Deploying an OpenVPN server on RHEL 5.4

Published 2020-10-06 18:05:23

I. Introduction to OpenVPN

     OpenVPN is an SSL-based VPN: it uses the industry-standard SSL/TLS protocol to build secure layer 2 and layer 3 VPN data links. Its advantages are:

      1 It is built on SSL, is secure, and needs only a single TCP or UDP port.

      2 It uses mutual authentication; the server only has to keep its own certificate and key.

      3 The server accepts only clients whose certificates were signed by the master CA, and there is a revocation mechanism, so the PKI never has to be rebuilt.

      4 Access control based on the certificate Common Name is possible.

II. System environment: RHEL 5.4
Software:
     openvpn-2.1.4.tar.gz
     lzo-2.05.tar.gz
III. Installing OpenVPN
   # tar xvf lzo-2.05.tar.gz
   # cd lzo-2.05
   # ./configure
   # make
   # make check
   # make test
   # make install
   # tar xvf openvpn-2.1.4.tar.gz
   # cd openvpn-2.1.4
   # ./configure
   # make && make install

IV. Configuring OpenVPN

   1 Build a dedicated CA for OpenVPN and request the certificates that the OpenVPN server and each client need. OpenVPN supports two authentication models: a pre-shared static key and TLS-based authentication. To simplify deployment and the authentication process, OpenVPN requires the server to perform certificate-based mutual authentication before communication is established, and the use of certificates in turn depends on a PKI.
   OpenVPN ships a set of scripts for issuing certificates from a private CA; they live under easy-rsa in the OpenVPN source tree.
   2 Create the CA and the certificates for the OpenVPN server and each client. This needs details about the certificate subject, such as its country; their default values can be set in the vars file. The parameters include:
#cd /root/openvpn/openvpn-2.1.4/easy-rsa/2.0
#vim vars

export KEY_COUNTRY="CN"
export KEY_PROVINCE="SHANGHAI"
export KEY_CITY="SHANGHAI"
export KEY_ORG="Frank"
export KEY_EMAIL=[email protected]
3 Configure the PKI
#source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /root/openvpn/openvpn-2.1.4/easy-rsa/2.0/keys
[[email protected] 2.0]# ./clean-all
4 Create the local CA
[[email protected] 2.0]# ./build-ca
Generating a 1024 bit RSA private key
...............................................................++++++
........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SHANGHAI]:
Locality Name (eg, city) [SHANGHAI]:
Organization Name (eg, company) [Frank]:
Organizational Unit Name (eg, section) []:Frank
Common Name (eg, your name or your server's hostname) [Frank CA]:FRANK
Name []:frank
Email Address [[email protected]]:
5 Create the key and certificate for the OpenVPN server
[[email protected] 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
................................................................++++++
..++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SHANGHAI]:
Locality Name (eg, city) [SHANGHAI]:
Organization Name (eg, company) [Frank]:
Organizational Unit Name (eg, section) []:Frank
Common Name (eg, your name or your server's hostname) [server]:
Name []:frank
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/openvpn/openvpn-2.1.4/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SHANGHAI'
localityName          :PRINTABLE:'SHANGHAI'
organizationName      :PRINTABLE:'Frank'
organizationalUnitName:PRINTABLE:'Frank'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'frank'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Aug 9 17:43:47 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
6 Create the client's key and certificate
[[email protected] 2.0]# ./build-key frank
Generating a 1024 bit RSA private key
.......................++++++
....++++++
writing new private key to 'frank.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SHANGHAI]:
Locality Name (eg, city) [SHANGHAI]:
Organization Name (eg, company) [Frank]:
Organizational Unit Name (eg, section) []:Frank
Common Name (eg, your name or your server's hostname) [frank]:
Name []:frank
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/openvpn/openvpn-2.1.4/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SHANGHAI'
localityName          :PRINTABLE:'SHANGHAI'
organizationName      :PRINTABLE:'Frank'
organizationalUnitName:PRINTABLE:'Frank'
commonName            :PRINTABLE:'frank'
name                  :PRINTABLE:'frank'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Aug 9 18:45:05 2021 GMT (3650 days)
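What the easy-rsa scripts build-ca, build-key-server and build-key do in steps 4 to 6 can be reproduced with the openssl command line, which also makes it easy to check the two properties the introduction relies on: the server accepts only certificates signed by its own CA (point 3), and the Common Name is what per-client access control keys on (point 4). The script below is an added example, not part of the original post and not the easy-rsa scripts themselves; the working directory, the DN values, the certificate names (server, frank, rogue) and the 2048-bit key size are constructed for illustration, and it assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not from the original post or easy-rsa: do with the openssl
# CLI what ./build-ca, ./build-key-server NAME and ./build-key NAME do, then
# check the result the way an OpenVPN peer would. The directory, DN values,
# names (server, frank, rogue) and 2048-bit keys are constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
DN_BASE="/C=CN/ST=SHANGHAI/L=SHANGHAI/O=Frank/OU=Frank"

# write_exts: X.509 extension files. easy-rsa's build-key-server applies its
# "server" extension set (serverAuth); build-key applies the client set.
write_exts() {
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                'keyUsage=critical,keyCertSign,cRLSign' > "$WORK/ca.ext"
  printf '%s\n' 'basicConstraints=CA:FALSE' \
                'keyUsage=digitalSignature,keyEncipherment' \
                'extendedKeyUsage=serverAuth' > "$WORK/server.ext"
  printf '%s\n' 'basicConstraints=CA:FALSE' \
                'keyUsage=digitalSignature' \
                'extendedKeyUsage=clientAuth' > "$WORK/client.ext"
}

# build_ca: ./build-ca equivalent, a CA key plus a self-signed CA certificate
build_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" -subj "$DN_BASE/CN=Frank CA" 2>/dev/null
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_cert NAME EXTFILE: build-key-server / build-key equivalent, a key and
# CSR for NAME signed by the CA with the extensions in EXTFILE
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$DN_BASE/CN=$1" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 3650 -sha256 -extfile "$2" -out "$WORK/$1.crt" 2>/dev/null
}

# rogue_cert NAME: a self-signed certificate that copies a legitimate CN but
# was never issued by our CA; used to show that the CN alone proves nothing
rogue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$DN_BASE/CN=frank" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 3650 -sha256 \
    -extfile "$WORK/client.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# verify_chain NAME: "ok" if NAME.crt chains to ca.crt, the check both peers
# perform against the file named by the ca directive; otherwise "fail".
# (grep on ": OK" rather than the exit status, which old openssl did not set)
verify_chain() {
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" 2>/dev/null | grep -q ': OK'; then
    echo ok
  else
    echo fail
  fi
}

# has_server_eku NAME: "yes" if the certificate carries the TLS server EKU
# that a client's remote-cert-tls server directive insists on, else "no"
has_server_eku() {
  if openssl x509 -in "$WORK/$1.crt" -noout -text 2>/dev/null \
       | grep -q 'TLS Web Server Authentication'; then
    echo yes
  else
    echo no
  fi
}

# cert_cn NAME: the Common Name, the value OpenVPN's per-client rules
# (client-config-dir entries, tls-verify scripts) are keyed on
cert_cn() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# demo: build the CA, one server cert, one client cert and one rogue cert,
# then report what each check says about them
demo() {
  write_exts
  build_ca
  issue_cert server "$WORK/server.ext"
  issue_cert frank "$WORK/client.ext"
  rogue_cert rogue
  for n in server frank rogue; do
    echo "$n: chain=$(verify_chain "$n") serverEKU=$(has_server_eku "$n") CN=$(cert_cn "$n")"
  done
}
demo
```

verify_chain is the test that makes point 3 of the introduction true: a certificate whose CN reads "frank" but that was not signed by the CA (rogue) fails it, while server and frank pass. has_server_eku is why the server certificate is built with build-key-server rather than build-key: a client configured with remote-cert-tls server rejects a server that presents a client certificate, which stops one stolen client certificate from impersonating the server. cert_cn returns the value that Common Name based access control (point 4) keys on, and it is only meaningful after verify_chain has passed.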
