# yum install openvpn
# yum install easy-rsa # mkdir ~/easy-rsa # cp -ai /usr/share/easy-rsa/2.0/* ~/easy-rsa/
# vi vars
. . .
# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024
. . .
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="TW"
export KEY_PROVINCE="Taiwan"
export KEY_CITY="NewTaipei"
export KEY_ORG="Wieson"
export KEY_EMAIL="eddie@wieson.com"
export KEY_OU="WSY"
. . .
export KEY_CN="SVNServer"
. .
Note: 1024-bit RSA is below current minimums, so set KEY_SIZE=2048 as the comment suggests. build-dh names its output after the key size (dh2048.pem instead of dh1024.pem), so the dh file references in the cp and server.conf steps below must change to match.
# cd ~/easy-rsa # . vars # ./clean-all
# ./build-ca
範例
[root@RD30 easy-rsa]# ./build-ca Generating a 1024 bit RSA private key .++++++ .++++++ writing new private key to 'ca.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [US]:TW State or Province Name (full name) [CA]:Taiwan Locality Name (eg, city) [SanFrancisco]:Taoyuan Organization Name (eg, company) [Fort-Funston]:Mapower Organizational Unit Name (eg, section) []:Software Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:Eddie Name []: Email Address [me@myhost.mydomain]:eddie@mapower.com.tw
# ./build-inter $( hostname | cut -d. -f1 ) or # ./build-key-server server (build-inter issues an intermediate-CA certificate; for the VPN server prefer build-key-server, which sets the server extensions that clients check with remote-cert-tls server)
範例
[root@RD30 easy-rsa]# ./build-inter $( hostname | cut -d. -f1 ) Generating a 1024 bit RSA private key .............++++++ .....................................++++++ writing new private key to 'RD30.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [US]:TW State or Province Name (full name) [CA]:Taiwan Locality Name (eg, city) [SanFrancisco]:Taoyuan Organization Name (eg, company) [Fort-Funston]:Mapower Organizational Unit Name (eg, section) []:Software Common Name (eg, your name or your server's hostname) [RD30]: Name []: Email Address [me@myhost.mydomain]:eddie@mapower.com.tw Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:784026 An optional company name []:eddie Using configuration from /root/easy-rsa/openssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'TW' stateOrProvinceName :PRINTABLE:'Taiwan' localityName :PRINTABLE:'Taoyuan' organizationName :PRINTABLE:'Mapower' organizationalUnitName:PRINTABLE:'Software' commonName :PRINTABLE:'RD30' emailAddress :IA5STRING:'eddie@mapower.com.tw' Certificate is to be certified until Oct 14 12:17:45 2020 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@RD30 easy-rsa]#
# ./build-dh
# mkdir /etc/openvpn/keys (如果沒有的話) # cp -ai keys/$( hostname | cut -d. -f1 ).{crt,key} keys/ca.crt keys/dh1024.pem /etc/openvpn/keys/
# cp -ai /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/roadwarrior-server.conf /etc/openvpn/server.conf
# TLS parms
tls-server
ca keys/ca.crt
cert keys/4000A.crt
key keys/4000A.key
dh keys/dh1024.pem
local a.b.c.d --> Listen IP (if omitted, listens on 0.0.0.0)
port 1194 --> Listen Port
proto tcp --> tcp/udp
dev tun --> tun/tap
ca ./keys/ca.crt --> ca.crt path
cert ./keys/server.crt --> server.crt path
key ./keys/server.key --> server.key path
dh ./keys/dh1024.pem --> dh1024.pem path
server 192.168.125.0 255.255.255.0 --> openvpn ip range(server 為 192.168.125.1)
push "redirect-gateway" --> 所有連線都透過此gateway
push "dhcp-option DNS 168.95.1.1" --> 重導 DNS 為 此
duplicate-cn --> 使用者可重覆登入(多個 client 可共用同一張憑證；憑證一旦外洩所有人都受影響，也無法逐一撤銷或分辨使用者)
# service openvpn start
指令:ifconfig,來查看VPN的網卡連線(tun or tap) 指令:netstat -tulnp(可查看port 1194是否有傾聽)
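# Firewall rules for the OpenVPN server, one rule per line (pasted onto a
# single line they would run as one iptables command and fail).
# Looks like eth1 is the interface clients reach the VPN on and eth0 the
# inner LAN — adjust interface names to this host.
# The protocol must match the `proto` line in server.conf: the sample above
# shows `proto tcp` while this rule opens UDP — open only the one in use.
iptables -A INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
# Traffic arriving from any tun interface (VPN clients) to this host.
iptables -A INPUT -i tun+ -j ACCEPT
# VPN clients may be forwarded anywhere.
iptables -A FORWARD -i tun+ -j ACCEPT
# Inner LAN -> VPN clients.
iptables -A FORWARD -i eth0 -o tun+ -j ACCEPT
# Outside -> VPN clients only for replies to connections the clients started.
iptables -A FORWARD -i eth1 -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): `push "redirect-gateway"` in server.conf also needs IP
# forwarding enabled and a NAT rule for client traffic leaving eth1;
# neither is shown on this page.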
append INPUT -i eth1 -p udp --dport 1194 -j ACCEPT append INPUT -i tun+ -j ACCEPT append FORWARD -i tun+ -j ACCEPT append FORWARD -i eth0 -o tun+ -j ACCEPT append FORWARD -i eth1 -o tun+ -j established
management localhost 8998 (管理介面可對 openvpn 程序下指令，只綁在 localhost 即可，勿綁在對外 IP)
telnet localhost 8998
[root@4000A openvpn]# telnet 127.0.0.1 8998 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info status OpenVPN CLIENT LIST Updated,Sat May 6 09:46:15 2017 Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since eddie,220.189.249.222:59038,1309218,3106911,Sat May 6 09:15:38 2017 blue,112.17.235.18:12333,27023,24983,Sat May 6 09:46:01 2017 ROUTING TABLE Virtual Address,Common Name,Real Address,Last Ref 192.168.126.6,eddie,220.189.249.222:59038,Sat May 6 09:45:52 2017 192.168.126.10,blue,112.17.235.18:12333,Sat May 6 09:46:15 2017 GLOBAL STATS Max bcast/mcast queue length,0 END