浏览此站
联系我们相册切换到窄版 Language

 找回密码
 注册
易陆发现论坛»论坛 操作系统区 应用网络 linux下openvpn2.3.4服务器部署
返回列表 发新帖
查看: 5058|回复: 4

linux下openvpn2.3.4服务器部署

[复制链接]
admin

1

主题

0

回帖

12

积分

管理员

积分
12
QQ
发表于 2019-9-5 17:00:01 | 显示全部楼层 |阅读模式
二、部署openvpn    本次部署openvpn服务器,因为使用了最新的openvpn2.3.4,而这个包里面没有包含最重要的证书制作部分:easy-rsa    openvpn官网也给出明确说明:Starting with openvpn-2.3_alpha2 easy-rsa is no longer part of the OpenVPN source or binary packages    所以,我们需要事先下载好easyrsa,可以到GitHub上进行下载,配置过程将在下面第3步进行,本次部署使用了easy-rsa3,与easy-rsa2.0的操作完全不同,网上其它关于easy-rsa2.0的教程不适合本次部署    在部署openvpn之前,最好用ntpdate同步一下服务器的时间,否则生成证书的时间也不准确,会造成那个什么centificate error等的错误!
# F' ]  `# }7 v  T+ u1、安装lzo& m- H, F6 }  g* c
    lzo是致力于解压速度的一种数据压缩算法123[root@vpn ~]# tar xf lzo-2.08.tar.gz[root@vpn ~]# cd lzo-2.08[root@vpn lzo-2.08]# ./configure && make && make install2、安装openvpn1234567[root@vpn ~]# tar xf openvpn-2.3.4.tar.gz[root@vpn ~]# cd openvpn-2.3.4[root@vpn openvpn-2.3.4]# ./configure --with-lzo-headers=/usr/local/include/ --with-lzo-lib=/usr/local/lib[root@vpn openvpn-2.3.4]# make && make install[root@vpn openvpn-2.3.4]# [root@vpn openvpn-2.3.4]# which openvpn/usr/local/sbin/openvpn      #看到这里,说明安装openvpn成功3、配置easyrsa服务端    openvpn-2.3.4软件包不包含证书(ca证书,服务端证书,客户端证书)制作工具,所以还需要单独下载easy-rsa,最新的为easy-rsa3    Starting with openvpn-2.3_alpha2 easy-rsa is no longer part of the OpenVPN source or binary packages(来源openvpn官网)123456789101112[root@vpn ~]# unzip easy-rsa-master.zip [root@vpn ~]# mv easy-rsa-master easy-rsa[root@vpn ~]# cp -R easy-rsa/ openvpn-2.3.4/[root@vpn ~]# cd openvpn-2.3.4/easy-rsa/easyrsa3/[root@vpn easyrsa3]# cp vars.example vars[root@vpn easyrsa3]# vim varsset_var EASYRSA_REQ_COUNTRY "CN"set_var EASYRSA_REQ_PROVINCE "Beijing"set_var EASYRSA_REQ_CITY "Beijing"set_var EASYRSA_REQ_ORG "nmshuishui Certificate"set_var EASYRSA_REQ_EMAIL "353025240@qq.com"set_var EASYRSA_REQ_OU "My OpenVPN"4、创建服务端证书及key(1)初始化123456789[root@vpn easyrsa3]# lseasyrsa  openssl-1.0.cnf  vars  vars.example  x509-types[root@vpn easyrsa3]# [root@vpn easyrsa3]# ./easyrsa init-pki Note: using Easy-RSA configuration from: ./vars init-pki complete; you may now create a CA or requests.Your newly created PKI dir is: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki(2)创建根证书12345678910111213141516171819202122[root@vpn easyrsa3]# ./easyrsa build-ca Note: using Easy-RSA configuration from: ./varsGenerating a 2048 bit RSA private key.............................................+++........+++writing new private key to '/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key'Enter PEM pass phrase:                      #输入密码,此密码用途证书签名Verifying - Enter PEM pass phrase:          #确认密码-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Common Name (eg: your user, host, or server name) [Easy-RSA CA]:nmshuishui  #输入一个Common Name CA creation complete and you may now import and sign cert requests.Your new CA certificate file for publishing is at:/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt(3)创建服务器端证书1234567891011121314151617181920[root@vpn easyrsa3]# ./easyrsa gen-req server nopass Note: using Easy-RSA configuration from: ./varsGenerating a 2048 bit RSA private key................................+++......+++writing new private key to '/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key'-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Common Name (eg: your user, host, or server name) [server]:nmshuishui-BJ  #该Common Name一定不要与创建根证书时的                                                                          #Common Name一样,这是血与泪的教训  Keypair and certificate request completed. Your files are:req: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/server.reqkey: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key(4)签约服务器端证书123456789101112131415161718192021222324252627282930[root@vpn easyrsa3]# ./easyrsa sign server server Note: using Easy-RSA configuration from: ./vars  You are about to sign the following certificate.Please check over the details shown below for accuracy. Note that this requesthas not been cryptographically verified. Please be sure it came from a trustedsource or that you have verified the request checksum with the sender. Request subject, to be signed as a server certificate for 3650 days: subject=    commonName                = nmshuishui  Type the word 'yes' to continue, or any other input to abort.  Confirm request details: yes        #输入yes继续Using configuration from /root/openvpn-2.3.4/easy-rsa/easyrsa3/openssl-1.0.cnfEnter pass phrase for /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key:    #输入刚才创建根证书时的密码Check that the request matches the signatureSignature okThe Subject's Distinguished Name is as followscommonName            :PRINTABLE:'nmshuishui'Certificate is to be certified until Aug 21 14:18:49 2024 GMT (3650 days) Write out database with 1 new entriesData Base Updated Certificate created at: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt(5)创建Diffie-Hellman,确保key穿越不安全网络的命令:12345678[root@vpn easyrsa3]# ./easyrsa gen-dh Note: using Easy-RSA configuration from: ./varsGenerating DH parameters, 2048 bit long safe prime, generator 2This is going to take a long time...................................................................................................................................................................................................................+..........................................................................................................................+..................................................+.....................................................+..................................................................................................................................+............+............................................................................................................+...+............+...............+..............................................+.........................+..................................+.................+............................................................+..................................+........................................................................................................................................+................................................................+.......................................+...................................................................................................................................................++*++* DH parameters of size 2048 created at /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem5、创建客户端证书(1)在根目录下建立client目录123[root@vpn easyrsa3]# cd[root@vpn ~]# mkdir client[root@vpn ~]# cp -R easy-rsa/ client/(2)初始化123456789[root@vpn ~]# cd client/easy-rsa/easyrsa3/[root@vpn easyrsa3]# lseasyrsa  openssl-1.0.cnf  vars  vars.example  x509-types[root@vpn easyrsa3]# ./easyrsa init-pki Note: using Easy-RSA configuration from: ./vars init-pki complete; you may now create a CA or requests.Your newly created PKI dir is: /root/client/easy-rsa/easyrsa3/pki(3)创建客户端key及生成证书12345678910111213141516171819202122[root@vpn easyrsa3]# ./easyrsa gen-req nmshuishui Note: using Easy-RSA configuration from: ./varsGenerating a 2048 bit RSA private key....................................................+++.................................................................................................................................................................................+++writing new private key to '/root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key'Enter PEM pass phrase:            #输入密码Verifying - Enter PEM pass phrase:-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Common Name (eg: your user, host, or server name) [nmshuishui]:nmshuishui   #输入nmshuishui                      Keypair and certificate request completed. Your files are:req: /root/client/easy-rsa/easyrsa3/pki/reqs/nmshuishui.reqkey: /root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key(4)将得到的nmshuishui.req导入并签约证书12345678910111213141516171819202122232425262728293031323334353637383940[root@vpn ~]# cd openvpn-2.3.4/easy-rsa/easyrsa3/[root@vpn easyrsa3]#   #导入req[root@vpn easyrsa3]# ./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/nmshuishui.req nmshuishui Note: using Easy-RSA configuration from: ./vars The request has been successfully imported with a short name of: nmshuishuiYou may now use this name to perform signing operations on this request. [root@vpn easyrsa3]#     #签约证书[root@vpn easyrsa3]# ./easyrsa sign client nmshuishui Note: using Easy-RSA configuration from: ./vars  You are about to sign the following certificate.Please check over the details shown below for accuracy. Note that this requesthas not been cryptographically verified. Please be sure it came from a trustedsource or that you have verified the request checksum with the sender. Request subject, to be signed as a client certificate for 3650 days: subject=    commonName                = nmshuishui  Type the word 'yes' to continue, or any other input to abort.  Confirm request details: yes       #输入yesUsing configuration from /root/openvpn-2.3.4/easy-rsa/easyrsa3/openssl-1.0.cnfEnter pass phrase for /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key:    #输入创建根证书时的密码Check that the request matches the signatureSignature okThe Subject's Distinguished Name is as followscommonName            :PRINTABLE:'nmshuishui'Certificate is to be certified until Aug 21 12:49:40 2024 GMT (3650 days) Write out database with 1 new entriesData Base Updated Certificate created at: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/nmshuishui.crt   #签约成功(5)服务端及客户端生成的文件
5 f/ a4 Z9 Y/ R- G& _2 p7 b% I服务端:(/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki)文件夹12345678/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/server.req/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/qingliu.req/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/qingliu.crt/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem客户端:(/root/client/easy-rsa)12/root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key/root/client/easy-rsa/easyrsa3/pki/reqs/nmshuishui.key   #这个文件被我们导入到了服务端文件,所以那里也有(6)拷贝服务器密钥及证书等到openvpn目录1234[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt openvpn-2.3.4/[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key openvpn-2.3.4/[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt openvpn-2.3.4/[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem openvpn-2.3.4/(7)拷贝客户端密钥及证书等到client目录123[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt /root/client [root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/nmshuishui.crt /root/client[root@vpn ~]# cp /root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key /root/client(8)为服务端编写配置文件当安装好openvpn时候,它会提供一个server配置的文件例子1/root/openvpn-2.3.4/sample/sample-config-files/server.conf将此例子拷贝openvpn目录,然后配置123456789101112131415161718192021[root@vpn ~]# cp openvpn-2.3.4/sample/sample-config-files/server.conf openvpn-2.3.4/[root@vpn ~]# vim openvpn-2.3.4/server.conflocal 192.168.1.104    #(自己vps IP)port 1194proto udpdev tunca /root/openvpn-2.3.4/ca.crtcert /root/openvpn-2.3.4/server.crtkey /root/openvpn-2.3.4/server.key # This file should be kept secretdh /root/openvpn-2.3.4/dh.pemserver 10.8.0.0 255.255.255.0ifconfig-pool-persist ipp.txtpush "redirect-gateway def1 bypass-dhcp"push "dhcp-option DNS 8.8.8.8"keepalive 10 120comp-lzomax-clients 100persist-keypersist-tunstatus openvpn-status.logverb 3(9)开启系统转发功能12345[root@vpn ~]# vim /etc/sysctl.confnet.ipv4.ip_forward = 0  改成 net.ipv4.ip_forward = 1[root@vpn ~]# sysctl -p[root@vpn ~]# sysctl -a | grep net.ipv4.ip_forwardnet.ipv4.ip_forward = 1(10)封装出去的数据包(eth0是你的vps外网的网卡):1/sbin/iptables -t nat -I POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE三、下载openvpn客户端,并进行配置1、将客户端密钥及证书等拷出到windows备用123[root@vpn ~]# cd client/[root@vpn client]# lsca.crt  easy-rsa  nmshuishui.crt  nmshuishui.key    #带后缀的这三个2、安装openvpn-gui工具* Y, G2 u7 E3 d/ _8 X( X
(1)将D:\Program Files (x86)\OpenVPN\sample-config\client.ovpn复制到D:\Program Files (x86)\OpenVPN\config(2)将从linux中拷贝出来的三个密钥及证书放到D:\Program Files (x86)\OpenVPN\config下(3)编辑D:\Program Files (x86)\OpenVPN\config\client.ovpn,修改为12345678910111213clientdev tunproto udpremote 192.168.1.104 1194resolv-retry infinitenobindpersist-keypersist-tunca ca.crt //这里需要证书cert nmshuishui.crtkey nmshuishui.keycomp-lzoverb 3
回复

