Install the OpenVPN software
CA configuration
Self-signed certificate
Issue a certificate for bj-vpnserver
Issue a certificate for the operations staff (reusable)
bj-vpnserver configuration
1. Install the software

[root@bj-vpnserver ~]# yum install openvpn

Alternatively, build from source. The versions below are the ones the original procedure used; lzo 2.03, OpenSSL 0.9.8 and OpenVPN 2.0.9 are all long unsupported, so on a current system install the distribution's openvpn package and skip the source build.

1) Install the compilers (gcc and g++)
yum install gcc
yum install gcc-c++

2) Install the LZO library
cd /home/download/
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz
tar -xvzf lzo-2.03.tar.gz
cd lzo-2.03
./configure --prefix=/usr/local/lzo && make && make install
vi /etc/ld.so.conf      # add the line /usr/local/lzo/lib so the dynamic loader can find liblzo
ldconfig                # rebuild the shared-library cache after editing ld.so.conf

3) Install OpenSSL
cd /home/download/
wget http://www.openssl.org/source/openssl-0.9.8.tar.gz
tar -xvzf openssl-0.9.8.tar.gz
cd openssl-0.9.8
./config --prefix=/usr/local/openssl && make && make install

4) Install OpenVPN
cd /home/download/
wget http://www.openvpn.net/release/openvpn-2.0.9.tar.gz
tar -xvzf openvpn-2.0.9.tar.gz
cd openvpn-2.0.9
./configure --prefix=/usr/local/openvpn && make && make install
2. CA configuration

[root@bj-vpnserver ~]# cd /usr/share/doc/openvpn-2.0.9/easy-rsa/
[root@bj-vpnserver easy-rsa]# chmod +x *
[root@bj-vpnserver easy-rsa]# vim vars
export KEY_COUNTRY=CN
export KEY_PROVINCE=BJ
export KEY_CITY=BJ
export KEY_ORG="bj-vpnserver"
export
[root@bj-vpnserver easy-rsa]# source vars
[root@bj-vpnserver easy-rsa]# ./clean-all      # wipes keys/; only run this when starting a new CA
[root@bj-vpnserver easy-rsa]# ./build-ca       # generates the CA private key (ca.key) and certificate (ca.crt)
Common Name (eg, your name or your server's hostname) []:ca

Keep ca.key off the VPN server once the certificates are issued: anyone holding it can mint client certificates that the server trusts. Only ca.crt is copied to /etc/openvpn/ below.
3. Issue a certificate for bj-vpnserver

[root@bj-vpnserver easy-rsa]# ./build-key-server server   # "server" is the file name of the certificate; choose freely
Common Name (eg, your name or your server's hostname) []:bj-server

build-key-server marks the certificate as a server certificate (nsCertType=server). Clients configured with ns-cert-type server will then refuse to talk to anyone presenting an ordinary client certificate, so a compromised client certificate cannot impersonate the server.

4. Issue a certificate for vpnclient

[root@bj-vpnserver easy-rsa]# ./build-key client1   # "client1" is the file name of the certificate; choose freely
Common Name (eg, your name or your server's hostname) []:client1

Issue one certificate per operator rather than one shared by the whole team: the CN is what appears in the status log and the ccd directory, and it is what gets revoked when someone leaves. A shared certificate removes accountability and forces every user to be re-keyed when one copy leaks.
5. Inspect the certificates

Generate the key-agreement parameters (Diffie-Hellman):
[root@bj-vpnserver easy-rsa]# ./build-dh

List the certificates and private keys:
[root@bj-vpnserver easy-rsa]# ls keys/
01.pem  02.pem  ca.crt  ca.key  client1.crt  client1.csr  client1.key  dh1024.pem  index.txt  index.txt.attr  index.txt.attr.old  index.txt.old  serial  serial.old  server.crt  server.csr  server.key

The .key files are private keys. dh1024.pem is 1024-bit because vars sets KEY_SIZE=1024; set KEY_SIZE=2048 (or larger) before running ./build-dh. index.txt is the CA database in which easy-rsa records every issued and revoked certificate.
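The keys/ listing includes index.txt, the OpenSSL CA database that easy-rsa keeps of every certificate it has issued. The script below is an added example, not part of the original article or of easy-rsa: it parses that file to report which certificates are valid, revoked or expired, and which CN has been issued more than once (which matters for the duplicate-cn option in server.conf). The index.txt contents written by write_sample_index are constructed for the demo; on the CA host run the same functions against keys/index.txt.

```shell
#!/bin/sh
# Added example, not part of the original article: summarise the easy-rsa
# certificate database keys/index.txt so an operator can see which
# certificates are valid, revoked or expired and whether one CN has been
# issued more than once.
#
# index.txt format (tab separated, one certificate per line):
#   status (V/R/E)  expiry YYMMDDHHMMSSZ  revocation date (R only)  serial  filename  subject
# The sample written by write_sample_index below is constructed for this demo.

# One line per certificate: status, serial, CN and expiry date.
# The CN is cut out of a subject such as /C=CN/ST=BJ/O=bj-vpnserver/CN=client1/emailAddress=...
summarize_index() {
  awk -F'\t' '
    { cn = $6; sub(/.*\/CN=/, "", cn); sub(/\/.*/, "", cn)
      status = ($1 == "V") ? "valid" : ($1 == "R") ? "revoked" : "expired"
      printf "%-8s serial=%s cn=%s expires=20%s-%s-%s\n",
             status, $4, cn, substr($2, 1, 2), substr($2, 3, 2), substr($2, 5, 2) }' "$1"
}

# Number of certificates in a given state: V (valid), R (revoked) or E (expired)
count_status() {
  awk -F'\t' -v want="$1" '$1 == want { n++ } END { print n + 0 }' "$2"
}

# CNs that currently have more than one valid certificate. Without
# duplicate-cn in server.conf, a new connection with a CN that is already
# connected drops the existing session, so shared CNs surface here.
duplicate_cns() {
  awk -F'\t' '
    $1 == "V" { cn = $6; sub(/.*\/CN=/, "", cn); sub(/\/.*/, "", cn); seen[cn]++ }
    END { for (k in seen) if (seen[k] > 1) print k }' "$1" | sort
}

# Constructed sample: a server cert, two client certs for client1, one revoked client2
write_sample_index() {
  printf 'V\t200614120000Z\t\t01\tunknown\t/C=CN/ST=BJ/L=BJ/O=bj-vpnserver/CN=bj-server/emailAddress=ops@example.com\n' > "$1"
  printf 'V\t200614120000Z\t\t02\tunknown\t/C=CN/ST=BJ/L=BJ/O=bj-vpnserver/CN=client1/emailAddress=ops@example.com\n' >> "$1"
  printf 'R\t200614120000Z\t110101000000Z\t03\tunknown\t/C=CN/ST=BJ/L=BJ/O=bj-vpnserver/CN=client2/emailAddress=ops@example.com\n' >> "$1"
  printf 'V\t200614120000Z\t\t04\tunknown\t/C=CN/ST=BJ/L=BJ/O=bj-vpnserver/CN=client1/emailAddress=ops@example.com\n' >> "$1"
}

# Demo on the constructed sample; on the CA host point the functions at keys/index.txt
demo=$(mktemp)
write_sample_index "$demo"
summarize_index "$demo"
echo "valid=$(count_status V "$demo") revoked=$(count_status R "$demo")"
echo "CNs with more than one valid certificate: $(duplicate_cns "$demo" | tr '\n' ' ')"
rm -f "$demo"
```

A revoked entry in index.txt only takes effect on the server if server.conf carries crl-verify pointing at a CRL generated from this database; without it the revoked client2 above still authenticates.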
6. Configure bj-vpnserver

1) Copy the key material into place
[root@bj-vpnserver keys]# pwd
/usr/share/doc/openvpn-2.0.9/easy-rsa/keys
[root@bj-vpnserver keys]# cp ca.crt server.key server.crt dh1024.pem /etc/openvpn/
[root@bj-vpnserver keys]# ls /etc/openvpn/
ca.crt  dh1024.pem  server.crt  server.key

Make sure server.key is readable only by root (mode 0600); ca.key and the client keys are deliberately not copied.

2) server.conf (adjust to your environment)
[root@bj-vpnserver keys]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/
[root@bj-vpnserver keys]# vim /etc/openvpn/server.conf
local 20.20.20.1                     # IP address on which the VPN server listens
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0        # tunnel (tun) network
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
push "route 192.168.10.0 255.255.255.0"   # push a route to Beijing internal network 1 to every client
push "route 192.168.20.0 255.255.255.0"   # push a route to Beijing internal network 2 to every client
client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway"
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
;client-to-client
;duplicate-cn                        # whether several clients may connect with the same certificate CN at once
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
mute 20

As written, this keeps the OpenVPN 2.0.9 defaults: the data channel uses Blowfish (BF-CBC) with a SHA1 HMAC, the DH group is 1024-bit, the control channel has no tls-auth key, compression is on (compression inside a VPN lets an attacker recover plaintext through size differences, the VORACLE attack), and there is no crl-verify, so a client certificate cannot be revoked once issued. For anything beyond a lab, uncomment one of the AES cipher lines, generate ta.key with openvpn --genkey --secret ta.key and enable tls-auth ta.key 0 here (tls-auth ta.key 1 on the clients), regenerate the DH parameters at 2048 bits, drop comp-lzo, and point crl-verify at the CRL that ./revoke-full produces.
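The script below is an added example, not from the article or the OpenVPN project: a POSIX sh/awk audit that reads a server.conf and reports the weak or absent settings a reviewer would flag (default Blowfish cipher, SHA1 HMAC, 1024-bit DH, no tls-auth, compression, no CRL, shared CNs). The weak and hardened configs it writes are constructed; the weak one mirrors the settings listed above.

```shell
#!/bin/sh
# Added example, not part of the original article: audit an OpenVPN
# server.conf for the weak or missing settings that the configuration
# above leaves at the OpenVPN 2.0.9 defaults. Pure POSIX sh + awk.
# The configs written by write_weak_conf / write_hardened_conf are
# constructed for this demo; run the audit on /etc/openvpn/server.conf.

# Print one finding per line. Lines starting with ';' or '#' are comments
# in the OpenVPN config syntax and are skipped, so a commented-out
# tls-auth or cipher line counts as absent.
audit_openvpn_conf() {
  awk '
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }
    $1 == "cipher"       { cipher = $2 }
    $1 == "auth"         { auth = $2 }
    $1 == "dh"           { dh = $2 }
    $1 == "tls-auth"     { tlsauth = 1 }
    $1 == "comp-lzo"     { complzo = 1 }
    $1 == "user"         { user = $2 }
    $1 == "group"        { group = $2 }
    $1 == "crl-verify"   { crl = 1 }
    $1 == "duplicate-cn" { dupcn = 1 }
    END {
      if (cipher == "" || cipher == "BF-CBC" || cipher ~ /^DES/)
        print "cipher: " (cipher == "" ? "default BF-CBC" : cipher) " has a 64-bit block (SWEET32); set cipher AES-256-CBC (AES-256-GCM on 2.4+)"
      if (auth == "")
        print "auth: HMAC defaults to SHA1; set auth SHA256"
      if (dh ~ /1024/)
        print "dh: " dh " is 1024-bit Diffie-Hellman; regenerate with KEY_SIZE=2048 or larger"
      if (!tlsauth)
        print "tls-auth: control channel unprotected; generate ta.key and enable tls-auth ta.key 0"
      if (complzo)
        print "comp-lzo: compression leaks plaintext through size oracles (VORACLE); remove it"
      if (user != "nobody" || group != "nobody")
        print "user/group: daemon keeps root after startup; set user nobody and group nobody"
      if (!crl)
        print "crl-verify: no CRL, so a revoked client certificate still authenticates"
      if (dupcn)
        print "duplicate-cn: one certificate shared by many people; issue one per operator instead"
    }' "$1"
}

# Number of findings for a config file
count_findings() { audit_openvpn_conf "$1" | wc -l | tr -d ' '; }

# Constructed weak config: the defaults the article's server.conf relies on
write_weak_conf() {
  cat > "$1" <<'EOF'
local 20.20.20.1
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
;duplicate-cn
;tls-auth ta.key 0
;cipher AES-128-CBC
comp-lzo
user nobody
group nobody
EOF
}

# Constructed hardened config that the audit should accept without findings
write_hardened_conf() {
  cat > "$1" <<'EOF'
local 20.20.20.1
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
crl-verify crl.pem
server 10.8.0.0 255.255.255.0
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
user nobody
group nobody
EOF
}

# Demo: audit both constructed configs
for kind in weak hardened; do
  f=$(mktemp)
  "write_${kind}_conf" "$f"
  echo "== $kind server.conf: $(count_findings "$f") finding(s)"
  audit_openvpn_conf "$f"
  rm -f "$f"
done
```

The audit only reads the first word of each active line, so it does not follow config directives or inline files; it is meant as a quick pre-deployment check, not a substitute for reading the whole file.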
3) IP forwarding
[root@bj-vpnserver ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@bj-vpnserver ~]# sysctl -p

Forwarding alone only lets packets leave the tunnel. For the pushed routes to work, hosts on 192.168.10.0/24 and 192.168.20.0/24 must have a return route for 10.8.0.0/24 pointing at the VPN server, or the server must source-NAT tunnel traffic onto its internal address.
4) Start bj-vpnserver
[root@bj-vpnserver ~]# service openvpn start
[root@bj-vpnserver ~]# chkconfig openvpn on
[root@bj-vpnserver ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:ea:e7:d3 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.254/24 brd 192.168.10.255 scope global eth0
inet6 fe80::5054:ff:feea:e7d3/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:5f:6b:73 brd ff:ff:ff:ff:ff:ff
inet 20.20.20.1/24 brd 20.20.20.255 scope global eth1
inet6 fe80::5054:ff:fe5f:6b73/64 scope link
valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/[65534]
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0

tun0 is the server end of the tunnel. With the server directive, OpenVPN 2.0 uses the net30 topology: the server takes 10.8.0.1 with 10.8.0.2 as its point-to-point peer, and each client receives its own /30 from 10.8.0.4 upward. If tun0 does not appear, or udp/1194 is not listening, read the openvpn.log configured above.