所属类别:Linux
文章作者:dow
特别推荐:免费发布信息 承包关键词~~抢爆了!HOT!
奋战OpenVPN其实上周六就完成了,但是这篇心得却整理了我整整一天。由于在OpenVPN上花的精力不多,对OpenVPN的一些基础的内容做了的基本的了解和学习,这次就把它尽可能的细化。也希望能够帮助正在需要了解和学习OpenVPN的朋友。系统环境:CentOS5操作系统。主机VPNSRV01是我的VPN Server。主机VPNCLNT00是我的测试VPN Client。Yum 安装 OpenVPN=========================================================[root@VPNSRV01]# yum install openvpn*Dependencies Resolved=============================================================================Package Arch Version Repository Size=============================================================================Installing:openvpn (主程序包) i386 2.0.9-1.el4.rf dag 345 kInstalling for dependencies:lzo2 (相关依赖包) i386 2.02-3.el4.rf dag 101 kopenssl097a (相关依赖包) i386 0.9.7a-9 base 825 kTransaction Summary=============================================================================Install 3 Package(s)Update 0 Package(s)Remove 0 Package(s)Total download size: 1.2 MIs this ok [y/N]: yDownloading Packages:(1/3): openvpn-2.0.9-1.el 100% ========================= 345 kB 00:06(2/3): openssl097a-0.9.7a 100% ========================= 825 kB 00:00(3/3): lzo2-2.02-3.el4.rf 100% ========================= 101 kB 00:03warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID e8562897Importing GPG key 0xE8562897 "CentOS-5 Key (CentOS 5 Official Signing Key)" from ftp://123.123.123.214//RPM-GPG-KEY-CentOS-5Is this ok [y/N]: yRunning Transaction Testwarning: openvpn-2.0.9-1.el4.rf: Header V3 DSA signature: NOKEY, key ID6b8d79e6Finished Transaction TestTransaction Test SucceededRunning Transaction Installing: lzo2 ######################### [1/3] Installing: openssl097a ######################### [2/3] Installing: openvpn ######################### [3/3]Installed: openvpn.i386 0:2.0.9-1.el4.rfDependency Installed: lzo2.i386 0:2.02-3.el4.rf openssl097a.i386 0:0.9.7a-9Complete!安装PAM功能包===============================================================[root@VPNSRV01]# yum install pam*Dependencies Resolved=============================================================================Package Arch Version Repository Size=============================================================================Installing:pam-devel i386 0.99.6.2-3.14.el5 base 186 kpam_abl i386 0.2.3-1.el4.rf dag 50 kpam_script i386 0.1.7-1.el4.rf dag 11 kpam_shield i386 0.9.2-1.el4.rf dag 39 kpam_ssh i386 1.91-1.el4.rf dag 88 kpamtester i386 0.1.2-1.el4.rf dag 15 kInstalling for dependencies:compat-db i386 4.2.52-5.1 base 1.7 MTransaction Summary=============================================================================Install 7 Package(s)Update 0 Package(s)Remove 0 Package(s)Total download size: 2.1 MIs this ok [y/N]: yDownloading Packages:(1/7): pam_script-0.1.7-1 100% ========================= 11 kB 00:00(2/7): pam_shield-0.9.2-1 100% ========================= 39 kB 00:01(3/7): pam_abl-0.2.3-1.el 100% ========================= 50 kB 00:01(4/7): pam-devel-0.99.6.2 100% ========================= 186 kB 00:00(5/7): pamtester-0.1.2-1. 100% ========================= 15 kB 00:00(6/7): compat-db-4.2.52-5 100% ========================= 1.7 MB 00:00(7/7): pam_ssh-1.91-1.el4 100% ========================= 88 kB 00:02Running Transaction Testwarning: pam_script-0.1.7-1.el4.rf: Header V3 DSA signature: NOKEY, key ID6b8d79e6Finished Transaction TestTransaction Test SucceededRunning Transaction Installing: compat-db ######################### [1/7] Installing: pam_script ######################### [2/7] Installing: pam_shield ######################### [3/7] Installing: pam_abl ######################### [4/7] Installing: pam-devel ######################### [5/7] Installing: pamtester ######################### [6/7] Installing: pam_ssh ######################### [7/7]Installed: pam-devel.i386 0:0.99.6.2-3.14.el5 pam_abl.i386 0:0.2.3-1.el4.rfpam_script.i386 0:0.1.7-1.el4.rf pam_shield.i386 0:0.9.2-1.el4.rf pam_ssh.i3860:1.91-1.el4.rf pamtester.i386 0:0.1.2-1.el4.rfDependency Installed: compat-db.i386 0:4.2.52-5.1Complete!察看OpenVPN的所有相关文档============================================================[root@VPNSRV01]# updatedb[root@VPNSRV01]# locate openvpn/etc/openvpn/etc/rc.d/init.d/openvpn/etc/rc.d/rc0.d/K76openvpn/etc/rc.d/rc1.d/K76openvpn/etc/rc.d/rc2.d/K76openvpn/etc/rc.d/rc3.d/S24openvpn/etc/rc.d/rc4.d/S24openvpn/etc/rc.d/rc5.d/S24openvpn/etc/rc.d/rc6.d/K76openvpn/usr/sbin/openvpn/usr/share/openvpn/usr/share/doc/openvpn-2.0.9/usr/share/doc/openvpn-2.0.9/AUTHORS/usr/share/doc/openvpn-2.0.9/COPYING/usr/share/doc/openvpn-2.0.9/COPYRIGHT.GPL/usr/share/doc/openvpn-2.0.9/ChangeLog/usr/share/doc/openvpn-2.0.9/INSTALL/usr/share/doc/openvpn-2.0.9/NEWS/usr/share/doc/openvpn-2.0.9/PORTS/usr/share/doc/openvpn-2.0.9/README/usr/share/doc/openvpn-2.0.9/README.auth-pam/usr/share/doc/openvpn-2.0.9/README.down-root/usr/share/doc/openvpn-2.0.9/README.plugins/usr/share/doc/openvpn-