jacknichao 2012-03-25
服务器端
1.下载openvpn源
[root@localhost opt]#wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.i386.rpm
2.安装openvpn
[root@localhost opt]#sed --in-place "s/\\(.*enabled.*=\\).*/\1 0/" /etc/yum.repos.d/rpmforge.repo
[root@localhost opt]#yum --enablerepo rpmforge install openvpn
[root@localhost opt]#mkdir -p /etc/openvpn/easy-rsa
[root@localhost opt]#cd /etc/openvpn/easy-rsa
[root@localhost easy-rsa]#cp -Rv /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/* ./
[root@localhost easy-rsa]#chmod u+x clean-all build-ca whichopensslcnf build-dh build-key pkitool build-key-server
3.拷贝配置文件
[root@localhost easy-rsa]#cd ..
[root@localhost openvpn]#cp /usr/share/doc/openvpn-2.2.0/sample-config-files/server.conf ./
[root@localhost easy-rsa]#cd /etc/easy-rsa
[root@localhost easy-rsa]#vim vars
修该为自己的信息
[root@localhost easy-rsa]#. ./vars #使其生效
[root@localhost easy-rsa]# ./clean-all #初始化
[root@localhost easy-rsa]# ./build-ca #创建根证书
Generating a 1024 bit RSA private key
......++++++
.................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CHINA]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [CSDN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [CSDN CA]:
Name []:
Email Address [[email protected]]:
[root@localhost easy-rsa]# ./build-key-server server #创建服务器证书
Generating a 1024 bit RSA private key
................................................++++++
.............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CHINA]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [CSDN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:server
Name []:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'CHINA'
localityName :PRINTABLE:'BEIJING'
organizationName :PRINTABLE:'CSDN'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Mar 10 02:45:38 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost easy-rsa]# ./build-key client #创建客户端证书
Generating a 1024 bit RSA private key
......................++++++
........................................................++++++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CHINA]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [CSDN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client]:
Name []:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'CHINA'
localityName :PRINTABLE:'BEIJING'
organizationName :PRINTABLE:'CSDN'
commonName :PRINTABLE:'client'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Mar 10 02:46:46 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost easy-rsa]# ./build-dh #生成Diffie Hellman文件
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...................+.................................................................................................................................................+...................................................+.............................................+...................................+...................................................................................................................................+................................+...................................................................+........+..............................................................................+........................................+...........................................................................+...+................+.........+......................+........................................................................................+.............................+...............................+..+.......................+.................+............................+......................+....+............................................+...................+.......................................................................+........+.......................................................................................................................+...................................................................................................+........................+..................................+.................................................................+.................................+...+.........................................................................+.....................+.......................+........+.............................+.............+......................+....+.....++*++*++*
4.配置文件
[root@localhost openvpn]#vim server.conf
local 117.79.92.146
port 1194
proto udp
dev tap
ca ./easy-rsa/keys/ca.crt
cert ./easy-rsa/keys/server.crt
dh ./easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
5.启动openvpn
[root@localhost openvpn]#/etc/init.d/openvpn start
Starting openvpn: [ OK ]
[root@localhost openvpn]# ifconfig #多出的虚拟网卡
tap0 Link encap:Ethernet HWaddr 66:78:46:2C:A8:8B
inet addr:10.8.0.1 Bcast:10.8.0.255 Mask:255.255.255.0
inet6 addr: fe80::6478:46ff:fe2c:a88b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:27 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:5728 (5.5 KiB)
客户端
安装方法和服务器一样,不同的是不用拷贝easy-rsa目录,拷贝配置文件的时候选择client.conf,把服务器的ca.crt,client.crt.client.key 拷贝到客户端
启动服务即可
注意事项:生成证书时一定要同步好时间,如果服务器端用nobody运行,别忘记赋予权限