Setting up OpenVPN on Fedora 10


Note: all of the steps below were carried out by telnetting from Windows into the Linux machine :)

1. What is a VPN

VPN stands for Virtual Private Network. A VPN establishes a secure communication channel between hosts located in different places on the Internet, building a virtual private network on top of the public network.

2. Software package

You need to install openvpn-2.1-0.28.rc9.fc10.rpm, which can be found by searching the install DVD or ISO image. If you have neither, download it from ftp://rpmfind.net/Linux/fedora/releases/10/Everything/i386/os/Packages/openvpn-2.1-0.28.rc9.fc10.i386.rpm

[Screenshot: 1.png]

3. Installing the package

Run:

# rpm -ivh openvpn-2.1-0.29.rc15.fc10.i386.rpm

[Screenshot: 2.png]

4. Generating the certificates

1. Copy the easy-rsa toolkit into place and create the keys directory:

# cp -r /usr/share/openvpn/easy-rsa /etc/openvpn/
# mkdir /etc/openvpn/easy-rsa/1.0/keys

2. Edit the vars file

# vi /etc/openvpn/easy-rsa/1.0/vars

and press "i" to enter insert mode.

Change the following entries:

export KEY_COUNTRY=CN
export KEY_PROVINCE=CD
export KEY_CITY=CHENGDU
export KEY_ORG="0xx"
export KEY_EMAIL=[email protected]

When you are done, press Esc, then ":" and type wq to save and quit.

3. Load the variables and clear the key store

# . ./vars
# ./clean-all

Note that ". ./vars" contains two dots with a space between them: the first dot sources the file into the current shell.

[Screenshot: 3.png]

4. Build the certificate authority (CA)

# ./build-ca

and fill in the requested information.

[Screenshot: 4.jpg]

Afterwards the keys directory contains two new files, ca.crt and ca.key.

5. Server certificate

# ./build-key-server server

[root@localhost 1.0]# ./build-key-server server
Generating a 1024 bit RSA private key
..++++++
..........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Country Name (2 letter code) [cn]:cn
State or Province Name (full name) [cd]:cd
Locality Name (eg, city) [chengdu]:chengdu
Organization Name (eg, company) [0xx]:0xx
Organizational Unit Name (eg, section) []:lx
Common Name (eg, your name or your server's hostname) []:lx
Email Address [[email protected]]:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
Using configuration from /etc/openvpn/easy-rsa/1.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'cn'
stateOrProvinceName   :PRINTABLE:'cd'
localityName          :PRINTABLE:'chengdu'
organizationName      :PRINTABLE:'0xx'
organizationalUnitName:PRINTABLE:'lx'
commonName            :PRINTABLE:'lx'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Mar 26 17:24:35 2019 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

When it finishes, the keys directory contains three new files: server.crt, server.csr and server.key.

5. Client certificate

Each certificate can be used by only one connected client at a time; if you need more clients, repeat this step to create additional certificates.

# ./build-key client

[root@localhost 1.0]# ./build-key client
Generating a 1024 bit RSA private key
.............++++++
..........++++++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [cn]:cn
State or Province Name (full name) [cd]:cd
Locality Name (eg, city) [chengdu]:chengdu
Organization Name (eg, company) [0xx]:0xx
Organizational Unit Name (eg, section) []:lx
Common Name (eg, your name or your server's hostname) []:lx
Email Address [[email protected]]:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
Using configuration from /etc/openvpn/easy-rsa/1.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'cn'
stateOrProvinceName   :PRINTABLE:'cd'
localityName          :PRINTABLE:'chengdu'
organizationName      :PRINTABLE:'0xx'
organizationalUnitName:PRINTABLE:'lx'
commonName            :PRINTABLE:'lx'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Mar 26 17:28:24 2019 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

6. Generate the Diffie-Hellman parameters

# ./build-dh
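Before the files generated in steps 3 to 6 are copied into /etc/openvpn, it is worth confirming that they fit together. The script below is an added example and is not part of the original tutorial or of easy-rsa: check_pki uses the openssl command-line tool to verify that a certificate was issued by ca.crt, that the .key file really belongs to the .crt, and that the private key is not readable by other users. The keys directory path is the one used in this tutorial and is an assumption; demo_pki builds a throw-away CA with plain openssl (constructed test data) so the script can be run on any machine, and deliberately includes a mismatched, world-readable client key so that the failure output is visible.

```shell
#!/bin/sh
# Added example (not part of the original tutorial or of easy-rsa): sanity-check
# the files easy-rsa wrote to the keys directory before copying them to /etc/openvpn.
# Assumes the openssl command-line tool is installed.

KEYS_DIR=/etc/openvpn/easy-rsa/1.0/keys   # path used in the tutorial (assumption)

# check_pki KEYS_DIR NAME
#   Verifies that NAME.crt chains to ca.crt, that NAME.key is the private key
#   belonging to NAME.crt, and that NAME.key is not group/world readable.
#   Prints one line per check; returns 0 when all pass, 1 otherwise.
check_pki() {
    dir=$1; name=$2
    ca="$dir/ca.crt"; crt="$dir/$name.crt"; key="$dir/$name.key"
    status=0

    for f in "$ca" "$crt" "$key"; do
        [ -f "$f" ] || { echo "MISSING  $f"; status=1; }
    done
    [ "$status" -eq 0 ] || return 1

    # 1. Chain check: NAME.crt must have been issued by ca.crt.
    if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "OK       $crt is signed by $ca"
    else
        echo "FAIL     $crt does not verify against $ca"; status=1
    fi

    # 2. Key/cert match: the public key embedded in the certificate must equal
    #    the public key derived from the private key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]; then
        echo "OK       $key matches $crt"
    else
        echo "FAIL     $key does not match $crt"; status=1
    fi

    # 3. Private key permissions: only the owner may read it.
    perm=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key" 2>/dev/null)
    case "$perm" in
        ?00) echo "OK       $key mode $perm" ;;
        *)   echo "FAIL     $key mode $perm (expected 600)"; status=1 ;;
    esac
    return "$status"
}

# demo_pki: self-contained run against a throw-away CA created with plain
# openssl (constructed test data, not the tutorial's easy-rsa output).
# "server" is a correct key/cert pair; "client" deliberately gets a key that
# belongs to no certificate and is world-readable, so both failure modes show.
# Returns 0 only if the good pair passes and the bad pair is rejected.
demo_pki() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$tmp/ca.key" -out "$tmp/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-server" \
        -keyout "$tmp/server.key" -out "$tmp/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$tmp/server.csr" -CA "$tmp/ca.crt" \
        -CAkey "$tmp/ca.key" -CAcreateserial -out "$tmp/server.crt" >/dev/null 2>&1
    chmod 600 "$tmp/server.key"
    cp "$tmp/server.crt" "$tmp/client.crt"                     # valid chain ...
    openssl genrsa -out "$tmp/client.key" 2048 >/dev/null 2>&1  # ... but the wrong key
    chmod 644 "$tmp/client.key"

    if check_pki "$tmp" server; then good=0; else good=1; fi
    if check_pki "$tmp" client; then bad=0; else bad=1; fi
    rm -rf "$tmp"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

# On the tutorial's host:   check_pki "$KEYS_DIR" server; check_pki "$KEYS_DIR" client
# Anywhere else:            demo_pki
```

The public-key comparison is the check that catches the most common mix-up at this stage, a client.crt paired with a key from a different build-key run; openssl verify alone would still report such a certificate as valid.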

[Screenshot: 5.png]

7. Server configuration

First copy the certificate files into /etc/openvpn:

# cp /etc/openvpn/easy-rsa/1.0/keys/ca.crt /etc/openvpn/
# cp /etc/openvpn/easy-rsa/1.0/keys/dh1024.pem /etc/openvpn/
# cp /etc/openvpn/easy-rsa/1.0/keys/server.crt /etc/openvpn
# cp /etc/openvpn/easy-rsa/1.0/keys/server.key /etc/openvpn/

Then copy the sample configuration file into /etc/openvpn:

# cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn/

Edit the configuration file, find the following two lines and remove the leading ";":

;user nobody
;group nobody
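As an added example that is not from the original tutorial, the following script checks a config file before the service is started: it confirms that user nobody / group nobody are no longer commented out (so the daemon drops root privileges after start-up), that every file named by the ca, cert, key and dh directives exists relative to the config directory, and that the private key has mode 600. It works for the server.conf edited here and equally for the client.ovpn written later in this tutorial. demo_conf builds its own small server.conf in a temporary directory (constructed data, not the real /etc/openvpn) and performs the same ";"-removal as the hand edit with sed.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): check an OpenVPN config
# file before starting the service.

# check_ovpn_conf CONF
#   Returns 0 when the config looks sound, 1 otherwise; prints one line per finding.
check_ovpn_conf() {
    conf=$1
    dir=$(dirname "$conf")
    status=0
    [ -f "$conf" ] || { echo "MISSING  $conf"; return 1; }

    # 1. Privilege drop: "user nobody" / "group nobody" must be uncommented.
    for directive in "user nobody" "group nobody"; do
        if grep -Eq "^[[:space:]]*$directive([[:space:]]|$)" "$conf"; then
            echo "OK       $directive"
        else
            echo "FAIL     '$directive' is missing or still commented out"; status=1
        fi
    done

    # 2. Referenced files: ca/cert/key/dh paths are relative to the config's
    #    directory unless absolute; a trailing "# comment" is ignored.
    for directive in ca cert key dh; do
        path=$(sed -n "s/^[[:space:]]*$directive[[:space:]]\{1,\}\([^[:space:];#]*\).*/\1/p" "$conf" | head -n 1)
        [ -n "$path" ] || continue        # directive absent (dh is server-only)
        case "$path" in
            /*) full=$path ;;
            *)  full="$dir/$path" ;;
        esac
        if [ -f "$full" ]; then
            echo "OK       $directive -> $full"
        else
            echo "FAIL     $directive -> $full (file not found)"; status=1
            continue
        fi
        # 3. The private key must not be group/world readable.
        if [ "$directive" = key ]; then
            perm=$(stat -c %a "$full" 2>/dev/null || stat -f %Lp "$full" 2>/dev/null)
            case "$perm" in
                ?00) ;;
                *)   echo "FAIL     $full is mode $perm, expected 600"; status=1 ;;
            esac
        fi
    done
    return "$status"
}

# demo_conf: constructed server.conf in a temp dir (not the real /etc/openvpn).
# Returns 0 only if the unedited file is rejected and the edited one passes.
demo_conf() {
    tmp=$(mktemp -d)
    for f in ca.crt server.crt server.key dh1024.pem; do : > "$tmp/$f"; done
    chmod 600 "$tmp/server.key"
    cat > "$tmp/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
;user nobody
;group nobody
EOF
    echo "--- before removing the ';':"
    if check_ovpn_conf "$tmp/server.conf"; then before=0; else before=1; fi
    # The edit the tutorial makes by hand in vi, done with sed:
    sed 's/^;\(user nobody\)$/\1/; s/^;\(group nobody\)$/\1/' "$tmp/server.conf" \
        > "$tmp/server.conf.new" && mv "$tmp/server.conf.new" "$tmp/server.conf"
    echo "--- after:"
    if check_ovpn_conf "$tmp/server.conf"; then after=0; else after=1; fi
    rm -rf "$tmp"
    [ "$before" -eq 1 ] && [ "$after" -eq 0 ]
}

# On the tutorial's host:   check_ovpn_conf /etc/openvpn/server.conf
# Anywhere else:            demo_conf
```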

[Screenshot: 6.png]

Then start the service:

# /etc/rc.d/init.d/openvpn start

[Screenshot: 7.png]

If you want OpenVPN to start automatically at boot, run ntsysv, find openvpn, press Space to mark it with an asterisk, and save.

Then configure the firewall:

# setup

Choose "Firewall configuration" - "Customize", tick OpenVPN, then save and exit.

[Screenshot: 8.png]

8. Client setup

Finally, set up the Windows XP client. Download openvpn-2.0.9-gui-1.0.3-install.exe, step through the installer, then open C:\Program Files\OpenVPN\config (the default path), create a file named client.ovpn and edit it as follows:

client
# must match the dev setting on the server (the sample server.conf uses "dev tun")
dev tap
;dev tun
;dev-node MyTap
;proto tcp
proto udp
remote <IP address of the Linux server> 1194
;remote-random
resolv-retry infinite
nobind
user nobody
group nobody
route 192.168.1.0 255.255.252.0
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# the three files below must match the ones copied from the server's keys directory
ca ca.crt
cert client.crt
key client.key
comp-lzo
# Set log file verbosity.
verb 4

Then copy the three files ca.crt, client.crt and client.key from /etc/openvpn/easy-rsa/1.0/keys on the Fedora machine into C:\Program Files\OpenVPN\config (the default path) on XP, by USB stick, FTP or similar; I copied them with FTP.

Then open the Start menu and run OpenVPN GUI.

[Screenshot: 9.png]

The icon in the system tray is now red.

[Screenshot: 10.png]

Right-click it and choose Connect.

[Screenshot: 11.png]

Once the connection succeeds, it turns green.

[Screenshot: 12.png]

That completes the VPN setup; comments on anything missing are welcome :)