2.0.9/contrib/usr/share/doc/openvpn-2.0.9/easy-rsa/usr/share/doc/openvpn-2.0.9/management/usr/share/doc/openvpn-2.0.9/sample-config-files/usr/share/doc/openvpn-2.0.9/sample-keys/usr/share/doc/openvpn-2.0.9/sample-scripts/usr/share/doc/openvpn-2.0.9/contrib/README/usr/share/doc/openvpn-2.0.9/contrib/multilevel-init.patch/usr/share/doc/openvpn-2.0.9/contrib/openvpn-fwmarkroute-1.00/usr/share/doc/openvpn-2.0.9/contrib/pull-resolv-conf/usr/share/doc/openvpn-2.0.9/contrib/openvpn-fwmarkroute-1.00/README/usr/share/doc/openvpn-2.0.9/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down/usr/share/doc/openvpn-2.0.9/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up/usr/share/doc/openvpn-2.0.9/contrib/pull-resolv-conf/client.down/usr/share/doc/openvpn-2.0.9/contrib/pull-resolv-conf/client.up/usr/share/doc/openvpn-2.0.9/easy-rsa/.externals/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/usr/share/doc/openvpn-2.0.9/easy-rsa/README/usr/share/doc/openvpn-2.0.9/easy-rsa/Windows/usr/share/doc/openvpn-2.0.9/easy-rsa/build-ca/usr/share/doc/openvpn-2.0.9/easy-rsa/build-dh/usr/share/doc/openvpn-2.0.9/easy-rsa/build-inter/usr/share/doc/openvpn-2.0.9/easy-rsa/build-key/usr/share/doc/openvpn-2.0.9/easy-rsa/build-key-pass/usr/share/doc/openvpn-2.0.9/easy-rsa/build-key-pkcs12/usr/share/doc/openvpn-2.0.9/easy-rsa/build-key-server/usr/share/doc/openvpn-2.0.9/easy-rsa/build-req/usr/share/doc/openvpn-2.0.9/easy-rsa/build-req-pass/usr/share/doc/openvpn-2.0.9/easy-rsa/clean-all/usr/share/doc/openvpn-2.0.9/easy-rsa/list-crl/usr/share/doc/openvpn-2.0.9/easy-rsa/make-crl/usr/share/doc/openvpn-2.0.9/easy-rsa/openssl.cnf/usr/share/doc/openvpn-2.0.9/easy-rsa/revoke-crt/usr/share/doc/openvpn-2.0.9/easy-rsa/revoke-full/usr/share/doc/openvpn-2.0.9/easy-rsa/sign-req/usr/share/doc/openvpn-2.0.9/easy-rsa/vars/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/Makefile/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/README/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/build-ca/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/build-dh/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/build-inter/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/build-key/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/build-key-pass/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/build-key-pkcs12/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/build-key-server/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/build-req/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/build-req-pass/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/clean-all/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/inherit-inter/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/list-crl/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/openssl-0.9.6.cnf/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/openssl.cnf/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/pkitool/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/revoke-full/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/sign-req/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/vars/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/whichopensslcnf/usr/share/doc/openvpn-2.0.9/easy-rsa/Windows/README.txt/usr/share/doc/openvpn-2.0.9/easy-rsa/Windows/build-ca.bat/usr/share/doc/openvpn-2.0.9/easy-rsa/Windows/build-dh.bat/usr/share/doc/openvpn-2.0.9/easy-rsa/Windows/build-key-pkcs12.bat/usr/share/doc/openvpn-2.0.9/easy-rsa/Windows/build-key-server.bat/usr/share/doc/openvpn-2.0.9/easy-rsa/Windows/build-key.bat/usr/share/doc/openvpn-2.0.9/easy-rsa/Windows/clean-all.bat/usr/share/doc/openvpn-2.0.9/easy-rsa/Windows/index.txt.start/usr/share/doc/openvpn-2.0.9/easy-rsa/Windows/init-config.bat/usr/share/doc/openvpn-2.0.9/easy-rsa/Windows/revoke-full.bat/usr/share/doc/openvpn-2.0.9/easy-rsa/Windows/serial.start/usr/share/doc/openvpn-2.0.9/easy-rsa/Windows/vars.bat.sample/usr/share/doc/openvpn-2.0.9/management/management-notes.txt/usr/share/doc/openvpn-2.0.9/sample-config-files/README/usr/share/doc/openvpn-2.0.9/sample-config-files/client.conf/usr/share/doc/openvpn-2.0.9/sample-config-files/firewall.sh/usr/share/doc/openvpn-2.0.9/sample-config-files/home.up/usr/share/doc/openvpn-2.0.9/sample-config-files/loopback-client/usr/share/doc/openvpn-2.0.9/sample-config-files/loopback-server/usr/share/doc/openvpn-2.0.9/sample-config-files/office.up/usr/share/doc/openvpn-2.0.9/sample-config-files/openvpn-shutdown.sh/usr/share/doc/openvpn-2.0.9/sample-config-files/openvpn-startup.sh/usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf/usr/share/doc/openvpn-2.0.9/sample-config-files/static-home.conf/usr/share/doc/openvpn-2.0.9/sample-config-files/static-office.conf/usr/share/doc/openvpn-2.0.9/sample-config-files/tls-home.conf/usr/share/doc/openvpn-2.