centos6.6安装OpenVPN

前端之家收集整理的这篇文章主要介绍了centos6.6安装OpenVPN前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。

centos6.6安装OpenVPN

一、实验环境

wKioL1mp-kbiSczLAABLvUSmat0338.png

OpenVPN server配置两张网卡hostonly配置10.1.1.1,vmnet1配置172.16.1.1

内网服务器配置一张网卡采用hostonly配置10.1.1.2

OpenVPN client配置一张网卡采用vmnet1配置172.16.1.2

二、安装依赖包

1.安装epel源

2.安装openssl、openssl-devel、lzo-devel

#yuminstallopensslopenssl-devellzo-devel

三、安装openvpn

1.下载软件包openvpn-2.0.9.tar.gz

2.编译安装

#tarxfopenvpn-2.0.9.tar.gz
#cdopenvpn-2.0.9
#./configure--prefix=/usr/local/openvpn
#make
#makeinstall

3.创建相关目录

#cd/usr/local/openvpn
#mkdir{etc,var}
#mkdiretc/keys
#mkdirvar/run

4.easy-rsa配置

#cp-rp/usr/local/src/openvpn-2.0.9/easy-rsa/usr/local/openvpn/etc/

5.创建CA证书和密钥

#cd/usr/local/openvpn/etc/easy-rsa/2.0
#设置变量
#vivars
exportKEY_COUNTRY="CN"
exportKEY_PROVINCE="FJ"
exportKEY_CITY="FZ"
exportKEY_ORG="Opr"
exportKEY_EMAIL="opr@hnr.com"
#source./vars#初始化证书的授权中心
#./clean-all#清除keys目录下面的文件
#./build-ca#创建ca证书
Generatinga1024bitRSAprivatekey
................................++++++
.....++++++
writingnewprivatekeyto'ca.key'
-----
Youareabouttobeaskedtoenterinformationthatwillbeincorporated
intoyourcertificaterequest.
WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN.
Therearequiteafewfieldsbutyoucanleavesomeblank
Forsomefieldstherewillbeadefaultvalue,Ifyouenter'.',thefieldwillbeleftblank.
-----
CountryName(2lettercode)[CN]:
StateorProvinceName(fullname)[FJ]:
LocalityName(eg,city)[FZ]:
OrganizationName(eg,company)[Opr]:
OrganizationalUnitName(eg,section)[]:HB
CommonName(eg,yournameoryourserver'shostname)[OprCA]:CA
EmailAddress[opr@hnr.com]:

6.创建服务端证书和密钥

[root@localhost2.0]#./build-key-serverserver
Generatinga1024bitRSAprivatekey
..............................++++++
.....................................++++++
writingnewprivatekeyto'server.key'
-----
Youareabouttobeaskedtoenterinformationthatwillbeincorporated
intoyourcertificaterequest.
WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN.
Therearequiteafewfieldsbutyoucanleavesomeblank
Forsomefieldstherewillbeadefaultvalue,yournameoryourserver'shostname)[server]:
EmailAddress[opr@hnr.com]:
Pleaseenterthefollowing'extra'attributes
tobesentwithyourcertificaterequest
Achallengepassword[]:
Anoptionalcompanyname[]:
Usingconfigurationfrom/usr/local/openvpn/etc/easy-rsa/2.0/openssl.cnf
Checkthattherequestmatchesthesignature
Signatureok
TheSubject'sDistinguishedNameisasfollows
countryName:PRINTABLE:'CN'
stateOrProvinceName:PRINTABLE:'FJ'
localityName:PRINTABLE:'FZ'
organizationName:PRINTABLE:'Opr'
organizationalUnitName:PRINTABLE:'HB'
commonName:PRINTABLE:'server'
emailAddress:IA5STRING:'opr@hnr.com'
CertificateistobecertifieduntilAug2702:13:132027GMT(3650days)
Signthecertificate?[y/n]:y
1outof1certificaterequestscertified,commit?[y/n]y
Writeoutdatabasewith1newentries
DataBaseUpdated

