Red Hat Enterprise Linux AS release 4 Update 8.docx

Uploaded by: b****3  Document ID: 4865314  Uploaded: 2022-12-11  Format: DOCX  Pages: 9  Size: 19.30KB

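Installing an OpenVPN Server on Red Hat Enterprise Linux AS release 4 Update 8

Tags: OpenVPN, installation, openvpn, linux

Original work. Reproduction is permitted, provided that the original source of the article, the author information and this notice are indicated with a hyperlink. Otherwise legal liability will be pursued.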

I. OpenVPN installation environment

1. Server environment

Red Hat Enterprise Linux AS release 4 (Nahant Update 8)

Kernel: 2.6.27.48

IP: 192.168.0.1

2. Client environment

Windows XP PRO SP2

IP: 192.168.0.2

II. OpenVPN server installation procedure

1. Check the kernel: it must support the tun device, and the iptables module must be loaded.

Check whether tun is installed:

Code:

[root@localhost ~]# modinfo tun
filename:       /lib/modules/2.6.27.48/kernel/drivers/net/tun.ko
description:    Universal TUN/TAP device driver
author:         (C) 1999-2004 Max Krasnyansky
license:        GPL
alias:          char-major-10-200
vermagic:       2.6.27.48 SMP mod_unload modversions 686 4KSTACKS
depends:

2. Check OpenSSL

If SSL connections are to be enabled, OpenSSL must be installed first.

RHEL 4 installs OpenSSL by default; if it is missing, install it yourself.

3. Download and install LZO

Download the latest release, lzo-2.03.tar.gz.

Code:

[root@localhost src]# tar zxvf lzo-2.03.tar.gz
[root@localhost src]# cd lzo-2.03
[root@localhost lzo-2.03]# ./configure
[root@localhost lzo-2.03]# make
[root@localhost lzo-2.03]# make check    (run the checks; this step can be skipped)
[root@localhost lzo-2.03]# make test     (run the full test suite; this step can be skipped)
[root@localhost lzo-2.03]# make install  (install as root)

4. Download and install OpenVPN

Download the latest release, openvpn-2.1.2.tar.gz.

Code:

[root@localhost src]# tar zxvf openvpn-2.1.2.tar.gz
[root@localhost src]# cd openvpn-2.1.2
[root@localhost openvpn-2.1.2]# ./configure --prefix=/usr/local/openvpn \
                           --with-lzo-lib=/usr/local/lib \
                           --with-ssl-headers=/usr/include/openssl \
                           --with-ssl-lib=/lib
[root@localhost openvpn-2.1.2]# make
[root@localhost openvpn-2.1.2]# make install

5. Generate the certificates and keys for the VPN server and clients

Set the environment variables

Method 1: declare the variables with export

Code:

[root@localhost openvpn-2.1.2]# cd easy-rsa/2.0
[root@localhost 2.0]# export D=`pwd`
[root@localhost 2.0]# export KEY_CONFIG=$D/f
[root@localhost 2.0]# export KEY_DIR=$D/keys
[root@localhost 2.0]# export KEY_SIZE=1024
[root@localhost 2.0]# export KEY_COUNTRY=CN
[root@localhost 2.0]# export KEY_PROVINCE=SH
[root@localhost 2.0]# export KEY_CITY=SH
[root@localhost 2.0]# export KEY_ORG=""
[root@localhost 2.0]# export KEY_EMAIL="me@"

Method 2: edit the environment variable file vars

Code:

[root@localhost 2.0]# vi vars   (set the corresponding variables in the file to the values shown above)
[root@localhost 2.0]# . vars

Remove any previous CA certificate and keys

Code:

[root@localhost 2.0]# ./clean-all

 

Generate the CA

Code:

[root@localhost 2.0]# ./build-ca
Generating a 1024 bit RSA private key
...............++++++
.....++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [CA]:
Name []:
Email Address [me@]:

Because these values were already set in the variables, just press Enter at each prompt to accept the default.

 

 

Generate the key for the OpenVPN server

Code:

[root@localhost 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
.........................................++++++
.........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Name []:
Email Address [me@]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/src/openvpn-2.1.2/easy-rsa/2.0/f
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SH'
localityName          :PRINTABLE:'Shanghai'
organizationName      :PRINTABLE:''
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'me@'
Certificate is to be certified until Aug 17 07:20:17 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

 

 

Generate the key for the client

Code:

[root@localhost 2.0]# ./build-key client1
Generating a 1024 bit RSA private key
....................................++++++
........++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:
Name []:
Email Address [me@]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/src/openvpn-2.1.2/easy-rsa/2.0/f
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SH'
localityName          :PRINTABLE:'Shanghai'
organizationName      :PRINTABLE:''
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'me@'
Certificate is to be certified until Aug 17 07:24:46 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

If there are several clients, run ./build-key once per client to generate a separate key for each.

Note that at the prompt Common Name (eg, your name or your server's hostname) []: the name entered must be different for every certificate.

Generate the Diffie-Hellman parameters

Code:

[root@localhost 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time

...............................+....+..........................+..............................................................+............+..............+.................................................................+.......................................+............................................+...........+..............+..........................................................................+.......................+.......................................+................................+...........................+........+....................+.+.+........................................+....++*++*++* 
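The following check is an added example, not part of the original article: it reads the certificates and DH parameters that the steps above wrote to the keys directory and flags any below a minimum size, since KEY_SIZE=1024 is under the 2048-bit floor in current guidance such as NIST SP 800-131A. The function names, the MIN_BITS threshold and the script name are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit key sizes of the files easy-rsa wrote to KEY_DIR.
# MIN_BITS is an assumed policy threshold; it does not come from the article.
MIN_BITS=${MIN_BITS:-2048}

# key_bits: read `openssl ... -noout -text` output on stdin, print the key size.
# Matches old ("RSA Public Key: (1024 bit)") and new ("Public-Key: (2048 bit)")
# OpenSSL wording, and "DH Parameters: (N bit)" from `openssl dhparam`.
key_bits() {
    sed -n -e 's/.*Public[- ]Key: *(\([0-9][0-9]*\) bit).*/\1/p' \
           -e 's/.*DH Parameters: *(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# classify NAME BITS: print a verdict line; return 1 if weak or unparsable.
classify() {
    name=$1; bits=$2
    case $bits in
        ''|*[!0-9]*) echo "UNKNOWN $name"; return 1 ;;
    esac
    if [ "$bits" -lt "$MIN_BITS" ]; then
        echo "WEAK $name $bits"
        return 1
    fi
    echo "OK $name $bits"
}

# audit_dir DIR: check every certificate and DH parameter file in DIR.
audit_dir() {
    dir=$1; rc=0
    for f in "$dir"/*.crt "$dir"/dh*.pem; do
        [ -f "$f" ] || continue
        case $f in
            *.crt) size=$(openssl x509 -in "$f" -noout -text 2>/dev/null | key_bits) ;;
            *)     size=$(openssl dhparam -in "$f" -noout -text 2>/dev/null | key_bits) ;;
        esac
        classify "$(basename "$f")" "$size" || rc=1
    done
    return $rc
}

# Run as: sh audit.sh easy-rsa/2.0/keys   (the script name is hypothetical)
if [ "$#" -gt 0 ]; then
    audit_dir "$1"
fi
```

A non-zero exit status means at least one file was weak or could not be parsed, so the script can gate the copy into /etc/openvpn in the next step.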

 

6. Create the server configuration file and service startup script

Code:

[root@localhost openvpn-2.1.2]# mkdir /etc/openvpn
[root@localhost openvpn-2.1.2]# cp sample-config-files/server.conf /etc/openvpn
[root@localhost openvpn-2.1.2]# cp sample-scripts/openvpn.init /etc/init.d/openvpnd

Note: the path to the openvpn binary in this default openvpn.init script may differ from your actual installation, in which case it has to be changed.

[root@localhost openvpn-2.1.2]# vi /etc/init.d/openvpnd

In the script, change:

openvpn_locations="/usr/sbin/openvpn /usr/local/sbin/openvpn"

to the actual installation path, for example:

openvpn_locations="/usr/local/openvpn/sbin/openvpn"

[root@localhost openvpn-2.1.2]# chkconfig --add openvpnd
[root@localhost openvpn-2.1.2]# cp easy-rsa/2.0/keys/ca.crt /etc/openvpn/
[root@localhost openvpn-2.1.2]# cp easy-rsa/2.0/keys/server.crt /etc/openvpn/
[root@localhost openvpn-2.1.2]# cp easy-rsa/2.0/keys/server.key /etc/openvpn/
[root@localhost openvpn-2.1.2]# cp easy-rsa/2.0/keys/dh1024.pem /etc/openvpn/

7. Start the OpenVPN server

Code:

[root@localhost openvpn-2.1.2]# service openvpnd start
Starting openvpn: [  OK  ]
[root@localhost openvpn-2.1.2]# tail /var/log/messages
Aug 20 15:50:29 localhost openvpn[20961]: OpenVPN 2.1.2 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Aug 20 2010
Aug 20 15:50:29 localhost openvpn[20961]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Aug 20 15:50:29 localhost openvpn[20961]: Diffie-Hellman initialized with 1024 bit key
Aug 20 15:50:29 localhost openvpn[20961]: TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Aug 20 15:50:29 localhost openvpn[20961]: Socket Buffers: R=[109568->131072] S=[109568->131072]
Aug 20 15:50:29 localhost openvpn[20961]: ROUTE default_gateway=222.73.34.190
Aug 20 15:50:29 localhost openvpn[20961]: TUN/TAP device tun0 opened
Aug 20 15:50:29 localhost openvpn[20961]: TUN/TAP TX queue length set to 100
Aug 20 15:50:29 localhost openvpn[20961]: /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Aug 20 15:50:29 localhost kernel: tun0: Disabled Privacy Extensions
Aug 20 15:50:29 localhost openvpn[20961]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Aug 20 15:50:29 localhost openvpn[20961]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Aug 20 15:50:29 localhost openvpn[20966]: UDPv4 link local (bound): [
