bj-vpnserver配置
安装openvpn软件
CA配置
自签名证书
为 bj-vpnserver 签发证书
为 运维人员签发证书[可以复用]
bj-vpnserver配置
一、安装软件
[root@bj-vpnserver ~]# yum install openvpn
1.安装编译工具gcc g++
yum install gcc
yum install gcc-c++
2.安装lzo库
cd /home/download/
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz
tar -xvzf lzo-2.03.tar.gz
cd lzo-2.03
./configure -prefix=/usr/local/lzo && make && make install
vi /etc/ld.so.conf
编辑完ld.so.conf,执行
ldconfig
使动态库生效
3.安装openssl
cd /home/download/
wget http://www.openssl.org/source/openssl-0.9.8.tar.gz
tar -xvzf openssl-0.9.8.tar.gz
./config -prefix=/usr/local/openssl && make && make install
4.安装openvpn
cd /home/download/
wget http://www.openvpn.net/release/openvpn-2.0.9.tar.gz
tar -xvzf openvpn-2.0.9.tar.gz
cd openvpn-2.0.9
./configure -prefix=/usr/local/openvpn && make && make install
一、CA配置
[root@bj-vpnserver ~]# cd /usr/share/doc/openvpn-2.0.9/easy-rsa/
[root@bj-vpnserver ~]# chmod +x *
[root@bj-vpnserver ~]# vim vars
export KEY_COUNTRY=CN
export KEY_PROVINCE=BJ
export KEY_CITY=BJ
export KEY_ORG="bj-vpnserver"
export KEY_EMAIL="[email protected]"
[root@bj-vpnserver easy-rsa]# source vars
[root@bj-vpnserver easy-rsa]# ./clean-all
[root@bj-vpnserver easy-rsa]# ./build-ca //生成ca私钥和证书
Common Name (eg, your name or your server's hostname) []:ca
二、为 bj-vpnserver 签发证书
[root@bj-vpnserver easy-rsa]# ./build-key-server server //server自定义证书名
Common Name (eg, your name or your server's hostname) []:bj-server
三、为 vpnclient 签发证书
[root@bj-vpnserver easy-rsa]# ./build-key client1 //client1自定义证书名
Common Name (eg, your name or your server's hostname) []:client1
四、查看证书
创建 Diffie-Hellman（迪菲·赫尔曼）密钥协商参数文件
[root@bj-vpnserver easy-rsa]# ./build-dh
查看相关的证书和私钥
[root@bj-vpnserver easy-rsa]# ls keys/
01.pem ca.key client1.key index.txt.attr serial server.csr
02.pem client1.crt dh1024.pem index.txt.attr.old serial.old server.key
ca.crt client1.csr index.txt index.txt.old server.crt
五、配置bj-vpnserver
1、检查相应的密钥文件
[root@bj-vpnserver keys]# pwd
/usr/share/doc/openvpn-2.0.9/easy-rsa/keys
[root@bj-vpnserver keys]# cp ca.crt server.key server.crt dh1024.pem /etc/openvpn/
[root@bj-vpnserver keys]# ls /etc/openvpn/
ca.crt dh1024.pem server.crt server.key
server.conf [自定义]
[root@bj-vpnserver keys]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/
[root@bj-vpnserver keys]# vim /etc/openvpn/server.conf
local 20.20.20.1 # vpn服务器提供服务的IP
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0 # 隧道tun网络
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
push "route 192.168.10.0 255.255.255.0" # 为所有客户添加到北京内网1的路由
push "route 192.168.20.0 255.255.255.0" # 为所有客户添加到北京内网2的路由
client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway"
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
;client-to-client
;duplicate-cn # 是否允许多个客户端复用同一证书；若如目录所述运维人员复用证书，需取消本行注释
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
mute 20
路由转发
[root@bj-vpnserver ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@bj-vpnserver ~]# sysctl -p
启动bj-vpnserver
[root@bj-vpnserver ~]# service openvpn start
[root@bj-vpnserver ~]# chkconfig openvpn on
[root@bj-vpnserver ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:ea:e7:d3 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.254/24 brd 192.168.10.255 scope global eth0
inet6 fe80::5054:ff:feea:e7d3/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:5f:6b:73 brd ff:ff:ff:ff:ff:ff
inet 20.20.20.1/24 brd 20.20.20.255 scope global eth1
inet6 fe80::5054:ff:fe5f:6b73/64 scope link
valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/[65534]
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0