linux下架设openvpn.doc

/thread-1924227-1-1.html通过1个多周的学习，反复搭建openvpn服务器，经长达8次的实验，终于将openvpn服务器架设成功，经过在网上找的很多文档发现有很多细节的东西文档中交代的不是很清楚，对于高手来说似乎能看出所以然来，但对于新手来说，或许文档中有些一带而过的说明，肯定在假设中带来不少的麻烦，所以经过这次的亲身架设，并总结容易出问题的地方在这里把详细架设文档写出来，作为新手第一次架设过程中的参照；（ps：该文档仅提供服务器对客户端的成功连接，如有新的需求请根据自身环境进行设置。#为注释说明） 搭建环境: server端：centos 5.4 kernel版本：2.6.18-164.el5xen ip：3 （vm虚拟机作为server端） openvpn软件版本2.0.5 openvpn安装时需要安装Lzo软件包，这个软件包是一个解压缩库文件,openvpn所使用的一个软件包, 如在configure时没有发现此包将会configure错误；OpenSSL：如果需要启用 SSL 连接，则需要先安装 OpenSSL。CentOS 下可以用 yum install 进行安装如下：yum install openssl openssl-develClient 端: Windows XP PRO SP3 OpenVPN GUI For windows 1.0.3 , 可在 openvpn.se中下载 注意: OpenVPN GUI for windows 的版本要和 OpenVPN Server 的版本配套. 例如, 服务器装的是 OpenVPN 2.0.5, 那么下载的 OpenVPN GUI fow windows 应该是: openvpn-2.0.5-gui-1.0.3-install.exe OpenVPN GUI的所有历史版本: http:/openvpn.se/files/install_packages/一、 OpenVPN 服务端安装过程1、下载 LZO，解压到lzo-2.02：# wget /opensource/lzo/download/lzo-2.02.tar.gz2、下载 OpenVPN, 解压到openvpn-2.0.5：#wget /release/openvpn-2.0.5.tar.gz3、安装LZO：#cd lzo-2.02#./configure make make check make install #注意：在编译过程中不能出现erro报错，如在编译过程中出现错误，请删除解压后的文件并重新解压，如还出现报错可能在下载软件包时出现问题，重新下载，或检查操作系统环境，关联软件或lib是否安装完全；4、安装 OpenVPN：#cd openvpn-2.0.5# ./configure-with-lzo-headers=/usr/local/include-with-lzo-lib=/usr/local/lib-with-ssl-headers=/usr/include/openssl-with-ssl-lib=/usr/local/lib make make install #注意configure中的每一个-with参数前都是有空格分隔的，加粗部分需要在安装openssl步骤时 whereis openssl一下看openssl的安装路径，一般yum默认安装openssl时，在/usr/include/下，路径不要搞错；5、生成证书Key 初始化PKI在安装完openvpn软件包后在安装目录openvpn-2.0.5中进入easy-rsa 目录进行变量的设置#cd easy-rsa#export D=pwd #注意pwd两边的单引号是键盘数字1左边的而不是键盘回车键左边的，注意别写反了export KEY_CONFIG=$D/f export KEY_DIR=$D/keys export KEY_SIZE=1024 export KEY_COUNTRY=CN export KEY_PROVINCE=BJ export KEY_CITY=BJS export KEY_ORG=自定义单位名称 export KEY_EMAIL=自定义你的邮箱# 附属：在easy-rsa 目录下有一下脚本及程序，说明如下 vars 脚本, 是用来创建环境变量,设置所需要要的变量的脚本 clean-all 脚本,是创建生成ca证书及密钥文件所需要的文件及目录 build-ca 脚本, 生成ca证书(交互) build-dh 脚本, 生成Diffie-Hellman文件(交互) build-key-server 脚本, 生成服务器端密钥(交互) build-key 脚本, 生成客户端密钥(交互) pkitool 脚本, 直接使用vars的环境变量设置, 直接生成证书(非交互)#在easy-rsa 目录下运行 ./clean-all#./build-ca 过程如下：Generating a 1024 bit RSA private key .+ .+ writing new private key to ca.key - You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ., the field will be left blank. - Country Name (2 letter code) CN: #以下这些直接按回车确认 除了空的位置要手动输入，可以看出这些信息是你之前变量设置时的内容，最好一致。State or Province Name (full name) BJ: Locality Name (eg, city) BJS: Organization Name (eg, company) 自定义: Organizational Unit Name (eg, section) :同上名字可手动输入Common Name (eg, your name or your servers hostname) :server Email Address 个人邮箱: #建立server key./build-key-server server #最后面的server名字可以自己定义，只要你能记清楚，在这里姑且叫做server过程如下：Generating a 1024 bit RSA private key .+ .+ writing new private key to server.key - You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ., the field will be left blank. - Country Name (2 letter code) CN: #这些也是确认的信息 直接回车就可以 除了需要手动填写的内容与上面那些信息一致State or Province Name (full name) BJ: Locality Name (eg, city) BJS: Organization Name (eg, company) 原来自定义时的名字: Organizational Unit Name (eg, section) :同上 可手动输入Common Name (eg, your name or your servers hostname) :server #这个可以注释为你本机的主机名最好一致 本例就以server为准Email Address 个人邮箱: Please enter the following extra attributes to be sent with your certificate request A challenge password :abcd1234 An