OpenVPN server installation and configuration

1. Install lzo

  #tar -zxvf lzo-2.03.tar.gz
  #cd lzo-2.03
  #./configure --prefix=/usr/local/lzo
  #make
  #make install

2. Install OpenVPN

  tar -zxvf openvpn-2.0.9.tar.gz
  cd openvpn-2.0.9
  ./configure --prefix=/usr/local/openvpn --with-lzo-headers=/usr/local/lzo/include --with-lzo-lib=/usr/local/lzo/lib --with-ssl-headers=/usr/include/openssl --with-ssl-lib=/usr/lib
  make
  make install

Both tarballs are old releases. A current OpenVPN 2.x tarball (or the distribution package) builds the same way; the easy-rsa that ships with it today is easy-rsa 3, whose easyrsa subcommands (init-pki, build-ca, build-server-full, gen-dh) replace the vars and build-* scripts used below.

3. Generate the certificates and keys

  #cd easy-rsa/
  #vi vars

Contents of vars after editing:

  export D=`pwd`
  export KEY_CONFIG=$D/openssl.cnf
  export KEY_DIR=$D/keys
  echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
  export KEY_SIZE=1024
  export KEY_COUNTRY=CN
  export KEY_PROVINCE=BJ
  export KEY_CITY=BJ
  export KEY_ORG="OpenVPN-TEST"
  export KEY_EMAIL=wjpheart@126.com

  #chmod a+x vars

KEY_SIZE=1024 is what the transcript below was produced with, and 1024-bit RSA keys and 1024-bit DH groups are below the minimum any current deployment should accept. Set KEY_SIZE=2048 (or larger) before running the scripts; build-dh then writes dh2048.pem and the dh line in server.conf changes to match.

vars must be sourced into the current shell (`. ./vars` or `source ./vars`), not executed. Running it as ./vars starts a child shell whose exports disappear when it exits, which is exactly why ./clean-all fails with "you must define KEY_DIR" in the transcript; the manual exports that follow have the same effect as sourcing the file.

  [root@localhost easy-rsa]# ./vars
  NOTE: when you run ./clean-all, I will be doing a rm -rf on /home/weijunping/openvpn-2.0.9/easy-rsa/keys
  [root@localhost easy-rsa]# ./clean-all
  you must define KEY_DIR
  [root@localhost easy-rsa]# export D=`pwd`
  [root@localhost easy-rsa]# export KEY_CONFIG=$D/openssl.cnf
  [root@localhost easy-rsa]# export KEY_DIR=$D/keys
  [root@localhost easy-rsa]# export KEY_SIZE=1024
  [root@localhost easy-rsa]# export KEY_COUNTRY=CN
  [root@localhost easy-rsa]# export KEY_PROVINCE=BJ
  [root@localhost easy-rsa]# export KEY_CITY=BJ
  [root@localhost easy-rsa]# export KEY_ORG="OpenVPN-TEST"
  [root@localhost easy-rsa]# export KEY_EMAIL=wjpheart@126.com
  [root@localhost easy-rsa]# ./clean-all

Build the CA:

  [root@localhost easy-rsa]# ./build-ca
  Generating a 1024 bit RSA private key
  ....++++++
  ........++++++
  writing new private key to 'ca.key'
  -----
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [CN]:CN
  State or Province Name (full name) [BJ]:BJ
  Locality Name (eg, city) [BJ]:BJ
  Organization Name (eg, company) [OpenVPN-TEST]:bokee
  Organizational Unit Name (eg, section) []:blogchina
  Common Name (eg, your name or your server's hostname) []:bokee-inc.com
  Email Address [wjpheart@126.com]:

Build and sign the server certificate:

  [root@localhost easy-rsa]# ./build-key-server server
  Generating a 1024 bit RSA private key
  ..........++++++
  ..........++++++
  writing new private key to 'server.key'
  -----
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [CN]:CN
  State or Province Name (full name) [BJ]:BJ
  Locality Name (eg, city) [BJ]:BJ
  Organization Name (eg, company) [OpenVPN-TEST]:bokee
  Organizational Unit Name (eg, section) []:blogchina
  Common Name (eg, your name or your server's hostname) []:bokee-inc.com
  Email Address [wjpheart@126.com]:

  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:wjpinrain
  An optional company name []:bokee
  Using configuration from /home/weijunping/openvpn-2.0.9/easy-rsa/openssl.cnf
  Check that the request matches the signature
  Signature ok
  The Subject's Distinguished Name is as follows
  countryName           :PRINTABLE:'CN'
  stateOrProvinceName   :PRINTABLE:'BJ'
  localityName          :PRINTABLE:'BJ'
  organizationName      :PRINTABLE:'bokee'
  organizationalUnitName:PRINTABLE:'blogchina'
  commonName            :PRINTABLE:'bokee-inc.com'
  emailAddress          :IA5STRING:'wjpheart@126.com'
  Certificate is to be certified until Sep 12 03:40:48 2021 GMT (3650 days)
  Sign the certificate? [y/n]:y

  1 out of 1 certificate requests certified, commit? [y/n]y
  Write out database with 1 new entries
  Data Base Updated
  [root@localhost easy-rsa]#

Two things to do differently from the transcript: give the server certificate a Common Name that differs from the CA's (both are bokee-inc.com above, so the two certificates cannot be told apart by subject, and the server CN is what clients are expected to verify), and leave the challenge password and optional company name empty. Those two "extra" attributes are stored only in the certificate request; they do not appear in the issued certificate and OpenVPN never uses them.

Generate the Diffie-Hellman parameters:

  [root@localhost easy-rsa]# ./build-dh
  Generating DH parameters, 1024 bit long safe prime, generator 2
  This is going to take a long time
  .......+........+...............................+..+..+......++*++*++*

4. Create the server configuration file

  #mkdir /usr/local/openvpn/etc/
  [root@localhost openvpn]# cd /home/weijunping/openvpn-2.0.9/sample-config-files/
  [root@localhost sample-config-files]# cp server.conf /usr/local/openvpn/etc/
  [root@localhost sample-config-files]# vi /usr/local/openvpn/etc/server.conf

The edited server.conf reads as follows. The credential paths point at /usr/local/openvpn/etc/keys, the directory step 5 creates, rather than at the easy-rsa build directory, so that the build tree can be removed (or kept off the server) once the files are deployed:

  port 1194
  proto udp
  dev tun
  ca /usr/local/openvpn/etc/keys/ca.crt
  cert /usr/local/openvpn/etc/keys/server.crt
  key /usr/local/openvpn/etc/keys/server.key
  dh /usr/local/openvpn/etc/keys/dh1024.pem
  server 10.8.0.0 255.255.255.0
  ifconfig-pool-persist ipp.txt
  push "redirect-gateway"
  push "dhcp-option DNS 202.106.0.20"    (the DNS server address pushed to clients)
  client-to-client
  keepalive 10 120
  comp-lzo
  max-clients 100
  user nobody
  group nobody
  persist-key
  persist-tun
  status /usr/local/openvpn/etc/openvpn-status.log
  verb 4

Notes on these settings: push "redirect-gateway" sends all client traffic through the tunnel, which only works if the server forwards and NATs it (net.ipv4.ip_forward=1 plus a MASQUERADE rule for 10.8.0.0/24 on the outbound interface); the original page shows neither. client-to-client lets VPN clients reach each other directly inside OpenVPN, so that traffic is never seen by the server's own packet filter. user nobody and group nobody drop privileges after startup; persist-key and persist-tun are required with them, because the unprivileged process could not reopen the key or re-create the tun device on a restart.

5. Deploy the server key files

  #mkdir /usr/local/openvpn/etc/keys
  #cd /home/weijunping/openvpn-2.0.9/easy-rsa/keys
  #cp ca.crt server.crt server.key dh1024.pem /usr/local/openvpn/etc/keys
  #chmod 600 /usr/local/openvpn/etc/keys/server.key

Copy only the four files listed. ca.key, the CA's private key, is needed solely for signing further certificates and should not be on the VPN server at all: whoever reads it can issue client certificates that this server will trust.

6. Start the OpenVPN server

  #/usr/local/openvpn/sbin/openvpn --daemon --config /usr/local/openvpn/etc/server.conf

  [root@localhost keys]# netstat -unlp
  Active Internet connections (only servers)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
  udp        0      0 0.0.0.0:1194            0.0.0.0:*                           28763/openvpn
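As an added example (not part of the original tutorial), the following POSIX shell script is a pre-flight check to run before step 6. It catches the mismatches that creep in when keys are built in one directory and deployed to another: a ca/cert/key/dh path in server.conf that does not resolve, a private key left group- or world-readable, and a configuration missing the privilege-dropping directives. The directive names are OpenVPN's; the function names check_server_conf and conf_path and the messages they print are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original tutorial. Pre-flight check for an
# OpenVPN 2.x server.conf: every ca/cert/key/dh path must resolve (relative
# paths are taken from the current directory, as OpenVPN does without a
# "cd" directive), the private key must not be group- or world-readable,
# and the privilege-dropping directives the tutorial relies on must be
# present. check_server_conf, conf_path and the messages are this
# example's own names.

# Print the argument of the first line in config $1 whose directive is $2.
conf_path() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Return 0 when every check passes, 1 otherwise, printing one line per finding.
check_server_conf() {
    conf="$1"
    rc=0

    # 1. Each credential directive must exist and point at a readable file.
    for d in ca cert key dh; do
        p=$(conf_path "$conf" "$d")
        if [ -z "$p" ]; then
            echo "missing directive: $d"; rc=1
        elif [ ! -r "$p" ]; then
            echo "$d points at a missing or unreadable file: $p"; rc=1
        fi
    done

    # 2. The private key must be readable by its owner only (mode 600 or 400).
    keyfile=$(conf_path "$conf" key)
    if [ -n "$keyfile" ] && [ -f "$keyfile" ]; then
        # GNU stat first, BSD stat as the fallback; both print octal bits.
        mode=$(stat -c %a "$keyfile" 2>/dev/null || stat -f %Lp "$keyfile")
        case "$mode" in
            *[1-7]?|*?[1-7])   # any group or other permission bit set
                echo "private key $keyfile is group/world accessible (mode $mode)"; rc=1 ;;
        esac
    fi

    # 3. Privilege drop, and the directives that let it survive a restart.
    for d in user group persist-key persist-tun; do
        grep -qE "^$d"'( |$)' "$conf" || { echo "missing hardening directive: $d"; rc=1; }
    done
    return $rc
}

# Usage: sh check-openvpn-conf.sh /usr/local/openvpn/etc/server.conf
[ $# -eq 0 ] || check_server_conf "$1"
```

Run it from the directory OpenVPN will be started in (or use absolute paths in server.conf, as the configuration above does), since that is where OpenVPN resolves relative credential paths. A non-zero exit with the findings on stdout means the daemon would either fail to start or start with a readable private key.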