举报

admin

1

主题

0

回帖

12

积分

管理员

积分
12
QQ
 楼主| 发表于 2019-9-5 17:00:02 | 显示全部楼层
   1.2 准备 OpenVPN 安装目录
# i- x% J: D) i+ q4 S# q- H/ B+ Y$ ~, {. k
        因为此文件是使用源码安装,所以选择的程序安装目录为: /usr/local/openvpn 目录, 配置文件目录为/etc/openvpn 目录
% N0 \4 F. D8 p0 k& s8 w; R2 k+ \+ W8 g( b, Y0 p& H- g
        程序目录: /usr/local/openvpn+ [" ~5 {7 L6 g$ m
4 L9 x) R$ u* E0 x$ z2 X; i
        配置目录: /etc/openvpn- G# w. A* s0 ]+ ?) v/ `1 i+ C0 {5 k+ U

) a( h% o* {3 g: p8 g2. 开始安装 OpenVPN
! D) t) D" Y! I- ~" J
) m% [. ]( h, d+ K0 |   2.1 编译 OpenVPN% b6 i5 ]* v/ S. Q( F: r9 h
+ W' ?# Z0 E3 B* i% ]1 E
        [root@client ~]#cd /home/src/openvpn; I* ^1 Q* y! ]6 |! A

8 k4 }! `( M2 K- f7 X5 F        [root@client openvpn]#tar zxvf lzo-2.03.tar.gz
2 c1 E0 D1 ]6 m) k
* ^( W( }1 b4 O4 Z& W6 s        [root@client openvpn]#cd lzo-2.031 w0 o* i  b9 w5 H& M

: ~& B& h$ h" s" g5 V0 \        [root@client lzo-2.03]#./configure && make && make install
- t; [  {( C, [) ]% g$ ?: @1 K! ^  C9 |+ k# u
        编辑/etc/ld.so.conf
9 D: v% T' K9 m3 ?3 l# z$ l! M+ y2 |( u2 m
        [root@client lzo-2.03]#cat >> /etc/ld.so.conf << EOF
. u5 |- Q/ @- q9 J, f
# n" |' p5 Z# M) w  P          /lib7 q* L; y; H( ?" e) C6 U/ E6 w

" T2 l  U" i9 a$ T4 o/ H          /lib64
4 i& a. E7 [- E5 |4 F" [+ v: G. Y: Y( [" I
          /usr/lib
' H! M1 m$ N! A, p1 L  d4 w/ o, }" C2 L5 k% z4 Y6 c
          /usr/lib64
3 i8 ~6 s0 f9 L# }* s! O/ t7 o0 U# O$ b; R
          /usr/local/lib
  X4 E9 M1 Y" _3 }  t9 I1 h$ O: O
          /usr/local/lib641 P  C, T; S1 K
  O# p, ~2 z% D. _. x! d
          EOF
7 _7 l% u- D; O! w0 y
, b9 U9 t/ [) k1 c6 D        编辑完后运行# T7 c6 E. }# g
+ l! U7 @: ~) v3 d. s* O4 P3 U# ^
        [root@client lzo-2.03]#ldconfig" K6 n+ s( N! J1 [2 \6 s. X/ r
- ?  Z9 l1 r+ L$ u
        使动态连接库文件生效,接下来编译 openvpn3 g4 A- G" H& L
4 e: X1 Q  w" N; I+ J9 ]
        [root@client openvpn]# tar zxvf openvpn-2.0.9.tar.gz: B8 S, T( ~+ a1 l- y2 I, @
: o0 V! z7 ]+ r4 P9 W5 }) H
        [root@client openvpn]# cd openvpn-2.0.9/ J' b* I! Y/ }0 I
" h" C! c* I5 G0 I, P- [3 b6 }0 b
        [root@client openvpn-2.0.9]# ./configure –prefix=/usr/local/openvpn && make && make install
, n5 o6 `2 ]' `; G5 W9 h/ H) }& L- k+ O5 V* w% a
        [root@client openvpn-2.0.9]#tree /usr/local/openvpn1 {* P2 N9 i5 v$ ^+ \
4 w* w$ p- R5 L* K) o
        应该有以下输出# j' F3 I4 w3 l4 W
1 h7 X  ]( h4 p8 L6 j$ v4 n1 x
        [root@client ~]# tree /usr/local/openvpn/
% F0 f3 |$ b5 b& @5 a0 q
) S0 S( d3 W+ R. e, A7 U3 l        /usr/local/openvpn/% J" s. M3 W! [2 w$ O0 e# [  P
* Z- S! I" j" n) J( [; d4 y! f+ J
        |-- man% g, V' m3 s  M
" g- s$ r% j1 X2 P$ H2 G6 J3 _
        | `-- man8' J7 c3 z( m/ R' f. B. H6 _

& G/ I6 n8 c8 K1 t0 k; M( Z5 F        |      `-- openvpn.81 ~% y, m# K$ d# h9 |' U. T
- U- w6 f5 R$ I& o% O
        `-- sbin
0 L+ W1 {$ r! C0 p$ E& m6 G+ r: A% [9 P  G8 c$ z
        |-- key+ L. {& H8 Y8 H$ a$ \4 z

: O) }- [6 D, l* R! R& ~5 m; Y' V        `-- openvpn7 }; r4 g' W; M* x. N! l3 a7 v* r
) g: _* I) i- h2 K; P( k
        3 directories, 3 files
* s; O) M1 y4 `3 _
$ q* g# V3 }- J6 T3. 配置的 OpenVPN Server3 e( q9 p4 c9 p' F( Z2 ?; X, g

" j- L5 K- A- `, z* S7 S   3.1 建立配置环境
% w! z% M$ S$ M" ^- s) f' `' f  C6 c3 L7 F
       [root@client ~]# mkdir -p /etc/openvpn
5 {) a) o' ^& G5 e0 C. o
" P! k+ S' G" r  k  t- i       [root@client ~]# cp -R /home/src/openvpn/openvpn-2.0.9/easy-rsa /etc/openvpn5 q7 j& @- N7 o# M" L9 I% \
% R8 v5 B( t" {6 v( R
       [root@client ~]# cd /etc/openvpn/easy-rsa/2.0/7 ^: o' r, A! `# ?1 t' `* j
4 {0 d  ?+ `  n
       此目录下以许多程序及脚本, 以下为使用到的程序及脚本说明
/ K' e/ H/ u/ X( b1 \- j, V- A  B' H! Y" W+ p( O; w# H
       vars                  脚本, 是用来创建环境变量,设置所需要要的变量的脚本7 L" X+ ]: i3 f% C

1 V7 P7 V& g$ h4 D" E. A       clean-all             脚本,是创建生成 ca 证书及密钥文件所需要的文件及目录% Y: u& x! P7 z, X
7 \& c5 E' E: K9 Q* ^7 |
    build-ca           脚本, 生成 ca 证书(交互)
1 Z( c4 C" Y& n" h5 a& v
% k1 a$ Q" x0 d    build-dh           脚本, 生成 Diffie-Hellman 文件(交互)8 U4 J- l& O5 n. W" l, ^; Q( p
1 }! d" _/ O6 X0 ?" u
    build-key-server   脚本, 生成服务器端密钥(交互)/ \0 ]* i- t* K' X) ?$ C2 ]2 o