optional company name :自定义名字同以上名字一致Using configuration from /openvpn-2.0.5/easy-rsa/f Check that the request matches the signature Signature ok The Subjects Distinguished Name is as follows countryName RINTABLE:CN stateOrProvinceName RINTABLE:BJ localityName RINTABLE:BJS organizationName RINTABLE:上面自定义的内容 organizationalUnitNameRINTABLE:同上 commonName RINTABLE:server emailAddress :IA5STRING:个人邮箱 Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days) Sign the certificate? y/n:y 1 out of 1 certificate requests certified, commit? y/ny Write out database with 1 new entries Data Base Updated #生成客户端 key ./build-key client1 #客户端名字可以自定义 但一定要记住，因为会牵扯到以后认证的一致性过程如下：Generating a 1024 bit RSA private key .+ .+ writing new private key to client1.key - You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ., the field will be left blank. - Country Name (2 letter code) CN: State or Province Name (full name) BJ: Locality Name (eg, city) BJS: Organization Name (eg, company) 自定义 通最初的名字一致: Organizational Unit Name (eg, section) :同上，可以手动输入Common Name (eg, your name or your servers hostname) :client1 #重要: 每个不同的 client 生成的证书, 名字必须不同. Email Address 个人邮箱: Please enter the following extra attributes to be sent with your certificate request A challenge password :abcd1234 An optional company name :自定义Using configuration from /openvpn-2.0.5/easy-rsa/f Check that the request matches the signature Signature ok The Subjects Distinguished Name is as follows countryName RINTABLE:CN stateOrProvinceName RINTABLE:BJ localityName RINTABLE:BJS organizationName RINTABLE:自定义名字和原来设置一致 organizationalUnitName:PRINTABLE:同上 commonName :PRINTABLE:client1 emailAddress :IA5STRING:个人邮箱 Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days) Sign the certificate? y/n:y 1 out of 1 certificate requests certified, commit? y/ny Write out database with 1 new entries Data Base Updated 注意在进入 Common Name (eg, your name or your servers hostname) : 的输入时, 每个证书输入的名字必须不#生成 Diffie Hellman 参数./build-dh#以上脚本运行完成后 会在安装目录openvpn-2.0.5/easy-rsa/ 下生成一个keys目录，以上运行后生成的密钥及证书均在该目录内可使用winscp软件把keys目录从server服务器中复制到客户端本地保存6、创建服务端配置及客户端文件进入源码目录，在安装文件openvpn-2.0.5下有个sample-config-files目录，在此目录下把server.conf 和client.conf复制到/usr/local/etc下#cp server.conf /usr/local/etccp client.conf /usr/local/etc分别编辑两个配置文件server.conf如下内容配置，注意文件内；为取消掉的意思 #为注释说明local 3 #服务器地址port 1194 proto udp dev tun ca /root/openvpn-2.0.5/easy-rsa/keys/ca.crt cert /root/openvpn-2.0.5/easy-rsa/keys/server.crt key /root/openvpn-2.0.5/easy-rsa/keys/server.key# This file should be kept secret #证书的路径要写全dh /root/openvpn-2.0.5/easy-rsa/keys/dh1024.pem server #服务端tun虚拟地址client-to-client keepalive 10 120 comp-lzo persist-key persist-tun status /openvpn-2.0.5/easy-rsa/keys/openvpn-status.log verb 4 push dhcp-option DNS OpenVPN 客户端: client.ovpn client.conf配置内容如下：client dev tun proto udp remote 3 1194 openvpn服务器地址persist-key persist-tun ca ca.crt cert client1.crt #注意客户端密钥及证书名字要与上面生成的一致key client1.key ns-cert-type server comp-lzo verb 3 redirect-gateway def1 #以上两个配置文件中内容说明可参考：/13185/348807、启动Openvpn: #运行/usr/local/sbin/openvpn -config /usr/local/etc/server.conf #此时运行netstat -an | grep 1194 我们可以侦听到1194端口，这表示openvpn运行起来了但由于我们是以编译的方式来安装的openvpn所以可以给它做个启动脚本：将安装目录openvpn-2.0.5/sample-scripts目录下的openvpn.init 考入/etc/init.d/并命名为openvpn产看/etc/init.d/openvpn 文件内第69行，路径要与你实际路径相符 本例为该文件内的路径将openvpn添