OpenVPN On CentOS 5 配置

jacknichao 2012-03-25

服务器端

1.下载openvpn源

[root@localhost opt]#wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.i386.rpm

2.安装openvpn

[root@localhost opt]#sed --in-place "s/\\(.*enabled.*=\\).*/\1 0/" /etc/yum.repos.d/rpmforge.repo

[root@localhost opt]#yum --enablerepo rpmforge install  openvpn

[root@localhost opt]#mkdir -p /etc/openvpn/easy-rsa

[root@localhost opt]#cd /etc/openvpn/easy-rsa

[root@localhost easy-rsa]#cp -Rv /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/* ./

[root@localhost easy-rsa]#chmod u+x clean-all build-ca whichopensslcnf build-dh build-key pkitool build-key-server

3.拷贝配置文件

[root@localhost easy-rsa]#cd ..

[root@localhost openvpn]#cp /usr/share/doc/openvpn-2.2.0/sample-config-files/server.conf  ./

[root@localhost easy-rsa]#cd /etc/easy-rsa
[root@localhost easy-rsa]#vim vars

修该为自己的信息

[root@localhost easy-rsa]#. ./vars  #使其生效

[root@localhost easy-rsa]# ./clean-all   #初始化

[root@localhost easy-rsa]# ./build-ca   #创建根证书
Generating a 1024 bit RSA private key
......++++++
.................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CHINA]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [CSDN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [CSDN CA]:
Name []:
Email Address [[email protected]]:

[root@localhost easy-rsa]# ./build-key-server server   #创建服务器证书
Generating a 1024 bit RSA private key
................................................++++++
.............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CHINA]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [CSDN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:server
Name []:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'CHINA'
localityName          :PRINTABLE:'BEIJING'
organizationName      :PRINTABLE:'CSDN'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Mar 10 02:45:38 2022 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


[root@localhost easy-rsa]# ./build-key client   #创建客户端证书
Generating a 1024 bit RSA private key
......................++++++
........................................................++++++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CHINA]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [CSDN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client]:
Name []:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'CHINA'
localityName          :PRINTABLE:'BEIJING'
organizationName      :PRINTABLE:'CSDN'
commonName            :PRINTABLE:'client'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Mar 10 02:46:46 2022 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


[root@localhost easy-rsa]# ./build-dh      #生成Diffie Hellman文件
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...................+.................................................................................................................................................+...................................................+.............................................+...................................+...................................................................................................................................+................................+...................................................................+........+..............................................................................+........................................+...........................................................................+...+................+.........+......................+........................................................................................+.............................+...............................+..+.......................+.................+............................+......................+....+............................................+...................+.......................................................................+........+.......................................................................................................................+...................................................................................................+........................+..................................+.................................................................+.................................+...+.........................................................................+.....................+.......................+........+.............................+.............+......................+....+.....++*++*++*
4.配置文件

[root@localhost openvpn]#vim server.conf

local 117.79.92.146
port 1194
proto udp
dev tap
ca ./easy-rsa/keys/ca.crt
cert ./easy-rsa/keys/server.crt
dh ./easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0

push "route 192.168.1.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
verb 3

5.启动openvpn

[root@localhost openvpn]#/etc/init.d/openvpn start

Starting openvpn:                                          [  OK  ]
[root@localhost openvpn]# ifconfig                #多出的虚拟网卡
tap0      Link encap:Ethernet  HWaddr 66:78:46:2C:A8:8B
          inet addr:10.8.0.1  Bcast:10.8.0.255  Mask:255.255.255.0
          inet6 addr: fe80::6478:46ff:fe2c:a88b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:5728 (5.5 KiB)
客户端

安装方法和服务器一样,不同的是不用拷贝easy-rsa目录,拷贝配置文件的时候选择client.conf,把服务器的ca.crt,client.crt.client.key 拷贝到客户端

启动服务即可

注意事项:生成证书时一定要同步好时间,如果服务器端用nobody运行,别忘记赋予权限

相关推荐