
Overview: Router 1 has a fixed IP address and has port 1194 open, forwarding those requests to the OpenVPN server. The OpenVPN server runs OpenBSD 4.1 and has Internet access; besides the VPN service it also provides NAT (tun0 is NATed in pf, so machines in the virtual private network reach the Internet through the OpenVPN server, which effectively acts as a proxy). PC1, PC2, PC3, web server 1, web server 2 and the other servers all connect to the OpenVPN server over OpenVPN and are assigned addresses in the virtual private network. PC1, PC2 and PC3 can play LAN games and can reach web server 1, web server 2 and the other servers through their VPN addresses.
Router 2 gives PC3 and web server 2 Internet access through an ADSL modem. Router 2 forwards no ports.
Building the OpenVPN server
1. Install OpenBSD. There are many OpenBSD installation tutorials, so that is not covered here. OpenBSD 4.1 is used here.
Download openvpn-2.0.6p0.tgz and lzo-1.08p1.tgz from http://www.openbsd.org and copy them to a directory on the OpenBSD machine; /home is used here. Then install openvpn from the command line (pkg_add picks up the lzo dependency from the same directory, as the output shows).
# cd /home
# pkg_add openvpn-2.0.6p0
openvpn-2.0.6p0:lzo-1.08p1: complete
openvpn-2.0.6p0: complete
2. Generating the keys
Create the OpenVPN configuration directory:
# mkdir /etc/openvpn
OpenVPN itself ships scripts that generate keys and certificates. Copy the easy-rsa directory found under /usr/local/share/examples/openvpn/ to /etc/openvpn (editing the copy, not the original, keeps your changes safe from a later package upgrade).
# cp -r /usr/local/share/examples/openvpn/easy-rsa /etc/openvpn/
Edit /etc/openvpn/easy-rsa/vars:
# cd /etc/openvpn/easy-rsa/
# vi vars   (the contents of the vars file follow)
# easy-rsa parameter settings
# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.
# This variable should point to
# the top level of the easy-rsa
# tree.
export D=`pwd`
# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=$D/openssl.cnf
# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR=$D/keys
# Issue rm -rf warning
echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY=KG
export KEY_PROVINCE=NA
export KEY_CITY=BISHKEK
export KEY_ORG="OpenVPN-TEST"
export KEY_EMAIL="me@myhost.mydomain"
(Change the following values)
export KEY_COUNTRY=CN   (country)
export KEY_PROVINCE=JL   (province)
export KEY_CITY=YJ   (city)
export KEY_ORG="OpenVPN-Server"   (organization or company)
export KEY_EMAIL="demo@gmail.com"   (e-mail address)
Source vars so the settings take effect in the current shell:
# . ./vars   (note the two dots: a dot, a space, then ./vars)
NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
# ./clean-all   (removes any existing keys and certificates; it does an rm -rf on $KEY_DIR, so make sure KEY_DIR points where you expect before running it)
Generate the CA by running build-ca:
# ./build-ca
Generating a 1024 bit RSA private key
.++++++
..................................................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JL]:
Locality Name (eg, city) [YJ]:
Organization Name (eg, company) [OpenVPN-Server]:
Organizational Unit Name (eg, section) []:OpenVPN
Common Name (eg, your name or your server's hostname) []:CA
Email Address [demo@gmail.com]:
ca.crt and ca.key are created in /etc/openvpn/easy-rsa/keys. Every key generated from now on is written to that directory.
Generate the server's key and certificate:
# ./build-key-server server
Generating a 1024 bit RSA private key
.......................++++++
..++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JL]:
Locality Name (eg, city) [YJ]:
Organization Name (eg, company) [OpenVPN-Server]:
Organizational Unit Name (eg, section) []:OpenVPN
Common Name (eg, your name or your server's hostname) []:server
Email Address [demo@gmail.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'JL'
localityName :PRINTABLE:'YJ'
organizationName :PRINTABLE:'OpenVPN-Server'
organizationalUnitName:PRINTABLE:'OpenVPN'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'demo@gmail.com'
Certificate is to be certified until Dec 3 11:10:26 2017 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Enter server for Common Name and answer y at both prompts:
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n]: y
server.crt and server.key are created in /etc/openvpn/easy-rsa/keys.
The server also needs Diffie-Hellman parameters:
# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...............................................................................+..........................................................................................+.......................+..........................+......................................................................++*++*++*
dh1024.pem is created in /etc/openvpn/easy-rsa/keys.
To resist DoS attacks and UDP port flooding, generate the tls-auth "HMAC firewall" key. It is a 2048-bit shared secret that the server and every client must hold, so treat it like a private key.
The file is written to the current directory, so run the command in /etc/openvpn/easy-rsa/keys:
# openvpn --genkey --secret ta.key
All keys and certificates needed on the server side are now generated.
Now generate the client keys. Each client gets its own key and certificate, so 100 users means 100 keys. Suppose the user name is king:
# cd /etc/openvpn/easy-rsa/
# ./build-key king
Generating a 1024 bit RSA private key
..........................++++++
....++++++
writing new private key to 'king.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JL]:
Locality Name (eg, city) [YJ]:
Organization Name (eg, company) [OpenVPN-Server]:
Organizational Unit Name (eg, section) []:OpenVPN
Common Name (eg, your name or your server's hostname) []:king
Email Address [demo@gmail.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'JL'
localityName :PRINTABLE:'YJ'
organizationName :PRINTABLE:'OpenVPN-Server'
organizationalUnitName:PRINTABLE:'OpenVPN'
commonName :PRINTABLE:'king'
emailAddress :IA5STRING:'demo@gmail.com'
Certificate is to be certified until Dec 3 11:46:03 2017 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Enter king for Common Name and answer y at both prompts:
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n]: y
king.crt, king.key and king.csr are created in /etc/openvpn/easy-rsa/keys.
Generate a key for the user name web:
# ./build-key web
Generating a 1024 bit RSA private key
.........++++++
..................................................++++++
writing new private key to 'web.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JL]:
Locality Name (eg, city) [YJ]:
Organization Name (eg, company) [OpenVPN-Server]:
Organizational Unit Name (eg, section) []:OpenVPN
Common Name (eg, your name or your server's hostname) []:web
Email Address [demo@gmail.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'JL'
localityName :PRINTABLE:'YJ'
organizationName :PRINTABLE:'OpenVPN-Server'
organizationalUnitName:PRINTABLE:'OpenVPN'
commonName :PRINTABLE:'web'
emailAddress :IA5STRING:'demo@gmail.com'
Certificate is to be certified until Dec 3 11:49:55 2017 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Enter web for Common Name and answer y at both prompts:
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n]: y
web.crt, web.key and web.csr are created in /etc/openvpn/easy-rsa/keys.
Generate a key for the user name knight in the same way.
knight.crt, knight.key and knight.csr are created in /etc/openvpn/easy-rsa/keys.
The generated certificates and keys, who needs them, and which ones are secret:
Filename   | Needed By                | Purpose                   | Secret
ca.crt     | server + all clients     | Root CA certificate       | NO
ca.key     | key signing machine only | Root CA key               | YES
dh1024.pem | server only              | Diffie Hellman parameters | NO
server.crt | server only              | Server Certificate        | NO
server.key | server only              | Server Key                | YES
web.crt    | Web server 2 only        | web Certificate           | NO
web.key    | Web server 2 only        | web Key                   | YES
king.crt   | PC 1 only                | PC 1 Certificate          | NO
king.key   | PC 1 only                | PC 1 key                  | YES
knight.crt | PC 2 only                | PC 2 Certificate          | NO
knight.key | PC 2 only                | PC 2 key                  | YES
Guard the files marked Secret YES. Whoever holds ca.key can sign certificates that the server and every client trust, and whoever holds server.key can impersonate the server, so a leak of either makes a man-in-the-middle attack easy. ca.key is not needed on the OpenVPN server at all; keep it on the signing machine only, and give each client nothing but its own .crt and .key plus ca.crt.
3. Configuration
Configure the OpenVPN server configuration file.
Template configuration files are in /usr/local/share/examples/openvpn/sample-config-files/. Copy the server configuration file server.conf to /etc/openvpn/:
# cp -r /usr/local/share/examples/openvpn/sample-config-files/server.conf /etc/openvpn/
Edit server.conf:
# cd /etc/openvpn/
# vi server.conf   (text after # is a comment; the server configuration file follows)
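The build-ca, build-key-server and build-key sequence above, redone with plain openssl and followed by the checks worth running on the keys directory before any file is copied to a client, as an added example; it is not code from the original page or from easy-rsa. It assumes openssl in PATH, 2048-bit RSA keys (the vars file above sets 1024, which is no longer considered adequate), the 3650-day validity shown in the output above, the subject fields from the vars edits, and a temporary directory in place of /etc/openvpn/easy-rsa/keys. The extension sections are this example's own, chosen so that only the server certificate is usable as a TLS server.

```shell
#!/bin/sh
# Added example (not the page's or easy-rsa's code). Assumptions: openssl in
# PATH, 2048-bit keys, 3650-day validity, a temp dir instead of
# /etc/openvpn/easy-rsa/keys, extension sections of this example's own choosing.
set -eu

SUBJ_BASE="/C=CN/ST=JL/L=YJ/O=OpenVPN-Server/OU=OpenVPN"

# Extension sections standing in for easy-rsa's openssl.cnf. Only the server
# certificate gets nsCertType=server and EKU serverAuth; clients get EKU
# clientAuth, so a stolen client certificate cannot pose as the server.
write_ext_cnf() {
    cat > "$1/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Key + CSR + CA-signed certificate for one common name ($2) with one
# extension section ($3): what build-key-server and build-key do.
issue_cert() {
    pki=$1; cn=$2; ext=$3
    openssl req -new -newkey rsa:2048 -nodes -config "$pki/ext.cnf" \
        -keyout "$pki/$cn.key" -out "$pki/$cn.csr" \
        -subj "$SUBJ_BASE/CN=$cn" 2>/dev/null
    openssl x509 -req -days 3650 -in "$pki/$cn.csr" \
        -CA "$pki/ca.crt" -CAkey "$pki/ca.key" -CAcreateserial \
        -extfile "$pki/ext.cnf" -extensions "$ext" \
        -out "$pki/$cn.crt" 2>/dev/null
}

# build-ca, then build-key-server server, then build-key king.
make_pki() {
    mkdir -p "$1"
    write_ext_cnf "$1"
    (
        umask 077   # every file, private keys included, is created 0600
        openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
            -config "$1/ext.cnf" -extensions ca_ext \
            -keyout "$1/ca.key" -out "$1/ca.crt" \
            -subj "$SUBJ_BASE/CN=CA" 2>/dev/null
        issue_cert "$1" server server_ext
        issue_cert "$1" king client_ext
    )
}

# RSA modulus of a key (*.key) or certificate: equal when they belong together.
modulus() {
    case $1 in
        *.key) openssl rsa  -noout -modulus -in "$1" 2>/dev/null ;;
        *)     openssl x509 -noout -modulus -in "$1" 2>/dev/null ;;
    esac
}

# 0 if $3 chains to $1/ca.crt and is valid for purpose $2 (sslserver/sslclient).
verify_for() {
    openssl verify -purpose "$2" -CAfile "$1/ca.crt" "$3" >/dev/null 2>&1
}

# Pre-flight check of a keys directory; returns 0 only if everything passes.
check_pki() {
    d=$1
    for n in server king; do
        [ "$(modulus "$d/$n.crt")" = "$(modulus "$d/$n.key")" ] || return 1
    done
    verify_for "$d" sslserver "$d/server.crt" || return 1
    verify_for "$d" sslclient "$d/king.crt" || return 1
    # A client certificate must never be accepted as a server certificate.
    if verify_for "$d" sslserver "$d/king.crt"; then return 1; fi
    # Files marked Secret YES must not be group- or world-readable.
    for n in ca server king; do
        [ "$(ls -l "$d/$n.key" | cut -c1-10)" = "-rw-------" ] || return 1
    done
    return 0
}

# Stand-alone run: build a throwaway PKI, check it, clean up.
DEMO=$(mktemp -d)
make_pki "$DEMO"
if check_pki "$DEMO"; then echo "PKI in $DEMO: all checks pass"; else echo "PKI in $DEMO: FAILED"; fi
rm -rf "$DEMO"
```

To check a real easy-rsa output, source the functions and call check_pki /etc/openvpn/easy-rsa/keys: it flags a certificate whose key was overwritten by a later build-key run, a client certificate signed with server extensions, and private keys left world-readable by a permissive umask.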
############################################################
port 1194   # port
proto tcp   # protocol (the sample file's default is udp; tcp is used here)
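The pf side of the setup described in the overview (NAT for tun0 so VPN clients reach the Internet through the server, and letting in the TCP 1194 connections that router 1 forwards), as an added example in OpenBSD 4.1-era pf.conf syntax; it is not the page's own pf.conf. Assumptions: the server's interface toward router 1 is called em0 (use your own name), the VPN subnet is 10.8.0.0/24, the default "server 10.8.0.0 255.255.255.0" of the sample server.conf being edited here, and net.inet.ip.forwarding=1 is set in /etc/sysctl.conf, without which OpenBSD will not route between tun0 and em0.

```pf
# /etc/pf.conf on the OpenVPN server (added example; interface name and
# VPN subnet are assumptions, see above)
ext_if = "em0"
vpn_net = "10.8.0.0/24"

set skip on lo

# The "NAT on tun0" from the overview: VPN clients leave through the
# server's own address, so router 1 sees only the server.
nat on $ext_if from $vpn_net to any -> ($ext_if)

block in log all

# Router 1 forwards TCP 1194 here (proto tcp in server.conf). Nothing else
# is reachable from outside.
pass in on $ext_if proto tcp from any to ($ext_if) port 1194 flags S/SA keep state

# Traffic from VPN clients arrives on the tunnel interface.
pass in on tun0 from $vpn_net to any keep state

pass out on $ext_if keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf; with this ruleset a VPN client can reach the Internet and the other VPN addresses, while hosts on router 1's LAN can reach the server only on TCP 1194.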

