【Title】: OpenVPN server installation and configuration
【Keywords】: Openvpn
【Source】: http://www.cublog.cn/u/9284/showart.php?id=104652

OpenVPN server installation and configuration

I. Software installation

Download the software from:

    www.openvpn.net
    http://www.oberhumer.com/opensource/lzo/download/

LZO: install lzo-1.08-4.0.i386.rpm, or build lzo-2.01.tar.gz from source (./configure; make; make install), then install lzo-devel-1.08-fr2.i386.rpm.

OpenVPN: unpack openvpn-2.0.2.tar.gz and build it (./configure; make; make install). To build an RPM instead:

    cd /usr/src/redhat/SOURCES
    rpmbuild -tb openvpn-2.0.2.tar.gz

The RPM is written to /usr/src/redhat/RPMS/i386/openvpn-2.0.2-1.i386.rpm; install it with rpm -ivh. After installation the configuration files are in /etc/openvpn.

Note: on IPCop, install with tar zxvf ZERINA-0.9.1b-Installer.tar.gz and then run ./install.

II. Service configuration

1. Copy the sample configuration files to /etc/openvpn.

2. ovpnconfig (one line per client):

1,on,jiang,jiangdaoyou,host,cert,,,,,,,,,,,,,,,,,,,,,,,,,,,
2,on,test01,test01,host,cert,,,,,,,,,,,,,,,,,,,,,,,,,,,

3. Contents of server.conf:

#OpenVPN Server conf

daemon openvpnserver
writepid /var/run/openvpn.pid

;local 192.168.2.229
dev tun
tun-mtu 1400
proto udp
port 1194
tls-server
ca /etc/openvpn/ca/cacert.pem
cert /etc/openvpn/certs/servercert.pem
key /etc/openvpn/certs/serverkey.pem
dh /etc/openvpn/ca/dh1024.pem
server 192.168.60.0 255.255.255.0
push "route 192.168.219.0 255.255.255.0"
push "route 192.168.34.0 255.255.255.0"
push "route 192.168.50.0 255.255.255.0"

client-config-dir /var/ipcop/ovpn/ccd
route 192.168.60.9 255.255.255.252
route 192.168.60.17 255.255.255.252

client-to-client
keepalive 10 120
status-version 1
status /var/log/server.log 30
cipher BF-CBC
comp-lzo
max-clients 100
tls-verify /etc/openvpn/verify
user nobody
group nobody
persist-key
persist-tun
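Several settings in this server.conf would not pass a configuration review today: cipher BF-CBC is a 64-bit block cipher, dh1024 is a short DH group, and there is no tls-auth or tls-crypt protecting the control channel. As an added example that is not from the article or from OpenVPN, the following Python checker flags such settings in a server.conf; the embedded sample is a constructed, trimmed copy of the configuration above.

```python
"""Audit an OpenVPN 2.x server.conf for weak or missing hardening settings.
Added example for this article (not from the page or OpenVPN); SAMPLE_CONF is a
constructed, trimmed copy of the article's server.conf."""
import re

SAMPLE_CONF = """\
dh /etc/openvpn/ca/dh1024.pem
server 192.168.60.0 255.255.255.0
client-to-client
cipher BF-CBC
comp-lzo
tls-verify /etc/openvpn/verify
user nobody
group nobody
"""

# 64-bit block ciphers: practical birthday attacks (SWEET32) on long-lived tunnels.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}

def parse_conf(text):
    """Return (directive, [args]) tuples, skipping blank lines and # / ; comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries

def audit(text):
    """Return a list of human-readable findings for one server.conf body."""
    entries = parse_conf(text)
    present = {directive for directive, _ in entries}
    findings = []
    for directive, args in entries:
        if directive == "cipher" and args and args[0].upper() in WEAK_CIPHERS:
            findings.append(f"cipher {args[0]}: 64-bit block cipher (SWEET32)")
        if directive == "dh" and args:
            bits = re.search(r"dh(\d+)", args[0])  # e.g. dh1024.pem -> 1024
            if bits and int(bits.group(1)) < 2048:
                findings.append(f"dh {args[0]}: DH group shorter than 2048 bits")
        if directive == "client-to-client":
            findings.append("client-to-client: VPN clients can reach each other directly")
    if not present & {"tls-auth", "tls-crypt"}:
        findings.append("no tls-auth/tls-crypt: control channel lacks an extra HMAC layer")
    if not {"user", "group"} <= present:
        findings.append("no user/group: daemon keeps root privileges after startup")
    return findings
```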

4. Assigning a fixed IP to a client

Add to server.conf:

client-config-dir /var/ipcop/ovpn/ccd
route 192.168.60.9 255.255.255.252

Create the file /var/ipcop/ovpn/ccd/jiangdaoyou with the following content:

ifconfig-push 192.168.60.9 192.168.60.10
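The server.conf above points tls-verify at /etc/openvpn/verify, but the page never shows that script. As an added example that is not the page's script, here is the check such a hook typically performs, written in Python: accept a client certificate only if its common name is a known client (assumed here to be the names from the ovpnconfig and ccd entries above, jiangdaoyou and test01). OpenVPN invokes the hook as `verify <depth> <x509_subject>` and accepts when the exit status is 0.

```python
"""tls-verify hook for OpenVPN: accept a client certificate only if its CN is on
the server's allowlist. Added example for this article; it is NOT the script the
page's `tls-verify /etc/openvpn/verify` line points to (the page never shows it).
OpenVPN runs the hook once per chain element as `verify <depth> <x509_subject>`
and accepts the certificate when the exit status is 0."""
import re
import sys

# Constructed allowlist: the client names used in the article's ovpnconfig and
# ccd directory. A deployment could derive it from os.listdir(client-config-dir).
ALLOWED_CN = {"jiangdaoyou", "test01"}


def parse_subject(subject):
    """Parse both OpenVPN subject formats into a dict of RDN type -> value.

    2.0-2.2 style:  /C=CN/ST=GuangDong/O=DH/CN=jiangdaoyou
    2.3+ style:     C=CN, ST=GuangDong, O=DH, CN=jiangdaoyou
    """
    parts = subject[1:].split("/") if subject.startswith("/") else subject.split(", ")
    rdns = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            rdns[key.strip()] = value.strip()
    return rdns


def verify(depth, subject, allowed=ALLOWED_CN):
    """Return True if the certificate at this chain depth should be accepted.

    Only the leaf (depth 0) is matched against the allowlist; OpenVPN has already
    checked the CA certificates higher in the chain against the `ca` file.
    """
    if depth != 0:
        return True
    cn = parse_subject(subject).get("CN", "")
    # A CN must be a plain identifier; anything else (empty, embedded '/' or ',')
    # is rejected rather than guessed at.
    if not re.fullmatch(r"[A-Za-z0-9._-]+", cn):
        return False
    return cn in allowed


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(1)
    sys.exit(0 if verify(int(sys.argv[1]), sys.argv[2]) else 1)
```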

5. Directory layout: the ca directory holds the CA certificate, cert is the certificate store, crls holds the revocation lists, and the openssl directory contains the openssl.cnf configuration file.

6. Starting the service:

openvpn --daemon --config server.conf
or
/etc/init.d/openvpn start

III. Certificate requests

1. Request a certificate:

openssl req -config openssl.cnf -new -keyout jiang.key -out jiang.req

Generating a 1024 bit RSA private key
..................................................................++++++
..............++++++
writing new private key to 'jiang.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) []:DongGuan
Organization Name (eg, company) [My Company Ltd]:DH
Organizational Unit Name (eg, section) []:IMC
Common Name (eg, your name or your server's hostname) []:jiangdaoyou
Email Address []:jdaoyou@xxx.xxx

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

2. Sign the certificate with the CA:

openssl ca -config openssl.cnf -out jiang.pem -notext -infiles jiang.req

Using configuration from ../openssl/ovpn.cnf
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GuangDong'
localityName          :PRINTABLE:'DongGuan'
organizationName      :PRINTABLE:'DH'
organizationalUnitName:PRINTABLE:'IMC'
commonName            :PRINTABLE:'jiangdaoyou'
Certificate is to be certified until Jul 22 03:41:46 2021 GMT (999999 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

 

3. Export a PKCS#12 (.p12) file:

openssl pkcs12 -export -in jiang.pem -inkey jiang.key -certfile ../ca/cacert.pem -out jiang.p12

Enter pass phrase for jiang.key:
Enter Export Password:
Verifying - Enter Export Password:

Inspect the certificate: openssl x509 -in jiang.pem -noout -subject

 

4. Exporting from a certificate file

To export the CA certificate from a p12 file:

openssl pkcs12 -nomacver -cacerts -nokeys -in pkcs12_file -out ca_certificate.pem

To export xxx.com.pem and xxx.com.key from a p12 file:

openssl pkcs12 -nomacver -clcerts -nokeys -in pkcs12_file -out xxx.certificate.pem
openssl pkcs12 -nomacver -nocerts -in pkcs12_file -out xxx.private_key.pem

To leave the key unencrypted (so that no PEM pass phrase is needed):

openssl pkcs12 -nomacver -nocerts -nodes -in pkcs12_file -out xxx.private_key.pem

Note: for now we have decided not to encrypt the certificate's private key.

In the GUI client, "change password" changes the pass phrase protecting the private key; this is equivalent to omitting the -nodes parameter when the key is generated.

To use a certificate stored in the Windows certificate store, edit client.ovpn and add: cryptoapicert "SUBJ: abc", where abc is the certificate's common name.

IV. Troubleshooting

1. The client gets no IP address: restart the DHCP Client service on the client computer.