0.9/sample-config-files/tls-office.conf/usr/share/doc/openvpn-2.0.9/sample-config-files/xinetd-client-config/usr/share/doc/openvpn-2.0.9/sample-config-files/xinetd-server-config/usr/share/doc/openvpn-2.0.9/sample-keys/README/usr/share/doc/openvpn-2.0.9/sample-keys/client.crt/usr/share/doc/openvpn-2.0.9/sample-keys/client.key/usr/share/doc/openvpn-2.0.9/sample-keys/dh1024.pem/usr/share/doc/openvpn-2.0.9/sample-keys/pass.crt/usr/share/doc/openvpn-2.0.9/sample-keys/pass.key/usr/share/doc/openvpn-2.0.9/sample-keys/pkcs12.p12/usr/share/doc/openvpn-2.0.9/sample-keys/server.crt/usr/share/doc/openvpn-2.0.9/sample-keys/server.key/usr/share/doc/openvpn-2.0.9/sample-keys/tmp-ca.crt/usr/share/doc/openvpn-2.0.9/sample-keys/tmp-ca.key/usr/share/doc/openvpn-2.0.9/sample-scripts/auth-pam.pl/usr/share/doc/openvpn-2.0.9/sample-scripts/bridge-start/usr/share/doc/openvpn-2.0.9/sample-scripts/bridge-stop/usr/share/doc/openvpn-2.0.9/sample-scripts/openvpn.init/usr/share/doc/openvpn-2.0.9/sample-scripts/verify-cn/usr/share/doc/selinux-policy-2.4.6/html/services_openvpn.html/usr/share/logwatch/default.conf/services/openvpn.conf/usr/share/logwatch/scripts/services/openvpn/usr/share/man/man8/openvpn.8.gz/usr/share/openvpn/plugin/usr/share/openvpn/plugin/lib/usr/share/openvpn/plugin/lib/openvpn-auth-pam.so/usr/share/openvpn/plugin/lib/openvpn-down-root.so将模版中的easy-rsa的目录复制到/etc/openvpn/的路径下默认安装好OpenVPN的主配置路径/etc/openvpn/下是空的。[root@VPNSRV01]# cp -r /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/察看/etc/openvpn/easy-rsa/下的文件[root@VPNSRV01]# ll /etc/openvpn/easy-rsa/total 88drwxr-xr-x 2 root root 4096 Aug 27 10:20 2.0-rw-r--r-- 1 root root 242 Aug 27 10:20 build-ca-rw-r--r-- 1 root root 228 Aug 27 10:20 build-dh-rw-r--r-- 1 root root 529 Aug 27 10:20 build-inter-rw-r--r-- 1 root root 516 Aug 27 10:20 build-key-rw-r--r-- 1 root root 424 Aug 27 10:20 build-key-pass-rw-r--r-- 1 root root 695 Aug 27 10:20 build-key-pkcs12-rw-r--r-- 1 root root 662 Aug 27 10:20 build-key-server-rw-r--r-- 1 root root 466 Aug 27 10:20 build-req-rw-r--r-- 1 root root 402 Aug 27 10:20 build-req-pass-rw-r--r-- 1 root root 280 Aug 27 10:20 clean-all-rw-r--r-- 1 root root 264 Aug 27 10:20 list-crl-rw-r--r-- 1 root root 268 Aug 27 10:20 make-crl-rw-r--r-- 1 root root 7487 Aug 27 10:20 openssl.cnf-rw-r--r-- 1 root root 6075 Aug 27 10:20 README-rw-r--r-- 1 root root 268 Aug 27 10:20 revoke-crt-rw-r--r-- 1 root root 593 Aug 27 10:20 revoke-full-rw-r--r-- 1 root root 411 Aug 27 10:20 sign-req-rw-r--r-- 1 root root 1266 Aug 27 10:20 varsdrwxr-xr-x 2 root root 4096 Aug 27 10:20 Windows这里有很多的是脚本文件,但是目前都是没有任何级别的执行权限,因此要用命令给与他们执行的权限创造唯用户添加执行权限的命令ux[root@VPNSRV01]# alias ux='chmod u+x'出于便利和安全性的考虑,并且将这个ux命令赋给root,使root今后一直具有这个命令[root@VPNSRV01]# echo "alias ux='chmod u+x'" >> /root/.bashrc察看root的.bashrc文件,进行确认[root@VPNSRV01]# cat /root/.bashrc---------------------------------------------# .bashrc# User specific aliases and functionsalias rm='rm -i'alias cp='cp -i'alias mv='mv -i'# Source global definitionsif [ -f /etc/bashrc ]; then . /etc/bashrcfialias ux='chmod u+x' (刚才添加进来的)-----------------------------------------------赋予vars脚本用户执行权[root@VPNSRV01 easy-rsa]# ux vars使用环境载入方式将vars载入系统环境之中。这里和简单的脚本运行不同,由于vars这个脚本里面定义了许多关键的变量和环境所以简单使用“./”运行是失败的,而必须使用载入的方法“. vars”(点 空格 vars)。[root@VPNSRV01 easy-rsa]# . varsNOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys载入vars脚本后出现提示信息,提示下一步可以运行clean-all的脚本了。并且一旦运行这个文件就会清空/etc/openvpn/easy-rsa/keys/下的所有文件了。这里有2个问题:1.它怎么知道我的路径是/etc/openvpn呢?如果我换了的话,它提示出来的还是这个路径么?答案就在vars这个环境脚本当中,它是使用pwd来定义我们设置的openvpn配置文档路径的,这就能动态地捕获我们运行vars的任何路径,也就是说我们现在正在忙着操作的当前路径,都是通过载入vars时的pwd来动态定义的。2.提示中提到的keys这个目录好像没有看到?对的,现在是没有,接下来根据提示运行clean-all的时候就可以得到答案。另外需要注意的一点,这里通过执行脚本的方式载入变量和环境,而不是永久载入,重启机器后就会丢失这些环境。建议考虑通过一些方法将vars内的环境永久载入系统,比如可以考虑将执行脚本的命令加入系统启动脚本当中。赋予clean-all脚本的用户执行权限[root@VPNSRV01 easy-rsa]# ux clean-all执行clean-all脚本[root@VPNSRV01 easy-rsa]# ./clean-all察看现在/etc/openvpn/easy-rsa/下的文件[root@VPNSRV01 easy-rsa]# ll /etc/openvpn/easy-rsa/total 92drwxr-xr-x 2 root root 4096 Aug 27 10:20 2.0-rw-r--r-- 1 root root 242 Aug 27 10:20 build-ca-rw-r--r-- 1 root root 228 Aug 27 10:20 build-dh-rw-r--r-- 1 root root 529 Aug 27 10:20 build-inter-rw-r--r-- 1 root root 516 Aug 27 10:20 build-key-rw-r--r-- 1 root root 424 Aug 27 10:20 build-key-pass-rw-r--r-- 1 root root 695 Aug 27 10:20 build-key-pkcs12-rw-r--r-- 1 root root 662 Aug 27 10:20 build-key-server-rw-r--r-- 1 root root 466 Aug 27 10:20 build-req-rw-r--r-- 1 root root 402 Aug 27 10:20 build-req-pass-rwxr--r-- 1 root root 280 Aug 27 10:20 clean-alldrwx------ 2 root root 4096 Aug 27 10:41 keys (多出来了这个keys目录)-rw-r--r-- 1 root root 264 Aug 27 10:20 list-crl-rw-r--r-- 1 root root 268 Aug 27 10:20 make-crl-rw-r--r-- 1 root root 7487 Aug 27 10:20 openssl.cnf-rw-r--r-- 1 root root 6075 Aug 27 10:20 README-rw-r--r-- 1 root root 268 Aug 27 10:20 revoke-crt-rw-r--r-- 1 root root 593 Aug 27 10:20 revoke-full-rw-r--r-- 1 root root 411 Aug 27 10:20 sign-req-rwxr--r-- 1 root root 1266 Aug 27 10:20 varsdrwxr-xr-x 2 root root 4096 Aug 27 10:20 Windows这里就回答了上面的第二个问题。