RHEL5 OpenVPN installation and Windows OpenVPN GUI installation notes
yuhongchun
yuhongchun posted on 2008-06-13 17:11
----------------- 抚琴煮酒

There is little material online about configuring OpenVPN on RHEL5, so I am writing down the configuration process for RHEL5. It is much the same as on RHEL4, and I hope it helps. If you repost this, please credit my blog: http://hi.baidu.com/yuhongchun027

I. Installing the server

1. Download the latest openvpn from http://openvpn.net/; as of today that is openvpn-2.0.9.tar.gz.
   a) Everyone online says the lzo compression library is also needed. I did not install it; it is enough to add --disable-lzo when building. So the only package to install is openvpn-2.0.9.tar.gz.
2. Upload it to the server gait.buaa.edu.cn and unpack it into /root/openvpn-2.0.9.
3. cd /root/openvpn-2.0.9
4. ./configure --disable-lzo

1) Create the CA

In the OpenVPN source directory there is an easy-rsa/2.0 directory. Go into it and edit the information at the end of the vars file:

export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="Beijing"
export KEY_ORG="PKU"
export KEY_EMAIL=" xxxxxx@pku.edu.cn"

Save and exit, then run:

source vars
./clean-all
./build-ca

A series of prompts then asks for information. Most of it defaults to the values from the vars file above; the only field you need to fill in yourself is "Organizational Unit Name", which can be anything or can be left blank. I left it blank.

2) Generate the server certificate and key

./build-key-server server

This is similar to the previous step: the only field you need to fill in is "Organizational Unit Name", and it can also be left blank. If you leave it blank here, the Windows VPN client you set up must be able to resolve the VPN server name correctly; what I changed was the C:\windows\system32\drivers\etc\hosts file, adding the VPN server's name-resolution entry there.

You will also be asked "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]"; answer y and press Enter to both.

./build-key-server server
Generating a 1024 bit RSA private key
......++++++
....................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [buaa]:
Organizational Unit Name (eg, section) []:gait
Common Name (eg, your name or your server's hostname) []:server
Email Address [support@cooldvd.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:dvdmaster
Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'dvdmaster'
organizationalUnitName:PRINTABLE:'dvdmaster'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'support@cooldvd.com'
Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

3) Generate client certificates and keys

With this OpenVPN setup, every VPN client that logs in needs its own certificate, and each certificate can serve only one client connection at a time (if two machines install the same certificate and dial the server at the same time, both connect, but only the first one to connect can actually reach the network). So many certificates have to be created. Below we create two, named client1 and client2.

./build-key client1
Generating a 1024 bit RSA private key
.....++++++
......++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [buaa]:
Organizational Unit Name (eg, section) []:gait
Common Name (eg, your name or your server's hostname) []:client1   # Important: the certificate generated for each client must have a different name.
Email Address [support@cooldvd.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:gait
Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'dvdmaster'
organizationalUnitName:PRINTABLE:'dvdmaster'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'support@cooldvd.com'
Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generate the other client certificates/keys the same way, then build the Diffie-Hellman parameters:

./build-key client2
./build-dh

4) Configure the server VPN file

a) cp /root/openvpn-2.0.9/sample-config-files/server.conf /usr/local/etc/server.conf
b) vi /usr/local/etc/server.conf
   i. Change proto udp to proto tcp
   ii. Change the four ca lines to:
       ca /root/openvpn-2.0.9/easy-rsa/keys/2.0/ca.crt
       cert /root/openvpn-2.0.9/easy-rsa/keys/2.0/server.crt
       key /root/openvpn-2.0.9/easy-rsa/keys/2.0/server.key
       dh /root/openvpn-2.0.9/easy-rsa/keys/2.0/dh1024.pem
   iii. Change the server line to server 10.0.0.0 255.255.255.0
   iv. Comment out comp-lzo
   v. Change it to verb 5 to see more debugging information

5) Start the service:

a) Remove every block on SSH (22) and openvpn (1194) on the server and on the firewall.
b) echo 1 > /proc/sys/net/ipv4/ip_forward
c) /usr/local/sbin/openvpn --config /usr/local/etc/server.conf

II. Installing the Windows VPN client
Installing the client

1. From http://openvpn.se/ download the Windows client "OpenVPN GUI for Windows" whose version matches the openvpn server.
   a) For example, if the server runs OpenVPN 2.0.9, the OpenVPN GUI for Windows to download is openvpn-2.0.9-gui-1.0.3-install.exe
2. Run openvpn-2.0.9-gui-1.0.3-install.exe, accepting all the defaults.
3. Copy ca.crt, client1.crt and client1.key into C:\Program Files\OpenVPN\config. (Different users use different certificates; each certificate consists of two files, the .crt and the .key, e.g. client2.crt and client2.key.)
4. Build the client configuration file from /root/openvpn-2.0.9/sample-config-files/client.conf and save it as C:\Program Files\OpenVPN\config\client.ovpn
   a) Change proto udp to proto tcp
   b) Change the remote line to remote gait.buaa.edu.cn 1194
   c) Change the three ca lines to:
      ca ca.crt
      cert client1.crt
      key client1.key
   d) Comment out comp-lzo
5. Connect: right-click the OpenVPN icon in the bottom-right tray and choose "Connect". Normally it should connect successfully and be assigned a proper IP.
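The server-side edits in step 4) and the client-side edits in step 4 above have to agree with each other (proto, port, comp-lzo), and a mismatch on any of them is the usual reason the "Connect" in step 5 fails. The following checker, added here as an example and not part of the original post, parses a server.conf and a client .ovpn and reports those mismatches; the two sample configs are constructed for the example.

```python
# Added example, not from the original post: verify that a server.conf and a
# client .ovpn agree on the settings this walkthrough edits by hand
# (proto, port/remote, comp-lzo). Both configs below are constructed samples.
SERVER_CONF = """\
port 1194
proto tcp
ca /root/openvpn-2.0.9/easy-rsa/keys/2.0/ca.crt
cert /root/openvpn-2.0.9/easy-rsa/keys/2.0/server.crt
key /root/openvpn-2.0.9/easy-rsa/keys/2.0/server.key
dh /root/openvpn-2.0.9/easy-rsa/keys/2.0/dh1024.pem
server 10.0.0.0 255.255.255.0
;comp-lzo
"""

# Client still at the sample-file defaults: udp and comp-lzo not yet changed.
CLIENT_OVPN = """\
client
proto udp
remote gait.buaa.edu.cn 1194
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
"""

def parse(text):
    """Map each active directive to its argument list; '#' and ';' lines are comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        opts[name] = args
    return opts

def check(server_text, client_text):
    """Return the mismatches that would keep this client off this server."""
    s, c = parse(server_text), parse(client_text)
    problems = []
    s_proto, c_proto = s.get("proto", ["udp"])[0], c.get("proto", ["udp"])[0]
    if s_proto != c_proto:
        problems.append("proto: server %s, client %s" % (s_proto, c_proto))
    remote = c.get("remote", [])
    if len(remote) < 2 or remote[1] != s.get("port", ["1194"])[0]:
        problems.append("remote port does not match the server port")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo enabled on only one side")
    return problems
```

Running check(SERVER_CONF, CLIENT_OVPN) on the samples reports the proto and comp-lzo mismatches; after the client edits from step 4 it returns an empty list.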