: {* _0 @6 a& O! O; p+ x    build-key          脚本, 生成客户端密钥(交互)
7 a- h1 j+ Z  m5 k. L, I
1 ?6 ~" L; F8 g5 h    pkitool            脚本, 直接使用 vars 的环境变量设置, 直接生成证书(非交互)' F2 y3 a3 @3 \! o+ y5 B
; y3 I! x6 m. K7 D
3.2 生成 CA 证书及密钥[注意字符输入不要出错]
/ ]$ i8 J. I+ V5 E
7 R: [% [. Q$ g$ B# U3 T  q    [root@client 2.0]# . ../vars
& {! i) _' ~- o
5 j4 g" U* p# x* H; X; N# S: U/ Y    [root@client 2.0]# chmod +rwx ** W" X- Q' m7 B+ t$ w( M7 e

6 z! X$ ^) @" g' m1 j# |0 ]' q    初始化 keys 目录,创建生成 ca 证书及密钥文件所需要的文件和目录7 N% E$ e( z: Z  ?, z, O

. ?; [5 H  h( W# K" {3 d4 l% i    [root@client 2.0]# ./clean-all
+ A0 Q/ A0 P+ E, d( n" X  y: H6 ]% |" ?; Z: b9 k1 A; @) F
   编辑 vars 文件,生成环境变量, vars 里的参数根据自己需要改变.
* V& l1 b2 s7 {3 N) h7 {( q, `6 C( i; L: r2 a
   export KEY_SIZE=1024                     #生成密钥的位数
: R+ h5 n6 `' R9 _2 \# }& Q  T9 {+ L' K
   export KEY_COUNTRY=CN                    #定义所在的国家编码, 2 个字符
7 h- P+ {9 d1 r: d! Z' ]+ P- S6 A3 z  F; i
   export KEY_PROVINCE=BeiJing              #定义所在的省份
1 J+ w; E& c4 q! Q& T/ }! o5 V! D6 c  c& H: R3 g
   export KEY_CITY=BeiJing                  #定义所在的城市' e7 V9 A/ }% X9 N! |9 j  u9 Z* j$ L

# i  O6 Q, J& G+ ^+ ?   export KEY_ORG=”VPN Test org”            #定义所在的组织
* e0 ^7 Y6 A3 U- N+ E- z2 [0 P& n  l! d, G8 n* F' }
   export KEY_OU=”VPN COM”                  #定义所在的单位' S2 }( A3 g* C& A+ Z" v4 I  G- e

2 t+ U( D4 s$ C9 i' L' G   export KEY_EMAIL=”china.client@gmail.com” #定义你的邮件地址# a6 C! b1 m' I1 }) }4 Z1 P* c7 B

0 l& y7 n( `% L* W0 j    修改好 vars 文件后就可以开始生成 ca 证书及密钥文件了!
" ]. y9 U# O- {; r/ A5 y. o, x6 T
  ?3 j9 h( b& _4 M1 R1 a1 _    [root@client 2.0]# source ./vars
! f& o% l3 |6 \" v8 C/ s
) a+ x8 r! P- G9 z    生成 Root Ca 证书, 用于签发 Server 和 Client 证书
$ r( O& c3 V) @! O+ V! w% i) R8 O7 [! d: \* K# s# }3 \5 Z
    [root@client 2.0]#./build-ca
* i4 @! t" k# y& N1 }. {2 D# b, v, f7 E- z" \1 g
    [root@client 2.0]# ls keys
- e& j1 q! [9 E% T% w) H7 H3 t8 a# b$ T. y; g4 d
    可以看到已经生成了 ca.crt ca.key 文件
& w% B: b- p5 d$ J$ M1 r; D  c' I1 b, a; U6 a
    生成 Diffie-Hellman 文件) J5 x1 e( I8 e

4 s7 i1 B- D) K7 s0 h    [root@client 2.0]#./build_dh
' _) Z. }- M( t# m" F* o
% n$ O  V' P. N) F" N    [root@client 2.0]#ls -l keys/dh2048.pem
! u& C) E: n. |6 ^5 y5 a2 T; L0 D
4 G' T+ J/ L, H  f+ A: a6 `2 Z    可以看到生成了 2048 位的 Diffie-Hellman 文件
# j% |9 v3 ?( K& j( {
" x0 G& M/ C1 ~( f; F% R    生成服务器使用的 VPN server Ca 证书" I9 ]* r: ~' F* t( T! F
% k, }# I: ~( D. W, j; d7 u
    [root@client 2.0]#./build-key-server server
0 t; S7 J- R. c
. H# P6 x4 @, q& \2 O$ ?    server 是你为 CA 证书起的一个名字, 以 server 名字为例,生成的服务器使用的 CA 证书文件为: server.crt server.key
, ]/ H/ h: I% ^* f5 t" T) @
* x3 ]+ w% j6 P& j6 B1 z0 `    将生成的 CA 证书及密钥拷贝到/etc/openvpn 下! N0 m5 L  b7 V+ ?' t" @; N

9 e! ~% l% J6 {$ W0 ?# S* @    [root@client 2.0]#cp keys/{ca.crt,ca.key,server.crt, server.key, dh2048.pem} /etc/openvpn/
, S. n. z- J. @0 F3 R( p3 |# k- b5 O3 [( |
3.3 生成客户端 CA 证书及密钥6 B, ?* S6 Q% i2 n

/ Q( n3 L1 [! L; Z$ b, Q  ]    生成客户端 CA 证书及密钥使用:build-key 程序即可1 X! O% ]9 h: g

$ C+ R5 t; ]" Y    [root@client 2.0]#./build-key client
; ]. V  }( a- E0 k! J* }" {
' ^* V3 F6 x: @    将在 keys 目录下生成 client.crt client.csr client.key 三个客户端证书0 A, g$ I: o, z  V, K6 C/ U
' }- s' g: U* s% }1 {7 n
    将 ca.crt ca.key client.crt client.csr client.key 五个文件打包,以备客户端 vpn 使用) `4 `: I7 S) |+ O, C+ U+ N$ N  V8 ?

0 T+ W, x/ Q; E0 q7 A' H/ M# U    [root@client2.0]#tar zcvf client.vpn.key.tar.gz keys/{ca.crt,ca.key,client.crt,client.csr,client.key}" k- p3 O" j) A) R  c, [8 Q

; G: p. y( [6 d+ X% v8 j. i5 U3.4 生成 openvpn 配置文件
+ l  `; |6 Z/ \! M' h
  K6 Z  ]0 c/ z) N6 f    创建 openvpn 配置文件最好的方法是先看 openvpn 的样例文件,在源码目录下的 sample-config-files 下,本例为" [& H( f1 J# J1 U
+ p) p! a- v9 N( J( a. q0 t
    /home/src/openvpn/openvpn-2.0.9/sample-config-files
1 r& K* H3 C# m% ]- `, y% A( q
: a/ T7 ]4 F5 |3 ~* g& ]    服务器端配置文件名: server.conf* H$ J2 T( ]! O! \- v/ F
* i+ ]/ M" N& h/ t1 r- R' y; C
    客户端配置文件名为: client.conf; |# g4 k; ?5 k! r6 |
; E5 f) n7 [, T! t0 u
    可以根据需要修改.
1 Y! @) w$ M) ?+ O
+ @3 t, I7 `- w7 @5 _. d7 X, C    本例的配置文件 为:/etc/openvpn/openvpn.conf
. {8 i! T1 D* N) a) k: @
2 G% c( U' E7 u; J1 z! C     #########################################################################
+ {" D) [; t  r0 M) Q+ E7 [! E, H" f9 l2 M5 _  Q
     port 1723 #openvpn 默认端口为 1194
1 Z% o% X% M, {1 s1 T% \) d  f( W; D% M! T* k/ t
     proto tcp
1 g9 S; E  x; V# m* j& ^( M- }; l2 @: W' u2 N* l. f' G
       dev tun) h" b, r7 J. o2 t

+ g5 \+ u  m) d9 K& e1 T3 s/ D       #########################################################################
/ r( A" c, |( n$ A( }" d+ f& A4 j  q1 x  B' T* \% m$ C
       # ca 证书及服务器证书以所在的文件目录为准,本例是放在了/etc/openvpn 目录下,与配置文件相同目录) O  }+ s1 ?3 q* @) y* E3 o2 n. _9 [+ |

4 b; O- B+ ~: \" ]9 c* M, P       #########################################################################
! y+ p0 i! h# v/ E. U. d5 V: J5 p7 V+ G" V- s
       ca ca.crt+ M& J( R. C7 d7 U* e
7 u* I% b$ x* ?
       cert server.crt
* w8 n1 `5 X* }$ E& w
- K& ~! y9 P$ a$ w       key server.key
* `0 O# n7 F' O" D
$ S/ s  R" i* l, v+ R- b7 G, r       dh dh2048.pem
( k1 c+ b2 d7 {0 X$ j
) d$ u. A: _! M7 u) V       server 172.16.0.0 255.255.0.0
3 O$ R$ r2 \0 W0 ?  H/ s6 Z
, O; j* L: E7 f3 u       push "dhcp-option DNS 202.106.0.20"1 y: ~' a8 h0 p- s7 m+ I. M

7 U. P. _& a* m( _* \       push "dhcp-option DNS 168.210.2.2"* ^" b% i. O$ T2 d8 [2 b2 M: j  x6 C, m1 }
# R# K/ R5 w+ A) H( U* x1 Y, ^7 @4 N
       push "route 172.16.0.0 255.255.0.0"9 U8 }- I+ Z! |7 _' C4 e- H8 l7 W$ O

# B. q2 p! \5 w, z  {. u. C) w# M       ifconfig-pool-persist ipp.txt% ^8 L. x4 r$ L$ t& `& I. X
9 W2 R: y0 M5 |, n& I! U4 j
       keepalive 10 120/ n8 }- L) S+ ~6 Y  z4 K: M

: s$ i: _( S2 M; M6 s. U. v& @       comp-lzo7 I$ U- K, d9 j, z
4 l1 f9 f: ^+ P" Q$ l% r8 v
       user nobody% W2 c' t& |  C6 y: V% ^