keys这个目录好像之前没有的?对的,现在是没有,就是要运行接下来的clean-all脚本才会初始化生成的(如果以前没有的话),如果以前就有这个目录的话(你可以尝试在运行clean-all之前自己mkdir一个keys并且在里面丢些杂七杂八的东西),那么当你运行clean-all的时候,自动会把keys目录下的所有东西都清空一遍。事实上Keys这个目录就是我们之后生成并存放证书以及密钥的目录。Keys这个具体生成的路径是由vars环境脚本中KEY_DIR来决定的。建立CA证书按我的理解来简单介绍下这里OpenVPN的概念证书和密钥的概念。首先需要的就是一张根证书和根密钥,根证书CA。OpenVPN的Server端和Client端都会有各自的证书和密钥,不过,一套Server和Clients都使用同一个CA根证书,这个是他们成为一套的关键大前提,之后生成的Server证书和密钥以及Client的证书和密钥都是根据这个CA来签发的,因此会成为一套,因为他们通过CA而互相关联了起来。换句话说,能够成为一套OpenVPN的Server和Client的VPN系统的话,他们的Server的证书和密钥以及Client的证书和密钥必须由同一个CA证书签发,并且在实际使用和连接的时候需要用同一个CA来验证。赋予build-ca脚本用户执行权限,build-ca脚本就是生成根证书CA的脚本。[root@VPNSRV01 easy-rsa]# ux build-ca执行build-ca脚本[root@VPNSRV01 easy-rsa]# ./build-ca----------------------------------------------------------------------------------Generating a 1024 bit RSA private key.....++++++......++++++writing new private key to 'ca.key'-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.----- (在生成CA证书的过程中会有交互式的提问过程,主要是收集证书的信息)Country Name (2 letter code) [KG]:CN (这里提问国家,我填写CN表示中国)State or Province Name (full name) [NA]:Shanghai (这里提问省或州名)Locality Name (eg, city) [BISHKEK]:Shanghai (这里提问地点)Organization Name (eg, company) [OpenVPN-TEST]:Center (这里提问使用者的机构或者集团名称)Organizational Unit Name (eg, section) []:Center (这里提问部门单位)Common Name (eg, your name or your server's hostname) []:VPNSYS01 (这里提问通用名,注意,一套VPN服务端客户端系统使用同一个CA,共享同一个CA通用名CA Common Name)Email Address [me@myhost.mydomain]:kanecruiseisgod@hotmail.com (这里填写管理员的Email信箱)----------------------------------------------------------------------------------(注:如果这里发觉自己填错的话,干净回去执行clean-all脚本,清空keys下刚生成的密钥。然后使用build-ca重新做。如果到后面生成服务器和客户端的证书和密钥的时候想要返工就工作量大了。囧)这个时候可以去keys目录下看看产生的CA根证书和根密钥啦[root@VPNSRV01 easy-rsa]# ll keystotal 12-rw-r--r-- 1 root root 1233 Aug 27 11:39 ca.crt (根证书生成)-rw------- 1 root root 887 Aug 27 11:39 ca.key
(根密钥生成)-rw-r--r-- 1 root root 0 Aug 27 11:34 index.txt-rw-r--r-- 1 root root 3 Aug 27 11:34 serial建立DH参数文件按照OpenVPN的手册中提到,Diffie-Hellman参数文件(dh-pem文件)的作用是:在一个SSL/TLS连接中,服务端必须要有的。通过build-dh这个脚本来生成dh-pem文件,首先要赋予它用户执行权限[root@VPNSRV01 easy-rsa]# ux build-dh执行build-dh脚本,来生成dh文件[root@VPNSRV01 easy-rsa]# ./build-dh--------------------------------------------------------------------------------------Generating DH parameters, 1024 bit long safe prime, generator 2This is going to take a long time...............+.......................................................+..........................................................................................................+....+......+...........................+............+.....................+................+..........................................+.....+...........+..........................................+...........+..............................+.................................+..........................+...........................+....+...+...............................+.................................................................................................+....................................................+............................................................................+..............................+......................................+.+...........................++*++*++*(这里它提示说会需要很长时间,但是基本上会很短,因为这里我使用了默认安装长度1024bit)--------------------------------------------------------------------------------------这个时候可以去keys目录下看看产生的dh-pem文件啦[root@VPNSRV01 easy-rsa]# ll keystotal 16-rw-r--r-- 1 root root 1233 Aug 27 11:39 ca.crt-rw------- 1 root root 887 Aug 27 11:39 ca.key-rw-r--r-- 1 root root 245 Aug 27 11:56 dh1024.pem (dh-pem文件生成)-rw-r--r-- 1 root root 0 Aug 27 11:34 index.txt-rw-r--r-- 1 root root 3 Aug 27 11:34 serial建立OpenVPN Server端的证书和密钥每台OpenVPN Server都需要生成自己的证书和密钥,当然这都是根据之前的CA根证书签发的,使用build-key-server执行脚本来生成。赋予脚本build-key-servers的用户执行权限[root@VPNSRV01 easy-rsa]# ux build-key-server生成Server的证书和密钥。注意,这里执行build-key-server脚本后面要跟参数,参数就是Server证书生成的文件名。[root@VPNSRV01 easy-rsa]# ./build-key-server vpnsrv01------------------------------------------------------------------------------------Generating a 1024 bit RSA private key.++++++....................................