Install OpenVPN
openssl
lzo-2.03.tar.gz
openvpn-2.0.9.tar.gz
./configure --with-lzo-lib=/usr && make && make install
Windows client for connecting to the VPN
openvpn-2.0.9-gui-1.0.3-install.exe
1. Edit the vars file so you don't have to type the information by hand when building the CA or client certificates; fill it in with your own details.
[root@vpn openvpn]# cd /etc/openvpn/easy-rsa/
[root@vpn easy-rsa]# vim vars
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="Beijing"
export KEY_ORG="EC"
export KEY_EMAIL="admin@linzhennan.cn"
export KEY_OU="linzhennan.cn"
"vars" 69L, 1695C written
2. Source the vars file
[root@vpn easy-rsa]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
3. Clean the keys directory (initialization)
[root@vpn easy-rsa]# ./clean-all
[root@vpn easy-rsa]# ll keys/
total 4
-rw-r--r-- 1 root root 0 Nov 26 08:34 index.txt
-rw-r--r-- 1 root root 3 Nov 26 08:34 serial
4. Generate the CA certificate, which is used to sign the server and client certificates. With vars filled in, just press Enter through the prompts.
[root@vpn easy-rsa]# ./build-ca
Generating a 1024 bit RSA private key
..........................++++++
.................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [linzhennan]:
Organizational Unit Name (eg, section) [linzhennan.cn]:
Common Name (eg, your name or your server's hostname) [linzhennan CA]:
Email Address [admin@linzhennan.cn]:
[root@vpn easy-rsa]# ls -lsart keys/ | grep ca
4 -rw------- 1 root root 887 Nov 26 08:34 ca.key
4 -rw-r--r-- 1 root root 1261 Nov 26 08:34 ca.crt
5. Generate the Diffie-Hellman parameters; the server configuration needs them.
[root@vpn easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...............................................................
6. Generate the server certificate and key. At the last two prompts, "Sign the certificate? [y/n]:" and "1 out of 1 certificate requests certified, commit? [y/n]", enter y.
[root@vpn easy-rsa]# ./build-key-server server
Generating a 1024 bit RSA private key
.............++++++
............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [linzhennan]:
Organizational Unit Name (eg, section) [linzhennan.cn]:
Common Name (eg, your name or your server's hostname) [server]:
Email Address [admin@linzhennan.cn]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:linzhennan.cn
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           : PRINTABLE : 'CN'
stateOrProvinceName   : PRINTABLE : 'BJ'
localityName          : PRINTABLE : 'Beijing'
organizationName      : PRINTABLE : 'linzhennan'
organizationalUnitName: PRINTABLE : 'linzhennan.cn'
commonName            : PRINTABLE : 'server'
emailAddress          : IA5STRING : 'admin@linzhennan.cn'
Certificate is to be certified until Nov 24 00:36:25 2023 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
7. Generate the client certificate; linzhennan is used as the example name here.
[root@vpn easy-rsa]# ./build-key linzhennan
Generating a 1024 bit RSA private key
.....++++++
..++++++
writing new private key to 'linzhennan.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [linzhennan]:
Organizational Unit Name (eg, section) [linzhennan.cn]:
Common Name (eg, your name or your server's hostname) [linzhennan]:
Email Address [admin@linzhennan.cn]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:linzhennan.cn
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           : PRINTABLE : 'CN'
stateOrProvinceName   : PRINTABLE : 'BJ'
localityName          : PRINTABLE : 'Beijing'
organizationName      : PRINTABLE : 'linzhennan'
organizationalUnitName: PRINTABLE : 'linzhennan.cn'
commonName            : PRINTABLE : 'linzhennan'
emailAddress          : IA5STRING : 'admin@linzhennan.cn'
Certificate is to be certified until Nov 24 00:38:26 2023 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@vpn easy-rsa]# ll keys/
total 108
-rw-r--r-- 1 root root 3902 Nov 26 08:37 01.pem
-rw-r--r-- 1 root root 3785 Nov 26 08:38 02.pem
-rw-r--r-- 1 root root 3793 Nov 26 08:38 03.pem
-rw-r--r-- 1 root root 3793 Nov 26 08:38 04.pem
-rw-r--r-- 1 root root 3786 Nov 26 08:39 05.pem
-rw-r--r-- 1 root root 1261 Nov 26 08:34 ca.crt
-rw------- 1 root root  887 Nov 26 08:34 ca.key
-rw-r--r-- 1 root root  245 Nov 26 08:35 dh1024.pem
-rw-r--r-- 1 root root  589 Nov 26 08:39 index.txt
-rw-r--r-- 1 root root  472 Nov 26 08:38 index.txt.old
-rw-r--r-- 1 root root 3793 Nov 26 08:38 linzhennan.crt
-rw-r--r-- 1 root root  765 Nov 26 08:38 linzhennan.csr
-rw------- 1 root root  887 Nov 26 08:38 linzhennan.key
-rw-r--r-- 1 root root    3 Nov 26 08:39 serial
-rw-r--r-- 1 root root    3 Nov 26 08:38 serial.old
-rw-r--r-- 1 root root 3902 Nov 26 08:37 server.crt
-rw-r--r-- 1 root root  761 Nov 26 08:36 server.csr
-rw------- 1 root root  891 Nov 26 08:36 server.key
8. Edit the configuration file. Port 61194 is personal preference (the default is 1194), protocol TCP. For the four entries ca, cert, key and dh, remember to use absolute paths.
server is the VPN subnet handed out to clients; verb 3 is the log verbosity level.
[root@vpn easy-rsa]# vim /etc/openvpn/server.conf
port 61194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 192.168.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 100 1200
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3
push "dhcp-option DNS 192.168.1.10"
push "dhcp-option DNS 203.196.1.6"
;crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
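As an added check for step 8 (example code, not part of the original post): a POSIX shell audit of server.conf that enforces the two points just made, absolute paths for the ca/cert/key/dh entries and a private key that only root can read. The fixture directory, its file names and the sample config are constructed for the example.

```shell
#!/bin/sh
# Audit the credential directives of an OpenVPN server.conf (added check, not from
# the original post). Every ca/cert/key/dh line must name an existing file by an
# absolute path, and the key file must not be readable by group or others.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_openvpn_conf() {
    findings=$(
        # Skip comment lines (# or ;) and keep only the four credential directives.
        awk '!/^[[:space:]]*[#;]/ && ($1=="ca"||$1=="cert"||$1=="key"||$1=="dh") {print $1, $2}' "$1" |
        while read -r directive path; do
            case "$path" in
                /*) ;;
                *)  echo "$directive: relative path '$path' (use an absolute path)"; continue ;;
            esac
            if [ ! -f "$path" ]; then
                echo "$directive: file not found: $path"; continue
            fi
            # The private key should be 0600: flag any group or other read bit.
            if [ "$directive" = key ] && [ -n "$(find "$path" \( -perm -040 -o -perm -004 \) -print)" ]; then
                echo "key: $path is readable by group or others (chmod 600 it)"
            fi
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed fixture so the script runs stand-alone: a keys/ directory with a
# world-readable server.key and a config that uses a relative path for cert.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/keys"
    for f in ca.crt server.crt server.key dh1024.pem; do : > "$dir/keys/$f"; done
    chmod 644 "$dir/keys/server.key"
    cat > "$dir/server.conf" <<EOF
ca $dir/keys/ca.crt
cert keys/server.crt
key $dir/keys/server.key # This file should be kept secret
dh $dir/keys/dh1024.pem
;crl-verify $dir/keys/crl.pem
EOF
    echo "$dir"
}

# Stand-alone run against the fixture: expect two findings (relative cert path, readable key).
if audit_openvpn_conf "$(make_fixture)/server.conf"; then echo "config clean"; else echo "fix the findings above"; fi
```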
9. Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
10. Start the service
[root@vpn easy-rsa]# /etc/openvpn/sbin/openvpn --config /etc/openvpn/server.conf &
[1] 5410
[root@vpn easy-rsa]# lsof -i:61194
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
openvpn 5410 root 5u IPv4 14228 TCP *:61194 (LISTEN)
[root@vpn network-scripts]# /etc/openvpn/sbin/openvpn --daemon --config /etc/openvpn/server.conf &