0 Z* h& `, {, b& S       group nobody
4 r  S. U; o: G+ Y7 R0 `, K( E* v; m( J
       persist-key+ D- u3 ^6 u- E$ i; A5 V1 O0 E

  ^: `, r6 s2 N8 J/ Z! y: h       persist-tun
% r, F3 B9 G7 w- [9 u# h1 {3 E$ z! z/ W0 x# K3 }
       status /var/log/openvpn-status.log
, r/ U0 d4 o- y7 G$ a7 i1 k$ g& W% Y% V& r
       verb 3/ [; g7 r* i: t0 O8 r3 c9 Y0 {
4 ^: v4 V7 A" a  C& @
       #Client 之间可以相互访问
+ S3 h4 O5 G" k  }  |5 `
- g, J8 f, R' @/ {5 ^( s! H; D       client-to-client
" s4 M" k% Y$ C4 F5 W0 Y
1 \, }  F! F4 Q       #允许一个用户多次访问0 N; x+ H% {& v( d
2 g$ x7 V  X) q. i3 D: D: T, {
       duplicate-cn) ]4 _8 Q. ^( A  N6 N& B
& a6 }: x4 j$ s) e2 x6 M! V1 B
       log /var/log/openvpn.log
$ R5 l- ?0 w, `8 C0 z
( e; R+ L/ ^; Z6 ^& ?  v( O2 ?$ H; Y       log-append /var/log/openvpn.log
0 W* s) x+ ~+ M+ A3 j, ?$ t5 q% O( ~" ?9 Z8 t, T( t
       #########################################################################
/ Y! \% }3 j* J5 ~  p8 t( g# ]9 o3 w# ?' O( ^; S
  3.5 创建 openvpn 的启动脚本# Z! l6 \( a& z( W( O. g' o
) I6 V' f) t3 X3 R
      openvpn 的启动脚本在源码目录: sample-scripts 目录下* q8 u6 Z+ }; q: Z
4 b8 I$ H+ R% p& u0 Z
      文件名为: openvpn.init. f. x8 [8 f/ m

8 q7 d& K4 ~. \2 I      将 openvpn.ini 拷贝到/etc/init.d 下,并重新命名为 openvpn4 B" A8 u0 j& H$ c

: c6 |  `/ }( p4 j      [root@client ~]#cp -f /home/src/openvpn/openvpn-2.0.9/sample-scripts/openvpn.init /etc/init.d/openvpn! i1 i; D% Q' ~% r! z+ D8 ?& @" A
1 ^5 J. P" |) S/ t- i, C: s& o: a
      因为是用源码编译安装并指定了目录,所以需要修改/etc/init.d/openvpn 的 69 行
9 Z; o% R- Z- m( P6 j, y2 ]& X: [( {& ~# q  r. S; ~- V6 a/ D
       openvpn_locations="/usr/sbin/openvpn /usr/local/sbin/openvpn"
- U8 c; x: x8 u+ f  b! w6 q* a6 v
      修改为:  v  j! m4 t! E5 k* h
" \' P  y4 @8 w# c+ a1 Y8 N- g! Y5 R
        openvpn_locations="/usr/local/openvpn/sbin/openvpn /usr/sbin/openvpn /usr/local/sbin/openvpn", b4 }4 B! O1 F3 K$ r
6 g4 y0 [( B& z5 j! R
  3.6 将 openvpn 添加到系统自启动6 }: A- D0 q$ v$ _, l" @! K3 q; p

8 J: z0 v' p, n      [root@client ~]# chkconfig –add openvpn
1 b- p% Q/ \# [. i2 z* ~  @  v% T4 u) z3 ~, J/ b
  3.7 启动/停止 openvpn 服务/ R7 y/ k% A! t) b

: b, \( s5 ?+ n& H5 n5 Z7 G         启动 openvpn 服务' k1 I! k2 g5 u  D6 A+ o, p

! f; e: q' P3 G# t         [root@client ~]#service openvpn start/ H4 p$ f9 J- c3 S

- I' `! k+ D& U. z: u0 Q0 L         停止 openvpn 服务
: ]! `# P2 L/ e6 ~: v# V) |$ \5 }2 s, @( j
         [root@client ~]#service openvpn stop
回复

举报

admin

1

主题

0

回帖

12

积分

管理员

积分
12
QQ
 楼主| 发表于 2019-9-5 17:00:03 | 显示全部楼层
安装 LZO 代码:
3 `6 t! i. s7 Z# h0 n. Z6 y- ~cd /lzo-2.02
( K# p- p5 g- b./configure : W9 @: \! V1 @  V
make
- s) O! ?* j* Q3 Gmake check . [; |9 W% A& h& Z9 F3 K
make install
3 H7 a7 X$ m0 \9 z. b- z安装 OpenVPN2 A* K4 w$ S4 h! [
代码:
; Y" C+ L3 |% \+ s! L( f; T3 v- F4 ]  k1 M7 U2 S2 q
cd /openvpn-2.0.5
, a4 n- r5 R& R1 o) j./configure
4 A/ o/ W: F5 N8 k/ L9 `# 或用指定dir: (注:下述命令, 应该在一行写完. 为了方便显示, 这里分成了四行)& r' L7 c5 t' L: @6 m# H
# ./configure --with-lzo-headers=/usr/local/include 4 o2 b( Z9 X7 k2 o7 [
#  --with-lzo-lib=/usr/local/lib
) r# m7 C5 o* `  W# t& }#  --with-ssl-headers=/usr/local/include/openssl , J0 S2 ~  d; k4 \2 v
#  --with-ssl-lib=/usr/local/lib 4 l: _3 g/ g- F! c! C
make
$ {  K# ~# @( I; ~' M& Dmake install
6 U2 o' M$ y7 \2 O8 G. m; w4 Y生成证书Key
- Q1 W) A* {1 Z, R0 Z初始化 PKI8 c7 R" ^9 y2 s) n% K. n

1 [4 z. F$ f- B4 v) X( i(如果没有 export 命令也可以用 setenv [name] [value] 命令)
$ J; P$ Y5 w% X- ~" V9 |. n; a9 M+ ]8 l* {  p
代码:) O/ g$ r* N( j
: v, {9 e. u1 o; F
cd /openvpn-2.0.5/easy-rsa ! a4 X( D+ s, q; w
export D=`pwd` ' ]; ]2 `2 X0 M3 o
export KEY_CONFIG=$D/openssl.cnf
+ M2 w2 x6 Q6 m4 {* p3 _: o1 Pexport KEY_DIR=$D/keys
8 x) V. v8 o  x$ ^. Texport KEY_SIZE=1024
: M& q& b' }. t/ Hexport KEY_COUNTRY=CN , E2 z7 L+ U2 R8 n# S% O
export KEY_PROVINCE=GD
7 {" q% n; Q, R4 M6 Sexport KEY_CITY=SZ
* c* |1 w( N' l" X0 [* iexport KEY_ORG="xiaohui.com" - a: e7 ^0 p" o. V) K
export KEY_EMAIL="your-email [at] xiaohui.com" 1 m8 D; c, [0 Z+ L/ ?. P9 N. u
Build:6 V9 r& k" J9 Y6 N/ n# T* S& D/ d
代码:* s* s: ~1 d! X7 M) D: A
1 z/ E9 z" [. X- G6 n  z
./clean-all 3 Q* C& _) C) ~  ~- |
./build-ca
- [: S: P2 f2 e& S$ J7 G* P: E: i
Generating a 1024 bit RSA private key
$ J+ t' d) P& f, }/ I................++++++
! N3 J' w' ]5 l! H# O........++++++ 1 c, N5 H* G* o& S7 B
writing new private key to 'ca.key' + ]! F! F; T$ R3 [& E9 c. q
----- 5 M- S/ Q# z/ u) s% I- l* C9 h
You are about to be asked to enter information that will be incorporated 0 I2 _6 e; l! R' F* m7 w' R( D
into your certificate request.
  h- h8 h' @" `What you are about to enter is what is called a Distinguished Name or a DN.
6 d- @3 y7 M1 EThere are quite a few fields but you can leave some blank , v) j: j8 ]  ~3 ~+ \! v
For some fields there will be a default value,
3 k1 u8 i* q9 T: l  ?8 O! @If you enter '.', the field will be left blank. 9 E! }4 T9 d$ V; C
-----
2 `# t8 t5 I) ACountry Name (2 letter code) [CN]:
4 B, z1 ?# v( W( K# Z! X9 J: aState or Province Name (full name) [GD]: 0 Z0 f* R: `. r( a1 \4 d; R$ U
Locality Name (eg, city) [SZ]: $ L- N* B/ M7 l# V; d! ?. ~3 x; {
Organization Name (eg, company) [xiaohui.com]: & @) H& _  g* w% ^. j5 d
Organizational Unit Name (eg, section) []:xiaohui.com + b: j) a! G& z; ]  N8 X
Common Name (eg, your name or your server's hostname) []:server
4 I' b/ n: a5 S9 U& P9 H2 D" t7 BEmail Address [your-email [at] xiaohui.com]:
9 s8 L' e5 y* {$ g4 q# a; n# 建立 server key 代码: 代码:  x  H& h* X6 h' I0 }; y- D
./build-key-server server 5 S/ t5 H  o( s" I# x; [
  n; `4 A% Q$ y( B) ]1 p  H
Generating a 1024 bit RSA private key
8 @7 l" I9 c1 X3 W. M% i......++++++ 2 P) X; a6 z( }+ o
....................++++++
7 E2 J7 t1 o2 f7 H2 k0 V& Qwriting new private key to 'server.key'
/ n+ }" u, a0 z-----
$ [/ R' X9 g' d' f9 w5 N' J, y5 `You are about to be asked to enter information that will be incorporated $ h; C9 g" j, U- t/ Z" V
into your certificate request.
  A% \& I) f& U* |1 IWhat you are about to enter is what is called a Distinguished Name or a DN. * W2 k1 z" u2 S( S) M# Q" N
There are quite a few fields but you can leave some blank
& C2 |2 T6 C! c( k: oFor some fields there will be a default value, 4 O: f! k' u6 e" A
If you enter '.', the field will be left blank. # c/ r( w+ Z2 T2 h5 O! _+ |
----- 5 n7 n; K& m& \% O# o
Country Name (2 letter code) [CN]:
# R: H5 z) f+ ]1 @( i( H0 J$ l6 zState or Province Name (full name) [GD]:
% X% O$ `8 O% [8 Z7 f! S' VLocality Name (eg, city) [SZ]: " P) }9 T$ e9 A. Q8 e: x" E
Organization Name (eg, company) [xiaohui.com]:
; Q& W2 F0 M) N/ cOrganizational Unit Name (eg, section) []:xiaohui.com
7 d9 k# l1 F4 ^1 z3 G! f' G: XCommon Name (eg, your name or your server's hostname) []:server
4 r5 a# E8 w/ [. K  n* {' y2 aEmail Address [your-email [at] xiaohui.com]:
9 q* ]% `; z6 }
4 j: s6 k& w! S* F; jPlease enter the following 'extra' attributes 1 ^, y! ]. V( g; W7 v
to be sent with your certificate request 3 @3 O0 D8 W: d  u* V$ t; T! v6 Y
A challenge password []:abcd1234
0 @/ p) B: Z% r( a' \+ r, s% HAn optional company name []:xiaohui.com
; ]7 u  n: R- G6 ~Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
. \/ K% X* {* yCheck that the request matches the signature
2 l* `' y! V: CSignature ok 1 ]* e. q$ w1 x* e% L
The Subject's Distinguished Name is as follows
  N- [' F3 K4 i1 o* c# S) ZcountryName           :PRINTABLE:'CN' , |- z4 J2 g0 X
stateOrProvinceName   :PRINTABLE:'GD' 7 L4 \) U9 `# p$ Z' K8 U% X
localityName          :PRINTABLE:'SZ'
3 o0 x5 a1 w1 A1 x' G+ norganizationName      :PRINTABLE:'xiaohui.com' 7 B2 ^0 M5 ?! t' A% M/ ]
organizationalUnitName:PRINTABLE:'xiaohui.com'
- O1 l+ h  j, C# I) ycommonName            :PRINTABLE:'server'
( r, e8 w4 \% Q) A) g2 i( I: l( CemailAddress          :IA5STRING:'your-email [at] xiaohui.com'
6 L8 K! f( B- X1 fCertificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days) : {4 b  P3 c; i  I# Q5 `
Sign the certificate? [y/n]:y 0 b# @; c. a, z4 P5 W- w* g( C. d, Y7 l5 y
8 y& F) d& l4 ?

