linux下配置openVPN服务器
首先声明下环境,服务器是suse,我用的是自带的openvpn-2.0.9-143.31.x86_64.rpm
/media/SLES-11-SP2-DVD-x86_6407551/suse/x86_64 # ls -l|grep openvpn -r--r--r-- 3 root root 72511 Apr 1 2011 NetworkManager-openvpn-0.7.1-3.5.1.x86_64.rpm -r--r--r-- 3 root root 46793 Apr 1 2011 NetworkManager-openvpn-gnome-0.7.1-3.5.1.x86_64.rpm -r--r--r-- 3 root root 39165 May 12 2010 NetworkManager-openvpn-kde4-0.9.svn1043876-1.1.97.x86_64.rpm -r--r--r-- 3 root root 339065 Feb 26 2009 openvpn-2.0.9-143.31.x86_64.rpm -r--r--r-- 3 root root 10665 Feb 26 2009 openvpn-auth-pam-plugin-2.0.9-143.31.x86_64.rpm
如果没有安装光盘的话就下载安装openvpn,有的话就直接rpm -Uvh openvpn-[version].rpm安装
下载链接:http://openvpn.net/index.php/open-source/downloads.html,
目前的版本是2.3.1:下载地址:http://swupdate.openvpn.org/community/releases/openvpn-2.3.1.tar.gz
tar xfz openvpn-[version].tar.gz ./configure make make install
susu默认安装在/usr/share/openvpn,如果各位不知道安装地址的话可以用命令whereis openvpn 查找openvpn安装路径。
安装完毕之后开始配置:
需要生成您自己的证书(ca)和openvpn服务器及客户端的证书和密钥
cd /usr/share/openvpn/easy-rsa文件夹
首先编辑vars文件
export D=`pwd` export KEY_CONFIG=$D/openssl.cnf export KEY_DIR=$D/keys export KEY_SIZE=1024 export KEY_COUNTRY=CN #国家 export KEY_PROVINCE=JS #省份 export KEY_CITY=NJ #城市 export KEY_ORG="eric.com.openvpn" #组织 export KEY_EMAIL="[email protected]" #邮箱
初始换PKI并生成主证书颁发机构(CA)证书和密钥
linux-root:/usr/share/openvpn/easy-rsa # . ./vars NOTE: when you run ./clean-all, I will be doing a rm -rf on /usr/share/openvpn/easy-rsa/keys #提示用户下一步会清空掉keys中的文件 linux-root:/usr/share/openvpn/easy-rsa # ./clean-all linux-root:/usr/share/openvpn/easy-rsa # ./build-ca
其中./build-ca之后会提示用户输入
linux-root:/usr/share/openvpn/easy-rsa # ./build-ca Generating a 1024 bit RSA private key ......++++++ .........++++++ writing new private key to 'ca.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [JS]: Locality Name (eg, city) [NJ]: Organization Name (eg, company) [eric.com.openvpn]: Organizational Unit Name (eg, section) []:it #自己输入 Common Name (eg, your name or your server's hostname) []:www.ducaijun.com #自己输入 Email Address [[email protected]]:
a.生成服务器证书和密钥
具体命令如下:
linux-root:/usr/share/openvpn/easy-rsa # ./build-key-server server Generating a 1024 bit RSA private key ..........................++++++ .............................................++++++ writing new private key to 'server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [JS]: Locality Name (eg, city) [NJ]: Organization Name (eg, company) [eric.com.openvpn]: Organizational Unit Name (eg, section) []:it Common Name (eg, your name or your server's hostname) []:server Email Address [[email protected]]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /usr/share/openvpn/easy-rsa/openssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'JS' localityName :PRINTABLE:'NJ' organizationName :PRINTABLE:'eric.com.openvpn' organizationalUnitName:PRINTABLE:'it' commonName :PRINTABLE:'server' emailAddress :IA5STRING:'[email protected]' Certificate is to be certified until Apr 12 06:22:09 2023 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
其中CommonName 时请输入"server"
b.生成客户端证书和密钥
./build-key client1
./build-key client2
./build-key client3
同样其他默认输入就可以,但是Common Name时每个用户请输入不同的,如 "client1", "client2", 或"client3"等
生成的Diffie Hellman参数
./build-dh
具体命令如下:
linux-root:/usr/share/openvpn/easy-rsa # ./build-dh Generating DH parameters, 1024 bit long safe prime, generator 2 This is going to take a long time .......................+......+..................+..........................................................................................+..........+...+..............+.....+..................................................+...........................................................+..................................................+....................................................................................+...................................................+.............................................................................................................................................................................................................................+...............+.....................................+.............................................................+..............................................................+...............+.......................................................................................................................................................................+...........................+.....................+................................................................+.....+...........................................+.....................................................................................................................+...................................+.....................+................+.....+..................................+.......+..................................................................................................................................+......................................................................................................+..........................+........................................................................+.+...........................................................................+......................................................................................................+.............................................................................+.............................................+.............................+.........+.................................+......................................+........+..........................................+..+..........................................................................................................................................+................+........................................................................................................................................+...........................................................+................+....+....................................+.......+...........................+..........................+.....................................+...............................................................