易陆发现互联网技术论坛

Building a solid SSL VPN service for the enterprise on CentOS

Posted 2020-1-19 08:52:01

I. OpenVPN implements its SSL VPN on top of the virtual TUN/TAP device, so the kernel must support the TUN/TAP device module. In the 2.6.x kernel this option is under the Device Drivers -> Network device support menu and is called Universal TUN/TAP device driver support. The standard kernel normally ships it as a module, and OpenVPN loads it automatically when it starts, so there is no need to load the module by hand.
[root@www.linuxidc.com 2.6.18-238.12.1.el5-i686]# pwd
/usr/src/kernels/2.6.18-238.12.1.el5-i686
[root@www.linuxidc.com 2.6.18-238.12.1.el5-i686]# make menuconfig  # open the kernel configuration menu
Device Drivers  --->
  Network device support  --->
    <M> Universal TUN/TAP device driver support     # <M> means it is built as a loadable kernel module

II. Before installing OpenVPN, some supporting packages are needed: the OpenSSL development library and the LZO compression development library.
1. The OpenSSL development library can be installed with yum, but the LZO development package has to be downloaded and installed manually.
# yum install openssl
# yum install openssl-devel
# yum install pam-devel
2. Download LZO from http://www.oberhumer.com/opensource/lzo/
# tar -zxvf lzo-2.10.tar.gz
# cd lzo-2.10
# ./configure
# make
# make install
III. Configuring the SSL VPN service
1. Download openvpn-2.0.9.tar.gz from http://openvpn.net/release/ and install it
# tar -zxvf openvpn-2.1.1.tar.gz
# cd openvpn-2.1.1
[root@webbs168x openvpn-2.1.1]# ./configure --prefix=/usr/local/openvpn
[root@webbs168x openvpn-2.1.1]# make
[root@webbs168x openvpn-2.1.1]# make install
[root@webbs168x openvpn-2.1.1]# cp -p sample-scripts/openvpn.init /etc/init.d/openvpn
[root@webbs168x openvpn-2.1.1]# chkconfig --add openvpn
[root@webbs168x openvpn-2.1.1]# service openvpn status  # check the service status
openvpn: service not started

