OpenVPN configuration notes

Source: original to this site. Category: server technology.

1. Packages: lzo, openvpn, openssl

2. System environment: VPS running CentOS 5

3. Install by compiling from source

tar xzvf openssl-version.tar.gz
tar xzvf lzo-version.tar.gz
tar xzvf openvpn-version.tar.gz
cd openssl-version
./config --prefix=/usr/local/openssl    # OpenSSL's build script is ./config, not ./configure
make; make install
cd ..
cd lzo-version
./configure --prefix=/usr/local/lzo     # the openvpn configure line below expects lzo under /usr/local/lzo
make; make install
cd ..
cd openvpn-version
./configure --with-lzo-headers=/usr/local/lzo/include --with-lzo-lib=/usr/local/lzo/lib
make; make install

4. Generate the certificates:

cd /root/openvpn-2.0.9/easy-rsa

i. export D=`pwd`

ii. export KEY_CONFIG=$D/openssl.cnf

iii. export KEY_DIR=$D/keys

iv. export KEY_SIZE=1024

v. export KEY_COUNTRY=CN

vi. export KEY_PROVINCE=BJ

vii. export KEY_CITY=BJ

viii. export KEY_ORG="buaa"

ix. export KEY_EMAIL=liang3391@126.com

b) ./clean-all

c) ./build-ca

./clean-all

./build-ca

Generating a 1024 bit RSA private key
................++++++
........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [dvdmaster]: buaa
Organizational Unit Name (eg, section) []:gait
Common Name (eg, your name or your server's hostname) []:server
Email Address [liang3391@126.com]:

d) ./build-key-server server

./build-key-server server
Generating a 1024 bit RSA private key
......++++++
....................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [buaa]:
Organizational Unit Name (eg, section) []:gait
Common Name (eg, your name or your server's hostname) []:server
Email Address [support@cooldvd.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:dvdmaster
Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'dvdmaster'
organizationalUnitName:PRINTABLE:'dvdmaster'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'support@cooldvd.com'
Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

5. Client certificates

With this OpenVPN configuration, every VPN client that logs in needs its own certificate, and each certificate can serve only one client connection at a time (if two machines install the same certificate and dial in to the server at the same time, both connect, but only the first one to connect can reach the network). Many certificates are therefore needed. Below, three are created, named client1 to client3.

./build-key client1

Generating a 1024 bit RSA private key
.....++++++
......++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [buaa]:
Organizational Unit Name (eg, section) []:gait
Common Name (eg, your name or your server's hostname) []:client1   # Important: the certificate generated for each client must have a different name.
Email Address [support@cooldvd.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:gait
Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'dvdmaster'
organizationalUnitName:PRINTABLE:'dvdmaster'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'support@cooldvd.com'
Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generate the remaining client certificates/keys in the same way:

./build-key client2
./build-key client3

Note that at the prompt Common Name (eg, your name or your server's hostname) []: the name entered for each certificate must be different.

g) Run ./build-dh

h) All generated certificates are under /root/openvpn-2.0.9/easy-rsa/keys.

i. The server needs ca.crt, server.crt, server.key and dh1024.pem; each client needs ca.crt, its own client1-3.crt and client1-3.key.
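Before copying files to the server and clients, it is worth checking the keys directory for the mistakes the problem summary at the end of this post lists (wrong or missing files, certificates that do not chain to ca.crt or are outside their validity window on the current clock, two clients with the same Common Name). The script below is an added example, not code from the post or from easy-rsa; it assumes openssl is on PATH and the layout described above (ca.crt, server.crt and client*.crt, each beside its .key, in one directory).

```shell
#!/bin/sh
# Added example (not part of the original post): sanity-check an easy-rsa
# keys directory. Assumes ca.crt, server.crt and client*.crt, each with its
# .key file beside it, all in one directory (the post's layout).

# Print the Common Name of a PEM certificate (RFC 2253 order: CN=...,...).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed only if CERT chains to CA and is valid right now. The output is
# checked rather than the exit status, because old openssl releases
# exit 0 even when verification fails.
cert_verified() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Check every leaf certificate in DIR. Prints each problem found and
# returns 0 only when everything passes.
check_keys_dir() {
    dir=$1; rc=0; seen=""
    [ -r "$dir/ca.crt" ] || { echo "missing $dir/ca.crt"; return 1; }
    for cert in "$dir/server.crt" "$dir"/client*.crt; do
        [ -r "$cert" ] || { echo "missing $cert"; rc=1; continue; }
        # the server/client also needs the private key next to the cert
        [ -r "${cert%.crt}.key" ] || { echo "missing ${cert%.crt}.key"; rc=1; }
        if ! cert_verified "$dir/ca.crt" "$cert"; then
            echo "$cert: not signed by ca.crt, or not valid on this clock"
            rc=1
        fi
        # Common Names must be unique across the server and all clients
        cn=$(cert_cn "$cert")
        [ -n "$cn" ] || { echo "$cert: no Common Name"; rc=1; continue; }
        case " $seen " in
            *" $cn "*) echo "$cert: duplicate Common Name '$cn'"; rc=1 ;;
        esac
        seen="$seen $cn"
    done
    return $rc
}

# Usage: check_keys_dir /root/openvpn-2.0.9/easy-rsa/keys
```

Run it on the server's clock and again on a client whose clock you distrust: a certificate that is "not valid on this clock" on only one of them is the time-sync problem from the summary.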

7. Configuration files

a) cp /root/openvpn-2.0.9/sample-config-files/server.conf /usr/local/etc/server.conf

b) vi /usr/local/etc/server.conf

i. Change proto udp to proto tcp

ii. Change the four lines beginning with ca to

ca /root/openvpn-2.0.9/easy-rsa/keys/ca.crt
cert /root/openvpn-2.0.9/easy-rsa/keys/server.crt
key /root/openvpn-2.0.9/easy-rsa/keys/server.key
dh /root/openvpn-2.0.9/easy-rsa/keys/dh1024.pem

iii. For the complete server.conf see the reference file server.conf

8. Start the service:

a) On the server and on the firewall, remove every rule that blocks SSH (22) or OpenVPN (1194).

b) echo 1 > /proc/sys/net/ipv4/ip_forward

c) /usr/local/sbin/openvpn --config /usr/local/etc/server.conf

d) To start OpenVPN at boot, append the following to /etc/rc.local:

/usr/local/sbin/openvpn --config /usr/local/etc/server.conf > /dev/null 2>&1 &

4. Install the client

1. From http://openvpn.se/ download the Windows client "OpenVPN GUI for Windows" whose version matches the OpenVPN server.

a) For example, if the server runs OpenVPN 2.0.9, the OpenVPN GUI for Windows to download is openvpn-2.0.9-gui-1.0.3-install.exe

2. Run openvpn-2.0.9-gui-1.0.3-install.exe, accepting all the defaults.

3. Copy ca.crt, client1.crt and client1.key to C:\Program Files\OpenVPN\config. (Each user uses a different certificate; every certificate consists of two files, .crt and .key, e.g. client2.crt and client2.key.)

4. Create the client configuration file from /root/openvpn-2.0.9/sample-config-files/client.conf and save it as C:\Program Files\OpenVPN\config\client.ovpn

a) Change proto udp to proto tcp

b) Change the remote line to the VPN server's public IP followed by 1194 (the port number)

c) Change the three lines beginning with ca to

ca ca.crt
cert client1.crt
key client1.key

d) Comment out comp-lzo

For the complete client configuration file see the reference file client.ovpn

IV. Problem summary:

1. The paths to the certificate and key files in server.conf/client.conf must be written correctly.

2. Change proto udp to proto tcp

3. ./build-key client ...: each client needs a different Common Name, and it must not be the same as the Common Name used above.

4. Because a certificate is only valid from its start time, the server and client clocks must be kept in sync. How to set the time:

E.g.: date -s 20:30:30  # set the system time to 20:30:30; clock -w  # write the system time (as set by date) to the BIOS; to sync from network time: ntpdate pool.ntp.org

5. On an OpenVZ VPS, run the following before setting up OpenVPN:

vzctl set 120 --devices c:10:200:rw --save
vzctl exec 120 mkdir -p /dev/net
vzctl exec 120 mknod /dev/net/tun c 10 200
vzctl exec 120 chmod 600 /dev/net/tun

Otherwise the TUN device cannot be opened.

6. Open /etc/vz/vz.conf (vi /etc/vz/vz.conf) and find

## IPv4 iptables kernel modules

IPTABLES="iptable_nat ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"

and add the modules listed there to /etc/vz/conf/120.conf (vi /etc/vz/conf/120.conf):

# CPU fair sheduler parameter
CPUUNITS="1000"
VE_ROOT="/vz/root/$VEID"
VE_PRIVATE="/vz/private/$VEID"
OSTEMPLATE="centos-4-i386-default"
ORIGIN_SAMPLE="vps.basic"
IP_ADDRESS="61.191.20.26"
HOSTNAME="vps120"
NAMESERVER="202.102.192.68"
DEVICES="c:10:200:rw "
IPTABLES="ip_tables iptable_nat iptable_filter iptable_mangle ipt_limit ipt_REJECT ipt_length "
CAPABILITY="NET_ADMIN:on "

Otherwise it reports that the nat/filter modules do not exist and the kernel needs to be recompiled.

Then run vzctl set 120 --iptables iptable_filter --iptables ipt_length --iptables ipt_limit --iptables iptable_mangle --iptables ipt_REJECT --save

Restart the OpenVZ host.

Finally, enable NAT in iptables:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 61.191.20.26

Article from: CCIE那点事 http://www.jdccie.com/, all rights reserved. Unless another source is noted, the articles on this site are the author's original work; they may be freely cited with attribution, but reposting in full is prohibited.
Article link: http://www.jdccie.com/?p=3334 (when reposting, please credit CCIE那点事)