6、创建服务器密钥。
( q, t6 C0 Z( x( }
[
root@www.linuxidc.com easy-rsa]# ./build-key-server server #创建服务器端密钥
1 y, i) M* q( SGenerating a 1024 bit RSA private key
5 Z1 p# M v! ?7 n/ a7 {
............................................++++++
, `9 o, t! y8 ]( x5 i- M
....++++++
5 p" \8 {( h7 a. H4 zwriting new private key to 'server.key'
/ R5 P& x2 O* J1 F1 |- f8 h-----
6 j2 H0 H4 b/ e0 d/ B, ^! v
You are about to be asked to enter information that will be incorporated
$ O" \0 n$ N" f& {3 J& s# }6 D
into your certificate request.
! n. h' o# c/ f M- Y/ Q
What you are about to enter is what is called a Distinguished Name or a DN.
9 ?/ R4 ]' f, B+ X/ f$ B0 f& K# t$ F% `
There are quite a few fields but you can leave some blank
; L& r3 r% s2 ?, _: NFor some fields there will be a default value,
( E' V/ q# ]. Z7 t9 N' T( J0 C
If you enter '.', the field will be left blank.
4 c$ H. F* w3 ^7 \& C3 A+ H-----
& J2 r' E8 Z- D" R3 m
Country Name (2 letter code) [CN]:
8 Z8 h* H! a/ D& N+ i- z% k1 F
State or Province Name (full name) [GD]:
' C6 I$ K; m" d$ {) T# H" X
Locality Name (eg, city) [SZ]:
! C0 Y5 T0 B4 @9 r) V& q( L* \Organization Name (eg, company) [DIC]:
4 \ O7 }8 h- k- a, b1 jOrganizational Unit Name (eg, section) []:
, A: u6 w$ R. J1 B5 j+ _
Common Name (eg, your name or your server's hostname) []:dic172 #服务器主机名
9 A! p. b7 t/ e- _: ^- fEmail Address [
tghfly222@126.com]:
Please enter the following 'extra' attributes
. J; X m) m8 |5 J1 h
to be sent with your certificate request
1 u- P, V1 x7 G; s8 {0 n0 r6 {
A challenge password []:dic172
0 l. L3 i5 y8 w: |# B
An optional company name []:dic172
6 ?/ f$ y+ G$ Q j
Using configuration from /usr/src/openvpn-2.0.9/easy-rsa/openssl.cnf
8 H5 @" v9 H9 T! s2 A8 N
Check that the request matches the signature
3 l2 o' [. K" X$ K4 Y. ]4 G" s5 J v
Signature ok
( R/ m7 O7 T8 t) [# j$ i( B* W
The Subject's Distinguished Name is as follows
* l2 L! o. J1 H
countryName :PRINTABLE:'CN'
; X7 T6 p5 i+ q( J
stateOrProvinceName :PRINTABLE:'GD'
3 a6 ?- h* p7 K* `+ `0 W" UlocalityName :PRINTABLE:'SZ'
- y( ^& m; P/ corganizationName :PRINTABLE:'DIC'
9 k7 P8 I+ h* d
commonName :PRINTABLE:'dic172'
2 V. X+ W+ o( w5 Q" G6 o* AemailAddress :IA5STRING:'tghfly222@126.com'
0 e B; A2 h# V3 ECertificate is to be certified until Jul 16 05:51:08 2021 GMT (3650 days)
( H1 N+ z7 f" q, d2 ?2 @; \Sign the certificate? [y/n]:y
0 }: O b! n' Z d$ b' x1 out of 1 certificate requests certified, commit? [y/n]y
' R( v# d4 M* z, E( g( p. ~2 ]Write out database with 1 new entries
) `8 t' n# n, [, p- e7 ]
Data Base Updated
. [+ T. ~+ b9 D; w7 \$ D
7、创建客户端密钥,客户端密钥名可随意命名。
: H. C5 w& e8 l, K5 E6 N
[
root@www.linuxidc.com easy-rsa]# ./build-key client
) f1 p6 y/ e+ ` o* w7 S t- HGenerating a 1024 bit RSA private key
j4 t. i/ b. ^% @9 j: w
.....++++++
) u+ m$ K+ M+ u- I% a* r3 N1 i.......................++++++
& M# L3 Z% @2 q, ]
writing new private key to 'client.key'
- f! e+ H/ L! Q6 w
-----
7 [7 [3 |" G5 ?5 wYou are about to be asked to enter information that will be incorporated
% N" o; Q& T; A, \5 x9 c0 u1 ]into your certificate request.
4 o9 T( m" U0 g) w& \0 |' Y- e
What you are about to enter is what is called a Distinguished Name or a DN.
/ {! U7 W$ G% A6 Y1 R( YThere are quite a few fields but you can leave some blank
; M1 I x, e9 F; r3 MFor some fields there will be a default value,
0 Y* ^5 P% _4 ?If you enter '.', the field will be left blank.
" d" K# @9 g3 ` w. R) t+ R+ ~
-----
/ H! B2 y. S" e
Country Name (2 letter code) [CN]:
0 L6 @& y1 Y2 t$ D( U' o9 v
State or Province Name (full name) [GD]:
, L; Z6 f* R5 K! M3 D
Locality Name (eg, city) [SZ]:
' r5 ]' u. Q: g, M7 |1 SOrganization Name (eg, company) [DIC]:
. k1 L3 [7 F* }/ ZOrganizational Unit Name (eg, section) []:
, j# A G$ E- W" D5 j
Common Name (eg, your name or your server's hostname) []:tgh #不同客户端,命名绝不能一样
, ~/ x2 }6 O+ `$ A4 }& Y! x/ O, e* {" UEmail Address [
tghfly222@126.com]:
Please enter the following 'extra' attributes4 U/ L& l5 }! Q
to be sent with your certificate request
. n% K( q) N5 E8 gA challenge password []:dic172
% L0 D% V/ q f2 F* k- [An optional company name []:dic172
$ Z- m t, c0 hUsing configuration from /usr/src/openvpn-2.0.9/easy-rsa/openssl.cnf9 z; o. K( f1 I- N1 f2 |. f6 y+ ?