++++++writing new private key to 'vpnsrv01.key'-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [KG]:CN (提问国家)State or Province Name (full name) [NA]:Shanghai (提问州或省市名)Locality Name (eg, city) [BISHKEK]:Shanghai (提问所在地名)Organization Name (eg, company) [OpenVPN-TEST]:Center (提问组织名)Organizational Unit Name (eg, section) []:Center (提问组织单位名)Common Name (eg, your name or your server's hostname) []:VPNSRV01 (给出Server的名称)Email Address [me@myhost.mydomain]:kanecruiseisgod@hotmail.com (给出管理员的信箱地址)(在Server的证书签发过程中,会有需要提供一些Exatra“额外”的信息)Please enter the following 'extra' attributes to be sent with your certificate requestA challenge password []:123456 (需要提供挑战式握手的密码)An optional company name []:Center (提供一个可选的公司名)Using configuration from /etc/openvpn/easy-rsa/openssl.cnfCheck that the request matches the signatureSignature okThe Subject's Distinguished Name is as followscountryName :PRINTABLE:'CN'stateOrProvinceName :PRINTABLE:'Shanghai'localityName :PRINTABLE:'Shanghai'organizationName :PRINTABLE:'Center'organizationalUnitName:PRINTABLE:'Center'commonName :PRINTABLE:'VPNSRV01'emailAddress :IA5STRING:'kanecruiseisgod@hotmail.com'Certificate is to be certified until Aug 24 04:43:37 2017 GMT (3650 days)Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entriesData Base Updated(使用CA根证书将这个Server的证书签发了)-------------------------------------------------------------------------------------(那么这些在Server证书签发过程中提问到的内容有些什么要求吗?答案是有的,我之前做了一张服务器证书就废掉的,理由就是地址信息与CA的不符合,也就是说尽量将一些基本信息与CA证书上回答的基本吻合。)然后再看下keys下面又多了些什么东西[root@VPNSRV01 easy-rsa]# ll keystotal 44-rw-r--r-- 1 root root 3636 Aug 27 12:43 01.pem (多了一个dh-pem文件)-rw-r--r-- 1 root root 1233 Aug 27 11:39 ca.crt-rw------- 1 root root 887 Aug 27 11:39 ca.key-rw-r--r-- 1 root root 245 Aug 27 11:56 dh1024.pem-rw-r--r-- 1 root root 99 Aug 27 12:43 index.txt-rw-r--r-- 1 root root 21 Aug 27 12:43 index.txt.attr-rw-r--r-- 1 root root 0 Aug 27 11:34 index.txt.old-rw-r--r-- 1 root root 3 Aug 27 12:43 serial-rw-r--r-- 1 root root 3 Aug 27 11:34 serial.old-rw-r--r-- 1 root root 3636 Aug 27 12:43 vpnsrv01.crt (Server的证书文件)-rw-r--r-- 1 root root 753 Aug 27 12:43 vpnsrv01.csr (Server的SSL请求请求文件)-rw------- 1 root root 887 Aug 27 12:43 vpnsrv01.key (Server的密钥文件)建立OpenVPN Client端的证书和密钥每台OpenVPN Client都要有自己的证书和密钥,当然这些也是根据之前的CA证书来签发的,使用build-key执行脚本来生成赋予脚本build-key用户执行权限[root@VPNSRV01 easy-rsa]# ux build-key生成Client的证书和密钥。注意,这里执行build-key脚本后面要跟参数,参数就是Client证书生成的文件名。[root@VPNSRV01 easy-rsa]# ./build-key vpnclnt00 (编号00表示测试用,我的习惯)-------------------------------------------------------------------------------------Generating a 1024 bit RSA private key......++++++..............++++++writing new private key to 'vpnclnt00.key'-----You are about to be asked to enter information that will be incorporated into your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [KG]:CN (提问国家)State or Province Name (full name) [NA]:Shanghai (提问州或省市名)Locality Name (eg, city) [BISHKEK]:Shanghai (提问所在地名)Organization Name (eg, company) [OpenVPN-TEST]:Center (提问组织名)Organizational Unit Name (eg, section) []:Center (提问组织单位名)Common Name (eg, your name or your server's hostname) []:VPNCLNT00 (给出Client的名称)Email Address [me@myhost.mydomain]:kanecruiseisgod@hotmail.com (管理员的Email地址)(在Client的证书签发过程中,也需要提供一些Exatra“额外”的信息)Please enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:123456 (挑战式验证口令)An optional company name []:Center (一个可选的公司名称)Using configuration from /etc/openvpn/easy-rsa/openssl.cnfCheck that the request matches the signatureSignature okThe Subject's Distinguished Name is as followscountryName :PRINTABLE:'CN'stateOrProvinceName :PRINTABLE:'Shanghai'localityName :PRINTABLE:'Shanghai'organizationName :PRINTABLE:'Center'organizationalUnitName:PRINTABLE:'Center'commonName :PRINTABLE:'VPNCLNT00'emailAddress :IA5STRING:'kanecruiseisgod@hotmail.com'Certificate is to be certified until Aug 24 05:00:46 2017 GMT (3650 days)Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entriesData Base Updated(使用CA根证书将这个Client的证书签发了)-------------------------------------------------------------------------------------(和生成Server的证书一样,Client证书签发过程中使用的基本信息请尽量与CA根证书当中的一致)然后再看下keys下面又多了些什么东西[root@VPNSRV01 easy-rsa]# ll keystotal 68-rw-r--r-- 1 root root 3636 Aug 27 12:43 01.pem-rw-r--r-- 1 root root 3537 Aug 27 13:00 02.pem (又多了一个dh-pem文件)-rw-r--r-- 1 root root 1233 Aug 27 11:39 ca.crt-rw------- 1 root root 887 Aug 27 11:39 ca.key-rw-r--r-- 1 root root 245 Aug 27 11:56 dh1024.pem-rw-r--r-- 1 root root 199 Aug 27 13:00 index.txt-rw-r--r-- 1 root root 20 Aug 27 13:00 index.txt.attr-rw-r--r-- 1 root root 21 Aug 27 12:43 index.txt.attr.old-rw-r--r-- 1 root root 99 Aug 27 12:43 index.txt.old-rw-r--r-- 1 root root 3 Aug 27 13:00 serial-rw-r--r-- 1 root root 3 Aug 27 12:43 serial.old-rw-r--r-- 1 root root 3537 Aug 27 13:00 vpnclnt00.crt (Client的证书文件)-rw-r--r-- 1 root root 753 Aug 27 13:00 vpnclnt00.csr (Client的SSL请求证书文件)-rw------- 1 root root 887 Aug 27 13:00 vpnclnt00.key (Client的密钥文件)-rw-r--r-- 1 root root 3636 Aug 27 12:43 vpnsrv01.crt-rw-r--r-- 1 root root 753 Aug 27 12:43 vpnsrv01.csr-rw------- 1 root root 887 Aug 27 12:43 vpnsrv01.key为防止恶意攻击(如DOS、UDP port flooding),生成一个"HMAC firewall"[root@VPNSRV01 easy-rsa]# openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key察看keys下生成ta文件[root@VPNSRV01 easy-rsa]# ll