	5、创建密钥协商参数文件 
	    [root@vpnserver easy-rsa]# pwd 
	    /usr/share/doc/openvpn-2.0.9/easy-rsa 
	    [root@vpnserver easy-rsa]# ./build-dh  
	    Generating DH parameters, 1024 bit long safe prime, generator 2 
	    This is going to take a long time 
	    ...........+...+.........................+.........+........................+.........................+..........+....................+........................+ 
	    ...........................+..................................+................................................+.............+............................+............ 
	    .....................+..+............+................................................................+.........................+...........................+......... 
	    ...........+.......................+.....................................+.................................................+...........................+................. 
	    .......................+...........+..............................+....................................+......+.......................................................... 
	    .............................................+..............................................+.................+....................................+....................... 
	    ................................++*++*++* 
	三、VPN Server配置 
	    前提:在 VPN Server 上开启 ip_forward(内核 IP 转发)功能 
	1、检查相应的密钥文件 
	    [root@master keys]# pwd 
	    /usr/share/doc/openvpn-2.0.9/easy-rsa/keys 
	    [root@master keys]# cp ca.crt vpnserver.crt vpnserver.key /etc/openvpn/ 
	    [root@master keys]# ls /etc/openvpn/ 
	    ca.crt  vpnserver.crt  vpnserver.key 
	    [root@master easy-rsa]# cp keys/dh1024.pem /etc/openvpn/ 
	2、配置VPN Server 
	    [root@master ~]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/ 
	    //openvpn server配置文件 
	    [root@master ~]# vim /etc/openvpn/server.conf  
	    [root@master ~]# grep -P -v "^(#|;|$)" server.conf  
	    local 202.102.1.1 
	    port 1194 
	    proto udp 
	    dev tap 
	    ca ca.crt 
	    cert vpnserver.crt 
	    key vpnserver.key  # This file should be kept secret 
	    dh dh1024.pem 
	    server 10.8.0.0 255.255.255.0 
	    ifconfig-pool-persist ipp.txt 
	    push "route 192.168.1.0 255.255.255.0" 
	    keepalive 10 120 
	    comp-lzo 
	    user nobody 
	    group nobody 
	    persist-key 
	    persist-tun 
	    status openvpn-status.log 
	    verb 3 
	3、启动VPN服务器 
	    [root@master ~]# service openvpn start 
	    [root@master ~]# chkconfig openvpn on 
	    [root@master ~]# ip addr sh tap0 
	    13: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100 
	    link/ether 12:31:8b:9a:e3:02 brd ff:ff:ff:ff:ff:ff 
	    inet 10.8.0.1/24 brd 10.8.0.255 scope global tap0 
	    inet6 fe80::1031:8bff:fe9a:e302/64 scope link  
	       valid_lft forever preferred_lft forever 
	    [root@master ~]# ip route 
	    202.102.1.0/24 dev eth1  proto kernel  scope link  src 202.102.1.1      
	    10.8.0.0/24 dev tap0  proto kernel  scope link  src 10.8.0.1  
	    192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1  
	    169.254.0.0/16 dev eth0  scope link  metric 1002  
	    169.254.0.0/16 dev eth1  scope link  metric 1003  
	四、VPN Client配置 
	1、基本环境准备 
	    [root@slave2 ~]# ip addr show eth1 
	    3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 
	        link/ether 00:0c:29:77:2a:a6 brd ff:ff:ff:ff:ff:ff 
	        inet 202.102.1.2/24 brd 202.102.1.255 scope global eth1 
	        inet6 fe80::20c:29ff:fe77:2aa6/64 scope link  
	           valid_lft forever preferred_lft forever 
	    [root@slave2 ~]# ip route 
	    202.102.1.0/24 dev eth1  proto kernel  scope link  src 202.102.1.2  
	    192.168.2.0/24 dev eth0  proto kernel  scope link  src 192.168.2.3  
	    169.254.0.0/16 dev eth0  scope link  metric 1002  
	    169.254.0.0/16 dev eth1  scope link  metric 1003  
	    [root@slave2 OpenVPN]# rpm -ivh lzo-2.06-1.el6.rfx.x86_64.rpm 
	    [root@slave2 OpenVPN]# rpm -ivh openvpn-2.0.9-1.el6.rf.x86_64.rpm 
	2、从vpnserver复制相应的密钥 
	    [root@slave2 openvpn]# cd /etc/openvpn/ 
	    [root@slave2 openvpn]# ls c* 
	    ca.crt  client1.crt  client1.key 
	3、配置 VPN Client 
	    [root@slave2 openvpn]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/client.conf /etc/openvpn/ 
	    [root@slave2 openvpn]# vi /etc/openvpn/client.conf  
	    [root@slave2 openvpn]# grep -P -v "^(;|#|$)" client.conf  
	    client 
	    dev tap 
	    proto udp 
	    remote vpn.example.com 1194     #此FQDN必须对应vpnserver外网网卡的IP 
	    resolv-retry infinite 
	    nobind 
	    user nobody 
	    group nobody 
	    persist-key 
	    persist-tun 
	    ca ca.crt 
	    cert client.crt 
	    key client.key 
	    comp-lzo 
	    verb 3 
	4、启动并测试 
	    [root@slave2 ~]# service openvpn restart 
	    [root@slave2 ~]# chkconfig openvpn on 
	    [root@slave2 ~]# ip addr 
	    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN  
	        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 
	        inet 127.0.0.1/8 scope host lo 
	        inet6 ::1/128 scope host  
	           valid_lft forever preferred_lft forever 
	    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 
	        link/ether 00:0c:29:77:2a:9c brd ff:ff:ff:ff:ff:ff 
	        inet 192.168.2.3/24 brd 192.168.2.255 scope global eth0 
	        inet6 fe80::20c:29ff:fe77:2a9c/64 scope link  
	           valid_lft forever preferred_lft forever 
	    3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 
	        link/ether 00:0c:29:77:2a:a6 brd ff:ff:ff:ff:ff:ff 
	        inet 202.102.1.2/24 brd 202.102.1.255 scope global eth1 
	        inet 172.16.80.58/24 scope global eth1 
	        inet6 fe80::20c:29ff:fe77:2aa6/64 scope link  
	           valid_lft forever preferred_lft forever 
	    10: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100 
	        link/ether c6:b9:f9:45:99:3a brd ff:ff:ff:ff:ff:ff 
	        inet 10.8.0.2/24 brd 10.8.0.255 scope global tap0 
	        inet6 fe80::c4b9:f9ff:fe45:993a/64 scope link  
	           valid_lft forever preferred_lft forever 
	    [root@slave2 ~]# ip route 
	    202.102.1.0/24 dev eth1  proto kernel  scope link  src 202.102.1.2  
	    192.168.2.0/24 dev eth0  proto kernel  scope link  src 192.168.2.3  
	    192.168.1.0/24 via 10.8.0.1 dev tap0  
	    10.8.0.0/24 dev tap0  proto kernel  scope link  src 10.8.0.2  
	    169.254.0.0/16 dev eth0  scope link  metric 1002  
	    169.254.0.0/16 dev eth1  scope link  metric 1003  
	五、VPN 技术扩展 
	1、基于帐号方式验证 
	    1). vim /etc/openvpn/server.conf 添加以下内容 
	    #########auth password######## 
	    auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env 
	    #client-cert-not-required 
	    username-as-common-name 
	    ############################## 
	    以上三行的内容分别表示:指定用户名/密码的认证脚本;不要求客户端提供证书,仅使用用户名/密码验证(如果要同时启用证书和密码认证,则注释掉该行);将客户端提供的用户名作为 Common Name 
	    2). vim /etc/openvpn/checkpsw.sh 添加以下内容 
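	#!/bin/sh 
	######################################################## 
	# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se> 
	# 
	# This script authenticates OpenVPN users against a plain 
	# text file. The passfile contains one row per user: the 
	# username first, then one or more space(s) or tab(s), then 
	# the password. Rows starting with ';' or '#' are ignored. 
	# 
	# OpenVPN invokes it via 
	#   auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env 
	# so the client-supplied credentials arrive in the environment 
	# variables "username" and "password". 
	# 
	# Exit status: 0 if the password matches, 1 otherwise 
	# (unreadable passfile, unknown user, or wrong password). 
	# 
	# Operator notes: 
	#  - Passwords are stored in clear text: PASSFILE must be 
	#    readable only by the account OpenVPN drops to ("user nobody" 
	#    in server.conf), and LOG_FILE must be writable by it. 
	#  - Keep this script owned by root and not writable by that 
	#    account; whoever can edit it controls VPN authentication. 
	#  - The client-supplied password is never written to LOG_FILE. 
	PASSFILE="/etc/openvpn/psw-file" 
	LOG_FILE="/var/log/openvpn-password.log" 
	TIME_STAMP=$(date "+%Y-%m-%d %T") 
	######################################################## 
	
	# Append one timestamped line to LOG_FILE. The message is passed 
	# as an argument, never as the printf format string. stdout of 
	# this script goes back to OpenVPN, so diagnostics only go here. 
	log_msg() { 
	  printf '%s: %s\n' "${TIME_STAMP}" "$1" >> "${LOG_FILE}" 
	} 
	
	if [ ! -r "${PASSFILE}" ]; then 
	  log_msg "Could not open password file \"${PASSFILE}\" for reading." 
	  exit 1 
	fi 
	
	# Only set by OpenVPN in via-env mode; refuse an empty username 
	# instead of matching it against the passfile. 
	if [ -z "${username}" ]; then 
	  log_msg "No username supplied in the environment." 
	  exit 1 
	fi 
	
	# awk reads the username from ENVIRON instead of having it spliced 
	# into the program text, so a client-chosen username cannot alter 
	# the awk program (the previous version built the pattern by shell 
	# string interpolation). 
	CORRECT_PASSWORD=$(awk '!/^;/ && !/^#/ && $1 == ENVIRON["username"] { print $2; exit }' "${PASSFILE}") 
	
	if [ -z "${CORRECT_PASSWORD}" ]; then 
	  log_msg "User does not exist: username=\"${username}\"." 
	  exit 1 
	fi 
	
	if [ "${password}" = "${CORRECT_PASSWORD}" ]; then 
	  log_msg "Successful authentication: username=\"${username}\"." 
	  exit 0 
	fi 
	
	log_msg "Incorrect password: username=\"${username}\"." 
	exit 1 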
	    [root@node4 openvpn]# ll checkpsw.sh  
	    -rwxr--r-- 1 root root 1191 Sep 17 23:52 checkpsw.sh 
	    [root@node4 openvpn]# chown nobody.nobody checkpsw.sh 
	    3). 建立用户名、密码的列表文件:/etc/openvpn/psw-file 
	    文件的格式:用户名<Tab>密码 
	    user1   pass 
	    user2   pass 
	    [root@node4 openvpn]#chmod 400 /etc/openvpn/psw-file 
	    [root@node4 openvpn]#chown nobody.nobody /etc/openvpn/psw-file 
	    4). 修改vpn客户端的配置文件 
	    一是注释掉下面两行(如果希望同时保留证书认证,也可以不注释) 
	     ;cert client1.crt 
	     ;key client1.key 
	    二是增加验证时询问用户名和密码 
	    auth-user-pass 
	2、安装 Windows VPN 客户端 
	    1).  从http://openvpn.se/files/上下载与openvpn服务器版本一致的Windows客户端“OpenVPN GUI For Windows”  
	    a) 例如, 服务器装的是 OpenVPN 2.0.9, 那么下载的 OpenVPN GUI for Windows 应该是: openvpn-2.0.9-gui-1.0.3-install.exe  
	    2).  执行openvpn-2.0.9-gui-1.0.3-install.exe。一切采用默认设置。  
	    3).  将ca.crt、client1.crt、client1.key复制到C:\Program Files\OpenVPN\config。(不同用户使用不同的证书,每个证书包括.crt和.key两个文件,如client2.crt和client2.key)  
	    4).  在/root/openvpn-2.0.9/sample-config-files/client.conf 的基础上建立客户端配置文件,改名为C:\Program Files\OpenVPN\config\client.ovpn,即先在服务器上建立配置文件,然后再上传改名到客户机上。 
	    a) proto udp改成proto tcp  
	    b) remote那行改成  
	    192.168.1.103   1194            
	    c) ca那3行改为  
	    ca ca.crt  
	    cert client1.crt  
	    key client1.key  
	    d) 注释掉comp-lzo  
	    连接:在右下角的 OpenVPN 图标上右击,选择“Connect”。正常情况下应该能够连接成功,并分配到正常的 IP。


