6、创建服务器密钥。
9 h' a. l0 |( b4 P( s U, C1 d[
root@www.linuxidc.com easy-rsa]# ./build-key-server server #创建服务器端密钥
0 V+ p1 _1 U6 x! ?/ G( V B
Generating a 1024 bit RSA private key
5 ]" K! F" ?5 j& H& P$ W............................................++++++
3 B& i. P3 P3 ^0 F....++++++
8 J) B2 U! X$ k% P0 w2 Kwriting new private key to 'server.key'
( c* v5 I! I& A6 X
-----
4 N9 _1 f8 a# d' ?3 x# C% ?; O
You are about to be asked to enter information that will be incorporated
# y( J3 G: V! G3 q) ?into your certificate request.
9 i5 Q" q6 S2 s, B8 v
What you are about to enter is what is called a Distinguished Name or a DN.
8 ]/ j' O' H- l6 nThere are quite a few fields but you can leave some blank
/ f* d8 k9 T9 |. [+ V
For some fields there will be a default value,
" C2 x7 `" |$ ]: d) e! V
If you enter '.', the field will be left blank.
+ k( o, O0 ~8 P-----
6 e7 n! p1 v. C" t5 KCountry Name (2 letter code) [CN]:
9 y0 U K) s' V( \( jState or Province Name (full name) [GD]:
: Q- l. x1 u& gLocality Name (eg, city) [SZ]:
. Q _* v7 v( gOrganization Name (eg, company) [DIC]:
/ f G) q% f/ ]0 q$ x( x( p2 z+ MOrganizational Unit Name (eg, section) []:
5 q& X3 `: ^9 p8 a
Common Name (eg, your name or your server's hostname) []:dic172 #服务器主机名
2 j4 H6 e+ E4 B# h
Email Address [
tghfly222@126.com]:
Please enter the following 'extra' attributes
`; P% |; M G8 f
to be sent with your certificate request
% b" N& r; I5 b3 s$ T W: L' X
A challenge password []:dic172
' g" Z9 z8 \0 b0 q* @
An optional company name []:dic172
' c2 N" d5 F3 C: U' l' H0 V
Using configuration from /usr/src/openvpn-2.0.9/easy-rsa/openssl.cnf
5 \/ d& L5 l3 f, zCheck that the request matches the signature
7 B$ Q" `; Z" ?; _2 a. T7 |8 s
Signature ok
- L4 g. P3 \* x; m# {
The Subject's Distinguished Name is as follows
8 ?% R) [5 w) Z- N0 ncountryName :PRINTABLE:'CN'
4 q4 C- O6 N- a0 a: K4 `
stateOrProvinceName :PRINTABLE:'GD'
! Z4 H; d9 }# s% n+ l8 K! E# QlocalityName :PRINTABLE:'SZ'
& S; c4 V* D" Q7 m1 d$ s' W- W, c
organizationName :PRINTABLE:'DIC'
% F* Y, b& w) ~8 X" N6 f
commonName :PRINTABLE:'dic172'
3 }9 ^# h( u2 U/ ^
emailAddress :IA5STRING:'tghfly222@126.com'
5 v& G+ l. B* @7 n. n8 J, M' BCertificate is to be certified until Jul 16 05:51:08 2021 GMT (3650 days)
+ M( J/ D$ F3 F3 U$ J7 o
Sign the certificate? [y/n]:y
# ? a- ?) F0 a$ Y5 C
1 out of 1 certificate requests certified, commit? [y/n]y
6 i- j; R$ n( ^: Z! Y& p hWrite out database with 1 new entries
$ m' ^( s u) x* l
Data Base Updated
8 W# _, H' H$ ^* U/ R7、创建客户端密钥,客户端密钥名可随意命名。
7 ~* J! m" ^& y2 B: S/ h/ k2 F/ z3 S[
root@www.linuxidc.com easy-rsa]# ./build-key client
0 Z) K/ h. U! MGenerating a 1024 bit RSA private key
* o0 T7 p/ ^5 e7 t$ d! a: ].....++++++
5 E* p+ r- b( I: t& Y/ M# f5 ^
.......................++++++
3 f; r! g1 K7 z4 L/ L7 A, Y& F$ m
writing new private key to 'client.key'
3 M/ `, G8 v; W# M0 v5 T6 K r-----
+ R7 S! n, R* |( ]% j! P7 f
You are about to be asked to enter information that will be incorporated
7 S3 d3 x, _1 Pinto your certificate request.
! h q; t* x( ^4 w( o. z
What you are about to enter is what is called a Distinguished Name or a DN.
5 d O- @% |/ V% H5 t& dThere are quite a few fields but you can leave some blank
! @, H/ J# t5 D% E" n$ V
For some fields there will be a default value,
4 s6 d7 f4 e8 i) u! M
If you enter '.', the field will be left blank.
