
OpenVPN (base CentOS6.6)(2)

 
 
5、创建密钥协商参数文件
 
    [root@vpnserver easy-rsa]# pwd
 
    /usr/share/doc/openvpn-2.0.9/easy-rsa
 
    [root@vpnserver easy-rsa]# ./build-dh 
 
    Generating DH parameters, 1024 bit long safe prime, generator 2
 
    This is going to take a long time
 
    ...........+...+.........................+.........+........................+.........................+..........+....................+........................+
 
    ...........................+..................................+................................................+.............+............................+............
 
    .....................+..+............+................................................................+.........................+...........................+.........
 
    ...........+.......................+.....................................+.................................................+...........................+.................
 
    .......................+...........+..............................+....................................+......+..........................................................
 
    .............................................+..............................................+.................+....................................+.......................
 
    ................................++*++*++*
 
 
 
三、VPN Server配置
 
    前提:开启VPNServer 的ip_forward功能
 
1、检查相应的密钥文件
 
    [root@master keys]# pwd
 
    /usr/share/doc/openvpn-2.0.9/easy-rsa/keys
 
    [root@master keys]# cp ca.crt vpnserver.crt vpnserver.key /etc/openvpn/
 
    [root@master keys]# ls /etc/openvpn/
 
    ca.crt  vpnserver.crt  vpnserver.key
 
    [root@master easy-rsa]# cp keys/dh1024.pem /etc/openvpn/
 
 
 
2、配置VPN Server
 
    [root@master ~]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/
 
    //openvpn server配置文件
 
    [root@master ~]# vim /etc/openvpn/server.conf 
 
    [root@master ~]# grep -P -v "^(#|;|$)" server.conf 
 
    local 202.102.1.1
 
    port 1194
 
    proto udp
 
    dev tap
 
    ca ca.crt
 
    cert vpnserver.crt
 
    key vpnserver.key  # This file should be kept secret
 
    dh dh1024.pem
 
    server 10.8.0.0 255.255.255.0
 
    ifconfig-pool-persist ipp.txt
 
    push "route 192.168.1.0 255.255.255.0"
 
    keepalive 10 120
 
    comp-lzo
 
    user nobody
 
    group nobody
 
    persist-key
 
    persist-tun
 
    status openvpn-status.log
 
    verb 3
 
    
 
3、启动VPN服务器
 
    [root@master ~]# service openvpn start
 
    [root@master ~]# chkconfig openvpn on
 
    [root@master ~]# ip addr sh tap0
 
    13: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
 
    link/ether 12:31:8b:9a:e3:02 brd ff:ff:ff:ff:ff:ff
 
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tap0
 
    inet6 fe80::1031:8bff:fe9a:e302/64 scope link 
 
       valid_lft forever preferred_lft forever
 
    [root@master ~]# ip route
 
    202.102.1.0/24 dev eth1  proto kernel  scope link  src 202.102.1.1     
 
    10.8.0.0/24 dev tap0  proto kernel  scope link  src 10.8.0.1 
 
    192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1 
 
    169.254.0.0/16 dev eth0  scope link  metric 1002 
 
    169.254.0.0/16 dev eth1  scope link  metric 1003 
 
 
 
四、VPN Client配置
 
1、基本环境准备
 
    [root@slave2 ~]# ip addr show eth1
 
    3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
 
        link/ether 00:0c:29:77:2a:a6 brd ff:ff:ff:ff:ff:ff
 
        inet 202.102.1.2/24 brd 202.102.1.255 scope global eth1
 
        inet6 fe80::20c:29ff:fe77:2aa6/64 scope link 
 
           valid_lft forever preferred_lft forever
 
    [root@slave2 ~]# ip route
 
    202.102.1.0/24 dev eth1  proto kernel  scope link  src 202.102.1.2 
 
    192.168.2.0/24 dev eth0  proto kernel  scope link  src 192.168.2.3 
 
    169.254.0.0/16 dev eth0  scope link  metric 1002 
 
    169.254.0.0/16 dev eth1  scope link  metric 1003 
 
 
 
    [root@slave2 OpenVPN]# rpm -ivh lzo-2.06-1.el6.rfx.x86_64.rpm
 
    [root@slave2 OpenVPN]# rpm -ivh openvpn-2.0.9-1.el6.rf.x86_64.rpm
 
 
 
2、从vpnserver复制相应的密钥
 
    [root@slave2 openvpn]# cd /etc/openvpn/
 
    [root@slave2 openvpn]# ls c*
 
    ca.crt  client1.crt  client1.key
 
 
 
3、配置VPN Client
 
    [root@slave2 openvpn]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/client.conf /etc/openvpn/
 
    [root@slave2 openvpn]# vi /etc/openvpn/client.conf 
 
    [root@slave2 openvpn]# grep -P -v "^(;|#|$)" client.conf 
 
    client
 
    dev tap
 
    proto udp
 
    remote vpn.example.com 1194     #此FQDN必须对应vpnserver外网网卡的IP
 
    resolv-retry infinite
 
    nobind
 
    user nobody
 
    group nobody
 
    persist-key
 
    persist-tun
 
    ca ca.crt
 
    cert client.crt
 
    key client.key
 
    comp-lzo
 
    verb 3
 
    
 
4、启动并测试
 
    [root@slave2 ~]# service openvpn restart
 
    [root@slave2 ~]# chkconfig openvpn on
 
    [root@slave2 ~]# ip addr
 
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
 
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 
        inet 127.0.0.1/8 scope host lo
 
        inet6 ::1/128 scope host 
 
           valid_lft forever preferred_lft forever
 
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
 
        link/ether 00:0c:29:77:2a:9c brd ff:ff:ff:ff:ff:ff
 
        inet 192.168.2.3/24 brd 192.168.2.255 scope global eth0
 
        inet6 fe80::20c:29ff:fe77:2a9c/64 scope link 
 
           valid_lft forever preferred_lft forever
 
    3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
 
        link/ether 00:0c:29:77:2a:a6 brd ff:ff:ff:ff:ff:ff
 
        inet 202.102.1.2/24 brd 202.102.1.255 scope global eth1
 
        inet 172.16.80.58/24 scope global eth1
 
        inet6 fe80::20c:29ff:fe77:2aa6/64 scope link 
 
           valid_lft forever preferred_lft forever
 
    10: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
 
        link/ether c6:b9:f9:45:99:3a brd ff:ff:ff:ff:ff:ff
 
        inet 10.8.0.2/24 brd 10.8.0.255 scope global tap0
 
        inet6 fe80::c4b9:f9ff:fe45:993a/64 scope link 
 
           valid_lft forever preferred_lft forever
 
    [root@slave2 ~]# ip route
 
    202.102.1.0/24 dev eth1  proto kernel  scope link  src 202.102.1.2 
 
    192.168.2.0/24 dev eth0  proto kernel  scope link  src 192.168.2.3 
 
    192.168.1.0/24 via 10.8.0.1 dev tap0 
 
    10.8.0.0/24 dev tap0  proto kernel  scope link  src 10.8.0.2 
 
    169.254.0.0/16 dev eth0  scope link  metric 1002 
 
    169.254.0.0/16 dev eth1  scope link  metric 1003 
 
 
 
五、VPN 技术扩展
 
1、基于帐号方式验证
 
    1). vim /etc/openvpn/server.conf 添加以下内容
 
    #########auth password########
 
    auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
 
    #client-cert-not-required
 
    username-as-common-name
 
    ##############################
 
    以上三行的含义分别是:第一行指定用户认证脚本;第二行表示不要求客户端证书、仅使用用户名/密码验证(若要同时启用证书和密码认证,则保持该行注释);第三行使用客户端提供的用户名作为Common Name。
 
    2). vim /etc/openvpn/checkpsw.sh 添加以下内容
 
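#!/bin/sh
########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
# Lines starting with ';' or '#' are ignored.
#
# OpenVPN runs it through
#   auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
# so the client-supplied credentials arrive in the
# environment variables "username" and "password".
# Exit status: 0 = accept the client, non-zero = reject.
########################################################

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")

########################################################

# log_msg MESSAGE
# Appends a timestamped MESSAGE to LOG_FILE.
# Passwords are never written here: the log is typically
# readable by more accounts than the passfile, and a logged
# mistyped password is a near-miss of the real one.
log_msg() {
  printf '%s: %s\n' "${TIME_STAMP}" "$1" >> "${LOG_FILE}"
}

# lookup_password USERNAME PASSFILE
# Prints the password stored for USERNAME (second field of the
# first matching non-comment line), or nothing if none is found.
# The username is passed to awk with -v instead of being spliced
# into the program text, so a client-chosen name containing quotes
# or awk syntax cannot change the query. (-v interprets backslash
# escapes, so a username containing a backslash will not match.)
lookup_password() {
  awk -v u="$1" '!/^;/ && !/^#/ && $1 == u { print $2; exit }' "$2"
}

# main
# Checks the credentials from the environment against PASSFILE
# and returns the status OpenVPN sees as the script's exit code.
main() {
  if [ ! -r "${PASSFILE}" ]; then
    log_msg "Could not open password file \"${PASSFILE}\" for reading."
    return 1
  fi

  correct_password=$(lookup_password "${username}" "${PASSFILE}")

  # An empty stored password is treated the same as an unknown user.
  if [ "${correct_password}" = "" ]; then
    log_msg "User does not exist: username=\"${username}\"."
    return 1
  fi

  if [ "${password}" = "${correct_password}" ]; then
    log_msg "Successful authentication: username=\"${username}\"."
    return 0
  fi

  log_msg "Incorrect password: username=\"${username}\"."
  return 1
}

# Last command of the script: its status becomes the exit status.
main "$@"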
 
 
 
    [root@node4 openvpn]# ll checkpsw.sh 
 
    -rwxr--r-- 1 root root 1191 Sep 17 23:52 checkpsw.sh
 
    [root@node4 openvpn]# chown nobody.nobody checkpsw.sh
 
    3). 建立用户名、密码的列表文件:/etc/openvpn/psw-file
 
    文件的格式:用户名<Tab>密码
 
    user1   pass
 
    user2   pass
 
    [root@node4 openvpn]# chmod 400 /etc/openvpn/psw-file
 
    [root@node4 openvpn]# chown nobody.nobody /etc/openvpn/psw-file
 
    4). 修改vpn客户端的配置文件
 
    一是注释掉以下两行(也可以保留证书认证而不注释)
 
     ;cert client1.crt
 
     ;key client1.key
 
    二是增加验证时询问用户名和密码
 
    auth-user-pass
 
 
 
2、安装Windows VPN客户端
 
    1).  从http://openvpn.se/files/上下载与openvpn服务器版本一致的Windows客户端“OpenVPN GUI For Windows” 
 
    a) 例如, 服务器装的是 OpenVPN 2.0.9, 那么下载的 OpenVPN GUI for Windows 应该是: openvpn-2.0.9-gui-1.0.3-install.exe 
 
    2).  执行openvpn-2.0.9-gui-1.0.3-install.exe。一切采用默认设置。 
 
    3).  将ca.crt、client1.crt、client1.key复制到C:\Program Files\OpenVPN\config。(不同用户使用不同的证书,每个证书包括.crt和.key两个文件,如client2.crt和client2.key) 
 
    4).  在/root/openvpn-2.0.9/sample-config-files/client.conf 的基础上建立客户端配置文件,改名为C:\Program Files\OpenVPN\config\client.ovpn,即先在服务器上建立配置文件,然后再上传改名到客户机上。
 
    a) proto udp改成proto tcp(客户端的proto必须与服务器端server.conf中的proto一致)
 
    b) remote那行改成 
 
    192.168.1.103   1194           
 
    c) ca那3行改为 
 
    ca ca.crt 
 
    cert client1.crt 
 
    key client1.key 
 
    d) 注释掉comp-lzo 
 
    连接:在右下角的openvpn图标上右击,选择“Connect”。正常情况下应该能够连接成功,分配正常的IP