Configuring OpenVPN (reposted)

Original · Network security · Author: post0 · Posted: 2007-08-24 17:13:16

  I. Installation and configuration

  1. Downloading the software

  The latest release can be obtained from http://openvpn.net/

  2. Installing the software

  tar xzvf openvpn-2.0.7.tar.gz
  cd openvpn-2.0.7              # the tarball unpacks into openvpn-2.0.7
  ./configure
  make
  make install
  mknod /dev/net/tun c 10 200   # create the tun device node
  echo "alias char-major-10-200 tun" >>/etc/modprobe.conf   # load the tun module on demand

  3. Initial setup

  mkdir /etc/openvpn            # create the OpenVPN directory
  cp -r easy-rsa /etc/openvpn   # run this from the OpenVPN source directory
  cd /etc/openvpn/easy-rsa
  vi vars                       # edit the vars file as follows:

  # These are the default values for fields
  # which will be placed in the certificate.
  # Don't leave any of these fields blank.
  export KEY_COUNTRY=cn           # country
  export KEY_PROVINCE=Beijing     # province
  export KEY_CITY=Beijing         # city
  export KEY_ORG="test"           # organization; the CA certificate is also generated from this
  export KEY_EMAIL="…@...com"

  Save the changes; next we generate the keys.

  # . vars          # export the modified variables into the current shell
  NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
  # ./clean-all     # initialize the keys directory, creating the files and directories it needs
  # ./build-ca      # generate the root CA certificate used to sign the server and client certificates; protect keys/ca.key carefully
  # ls keys
  ca.crt ca.key index.txt serial

  ca.crt and ca.key have now been generated.

  Next, generate the Diffie-Hellman parameters for the server:

  # ./build-dh      # a file the TLS server needs

  Create and sign the certificate used by the VPN server:

  # ./build-key-server server   # "server" becomes the base name of the generated files, server.crt and server.key

  Next, issue a certificate for the VPN client. To issue certificates for additional clients later, run build-key with a new name for each one.

  # ./build-key client

  To defend against attacks such as DoS and UDP port flooding, generate an "HMAC firewall" key:

  # openvpn --genkey --secret keys/ta.key

  Generate a certificate revocation list (CRL) so that, if a certificate is lost later, it can be revoked instead of letting an unauthorized user join the VPN:

  # ./make-crl vpncrl.pem

  4. Server setup

  The server uses the configuration file server.conf, shown below:

  # Which local IP address should OpenVPN
  # listen on? (optional)
  ;local a.b.c.d
  ;local *.*.*.*

  # Which TCP/UDP port should OpenVPN listen on?
  # If you want to run multiple OpenVPN instances
  # on the same machine, use a different port
  # number for each one. You will need to
  # open up this port on your firewall.
  port 5000

  # TCP or UDP server?
  ;proto tcp
  proto udp

  # "dev tun" will create a routed IP tunnel,
  # "dev tap" will create an ethernet tunnel.
  # Use "dev tap0" if you are ethernet bridging
  # and have precreated a tap0 virtual interface
  # and bridged it with your ethernet interface.
  # If you want to control access policies
  # over the VPN, you must create firewall
  # rules for the TUN/TAP interface.
  # On non-Windows systems, you can give
  # an explicit unit number, such as tun0.
  # On Windows, use "dev-node" for this.
  # On most systems, the VPN will not function
  # unless you partially or fully disable
  # the firewall for the TUN/TAP interface.
  ;dev tap
  dev tun

  # Windows needs the TAP-Win32 adapter name
  # from the Network Connections panel if you
  # have more than one. On XP SP2 or higher,
  # you may need to selectively disable the
  # Windows firewall for the TAP adapter.
  # Non-Windows systems usually don't need this.
  ;dev-node MyTap

  # SSL/TLS root certificate (ca), certificate
  # (cert), and private key (key). Each client
  # and the server must have their own cert and
  # key file. The server and all clients will
  # use the same ca file.
  #
  # See the "easy-rsa" directory for a series
  # of scripts for generating RSA certificates
  # and private keys. Remember to use
  # a unique Common Name for the server
  # and each of the client certificates.
  #
  # Any X509 key management system can be used.
  # OpenVPN can also use a PKCS #12 formatted key file
  # (see "pkcs12" directive in man page).
  ca ca.crt
  cert server.crt
  key server.key # This file should be kept secret

  # Diffie hellman parameters.
  # Generate your own with:
  # openssl dhparam -out dh1024.pem 1024
  # Substitute 2048 for 1024 if you are using
  # 2048 bit keys.
  dh dh1024.pem

  # Configure server mode and supply a VPN subnet
  # for OpenVPN to draw client addresses from.
  # The server will take 10.8.0.1 for itself,
  # the rest will be made available to clients.
  # Each client will be able to reach the server
  # on 10.8.0.1. Comment this line out if you are
  # ethernet bridging. See the man page for more info.
  server 10.8.0.0 255.255.255.0

  # Maintain a record of client <-> virtual IP address
  # associations in this file. If OpenVPN goes down or
  # is restarted, reconnecting clients can be assigned
  # the same virtual IP address from the pool that was
  # previously assigned.
  ifconfig-pool-persist ipp.txt

  # Configure server mode for ethernet bridging.
  # You must first use your OS's bridging capability
  # to bridge the TAP interface with the ethernet
  # NIC interface. Then you must manually set the
  # IP/netmask on the bridge interface, here we
  # assume 10.8.0.4/255.255.255.0. Finally we
  # must set aside an IP range in this subnet
  # (start=10.8.0.50 end=10.8.0.100) to allocate
  # to connecting clients. Leave this line commented
  # out unless you are ethernet bridging.
  ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

  # Push routes to the client to allow it
  # to reach other private subnets behind
  # the server. Remember that these
  # private subnets will also need
  # to know to route the OpenVPN client
  # address pool (10.8.0.0/255.255.255.0)
  # back to the OpenVPN server.
  #push "route 192.168.1.0 255.255.255.0"
  push "route 192.168.2.0 255.255.255.0"
  push "route 10.1.1.0 255.255.255.0"
  route 10.3.0.0 255.255.0.0

  # To assign specific IP addresses to specific
  # clients or if a connecting client has a private
  # subnet behind it that should also have VPN access,
  # use the subdirectory "ccd" for client-specific
  # configuration files (see man page for more info).

  # EXAMPLE: Suppose the client
  # having the certificate common name "Thelonious"
  # also has a small subnet behind his connecting
  # machine, such as 192.168.40.128/255.255.255.248.
  # First, uncomment out these lines:
  ;client-config-dir ccd
  ;route 192.168.40.128 255.255.255.248
  # Then create a file ccd/Thelonious with this line:
  # iroute 192.168.40.128 255.255.255.248
  # This will allow Thelonious' private subnet to
  # access the VPN. This example will only work
  # if you are routing, not bridging, i.e. you are
  # using "dev tun" and "server" directives.

  # EXAMPLE: Suppose you want to give
  # Thelonious a fixed VPN IP address of 10.9.0.1.
  # First uncomment out these lines:
  ;client-config-dir ccd
  ;route 10.9.0.0 255.255.255.252
  # Then add this line to ccd/Thelonious:
  # ifconfig-push 10.9.0.1 10.9.0.2

  # Suppose that you want to enable different
  # firewall access policies for different groups
  # of clients. There are two methods:
  # (1) Run multiple OpenVPN daemons, one for each
  # group, and firewall the TUN/TAP interface
  # for each group/daemon appropriately.
  # (2) (Advanced) Create a script to dynamically
  # modify the firewall in response to access
  # from different clients. See man
  # page for more info on learn-address script.
  ;learn-address ./script

  # If enabled, this directive will configure
  # all clients to redirect their default
  # network gateway through the VPN, causing
  # all IP traffic such as web browsing and
  # DNS lookups to go through the VPN
  # (The OpenVPN server machine may need to NAT
  # the TUN/TAP interface to the internet in
  # order for this to work properly).
  # CAVEAT: May break client's network config if
  # client's local DHCP server packets get routed
  # through the tunnel. Solution: make sure
  # client's local DHCP server is reachable via
  # a more specific route than the default route
  # of 0.0.0.0/0.0.0.0.
  ;push "redirect-gateway"

  # Certain Windows-specific network settings
  # can be pushed to clients, such as DNS
  # or WINS server addresses. CAVEAT:
  # http://openvpn.net/faq.html#dhcpcaveats
  push "dhcp-option DNS 192.168.2.10"
  ;push "dhcp-option WINS 10.8.0.1"

  # Uncomment this directive to allow different
  # clients to be able to "see" each other.
  # By default, clients will only see the server.
  # To force clients to only see the server, you
  # will also need to appropriately firewall the
  # server's TUN/TAP interface.
  ;client-to-client

  # Uncomment this directive if multiple clients
  # might connect with the same certificate/key
  # files or common names. This is recommended
  # only for testing purposes. For production use,
  # each client should have its own certificate/key
  # pair.
  #
  # IF YOU HAVE NOT GENERATED INDIVIDUAL
  # CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
  # EACH HAVING ITS OWN UNIQUE "COMMON NAME",
  # UNCOMMENT THIS LINE OUT.
  ;duplicate-cn

  # The keepalive directive causes ping-like
  # messages to be sent back and forth over
  # the link so that each side knows when
  # the other side has gone down.
  # Ping every 10 seconds, assume that remote
  # peer is down if no ping received during
  # a 120 second time period.
  keepalive 10 120

  # For extra security beyond that provided
  # by SSL/TLS, create an "HMAC firewall"
  # to help block DoS attacks and UDP port flooding.
  #
  # Generate with:
  # openvpn --genkey --secret ta.key
  #
  # The server and each client must have
  # a copy of this key.
  # The second parameter should be '0'
  # on the server and '1' on the clients.
  tls-auth ta.key 0 # This file is secret

  # Select a cryptographic cipher.
  # This config item must be copied to
  # the client config file as well.
  ;cipher BF-CBC # Blowfish (default)
  ;cipher AES-128-CBC # AES
  ;cipher DES-EDE3-CBC # Triple-DES

  # Enable compression on the VPN link.
  # If you enable it here, you must also
  # enable it in the client config file.
  ;comp-lzo

  # The maximum number of concurrently connected
  # clients we want to allow.
  ;max-clients 100

  # It's a good idea to reduce the OpenVPN
  # daemon's privileges after initialization.
  #
  # You can uncomment this out on
  # non-Windows systems.
  user nobody
  group nobody

  # The persist options will try to avoid
  # accessing certain resources on restart
  # that may no longer be accessible because
  # of the privilege downgrade.
  persist-key
  persist-tun

  # Output a short status file showing
  # current connections, truncated
  # and rewritten every minute.
  status openvpn-status.log

  # By default, log messages will go to the syslog (or
  # on Windows, if running as a service, they will go to
  # the "Program Files\OpenVPN\log" directory).
  # Use log or log-append to override this default.
  # "log" will truncate the log file on OpenVPN startup,
  # while "log-append" will append to it. Use one
  # or the other (but not both).
  ;log openvpn.log
  ;log-append openvpn.log

  # Set the appropriate level of log
  # file verbosity.
  #
  # 0 is silent, except for fatal errors
  # 4 is reasonable for general usage
  # 5 and 6 can help to debug connection problems
  # 9 is extremely verbose
  verb 9

  # Silence repeating messages. At most 20
  # sequential messages of the same message
  # category will be output to the log.
  ;mute 20

  Save server.conf in the /etc/openvpn directory and copy the keys generated with the easy-rsa scripts into /etc/openvpn as well:

  # cd /etc/openvpn
  # cp easy-rsa/keys/ca.crt .
  # cp easy-rsa/keys/server.crt .
  # cp easy-rsa/keys/server.key .
  # cp easy-rsa/keys/dh1024.pem .
  # cp easy-rsa/keys/ta.key .
  # cp easy-rsa/keys/vpncrl.pem .

  Create the OpenVPN startup script: the source tree ships one as sample-scripts/openvpn.init. Copy it to /etc/init.d/, rename it openvpn, and then run:

  # chkconfig --add openvpn
  # chkconfig openvpn on

  Start OpenVPN right away:

  # /etc/init.d/openvpn start

  5. Client configuration

  The client configuration file, client.ovpn, is as follows:

  ##############################################
  # Sample client-side OpenVPN 2.0 config file #
  # for connecting to multi-client server.     #
  #                                            #
  # This configuration can be used by multiple #
  # clients, however each client should have   #
  # its own cert and key files.                #
  #                                            #
  # On Windows, you might want to rename this  #
  # file so it has a .ovpn extension           #
  ##############################################

  # Specify that we are a client and that we
  # will be pulling certain config file directives
  # from the server.
  client

  # Use the same setting as you are using on
  # the server.
  # On most systems, the VPN will not function
  # unless you partially or fully disable
  # the firewall for the TUN/TAP interface.
  ;dev tap
  dev tun

  # Windows needs the TAP-Win32 adapter name
  # from the Network Connections panel
  # if you have more than one. On XP SP2,
  # you may need to disable the firewall
  # for the TAP adapter.
  #dev-node MyTap

  # Are we connecting to a TCP or
  # UDP server? Use the same setting as
  # on the server.
  ;proto tcp
  proto udp

  # The hostname/IP and port of the server.
  # You can have multiple remote entries
  # to load balance between the servers.
  remote …..168
  remote …….35
  port 5000
  ;remote my-server-2 1194

  # Choose a random host from the remote
  # list for load-balancing. Otherwise
  # try hosts in the order specified.
  remote-random

  # Keep trying indefinitely to resolve the
  # host name of the OpenVPN server. Very useful
  # on machines which are not permanently connected
  # to the internet such as laptops.
  resolv-retry infinite

  # Most clients don't need to bind to
  # a specific local port number.
  nobind

  # Downgrade privileges after initialization (non-Windows only)
  ;user nobody
  ;group nobody

  # Try to preserve some state across restarts.
  persist-key
  persist-tun

  # If you are connecting through an
  # HTTP proxy to reach the actual OpenVPN
  # server, put the proxy server/IP and
  # port number here. See the man page
  # if your proxy server requires
  # authentication.
  ;http-proxy-retry # retry on connection failures
  ;http-proxy [proxy server] [proxy port #]

  # Wireless networks often produce a lot
  # of duplicate packets. Set this flag
  # to silence duplicate packet warnings.
  ;mute-replay-warnings

  # SSL/TLS parms.
  # See the server config file for more
  # description. It's best to use
  # a separate .crt/.key file pair
  # for each client. A single ca
  # file can be used for all clients.
  ca ca.crt
  cert client.crt
  key client.key

  # Verify server certificate by checking
  # that the certificate has the nsCertType
  # field set to "server". This is an
  # important precaution to protect against
  # a potential attack discussed here:
  # http://openvpn.net/howto.html#mitm
  #
  # To use this feature, you will need to generate
  # your server certificates with the nsCertType
  # field set to "server". The build-key-server
  # script in the easy-rsa folder will do this.
  ns-cert-type server

  # If a tls-auth key is used on the server
  # then every client must also have the key.
  tls-auth ta.key 1

  # Select a cryptographic cipher.
  # If the cipher option is used on the server
  # then you must also specify it here.
  ;cipher x

  # Enable compression on the VPN link.
  # Don't enable this unless it is also
  # enabled in the server config file.
  ;comp-lzo

  # Set log file verbosity.
  verb 3

  # Silence repeating messages
  ;mute 20

  Copy client.ovpn, ca.crt, client.crt, client.key and ta.key into the C:\Program Files\OpenVPN\config directory, then choose "Start OpenVPN on this config file".
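  A small linter, added here as an example (it is not from the original post and not part of OpenVPN), that parses server.conf and client.ovpn in OpenVPN's directive format and reports the weak spots in the two configs above, among them that vpncrl.pem is copied into /etc/openvpn but never loaded, since OpenVPN consults a CRL only when crl-verify names it; it also goes one step past the page by checking the client side. The sample configs are constructed from the page's active directives, and vpn.example.invalid is a placeholder host.

```python
import re, shlex
# Constructed samples: the active directives of the page's server.conf and client.ovpn.
SERVER_CONF = """\
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
server 10.8.0.0 255.255.255.0
tls-auth ta.key 0 # This file is secret
;cipher AES-128-CBC # AES
user nobody
group nobody
verb 9
"""
CLIENT_CONF = """\
client
remote vpn.example.invalid 5000
ns-cert-type server
tls-auth ta.key 1
"""

def parse(text):
    # Directive -> list of argument lists. As in OpenVPN, '#' or ';' at line
    # start or after whitespace opens a comment; quoted arguments stay together.
    conf = {}
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)[#;].*", "", raw).strip()
        if line:
            name, *args = shlex.split(line)
            conf.setdefault(name, []).append(args)
    return conf

def lint(text):
    # Findings for a server.conf or client.ovpn assembled the way this page describes.
    c = parse(text)
    role = "client" if "client" in c else "server"
    key_dir = "1" if role == "client" else "0"  # tls-auth key direction, as the page sets it
    checks = [
        ("tls-auth" in c and c["tls-auth"][0][1:] == [key_dir],
         f"tls-auth ta.key {key_dir} missing: the HMAC firewall from step 3 is inactive"),
        (role == "client" or "crl-verify" in c,
         "crl-verify missing: vpncrl.pem is copied but never read, so revoked client certs still connect"),
        (role == "server" or "ns-cert-type" in c or "remote-cert-tls" in c,
         "server cert role unchecked: any valid client cert could pose as the server"),
        ("duplicate-cn" not in c, "duplicate-cn: one leaked client key serves any number of clients"),
        (role == "client" or ("user" in c and "group" in c), "daemon keeps root after init: add user/group"),
        (role == "client" or "cipher" in c, "no cipher line: the default BF-CBC (64-bit block) is used"),
        (int(c.get("verb", [["1"]])[-1][0]) <= 4, "verb above 4 logs far more than production needs"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Run lint() on the real /etc/openvpn/server.conf after the copy step above; on the page's configuration it reports the missing crl-verify, the default cipher and verb 9.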

Source: ITPUB博客, link: http://blog.itpub.net/8225414/viewspace-965585/. If you repost, please cite the source; otherwise legal liability will be pursued.
