I have long wanted to write an article about VPN configuration, but for lack of time and many other reasons I never got around to it; now it is finally here. My knowledge is limited and I do not work in this field professionally, so mistakes are unavoidable; please point them out so we can all improve.

Since I first encountered VPNs I have been looking for a VPN program that is easy to configure, powerful, and supports multiple operating systems. Having found nothing suitable, I tried FreeSWAN on Linux, IPSec on OpenBSD/FreeBSD and PPTP on Windows; none of them met my requirements, until OpenVPN appeared.

I will not go over the pros and cons of the various VPN software and hardware products here, because a lot of personal preference is mixed into that (are radishes tastier, or greens?). A piece of software that is stable, meets your requirements, and that you are used to is good software.

OpenVPN has been discussed a great deal on the CU VPN board, and some of those posts are excellent, but all of them use static-key authentication. As the name suggests, a static key is a pre-generated key used to both encrypt and decrypt the data, i.e. what is commonly called symmetric encryption: both sides must know the key in advance. This article covers the TLS mode instead, in which a CA is used to verify the identity of the VPN client. In TLS mode OpenVPN protects the data using public-key cryptography (asymmetric keys: encryption and decryption use different keys, one called the public key and the other the private key). For how TLS works, Google it; there is plenty of material. For OpenVPN in TLS mode, the server and client must first hold certificates issued by the same CA; the two sides exchange certificates, verify each other's legitimacy, and decide on that basis whether to establish the VPN connection. Each side then encrypts the data-encryption method it is currently using (in effect, a session key) with the other side's certificate and sends it over; since it was encrypted with the other side's certificate (its public key), only the private key belonging to that certificate can decrypt it, which keeps the session key secure. The session key is also changed periodically, so an eavesdropper may still be trying to recover one key while the two parties have already moved on to the next.

My personal impression of OpenVPN (or rather, my reasons for using it): excellent NAT traversal, HTTP proxy support, good handling of dynamic addresses, highly configurable, secure configuration, open source and therefore easy to extend... nothing else comes to mind :). Everything about OpenVPN can be found at http://openvpn.net.

Now to the actual installation and configuration of OpenVPN. This article was written on Fedora Core 2. Because my machine is not at the gateway position in the network, I use NAT to reach the internal network; otherwise routing on the network devices would also have to be configured. Assume my VPN server has two NICs: eth0 faces outward with IP 61.1.1.2, eth1 faces inward with IP 192.168.1.2, and the internal network is 192.168.0.0/16.

In this article, apart from a leading "#" in a configuration file, which is a comment, every leading "#" is a shell prompt. When a second "#" appears on a non-configuration line, what follows it is a comment and can be left out when typing the command.

Obtaining and installing OpenVPN:

First check whether the lzo real-time compression library is installed:

$ rpm -qa | grep lzo

If it is not installed you can get it from http://www.oberhumer.com/opensource/lzo/; see the INSTALL file in the tarball for instructions. You can also install it as rpm packages, but be sure to install the package whose name starts with lzo-devel as well, because OpenVPN needs the lzo header files.

$ wget http://mesh.dl.sourceforge.net/sourceforge/openvpn/openvpn-2.0_rc16.tar.gz
$ tar -zxvf openvpn-2.0_rc16.tar.gz
$ cd openvpn-2.0_rc16
$ ./configure
$ make
$ su
# make install

Following the instructions in the INSTALL file, do the following:

# mknod /dev/net/tun c 10 200                          # create a tun device
# echo "alias char-major-10-200 tun" >> /etc/modprobe.conf
# echo 1 > /proc/sys/net/ipv4/ip_forward               # enable IP forwarding in the kernel

Next we generate the keys that the server and the clients will use. For convenience we use the easy-rsa scripts shipped with the OpenVPN package.

# mkdir /etc/openvpn
# cp -r easy-rsa /etc/openvpn        # run this from the OpenVPN source directory

Edit the vars file:

-------------CUT Here-------------
# easy-rsa parameter settings
# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.

# This variable should point to
# the top level of the easy-rsa
# tree.
export D=`pwd`

# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=$D/openssl.cnf

# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR=$D/keys

# Issue rm -rf warning
echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
# the country you are in, 2 characters
export KEY_COUNTRY=CN
# your province
export KEY_PROVINCE=Liaoning
# your city
export KEY_CITY=Shenyang
# your organisation
export KEY_ORG="ELM OpenVPN ORG"
# your department
export KEY_OU="OpenVPN Service"
# your e-mail address
export KEY_EMAIL="elm@elm.freetcp.com"
-------------CUT Here-----------------

Save the file after editing. Now we start generating the keys. The following are shell commands; "#" is the prompt.

# . vars              # make the edited variables take effect
NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
# ./clean-all         # initialise the keys directory, creating the files and directories it needs
# ./build-ca          # generate the root CA certificate used to sign the server and client certificates; guard the keys/ca.key file carefully
Generating a 1024 bit RSA private key
........................++++++
.............++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:                         # just press Enter if nothing needs changing
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [ELM OpenVPN ORG]:
Organizational Unit Name (eg, section) [OpenVPN Service]:
Common Name (eg, your name or your server's hostname) []:OpenVPN Root CA
Email Address [elm@elm.freetcp.com]:
# ls keys
ca.crt  ca.key  index.txt  serial

We can see that ca.crt and ca.key have been generated. Next we generate the Diffie-Hellman parameter file for the server:

# ./build-dh          # a file the TLS server needs
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
Create and sign the certificate used by the VPN server:

# ./build-key-server server     # "server" is the base name of the resulting files, server.crt and server.key
Generating a 1024 bit RSA private key
......................++++++
...............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [ELM OpenVPN ORG]:
Organizational Unit Name (eg, section) [OpenVPN Service]:
Common Name (eg, your name or your server's hostname) []:Server No.1
Email Address [elm@elm.freetcp.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Liaoning'
localityName          :PRINTABLE:'Shenyang'
organizationName      :PRINTABLE:'ELM OpenVPN ORG'
organizationalUnitName:PRINTABLE:'OpenVPN Service'
commonName            :PRINTABLE:'Server No.1'
emailAddress          :IA5STRING:'elm@elm.freetcp.com'
Certificate is to be certified until Feb 26 14:43:44 2015 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
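The "Write out database" message above refers to keys/index.txt, the openssl CA database that build-ca created and that every build-key-server or build-key run appends to. As an added example (not from the original article or the OpenVPN project), the Python below audits that database offline: it parses index.txt, classifies each issued certificate as usable, revoked or expired at a given time, and checks that keys/serial is still ahead of every serial already issued. The records and the audit time are constructed; only the first entry mirrors the server certificate signed above.

```python
from datetime import datetime, timezone
# Constructed sample keys/index.txt: the server certificate issued above plus
# two hypothetical client certificates (one revoked, one whose validity lapsed).
SAMPLE_INDEX = (
    "V\t150226144344Z\t\t01\tunknown\t/C=CN/ST=Liaoning/L=Shenyang"
    "/O=ELM OpenVPN ORG/OU=OpenVPN Service/CN=Server No.1/emailAddress=elm@elm.freetcp.com\n"
    "R\t150301080000Z\t100601120000Z,keyCompromise\t02\tunknown\t/C=CN/ST=Liaoning"
    "/L=Shenyang/O=ELM OpenVPN ORG/OU=OpenVPN Service/CN=client-laptop\n"
    "V\t060301080000Z\t\t03\tunknown\t/C=CN/ST=Liaoning/L=Shenyang"
    "/O=ELM OpenVPN ORG/OU=OpenVPN Service/CN=client-old\n"
)
SAMPLE_SERIAL = "04\n"  # constructed keys/serial: the next serial openssl will issue
SAMPLE_NOW = datetime(2010, 7, 1, tzinfo=timezone.utc)  # constructed audit time

def parse_time(stamp):
    """openssl stores UTCTime as YYMMDDHHMMSSZ."""
    return datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_index(text):
    """Records: status (V/R/E), expiry, revocation[,reason], serial (hex), filename, subject DN."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revocation, serial, _fname, subject = line.split("\t")
        # The DN is rendered /C=../CN=..; splitting on '/' is fine unless a value contains one.
        attrs = dict(part.split("=", 1) for part in subject.strip("/").split("/"))
        records.append({
            "status": status, "serial": int(serial, 16), "cn": attrs.get("CN", ""),
            "expires": parse_time(expiry),
        })
    return records

def audit(index_text, now):
    """Classify each issued certificate as usable, revoked or expired at `now`."""
    result = {"usable": [], "revoked": [], "expired": []}
    for r in parse_index(index_text):
        if r["status"] == "R":
            result["revoked"].append(r["cn"])
        elif r["status"] == "E" or r["expires"] <= now:
            result["expired"].append(r["cn"])
        else:
            result["usable"].append(r["cn"])
    return result

def serial_consistent(index_text, serial_text):
    """keys/serial must exceed every issued serial, or openssl would reuse one and a CRL entry would be ambiguous."""
    issued = [r["serial"] for r in parse_index(index_text)]
    return int(serial_text.strip(), 16) > max(issued, default=0)
```

Run against the real keys/index.txt and keys/serial, the same functions tell you which client certificates the CA still vouches for before you revoke or reissue any.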