Step 1: Prepare the system (I set this up on Debian)
Install OpenVPN:
$ sudo apt-get -y install openvpn easy-rsa dnsmasq
This installs three packages with apt-get:
- openvpn provides the OpenVPN core
- easy-rsa contains a set of useful key-management scripts
- dnsmasq is the DNS server used when the host running OpenVPN will act as a router for the clients
Step 2: Generate certificates and private keys
Set up a public key infrastructure (PKI):
- Create a certificate (public key) and a private key for the OpenVPN server
- Create a certificate and a private key for each OpenVPN client
- Set up a certificate authority (CA) with its own certificate and private key. The CA's private key is used to sign the server and client certificates
First create a directory:
$ sudo mkdir /etc/openvpn/easy-rsa
Then copy the easy-rsa files into it:
$ sudo cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa
Before creating the CA's private key, edit /etc/openvpn/easy-rsa/vars (I use vim; any editor will do):
$ sudo vim /etc/openvpn/easy-rsa/vars
At the end of the file, set the information for the master certificate and key:
export KEY_COUNTRY="GR"
export KEY_PROVINCE="Central Macedonia"
export KEY_CITY="Thessaloniki"
export KEY_ORG="Parabing Creations"
export KEY_EMAIL="nobody@parabing.com"
export KEY_CN="VPNsRUS"
export KEY_NAME="VPNsRUS"
export KEY_OU="Parabing"
export KEY_ALTNAMES="VPNsRUS"
Adjust these values to suit your own situation, save and exit, then go on to generate the master certificate and private key:
$ sudo su
# cd /etc/openvpn/easy-rsa
# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
# sh clean-all
# sh build-ca
Generating a 1024 bit RSA private key
...++++++
................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GR]:
State or Province Name (full name) [Central Macedonia]:
Locality Name (eg, city) [Thessaloniki]:
Organization Name (eg, company) [Parabing Creations]:
Organizational Unit Name (eg, section) [Parabing]:
Common Name (eg, your name or your server's hostname) [VPNsRUS]:
Name [VPNsRUS]:
Email Address [nobody@parabing.com]:
After running the build-ca script you have the master (CA) certificate (keys/ca.crt) and its private key (keys/ca.key).
Step 3: Generate the OpenVPN server's certificate and private key
Before generating the server's certificate and key you can give it a name, here "delta" (the default name also works). Then run the build-key-server script to obtain the certificate and key:
# sh build-key-server delta
Generating a 1024 bit RSA private key
....++++++
...++++++
writing new private key to 'delta.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GR]:
State or Province Name (full name) [Central Macedonia]:
Locality Name (eg, city) [Thessaloniki]:
Organization Name (eg, company) [Parabing Creations]:
Organizational Unit Name (eg, section) [Parabing]:
Common Name (eg, your name or your server's hostname) [delta]:
Name [VPNsRUS]:deltaVPN
Email Address [nobody@parabing.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'GR'
stateOrProvinceName :PRINTABLE:'Central Macedonia'
localityName :PRINTABLE:'Thessaloniki'
organizationName :PRINTABLE:'Parabing Creations'
organizationalUnitName:PRINTABLE:'Parabing'
commonName :PRINTABLE:'delta'
name :PRINTABLE:'deltaVPN'
emailAddress :IA5STRING:'nobody@parabing.com'
Certificate is to be certified until Apr 7 08:06:02 2024 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
When the script completes successfully you have the server's certificate (keys/delta.crt) and private key (keys/delta.key).
Step 4: Generate the Diffie-Hellman parameters
Generate the Diffie-Hellman parameters:
# sh build-dh
The certificates, private keys and the Diffie-Hellman parameter file have now been generated; they are all stored in /etc/openvpn/easy-rsa/keys:
- ca.crt – the certificate of the certificate authority (CA)
- ca.key – the CA's private key
- delta.crt – the OpenVPN server's certificate
- delta.key – the OpenVPN server's private key
- dh2048.pem – the Diffie-Hellman parameter file
Copy everything except ca.key to /etc/openvpn:
# cd keys
# cp ca.crt delta.crt delta.key dh2048.pem /etc/openvpn
# cd ..
Step 5: Generate certificates and private keys for the OpenVPN clients
To connect to the OpenVPN server, each client needs a certificate and private key. A script in /etc/openvpn/easy-rsa does this job:
# source vars
# ./build-key laptop
You can name the key, here "laptop". When the build-key script finishes you have the certificate in keys/laptop.crt and the private key in keys/laptop.key. Together with the CA's certificate that makes three files; create a directory and copy them into it:
# mkdir /home/sub0/ovpn-client
# cd keys
# cp ca.crt laptop.crt laptop.key /home/sub0/ovpn-client
# chown -R sub0:sub0 /home/sub0/ovpn-client
# cd ..
These three files can be handed out to multiple clients.
Step 6: OpenVPN server setup
There is a sample configuration file in /usr/share/doc/openvpn/examples/sample-config-files:
# cd /etc/openvpn
# cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz .
# gunzip -d server.conf.gz
# mv server.conf delta.conf
This copies server.conf.gz to /etc/openvpn, unpacks it and renames it to delta.conf. You may name the OpenVPN server configuration file as you like, but it must have the ".conf" extension. Now open the configuration file with vim:
# vim delta.conf
First, locate these two lines:
cert server.crt
key server.key
They set the location and names of the OpenVPN server's certificate and private key; change them to:
cert delta.crt
key delta.key
Then locate this line:
dh dh1024.pem
and replace "1024" with "2048":
dh dh2048.pem
At the end of the configuration file, add these two lines:
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
These two lines tell the clients to use the OpenVPN server as their default gateway and 10.8.0.1 as their DNS server. Note that 10.8.0.1 is the IP of the tunnel interface that OpenVPN creates automatically when it starts.
Start the OpenVPN server:
# service openvpn start
By default the OpenVPN server listens on port 1194/UDP. You can check with netstat:
# netstat -anup
Step 7: Set up DNS for the OpenVPN clients
Open the dnsmasq configuration file:
# vim /etc/dnsmasq.conf
Locate this line:
#listen-address=
and change it to:
listen-address=127.0.0.1, 10.8.0.1
Then locate this line:
#bind-interfaces
and remove the "#":
bind-interfaces
Restart dnsmasq:
# service dnsmasq restart
* Restarting DNS forwarder and DHCP server dnsmasq [ OK ]
Now dnsmasq listens for DNS requests on the loopback (lo) and tunnel (tun0) interfaces only. The netstat output looks like this:
# netstat -anup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:57219 0.0.0.0:* 638/dhclient
udp 0 0 0.0.0.0:1194 0.0.0.0:* 911/openvpn
udp 0 0 127.0.0.1:53 0.0.0.0:* 1385/dnsmasq
udp 0 0 10.8.0.1:53 0.0.0.0:* 1385/dnsmasq
udp 0 0 0.0.0.0:68 0.0.0.0:* 638/dhclient
udp6 0 0 :::39148 :::* 638/dhclient
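The point of listen-address and bind-interfaces is that the resolver answers only on lo and tun0, never on the public interface, where it would be an open resolver. The following Python script is an added example (not part of the original guide or of dnsmasq) that parses a `netstat -anup` listing like the one above and reports any departure from that layout; the listing embedded in it is constructed to mirror the one shown, and the function names are this example's own.

```python
"""Check the UDP listeners after steps 6 and 7 of this guide.

Added example, not part of the original guide: parses `netstat -anup`
output and reports anything that departs from the intended layout,
namely dnsmasq answering only on lo (127.0.0.1) and tun0 (10.8.0.1)
and OpenVPN listening on UDP 1194.
"""

# Constructed sample, mirroring the listing in the guide.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:57219           0.0.0.0:*                           638/dhclient
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           911/openvpn
udp        0      0 127.0.0.1:53            0.0.0.0:*                           1385/dnsmasq
udp        0      0 10.8.0.1:53             0.0.0.0:*                           1385/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           638/dhclient
udp6       0      0 :::39148                :::*                                638/dhclient
"""


def parse_netstat(text):
    """Return (proto, local_ip, local_port, program) for every udp/udp6 row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("udp"):
            continue  # header lines and non-UDP rows
        ip, _, port = parts[3].rpartition(":")  # works for 10.8.0.1:53 and :::39148
        program = parts[-1].partition("/")[2] or parts[-1]  # "1385/dnsmasq" -> "dnsmasq"
        rows.append((parts[0], ip, int(port), program))
    return rows


def audit_listeners(text, tun_ip="10.8.0.1", vpn_port=1194):
    """Return a list of findings; an empty list means the layout matches the guide."""
    rows = parse_netstat(text)
    findings = []
    allowed_dns = {"127.0.0.1", tun_ip}
    dns_binds = {ip for _, ip, port, _ in rows if port == 53}
    # 0.0.0.0 or :: on port 53 means the resolver is reachable on every interface,
    # including the public one; listen-address/bind-interfaces exist to prevent that.
    for ip in sorted(dns_binds - allowed_dns):
        findings.append(f"port 53 bound to {ip}: resolver reachable beyond lo/tun0")
    if tun_ip not in dns_binds:
        findings.append(f"no DNS listener on {tun_ip}:53: the pushed dhcp-option DNS will fail for clients")
    if not any(port == vpn_port and program == "openvpn" for _, _, port, program in rows):
        findings.append(f"openvpn is not listening on UDP {vpn_port}")
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(NETSTAT_SAMPLE) or ["listener layout matches the guide"]:
        print(finding)
```

To use it on a live host, pipe the real output in (for example `netstat -anup | python3 audit.py` after changing the main block to read `sys.stdin`); the check is deliberately strict about the wildcard addresses 0.0.0.0 and ::, because a port 53 socket bound there is what you get when listen-address is left commented out.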
Step 8: Routing
If the OpenVPN host (a physical machine or a VM) is to act as a router, IP forwarding has to be enabled. To turn it on, type as root:
# echo "1" > /proc/sys/net/ipv4/ip_forward
To make the setting survive a reboot, edit /etc/sysctl.conf:
# vim /etc/sysctl.conf
Find this line:
#net.ipv4.ip_forward=1
and remove the "#":
net.ipv4.ip_forward=1
Some iptables rules also have to be activated:
# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
# iptables -A FORWARD -j REJECT
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Make the corresponding changes in /etc/rc.local:
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service dnsmasq restart
exit 0
The second-to-last line:
service dnsmasq restart
is there because, at boot, dnsmasq tries to start before OpenVPN. The tunnel (tun0) interface does not exist until OpenVPN has started, so dnsmasq (told to bind to 10.8.0.1) naturally fails. A little later, when /etc/rc.local runs, the tunnel (tun0) interface is present, so the restart succeeds and DNS works.
Step 9: Client setup
In step 5 we created the ovpn-client folder in the user's home directory. It holds the CA's certificate plus the client's certificate and private key. All that is missing is the client configuration file; there is a sample in /usr/share/doc/openvpn/examples/sample-config-files:
# exit
$ cd ~/ovpn-client
$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf .
Edit client.conf and locate this line:
remote my-server-1 1194
"my-server-1" is a placeholder that has to be replaced with our server's public domain name or IP. If the server already has a domain name, just put it in place of my-server-1. If it has no domain name, the public IP can be obtained with:
$ curl ipecho.net/plain ; echo
If, say, a dnsalias.net domain name is used, the line should look like this:
remote ovpn.dnsalias.net 1194
where "ovpn" is the host name given to the server. With a static IP the line would look like this:
remote 1.2.3.4 1194
Two more lines need changing:
cert client.crt
key client.key
The client's certificate and key are named laptop.crt and laptop.key, so client.conf must contain these two lines:
cert laptop.crt
key laptop.key
After saving the changes to client.conf, the whole ovpn-client folder has to be transferred to the client securely. The scp command (secure copy, i.e. copying over SSH) can be used for this.
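Steps 6 and 9 both consist of replacing sample-file defaults (server.crt/server.key, dh1024.pem, my-server-1, client.crt/client.key) and appending two push lines. The Python script below is an added example (not part of the original guide or of OpenVPN) that reads an OpenVPN config and reports every default that is still in place; the config fragments embedded in it are constructed from the lines quoted in the guide, and the expected file names (delta.crt, laptop.crt, ...) are the guide's choices, passed in as parameters so you can substitute your own.

```python
"""Lint the edits this guide makes to the sample server.conf and client.conf.

Added example, not part of the original guide or of OpenVPN: reads an
OpenVPN config and reports where it still carries the sample-file defaults
that steps 6 and 9 replace.
"""
import re
import shlex

# Constructed fragments: the sample-file defaults quoted in the guide, and the
# same files after the edits from steps 6 and 9.
SERVER_DEFAULTS = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
"""
SERVER_EDITED = (SERVER_DEFAULTS.replace("server.crt", "delta.crt")
                 .replace("server.key", "delta.key").replace("dh1024", "dh2048")
                 + 'push "redirect-gateway def1"\npush "dhcp-option DNS 10.8.0.1"\n')

CLIENT_DEFAULTS = """\
client
dev tun
proto udp
remote my-server-1 1194
ca ca.crt
cert client.crt
key client.key
"""
CLIENT_EDITED = (CLIENT_DEFAULTS.replace("my-server-1", "ovpn.dnsalias.net")
                 .replace("client.crt", "laptop.crt").replace("client.key", "laptop.key"))


def parse_openvpn_conf(text):
    """Yield (directive, args); lines starting with '#' or ';' and text after '#' are comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)  # quotes keep push "redirect-gateway def1" as one arg
        if parts:
            yield parts[0], parts[1:]


def _collect(text):
    """Split a config into {directive: args} (first occurrence checked) and the pushed options."""
    opts, pushes = {}, []
    for directive, args in parse_openvpn_conf(text):
        if directive == "push":
            pushes.append(args[0] if args else "")
        else:
            opts.setdefault(directive, args)
    return opts, pushes


def _first_arg(opts, directive):
    args = opts.get(directive)
    return args[0] if args else None


def audit_server_conf(text, cert="delta.crt", key="delta.key", min_dh_bits=2048):
    """Findings for a server config; [] means every edit from step 6 is in place."""
    opts, pushes = _collect(text)
    findings = []
    for directive, expected in (("cert", cert), ("key", key)):
        got = _first_arg(opts, directive)
        if got != expected:
            findings.append(f"{directive} is {got!r}, expected {expected!r}")
    dh = _first_arg(opts, "dh")
    bits = re.search(r"\d+", dh or "")  # size is read from the file name, e.g. dh2048.pem
    if bits is None or int(bits.group()) < min_dh_bits:
        findings.append(f"dh is {dh!r}, expected a parameter file of at least {min_dh_bits} bits")
    if not any(p.startswith("redirect-gateway") for p in pushes):
        findings.append('no push "redirect-gateway ...": client traffic will not default to the tunnel')
    if not any(p.startswith("dhcp-option DNS") for p in pushes):
        findings.append('no push "dhcp-option DNS ...": clients keep their local resolver, so DNS leaves the tunnel')
    return findings


def audit_client_conf(text, cert="laptop.crt", key="laptop.key", placeholder="my-server-1"):
    """Findings for a client config; [] means every edit from step 9 is in place."""
    opts, _ = _collect(text)
    findings = []
    remote = _first_arg(opts, "remote")
    if remote in (None, placeholder):
        findings.append(f"remote is {remote!r}: put the server's public name or IP here")
    for directive, expected in (("ca", "ca.crt"), ("cert", cert), ("key", key)):
        got = _first_arg(opts, directive)
        if got != expected:
            findings.append(f"{directive} is {got!r}, expected {expected!r}")
    return findings


if __name__ == "__main__":
    for name, result in (("server (sample defaults)", audit_server_conf(SERVER_DEFAULTS)),
                         ("server (edited)", audit_server_conf(SERVER_EDITED)),
                         ("client (sample defaults)", audit_client_conf(CLIENT_DEFAULTS)),
                         ("client (edited)", audit_client_conf(CLIENT_EDITED))):
        print(name, "->", result or "OK")
```

The two push checks are the security-relevant ones: without redirect-gateway only 10.8.0.0/24 is routed through the tunnel, and without the DNS push clients keep resolving names through whatever resolver their local network handed them, outside the VPN. Run it against the real files with `open("/etc/openvpn/delta.conf").read()` and `open("client.conf").read()` in place of the constructed strings.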
Step 10: Connect to the server
Linux: just install the openvpn package. To connect to the OpenVPN server, open a terminal, change into the ovpn-client folder and, as root or with sudo, type:
openvpn --config client.conf
Whenever you want to stop OpenVPN, press [CTRL+C].