& ?& G# ?, }1 [) i, m: g% Y1 out of 1 certificate requests certified, commit? [y/n]y
( N3 j- F8 E. y$ J# X9 a0 `Write out database with 1 new entries - G5 t) \, N+ t, Y- r6 [) Q$ e
Data Base Updated % j9 g4 I( b! Q5 X/ C7 x0 R3 h0 r! N
#生成客户端 key9 X+ U1 r7 \5 F8 a+ J% M

1 R$ N. a% `! E代码:4 }7 U. p9 Q5 [9 R* A5 p9 U
) v0 v3 T, ?$ S
./build-key client1 2 r7 [* M7 |- p& s3 Y+ e! R: v
Generating a 1024 bit RSA private key ) ?( x+ j3 E# S4 l
.....++++++
- o9 d: F1 x# r! C: {9 A......++++++
6 O( O: B) i( B8 I, |$ Pwriting new private key to 'client1.key' 0 @' Y; S$ d, }; z# S- u
----- 6 o' d/ |% R* P) C! V# [  @& e4 m) s
You are about to be asked to enter information that will be incorporated
' E" N7 W# b  kinto your certificate request.
. D5 _9 b5 {* n/ j* x) BWhat you are about to enter is what is called a Distinguished Name or a DN.
7 R  P- `  h2 dThere are quite a few fields but you can leave some blank
$ @6 |9 u/ T: U* U! I) VFor some fields there will be a default value,
; C" S4 {* l/ r( M2 _If you enter '.', the field will be left blank.
. z1 `6 {* \; X* T4 }$ h----- - ]9 z& ?) g1 `7 q8 m  O
Country Name (2 letter code) [CN]: + O0 L/ ^% k% D/ M& l$ j2 t
State or Province Name (full name) [GD]:
; n& ?! Q3 c: s1 o- V0 ?; GLocality Name (eg, city) [SZ]:   X* N( X4 U' {% ^, P- b5 h* v2 q: w
Organization Name (eg, company) [xiaohui.com]:
9 K3 r5 A: R8 Y1 t5 U: G0 pOrganizational Unit Name (eg, section) []:xiaohui.com
" T& K+ m% [( A! k5 ]. q/ vCommon Name (eg, your name or your server's hostname) []:client1    #重要: 每个不同的 client 生成的证书, 名字必须不同. ) U5 c6 l- `. X4 W$ {0 M
Email Address [your-email [at] xiaohui.com]:
& y1 f% [: h$ c4 A) [: {
' r3 j. C5 v+ Q8 b% OPlease enter the following 'extra' attributes
4 |9 C' x- z. Vto be sent with your certificate request . k# x( K. O6 p6 ?  `
A challenge password []:abcd1234 " l$ Z# m& z9 b
An optional company name []:xiaohui.com
/ H$ f0 E/ N2 r  K5 z8 g* o& h; B3 fUsing configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
$ m! a  a% q# l: V# xCheck that the request matches the signature
" Q5 L" `# g1 I( b6 _: c' v4 C6 ESignature ok
6 g: ~4 l6 M+ i6 t% e! G* G+ ZThe Subject's Distinguished Name is as follows ! y+ b  o6 }) A. O
countryName           :PRINTABLE:'CN' / P6 N5 ]% s: \8 m* {
stateOrProvinceName   :PRINTABLE:'GD' / \- a3 b! }, r& @# O
localityName          :PRINTABLE:'SZ' + L* @9 p1 y; b( d% L
organizationName      :PRINTABLE:'xiaohui.com'
/ t1 O  [- Z6 J7 E6 P2 U' forganizationalUnitName:PRINTABLE:'xiaohui.com' 0 n9 u# g$ O2 i
commonName            :PRINTABLE:'client1' 6 z6 i1 B$ V* t4 I( F+ ~
emailAddress          :IA5STRING:'your-email [at] xiaohui.com'
& w; W2 {( S3 u! i3 B; l7 Y0 HCertificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days) 9 O! x, \) ?, C$ p
Sign the certificate? [y/n]:y
$ R; O! b( |( J" R& q8 \; E! J* p
' U4 e6 K! L) G- i" `" U
. p. G$ ^4 F" w$ k1 out of 1 certificate requests certified, commit? [y/n]y # e% l, v* A) ?" e1 S: O
Write out database with 1 new entries : @; h3 M4 s4 c
Data Base Updated
! z  g$ z- c  n2 g( H依次类推生成其他客户端证书/key
9 O: e: ~$ s2 J1 Y( S
0 W. O$ p+ V+ \; U7 X$ h: m6 P, ^: Q代码:7 ^/ N0 Y# g' ?
8 s) `% h; o- _
./build-key client2 : Y. f" m6 e/ B3 ^. k& ~" u
./build-key client3
* O6 n7 g, c% _" S+ Y# K注意在进入 Common Name (eg, your name or your server's hostname) []: 的输入时, 每个证书输入的名字必须不同.
4 f) b7 V& i! Z* X$ V生成 Diffie Hellman 参数 。代码:
+ Z* ^' [1 |, m./build-dh 2 x" ~& m8 ?# g5 p
将 keys 下的所有文件打包下载到本地+ E; D; i: g" |' f
代码:
% w' ]1 U$ p& c- j6 i! }" n7 p
2 s) h) X3 m' y. ?3 y) \( F: atar -cf mykeys.tar /openvpn-2.0.5/easy-rsa/keys ' e5 v) x: C! l
cp mykeys.tar /home/xiaohui.comsys/public_html/mykeys.tar ' d# |# D6 T) @) o4 P5 k
将 mykeys.tar 移到 web public(绝对路径因人而异) 上, 然后用 http://www.a.com/mykeys.tar 方式将其下载到本地保存, 然后将其从server删除: 代码:# ?" h7 N0 O/ z
rm /home/xiaohui.comsys/public_html/mykeys.tar ) b; A/ b* M; l
也可以用其他方法把 key file搞到本地,例如 ftp.
. J6 V4 l* ^1 ]5 o9 k) u1 F创建服务端配置文件
) W2 _/ K, [* L从样例文件创建:3 N7 Q3 r, i1 P8 ]
5 Y4 z+ l+ u* d& j5 l5 ^
代码:
3 r! K* h7 H9 u# w" n: `" M9 j& g7 X. k/ R1 I4 H9 T
cd $dir/sample-config-files/ # 进入源代码解压目录下的sample-config-files子目录
) h9 N; X0 b2 E. i1 e' E" w. Qcp server.conf /usr/local/etc  # cp服务器配置文件到/usr/local/etc
% w3 Y, m  i( f; o* p- [- vvi /usr/local/etc/server.conf & D1 x) n( e" k9 Z5 }
我建立的server.conf 的内容稍后另附.7 ]& c7 O8 {$ _4 W7 B/ p& e: D
创建客户端配置文件: t+ Q3 T7 g4 W% T. F+ k
代码:0 r' O- D2 x4 i, ?  ^
5 |% u  J) n; u
cd $dir/sample-config-files/  #进入源代码解压目录下的sample-config-files子目录 8 S0 D8 ^# A6 h) L
cp client.conf /usr/local/etc  #cp客户端配置文件到/usr/local/etc
. O5 K; I2 s, Cvi /usr/local/etc/client.conf
* e* ^1 R$ W4 D, D# K7 n4 U2 Z我建立的client.conf 的内容稍后另附.4 ~9 I% D8 ~( ]& j  a
启动Openvpn: openvpn [server config file] 代码:
. o/ t4 C; L$ V, A/usr/local/sbin/openvpn --config /usr/local/etc/server.conf
9 I/ j1 d: }4 \/ M& ~% @7 ?7 z
回复

