<![CDATA[静怡家园]]>

<![CDATA[静怡家园]]> http://www.zhanghaijun.com/index.php zh-cn http://www.zhanghaijun.com/post// <![CDATA[openvpn成功安装笔记使用rpm包安装]]> 碟舞飞扬 <webmaster@zhanghaijun.com> Mon, 16 May 2011 18:11:18 +0000 http://www.zhanghaijun.com/post//
1、安装加密软件包

[root@localhost ~]#rpm -ivh lzo-2.02-3.el5.kb.i386.rpm

2、安装openvpn

[root@localhost ~]#rpm -ivh openvpn-2.1-0.20.rc4.el5.kb.i386.rpm

3、复制生成证书密钥的文件夹

[root@localhost ~]#cp -r /usr/share/openvpn/easy-rsa/2.0/ /etc/openvpn/

4、复制范例的配制文件

[root@localhost ~]#cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn/

5、生成证书key

(1)初始化PKI

[root@localhost ~]# cd /etc/openvpn/2.0/

[root@localhost 2.0]# vi vars

修改正在面几项

export KEY_COUNTRY=”CN”(注：国家)

export KEY_PROVINCE=”SX”(注：省份)

export KEY_CITY=”XA”(注：城市)

export KEY_ORG=”VPN-TEST”(注：公司名称)

export KEY_EMAIL=”ganxing888@qq.com”(注：电子邮件)

[root@localhost 2.0]#env |grep KEY(先查看一下，看到是没有)

[root@localhost 2.0]# source ./vars

NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/2.0/keys

(注：如果你已经运行了./clean-all,就运行rm -rf /etc/openvpn/2.0/keys 删除)

[root@localhost 2.0]# env |grep KEY

KEY_EXPIRE=3650

KEY_EMAIL=ganxing888@qq.com

KEY_SIZE=1024

KEY_DIR=/etc/openvpn/2.0/keys

KEY_CITY=XA

KEY_PROVINCE=SX

KEY_ORG=VPN-TEST

KEY_CONFIG=/etc/openvpn/2.0/openssl.cnf

KEY_COUNTRY=CN

[root@localhost 2.0]#

[root@localhost 2.0]# ./clean-all (这时会在当前目录生成一个keys的目录)

生成ca文件

[root@localhost 2.0]# ./build-ca

Generating a 1024 bit RSA private key

….++++++

..++++++

writing new private key to ‘ca.key’

—–

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.’, the field will be left blank.

—–

Country Name (2 letter code) [CN]:

State or Province Name (full name) [SX]:

Locality Name (eg, city) [XA]:

Organization Name (eg, company) [VPN-TEST]:

Organizational Unit Name (eg, section) []:vpn

Common Name (eg, your name or your server’s hostname) [VPN-TEST CA]:server(注意一定要添server)

Email Address [ganxing888@qq.com]:

[root@localhost 2.0]# ls keys/ (可以看到keys下生成了ca.crt ca.key 两个文件)

(2)生成server key

[root@localhost 2.0]# ./build-key-server server

Generating a 1024 bit RSA private key

………..++++++

…………………………………………………++++++

writing new private key to ‘server.key’

—–

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.’, the field will be left blank.

—–

Country Name (2 letter code) [CN]:

State or Province Name (full name) [SX]:

Locality Name (eg, city) [XA]:

Organization Name (eg, company) [VPN-TEST]:

Organizational Unit Name (eg, section) []:vpn

Common Name (eg, your name or your server’s hostname) [server]:server

Email Address [ganxing888@qq.com]:

Please enter the following ‘extra’ attributes

to be sent with your certificate request

A challenge password []:boobooke(注：密码一定要添)

An optional company name []:

Using configuration from /etc/openvpn/2.0/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject’s Distinguished Name is as follows

countryName :PRINTABLE:’CN’

stateOrProvinceName :PRINTABLE:’SX’

localityName :PRINTABLE:’XA’

organizationName :PRINTABLE:’VPN-TEST’

organizationalUnitName:PRINTABLE:’vpn’

commonName :PRINTABLE:’server’

emailAddress :IA5STRING:’ganxing888@qq.com’

Certificate is to be certified until Dec 31 13:40:06 2019 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@localhost 2.0]#

[root@localhost 2.0]# ls keys/ (可以看到生成了server.crt server.csr server.key)

(3)生成客户端 key

[root@localhost 2.0]# ./build-key client1

Generating a 1024 bit RSA private key

……………………………..++++++

…..++++++

writing new private key to ‘client1.key’

—–

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.’, the field will be left blank.

