Notes on setting up an OpenVPN server and client


Change log

2012-07-03 Created

I. Environment

Server: CentOS release 5.5, 32-bit; OpenVPN 2.1.3

Client: Ubuntu 12.04 LTS, 32-bit; OpenVPN 2.2.1

II. Preparation

Kernel: TUN/TAP support must be available.

Supporting packages:

yum install openssl-devel

Download LZO from http://www.oberhumer.com/opensource/lzo/ and build it:

./configure && make && make install

Download OpenVPN from http://openvpn.net/release/ and build it the same way:

./configure && make && make install

III. Server configuration

The heart of authentication is managing the SSL certificates of the server and of each client. If the administrator has no existing certificate issuance process, the easy-rsa scripts shipped with OpenVPN can do all of the work.

1. Edit the variables in the vars file

[root@localhost openvpn-2.1.3]# cd easy-rsa/2.0/
[root@localhost 2.0]# grep -v "#" vars

export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG="$EASY_RSA/openssl.cnf"
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=1024
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SH"
export KEY_CITY="PD"
export KEY_ORG="Earth"
export KEY_EMAIL="**@**.com"

KEY_SIZE=1024 is the easy-rsa 2.0 default and is too small for keys meant to last ten years; set KEY_SIZE=2048 before running build-ca, since the CA and every certificate it issues inherit this size.

[root@localhost 2.0]# source vars

NOTE: when you run ./clean-all, I will be doing a rm -rf on /usr/src/openvpn-2.0.9/easy-rsa/keys

As the message says, ./clean-all wipes every certificate in the key directory, the CA included.

2. clean-all

Run the clean-all script to wipe every certificate, CA included, then create the CA certificate.

[root@localhost 2.0]# ./clean-all   # wipe old certificates first, then create new ones
[root@localhost 2.0]# ./build-ca    # create the CA certificate

Generating a 1024 bit RSA private key
..........++++++
...............++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:   # server hostname
Email Address [**@**.com]:

3. Create the server key

[root@localhost 2.0]# ./build-key-server server

Generating a 1024 bit RSA private key
........................................++++++
....++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [SH]:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [Server]:  # server hostname
Email Address [**@**.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Check that the request matches the signature
Signature ok
...
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

4. Create the client key

[root@localhost 2.0]# ./build-key client

Generating a 1024 bit RSA private key
.....++++++
.....................++++++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
...
Common Name (eg, your name or your server's hostname) []:client  # every client must get a different Common Name
Email Address [**@**.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
...
Certificate is to be certified until Jul 16 05:52:27 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Repeat build-key once per client, each with its own Common Name. Two clients sharing a Common Name cannot be connected at the same time (OpenVPN drops the earlier session unless duplicate-cn is set), and a shared certificate cannot be revoked for one user without locking out the others.

5. build-dh

Create the Diffie-Hellman parameter file:

[root@localhost 2.0]# ./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...+.......+.....+.........................+....................+.....+..............++++++*

6. Generate the tls-auth key

The tls-auth key adds an HMAC check to every TLS control-channel packet, so packets that do not carry the right HMAC are dropped before the handshake even starts. If you use it, both the server and every client must have the same key file.

[root@localhost 2.0]# openvpn --genkey --secret keys/ta.key
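After steps 2 to 6 the easy-rsa keys/ directory holds not only the certificates but also index.txt, OpenSSL's CA database, which is the only record of which client certificates exist, which have been revoked and when they expire. The following audit script is an added example, not code from the original post or from easy-rsa itself; it reads index.txt with awk, flags Common Names issued twice (the mistake step 4 warns against), lists certificates expiring before a cutoff, and finds private keys that are readable by anyone but their owner. The index.txt it writes is constructed sample data with placeholder subjects, not a real CA database.

```shell
#!/bin/sh
# ca_audit.sh: audit the easy-rsa 2.0 CA database (keys/index.txt) and the
# private keys beside it. Added example; not code from the original post.
# index.txt is OpenSSL's CA text database, one tab-separated line per issued
# certificate: status (V valid, R revoked, E expired), expiry (YYMMDDHHMMSSZ),
# revocation date, serial, filename, subject DN.

# Print one tab-separated "status serial CN expiry" line per entry.
ca_entries() {
    awk -F'\t' 'BEGIN { OFS = "\t" }
        { cn = "?"
          if (match($6, "CN=[^/]*")) cn = substr($6, RSTART + 3, RLENGTH - 3)
          print $1, $4, cn, $2 }' "$1"
}

# CNs of currently valid (V) certificates, in issue order.
ca_valid_cns() {
    ca_entries "$1" | awk -F'\t' '$1 == "V" { print $3 }'
}

# CNs carried by more than one valid certificate. OpenVPN drops the earlier
# session when a second client connects with the same CN (unless duplicate-cn
# is set), so a reused CN is a provisioning mistake, not a convenience.
ca_dup_cns() {
    ca_valid_cns "$1" | sort | uniq -d
}

# Valid certificates expiring before CUTOFF, given in index.txt's own
# YYMMDDHHMMSSZ format so a plain string comparison is enough within a century.
ca_expiring_before() {
    ca_entries "$1" | awk -F'\t' -v cutoff="$2" '$1 == "V" && $4 < cutoff { print $3 }'
}

# Private keys readable or writable by group or others. easy-rsa creates
# keys/ as 0700 and *.key as 0600; a cp or scp without -p silently loses that.
keys_world_readable() {
    find "$1" -type f -name '*.key' \
        \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) -print
}

# Constructed sample database (no real certificates behind it): a server
# certificate, a client, a revoked laptop, and a second, short-lived
# certificate issued for the already used CN "client".
write_sample_index() {
    dn='/C=CN/ST=SH/L=PD/O=Earth'
    {
        printf 'V\t210716055227Z\t\t01\tunknown\t%s/CN=server/emailAddress=admin@example.invalid\n' "$dn"
        printf 'V\t210716055227Z\t\t02\tunknown\t%s/CN=client/emailAddress=admin@example.invalid\n' "$dn"
        printf 'R\t210716055227Z\t120801120000Z\t03\tunknown\t%s/CN=laptop/emailAddress=admin@example.invalid\n' "$dn"
        printf 'V\t121231235959Z\t\t04\tunknown\t%s/CN=client/emailAddress=admin@example.invalid\n' "$dn"
    } > "$1"
}

# Stand-alone demo against the constructed database.
demo=$(mktemp -d)
write_sample_index "$demo/index.txt"
echo "valid CNs:";            ca_valid_cns "$demo/index.txt"
echo "duplicate CNs:";        ca_dup_cns "$demo/index.txt"
echo "expiring before 2013:"; ca_expiring_before "$demo/index.txt" 130101000000Z
rm -rf "$demo"
```

Point the functions at the real easy-rsa directory (for example ca_dup_cns keys/index.txt and keys_world_readable /etc/openvpn/keys) before copying anything to the server; a revoked entry (R) in index.txt only takes effect once a CRL is generated and the server is told about it with crl-verify.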

7. Set up the /etc/openvpn directory and copy the keys

OpenVPN's configuration directory is /etc/openvpn; the server configuration file will be /etc/openvpn/server.conf. OpenVPN is an SSL VPN, so the material in keys/ is what it needs to run.

[root@localhost 2.0]# mkdir -p /etc/openvpn
[root@localhost 2.0]# cp -p sample-config-files/server.conf /etc/openvpn/   # copy the sample config to /etc/openvpn/; it is edited below
[root@localhost 2.0]# cp -rp keys/ /etc/openvpn/    # copy the certificate files to /etc/openvpn/

Copying the whole keys/ directory also puts ca.key, the CA's private key, on the VPN server. The server only needs ca.crt, server.crt, server.key, dh1024.pem and ta.key; keep ca.key and the client keys off the server, because anyone who obtains ca.key can issue certificates this server will accept.

8. Edit server.conf

[root@dic172 openvpn]# grep -v "#" server.conf

local 192.168.161.172              # IP address the server listens on
port 1194                          # listen on port 1194
proto tcp                          # use TCP
dev tun                            # use a tun device
ca keys/ca.crt                     # path to the CA certificate
cert keys/server.crt
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0      # address pool handed to clients that dial in
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"     # DNS server handed to clients
push "dhcp-option DNS 8.8.4.4"     # secondary DNS handed to clients
;tls-auth /etc/openvpn/keys/ta.key 0
keepalive 10 120
comp-lzo
max-clients 10
persist-key
persist-tun
status openvpn-status.log
verb 6

Three things to check in this listing. The server's private key line, "key keys/server.key", does not appear because grep -v "#" drops it (in the sample file that line carries the trailing comment "# This file should be kept secret"), but it must be present or the server will not start. The tls-auth line is still disabled by the leading ";", while the client configuration in section IV enables tls-auth with direction 1; either enable it here with direction 0 or remove it from the client, otherwise the handshake fails. Finally, verb 6 is a debugging level; verb 3 is enough once the tunnel works.

9. Network configuration

Enable IP forwarding:

[root@dic172 openvpn]# vi /etc/sysctl.conf

net.ipv4.ip_forward = 1

[root@dic172 openvpn]# sysctl -p

or

[root@dic172 openvpn]# echo "1" > /proc/sys/net/ipv4/ip_forward

Open port 1194:

[root@dic172 openvpn]# iptables -A INPUT -p udp --dport 1194 -j ACCEPT

This rule opens UDP, whereas the server.conf listed in step 8 says proto tcp; the rule must use the same protocol the server actually listens on, or clients will never reach it.

Finally, masquerade the VPN address pool on the way out. This source-NATs packets from 10.8.0.0/24 to the address of venet0 (the network interface of an OpenVZ VPS; on an ordinary host this would be eth0), which is what lets clients that received the redirect-gateway push reach the Internet through the server:

[root@dic172 openvpn]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE

10. Starting and maintaining the service

[root@localhost 2.0]# cp -p sample-scripts/openvpn.init /etc/init.d/openvpn
[root@localhost 2.0]# chkconfig --add openvpn
[root@localhost 2.0]# service openvpn status  # check the service state

openvpn: service not started

[root@localhost 2.0]# chkconfig --level 235 openvpn on
[root@localhost 2.0]# chkconfig --list openvpn
openvpn         0:off   1:off   2:on    3:on    4:on    5:on    6:off

Start OpenVPN:

[root@dic172 openvpn]# service openvpn start

Starting openvpn: [  OK  ]

[root@dic172 openvpn]# netstat -anp | grep :1194

udp  0  0 192.168.161.172:1194  0.0.0.0:*  25162/openvpn

Note that this shows a UDP listener, which matches the UDP firewall rule in step 9 but not the "proto tcp" in the server.conf listing in step 8. Whichever transport is used, server.conf, the client configuration and the iptables rule must all agree on it.

IV. Client configuration

For installation see the references.

The client.cnf configuration file is as follows:

client
dev tun
proto tcp                              # must match proto on the server
remote xxxxx.xxx.xxxx 1194             # server hostname and port
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/xxxxxx.crt      # this client's own certificate
key /etc/openvpn/keys/xxxxxxx.key      # and its private key
tls-auth /etc/openvpn/keys/ta.key 1    # needs "tls-auth ... 0" enabled on the server
comp-lzo
verb 6

Start command:

openvpn --config /etc/openvpn/client.cnf &

Backgrounding with a trailing & is fine for a test; for regular use start it with --daemon or through the distribution's init script. Copy only this client's certificate and key, ca.crt and ta.key to the client machine, never ca.key.
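The two configurations on this page do not agree with each other: the server has tls-auth commented out while the client enables it, the server's key line is hidden by grep, and the transport in server.conf differs from the firewall rule. The checker below is an added example, not code from the original post or from OpenVPN; it reads a server and a client configuration with awk and reports those mismatches before either side is started. The two sample files it writes are constructed from the configs shown in this post, with the server's key line restored and a placeholder hostname.

```shell
#!/bin/sh
# ovpn_check.sh: cross-check an OpenVPN server.conf against a client config
# before starting either side. Added example; not code from the original post.
# Hostnames and paths in the constructed samples are placeholders.

# Print the value of the first active DIRECTIVE in FILE. Lines starting with
# '#' or ';' are comments and are skipped, so ";tls-auth ..." does not count.
ovpn_get() {
    awk -v d="$2" '
        /^[ \t]*[#;]/ { next }
        $1 == d { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Exit 0 if FILE has an active DIRECTIVE (with or without a value).
ovpn_has() {
    awk -v d="$2" '
        /^[ \t]*[#;]/ { next }
        $1 == d { found = 1; exit }
        END { exit !found }' "$1"
}

# ovpn_check SERVER_CONF CLIENT_CONF: one MISMATCH:/MISSING: line per problem,
# exit status 1 if any were found.
ovpn_check() {
    srv="$1"; cli="$2"; rc=0

    # Transport must agree; OpenVPN defaults to udp when proto is absent.
    s_proto=$(ovpn_get "$srv" proto); c_proto=$(ovpn_get "$cli" proto)
    [ "${s_proto:-udp}" = "${c_proto:-udp}" ] ||
        { echo "MISMATCH: proto server=${s_proto:-udp} client=${c_proto:-udp}"; rc=1; }

    # The client's "remote host port" must name the server's port (default 1194).
    s_port=$(ovpn_get "$srv" port)
    c_port=$(ovpn_get "$cli" remote | awk '{ print $2 }')
    [ "${s_port:-1194}" = "${c_port:-1194}" ] ||
        { echo "MISMATCH: port server=${s_port:-1194} client=${c_port:-1194}"; rc=1; }

    # tls-auth: both sides or neither, with key direction 0 on the server and
    # 1 on the client. A one-sided ta.key shows up only as TLS handshake errors.
    s_ta=$(ovpn_get "$srv" tls-auth); c_ta=$(ovpn_get "$cli" tls-auth)
    case "${s_ta:+y}${c_ta:+y}" in
        y)  echo "MISMATCH: tls-auth configured on only one side"; rc=1 ;;
        yy) s_dir=$(echo "$s_ta" | awk '{ print $2 }')
            c_dir=$(echo "$c_ta" | awk '{ print $2 }')
            [ "$s_dir" = 0 ] && [ "$c_dir" = 1 ] ||
                { echo "MISMATCH: tls-auth direction server=$s_dir client=$c_dir (want 0/1)"; rc=1; }
            ;;
    esac

    # comp-lzo must be set on both sides or neither (unless the server pushes it).
    if ovpn_has "$srv" comp-lzo; then a=1; else a=0; fi
    if ovpn_has "$cli" comp-lzo; then b=1; else b=0; fi
    [ "$a" = "$b" ] || { echo "MISMATCH: comp-lzo on only one side"; rc=1; }

    # Files each side cannot start without. The server's "key" line is the one
    # that grep -v "#" hides, because the sample puts a trailing comment on it.
    for d in ca cert key dh; do
        ovpn_has "$srv" "$d" || { echo "MISSING: server $d"; rc=1; }
    done
    for d in ca cert key; do
        ovpn_has "$cli" "$d" || { echo "MISSING: client $d"; rc=1; }
    done
    return $rc
}

# Constructed samples mirroring the two configs in this post, with the server's
# key line restored; tls-auth is still commented out on the server only.
write_samples() {
    cat > "$1/server.conf" <<'EOF'
local 192.168.161.172
port 1194
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key  # This file should be kept secret
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
;tls-auth /etc/openvpn/keys/ta.key 0
keepalive 10 120
comp-lzo
persist-key
persist-tun
EOF
    cat > "$1/client.cnf" <<'EOF'
client
dev tun
proto tcp
remote vpn.example.invalid 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client.crt
key /etc/openvpn/keys/client.key
tls-auth /etc/openvpn/keys/ta.key 1
comp-lzo
EOF
}

# Stand-alone demo: the post's two configs disagree on tls-auth.
demo=$(mktemp -d)
write_samples "$demo"
ovpn_check "$demo/server.conf" "$demo/client.cnf" || echo "fix the above before starting openvpn"
rm -rf "$demo"
```

Run it as ovpn_check /etc/openvpn/server.conf client.cnf on the server before handing the client file out; it only reads the files, so it is safe to run on a live system. It deliberately does not look at the firewall, so the proto it reports as agreed must still be the one used in the iptables rule of step 9.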

V. Common errors

See reference 4.

VI. References

  1. Linux为企业搭建稳固的SSL VPN服务 (Building a solid SSL VPN service for the enterprise on Linux)
  2. 实践出真知 布署openvpn环境应注意的事 (Lessons from practice: points to watch when deploying an OpenVPN environment)
  3. RAMHOST的VPS小攻略之SSH和OpenVPN安装配置 (RAMHOST VPS mini-guide: installing and configuring SSH and OpenVPN)
  4. OpenVPN: TLS Error: reading acknowledgement record from packet
  5. http://www.f15ijp.com/tag/openvpn/
Written on July 3, 2012