keystotal 72-rw-r--r-- 1 root root 3636 Aug 27 12:43 01.pem-rw-r--r-- 1 root root 3537 Aug 27 13:00 02.pem-rw-r--r-- 1 root root 1233 Aug 27 11:39 ca.crt-rw------- 1 root root 887 Aug 27 11:39 ca.key-rw-r--r-- 1 root root 245 Aug 27 11:56 dh1024.pem-rw-r--r-- 1 root root 199 Aug 27 13:00 index.txt-rw-r--r-- 1 root root 20 Aug 27 13:00 index.txt.attr-rw-r--r-- 1 root root 21 Aug 27 12:43 index.txt.attr.old-rw-r--r-- 1 root root 99 Aug 27 12:43 index.txt.old-rw-r--r-- 1 root root 3 Aug 27 13:00 serial-rw-r--r-- 1 root root 3 Aug 27 12:43 serial.old-rw------- 1 root root 636 Aug 27 13:21 ta.key (ta的密钥文件)-rw-r--r-- 1 root root 3537 Aug 27 13:00 vpnclnt00.crt-rw-r--r-- 1 root root 753 Aug 27 13:00 vpnclnt00.csr-rw------- 1 root root 887 Aug 27 13:00 vpnclnt00.key-rw-r--r-- 1 root root 3636 Aug 27 12:43 vpnsrv01.crt-rw-r--r-- 1 root root 753 Aug 27 12:43 vpnsrv01.csr-rw------- 1 root root 887 Aug 27 12:43 vpnsrv01.key生成一个吊销证书链文件如果证书文件不幸由于各种原因丢失,那么持有丢失证书的人将仍然可以使用进行接入。不用销毁整个系统,可以吊销丢失的证书。执行脚本make-crl先生成吊销证书链文件。赋予make-crl脚本用户执行权限[root@VPNSRV01 easy-rsa]# ux make-crl执行make-crl脚本生成吊销证书链文件[root@VPNSRV01 easy-rsa]# ./make-crl vpncrl.pemUsing configuration from /etc/openvpn/easy-rsa/openssl.cnf察看keys下的文件[root@VPNSRV01 easy-rsa]# ll keystotal 76-rw-r--r-- 1 root root 3636 Aug 27 12:43 01.pem-rw-r--r-- 1 root root 3537 Aug 27 13:00 02.pem-rw-r--r-- 1 root root 1233 Aug 27 11:39 ca.crt-rw------- 1 root root 887 Aug 27 11:39 ca.key-rw-r--r-- 1 root root 245 Aug 27 11:56 dh1024.pem-rw-r--r-- 1 root root 199 Aug 27 13:00 index.txt-rw-r--r-- 1 root root 20 Aug 27 13:00 index.txt.attr-rw-r--r-- 1 root root 21 Aug 27 12:43 index.txt.attr.old-rw-r--r-- 1 root root 99 Aug 27 12:43 index.txt.old-rw-r--r-- 1 root root 3 Aug 27 13:00 serial-rw-r--r-- 1 root root 3 Aug 27 12:43 serial.old-rw------- 1 root root 636 Aug 27 13:21 ta.key-rw-r--r-- 1 root root 3537 Aug 27 13:00 vpnclnt00.crt-rw-r--r-- 1 root root 753 Aug 27 13:00 vpnclnt00.csr-rw------- 1 root root 887 Aug 27 13:00 vpnclnt00.key-rw-r--r-- 1 root root 491 Aug 27 13:28 vpncrl.pem (证书吊销链文件)-rw-r--r-- 1 root root 3636 Aug 27 12:43 vpnsrv01.crt-rw-r--r-- 1 root root 753 Aug 27 12:43 vpnsrv01.csr-rw------- 1 root root 887 Aug 27 12:43 vpnsrv01.key由于MSN空间的字数限制= =我那华丽的第18集伪系统工程师的故事硬是被划分了上下两集。郁闷...继续上集内容整备OpenVPN的Server和Client的主配置文件之前locate出来的列表当中,有Server和Client的主配置文件模版/usr/share/doc/openvpn-2.0.9/sample-config-files/client.conf/usr/share/doc/openvpn-2.0.9/sample-config-files/server.confOpnVPN Server端的主配置文件主配置文件的路径为/etc/openvpn/下,因此先将模版配置文件复制到这个路径下再作修改[root@VPNSRV01 easy-rsa]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/然后配置服务端的主配置文件server.conf[root@VPNSRV01 openvpn]# vi server.conf-------------------------------------------------------------------------------# listen on? (optional);local a.b.c.d (设定监听在本机的哪个网络接口上,这里使用默认注释,表示监听所有本机上的网络接口)port 9988 (这里设定的监听端口,默认是1194,我这里修改为9988)# TCP or UDP server?;proto tcpproto udp(设定在传输层使用的协议,这里设定为默认的UDP协议)# "dev tun" will create a routed IP tunnel,# "dev tap" will create an ethernet tunnel.;dev tapdev tun(设定传输设备节点。如提示信息,tun是一个三层设备,tap是一个二层设备。而这里我们要的是IP路由,是三层的方式,因此选择tun)# Non-Windows systems usually don't need this.;dev-node MyTap(设定传输设备节点名。如提示信息,非Windows系统不需要设定这项,目前这台Server的操作系统是CentOS5,保留注释)ca /etc/openvpn/vpnkeys/ca.crtcert /etc/openvpn/vpnkeys/vpnsrv01.crtkey /etc/openvpn/vpnkeys/vpnsrv01.key # This file should be kept secret(设定根证书CA、服务器证书、以及服务器密钥文件的位置。注意,这里我都是写上了绝对路径,那是因为我更动了它们的位置。这里也可以直接写文件名而不写绝对路径,表示使用默认路径,默认为/etc/openvpn/下)dh /etc/openvpn/vpnkeys/dh1024.pem(设定Diffie Hellman参数文件的路径。同上,我也是输入了绝对路径,也可以直接输入文件名使用默认路径。默认路径为/etc/openvpn/下)# Configure server mode and supply a VPN subnetserver 10.99.0.0 255.255.255.0(设定Server端虚拟出来的VPN网段)ifconfig-pool-persist ipp.txt(设定虚拟地址租约文件,用于记录某个Client获得的IP地址,类似于dhcpd.lease文件,防止openvpn重新启动后“忘记”Client曾经使用过的IP地址)push "route 111.111.111.0 255.255.255.0" #For Net1push "route 222.222.0.0 255.255.0.0" #For Net2push "route 123.123.123.234 255.255.255.255" #For HostX(设定Push路由。当Client连接Server的时候,自动会得到这些路由条目并添加到它们的路由表中,由于是Server那里传过来的,因此叫Push路由。当Client从Server处断开的时候这些Push路由将自动在Client的路由表中删除。一个需要提醒注意的地方就是既然是加入路由,那么必须要填写的是"route 网段 子网掩码"的格式,如果不是像第三条那样是添加针对某一个主机的路由的话,那么一定要写的是网段!如果要针对一个目的网段的路由,而却写的是主机地址的话,那么这个Push路由将失败);push "redirect-gateway";push "dhcp-option DNS 10.8.0.1";push "dhcp-option WINS 10.8.0.1"(设定其他的Push信息。redirect-gateway为接入Client重新指定出口网关,如果不设定的话则是使用Server路由表当中的默认出口网关。dhcp-option下的DNS和WIN则是为接入Client重新分配域名服务器和名称服务器的IP地址。除非特殊的规划,一般这里没有设定的必要,保持注释)client-to-client(设定接入的Client之间能够被允许互相访问,默认情况下接入的Client是不能互相访问的。如果需要使它们互相访问的话请去掉默认的注释)# IF YOU HAVE NOT GENERATED INDIVIDUAL# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,# EACH HAVING ITS OWN UNIQUE "COMMON NAME",# UNCOMMENT THIS LINE OUT.;duplicate-cn(设定是否允许单证书多连接。如果有多个Client使用相同的证书接入Server,亦或Client使用的CA的Common Name有重复了,或者说客户都使用相同的CA和keys连接VPN,一定要打开这个选项,否则只允许一个人连接VPN。