
OpenVPN On CentOS5 Configuration

火星人 @ 2014-03-03, replies: 0




Server side

1. Download the openvpn source (the RPMforge repository package)
# wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.i386.rpm

2. Install openvpn
# sed --in-place "s/\\(.*enabled.*=\\).*/\1 0/" /etc/yum.repos.d/rpmforge.repo   # disable the repo by default; this file is provided by the rpmforge-release package

# yum --enablerepo rpmforge install openvpn   # enable the repo for this install only

#mkdir -p /etc/openvpn/easy-rsa

#cd /etc/openvpn/easy-rsa

#cp -Rv /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/* ./

#chmod u+x clean-all build-ca whichopensslcnf build-dh build-key pkitool build-key-server
3. Copy the configuration file
# cd ..

# cp /usr/share/doc/openvpn-2.2.0/sample-config-files/server.conf ./

# cd /etc/openvpn/easy-rsa   # the easy-rsa copy made in step 2
# vim vars

Change these to your own details:

export KEY_COUNTRY="CN"
export KEY_PROVINCE="CHINA"
export KEY_CITY="BEIJING"
export KEY_ORG="CSDN"
export KEY_EMAIL="gaoming@dev.csdn.net"

# . ./vars   # load the variables into the current shell

# ./clean-all   # initialise (empties the keys directory)

# ./build-ca   # create the root CA certificate
Generating a 1024 bit RSA private key
......++++++
.................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) :
Name []:
Email Address :

# ./build-key-server server   # create the server certificate
Generating a 1024 bit RSA private key
................................................++++++
.............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) :server
Name []:
Email Address :

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'CHINA'
localityName          :PRINTABLE:'BEIJING'
organizationName      :PRINTABLE:'CSDN'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'gaoming@dev.csdn.net'
Certificate is to be certified until Mar 10 02:45:38 2022 GMT (3650 days)
Sign the certificate? :y


1 out of 1 certificate requests certified, commit? y
Write out database with 1 new entries
Data Base Updated


# ./build-key client   # create the client certificate
Generating a 1024 bit RSA private key
......................++++++
........................................................++++++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) :
Name []:
Email Address :

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'CHINA'
localityName          :PRINTABLE:'BEIJING'
organizationName      :PRINTABLE:'CSDN'
commonName            :PRINTABLE:'client'
emailAddress          :IA5STRING:'gaoming@dev.csdn.net'
Certificate is to be certified until Mar 10 02:46:46 2022 GMT (3650 days)
Sign the certificate? :y


1 out of 1 certificate requests certified, commit? y
Write out database with 1 new entries
Data Base Updated


# ./build-dh      # generate the Diffie-Hellman parameters
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
[progress output elided]

4. Configuration file
# vim server.conf

local 117.79.92.146
port 1194
proto udp
dev tap
ca ./easy-rsa/keys/ca.crt
cert ./easy-rsa/keys/server.crt
# the server's private key belongs with cert above (the sample listing omitted it); keep the file mode 600
key ./easy-rsa/keys/server.key
dh ./easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0

push "route 192.168.1.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
verb 3
5. Start openvpn
# /etc/init.d/openvpn start

Starting openvpn:                                          [  OK  ]
# ifconfig                # the new virtual interface
tap0      Link encap:Ethernet  HWaddr 66:78:46:2C:A8:8B
           inet addr:10.8.0.1  Bcast:10.8.0.255  Mask:255.255.255.0
           inet6 addr: fe80::6478:46ff:fe2c:a88b/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:27 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:100
           RX bytes:0 (0.0 b)  TX bytes:5728 (5.5 KiB)
The client is installed the same way as the server. The differences are that you do not copy the easy-rsa directory, you choose client.conf when copying the sample configuration file, and you copy the server's ca.crt, client.crt and client.key to the client.

Then start the service.

Notes: make sure the clocks are synchronised when generating the certificates, and if the server side runs as nobody, do not forget to grant it the required permissions.
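A pre-flight check that ties the server.conf layout from step 4 to the closing note about permissions, written here as an added example (not the post's own code). It assumes the config's relative paths resolve against the config file's own directory, uses constructed placeholder key files rather than real certificates, and the function names check_openvpn_conf and make_sample_layout are chosen for this example.

```sh
#!/bin/sh
# Pre-flight check for an OpenVPN server.conf laid out like the one in the post.
# Added example, not the post's own code. Assumes relative paths in the config
# (./easy-rsa/keys/...) resolve against the config's own directory, as when the
# init script starts openvpn from /etc/openvpn.

# Print a space-separated list of findings for the config at $1; empty = clean.
check_openvpn_conf() {
    conf=$1
    dir=$(dirname "$conf")
    findings=""
    for d in ca cert key dh; do
        path=$(awk -v d="$d" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$path" ]; then
            findings="$findings missing-$d"          # directive absent from the file
            continue
        fi
        case $path in
            /*) full=$path ;;
            *)  full=$dir/$path ;;
        esac
        if [ ! -f "$full" ]; then
            findings="$findings absent-$d"           # referenced file not on disk
        elif [ "$d" = key ] && [ -n "$(find "$full" \( -perm -g+r -o -perm -o+r \) -print)" ]; then
            findings="$findings world-readable-key"  # private key readable by group/others
        fi
    done
    # The post's closing note: if the daemon is to run as nobody, say so explicitly.
    grep -q '^user ' "$conf" || findings="$findings no-user-directive"
    printf '%s\n' "${findings# }"
}

# Build a constructed copy of the post's layout in a temp dir and print its path.
make_sample_layout() {
    root=$(mktemp -d)
    mkdir -p "$root/easy-rsa/keys"
    for f in ca.crt server.crt server.key dh1024.pem; do
        printf 'constructed placeholder, not a real %s\n' "$f" > "$root/easy-rsa/keys/$f"
    done
    chmod 644 "$root/easy-rsa/keys/server.key"   # deliberately too open, like a fresh copy
    cat > "$root/server.conf" <<'EOF'
port 1194
ca ./easy-rsa/keys/ca.crt
cert ./easy-rsa/keys/server.crt
dh ./easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
EOF
    printf '%s\n' "$root"
}
```

On a real box, run check_openvpn_conf against /etc/openvpn/server.conf; the constructed layout only exercises the checks.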
《Solution》

Thanks for sharing


http://coctec.com/docs/service/show-post-885.html