—–

Country Name (2 letter code) [CN]:

State or Province Name (full name) [SX]:

Locality Name (eg, city) [XA]:

Organization Name (eg, company) [VPN-TEST]:

Organizational Unit Name (eg, section) []:vpn

Common Name (eg, your name or your server’s hostname) [client1]:

Email Address [ganxing888@qq.com]:

Please enter the following ‘extra’ attributes

to be sent with your certificate request

A challenge password []:boobooke

An optional company name []:

Using configuration from /etc/openvpn/2.0/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject’s Distinguished Name is as follows

countryName :PRINTABLE:’CN’

stateOrProvinceName :PRINTABLE:’SX’

localityName :PRINTABLE:’XA’

organizationName :PRINTABLE:’VPN-TEST’

organizationalUnitName:PRINTABLE:’vpn’

commonName :PRINTABLE:’client1′

emailAddress :IA5STRING:’ganxing888@qq.com’

Certificate is to be certified until Dec 31 13:43:36 2019 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

以上选项要和那个server的保持一致。

[root@localhost 2.0]# ls keys/ (可以看到生成了 client1.crt client1.key client1.csr )

生成Diffie Hellman

[root@localhost 2.0]# ./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2

This is going to take a long time

………………………………………………………………………………………………………………………………………………+……………………………………………+……………………………………+………………………………………………………+……..+………………………….+………………………………………….+…………………………………………………..

………………………………………+………………………………………………………………..+……………………………………………………………………………………………….+……………………….+……………+……………………………………………..+…………………..+……….+……….+.+………..+…………………………………..+………+…………………………………+…………………………………………+…………………….+…………………….+……………………………………………………………….+…………………………………+…..+……………………………………….+……………………+………………………………………….++*++*++*

[root@localhost 2.0]#

创建服务端配置文件

将keys下的 ca.crt server.crt server.key dh1024.pem 拷贝到/etc/openvpn下。

配制/etc/openvpn/server.conf

[root@localhost openvpn]# vi server.conf

port 1194

proto udp

dev tun

ca ca.crt

cert server.crt

key server.key

dh dh1024.pem

server 10.8.0.0 255.255.255.0

client-to-client

keepalive 10 120

comp-lzo

persist-key

persist-tun

status openvpn-status.log

verb 4

push “dhcp-option DNS “202.98.5.68″

“server.conf” 16L, 249C written

[root@localhost openvpn]#

启动服务

[root@localhost openvpn]# service openvpn restart

服务启动后用ifconfig查看可以看到有一个新的接口tun0

[root@localhost openvpn]# ifconfig

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00

inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255

UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1

RX packets:26 errors:0 dropped:0 overruns:0 frame:0

TX packets:22 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:100

RX bytes:2804 (2.7 KiB) TX bytes:18332 (17.9 KiB)

Windows上的客户端的设置

安装openvpn软件

copy 服务器上的/etc/openvpn/2.0/keys/下的ca.crt ca.key client1.crt client1.csr client1.key 到C:\Program Files\OpenVPN\config下

copy C:\Program Files\OpenVPN\sample-config\client.ovpn 到C:\Program Files\OpenVPN\config下

使用记事本编辑client.ovpn

client

dev tun

proto udp

remote 222.161.0.93 1194

persist-key

persist-tun

ca ca.crt

cert client1.crt

key client1.key

ns-cert-type server

comp-lzo

verb 3

redirect-gateway def1
Tags - openvpn ]]> http://www.zhanghaijun.com/post//#blogcomment <![CDATA[[评论] openvpn成功安装笔记使用rpm包安装]]> <user@domain.com> Thu, 01 Jan 1970 00:00:00 +0000 http://www.zhanghaijun.com/post//#blogcomment