[Original] Building a secure VPN with OpenVPN [OpenVPN + CA]
Material on OpenVPN can be found at http://openvpn.net.
The original draft of this article is on ChinaUnix, http://bbs.chinaunix.net/forum/viewtopic.php?t=503434. This version revises the passages
that readers there found unclear and strips the comments from the configuration files so they can be copied and pasted. The focus is not on linking
company sites with a VPN (a small change to the configuration would do that) but on how mobile users reach the company's internal network through the VPN.
Server hardware and network environment:
OS: Fedora Core 2 (sits at the company's network egress, acting as the router or NAT device)
eth0: 61.1.1.2 (external address, connected directly to the Internet)
eth1: 192.168.0.1 (internal address, connected to the company LAN; assume the company uses 192.168.0.0/22, i.e. four class C networks)
Client hardware and network environment:
OS: mainly Windows 2000/XP, some Linux
Single NIC, IP address not fixed
Server configuration
First check whether the pam-devel package is installed; if not, install it from the system disc.
[root@vpn ~]# rpm -qa | grep pam
pam_smb-1.1.7-3.1
pam-0.77-40
pam_krb5-2.0.10-1
pam-devel-0.77-40
[root@vpn ~]#
Check whether the lzo package is installed; if not, it can be found at http://rpmfind.net
[root@vpn ~]# rpm -qa | grep lzo
[root@vpn ~]# wget ftp://rpmfind.net/linux/dag/fedora/2/en/i386/dag/RPMS/lzo-1.08-3.1.fc2.dag.i386.rpm
[root@vpn ~]# rpm -ivh lzo-1.08-3.1.fc2.dag.i386.rpm
[root@vpn ~]# wget ftp://rpmfind.net/linux/dag/fedora/2/en/i386/dag/RPMS/lzo-devel-1.08-3.1.fc2.dag.i386.rpm
[root@vpn ~]# rpm -ivh lzo-devel-1.08-3.1.fc2.dag.i386.rpm
[root@vpn ~]# rpm -qa | grep lzo
lzo-devel-1.08-3.1.fc2.dag
lzo-1.08-3.1.fc2.dag
[root@vpn ~]#
Now compile and install OpenVPN
[root@vpn ~]# wget http://mesh.dl.sourceforge.net/sourceforge/openvpn/openvpn-2.0_rc16.tar.gz
[root@vpn ~]# rpmbuild -tb openvpn-2.0_rc16.tar.gz
[root@vpn ~]# cd /usr/src/redhat/RPMS/i386/
[root@vpn /usr/src/redhat/RPMS/i386]# rpm -ivh openvpn-2.0_rc16-1.i386.rpm
OK, OpenVPN is installed.
Configure the VPN server:
[root@vpn /usr/src/redhat/RPMS/i386]# cd
[root@vpn ~]# cp -r /usr/share/openvpn/easy-rsa/ /etc/openvpn/
[root@vpn ~]# cd /etc/openvpn/easy-rsa/
[root@vpn /etc/openvpn/easy-rsa]# vi vars
Edit the vars file
-------------CUT Here-------------
# easy-rsa parameter settings
# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.
# This variable should point to
# the top level of the easy-rsa
# tree.
export D=`pwd`
# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=$D/openssl.cnf
# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR=$D/keys
# Issue rm -rf warning
echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
# Your country, as a two-letter code
export KEY_COUNTRY=CN
# Your province
export KEY_PROVINCE=Liaoning
# Your city
export KEY_CITY=Shenyang
# Your organization
export KEY_ORG="ELM OpenVPN ORG"
# Your e-mail address
export KEY_EMAIL="elm@elm.freetcp.com"
-------------CUT Here-----------------
# Make the modified environment variables take effect
[root@vpn /etc/openvpn/easy-rsa]# . vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
# Initialize the keys directory
[root@vpn /etc/openvpn/easy-rsa]# ./clean-all
# Generate the root CA certificate, which signs the server and client certificates; protect the keys/ca.key file carefully.
[root@vpn /etc/openvpn/easy-rsa]# ./build-ca
Generating a 1024 bit RSA private key
........................++++++
.............++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: # press Enter if nothing needs to change
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [ELM OpenVPN ORG]:
Organizational Unit Name (eg, section) []: OpenVPN Service
Common Name (eg, your name or your server's hostname) []:OpenVPN Root CA
Email Address [elm@elm.freetcp.com]:
# Look at the generated keys
[root@vpn /etc/openvpn/easy-rsa]# ls keys
ca.crt ca.key index.txt serial
# We can see that ca.crt and ca.key have been generated.
# Next, generate the Diffie-Hellman parameter file for the server;
# the TLS server needs this file.
[root@vpn /etc/openvpn/easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..+..............................................................+....................................................................+....+
........+.........+....................................................+.+..................................................................
................................................................................................+.......................................+......
...........................+.............+.................................................................................+..................
.....................................+.............................++*++*++*
# Create and sign the certificate the VPN server will use
# `server' is the base name of the files created: server.crt and server.key
[root@vpn /etc/openvpn/easy-rsa]# ./build-key-server server
Generating a 1024 bit RSA private key
......................++++++
...............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [ELM OpenVPN ORG]:
Organizational Unit Name (eg, section) []:OpenVPN Service
Common Name (eg, your name or your server's hostname) []:Server No.1
Email Address [elm@elm.freetcp.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'Liaoning'
localityName :PRINTABLE:'Shenyang'
organizationName :PRINTABLE:'ELM OpenVPN ORG'
organizationalUnitName:PRINTABLE:'OpenVPN Service'
commonName :PRINTABLE:'Server No.1'
emailAddress :IA5STRING:'elm@elm.freetcp.com'
Certificate is to be certified until Feb 26 14:43:44 2015 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# Next, issue a certificate to the VPN client. To issue certificates to other clients later, sign a new one directly with the build-key command.
# `elm' is the base name of the files created: elm.crt and elm.key
# Note: Common Names had better not be identical; if they are (the server then needs the duplicate-cn option), the e-mail addresses must differ too, otherwise an error occurs
[root@vpn /etc/openvpn/easy-rsa]# ./build-key elm
Generating a 1024 bit RSA private key
........++++++
....................++++++
writing new private key to 'elm.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [ELM OpenVPN ORG]:
Organizational Unit Name (eg, section) []:OpenVPN Service
Common Name (eg, your name or your server's hostname) []:ELM
Email Address [elm@elm.freetcp.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'Liaoning'
localityName :PRINTABLE:'Shenyang'
organizationName :PRINTABLE:'ELM OpenVPN ORG'
organizationalUnitName:PRINTABLE:'OpenVPN Service'
commonName :PRINTABLE:'ELM'
emailAddress :IA5STRING:'elm@elm.freetcp.com'
Certificate is to be certified until Feb 26 14:45:36 2015 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# To guard against malicious attacks (such as DoS and UDP port flooding), generate an "HMAC firewall" key
[root@vpn /etc/openvpn/easy-rsa]# openvpn --genkey --secret keys/ta.key
# Generate the certificate revocation list file, so that a certificate lost later can be revoked instead of letting an unauthorized user join the VPN
[root@vpn /etc/openvpn/easy-rsa]# ./make-crl vpncrl.pem
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
# The server configuration file, server.conf
----------------CUT Here-------------
port 1194
;proto tcp
proto udp
dev tap
;dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
crl-verify vpncrl.pem
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
client-to-client
;duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
;max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
;log-append openvpn.log
verb 3
--------------Cut Here-----------------
Save server.conf in the /etc/openvpn directory, and copy the keys generated by the easy-rsa scripts into /etc/openvpn as well, with the following commands:
[root@vpn /etc/openvpn/easy-rsa]# cp keys/ca.crt ../
[root@vpn /etc/openvpn/easy-rsa]# cp keys/server.crt ../
[root@vpn /etc/openvpn/easy-rsa]# cp keys/server.key ../
[root@vpn /etc/openvpn/easy-rsa]# cp keys/dh1024.pem ../
[root@vpn /etc/openvpn/easy-rsa]# cp keys/ta.key ../
[root@vpn /etc/openvpn/easy-rsa]# cp keys/vpncrl.pem ../
# Start OpenVPN now
[root@vpn /etc/openvpn/easy-rsa]# /etc/init.d/openvpn start
# Next, the client configuration file client.conf:
# On Linux or Unix the extension is .conf, on Windows it is .ovpn; copy the keys it needs (ca.crt elm.crt elm.key ta.key) into the directory holding the configuration file
-------------Cut Here---------------------
client
dev tap
;dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
;proto tcp
proto udp
remote 61.1.1.2 1194
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
user nobody
group nobody
route 192.168.0.0 255.255.252.0
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
ca ca.crt
cert elm.crt
key elm.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
# Set log file verbosity.
verb 4
--------------Cut Here---------------------
Installing OpenVPN on a Linux client works the same way; only the configuration file and keys differ. Copy client.conf, ca.crt, elm.crt, elm.key and
ta.key to /etc/openvpn and the VPN can be started.
For Windows, the OpenVPN-GUI program provides a graphical interface; it can be downloaded from http://openvpn.se.
Download and install it, accepting the defaults; after installation a new icon appears in the system tray. Copy client.ovpn, ca.crt, elm.crt, elm.key and ta.key
into the C:\Program Files\openvpn\config directory, then right-click the tray icon and choose Connect.
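As an added example (not part of the original post), here is a small Python audit of the server.conf/client.conf pair above. It checks the settings that carry the security of this setup: tls-auth on both sides with matching key directions (server 0, client 1), crl-verify on the server, user/group privilege drop, ns-cert-type server on the client so that no other client certificate from the same CA can pose as the server, and that duplicate-cn stays off. The two embedded configs are trimmed copies of the page's own.

```python
SERVER_CONF = """ca ca.crt
cert server.crt
key server.key # This file should be kept secret
crl-verify vpncrl.pem
;duplicate-cn
tls-auth ta.key 0 # This file is secret
user nobody
group nobody
"""
CLIENT_CONF = """client
remote 61.1.1.2 1194
user nobody
group nobody
ca ca.crt
cert elm.crt
key elm.key
ns-cert-type server
tls-auth ta.key 1
"""

def parse_openvpn(text):
    """One directive per line; ';' and '#' start comments (inline '#' too)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith(';'):
            continue
        name, *args = line.split()
        opts.setdefault(name, []).append(args)
    return opts

def audit(server_text, client_text):
    """Return a list of weaknesses; an empty list means the pair passes."""
    s, c = parse_openvpn(server_text), parse_openvpn(client_text)
    found = []
    for side, o in (('server', s), ('client', c)):
        if 'tls-auth' not in o:
            found.append(side + ': no tls-auth, control channel not HMAC-protected')
        if 'user' not in o or 'group' not in o:
            found.append(side + ': no user/group, daemon keeps root after init')
    if 'tls-auth' in s and 'tls-auth' in c:
        dirs = {tuple(s['tls-auth'][0][1:]), tuple(c['tls-auth'][0][1:])}
        if dirs not in ({('0',), ('1',)}, {()}):
            found.append('tls-auth key-direction mismatch (server 0, client 1)')
    if 'crl-verify' not in s:
        found.append('server: no crl-verify, a lost (revoked) client cert still works')
    if 'duplicate-cn' in s:
        found.append('server: duplicate-cn lets one cert be shared by many users')
    if 'ns-cert-type' not in c and 'remote-cert-tls' not in c:
        found.append('client: no ns-cert-type server, another client cert could pose as the server')
    return found
```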
The iptables configuration for the Linux server:
# First, IP forwarding must be enabled on the system
[root@vpn /etc]# cat sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
[root@vpn /etc]#
# The iptables configuration file
[root@vpn /etc/sysconfig]# cat iptables
# Generated by iptables-save v1.2.1a on Tue Nov 6 19:50:51 2001
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/255.255.252.0 -o eth0 -j SNAT --to-source 61.1.1.2
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:BLOCK - [0:0]
:ANTIVIRUS - [0:0]
# block internal ip address
-A INPUT -i lo -j ACCEPT
-A INPUT -j BLOCK
-A INPUT -j ANTIVIRUS
-A BLOCK -s 192.168.0.0/16 -d 0/0 -j RETURN
-A BLOCK -s 172.16.0.0/12 -d 0/0 -j REJECT
-A BLOCK -s 10.0.0.0/8 -d 0/0 -j REJECT
-A BLOCK -s 127.0.0.0/8 -d 0/0 -j REJECT
-A BLOCK -s 0.0.0.0/8 -d 0/0 -j REJECT
-A BLOCK -s 169.254.0.0/16 -d 0/0 -j REJECT
-A BLOCK -s 192.0.2.0/24 -d 0/0 -j REJECT
-A BLOCK -s 204.152.64.0/23 -d 0/0 -j REJECT
-A BLOCK -s 224.0.0.0/3 -d 0/0 -j REJECT
-A INPUT -p icmp -j ACCEPT
# OSPFD
-A INPUT -d 224.0.0.0/24 -j ACCEPT
# sync time
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
# accept dns
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
# accept ssh from any
-A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
# accept dhcp request
-A INPUT -p udp -m udp --dport 67 -j ACCEPT
# OpenVPN 1194_UDP
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
# www
-A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
# keep stats
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Reject all packet to me
-A INPUT -p tcp -m tcp --syn -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp -j REJECT
-A FORWARD -j ANTIVIRUS
-A ANTIVIRUS -p tcp -m tcp --dport 135:139 -j DROP
-A ANTIVIRUS -p tcp -m tcp --dport 445 -j DROP
-A ANTIVIRUS -p udp -m udp --dport 69 -j DROP
-A ANTIVIRUS -p udp -m udp --dport 135:139 -j DROP
-A ANTIVIRUS -p udp -m udp --dport 1434 -j DROP
COMMIT
[root@vpn /etc/sysconfig]#
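Added example, not part of the original post: a Python check over the iptables-save ruleset above. It flags INPUT rules that ACCEPT on the sender's source port alone (the --sport 123 and --sport 53 lines), which admit any packet whose sender picked that port, and shows that removing them loses nothing, because the RELATED,ESTABLISHED rule already passes the replies to this host's own NTP and DNS queries. The embedded ruleset is a trimmed copy of the page's.

```python
import shlex

# Trimmed copy of the INPUT rules from the ruleset above (iptables-save format).
IPTABLES_SAVE = """*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p udp -m udp -j REJECT
COMMIT
"""

def parse_rules(text):
    """Return (chain, argv) for every '-A' rule in iptables-save output."""
    rules = []
    for line in text.splitlines():
        if line.startswith('-A '):
            argv = shlex.split(line)
            rules.append((argv[1], argv[2:]))
    return rules

def policies(text):
    """Default policy per chain, from the ':CHAIN POLICY [pkts:bytes]' lines."""
    return {l[1:].split()[0]: l.split()[1] for l in text.splitlines() if l.startswith(':')}

def source_port_only_accepts(text):
    """ACCEPT rules whose only selector is the sender's port: no --dport,
    no state, no source address or interface, so any host can use them."""
    bad = []
    for chain, argv in parse_rules(text):
        if '--sport' not in argv or argv[argv.index('-j') + 1] != 'ACCEPT':
            continue
        if not any(a in argv for a in ('--dport', '--state', '-s', '-i')):
            bad.append(' '.join(['-A', chain] + argv))
    return bad

def harden(text):
    """Drop those rules; RELATED,ESTABLISHED already passes the replies to
    this host's own DNS and NTP queries, so nothing legitimate is lost."""
    bad = set(source_port_only_accepts(text))
    return '\n'.join(l for l in text.splitlines() if ' '.join(l.split()) not in bad) + '\n'
```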
I produced this article from my own experiments, typing it in word by word; if you repost it, please credit the source. Thanks.
Blog: http://elm.blog.edu.cn
http://blog.chinaunix.net/index.php?blogId=2389
--ELM