举报

admin

1

主题

0

回帖

12

积分

管理员

积分
12
QQ
 楼主| 发表于 2019-9-6 10:55:09 | 显示全部楼层
二、部署openvpn2 o3 _) V- c( \; o# r$ t
. ^& {/ F% z# I* }& I
    本次部署openvpn服务器,因为使用了最新的openvpn2.3.4,而这个包里面没有包含最重要的证书制作部分:easy-rsa4 o/ l. j$ V2 ~2 K' f- `( |

6 J5 _6 s2 [" m  g- J( b7 N    openvpn官网也给出明确说明:Starting with openvpn-2.3_alpha2 easy-rsa is no longer part of the OpenVPN source or binary packages  e5 q+ H  D. Q8 S" @
9 x' S0 t8 z8 ?' C( ?; B
    所以,我们需要事先下载好easyrsa,可以到GitHub上进行下载,配置过程将在下面第3步进行,本次部署使用了easy-rsa3,与easy-rsa2.0的操作完全不同,网上其它关于easy-rsa2.0的教程不适合本次部署" a* W& u9 Y2 a* j& Q1 U3 F, b# C
8 I# i  P% Q3 {% ?
    在部署openvpn之前,最好用ntpdate同步一下服务器的时间,否则生成证书的时间也不准确,会造成那个什么centificate error等的错误!  H  ^/ r4 r5 x+ G9 n* H: h
3 h. i4 V/ M' u' o9 Z
1、安装lzo
' g% x9 v2 e/ s' }7 e  L0 z- O) G9 Z! c0 Y
    lzo是致力于解压速度的一种数据压缩算法. y% _; }2 r2 r' p- A
3 l* q4 n# d3 u6 p5 y' n5 x' W1 r
( m3 \; d' b" p0 ]- C; |
[root@vpn ~]# tar xf lzo-2.08.tar.gz6 Y2 g" q8 `! T, c) _: N/ c
[root@vpn ~]# cd lzo-2.08; v  s$ L+ J  U) [4 t
[root@vpn lzo-2.08]# ./configure && make && make install
/ ^0 d% ~5 q9 y% B9 X2、安装openvpn
  C) e; ?. S5 b( H+ u+ r# H
/ Y* E% S: [9 T" A3 Y# j  b! z. |, V
3 e5 `& N* L1 I0 h1 Y2 z) @& k[root@vpn ~]# tar xf openvpn-2.3.4.tar.gz
" K( q" O& D2 @  m- O[root@vpn ~]# cd openvpn-2.3.4
! e: p" V* j. _+ E[root@vpn openvpn-2.3.4]# ./configure --with-lzo-headers=/usr/local/include/ --with-lzo-lib=/usr/local/lib
6 O3 h2 d  S3 v. g[root@vpn openvpn-2.3.4]# make && make install
1 F  R. Q4 K; v0 o9 y/ t[root@vpn openvpn-2.3.4]#
! N0 ?6 c+ {$ Z7 L5 Q[root@vpn openvpn-2.3.4]# which openvpn
1 B6 F( m; P' {7 l3 |/usr/local/sbin/openvpn      #看到这里,说明安装openvpn成功8 c) F$ U# R0 H0 }
3、配置easyrsa服务端
; S6 q3 X8 _- C# r6 c
* j5 ^% b6 A  B3 g    openvpn-2.3.4软件包不包含证书(ca证书,服务端证书,客户端证书)制作工具,所以还需要单独下载easy-rsa,最新的为easy-rsa3
# a8 e7 T3 ]5 b
% F# R3 k1 ~8 y$ F    Starting with openvpn-2.3_alpha2 easy-rsa is no longer part of the OpenVPN source or binary packages(来源openvpn官网)
" H' s5 C* r2 k! U0 A
) k! D4 g" i4 r: [  x) t/ ^0 G' o: s3 @3 B2 q* p3 c
[root@vpn ~]# unzip easy-rsa-master.zip
3 T  b; w5 I2 K5 l4 @[root@vpn ~]# mv easy-rsa-master easy-rsa
0 z% V; j' c5 S0 x/ B6 |[root@vpn ~]# cp -R easy-rsa/ openvpn-2.3.4/
0 P8 e* r8 W. W# [! a[root@vpn ~]# cd openvpn-2.3.4/easy-rsa/easyrsa3/
6 R  T! k* W6 r; `7 t- W[root@vpn easyrsa3]# cp vars.example vars
. r/ m) e1 e+ ]5 |[root@vpn easyrsa3]# vim vars# d& [0 Z2 _" e/ |3 Y$ s; p# l
set_var EASYRSA_REQ_COUNTRY "CN"& G( F% `+ h: L1 Q
set_var EASYRSA_REQ_PROVINCE "Beijing"
) H* b/ @; _1 |& y4 E9 tset_var EASYRSA_REQ_CITY "Beijing"2 M1 P% b7 I# S9 C
set_var EASYRSA_REQ_ORG "nmshuishui Certificate"+ j( x; h) i; |7 ]/ e
set_var EASYRSA_REQ_EMAIL "353025240@qq.com"$ F8 Q) j; F5 M2 _
set_var EASYRSA_REQ_OU "My OpenVPN"
' }/ ^6 z' y: T' r* s" f" S5 M4、创建服务端证书及key$ d- Y, p# V! v. L

& `1 b* ]9 n& F  k  I(1)初始化3 P0 X; a8 W1 J! _

! l2 e" Q6 A" Y8 d# t8 f9 _- f0 I, d, B6 ^
[root@vpn easyrsa3]# ls
; Y- l6 U' P. R9 m/ M& `; M+ I3 Veasyrsa  openssl-1.0.cnf  vars  vars.example  x509-types& K& \( z, ]9 \3 B* f
[root@vpn easyrsa3]# $ {7 ]$ P/ H& X, v5 Q" f/ t& a7 X
[root@vpn easyrsa3]# ./easyrsa init-pki  T- L: ^9 y0 g3 }; F( x
" z2 T1 F( x# N4 j
Note: using Easy-RSA configuration from: ./vars
) T; t( b: m( o( k( a
6 F8 H, ~/ j" e( |8 Ninit-pki complete; you may now create a CA or requests.
+ K, t3 ^- p, q+ Q. C! \9 r) s/ ?: d" g. zYour newly created PKI dir is: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki; Q/ k. o5 K. u/ D% i4 J
(2)创建根证书/ l8 p0 Y  i5 c0 C

& B; P7 P0 i& m1 Q* E* }; p# o1 S& y6 a5 H3 Z8 q4 d  r  @+ A  s

6 v( ]' N- m* k7 |* Q1 H[root@vpn easyrsa3]# ./easyrsa build-ca
6 }8 M  i* ~4 N, e* W* S
! J1 n# I$ r8 ?# JNote: using Easy-RSA configuration from: ./vars
# @& F; G- }* I7 i8 A- XGenerating a 2048 bit RSA private key. X3 l( I" X5 {3 k
.............................................+++2 r5 R9 \$ @, @! L" u9 e" ^4 k3 @  t
........+++. f& X; q3 F  m' c
writing new private key to '/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key'
- U; ~+ D: e& I; [' o9 dEnter PEM pass phrase:                      #输入密码,此密码用途证书签名
3 S# K* Q, m+ A: D+ [Verifying - Enter PEM pass phrase:          #确认密码
7 v+ D4 [! c( u  i- g& r" b' p-----) V+ z: K* a8 r7 _
You are about to be asked to enter information that will be incorporated
+ X* d/ \8 p9 [into your certificate request.- h4 B$ {8 p4 z; |1 X4 O) v8 Y
What you are about to enter is what is called a Distinguished Name or a DN.: p# f' B( N, t7 P( c. \$ x7 c
There are quite a few fields but you can leave some blank
  a* j9 L2 y' [/ f* NFor some fields there will be a default value,/ w8 Z) ~$ k5 K# s
If you enter '.', the field will be left blank.% r* z* d2 ^6 t' V* x2 o7 q' g
-----5 `/ O$ N7 C# j1 y2 e5 v
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:nmshuishui  #输入一个Common Name
" ]+ D  Q) I6 | " k' k& ?0 Y+ H' }& U: e
CA creation complete and you may now import and sign cert requests.
' Q* c# R9 J. v7 h! OYour new CA certificate file for publishing is at:
3 @$ v+ I% O5 u% x  \/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt
( n) s% Z8 Q/ E/ `(3)创建服务器端证书
+ S) g* Q# e9 J& K# C5 _# m9 v  C3 S. f/ n7 T% a/ J7 D/ M
4 J! F5 S" e( ^) Y' Y6 D8 X8 q
[root@vpn easyrsa3]# ./easyrsa gen-req server nopass9 X9 a2 {: H" D9 [2 C% K6 y

