Installing OpenVPN 2.3.12 and using easy-rsa 3
Source: Internet  Posted under: ios存储数据的方法  Editor: 程序博客网  Time: 2024/06/16 09:02
Recently the company asked for an OpenVPN deployment on the internal network. Looking online I found that OpenVPN has already moved on to a newer version (2.3.12 here), and the biggest change is that the source tarball no longer ships easy-rsa: deploying OpenVPN now means downloading the easy-rsa program from GitHub, and easy-rsa itself is already at its third major version (easy-rsa 2 used to be the common one). So I decided to write up the deployment of the new OpenVPN version and the use of easy-rsa 3.
Deploying OpenVPN:
1: Install the related packages from the yum repository:
# yum -y install _64 pam-_64
2: Install the lzo package. lzo has to be compiled from source, otherwise compiling OpenVPN fails with an "lzo missing" error:
# tar -zxvf lzo-
# cd lzo-
# ./configure --prefix=/usr/local
# make && make install
3: Compile and install OpenVPN:
# tar -zxvf openvpn-
# cd openvpn-
# ./configure --prefix=/opt/apps/openvpn
# make && make install
4: Obtain the easy-rsa 3 application:
Create the etc directory and download the easy-rsa 3 package from /OpenVPN/easy-rsa:
# mkdir /opt/apps/openvpn/etc && cd /opt/apps/openvpn/etc
# unzip easy-rsa-
# cd easy-rsa-master && mv easyrsa3 ../ && cd ..
That gives us the easyrsa3 program; its directory structure is as follows:
# tree easyrsa3/
easyrsa3/
├── easyrsa
├── openssl-
├── 
└── x509-types
    ├── ca
    ├── client
    ├── COMMON
    └── server
As you can see, easy-rsa 3 has dropped most of the executables that version 2 had; only the single easyrsa executable remains, and that one file creates all the key files you need.
5: Create the server and client keys:
Server side (everything here is created without a password, to avoid the hassle of entering the PAM password later):
# cp -rp easyrsa3 key_server
# cd key_server
---- the vars file ----
# mv vars
---- initialise the pki directory ----
# ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /opt/apps/openvpn/etc/key_server/pki
---- create the server CA file without a password ----
# ./easyrsa build-ca nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
................................................................+++
......................+++
writing new private key to '/opt/apps/openvpn/etc/key_server/pki/private/'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/opt/apps/openvpn/etc/key_server/pki/
---- create the server key file ----
# ./easyrsa gen-req cmhserver nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...................................+++
...................................................+++
writing new private key to '/opt/apps/openvpn/etc/key_server/pki/private/'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [cmhserver]:

Keypair and certificate request completed. Your files are:
req: /opt/apps/openvpn/etc/key_server/pki/reqs/
key: /opt/apps/openvpn/etc/key_server/pki/private/
---- sign the server CN, generating the server crt file ----
# ./easyrsa sign server cmhserver
Note: using Easy-RSA configuration from: ./vars

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = cmhserver

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /opt/apps/openvpn/etc/key_server/openssl-
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'cmhserver'
Certificate is to be certified until Oct 29 03:51:14 2026 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /opt/apps/openvpn/etc/key_server/pki/issued/
---- generate the DH parameters file ----
# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
(progress dots omitted)
DH parameters of size 2048 created at /opt/apps/openvpn/etc/key_server/pki/
Client side:
# cd /opt/apps/openvpn/etc
# cp -rp easyrsa3 key_client
# cd key_client
---- the vars file ----
# mv vars
---- initialise the pki directory ----
# ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /opt/apps/openvpn/etc/key_server/pki
---- create the client key file without a password ----
# ./easyrsa gen-req cmhclient nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...............+++
..........................+++
writing new private key to '/opt/apps/openvpn/etc/key_client/pki/private/'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [cmhclient]:

Keypair and certificate request completed. Your files are:
req: /opt/apps/openvpn/etc/key_client/pki/reqs/
key: /opt/apps/openvpn/etc/key_client/pki/private/
---- go to the server key directory and import the client req so it registers with the server CA ----
# cd ../key_server/
# ./easyrsa import-req /opt/apps/openvpn/etc/key_client/pki/reqs/ cmhclient
Note: using Easy-RSA configuration from: ./vars

The request has been successfully imported with a short name of: cmhclient
You may now use this name to perform signing operations on this request.
---- sign the client CN, generating the client crt file ----
# ./easyrsa sign client cmhclient
Note: using Easy-RSA configuration from: ./vars

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 3650 days:

subject=
    commonName                = cmhclient

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /opt/apps/openvpn/etc/key_server/openssl-
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'cmhclient'
Certificate is to be certified until Oct 29 03:54:56 2026 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /opt/apps/openvpn/etc/key_server/pki/issued/
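One check worth running once the server and client certificates have been signed: Easy-RSA 3 records every issued certificate in pki/index.txt (the "Write out database with 1 new entries" line in the output). The following Python is an added example, not code from the original post or from Easy-RSA; the index lines and serial numbers in it are constructed.

```python
# Added example, not from the original post or from Easy-RSA: audit the CA
# database that Easy-RSA 3 keeps in pki/index.txt. It is the OpenSSL CA index:
# tab-separated status, expiry, revocation date, serial, filename, subject.
# The sample lines below are constructed and the serial numbers are made up.
from datetime import datetime, timezone

SAMPLE_INDEX = (
    "V\t261029035114Z\t\t01\tunknown\t/CN=cmhserver\n"
    "V\t261029035456Z\t\t02\tunknown\t/CN=cmhclient\n"
    "R\t261029035456Z\t241101120000Z\t03\tunknown\t/CN=oldclient\n"
)

def parse_time(stamp):
    """Parse the YYMMDDHHMMSSZ timestamps used by the OpenSSL index."""
    return datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_index(text):
    """Return one dict per certificate recorded in an index.txt body."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _name, subject = line.split("\t")
        entries.append({
            "status": status,  # V = valid, R = revoked, E = expired
            "expires": parse_time(expiry),
            "revoked": parse_time(revoked) if revoked else None,
            "serial": serial,
            "cn": subject.rsplit("/CN=", 1)[-1],
        })
    return entries

def audit(text, now, warn_days=30):
    """Group CNs by state relative to `now`; certificates close to expiry are flagged."""
    report = {"valid": [], "expiring": [], "expired": [], "revoked": []}
    for e in parse_index(text):
        if e["status"] == "R":
            report["revoked"].append(e["cn"])
        elif e["expires"] <= now:
            report["expired"].append(e["cn"])
        elif (e["expires"] - now).days < warn_days:
            report["expiring"].append(e["cn"])
        else:
            report["valid"].append(e["cn"])
    return report

if __name__ == "__main__":
    # On a real server read /opt/apps/openvpn/etc/key_server/pki/index.txt instead.
    print(audit(SAMPLE_INDEX, datetime.now(timezone.utc)))
```

Run it periodically against the server's pki/index.txt to see which client certificates are still live and which ones need renewing before they expire.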
6: Server configuration. Point it at the ca, crt and key files, and enable IP forwarding on the server and forwarding in the firewall:
# cp /opt/src/openvpn-/sample/sample-config-files/ /opt/apps/openvpn/etc/
# grep -v "^#" | grep -v "^;" | grep -v "^$"
local 
port 1194
proto tcp
dev tun
ca /opt/apps/openvpn/etc/key_server/pki/
cert /opt/apps/openvpn/etc/key_server/pki/issued/
key /opt/apps/openvpn/etc/key_server/pki/private/
dh /opt/apps/openvpn/etc/key_server/pki/
server 
ifconfig-pool-persist 
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-
verb 3
Enable IP forwarding on the server and make it take effect:
# grep ipv4 /etc/
_forward = 1
# sysctl -p
_forward = 1
# iptables -t nat -A POSTROUTING -s /24 -j MASQUERADE
7: Start the service and configure the client:
# /opt/apps/openvpn/sbin/openvpn --daemon --config /opt/apps/openvpn/etc/
Download the following files to the client and load them; the VPN can then be used with these keys. (Client configuration differs from one operating system to another, so it is not covered here.)
/opt/apps/openvpn/etc/key_server/pki/
/opt/apps/openvpn/etc/key_client/pki/private/
/opt/apps/openvpn/etc/key_server/pki/issued/