西部数码主机 | 阿里云主机| 虚拟主机 | 服务器 | 返回乐道官网
当前位置: 主页 > 开发教程 > linux教程 >

OpenVPN (base CentOS6.6)

时间:2016-09-28 18:33来源:未知 作者:好模板编辑 点击:
VPN基本概念 虚拟专用网VPN 功能:在不安全的公共网络上建立安全的专用网络,进行数据加密传输 VPN与隧道技术 隧道协议包括 乘客协议:被封装的协议,如PPP,SLIP 封装协议:隧道的建
VPN基本概念
 
    虚拟专用网VPN
 
    功能:在不安全的公共网络上建立安全的专用网络,进行数据加密传输
 
VPN与隧道技术
 
    隧道协议包括
 
        乘客协议:被封装的协议,如PPP,SLIP
 
        封装协议:隧道的建立、维持及断开,如L2TP、IPSec
 
        承载协议:承载经过封装后的数据包的协议,如IP
 
实例部署
 
一、环境部署
 
    内网主机(slave1) vpnserver(master)       vpnclient(slave2)
 
    192.168.1.0/24      192.168.1.1         202.102.1.2
 
          202.102.1.1
 
在内网主机上指定网关:
 
    [root@slave1 ~]# ip route 
 
    192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.2 
 
    169.254.0.0/16 dev eth0  scope link  metric 1002 
 
    default via 192.168.1.1 dev eth0 
 
添加内、外网接口地址
 
    [root@master ~]# ip addr show eth0 
 
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
 
        link/ether 00:0c:29:1f:e0:45 brd ff:ff:ff:ff:ff:ff
 
        inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
 
        inet6 fe80::20c:29ff:fe1f:e045/64 scope link 
 
           valid_lft forever preferred_lft forever
 
    [root@master ~]# ip addr show eth1
 
    3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
 
        link/ether 00:0c:29:1f:e0:4f brd ff:ff:ff:ff:ff:ff
 
        inet 202.102.1.1/24 brd 202.102.1.255 scope global eth1
 
        inet6 fe80::20c:29ff:fe1f:e04f/64 scope link 
 
           valid_lft forever preferred_lft forever
 
    [root@master ~]# ip route 
 
    202.102.1.0/24 dev eth1  proto kernel  scope link  src 202.102.1.1 
 
    192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1 
 
    169.254.0.0/16 dev eth0  scope link  metric 1002 
 
    169.254.0.0/16 dev eth1  scope link  metric 1003 
 
    [root@master ~]# echo 1 > /proc/sys/net/ipv4/ip_forward 
 
二、CA证书签发
 
    流程如下:创建CA / 为VPN Server签发证书 / 为VPN Client签发证书 / 生成密钥交换参数文件
 
1、CA配置 并为vpnserver和vpnclient生成私钥及签名证书 (在vpnserver端完成)
 
    安装openvpn相关软件
 
    [root@vpnserver OpenVPN]# rpm -ivh lzo-2.06-1.el6.rfx.x86_64.rpm    //用于数据压缩
 
    [root@vpnserver OpenVPN]# rpm -ivh openvpn-2.0.9-1.el6.rf.x86_64.rpm
 
    生成CA私钥和证书文件:
 
    [root@vpnserver OpenVPN]# cd /usr/share/doc/openvpn-2.0.9/easy-rsa/
 
    [root@vpnserver easy-rsa]# ls
 
    2.0          build-key         build-req       make-crl     revoke-full
 
    build-ca     build-key-pass    build-req-pass  openssl.cnf  sign-req
 
    build-dh     build-key-pkcs12  clean-all       README       vars
 
    build-inter  build-key-server  list-crl        revoke-crt   Windows
 
    [root@vpnserver easy-rsa]# chmod +x *
 
    [root@vpnserver easy-rsa]# vim vars  
 
    export KEY_COUNTRY=CN
 
    export KEY_PROVINCE=BJ
 
    export KEY_CITY=BJ
 
    export KEY_ORG="uplooking"          
 
    export KEY_EMAIL="ca@example.com"
 
 
 
    [root@vpnserver easy-rsa]# source vars 
 
    NOTE: when you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/openvpn-2.0.9/easy-rsa/keys
 
 
 
    [root@vpnserver easy-rsa]# ./clean-all      #清除keys目录下以前的证书文件
 
    [root@vpnserver easy-rsa]# ./build-ca     #生成ca私钥和证书
 
    Generating a 1024 bit RSA private key
 
    ..........................++++++
 
    ...........++++++
 
    writing new private key to 'ca.key'
 
    -----
 
    You are about to be asked to enter information that will be incorporated
 
    into your certificate request.
 
    What you are about to enter is what is called a Distinguished Name or a DN.
 
    There are quite a few fields but you can leave some blank
 
    For some fields there will be a default value,
 
    If you enter '.', the field will be left blank.
 
