su - root
rpm -ivh http://download.fedora.redhat.com/pub/epel/6/x86_64/epel-release-6-5.noarch.rpm
yum install kernel-devel openssl-devel gcc rpm-build
yum install lzo-devel pam-devel pkcs11-helper-devel openvpn
mknod /dev/net/tun c 10 200
modprobe tun
echo 1 > /proc/sys/net/ipv4/ip_forward
vi /etc/sysctl.conf
:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
:
Root CA
(vars in easy-rsa 2.0 ships with KEY_SIZE=1024, which is why every key below is 1024-bit and the DH file ends up named dh1024.pem; raise it to 2048 in vars before sourcing it, after which build-dh writes dh2048.pem. ./clean-all wipes the keys/ directory, so run it only once when starting a fresh CA.)
cd /usr/share/openvpn/easy-rsa/2.0/
. ./vars
./clean-all
./build-ca
[root@rs100 2.0]# ./build-ca
Generating a 1024 bit RSA private key
..............++++++
..................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:TW
State or Province Name (full name) [CA]:TW
Locality Name (eg, city) [SanFrancisco]:Taipei
Organization Name (eg, company) [Fort-Funston]:III
Organizational Unit Name (eg, section) []:IDEAS
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:rs100
Name []:
Email Address [me@myhost.mydomain]:jonathan@iii.org.tw
Server certificate (signed by the CA above; build-key-server adds the server extensions the client later checks)
./build-key-server server
[root@rs100 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
................++++++
..........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:TW
State or Province Name (full name) [CA]:TW
Locality Name (eg, city) [SanFrancisco]:Taipei
Organization Name (eg, company) [Fort-Funston]:III
Organizational Unit Name (eg, section) []:IDEAS
Common Name (eg, your name or your server's hostname) [server]:server-rs100
Name []:
Email Address [me@myhost.mydomain]:jonathan@iii.org.tw
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'TW'
stateOrProvinceName :PRINTABLE:'TW'
localityName :PRINTABLE:'Taipei'
organizationName :PRINTABLE:'III'
organizationalUnitName:PRINTABLE:'IDEAS'
commonName :PRINTABLE:'server-rs100'
emailAddress :IA5STRING:'jonathan@iii.org.tw'
Certificate is to be certified until Aug 16 03:25:10 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Client certificates (one per client, each signed by the same CA)
./build-key client1
:
:
./build-key clientn
[root@rs100 2.0]# ./build-key client1
Generating a 1024 bit RSA private key
....................................++++++
.......++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:TW
State or Province Name (full name) [CA]:TW
Locality Name (eg, city) [SanFrancisco]:Taipei
Organization Name (eg, company) [Fort-Funston]:IDEAS
Organizational Unit Name (eg, section) []:^C
[root@rs100 2.0]# ./build-key client1
Generating a 1024 bit RSA private key
............++++++
..++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:TW
State or Province Name (full name) [CA]:TW
Locality Name (eg, city) [SanFrancisco]:Taipei
Organization Name (eg, company) [Fort-Funston]:III
Organizational Unit Name (eg, section) []:IDEAS
Common Name (eg, your name or your server's hostname) [client1]:Jonathan Tsai
Name []:
Email Address [me@myhost.mydomain]:jonathan@iii.org.tw
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'TW'
stateOrProvinceName :PRINTABLE:'TW'
localityName :PRINTABLE:'Taipei'
organizationName :PRINTABLE:'III'
organizationalUnitName:PRINTABLE:'IDEAS'
commonName :PRINTABLE:'Jonathan Tsai'
emailAddress :IA5STRING:'jonathan@iii.org.tw'
Certificate is to be certified until Aug 16 03:27:58 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate Diffie-Hellman parameters
./build-dh
[root@rs100 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.....+.....+.....+.....++*++*++*   (several thousand progress characters trimmed)
All generated key files are stored in
/usr/share/openvpn/easy-rsa/2.0/keys/
cd /etc/openvpn
cp /usr/share/doc/openvpn-2.1.4/sample-config-files/server.conf /etc/openvpn/
vi server.conf
cd /etc/openvpn
cp /usr/share/openvpn/easy-rsa/2.0/keys/dh1024.pem .
cp /usr/share/openvpn/easy-rsa/2.0/keys/server.crt .
cp /usr/share/openvpn/easy-rsa/2.0/keys/server.key .
cp /usr/share/openvpn/easy-rsa/2.0/keys/ca.crt .
service openvpn start
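The post leaves "vi server.conf" to the reader and starts the daemon straight after copying the keys. The script below is an added example, not code from the original post or the OpenVPN project: it writes a hardened server.conf for the /etc/openvpn layout used above (ca.crt, server.crt, server.key and dh1024.pem copied from easy-rsa's keys/), then checks the directory the way a reviewer would before "service openvpn start". It also carries a small helper for the certificate-building steps earlier on the page, which verifies each issued certificate against ca.crt and prints its key size. The paths, the 10.8.0.0/24 pool and the ta.key file name are assumptions; the directives are standard OpenVPN 2.1 options. If KEY_SIZE was raised to 2048 in vars, change the dh line to dh2048.pem.

```shell
#!/bin/sh
# Added example, not code from the original post: writes a hardened server.conf
# for the /etc/openvpn layout used above (ca.crt, server.crt, server.key and
# dh1024.pem copied from easy-rsa's keys/) and checks the directory before
# "service openvpn start". Paths are assumptions; the directives are standard
# OpenVPN 2.1 options.

# write_server_conf DIR: write DIR/server.conf (overwrites an existing one).
write_server_conf() {
    cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun
# Material produced by easy-rsa and copied into this directory.
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
# HMAC "firewall": packets not authenticated under the shared ta.key are
# dropped before any TLS processing. Create it once with
#   openvpn --genkey --secret ta.key
# and give each client a copy (clients use "tls-auth ta.key 1").
tls-auth ta.key 0
cipher AES-256-CBC
server 10.8.0.0 255.255.255.0
keepalive 10 120
# Read the keys and open the tun device as root, then drop privileges for the
# life of the process; persist-* keep key and tun usable across restarts.
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
}

# check_openvpn_dir DIR: each file named by ca/cert/key/dh/tls-auth in
# DIR/server.conf must exist; private key material (key, tls-auth) must not be
# group/world readable; ca.key must not be present at all (the server only
# needs ca.crt, the CA private key stays on the signing host). Returns 0 when
# everything passes, 1 otherwise, printing each finding.
check_openvpn_dir() {
    dir=$1
    conf=$dir/server.conf
    ok=0
    if [ ! -f "$conf" ]; then
        echo "missing $conf"
        return 1
    fi
    for directive in ca cert key dh tls-auth; do
        # Second column of the directive line; empty if the directive is absent.
        file=$(awk -v d="$directive" '$1 == d { print $2 }' "$conf")
        if [ -z "$file" ]; then
            echo "server.conf has no '$directive' directive"
            ok=1
            continue
        fi
        case $file in              # relative names resolve against DIR
            /*) path=$file ;;
            *)  path=$dir/$file ;;
        esac
        if [ ! -f "$path" ]; then
            echo "$directive -> $path does not exist"
            ok=1
            continue
        fi
        case $directive in
            key|tls-auth)
                # Columns 5-10 of "ls -ld" are the group/other mode bits.
                if [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
                    echo "$path is readable by group/other; chmod 600 it"
                    ok=1
                fi ;;
        esac
    done
    if [ -e "$dir/ca.key" ]; then
        echo "ca.key found in $dir: the CA private key does not belong on the VPN server"
        ok=1
    fi
    return $ok
}

# verify_issued_certs KEYS_DIR NAME...: confirm each NAME.crt chains to ca.crt
# and show its public key size, so a 1024-bit certificate is noticed before it
# is copied into place. Needs the openssl binary (not exercised by the test).
verify_issued_certs() {
    keys=$1; shift
    for name in "$@"; do
        openssl verify -CAfile "$keys/ca.crt" "$keys/$name.crt" || return 1
        openssl x509 -in "$keys/$name.crt" -noout -text | grep -i 'public.key'
    done
}
```

Usage on the box from the post: source the file, run verify_issued_certs /usr/share/openvpn/easy-rsa/2.0/keys server client1 after the build-key steps, then after the cp commands run write_server_conf /etc/openvpn, openvpn --genkey --secret /etc/openvpn/ta.key, chmod 600 /etc/openvpn/server.key /etc/openvpn/ta.key, and check_openvpn_dir /etc/openvpn; only start the service once the check returns 0.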