9 B$ V' r% u, _6 `$ t- F' F
-----
; ~6 y+ T6 I$ d. ^Country Name (2 letter code) [CN]:
/ Q7 r6 ~& O% P4 _5 I
State or Province Name (full name) [GD]:
+ V+ V$ w9 Y8 M" v" y" B: wLocality Name (eg, city) [SZ]:
9 X0 f% A; [/ n* K5 ?
Organization Name (eg, company) [DIC]:
8 L, G3 _( M0 o- E0 @
Organizational Unit Name (eg, section) []:
/ w7 s" Z7 Y7 \: G* t' Z
Common Name (eg, your name or your server's hostname) []:tgh #不同客户端,命名绝不能一样
k( X2 e! h- W& f6 s- `
Email Address [
tghfly222@126.com]:
Please enter the following 'extra' attributes& e5 k0 P4 o+ `1 e6 S7 a
to be sent with your certificate request
/ W6 y% v4 }; R, vA challenge password []:dic172- [& @. n! K4 b! J3 z9 q; X: W
An optional company name []:dic172
9 Z- W) ]! P* u' _1 L& ^+ bUsing configuration from /usr/src/openvpn-2.0.9/easy-rsa/openssl.cnf
0 v$ T$ q/ Q7 C/ `; D3 N* zCheck that the request matches the signature
1 V0 J+ h, w* p& d' sSignature ok2 ~6 q! s: E( {
The Subject's Distinguished Name is as follows1 H" [/ h$ ^! D' z
countryName :PRINTABLE:'CN'3 F6 W [% @* w) L1 Z
stateOrProvinceName :PRINTABLE:'GD'* P8 E; U, r, H, a/ t& F- Z
localityName :PRINTABLE:'SZ'( H& ], l9 _9 |/ S$ k! ?
organizationName :PRINTABLE:'DIC'
) j$ \* |+ f$ v8 z/ k Q$ w8 gcommonName :PRINTABLE:'tgh'- q% @( `$ Q) X9 E& h) U
emailAddress :IA5STRING:'tghfly222@126.com'
( s: Y5 _6 b0 O. ^+ B( ZCertificate is to be certified until Jul 16 05:52:27 2021 GMT (3650 days)
- @0 y9 a3 v# o9 W$ aSign the certificate? [y/n]:y
. f5 v6 R$ d' X3 m1 out of 1 certificate requests certified, commit? [y/n]y
( y) c% C }, |* U4 h. ~& S- s bWrite out database with 1 new entries- v, u! J5 B+ _% S" p+ e
Data Base Updated
8、创建dhDiffie-Hellman )密钥算法文件
6 [) L4 P# U) V- G# F w8 u[
root@www.linuxidc.com easy-rsa]# ./build-dh
! \9 H( n) G! h i k$ }% y [$ \Generating DH parameters, 1024 bit long safe prime, generator 2
$ Q* _4 t* p6 v. B8 E+ g# p* m: EThis is going to take a long time
! }; B1 L+ y8 m7 i5 N...+.......+.....+........................+......................+.....+...........................+..........+.......+.................................................+.....................+............+..............................................+..........................................................+..............................+...........................+..+.....+......++*++*++*
9、生成 tls-auth 密钥 ,tls-auth密钥可以为点对点的VPN连接提供了进一步的安全验证,如果选择使用这一方式,服务器端和客户端都必须拥有该密钥文件。
) E( P. B4 m( v* ?3 J/ @[
root@www.linuxidc.com easy-rsa]# openvpn --genkey --secret keys/ta.key
r5 x& k: j4 y9 Y% N. F, z
[
root@www.linuxidc.com easy-rsa]# cp -rp keys/ /etc/openvpn/ #将证书文件复制到/etc/openvpn/
local 192.168.161.172 #服务器所使用的IP( L+ N) r1 f g9 K9 P! Z7 V
port 1194 #使用1194端口
: l# n/ a! @; Yproto udp #使用UDP协议' q+ Q" P& F! p/ z" a) ` D
dev tun #使用tun设备
" a8 n- w& Y4 g+ gca /etc/openvpn/keys/ca.crt #指定CA证书文件路径
! ~0 `4 i' v4 n$ K+ K, N' ?cert /etc/openvpn/keys/server.crt
) g8 z$ A3 s2 T8 d- Idh /etc/openvpn/keys/dh1024.pem" k! I% x* C/ [$ y: e: `* Q
tls-auth /etc/openvpn/keys/ta.key 0$ ?; ]( G( o$ W( x; w' ]* B4 |6 k
server 172.16.10.0 255.255.255.0 #VPN客户端拨入后,所获得的IP地址池 v& t" f6 Y3 T+ ~
ifconfig-pool-persist ipp.txt0 t4 U- R8 a: g7 S
push "dhcp-option DNS 202.96.134.133" #客户端所获得的DNS; J& W5 H* w6 v) m& j! I4 `; j
client-to-client
2 j* r% l! `; g2 Dkeepalive 10 120
! M9 U( @ `$ ], o6 ~$ vcomp-lzo
. ^" Y# n$ c$ Z$ k) O' f! zpersist-key, B: M6 G5 }( ]9 y9 d
persist-tun
* Z6 g* p+ P* \+ Hstatus openvpn-status.log) ~$ I; `& _8 m+ J
verb 3% B# t* o8 _) n5 P6 r. A
mute 20
[
root@www.linuxidc.com openvpn-2.0.9]# service openvpn start
4 x) d) h& d) k' o$ P
Starting openvpn: [ OK ]
+ x# l+ }( @- m! L5 ^, p7 n* Z9 |/ S
[
root@www.linuxidc.com openvpn-2.0.9]# netstat -anp |grep :1194
6 O- ~8 r! ?- X2 b$ K3 \6 S
udp 0 0 192.168.161.172:1194 0.0.0.0:* 25162/openvpn
4 `- V E3 w4 F- g+ v
发表于 2020-1-19 08:52:01