Linux VPN

| Posted in Linux |

System environment: CentOS 5. Host VPNSRV01 is my VPN server and host VPNCLNT00 is my test VPN client.
 
Installing OpenVPN with yum
=========================================================
[root@VPNSRV01]# yum install openvpn*
Dependencies Resolved
=============================================================================
 Package                 Arch       Version          Repository        Size
=============================================================================
Installing:
 openvpn    (main package)          i386       2.0.9-1.el4.rf   dag               345 k
Installing for dependencies:
 lzo2         (dependency)          i386       2.02-3.el4.rf    dag               101 k
 openssl097a   (dependency)         i386       0.9.7a-9         base              825 k
Transaction Summary
=============================================================================
Install      3 Package(s)        
Update       0 Package(s)        
Remove       0 Package(s)        
Total download size: 1.2 M
Is this ok [y/N]: y
Downloading Packages:
(1/3): openvpn-2.0.9-1.el 100% |=========================| 345 kB    00:06    
(2/3): openssl097a-0.9.7a 100% |=========================| 825 kB    00:00    
(3/3): lzo2-2.02-3.el4.rf 100% |=========================| 101 kB    00:03    
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID e8562897
Importing GPG key 0xE8562897 "CentOS-5 Key (CentOS 5 Official Signing Key)
<centos-5-key@centos.org>" from ftp://123.123.123.214//RPM-GPG-KEY-CentOS-5
Is this ok [y/N]: y
Running Transaction Test
warning: openvpn-2.0.9-1.el4.rf: Header V3 DSA signature: NOKEY, key ID
6b8d79e6
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: lzo2                         ######################### [1/3]
  Installing: openssl097a                  ######################### [2/3]
  Installing: openvpn                      ######################### [3/3]
Installed: openvpn.i386 0:2.0.9-1.el4.rf
Dependency Installed: lzo2.i386 0:2.02-3.el4.rf openssl097a.i386 0:0.9.7a-9
Complete!
 
 
 
Installing the PAM packages
===============================================================
[root@VPNSRV01]# yum install pam*
Dependencies Resolved
=============================================================================
 Package                 Arch       Version          Repository        Size
=============================================================================
Installing:
 pam-devel               i386       0.99.6.2-3.14.el5  base              186 k
 pam_abl                 i386       0.2.3-1.el4.rf   dag                50 k
 pam_script              i386       0.1.7-1.el4.rf   dag                11 k
 pam_shield              i386       0.9.2-1.el4.rf   dag                39 k
 pam_ssh                 i386       1.91-1.el4.rf    dag                88 k
 pamtester               i386       0.1.2-1.el4.rf   dag                15 k
Installing for dependencies:
 compat-db               i386       4.2.52-5.1       base              1.7 M
Transaction Summary
=============================================================================
Install      7 Package(s)        
Update       0 Package(s)        
Remove       0 Package(s)        
Total download size: 2.1 M
Is this ok [y/N]: y
Downloading Packages:
(1/7): pam_script-0.1.7-1 100% |=========================|  11 kB    00:00    
(2/7): pam_shield-0.9.2-1 100% |=========================|  39 kB    00:01    
(3/7): pam_abl-0.2.3-1.el 100% |=========================|  50 kB    00:01    
(4/7): pam-devel-0.99.6.2 100% |=========================| 186 kB    00:00    
(5/7): pamtester-0.1.2-1. 100% |=========================|  15 kB    00:00    
(6/7): compat-db-4.2.52-5 100% |=========================| 1.7 MB    00:00    
(7/7): pam_ssh-1.91-1.el4 100% |=========================|  88 kB    00:02    
Running Transaction Test
warning: pam_script-0.1.7-1.el4.rf: Header V3 DSA signature: NOKEY, key ID
6b8d79e6
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: compat-db                    ######################### [1/7]
  Installing: pam_script                   ######################### [2/7]
  Installing: pam_shield                   ######################### [3/7]
  Installing: pam_abl                      ######################### [4/7]
  Installing: pam-devel                    ######################### [5/7]
  Installing: pamtester                    ######################### [6/7]
  Installing: pam_ssh                      ######################### [7/7]
Installed: pam-devel.i386 0:0.99.6.2-3.14.el5 pam_abl.i386 0:0.2.3-1.el4.rf
pam_script.i386 0:0.1.7-1.el4.rf pam_shield.i386 0:0.9.2-1.el4.rf pam_ssh.i386
0:1.91-1.el4.rf pamtester.i386 0:0.1.2-1.el4.rf
Dependency Installed: compat-db.i386 0:4.2.52-5.1
Complete!
 
 
Listing all OpenVPN-related files
============================================================
[root@VPNSRV01]# updatedb
[root@VPNSRV01]# locate openvpn
/etc/openvpn
/etc/rc.d/init.d/openvpn
/etc/rc.d/rc0.d/K76openvpn
/etc/rc.d/rc1.d/K76openvpn
/etc/rc.d/rc2.d/K76openvpn
/etc/rc.d/rc3.d/S24openvpn
/etc/rc.d/rc4.d/S24openvpn
/etc/rc.d/rc5.d/S24openvpn
/etc/rc.d/rc6.d/K76openvpn
/usr/sbin/openvpn
/usr/share/openvpn
/usr/share/doc/openvpn-2.0.9
/usr/share/doc/openvpn-2.0.9/AUTHORS
/usr/share/doc/openvpn-2.0.9/COPYING
/usr/share/doc/openvpn-2.0.9/COPYRIGHT.GPL
/usr/share/doc/openvpn-2.0.9/ChangeLog
/usr/share/doc/openvpn-2.0.9/INSTALL
/usr/share/doc/openvpn-2.0.9/NEWS
/usr/share/doc/openvpn-2.0.9/PORTS
/usr/share/doc/openvpn-2.0.9/README
/usr/share/doc/openvpn-2.0.9/README.auth-pam
/usr/share/doc/openvpn-2.0.9/README.down-root
/usr/share/doc/openvpn-2.0.9/README.plugins
/usr/share/doc/openvpn-2.0.9/contrib
/usr/share/doc/openvpn-2.0.9/easy-rsa
/usr/share/doc/openvpn-2.0.9/management
/usr/share/doc/openvpn-2.0.9/sample-config-files
/usr/share/doc/openvpn-2.0.9/sample-keys
/usr/share/doc/openvpn-2.0.9/sample-scripts
/usr/share/doc/openvpn-2.0.9/contrib/README
/usr/share/doc/openvpn-2.0.9/contrib/multilevel-init.patch
/usr/share/doc/openvpn-2.0.9/contrib/openvpn-fwmarkroute-1.00
/usr/share/doc/openvpn-2.0.9/contrib/pull-resolv-conf
/usr/share/doc/openvpn-2.0.9/contrib/openvpn-fwmarkroute-1.00/README
/usr/share/doc/openvpn-2.0.9/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down
/usr/share/doc/openvpn-2.0.9/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up
/usr/share/doc/openvpn-2.0.9/contrib/pull-resolv-conf/client.down
/usr/share/doc/openvpn-2.0.9/contrib/pull-resolv-conf/client.up
/usr/share/doc/openvpn-2.0.9/easy-rsa/.externals
/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0
/usr/share/doc/openvpn-2.0.9/easy-rsa/README
/usr/share/doc/openvpn-2.0.9/easy-rsa/Windows
/usr/share/doc/openvpn-2.0.9/easy-rsa/build-ca
/usr/share/doc/openvpn-2.0.9/easy-rsa/build-dh
/usr/share/doc/openvpn-2.0.9/easy-rsa/build-inter
/usr/share/doc/openvpn-2.0.9/easy-rsa/build-key
/usr/share/doc/openvpn-2.0.9/easy-rsa/build-key-pass
/usr/share/doc/openvpn-2.0.9/easy-rsa/build-key-pkcs12
/usr/share/doc/openvpn-2.0.9/easy-rsa/build-key-server
/usr/share/doc/openvpn-2.0.9/easy-rsa/build-req
/usr/share/doc/openvpn-2.0.9/easy-rsa/build-req-pass
/usr/share/doc/openvpn-2.0.9/easy-rsa/clean-all
/usr/share/doc/openvpn-2.0.9/easy-rsa/list-crl
/usr/share/doc/openvpn-2.0.9/easy-rsa/make-crl
/usr/share/doc/openvpn-2.0.9/easy-rsa/openssl.cnf
/usr/share/doc/openvpn-2.0.9/easy-rsa/revoke-crt
/usr/share/doc/openvpn-2.0.9/easy-rsa/revoke-full
/usr/share/doc/openvpn-2.0.9/easy-rsa/sign-req
/usr/share/doc/openvpn-2.0.9/easy-rsa/vars
/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/Makefile
/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/README
/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/build-ca
/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/build-dh
/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/build-inter
/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/build-key
/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/build-key-pass
/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/build-key-pkcs12
/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/build-key-server
/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/build-req
/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/build-req-pass
/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/clean-all
/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/inherit-inter
/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/list-crl
/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/openssl-0.9.6.cnf
/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/openssl.cnf
/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/pkitool
/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/revoke-full
/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/sign-req
/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/vars
/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/whichopensslcnf
/usr/share/doc/openvpn-2.0.9/easy-rsa/Windows/README.txt
/usr/share/doc/openvpn-2.0.9/easy-rsa/Windows/build-ca.bat
/usr/share/doc/openvpn-2.0.9/easy-rsa/Windows/build-dh.bat
/usr/share/doc/openvpn-2.0.9/easy-rsa/Windows/build-key-pkcs12.bat
/usr/share/doc/openvpn-2.0.9/easy-rsa/Windows/build-key-server.bat
/usr/share/doc/openvpn-2.0.9/easy-rsa/Windows/build-key.bat
/usr/share/doc/openvpn-2.0.9/easy-rsa/Windows/clean-all.bat
/usr/share/doc/openvpn-2.0.9/easy-rsa/Windows/index.txt.start
/usr/share/doc/openvpn-2.0.9/easy-rsa/Windows/init-config.bat
/usr/share/doc/openvpn-2.0.9/easy-rsa/Windows/revoke-full.bat
/usr/share/doc/openvpn-2.0.9/easy-rsa/Windows/serial.start
/usr/share/doc/openvpn-2.0.9/easy-rsa/Windows/vars.bat.sample
/usr/share/doc/openvpn-2.0.9/management/management-notes.txt
/usr/share/doc/openvpn-2.0.9/sample-config-files/README
/usr/share/doc/openvpn-2.0.9/sample-config-files/client.conf
/usr/share/doc/openvpn-2.0.9/sample-config-files/firewall.sh
/usr/share/doc/openvpn-2.0.9/sample-config-files/home.up
/usr/share/doc/openvpn-2.0.9/sample-config-files/loopback-client
/usr/share/doc/openvpn-2.0.9/sample-config-files/loopback-server
/usr/share/doc/openvpn-2.0.9/sample-config-files/office.up
/usr/share/doc/openvpn-2.0.9/sample-config-files/openvpn-shutdown.sh
/usr/share/doc/openvpn-2.0.9/sample-config-files/openvpn-startup.sh
/usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf
/usr/share/doc/openvpn-2.0.9/sample-config-files/static-home.conf
/usr/share/doc/openvpn-2.0.9/sample-config-files/static-office.conf
/usr/share/doc/openvpn-2.0.9/sample-config-files/tls-home.conf
/usr/share/doc/openvpn-2.0.9/sample-config-files/tls-office.conf
/usr/share/doc/openvpn-2.0.9/sample-config-files/xinetd-client-config
/usr/share/doc/openvpn-2.0.9/sample-config-files/xinetd-server-config
/usr/share/doc/openvpn-2.0.9/sample-keys/README
/usr/share/doc/openvpn-2.0.9/sample-keys/client.crt
/usr/share/doc/openvpn-2.0.9/sample-keys/client.key
/usr/share/doc/openvpn-2.0.9/sample-keys/dh1024.pem
/usr/share/doc/openvpn-2.0.9/sample-keys/pass.crt
/usr/share/doc/openvpn-2.0.9/sample-keys/pass.key
/usr/share/doc/openvpn-2.0.9/sample-keys/pkcs12.p12
/usr/share/doc/openvpn-2.0.9/sample-keys/server.crt
/usr/share/doc/openvpn-2.0.9/sample-keys/server.key
/usr/share/doc/openvpn-2.0.9/sample-keys/tmp-ca.crt
/usr/share/doc/openvpn-2.0.9/sample-keys/tmp-ca.key
/usr/share/doc/openvpn-2.0.9/sample-scripts/auth-pam.pl
/usr/share/doc/openvpn-2.0.9/sample-scripts/bridge-start
/usr/share/doc/openvpn-2.0.9/sample-scripts/bridge-stop
/usr/share/doc/openvpn-2.0.9/sample-scripts/openvpn.init
/usr/share/doc/openvpn-2.0.9/sample-scripts/verify-cn
/usr/share/doc/selinux-policy-2.4.6/html/services_openvpn.html
/usr/share/logwatch/default.conf/services/openvpn.conf
/usr/share/logwatch/scripts/services/openvpn
/usr/share/man/man8/openvpn.8.gz
/usr/share/openvpn/plugin
/usr/share/openvpn/plugin/lib
/usr/share/openvpn/plugin/lib/openvpn-auth-pam.so
/usr/share/openvpn/plugin/lib/openvpn-down-root.so
 
 
Copy the easy-rsa directory from the documentation templates to /etc/openvpn/
After a fresh install, OpenVPN's main configuration directory /etc/openvpn/ is empty.
[root@VPNSRV01]# cp -r /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/
Look at the files under /etc/openvpn/easy-rsa/
[root@VPNSRV01]# ll /etc/openvpn/easy-rsa/
total 88
drwxr-xr-x 2 root root 4096 Aug 27 10:20 2.0
-rw-r--r-- 1 root root  242 Aug 27 10:20 build-ca
-rw-r--r-- 1 root root  228 Aug 27 10:20 build-dh
-rw-r--r-- 1 root root  529 Aug 27 10:20 build-inter
-rw-r--r-- 1 root root  516 Aug 27 10:20 build-key
-rw-r--r-- 1 root root  424 Aug 27 10:20 build-key-pass
-rw-r--r-- 1 root root  695 Aug 27 10:20 build-key-pkcs12
-rw-r--r-- 1 root root  662 Aug 27 10:20 build-key-server
-rw-r--r-- 1 root root  466 Aug 27 10:20 build-req
-rw-r--r-- 1 root root  402 Aug 27 10:20 build-req-pass
-rw-r--r-- 1 root root  280 Aug 27 10:20 clean-all
-rw-r--r-- 1 root root  264 Aug 27 10:20 list-crl
-rw-r--r-- 1 root root  268 Aug 27 10:20 make-crl
-rw-r--r-- 1 root root 7487 Aug 27 10:20 openssl.cnf
-rw-r--r-- 1 root root 6075 Aug 27 10:20 README
-rw-r--r-- 1 root root  268 Aug 27 10:20 revoke-crt
-rw-r--r-- 1 root root  593 Aug 27 10:20 revoke-full
-rw-r--r-- 1 root root  411 Aug 27 10:20 sign-req
-rw-r--r-- 1 root root 1266 Aug 27 10:20 vars
drwxr-xr-x 2 root root 4096 Aug 27 10:20 Windows
Most of these are scripts, but none of them currently has execute permission at any level, so we have to grant them execute permission with a command
 
Create a ux alias that adds execute permission for the owner only
[root@VPNSRV01]# alias ux='chmod u+x'
For convenience and safety, also give this ux alias to root permanently, so that root always has it from now on
[root@VPNSRV01]# echo "alias ux='chmod u+x'" >> /root/.bashrc
 
Check root's .bashrc to confirm
[root@VPNSRV01]# cat /root/.bashrc
---------------------------------------------
# .bashrc
# User specific aliases and functions
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
# Source global definitions
if [ -f /etc/bashrc ]; then
        . /etc/bashrc
fi
alias ux='chmod u+x'  (the line just added)
---------------------------------------------
 
Give the vars script execute permission for the owner
[root@VPNSRV01 easy-rsa]# ux vars
Load vars into the shell environment by sourcing it. This is different from simply running a script: vars defines many essential variables and environment settings, so running it with "./" does not work; it must be sourced with ". vars" (dot, space, vars).
[root@VPNSRV01 easy-rsa]# . vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
After sourcing vars a message appears, saying that the next step is to run the clean-all script, and that running it wipes everything under /etc/openvpn/easy-rsa/keys/. Two questions come up here. 1. How does it know my path is /etc/openvpn? If I moved it, would it still print this path? The answer is in the vars script itself: it uses pwd to define the OpenVPN configuration path we set up, so it dynamically captures whichever directory we source vars from, i.e. the directory we are currently working in; everything is defined by the pwd at the moment vars is sourced. 2. The keys directory mentioned in the message does not seem to exist? Correct, it does not exist yet; running clean-all as the message suggests will answer that. One more thing to note: loading the variables and environment by sourcing the script is not permanent, and they are lost after a reboot. Consider a way to load the vars environment permanently, for example by adding the sourcing command to a system startup script.
 
Give the clean-all script execute permission for the owner
[root@VPNSRV01 easy-rsa]# ux clean-all
Run the clean-all script
[root@VPNSRV01 easy-rsa]# ./clean-all
Look at the files under /etc/openvpn/easy-rsa/ now
[root@VPNSRV01 easy-rsa]# ll /etc/openvpn/easy-rsa/
total 92
drwxr-xr-x 2 root root 4096 Aug 27 10:20 2.0
-rw-r--r-- 1 root root  242 Aug 27 10:20 build-ca
-rw-r--r-- 1 root root  228 Aug 27 10:20 build-dh
-rw-r--r-- 1 root root  529 Aug 27 10:20 build-inter
-rw-r--r-- 1 root root  516 Aug 27 10:20 build-key
-rw-r--r-- 1 root root  424 Aug 27 10:20 build-key-pass
-rw-r--r-- 1 root root  695 Aug 27 10:20 build-key-pkcs12
-rw-r--r-- 1 root root  662 Aug 27 10:20 build-key-server
-rw-r--r-- 1 root root  466 Aug 27 10:20 build-req
-rw-r--r-- 1 root root  402 Aug 27 10:20 build-req-pass
-rwxr--r-- 1 root root  280 Aug 27 10:20 clean-all
drwx------ 2 root root 4096 Aug 27 10:41 keys (the new keys directory)
-rw-r--r-- 1 root root  264 Aug 27 10:20 list-crl
-rw-r--r-- 1 root root  268 Aug 27 10:20 make-crl
-rw-r--r-- 1 root root 7487 Aug 27 10:20 openssl.cnf
-rw-r--r-- 1 root root 6075 Aug 27 10:20 README
-rw-r--r-- 1 root root  268 Aug 27 10:20 revoke-crt
-rw-r--r-- 1 root root  593 Aug 27 10:20 revoke-full
-rw-r--r-- 1 root root  411 Aug 27 10:20 sign-req
-rwxr--r-- 1 root root 1266 Aug 27 10:20 vars
drwxr-xr-x 2 root root 4096 Aug 27 10:20 Windows
This answers the second question above. The keys directory did not seem to exist before? Correct, it did not; it is created (if it was not there already) when the clean-all script is run. If the directory already existed (try mkdir keys yourself before running clean-all and drop some junk into it), then running clean-all automatically empties everything under keys. In fact keys is the directory where the certificates and keys we generate next are stored. The exact path where keys is created is determined by KEY_DIR in the vars environment script.
 
Creating the CA certificate
Here is a brief introduction, as I understand it, to the concepts of certificates and keys in OpenVPN.
The first thing needed is a root certificate and root key: the CA. The OpenVPN server and clients each have their own certificate and key, but one server and its clients all use the same CA root certificate; this is the essential precondition for them to form one system. The server certificate and key and the client certificates and keys generated later are all issued under this CA, so they form one set, because the CA links them to each other. In other words, for a server and its clients to make up one OpenVPN system, the server's certificate and key and the clients' certificates and keys must be issued by the same CA certificate, and the same CA must be used to verify them when they actually connect.
Give the build-ca script execute permission for the owner; build-ca is the script that generates the CA root certificate.
[root@VPNSRV01 easy-rsa]# ux build-ca
Run the build-ca script
[root@VPNSRV01 easy-rsa]# ./build-ca
----------------------------------------------------------------------------------
Generating a 1024 bit RSA private key
.....++++++
......++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----   (generating the CA certificate is an interactive process; the prompts mainly collect the certificate's information)
Country Name (2 letter code) [KG]:CN  (country; I enter CN for China)
State or Province Name (full name) [NA]:Shanghai   (state or province)
Locality Name (eg, city) [BISHKEK]:Shanghai  (locality)
Organization Name (eg, company) [OpenVPN-TEST]:Center   (the user's organization or group)
Organizational Unit Name (eg, section) []:Center   (department or unit)
Common Name (eg, your name or your server's hostname) []:VPNSYS01   (common name; note that one VPN server/client system uses the same CA and therefore shares the same CA Common Name)
Email Address [me@myhost.mydomain]:kanecruiseisgod@hotmail.com   (the administrator's e-mail address)
----------------------------------------------------------------------------------
(Note: if you notice you filled something in wrong here, simply go back and run the clean-all script to wipe the keys just generated under keys, then redo build-ca. Redoing it later, after the server and client certificates and keys have been generated, is a lot more work.)
Now you can look in the keys directory at the CA root certificate and root key that were produced
[root@VPNSRV01 easy-rsa]# ll keys
total 12
-rw-r--r-- 1 root root 1233 Aug 27 11:39 ca.crt   (root certificate)
-rw------- 1 root root  887 Aug 27 11:39 ca.key  (root key)
-rw-r--r-- 1 root root    0 Aug 27 11:34 index.txt
-rw-r--r-- 1 root root    3 Aug 27 11:34 serial
 
Creating the DH parameter file
As the OpenVPN manual says, the Diffie-Hellman parameter file (the dh .pem file) is something the server side must have for an SSL/TLS connection. The dh .pem file is generated with the build-dh script; first give it execute permission for the owner
[root@VPNSRV01 easy-rsa]# ux build-dh
Run the build-dh script to generate the dh file
[root@VPNSRV01 easy-rsa]# ./build-dh
--------------------------------------------------------------------------------------
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
……………+……………………………………………….+…………………………………………………………………………..
………………..+….+……+………………………+…………+…………………+…………….+……………………………………+..
…+………..+……………………………………+………..+…………………………+……………………………+………………..
……+………………………+….+…+………………………….+……………………………………………………………………….
……………+…………………………………………….+………………………………………………………………….+…………
………………+………………………………..+.+………………………++*++*++*
(It warns that this will take a long time, but it is usually quite short, because I used the default length of 1024 bits)
--------------------------------------------------------------------------------------
Now you can look in the keys directory at the dh .pem file that was produced
[root@VPNSRV01 easy-rsa]# ll keys
total 16
-rw-r--r-- 1 root root 1233 Aug 27 11:39 ca.crt
-rw------- 1 root root  887 Aug 27 11:39 ca.key
-rw-r--r-- 1 root root  245 Aug 27 11:56 dh1024.pem   (dh .pem file generated)
-rw-r--r-- 1 root root    0 Aug 27 11:34 index.txt
-rw-r--r-- 1 root root    3 Aug 27 11:34 serial
 
Creating the OpenVPN server's certificate and key
Every OpenVPN server needs its own certificate and key, which of course are issued under the CA root certificate from earlier; they are generated with the build-key-server script. Give the build-key-server script execute permission for the owner
[root@VPNSRV01 easy-rsa]# ux build-key-server
Generate the server's certificate and key. Note that build-key-server takes an argument: the file name for the generated server certificate.
[root@VPNSRV01 easy-rsa]# ./build-key-server vpnsrv01
------------------------------------------------------------------------------------
Generating a 1024 bit RSA private key
.++++++..........................................++++++
writing new private key to 'vpnsrv01.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:CN   (country)
State or Province Name (full name) [NA]:Shanghai  (state or province)
Locality Name (eg, city) [BISHKEK]:Shanghai  (locality)
Organization Name (eg, company) [OpenVPN-TEST]:Center  (organization)
Organizational Unit Name (eg, section) []:Center  (organizational unit)
Common Name (eg, your name or your server's hostname) []:VPNSRV01  (the server's name)
Email Address [me@myhost.mydomain]:kanecruiseisgod@hotmail.com  (the administrator's e-mail address)
(while issuing the server certificate, some "extra" attributes are also requested)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456  (the challenge password)
An optional company name []:Center   (an optional company name)
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Shanghai'
localityName          :PRINTABLE:'Shanghai'
organizationName      :PRINTABLE:'Center'
organizationalUnitName:PRINTABLE:'Center'
commonName            :PRINTABLE:'VPNSRV01'
emailAddress          :IA5STRING:'kanecruiseisgod@hotmail.com'
Certificate is to be certified until Aug 24 04:43:37 2017 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
(the server certificate has now been signed with the CA root certificate)
-------------------------------------------------------------------------------------
(Are there any requirements on the answers given during the server certificate prompts? Yes. I previously had to discard a server certificate because its location information did not match the CA's, so keep the basic information as consistent as possible with what was answered for the CA certificate.)
Now look at what else has appeared under keys
[root@VPNSRV01 easy-rsa]# ll keys
total 44
-rw-r--r-- 1 root root 3636 Aug 27 12:43 01.pem        (one more .pem file)
-rw-r--r-- 1 root root 1233 Aug 27 11:39 ca.crt
-rw------- 1 root root  887 Aug 27 11:39 ca.key
-rw-r--r-- 1 root root  245 Aug 27 11:56 dh1024.pem
-rw-r--r-- 1 root root   99 Aug 27 12:43 index.txt
-rw-r--r-- 1 root root   21 Aug 27 12:43 index.txt.attr
-rw-r--r-- 1 root root    0 Aug 27 11:34 index.txt.old
-rw-r--r-- 1 root root    3 Aug 27 12:43 serial
-rw-r--r-- 1 root root    3 Aug 27 11:34 serial.old
-rw-r--r-- 1 root root 3636 Aug 27 12:43 vpnsrv01.crt  (the server's certificate file)
-rw-r--r-- 1 root root  753 Aug 27 12:43 vpnsrv01.csr  (the server's certificate signing request)
-rw------- 1 root root  887 Aug 27 12:43 vpnsrv01.key  (the server's key file)
 
Creating the OpenVPN client's certificate and key
Every OpenVPN client must have its own certificate and key; these too are issued under the CA certificate from earlier and are generated with the build-key script
Give the build-key script execute permission for the owner
[root@VPNSRV01 easy-rsa]# ux build-key
Generate the client's certificate and key. Note that build-key takes an argument: the file name for the generated client certificate.
[root@VPNSRV01 easy-rsa]# ./build-key vpnclnt00  (the number 00 marks it as a test client, a habit of mine)
-------------------------------------------------------------------------------------
Generating a 1024 bit RSA private key
......++++++..............++++++
writing new private key to 'vpnclnt00.key'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:CN  (country)
State or Province Name (full name) [NA]:Shanghai  (state or province)
Locality Name (eg, city) [BISHKEK]:Shanghai  (locality)
Organization Name (eg, company) [OpenVPN-TEST]:Center  (organization)
Organizational Unit Name (eg, section) []:Center  (organizational unit)
Common Name (eg, your name or your server's hostname) []:VPNCLNT00  (the client's name)
Email Address [me@myhost.mydomain]:kanecruiseisgod@hotmail.com  (the administrator's e-mail address)
(while issuing the client certificate, some "extra" attributes are requested as well)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456  (the challenge password)
An optional company name []:Center  (an optional company name)
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Shanghai'
localityName          :PRINTABLE:'Shanghai'
organizationName      :PRINTABLE:'Center'
organizationalUnitName:PRINTABLE:'Center'
commonName            :PRINTABLE:'VPNCLNT00'
emailAddress          :IA5STRING:'kanecruiseisgod@hotmail.com'
Certificate is to be certified until Aug 24 05:00:46 2017 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
(the client certificate has now been signed with the CA root certificate)
-------------------------------------------------------------------------------------
(As with the server certificate, keep the basic information used while issuing the client certificate as consistent as possible with the CA root certificate)
Now look at what else has appeared under keys
[root@VPNSRV01 easy-rsa]# ll keys
total 68
-rw-r--r-- 1 root root 3636 Aug 27 12:43 01.pem
-rw-r--r-- 1 root root 3537 Aug 27 13:00 02.pem       (another .pem file)
-rw-r--r-- 1 root root 1233 Aug 27 11:39 ca.crt
-rw------- 1 root root  887 Aug 27 11:39 ca.key
-rw-r--r-- 1 root root  245 Aug 27 11:56 dh1024.pem
-rw-r--r-- 1 root root  199 Aug 27 13:00 index.txt
-rw-r--r-- 1 root root   20 Aug 27 13:00 index.txt.attr
-rw-r--r-- 1 root root   21 Aug 27 12:43 index.txt.attr.old
-rw-r--r-- 1 root root   99 Aug 27 12:43 index.txt.old
-rw-r--r-- 1 root root    3 Aug 27 13:00 serial
-rw-r--r-- 1 root root    3 Aug 27 12:43 serial.old
-rw-r--r-- 1 root root 3537 Aug 27 13:00 vpnclnt00.crt   (the client's certificate file)
-rw-r--r-- 1 root root  753 Aug 27 13:00 vpnclnt00.csr   (the client's certificate signing request)
-rw------- 1 root root  887 Aug 27 13:00 vpnclnt00.key   (the client's key file)
-rw-r--r-- 1 root root 3636 Aug 27 12:43 vpnsrv01.crt
-rw-r--r-- 1 root root  753 Aug 27 12:43 vpnsrv01.csr
-rw------- 1 root root  887 Aug 27 12:43 vpnsrv01.key
 
To guard against malicious attacks (such as DoS and UDP port flooding), generate an "HMAC firewall" key
[root@VPNSRV01 easy-rsa]# openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key
Check that the ta key file was created under keys
[root@VPNSRV01 easy-rsa]# ll keys
total 72
-rw-r--r-- 1 root root 3636 Aug 27 12:43 01.pem
-rw-r--r-- 1 root root 3537 Aug 27 13:00 02.pem
-rw-r--r-- 1 root root 1233 Aug 27 11:39 ca.crt
-rw------- 1 root root  887 Aug 27 11:39 ca.key
-rw-r--r-- 1 root root  245 Aug 27 11:56 dh1024.pem
-rw-r--r-- 1 root root  199 Aug 27 13:00 index.txt
-rw-r--r-- 1 root root   20 Aug 27 13:00 index.txt.attr
-rw-r--r-- 1 root root   21 Aug 27 12:43 index.txt.attr.old
-rw-r--r-- 1 root root   99 Aug 27 12:43 index.txt.old
-rw-r--r-- 1 root root    3 Aug 27 13:00 serial
-rw-r--r-- 1 root root    3 Aug 27 12:43 serial.old
-rw------- 1 root root  636 Aug 27 13:21 ta.key          (the ta key file)
-rw-r--r-- 1 root root 3537 Aug 27 13:00 vpnclnt00.crt
-rw-r--r-- 1 root root  753 Aug 27 13:00 vpnclnt00.csr
-rw------- 1 root root  887 Aug 27 13:00 vpnclnt00.key
-rw-r--r-- 1 root root 3636 Aug 27 12:43 vpnsrv01.crt
-rw-r--r-- 1 root root  753 Aug 27 12:43 vpnsrv01.csr
-rw------- 1 root root  887 Aug 27 12:43 vpnsrv01.key
 
Generating a certificate revocation list file
If a certificate file is unfortunately lost for whatever reason, whoever holds the lost certificate can still use it to connect. Instead of tearing down the whole system, the lost certificate can be revoked. Run the make-crl script first to generate the certificate revocation list (CRL) file.
Give the make-crl script execute permission for the owner
[root@VPNSRV01 easy-rsa]# ux make-crl
Run the make-crl script to generate the CRL file
[root@VPNSRV01 easy-rsa]# ./make-crl vpncrl.pem
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Look at the files under keys
[root@VPNSRV01 easy-rsa]# ll keys
total 76
-rw-r--r-- 1 root root 3636 Aug 27 12:43 01.pem
-rw-r--r-- 1 root root 3537 Aug 27 13:00 02.pem
-rw-r--r-- 1 root root 1233 Aug 27 11:39 ca.crt
-rw------- 1 root root  887 Aug 27 11:39 ca.key
-rw-r--r-- 1 root root  245 Aug 27 11:56 dh1024.pem
-rw-r--r-- 1 root root  199 Aug 27 13:00 index.txt
-rw-r--r-- 1 root root   20 Aug 27 13:00 index.txt.attr
-rw-r--r-- 1 root root   21 Aug 27 12:43 index.txt.attr.old
-rw-r--r-- 1 root root   99 Aug 27 12:43 index.txt.old
-rw-r--r-- 1 root root    3 Aug 27 13:00 serial
-rw-r--r-- 1 root root    3 Aug 27 12:43 serial.old
-rw------- 1 root root  636 Aug 27 13:21 ta.key
-rw-r--r-- 1 root root 3537 Aug 27 13:00 vpnclnt00.crt
-rw-r--r-- 1 root root  753 Aug 27 13:00 vpnclnt00.csr
-rw------- 1 root root  887 Aug 27 13:00 vpnclnt00.key
-rw-r--r-- 1 root root  491 Aug 27 13:28 vpncrl.pem      (the certificate revocation list file)
-rw-r--r-- 1 root root 3636 Aug 27 12:43 vpnsrv01.crt
-rw-r--r-- 1 root root  753 Aug 27 12:43 vpnsrv01.csr
-rw------- 1 root root  887 Aug 27 12:43 vpnsrv01.key
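An added example, not code from the original post: the CA database easy-rsa keeps in keys/index.txt (the file whose size grew with each certificate issued above) is the record the CRL is built from. This script reads that file and reports which common names the CA still vouches for and which have been revoked; the sample content is constructed to mirror this CA's two issued certificates plus an invented third, revoked client, with a placeholder e-mail address.

```python
"""Read an easy-rsa / OpenSSL CA database (keys/index.txt) and report which
certificates are still valid and which have been revoked.

Added example, not code from the original post. Each line of index.txt is
tab-separated: status (V/R/E), expiry, revocation date (empty unless R),
serial, file name ("unknown"), subject DN.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample: serials 01 and 02 mirror the certificates issued above;
# serial 03 is an invented, revoked client. The e-mail address is a placeholder.
SAMPLE_INDEX = (
    "V\t170824044337Z\t\t01\tunknown\t/C=CN/ST=Shanghai/L=Shanghai"
    "/O=Center/OU=Center/CN=VPNSRV01/emailAddress=admin@example.invalid\n"
    "V\t170824050046Z\t\t02\tunknown\t/C=CN/ST=Shanghai/L=Shanghai"
    "/O=Center/OU=Center/CN=VPNCLNT00/emailAddress=admin@example.invalid\n"
    "R\t170901120000Z\t071015083000Z\t03\tunknown\t/C=CN/ST=Shanghai/L=Shanghai"
    "/O=Center/OU=Center/CN=VPNCLNT01/emailAddress=admin@example.invalid\n"
)


@dataclass
class IndexEntry:
    status: str                    # 'V' valid, 'R' revoked, 'E' expired
    expires: datetime
    revoked_at: Optional[datetime]
    serial: str
    subject: Dict[str, str]        # parsed DN, e.g. {'CN': 'VPNSRV01', ...}


def parse_openssl_time(value: str) -> datetime:
    """index.txt stores UTCTime as YYMMDDHHMMSSZ."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_dn(dn: str) -> Dict[str, str]:
    """Turn '/C=CN/ST=Shanghai/CN=VPNSRV01' into a dict of attribute -> value."""
    return dict(part.split("=", 1) for part in dn.split("/") if part)


def parse_index(text: str) -> List[IndexEntry]:
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt line: {raw!r}")
        status, expiry, revoked, serial, _filename, dn = fields
        entries.append(IndexEntry(
            status=status,
            expires=parse_openssl_time(expiry),
            revoked_at=parse_openssl_time(revoked) if revoked else None,
            serial=serial,
            subject=parse_dn(dn),
        ))
    return entries


def summarize(text: str, as_of: str = "080101000000Z") -> Dict[str, List[str]]:
    """Common names the CA still vouches for at `as_of` (same time format as
    index.txt), those whose validity has run out, and those it has revoked.
    An entry still marked V whose expiry has passed is reported as expired,
    because OpenSSL only flips V to E when `openssl ca -updatedb` is run."""
    now = parse_openssl_time(as_of)
    entries = parse_index(text)
    return {
        "valid": sorted(e.subject["CN"] for e in entries
                        if e.status == "V" and e.expires > now),
        "expired": sorted(e.subject["CN"] for e in entries
                          if e.status == "E"
                          or (e.status == "V" and e.expires <= now)),
        "revoked": sorted(e.subject["CN"] for e in entries if e.status == "R"),
    }


if __name__ == "__main__":
    for bucket, names in summarize(SAMPLE_INDEX).items():
        print(f"{bucket:8s}: {', '.join(names) or '-'}")
```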

Because of the word limit on MSN Spaces,
my glorious episode 18 of the pseudo-systems-engineer story had to be split into two parts. Annoying... continuing from part one.
 
 
Preparing the main configuration files for the OpenVPN server and client
The locate listing earlier included the template main configuration files for the server and the client
/usr/share/doc/openvpn-2.0.9/sample-config-files/client.conf
/usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf
 
The OpenVPN server's main configuration file
The main configuration file lives under /etc/openvpn/, so first copy the template there and then edit it
[root@VPNSRV01 easy-rsa]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/
Then edit the server's main configuration file server.conf
[root@VPNSRV01 openvpn]# vi server.conf
-------------------------------------------------------------------------------
# listen on? (optional)
;local a.b.c.d  (which local network interface to listen on; kept commented out as in the default, meaning listen on every interface on this host)
port 9988   (the listening port; the default is 1194, which I changed to 9988)
  
# TCP or UDP server?
;proto tcp
proto udp
(the transport-layer protocol; the default, UDP, is used)
 
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
;dev tap
dev tun
(the tunnel device type. As the comment says, tun is a layer-3 device and tap a layer-2 device. We want IP routing, i.e. layer 3, so tun is chosen)
 
# Non-Windows systems usually don't need this.
;dev-node MyTap
(the tunnel device node name. As the comment says, non-Windows systems do not need this; this server runs CentOS 5, so it stays commented out)
 
ca /etc/openvpn/vpnkeys/ca.crt
cert /etc/openvpn/vpnkeys/vpnsrv01.crt
key /etc/openvpn/vpnkeys/vpnsrv01.key  # This file should be kept secret
(the locations of the CA root certificate, the server certificate and the server key. Note that I wrote absolute paths here because I moved the files. A bare file name without a path can also be given, meaning the default directory /etc/openvpn/ is used)
 
dh /etc/openvpn/vpnkeys/dh1024.pem
(the path of the Diffie-Hellman parameter file. As above, I gave an absolute path; a bare file name would use the default directory /etc/openvpn/)
 
# Configure server mode and supply a VPN subnet
server 10.99.0.0 255.255.255.0
(the virtual VPN subnet the server hands out)
 
ifconfig-pool-persist ipp.txt
(the virtual address lease file, which records the IP address each client received, much like the dhcpd.leases file, so that OpenVPN does not "forget" after a restart which address a client used before)
 
push "route 111.111.111.0 255.255.255.0"  #For Net1
push "route 222.222.0.0 255.255.0.0"  #For Net2
push "route 123.123.123.234 255.255.255.255"  #For HostX
(pushed routes. When a client connects to the server it automatically receives these routing entries and adds them to its routing table; because the server hands them out they are called push routes. When the client disconnects from the server, the pushed routes are automatically removed from its routing table. One thing to watch: since these are routes being added, the format must be "route NETWORK NETMASK", and unless you are adding a route to a single host, as in the third line, the address must be a network address! If you want a route to a destination network but write a host address, the pushed route fails)
 
;push "redirect-gateway"
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
(other push options. redirect-gateway reassigns the egress gateway for the connecting client; if it is not set, the default gateway in the server's routing table is used. The dhcp-option DNS and WINS entries assign the connecting client new DNS and name server addresses. Unless there is a special plan, there is normally no need to set these, so they stay commented out)
 
client-to-client
(allows connected clients to reach each other; by default connected clients cannot. If you need them to, remove the default comment as done here)
 
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn
(whether one certificate may be used by several connections at once. If several clients connect to the server with the same certificate, or the Common Names in the client certificates are duplicated, or all users connect with the same CA and keys, this option must be enabled, otherwise only one of them can connect. For security reasons, for example when each certificate is meant for exactly one client, it is better to leave it disabled and commented out)
 
keepalive 10 120
(keepalive parameters. Every 10 seconds a ping is sent to check that the client is alive; this ping travels inside the virtual tunnel, not on the real outside link. No reply within 120 seconds means the client is considered lost)
 
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth /etc/openvpn/vpnkeys/ta.key 0 # This file is secret
(the path of the ta key, the HMAC firewall mentioned earlier that defends against DoS attacks: every control packet must carry an HMAC signature, and control packets without one are not processed. Note that the trailing number must be 0 on the server and 1 on the client)
 
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo
(use LZO compression on the virtual link. One more thing: if it is enabled on the server, the clients connecting to it must enable it in their configuration files as well)
 
;max-clients 100
(the maximum number of concurrently connected clients)
 
user nobody
group nobody
(the user and group the OpenVPN service runs as, set here to nobody. A quick look at /etc/passwd with vipw shows that nobody is a built-in system account with UID and GID both 99. Note that since the service runs as nobody, every file the OpenVPN process needs to read or write must be made accessible to nobody)
 
persist-key
(keep the keys across restarts: when the VPN restarts after a keepalive timeout, the keys are not re-read; the keys loaded the first time are kept)
persist-tun
(keep the tunnel up across restarts: when the VPN restarts after a keepalive timeout, the tun or tap device stays up; otherwise the link would go down and then come back up)
 
status /var/log/openvpn-status.log
(the status log path. The status log periodically writes OpenVPN's state information to a file, so you can write your own accounting program or do other things with it. Note: if you changed the user the service runs as, remember to grant that user appropriate permissions on this file)
 
log         /var/log/openvpn.log
(the OpenVPN service log path. Note: if you changed the user the service runs as, remember to grant that user appropriate permissions on this file)
log-append  /var/log/openvpn.log
(used together with log: keeps the existing log contents across OpenVPN restarts and appends new messages to the end of the file)
 
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
(the OpenVPN debug level, left at the default of 3)
 
# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
(how much repetition to allow in the log. The default is 20: when the same message repeats consecutively, anything beyond 20 copies is dropped)
-------------------------------------------------------------------------------
Note: if you use custom paths instead of OpenVPN's defaults, you must check strictly that the path in every configuration item is correct.
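An added example, not code from the original post, that lints the two points in the walk-through above where a mistake is easy to make: a pushed route must use the network address for its mask (a host address only passes with a 255.255.255.255 mask), and the server's tls-auth line must end in 0. The configuration text inside is a constructed excerpt modelled on this server.conf, with one deliberately wrong route and a wrong tls-auth direction so the linter has something to report.

```python
"""Lint the push-route and tls-auth lines of an OpenVPN 2.0 server.conf.

Added example, not part of the original post. It checks two points from the
walk-through above: a pushed route must name a network address (host bits
zero) unless the mask is 255.255.255.255, and tls-auth on the server must use
key direction 0.
"""
import ipaddress
import shlex
from typing import Iterator, List, Tuple

# Constructed excerpt modelled on the page's server.conf. The first three
# routes are the page's; the fourth route and the tls-auth direction are
# deliberately wrong.
SAMPLE_SERVER_CONF = """\
port 9988
proto udp
dev tun
server 10.99.0.0 255.255.255.0
push "route 111.111.111.0 255.255.255.0"  #For Net1
push "route 222.222.0.0 255.255.0.0"  #For Net2
push "route 123.123.123.234 255.255.255.255"  #For HostX
push "route 192.0.2.7 255.255.255.0"
;push "redirect-gateway"
tls-auth /etc/openvpn/vpnkeys/ta.key 1 # This file is secret
user nobody
group nobody
"""


def directives(conf: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (name, args) for each active line; '#' and ';' introduce comments."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = shlex.split(line)          # keeps the quoted push option intact
        yield parts[0], parts[1:]


def check_push_route(option: str) -> List[str]:
    """Problems with a 'route NETWORK NETMASK' push option (empty if fine)."""
    words = option.split()
    if len(words) != 3 or words[0] != "route":
        return [f"push option not of the form 'route NETWORK NETMASK': {option!r}"]
    network, netmask = words[1], words[2]
    try:
        # strict=True rejects an address with host bits set under the mask,
        # e.g. 192.0.2.7/255.255.255.0; a /32 host route always passes.
        ipaddress.ip_network(f"{network}/{netmask}", strict=True)
    except ValueError as exc:
        return [f"push route {network} {netmask}: {exc}"]
    return []


def lint_server_conf(conf: str) -> List[str]:
    findings: List[str] = []
    for name, args in directives(conf):
        if name == "push" and args and args[0].split()[:1] == ["route"]:
            findings.extend(check_push_route(args[0]))
        elif name == "tls-auth":
            if len(args) < 2 or args[1] != "0":
                findings.append("tls-auth: the server must use key direction 0 "
                                "(clients use 1)")
        elif name == "duplicate-cn":
            findings.append("duplicate-cn is enabled: one certificate may be "
                            "shared by several clients at once")
    return findings


if __name__ == "__main__":
    for finding in lint_server_conf(SAMPLE_SERVER_CONF):
        print("WARN:", finding)
```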
 
在启动OpenVPN服务进程前的需要确定的工作:
1.建立配置文件中指定的日志文件,并赋予正确的权限
[root@VPNSRV01 easy-rsa]# touch /var/log/openvpn.log
[root@VPNSRV01 easy-rsa]# touch /var/log/openvpn-status.log
[root@VPNSRV01 easy-rsa]# chown nobody.nobody /var/log/openvpn.log
[root@VPNSRV01 easy-rsa]# chown nobody.nobody /var/log/openvpn-status.log
2. Verify the paths given by the configuration items in the configuration file
For example:
The first time I finished configuring the server side, starting it failed
[root@VPNSRV01 easy-rsa]# service openvpn start
Starting openvpn:                                          [FAILED]
Check the log to find the cause
[root@VPNSRV01 easy-rsa]# tail -n 10 /var/log/openvpn.log
Mon Aug 27 16:00:03 2007 OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Mar  8 2007
Mon Aug 27 16:00:03 2007 Diffie-Hellman initialized with 1024 bit key
Mon Aug 27 16:00:03 2007 Cannot open file key file 'ta.key': No such file or directory (errno=2)
Mon Aug 27 16:00:03 2007 Exiting
It turned out that the path to the ta key was wrong, so the service process could not find ta.key and the whole service failed to start. After correcting the ta path, the service process started normally. So whenever you customize the paths of key files, be sure to edit the configuration file carefully to match.
3. Check the system firewall: is it open for the VPN?
[root@VPNSRV01 easy-rsa]# iptables -A INPUT -p udp --dport 9988 -j ACCEPT
[root@VPNSRV01 easy-rsa]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Check the firewall
[root@VPNSRV01 easy-rsa]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     udp  --  anywhere             anywhere            udp dpt:9988
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
4. Check whether the forwarding switch is on; turn on IP routing/forwarding
[root@VPNSRV01 vpnkeys]# echo 1 > /proc/sys/net/ipv4/ip_forward
And also append this command to the startup script so that the switch is turned on every time the system boots
[root@VPNSRV01 vpnkeys]# echo 'echo 1 > /proc/sys/net/ipv4/ip_forward' >> /etc/rc.d/rc.local
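A pre-flight check for the four items above, as an added shell example that is not part of the original post: it reads a server.conf, verifies that every file-valued directive (including the tls-auth key whose wrong path caused the failure in step 2) resolves to an existing file, that the log and status files belong to the account named in the user directive, and exposes the ip_forward test from step 4. The scratch directory, the constructed server.conf and the file names other than ta.key are assumptions made for the demo.

```shell
# check_openvpn_conf CONF: for each file-valued directive in CONF (ca, cert,
# key, dh, tls-auth, status, log, log-append) verify the file exists. Relative
# paths resolve against CONF's directory (the post keeps everything under
# /etc/openvpn). Log/status files must also be owned by the account in the
# "user" directive, because OpenVPN drops privileges to it before writing.
check_openvpn_conf() {
    conf=$1
    dir=$(dirname "$conf")
    owner=$(awk '$1=="user" {print $2}' "$conf")
    rc=0
    for directive in ca cert key dh tls-auth status log log-append; do
        path=$(awk -v d="$directive" '$1==d {print $2}' "$conf")
        [ -z "$path" ] && continue
        case $path in /*) full=$path ;; *) full=$dir/$path ;; esac
        if [ ! -e "$full" ]; then
            echo "MISSING: $directive -> $full"; rc=1; continue
        fi
        case $directive in status|log|log-append)
            actual=$(ls -ld "$full" | awk '{print $3}')
            if [ -n "$owner" ] && [ "$actual" != "$owner" ]; then
                echo "WRONG OWNER: $full is $actual, want $owner"; rc=1
            fi ;;
        esac
    done
    return $rc
}
# ip_forward_enabled: step 4 of the checklist; true only if routing is on.
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}
# Constructed demo: a scratch directory standing in for /etc/openvpn, with a
# config whose ta.key was never copied in (the failure shown in the post).
# File names other than ta.key are made up for the demo.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/vpnkeys"
touch "$DEMO/vpnkeys/ca.crt" "$DEMO/vpnkeys/server.crt" \
      "$DEMO/vpnkeys/server.key" "$DEMO/openvpn.log" "$DEMO/openvpn-status.log"
cat > "$DEMO/server.conf" <<EOF
user $(id -un)
ca vpnkeys/ca.crt
cert vpnkeys/server.crt
key vpnkeys/server.key
tls-auth $DEMO/vpnkeys/ta.key 0 # This file is secret
status $DEMO/openvpn-status.log
log $DEMO/openvpn.log
EOF
check_openvpn_conf "$DEMO/server.conf" || echo "fix the config before starting"
touch "$DEMO/vpnkeys/ta.key" && check_openvpn_conf "$DEMO/server.conf" && echo "paths OK"
```

The first call reports the missing ta.key exactly as the log in step 2 would; the second, after the key is in place, passes.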
 
Start the OpenVPN server-side program
[root@VPNSRV01 easy-rsa]# service openvpn start
Starting openvpn:                                          [  OK  ]
Check the server's network interfaces now
[root@VPNSRV01 easy-rsa]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:16:3E:4A:C2:28 
          inet addr:123.123.123.233  Bcast:123.123.123.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe4a:c228/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2059473 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1258577 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:159571429 (152.1 MiB)  TX bytes:98975611 (94.3 MiB)
lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:273 errors:0 dropped:0 overruns:0 frame:0
          TX packets:273 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:40479 (39.5 KiB)  TX bytes:40479 (39.5 KiB)
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:10.99.0.1  P-t-P:10.99.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
(This tun0 device is the virtual network interface OpenVPN creates. One more point: the device is only initialized and visible once the OpenVPN service process is running successfully; if the OpenVPN process fails to start, you will not see this device. For the same reason, when using OpenVPN, remember to open the firewall for its network interface, or simply turn the firewall off; otherwise clients cannot connect. I want to stress this because I once got stuck on exactly this problem, and finding out that the firewall was the cause was pretty maddening = =)
 
Check the server's routes
[root@VPNSRV01 easy-rsa]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.99.0.2       *               255.255.255.255 UH    0      0        0 tun0
123.123.123.0   *               255.255.255.0   U     0      0        0 eth0
10.99.0.0       10.99.0.2       255.255.255.0   UG    0      0        0 tun0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
default         123.123.123.1   0.0.0.0         UG    0      0        0 eth0
The 10.99.0.0 entries are the routes for the virtual network. At this point the OpenVPN server side is basically done.
 
Copy the certificate, key and related files that were generated on the server earlier for the test client to the client's /etc/openvpn/ directory. The client needs to obtain five important files from the server:
CA certificate file                  (mine is ca.crt)
Client certificate file              (mine is vpnclnt00.crt)
Client key file                      (mine is vpnclnt00.key)
Client SSL certificate request file  (mine is vpnclnt00.csr)
ta key file                          (mine is ta.key)
Configure the client's main configuration file
The OpenVPN package is installed on the client too, so it also has the template file
/usr/share/doc/openvpn-2.0.9/sample-config-files/client.conf
Copy the client's main configuration template into OpenVPN's main configuration directory
[root@VPNCLNT00 ~]# ll /etc/openvpn/
total 48
-rw-r--r-- 1 root root 1233 Aug 27 14:09 ca.crt
-rw-r--r-- 1 root root  254 Aug 28 02:29 client.conf
-rw-r--r-- 1 root root  636 Aug 27 14:09 ta.key
-rw-r--r-- 1 root root 3537 Aug 27 14:09 vpnclnt00.crt
-rw-r--r-- 1 root root  753 Aug 27 14:09 vpnclnt00.csr
-rw-r--r-- 1 root root  887 Aug 27 14:09 vpnclnt00.key
You can see six files in the client's main configuration directory: five certificate and key files and one client-side main configuration file, client.conf.
Now let's edit the client's main configuration file client.conf
[root@VPNCLNT00 ~]# vi /etc/openvpn/client.conf
—————————————————————————-
client
(Declares that this configuration file applies to a client)
 
dev tun
(Use a tun layer-3 virtual device)
 
proto udp
(Use the UDP protocol)
 
remote 123.123.123.233 9988
(Sets the remote server's IP address and port; these must match the server. If several servers are available, you can configure multiple remote lines, one per line.)
 
resolv-retry infinite
(Always re-resolve the server's address. If remote is followed by a host name and the server's IP address is dynamic and kept current through DDNS, the client re-resolves the server's IP when it reconnects automatically, so it can rejoin the VPN without a manual restart.)
 
nobind
(Indicates that the client, unlike the server, does not need to open a specific port; nobind means the client does not bind to a specific listening port.)
 
user nobody
group nobody
(Specifies the user account the OpenVPN service process runs as)
 
persist-key
(Keeps the keys across restarts: when the VPN restarts after a keepalive timeout, the keys are not re-read; the ones loaded the first time are kept.)

persist-tun
(Keeps the tunnel up across restarts: when the VPN restarts after a keepalive timeout, the tun or tap device stays linked up; otherwise the network link would go down and then come back up.)
 
ca ca.crt
cert vpnclnt00.crt
key vpnclnt00.key
(Sets the paths of the CA certificate, client certificate and client key file. Unlike my server-side configuration earlier, here I wrote only file names rather than absolute paths, because I am using OpenVPN's default main directory /etc/openvpn/. If you move these files somewhere other than the default location, you need to write out the full absolute paths.)
 
ns-cert-type server
(This item does not exist in the server configuration file server.conf. The server certificate generated by the build-key-server script carries the ns-cert-type option in its x509 v3 extensions. This prevents attackers from dressing up their VPN client as a VPN server and then using their keys plus DNS spoofing to trick other clients into connecting to the bogus VPN server, because the certificate the CA issued to them does not carry this extension.)
 
tls-auth ta.key 1
(Sets the path of the ta key.
