Notes on installing and using OpenVPN on Linux (Debian)
First, download openvpn-2.3.5.tar.gz and easy-rsa-release-2.x.zip from the official OpenVPN site (reaching the official site from here needs a way around the firewall).
Before installing OpenVPN you must first make sure a C compiler (e.g. gcc), OpenSSL, LZO (a lossless compression library) and PAM (Pluggable Authentication Modules) are installed on the system. When I ran the installs I got the prompt shown below.
The commands are:
apt-get install libssl-dev
apt-get install liblzo2-dev
apt-get install libpam0g-dev
'Debian GNU/Linux 7.7.0 _Wheezy_ - Official amd64 DVD Binary-1 20141018-13:06' in the drive '/media/cdrom/' and press enter
The apt sources were not configured correctly, so I edited /etc/apt/sources.list and commented out the line beginning with deb cdrom:.
Running the command again still failed with "no package available". How could that be? I looked at the sources again: there was only one entry, so I found an Aliyun mirror online and added it:
deb http://security.debian.org/ wheezy/updates main contrib
deb-src http://security.debian.org/ wheezy/updates main contrib
deb http://mirrors.aliyun.com/debian/ squeeze main non-free contrib
deb http://mirrors.aliyun.com/debian/ squeeze-proposed-updates main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ squeeze main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ squeeze-proposed-updates main non-free contrib
Note that the Aliyun lines name squeeze (Debian 6) while this machine runs wheezy (Debian 7). The suite in every line should match the installed release (wheezy here); otherwise apt mixes packages from one release with security updates from another.
Then run
apt-get update
and run the prerequisite installs again; this time they went through without trouble.
Now for OpenVPN itself. Put openvpn-2.3.5.tar.gz and easy-rsa-release-2.x.zip in /opt and unpack them:
tar zxvf openvpn-2.3.5.tar.gz
unzip -q easy-rsa-release-2.x.zip
Compile and install:
# change into the unpacked openvpn directory
cd openvpn-2.3.5
# run configure
./configure
# compile
make
# install
make install
Copy easy-rsa into the OpenVPN source directory:
cp -r /opt/easy-rsa-release-2.x/easy-rsa/ /opt/openvpn-2.3.5
Start generating certificates.
Enter the 2.0 directory:
cd /opt/openvpn-2.3.5/easy-rsa/2.0/
Generate the CA certificate. Two things to know before running the scripts: vars in easy-rsa 2.0 ships with export KEY_SIZE=1024, which is why every key below is 1024-bit RSA; change it to export KEY_SIZE=2048 before source vars (the DH file is then written as dh2048.pem). And ./clean-all wipes the keys/ directory, so run it only once, before the CA exists.
root@AY140717173001562d75Z:/opt/openvpn-2.3.5/easy-rsa/2.0# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /opt/openvpn-2.3.5/easy-rsa/2.0/keys
./clean-all
root@AY140717173001562d75Z:/opt/openvpn-2.3.5/easy-rsa/2.0# ./build-ca
Generating a 1024 bit RSA private key
..............++++++
.........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [cn]:
State or Province Name (full name) [zj]:
Locality Name (eg, city) [hz]:
Organization Name (eg, company) [goland]:
Organizational Unit Name (eg, section) [goland]:
Common Name (eg, your name or your server's hostname) [goland CA]:goland
Name [EasyRSA]:
Email Address [[email protected]]:
A keys folder is created under the 2.0 directory, containing ca.crt and ca.key:
root@AY140717173001562d75Z:/opt/openvpn-2.3.5/easy-rsa/2.0# ls keys/
ca.crt  ca.key  index.txt  serial
Generate the server certificate. The "challenge password" prompted for below is only an attribute in the signing request; build-key-server writes server.key unencrypted (use build-key-server's -pass variant, build-key-pass, if you want a passphrase-protected key).
root@AY140717173001562d75Z:/opt/openvpn-2.3.5/easy-rsa/2.0# ./build-key-server server
Generating a 1024 bit RSA private key
.........................++++++
.....++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [cn]:
State or Province Name (full name) [zj]:
Locality Name (eg, city) [hz]:
Organization Name (eg, company) [goland]:
Organizational Unit Name (eg, section) [goland]:
Common Name (eg, your name or your server's hostname) [server]:server
Name [EasyRSA]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:********
An optional company name []:goland
Using configuration from /opt/openvpn-2.3.5/easy-rsa/2.0/openssl-0.9.8.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'cn'
stateOrProvinceName   :PRINTABLE:'zj'
localityName          :PRINTABLE:'hz'
organizationName      :PRINTABLE:'goland'
organizationalUnitName:PRINTABLE:'goland'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Feb  6 04:44:03 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate the client certificate:
root@AY140717173001562d75Z:/opt/openvpn-2.3.5/easy-rsa/2.0# ./build-key client1
Generating a 1024 bit RSA private key
........++++++
.......................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [cn]:
State or Province Name (full name) [zj]:
Locality Name (eg, city) [hz]:
Organization Name (eg, company) [goland]:
Organizational Unit Name (eg, section) [goland]:
Common Name (eg, your name or your server's hostname) [client1]:client1
Name [EasyRSA]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:********
An optional company name []:goland
Using configuration from /opt/openvpn-2.3.5/easy-rsa/2.0/openssl-0.9.8.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'cn'
stateOrProvinceName   :PRINTABLE:'zj'
localityName          :PRINTABLE:'hz'
organizationName      :PRINTABLE:'goland'
organizationalUnitName:PRINTABLE:'goland'
commonName            :PRINTABLE:'client1'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Feb  6 04:46:10 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate the Diffie-Hellman parameters. These are used for the ephemeral key agreement inside the TLS handshake; the file holds a public safe prime and generator, not a secret, so it only needs to live on the server. With KEY_SIZE=1024 it is written as keys/dh1024.pem.
root@AY140717173001562d75Z:/opt/openvpn-2.3.5/easy-rsa/2.0# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.....+.....+..... (progress output trimmed) .....++*++*++*
Generate the tls-auth key (a shared HMAC key; the server drops any packet not carrying a valid HMAC before doing any TLS work, which blunts DoS and UDP port-flooding attacks):
root@AY140717173001562d75Z:/opt/openvpn-2.3.5/easy-rsa/2.0# openvpn --genkey --secret keys/ta.key
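As an added example (not commands from the post), the same CA / server / client issuance done directly with openssl, which is what easy-rsa 2.0's build-ca, build-key-server and build-key scripts drive under the hood. It deliberately differs from the run above in two ways: 2048-bit keys instead of the vars default of 1024, and explicit extendedKeyUsage on each leaf certificate so a client can enforce remote-cert-tls server. The subject fields reuse the page's defaults, the output directory is a temporary one, and build-dh / ta.key are left out (openssl dhparam is slow and --genkey needs the openvpn binary); generate those as shown on the page.

```shell
#!/bin/sh
# Added example: openssl equivalent of easy-rsa 2.0's build-ca, build-key-server
# and build-key, with 2048-bit keys and explicit EKUs, plus the sanity checks to
# run before copying anything off the box. Not the page's own commands.
set -e

# Subject fields follow the page's easy-rsa defaults (cn/zj/hz/goland).
SUBJ_BASE="/C=CN/ST=zj/L=hz/O=goland/OU=goland"

build_pki() {
    dir="$1"
    mkdir -p "$dir"
    (
        cd "$dir"
        # CA: self-signed, 10 years. Unencrypted here for the demo; in real use
        # protect ca.key with a passphrase and keep it off the VPN server.
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
            -keyout ca.key -out ca.crt -subj "$SUBJ_BASE/CN=goland CA" 2>/dev/null

        # Server: CSR, then sign with the CA adding serverAuth (the "server"
        # extension section build-key-server selects in openssl-*.cnf).
        printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > server.ext
        openssl req -newkey rsa:2048 -nodes -sha256 -keyout server.key \
            -out server.csr -subj "$SUBJ_BASE/CN=server" 2>/dev/null
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 3650 -sha256 -extfile server.ext -out server.crt 2>/dev/null

        # Client: same flow with clientAuth only.
        printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > client.ext
        openssl req -newkey rsa:2048 -nodes -sha256 -keyout client1.key \
            -out client1.csr -subj "$SUBJ_BASE/CN=client1" 2>/dev/null
        openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 3650 -sha256 -extfile client.ext -out client1.crt 2>/dev/null

        chmod 600 ca.key server.key client1.key
        # DH parameters would be: openssl dhparam -out dh2048.pem 2048
    )
}

# Checks worth running on keys/ whether it came from easy-rsa or from here.
check_pki() {
    dir="$1"
    # 1. Both leaf certificates chain to ca.crt.
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null || return 1
    openssl verify -CAfile "$dir/ca.crt" "$dir/client1.crt" >/dev/null || return 1
    # 2. No 1024-bit key slipped through (KEY_SIZE left at its default).
    for k in ca server client1; do
        openssl rsa -in "$dir/$k.key" -noout -text 2>/dev/null | head -n 1 \
            | grep -q '2048 bit' || return 1
    done
    # 3. Only the server cert may be used as a server (remote-cert-tls server).
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q 'TLS Web Server Authentication' || return 1
    openssl x509 -in "$dir/client1.crt" -noout -text | grep -q 'TLS Web Server Authentication' && return 1
    # 4. CN matches the file name, easy-rsa's naming convention.
    openssl x509 -in "$dir/server.crt" -noout -subject | grep -q 'CN *= *server' || return 1
    return 0
}

WORK=$(mktemp -d)
build_pki "$WORK"
check_pki "$WORK" && echo "PKI in $WORK passes all checks"
```

The verify step is the one to keep: it catches a server.crt that was signed by a different CA (a stale keys/ directory after a second ./clean-all) before any client is handed a bundle that will never connect.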
At this point the files the server needs are as follows.
The server's config folder holds these 8 files:
server.conf (server.ovpn on Windows)
server.crt
server.csr
server.key
ca.crt
ca.key
dh1024.pem (named after the key size, 1024 or 2048)
ta.key
Only server.conf, server.crt, server.key, ca.crt, dh1024.pem and ta.key are used at runtime. server.csr is just the signing request, and ca.key is the CA's signing key: it is only needed when issuing new certificates and is best kept off the VPN server altogether.
The client needs the following files.
The client's config folder holds these 5 files:
ca.crt
client.conf (client.ovpn on Windows)
ta.key
client.crt
client.key
All of them are generated on the server. ca.crt and ta.key are the same file on server and client. Do not copy ca.key to a client: it is the CA's private key, and whoever holds it can sign certificates the server will accept. dh1024.pem is used only by the server, and client.csr is just the signing request, unnecessary once client.crt exists.
To add another client, run in the server's easy-rsa directory:
source vars
./build-key client-XX
then copy the newly generated client-XX.crt and client-XX.key, together with the existing ca.crt and ta.key, to the client. Write the client's ovpn file by reference to the server's ovpn file, making sure the protocol (and port) match.
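An added example, not code from the original post, that automates exactly this hand-off: it copies a client's files out of keys/ (refusing ca.key and the other server-only files), reads proto/port/dev/cipher/tls-auth from server.conf so the two sides agree, and renders a single inline .ovpn. It assumes keys/ is laid out as easy-rsa 2.0 leaves it, that server.conf is the plain text OpenVPN config, and that the caller supplies the server's public name; the PEM bodies in demo() are constructed placeholders, not key material.

```python
"""Build a client .ovpn from an easy-rsa 2.0 keys/ directory (added example)."""
import shutil
import tempfile
from pathlib import Path

# Present in keys/ but never to be copied to a client. ca.key in particular is
# the CA signing key: whoever holds it can issue certificates the server trusts.
SERVER_ONLY = {"ca.key", "server.key", "server.csr", "server.crt",
               "dh1024.pem", "dh2048.pem", "index.txt", "serial"}


def client_files(client):
    """The four files a client actually needs."""
    return ["ca.crt", f"{client}.crt", f"{client}.key", "ta.key"]


def copy_bundle(keys_dir, dest_dir, names):
    """Copy `names` from keys/ to dest_dir, refusing server-only files.

    Validation runs before any copy so a bad list leaves nothing behind.
    """
    bad = sorted(set(names) & SERVER_ONLY)
    if bad:
        raise ValueError(f"refusing to ship server-only file(s): {', '.join(bad)}")
    keys_dir, dest_dir = Path(keys_dir), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    for name in names:
        shutil.copyfile(keys_dir / name, dest_dir / name)
        (dest_dir / name).chmod(0o600)  # the private key travels in this bundle
    return list(names)


def parse_server_conf(text):
    """Return {directive: [args]} for the server settings a client must mirror.

    '#' and ';' start comments, as in OpenVPN's own sample configs.
    """
    mirror = {"proto", "port", "dev", "cipher", "auth", "comp-lzo", "tls-auth"}
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key in mirror:
            conf[key] = args
    return conf


def build_client_ovpn(bundle_dir, client, server_host, server_conf):
    """Render a single-file client config with the PEM files inlined."""
    bundle_dir = Path(bundle_dir)
    conf = parse_server_conf(server_conf)
    lines = [
        "client",
        f"dev {conf.get('dev', ['tun'])[0]}",
        f"proto {conf.get('proto', ['udp'])[0]}",  # must equal the server's
        f"remote {server_host} {conf.get('port', ['1194'])[0]}",
        "resolv-retry infinite", "nobind", "persist-key", "persist-tun",
        # build-key-server marks server.crt as a server certificate; make the
        # client check it so a stolen client cert cannot pose as the server.
        "remote-cert-tls server",
        "verb 3",
    ]
    for directive in ("cipher", "auth"):
        if directive in conf:
            lines.append(f"{directive} {conf[directive][0]}")
    if "comp-lzo" in conf:
        lines.append("comp-lzo")
    inline = {"ca": "ca.crt", "cert": f"{client}.crt", "key": f"{client}.key"}
    if "tls-auth" in conf:
        lines.append("key-direction 1")  # server.conf says "tls-auth ta.key 0"
        inline["tls-auth"] = "ta.key"
    for tag, fname in inline.items():
        pem = (bundle_dir / fname).read_text().strip()
        lines.append(f"<{tag}>\n{pem}\n</{tag}>")
    return "\n".join(lines) + "\n"


def demo():
    """Run the flow on constructed placeholder files; returns the .ovpn text."""
    root = Path(tempfile.mkdtemp())
    keys = root / "keys"
    keys.mkdir()

    def pem(kind, body):  # constructed stand-in, not real key material
        return f"-----BEGIN {kind}-----\n{body}\n-----END {kind}-----\n"

    (keys / "ca.crt").write_text(pem("CERTIFICATE", "CA-CERT-PLACEHOLDER"))
    (keys / "ca.key").write_text(pem("RSA PRIVATE KEY", "CA-KEY-PLACEHOLDER"))
    (keys / "client1.crt").write_text(pem("CERTIFICATE", "CLIENT1-CERT-PLACEHOLDER"))
    (keys / "client1.key").write_text(pem("RSA PRIVATE KEY", "CLIENT1-KEY-PLACEHOLDER"))
    (keys / "ta.key").write_text(pem("OpenVPN Static key V1", "TA-KEY-PLACEHOLDER"))
    server_conf = ("port 1194\nproto udp\ndev tun\ncipher AES-256-CBC\n"
                   "tls-auth ta.key 0 # server side is direction 0\n"
                   ";comp-lzo\n")  # commented out: client must not enable it
    copy_bundle(keys, root / "client1", client_files("client1"))
    return build_client_ovpn(root / "client1", "client1", "vpn.example.com", server_conf)


if __name__ == "__main__":
    print(demo())
```

Passing the page's original 8-file client list to copy_bundle raises before anything is copied, which is the behaviour you want from a script that is going to be run for every new user.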
The machine suddenly crashed; to be continued.