Setting up OpenVPN on Fedora 10


Note: I did all of this by telnetting from Windows into the Linux machine :)

1 What is a VPN

VPN stands for Virtual Private Network. A VPN sets up a secure communication channel between hosts at different locations on the Internet, so that a private network is built on top of public infrastructure.

2 Obtaining the package

You need the package openvpn-2.1-0.28.rc9.fc10.rpm, which you can find by searching the install DVD or ISO image. If you have neither, download it from ftp://rpmfind.net/Linux/fedora/releases/10/Everything/i386/os/Packages/openvpn-2.1-0.28.rc9.fc10.i386.rpm (the exact release string varies by mirror; the screenshot below installs 0.29.rc15). Before installing a package fetched from a mirror, check its GPG signature with rpm's --checksig option against the Fedora signing key.

1.png

3 Installing the package

Run:

# rpm -ivh openvpn-2.1-0.29.rc15.fc10.i386.rpm

As shown:

2.png

4 Generating certificates

1. Copy the easy-rsa toolkit and create the keys directory:

# cp -r /usr/share/openvpn/easy-rsa /etc/openvpn/
# mkdir /etc/openvpn/easy-rsa/1.0/keys

2. Edit the vars file

# vi /etc/openvpn/easy-rsa/1.0/vars

Press "i" to enter insert mode.

Change the following lines (the same file also sets the RSA key size through KEY_SIZE, 1024 by default; raise it to 2048 for a new deployment):

export KEY_COUNTRY=CN
export KEY_PROVINCE=CD
export KEY_CITY=CHENGDU
export KEY_ORG="0xx"
export KEY_EMAIL=lxff@21cn.com

When done, press Esc, then ":", type wq and press Enter to save.

3. Load the variables and wipe the key directory

# . ./vars
# ./clean-all

Note the two dots in ". ./vars": a dot, a space, then ./vars. The first dot sources the file into the current shell, so the KEY_* variables are visible to the build scripts that follow. clean-all deletes everything under the keys directory, so run it only when starting a fresh CA.

3.png

4. Build the certificate authority

# ./build-ca

Then fill in the prompted fields (the defaults come from vars).

4.jpg

Afterwards the keys directory contains two new files, ca.crt and ca.key. ca.key is the CA's private key: anyone holding it can issue certificates the server will accept, so keep it readable by root only and, ideally, on a machine other than the VPN server. ca.crt is the only CA file that needs to be distributed.

5. Server certificate

# ./build-key-server server


[root@localhost 1.0]# ./build-key-server server
Generating a 1024 bit RSA private key
..++++++
..........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [cn]:cn
State or Province Name (full name) [cd]:cd
Locality Name (eg, city) [chengdu]:chengdu
Organization Name (eg, company) [0xx]:0xx
Organizational Unit Name (eg, section) []:lx
Common Name (eg, your name or your server's hostname) []:lx
Email Address [lxff@21cn.com]:lxff@21cn.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
Using configuration from /etc/openvpn/easy-rsa/1.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'cn'
stateOrProvinceName   :PRINTABLE:'cd'
localityName          :PRINTABLE:'chengdu'
organizationName      :PRINTABLE:'0xx'
organizationalUnitName:PRINTABLE:'lx'
commonName            :PRINTABLE:'lx'
emailAddress          :IA5STRING:'lxff@21cn.com'
Certificate is to be certified until Mar 26 17:24:35 2019 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

When this finishes, the keys directory holds server.crt, server.csr and server.key. The 1024-bit key size shown comes from KEY_SIZE in vars. build-key-server also signs the certificate with the nsCertType=server extension, which is what lets a client tell the server's certificate apart from any other certificate this CA has signed.

5 Client certificate

At any one time a given certificate can be used by only one connected client: a second connection presenting the same Common Name displaces the first unless the server sets duplicate-cn. If you need more clients, repeat this step once per client with a different name, so each client gets its own key and a unique Common Name and can be revoked on its own. Afterwards keys contains client.crt, client.csr and client.key.

# ./build-key client

[root@localhost 1.0]# ./build-key client
Generating a 1024 bit RSA private key
.............++++++
..........++++++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [cn]:cn
State or Province Name (full name) [cd]:cd
Locality Name (eg, city) [chengdu]:chengdu
Organization Name (eg, company) [0xx]:0xx
Organizational Unit Name (eg, section) []:lx
Common Name (eg, your name or your server's hostname) []:lx
Email Address [lxff@21cn.com]:lxff@21cn.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
Using configuration from /etc/openvpn/easy-rsa/1.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'cn'
stateOrProvinceName   :PRINTABLE:'cd'
localityName          :PRINTABLE:'chengdu'
organizationName      :PRINTABLE:'0xx'
organizationalUnitName:PRINTABLE:'lx'
commonName            :PRINTABLE:'lx'
emailAddress          :IA5STRING:'lxff@21cn.com'
Certificate is to be certified until Mar 26 17:28:24 2019 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

6 Generating the Diffie-Hellman parameters

This writes dh1024.pem into keys (the size again follows KEY_SIZE) and can take several minutes:

# ./build-dh

5.png
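The build-* steps above also maintain an OpenSSL CA database in keys/index.txt, one line per issued certificate. Since the transcripts show both the server and the client certificate issued with Common Name lx, and every client needs a name of its own, it is worth scripting a quick audit of that file. The following is an added example, not code from the page or from easy-rsa; the index lines are constructed to resemble what the steps above would leave behind, plus two assumed extra clients (client2, client3) that the page never issued.

```python
"""Audit the CA database that easy-rsa maintains in keys/index.txt.

Added example for this write-up, not code from the original page or from
easy-rsa. SAMPLE_INDEX is constructed to look like what the steps above
(build-key-server server, build-key client) plus two assumed extra clients
would leave in /etc/openvpn/easy-rsa/1.0/keys/index.txt; only the path and
the column layout are real.
"""
from collections import Counter
from datetime import datetime, timezone

# OpenSSL CA database, one tab-separated line per issued certificate:
# status (V valid / R revoked / E expired), expiry as YYMMDDHHMMSSZ,
# revocation date (empty unless R), serial, filename ("unknown"), subject DN.
SAMPLE_INDEX = (
    "V\t190326172435Z\t\t01\tunknown\t/C=cn/ST=cd/L=chengdu/O=0xx/OU=lx/CN=lx/emailAddress=lxff@21cn.com\n"
    "V\t190326172824Z\t\t02\tunknown\t/C=cn/ST=cd/L=chengdu/O=0xx/OU=lx/CN=lx/emailAddress=lxff@21cn.com\n"
    "V\t190401000000Z\t\t03\tunknown\t/C=cn/ST=cd/L=chengdu/O=0xx/OU=lx/CN=client2/emailAddress=lxff@21cn.com\n"
    "R\t190401000000Z\t100101000000Z\t04\tunknown\t/C=cn/ST=cd/L=chengdu/O=0xx/OU=lx/CN=client3/emailAddress=lxff@21cn.com\n"
)


def parse_index(text):
    """Parse index.txt lines into dicts (status, serial, expires, revoked, cn)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _filename, subject = line.split("\t")
        # Subject is /K=V/K=V...; this split assumes no '/' inside a value.
        dn = dict(part.split("=", 1) for part in subject.strip("/").split("/"))
        entries.append({
            "status": status,
            "serial": serial,
            "expires": datetime.strptime(expiry, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc),
            "revoked": revoked != "",
            "cn": dn.get("CN", ""),
        })
    return entries


def audit(entries, now):
    """Return findings: common names shared by several valid certs, and
    certs past their expiry that index.txt still lists as V (openssl only
    flips V to E when 'openssl ca -updatedb' is run)."""
    findings = []
    valid = [e for e in entries if e["status"] == "V"]
    for cn, n in sorted(Counter(e["cn"] for e in valid).items()):
        if n > 1:
            findings.append(
                f"CN '{cn}' is on {n} valid certificates; OpenVPN identifies a client "
                f"by CN, so without duplicate-cn only one of them can stay connected")
    for e in valid:
        if e["expires"] <= now:
            findings.append(
                f"serial {e['serial']} (CN '{e['cn']}') expired on "
                f"{e['expires']:%Y-%m-%d} but is still listed as V")
    return findings


def audit_text(text, year, month, day):
    """Parse and audit `text` as of the given UTC date (wrapper for tests/CLI)."""
    return audit(parse_index(text), datetime(year, month, day, tzinfo=timezone.utc))


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INDEX
    for finding in audit(parse_index(text), datetime.now(timezone.utc)) or ["no findings"]:
        print("-", finding)
```

Run it as root with the real path (python audit.py /etc/openvpn/easy-rsa/1.0/keys/index.txt) after each build-key; a CN reported twice means two clients will fight over one identity on the server.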

7 Server configuration

First copy the certificate files into /etc/openvpn (server.key is the server's private key and should stay readable by root only):

# cp /etc/openvpn/easy-rsa/1.0/keys/ca.crt /etc/openvpn/
# cp /etc/openvpn/easy-rsa/1.0/keys/dh1024.pem /etc/openvpn/
# cp /etc/openvpn/easy-rsa/1.0/keys/server.crt /etc/openvpn
# cp /etc/openvpn/easy-rsa/1.0/keys/server.key /etc/openvpn/

Then copy the sample configuration file into /etc/openvpn/:

# cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn/

Edit the file, find the following two lines and remove the leading ";" so that openvpn drops root privileges once the tunnel interface is up:

;user nobody
;group nobody

6.png
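With only those two lines changed, the rest of the sample stays at its defaults. For reference (added here, not shown on the original page), these are the lines of the 2.1 sample server.conf that are active after the edit; everything else in the sample is commented out. They determine what the client configuration in section 8 has to match.

```conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
```

The relative file names resolve because the Fedora init script runs openvpn from /etc/openvpn, which is why the four files were copied there. dev, proto, port and comp-lzo are not negotiated in this version: the client must use the same values. The sample also carries a commented-out tls-auth ta.key 0 line; enabling it (with a key generated by openvpn --genkey --secret ta.key and copied to each client as tls-auth ta.key 1) puts an HMAC check in front of the TLS handshake, so packets to UDP 1194 that lack the key are dropped before any TLS processing.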

Then start the service:

# /etc/rc.d/init.d/openvpn start

7.png

To start openvpn automatically at boot, run ntsysv, find openvpn, press Space to mark it with an asterisk and save.

Then configure the firewall:

# setup

Choose "Firewall configuration", then "Customize", tick OpenVPN, then save and exit. This opens UDP port 1194, the port the sample server.conf listens on.

8.png

8 Client setup

Finally, set up the Windows XP client. Download openvpn-2.0.9-gui-1.0.3-install.exe (download link: http://www.xdowns.com/soft/softdown.asp?softid=42086), step through the installer, then go to C:\Program Files\OpenVPN\config (the default path), create a file named "client.ovpn" and edit it to contain the following. Keep dev and proto in step with the server side (the sample server.conf uses dev tun and proto udp). Because the server certificate was issued by build-key-server with the nsCertType=server extension, adding the line ns-cert-type server to this file makes the 2.0.9 client reject any other certificate signed by the same CA that is presented as the server.

client
dev tap
;dev tun
;dev-node MyTap
;proto tcp
proto udp
remote <IP address of the Linux server> 1194
;remote-random
resolv-retry infinite
nobind
user nobody
group nobody
route 192.168.1.0 255.255.252.0
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# the three file names below must match the files copied into this folder
ca ca.crt
cert client.crt
key client.key
comp-lzo
# Set log file verbosity.
verb 4
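Several things in a client.ovpn only fail at connect time: the cert and key lines must name the files that were really copied, dev/proto/port/comp-lzo must agree with the server, the route network must fit its mask, and the client should insist on nsCertType=server. The following added example (not code from the page or from the OpenVPN project) parses a client config in OpenVPN's own syntax and checks those points. CLIENT_DRAFT is a constructed config carrying the usual mistakes, with 192.0.2.10 standing in for the Linux server; SERVER encodes the stock sample server.conf after the edit in section 7; CONFIG_DIR is an assumed listing of the client's config folder.

```python
"""Lint an OpenVPN 2.0/2.1 client.ovpn against the server it has to match.

Added example for this write-up; not code from the original page or from the
OpenVPN project. CLIENT_DRAFT and CLIENT_FIXED are constructed configs
(192.0.2.10 stands in for the Linux server's address). SERVER is the effective
state of the stock sample server.conf after section 7's edit (dev tun, proto
udp, port 1194, comp-lzo); CONFIG_DIR is an assumed listing of the client's
config folder.
"""
import ipaddress
import shlex

CLIENT_DRAFT = """\
client
dev tap
proto udp
remote 192.0.2.10 1194
resolv-retry infinite
nobind
user nobody
group nobody
route 192.168.1.0 255.255.252.0
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 4
"""

CLIENT_FIXED = """\
client
dev tun
proto udp
remote 192.0.2.10 1194
resolv-retry infinite
nobind
route 192.168.1.0 255.255.255.0
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
"""

SERVER = {"dev": "tun", "proto": "udp", "port": "1194", "comp-lzo": True}
CONFIG_DIR = {"client.ovpn", "ca.crt", "client.crt", "client.key"}


def parse_ovpn(text):
    """Return [(directive, [args])]; blank lines and ';' or '#' comment lines are skipped."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        parts = shlex.split(line, comments=True)  # also drops a trailing '# comment'
        if parts:
            out.append((parts[0], parts[1:]))
    return out


def lint_client(text, server=SERVER, config_dir=CONFIG_DIR):
    """Return a list of findings (empty when the config is consistent)."""
    directives = parse_ovpn(text)
    first = {}
    for name, args in directives:
        first.setdefault(name, args)
    findings = []

    # 1. build-key-server marked server.crt with nsCertType=server. Unless the
    #    client insists on that flag, any certificate signed by the same CA
    #    (another client's, say) is accepted as "the server".
    if "ns-cert-type" not in first and "remote-cert-tls" not in first:
        findings.append("missing 'ns-cert-type server' (OpenVPN 2.1 also accepts "
                        "'remote-cert-tls server'): server identity is not checked")

    # 2. ca/cert/key must name the files that were really copied next to client.ovpn.
    for key in ("ca", "cert", "key"):
        if key in first and first[key][0] not in config_dir:
            findings.append(f"'{key} {first[key][0]}' names a file that is not in the config folder")

    # 3. Transport settings are not negotiated in this version; both ends must agree.
    for key in ("dev", "proto"):
        value = first.get(key, ["<unset>"])[0]
        if value != server[key]:
            findings.append(f"{key} {value} does not match the server's {key} {server[key]}")
    if "remote" in first and len(first["remote"]) > 1 and first["remote"][1] != server["port"]:
        findings.append(f"remote port {first['remote'][1]} does not match server port {server['port']}")
    if ("comp-lzo" in first) != server["comp-lzo"]:
        findings.append("comp-lzo must be enabled on both ends or on neither")

    # 4. 'route NETWORK NETMASK' must describe an aligned network.
    for name, args in directives:
        if name == "route" and len(args) >= 2:
            try:
                ipaddress.IPv4Network(f"{args[0]}/{args[1]}")
            except ValueError:
                findings.append(f"route {args[0]} {args[1]}: network address has host bits set for that mask")

    # 5. user/group downgrade privileges on Unix only; the Windows build ignores them.
    for key in ("user", "group"):
        if key in first:
            findings.append(f"'{key}' has no effect in the Windows client")
    return findings


if __name__ == "__main__":
    for label, cfg in (("draft", CLIENT_DRAFT), ("fixed", CLIENT_FIXED)):
        print(f"== {label} ==")
        for finding in lint_client(cfg) or ["no findings"]:
            print(" -", finding)
```

Point it at a real file by reading it into lint_client; the checks are deliberately limited to what the page's own setup exercises, so directives it does not know about are passed through without comment.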

Then copy the three files ca.crt, client.crt and client.key from /etc/openvpn/easy-rsa/1.0/keys on the Fedora machine into C:\Program Files\OpenVPN\config (the default path) on the XP machine, by USB stick, FTP or similar; I simply used FTP.

Then open the Start menu and run OpenVPN GUI

9.png

At this point the tray icon is red

10.png

Right-click it and choose Connect

11.png

Once connected, it turns green

12.png

That completes the VPN setup; comments on anything I have missed are welcome :)