
Detailed Guide to Installing OpenVPN on Linux

火星人 @ 2014-03-09, replies: 0

Install OpenVPN
3.1 Server
# Install lzo
Download the lzo*.tar.gz package from the website
tar -zxvf lzo*.tar.gz
cd lzo*
./configure
make && make install


# Install openvpn
cd /usr/local/src
wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
tar -zxvf openvpn-2.0.9.tar.gz
cd openvpn-2.0.9
./configure
make && make install


# Copy the sample configuration
cp -r /usr/local/src/openvpn-2.0.9/ /etc/openvpn/
cp -r /usr/local/src/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/
# Set up the CA environment
cd /etc/openvpn/easy-rsa/ //of course you can also leave this out
vi vars
export KEY_COUNTRY=TW
export KEY_PROVINCE=Taiwan
export KEY_CITY=Tainan
export KEY_ORG="Study-Area"
export KEY_EMAIL="netman@study-area.org"
. ./vars
./clean-all

# Build the root CA
./build-ca
Generating a 1024 bit RSA private key
......
................
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [Taiwan]:
Locality Name (eg, city) [Tainan]:
Organization Name (eg, company) [Study-Area]:
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:CA
Email Address [netman@study-area.org]:

# Build the server key and crt


./build-key-server S1
Generating a 1024 bit RSA private key
............................
....
writing new private key to 'ovpnsrv1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [Taiwan]:
Locality Name (eg, city) [Tainan]:
Organization Name (eg, company) [Study-Area]:
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:ovpnsrv1
Email Address [netman@study-area.org]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'TW'
stateOrProvinceName :PRINTABLE:'Taiwan'
localityName :PRINTABLE:'Tainan'
organizationName :PRINTABLE:'Study-Area'
organizationalUnitName:PRINTABLE:'test'
commonName :PRINTABLE:'ovpnsrv1'
emailAddress :IA5STRING:'netman@study-area.org'
Certificate is to be certified until Sep 7 20:36:58 2015 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries


Data Base Updated

# Build the Diffie-Hellman parameters
./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.................................. ............................................
.. ............................................................................
................... .................................... ......................
....................... ...


# Install the CA files the server needs
cp keys/ca.crt ../
cp keys/dh1024.pem ../
cp keys/S1.key ../
cp keys/S1.crt ../

# Configure server.conf (leave anything not mentioned as it is)
cd ../
vi server.conf
dev tap
;dev tun
ca ca.crt
cert ovpnsrv1.crt
key ovpnsrv1.key # This file should be kept secret

# Start the openvpn server
cp /etc/openvpn/sample-scripts/openvpn.init /etc/init.d/openvpn //copy the sample init script to /etc/init.d/openvpn
chmod 755 /etc/init.d/openvpn
service openvpn restart
chkconfig openvpn on


--------------------------
3.2 Client

# Download and install openvpn (GUI version)
http://openvpn.se/files/install_packages/openvpn-2.1_beta7-gui-1.0.3-install.exe

# Set up the environment
cmd.exe
cd "c:\Program Files\OpenVPN\easy-rsa"
copy openssl.cnf.sample openssl.cnf
copy vars.bat.sample vars.bat
edit vars.bat
(The contents must match the server's, especially the KEY_ORG entry.)

# Set up the CA environment (client)

vars

# Generate certificates and keys for the VPN clients (done on the server)

./build-key client1
./build-key client2
./build-key client3
For Common Name enter client1, client2 and client3 respectively; everything else is the same as the VPN server settings


# Install the CA files //done on the client
cd ..\config
Download C1.crt and ca.crt from the server into the local OpenVPN config directory //winscp

copy ..\easy-rsa\keys\ovpnclt1.key . //config directory

# Copy the sample configuration file:
copy ..\sample-config\client.ovpn . //config directory


# Configure the client configuration file
Bottom-right corner (OpenVPN GUI)
Right-click --> Edit Config (leave anything not mentioned as it is)
dev tap
;dev tun
remote 192.168.100.151 1194
ca C:\keys\ca.crt
cert C:\keys\C1.crt
key C:\keys\C1.key

# Set up the openvpn TAP interface
Control Panel --> Network Connections --> TAP-Win32#(#)
Right-click --> Rename --> OpenVPN_Tap

# Start the openvpn client
Bottom-right corner (OpenVPN GUI)
Right-click --> Connect

# Test
ping 10.8.0.1

C:\Program Files\OpenVPN\easy-rsa>ping 10.8.0.1

Pinging 10.8.0.1 with 32 bytes of data:

Reply from 10.8.0.1: bytes=32 time=1ms TTL=64
Reply from 10.8.0.1: bytes=32 time<1ms TTL=64
Reply from 10.8.0.1: bytes=32 time<1ms TTL=64
Reply from 10.8.0.1: bytes=32 time<1ms TTL=64

Ping statistics for 10.8.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms

C:\Program Files\OpenVPN\easy-rsa>

4. Notes:

4.1 To allow multiple clients to connect to each other, enable this on the server side:
client-to-client

4.2 If you want to hide the server IP and use it purely as a bridge:
;server 10.3.0.0 255.255.255.0
server-bridge 10.8.0.1 255.255.255.0 10.8.0.129 10.8.0.246

4.3 For a CSR created by another CA, the Organization (KEY_ORG=) must match.
Otherwise it cannot be signed.

4.4 Distribution of CA files:
server:
ca.crt
dh1024.pem
server.crt
server.key # must be kept secret
client:
ca.crt
client.crt
client.key # must be kept secret


CA server:
ca.crt
ca.key # must be kept secret
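As an added example (not code from the original post), a small Python checker that parses the server.conf and client.ovpn fragments from this guide and audits them against the file distribution in note 4.4: it treats ';' and '#' as comment starts the way the guide's config lines do, reports credential directives that are missing or do not belong on that role, flags any reference to ca.key, and calls out client-to-client from note 4.1. The samples are constructed from the fragments above plus the sample server.conf's dh line, which the guide leaves unchanged.

```python
# Constructed samples: the server.conf and client.ovpn fragments from the guide,
# plus the sample config's unchanged "dh dh1024.pem" line and notes 4.1 / 4.2.
SERVER_CONF = """
dev tap
;dev tun
ca ca.crt
cert ovpnsrv1.crt
key ovpnsrv1.key # This file should be kept secret
dh dh1024.pem
server-bridge 10.8.0.1 255.255.255.0 10.8.0.129 10.8.0.246
client-to-client
"""
CLIENT_OVPN = """
dev tap
;dev tun
remote 192.168.100.151 1194
ca C:\\keys\\ca.crt
cert C:\\keys\\C1.crt
key C:\\keys\\C1.key
"""
# Credential directives each role must carry, per the file layout in 4.4.
EXPECTED = {"server": {"ca", "cert", "key", "dh"}, "client": {"ca", "cert", "key"}}

def parse(text):
    """Map directive -> list of argument lists (';'/'#' start a comment)."""
    conf = {}
    for raw in text.splitlines():
        args = []
        for tok in raw.split():
            if tok[0] in ";#":  # ';dev tun' is skipped; trailing '# ...' is dropped
                break
            args.append(tok)
        if args:
            conf.setdefault(args[0], []).append(args[1:])
    return conf

def audit(text, role):
    """Findings for a 'server' or 'client' config against the 4.4 file layout."""
    conf = parse(text)
    present = set(conf) & {"ca", "cert", "key", "dh"}
    findings = [f"missing '{d}' directive for {role}" for d in sorted(EXPECTED[role] - present)]
    findings += [f"'{d}' is not needed on the {role}" for d in sorted(present - EXPECTED[role])]
    for d in sorted(present):
        basename = conf[d][0][0].replace("\\", "/").rsplit("/", 1)[-1]  # handles C:\keys\...
        if basename == "ca.key":
            findings.append(f"'{d}' points at ca.key, which belongs only on the CA server")
    if role == "server" and "client-to-client" in conf:
        findings.append("client-to-client is enabled (note 4.1): clients can reach each other")
    return findings
```

Run `audit(SERVER_CONF, "server")` and `audit(CLIENT_OVPN, "client")` before copying a config to a host; an empty list means the host holds exactly the files note 4.4 assigns to it.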



http://coctec.com/docs/linux/show-post-51777.html