====== OpenVPN Installation and Configuration ======

  * OpenVPN official site: http://openvpn.net/
  * OpenVPN GUI for Windows official site: http://openvpn.se/

Alternative: **[[tech/n2nvpn|n2n VPN]]**

===== - Server side =====

  * CentOS 6.0 x86_64 + EPEL

==== - Download and install the latest OpenVPN and related libraries ====

<code>
su - root
rpm -ivh http://download.fedora.redhat.com/pub/epel/6/x86_64/epel-release-6-5.noarch.rpm
yum install kernel-devel openssl-devel gcc rpm-build
yum install lzo-devel pam-devel pkcs11-helper-devel openvpn
</code>

==== - Set up the virtual interface tun0 ====

<code>
mknod /dev/net/tun c 10 200
modprobe tun
echo 1 > /proc/sys/net/ipv4/ip_forward
</code>

Make IP forwarding persistent across reboots in /etc/sysctl.conf:

<code>
vi /etc/sysctl.conf
  :
  # Controls IP packet forwarding
  net.ipv4.ip_forward = 1
  :
</code>

==== - Prepare the certificate files ====

  * Root CA

<code>
cd /usr/share/openvpn/easy-rsa/2.0/
. ./vars
./clean-all
./build-ca
</code>

<code>
[root@rs100 2.0]# ./build-ca
Generating a 1024 bit RSA private key
..............++++++
..................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:TW
State or Province Name (full name) [CA]:TW
Locality Name (eg, city) [SanFrancisco]:Taipei
Organization Name (eg, company) [Fort-Funston]:III
Organizational Unit Name (eg, section) []:IDEAS
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:rs100
Name []:
Email Address [me@myhost.mydomain]:jonathan@iii.org.tw
</code>

  * Server certificate

<code>
./build-key-server server
</code>

<code>
[root@rs100 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
................++++++
..........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:TW
State or Province Name (full name) [CA]:TW
Locality Name (eg, city) [SanFrancisco]:Taipei
Organization Name (eg, company) [Fort-Funston]:III
Organizational Unit Name (eg, section) []:IDEAS
Common Name (eg, your name or your server's hostname) [server]:server-rs100
Name []:
Email Address [me@myhost.mydomain]:jonathan@iii.org.tw

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'TW'
stateOrProvinceName   :PRINTABLE:'TW'
localityName          :PRINTABLE:'Taipei'
organizationName      :PRINTABLE:'III'
organizationalUnitName:PRINTABLE:'IDEAS'
commonName            :PRINTABLE:'server-rs100'
emailAddress          :IA5STRING:'jonathan@iii.org.tw'
Certificate is to be certified until Aug 16 03:25:10 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
</code>

  * Client certificates (one per client)

<code>
./build-key client1
  :
  :
./build-key clientn
</code>

<code>
[root@rs100 2.0]# ./build-key client1
Generating a 1024 bit RSA private key
....................................++++++
.......++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:TW
State or Province Name (full name) [CA]:TW
Locality Name (eg, city) [SanFrancisco]:Taipei
Organization Name (eg, company) [Fort-Funston]:IDEAS
Organizational Unit Name (eg, section) []:^C
[root@rs100 2.0]# ./build-key client1
Generating a 1024 bit RSA private key
............++++++
..++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:TW
State or Province Name (full name) [CA]:TW
Locality Name (eg, city) [SanFrancisco]:Taipei
Organization Name (eg, company) [Fort-Funston]:III
Organizational Unit Name (eg, section) []:IDEAS
Common Name (eg, your name or your server's hostname) [client1]:Jonathan Tsai
Name []:
Email Address [me@myhost.mydomain]:jonathan@iii.org.tw

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'TW'
stateOrProvinceName   :PRINTABLE:'TW'
localityName          :PRINTABLE:'Taipei'
organizationName      :PRINTABLE:'III'
organizationalUnitName:PRINTABLE:'IDEAS'
commonName            :PRINTABLE:'Jonathan Tsai'
emailAddress          :IA5STRING:'jonathan@iii.org.tw'
Certificate is to be certified until Aug 16 03:27:58 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
</code>

  * Generate the Diffie-Hellman parameters

<code>
./build-dh
</code>

<code>
[root@rs100 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
</code>

  * All generated key files are stored in /usr/share/openvpn/easy-rsa/2.0/keys/

==== - Configure and start the server ====

<code>
cd /etc/openvpn
cp /usr/share/doc/openvpn-2.1.4/sample-config-files/server.conf /etc/openvpn/
vi server.conf
cd /etc/openvpn
cp /usr/share/openvpn/easy-rsa/2.0/keys/dh1024.pem .
cp /usr/share/openvpn/easy-rsa/2.0/keys/server.crt .
cp /usr/share/openvpn/easy-rsa/2.0/keys/server.key .
cp /usr/share/openvpn/easy-rsa/2.0/keys/ca.crt .
service openvpn start
</code>

===== References =====

  * http://www.openvpn.net/index.php/open-source/documentation/howto.html#install
  * http://www.openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html

{{tag>openvpn vpn ssl draft}}
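The "Configure and start the server" step above copies the easy-rsa output into /etc/openvpn and starts the service without checking it. The following script is an added example, not part of the original page or of OpenVPN/easy-rsa: it checks the copied files before `service openvpn start`, verifying that server.crt chains to ca.crt, that server.key matches server.crt, that the CA private key (ca.key) was not copied along, that server.key is readable only by its owner, and warns when the key is shorter than 2048 bits (easy-rsa 2.0 defaults to 1024 bits, as the sessions above show). The function name and the check directory are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check an OpenVPN server
# PKI directory laid out with the easy-rsa 2.0 file names used on this page.
set -u

# check_openvpn_pki DIR  -> exit status 0 if DIR is usable, 1 otherwise.
check_openvpn_pki() {
    dir=$1
    rc=0
    for f in ca.crt server.crt server.key dh1024.pem; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    # The CA private key must never be deployed next to the server config:
    # whoever reads it can issue client certificates the server will accept.
    if [ -e "$dir/ca.key" ]; then echo "ca.key must not be in $dir"; rc=1; fi
    # server.key is secret; only its owner (root) should be able to read it.
    mode=$(stat -c %a "$dir/server.key" 2>/dev/null || stat -f %Lp "$dir/server.key")
    case "$mode" in
        600|400) ;;
        *) echo "server.key mode is $mode, want 600"; rc=1 ;;
    esac
    if command -v openssl >/dev/null 2>&1; then
        # server.crt must chain to ca.crt, or clients will reject the server.
        openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 \
            || { echo "server.crt is not signed by ca.crt"; rc=1; }
        # The private key must belong to the certificate being served.
        a=$(openssl x509 -noout -modulus -in "$dir/server.crt" 2>/dev/null)
        b=$(openssl rsa -noout -modulus -in "$dir/server.key" 2>/dev/null)
        [ -n "$a" ] && [ "$a" = "$b" ] \
            || { echo "server.key does not match server.crt"; rc=1; }
        # Warn (without failing) about the 1024-bit keys easy-rsa 2.0 defaults to.
        bits=$(openssl rsa -noout -text -in "$dir/server.key" 2>/dev/null \
               | sed -n 's/.*(\([0-9]*\) bit.*/\1/p' | head -n 1)
        [ "${bits:-0}" -ge 2048 ] || echo "warning: server key is ${bits:-?} bits"
    fi
    return $rc
}

# Usage: check_openvpn_pki /etc/openvpn && service openvpn start
```

Run it as root against /etc/openvpn after the cp commands; a non-zero exit means the service should not be started until the reported problem is fixed.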