A prompt then asks for the certificate details. Most fields default to the values from the vars file above, so the only one you need to fill in yourself is "Organizational Unit Name"; anything will do there, or it can be left blank, which is what I did.
2) Generate the server certificate and key
./build-key-server server
As in the previous step, only "Organizational Unit Name" needs filling in, and it can be left blank. If it is left blank here, the Windows VPN client must still be able to resolve the VPN server's name correctly; I did this by editing c:\windows\system32\drivers\etc\hosts and adding the VPN server's hostname and address there.
You will also be asked "Sign the certificate?" and "1 out of 1 certificate requests certified, commit?"; type y and press Enter for both.
./build-key-server server
Generating a 1024 bit RSA private key
......++++++
....................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) []:gait
Common Name (eg, your name or your server's hostname) []:server
Email Address [support@cooldvd.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:dvdmaster
Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'dvdmaster'
organizationalUnitName:PRINTABLE:'dvdmaster'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'support@cooldvd.com'
Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)
Sign the certificate? :y
1 out of 1 certificate requests certified, commit? y
Write out database with 1 new entries
Data Base Updated
3) With this OpenVPN configuration, every VPN client that logs in needs its own certificate, and each certificate can serve only one connected client at a time (if two machines are installed with the same certificate and dial the server at the same time, both dial in, but only the first one to connect gets working network access). So a number of certificates have to be created. Below, two are created, named client1 and client2.
./build-key client1
Generating a 1024 bit RSA private key
.....++++++
......++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) []:gait
Common Name (eg, your name or your server's hostname) []:client1   # Important: the certificate generated for each client must have a different name.
Email Address [support@cooldvd.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:gait
Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'dvdmaster'
organizationalUnitName:PRINTABLE:'dvdmaster'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'support@cooldvd.com'
Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
Sign the certificate? :y
1 out of 1 certificate requests certified, commit? y
Write out database with 1 new entries
Data Base Updated
Generate the other client certificates and keys in the same way:
./build-key client2
4) ./build-dh
All generated certificate files are in /root/openvpn-2.0.9/easy-rsa/2.0/keys
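The build-ca, build-key-server and build-key steps above are interactive wrappers around openssl. The script below is an added example, not part of the tutorial or of easy-rsa: it issues the same kind of CA, server and client certificates non-interactively with the openssl command line, then runs the two checks worth doing before copying anything to a client: that every certificate chains to ca.crt, and that no two certificates share a Common Name (the tutorial's point that two machines on one certificate cannot both pass traffic). It assumes the openssl CLI is installed; the DN values are constructed to mirror the transcript, and 2048-bit keys replace the 1024-bit keys the 2.0-era scripts generated.

```shell
#!/bin/sh
# Added example (not from the tutorial or easy-rsa): the work that build-ca,
# build-key-server and build-key do, written directly against the openssl CLI
# so that it runs without prompts, followed by two sanity checks.
# Assumptions: openssl is installed; the DN values are constructed to mirror
# the tutorial's transcript (C=CN, ST=GD, L=SZ, O=dvdmaster).
set -eu

DN_BASE="/C=CN/ST=GD/L=SZ/O=dvdmaster"
DAYS=3650
# The 2.0-era scripts generated 1024-bit keys; that size is no longer acceptable.
KEYBITS=2048

# issue_cert DIR NAME: make a key and CSR for NAME and sign it with DIR/ca.crt.
# NAME becomes the Common Name, which OpenVPN uses to tell clients apart.
issue_cert() {
  dir=$1; name=$2
  openssl req -new -newkey "rsa:$KEYBITS" -nodes \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" \
    -subj "$DN_BASE/CN=$name" >/dev/null 2>&1
  openssl x509 -req -days "$DAYS" -in "$dir/$name.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/$name.crt" >/dev/null 2>&1
  rm -f "$dir/$name.csr"
}

# gen_pki DIR CLIENT...: self-signed CA (build-ca), server certificate
# (build-key-server server) and one certificate per client name (build-key).
gen_pki() {
  dir=$1; shift
  mkdir -p "$dir"
  openssl req -x509 -new -newkey "rsa:$KEYBITS" -nodes -days "$DAYS" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "$DN_BASE/CN=OpenVPN-CA" >/dev/null 2>&1
  issue_cert "$dir" server
  for client in "$@"; do
    issue_cert "$dir" "$client"
  done
}

# cert_cn FILE: print the Common Name of a certificate.
# RFC 2253 ordering puts CN first, which keeps the sed expression simple.
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
    | sed -n 's/^subject=[[:space:]]*CN=\([^,]*\).*/\1/p'
}

# verify_chain DIR NAME: succeeds only if DIR/NAME.crt was signed by DIR/ca.crt.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# unique_cns DIR: succeeds only if no two issued certificates share a CN.
# Two machines holding the same certificate both "connect", but only the first
# one gets working traffic, so a duplicate is a configuration error.
unique_cns() {
  dir=$1
  total=0
  for f in "$dir"/*.crt; do
    case "$f" in */ca.crt) continue ;; esac
    total=$((total + 1))
  done
  distinct=$(for f in "$dir"/*.crt; do
    case "$f" in */ca.crt) continue ;; esac
    cert_cn "$f"
  done | sort -u | wc -l | tr -d ' ')
  [ "$total" -eq "$distinct" ]
}

# Stand-alone run: build a PKI for two clients in a scratch directory and report.
demo=$(mktemp -d)
gen_pki "$demo" client1 client2
for n in server client1 client2; do
  verify_chain "$demo" "$n" && echo "$n.crt chains to ca.crt, CN=$(cert_cn "$demo/$n.crt")"
done
unique_cns "$demo" && echo "all Common Names are unique"
rm -rf "$demo"
```

One difference from the real build-key-server: easy-rsa 2.0 also marks the server certificate with server-only extensions (nsCertType=server, extendedKeyUsage=serverAuth). This example omits them, so a client configured with ns-cert-type server or remote-cert-tls server would reject its server.crt; those directives exist precisely so a stolen client certificate cannot be used to impersonate the server.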
5) Configure the server's VPN configuration file
a) cp /root/openvpn-2.0.9/sample-config-files/server.conf /usr/local/etc/server.conf
b) vi /usr/local/etc/server.conf
   i. change "proto udp" to "proto tcp"
   ii. change the four ca/cert/key/dh lines to
       ca /root/openvpn-2.0.9/easy-rsa/2.0/keys/ca.crt
       cert /root/openvpn-2.0.9/easy-rsa/2.0/keys/server.crt
       key /root/openvpn-2.0.9/easy-rsa/2.0/keys/server.key
       dh /root/openvpn-2.0.9/easy-rsa/2.0/keys/dh1024.pem
   iii. change the server line to "server 10.0.0.0 255.255.255.0"
   iv. comment out comp-lzo
   v. change to "verb 5" to get more debugging output
6) Start the service:
a) Make sure neither the server nor the firewall blocks SSH (22) or OpenVPN (1194).
b) echo "1" > /proc/sys/net/ipv4/ip_forward
c) /usr/local/sbin/openvpn --config /usr/local/etc/server.conf
II. Installing the Windows VPN client
4. Install the client
1. From http://openvpn.se/files/ download the Windows client "OpenVPN GUI For Windows" whose version matches the OpenVPN server.
   a) For example, if the server runs OpenVPN 2.0.9, the OpenVPN GUI for Windows to download is openvpn-2.0.9-gui-1.0.3-install.exe
2. Run openvpn-2.0.9-gui-1.0.3-install.exe, accepting all the defaults.
3. Copy ca.crt, client1.crt and client1.key to C:\Program Files\OpenVPN\config. (Each user uses a different certificate; each certificate consists of a .crt and a .key file, e.g. client2.crt and client2.key.)
4. Create the client configuration file from /root/openvpn-2.0.9/sample-config-files/client.conf and save it as C:\Program Files\OpenVPN\config\client.ovpn
   a) change "proto udp" to "proto tcp"
   b) change the remote line to "remote gait.buaa.edu.cn 1194" // I think writing the VPN server's IP address directly also works
   c) change the three ca/cert/key lines to
      ca ca.crt
      cert client1.crt
      key client1.key
   d) comment out comp-lzo
5. Connect: right-click the OpenVPN icon in the bottom-right tray and choose "Connect". Normally it should connect and be assigned a proper IP address.
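The server edits in step 5 and the client edits in step 4 above have to agree with each other; when they do not (UDP on one side and TCP on the other, or comp-lzo left active on one side), the usual symptom is a client that appears to connect but passes no traffic. The script below is an added example, not part of the tutorial or of OpenVPN: it applies both sets of edits with sed to copies of the sample configs and then cross-checks the resulting pair. The two sample files it writes are constructed stand-ins for the relevant lines of OpenVPN's sample-config-files; the key directory and the remote name follow the tutorial.

```shell
#!/bin/sh
# Added example (not from the tutorial or OpenVPN): apply the step-5 server
# edits and the client step-4 edits with sed, then verify that the two files
# agree on protocol, port and compression before anyone tries to connect.
# Assumptions: KEYDIR and REMOTE follow the tutorial; the sample configs written
# by write_samples are constructed stand-ins for OpenVPN's sample-config-files.
set -eu

KEYDIR=${KEYDIR:-/root/openvpn-2.0.9/easy-rsa/2.0/keys}
REMOTE=${REMOTE:-gait.buaa.edu.cn}

# write_samples DIR: constructed copies of the sample server.conf / client.conf
# lines that the tutorial edits (the real samples carry many more comments).
write_samples() {
  cat > "$1/server.conf.sample" <<'EOF'
port 1194
;proto tcp
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
comp-lzo
verb 3
EOF
  cat > "$1/client.conf.sample" <<'EOF'
client
dev tun
;proto tcp
proto udp
remote my-server-1 1194
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
EOF
}

# make_server_conf SAMPLE OUT: step 5 b) i-v; comp-lzo is commented out with ';'
# the way the sample files comment their own lines.
make_server_conf() {
  sed -e 's/^proto udp/proto tcp/' \
      -e "s#^ca .*#ca $KEYDIR/ca.crt#" \
      -e "s#^cert .*#cert $KEYDIR/server.crt#" \
      -e "s#^key .*#key $KEYDIR/server.key#" \
      -e "s#^dh .*#dh $KEYDIR/dh1024.pem#" \
      -e 's/^server .*/server 10.0.0.0 255.255.255.0/' \
      -e 's/^comp-lzo/;comp-lzo/' \
      -e 's/^verb .*/verb 5/' "$1" > "$2"
}

# make_client_ovpn SAMPLE CLIENT OUT: client step 4 a)-d) for certificate CLIENT.
make_client_ovpn() {
  sed -e 's/^proto udp/proto tcp/' \
      -e "s/^remote .*/remote $REMOTE 1194/" \
      -e 's/^ca .*/ca ca.crt/' \
      -e "s/^cert .*/cert $2.crt/" \
      -e "s/^key .*/key $2.key/" \
      -e 's/^comp-lzo/;comp-lzo/' "$1" > "$3"
}

# directive FILE NAME: value of the first active NAME line ('' if none).
directive() {
  sed -n "s/^$2[[:space:]]\{1,\}\([^#;]*\).*/\1/p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# has_directive FILE NAME: true if an uncommented NAME line is present.
has_directive() {
  grep -Eq "^$2"'([[:space:]]|$)' "$1"
}

# check_pair SERVER CLIENT: succeeds when the two configs can talk to each other.
check_pair() {
  srv=$1; cli=$2; ok=0
  sproto=$(directive "$srv" proto); cproto=$(directive "$cli" proto)
  [ "$sproto" = "$cproto" ] || { echo "proto mismatch: server=$sproto client=$cproto"; ok=1; }
  sport=$(directive "$srv" port)
  cport=$(directive "$cli" remote | awk '{print $2}')
  [ "$sport" = "$cport" ] || { echo "port mismatch: server=$sport client=$cport"; ok=1; }
  slzo=$(has_directive "$srv" comp-lzo && echo on || echo off)
  clzo=$(has_directive "$cli" comp-lzo && echo on || echo off)
  [ "$slzo" = "$clzo" ] || { echo "comp-lzo mismatch: server=$slzo client=$clzo"; ok=1; }
  return $ok
}

# Stand-alone run in a scratch directory.
work=$(mktemp -d)
write_samples "$work"
make_server_conf "$work/server.conf.sample" "$work/server.conf"
make_client_ovpn "$work/client.conf.sample" client1 "$work/client.ovpn"
check_pair "$work/server.conf" "$work/client.ovpn" && echo "server.conf and client.ovpn agree"
rm -rf "$work"
```

On the real server, run make_server_conf against the copied /usr/local/etc/server.conf and keep the generated client.ovpn beside the client's .crt/.key before copying the three files to C:\Program Files\OpenVPN\config; check_pair is the test to rerun whenever either side is edited later.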