7.创建客户端证书和密钥

[root@localhost2.0]#./build-keyhenairong
Generatinga1024bitRSAprivatekey
..........++++++
..................................++++++
writingnewprivatekeyto'henairong.key'
-----
Youareabouttobeaskedtoenterinformationthatwillbeincorporated
intoyourcertificaterequest.
WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN.
Therearequiteafewfieldsbutyoucanleavesomeblank
Forsomefieldstherewillbeadefaultvalue,yournameoryourserver'shostname)[henairong]:
EmailAddress[opr@hnr.com]:hnr@hnr.com
Pleaseenterthefollowing'extra'attributes
tobesentwithyourcertificaterequest
Achallengepassword[]:
Anoptionalcompanyname[]:
Usingconfigurationfrom/usr/local/openvpn/etc/easy-rsa/2.0/openssl.cnf
Checkthattherequestmatchesthesignature
Signatureok
TheSubject'sDistinguishedNameisasfollows
countryName:PRINTABLE:'CN'
stateOrProvinceName:PRINTABLE:'FJ'
localityName:PRINTABLE:'FZ'
organizationName:PRINTABLE:'Opr'
organizationalUnitName:PRINTABLE:'HB'
commonName:PRINTABLE:'henairong'
emailAddress:IA5STRING:'hnr@hnr.com'
CertificateistobecertifieduntilAug2702:15:282027GMT(3650days)
Signthecertificate?[y/n]:y
1outof1certificaterequestscertified,commit?[y/n]y
Writeoutdatabasewith1newentries
DataBaseUpdated

8.创建迪菲霍尔曼密钥交换参数

# ./build-dh

9.复制服务端证书及相关密钥文件

#cd/usr/local/openvpn/etc/easy-rsa/2.0/keys/
#cpca.crtdh1024.pemserver.crtserver.key/usr/local/openvpn/etc/keys/

四、配置OpenVpn

1.提供服务端配置文件

#cp/usr/local/src/openvpn-2.0.9/sample-config-files/server.conf/usr/local/openvpn/etc/

2.修改配置文件

#cd/usr/local/openvpn/etc/
#viserver.conf
local172.16.1.1
port1194
prototcp
devtun
ca/usr/local/openvpn/etc/keys/ca.crt
cert/usr/local/openvpn/etc/keys/server.crt
key/usr/local/openvpn/etc/keys/server.key#Thisfileshouldbekeptsecret
dh/usr/local/openvpn/etc/keys/dh1024.pem
server192.168.100.0255.255.255.0#给客户端分配地址池,注意:不能和VPN服务器内网网段有相同
ifconfig-pool-persistipp.txt
push"route10.1.1.0255.255.255.0"#允许客户端访问内网的网段
client-to-client
keepalive10120
comp-lzo
max-clients100
usernobody
groupnobody
persist-key
persist-tun
status/usr/local/openvpn/var/openvpn-status.log
log/usr/local/openvpn/var/openvpn.log
verb3
auth-user-pass-verify/usr/local/openvpn/etc/checkpsw.shvia-env
username-as-common-name

3.提供用户密码账号验证配置

#vicheckpsw.sh
#!/bin/sh
###########################################################
#checkpsw.sh(C)2004MathiasSundman<mathias@openvpn.se>
#
#ThisscriptwillauthenticateOpenVPNusersagainst
#aplaintextfile.Thepassfileshouldsimplycontain
#onerowperuserwiththeusernamefirstfollowedby
#oneormorespace(s)ortab(s)andthenthepassword.
PASSFILE="/usr/local/openvpn/etc/psw-file"
LOG_FILE="/usr/local/openvpn/var/openvpn-password.log"
TIME_STAMP=`date"+%Y-%m-%d%T"`
###########################################################
if[!-r"${PASSFILE}"];then
echo"${TIME_STAMP}:Couldnotopenpasswordfile\"${PASSFILE}\"forreading.">>${LOG_FILE}
exit1
fi
CORRECT_PASSWORD=`awk'!/^;/&&!/^#/&&$1=="'${username}'"{print$2;exit}'${PASSFILE}`
if["${CORRECT_PASSWORD}"=""];then
echo"${TIME_STAMP}:Userdoesnotexist:username=\"${username}\",password=\"${password}\".">>${LOG_FILE}
exit1
fi
if["${password}"="${CORRECT_PASSWORD}"];then
echo"${TIME_STAMP}:Successfulauthentication:username=\"${username}\".">>${LOG_FILE}
exit0
fi
echo"${TIME_STAMP}:Incorrectpassword:username=\"${username}\",password=\"${password}\".">>${LOG_FILE}
exit1
#chmod+xcheckpsw.sh
提供账号密码文件
#vipsw-file
#chmod400psw-file

