6、创建服务器密钥。
& I0 Y2 x( s5 T
[
root@www.linuxidc.com easy-rsa]# ./build-key-server server #创建服务器端密钥
, a9 M) u7 c/ Q* _6 x
Generating a 1024 bit RSA private key
+ A0 W7 k2 v E+ l. t5 h- W............................................++++++
* L+ Y6 h0 b$ C/ M) ~ g8 }
....++++++
4 T8 m6 @! U9 x: m* Cwriting new private key to 'server.key'
. @8 @' O0 b+ B9 @ |
-----
5 u* A2 r) n+ g% g& u% k
You are about to be asked to enter information that will be incorporated
) v( E1 @6 t9 O% M
into your certificate request.
! C3 m3 L4 p3 }1 i& pWhat you are about to enter is what is called a Distinguished Name or a DN.
" f2 J7 r2 h; U9 h) t2 `% V% t
There are quite a few fields but you can leave some blank
9 G0 k# C' ]5 T3 q+ sFor some fields there will be a default value,
! C" F$ f( x6 w1 i6 E A
If you enter '.', the field will be left blank.
9 J, h( m/ \% w3 e-----
0 E; D H/ S% ?Country Name (2 letter code) [CN]:
1 U: }9 Y% t% O- X7 v& O
State or Province Name (full name) [GD]:
/ `# g# V3 E9 P9 Q7 l9 z" sLocality Name (eg, city) [SZ]:
# s6 w6 h4 R1 K) B7 ^: {Organization Name (eg, company) [DIC]:
2 L9 d/ a. ?* b1 N2 X
Organizational Unit Name (eg, section) []:
0 ?& j3 H+ @7 Y4 u) U O+ A
Common Name (eg, your name or your server's hostname) []:dic172 #服务器主机名
* x5 \& s6 @* v; g1 ]4 J, n; E2 j
Email Address [
tghfly222@126.com]:
Please enter the following 'extra' attributes
+ _5 i0 f2 i. y1 U1 P" w
to be sent with your certificate request
0 u h; W+ e8 z8 J3 {A challenge password []:dic172
4 Y& O6 }4 {; ~' l3 i; S
An optional company name []:dic172
3 d0 {8 {+ B- N7 L- B# Z
Using configuration from /usr/src/openvpn-2.0.9/easy-rsa/openssl.cnf
/ ^& u z6 d: ]) `; I( @4 n
Check that the request matches the signature
2 k/ g, _! E4 p5 r7 ~2 v
Signature ok
4 i& I- _) o$ a5 z
The Subject's Distinguished Name is as follows
6 J( D. `: S1 Z/ l- S+ U
countryName :PRINTABLE:'CN'
/ k k) ?# B9 g! k* L, ystateOrProvinceName :PRINTABLE:'GD'
2 F2 U6 c1 y* R f/ M7 S
localityName :PRINTABLE:'SZ'
8 p! Y6 @! S) F% I( `- z, Y! B
organizationName :PRINTABLE:'DIC'
- \& c9 I- J/ |( p3 scommonName :PRINTABLE:'dic172'
* m% K3 f/ u5 g6 s( Y' hemailAddress :IA5STRING:'tghfly222@126.com'
9 V9 M% [; s3 f' mCertificate is to be certified until Jul 16 05:51:08 2021 GMT (3650 days)
4 _- I) p* Q! D% a
Sign the certificate? [y/n]:y
s) g) W8 a% V8 I5 N6 W+ G( z
1 out of 1 certificate requests certified, commit? [y/n]y
6 P' c: b3 o& j6 G8 [) u
Write out database with 1 new entries
& ]" g% W$ A2 v ^* f9 w7 N
Data Base Updated
9 f3 t/ u" a* Y! E! g
7、创建客户端密钥,客户端密钥名可随意命名。
: k! Z" M: o' A* O2 k* |0 b[
root@www.linuxidc.com easy-rsa]# ./build-key client
1 G2 j: D' P, w
Generating a 1024 bit RSA private key
- f4 R$ X$ ] t0 u+ A: c
.....++++++
, ]' a% \8 {7 I9 C0 Z% m" f
.......................++++++
. f2 [3 w1 ] b# z6 m" xwriting new private key to 'client.key'
: G+ u% p2 |. Q: D
-----
) d: x* i R1 W. r2 C6 a
You are about to be asked to enter information that will be incorporated
8 _! ~! Y% z3 P4 [' X, v( D( {into your certificate request.
; W4 K8 W, _2 P7 K- k6 eWhat you are about to enter is what is called a Distinguished Name or a DN.
, Q4 \5 F1 X+ s6 J: t1 P, E
There are quite a few fields but you can leave some blank
8 y& `- q* A8 B$ d* S% iFor some fields there will be a default value,
! L, A& _% S+ [6 V/ q, j vIf you enter '.', the field will be left blank.
