# NOTE: If you installed from an RPM, # don't edit this file in place in # /usr/share/openvpn/easy-rsa -- # instead, you should copy the whole # easy-rsa directory to another location # (such as /etc/openvpn) so that your # edits will not be wiped out by a future # OpenVPN package upgrade.
# This variable should point to # the top level of the easy-rsa # tree. export D=`pwd`
# This variable should point to # the openssl.cnf file included # with easy-rsa. export KEY_CONFIG=$D/openssl.cnf
# Edit this variable to point to # your soon-to-be-created key # directory. # # WARNING: clean-all will do # a rm -rf on this directory # so make sure you define # it correctly! export KEY_DIR=$D/keys
# Issue rm -rf warning echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# Increase this to 2048 if you # are paranoid. This will slow # down TLS negotiation performance # as well as the one-time DH parms # generation process. export KEY_SIZE=1024
# These are the default values for fields # which will be placed in the certificate. # Don't leave any of these fields blank. # 定義你所在的國家,2個字符 export KEY_COUNTRY=CN # 你所在的省份 export KEY_PROVINCE=Liaoning # 你所在的城市 export KEY_CITY=Shenyang # 你所在的組織 export KEY_ORG="ELM OpenVPN ORG" # 你的單位 export KEY_OU="OpenVPN Service" # 你的郵件地址 export KEY_EMAIL="[email protected]" -------------CUT Here----------------- 修改後保存,下面我們開始什成keys,以下為shell命令 "#" 為提示符 #. vars #使修改的變量生效 NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys #./clean-all #初始化keys目錄,創建所需要的文件和目錄 #./build-ca #什成Root CA證書,用於簽發Server和Client證書,請保護好keys/ca.key文件。 Generating a 1024 bit RSA private key ........................++++++ .............++++++ writing new private key to 'ca.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: #如果無需修改,直接回車 State or Province Name (full name) [Liaoning]: Locality Name (eg, city) [Shenyang]: Organization Name (eg, company) [ELM OpenVPN ORG]: Organizational Unit Name (eg, section) [OpenVPN Service]: Common Name (eg, your name or your server's hostname) []:OpenVPN Root CA Email Address [[email protected]]:
# ls keys ca.crt ca.key index.txt serial 我們可以看到ca.crt ca.key文件已經什成了。 下面我們為服務器生成 Diffie-Hellman 文件 # ./build-dh #TLS server 需要使用的一個文件 Generating DH parameters, 1024 bit long safe prime, generator 2 This is going to take a long time ..+..............................................................+....................................................................+.. 創建並簽發VPN Server使用的CA # ./build-key-server server # server 為創建後的文件名,分別為server.crt server.key Generating a 1024 bit RSA private key ......................++++++ ...............++++++ writing new private key to 'server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [Liaoning]: Locality Name (eg, city) [Shenyang]: Organization Name (eg, company) [ELM OpenVPN ORG]: Organizational Unit Name (eg, section) [OpenVPN Service]: Common Name (eg, your name or your server's hostname) []:Server No.1 Email Address [[email protected]]:
Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/openvpn/easy-rsa/openssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'Liaoning' localityName :PRINTABLE:'Shenyang' organizationName :PRINTABLE:'ELM OpenVPN ORG' organizationalUnitName:PRINTABLE:'OpenVPN Service' commonName :PRINTABLE:'Server No.1' emailAddress :IA5STRING:'[email protected]' Certificate is to be certified until Feb 26 14:43:44 2015 GMT (3650 days) Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
接下來為VPN Client頒發CA證書,如果以後要為其他Client頒發證書,直接使用build-key命令簽發新證書。 # ./build-key elm Generating a 1024 bit RSA private key ........++++++ ....................++++++ writing new private key to 'elm.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [Liaoning]: Locality Name (eg, city) [Shenyang]: Organization Name (eg, company) [ELM OpenVPN ORG]: Organizational Unit Name (eg, section) [OpenVPN Service]: Common Name (eg, your name or your server's hostname) []:ELM #注意Common Name最好不要相同,如果相同[server要加duplicate-cn選項],那麼Email地址也不能相同 Email Address [[email protected]]:
Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/openvpn/easy-rsa/openssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'Liaoning' localityName :PRINTABLE:'Shenyang' organizationName :PRINTABLE:'ELM OpenVPN ORG' organizationalUnitName:PRINTABLE:'OpenVPN Service' commonName :PRINTABLE:'ELM' emailAddress :IA5STRING:'[email protected]' Certificate is to be certified until Feb 26 14:45:36 2015 GMT (3650 days) Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated 為防止惡意攻擊(如DOS、UDP port flooding),我們生成一個"HMAC firewall" #openvpn --genkey --secret keys/ta.key 生成證書吊銷鏈文件,防止日後有人丟失證書,被非法用戶接入VPN #./make-crl vpncrl.pem Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
# Windows needs the TAP-Win32 adapter name # from the Network Connections panel # if you have more than one. On XP SP2, # you may need to disable the firewall # for the TAP adapter. ;dev-node MyTap
# 如果你使用HTTP代理連接VPN Server,把Proxy的IP地址和端口寫到下面 # 如果代理需要驗證,使用http-proxy server port [authfile] [auth-method] # 其中authfile是一個2行的文本文件,用戶名和密碼各占一行,auth-method可以省略,詳細信息查看Manual ;http-proxy-retry # retry on connection failures ;http-proxy [proxy server] [proxy port #]
# 對於無線設備使用VPN的配置,看看就明白了 # Wireless networks often produce a lot # of duplicate packets. Set this flag # to silence duplicate packet warnings. ;mute-replay-warnings
# Root CA 文件的文件名,用於驗證Server CA證書合法性,通過easy-rsa/build-ca生成的ca.crt,和Server配置裡的ca.crt是同一個文件 ca ca.crt # easy-rsa/build-key生成的key pair文件,上面生成key部分中有提到,不同客戶使用不同的keys修改以下兩行配置並使用他們的keys即可。 cert elm.crt key elm.key
# Server使用build-key-server腳本什成的,在x509 v3擴展中加入了ns-cert-type選項 # 防止VPN client使用他們的keys + DNS hack欺騙vpn client連接他們假冒的VPN Server # 因為他們的CA裡沒有這個擴展 ns-cert-type server