
OpenVPN (based on CentOS 6.6)

Date: 2016-09-28 18:33  Source: unknown  Author: 最模板 editor
VPN basics

    Virtual Private Network (VPN)

    Purpose: build a secure private network on top of an untrusted public network and carry data over it encrypted.

VPN and tunneling

    A tunnel involves three protocols:

        Passenger protocol: the protocol being encapsulated, e.g. PPP or SLIP

        Encapsulation protocol: sets up, maintains and tears down the tunnel, e.g. L2TP or IPsec

        Carrier protocol: carries the encapsulated packets across the network, e.g. IP
 
Example deployment

I. Environment

    Internal host (slave1)    VPN server (master)             VPN client (slave2)
    192.168.1.0/24            eth0: 192.168.1.1 (internal)    202.102.1.2
                              eth1: 202.102.1.1 (external)

On the internal host, point the default route at the VPN server's internal address:

    [root@slave1 ~]# ip route 
    192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.2 
    169.254.0.0/16 dev eth0  scope link  metric 1002 
    default via 192.168.1.1 dev eth0 

Assign the internal and external interface addresses on the VPN server (shown here already configured) and enable IPv4 forwarding so it routes between the two interfaces:

    [root@master ~]# ip addr show eth0 
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether 00:0c:29:1f:e0:45 brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
        inet6 fe80::20c:29ff:fe1f:e045/64 scope link 
           valid_lft forever preferred_lft forever
    [root@master ~]# ip addr show eth1
    3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether 00:0c:29:1f:e0:4f brd ff:ff:ff:ff:ff:ff
        inet 202.102.1.1/24 brd 202.102.1.255 scope global eth1
        inet6 fe80::20c:29ff:fe1f:e04f/64 scope link 
           valid_lft forever preferred_lft forever
    [root@master ~]# ip route 
    202.102.1.0/24 dev eth1  proto kernel  scope link  src 202.102.1.1 
    192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1 
    169.254.0.0/16 dev eth0  scope link  metric 1002 
    169.254.0.0/16 dev eth1  scope link  metric 1003 
    [root@master ~]# echo 1 > /proc/sys/net/ipv4/ip_forward 

Writing to /proc/sys only enables forwarding until the next reboot; to keep it, also set net.ipv4.ip_forward = 1 in /etc/sysctl.conf.
 
II. Issuing certificates with the CA

    Workflow: create the CA / issue the VPN server certificate / issue the VPN client certificate / generate the key-exchange (DH) parameter file

1. Configure the CA and generate private keys and signed certificates for vpnserver and vpnclient (done on the vpnserver)

    Install the OpenVPN packages:

    [root@vpnserver OpenVPN]# rpm -ivh lzo-2.06-1.el6.rfx.x86_64.rpm    // used for data compression
    [root@vpnserver OpenVPN]# rpm -ivh openvpn-2.0.9-1.el6.rf.x86_64.rpm

    Generate the CA private key and certificate:

    [root@vpnserver OpenVPN]# cd /usr/share/doc/openvpn-2.0.9/easy-rsa/
    [root@vpnserver easy-rsa]# ls
    2.0          build-key         build-req       make-crl     revoke-full
    build-ca     build-key-pass    build-req-pass  openssl.cnf  sign-req
    build-dh     build-key-pkcs12  clean-all       README       vars
    build-inter  build-key-server  list-crl        revoke-crt   Windows
    [root@vpnserver easy-rsa]# chmod +x *
    [root@vpnserver easy-rsa]# vim vars  
    export KEY_COUNTRY=CN
    export KEY_PROVINCE=BJ
    export KEY_CITY=BJ
    export KEY_ORG="uplooking"          
    export KEY_EMAIL="ca@example.com"

    The same vars file sets KEY_SIZE, which defaults to 1024 and is why every key generated below is 1024-bit RSA; raise it to 2048 before running the build scripts.

    [root@vpnserver easy-rsa]# source vars 
    NOTE: when you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/openvpn-2.0.9/easy-rsa/keys

    [root@vpnserver easy-rsa]# ./clean-all      # remove any previous certificate files from the keys directory
    [root@vpnserver easy-rsa]# ./build-ca     # generate the CA private key and certificate
    Generating a 1024 bit RSA private key
    ..........................++++++
    ...........++++++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [BJ]:
    Locality Name (eg, city) [BJ]:
    Organization Name (eg, company) [uplooking]:
    Organizational Unit Name (eg, section) []:jiaoxue
    Common Name (eg, your name or your server's hostname) []: ca.example.com
    Email Address [ca@example.com]:

    [root@vpnserver easy-rsa]# ls    # the keys directory has now been created
    2.0          build-key-pass    clean-all    README       Windows
    build-ca     build-key-pkcs12  keys         revoke-crt
    build-dh     build-key-server  list-crl     revoke-full
    build-inter  build-req         make-crl     sign-req
    build-key    build-req-pass    openssl.cnf  vars

    [root@vpnserver easy-rsa]# ls keys/
    ca.crt  ca.key  index.txt  serial

 
2. Generate the vpnserver private key and certificate:

    [root@vpnserver easy-rsa]# ./build-key-server vpnserver
    Generating a 1024 bit RSA private key
    ..................................................++++++
    .........................++++++
    writing new private key to 'vpnserver.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [BJ]:
    Locality Name (eg, city) [BJ]:
    Organization Name (eg, company) [uplooking]:
    Organizational Unit Name (eg, section) []:jiaoxue
    Common Name (eg, your name or your server's hostname) []:vpnserver.example.com
    Email Address [ca@example.com]:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /usr/share/doc/openvpn-2.0.9/easy-rsa/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'CN'
    stateOrProvinceName   :PRINTABLE:'BJ'
    localityName          :PRINTABLE:'BJ'
    organizationName      :PRINTABLE:'uplooking'
    commonName            :PRINTABLE:'vpnserver.example.com'
    emailAddress          :IA5STRING:'ca@example.com'
    Certificate is to be certified until Jun 29 04:03:05 2023 GMT (3650 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

    [root@vpnserver easy-rsa]# ls keys/
    01.pem  index.txt       serial            vicvpnserver.csr
    ca.crt  index.txt.attr  serial.old        vicvpnserver.key
    ca.key  index.txt.old   vicvpnserver.crt

 
3. Generate a private key and certificate for each client:

    [root@vpnserver easy-rsa]# ./build-key client1
    Generating a 1024 bit RSA private key
    ............................++++++
    ...................++++++
    writing new private key to 'client1.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [BJ]:
    Locality Name (eg, city) [BJ]:
    Organization Name (eg, company) [uplooking]:
    Organizational Unit Name (eg, section) []:jiaoxue
    Common Name (eg, your name or your server's hostname) []: client1.example.com
    Email Address [ca@example.com]:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /usr/share/doc/openvpn-2.0.9/easy-rsa/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'CN'
    stateOrProvinceName   :PRINTABLE:'BJ'
    localityName          :PRINTABLE:'BJ'
    organizationName      :PRINTABLE:'uplooking'
    commonName            :PRINTABLE:'client1.example.com'
    emailAddress          :IA5STRING:'ca@example.com'
    Certificate is to be certified until Nov  6 11:38:59 2022 GMT (3650 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

 
4. List the resulting certificates and private keys

    [root@vpnserver easy-rsa]# ls keys/
    01.pem  client1.crt  index.txt.attr      serial.old
    02.pem  client1.csr  index.txt.attr.old  vicvpnserver.crt
    ca.crt  client1.key  index.txt.old       vicvpnserver.csr
    ca.key  index.txt    serial              vicvpnserver.key
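The keys/ listing above also shows index.txt and serial: the CA database that build-ca creates and that build-key-server and build-key append to, in OpenSSL's index format (one tab-separated line per issued certificate). The following added example, not code from the page or from easy-rsa, parses that file and audits it for the problems an OpenVPN operator checks for (expired entries still marked valid, duplicate CNs, missing clients); the sample index.txt is constructed to match the page's two signing runs, and the utc() helper is my own.

```python
"""Audit an easy-rsa CA database (keys/index.txt). Added example, not from the page."""
from datetime import datetime, timezone

# Constructed sample modelled on the page's CA after steps 2 and 3: serial 01 is the
# vpnserver cert, serial 02 the client1 cert, each with the expiry date its signing
# run printed. OpenSSL index.txt columns, tab-separated: status (V valid, R revoked,
# E expired), expiry (YYMMDDHHMMSSZ), revocation date, serial, filename, subject DN.
SAMPLE_INDEX = (
    "V\t230629040305Z\t\t01\tunknown\t/C=CN/ST=BJ/L=BJ/O=uplooking/OU=jiaoxue"
    "/CN=vpnserver.example.com/emailAddress=ca@example.com\n"
    "V\t221106113859Z\t\t02\tunknown\t/C=CN/ST=BJ/L=BJ/O=uplooking/OU=jiaoxue"
    "/CN=client1.example.com/emailAddress=ca@example.com\n"
)


def utc(y, m, d, hh=0, mm=0, ss=0):
    """Build a timezone-aware UTC datetime (helper added for this example)."""
    return datetime(y, m, d, hh, mm, ss, tzinfo=timezone.utc)


def parse_index(text):
    """Parse index.txt into dicts carrying status, serial, CN, UTC expiry, revocation date."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _filename, subject = line.split("\t")
        dn = dict(part.split("=", 1) for part in subject.strip("/").split("/"))
        entries.append({
            "status": status, "serial": serial, "cn": dn.get("CN"),
            "expires": datetime.strptime(expiry, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc),
            "revoked": revoked or None,
        })
    return entries


def audit(text, now, expected_cns=()):
    """Return findings: duplicate CNs, entries still V but past expiry,
    R entries without a revocation date, and expected CNs never issued."""
    findings, first_serial = [], {}
    for e in parse_index(text):
        if e["cn"] in first_serial:
            findings.append(f"duplicate CN {e['cn']}: serials {first_serial[e['cn']]} and {e['serial']}")
        first_serial.setdefault(e["cn"], e["serial"])
        if e["status"] == "V" and e["expires"] <= now:
            findings.append(f"serial {e['serial']} ({e['cn']}) is marked V but expired {e['expires']:%Y-%m-%d}")
        if e["status"] == "R" and e["revoked"] is None:
            findings.append(f"serial {e['serial']} ({e['cn']}) is marked R without a revocation date")
    for cn in expected_cns:
        if cn not in first_serial:
            findings.append(f"no certificate has been issued for {cn}")
    return findings
```

Run audit(open("keys/index.txt").read(), utc(...), [...]) against a real easy-rsa keys directory; an empty list means every expected client has a current certificate. Note that the two expiry dates on the page are seven months apart despite both being "3650 days" runs, which is exactly the kind of drift this check surfaces.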