8 s3 A3 d/ i* ~+ Z0 f! B& V
-----
' d# I3 Q: h1 x) o4 A
Country Name (2 letter code) [CN]:
( L5 M: G5 j/ d. { z4 I& I q; X
State or Province Name (full name) [GD]:
) W b3 e& s' W/ Z
Locality Name (eg, city) [SZ]:
' y; V2 e- s9 m* D. A/ j5 H
Organization Name (eg, company) [DIC]:
% n3 ^ Q1 U5 j' ^+ N5 ]
Organizational Unit Name (eg, section) []:
9 [) Z$ r+ a$ V, YCommon Name (eg, your name or your server's hostname) []:tgh #不同客户端,命名绝不能一样
( V/ g, `' \$ N- o* B7 y5 T* rEmail Address [
tghfly222@126.com]:
Please enter the following 'extra' attributes
# M! o3 f& _4 I; k: S$ B8 Xto be sent with your certificate request
. r: I0 _, F' X8 ^) @! ]$ q9 VA challenge password []:dic172
6 C; H4 w0 y. V1 tAn optional company name []:dic172
4 H8 a% t( g: f% e$ m1 ^Using configuration from /usr/src/openvpn-2.0.9/easy-rsa/openssl.cnf# J9 X R" t2 L+ A
Check that the request matches the signature. S4 |1 ` t: m/ ]/ L/ P! b
Signature ok# T7 z) }' f3 \% W' E3 _% J
The Subject's Distinguished Name is as follows
9 E# Y% m7 b% K6 g0 o8 Y- ~5 {, l- E7 p fcountryName :PRINTABLE:'CN'6 h8 C; D9 Q5 y2 h, H* E
stateOrProvinceName :PRINTABLE:'GD'
& F/ C$ c ]9 ]* plocalityName :PRINTABLE:'SZ'
% Y9 q/ l1 n& C& F4 G+ zorganizationName :PRINTABLE:'DIC'
2 J$ a# Z$ M" N- RcommonName :PRINTABLE:'tgh'
6 E- z# {) g& \* FemailAddress :IA5STRING:'tghfly222@126.com' G( ]- E) ?: u1 ]" G
Certificate is to be certified until Jul 16 05:52:27 2021 GMT (3650 days)
# n' n: F9 X+ o; T/ m$ \Sign the certificate? [y/n]:y
/ c0 M# D; z* r
1 out of 1 certificate requests certified, commit? [y/n]y
$ y* R L6 ?4 B8 N# l! W3 ^" A% BWrite out database with 1 new entries$ q, i/ g$ i. W* Q5 d" }$ i
Data Base Updated
8、创建dhDiffie-Hellman )密钥算法文件
, e- `3 x' C( G( ~% z v" D
[
root@www.linuxidc.com easy-rsa]# ./build-dh
2 |# F2 ?& J" }% O0 A
Generating DH parameters, 1024 bit long safe prime, generator 2
" z. X) E3 c" L2 j- M
This is going to take a long time
3 d5 |' I6 ^4 j# p) F* @...+.......+.....+........................+......................+.....+...........................+..........+.......+.................................................+.....................+............+..............................................+..........................................................+..............................+...........................+..+.....+......++*++*++*
9、生成 tls-auth 密钥 ,tls-auth密钥可以为点对点的VPN连接提供了进一步的安全验证,如果选择使用这一方式,服务器端和客户端都必须拥有该密钥文件。
0 @) \8 U" y# t3 l, t2 X
[
root@www.linuxidc.com easy-rsa]# openvpn --genkey --secret keys/ta.key
% t7 y3 p6 R K* l9 E
[
root@www.linuxidc.com easy-rsa]# cp -rp keys/ /etc/openvpn/ #将证书文件复制到/etc/openvpn/
10、修改server.conf配置文件
4 {3 i5 g; w5 U9 S4 @1 \! ]* N" o
[
root@www.linuxidc.com openvpn]# grep -v "#" server.conf
local 192.168.161.172 #服务器所使用的IP+ }9 n& T9 h6 w! ]3 S" }
port 1194 #使用1194端口9 D# g- H9 e" I% Y
proto udp #使用UDP协议
$ j A# u, B3 d9 A) W9 h7 rdev tun #使用tun设备
9 }# V! P- u% p! b6 [3 }- \ca /etc/openvpn/keys/ca.crt #指定CA证书文件路径
. J8 Z. |4 V/ z# B+ b" Scert /etc/openvpn/keys/server.crt7 ]: p% m( t, [) W5 J# P
dh /etc/openvpn/keys/dh1024.pem
0 J3 s1 _! i" j; O+ i" c, u$ stls-auth /etc/openvpn/keys/ta.key 0
# S/ \5 E$ A' O" eserver 172.16.10.0 255.255.255.0 #VPN客户端拨入后,所获得的IP地址池- U! J% D5 X- K' Y* n
ifconfig-pool-persist ipp.txt
$ e' x7 A6 L% Q5 s* xpush "dhcp-option DNS 202.96.134.133" #客户端所获得的DNS- ~3 {) A0 E2 {
client-to-client
4 W, J9 l2 h. ?! O. W5 o9 hkeepalive 10 120
8 t' {( S1 V$ G& i, Q" M8 q1 qcomp-lzo: a) `! Z% s/ e# h, u: t4 }
persist-key) W; C& m) D4 y4 L1 E
persist-tun: u# y' a7 [% Y
status openvpn-status.log( A- \0 _1 H3 @ i* W6 D1 v( c/ _1 g2 n
verb 3
' b6 ~& {' y+ s1 {mute 20
[
root@www.linuxidc.com openvpn-2.0.9]# service openvpn start
5 I+ V$ j" H2 P% j' Z
Starting openvpn: [ OK ]
3 Z: ~. X* P7 U6 Q& a9 b: Z[
root@www.linuxidc.com openvpn-2.0.9]# netstat -anp |grep :1194
7 H( V c* P( u
udp 0 0 192.168.161.172:1194 0.0.0.0:* 25162/openvpn
/4 
|返回首页|Archiver|小黑屋|易陆发现技术论坛
( 蜀ICP备2026014127号-1 )
窥视卡
雷达卡
发表于 2020-1-19 08:52:01
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
照妖镜
楼主
