Deploying an OpenVPN Server on CentOS 6
Published: 2023-02-17 10:43:52  Category: CentOS  Source: Internet
Background: recently the GFW has started blocking VPNs, and the PPTP/L2TP VPN set up earlier on the VPS has become unstable at times. So I plan to set up an additional OpenVPN Server on the VPS as a fallback.

Environment:
OS: CentOS 6.4 x86_64 Minimal

1. Install the EPEL repository
# yum install http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

2. Install the required dependency packages
# yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig

3. Install OpenVPN
# yum install openvpn

4. Download easy-rsa 2.x
# wget https://github.com/OpenVPN/easy-rsa/archive/release/2.x.zip
# unzip 2.x.zip
# cd easy-rsa-release-2.x
# cp -rf easy-rsa /etc/openvpn/

5. Configure the easy-rsa vars file
# cd /etc/openvpn/easy-rsa/2.0/
# ln -s openssl-1.0.0.cnf openssl.cnf
# chmod +x vars

Change the following settings in the vars file:
# vim vars
...
# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024
...
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="JP"
export KEY_PROVINCE="JP"
export KEY_CITY="Tokyo"
export KEY_ORG="heylinux.com"
export KEY_EMAIL="guosuiyu@gmail.com"
export KEY_OU="MyOrganizationalUnit"
...

Source the vars file so the environment variables take effect:
# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys

6. Generate the certificate files
Remove any old certificates:
# ./clean-all

Generate the server-side CA certificate. Because the defaults were set in vars, just press Enter at every prompt:
# ./build-ca
Generating a 1024 bit RSA private key
..............................++++++
.....................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [JP]:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [heylinux.com]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [heylinux.com CA]:
Name [EasyRSA]:
Email Address [guosuiyu@gmail.com]:

Generate the server certificate. Again press Enter through the prompts, and answer y to the [y/n] questions at the end:
# ./build-key-server heylinux.com
Generating a 1024 bit RSA private key
............++++++
................++++++
writing new private key to 'heylinux.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [JP]:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [heylinux.com]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [heylinux.com]:
Name [EasyRSA]:
Email Address [guosuiyu@gmail.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'JP'
localityName          :PRINTABLE:'Tokyo'
organizationName      :PRINTABLE:'heylinux.com'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'heylinux.com'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'guosuiyu@gmail.com'
Certificate is to be certified until Jan 26 09:49:38 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generate the DH parameters file:
# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
................................+.............++*++*++*

Generate the TLS secret key file:
# cd keys
# openvpn --genkey --secret ta.key
# cd ..

Generate the client certificates, for example for the two users eric and rainbow:
# ./build-key eric
Generating a 1024 bit RSA private key
.++++++
..........................................................................++++++
writing new private key to 'eric.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [JP]:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [heylinux.com]:Nginxs.com
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [eric]:
Name [EasyRSA]:
Email Address [guosuiyu@gmail.com]:eric@Nginxs.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'JP'
localityName          :PRINTABLE:'Tokyo'
organizationName      :PRINTABLE:'Nginxs.com'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'eric'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'eric@Nginxs.com'
Certificate is to be certified until Jan 26 09:52:03 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

# ./build-key rainbow
Generating a 1024 bit RSA private key
......................++++++
......................++++++
writing new private key to 'rainbow.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [JP]:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [heylinux.com]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [rainbow]:
Name [EasyRSA]:
Email Address [guosuiyu@gmail.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'JP'
localityName          :PRINTABLE:'Tokyo'
organizationName      :PRINTABLE:'heylinux.com'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'rainbow'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'guosuiyu@gmail.com'
Certificate is to be certified until Jan 26 09:52:49 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

7. Edit the server configuration file:
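Added example (not part of the original post): easy-rsa 2.x records every certificate signed in step 6 in keys/index.txt, the OpenSSL CA database behind the "Data Base Updated" messages above, and this script parses that file to report each certificate as valid, expiring, expired or revoked. The sample lines are constructed to mirror the heylinux.com, eric and rainbow certificates; their serials, the "unknown" filename field and the revocation of rainbow are assumptions, and the column layout is the one OpenSSL's ca command writes.

```python
"""Audit the CA database easy-rsa 2.x keeps in keys/index.txt.
Each build-key / build-key-server run above ends with "Data Base Updated": OpenSSL
appends a tab-separated line: status (V valid, R revoked, E expired), expiry
(YYMMDDHHMMSSZ), revocation date (empty unless revoked), serial, filename, subject DN."""
from datetime import datetime, timezone

# Constructed sample mirroring the certs issued above; serials, the revocation of
# "rainbow" and the "unknown" filename field are assumptions, not from the post.
SAMPLE_INDEX = (
    "V\t250126094938Z\t\t01\tunknown\t/C=JP/ST=JP/L=Tokyo/O=heylinux.com"
    "/OU=MyOrganizationalUnit/CN=heylinux.com/name=EasyRSA/emailAddress=guosuiyu@gmail.com\n"
    "V\t250126095203Z\t\t02\tunknown\t/C=JP/ST=JP/L=Tokyo/O=Nginxs.com"
    "/OU=MyOrganizationalUnit/CN=eric/name=EasyRSA/emailAddress=eric@Nginxs.com\n"
    "R\t250126095249Z\t230301120000Z\t03\tunknown\t/C=JP/ST=JP/L=Tokyo/O=heylinux.com"
    "/OU=MyOrganizationalUnit/CN=rainbow/name=EasyRSA/emailAddress=guosuiyu@gmail.com\n"
)

def parse_ca_time(value):
    """index.txt timestamps are ASN.1 UTCTime: YYMMDDHHMMSSZ, always UTC."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_index(text):
    """Return one dict per issued certificate with status, expiry, serial and CN."""
    entries = []
    for line in filter(None, text.splitlines()):
        status, exp, rev, serial, _fname, dn = line.split("\t", 5)
        # The subject DN is slash-separated; the CN is the name given to build-key.
        cn = next(f[3:] for f in dn.split("/") if f.startswith("CN="))
        entries.append({"status": status, "expires": parse_ca_time(exp),
                        "revoked": bool(rev), "serial": serial, "cn": cn})
    return entries

def audit(entries, now, warn_days=30):
    """Classify each cert as revoked, expired, expiring or valid as of `now`."""
    report = {}
    for e in entries:
        if e["status"] == "R" or e["revoked"]:
            report[e["cn"]] = "revoked"
        elif e["expires"] <= now:
            report[e["cn"]] = "expired"
        elif (e["expires"] - now).days < warn_days:
            report[e["cn"]] = "expiring"
        else:
            report[e["cn"]] = "valid"
    return report

if __name__ == "__main__":
    # Point this at /etc/openvpn/easy-rsa/2.0/keys/index.txt on the real server.
    for cn, state in audit(parse_index(SAMPLE_INDEX), datetime.now(timezone.utc)).items():
        print(f"{cn}: {state}")
```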