OpenVPN Server Configuration (OpenVPN服务器配置.docx)
- Format: DOCX, 30 pages, 24.94KB
- Uploaded: 2023-05-28, shared on 冰豆网
OpenVPN Server Configuration

System information:
OS: Debian lenny
Keywords: VPN, OpenVPN, SSL, OpenSSL, certificates
Reference articles:
Notes on installing OpenVPN from source on Debian 5.0.2 [with MySQL + PAM authentication], 2nd edition
Notes on installing OpenVPN on Linux and the OpenVPN GUI on Windows
OpenVPN server setup explained
I. Download the required software

1. Install the build tools
# aptitude install gcc g++ make

2. Download the LZO library
# mkdir /home/src_software/
# cd /home/src_software/
# wget ...        (the LZO download URL did not survive in this copy; the archive unpacked below is lzo-2.03.tar.gz)
Note: LZO is a fast lossless compression library. OpenVPN uses it for the optional comp-lzo tunnel compression.

3. Download OpenSSL
# cd /home/src_software/
# wget http://www.openssl.org/source/openssl-0.9.8.tar.gz
Note: OpenVPN links against the OpenSSL library for the TLS handshake and the data-channel encryption. OpenSSL 0.9.8 (and OpenVPN 2.0.9 below) are long past end of life; treat the versions in this document as what the original author used, not as a recommendation for a new deployment.

4. Download OpenVPN
# cd /home/src_software
# wget ...        (the OpenVPN download URL did not survive in this copy; the archive unpacked below is openvpn-2.0.9.tar.gz)
II. Install OpenVPN and its dependencies

1. Install LZO
# cd /home/src_software/
# tar -zxvf lzo-2.03.tar.gz
# cd lzo-2.03
# ./configure --prefix=/usr/local/lzo && make && make install

Edit /etc/ld.so.conf so the dynamic linker can find the shared libraries. Two lines are added to the original list: with the prefixes chosen in this document the libraries land in /usr/local/lzo/lib and /usr/local/openssl/lib, which none of the standard directories covers. (The keyword is lowercase include; Debian's stock /etc/ld.so.conf already contains that line, so repeating it is harmless but unnecessary.)
# cat >> /etc/ld.so.conf <<EOF
include /etc/ld.so.conf.d/*.conf
/lib
/lib64
/usr/lib
/usr/lib64
/usr/local/lib
/usr/local/lib64
/usr/local/lzo/lib
/usr/local/openssl/lib
EOF
After editing, run
# ldconfig
to rebuild the linker cache from /etc/ld.so.conf, i.e. to make the newly installed shared libraries visible to programs.
2. Install OpenSSL
# cd ..
# tar -zxvf openssl-0.9.8.tar.gz
# cd openssl-0.9.8
# ./config --prefix=/usr/local/openssl && make && make install

3. Install OpenVPN
# cd ..
# tar -zxvf openvpn-2.0.9.tar.gz
# cd openvpn-2.0.9
# ./configure --prefix=/usr/local/openvpn && make && make install
If configure reports that it cannot find the LZO or OpenSSL headers or libraries (they were installed under non-standard prefixes above), point it at them with the --with-lzo-headers, --with-lzo-lib, --with-ssl-headers and --with-ssl-lib options that OpenVPN 2.0's configure script provides.
III. Configure the OpenVPN server

1. Create the configuration environment
# mkdir -p /etc/openvpn
# cp -R /home/src_software/openvpn-2.0.9/easy-rsa /etc/openvpn
# cd /etc/openvpn/easy-rsa/2.0
# ls
The listing is a set of scripts; briefly:
vars: sets the environment variables the other scripts read (key size, certificate lifetime, default DN fields, key directory). It must be sourced into the current shell, not executed.
clean-all: wipes and recreates the keys directory together with the empty index.txt and serial files the CA database needs
build-ca: generates the CA certificate and private key (interactive)
build-dh: generates the Diffie-Hellman parameters file
build-key-server: generates the server key and certificate, adding the nsCertType=server extension (interactive)
build-key: generates a client key and certificate (interactive)
pkitool: generates certificates directly from the vars settings (non-interactive); build-key and build-key-server are wrappers around it
2. Generate the CA certificate and key [type carefully: a mistake in the CA propagates into every certificate it signs]
Initialise the environment variables. Read the script and you will see what it does:
# ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
Make sure you understand that warning: clean-all deletes every existing key and certificate under keys/. Note also that ./vars as written only runs the script in a child shell and prints the notice; the exports take effect when the file is sourced, which the source command below does.
# chmod +x *
(The original uses chmod +rwx *; execute permission on the scripts is all that is needed.)
Edit the vars file and set the default DN fields:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="BeiJing"
export KEY_ORG="NCS"
export KEY_EMAIL=crf@ncs-
vars also sets KEY_SIZE=1024 by default. 1024-bit RSA is no longer considered adequate, so raise it to 2048 before generating anything; the transcripts below show the 1024-bit default the author used.
# source ./vars
3. Initialise the keys directory and generate the CA
# ./clean-all
# ./build-ca
Generating a 1024 bit RSA private key
....++++++
.++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BeiJing]:
Organization Name (eg, company) [NCS]:
Organizational Unit Name (eg, section) []:ncs
Common Name (eg, your name or your server's hostname) [NCS CA]:
Email Address [ncs@ncs-]:
# ls keys
ca.crt and ca.key have now been generated. ca.key is the CA signing key: anyone who holds it can issue certificates that this VPN will accept, so it stays on this host with mode 0600 and is never copied to clients.
4. Generate the Diffie-Hellman parameters
# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
......+......+...+......(progress dots elided)......+*++*++*
# ls -l keys/dh1024.pem
A 1024-bit Diffie-Hellman parameter file has been generated. The size follows KEY_SIZE in vars; with KEY_SIZE=2048 the file is named dh2048.pem and the server configuration must refer to it by that name.
5. Generate the server certificate and key
# ./build-key-server ncs-server
Fill in the fields as prompted. ncs-server is the name you give the server certificate (it becomes both the Common Name and the file name); the files produced for the server are ncs-server.crt and ncs-server.key. Unlike build-key, build-key-server adds the nsCertType=server extension, which is what lets a client distinguish the real server from any other certificate this CA has issued.
Generating a 1024 bit RSA private key
.......................................++++++
..........++++++
writing new private key to 'ncs-server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BeiJing]:
Organization Name (eg, company) [NCS]:
Organizational Unit Name (eg, section) []:ncs
Common Name (eg, your name or your server's hostname) [ncs-server]:
Email Address [ncs@ncs-]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/f
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'BeiJing'
organizationName      :PRINTABLE:'NCS'
organizationalUnitName:PRINTABLE:'ncs'
commonName            :PRINTABLE:'ncs-server'
emailAddress          :IA5STRING:'ncs@ncs-'
Certificate is to be certified until Sep 25 09:20:49 2019 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Copy the files the server needs to /etc/openvpn/:
# cp keys/{ca.crt,ncs-server.crt,ncs-server.key,dh1024.pem} /etc/openvpn/
# chmod 600 /etc/openvpn/ncs-server.key
The original also copies ca.key here. The server never uses it (it only verifies client certificates against ca.crt), so leave the CA key in the easy-rsa keys directory, or better still on a machine that is not the VPN server.
6. Generate a client certificate and key
Use build-key for each client:
# ./build-key ncs-user1
Fill in the fields as prompted; keys/ will then contain ncs-user1.crt, ncs-user1.csr and ncs-user1.key. (The transcript below and the packaging step use the shorter name user1. Whatever name you pass to build-key is what appears in the file names and in the Common Name, so use one name consistently.) Give every client its own certificate: the Common Name is how the server tells clients apart, and revoking one person's certificate must not lock out everyone else.
Generating a 1024 bit RSA private key
..................++++++
..............++++++
writing new private key to 'user1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BeiJing]:
Organization Name (eg, company) [NCS]:
Organizational Unit Name (eg, section) []:ncs
Common Name (eg, your name or your server's hostname) [user1]:
Email Address [ncs@ncs-]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/f
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'BeiJing'
organizationName      :PRINTABLE:'NCS'
organizationalUnitName:PRINTABLE:'ncs'
commonName            :PRINTABLE:'user1'
emailAddress          :IA5STRING:'ncs@ncs-'
Certificate is to be certified until Sep 25 09:22:32 2019 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
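Steps 2 to 6 above are the interactive easy-rsa route. The following is an added example, not from the tutorial and not easy-rsa's own code, that performs the same issuance non-interactively with the plain openssl command so that the one property the client later relies on is explicit: the server certificate carries nsCertType=server, a client certificate does not. It reuses the DN values from this document, uses 2048-bit keys instead of easy-rsa 2.0's 1024-bit default, and leaves out the DH parameters (openssl dhparam -out dh2048.pem 2048 does what build-dh does). The function names, the .ext files and the directory layout are this example's own choices.

```shell
#!/bin/sh
# Added example: non-interactive equivalent of build-ca / build-key-server / build-key
# using the openssl CLI. Requires an openssl binary; everything is written under DIR.
set -u

# DN fields copied from the tutorial's vars settings
DN_BASE="/C=CN/ST=BJ/L=BeiJing/O=NCS/OU=ncs"

# _issue NAME EXTFILE: key + CSR for NAME, signed by ./ca.crt with the extensions
# in EXTFILE (run with the CA directory as the current directory)
_issue() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "$DN_BASE/CN=$1" 2>/dev/null || return 1
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out "$1.crt" -days 3650 -extfile "$2" 2>/dev/null || return 1
    chmod 600 "$1.key"
}

# gen_pki DIR SERVER_NAME CLIENT_NAME: CA, one server cert, one client cert
gen_pki() {
    dir=$1; server=$2; client=$3
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        # build-ca equivalent: self-signed CA, 3650 days like easy-rsa's CA_EXPIRE
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
            -days 3650 -subj "$DN_BASE/CN=NCS CA" 2>/dev/null || exit 1
        chmod 600 ca.key                      # the CA signing key never leaves this host
        # build-key-server equivalent: the "server" extension set
        printf 'nsCertType=server\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > server.ext
        _issue "$server" server.ext || exit 1
        # build-key equivalent: client-only usage, no nsCertType=server
        printf 'nsCertType=client\nextendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > client.ext
        _issue "$client" client.ext || exit 1
    )
}

# cert_role DIR NAME: prints server, client or none from the certificate's nsCertType
cert_role() {
    text=$(openssl x509 -in "$1/$2.crt" -noout -text)
    case "$text" in
        *"SSL Server"*) echo server ;;
        *"SSL Client"*) echo client ;;
        *)              echo none ;;
    esac
}

# chain_ok DIR NAME: 0 if NAME.crt verifies against DIR/ca.crt
chain_ok() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}
```

cert_role is the check worth running on any certificate you are about to install on the server: if it prints client, a client could impersonate the server towards other clients, which is exactly the situation the ns-cert-type directive in the client configuration is meant to catch.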
Package the files the client needs: ca.crt, user1.crt and user1.key. The original packs five files, adding ca.key and user1.csr; the .csr is of no use to the client, and ca.key must never leave the CA. A client bundle that contains the CA private key lets whoever obtains the bundle issue certificates for any user, or for the server itself.
# mkdir user-key
# cp keys/{ca.crt,user1.crt,user1.key} user-key/
# chmod 600 user-key/user1.key
# tar -zcvf user-key.tar.gz user-key
Copy this archive to the client over an authenticated channel (scp, not e-mail), and remove the copy from the server once it has been delivered.
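A small packer for the step above, as an added example that is not part of the tutorial: it takes an easy-rsa keys/ directory and a client name, copies only ca.crt, the client certificate and the client key, fixes the key's permissions, and refuses to produce an archive if ca.key somehow ended up inside. The function names are this example's own, and make_fake_keydir writes placeholder files (not real keys) so the packer can be exercised without running easy-rsa.

```shell
#!/bin/sh
# Added example: build a client bundle that cannot contain the CA private key.
# make_client_bundle KEYDIR NAME OUTDIR -> prints OUTDIR/NAME.tar.gz on success
set -u

make_client_bundle() {
    keydir=$1; name=$2; outdir=$3
    # the client needs exactly these three files
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -f "$keydir/$f" ] || { echo "missing $keydir/$f" >&2; return 1; }
    done
    mkdir -p "$outdir/$name" || return 1
    cp "$keydir/ca.crt" "$keydir/$name.crt" "$keydir/$name.key" "$outdir/$name/" || return 1
    chmod 600 "$outdir/$name/$name.key"                       # private key: owner only
    chmod 644 "$outdir/$name/ca.crt" "$outdir/$name/$name.crt"
    ( cd "$outdir" && tar -czf "$name.tar.gz" "$name" ) || return 1
    # belt and braces: never ship an archive that carries the CA signing key
    if bundle_leaks_ca_key "$outdir/$name.tar.gz"; then
        rm -f "$outdir/$name.tar.gz"
        echo "refusing to ship a bundle containing ca.key" >&2
        return 1
    fi
    printf '%s\n' "$outdir/$name.tar.gz"
}

# bundle_leaks_ca_key ARCHIVE: true (0) if any member of the tarball is named ca.key
bundle_leaks_ca_key() {
    tar -tzf "$1" | grep -Eq '(^|/)ca\.key$'
}

# make_fake_keydir DIR NAME: constructed placeholder files, not real keys, laid out
# the way easy-rsa's keys/ directory is after build-ca and build-key NAME
make_fake_keydir() {
    mkdir -p "$1"
    for f in ca.crt ca.key "$2.crt" "$2.key" "$2.csr"; do
        printf 'placeholder for %s\n' "$f" > "$1/$f"
    done
}
```

Usage on the real directory from this document would be make_client_bundle /etc/openvpn/easy-rsa/2.0/keys user1 /root/bundles; bundle_leaks_ca_key is also a useful one-liner to run over any old client archives still lying around.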
7. Create the OpenVPN configuration file
The easiest way to write a configuration is to start from the samples in sample-config-files/ in the source tree. In this example the server configuration is called server.conf and the client configuration client.conf; adapt them as needed.
# cp /home/src_software/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/openvpn.conf
# mkdir -p /usr/local/openvpn/logs
# groupadd nobody
# vim /etc/openvpn/openvpn.conf
(The sample file drops privileges with user nobody and group nobody; Debian's unprivileged group is nogroup, so the author creates a nobody group rather than editing those lines.)
#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# This config should work on Windows            #
# or Linux/BSD systems.  Remember on            #
# Windows to quote pathnames and use            #
# double backslashes, e.g.:                     #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.  You will need to
# open up this port on your firewall.
#port 1194
port 2009

# TCP or UDP server?
;proto tcp
#proto udp
proto tcp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one.  On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node

The copy of the file ends here. The author's visible changes to the sample are the listening port (2009 instead of 1194) and the protocol (TCP instead of UDP); before starting the server, the directives that name the CA certificate, server certificate, server key and DH parameters must also be set to the files copied into /etc/openvpn above (ca.crt, ncs-server.crt, ncs-server.key, dh1024.pem), and the client side has to use the same port and protocol.