ubuntu下的OPEN VPN服务器(二)
ubuntu下的OPEN VPN服务器(二)
3、生成证书文件
# Work from /etc/openvpn and take a private copy of the easy-rsa 2.0 scripts.
# The copy matters: editing the vars file under /usr/share would be wiped out
# by a later OpenVPN package upgrade (see the note at the top of vars).
cd /etc/openvpn
cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn
cd 2.0
# Edit vars (the file shown next) before it is sourced; every build-* script
# reads its settings from there.
vi vars
我的vars文件如下:
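# easy-rsa parameter settings
#
# This file is meant to be *sourced* (". ./vars" / "source ./vars") from the
# easy-rsa directory: it only exports environment variables that the build-*
# and clean-all scripts read.  Executing it as a program sets nothing in the
# caller's shell.
#
# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.

# Top level of the easy-rsa tree.  Taken from the current directory, so this
# file must be sourced from inside that directory (cd /etc/openvpn/2.0 first).
export EASY_RSA="$(pwd)"

# Executables used by the scripts.
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"

# The openssl.cnf shipped with easy-rsa; the whichopensslcnf helper picks the
# variant for the installed OpenSSL (presumably by version — see that script).
# Both the helper path and its argument are quoted so a tree path containing
# spaces still works.
export KEY_CONFIG="$("$EASY_RSA/whichopensslcnf" "$EASY_RSA")"

# Directory that will hold every generated key and certificate.
#
# WARNING: clean-all does rm -rf on this directory,
# so make sure you define it correctly!
export KEY_DIR="$EASY_RSA/keys"

# Issue rm -rf warning.  printf with the path as a quoted argument: a value
# containing spaces or glob characters is printed as-is instead of being
# word-split and glob-expanded the way an unquoted echo argument would be.
printf 'NOTE: If you run ./clean-all, I will be doing a rm -rf on %s\n' "$KEY_DIR"

# Key size in bits for the CA, server and client keys; the comment upstream
# ties it to the one-time DH parameter generation as well.
# NOTE(review): 1024-bit keys are below current minimum recommendations and
# 2048 is the stronger setting the upstream comment already suggests.  The
# value is kept at 1024 here only because the rest of this walkthrough refers
# to dh1024.pem by name; if you raise it, the DH file name and the "dh" line
# in server.conf have to change with it.  Larger keys slow down TLS
# negotiation and the DH parameter generation.
export KEY_SIZE=1024

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

# Default values for the subject fields placed in each certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="CN"
export KEY_PROVINCE="Sichuan"
export KEY_CITY="Chengdu"
export KEY_ORG="magic_dreamer"
export KEY_EMAIL="magic_dreamer@126.com"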
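# Load the easy-rsa settings into the *current* shell.  The file has to be
# sourced: running it as a command (./vars) would export the variables only
# inside a throw-away child process -- and normally fails outright, since the
# file is not executable -- so that redundant step is dropped.
source ./vars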
./clean-all 命令清除keys下面的文件
./build-ca 建立CA证书(ca.crt)
输出如下:
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [Sichuan]:Sichuan
Locality Name (eg, city) [Chengdu]:Chengdu
Organization Name (eg, company) [magic_dreamer]:magic_dreamer
Organizational Unit Name (eg, section) []:Carl
Common Name (eg, your name or your server's hostname) [magic_dreamer CA]:sillycat
Email Address [magic_dreamer@126.com]:magic_dreamer@126.com
./build-key-server server
输出如下:
root@kiko:/etc/openvpn/2.0# ./build-key-server server
Generating a 1024 bit RSA private key
...................++++++
...................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [Sichuan]:Sichuan
Locality Name (eg, city) [Chengdu]:Chengdu
Organization Name (eg, company) [magic_dreamer]:magic_dreamer
Organizational Unit Name (eg, section) []:Carl
Common Name (eg, your name or your server's hostname) [server]:sillycat
Email Address [magic_dreamer@126.com]:magic_dreamer@126.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:kaishi
An optional company name []:sillycat
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'Sichuan'
localityName :PRINTABLE:'Chengdu'
organizationName :T61STRING:'magic_dreamer'
organizationalUnitName:PRINTABLE:'Carl'
commonName :PRINTABLE:'sillycat'
emailAddress :IA5STRING:'magic_dreamer@126.com'
Certificate is to be certified until Aug 16 09:43:36 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#generate client key with or without password,選擇一種就好了
./build-key-pass kiko
./build-key kiko
输出如下:
root@kiko:/etc/openvpn/2.0# ./build-key-pass kiko
Generating a 1024 bit RSA private key
.....++++++
....................++++++
writing new private key to 'kiko.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [Sichuan]:Sichuan
Locality Name (eg, city) [Chengdu]:Chengdu
Organization Name (eg, company) [magic_dreamer]:magic_dreamer
Organizational Unit Name (eg, section) []:Carl
Common Name (eg, your name or your server's hostname) [kiko]:sillycat
Email Address [magic_dreamer@126.com]:magic_dreamer@126.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:kaishi
An optional company name []:sillycat
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'Sichuan'
localityName :PRINTABLE:'Chengdu'
organizationName :T61STRING:'magic_dreamer'
organizationalUnitName:PRINTABLE:'Carl'
commonName :PRINTABLE:'sillycat'
emailAddress :IA5STRING:'magic_dreamer@126.com'
Certificate is to be certified until Aug 16 09:46:25 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# Generate the Diffie-Hellman parameters; easy-rsa sizes them from KEY_SIZE in
# vars (1024 here, which is why the file below is called dh1024.pem).
./build-dh
# NOTE(review): the manual dhparam run below presumably recreates the file
# build-dh just wrote -- check keys/dh1024.pem after build-dh; if it is
# already there, these three lines are redundant.
cd keys
openssl dhparam -out dh1024.pem 1024
cd ..
# Shared HMAC key for tls-auth.  Note the path: after "cd .." this is written
# to /etc/openvpn/2.0/ta.key, not into keys/ with the other material, and the
# server.conf below only references it on a commented-out "tls-auth" line.
openvpn --genkey --secret ta.key
4、修改服务器端配置文件
# Create the server configuration shown next (in /etc/openvpn/2.0).  Its
# relative paths (ipp.txt, openvpn-status.log) resolve against the working
# directory openvpn is started from, so start it from this directory or use
# absolute paths for them as well.
vi server.conf
# Which local IP address should OpenVPN listen on? (optional)
# Must match the bridge address given to server-bridge below.
local 192.168.50.253
port 1194
# TCP or UDP server?  This walkthrough deliberately switches to TCP; UDP is
# the usual choice and generally performs better, so keep the udp line handy.
#proto udp
proto tcp
# This is key to configuring our bridge: a tap device, so clients get an
# address on the LAN segment instead of a routed subnet.
dev tap0
# Direct these to your generated files (keys/ under the easy-rsa tree).
ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/server.crt
key /etc/openvpn/2.0/keys/server.key
# NOTE(review): 1024-bit DH parameters, matching KEY_SIZE=1024 in vars.  Both
# are below current minimum recommendations; raise them together (the file
# name changes with the size).
dh /etc/openvpn/2.0/keys/dh1024.pem
# Relative path: resolved against the directory openvpn is started from.
ifconfig-pool-persist ipp.txt
# Ensure the range of IP addresses you use in the last two arguments
# of this statement is not in use by either the DHCP server or any other
# device on your internal network.
server-bridge 192.168.50.253 255.255.255.0 192.168.50.240 192.168.50.250
# Needed to allow communication to the internal network; also lets VPN
# clients reach each other through the server, so only keep it if that is
# wanted.
client-to-client
keepalive 10 120
# Encryption - very important ;)
# AES encryption is backed by many security firms;
# however, if you are concerned about speed use Blowfish: "BF-CBC"
cipher AES-128-CBC
# If you have another subnet you need to provide the route
#push "route 173.23.2.0 255.255.255.0"
# Server id protection.
# NOTE(review): ta.key was generated above (openvpn --genkey) but this line is
# commented out, so the HMAC check is not in effect.  To enable it, give the
# absolute path (/etc/openvpn/2.0/ta.key, consistent with the other paths
# here) and add the matching "tls-auth ta.key 1" to every client config.
#tls-auth ta.key 0
# Compression for network speed.
# NOTE(review): compressing data inside an encrypted tunnel is now generally
# discouraged; consider leaving it off unless the clients require it.
comp-lzo
# If packets are too large, fragment them (only really useful if you have an
# old router)
#fragment 1400
# Limit the number of connections
max-clients 5
# Some security settings: drop root privileges after start-up.
# Do not use if running the server on Windows.
user nobody
group nogroup
# Keep the key material and the tap device across restarts, since after the
# privilege drop the process can no longer re-read the key or re-open tap0.
persist-key
persist-tun
# Log file settings (relative path: resolved against the start-up directory)
status openvpn-status.log
verb 3
# Authentication plugin
# Forces the client to have a Linux account in order to connect: the password
# is checked through PAM ("login" stack) in addition to the client certificate.
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
其中需要注意的是 local 的 IP 地址,以及把协议(proto)改成了 TCP
给桥接脚本执行权限
# Make the bridge set-up script executable (the script itself is not shown on
# this page; presumably it was written in the previous part).
chmod +x /etc/init.d/bridge
运行
# Bring up the bridge first: server.conf uses "dev tap0" and the bridge
# address 192.168.50.253, so openvpn needs both to exist before it starts.
/etc/init.d/bridge start
启动
# Start the server with the config above.  Without --daemon it stays in the
# foreground; run it from /etc/openvpn/2.0 so the relative paths in the
# config (ipp.txt, openvpn-status.log) land next to it.
openvpn /etc/openvpn/2.0/server.conf
查看监听端口,确认 1194 端口是否已经在监听
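# Confirm the server is listening.  server.conf says "proto tcp" / "port 1194",
# so list only listening TCP sockets and filter on that port instead of
# scanning every LISTEN line by eye.
netstat -tln | grep ':1194'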