( v7 u+ z1 z+ }* d9 kNote: using Easy-RSA configuration from: ./vars# }$ i* v+ t- z* I, d  X
Generating a 2048 bit RSA private key
# O0 B4 x# k4 x) J0 F................................+++
3 q: m3 s+ w0 A& D' U......+++8 b# t+ ~4 @, v$ Q5 u5 p, H
writing new private key to '/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key'
- V5 n/ x. O; c3 p-----) {( }; ^. y  f& a! G
You are about to be asked to enter information that will be incorporated9 j# J& t% E1 {
into your certificate request.# x3 g3 f* O. P9 m8 ]" H4 `
What you are about to enter is what is called a Distinguished Name or a DN.
6 g! ^: w2 C, [: k* o! P% UThere are quite a few fields but you can leave some blank1 w' Q5 }, Q2 k0 L6 G8 U* a
For some fields there will be a default value,: i% T% u( ~$ ?1 a  A
If you enter '.', the field will be left blank.4 d9 }8 Q2 Z; N& B! j
-----
+ _* f+ t$ n9 VCommon Name (eg: your user, host, or server name) [server]:nmshuishui-BJ  #该Common Name一定不要与创建根证书时的
+ X3 B* z: D( q4 O- I7 s                                                                          #Common Name一样,这是血与泪的教训  
/ k! `! o  P; b( `3 j' D- ~Keypair and certificate request completed. Your files are:" ~4 G0 X8 b% Z
req: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/server.req
. A1 D" e8 D! D& j6 mkey: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key
  p9 Z: C* d, \0 C0 Y(4)签约服务器端证书
8 x/ F' G$ O& U) r% l( ~
2 P3 m9 \3 O* e. O% A+ `
% A0 a+ X1 j6 E  C- e6 s8 U$ F% V( P2 |/ M1 e* B2 o3 C& j
[root@vpn easyrsa3]# ./easyrsa sign server server
- S* V* y; g2 J/ Y+ m7 V+ ^ * r, D6 p  Q* L5 O8 u4 b4 s' {
Note: using Easy-RSA configuration from: ./vars6 D5 s. F- w1 D  {2 P2 q
6 G2 P9 j6 F  |0 v

8 d, i. t) Z. i9 GYou are about to sign the following certificate.
& l& ?2 @2 ~1 ~; G$ c! ]Please check over the details shown below for accuracy. Note that this request
. b" L/ U* C2 d5 V( Dhas not been cryptographically verified. Please be sure it came from a trusted+ X' Y. K8 T0 v4 K: X
source or that you have verified the request checksum with the sender.4 t7 {7 J. C0 W  I# T: x# z

* Q5 U9 e) o1 [3 j, T2 sRequest subject, to be signed as a server certificate for 3650 days:
+ M9 k& t# @% `5 U9 p- n6 O0 o: i / e- X. [* W: Y4 ~' B
subject=
& s5 ]6 g! P4 T! m3 O2 |    commonName                = nmshuishui
1 z% c9 ?9 s8 b8 h0 \
6 \% x1 h' t- T 5 Q# B- M; S! f/ V
Type the word 'yes' to continue, or any other input to abort.
6 y" G, ?. J& X/ U  Confirm request details: yes        #输入yes继续
% u$ Y& L% @; [+ g4 h4 d: t  X, VUsing configuration from /root/openvpn-2.3.4/easy-rsa/easyrsa3/openssl-1.0.cnf- M- i& T, Q' v2 H* u
Enter pass phrase for /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key:    #输入刚才创建根证书时的密码; _/ @% v6 p$ J) ~( ?/ z' i4 |
Check that the request matches the signature: R. I7 g2 ~( F& j  C& ~: l
Signature ok  \3 m, Z5 Y9 w) j& E! i& J. K
The Subject's Distinguished Name is as follows# B! O7 G8 {0 v
commonName            :PRINTABLE:'nmshuishui'- g- v! U5 ~2 w* h' J* |* C- j/ g' O
Certificate is to be certified until Aug 21 14:18:49 2024 GMT (3650 days)
; P' i. o3 A& a1 T9 u
6 Y% V1 g' f6 d0 GWrite out database with 1 new entries
( F- T* l5 p8 b- ]  o* W# j; b6 CData Base Updated
3 Q/ f" Y& C3 D' G1 r1 j + A2 N: f. B. H( r0 X% ^# f# O/ r
Certificate created at: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt3 K2 e5 @; S" z5 n
(5)创建Diffie-Hellman,确保key穿越不安全网络的命令:9 \# h% ^  {/ d7 ^7 m/ n
1 u& ^! T" ?/ Z5 d" H1 U
" u8 l8 k1 I1 b+ J1 q
  x5 j$ g) R5 R" K$ @
[root@vpn easyrsa3]# ./easyrsa gen-dh
( l! \5 m+ d: p, H; x - a3 f7 \. L; B' m+ v
Note: using Easy-RSA configuration from: ./vars  F0 V1 i* n, n) w  ^4 x$ h
Generating DH parameters, 2048 bit long safe prime, generator 27 B# U( d9 d, G8 o
This is going to take a long time
$ U& p* c' G: R...................................................................................................................................................................................................................+..........................................................................................................................+..................................................+.....................................................+..................................................................................................................................+............+............................................................................................................+...+............+...............+..............................................+.........................+..................................+.................+............................................................+..................................+........................................................................................................................................+................................................................+.......................................+...................................................................................................................................................++*++*
. _, m8 r- _3 z( ^# ], b " P/ k: G6 g( y& L4 }9 b0 P
DH parameters of size 2048 created at /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem8 S2 C) R# S. y
5、创建客户端证书
7 y. V8 @7 Q/ o" V5 y$ P/ o2 U) C3 h9 f; p+ F9 ^9 ^) D
(1)在根目录下建立client目录
' \8 G9 e) f3 [( P8 J/ @- F$ q) e" b* A9 N6 ]8 e) t. X; G

6 o3 x7 P% [5 p. y. [/ E[root@vpn easyrsa3]# cd
% W  g( p/ o; x- }$ Q[root@vpn ~]# mkdir client$ s8 @; J0 s4 N5 N1 B
[root@vpn ~]# cp -R easy-rsa/ client/
7 g. |4 n: S- x(2)初始化
& z; C' Q7 p. q
" K$ ?2 j8 i: D. E+ D7 s0 ?1 E# n; [; W( |0 E! b& @8 R; Y
[root@vpn ~]# cd client/easy-rsa/easyrsa3/  q; @! U# C2 W+ ]# K* Z& p, m3 E  M
[root@vpn easyrsa3]# ls+ [+ |8 P; c% o0 Q) I  \5 g
easyrsa  openssl-1.0.cnf  vars  vars.example  x509-types
- a2 p5 ?# s& p$ x" K* L[root@vpn easyrsa3]# ./easyrsa init-pki
/ i# n# k& c/ @9 `0 M0 s9 {: z
$ Q/ p) J* c: N4 y( DNote: using Easy-RSA configuration from: ./vars
7 C- g8 A' p+ m5 V
: ?9 M" [) E3 b5 X; `init-pki complete; you may now create a CA or requests.) F$ T+ ~: z0 z% r$ |
Your newly created PKI dir is: /root/client/easy-rsa/easyrsa3/pki
$ z) h- X5 J8 F3 r# q, z$ r0 P(3)创建客户端key及生成证书+ Q3 V* A$ N& o
3 s% V+ X7 b5 k. k/ A( i# [) @! E

8 n4 U) Z9 M5 Q) |- |
! l: M$ C; k& }4 P9 x+ p$ e0 e[root@vpn easyrsa3]# ./easyrsa gen-req nmshuishui
2 ]4 {$ @- n7 {2 i ! b+ d' J6 y6 F* D9 D0 d! F
Note: using Easy-RSA configuration from: ./vars
% W+ X' E! S; z" U$ T' |1 `6 S) bGenerating a 2048 bit RSA private key
# P7 g6 h. ]9 D' S$ ~' ^: k....................................................+++9 U- U2 \- M; [# b3 T
.................................................................................................................................................................................+++2 o4 e6 [  H2 k$ E9 f6 V, t
writing new private key to '/root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key'
$ o; i: B1 S  i- S, \/ a  JEnter PEM pass phrase:            #输入密码
, {' J( B8 B; C2 G% j* @Verifying - Enter PEM pass phrase:
6 L( }) I: s- p1 [1 ~" \, l0 Z7 q-----0 z- d- n8 w; }+ z6 t
You are about to be asked to enter information that will be incorporated& }5 W; J. [7 |  x' a+ h: s$ D
into your certificate request.
- ^6 y: d! p2 FWhat you are about to enter is what is called a Distinguished Name or a DN.
% w9 C# e" _- @There are quite a few fields but you can leave some blank
' _; I/ O3 Z3 G1 D3 J) ]& LFor some fields there will be a default value,
. W" u0 L& f* a) pIf you enter '.', the field will be left blank.  p3 N7 [7 ?. H7 n8 G
-----
3 h! C+ c" m* C( _0 N% t4 FCommon Name (eg: your user, host, or server name) [nmshuishui]:nmshuishui   #输入nmshuishui                     5 e) ?6 h; k' a7 O* C

& n! f6 O* f9 o8 RKeypair and certificate request completed. Your files are:( Q$ f- ]5 T* h) D: n0 V1 Q
req: /root/client/easy-rsa/easyrsa3/pki/reqs/nmshuishui.req
4 L4 W& d, T  |/ P3 a, fkey: /root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key
( t0 R" |# r8 }0 _1 N' q(4)将得到的nmshuishui.req导入并签约证书
/ J* a$ I6 @: O7 l1 ?: h7 t: C4 s, A1 ?# p" [
  E. Z' A, E  t4 j- K$ u$ D
[root@vpn ~]# cd openvpn-2.3.4/easy-rsa/easyrsa3/- s6 Y) I& _" ]- [: D' \1 x
[root@vpn easyrsa3]#   #导入req& r7 \8 l! T/ ?
[root@vpn easyrsa3]# ./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/nmshuishui.req nmshuishui  {1 Q' \' n- s% a: u

' }& L/ }, P2 [5 \) hNote: using Easy-RSA configuration from: ./vars
, i* {8 E: n. `& e ; D9 m5 A* j* @" S" \/ Q5 j
The request has been successfully imported with a short name of: nmshuishui8 l$ E( n! ^. U1 @0 q0 \4 t# ?; a3 A
You may now use this name to perform signing operations on this request.
4 d+ T2 I0 X4 t3 m) t& f- } 0 h/ ^5 d: Y7 q) l8 z* n
[root@vpn easyrsa3]#     #签约证书
+ O; \; `1 ]8 C# p[root@vpn easyrsa3]# ./easyrsa sign client nmshuishui
" ]* t3 [4 \1 {! U: M' T& J
* a8 A4 |# w0 J6 N$ i7 l. N5 [Note: using Easy-RSA configuration from: ./vars- r2 d' P- U$ i& N6 J1 q' N( `" r

