6、创建服务器密钥。
% l7 I. }! y( y; @ I6 ]* o
[
root@www.linuxidc.com easy-rsa]# ./build-key-server server #创建服务器端密钥
1 h9 y' m! k% D7 s, i
Generating a 1024 bit RSA private key
* Y# V- N, \3 A$ ^8 D( Q' l; \9 y Q
............................................++++++
- M2 a0 j# M0 X' a b) b8 d....++++++
x+ `2 i- {2 I* K7 l8 {writing new private key to 'server.key'
3 x3 A* [- n: E: a/ \7 A
-----
' \: g; j/ ~* b I/ EYou are about to be asked to enter information that will be incorporated
$ z# |; ^+ @/ N8 G% H1 X
into your certificate request.
( T8 U# z' a0 o HWhat you are about to enter is what is called a Distinguished Name or a DN.
& i" p9 l5 J* Z7 iThere are quite a few fields but you can leave some blank
5 d q8 z9 P% W. n: l! E& X
For some fields there will be a default value,
+ H' Q: ]; I0 z# s) x( l, w
If you enter '.', the field will be left blank.
0 @# c. U1 g: t-----
- |& e' }4 `" a/ [$ V4 a0 y0 iCountry Name (2 letter code) [CN]:
( e2 T" s$ V# g% E- mState or Province Name (full name) [GD]:
! R( T4 p# O% t. a
Locality Name (eg, city) [SZ]:
2 }7 ^1 E8 z9 V! e9 ?) I. L/ \* k, vOrganization Name (eg, company) [DIC]:
1 U" g( z; i0 q/ q- C& h
Organizational Unit Name (eg, section) []:
; ]1 O' @$ W0 _7 c2 L
Common Name (eg, your name or your server's hostname) []:dic172 #服务器主机名
, `$ a! F& m9 d w0 A
Email Address [
tghfly222@126.com]:
Please enter the following 'extra' attributes
, h& E+ m" f+ b" F- ito be sent with your certificate request
3 \* y: F m3 k+ R% W. p; r9 |
A challenge password []:dic172
% t$ _$ l; j7 |$ b5 p
An optional company name []:dic172
9 Q) V0 _( z: B0 q D
Using configuration from /usr/src/openvpn-2.0.9/easy-rsa/openssl.cnf
& }5 w( ?. _$ S& ?. S WCheck that the request matches the signature
! o6 j$ j' W! n( @( S
Signature ok
2 h* X2 N9 H' ]' [
The Subject's Distinguished Name is as follows
9 `! ?" r m+ N+ ]. xcountryName :PRINTABLE:'CN'
: X, s5 D8 f$ `$ A6 ?, L( N [5 K
stateOrProvinceName :PRINTABLE:'GD'
" |0 u' a6 |0 g+ MlocalityName :PRINTABLE:'SZ'
* O3 g- `2 ]( N
organizationName :PRINTABLE:'DIC'
) i ?5 X7 m' M }$ [4 Z- e/ _
commonName :PRINTABLE:'dic172'
! X$ q. @# H' N' w2 X+ T' ]
emailAddress :IA5STRING:'tghfly222@126.com'
2 a s9 |5 Q# H G0 g O
Certificate is to be certified until Jul 16 05:51:08 2021 GMT (3650 days)
/ ?! N' k7 ?+ }" {% I! s
Sign the certificate? [y/n]:y
: g* X5 Z+ G G$ v1 out of 1 certificate requests certified, commit? [y/n]y
2 S$ Q+ M3 Q) T& RWrite out database with 1 new entries
n: n3 Q ]' n* VData Base Updated
: T9 J o% [3 U) E7、创建客户端密钥,客户端密钥名可随意命名。
" E" f4 f3 b# y( f6 K! I
[
root@www.linuxidc.com easy-rsa]# ./build-key client
9 d( b4 ?5 E5 [6 {, T4 y5 t
Generating a 1024 bit RSA private key
) |! G+ a; h0 X) E, @: @.....++++++
4 [9 r3 l$ g0 A; [.......................++++++
7 X1 N: h( k+ g3 G, }4 c+ W
writing new private key to 'client.key'
* r* K( q4 y2 ?2 p. r+ `& x9 o' O6 [-----
. r2 K* O; j9 H3 u
You are about to be asked to enter information that will be incorporated
0 l( J+ M0 [; u+ B2 m: ~6 Jinto your certificate request.
% Q& S# Y9 h1 o, Z. Q; U3 t
What you are about to enter is what is called a Distinguished Name or a DN.
3 `' F2 ?* }- k iThere are quite a few fields but you can leave some blank
/ {* |& @2 n2 _3 H9 u. h
For some fields there will be a default value,
- E+ c3 r, i2 _& lIf you enter '.', the field will be left blank.