# chkconfig --list openvpn
openvpn         0:off   1:off   2:on    3:on    4:on    5:on    6:off
2. Enable IP forwarding
# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
# sysctl -p
3. Use /etc/openvpn as the OpenVPN configuration directory and /etc/openvpn/server.conf as the server configuration file.
OpenVPN is an SSL VPN implementation, so the most important part of authentication is managing the server and client SSL certificates. If the administrator has no existing mechanism for issuing SSL certificates, the set of tools bundled with OpenVPN can do all of the work.
Under /root/openvpn-2.1.1 there is an easy-rsa directory containing the tools for generating and managing SSL certificates; the certificate generation steps are as follows.
# mkdir -p /etc/openvpn
# cp -p sample-config-files/server.conf /etc/openvpn/   # copy the sample configuration file to /etc/openvpn/; it is edited later
4. Edit the variables in the vars file: country code, province, city, organization name, unit name, e-mail address and so on.
# cd easy-rsa/
# grep -v "#" vars
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=GD
export KEY_CITY=SZ
export KEY_ORG="DIC"
export KEY_EMAIL="tghfly222@126.com"
easy-rsa# source vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /usr/src/openvpn-2.0.9/easy-rsa/keys  # reminder that ./clean-all deletes every certificate, the CA included
5. Use the clean-all script to remove every certificate, the CA included, then create the CA certificate.
[root@www.linuxidc.com easy-rsa]# ./clean-all   # remove existing certificates first, then create new ones
[root@www.linuxidc.com easy-rsa]# ./build-ca  # create the CA certificate
Generating a 1024 bit RSA private key
..........++++++
................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [DIC]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:dic172   # server hostname
Email Address [tghfly222@126.com]:
6. Create the server key.
[root@www.linuxidc.com easy-rsa]# ./build-key-server server  # create the server-side key
Generating a 1024 bit RSA private key
............................................++++++
....++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [DIC]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:dic172  # server hostname
Email Address [tghfly222@126.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:dic172
An optional company name []:dic172
Using configuration from /usr/src/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'DIC'
commonName            :PRINTABLE:'dic172'
emailAddress          :IA5STRING:'tghfly222@126.com'
Certificate is to be certified until Jul 16 05:51:08 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
7. Create the client key; the client key can be given any name.
[root@www.linuxidc.com easy-rsa]# ./build-key client
Generating a 1024 bit RSA private key
.....++++++
.......................++++++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [DIC]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:tgh  # different clients must never share the same name
Email Address [tghfly222@126.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:dic172
An optional company name []:dic172
Using configuration from /usr/src/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'DIC'
commonName            :PRINTABLE:'tgh'
emailAddress          :IA5STRING:'tghfly222@126.com'
Certificate is to be certified until Jul 16 05:52:27 2021 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
8. Create the DH (Diffie-Hellman) key-exchange parameter file.
[root@www.linuxidc.com easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...+.......+.....+........................+......................+.....+...........................+..........+.......+.................................................+.....................+............+..............................................+..........................................................+..............................+...........................+..+.....+......++*++*++*
9. Generate the tls-auth key. The tls-auth key adds a further layer of authentication to the point-to-point VPN connection; if you choose to use it, both the server and the client must have the key file.
[root@www.linuxidc.com easy-rsa]# openvpn --genkey --secret keys/ta.key
[root@www.linuxidc.com easy-rsa]# cp -rp keys/ /etc/openvpn/    # copy the certificate files to /etc/openvpn/
10. Edit the server.conf configuration file
[root@www.linuxidc.com openvpn]# grep -v "#" server.conf
local 192.168.161.172     # IP address the server listens on
port 1194                 # use port 1194
proto udp                 # use the UDP protocol
dev tun                   # use a tun device
ca /etc/openvpn/keys/ca.crt    # path to the CA certificate file
cert /etc/openvpn/keys/server.crt
dh /etc/openvpn/keys/dh1024.pem
tls-auth /etc/openvpn/keys/ta.key 0
server 172.16.10.0 255.255.255.0   # address pool from which VPN clients get their IP after dialing in
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 202.96.134.133"   # DNS server handed to clients
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
mute 20
[root@www.linuxidc.com openvpn-2.0.9]# service openvpn start
Starting openvpn: [  OK  ]
[root@www.linuxidc.com openvpn-2.0.9]# netstat -anp |grep :1194
udp        0      0 192.168.161.172:1194        0.0.0.0:*                               25162/openvpn

IV. Configuring the SSL VPN client on Windows XP (client IP 192.168.163.96)
1. Download openvpn-2.0.9-gui-1.0.3-install.exe from http://openvpn.se/files/install_packages/
2. Install openvpn-2.0.9-gui-1.0.3-install.exe, clicking Next all the way through. Since this machine is only used as a client, there is no need to install the OpenVPN Service.

After installation, a new OpenVPN GUI icon and a Local Area Connection icon appear in the taskbar.
3. Configure the client: copy /etc/openvpn/keys/ca.*, client.* and ta.* from the server into C:\Program Files\OpenVPN\config on the client; then copy the sample client configuration file client.ovpn from C:\Program Files\OpenVPN\sample-config into C:\Program Files\OpenVPN\config.

4. Edit client.ovpn as follows and save it.
client
dev tun
proto udp
remote 192.168.161.172 1194
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
comp-lzo
verb 3
mute 20
5. Start the connection: right-click the OpenVPN GUI icon in the bottom-right corner and choose Connect.
6. After the connection succeeds, the icon looks as follows. At this point the SSL VPN service is configured.
Original poster | Posted 2020-1-19 09:02:06
lzo installation package

lzo-2.10.tar.gz

586.54 KB, downloads: 0
