OpenVPN_配置案例

OpenVPN服务器搭建详解环境简介：服务器：CentOS5.2客户端：XPsp2其他软件：openvpn-2.0.9.tar.gzopenvpn-2.0.9-gui-1.0.3-install.exelzo-2.03.tar.gzopenssl为CentOS5.2自带NTRadPing.exeradius测试软件pam_mysql-0.7RC1.tar.gzradiusplugin_v2.0c.tar.gzlibgcrypt-1.2.4.tar.gzlibgpg-error-1.5.tar.bz2所有测试都是在VMwareWorkstation5.5.1上完成（一）搭建OpenVPNServer路由模式目的：搭建一台OpenVPNServer使出差的员工也可以方便的访问到公司局域网中的共享资料。网络环境：OpenVPNServer基本设定：连接方式采用路由方式，认证方式采用证书认证，虚拟设备使用tun（比tap更高效）1．安装CentOS这一步我就不详写了注意：关闭SELinux，iptables2．安装OpenVPNa)检测openssl是否已安装。（一般系统已自带）[root@localhost~]#Whereisopenssl如果你的系统没有OpenSSL库，你需要下载和安装它。b)安装lzo如果你想使用VPN连接的压缩特性，或者你想将OpenVPN安装为一个RPM包，安装LZOLibrary。下载：解压到/root/Scripts目录中，后面所有的软件到存放到这个目录gzip–cdlzo-2.03.tar.gz|tar–xvf-makemakeinstall如果你使用Linux2.2或更早版本，下载TUN/TAPdriver。对于Linux2.4.7及以上版本的用户TUN/TAP驱动已经捆绑到内核中。Linux2.4.0-2.4.6的用户需要留意INSTALL文件末尾的注意信息。c）tarball安装OpenVPN现在下载OpenVPN的昀新发布版：解压gzip-dcopenvpn-2.0.9.tar.gz|tarxvf-cdopenvpn-2.0.9./configuremakemakeinstall如果你未下载LZOLibrary，将--disable-lzo加入到configure命令中。也可以启用其他的选型，比如pthread(./configure--enable-pthread)用来提高SSL/TLS动态密钥交换的响应速度。命令./configure--help将显示所有的配置选型。d）配置TUN/TAP驱动仅需一次的配置如果你使用Linux2.4.7或更高版本，十分幸运TUN/TAP驱动已经捆绑到内核中。你可以通过如下命令确认：locateif_tun.h此命令产生类似这样的信息/usr/include/linux/if_tun.h。对于Linux2.4.7或更高版本，如果你通过tarball安装，输入如下命令配置TUN/TAP设备节点（如果你通过RPM安装可以忽略这一步，因为RPM为你自动创建该节点）：mknod/dev/net/tunc10200如果你使用Linux2.2，你需要获得版本1.1的TUN/TAPkernelmodule并按照安装说明进行操作。每次系统启动后需要执行一次的配置在Linux上使用OpenVPN或任何用到TUN/TAP设备的程序前需要载入TUN/TAPkernelmodule：modprobetun并且启用IP转发：echo1/proc/sys/net/ipv4/ip_forward3．配置OpenVPNa）生成证书Key设置环境变量[root@openvpn~]#vi/root/.bash_profile追加如下内容（依据情况改变相应值）D=/root/Scripts/openvpn-2.0.9/easy-rsaKEY_CONFIG=$D/openssl.cnfKEY_DIR=$D/keysKEY_SIZE=1024KEY_COUNTRY=CNKEY_PROVINCE=GDKEY_CITY=DGKEY_ORG=ldKEY_EMAIL=colin_xia@luckydragongroup.comexportKEY_CONFIGKEY_DIRKEY_SIZEKEY_COUNTRYKEY_PROVINCEKEY_CITYKEY_ORGKEY_EMAILD同时把以上内容直接粘贴到控制台。[root@openvpn~]#echo$D可以看到变量已生效[root@localhostlocal]#cd/root/Scripts/openvpn-2.0.9/easy-rsa/初始化PKIBuild:代码:./clean-all./build-caGeneratinga1024bitRSAprivatekey....................................................++++++...++++++writingnewprivatekeyto'ca.key'-----Youareabouttobeaskedtoenterinformationthatwillbeincorporatedintoyourcertificaterequest.WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN.TherearequiteafewfieldsbutyoucanleavesomeblankForsomefieldstherewillbeadefaultvalue,Ifyouenter'.',thefieldwillbeleftblank.-----CountryName(2lettercode)[CN]:StateorProvinceName(fullname)[GD]:LocalityName(eg,city)[DG]:OrganizationName(eg,company)[ld]:OrganizationalUnitName(eg,section)[]:itCommonName(eg,yournameoryourserver'shostname)[]:colinEmailAddress[colin_xia@luckydragongroup.com]:#建立serverkey代码:代码:./build-key-serverserverGeneratinga1024bitRSAprivatekey..................++++++..........++++++writingnewprivatekeyto'server.key'-----Youareabouttobeaskedtoenterinformationthatwillbeincorporatedintoyourcertificaterequest.WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN.TherearequiteafewfieldsbutyoucanleavesomeblankForsomefieldstherewillbeadefaultvalue,Ifyouenter'.',thefieldwillbeleftblank.-----CountryName(2lettercode)[CN]:StateorProvinceName(fullname)[GD]:LocalityName(eg,city)[DG]:OrganizationName(eg,company)[ld]:OrganizationalUnitName(eg,section)[]:itCommonName(eg,yournameoryourserver'shostname)[]:serverEmailAddress[colin_xia@luckydragongroup.com]:Pleaseenterthefollowing'extra'attributestobesentwithyourcertificaterequestAchallengepassword[]:Anoptionalcompanyname[]:Usingconfigurationfrom/root/Scripts/openvpn-2.0.9/easy-rsa/openssl.cnfCheckthattherequestmatchesthesignatureSignatureokTheSubject'sDistinguishedNameisasfollowscountryName:PRINTABLE:'CN'stateOrProvinceName:PRINTABLE:'GD'localityName:PRINTABLE:'DG'organizationName:PRINTABLE:'ld'organizationalUnitName:PRINTABLE:'it'commonName:PRINTABLE:'server'emailAddress:IA5STRING:'colin_xia@luckydragongroup.com'CertificateistobecertifieduntilNov618:18:132018GMT(3650days)Signthecertificate?[y/n]:y1outof1certificaterequestscertified,commit?[y/n]yWriteoutdatabasewith1newentriesDataBaseUpdated#生成客户端key代码:Generatinga1024bitRSAprivatekey......++++++...........................................................++++++writingnewprivatekeyto'client1.key'-----Youareabouttobeaskedtoenterinformationthatwillbeincorporatedintoyourcertificaterequest.WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN.TherearequiteafewfieldsbutyoucanleavesomeblankForsomefieldstherewillbeadefaultvalue,Ifyouenter'.',thefieldwillbeleftblank.-----CountryName(2lettercode)[CN]:StateorProvinceName(fullname)[GD]:LocalityName(eg,city)[DG]:OrganizationName(eg,company)[ld]:OrganizationalUnitName(eg,section)[]:itCommonName(eg,yournameoryourserver'shostname)[]:client1#重要:每个不同的client生成的证书,名字必须不同.EmailAddress[colin_xia@luckydragongroup.com]:Pleaseenterthefollowing'extra'attributestobesentwithyourcertificaterequestAchallengepassword[]:Anoptionalcompanyname[]:Usingconfiguratio