To get one of the company's LAN machines reachable from outside as a test environment, I set up a VPN; no way around it, since finance wouldn't come through.
Reference: http://en.gentoo-wiki.com/wiki/OpenVPN
This mainly uses openvpn.
Official site: http://openvpn.net
First check the kernel configuration:
Device Drivers --->
Network device support --->
[*] Universal TUN/TAP device driver support
(Building the kernel module is omitted here.)
Load the kernel module:
[ccn lang="bash" tab_size="4" theme="blackboard" width="800"]
# modprobe tun
[/ccn]
Check that the module loaded:
[ccn lang="bash" tab_size="4" theme="blackboard" width="800"]
# dmesg | grep TUN
[/ccn]
Install openvpn on gentoo:
[ccn lang="bash" tab_size="4" theme="blackboard" width="800"]
# emerge -av openvpn
[/ccn]
Generate the certificates and keys:
[ccn lang="bash" tab_size="4" theme="blackboard" width="800"]
# cd /usr/share/openvpn/easy-rsa/
# emacs vars
# source ./vars
# ./clean-all
# ./build-ca
Generating a 1024 bit RSA private key
........................++++++
.....++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) []:xm
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:
Name []:wangchao
Email Address [me@myhost.mydomain]:ohergal@gmail.com
# ./build-key-server server
Generating a 1024 bit RSA private key
...........++++++
..++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) []:xm
Common Name (eg, your name or your server's hostname) [server]:
Name []:wangchao
Email Address [me@myhost.mydomain]:ohergal@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1q2w3e4r
An optional company name []:1q2w3e4r
Using configuration from /usr/share/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'xm'
commonName :PRINTABLE:'server'
name :PRINTABLE:'wangchao'
emailAddress :IA5STRING:'ohergal@gmail.com'
Certificate is to be certified until Apr 27 18:47:21 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# ./build-key client
Generating a 1024 bit RSA private key
.++++++
..............++++++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) []:xm
Common Name (eg, your name or your server's hostname) [client]:
Name []:wch
Email Address [me@myhost.mydomain]:wchdev@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1q2w3e4r
An optional company name []:companyname1
Using configuration from /usr/share/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'xm'
commonName :PRINTABLE:'client'
name :PRINTABLE:'wch'
emailAddress :IA5STRING:'wchdev@gmail.com'
Certificate is to be certified until Apr 27 18:49:01 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# ./build-dh
[/ccn]
Copy the keys into place:
[ccn lang="bash" tab_size="4" theme="blackboard" width="800"]
# mkdir -p /etc/openvpn/privnet
# mv /usr/share/openvpn/easy-rsa/keys/* /etc/openvpn/privnet/
# # every time you update openvpn you might lose these files, so creating a backup is a good idea!
# tar czvf /root/openvpn-privnet.tar.gz /etc/openvpn/privnet/
# chmod 700 /root/openvpn-privnet.tar.gz
# chmod 700 /etc/openvpn/privnet
[/ccn]
Configure openvpn:
[ccn lang="bash" tab_size="4" theme="blackboard" width="800"]
# emacs /etc/openvpn/openvpn.conf
port 11194
proto tcp
dev tun
ca privnet/ca.crt
cert privnet/server.crt
key privnet/server.key
dh privnet/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
[/ccn]
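The server config above is the part worth checking before exposing port 11194 to the internet. The following is an added example (not from the original post or the OpenVPN project): a small Python linter that parses an OpenVPN config into directives and flags the points a reviewer would look at, namely a missing tls-auth/tls-crypt HMAC on the control channel, 1024-bit DH parameters, no explicit cipher, no privilege drop, and the client-to-client and comp-lzo settings. The sample config is the post's own server config embedded as a string; the hardened variant adds a `tls-crypt privnet/ta.key` line and `cipher AES-256-GCM`, where `ta.key` is an assumed filename for a key you would generate separately.

```python
"""Lint an OpenVPN server config for common hardening points.

Added example, not part of the original post. The directive names checked
(tls-auth, tls-crypt, cipher, dh, user/group, persist-key/persist-tun) are
real OpenVPN directives; the sample config is the post's own server config.
"""
import re

# Constructed from the post's server config, verbatim.
SAMPLE_SERVER_CONF = """\
port 11194
proto tcp
dev tun
ca privnet/ca.crt
cert privnet/server.crt
key privnet/server.key
dh privnet/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
"""

# Hardened variant: 2048-bit DH, no compression, control-channel encryption
# and an explicit AEAD cipher. privnet/ta.key is an assumed filename.
HARDENED_SERVER_CONF = (
    SAMPLE_SERVER_CONF.replace("dh privnet/dh1024.pem", "dh privnet/dh2048.pem")
    .replace("comp-lzo\n", "")
    + "tls-crypt privnet/ta.key\ncipher AES-256-GCM\n"
)


def parse_openvpn_conf(text):
    """Map each directive to the list of argument lists it appeared with.

    A directive may occur more than once (e.g. several 'push' lines), so every
    occurrence is kept. Comment lines (# or ;) and blank lines are skipped, and
    inline blocks such as <ca>...</ca> are skipped as a unit.
    """
    directives = {}
    in_inline = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_inline:
            if line == f"</{in_inline}>":
                in_inline = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.match(r"<(\w+)>$", line)
        if m:
            in_inline = m.group(1)
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def lint_server_conf(text):
    """Return a list of (severity, message) findings for a server config."""
    d = parse_openvpn_conf(text)
    findings = []
    # Without tls-auth/tls-crypt, unauthenticated packets reach the TLS stack.
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append(("warn", "no tls-auth or tls-crypt: control channel is unprotected"))
    # 1024-bit DH groups are below current recommendations.
    for args in d.get("dh", []):
        if args and "1024" in args[0]:
            findings.append(("warn", f"dh file {args[0]} suggests 1024-bit DH parameters; use 2048 or larger"))
    if "cipher" not in d:
        findings.append(("info", "no explicit cipher: the version-dependent default applies"))
    if "user" not in d or "group" not in d:
        findings.append(("warn", "daemon does not drop privileges (user/group missing)"))
    elif "persist-key" not in d or "persist-tun" not in d:
        findings.append(("warn", "user/group set but persist-key/persist-tun missing; restarts fail after the privilege drop"))
    if "client-to-client" in d:
        findings.append(("info", "client-to-client: VPN clients can reach each other directly"))
    if "comp-lzo" in d:
        findings.append(("info", "comp-lzo: compressing encrypted traffic is discouraged"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_server_conf(SAMPLE_SERVER_CONF):
        print(f"[{severity}] {message}")
```

Run it as-is to see the findings for the post's config; point `lint_server_conf` at your own file contents to check a real deployment. The `info` items are not defects, just settings you should have chosen deliberately (client-to-client in particular is what lets the test machine see other clients).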
Start it and add it to the default runlevel:
[ccn lang="bash" tab_size="4" theme="blackboard" width="800"]
# /etc/init.d/openvpn start
# rc-update add openvpn default
[/ccn]
Configuration on a Linux client
Again, install openvpn first,
then copy the keys and certificates into /etc/openvpn/client/:
[ccn lang="bash" tab_size="4" theme="blackboard" width="800"]
# emerge -av openvpn
# emacs /etc/openvpn/openvpn.conf
client
dev tun
proto tcp
# change this to your server's ip or hostname
remote yourserverip 11194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/client/ca.crt
cert /etc/openvpn/client/client.crt
key /etc/openvpn/client/client.key
log /var/log/openvpn/client.log
status /var/log/openvpn/client-status.log
comp-lzo
verb 3
# mkdir -p /etc/openvpn/client
# mkdir -p /var/log/openvpn
[/ccn]
Copy these three files:
ca.crt
client.crt
client.key
Configuration on a Windows client
Just download and install openvpn; the rest is about the same.
Download: http://openvpn.net/index.php/open-source/downloads.html
Copy these three files:
ca.crt
client.crt
client.key
into
c:\Program Files\OpenVPN\config
Problems encountered along the way
Remember to set the region to your local one when building the CA,
otherwise the CA will not take effect immediately and you have to wait a few hours.
If several clients connect, you need to set
[ccn lang="bash" tab_size="4" theme="blackboard" width="800"]
client-to-client
[/ccn]
You can also assign static IPs.
Add this line to /etc/openvpn/server.conf:
[ccn lang="bash" tab_size="4" theme="blackboard" width="800"]
client-config-dir /etc/openvpn/ccd
[/ccn]
Then put a per-client configuration file for each client in the /etc/openvpn/ccd directory.
The filename is the client's name, i.e. the "Common Name" entered when generating its key.
For example, to give the client liushiwei the address 192.168.2.24,
the file /etc/openvpn/ccd/liushiwei only needs to contain one line:
[ccn lang="bash" tab_size="4" theme="blackboard" width="800"]
ifconfig-push 192.168.2.24 255.255.255.0
[/ccn]
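Because the ccd filename is taken from the certificate's Common Name and the pushed address has to fit the tunnel, it is worth generating these files from one checked table rather than by hand. The following is an added example, not from the original post or from OpenVPN: it renders `ifconfig-push` lines for a mapping of Common Names to addresses, rejects CNs that are not safe as a single path component, rejects addresses outside the tun subnet from the `server` line above (as well as the network, broadcast and server's own address), and refuses to hand the same address to two clients. The client names and addresses are constructed; the `address netmask` form of `ifconfig-push` used here and in the post assumes `topology subnet`.

```python
"""Render per-client ccd files for static VPN addresses.

Added example, not part of the original post. Assumes 'topology subnet', so
'ifconfig-push <addr> <netmask>' is the form written. Sample clients are
constructed; the subnet is the post's 'server 10.8.0.0 255.255.255.0' line.
"""
import ipaddress
import re
from pathlib import Path

SERVER_SUBNET = ipaddress.ip_network("10.8.0.0/24")

# Constructed sample: certificate Common Name -> desired tunnel address.
STATIC_CLIENTS = {
    "liushiwei": "10.8.0.24",
    "client": "10.8.0.25",
}

# The CN becomes the ccd filename, so accept only plain single-component names.
CN_PATTERN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def check_static_client(common_name, address, subnet=SERVER_SUBNET):
    """Return None if the (CN, address) pair is usable, else a reason string."""
    if not CN_PATTERN.match(common_name) or ".." in common_name:
        return f"unsafe common name for a ccd filename: {common_name!r}"
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return f"not an IP address: {address!r}"
    if ip not in subnet:
        return f"{ip} is outside the tun subnet {subnet}"
    if ip in (subnet.network_address, subnet.broadcast_address):
        return f"{ip} is the network or broadcast address of {subnet}"
    # With topology subnet the server itself takes the first usable address.
    if ip == next(subnet.hosts()):
        return f"{ip} is the server's own tunnel address"
    return None


def render_ccd(clients, subnet=SERVER_SUBNET):
    """Return {ccd filename: file contents} for a CN -> address mapping.

    Raises ValueError on the first unusable entry or duplicate address, so a
    bad table never produces a partial ccd directory.
    """
    by_addr = {}
    rendered = {}
    for cn, addr in clients.items():
        problem = check_static_client(cn, addr, subnet)
        if problem:
            raise ValueError(problem)
        ip = ipaddress.ip_address(addr)
        if ip in by_addr:
            raise ValueError(f"{ip} assigned to both {by_addr[ip]} and {cn}")
        by_addr[ip] = cn
        rendered[cn] = f"ifconfig-push {ip} {subnet.netmask}\n"
    return rendered


def write_ccd(directory, clients, subnet=SERVER_SUBNET):
    """Write the rendered files into directory (created if missing); return paths."""
    base = Path(directory)
    base.mkdir(parents=True, exist_ok=True)
    written = []
    for name, contents in render_ccd(clients, subnet).items():
        path = base / name
        path.write_text(contents)
        path.chmod(0o600)
        written.append(path)
    return written


if __name__ == "__main__":
    for name, contents in render_ccd(STATIC_CLIENTS).items():
        print(f"{name}: {contents.strip()}")
```

Run it to print the lines that would land in each ccd file, or call `write_ccd("/etc/openvpn/ccd", STATIC_CLIENTS)` on the server to write them. Keep the table and the `ifconfig-pool-persist` file in mind together: an address handed out statically here should not also sit in the dynamic pool.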