但是如果出于安全考虑,比如一个证书只能由一个Client对应的情况,这里就建议关闭而保留注释)keepalive 10 120(设定保活参数。这里的意思是每10秒钟通过Ping来确定Client是否存活,当然这个Ping的进行是在虚拟通道中而不是在真实外部链路上的,超过120秒无反馈表示丢失该Client)# For extra security beyond that provided# by SSL/TLS, create an "HMAC firewall"# to help block DoS attacks and UDP port flooding.## Generate with:# openvpn --genkey --secret ta.key## The server and each client must have# a copy of this key.# The second parameter should be '0'# on the server and '1' on the clients.tls-auth /etc/openvpn/vpnkeys/ta.key 0 # This file is secret(设定ta密钥的路径。之前提到的HMAC防火墙,防止DOS攻击,对于所有的控制信息,都使用HMAC signature,没有HMAC signature的控制信息不予处理,注意server端后面的数字肯定使用0,client使用1)# Enable compression on the VPN link.# If you enable it here, you must also# enable it in the client config file.comp-lzo(使用Lzo功能对虚拟链路进行压缩。另外要提的一点,如果Server端开启的话,那么连接它的Client端也要在配置文件中开启);max-clients 100(设定并发最大Client接入数)user nobodygroup nobody(设定OpenVPN服务的宿主用户,这里设定nobody。使用vipw来快速查看/etc/passwd文件,可以发现nobody是系统内置的,并且UID和GID分别为99。另外要注意的是,既然将OpenVPN服务的宿主用户设定为nobody,那么凡是关于OpenVPN服务进程相关或者需要读写的文件,请都要赋予nobody权限)persist-key(设定连接保持密钥功能。在由于keepalive检测超时后而重新启动VPN的情况,不重新读取keys,而保留第一次使用的keys)persist-tun(设定连接保持在线功能。在由于keepalive检测超时后而重新启动VPN的情况,一直保持tun或者tap设备是linkup的,否则网络连接会先linkdown然后linkup)status /var/log/openvpn-status.log(设定状态记录日志路径。状态记录日志会定期把openvpn的一些状态信息写到文件中,以便自己写程序计费或者进行其他操作。注意,如果更改过OpenVPN服务宿主用户的话,请记得这里将此文件赋予宿主用户一定的权限)log /var/log/openvpn.log(设定OpenVPN的服务日志路径。注意,如果更改过OpenVPN服务宿主用户的话,请记得这里将此文件赋予宿主用户一定的权限)log-append /var/log/openvpn.log(此项和log项配合使用,每次重新启动openvpn后保留原有的log信息,新信息追加到文件最后)# 0 is silent, except for fatal errors# 4 is reasonable for general usage# 5 and 6 can help to debug connection problems# 9 is extremely verboseverb 3(设定OpenVPN的dubug等级。使用默认3级。)# Silence repeating messages. At most 20# sequential messages of the same message# category will be output to the log.;mute 20(设定日志信息的冗余程度。默认值为20,当相同的信息连续反复出现时,系统会去掉相同的20条)-------------------------------------------------------------------------------注意:如果不采用OpenVPN的默认路径而要定制路径的话,必须要严格确定每个配置项的路径是否设定正确。在启动OpenVPN服务进程前的需要确定的工作:1.建立配置文件中指定的日志文件,并赋予正确的权限[root@VPNSRV01 easy-rsa]# touch /var/log/openvpn.log[root@VPNSRV01 easy-rsa]# touch /var/log/openvpn-status.log[root@VPNSRV01 easy-rsa]# chown nobody.nobody /var/log/openvpn.log[root@VPNSRV01 easy-rsa]# chown nobody.nobody /var/log/openvpn-status.log2.确定配置文件中的配置项指定的路径例如:比如我第一次配置完Server端启动时就失败了[root@VPNSRV01 easy-rsa]# service openvpn startStarting openvpn: [FAILED]查看日志寻找原因原因[root@VPNSRV01 easy-rsa]# tail -n 10 /var/log/openvpn.logMon Aug 27 16:00:03 2007 OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Mar 8 2007Mon Aug 27 16:00:03 2007 Diffie-Hellman initialized with 1024 bit keyMon Aug 27 16:00:03 2007 Cannot open file key file 'ta.key': No such file or directory (errno=2)Mon Aug 27 16:00:03 2007 Exiting原来ta密钥的路径没有写对,服务进程找不不到ta.key。因此整个服务启动失败。修正了正确的ta路径后再启动服务进程就正常了。因此,如果定制一些关键文件的路径时,一定要仔细根据定制情况正确编辑配置文件。3.检查系统防火墙,是否为VPN开启了。[root@VPNSRV01 easy-rsa]# iptables -A INPUT -p udp --dport 9988 -j ACCEPT[root@VPNSRV01 easy-rsa]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT检查防火墙[root@VPNSRV01 easy-rsa]# iptables -LChain INPUT (policy ACCEPT)target prot opt source destinationACCEPT udp -- anywhere anywhere udp dpt:9988ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED4.转发开关是否打开,打开这个路由转发开关[root@VPNSRV01 vpnkeys]# echo 1 > /proc/sys/net/ipv4/ip_forward并且顺带将这个命令添加到启动脚本当中,使得每次系统启动的时候都会打开这个开关[root@VPNSRV01 vpnkeys]# echo 'echo 1 > /proc/sys/net/ipv4/ip_forward' >> /etc/rc.d/rc.local启动OpenVPN Server端的程序[root@VPNSRV01 easy-rsa]# service openvpn startStarting openvpn: [ OK ]查看Server现在的网卡情况[root@VPNSRV01 easy-rsa]# ifconfigeth0 Link encap:Ethernet HWaddr 00:16:3E:4A:C2:28 inet addr:123.123.123.233 Bcast:123.123.123.255 Mask:255.255.255.0 inet6 addr: fe80::216:3eff:fe4a:c228/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:2059473 errors:0 dropped:0 overruns:0 frame:0 TX packets:1258577 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:159571429 (152.1 MiB) TX bytes:98975611 (94.3 MiB)lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:273 errors:0 dropped:0 overruns:0 frame:0 TX packets:273 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:40479 (39.5 KiB) TX bytes:40479 (39.5 KiB)tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:10.99.0.1 P-t-P:10.99.0.2 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)(这个tun0设备就是OpenVPN虚拟出来的网络接口。另外需要提到的一点是,这个设备会被初始化,但是只有在OpenVPN的服务进程成功运行起来的时候才会有这个设备,如果运行OpenVPN进程失败的话,是看不到这个设备的。也所以,当要使用OpenVPN的时候,切记要为它的网络接口开放特定的防火墙,或者干脆关闭防火墙。否则Client是无法接入的,这里需要特别提醒。因为本人曾经卡在过这个问题上,当分析出来是防火墙的时候,比较让人感到崩溃= =)查看Server的路由[root@VPNSRV01 easy-rsa]# routeKernel IP routing tableDestination Gateway Genmask Flags Metric Ref Use Iface10.99.0.2 * 255.255.255.255 UH 0 0 0 tun0123.123.123.0 * 255.255.255.0 U 0 0 0 eth010.99.0.0 10.99.0.2 255.255.255.0 UG 0 0 0 tun0169.254.0.0 * 255.255.0.0 U 0 0 0 eth0default 123.123.123.1 0.0.0.0 UG 0 0 0 eth0其中10.99.0.0部分就是虚拟网络的路由。