OpenVPN installation

alee
Posts: 4
Joined: 2011-07-25 09:53:02


Post by alee »

Installation environment: Ubuntu 8.04 server or Ubuntu 10.04 server

Install the openvpn package
apt-get install openvpn

cp /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn/ -rp
cd /etc/openvpn/easy-rsa/2.0

Configure the openvpn key-generation settings file
vi vars
-------------------------------------------
export KEY_SIZE=2048 # key length: 1024 or 2048
export CA_EXPIRE=31 # validity period of the CA key, set to 31 days
export KEY_EXPIRE=31 # validity period of ordinary keys
export KEY_COUNTRY="TW" # key settings: country, as a 2-letter code
export KEY_PROVINCE="TAIWAN" # province
export KEY_CITY="TAICHONG" # city
export KEY_ORG="sinya" # organization / company
export KEY_EMAIL="alee@551.com.tw" # e-mail address
-------------------------------------------

Load the key environment settings
. ./vars # note there are two dots; it seems a single dot works too
./clean-all # use on the first run; it clears everything under keys/

Generate the CA key
./build-ca

The following prompts appear; press Enter at each of them
Country Name (2 letter code) [TW]:
State or Province Name (full name) [TAIWAN]:
Locality Name (eg, city) [TAICHONG]:
Organization Name (eg, company) [sinya]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [sinya CA]:
Email Address [alee@551.com.tw]:


Generate the server key
./build-key-server server

The following prompts appear; press Enter at each of them
Country Name (2 letter code) [TW]:
State or Province Name (full name) [TAIWAN]:
Locality Name (eg, city) [TAICHONG]:
Organization Name (eg, company) [sinya]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Email Address [alee@551.com.tw]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'TW'
stateOrProvinceName :PRINTABLE:'TAIWAN'
localityName :PRINTABLE:'TAICHONG'
organizationName :PRINTABLE:'sinya'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'alee@551.com.tw'
Certificate is to be certified until Apr 23 01:06:01 2011 GMT (31 days)

Two questions are shown; answer y to both
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y


Generate the DH parameters
./build-dh

Copy the openvpn configuration file
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
cd /etc/openvpn
gzip -d server.conf.gz

Generate the ta key, which protects against DoS and UDP port-flooding attacks
cd /etc/openvpn/easy-rsa/2.0/keys
openvpn --genkey --secret ta.key


Edit the openvpn configuration file
vi server.conf
-------------------------------------------------
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
server 10.8.0.0 255.255.255.0 # subnet from which the server hands out IPs
push "route 10.10.70.0 255.255.255.0" # adds this route to the client's routing table
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
--------------------------------------------------


Start openvpn
/etc/init.d/openvpn start
Check whether it started successfully
ifconfig
Output like the following means it succeeded
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255

==================== separator ====================



Revoke a client certificate
./revoke-full client2

At this point an error appears.

Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
error on line 282 of config file '/etc/openvpn/easy-rsa/openssl.cnf'
17264:error:0E065068:configuration file routines:STR_COPY:variable has no
value:conf_def.c:629:line 282
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
error on line 282 of config file '/etc/openvpn/easy-rsa/openssl.cnf'
17265:error:0E065068:configuration file routines:STR_COPY:variable has no
value:conf_def.c:629:line 282
foo.crt: XXXXXXXX
error 3 at 0 depth lookup:unable to get certificate CRL

Open the openssl.cnf file

# [ pkcs11_section ]
# engine_id = pkcs11
# dynamic_path = /usr/lib/engines/engine_pkcs11.so
# MODULE_PATH = $ENV::PKCS11_MODULE_PATH
# PIN = $ENV::PKCS11_PIN
# init = 0

Comment out the lines around line 282 shown above, and it works.

Run it again
./revoke-full client1
It shows
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Revoking Certificate 02.
Data Base Updated
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
client1.crt: /C=CN/ST=BJ/L=BeiJing/O=iredmail/CN=client1/emailAddress=shake.chen@gmail.com
error 23 at 0 depth lookup:certificate revoked

At this point, error 23 means the revocation succeeded. But you will find that this certificate can still log in.

What actually happens is that crl.pem is generated under keys; it contains the revoked certificates.

We still need to edit server.conf

and add

crl-verify /etc/openvpn/easy-rsa/2.0/keys/crl.pem

Restart openvpn; now you will find the client can no longer log in.
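The walkthrough above ends on a point that is easy to miss: revoking a certificate with easy-rsa only updates crl.pem, and the server keeps accepting the revoked client until `crl-verify` is added to server.conf. The POSIX shell script below is an added example, not part of alee's post or of OpenVPN/easy-rsa: it audits a server.conf for the file-backed directives the post configures (`ca`, `cert`, `key`, `dh`, `tls-auth`, `crl-verify`), checks that each referenced file exists, checks that the private key and the `tls-auth` secret are not group/world readable, and checks that the `tls-auth` key direction is 0 on the server. The function names, the key directory layout and the sample configurations are constructed for the demo; relative paths are resolved against the directory containing server.conf, which is a simplification of OpenVPN's own behaviour (working directory or the `cd` directive).

```shell
#!/bin/sh
# Added example (not from the original post): audit an OpenVPN server.conf for
# the settings the walkthrough relies on. Directive names are real OpenVPN
# directives; the key layout built by make_sample_layout is a constructed sample.

# audit_ovpn_conf CONF
# Prints one line per finding. Returns 0 when every check passes, 1 otherwise.
audit_ovpn_conf() {
    conf=$1
    confdir=$(dirname "$conf")
    rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }

    # Directives that name a file. tls-auth and crl-verify are the two a fresh
    # sample server.conf lacks; without crl-verify a revoked client certificate
    # still authenticates, which is the post's closing point.
    for d in ca cert key dh tls-auth crl-verify; do
        path=$(awk -v d="$d" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$path" ]; then
            echo "FAIL: directive '$d' is not set"
            rc=1
            continue
        fi
        # Assumption for this checker: relative paths are taken relative to
        # the directory holding server.conf.
        case $path in /*) ;; *) path=$confdir/$path ;; esac
        if [ ! -e "$path" ]; then
            echo "FAIL: $d refers to missing file $path"
            rc=1
            continue
        fi
        # The private key and the tls-auth secret must not be group/world readable.
        # ls -ld mode string: chars 5..10 are the group and other permission bits.
        case $d in
        key|tls-auth)
            mode=$(ls -ld "$path" | awk '{ print substr($1, 5, 6) }')
            if [ "$mode" != "------" ]; then
                echo "FAIL: $path is readable by group/other (mode bits '$mode')"
                rc=1
            fi
            ;;
        esac
    done

    # tls-auth takes a key-direction argument: 0 on the server, 1 on clients.
    dir=$(awk '$1 == "tls-auth" { print $3; exit }' "$conf")
    if [ -n "$dir" ] && [ "$dir" != "0" ]; then
        echo "FAIL: tls-auth key direction is '$dir'; the server side uses 0"
        rc=1
    fi
    return $rc
}

# make_sample_layout DIR GOOD|BAD
# Builds a constructed keys/ directory with empty placeholder files and a
# server.conf under DIR, then prints the conf path. BAD omits crl-verify and
# leaves the private key world-readable, the two mistakes the audit should catch.
make_sample_layout() {
    base=$1
    kind=$2
    keys=$base/keys
    mkdir -p "$keys"
    for f in ca.crt server.crt dh2048.pem crl.pem server.key ta.key; do
        : > "$keys/$f"
    done
    chmod 600 "$keys/server.key" "$keys/ta.key"
    if [ "$kind" = BAD ]; then
        chmod 644 "$keys/server.key"
    fi
    {
        echo "ca $keys/ca.crt"
        echo "cert $keys/server.crt"
        echo "key $keys/server.key"
        echo "dh $keys/dh2048.pem"
        echo "server 10.8.0.0 255.255.255.0"
        echo "tls-auth $keys/ta.key 0"
        if [ "$kind" = GOOD ]; then
            echo "crl-verify $keys/crl.pem"
        fi
        echo "comp-lzo"
        echo "verb 3"
    } > "$base/server.conf"
    echo "$base/server.conf"
}

# Stand-alone demo on constructed layouts under a temporary directory.
demo_tmp=$(mktemp -d)
echo "== GOOD layout =="
audit_ovpn_conf "$(make_sample_layout "$demo_tmp/good" GOOD)" && echo "no findings"
echo "== BAD layout =="
audit_ovpn_conf "$(make_sample_layout "$demo_tmp/bad" BAD)" || echo "audit failed as expected"
rm -rf "$demo_tmp"
```

Run it against a real installation with `audit_ovpn_conf /etc/openvpn/server.conf` after sourcing the script; a clean result confirms that the CRL the revoke step produces is actually consulted by the server.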
