whechuan00 2012-05-12
So, I have recently been doing my graduation project at school, and the ChinaNet connection in the dorm got blocked by the school, which says you have to register before you can use it. When I tried it out myself, I found that after logging in successfully, web pages were still reachable for a few dozen seconds, after which they could no longer be opened and the browser showed "connection reset" (sounds like a certain wall, doesn't it?), while QQ and the like kept working normally, and TCP connections that were already established were not interrupted. So I figured the server side was attacking the TCP three-way handshake, which is what prevented normal web access. I remembered that the common VPN dial-up methods are PPTP, L2TP and OpenVPN, and that the latter two support UDP as the underlying transport. On Linux, the open-source community's OpenVPN is naturally the obvious choice.
Setting up OpenVPN consists roughly of two parts: the OpenVPN service on the server, and the OpenVPN client software. We start with the server side, on Ubuntu 10.04 LTS.
Log in as root first; if the root account is not enabled, switch to root temporarily with sudo:
sudo -i
Install openvpn and the related packages from the repositories:
apt-get install openvpn udev lzop -y
After installation, copy the easy-rsa certificate tooling into place, enter its directory and source vars, which exports the KEY_* defaults (country, province, organization, key size and so on) that the build scripts read. easy-rsa 2.0 sets KEY_SIZE to 1024 by default, which is why the output below shows 1024-bit keys; raise it to 2048 in vars before sourcing it, since 1024-bit RSA is no longer considered adequate:
cp -r /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
source vars
Wipe any existing certificates first (this empties the keys directory and initializes a fresh index.txt and serial, so run it only when starting a new PKI):
./clean-all
Create the CA root certificate:
# ./build-ca
Generating a 1024 bit RSA private key
................++++++
........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:soa
Common Name (eg, your name or your server's hostname) []:starlight36.com
Email Address [your-email [at] starlight36.com]:
Create the server key and certificate:
# ./build-key-server server
Generating a 1024 bit RSA private key
......++++++
....................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [LN]:
Locality Name (eg, city) [DL]:
Organization Name (eg, company) [starlight36.com]:
Organizational Unit Name (eg, section) []:starlight36.com
Common Name (eg, your name or your server's hostname) []:server
Email Address [your-email [at] starlight36.com]:
... ...
Create the client key and certificate:
# ./build-key client
Generating a 1024 bit RSA private key
......++++++
....................++++++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [LN]:
Locality Name (eg, city) [DL]:
Organization Name (eg, company) [starlight36.com]:
Organizational Unit Name (eg, section) []:starlight36.com
Common Name (eg, your name or your server's hostname) []:client
Email Address [your-email [at] starlight36.com]:
... ...
The process is the same as for the server key, but note that the Common Name (eg, your name or your server's hostname) must be different for every client key, and must also differ from the server key's, otherwise generation fails. The reason is that easy-rsa keeps its OpenSSL CA database (keys/index.txt) with unique_subject enabled, and since vars fixes all the other subject fields, two certificates with the same Common Name would have an identical subject; the second signing request is then rejected with the familiar "TXT_DB error number 2". Only live (valid) entries are checked, so the Common Name of a revoked certificate can be reused.
Generate the Diffie-Hellman parameters (build-dh writes keys/dh1024.pem, or dh2048.pem if you raised KEY_SIZE, and can take several minutes):
./build-dh
Server-side certificate setup is now complete. Everything was written to /etc/openvpn/easy-rsa/2.0/keys/. Download the three files ca.crt, client.crt and client.key from there; the client needs them to connect. client.key is a secret, so move it over an authenticated channel such as scp rather than plain FTP or HTTP, and ca.key stays on the server only: anyone holding it can issue certificates that your VPN will accept.
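As an added example that is not part of the original post, the whole key-generation procedure above collapsed into one script: it drives easy-rsa 2.0's pkitool in batch mode (build-ca, build-key-server and build-key are thin interactive wrappers around it), enforces the unique-Common-Name rule explicitly by parsing keys/index.txt instead of letting OpenSSL fail late, and sanity-checks a client certificate with openssl. Assumptions of my own: easy-rsa lives at /etc/openvpn/easy-rsa/2.0 as copied above, the function names are mine, and the index.txt contents in constructed_index are made up for the demo, not data from the post.

```shell
#!/bin/sh
# Added example: non-interactive version of the easy-rsa 2.0 procedure above,
# plus the Common-Name check that the interactive scripts only reveal as
# "TXT_DB error number 2". Function names and sample data are this example's
# own, not the original post's.

EASYRSA_DIR=/etc/openvpn/easy-rsa/2.0   # path used in the post (assumption)

# cn_in_use INDEX CN -> exit 0 if CN already belongs to a valid (status V)
# entry of the OpenSSL CA database keys/index.txt, 1 otherwise.
# With unique_subject = yes (easy-rsa's default) OpenSSL refuses to sign a
# request whose whole subject matches a V entry; vars fixes every other
# field, so the CN is the only field that can make the subject unique.
# Revoked (R) and expired (E) entries are not indexed, so their CNs are free.
cn_in_use() {
    awk -F'\t' -v cn="$2" '
        $1 == "V" {
            n = split($6, part, "/")
            for (i = 1; i <= n; i++)
                if (part[i] == "CN=" cn) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# verify_client_cert CA.CRT CLIENT.CRT -> 0 if the client cert chains to the
# CA and does NOT carry nsCertType=server (a client cert marked as a server
# could impersonate the server to peers that check "ns-cert-type server").
# Output is grepped because OpenSSL 0.9.8 (Ubuntu 10.04) exits 0 on failure.
verify_client_cert() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$' || return 1
    if openssl x509 -in "$2" -noout -text | grep -q 'SSL Server'; then
        return 1
    fi
    return 0
}

# build_pki CN... -> batch equivalent of clean-all / build-ca /
# build-key-server server / build-key <cn> / build-dh.  Destroys any existing
# keys/ directory, exactly like ./clean-all does.
build_pki() {
    cd "$EASYRSA_DIR" || return 1
    . ./vars                 # pkitool reads the KEY_* settings from the environment
    export KEY_SIZE=2048     # vars defaults to 1024; 1024-bit RSA is too weak today
    ./clean-all
    ./pkitool --initca       # build-ca is "pkitool --interact --initca"
    ./pkitool --server server
    for cn in "$@"; do
        if [ "$cn" = server ] || cn_in_use keys/index.txt "$cn"; then
            echo "skipping '$cn': Common Name already issued" >&2
            continue
        fi
        ./pkitool "$cn"
    done
    ./build-dh               # writes keys/dh${KEY_SIZE}.pem
}

# constructed_index -> path to a constructed keys/index.txt (sample data made
# up for this example) with two live certificates and one revoked one.
# Columns: status, expiry, revocation date, serial, filename, subject DN.
constructed_index() {
    f=$(mktemp)
    dn='/C=CN/ST=GD/L=SZ/O=starlight36.com/OU=soa'
    printf 'V\t220510120000Z\t\t01\tunknown\t%s/CN=server/emailAddress=admin@starlight36.com\n' "$dn" >> "$f"
    printf 'V\t220510120000Z\t\t02\tunknown\t%s/CN=client/emailAddress=admin@starlight36.com\n' "$dn" >> "$f"
    printf 'R\t220510120000Z\t120601000000Z\t03\tunknown\t%s/CN=laptop/emailAddress=admin@starlight36.com\n' "$dn" >> "$f"
    echo "$f"
}

if [ "${1:-}" = build ]; then
    shift
    build_pki "$@"           # e.g. sh pki.sh build client laptop phone
else
    # Offline demo of the Common-Name check on the constructed database.
    idx=$(constructed_index)
    for cn in server client laptop phone; do
        if cn_in_use "$idx" "$cn"; then echo "$cn: in use"; else echo "$cn: free"; fi
    done
    rm -f "$idx"
fi
```

Run it as root with `sh pki.sh build client laptop` in place of the interactive steps; without arguments it only exercises the Common-Name check against the constructed index.txt. Because KEY_SIZE is raised to 2048, build-dh produces dh2048.pem, and the server configuration must reference that file name instead of dh1024.pem.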