3 l! _+ Y' V3 a. t! f* I
-----
# a, B6 K0 X L" A( ~: e
Country Name (2 letter code) [CN]:
" P/ X) I3 @5 y, w. m' ?$ k: {+ r3 w* U3 K% c
State or Province Name (full name) [GD]:
# V8 v6 j3 p# z* ^; M
Locality Name (eg, city) [SZ]:
, w) \5 E! v: [3 @5 r3 MOrganization Name (eg, company) [DIC]:
( p4 l. P# }+ T9 s6 p
Organizational Unit Name (eg, section) []:
3 `# S4 }6 q: j2 n% U1 ?Common Name (eg, your name or your server's hostname) []:tgh #不同客户端,命名绝不能一样
, L. _# q5 H/ _
Email Address [
tghfly222@126.com]:
Please enter the following 'extra' attributes
* O5 l/ ~7 S: [" m, M3 Hto be sent with your certificate request5 g: e' B/ t# K( |3 K B) D0 S
A challenge password []:dic172 \8 ]+ E2 C! I l5 h* ? P: A* K4 S
An optional company name []:dic172
3 _# N3 Y$ _4 [# B; g# YUsing configuration from /usr/src/openvpn-2.0.9/easy-rsa/openssl.cnf
% w6 Y% Y3 ]/ @" \4 QCheck that the request matches the signature( ~3 L: L' a: I) ^& [" I
Signature ok9 k" e! H, o3 M6 D
The Subject's Distinguished Name is as follows6 k9 c7 l& e0 c g% A2 J: s8 e
countryName :PRINTABLE:'CN'% \/ [- V" @8 `& U D9 r$ d" L
stateOrProvinceName :PRINTABLE:'GD', Z: I& V' e- ~8 t
localityName :PRINTABLE:'SZ'
5 w# @# Y3 b/ b0 f! F2 l% morganizationName :PRINTABLE:'DIC'3 G: D$ J6 _$ s2 [2 ^: e. |
commonName :PRINTABLE:'tgh'
% Y3 r1 P; k5 YemailAddress :IA5STRING:'tghfly222@126.com'# `, A% B% G2 @1 O
Certificate is to be certified until Jul 16 05:52:27 2021 GMT (3650 days), l) g! T l7 s$ F
Sign the certificate? [y/n]:y
# l" x2 E8 o6 k& v0 q
1 out of 1 certificate requests certified, commit? [y/n]y
! U+ q" C& L' s5 |3 T' @6 b# z0 }Write out database with 1 new entries; O/ y. y" d3 C
Data Base Updated
8、创建dhDiffie-Hellman )密钥算法文件
2 d' O& h; |9 K% @0 j[
root@www.linuxidc.com easy-rsa]# ./build-dh
' P4 X- w$ S% [7 N
Generating DH parameters, 1024 bit long safe prime, generator 2
' p0 d# c5 z2 n; u# BThis is going to take a long time
* C$ b0 q- \! |4 Y5 }# s) X
...+.......+.....+........................+......................+.....+...........................+..........+.......+.................................................+.....................+............+..............................................+..........................................................+..............................+...........................+..+.....+......++*++*++*
9、生成 tls-auth 密钥 ,tls-auth密钥可以为点对点的VPN连接提供了进一步的安全验证,如果选择使用这一方式,服务器端和客户端都必须拥有该密钥文件。
2 c1 r' @1 c; F- D
[
root@www.linuxidc.com easy-rsa]# openvpn --genkey --secret keys/ta.key
3 [0 R% E5 L/ ?8 j% t; \" Y
[
root@www.linuxidc.com easy-rsa]# cp -rp keys/ /etc/openvpn/ #将证书文件复制到/etc/openvpn/
local 192.168.161.172 #服务器所使用的IP! c+ J3 k- b' z8 k d9 b: w
port 1194 #使用1194端口
* e: D( ~+ W; H! l5 iproto udp #使用UDP协议
& o# ^/ m: g4 e1 o7 w4 Ydev tun #使用tun设备$ }3 o4 Z, F2 m$ [" Q1 f
ca /etc/openvpn/keys/ca.crt #指定CA证书文件路径) w$ k/ h) t$ Q/ s5 {0 H
cert /etc/openvpn/keys/server.crt |/ j5 W* g4 U% O
dh /etc/openvpn/keys/dh1024.pem
$ D* h2 \* D4 n$ ^9 n9 G5 Htls-auth /etc/openvpn/keys/ta.key 0
- a6 n" u0 y! V) H* e9 Cserver 172.16.10.0 255.255.255.0 #VPN客户端拨入后,所获得的IP地址池
: M8 q( N2 u& ~5 L) x1 _8 mifconfig-pool-persist ipp.txt
1 ?+ j5 i ?( P8 o$ Y; t; r4 wpush "dhcp-option DNS 202.96.134.133" #客户端所获得的DNS
4 c. Q; H, M, e ^" h6 l' _* c" Gclient-to-client% P, r/ L7 S; u% r) f8 q4 R! Z* H C
keepalive 10 120
0 E2 f2 c! [0 B( H( }comp-lzo' M! e2 q# [! [2 }1 x- Y
persist-key6 P. G- A2 ~: r# f4 ~
persist-tun K3 A" ]- J3 i
status openvpn-status.log7 N6 b0 B5 [/ ?& |1 h
verb 3
8 s# }! C" s* I f1 Mmute 20
[
root@www.linuxidc.com openvpn-2.0.9]# service openvpn start
) S3 P6 @* k9 k3 Q! z
Starting openvpn: [ OK ]
) T& E" f. g9 r# S/ M: O, X* Y[
root@www.linuxidc.com openvpn-2.0.9]# netstat -anp |grep :1194
8 P; u( [; e; ]7 @' r, L3 _
udp 0 0 192.168.161.172:1194 0.0.0.0:* 25162/openvpn
发表于 2020-1-19 08:52:01