OpenVPN Configuration on CentOS 5

Server side

1. Download the OpenVPN package repository

[root@localhost opt]#wget

2. Install OpenVPN

[root@localhost opt]# sed --in-place "s/\(.*enabled.*=\).*/\1 0/" /etc/yum.repos.d/rpmforge.repo

[root@localhost opt]# yum --enablerepo rpmforge install openvpn

[root@localhost opt]#mkdir -p /etc/openvpn/easy-rsa

[root@localhost opt]#cd /etc/openvpn/easy-rsa

[root@localhost easy-rsa]#cp -Rv /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/* ./

[root@localhost easy-rsa]#chmod u+x clean-all build-ca whichopensslcnf build-dh build-key pkitool build-key-server

3. Copy the configuration files

[root@localhost easy-rsa]#cd ..

[root@localhost openvpn]#cp /usr/share/doc/openvpn-2.2.0/sample-config-files/server.conf ./

[root@localhost openvpn]# cd /etc/openvpn/easy-rsa   # the easy-rsa directory created in step 2
[root@localhost easy-rsa]# vim vars

Change these values to your own information:

export KEY_COUNTRY="CN"
export KEY_PROVINCE="CHINA"
export KEY_CITY="BEIJING"
export KEY_ORG="CSDN"
export KEY_EMAIL="www.linuxidc.com@"

[root@localhost easy-rsa]# . ./vars   # source the variables so they take effect

[root@localhost easy-rsa]# ./clean-all   # initialize (empties the keys directory)

[root@localhost easy-rsa]# ./build-ca   # create the root CA certificate
Generating a 1024 bit RSA private key
......++++++
...............++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CHINA]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [CSDN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [CSDN CA]:
Name []:
Email Address [gaoming@dev.csdn.net]:

[root@localhost easy-rsa]# ./build-key-server server   # create the server certificate
Generating a 1024 bit RSA private key
..............................................++++++
.............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CHINA]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [CSDN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:server
Name []:
Email Address [gaoming@dev.csdn.net]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'CHINA'
localityName          :PRINTABLE:'BEIJING'
organizationName      :PRINTABLE:'CSDN'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'gaoming@dev.csdn.net'
Certificate is to be certified until Mar 10 02:45:38 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@localhost easy-rsa]# ./build-key client   # create the client certificate
Generating a 1024 bit RSA private key
....................++++++
..........................................................++++++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CHINA]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [CSDN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client]:
Name []:
Email Address [gaoming@dev.csdn.net]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'CHINA'
localityName          :PRINTABLE:'BEIJING'
organizationName      :PRINTABLE:'CSDN'
commonName            :PRINTABLE:'client'
emailAddress          :IA5STRING:'gaoming@dev.csdn.net'
Certificate is to be certified until Mar 10 02:46:46 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@localhost easy-rsa]# ./build-dh   # generate the Diffie-Hellman parameter file
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
(progress output omitted)

4. Configuration file

[root@localhost openvpn]# vim server.conf

local 117.79.92.146
port 1194
proto udp
dev tap
ca ./easy-rsa/keys/ca.crt
cert ./easy-rsa/keys/server.crt
# the private key written by build-key-server; OpenVPN requires it alongside ca and cert
key ./easy-rsa/keys/server.key
dh ./easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
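As an added example that is not part of this tutorial, the following Python script parses an OpenVPN server.conf and flags the points this page's configuration leaves open: the `key` directive that the server.key written by build-key-server needs, the 1024-bit DH parameters that easy-rsa names by size (dh1024.pem), and the `user`/`group` privilege drop that the notes at the end refer to. The embedded sample is constructed from the config above and deliberately leaves out `key` so the check fires; `min_dh_bits` is my own threshold.

```python
import re
# Constructed sample modelled on this tutorial's server.conf; 'key' is left out on purpose.
SAMPLE_SERVER_CONF = """\
local 117.79.92.146
port 1194
proto udp
dev tap
ca ./easy-rsa/keys/ca.crt
cert ./easy-rsa/keys/server.crt
dh ./easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
"""

def parse_conf(text):
    """Map each directive to the list of argument strings it was given."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment lines start with '#' or ';'
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return conf

def lint_server_conf(text, min_dh_bits=2048):
    """Return findings for this tutorial's weak spots; an empty list means all checks passed."""
    conf = parse_conf(text)
    # Certificate-based TLS needs ca, cert and key together, plus dh on the server side.
    findings = ["missing required directive '%s'" % d
                for d in ("ca", "cert", "key", "dh") if d not in conf]
    # easy-rsa names the DH file by its size (dh1024.pem); flag sizes below min_dh_bits.
    for arg in conf.get("dh", []):
        m = re.search(r"dh(\d+)\.pem$", arg)
        if m and int(m.group(1)) < min_dh_bits:
            findings.append("dh parameters are only %s bits" % m.group(1))
    # Without user/group the daemon keeps root after startup; the tutorial's
    # persist-key/persist-tun are what let a privilege drop survive restarts.
    if "user" not in conf or "group" not in conf:
        findings.append("no 'user'/'group' directives: daemon keeps root privileges")
    return findings
```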

5. Start OpenVPN

[root@localhost openvpn]# /etc/init.d/openvpn start

Starting openvpn: [ OK ]
[root@localhost openvpn]# ifconfig   # the new virtual interface that has appeared
tap0      Link encap:Ethernet  HWaddr 66:78:46:2C:A8:8B
          inet addr:10.8.0.1  Bcast:10.8.0.255  Mask:255.255.255.0
          inet6 addr: fe80::6478:46ff:fe2c:a88b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:5728 (5.5 KiB)

Client side

Installation is the same as on the server. The differences are that you do not need to copy the easy-rsa directory, you choose client.conf when copying the configuration file, and you copy the server's ca.crt, client.crt and client.key to the client.

Then just start the service.

Notes: make sure the clocks are synchronized when generating the certificates; if the server side runs as nobody, don't forget to grant that user the necessary permissions on the key and log files.
