Installing OpenVPN
3.1 server
# Install lzo
Download the lzo*.tar.gz package from the project website
tar -zxvf lzo*.tar.gz
cd lzo*
./configure
make && make install
# Install openvpn
cd /usr/local/src
wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
tar -zxvf openvpn-2.0.9.tar.gz
cd openvpn-2.0.9
./configure
make && make install
# Copy the sample configuration files
cp -r /usr/local/src/openvpn-2.0.9/ /etc/openvpn/
cp -r /usr/local/src/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/
# Set up the CA environment
cd /etc/openvpn/easy-rsa/ // of course you can also leave this out
vi vars
export KEY_COUNTRY=TW
export KEY_PROVINCE=Taiwan
export KEY_CITY=Tainan
export KEY_ORG="Study-Area"
export KEY_EMAIL="netman@study-area.org"
. ./vars
./clean-all
# Create the root CA
./build-ca
Generating a 1024 bit RSA private key
......++++++
................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [Taiwan]:
Locality Name (eg, city) [Tainan]:
Organization Name (eg, company) [Study-Area]:
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:CA
Email Address [netman@study-area.org]:
# Create the server key and crt
./build-key-server ovpnsrv1
Generating a 1024 bit RSA private key
............................++++++
....++++++
writing new private key to 'ovpnsrv1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [Taiwan]:
Locality Name (eg, city) [Tainan]:
Organization Name (eg, company) [Study-Area]:
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:ovpnsrv1
Email Address [netman@study-area.org]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'TW'
stateOrProvinceName :PRINTABLE:'Taiwan'
localityName :PRINTABLE:'Tainan'
organizationName :PRINTABLE:'Study-Area'
organizationalUnitName:PRINTABLE:'test'
commonName :PRINTABLE:'ovpnsrv1'
emailAddress :IA5STRING:'netman@study-area.org'
Certificate is to be certified until Sep 7 20:36:58 2015 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# Create the Diffie-Hellman parameters
./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..................................+............................................
..+............................................................................
...................+....................................+......................
.......................+...
# Install the CA files the server needs
cp keys/ca.crt ../
cp keys/dh1024.pem ../
cp keys/ovpnsrv1.key ../
cp keys/ovpnsrv1.crt ../
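Before these files are trusted on the server, it is worth confirming that ovpnsrv1.crt was really signed by ca.crt and that ovpnsrv1.key is the key that belongs to that certificate; a mismatch here is the usual cause of TLS errors at the first client connection. The checks below are an added example, not part of the original tutorial, and use only the openssl command line (1.1 or 3.x). make_demo_pki is a constructed stand-in that builds a throw-away CA and server certificate with plain openssl, so the checks can be run without easy-rsa; the file names follow the tutorial.

```shell
#!/bin/sh
# Added example, not from the original tutorial: verify the material that
# ./build-ca and ./build-key-server produced before it goes into /etc/openvpn.
# Assumes the openssl CLI is installed; run it inside easy-rsa/keys.

# Does the server certificate chain to this CA?
# openssl verify prints "<file>: OK" and exits 0 only when it does.
cert_chains_to_ca() {    # cert_chains_to_ca ca.crt ovpnsrv1.crt
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Do the private key and the certificate belong together?
# For RSA keys the modulus printed from both files must be identical.
key_matches_cert() {     # key_matches_cert ovpnsrv1.key ovpnsrv1.crt
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed stand-in for ./build-ca and ./build-key-server: a throw-away
# CA and server certificate made with plain openssl in directory $1, plus an
# unrelated key (other.key) so a mismatch can be demonstrated.
make_demo_pki() {        # make_demo_pki /tmp/somedir
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$d/ca.key" -out "$d/ca.crt" \
        -subj "/O=Study-Area/CN=CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$d/ovpnsrv1.key" -out "$d/ovpnsrv1.csr" \
        -subj "/O=Study-Area/CN=ovpnsrv1" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$d/ovpnsrv1.csr" \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/ovpnsrv1.crt" >/dev/null 2>&1
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1
    # private keys are owner-only from the moment they exist
    chmod 600 "$d"/*.key
}

# usage on a real easy-rsa keys directory:
#   cert_chains_to_ca ca.crt ovpnsrv1.crt && key_matches_cert ovpnsrv1.key ovpnsrv1.crt
```

Both functions report only through their exit status, so they can be chained with && in a deployment script; ca.key is deliberately never touched by the checks, since it stays on the CA machine and is not among the files copied to the server.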
# Configure server.conf (leave anything not mentioned as it is)
cd ../
vi server.conf
dev tap
;dev tun
ca ca.crt
cert ovpnsrv1.crt
key ovpnsrv1.key # This file should be kept secret
# Start the openvpn server
// copy /etc/openvpn/sample-scripts/openvpn.init to /etc/init.d/openvpn
chmod 755 /etc/init.d/openvpn
service openvpn restart
chkconfig openvpn on
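A small POSIX sh checker to run before service openvpn restart, added here as an example and not part of the original tutorial. It strips OpenVPN's two comment styles (whole lines starting with ; and trailing # ... comments, as in the key line above), confirms that ca, cert, key and dh each name a file that exists next to server.conf (dh dh1024.pem is the sample server.conf's default, which the dh1024.pem copied above satisfies), that the private key is readable by its owner only, and that the routed server directive and server-bridge from note 4.2 are not both active. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): sanity-check an OpenVPN
# server.conf before starting the service. Assumes POSIX sh with sed, awk
# and stat; file directives are resolved relative to the config's directory,
# as the tutorial keeps everything under /etc/openvpn.

# Print the effective directives: drop ';' comment lines, strip '# ...'
# comments (inline ones too, e.g. "key ovpnsrv1.key # This file should be
# kept secret"), then remove leading whitespace and blank lines.
ovpn_directives() {
    sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*;/d' \
        -e 's/^[[:space:]]*//' -e '/^$/d' "$1"
}

# First argument of directive $2 in config $1, empty if it is not set.
ovpn_get() {
    ovpn_directives "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Exit status 0 when server.conf is deployable, 1 otherwise; every finding
# is printed on its own line so all problems show up in one run.
check_server_conf() {
    conf=$1
    dir=$(dirname "$conf")
    rc=0
    for k in ca cert key dh; do
        f=$(ovpn_get "$conf" "$k")
        if [ -z "$f" ]; then
            echo "missing directive: $k"; rc=1
        elif [ ! -f "$dir/$f" ]; then
            echo "$k file not found: $dir/$f"; rc=1
        fi
    done
    # The private key must stay secret (note 4.4): owner-only access.
    keyf=$(ovpn_get "$conf" key)
    if [ -n "$keyf" ] && [ -f "$dir/$keyf" ]; then
        mode=$(stat -c %a "$dir/$keyf" 2>/dev/null || stat -f %Lp "$dir/$keyf")
        case $mode in
            600|400) ;;
            *) echo "key $keyf has mode $mode, expected 600"; rc=1 ;;
        esac
    fi
    # Routed ('server') and bridged ('server-bridge') modes exclude each
    # other; note 4.2 comments one out when switching to the other.
    n_server=$(ovpn_directives "$conf" | grep -c '^server ' || true)
    n_bridge=$(ovpn_directives "$conf" | grep -c '^server-bridge ' || true)
    if [ "$n_server" -gt 0 ] && [ "$n_bridge" -gt 0 ]; then
        echo "both 'server' and 'server-bridge' are active"; rc=1
    fi
    return $rc
}

# usage: sh check_conf.sh /etc/openvpn/server.conf
[ "$#" -eq 0 ] || check_server_conf "$1"
```

Because the key-mode test accepts only 600 or 400, a key that was copied with cp and inherited 644 from the easy-rsa keys directory is caught before the daemon ever reads it.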
--------------------------
3.2 Client
# Download and install openvpn (GUI version)
http://openvpn.se/files/install_packages/openvpn-2.1_beta7-gui-1.0.3-install.exe
# Set up the environment
cmd.exe
cd "c:\Program Files\OpenVPN\easy-rsa"
copy openssl.cnf.sample openssl.cnf
copy vars.bat.sample vars.bat
edit vars.bat
(The contents must match the server, especially the KEY_ORG entry.)
# Set up the CA environment (client)
vars
# Generate the certificates and keys for the VPN clients; do this on the server
./build-key client1
./build-key client2
./build-key client3
Enter client1, client2 and client3 respectively as the Common Name; the other fields are the same as for the VPN server.
# Install the CA files // on the client
cd ..\config
Download C1.crt and ca.crt from the server into the local OpenVPN config directory // e.g. with winscp
copy ..\easy-rsa\keys\ovpnclt1.key .\ // config directory
# Copy the sample configuration file:
copy ..\sample-config\client.ovpn .\ // config directory
# Configure the client configuration file
Bottom-right corner of the taskbar (OpenVPN GUI tray icon)
Right-click --> Edit Config (leave anything not mentioned as it is)
dev tap
;dev tun
remote 192.168.100.151 1194
ca C:\\keys\\ca.crt
cert C:\\keys\\C1.crt
key C:\\keys\\C1.key
# Set up the openvpn TAP interface
Control Panel --> Network Connections --> TAP-Win32 adapter
Right-click --> Rename --> OpenVPN_Tap
# Start the openvpn client
Bottom-right corner of the taskbar (OpenVPN GUI tray icon)
Right-click --> Connect
# Test
ping 10.8.0.1
C:\Program Files\OpenVPN\easy-rsa>ping 10.8.0.1
Pinging 10.8.0.1 with 32 bytes of data:
Reply from 10.8.0.1: bytes=32 time=1ms TTL=64
Reply from 10.8.0.1: bytes=32 time<1ms TTL=64
Reply from 10.8.0.1: bytes=32 time<1ms TTL=64
Reply from 10.8.0.1: bytes=32 time<1ms TTL=64
Ping statistics for 10.8.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
C:\Program Files\OpenVPN\easy-rsa>
4. Notes:
4.1 To allow clients to connect to each other, enable on the server side:
client-to-client
4.2 To hide the server IP, or to use the server purely as a bridge:
;server 10.3.0.0 255.255.255.0
server-bridge 10.8.0.1 255.255.255.0 10.8.0.129 10.8.0.246
4.3 If the CSR was created by another CA, the Organization (KEY_ORG=) must match; otherwise it cannot be signed.
4.4 CA file distribution:
server:
ca.crt
dh1024.pem
server.crt
server.key # must be kept secret
client:
ca.crt
client.crt
client.key # must be kept secret
CA server:
ca.crt
ca.key # must be kept secret