OpenVPN 2.3.4 server deployment on Linux

Posted 2019-9-5 17:00:01

II. Deploying OpenVPN

This deployment uses the latest OpenVPN, 2.3.4, and that package no longer contains the most important part, the certificate tooling: easy-rsa. The OpenVPN site says so explicitly: "Starting with openvpn-2.3_alpha2 easy-rsa is no longer part of the OpenVPN source or binary packages". So easy-rsa has to be downloaded separately beforehand (it is available on GitHub); its configuration is covered in step 3 below. This deployment uses easy-rsa 3, whose workflow is completely different from easy-rsa 2.0, so the easy-rsa 2.0 tutorials found elsewhere online do not apply here. Before deploying OpenVPN it is best to sync the server clock with ntpdate; otherwise the certificate validity times will be wrong and you get "certificate error"-type failures!

1. Install lzo

lzo is a data compression algorithm focused on decompression speed.

    [root@vpn ~]# tar xf lzo-2.08.tar.gz
    [root@vpn ~]# cd lzo-2.08
    [root@vpn lzo-2.08]# ./configure && make && make install

2. Install openvpn

    [root@vpn ~]# tar xf openvpn-2.3.4.tar.gz
    [root@vpn ~]# cd openvpn-2.3.4
    [root@vpn openvpn-2.3.4]# ./configure --with-lzo-headers=/usr/local/include/ --with-lzo-lib=/usr/local/lib
    [root@vpn openvpn-2.3.4]# make && make install
    [root@vpn openvpn-2.3.4]#
    [root@vpn openvpn-2.3.4]# which openvpn
    /usr/local/sbin/openvpn      # seeing this means openvpn installed successfully

3. Configure easyrsa on the server side

The openvpn-2.3.4 package does not include the tooling for making certificates (CA certificate, server certificate, client certificates), so easy-rsa must be downloaded separately; the latest is easy-rsa 3. "Starting with openvpn-2.3_alpha2 easy-rsa is no longer part of the OpenVPN source or binary packages" (from the OpenVPN website).

    [root@vpn ~]# unzip easy-rsa-master.zip
    [root@vpn ~]# mv easy-rsa-master easy-rsa
    [root@vpn ~]# cp -R easy-rsa/ openvpn-2.3.4/
    [root@vpn ~]# cd openvpn-2.3.4/easy-rsa/easyrsa3/
    [root@vpn easyrsa3]# cp vars.example vars
    [root@vpn easyrsa3]# vim vars
    set_var EASYRSA_REQ_COUNTRY "CN"
    set_var EASYRSA_REQ_PROVINCE "Beijing"
    set_var EASYRSA_REQ_CITY "Beijing"
    set_var EASYRSA_REQ_ORG "nmshuishui Certificate"
    set_var EASYRSA_REQ_EMAIL "353025240@qq.com"
    set_var EASYRSA_REQ_OU "My OpenVPN"

4. Create the server certificate and key

(1) Initialize

    [root@vpn easyrsa3]# ls
    easyrsa  openssl-1.0.cnf  vars  vars.example  x509-types
    [root@vpn easyrsa3]#
    [root@vpn easyrsa3]# ./easyrsa init-pki
    Note: using Easy-RSA configuration from: ./vars

    init-pki complete; you may now create a CA or requests.
    Your newly created PKI dir is: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki

(2) Create the root certificate

    [root@vpn easyrsa3]# ./easyrsa build-ca
    Note: using Easy-RSA configuration from: ./vars
    Generating a 2048 bit RSA private key
    .............................................+++
    ........+++
    writing new private key to '/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key'
    Enter PEM pass phrase:                      # enter a password; it is used for signing certificates
    Verifying - Enter PEM pass phrase:          # confirm the password
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Common Name (eg: your user, host, or server name) [Easy-RSA CA]:nmshuishui  # enter a Common Name

    CA creation complete and you may now import and sign cert requests.
    Your new CA certificate file for publishing is at:
    /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt

(3) Create the server certificate

    [root@vpn easyrsa3]# ./easyrsa gen-req server nopass
    Note: using Easy-RSA configuration from: ./vars
    Generating a 2048 bit RSA private key
    ................................+++
    ......+++
    writing new private key to '/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Common Name (eg: your user, host, or server name) [server]:nmshuishui-BJ  # this Common Name must NOT be the same as the
                                                                              # Common Name used for the root certificate; a lesson paid for in blood and tears

    Keypair and certificate request completed. Your files are:
    req: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/server.req
    key: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key

(4) Sign the server certificate

    [root@vpn easyrsa3]# ./easyrsa sign server server
    Note: using Easy-RSA configuration from: ./vars

    You are about to sign the following certificate.
    Please check over the details shown below for accuracy. Note that this request
    has not been cryptographically verified. Please be sure it came from a trusted
    source or that you have verified the request checksum with the sender.

    Request subject, to be signed as a server certificate for 3650 days:

    subject=
        commonName                = nmshuishui

    Type the word 'yes' to continue, or any other input to abort.
      Confirm request details: yes        # type yes to continue
    Using configuration from /root/openvpn-2.3.4/easy-rsa/easyrsa3/openssl-1.0.cnf
    Enter pass phrase for /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key:    # enter the password set when creating the root certificate
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    commonName            :PRINTABLE:'nmshuishui'
    Certificate is to be certified until Aug 21 14:18:49 2024 GMT (3650 days)

    Write out database with 1 new entries
    Data Base Updated

    Certificate created at: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt

(5) Create the Diffie-Hellman parameters, the command that ensures the key can cross an insecure network:

    [root@vpn easyrsa3]# ./easyrsa gen-dh
    Note: using Easy-RSA configuration from: ./vars
    Generating DH parameters, 2048 bit long safe prime, generator 2
    This is going to take a long time
    ..........+..........+..........(progress dots omitted)..........++*++*
    DH parameters of size 2048 created at /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem

5. Create the client certificate

(1) Create a client directory under root's home directory

    [root@vpn easyrsa3]# cd
    [root@vpn ~]# mkdir client
    [root@vpn ~]# cp -R easy-rsa/ client/

(2) Initialize

    [root@vpn ~]# cd client/easy-rsa/easyrsa3/
    [root@vpn easyrsa3]# ls
    easyrsa  openssl-1.0.cnf  vars  vars.example  x509-types
    [root@vpn easyrsa3]# ./easyrsa init-pki
    Note: using Easy-RSA configuration from: ./vars

    init-pki complete; you may now create a CA or requests.
    Your newly created PKI dir is: /root/client/easy-rsa/easyrsa3/pki

(3) Create the client key and certificate request

    [root@vpn easyrsa3]# ./easyrsa gen-req nmshuishui
    Note: using Easy-RSA configuration from: ./vars
    Generating a 2048 bit RSA private key
    ....................................................+++
    ..........................................................................+++
    writing new private key to '/root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key'
    Enter PEM pass phrase:            # enter a password
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Common Name (eg: your user, host, or server name) [nmshuishui]:nmshuishui   # enter nmshuishui

    Keypair and certificate request completed. Your files are:
    req: /root/client/easy-rsa/easyrsa3/pki/reqs/nmshuishui.req
    key: /root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key

(4) Import the resulting nmshuishui.req and sign the certificate

    [root@vpn ~]# cd openvpn-2.3.4/easy-rsa/easyrsa3/
    [root@vpn easyrsa3]#   # import the req
    [root@vpn easyrsa3]# ./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/nmshuishui.req nmshuishui
    Note: using Easy-RSA configuration from: ./vars

    The request has been successfully imported with a short name of: nmshuishui
    You may now use this name to perform signing operations on this request.

    [root@vpn easyrsa3]#     # sign the certificate
    [root@vpn easyrsa3]# ./easyrsa sign client nmshuishui
    Note: using Easy-RSA configuration from: ./vars

    You are about to sign the following certificate.
    Please check over the details shown below for accuracy. Note that this request
    has not been cryptographically verified. Please be sure it came from a trusted
    source or that you have verified the request checksum with the sender.

    Request subject, to be signed as a client certificate for 3650 days:

    subject=
        commonName                = nmshuishui

    Type the word 'yes' to continue, or any other input to abort.
      Confirm request details: yes       # type yes
    Using configuration from /root/openvpn-2.3.4/easy-rsa/easyrsa3/openssl-1.0.cnf
    Enter pass phrase for /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key:    # enter the password set when creating the root certificate
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    commonName            :PRINTABLE:'nmshuishui'
    Certificate is to be certified until Aug 21 12:49:40 2024 GMT (3650 days)

    Write out database with 1 new entries
    Data Base Updated

    Certificate created at: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/nmshuishui.crt   # signed successfully

(5) Files generated on the server and client sides

Server side: the (/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki) directory

    /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt
    /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/server.req
    /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/qingliu.req
    /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key
    /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key
    /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt
    /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/qingliu.crt
    /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem

Client side: (/root/client/easy-rsa)

    /root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key
    /root/client/easy-rsa/easyrsa3/pki/reqs/nmshuishui.req   # this file was imported into the server-side directory, so it exists there too

(6) Copy the server key, certificates, etc. into the openvpn directory

    [root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt openvpn-2.3.4/
    [root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key openvpn-2.3.4/
    [root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt openvpn-2.3.4/
    [root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem openvpn-2.3.4/

(7) Copy the client key, certificates, etc. into the client directory

    [root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt /root/client
    [root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/nmshuishui.crt /root/client
    [root@vpn ~]# cp /root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key /root/client

(8) Write the server configuration file

When OpenVPN is installed it provides an example server configuration file:

    /root/openvpn-2.3.4/sample/sample-config-files/server.conf

Copy this example into the openvpn directory, then configure it:

    [root@vpn ~]# cp openvpn-2.3.4/sample/sample-config-files/server.conf openvpn-2.3.4/
    [root@vpn ~]# vim openvpn-2.3.4/server.conf
    local 192.168.1.104    # (your own VPS IP)
    port 1194
    proto udp
    dev tun
    ca /root/openvpn-2.3.4/ca.crt
    cert /root/openvpn-2.3.4/server.crt
    key /root/openvpn-2.3.4/server.key # This file should be kept secret
    dh /root/openvpn-2.3.4/dh.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8"
    keepalive 10 120
    comp-lzo
    max-clients 100
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3

(9) Enable IP forwarding in the kernel

    [root@vpn ~]# vim /etc/sysctl.conf
    net.ipv4.ip_forward = 0  change to  net.ipv4.ip_forward = 1
    [root@vpn ~]# sysctl -p
    [root@vpn ~]# sysctl -a | grep net.ipv4.ip_forward
    net.ipv4.ip_forward = 1

(10) Masquerade the outgoing packets (eth0 is your VPS's external network interface):

    /sbin/iptables -t nat -I POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE

III. Download the OpenVPN client and configure it

1. Copy the client key, certificates, etc. out to Windows for later use

    [root@vpn ~]# cd client/
    [root@vpn client]# ls
    ca.crt  easy-rsa  nmshuishui.crt  nmshuishui.key    # the three files with extensions

2. Install the openvpn-gui tool

(1) Copy D:\Program Files (x86)\OpenVPN\sample-config\client.ovpn to D:\Program Files (x86)\OpenVPN\config

(2) Put the three key/certificate files copied out of Linux into D:\Program Files (x86)\OpenVPN\config

(3) Edit D:\Program Files (x86)\OpenVPN\config\client.ovpn and change it to:

    client
    dev tun
    proto udp
    remote 192.168.1.104 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt           # the certificate is needed here
    cert nmshuishui.crt
    key nmshuishui.key
    comp-lzo
    verb 3
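The server.conf and client.ovpn in the post above do connect, but they leave every directive that decides who can impersonate whom at the OpenVPN 2.3 defaults, and the client file has no `remote-cert-tls server`, so any certificate signed by this CA (another client's included) is accepted as the server. The script below is an added example, not code from the original post or from the OpenVPN project: it lints both files for the hardening directives a 2.3.4 deployment can set. SERVER_CONF and CLIENT_OVPN are transcribed from the post; the *_HARDENED variants are this example's own suggestions, and the file names ta.key and crl.pem are assumptions (they would come from `openvpn --genkey --secret ta.key` and `./easyrsa gen-crl`).

```python
"""Lint an OpenVPN 2.3-style server.conf / client.ovpn for hardening directives.
Added example, not code from the original post. SERVER_CONF and CLIENT_OVPN are
transcribed from the post; the *_HARDENED variants are this example's suggestions."""
import shlex

SERVER_CONF = """
local 192.168.1.104    # (your own VPS IP)
port 1194
proto udp
dev tun
ca /root/openvpn-2.3.4/ca.crt
cert /root/openvpn-2.3.4/server.crt
key /root/openvpn-2.3.4/server.key # This file should be kept secret
dh /root/openvpn-2.3.4/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
comp-lzo
verb 3
"""

CLIENT_OVPN = """
client
dev tun
proto udp
remote 192.168.1.104 1194
ca ca.crt
cert nmshuishui.crt
key nmshuishui.key
comp-lzo
verb 3
"""

# Suggested additions. Assumed file names: ta.key from 'openvpn --genkey --secret ta.key',
# crl.pem from './easyrsa gen-crl'. AES-256-CBC / SHA256 are the strongest options 2.3 ships.
SERVER_HARDENED = SERVER_CONF.replace("comp-lzo\n", "") + """
user nobody
group nobody
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2
crl-verify crl.pem
"""
CLIENT_HARDENED = CLIENT_OVPN.replace("comp-lzo\n", "") + """
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2
"""


def parse(text):
    """Return [(directive, [args])]. '#'/';' start comments; <tag>...</tag> inline blocks are skipped."""
    entries, inline = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("</"):                 # end of an inline <ca>/<cert>/<key> block
            inline = False
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = True
            continue
        if inline or not line:
            continue
        lex = shlex.shlex(line, posix=True)       # keeps push "dhcp-option DNS 8.8.8.8" as one arg
        lex.whitespace_split, lex.commenters = True, "#;"
        tokens = list(lex)
        if tokens:
            entries.append((tokens[0], tokens[1:]))
    return entries


def lint(text, role):
    """Findings for a 'server' or 'client' config; an empty list means every check passed."""
    if role not in ("server", "client"):
        raise ValueError("role must be 'server' or 'client'")
    present = {directive for directive, _ in parse(text)}
    findings = []

    def need(directive, why, alternatives=()):
        if directive not in present and not any(alt in present for alt in alternatives):
            findings.append("missing %s: %s" % (directive, why))

    # Both ends: control-channel HMAC, explicit data-channel crypto, TLS floor, no compression.
    need("tls-auth", "control channel has no pre-shared HMAC, so any host can start a handshake",
         alternatives=("tls-crypt",))
    need("cipher", "data channel falls back to the 2.3 default BF-CBC, a 64-bit block cipher")
    need("auth", "packet HMAC falls back to the default SHA1")
    need("tls-version-min", "TLS 1.0 stays negotiable; pin 1.2")
    if "comp-lzo" in present or "compress" in present:
        findings.append("comp-lzo: compressing attacker-influenced data next to secrets enables "
                        "compression-oracle attacks; leave compression off")
    if role == "server":
        need("user", "daemon keeps root after start-up; add 'user nobody'")
        need("group", "daemon keeps its primary group; add 'group nobody'")
        need("crl-verify", "no revocation check: a leaked client key works until the CA is replaced")
        if "duplicate-cn" in present:
            findings.append("duplicate-cn: one certificate may be used by many clients at once, "
                            "so a copied client key goes unnoticed")
    else:
        need("remote-cert-tls", "any CA-signed certificate is accepted as the server, so another "
             "client's certificate can impersonate the VPN server", alternatives=("verify-x509-name",))
    return findings


if __name__ == "__main__":
    for name, text, role in (("server.conf", SERVER_CONF, "server"), ("client.ovpn", CLIENT_OVPN, "client")):
        print(name + ":\n  " + "\n  ".join(lint(text, role)))
```

Run it and each finding names the directive that is missing and what the default leaves exposed. The additions have to be applied at both ends: the same ta.key goes to every client over the same channel as its certificate, the server and client `cipher`/`auth` values must match on 2.3 (there is no negotiation yet), and crl.pem must be regenerated with `./easyrsa gen-crl` after every `./easyrsa revoke <name>`, or the revocation has no effect on the running server.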
Original poster | Posted 2019-9-5 17:00:02
1.2 Prepare the OpenVPN installation directories

Because this installs from source, the program directory chosen is /usr/local/openvpn and the configuration directory is /etc/openvpn

    Program directory: /usr/local/openvpn
    Configuration directory: /etc/openvpn

2. Start installing OpenVPN

  2.1 Compile OpenVPN

    [root@client ~]# cd /home/src/openvpn
    [root@client openvpn]# tar zxvf lzo-2.03.tar.gz
    [root@client openvpn]# cd lzo-2.03
    [root@client lzo-2.03]# ./configure && make && make install

  Edit /etc/ld.so.conf

    [root@client lzo-2.03]# cat >> /etc/ld.so.conf << EOF
    /lib
    /lib64
    /usr/lib
    /usr/lib64
    /usr/local/lib
    /usr/local/lib64
    EOF

  After editing, run

    [root@client lzo-2.03]# ldconfig

  so the shared library paths take effect. Next, compile openvpn

    [root@client openvpn]# tar zxvf openvpn-2.0.9.tar.gz
    [root@client openvpn]# cd openvpn-2.0.9
    [root@client openvpn-2.0.9]# ./configure --prefix=/usr/local/openvpn && make && make install
    [root@client openvpn-2.0.9]# tree /usr/local/openvpn/

  You should see the following output

    [root@client ~]# tree /usr/local/openvpn/
    /usr/local/openvpn/
    |-- man
    |   `-- man8
    |       `-- openvpn.8
    `-- sbin
        |-- key
        `-- openvpn

    3 directories, 3 files

3. Configure the OpenVPN Server

  3.1 Set up the configuration environment

    [root@client ~]# mkdir -p /etc/openvpn
    [root@client ~]# cp -R /home/src/openvpn/openvpn-2.0.9/easy-rsa /etc/openvpn
    [root@client ~]# cd /etc/openvpn/easy-rsa/2.0/

  This directory contains many programs and scripts; the ones used are described below

    vars                  script that creates the environment variables and sets the values needed
    clean-all             script that creates the files and directories needed to generate the CA certificate and key files
    build-ca              script, generates the CA certificate (interactive)
    build-dh              script, generates the Diffie-Hellman file (interactive)
    build-key-server      script, generates the server key (interactive)
    build-key             script, generates the client key (interactive)
    pkitool               script, uses the vars environment settings directly to generate certificates (non-interactive)

3.2 Generate the CA certificate and key [take care not to mistype anything]

    [root@client 2.0]# . ./vars
    [root@client 2.0]# chmod +rwx *

  Initialize the keys directory, creating the files and directories needed to generate the CA certificate and key files

    [root@client 2.0]# ./clean-all

  Edit the vars file to set the environment variables; change the parameters in vars to suit your needs.

    export KEY_SIZE=1024                       # key size in bits
    export KEY_COUNTRY=CN                      # country code, 2 characters
    export KEY_PROVINCE=BeiJing                # province
    export KEY_CITY=BeiJing                    # city
    export KEY_ORG="VPN Test org"              # organization
    export KEY_OU="VPN COM"                    # organizational unit
    export KEY_EMAIL="china.client@gmail.com"  # your email address

  Once the vars file is edited you can start generating the CA certificate and key files!

    [root@client 2.0]# source ./vars

  Generate the Root CA certificate, used to sign the Server and Client certificates

    [root@client 2.0]# ./build-ca
    [root@client 2.0]# ls keys

  You can see that the ca.crt and ca.key files have been generated

  Generate the Diffie-Hellman file

    [root@client 2.0]# ./build-dh
    [root@client 2.0]# ls -l keys/dh2048.pem

  You can see that a 2048-bit Diffie-Hellman file was generated

  Generate the VPN server CA certificate used by the server

    [root@client 2.0]# ./build-key-server server

  server is the name you give this certificate; with the name server as the example, the server certificate files generated are: server.crt server.key

  Copy the generated CA certificate and keys to /etc/openvpn

    [root@client 2.0]# cp keys/{ca.crt,ca.key,server.crt,server.key,dh2048.pem} /etc/openvpn/

3.3 Generate the client CA certificate and key

  To generate the client certificate and key, just use the build-key program

    [root@client 2.0]# ./build-key client

  This generates three client certificate files in the keys directory: client.crt client.csr client.key

  Pack the five files ca.crt ca.key client.crt client.csr client.key for the client VPN to use

    [root@client 2.0]# tar zcvf client.vpn.key.tar.gz keys/{ca.crt,ca.key,client.crt,client.csr,client.key}

3.4 Generate the openvpn configuration file

  The best way to create an openvpn configuration file is to start from openvpn's sample files, in sample-config-files under the source directory; in this example that is

    /home/src/openvpn/openvpn-2.0.9/sample-config-files

  Server configuration file name: server.conf

  Client configuration file name: client.conf

  Modify them as needed.

  The configuration file in this example is: /etc/openvpn/openvpn.conf

    #########################################################################
    port 1723 # openvpn's default port is 1194
    proto tcp
    dev tun
    #########################################################################
    # The CA certificate and server certificate are read from the directory they are placed in;
    # in this example they are in /etc/openvpn, the same directory as the configuration file
    #########################################################################
    ca ca.crt
    cert server.crt
    key server.key
    dh dh2048.pem
    server 172.16.0.0 255.255.0.0
    push "dhcp-option DNS 202.106.0.20"
    push "dhcp-option DNS 168.210.2.2"
    push "route 172.16.0.0 255.255.0.0"
    ifconfig-pool-persist ipp.txt
    keepalive 10 120
    comp-lzo
    user nobody
    group nobody
    persist-key
    persist-tun
    status /var/log/openvpn-status.log
    verb 3
    # Clients can reach each other
    client-to-client
    # Allow one user to connect multiple times
    duplicate-cn
    log /var/log/openvpn.log
    log-append /var/log/openvpn.log
    #########################################################################

  3.5 Create the openvpn startup script

    The openvpn startup script is in the sample-scripts directory of the source tree

    File name: openvpn.init

    Copy openvpn.init to /etc/init.d and rename it openvpn

    [root@client ~]# cp -f /home/src/openvpn/openvpn-2.0.9/sample-scripts/openvpn.init /etc/init.d/openvpn

    Because it was compiled from source with a custom directory, line 69 of /etc/init.d/openvpn must be changed from

    openvpn_locations="/usr/sbin/openvpn /usr/local/sbin/openvpn"

    to:

    openvpn_locations="/usr/local/openvpn/sbin/openvpn /usr/sbin/openvpn /usr/local/sbin/openvpn"

  3.6 Add openvpn to system startup

    [root@client ~]# chkconfig --add openvpn

  3.7 Start/stop the openvpn service

    Start the openvpn service

    [root@client ~]# service openvpn start

    Stop the openvpn service

    [root@client ~]# service openvpn stop
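The tarball built in 3.3 above ships ca.key to the client, and vars sets KEY_SIZE=1024 (the other easy-rsa 2.0 walkthrough on this page does the same). The CA private key is the one file that must never leave the signing host: whoever holds it can issue server and client certificates that this VPN will trust, and 1024-bit RSA is well below the accepted minimum. The script below is an added example, not code from the original post or from easy-rsa: it audits a client bundle for a leaked CA key, stray files, and RSA keys under 2048 bits. Everything in it is constructed: the bundle mirrors the five file names in the post, the certificate bodies are placeholders the audit does not parse, and the RSA keys are syntactically valid PKCS#1 structures whose only meaningful field is the modulus size (they are not real key pairs). The rule for which file names a client legitimately needs (ca.crt, ta.key, *.crt, *.key, *.ovpn) is this example's assumption.

```python
"""Audit an OpenVPN client bundle: no CA private key, no stray files, RSA keys >= 2048 bits.
Added example, not code from the original post. Standard library only: the RSA modulus
size is read with a minimal DER walker rather than a crypto library."""
import base64
import re

MIN_RSA_BITS = 2048
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
RSA_OID = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1 rsaEncryption


# --- minimal DER encode/decode ---------------------------------------------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body           # long form: count byte, then length bytes


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v):
    raw = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:                                 # pad so the INTEGER stays positive
        raw = b"\x00" + raw
    return _der(0x02, raw)


def _der_read(buf, pos=0):
    """Decode one tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _der_children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = _der_read(body, pos)
        out.append((tag, val))
    return out


def rsa_modulus_bits(der):
    """Modulus size of a PKCS#1 RSAPrivateKey, or of a PKCS#8 PrivateKeyInfo wrapping one."""
    tag, body, _ = _der_read(der)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    fields = _der_children(body)
    if len(fields) >= 3 and fields[1][0] == 0x30 and fields[2][0] == 0x04:   # PKCS#8 wrapper
        return rsa_modulus_bits(fields[2][1])
    return int.from_bytes(fields[1][1], "big").bit_length()   # PKCS#1: version, n, e, d, ...


# --- constructed test material (NOT real keys: only the modulus size is meaningful) ----
def fake_rsa_key_der(bits):
    n = (1 << (bits - 1)) | 0x10001                   # top bit set, so bit_length() == bits
    placeholders = b"".join(_der_int(1) for _ in range(6))   # d, p, q, dp, dq, qinv
    return _der(0x30, _der_int(0) + _der_int(n) + _der_int(65537) + placeholders)


def wrap_pkcs8(pkcs1_der):
    """PrivateKeyInfo as newer OpenSSL writes it ('BEGIN PRIVATE KEY')."""
    alg = _der(0x30, RSA_OID + b"\x05\x00")
    return _der(0x30, _der_int(0) + alg + _der(0x04, pkcs1_der))


def pem(label, der):
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b"\n".join(lines), label)


# --- the audit ---------------------------------------------------------------------------
def audit_bundle(files):
    """files: {name: bytes}. Returns findings; [] means the bundle is acceptable."""
    findings = []
    for name, data in files.items():
        if name == "ca.key":
            findings.append("ca.key: CA private key shipped to a client; its holder can sign "
                            "certificates for any server or user of this VPN")
        elif not (name in ("ca.crt", "ta.key") or name.endswith((".crt", ".key", ".ovpn"))):
            findings.append("%s: not needed by a client; keep bundles minimal" % name)
        for label, body in PEM_RE.findall(data):
            if b"PRIVATE KEY" not in label or label.startswith(b"ENCRYPTED") or b"Proc-Type:" in body:
                continue                              # certificates, and encrypted keys, are not opened
            bits = rsa_modulus_bits(base64.b64decode(body))
            if bits < MIN_RSA_BITS:
                findings.append("%s: %d-bit RSA key, below the %d-bit minimum" % (name, bits, MIN_RSA_BITS))
    return findings


CERT_STUB = b"-----BEGIN CERTIFICATE-----\n(not inspected by this audit)\n-----END CERTIFICATE-----\n"
# Constructed bundle mirroring the five files the post tars into client.vpn.key.tar.gz with KEY_SIZE=1024.
POSTED_BUNDLE = {
    "ca.crt": CERT_STUB,
    "ca.key": pem(b"RSA PRIVATE KEY", fake_rsa_key_der(1024)),
    "client.crt": CERT_STUB,
    "client.csr": b"-----BEGIN CERTIFICATE REQUEST-----\n(not inspected)\n-----END CERTIFICATE REQUEST-----\n",
    "client.key": pem(b"RSA PRIVATE KEY", fake_rsa_key_der(1024)),
}
```

To audit a real bundle, read the members of client.vpn.key.tar.gz with tarfile into the same {name: bytes} mapping; keys from easy-rsa 2.0 appear as "BEGIN RSA PRIVATE KEY" (PKCS#1) and keys from newer OpenSSL as "BEGIN PRIVATE KEY" (PKCS#8), and both are handled. Passphrase-protected keys are skipped rather than guessed at. For the bundle in the post the fix is to leave out ca.key and client.csr, and to set KEY_SIZE=2048 in vars and rebuild the PKI before issuing any certificate.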
Original poster | Posted 2019-9-5 17:00:03
Install LZO
Code:

    cd /lzo-2.02
    ./configure
    make
    make check
    make install

Install OpenVPN
Code:

    cd /openvpn-2.0.5
    ./configure
    # or with explicit directories: (note: the command below should be written on one line; it is split over four lines here for display)
    # ./configure --with-lzo-headers=/usr/local/include
    #  --with-lzo-lib=/usr/local/lib
    #  --with-ssl-headers=/usr/local/include/openssl
    #  --with-ssl-lib=/usr/local/lib
    make
    make install

Generate the certificates and keys
Initialize the PKI

(If there is no export command, the setenv [name] [value] command can be used instead)

Code:

    cd /openvpn-2.0.5/easy-rsa
    export D=`pwd`
    export KEY_CONFIG=$D/openssl.cnf
    export KEY_DIR=$D/keys
    export KEY_SIZE=1024
    export KEY_COUNTRY=CN
    export KEY_PROVINCE=GD
    export KEY_CITY=SZ
    export KEY_ORG="xiaohui.com"
    export KEY_EMAIL="your-email [at] xiaohui.com"

Build:
Code:

    ./clean-all
    ./build-ca

    Generating a 1024 bit RSA private key
    ................++++++
    ........++++++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [GD]:
    Locality Name (eg, city) [SZ]:
    Organization Name (eg, company) [xiaohui.com]:
    Organizational Unit Name (eg, section) []:xiaohui.com
    Common Name (eg, your name or your server's hostname) []:server
    Email Address [your-email [at] xiaohui.com]:

# Create the server key
Code:

    ./build-key-server server

    Generating a 1024 bit RSA private key
    ......++++++
    ....................++++++
    writing new private key to 'server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [GD]:
    Locality Name (eg, city) [SZ]:
    Organization Name (eg, company) [xiaohui.com]:
    Organizational Unit Name (eg, section) []:xiaohui.com
    Common Name (eg, your name or your server's hostname) []:server
    Email Address [your-email [at] xiaohui.com]:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:abcd1234
    An optional company name []:xiaohui.com
    Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'CN'
    stateOrProvinceName   :PRINTABLE:'GD'
    localityName          :PRINTABLE:'SZ'
    organizationName      :PRINTABLE:'xiaohui.com'
    organizationalUnitName:PRINTABLE:'xiaohui.com'
    commonName            :PRINTABLE:'server'
    emailAddress          :IA5STRING:'your-email [at] xiaohui.com'
    Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

# Generate the client key

Code:

    ./build-key client1

    Generating a 1024 bit RSA private key
    .....++++++
    ......++++++
    writing new private key to 'client1.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [GD]:
    Locality Name (eg, city) [SZ]:
    Organization Name (eg, company) [xiaohui.com]:
    Organizational Unit Name (eg, section) []:xiaohui.com
    Common Name (eg, your name or your server's hostname) []:client1    # Important: every client's certificate must be generated with a different name.
    Email Address [your-email [at] xiaohui.com]:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:abcd1234
    An optional company name []:xiaohui.com
    Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'CN'
    stateOrProvinceName   :PRINTABLE:'GD'
    localityName          :PRINTABLE:'SZ'
    organizationName      :PRINTABLE:'xiaohui.com'
    organizationalUnitName:PRINTABLE:'xiaohui.com'
    commonName            :PRINTABLE:'client1'
    emailAddress          :IA5STRING:'your-email [at] xiaohui.com'
    Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

Generate the remaining client certificates/keys in the same way

Code:

! T1 L. \; I. R0 Y" N& F, g./build-key client2
( ]5 O/ N- Z' F" j+ E" Q( T, o./build-key client3 9 V2 b3 t6 R. v& \
注意在进入 Common Name (eg, your name or your server's hostname) []: 的输入时, 每个证书输入的名字必须不同.* b; Q' C! ], m' z5 H8 d! H0 E" v# i
生成 Diffie Hellman 参数 。代码:5 q( e5 m/ J* V; _
./build-dh
3 a- [6 x- F7 X* I) |+ ]8 ]将 keys 下的所有文件打包下载到本地) V3 }* F5 k4 I
代码:' ^( b- h! [( h

; i7 A# {! Z) X- Z/ _9 ]tar -cf mykeys.tar /openvpn-2.0.5/easy-rsa/keys
  O' U7 O0 v. R6 u1 _$ kcp mykeys.tar /home/xiaohui.comsys/public_html/mykeys.tar
0 F  B2 U* f8 z( @将 mykeys.tar 移到 web public(绝对路径因人而异) 上, 然后用 http://www.a.com/mykeys.tar 方式将其下载到本地保存, 然后将其从server删除: 代码:
, c3 |0 b7 k  }rm /home/xiaohui.comsys/public_html/mykeys.tar 1 p# h7 J6 Q/ z+ V  {
也可以用其他方法把 key file搞到本地,例如 ftp.0 Q2 Q# D6 {: y' M2 ~1 J9 _
创建服务端配置文件
0 S" J: d% ~6 Z4 J! l" c从样例文件创建:. p1 z' e/ ?& s, ?

3 m+ y- m, U4 ^! a) [( Z0 K代码:
$ d. x& _5 H* e
2 c0 J, ]0 C8 i, }; P( D# W, e9 b: ycd $dir/sample-config-files/ # 进入源代码解压目录下的sample-config-files子目录
. k# R+ j7 w1 ncp server.conf /usr/local/etc  # cp服务器配置文件到/usr/local/etc
' Y! O) \0 p: i/ }8 G5 T8 lvi /usr/local/etc/server.conf / b' j& M# ?1 g& c; Q& @
我建立的server.conf 的内容稍后另附.0 W0 P8 w/ W( J8 g/ e) U) q. s
创建客户端配置文件; @9 e1 l- z& ?& A8 Q! i
代码:4 d( C% o7 u  ?* ?
1 k" |; W/ b# L) f5 Q+ ?9 o
cd $dir/sample-config-files/  #进入源代码解压目录下的sample-config-files子目录
' V( D  w: T, X8 e. }8 ?cp client.conf /usr/local/etc  #cp客户端配置文件到/usr/local/etc
# G, ]0 H7 }  w( I( S7 |% rvi /usr/local/etc/client.conf
0 \5 g3 l& V+ o4 |- [6 [" }: X我建立的client.conf 的内容稍后另附.0 G1 M4 ~# Y7 ^# r$ |+ Y2 h
启动Openvpn: openvpn [server config file] 代码:$ u: M  u: {$ N
/usr/local/sbin/openvpn --config /usr/local/etc/server.conf
0 Z( k7 n9 Q$ H& u( a
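The warning above that every certificate must carry a different Common Name (the easy-rsa 3 steps repeat it for the server certificate versus the CA) can be checked against the CA's own database. The following is an added example, not code from the post or from easy-rsa, that parses index.txt (keys/index.txt in easy-rsa 2, pki/index.txt in easy-rsa 3) and reports duplicate CNs, expired and revoked entries; the index lines are constructed for illustration.

```python
"""Audit the OpenSSL CA database (index.txt) that easy-rsa maintains.

Added example, not code from the post or from easy-rsa. easy-rsa 2 keeps the
file at keys/index.txt and easy-rsa 3 at pki/index.txt; both use the OpenSSL
`ca` database format, one tab-separated line per issued certificate:
    status  expiry  revocation_date  serial  filename  subject_dn
status is V (valid), R (revoked) or E (expired), dates are YYMMDDHHMMSSZ,
and revocation_date is empty unless status is R.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample index: two certificates share a CN, one client
# certificate was revoked, one is still valid.
SAMPLE_INDEX = (
    "V\t240821141849Z\t\t01\tunknown\t/CN=nmshuishui\n"
    "V\t240821124940Z\t\t02\tunknown\t/CN=nmshuishui\n"
    "R\t260319081531Z\t190906030000Z\t03\tunknown\t"
    "/C=CN/ST=GD/L=SZ/O=xiaohui.com/CN=client1/emailAddress=a@xiaohui.com\n"
    "V\t260319082200Z\t\t04\tunknown\t/C=CN/ST=GD/L=SZ/O=xiaohui.com/CN=client2\n"
)


@dataclass
class Entry:
    status: str
    expires: datetime
    revoked: Optional[datetime]
    serial: str
    subject: Dict[str, str] = field(default_factory=dict)

    @property
    def cn(self) -> str:
        return self.subject.get("CN", "")


def parse_date(text: str) -> datetime:
    """Parse the YYMMDDHHMMSSZ timestamps OpenSSL writes to index.txt."""
    return datetime.strptime(text, "%y%m%d%H%M%SZ")


def parse_index(text: str) -> List[Entry]:
    """Turn the raw index.txt text into Entry objects."""
    entries: List[Entry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revocation, serial, _filename, dn = line.split("\t")
        # The DN looks like /C=CN/ST=GD/CN=name: split on "/" then on the first "=".
        subject = dict(part.split("=", 1) for part in dn.split("/") if part)
        entries.append(Entry(status, parse_date(expiry),
                             parse_date(revocation) if revocation else None,
                             serial, subject))
    return entries


def audit(entries: List[Entry], now: datetime) -> Dict[str, object]:
    """Report duplicate CNs, valid entries past expiry, and revoked serials.

    OpenSSL only flips V to E when `openssl ca -updatedb` is run, so a V
    entry whose expiry is in the past is common and is reported here.
    """
    by_cn: Dict[str, List[str]] = {}
    for e in entries:
        by_cn.setdefault(e.cn, []).append(e.serial)
    return {
        "duplicate_cn": {cn: s for cn, s in by_cn.items() if len(s) > 1},
        "expired": [e.serial for e in entries if e.status == "V" and e.expires < now],
        "revoked": [e.serial for e in entries if e.status == "R"],
    }


if __name__ == "__main__":
    for key, value in audit(parse_index(SAMPLE_INDEX), datetime.now()).items():
        print(f"{key}: {value}")
```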
Original poster | Posted on 2019-9-6 10:55:09

II. Deploying OpenVPN

    This deployment of the OpenVPN server uses the latest openvpn 2.3.4, and this package no longer includes the most important part, the certificate-making tool: easy-rsa

    The OpenVPN website states this explicitly: Starting with openvpn-2.3_alpha2 easy-rsa is no longer part of the OpenVPN source or binary packages

    So we need to download easy-rsa in advance; it can be downloaded from GitHub. Its configuration is done in step 3 below. This deployment uses easy-rsa 3, whose operation is completely different from easy-rsa 2.0, so the other easy-rsa 2.0 tutorials on the web do not apply to this deployment.

    Before deploying OpenVPN, it is best to sync the server's time with ntpdate; otherwise the time in the generated certificates will be wrong as well and will cause errors like that "certificate error"!

1. Install lzo

    lzo is a data compression algorithm that focuses on decompression speed

[root@vpn ~]# tar xf lzo-2.08.tar.gz
[root@vpn ~]# cd lzo-2.08
[root@vpn lzo-2.08]# ./configure && make && make install

2. Install OpenVPN

[root@vpn ~]# tar xf openvpn-2.3.4.tar.gz
[root@vpn ~]# cd openvpn-2.3.4
[root@vpn openvpn-2.3.4]# ./configure --with-lzo-headers=/usr/local/include/ --with-lzo-lib=/usr/local/lib
[root@vpn openvpn-2.3.4]# make && make install
[root@vpn openvpn-2.3.4]#
[root@vpn openvpn-2.3.4]# which openvpn
/usr/local/sbin/openvpn      # seeing this means openvpn was installed successfully

3. Configure easy-rsa on the server side

    The openvpn-2.3.4 package does not include the tool for making certificates (CA certificate, server certificate, client certificate), so easy-rsa also has to be downloaded separately; the latest is easy-rsa 3

    Starting with openvpn-2.3_alpha2 easy-rsa is no longer part of the OpenVPN source or binary packages (source: the OpenVPN website)
[root@vpn ~]# unzip easy-rsa-master.zip
[root@vpn ~]# mv easy-rsa-master easy-rsa
[root@vpn ~]# cp -R easy-rsa/ openvpn-2.3.4/
[root@vpn ~]# cd openvpn-2.3.4/easy-rsa/easyrsa3/
[root@vpn easyrsa3]# cp vars.example vars
[root@vpn easyrsa3]# vim vars
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Beijing"
set_var EASYRSA_REQ_CITY "Beijing"
set_var EASYRSA_REQ_ORG "nmshuishui Certificate"
set_var EASYRSA_REQ_EMAIL "353025240@qq.com"
set_var EASYRSA_REQ_OU "My OpenVPN"

4. Create the server certificate and key

(1) Initialize

[root@vpn easyrsa3]# ls
easyrsa  openssl-1.0.cnf  vars  vars.example  x509-types
[root@vpn easyrsa3]#
[root@vpn easyrsa3]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki

(2) Create the root certificate

[root@vpn easyrsa3]# ./easyrsa build-ca

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.............................................+++
........+++
writing new private key to '/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key'
Enter PEM pass phrase:                      # enter a password; this password is used for signing certificates
Verifying - Enter PEM pass phrase:          # confirm the password
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:nmshuishui  # enter a Common Name

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt
(3) Create the server-side certificate

[root@vpn easyrsa3]# ./easyrsa gen-req server nopass

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
................................+++
......+++
writing new private key to '/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:nmshuishui-BJ  # this Common Name must never be the same as the one
                                                                          # used when creating the root certificate; a lesson learned in blood and tears
Keypair and certificate request completed. Your files are:
req: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/server.req
key: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key

(4) Sign the server-side certificate

[root@vpn easyrsa3]# ./easyrsa sign server server

Note: using Easy-RSA configuration from: ./vars


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = nmshuishui


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes        # type yes to continue
Using configuration from /root/openvpn-2.3.4/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key:    # enter the password set when the root certificate was created
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'nmshuishui'
Certificate is to be certified until Aug 21 14:18:49 2024 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt

(5) Create the Diffie-Hellman parameters, the command that makes sure the key can cross an insecure network:

[root@vpn easyrsa3]# ./easyrsa gen-dh

Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..........................................+...................+..........++*++*

DH parameters of size 2048 created at /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem
5. Create the client certificate

(1) Create a client directory under /root

[root@vpn easyrsa3]# cd
[root@vpn ~]# mkdir client
[root@vpn ~]# cp -R easy-rsa/ client/

(2) Initialize

[root@vpn ~]# cd client/easy-rsa/easyrsa3/
[root@vpn easyrsa3]# ls
easyrsa  openssl-1.0.cnf  vars  vars.example  x509-types
[root@vpn easyrsa3]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /root/client/easy-rsa/easyrsa3/pki

(3) Create the client key and generate the certificate

[root@vpn easyrsa3]# ./easyrsa gen-req nmshuishui

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
....................................................+++
..........................................+++
writing new private key to '/root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key'
Enter PEM pass phrase:            # enter a password
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [nmshuishui]:nmshuishui   # enter nmshuishui

Keypair and certificate request completed. Your files are:
req: /root/client/easy-rsa/easyrsa3/pki/reqs/nmshuishui.req
key: /root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key

(4) Import the resulting nmshuishui.req and sign the certificate

[root@vpn ~]# cd openvpn-2.3.4/easy-rsa/easyrsa3/
[root@vpn easyrsa3]#   # import the req
[root@vpn easyrsa3]# ./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/nmshuishui.req nmshuishui

Note: using Easy-RSA configuration from: ./vars

The request has been successfully imported with a short name of: nmshuishui
You may now use this name to perform signing operations on this request.

[root@vpn easyrsa3]#     # sign the certificate
[root@vpn easyrsa3]# ./easyrsa sign client nmshuishui

Note: using Easy-RSA configuration from: ./vars


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 3650 days:

subject=
    commonName                = nmshuishui


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes       # type yes
Using configuration from /root/openvpn-2.3.4/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key:    # enter the password set when the root certificate was created
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'nmshuishui'
Certificate is to be certified until Aug 21 12:49:40 2024 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/nmshuishui.crt   # signed successfully
(5) Files generated on the server and client sides

Server side: the (/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki) folder

/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/server.req
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/qingliu.req
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/qingliu.crt
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem

Client side: (/root/client/easy-rsa)

/root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key
/root/client/easy-rsa/easyrsa3/pki/reqs/nmshuishui.req   # we imported this file into the server-side pki, so it is there as well

(6) Copy the server key, certificate and other files to the openvpn directory

[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt openvpn-2.3.4/
[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key openvpn-2.3.4/
[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt openvpn-2.3.4/
[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem openvpn-2.3.4/

(7) Copy the client key, certificate and other files to the client directory

[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt /root/client
[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/nmshuishui.crt /root/client
[root@vpn ~]# cp /root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key /root/client

(8) Write the configuration file for the server

When openvpn has been installed, it provides a sample server configuration file

/root/openvpn-2.3.4/sample/sample-config-files/server.conf

Copy this sample to the openvpn directory, then configure it

[root@vpn ~]# cp openvpn-2.3.4/sample/sample-config-files/server.conf openvpn-2.3.4/
[root@vpn ~]# vim openvpn-2.3.4/server.conf
local 192.168.1.104    # (your own VPS IP)
port 1194
proto udp
dev tun
ca /root/openvpn-2.3.4/ca.crt
cert /root/openvpn-2.3.4/server.crt
key /root/openvpn-2.3.4/server.key # This file should be kept secret
dh /root/openvpn-2.3.4/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
verb 3

(9) Enable IP forwarding in the system

[root@vpn ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 0  change it to  net.ipv4.ip_forward = 1
[root@vpn ~]# sysctl -p
[root@vpn ~]# sysctl -a | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1

(10) Masquerade the outgoing packets (eth0 is your VPS's external network interface):

/sbin/iptables -t nat -I POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE
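The server.conf above keeps the sample file's 2.3-era defaults. As an added example (not code from the post or from OpenVPN), the following linter parses such a config, lists the hardening directives it lacks, and passes a hardened variant; the ta.key path in the hardened config is an assumption.

```python
"""Lint an OpenVPN 2.3-style server.conf for missing hardening directives.

Added example, not code from the post or from OpenVPN. WEAK_CONF repeats the
directives of the post's server.conf; HARDENED_CONF adds what the linter looks
for. The ta.key path is an assumption (created by `openvpn --genkey --secret`).
"""
import shlex
from typing import Dict, List, Tuple

WEAK_CONF = """\
local 192.168.1.104
port 1194
proto udp
dev tun
ca /root/openvpn-2.3.4/ca.crt
cert /root/openvpn-2.3.4/server.crt
key /root/openvpn-2.3.4/server.key # This file should be kept secret
dh /root/openvpn-2.3.4/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
verb 3
"""

HARDENED_CONF = WEAK_CONF.replace("comp-lzo\n", "") + """\
tls-auth /root/openvpn-2.3.4/ta.key 0
cipher AES-256-CBC
auth SHA256
remote-cert-tls client
user nobody
group nobody
"""

# Directives whose absence leaves a 2.3-era default in place, with the reason.
REQUIRED = {
    "cipher": "not set, so OpenVPN 2.3 uses its default BF-CBC (64-bit block cipher)",
    "auth": "not set, so the data-channel HMAC defaults to SHA1",
    "tls-auth": "not set; control-channel packets carry no HMAC before the TLS handshake",
    "remote-cert-tls": "not set; any CA-issued certificate, server ones included, passes as a client",
    "user": "not set; the daemon keeps running as root after initialisation",
    "group": "not set; the daemon keeps its root group after initialisation",
}
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}


def parse_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the argument lists it appears with; lines starting
    with '#' or ';' are comments, a trailing '# ...' is dropped by shlex, and a
    quoted argument (push "...") stays one token."""
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        lexer = shlex.shlex(line, posix=True)
        lexer.whitespace_split = True  # keep paths like /root/x.key whole
        tokens = list(lexer)
        if tokens:
            conf.setdefault(tokens[0], []).append(tokens[1:])
    return conf


def lint(text: str) -> List[Tuple[str, str]]:
    """Return (directive, problem) pairs; an empty list means no findings."""
    conf = parse_conf(text)
    findings = [(name, why) for name, why in REQUIRED.items() if name not in conf]
    for args in conf.get("cipher", []):
        if args and args[0].upper() in WEAK_CIPHERS:
            findings.append(("cipher", f"{args[0]} is a weak or null cipher"))
    if "comp-lzo" in conf or "compress" in conf:
        findings.append(("comp-lzo", "compression is on; VORACLE-style attacks recover secrets from compressed tunnel traffic"))
    return findings
```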
Original poster | Posted on 2019-9-6 11:00:54

Download the OpenVPN client and configure it

1. Copy the client key, certificate and other files out to Windows for later use

[root@vpn ~]# cd client/
[root@vpn client]# ls
ca.crt  easy-rsa  nmshuishui.crt  nmshuishui.key    # the three files with extensions

2. Install the openvpn-gui tool

(1) Copy D:\Program Files (x86)\OpenVPN\sample-config\client.ovpn to D:\Program Files (x86)\OpenVPN\config

(2) Put the three key and certificate files copied out of Linux under D:\Program Files (x86)\OpenVPN\config