openvpn安装与配置

《openvpn安装与配置》由会员上传分享，免费在线阅读，更多相关内容在行业资料-天天文库。

OpenVPN的安装与配置1一，基本安装11.1相关软件包:11.2具体安装1二，网络配置1三，具体配置13.1创建证书配置文件:13.2建立服务器的认证书和密匙:23.3建立客户端证书:23.4创建DiffieHellman参数:23.5拷贝证书相关的文件：23.6配置服务端:23.7启动服务端openvpn33.8配置client端:33.9制作启动服务4四,问题总结:4OpenVPN的安装与配置一，基本安装1.1相关软件包:http://openvpn.net/Lzo-1.08.targzOpenvpn-2.09.tar.gzopenssl1.2具体安装#cd/root#tarzxvflzo-1.08.tar.gz#cdlzo-1.08#./configure#make#makeinstall#cd/root#tarzxvfopenvpn-2.0_beta7.tar.gz#cdopenvpn-2.0#./configure--with-lzo-headers=/usr/local/include--with-lzo-lib=/usr/local/lib#make#cp–Rfopenvpn-2.0/etc/openvpn二，网络配置网络规划:vpn使用路由模式还是网桥模式建议使用路由模式.私有子网网段的规划 建立VPN往往会把各个地方的私有子网网段连接在一起.互联网IP地址分配机构(IANA)已经保留了以下3个网段为私有子网网段所用(RFC1918):10.0.0.010.255.255.255(10/8prefix)172.16.0.0172.31.255.255(172.16/12prefix)192.168.0.0192.168.255.255(192.168/16prefix)三，具体配置3.1创建证书配置文件:下面是linux/bsd/unix系统建立PKI:#cd/etc/openvpn/easy-rsa#vivarsexportKEY_COUNTRY=CNexportKEY_PROVINCE=BJexportKEY_CITY=BjexportKEY_ORG="leadtone"exportKEY_EMAIL=caojincheng@corp.leadtone.com#../vars（注意..之间有空格）#./clean-all#./build-ca最后的命令build-ca将认证CA证书，这些密匙跟openssl紧密结合.3.2建立服务器的认证书和密匙:#./build-key-serverserver3.3建立客户端证书:#./build-keyclient1#./build-keyclient2#./build-keyclient3如果你想保护你的客户端密匙，请运行build-key-pass脚本.为了区分每个客户端，必须用适当的名称命名”CommonName”,比如."client1","client2",or"client3".通常是为每个客户端指定唯一的”commonname”.3.4创建DiffieHellman参数:openvpn服务必须创建DiffeHellman:#./build-dh#cd/etc/openvpn#mkdirconfkeys#cdeasy-rsa/keys3.5拷贝证书相关的文件：#cpca.crt/etc/openvpn/keys#cpserver.crt/etc/openvpn/keys#cpserver.key/etc/openvpn/keys#cpdh1024.pem/etc/openvpn/keys 3.6配置服务端:#cdsample-config-files/#cpserver.conf/etc/openvpn/conf/#cd/etc/openvpn/conf#cpserver.confserver.conf.cao#viserver.conf---------------------------cutbegin-----------------------------------------------------------port1194prototcpdevtunca/etc/openvpn/keys/ca.crtcert/etc/openvpn/keys/server.crtkey/etc/openvpn/keys/server.key#Thisfileshouldbekeptsecretdh/etc/openvpn/keys/dh1024.pemserver172.16.0.0255.255.255.0ifconfig-pool-persistipp.txtpush"route172.16.0.0255.255.255.0"push"route172.16.0.0255.255.255.0"client-config-dir/etc/openvpn/ccdroute172.16.0.0255.255.255.0client-to-clientkeepalive10120comp-lzousernobodygroupnobodypersist-keypersist-tunstatusopenvpn-status.logverb3plugin/etc/openvpn/plugin/simple.so-------------------------------cutend------------------------------------------------3.7启动服务端openvpn#mkdirccd#cdccd#vilin ifconfig-push172.16.0.6172.16.0.7#./openvpn--configconf/server.conf3.8配置client端:#cd/etc/openvpn#mkdirconf#cdsample-config-files/#grep–v“^#”client.conf>1.conf#cp1.conf/etc/openvpn/conf/client.conf#cd../#viconf/client.conf-------------------------------------cutbegin-----------------------------------------------client;devtapdevtun;dev-nodeMyTapprototcp;protoudpremote192.168.13.2111194;remotemy-server-21194;remote-randomresolv-retryinfinitenobindusernobodygroupnobodypersist-keypersist-tun;http-proxy-retry#retryonconnectionfailures;http-proxy[proxyserver][proxyport#];mute-replay-warningsca/etc/openvpn/keys/ca.crtcert/etc/openvpn/keys/lin.crtkey/etc/openvpn/keys/lin.key;ns-cert-typeserver;tls-authta.key1 ;cipherxcomp-lzoverb3--------------------------------cutend---------------------------------------------3.9制作启动服务#cd/etc/openvpn#cdsample-scripts/#cpopenvpn.init/etc/rc.d/init.d/openvpn#chkconfig–addopenvpn#cd/etc/openvpn/conf#cpserver.conf..///将配置文件拷贝到/etc/openvpn根目录下即可.#serviceopenvpnstart即可即动openvpn服务.客户端启动服务制作类似于服务器的上述过程.四,问题总结:1.在sever.conf/client.conf里的证书keys相关的文件要写编对路径.2.协议选中tcp时，去掉udp协议.将udp协议注释掉.3../build-ca,./build-key-server//这两个的commonname必须是一样的.4../build-keyclient..不同的client不一样的commonname不能和上面的commonname一样,cdkeysindex.txtserils下有很多相关的记录.5.考虑证书生效时间问题，要考虑服务端和客户端的时间同步问题，具体设置时方法:Eg:date-s20:30:30#设置系统时间为20:30:30,clock–w#将系统时间(如由date设置的时间)写入Bios;利用网络时间同步时间:ntpdatepool.ntp.org