Monday, May 14, 2007

Finally got openvpn working too

Finally got openvpn working too. Given how many resources are out there and how comparatively easy the setup is, it is embarrassing that it still took me this long.

Install Notes.

Server:
1. Install lzo
2. Install openvpn
3. Copy the sample configs
cp -r /usr/share/doc/openvpn-2.0.2/easy-rsa/ /etc/openvpn/
cp /usr/share/doc/openvpn-2.0.2/sample-config-files/server.conf /etc/openvpn/

4. Set up the CA environment (on Windows, vars is vars.bat)
cd /etc/openvpn/easy-rsa/
export KEY_COUNTRY=TW
export KEY_PROVINCE=Taiwan
export KEY_CITY=Taipei
export KEY_ORG="PersonalVPN"
export KEY_EMAIL="jerry@google.xx"
. ./vars
./clean-all

5. Build the root CA
./build-ca
Generating a 1024 bit RSA private key
......++++++
................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [Taiwan]:
Locality Name (eg, city) [Taipei]:
Organization Name (eg, company) [PersonalVPN]:
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:CA
Email Address [njerry@google.xx]:

6. Build the server key and crt
./build-key-server ovpnsrv1
Generating a 1024 bit RSA private key
............................++++++
....++++++
writing new private key to 'ovpnsrv1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [Taiwan]:
Locality Name (eg, city) [Taipei]:
Organization Name (eg, company) [PersonalVPN]:
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:ovpnsrv1
Email Address [jerry@google.xx]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'TW'
stateOrProvinceName :PRINTABLE:'Taiwan'
localityName :PRINTABLE:'Taipei'
organizationName :PRINTABLE:'PersonalVPN'
organizationalUnitName:PRINTABLE:'test'
commonName :PRINTABLE:'ovpnsrv1'
emailAddress :IA5STRING:'jerry@google.xx'
Certificate is to be certified until Sep 7 20:36:58 2015 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

7. Build the Diffie-Hellman parameters
./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..................................+............................................
..+............................................................................
...................+....................................+......................

8. Install the CA files the server needs
cp keys/ca.crt ../
cp keys/dh1024.pem ../
cp keys/ovpnsrv1.crt ../
cp keys/ovpnsrv1.key ../

9. Edit the server config file
cd ../
vi server.conf
dev tap
;dev tun
ca ca.crt
cert ovpnsrv1.crt
key ovpnsrv1.key # This file should be kept secret

10. Start the server
service openvpn restart
chkconfig openvpn on
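A post-install check for the server.conf edited in step 9, added here as an example (it is not from the original post or the OpenVPN project): it parses the OpenVPN config syntax, confirms the four easy-rsa files the config names actually exist, flags a private key that is readable by group or other, and lists hardening directives that are absent. The sample config and the placeholder files are constructed; tls-auth and user are real OpenVPN 2.x options, and that the stock server.conf ships them commented out is an assumption.

```python
import os
import stat
import tempfile

PKI_DIRECTIVES = ("ca", "cert", "key", "dh")   # files produced by easy-rsa in steps 5-8
# Real OpenVPN 2.x options; that the sample server.conf ships them commented out is an assumption.
HARDENING = {
    "tls-auth": "no HMAC firewall; unauthenticated packets reach the TLS code",
    "user": "daemon keeps root after init (add 'user nobody' and 'group nobody')",
}
# Constructed copy of the step-9 lines; 'dh dh1024.pem' is assumed to be the sample's default.
SAMPLE_CONF = ("dev tap\n;dev tun\nca ca.crt\ncert ovpnsrv1.crt\n"
               "key ovpnsrv1.key # This file should be kept secret\ndh dh1024.pem\n")

def parse_conf(text):
    """Map directive -> args; ';' and '#' start comments (also trailing); last occurrence wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        for marker in ("#", ";"):
            line = line.split(marker, 1)[0].rstrip()
        parts = line.split()
        conf[parts[0]] = parts[1:]
    return conf

def check_server_conf(text, base_dir):
    """Return findings as strings; an empty list means every check passed."""
    conf, findings = parse_conf(text), []
    for d in PKI_DIRECTIVES:
        if not conf.get(d):
            findings.append(f"missing '{d}' directive")
            continue
        path = os.path.join(base_dir, conf[d][0])   # paths are relative to the cd'd /etc/openvpn
        if not os.path.isfile(path):
            findings.append(f"'{d}' points at {path}, which does not exist")
        elif d == "key" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append(f"private key {path} is group/world readable; chmod 600 it")
    findings += [f"missing '{d}': {why}" for d, why in HARDENING.items() if d not in conf]
    return findings

def demo_findings(key_mode):
    """Lint SAMPLE_CONF against a throwaway directory holding empty placeholder files."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("ca.crt", "ovpnsrv1.crt", "ovpnsrv1.key", "dh1024.pem"):
            open(os.path.join(d, name), "w").close()
        os.chmod(os.path.join(d, "ovpnsrv1.key"), key_mode)
        return check_server_conf(SAMPLE_CONF, d)
```

Run it against the real /etc/openvpn with `check_server_conf(open("/etc/openvpn/server.conf").read(), "/etc/openvpn")` once the key file has been copied into place.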



Client
Going to try whether pre-built keys can simplify the install; to be continued.


References
http://www.study-area.org/tips/openvpn.html
