', the field will be left blank.
* s& M$ m- P4 ~
-----
4 T# {. S& m& I5 |, E( ]Country Name (2 letter code) [CN]:
/ a# ] L' [& C, t: p* c. I4 zState or Province Name (full name) [GD]:
7 q9 q5 a2 O! z3 B2 @
Locality Name (eg, city) [SZ]:
3 @' H0 y% ?: e& B. j& Q
Organization Name (eg, company) [DIC]:
/ F8 o0 m6 M0 T/ s! C7 L& x9 ?+ S" ^
Organizational Unit Name (eg, section) []:
2 n, m/ w1 M6 q' r9 J5 V) wCommon Name (eg, your name or your server's hostname) []:tgh #不同客户端,命名绝不能一样
0 L4 k2 ?7 x- }# T
Email Address [
tghfly222@126.com]:
Please enter the following 'extra' attributes1 E5 D7 |9 x' Z0 J5 J! Y7 D
to be sent with your certificate request) g) r; l2 Z* r2 K3 I6 Q
A challenge password []:dic172( c! r6 k/ W9 Q- n
An optional company name []:dic172
' [5 `) G& q+ V y8 nUsing configuration from /usr/src/openvpn-2.0.9/easy-rsa/openssl.cnf8 X" q0 J% m6 G9 C
Check that the request matches the signature
5 b1 z. m" f8 x! p7 h1 b6 P% W2 KSignature ok. u; H% p- z! T' f8 w- ^8 ` {2 ?
The Subject's Distinguished Name is as follows
# v7 t# ^0 k$ n- Z# N! LcountryName :PRINTABLE:'CN'
# C1 G- \% j* p5 D& ?3 `8 rstateOrProvinceName :PRINTABLE:'GD'
8 F, m- f: ~( ?# D9 z1 L8 ClocalityName :PRINTABLE:'SZ'; @7 O! }7 }! Y; m
organizationName :PRINTABLE:'DIC'
6 {( H0 N1 v: S& _7 A; EcommonName :PRINTABLE:'tgh'
1 G5 A+ _+ S' @5 i& [& remailAddress :IA5STRING:'tghfly222@126.com'
. p8 ^3 q5 T1 G, G: M! Q3 VCertificate is to be certified until Jul 16 05:52:27 2021 GMT (3650 days)
: A9 | S9 K1 I6 O4 @7 [- F% vSign the certificate? [y/n]:y
2 {. W8 } E" o+ x0 e) B1 out of 1 certificate requests certified, commit? [y/n]y% @' G5 N: h% N+ s4 }) g+ x; q
Write out database with 1 new entries
% ^- m+ U( M4 PData Base Updated
8、创建dhDiffie-Hellman )密钥算法文件
( S$ [$ F u0 G* s( ^( M[
root@www.linuxidc.com easy-rsa]# ./build-dh
8 `( `, H* o+ R' J# r$ Z
Generating DH parameters, 1024 bit long safe prime, generator 2
6 @" ~; v' k6 [
This is going to take a long time
$ s5 L6 e/ K1 ?5 x...+.......+.....+........................+......................+.....+...........................+..........+.......+.................................................+.....................+............+..............................................+..........................................................+..............................+...........................+..+.....+......++*++*++*
9、生成 tls-auth 密钥 ,tls-auth密钥可以为点对点的VPN连接提供了进一步的安全验证,如果选择使用这一方式,服务器端和客户端都必须拥有该密钥文件。
. }8 _6 V% q; h% z2 B
[
root@www.linuxidc.com easy-rsa]# openvpn --genkey --secret keys/ta.key
' c+ N0 J5 x3 K! D4 r0 B. P
[
root@www.linuxidc.com easy-rsa]# cp -rp keys/ /etc/openvpn/ #将证书文件复制到/etc/openvpn/
local 192.168.161.172 #服务器所使用的IP& c6 v0 S; ^$ P$ f; c! ]
port 1194 #使用1194端口9 N! E9 i3 ?4 E+ N* P3 j
proto udp #使用UDP协议
. W& L8 G8 O; ?, k8 gdev tun #使用tun设备
; M5 r. @1 `% c- V, T3 H yca /etc/openvpn/keys/ca.crt #指定CA证书文件路径
% A' i. W# u% k- d- Ccert /etc/openvpn/keys/server.crt7 Z2 \- l4 Q% |, l o+ k
dh /etc/openvpn/keys/dh1024.pem
1 {/ o7 W; ~4 v# J+ U5 |2 x7 F2 gtls-auth /etc/openvpn/keys/ta.key 0
C, _' B7 v; T$ |- ^. Bserver 172.16.10.0 255.255.255.0 #VPN客户端拨入后,所获得的IP地址池# o- a- m9 x0 i3 _$ ~8 h/ q( \
ifconfig-pool-persist ipp.txt5 f7 r+ ]- y$ A! ]
push "dhcp-option DNS 202.96.134.133" #客户端所获得的DNS: L2 T& o7 j" i* v3 l' p
client-to-client6 ~' i, p/ x6 B% B7 O0 V% z0 s
keepalive 10 120( G, P3 v& r$ J! o" z
comp-lzo
/ V6 @2 }% J8 u0 F1 {: h4 wpersist-key, d- q1 W& n5 H% R
persist-tun9 k' L. C: A- R V, _. Q
status openvpn-status.log. d5 C* o' N! |8 m7 R( q; Q
verb 3* S* j/ i0 N0 q; K# O! c% s; ^6 `
mute 20
[
root@www.linuxidc.com openvpn-2.0.9]# service openvpn start
6 @9 `; l, o! @9 L- y
Starting openvpn: [ OK ]
) r$ ]& a- G7 e3 o
[
root@www.linuxidc.com openvpn-2.0.9]# netstat -anp |grep :1194
$ Q7 b2 p* x7 K6 L8 Oudp 0 0 192.168.161.172:1194 0.0.0.0:* 25162/openvpn
# p9 q4 r3 \- F) C# V
发表于 2020-1-19 08:52:01