【Title】:OpenVPN Installation Manual
【Keyword】:OpenVPN
【Source】:http://blog.chinaunix.net/article.php?articleId=27350&blogId=2389

OpenVPN Installation Manual

I wrote this when I had just started working with OpenVPN; it is very simple and not in depth, because at that time I did not understand what each item meant.

Reposted here as a keepsake.

Official homepage: http://openvpn.sourceforge.net/
First download it, then install it:
./configure
make
make install
After installation you need to create a tun device.
* Linux 2.4 or higher (with integrated TUN/TAP driver):

(1) make device node: mknod /dev/net/tun c 10 200
(2a) add to /etc/modules.conf: alias char-major-10-200 tun
(2b) load driver: modprobe tun
(3) enable routing: echo 1 > /proc/sys/net/ipv4/ip_forward

Note that either of steps (2a) or (2b) is sufficient. While (2a)
only needs to be done once per install, (2b) needs to be done once
per reboot. If you install from RPM (see above) and use the
openvpn.init script, these steps are taken care of for you.
Then configure it. We use the more secure TLS mode.
We use the scripts they provide, easy-rsa/*, to handle this:
1. Edit vars.
2. Set KEY_CONFIG to point to the openssl.cnf file
included in this distribution.
3. Set KEY_DIR to point to a directory which will
contain all keys, certificates, etc. This
directory need not exist, and if it does,
it will be deleted with rm -rf, so BE
CAREFUL how you set KEY_DIR.
4. (Optional) Edit other fields in vars
per your site data. You may want to
increase KEY_SIZE to 2048 if you are
paranoid and don't mind slower key
processing, but certainly 1024 is
fine for testing purposes. KEY_SIZE
must be compatible across both peers
participating in a secure SSL/TLS
connection.
5. . vars
6. ./clean-all
7. As you create certificates, keys, and
certificate signing requests, understand that
only .key files should be kept confidential.
.crt and .csr files can be sent over insecure
channels such as plaintext email.
8. You should never need to copy a .key file
between computers. Normally each computer
will have its own certificate/key pair.

BUILD YOUR OWN ROOT CERTIFICATE AUTHORITY (CA) CERTIFICATE/KEY

1. ./build-ca
2. ca.crt and ca.key will be built in your KEY_DIR
directory

BUILD AN INTERMEDIATE CERTIFICATE AUTHORITY CERTIFICATE/KEY

1. ./build-inter inter
2. inter.crt and inter.key will be built in your KEY_DIR
directory and signed with your root certificate.

BUILD DIFFIE-HELLMAN PARAMETERS (necessary for
the server end of a SSL/TLS connection).

1. ./build-dh

BUILD A CERTIFICATE SIGNING REQUEST (If
you want to sign your certificate with a root
certificate controlled by another individual
or organization, or residing on a different machine).

1. Get ca.crt (the root certificate) from your
certificate authority. Though this
transfer can be over an insecure channel, to prevent
man-in-the-middle attacks you must confirm that
ca.crt was not tampered with. Large CAs solve this
problem by hardwiring their root certificates into
popular web browsers. A simple way to verify a root
CA is to call the issuer on the telephone and confirm
that the md5sum or sha1sum signatures on the ca.crt
files match (such as with the command: "md5sum ca.crt").
2. Choose a name for your certificate such as your computer
name. In our example we will use "deception".
3. ./build-req deception
4. You can ignore most of the fields, but set
"Common Name" to something unique such as your
computer's host name. Leave all password
fields blank, unless you want your private key
to be protected by password. Using a password
is not required -- it will make your key more secure
but also more inconvenient to use, because you will
need to supply your password anytime the key is used.
NOTE: if you are using a password, use ./build-req-pass
instead of ./build-req
5. Your key will be written to $KEY_DIR/deception.key
6. Your certificate signing request will be written to
to $KEY_DIR/deception.csr
7. Email deception.csr to the individual or organization
which controls the root certificate. This can be
done over an insecure channel.
8. After the .csr file is signed by the root certificate
authority, you will receive a file deception.crt
(your certificate). Place deception.crt in your
KEY_DIR directory.
9. The combined files of deception.crt, deception.key,
and ca.crt can now be used to secure one end of
an SSL/TLS connection.

SIGN A CERTIFICATE SIGNING REQUEST

1. ./sign-req deception
2. deception.crt will be built in your KEY_DIR
directory using deception.csr and your root CA
file as input.

BUILD AND SIGN A CERTIFICATE SIGNING REQUEST
USING A LOCALLY INSTALLED ROOT CERTIFICATE/KEY -- this
script generates and signs a certificate in one step,
but it requires that the generated certificate and private
key files be copied to the destination host over a
secure channel.

1. ./build-key deception (no password protection)
2. OR ./build-key-pass deception (with password protection)
3. deception.crt and deception.key will be built in your
KEY_DIR directory, and deception.crt will be signed
by your root CA.
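The steps above (build a CA, build a request, sign it, keep only the .key confidential, and confirm the ca.crt fingerprint out of band) can be walked through end to end with plain openssl commands. The script below is an added example written for this page; it is not the easy-rsa code. Assumptions made here: signing is done with "openssl x509 -req" instead of "openssl ca", so no openssl.cnf, index.txt or serial file is needed; the subject is passed with -subj instead of being typed in (the C and O values are taken from the vars file on this page); the function names make_ca, make_req, sign_req, verify_cert, cert_fingerprint, check_ca_fingerprint and file_mode are my own; and KEY_SIZE defaults to 2048, which the page itself recommends over the 1024 in vars.

```shell
#!/bin/sh
# Added example, not the easy-rsa scripts shown on this page.
# CA -> request -> sign -> verify cycle with plain openssl, plus the
# out-of-band fingerprint check and the key-file permission check.
KEY_SIZE=${KEY_SIZE:-2048}   # page's vars uses 1024; 2048 assumed here
DAYS=3650

# build-ca equivalent: root CA certificate/key in directory $1.
make_ca() {
    mkdir -p "$1" && chmod go-rwx "$1"
    openssl req -days "$DAYS" -nodes -new -x509 -newkey "rsa:$KEY_SIZE" \
        -subj "/C=KG/O=OpenVPN-TEST/CN=test-root-ca" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# build-req equivalent: private key plus CSR for host $2 in directory $1.
# Only the .key file is confidential, so it is left readable by its owner only.
make_req() {
    openssl req -nodes -new -newkey "rsa:$KEY_SIZE" \
        -subj "/C=KG/O=OpenVPN-TEST/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    chmod 600 "$1/$2.key"
}

# sign-req equivalent: sign $2.csr with the local CA, producing $2.crt.
# (openssl x509 -req is used here instead of openssl ca; an assumption.)
sign_req() {
    openssl x509 -req -days "$DAYS" -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/$2.crt" 2>/dev/null
}

# Does $2.crt in directory $1 chain to the ca.crt there? Exit 0 = yes.
verify_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# SHA-1 fingerprint of a certificate, the value you read out over the phone.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha1 -in "$1" | sed 's/^[^=]*=//'
}

# Compare a received ca.crt against the fingerprint confirmed out of band.
check_ca_fingerprint() {
    [ "$(cert_fingerprint "$1")" = "$2" ]
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Stand-alone run: sh this-file.sh /tmp/my-keys deception
if [ $# -eq 2 ]; then
    make_ca "$1" && make_req "$1" "$2" && sign_req "$1" "$2"
    echo "CA fingerprint: $(cert_fingerprint "$1/ca.crt")"
    verify_cert "$1" "$2" && echo "$2.crt verifies against ca.crt"
    echo "$2.key mode: $(file_mode "$1/$2.key")"
fi
```

Running it with a key directory and a host name produces the same three files the instructions describe (ca.crt, deception.key, deception.crt); verify_cert is the check to run on the receiving host after a signed .crt comes back, and a certificate signed by a different root will fail it.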


--------------------------------------------------------------------------------

easy-rsa/vars

# Edit this variable to point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=$HOME/easy-rsa/openssl.cnf

# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR=$HOME/my-openvpn-keys

# Increase this to 2048 if you
# are paranoid. If you do increase,
# make sure you build OpenVPN with
# pthread support, so you don't incur
# any performance penalty.
export KEY_SIZE=1024

# These are the default values for fields
# which will be placed in the certificate.
export KEY_COUNTRY=KG
export KEY_PROVINCE=NA
export KEY_CITY=BISHKEK
export KEY_ORG="OpenVPN-TEST"
export KEY_EMAIL="me@mail.kg"


--------------------------------------------------------------------------------

easy-rsa/clean-all

#!/bin/bash

#
# Initialize the $KEY_DIR directory.
# Note that this script does a
# rm -rf on $KEY_DIR so be careful!
#

d=$KEY_DIR

if test $d; then
    rm -rf $d
    mkdir $d && \
    chmod go-rwx $d && \
    touch $d/index.txt && \
    echo 01 >$d/serial
else
    echo you must define KEY_DIR
fi


--------------------------------------------------------------------------------

easy-rsa/build-dh

#!/bin/bash

#
# Build Diffie-Hellman parameters for the server side
# of an SSL/TLS connection.
#

if test $KEY_DIR; then
    openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
else
    echo you must define KEY_DIR
fi


--------------------------------------------------------------------------------

easy-rsa/build-ca

#!/bin/bash

#
# Build a root certificate
#

if test $KEY_DIR; then
cd $KEY_DIR && \
openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt -config $KEY_CONFIG
else
echo you must define KEY_DIR
fi


--------------------------------------------------------------------------------

easy-rsa/build-inter

#!/bin/bash

#
# Make an intermediate CA certificate/private key pair using a locally generated
# root certificate.
#

if test $# -ne 1; then
    echo "usage: build-inter <name>";
    exit 1
fi

if test $KEY_DIR; then
    cd $KEY_DIR && \
    openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
    openssl ca -extensions v3_ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
else
    echo you must define KEY_DIR
fi


--------------------------------------------------------------------------------

easy-rsa/build-key

#!/bin/bash

#
# Make a certificate/private key pair using a locally generated
# root certificate.
#

if test $# -ne 1; then
    echo "usage: build-key <name>";
    exit 1
fi

if test $KEY_DIR; then
    cd $KEY_DIR && \
    openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
    openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
else
    echo you must define KEY_DIR
fi


--------------------------------------------------------------------------------

easy-rsa/build-key-pass

#!/bin/bash

#
# Similar to build-key, but protect the private key
# with a password.
#

if test $# -ne 1; then
    echo "usage: build-key-pass <name>";
    exit 1
fi

if test $KEY_DIR; then
    cd $KEY_DIR && \
    openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
    openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
else
    echo you must define KEY_DIR
fi


--------------------------------------------------------------------------------

easy-rsa/build-req

#!/bin/bash

#
# Build a certificate signing request and private key. Use this
# when your root certificate and key is not available locally.
#

if test $# -ne 1; then
    echo "usage: build-req <name>";
    exit 1
fi

if test $KEY_DIR; then
    cd $KEY_DIR && \
    openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG
else
    echo you must define KEY_DIR
fi


--------------------------------------------------------------------------------

easy-rsa/build-req-pass

#!/bin/bash

#
# Like build-req, but protect your private key
# with a password.
#

if test $# -ne 1; then
    echo "usage: build-req-pass <name>";
    exit 1
fi

if test $KEY_DIR; then
    cd $KEY_DIR && \
    openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG
else
    echo you must define KEY_DIR
fi


--------------------------------------------------------------------------------

easy-rsa/sign-req

#!/bin/bash

#
# Sign a certificate signing request (a .csr file)
# with a local root certificate and key.
#

if test $# -ne 1; then
    echo "usage: sign-req <name>";
    exit 1
fi

if test $KEY_DIR; then
    cd $KEY_DIR && \
    openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
else
    echo you must define KEY_DIR
fi

============================END===========================================

It seems that office.* and home.* must be generated using the same ca.* files.

Configuration file under Windows
=======================::::=======================
#
# Sample OpenVPN configuration file for
# home using SSL/TLS mode and RSA certificates/keys.
#
# '#' or ';' may be used to delimit comments.

# Use a dynamic tun device.
# For Linux 2.2 or non-Linux OSes,
# you may want to use an explicit
# unit number such as "tun1".
# OpenVPN also supports virtual
# ethernet "tap" devices.
dev tun

# Our OpenVPN peer is the office gateway.
remote your_server_ip

# 10.1.0.2 is our local VPN endpoint (home).
# 10.1.0.1 is our remote VPN endpoint (office).
ifconfig 10.1.0.2 10.1.0.1

# Our up script will establish routes
# once the VPN is alive.
; up ./home.up

# In SSL/TLS key exchange, Office will
# assume server role and Home
# will assume client role.
tls-client

# Certificate Authority file
ca ca.crt

# Our certificate/public key
cert home.crt

# Our private key
key home.key

# OpenVPN uses UDP port 5000 by default.
# Each OpenVPN tunnel must use
# a different port number.
# lport or rport can be used
# to denote different ports
# for local and remote.
; port 5000

# Downgrade UID and GID to
# "nobody" after initialization
# for extra security.
; user nobody
; group nobody

# If you built OpenVPN with
# LZO compression, uncomment
# the following line.
; comp-lzo

# Send a UDP ping to remote once
# every 15 seconds to keep
# stateful firewall connection
# alive. Uncomment this
# if you are using a stateful
# firewall.
; ping 15

# Uncomment this section for a more reliable detection when a system
# loses its connection. For example, dial-ups or laptops that
# travel to other locations.
; ping 15
; ping-restart 45
; ping-timer-rem
; persist-tun
; persist-key

# Verbosity level.
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet, but display non-fatal network errors.
# 3 -- medium output, good for normal operation.
# 9 -- verbose, good for troubleshooting
verb 3
======================END=======================================
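Several hardening directives in the home config above are shipped commented out with ';' (user, group, persist-key, persist-tun). The script below is an added example, written for this page rather than taken from it or from OpenVPN, that checks a config file for those directives and reports which are still inactive. Its function names (directive_active, directive_commented, audit_ovpn_conf, write_sample_conf, write_hardened_conf) are my own, and the embedded excerpt is a constructed copy of the config above, not a full config.

```shell
#!/bin/sh
# Added example, not part of the OpenVPN sample config above: report which
# hardening directives a config leaves commented out with ';' or '#'.

# Exit 0 if DIRECTIVE ($2) appears as an active, uncommented line in FILE ($1).
directive_active() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# Exit 0 if DIRECTIVE ($2) appears only behind a ';' or '#' comment marker.
directive_commented() {
    ! directive_active "$1" "$2" &&
        grep -Eq "^[[:space:]]*[;#][[:space:]]*$2([[:space:]]|$)" "$1"
}

# Findings go to stderr, the number of findings to stdout.
# user/group drop root after initialization; persist-key/persist-tun let the
# process survive a ping-restart once it can no longer re-read the key or
# re-open the device as an unprivileged user.
audit_ovpn_conf() {
    conf=$1
    count=0
    for d in user group persist-key persist-tun; do
        if directive_active "$conf" "$d"; then
            continue
        fi
        if directive_commented "$conf" "$d"; then
            echo "WARN: '$d' is present but commented out in $conf" >&2
        else
            echo "WARN: '$d' is not set in $conf" >&2
        fi
        count=$((count + 1))
    done
    echo "$count"
}

# Constructed excerpt of the home config above, defaults left as shipped.
write_sample_conf() {
    cat >"$1" <<'EOF'
dev tun
remote your_server_ip
ifconfig 10.1.0.2 10.1.0.1
tls-client
ca ca.crt
cert home.crt
key home.key
; user nobody
; group nobody
; persist-tun
; persist-key
verb 3
EOF
}

# The same excerpt with the four directives uncommented.
write_hardened_conf() {
    write_sample_conf "$1"
    sed -E 's/^; (user|group|persist-tun|persist-key)/\1/' "$1" >"$1.tmp" &&
        mv "$1.tmp" "$1"
}

# Stand-alone use: sh this-file.sh home.conf
if [ $# -eq 1 ]; then
    n=$(audit_ovpn_conf "$1")
    echo "$n finding(s) in $1"
fi
```

Against the excerpt as shipped the audit reports four findings; after the four lines are uncommented it reports none. The check is deliberately limited to directives that appear in the config on this page.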

The server uses sample-config-files/tls-office.conf
That's all ;)

A static key is very easy to configure.
