Notes on installing and using OpenVPN on Linux (Debian)

First, download openvpn-2.3.5.tar.gz and easy-rsa-release-2.x.zip from the OpenVPN website (reaching the official site requires getting around the firewall).

Before installing OpenVPN you must make sure the system already has a C compiler (for example gcc), OpenSSL, LZO (a lossless compression library) and PAM (Pluggable Authentication Modules). The commands are:

apt-get install libssl-dev
apt-get install liblzo2-dev
apt-get install libpam0g-dev

When I ran them, I got the following prompt:

Debian GNU/Linux 7.7.0 _Wheezy_ - Official amd64 DVD Binary-1 20141018-13:06
in the drive /media/cdrom/ and press enter

The apt sources were not configured correctly, so I edited /etc/apt/sources.list and commented out the line beginning with deb cdrom:.

Running the command again still failed with "no package available". How could that be? Looking at the sources again, there was only one entry, so I found an Aliyun mirror online and added it:

deb http://security.debian.org/ wheezy/updates main contrib
deb-src http://security.debian.org/ wheezy/updates main contrib
deb http://mirrors.aliyun.com/debian/ squeeze main non-free contrib
deb http://mirrors.aliyun.com/debian/ squeeze-proposed-updates main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ squeeze main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ squeeze-proposed-updates main non-free contrib

Then run

apt-get update

and re-run the prerequisite installation; this time it went through without any problems.

Next comes OpenVPN itself. Put openvpn-2.3.5.tar.gz and easy-rsa-release-2.x.zip into the /opt folder and extract them:

tar zxvf openvpn-2.3.5.tar.gz
unzip -q easy-rsa-release-2.x.zip

Compile and install:

# change into the extracted openvpn directory
cd openvpn-2.3.5
# run configure
./configure
# compile
make
# install
make install

Copy the easy-rsa directory into the OpenVPN source directory:

cp /opt/easy-rsa-release-2.x/easy-rsa/ /opt/openvpn-2.3.5 -r

Now generate the certificates.

Enter the 2.0 directory:

cd /opt/openvpn-2.3.5/easy-rsa/2.0/

Generate the CA certificate:

root@AY140717173001562d75Z:/opt/openvpn-2.3.5/easy-rsa/2.0# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /opt/openvpn-2.3.5/easy-rsa/2.0/keys
 ./clean-all
root@AY140717173001562d75Z:/opt/openvpn-2.3.5/easy-rsa/2.0# ./build-ca
Generating a 1024 bit RSA private key
..............++++++
.........++++++
writing new private key to ca.key
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ., the field will be left blank.
-----
Country Name (2 letter code) [cn]:
State or Province Name (full name) [zj]:
Locality Name (eg, city) [hz]:
Organization Name (eg, company) [goland]:
Organizational Unit Name (eg, section) [goland]:
Common Name (eg, your name or your servers hostname) [goland CA]:goland
Name [EasyRSA]:
Email Address [[email protected]]:

This creates a keys folder under the 2.0 directory containing ca.crt and ca.key.

root@AY140717173001562d75Z:/opt/openvpn-2.3.5/easy-rsa/2.0# ls keys/
ca.crt  ca.key  index.txt  serial 

Generate the server certificate:

root@AY140717173001562d75Z:/opt/openvpn-2.3.5/easy-rsa/2.0# ./build-key-server server
Generating a 1024 bit RSA private key
.........................++++++
.....++++++
writing new private key to server.key
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ., the field will be left blank.
-----
Country Name (2 letter code) [cn]:
State or Province Name (full name) [zj]:
Locality Name (eg, city) [hz]:
Organization Name (eg, company) [goland]:
Organizational Unit Name (eg, section) [goland]:
Common Name (eg, your name or your servers hostname) [server]:server
Name [EasyRSA]:
Email Address [[email protected]]:

Please enter the following extra attributes
to be sent with your certificate request
A challenge password []:********
An optional company name []:goland
Using configuration from /opt/openvpn-2.3.5/easy-rsa/2.0/openssl-0.9.8.cnf
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:cn
stateOrProvinceName   :PRINTABLE:zj
localityName          :PRINTABLE:hz
organizationName      :PRINTABLE:goland
organizationalUnitName:PRINTABLE:goland
commonName            :PRINTABLE:server
name                  :PRINTABLE:EasyRSA
emailAddress          :IA5STRING:[email protected]
Certificate is to be certified until Feb  6 04:44:03 2025 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generate the client certificate:

root@AY140717173001562d75Z:/opt/openvpn-2.3.5/easy-rsa/2.0# ./build-key client1
Generating a 1024 bit RSA private key
........++++++
.......................++++++
writing new private key to client1.key
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ., the field will be left blank.
-----
Country Name (2 letter code) [cn]:
State or Province Name (full name) [zj]:
Locality Name (eg, city) [hz]:
Organization Name (eg, company) [goland]:
Organizational Unit Name (eg, section) [goland]:
Common Name (eg, your name or your servers hostname) [client1]:client1
Name [EasyRSA]:
Email Address [[email protected]]:

Please enter the following extra attributes
to be sent with your certificate request
A challenge password []:********
An optional company name []:goland
Using configuration from /opt/openvpn-2.3.5/easy-rsa/2.0/openssl-0.9.8.cnf
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:cn
stateOrProvinceName   :PRINTABLE:zj
localityName          :PRINTABLE:hz
organizationName      :PRINTABLE:goland
organizationalUnitName:PRINTABLE:goland
commonName            :PRINTABLE:client1
name                  :PRINTABLE:EasyRSA
emailAddress          :IA5STRING:[email protected]
Certificate is to be certified until Feb  6 04:46:10 2025 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generate the Diffie-Hellman parameters (Diffie-Hellman key exchange is a protocol for agreeing on the shared secret that is then used to encrypt the data):

root@AY140717173001562d75Z:/opt/openvpn-2.3.5/easy-rsa/2.0# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...........................................+......................................................+.....................+.....................................................+.............+............................+....................+..................+.......+............+..............+.............................................................................................+...................................................................................+.......+..................................+.........................................................................................+.+.........................................................+...................................................................................................+.................+.................................................+.....+..+.....+.+..................+...............................................................+...................................................................................................................................................++*++*++*

Generate the TLS-auth key (it defends against DoS and UDP port flooding attacks):

root@AY140717173001562d75Z:/opt/openvpn-2.3.5/easy-rsa/2.0# openvpn --genkey --secret keys/ta.key
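Before copying anything off the server it is worth checking what easy-rsa actually produced. The script below is an added example and not part of the original post; verify_pki and key_bits are hypothetical helper names, and it assumes a modern openssl binary on PATH and the keys/ layout shown above (ca, server and client certificates plus ta.key).

```shell
#!/bin/sh
# Sanity-check an easy-rsa 2.x keys/ directory before the files are deployed.
# Usage: verify_pki /opt/openvpn-2.3.5/easy-rsa/2.0/keys client1

# Print the RSA key size (in bits) of the certificate given as $1.
key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

verify_pki() {
    keys="$1"; client="$2"; rc=0
    # 1. server and client certificates must chain to the CA built by ./build-ca
    for name in server "$client"; do
        openssl verify -CAfile "$keys/ca.crt" "$keys/$name.crt" >/dev/null 2>&1 \
            || { echo "FAIL: $name.crt does not chain to ca.crt"; rc=1; }
    done
    # 2. every private key must belong to its certificate (compare public keys)
    for name in ca server "$client"; do
        c=$(openssl x509 -in "$keys/$name.crt" -noout -pubkey 2>/dev/null)
        k=$(openssl pkey -in "$keys/$name.key" -pubout 2>/dev/null)
        [ -n "$c" ] && [ "$c" = "$k" ] \
            || { echo "FAIL: $name.key does not match $name.crt"; rc=1; }
    done
    # 3. only the cert from ./build-key-server carries the serverAuth EKU;
    #    clients using 'remote-cert-tls server' rely on it, and a client cert
    #    that also carried it could pose as the server
    srv='TLS Web Server Authentication'
    openssl x509 -in "$keys/server.crt" -noout -text 2>/dev/null | grep -q "$srv" \
        || { echo "FAIL: server.crt lacks the server extension"; rc=1; }
    openssl x509 -in "$keys/$client.crt" -noout -text 2>/dev/null | grep -q "$srv" \
        && { echo "FAIL: $client.crt is marked as a server certificate"; rc=1; }
    # 4. ta.key must be the static key written by 'openvpn --genkey --secret'
    grep -q 'OpenVPN Static key' "$keys/ta.key" 2>/dev/null \
        || { echo "FAIL: ta.key missing or malformed"; rc=1; }
    # 5. 1024-bit RSA (the default seen in the transcript above) is weak today;
    #    set KEY_SIZE=2048 in vars before ./build-ca (warning only, not a failure)
    for name in ca server "$client"; do
        bits=$(key_bits "$keys/$name.crt")
        [ "${bits:-0}" -ge 2048 ] || echo "WARN: $name.crt uses a ${bits:-?}-bit key"
    done
    [ "$rc" -eq 0 ] && echo "PKI check passed for server and $client"
    return $rc
}
```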

At this point the files needed on the server are as follows.

The server's config folder needs these 8 files:
server.conf (server.ovpn on Windows)
server.crt
server.csr
server.key
ca.crt
ca.key
dh1024.pem (the name follows the key length, 1024 or 2048)
ta.key

The files needed on the client are as follows.

The client's config folder needs these 8 files:
ca.crt
ca.key
client.conf (client.ovpn on Windows)
dh1024.pem
ta.key
client.crt
client.csr
client.key

All of these files are generated on the server. ca.crt, ca.key and dh1024.pem are the same files on the server and on the client.

When another client needs to be added, run the following in the server's easy-rsa directory:
source vars
./build-key client-XX
then hand the three generated client-XX files, together with the other four files that already exist, to the client.

When editing the client .ovpn file, use the server's .ovpn file as a reference and make sure the protocol settings are the same.
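The last two steps (building an extra client and writing a client .ovpn that matches the server) can be scripted; the example below is added here and is not from the original post. It assumes the hypothetical helper names make_client_bundle and bundle_is_clean, a placeholder server hostname, and that the client's cert and key were already built with ./build-key; it deliberately copies only ca.crt, the client's own cert and key, and ta.key, because ca.key and the DH parameters are server-side material a client never needs.

```shell
#!/bin/sh
# Package exactly the files a new OpenVPN client needs, plus a matching .ovpn.
# Usage: make_client_bundle KEYS_DIR CLIENT OUT_DIR SERVER_HOST [PORT] [PROTO]
#   e.g. make_client_bundle /opt/openvpn-2.3.5/easy-rsa/2.0/keys client1 \
#            /tmp/client1 vpn.example.com 1194 udp      (hostname is a placeholder)

make_client_bundle() {
    keys="$1"; client="$2"; out="$3"; host="$4"; port="${5:-1194}"; proto="${6:-udp}"
    # Only these four files leave the server. ca.key stays behind because anyone
    # holding it can mint certificates the server will accept; dh1024.pem is used
    # by the server side of the handshake only.
    for f in ca.crt "$client.crt" "$client.key" ta.key; do
        [ -f "$keys/$f" ] || { echo "missing $keys/$f" >&2; return 1; }
    done
    mkdir -p "$out"
    for f in ca.crt "$client.crt" "$client.key" ta.key; do
        cp "$keys/$f" "$out/$f"
    done
    # Secret material is readable by its owner only.
    chmod 600 "$out/$client.key" "$out/ta.key"
    # Client config: proto and port must match the server's config.
    # 'tls-auth ... 1' is the client direction (the server side uses 0) and
    # 'remote-cert-tls server' rejects a peer whose cert lacks the server extension.
    cat > "$out/$client.ovpn" <<EOF
client
dev tun
proto $proto
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert $client.crt
key $client.key
tls-auth ta.key 1
remote-cert-tls server
verb 3
EOF
    echo "bundle written to $out"
}

# Succeeds only if the bundle carries no server-only secret.
bundle_is_clean() {
    [ ! -e "$1/ca.key" ] && [ ! -e "$1/dh1024.pem" ] && [ ! -e "$1/dh2048.pem" ]
}
```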

The machine suddenly crashed; to be continued.
