
安裝open-v-p-n軟體

bj-vpnserver配置

安裝openvpn軟體
CA配置
自簽名證書
為 bj-vpnserver 簽發證書
為運維人員簽發證書[可以複用；但多人共用同一張證書時，連線紀錄無法對應到個人，也無法只吊銷其中一人]
bj-vpnserver配置

一、安裝軟體
[[email protected] ~]# yum install openvpn

1.安裝編譯工具gcc g++
yum install gcc
yum install gcc-c++

2.安裝lzo庫
cd /home/download/
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz
tar -xvzf lzo-2.03.tar.gz
#cd lzo-2.03
./configure -prefix=/usr/local/lzo && make && make install
vi /etc/ld.so.conf

編輯完 ld.so.conf（把 lzo 的 lib 目錄，即 /usr/local/lzo/lib，加入其中）後，執行

ldconfig

使動態庫生效

3.安裝openssl
cd /home/download/
wget http://www.openssl.org/source/openssl-0.9.8.tar.gz
#tar -xvzf openssl-0.9.8.tar.gz
./config -prefix=/usr/local/openssl && make && make install

4.安裝openvpn

cd /home/download/
wget http://www.openvpn.net/release/openvpn-2.0.9.tar.gz


tar -xvzf openvpn-2.0.9.tar.gz
cd openvpn-2.0.9
./configure -prefix=/usr/local/openvpn && make && make install

一、CA配置
[[email protected] ~]# cd /usr/share/doc/openvpn-2.0.9/easy-rsa/
[[email protected] ~]# chmod +x *
[[email protected] ~]# vim vars
export KEY_COUNTRY=CN
export KEY_PROVINCE=BJ
export KEY_CITY=BJ
export KEY_ORG="bj-vpnserver"
export KEY_EMAIL="[email protected]"

[[email protected] easy-rsa]# source vars
[[email protected] easy-rsa]# ./clean-all
[[email protected] easy-rsa]# ./build-ca //生成ca私鑰和證書
Common Name (eg, your name or your server's hostname) []:ca

二、為 bj-vpnserver 簽發證書
[[email protected] easy-rsa]# ./build-key-server server //server自定義證書名
Common Name (eg, your name or your server's hostname) []:bj-server

三、為 vpnclient 簽發證書
[[email protected] easy-rsa]# ./build-key client1 //client1自定義證書名
Common Name (eg, your name or your server's hostname) []:client1

四、檢視證書
建立金鑰協商檔案（迪菲·赫爾曼 Diffie-Hellman 參數）。此版本預設產生的是 1024 位元的 dh1024.pem，以現今標準而言偏弱，正式環境建議改產生更長的參數。
[[email protected] easy-rsa]# ./build-dh

檢視相關的證書和私鑰
[[email protected] easy-rsa]# ls keys/
01.pem ca.key client1.key index.txt.attr serial server.csr
02.pem client1.crt dh1024.pem index.txt.attr.old serial.old server.key
ca.crt client1.csr index.txt index.txt.old server.crt

五、配置bj-vpnserver
1、檢查相應的金鑰檔案
[[email protected] keys]# pwd
/usr/share/doc/openvpn-2.0.9/easy-rsa/keys
[[email protected] keys]# cp ca.crt server.key server.crt dh1024.pem /etc/openvpn/
[[email protected] keys]# ls /etc/openvpn/
ca.crt dh1024.pem server.crt server.key

  1. server.conf [自定義]
    [[email protected] keys]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/
    [[email protected] keys]# vim /etc/openvpn/server.conf
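    # /etc/openvpn/server.conf for bj-vpnserver, derived from the shipped
    # sample-config-files/server.conf. OpenVPN only recognises '#' and ';' as
    # comment markers, so trailing notes use '#' (the original '//' notes would
    # have been parsed as extra arguments to the directive on that line).
    local 20.20.20.1            # address the VPN service listens on (eth1 in this setup)
    port 1194
    proto udp
    dev tun
    # PKI files copied from easy-rsa/keys; note that ca.key is NOT copied to this host
    ca ca.crt
    cert server.crt
    key server.key
    dh dh1024.pem               # NOTE(review): 1024-bit DH parameters are weak by current standards; regenerate with a larger size for production
    server 10.8.0.0 255.255.255.0    # tun tunnel network
    ifconfig-pool-persist ipp.txt
    ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
    push "route 192.168.10.0 255.255.255.0"   # route to Beijing internal network 1 for all clients
    push "route 192.168.20.0 255.255.255.0"   # route to Beijing internal network 2 for all clients
    client-config-dir ccd
    ;route 10.9.0.0 255.255.255.252
    ;learn-address ./script
    ;push "redirect-gateway"
    ;push "dhcp-option DNS 10.8.0.1"
    ;push "dhcp-option WINS 10.8.0.1"
    ;client-to-client
    ;duplicate-cn               # whether one certificate may be used by several clients at once (left disabled)
    keepalive 10 120
    # NOTE(review): tls-auth is left disabled below, so the control channel has no
    # additional HMAC check; generating ta.key and enabling it is recommended.
    ;tls-auth ta.key 0 # This file is secret
    # NOTE(review): no cipher line is active, so the default BF-CBC (a 64-bit block
    # cipher) applies; prefer one of the AES options for new deployments.
    ;cipher BF-CBC # Blowfish (default)
    ;cipher AES-128-CBC # AES
    ;cipher DES-EDE3-CBC # Triple-DES
    comp-lzo
    max-clients 100
    # drop root privileges after start-up
    user nobody
    group nobody
    persist-key
    persist-tun
    status openvpn-status.log
    log openvpn.log
    verb 3
    mute 20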

  2. 路由轉發
    [[email protected] ~]# vim /etc/sysctl.conf
    net.ipv4.ip_forward = 1
    [[email protected] ~]# sysctl -p

  3. 啟動bj-vpnserver
    [[email protected] ~]# service openvpn start
    [[email protected] ~]# chkconfig openvpn on

[[email protected] ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:ea:e7:d3 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.254/24 brd 192.168.10.255 scope global eth0
inet6 fe80::5054:ff:feea:e7d3/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:5f:6b:73 brd ff:ff:ff:ff:ff:ff
inet 20.20.20.1/24 brd 20.20.20.255 scope global eth1
inet6 fe80::5054:ff:fe5f:6b73/64 scope link
valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/[65534]
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0