5、创建密钥协商参数文件(下面的 build-dh 默认生成 1024 位 DH 参数;这一长度按现在的标准强度偏低,如有需要可生成更长的参数)
[root@vpnserver easy-rsa]# pwd
/usr/share/doc/openvpn-2.0.9/easy-rsa
[root@vpnserver easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...........+...+.........................+.........+........................+.........................+..........+....................+........................+
...........................+..................................+................................................+.............+............................+............
.....................+..+............+................................................................+.........................+...........................+.........
...........+.......................+.....................................+.................................................+...........................+.................
.......................+...........+..............................+....................................+......+..........................................................
.............................................+..............................................+.................+....................................+.......................
................................++*++*++*
三、VPN Server配置
前提:开启VPNServer 的ip_forward功能
1、检查相应的密钥文件
[root@master keys]# pwd
/usr/share/doc/openvpn-2.0.9/easy-rsa/keys
[root@master keys]# cp ca.crt vpnserver.crt vpnserver.key /etc/openvpn/
[root@master keys]# ls /etc/openvpn/
ca.crt vpnserver.crt vpnserver.key
[root@master easy-rsa]# cp keys/dh1024.pem /etc/openvpn/
2、配置VPN Server
[root@master ~]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/
//openvpn server配置文件
[root@master ~]# vim /etc/openvpn/server.conf
[root@master ~]# grep -P -v "^(#|;|$)" server.conf
local 202.102.1.1
port 1194
proto udp
dev tap
ca ca.crt
cert vpnserver.crt
key vpnserver.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
3、启动VPN服务器
[root@master ~]# service openvpn start
[root@master ~]# chkconfig openvpn on
[root@master ~]# ip addr sh tap0
13: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/ether 12:31:8b:9a:e3:02 brd ff:ff:ff:ff:ff:ff
inet 10.8.0.1/24 brd 10.8.0.255 scope global tap0
inet6 fe80::1031:8bff:fe9a:e302/64 scope link
valid_lft forever preferred_lft forever
[root@master ~]# ip route
202.102.1.0/24 dev eth1 proto kernel scope link src 202.102.1.1
10.8.0.0/24 dev tap0 proto kernel scope link src 10.8.0.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
四、VPN Client配置
1、基本环境准备
[root@slave2 ~]# ip addr show eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:77:2a:a6 brd ff:ff:ff:ff:ff:ff
inet 202.102.1.2/24 brd 202.102.1.255 scope global eth1
inet6 fe80::20c:29ff:fe77:2aa6/64 scope link
valid_lft forever preferred_lft forever
[root@slave2 ~]# ip route
202.102.1.0/24 dev eth1 proto kernel scope link src 202.102.1.2
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.3
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
[root@slave2 OpenVPN]# rpm -ivh lzo-2.06-1.el6.rfx.x86_64.rpm
[root@slave2 OpenVPN]# rpm -ivh openvpn-2.0.9-1.el6.rf.x86_64.rpm
2、从vpnserver复制相应的密钥(注意:后面 client.conf 中 cert/key 两行指向的文件名必须与此处复制到 /etc/openvpn/ 的文件名一致,否则客户端无法加载证书)
[root@slave2 openvpn]# cd /etc/openvpn/
[root@slave2 openvpn]# ls c*
ca.crt client1.crt client1.key
3、配置VPN客户端
[root@slave2 openvpn]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/client.conf /etc/openvpn/
[root@slave2 openvpn]# vi /etc/openvpn/client.conf
[root@slave2 openvpn]# grep -P -v "^(;|#|$)" client.conf
client
dev tap
proto udp
remote vpn.example.com 1194 #此FQDN必须对应vpnserver外网网卡的IP
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
4、启动并测试
[root@slave2 ~]# service openvpn restart
[root@slave2 ~]# chkconfig openvpn on
[root@slave2 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:77:2a:9c brd ff:ff:ff:ff:ff:ff
inet 192.168.2.3/24 brd 192.168.2.255 scope global eth0
inet6 fe80::20c:29ff:fe77:2a9c/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:77:2a:a6 brd ff:ff:ff:ff:ff:ff
inet 202.102.1.2/24 brd 202.102.1.255 scope global eth1
inet 172.16.80.58/24 scope global eth1
inet6 fe80::20c:29ff:fe77:2aa6/64 scope link
valid_lft forever preferred_lft forever
10: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/ether c6:b9:f9:45:99:3a brd ff:ff:ff:ff:ff:ff
inet 10.8.0.2/24 brd 10.8.0.255 scope global tap0
inet6 fe80::c4b9:f9ff:fe45:993a/64 scope link
valid_lft forever preferred_lft forever
[root@slave2 ~]# ip route
202.102.1.0/24 dev eth1 proto kernel scope link src 202.102.1.2
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.3
192.168.1.0/24 via 10.8.0.1 dev tap0
10.8.0.0/24 dev tap0 proto kernel scope link src 10.8.0.2
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
五、VPN 技术扩展
1、基于帐号方式验证
1). vim /etc/openvpn/server.conf 添加以下内容
#########auth password########
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
#client-cert-not-required
username-as-common-name
##############################
以上三行的内容分别表示:指定用户的认证脚本;不要求客户端提供证书、仅使用用户名/密码验证(如果要同时启用证书和密码认证,则像上面那样注释掉该行);使用客户端提供的用户名作为Common Name
2). vim /etc/openvpn/checkpsw.sh 添加以下内容
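#!/bin/sh
########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
# Lines starting with ';' or '#' are ignored.
#
# OpenVPN calls it through
#   auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
# so the client's credentials arrive in the environment
# variables "username" and "password". Exit status 0 accepts
# the client; any other status rejects it.
#
# NOTE(review): with "user nobody" in server.conf this runs as
# that unprivileged account once OpenVPN has dropped privileges.
# Keep the script itself root-owned and not writable by that
# account, and keep the passfile and the log unreadable to other
# local users -- the passfile holds passwords in clear text.
########################################################
PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")

# Append one timestamped line to LOG_FILE.
# The candidate password is deliberately never written out: the
# original logged it verbatim on every failed attempt, so a
# mistyped password (usually one character away from the real
# one, or a valid password for another account) ended up in the
# log file.
log() {
  printf '%s: %s\n' "${TIME_STAMP}" "$*" >> "${LOG_FILE}"
}

if [ ! -r "${PASSFILE}" ]; then
  log "Could not open password file \"${PASSFILE}\" for reading."
  exit 1
fi

# An empty name can never match a passfile entry; reject it up
# front instead of running the lookup.
if [ -z "${username}" ]; then
  log "Rejected: empty username."
  exit 1
fi

# Look the user up through ENVIRON instead of splicing ${username}
# into the awk program text: the original built the awk source
# from the client-supplied name, so a name containing quotes could
# change what awk executed. ENVIRON also sidesteps the backslash
# escape processing that "awk -v" applies to its value.
CORRECT_PASSWORD=$(awk '!/^;/ && !/^#/ && $1 == ENVIRON["username"] { print $2; exit }' "${PASSFILE}")

if [ -z "${CORRECT_PASSWORD}" ]; then
  log "User does not exist: username=\"${username}\"."
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  log "Successful authentication: username=\"${username}\"."
  exit 0
fi

log "Incorrect password: username=\"${username}\"."
exit 1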
[root@node4 openvpn]# ll checkpsw.sh
-rwxr--r-- 1 root root 1191 Sep 17 23:52 checkpsw.sh
[root@node4 openvpn]# chown nobody.nobody checkpsw.sh
3). 建立用户名、密码的列表文件:/etc/openvpn/psw-file
文件的格式:用户名<Tab或空格>密码(每行一个用户,以 ; 或 # 开头的行会被脚本忽略)
user1 pass
user2 pass
[root@node4 openvpn]#chmod 400 /etc/openvpn/psw-file
[root@node4 openvpn]#chown nobody.nobody /etc/openvpn/psw-file
4). 修改vpn客户端的配置文件
一是注释掉下面两行 (当然也可以不注释,继续同时使用证书验证)
;cert client1.crt
;key client1.key
二是增加验证时询问用户名和密码
auth-user-pass
2、安装Windows VPN客户端
1). 从http://openvpn.se/files/上下载与openvpn服务器版本一致的Windows客户端“OpenVPN GUI For Windows”
a) 例如, 服务器装的是 OpenVPN 2.0.9, 那么下载的 OpenVPN GUI for Windows 应该是: openvpn-2.0.9-gui-1.0.3-install.exe
2). 执行openvpn-2.0.9-gui-1.0.3-install.exe。一切采用默认设置。
3). 将ca.crt、client1.crt、client1.key复制到C:\Program Files\OpenVPN\config。(不同用户使用不同的证书,每个证书包括.crt和.key两个文件,如client2.crt和client2.key)
4). 在/root/openvpn-2.0.9/sample-config-files/client.conf 的基础上建立客户端配置文件,改名为C:\Program Files\OpenVPN\config\client.ovpn,即先在服务器上建立配置文件,然后再上传改名到客户机上。
a) proto udp改成proto tcp
b) remote那行改成
192.168.1.103 1194
c) ca那3行改为
ca ca.crt
cert client1.crt
key client1.key
d) 注释掉comp-lzo
连接:在右下角的openvpn图标上右击,选择“Connect”。正常情况下应该能够连接成功,分配正常的IP