Configuring and installing an OpenVPN server on Fedora 15
Source: Internet. Editor: 程序博客网. Time: 2024/06/05 06:17
1. Install the required packages
Following the experience others have shared online, the LZO library is needed; on Fedora the corresponding package is lzo-devel.
Commands:
yum install lzo-devel
yum install openvpn
2. Generate the certificates
Once OpenVPN is installed, the certificate tool kit (easy-rsa) is found in /usr/share/openvpn/easy-rsa. We copy it to /etc/openvpn. The reason for copying is given in /usr/share/openvpn/easy-rsa/2.0/vars: if OpenVPN was installed from an RPM package, /usr/share/openvpn/easy-rsa is replaced on upgrade, and the certificates and database files we generated there would be gone.
Commands:
Default location of the tool kit: /usr/share/openvpn/easy-rsa
Location for the certificate configuration: /etc/openvpn/
Location where the certificates are generated: /etc/openvpn/easy-rsa/2.0/keys
# cp -r /usr/share/openvpn/easy-rsa /etc/openvpn/
# mkdir /etc/openvpn/easy-rsa/2.0/keys
2. Edit the variable initialisation file vars, i.e. easy-rsa/2.0/vars
Comment out export CA_EXPIRE=3650 by putting a # in front of it
Comment out export KEY_EXPIRE=3650 by putting a # in front of it
Change the certificate defaults:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SH"
export KEY_CITY="Shanghai"
export KEY_ORG="mediaman"
export KEY_EMAIL="samsun.xu@mediaman.com.cn"
3. Initialise the certificate store
a) Load the variables
# . ./vars
b) Empty the certificate store
# ./clean-all
Note: the first command begins with a dot (it sources vars into the current shell); do not leave it out. Both commands are run from /etc/openvpn/easy-rsa/2.0.
4. Build the CA (the certificate verification mechanism)
# ./build-ca
........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) [mediaman]:
Organizational Unit Name (eg, section) []:vpn
Common Name (eg, your name or your server's hostname) []:server
Email Address [samsun.xu@mediaman.com.cn]:
Enter the requested information as you go; wherever a y/n question appears, answer y. When finished, the two files ca.crt and ca.key are created in the keys directory.
5. Server certificate
# ./build-key-server server
Generating a 1024 bit RSA private key
......++++++
....................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) [mediaman]:
Organizational Unit Name (eg, section) []:vpn
Common Name (eg, your name or your server's hostname) [server]:
Email Address [samsun.xu@mediaman.com.cn]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:q1w2e3r4
An optional company name []:mediaman
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SH'
localityName          :PRINTABLE:'Shanghai'
organizationName      :PRINTABLE:'mediaman'
organizationalUnitName:PRINTABLE:'vpn'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'samsun.xu@mediaman.com.cn'
Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
When this completes, the three files server.crt, server.csr and server.key are created in the keys directory.
6. Client certificates
With this way of configuring OpenVPN, every VPN client that logs in needs its own certificate, and each certificate can serve only one connected client at a time (if two machines install the same certificate and dial the server at the same time, both connect, but only the first one to connect can actually reach the network). So a good number of certificates need to be created.
# ./build-key client1
Generating a 1024 bit RSA private key
.....++++++
......++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) [mediaman]:
Organizational Unit Name (eg, section) []:vpn
Common Name (eg, your name or your server's hostname) [client1]:
Email Address [samsun.xu@mediaman.com.cn]:client1@mediaman.com.cn
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:q1w2e3r4
An optional company name []:mediaman
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SH'
localityName          :PRINTABLE:'Shanghai'
organizationName      :PRINTABLE:'mediaman'
organizationalUnitName:PRINTABLE:'vpn'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'client1@mediaman.com.cn'
Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
When this completes, the three files client1.crt, client1.csr and client1.key are created in the keys directory.
One server can be configured with many client certificates, but no two clients may be the same. This shows mainly in the CommonName: every client's CommonName must be different. You can go on to create client2, client3, ... as follows:
# ./build-key client2
# ./build-key client3
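The "Write out database" line in the output above is OpenSSL updating the CA's index.txt in the keys directory. The following added example (not part of the original post) parses that index format and flags the two things the text warns about: a CommonName issued to more than one live certificate, and certificates that are already past their expiry. The index lines are constructed to mirror the server and client1 certificates built above; the real file in this layout would be /etc/openvpn/easy-rsa/2.0/keys/index.txt.

```python
"""Audit the CA database (keys/index.txt) that build-key updates with
"Write out database with 1 new entries". Added example, not from the post.
OpenSSL's index is one tab-separated line per issued certificate:
  status  expiry(YYMMDDHHMMSSZ)  revocation-date  serial  filename  subject
where status is V (valid), R (revoked) or E (expired)."""
from datetime import datetime, timezone

# Constructed sample database; in this guide's layout the real file is
# /etc/openvpn/easy-rsa/2.0/keys/index.txt. Serial 04 reuses CN=client1.
DN = "/C=CN/ST=SH/L=Shanghai/O=mediaman/OU=vpn/CN={cn}/emailAddress={mail}"
SAMPLE_INDEX = "\n".join([
    "V\t160319081531Z\t\t01\tunknown\t" + DN.format(cn="server", mail="samsun.xu@mediaman.com.cn"),
    "V\t160319082200Z\t\t02\tunknown\t" + DN.format(cn="client1", mail="client1@mediaman.com.cn"),
    "R\t160319082300Z\t130101120000Z\t03\tunknown\t" + DN.format(cn="client2", mail="client2@mediaman.com.cn"),
    "V\t160319082400Z\t\t04\tunknown\t" + DN.format(cn="client1", mail="laptop@mediaman.com.cn"),
])


def parse_index(text):
    """Return one dict per entry, with the CN pulled out of the subject DN."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _fname, subject = line.split("\t")
        rdn = dict(p.split("=", 1) for p in subject.strip("/").split("/"))
        entries.append({
            "status": status,
            "expires": datetime.strptime(expiry, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc),
            # R entries carry "date" or "date,reason"; V entries leave the field empty
            "revoked": revoked.split(",")[0] or None,
            "serial": serial,
            "cn": rdn.get("CN"),
        })
    return entries


def audit(entries, today):
    """Flag CNs shared by more than one usable cert (only one such client can
    hold a tunnel at a time) and V-status certs already expired on `today` (YYYY-MM-DD)."""
    now = datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    usable = [e for e in entries if e["status"] == "V" and e["expires"] > now]
    by_cn = {}
    for e in usable:
        by_cn.setdefault(e["cn"], []).append(e["serial"])
    return {
        "usable": sorted(by_cn),
        "duplicate_cn": {cn: s for cn, s in by_cn.items() if len(s) > 1},
        "expired": [e["serial"] for e in entries if e["status"] == "V" and e["expires"] <= now],
    }
```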
7. Build the DH parameters (build-dh)
This runs a cryptographic algorithm once over the certificates and keys we just generated (exactly which algorithm, I don't know either), and after it our certificates and keys are all ready. (What build-dh actually produces is the Diffie-Hellman parameter file used for the TLS key exchange; it does not modify the certificates or keys themselves.)
# ./build-dh
dh1024.pem is now created in the keys directory.
5. Configure the server
If step 4 went through normally, we can start configuring the server. If anything went wrong along the way, it is best to empty the certificate store with ./clean-all and start over.
1. First copy the certificates, the server key, the DH parameters and the CA certificate to /etc/openvpn
# cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /etc/openvpn/
# cp /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem /etc/openvpn/
# cp /etc/openvpn/easy-rsa/2.0/keys/server.crt /etc/openvpn/
# cp /etc/openvpn/easy-rsa/2.0/keys/server.key /etc/openvpn/
2. Then copy the server configuration file to /etc/openvpn
# cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn/
3. Edit the /etc/openvpn/server.conf configuration file
Remove the leading ; semicolons from the following two lines, so that the daemon drops root privileges after initialisation:
;user nobody
;group nobody
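A quick way to confirm the edit took effect, as an added example that is not part of the original post: parse server.conf the way OpenVPN reads it (a line beginning with ; or # is a comment) and report whether the privilege-dropping directives are active and whether the ca/cert/key/dh entries match the files copied in step 1. The two config excerpts are constructed from the shipped sample; the check function and its expected file names are assumptions of this example.

```python
"""Check the edits step 3 makes to /etc/openvpn/server.conf. Added example,
not from the post. OpenVPN ignores a line that starts with ';' or '#', so the
shipped sample keeps the daemon running as root until the ';' in front of
'user nobody' and 'group nobody' is removed."""

# Constructed excerpt of sample-config-files/server.conf as shipped
SHIPPED = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
;user nobody
;group nobody
"""
# The same excerpt after step 3 (leading ';' removed from the two lines)
EDITED = SHIPPED.replace(";user nobody", "user nobody").replace(";group nobody", "group nobody")


def parse_server_conf(text):
    """Map each active directive to its argument list, dropping comments."""
    directives = {}
    for raw in text.splitlines():
        # cut at the first '#' or ';' (quoted arguments are not handled here)
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            directives[name] = args
    return directives


def check_hardening(text, expected=("ca.crt", "server.crt", "server.key", "dh1024.pem")):
    """Return the findings a reviewer would raise; an empty list means the
    config matches what this guide sets up (files copied into /etc/openvpn)."""
    conf = parse_server_conf(text)
    findings = []
    for directive in ("user", "group"):
        if conf.get(directive) != ["nobody"]:
            findings.append(f"'{directive} nobody' is missing or commented out: daemon keeps root privileges")
    for directive, want in zip(("ca", "cert", "key", "dh"), expected):
        got = conf.get(directive, [None])[0]
        if got != want:
            findings.append(f"{directive} should reference {want}, found {got!r}")
    if conf.get("port", ["1194"]) != ["1194"]:
        findings.append("port is not 1194: adjust the step-4 port check and the firewall rule")
    return findings
```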
4. Start openvpn
# /etc/init.d/openvpn start
Check whether port 1194 is now open; if 1194 is open, congratulations, your OpenVPN server is configured.
5. Start openvpn automatically at boot
# ntsysv
Find the openvpn service, tick it and confirm; the openvpn service will then be loaded automatically at the next boot. ntsysv manages the start-up list of software installed through the package tools; if you do not have ntsysv, I suggest installing it (you installed the whole graphical desktop, so why not this one small tool?), or use chkconfig to switch openvpn on or off directly, which I will not go into here.
6. Set up the firewall
In System Administration, open the firewall configuration and enable OpenVPN and SSH (just tick the boxes).