    -----
 
    Country Name (2 letter code) [CN]:
 
    State or Province Name (full name) [BJ]:
 
    Locality Name (eg, city) [BJ]:
 
    Organization Name (eg, company) [uplooking]:
 
    Organizational Unit Name (eg, section) []:jiaoxue
 
    Common Name (eg, your name or your server's hostname) []: ca.example.com
 
    Email Address [ca@example.com]:
 
 
 
    [root@vpnserver easy-rsa]# ls//查看生成了keys目录
 
    2.0          build-key-pass    clean-all    README       Windows
 
    build-ca     build-key-pkcs12  keys         revoke-crt
 
    build-dh     build-key-server  list-crl     revoke-full
 
    build-inter  build-req         make-crl     sign-req
 
    build-key    build-req-pass    openssl.cnf  vars
 
 
 
    [root@vpnserver easy-rsa]# ls keys/
 
    ca.crt  ca.key  index.txt  serial
 
 
 
2、生成vpnserver的私钥和证书:
 
    [root@vpnserver easy-rsa]# ./build-key-server vpnserver
 
    Generating a 1024 bit RSA private key
 
    ..................................................++++++
 
    .........................++++++
 
    writing new private key to 'vpnserver.key'
 
    -----
 
    You are about to be asked to enter information that will be incorporated
 
    into your certificate request.
 
    What you are about to enter is what is called a Distinguished Name or a DN.
 
    There are quite a few fields but you can leave some blank
 
    For some fields there will be a default value,
 
    If you enter '.', the field will be left blank.
 
    -----
 
    Country Name (2 letter code) [CN]:
 
    State or Province Name (full name) [BJ]:
 
    Locality Name (eg, city) [BJ]:
 
    Organization Name (eg, company) [uplooking]:
 
    Organizational Unit Name (eg, section) []:jiaoxue
 
    Common Name (eg, your name or your server's hostname) []:vpnserver.example.com
 
    Email Address [ca@example.com]:
 
 
 
    Please enter the following 'extra' attributes
 
    to be sent with your certificate request
 
    A challenge password []:
 
    An optional company name []:
 
    Using configuration from /usr/share/doc/openvpn-2.0.9/easy-rsa/openssl.cnf
 
    Check that the request matches the signature
 
    Signature ok
 
    The Subject's Distinguished Name is as follows
 
    countryName           :PRINTABLE:'CN'
 
    stateOrProvinceName   :PRINTABLE:'BJ'
 
    localityName          :PRINTABLE:'BJ'
 
    organizationName      :PRINTABLE:'uplooking'
 
    commonName            :PRINTABLE:'vpnserver.example.com'
 
    emailAddress          :IA5STRING:'ca@example.com'
 
    Certificate is to be certified until Jun 29 04:03:05 2023 GMT (3650 days)
 
    Sign the certificate? [y/n]:y
 
 
 
    1 out of 1 certificate requests certified, commit? [y/n]y
 
    Write out database with 1 new entries
 
    Data Base Updated
 
 
 
    [root@vpnserver easy-rsa]# ls keys/
 
    01.pem  index.txt       serial            vicvpnserver.csr
 
    ca.crt  index.txt.attr  serial.old        vicvpnserver.key
 
    ca.key  index.txt.old   vicvpnserver.crt
 
 
 
3、为每一个client生成的私钥和证书:
 
    [root@vpnserver easy-rsa]# ./build-key client1
 
    Generating a 1024 bit RSA private key
 
    ............................++++++
 
    ...................++++++
 
    writing new private key to 'client1.key'
 
    -----
 
    You are about to be asked to enter information that will be incorporated
 
    into your certificate request.
 
    What you are about to enter is what is called a Distinguished Name or a DN.
 
    There are quite a few fields but you can leave some blank
 
    For some fields there will be a default value,
 
    If you enter '.', the field will be left blank.
 
    -----
 
    Country Name (2 letter code) [CN]:
 
    State or Province Name (full name) [BJ]:
 
    Locality Name (eg, city) [BJ]:
 
    Organization Name (eg, company) [uplooking]:
 
    Organizational Unit Name (eg, section) []:jiaoxue
 
    Common Name (eg, your name or your server's hostname) []: client1.example.com
 
    Email Address [ca@example.com]:
 
 
 
    Please enter the following 'extra' attributes
 
    to be sent with your certificate request
 
    A challenge password []:
 
    An optional company name []:
 
    Using configuration from /usr/share/doc/openvpn-2.0.9/easy-rsa/openssl.cnf
 
    Check that the request matches the signature
 
    Signature ok
 
    The Subject's Distinguished Name is as follows
 
    countryName           :PRINTABLE:'CN'
 
    stateOrProvinceName   :PRINTABLE:'BJ'
 
    localityName          :PRINTABLE:'BJ'
 
    organizationName      :PRINTABLE:'uplooking'
 
    commonName            :PRINTABLE:'client1.example.com'
 
    emailAddress          :IA5STRING:'ca@example.com'
 
    Certificate is to be certified until Nov  6 11:38:59 2022 GMT (3650 days)
 
    Sign the certificate? [y/n]:y
 
 
 
    1 out of 1 certificate requests certified, commit? [y/n]y
 
    Write out database with 1 new entries
 
    Data Base Updated
 
 
 
4、查看相关的证书和私钥
 
    [root@vpnserver easy-rsa]# ls keys/
 
    01.pem  client1.crt  index.txt.attr      serial.old
 
    02.pem  client1.csr  index.txt.attr.old  vicvpnserver.crt
 
    ca.crt  client1.key  index.txt.old       vicvpnserver.csr
 
    ca.key  index.txt    serial              vicvpnserver.key

(责任编辑:好模板)
顶一下
(0)
0%
踩一下
(0)
0%
------分隔线----------------------------
栏目列表
热点内容