+...........................................................................................................+..........................+.........................+.............................................+.......................................................+....+......+.......+..................+..............+........................................+.................+..+...................+..........+..........+.....................+............................................................................................+...........................................................................................................................................................................................................................................................+..........................................................................................+.........+.......................+.+....................................................................+.........................................................................+..........+......+.................+......................................................................................................................................................................................................+............+.............+...........................+........................................................................+...+..................................................+....................+.............+............................+.................................................+...........................................................................+......................+.............................................................................................+..............................+................................................................+.......................................................................+..................................+...............................................+....+.....................+...................................................................+....................+.....................................+.................+......................................+.......................................................................+...................................................................................................+......................................+.............................................................................................................................................................+............................................................+...+.......+......................................................................+...........................................+..................+..............+...........................................+....+.......................................+...........................................................+........................+..............................................................................+...........................................+........................................................+.......................................+.......................................................+.....+........................................................................................................+..............+............+.........................+.......................................................................++*++*++*
这里需要稍等一会啊,如果vars里面的KEY_SIZE=1024的值更大时花的时间会更多,完成后会生成dh1024.pem文件
查看一下keys文件列表及用处:
Filename Needed By Purpose Secret ca.crt server + all clients Root CA certificate NO ca.key key signing machine only Root CA key YES dh{n}.pem server only Diffie Hellman parameters NO server.crt server only Server Certificate NO server.key server only Server Key YES client1.crt client1 only Client1 Certificate NO client1.key client1 only Client1 Key YES client2.crt client2 only Client2 Certificate NO client2.key client2 only Client2 Key YES client3.crt client3 only Client3 Certificate NO client3.key client3 only Client3 Key YES
创建服务器和客户端的配置文件
最好使用OpenVPN的示例配置文件作为自己的配置的一个基础。 这些文件也可以在下面的文件夹下:
如果你安装一个RPM或DEB包,sample-config-files在目录/usr/share/doc/packages/openvpn或/usr/share/doc/openvpn
在Windows操作系统sample-config-files在开始菜单- >所有程序- > OpenVPN- > OpenVPN Sample Configuration Files
需要注意的是,在Linux,BSD,或unix-like的操作系统,示例配置文件被命名为server.conf和client.conf 在Windows被命名为server.ovpn的client.ovpn
命令运行如下:
linux-root:/etc/openvpn # cp /usr/share/doc/packages/openvpn/sample-config-files/server.conf /etc/openvpn/
把ca.crt、dh{n}.pem、server.crt和server.key移到server.conf配置制定路径,默认与server.conf同级
linux-root:/usr/share/openvpn/easy-rsa/keys # cp ca.crt /etc/openvpn/ linux-root:/usr/share/openvpn/easy-rsa/keys # cp server.crt /etc/openvpn/ linux-root:/usr/share/openvpn/easy-rsa/keys # cp server.key /etc/openvpn/ linux-root:/usr/share/openvpn/easy-rsa/keys # cp dh1024.pem /etc/openvpn/
编辑server.conf文件
如无特殊要求则全部安装默认即可,端口是1194、协议是udp、路由模式,分配的ip是10.8.0.0网段,
因为装openvpn的linux网段是192.168.1.0,把server.conf的124行;push "route 192.168.10.0 255.255.255.0"改为push "route 192.168.10.0 255.255.255.0",注意需要去掉全面的“;”
push "route 192.168.10.0 255.255.255.0" #124行 push "dhcp-option DNS 10.8.0.1" #187行 push "dhcp-option WINS 10.8.0.1" #188行 log /etc/openvpn/openvpn.log #276行 log-append /etc/openvpn/openvpn.log #277行
然后安装openvpn-client,下载地址是http://swupdate.openvpn.net/downloads/openvpn-client.msi,win7默认安装在C:\Program Files (x86)\OpenVPN Technologies\OpenVPN Client
然后把/usr/share/doc/packages/openvpn/sample-config-files/client.conf下载到本地,修改后缀名为.ovpn,然后把修改后的client.ovpn和用户证书文件还有ca文件一起拷贝到C:\Program Files (x86)\OpenVPN Technologies\OpenVPN Client\etc\profile文件夹下,以client1为例子:
需要编辑client.ovpn文件,更改第89及90行,修改为cert client1.crt 和key client1.key 即可.
在C:\Program Files (x86)\OpenVPN Technologies\OpenVPN Client\etc\profile文件夹下的文件列表如下:
ca.crt client.ovpn client1.crt client1.key
然后启动OpenVPN Client客户端,点击添加连接配置,选择本地文件导入,然后导入刚刚创建的client.opvn文件.
默认名称点击save,然后界面上会出现一个Client1选项,点击即可登录
登录成功后,ping一下10.8.0.1如果能通表示openvpn搭建完毕,最好看看能不能ping通192.168.1.0网段,为了的是验证server.conf配置124行push "route 192.168.10.0 255.255.255.0"是否有效。
至此,整个OpenVPN的安装过程就已经完成了。