Check that the request matches the signature3 q/ P5 c( m: X1 a+ r% k
Signature ok
1 Z. [# R& X6 j5 x; v) TThe Subject's Distinguished Name is as follows6 U8 B" i9 Y' D) H
countryName :PRINTABLE:'CN'
. _$ {, O: {6 o% R. k2 q) J# U: nstateOrProvinceName :PRINTABLE:'GD'
, R( Y( F+ A: \" r0 {8 Z/ ^localityName :PRINTABLE:'SZ'$ K; E# g. ^+ }9 e$ ~: H4 [
organizationName :PRINTABLE:'DIC'+ ? \; f4 l, g" v/ P* f7 h+ r
commonName :PRINTABLE:'tgh'
% Y" L3 E' k5 @3 }emailAddress :IA5STRING:'tghfly222@126.com'( `6 w2 A, }# H9 h+ O3 v3 F
Certificate is to be certified until Jul 16 05:52:27 2021 GMT (3650 days)
: B! C V, t7 O1 U% b5 ?, x' ZSign the certificate? [y/n]:y
" A' K7 h' J3 D( ^: u1 out of 1 certificate requests certified, commit? [y/n]y
/ a# t( n$ M; m2 x+ rWrite out database with 1 new entries
: J$ q0 N/ G: x0 R5 [Data Base Updated
8、创建dhDiffie-Hellman )密钥算法文件
8 u( Z' T0 o# V[
root@www.linuxidc.com easy-rsa]# ./build-dh
. ~+ e# h* L, z( A; f; ~4 e8 a
Generating DH parameters, 1024 bit long safe prime, generator 2
3 D0 |: L6 _$ q! J) W
This is going to take a long time
. z) d7 a7 b4 W8 g3 t7 N
...+.......+.....+........................+......................+.....+...........................+..........+.......+.................................................+.....................+............+..............................................+..........................................................+..............................+...........................+..+.....+......++*++*++*
9、生成 tls-auth 密钥 ,tls-auth密钥可以为点对点的VPN连接提供了进一步的安全验证,如果选择使用这一方式,服务器端和客户端都必须拥有该密钥文件。
$ t7 w m: I9 P( G- z# R9 w1 i$ \[
root@www.linuxidc.com easy-rsa]# openvpn --genkey --secret keys/ta.key
& L7 H' N3 H- U8 n/ S
[
root@www.linuxidc.com easy-rsa]# cp -rp keys/ /etc/openvpn/ #将证书文件复制到/etc/openvpn/
local 192.168.161.172 #服务器所使用的IP
- X' m! V1 `$ |0 c7 Fport 1194 #使用1194端口8 v u& T4 G; P7 F6 z7 P( u; H2 i
proto udp #使用UDP协议3 W9 p. l! q2 D' `5 c
dev tun #使用tun设备
- t# C6 q0 Q, {ca /etc/openvpn/keys/ca.crt #指定CA证书文件路径% F* p( J2 j# B" O
cert /etc/openvpn/keys/server.crt* K' @' s' @, j8 B1 `: w; K6 d2 }
dh /etc/openvpn/keys/dh1024.pem, |4 e' |; ^, h' ^9 B" g& S
tls-auth /etc/openvpn/keys/ta.key 0/ H. W' H4 E7 a9 d: Q
server 172.16.10.0 255.255.255.0 #VPN客户端拨入后,所获得的IP地址池 s- T1 V2 b3 k% P8 V6 a1 `
ifconfig-pool-persist ipp.txt
9 k5 j9 v5 f& w8 Ipush "dhcp-option DNS 202.96.134.133" #客户端所获得的DNS2 |2 D! I- p- m, X- n
client-to-client
6 T% k" @* h& u' G+ F! Qkeepalive 10 120
; O' r7 R9 B$ ^8 ` K3 Hcomp-lzo
- I& S% {& M: gpersist-key2 {5 M+ S8 r: T+ x Z$ P+ P
persist-tun0 |8 a& M7 {, {6 E& [# C! ?- j
status openvpn-status.log
; v j5 h! R% T4 Z- I; T0 Yverb 3( z9 z& u% e9 w6 c# \% q$ O/ c# Q
mute 20
[
root@www.linuxidc.com openvpn-2.0.9]# service openvpn start
( u3 ~( Q; J1 \( ?5 X4 @- o- G6 @" A. VStarting openvpn: [ OK ]
6 h: Q" h0 T5 z, t! m: N
[
root@www.linuxidc.com openvpn-2.0.9]# netstat -anp |grep :1194
6 Q7 {2 u$ [0 b* y+ R* Q& ^6 s. {
udp 0 0 192.168.161.172:1194 0.0.0.0:* 25162/openvpn
发表于 2020-1-19 08:52:01