! |! p! h4 V! C8 E% L0 p2 K$ ^1 i
: U, b) }4 {  W* g, LYou are about to sign the following certificate., c5 h' ]6 o/ V* j+ @
Please check over the details shown below for accuracy. Note that this request
4 l" Y) K# O% G% \* Z8 @- t5 f' H8 W- [( ihas not been cryptographically verified. Please be sure it came from a trusted$ r2 W7 v; j. k) @0 T( ~# p
source or that you have verified the request checksum with the sender.
. x' M5 }% x. e0 |2 t
$ b4 b7 D& Q# ]  {& aRequest subject, to be signed as a client certificate for 3650 days:; N9 v1 y$ S9 Z# O

8 A  n( @: A$ w# K% dsubject=
+ c7 x6 L- ]. H    commonName                = nmshuishui! L! V2 R4 j& d# ?9 O0 {6 M/ h/ _% u

. U6 @1 ]& u8 l4 `! B- B/ E
/ D* l! q/ h, L1 uType the word 'yes' to continue, or any other input to abort.
( I( p0 u' s  h1 e  Confirm request details: yes       #输入yes
, n" z, g' J! f$ L- X# e1 M/ d2 D! ZUsing configuration from /root/openvpn-2.3.4/easy-rsa/easyrsa3/openssl-1.0.cnf
3 S! `. D7 i& P7 L) G, L/ SEnter pass phrase for /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key:    #输入创建根证书时的密码
) L" b( {9 H1 I0 V8 m! U5 kCheck that the request matches the signature- E5 B; n6 z! W- E& r
Signature ok
" s* M) O4 |. ~& IThe Subject's Distinguished Name is as follows
) P1 |1 S. R/ D4 }. EcommonName            :PRINTABLE:'nmshuishui'; `" |) c0 V$ F/ u2 U, e' V' X
Certificate is to be certified until Aug 21 12:49:40 2024 GMT (3650 days)2 Q" z( F! ]7 T# `6 @& W
% {' F5 W7 Y+ ?
Write out database with 1 new entries
1 F) J. z7 H% q' @; f$ a1 }Data Base Updated
, Z5 L3 e; r2 }1 W ' `# d/ L, v; \. V" L) U
Certificate created at: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/nmshuishui.crt   #签约成功! P* M4 ?4 u) s% v. }4 V! |0 l7 l
(5)服务端及客户端生成的文件( Y8 R6 Y+ W# q' d3 Q0 Z5 S+ _  l! ?# k& b
0 F+ O( N5 I. T8 _
服务端:(/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki)文件夹6 b, S& W, M+ v# x# Z
" E1 X1 Y; A' |5 Q
9 P1 {! g0 [/ i# ?) z  r# M; ?9 n
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt6 Y  b! r$ o. o, H( q8 d% y
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/server.req; N: i1 V  y8 ~1 h
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/qingliu.req
) l) f& `2 g  v9 Y$ T8 R/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key
/ f6 |1 c7 z3 g; y. S4 W/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key
4 }* s7 t. R% c) U% V8 ]/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt
7 C4 f  Q  h, d* P3 v9 l$ ?4 q/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/qingliu.crt
1 s7 K4 W+ }/ I, C) j+ H/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem) y6 |# @. n2 [% i- g
客户端:(/root/client/easy-rsa)
. a0 ^# a: x, K4 ?( }9 I, ?* C1 d% C
) z8 v* b. O, e& g6 a
/root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key
) h! u1 ^1 y8 Q/root/client/easy-rsa/easyrsa3/pki/reqs/nmshuishui.key   #这个文件被我们导入到了服务端文件,所以那里也有
; M  x5 }! c( i$ b& X  k7 U5 Y(6)拷贝服务器密钥及证书等到openvpn目录! m' Y- V( p2 Y! C* }& I
; Y1 G* D+ z* X1 z
: L7 r" l8 S6 n1 e
[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt openvpn-2.3.4/- \7 }* ?" i( V1 P* f: R
[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key openvpn-2.3.4/% Q+ F) I9 ?0 l* X, M
[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt openvpn-2.3.4/
7 O& b. s, `4 ^" S( _$ ][root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem openvpn-2.3.4/
/ G* O+ `- C5 n(7)拷贝客户端密钥及证书等到client目录
% Y, _5 ^) ?4 K# x( I9 {/ r. d+ L, a

: O8 z8 S4 e" w7 d' M[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt /root/client
) q- ~' {9 _, x9 ~/ `  e+ G3 H" Q5 y[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/nmshuishui.crt /root/client, N! f. O9 `) B+ j" Y# [
[root@vpn ~]# cp /root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key /root/client' V6 \/ W, f; ?) P
(8)为服务端编写配置文件
% z8 o5 O9 P9 V5 ^! S9 W) e) q& ^9 {" n% \2 {6 J, ?0 t' p
当安装好openvpn时候,它会提供一个server配置的文件例子* A9 q/ S4 `. t& [2 g

3 ?7 C/ i4 G% J1
, o! a% E- D# b, _/root/openvpn-2.3.4/sample/sample-config-files/server.conf/ a& R; c3 D& [: z7 o
将此例子拷贝openvpn目录,然后配置* l: X- {7 F# n' p

( e7 @# W; t4 Q. q% G6 h2 a5 a) @4 N6 |
[root@vpn ~]# cp openvpn-2.3.4/sample/sample-config-files/server.conf openvpn-2.3.4/
6 ^3 F3 z2 K$ C1 e0 P+ ?. G, w2 N[root@vpn ~]# vim openvpn-2.3.4/server.conf
  q( ?$ L' v! q# ?$ N6 S; blocal 192.168.1.104    #(自己vps IP)
9 g! M7 m: V, Iport 1194
" ~% w6 d+ i4 o9 ~5 f3 J- d2 N2 [/ zproto udp+ C$ g1 G' w3 e$ e
dev tun
( C- h+ t; \; ~ca /root/openvpn-2.3.4/ca.crt8 n9 S+ v  q9 ?' Q0 \" t, G
cert /root/openvpn-2.3.4/server.crt$ p0 R) Z+ @8 I+ s+ n0 ^& L
key /root/openvpn-2.3.4/server.key # This file should be kept secret
) \2 k$ f% r. L8 o" S( c# Ydh /root/openvpn-2.3.4/dh.pem! }0 V. J. M# J% {* V5 N4 G& ~
server 10.8.0.0 255.255.255.0
" [0 E( }4 K0 Rifconfig-pool-persist ipp.txt7 M9 {9 h, e3 _: D
push "redirect-gateway def1 bypass-dhcp"
, ]( ^" s# Q2 d5 y& J# npush "dhcp-option DNS 8.8.8.8"
7 W& R. G! W& z5 j; ikeepalive 10 1208 T8 E% e% f0 Y' j: r7 F* }! Q; ~
comp-lzo
1 g  v0 M6 K# N/ u9 ^; z( z8 omax-clients 100! L: M3 p; b0 {5 O
persist-key7 V- T- `# m- W3 |
persist-tun
7 e8 A+ l0 Z, R, B7 ^status openvpn-status.log4 Z+ t) r* ^1 b. N$ l
verb 3
6 |# J8 }; @0 U8 S  B3 T( K(9)开启系统转发功能$ c, A% h: @, ~. x
0 N6 _1 D+ x0 t& j8 H
% X6 B4 W+ w" \, }% H
[root@vpn ~]# vim /etc/sysctl.conf
3 P, K8 H! c& H0 j# {8 K+ m( Tnet.ipv4.ip_forward = 0  改成 net.ipv4.ip_forward = 1
! T- o5 q- k1 q[root@vpn ~]# sysctl -p
7 }$ D; p" u1 a& D, W[root@vpn ~]# sysctl -a | grep net.ipv4.ip_forward5 u9 r! R; J  C1 L3 g- N5 W
net.ipv4.ip_forward = 1, X. V( J$ Z' c+ g7 ^
(10)封装出去的数据包(eth0是你的vps外网的网卡):
7 P( D( K+ A( k4 ~3 G/ G# H
8 \# @7 h9 j& H$ w; Y; O
; a, L9 P8 \4 B. q% s/sbin/iptables -t nat -I POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE
回复

举报

admin

1

主题

0

回帖

12

积分

管理员

积分
12
QQ
 楼主| 发表于 2019-9-6 11:00:54 | 显示全部楼层
下载openvpn客户端,并进行配置
* @* O# d5 {9 S& u
2 L$ s1 N8 R, Z$ a) l, o# ^1、将客户端密钥及证书等拷出到windows备用, v- ?1 I# ~; M4 |9 r

6 G. c/ ^+ h8 S% ~
# l( B( t0 P$ c[root@vpn ~]# cd client/
) h( O* M7 ^1 \7 Y9 j+ u2 M[root@vpn client]# ls
. U& E! d" p: @& ?$ q( tca.crt  easy-rsa  nmshuishui.crt  nmshuishui.key    #带后缀的这三个0 X+ J/ B+ w6 I& a

, J. H( V* n7 D2、安装openvpn-gui工具2 }  r; ?% T2 b8 I

6 d, j' A5 a7 W8 h% A(1)将D:\Program Files (x86)\OpenVPN\sample-config\client.ovpn复制到D:\Program Files (x86)\OpenVPN\config
/ Z! q1 E& X; {/ e' i" ~8 J, D) t6 q8 t/ D& V& q. E) y+ Y# q
(2)将从linux中拷贝出来的三个密钥及证书放到D:\Program Files (x86)\OpenVPN\config下
回复

举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 注册

本版积分规则

返回首页|Archiver|手机版|小黑屋|易陆发现技术论坛 ( 蜀ICP备2026014127号-1 )

GMT+8, 2026-6-12 00:25 , Processed in 0.019811 second(s), 22 queries .

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表