4.配置服务脚本

修改文件权限
#chown-Rnobody.nobody/usr/local/openvpn
提供服务脚本
#cp-p/usr/local/src/openvpn-2.0.9/sample-scripts/openvpn.init/etc/init.d/openvpn
修改服务脚本
#vi/etc/init.d/openvpn
openvpn="/usr/local/openvpn/sbin/openvpn"
#PIDdirectory
piddir="/usr/local/openvpn/var/run/openvpn"
#Ourworkingdirectory
work=/usr/local/openvpn/etc

5.启动服务

# service openvpn start

五、安装配置windows客户端

1.下载软件包

openvpn-install-2.3.11-I601-x86_64.exe

2.双机安装

3.提供配置文件、密钥及证书文件

从服务端下载刚才生产的客户端证书及密钥,CA证书

下载源码目录下客户端配置文件

/usr/local/src/openvpn-2.0.9/sample-config-files/client.conf

将以上文件复制到安装目录下

C:\Program Files\OpenVPN\config

4.修改配置文件client.conf

client
devtun
prototcp
remote172.16.1.11194
resolv-retryinfinite
nobind
persist-key
persist-tun
caca.crt
certhenairong.crt
keyhenairong.key
comp-lzo
verb3
auth-user-passpasswd

5.创建账号密码文件

C:\Program Files\OpenVPN\config\passwd

henairong

nihao123!

6.启动服务

管理员身份运行

验证

spacer.gif

wKioL1mp_GLTPKoVAABR7rIwuzM828.png-wh_50

在10.1.1.2远程主机上需要添加路由

# route add -net 192.168.100.0/24 gw 10.1.1.1

六、客户端证书吊销

#cd/usr/local/openvpn/etc/easy-rsa/2.0
#source./vars
#./revoke-fullhenairong

spacer.gif

wKioL1mp_ICRu_B7AABSwPWKS3c780.png-wh_50

出现以上错误解决如下

修改openssl.conf注释如下几行

#[pkcs11_section]
#engine_id=pkcs11
#dynamic_path=/usr/lib/engines/engine_pkcs11.so
#MODULE_PATH=$ENV::PKCS11_MODULE_PATH
#PIN=$ENV::PKCS11_PIN
#init=0
[root@localhost2.0]#./revoke-fullhenairong
Usingconfigurationfrom/usr/local/openvpn/etc/easy-rsa/2.0/openssl.cnf
RevokingCertificate02.
DataBaseUpdated
Usingconfigurationfrom/usr/local/openvpn/etc/easy-rsa/2.0/openssl.cnf
henairong.crt:C=CN,ST=FJ,L=FZ,O=Opr,OU=HB,CN=henairong,emailAddress=hnr@hnr.com
error8at0depthlookup:CRLsignaturefailure
140167567640392:error:0D0C50A1:asn1encodingroutines:ASN1_item_verify:unknownmessagedigestalgorithm:a_verify.c:217:

这条命令执行完成之后, 会在 keys 目录下面, 生成一个 crl.pem 文件,这个文件中包含了吊销证书的名单。

成功注销某个证书之后,可以打开 keys/index.txt 文件,可以看到被注销的证书前面,已标记为R.

spacer.gif

wKiom1mp_M_haVj5AAAevpCrLIM331.png-wh_50

修改服务端配置文件打开crl-verify 选项

#vi/usr/local/openvpn/etc/server.conf
crl-verify/usr/local/openvpn/etc/easy-rsa/2.0/keys/crl.pem

重启服务

# service openvpn restart

猜你在找的CentOS相关文章