I. OpenVPN installation environment
Server-side environment:
1. CentOS, kernel version 2.6.18, IP 192.168.1.254 (virtual machine 6.5)
2. The kernel must support the tun device, and the iptables module must be loaded.
3. OpenVPN version installed: 2.1.rc15 (the latest version at the time; it can be downloaded from http://openvpn.net).
Client-side environment:
1. Windows XP SP2
2. openvpn-2.0.9-gui-1.0.3-install.exe
II. OpenVPN server installation
1. Log in to CentOS with PuTTY
2. Download OpenVPN 2.1.rc15
wget http://openvpn.net/release/openvpn-2.1_rc15.tar.gz
lzo-2.03.tar.gz
3. Install LZO and OpenVPN
tar zxvf lzo-2.03.tar.gz
cd lzo-2.03
./configure
make
make install
cd ..
tar zxvf openvpn-2.1_rc15.tar.gz
cd openvpn-2.1_rc15
./configure
make
make install
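The post lists two kernel requirements (tun support, iptables) and builds OpenVPN with LZO, but never checks that the installed binary actually satisfies them. The script below is an added example, not code from the original post: it parses the banner of openvpn --version to confirm the version and LZO support, and checks the tun device and iptables on the host. It assumes a Linux host with modprobe and iptables installed, as on the CentOS server in the post, and that make install placed openvpn on PATH (by default /usr/local/sbin).

```shell
#!/bin/sh
# Added example, not code from the original post: checks that the build above
# produced a usable binary and that the host meets the two kernel requirements
# the post lists (tun device, iptables). Assumes a Linux host with modprobe and
# iptables installed, as on the CentOS server in the post.

# Version field of the first line of `openvpn --version`, e.g.
# "OpenVPN 2.1_rc15 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on ..." -> "2.1_rc15"
version_from_banner() {
  printf '%s\n' "$1" | sed -n '1s/^OpenVPN \([^ ]*\) .*/\1/p'
}

# 0 if the banner shows LZO was compiled in; without it the comp-lzo line in
# server.conf is rejected as an unrecognized option when the daemon starts
banner_has_lzo() {
  case "$1" in *"[LZO"*) return 0 ;; *) return 1 ;; esac
}

# 0 if the tun character device exists, loading the module first if needed
tun_ok() {
  [ -c /dev/net/tun ] && return 0
  modprobe tun 2>/dev/null || return 1
  [ -c /dev/net/tun ]
}

preflight() {
  bin=$(command -v openvpn) ||
    { echo "openvpn not on PATH; make install puts it in /usr/local/sbin"; return 1; }
  banner=$("$bin" --version 2>&1 || true)
  echo "binary: $bin, version: $(version_from_banner "$banner")"
  banner_has_lzo "$banner" || echo "WARNING: no LZO support in $bin"
  tun_ok && echo "tun device OK" || echo "WARNING: /dev/net/tun missing and 'modprobe tun' failed"
  # the post only says the iptables module must be loaded; confirm the tool can reach it
  iptables -L -n >/dev/null 2>&1 && echo "iptables OK" || echo "WARNING: iptables not usable"
}

# Run as "sh preflight.sh run" (the functions can also be sourced on their own)
case "${1:-}" in run) preflight ;; esac
```

Run it once after make install and again after any kernel update: a rebuilt kernel without the tun module is the usual reason a previously working server stops bringing up its interface.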
Copy the configuration files:
cp -rf /root/openvpn-2.1_rc15/ /etc/openvpn
Generate the certificates
Initialize the PKI
Edit /etc/openvpn/easy-rsa/2.0/vars
and add the following:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="CN"
export KEY_CITY="beijing"
export KEY_ORG="beijing"
export KEY_EMAIL="[email protected]"
Save.
III. Create the certificate authority (CA)
cd /etc/openvpn/easy-rsa/2.0
. ./vars   # clean-all and build-* refuse to run until vars has been sourced
[root@server 2.0]# ./clean-all
[root@server 2.0]# ./build-ca
Generating a 1024 bit RSA private key
.............++++++
........................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CN]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [test]:beijing
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [test CA]:
Name []:
Email Address [[email protected]]:
IV. Build the server key
Run ./build-key-server server
[root@server 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
.....++++++
...............................................................................................................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CN]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [test]:beijing
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Name []:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'CN'
localityName :PRINTABLE:'beijing'
organizationName :PRINTABLE:'beijing'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Aug 12 14:55:28 2019 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@server 2.0]#
V. Generate client keys
[root@server 2.0]# ./build-key test
Generating a 1024 bit RSA private key
.........................++++++
..................++++++
writing new private key to 'test.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CN]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [test]:beijing
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [test]:
Name []:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'CN'
localityName :PRINTABLE:'beijing'
organizationName :PRINTABLE:'beijing'
commonName :PRINTABLE:'test'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Aug 12 14:57:18 2019 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@server 2.0]#
Build the other client keys the same way:
./build-key test2
./build-key test3
Generate the Diffie-Hellman parameters
Run
./build-dh
Pack up all the files under keys and download them to the local machine (via WinSCP, HTTP, FTP, etc.)
Create the server configuration file
cp /root/openvpn-2.1_rc15/sample-config-files/server.conf /etc/openvpn
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
# build-dh writes dh1024.pem into keys/, next to the files above, so point at it there
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
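Two things in the certificate steps and the server.conf above are easy to get wrong silently: the dh line in server.conf is resolved relative to the daemon's working directory while the other file lines are absolute, and build-key-server differs from build-key only in the nsCertType=server extension it stamps on the certificate. The script below is an added example, not code from the original post. It verifies every file server.conf references, checks the permissions on the private keys, confirms server.crt chains to ca.crt and carries the server mark. It assumes the easy-rsa paths used in the post, GNU stat, and an openssl binary on the server; the resolve_path rule assumes the daemon is started from the config file's directory (for example with --cd /etc/openvpn).

```shell
#!/bin/sh
# Added example, not code from the original post. Checks the material produced by
# the easy-rsa steps above and the files server.conf points at. Assumes the paths
# from the post, GNU stat and an openssl binary on the server.
KEYS_DIR="${KEYS_DIR:-/etc/openvpn/easy-rsa/2.0/keys}"
CONF="${CONF:-/etc/openvpn/server.conf}"

# OpenVPN resolves a relative file name from its working directory; here we
# assume the daemon is started from the config file's directory (e.g. via --cd).
resolve_path() {   # $1 = config file, $2 = path from a directive
  case "$2" in
    /*) printf '%s\n' "$2" ;;
    *)  printf '%s/%s\n' "$(dirname "$1")" "$2" ;;
  esac
}

# Report every ca/cert/key/dh/tls-auth file named in the config; fail if one is missing
check_conf_files() {   # $1 = config file
  conf=$1
  sed 's/[#;].*//' "$conf" | awk '$1 ~ /^(ca|cert|key|dh|tls-auth)$/ { print $1, $2 }' | {
    missing=0
    while read -r directive path; do
      full=$(resolve_path "$conf" "$path")
      if [ -f "$full" ]; then echo "ok      $directive -> $full"
      else echo "MISSING $directive -> $full"; missing=1; fi
    done
    [ "$missing" -eq 0 ]
  }
}

# A private key must be readable by its owner only
key_mode_ok() {   # $1 = key file
  mode=$(stat -c %a "$1" 2>/dev/null) || return 1
  case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Pull the CN out of `openssl x509 -noout -subject` output, in either the old
# "subject= /C=CN/.../CN=server/..." or the newer "subject=C = CN, ..., CN = server, ..." form
cn_from_subject() {
  printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

check_keys() {
  for f in ca.crt server.crt server.key dh1024.pem; do
    [ -f "$KEYS_DIR/$f" ] || { echo "MISSING $KEYS_DIR/$f"; return 1; }
  done
  for k in "$KEYS_DIR"/*.key; do
    key_mode_ok "$k" || echo "WARNING: $k is readable by others; run chmod 600 $k"
  done
  # server.crt must chain to ca.crt and carry the CN given to build-key-server
  openssl verify -CAfile "$KEYS_DIR/ca.crt" "$KEYS_DIR/server.crt" || return 1
  echo "server certificate CN: $(cn_from_subject "$(openssl x509 -in "$KEYS_DIR/server.crt" -noout -subject)")"
  # build-key-server sets nsCertType=server (openssl prints it as "SSL Server"); build-key does not.
  # That mark is what lets a client configured with "ns-cert-type server" reject a client
  # certificate being presented as the server.
  if openssl x509 -in "$KEYS_DIR/server.crt" -noout -text | grep -q 'SSL Server'; then
    echo "server.crt is marked nsCertType=server"
  else
    echo "WARNING: server.crt lacks nsCertType=server (made with build-key instead of build-key-server?)"
  fi
}

# Run as "sh check-pki.sh run"
case "${1:-}" in run) check_keys && check_conf_files "$CONF" ;; esac
```

Because build-key test and its siblings produce certificates signed by the same CA but without the server mark, the client-side config later in the post can add the line ns-cert-type server (supported by the 2.0.9 client) so that a leaked client certificate cannot be used to stand in for 192.168.1.254.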
Client side:
# Download and install OpenVPN (GUI version)
http://openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe
# Set up the environment
Go to the directory "c:\Program Files\OpenVPN\easy-rsa"
Save openssl.cnf.sample as openssl.cnf
Save vars.bat.sample as vars.bat
Edit vars.bat:
set KEY_COUNTRY="CN"
set KEY_PROVINCE="CN"
set KEY_CITY="beijing"
set KEY_ORG="beijing"
set KEY_EMAIL="[email protected]"
(The contents must match the server, especially KEY_ORG.)
Install the CA file // done on the client
Go to the c:\Program Files\OpenVPN\config directory
Download XXX.crt (the client certificate name) and ca.crt from the server into the local OpenVPN config directory
# Copy client.ovpn from the sample directory:
Copy
c:\Program Files\OpenVPN\config\sample-config\client.ovpn
to the c:\Program Files\OpenVPN\config directory
# Configure the client
Right-click the OpenVPN GUI icon in the bottom-right corner
--> Edit Config (leave anything not mentioned here unchanged)
# must match the server, which uses dev tun; a tun/tap mismatch will not connect
dev tun
;dev tap
remote 192.168.1.254 1194
ca ca.crt
cert test.crt
key test.key
Double-click the openvpn-gui icon at the bottom right of the desktop; a window pops up showing that it is connecting.
Test: cmd --> ipconfig /all
ping 10.8.0.1
To give a client a specific IP address instead of an automatically allocated one, do the following:
Go to /etc/openvpn/ccd,
vi client1 and write ifconfig-push 10.8.0.X 255.255.255.0 into it
to bind the virtual IP.
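The ccd step above leaves out two details that decide whether the pinned address is ever applied. The server only consults that directory when server.conf contains client-config-dir ccd, and the file name must be the client certificate's Common Name (test, test2, ... as given to ./build-key), not an arbitrary label. Also, the netmask form shown above applies with topology subnet; with the net30 topology that OpenVPN 2.1 uses by default for dev tun (and that the 2.0.9 Windows client expects), ifconfig-push takes the two ends of a /30 pair, mirroring what the address pool hands out (client .6, server endpoint .5 for the first block). The script below is an added example, not code from the original post: it writes a ccd entry for a given CN and slot, rejects CNs that are not plain certificate names, checks for duplicate pinned addresses, and tells you when server.conf is missing the directive. It assumes the 10.8.0.0/24 server line from the post; the slot numbering is my own convention.

```shell
#!/bin/sh
# Added example, not code from the original post: pin a client to a fixed tunnel
# address via /etc/openvpn/ccd/<CN> and check the conditions the post leaves implicit.
# Assumes the "server 10.8.0.0 255.255.255.0" line from the post and the default
# net30 topology; slot numbering below is a convention chosen for this example.
OPENVPN_DIR="${OPENVPN_DIR:-/etc/openvpn}"

# Slot n (1..62) -> the /30 block 10.8.0.(4n)/30; prints "<client addr> <server endpoint>"
net30_pair() {
  n=$1
  case "$n" in ''|*[!0-9]*) return 1 ;; esac
  [ "$n" -ge 1 ] && [ "$n" -le 62 ] || return 1
  base=$((4 * n))
  printf '10.8.0.%d 10.8.0.%d\n' "$((base + 2))" "$((base + 1))"
}

# The CN becomes a path component under ccd/, so accept only what build-key would produce
cn_is_safe() {
  case "$1" in ''|*[!A-Za-z0-9._-]*|.|..) return 1 ;; *) return 0 ;; esac
}

# Write ccd/<CN> holding the ifconfig-push line for the given slot
write_ccd_entry() {   # $1 = CN, $2 = slot, $3 = ccd directory
  cn_is_safe "$1" || { echo "refusing CN '$1'" >&2; return 1; }
  pair=$(net30_pair "$2") || { echo "bad slot '$2'" >&2; return 1; }
  mkdir -p "$3"
  printf 'ifconfig-push %s\n' "$pair" > "$3/$1"
}

# 0 if server.conf enables client-config-dir (commented-out lines do not count)
conf_has_ccd() {   # $1 = server.conf
  sed 's/[#;].*//' "$1" | grep -q '^[[:space:]]*client-config-dir[[:space:]]'
}

# 0 if no two ccd files pin the same client address
ccd_slots_unique() {   # $1 = ccd directory
  [ -d "$1" ] || return 0
  n=$(cat "$1"/* 2>/dev/null | awk '$1 == "ifconfig-push" { print $2 }' |
      sort | uniq -d | awk 'END { print NR }')
  [ "$n" -eq 0 ]
}

# Usage: sh ccd-pin.sh add <CN> <slot>
case "${1:-}" in
  add)
    write_ccd_entry "$2" "$3" "$OPENVPN_DIR/ccd" || exit 1
    conf_has_ccd "$OPENVPN_DIR/server.conf" ||
      echo "NOTE: add 'client-config-dir ccd' to $OPENVPN_DIR/server.conf and restart openvpn" >&2
    ccd_slots_unique "$OPENVPN_DIR/ccd" ||
      echo "WARNING: two ccd files pin the same address" >&2
    ;;
esac
```

After adding an entry, the status file named in server.conf (openvpn-status.log) is the quickest way to confirm the client really received the pinned address on its next connection.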
This article is from the "影子騎士" (Shadow Knight) blog; please keep this source: http://andylhz2009.blog.51cto.com/728703/192520