到此,OpenVPN的Server端已经基本完成。将Server上之前为测试Client生成的证书密钥以及一些相关文件复制到Client端的/etc/openvpn/目录下这里,Client需要向Server得到五个重要的文件CA证书文件 (我这里是ca.crt)Client证书文件 (我这里是vpnclnt00.crt)Client密钥文件 (我这里是vpnclnt00.key)Client的SSL证书请求文件 (我这里是vpnclnt00.csr)ta密钥文件 (我这里是ta.key)配置Client端的主配置文件Client上也安装了OpenVPN的包,所以也有模版文件/usr/share/doc/openvpn-2.0.9/sample-config-files/client.conf这里将Client的主配置模版文件复制到OpenVPN的主配置路径下[root@VPNCLNT00 ~]# ll /etc/openvpn/total 48-rw-r--r-- 1 root root 1233 Aug 27 14:09 ca.crt-rw-r--r-- 1 root root 254 Aug 28 02:29 client.conf-rw-r--r-- 1 root root 636 Aug 27 14:09 ta.key-rw-r--r-- 1 root root 3537 Aug 27 14:09 vpnclnt00.crt-rw-r--r-- 1 root root 753 Aug 27 14:09 vpnclnt00.csr-rw-r--r-- 1 root root 887 Aug 27 14:09 vpnclnt00.key可以看到在Client的主配置路径下一共有6个文件。5个是证书密钥,1个是Client端的主配置文件client.conf现在我们来编辑客户端主配置文件client.conf[root@VPNCLNT00 ~]# vi /etc/openvpn/client.conf----------------------------------------------------------------------------client(声明这个配置文件作用于客户端)dev tun(使用tun三层虚拟连接设备)proto udp(使用UDP协议)remote 123.123.123.233 9988(设定远程Server的IP地址和端口,这里要和Server对应起来。如果有多个Server可以连接的话可以配置多条remote,一行一条)resolv-retry infinite(始终重新解析Server的IP地址,如果remote后面跟的是域名,保证Server IP地址是动态的使用DDNS动态更新DNS后,Client在自动重新连接时重新解析Server的IP地址,这样无需人为重新启动,即可重新接入VPN)nobind(表示Client端不像Server端那样需要开放特定的端口,nobind的意思就是Client的不绑定特定的监听端口)user nobodygroup nobody(指定OpenVPN服务进程的宿主用户)persist-key(设定连接保持密钥功能。在由于keepalive检测超时后而重新启动VPN的情况,不重新读取keys,而保留第一次使用的keys)persist-tun(设定连接保持在线功能。在由于keepalive检测超时后而重新启动VPN的情况,一直保持tun或者tap设备是linkup的,否则网络连接会先linkdown然后linkup)ca ca.crtcert vpnclnt00.crtkey vpnclnt00.key(设定CA证书、Client证书以及Client密钥文件的路径。与之前我Server端的配置不同,这里我没有写绝对路径而只是写了一些文件名。这是因为我使用了默认的OpenVPN的主路径/etc/openvpn/。如果不是使用默认路径而是定制更改了这些文件的位置的话,那么就需要注上详细的绝对路径了)ns-cert-type server(这一项是Server配置文件server.conf当中没有的。Server使用build-key-server脚本什成的,在x509 v3扩展中加入了ns-cert-type选项,为的是防止黑客操纵他们的VPN Client模拟成VPN Server,然后使用他们的keys + DNS欺骗其他的Client连接他们假冒的VPN Server。因为他们的CA里没有这个扩展)tls-auth ta.key 1(设定ta密钥的路径。这里我使用/etc/openvpn/的默认路径。所以直接打了文件名而不是绝对路径。这个配置项是关于HMAC防火墙,防止DOS攻击,对于所有的控制信息,都使用HMAC signature,没有HMAC signature的控制信息不予处理。这里Client使用的值是1,注意server端后面的数字肯定使用0)comp-lzo(设定启用Lzo将虚拟链路压缩。注意,这里一定要与Server配置统一。Server启用这条时Client也要启用,相对的Server关闭这条的时候Client也要关闭)verb 3(Debug等级);mute 20(意义同Server端的设定)-------------------------------------------------------------------------------------------------------运行Client的OpenVPN[root@VPNCLNT00 ~]# service openvpn startStarting openvpn: [ OK ]查看Client的路由表[root@VPNCLNT00 ~]# routeKernel IP routing tableDestination Gateway Genmask Flags Metric Ref Use Iface10.99.0.5 * 255.255.255.255 UH 0 0 0 tun0123.123.123.234 10.99.0.5 255.255.255.255 UGH 0 0 0 tun010.99.0.0 10.99.0.5 255.255.255.0 UG 0 0 0 tun0111.111.111.0 10.99.0.5 255.255.255.0 UG 0 0 0 tun0222.222.0.0 10.99.0.5 255.255.0.0 UG 0 0 0 tun0192.168.0.0 * 255.255.255.0 U 0 0 0 eth0169.254.0.0 * 255.255.0.0 U 0 0 0 eth0default 192.168.0.101 0.0.0.0 UG 0 0 0 eth0查看Client的网络接口[root@VPNCLNT00 ~]# ifconfigeth0 Link encap:Ethernet HWaddr 00:16:3E:27:F9:47 inet addr:192.168.0.231 Bcast:192.168.0.255 Mask:255.255.255.0 inet6 addr: fe80::216:3eff:fe27:f947/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:13328 errors:0 dropped:0 overruns:0 frame:0 TX packets:11761 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:7013030 (6.6 MiB) TX bytes:1647512 (1.5 MiB)lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:56 errors:0 dropped:0 overruns:0 frame:0 TX packets:56 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:6020 (5.8 KiB) TX bytes:6020 (5.8 KiB)tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:10.99.0.6 P-t-P:10.99.0.5 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)使用Client从虚拟网络中Ping向Server[root@VPNCLNT00 ~]# ping 10.99.0.1PING 10.99.0.1 (10.99.0.1) 56(84) bytes of data.64 bytes from 10.99.0.1: icmp_seq=1 ttl=64 time=21.7 ms64 bytes from 10.99.0.1: icmp_seq=2 ttl=64 time=21.6 ms64 bytes from 10.99.0.1: icmp_seq=3 ttl=64 time=22.0 ms64 bytes from 10.99.0.1: icmp_seq=4 ttl=64 time=21.8 ms64 bytes from 10.99.0.1: icmp_seq=5 ttl=64 time=21.7 ms64 bytes from 10.99.0.1: icmp_seq=6 ttl=64 time=21.7 ms(成功Ping通,连通正确)看到tun0出现,分配到了虚拟网络的地址。并且路由表当中也拥有了虚拟网络的路由条目,还看到Server那里Push过来的路由。说明Client已经正常连接上了Server了。想想上个周六,Client端的OpenVPN起来OK,但是不出现tun0的设备。我还以为是我配置哪里出了问题,反复地排差,看反馈信息是写No Route to host,没有去往Server的路由,但是我一直能够Ping通那台Server。所以我一直认为是tun0设备没有初始好...结果搞半天是由于Server的防火墙将VPN端口关闭造成的,囧,一直到半夜3点半,结果原来是这问题...所以,当VPN没有协商成功的时候,tun0这个设备是不会启动的,也不会在ifconfig当中看到。强制手动启动也是没有用得,这个我也尝试过...囧。所以,提醒大家一个地方哦,当Client启动OpenVPN去连接Server的时候如果有以下现象:1.从ifconfig当中没有看到tun0启动,2.信息反馈一直为No Route to Host的时候,请记得先看看是不是你Server端的防火墙没有放行...弄半天为了这低级问题,我怨念...- -
相关信息· SQL SERVER 与ACCESS、EXCEL的数据转换
· 用squid再次疯狂加速你的web
· 总结:路由器配置错误五则
· 免费电影音乐下载更方便!
12086
8501