linux:vpn:openvpn2
目錄表
使用公開金鑰方式...未完成
為使用者建立憑證For Openvpn
- Openvpn已有一些腳本可以建立憑證,把腳本複製到/etc/openvpn
#cp -ra /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/ /etc/openvpn
- 執行vars及clean-all
#cd /etc/openvpn/2.0/ #chmod a+x vars whichopensslcnf clean-all #./vars
- 建立跟憑證
#chmod a+x pkitool build-ca #./build-ca
- 建立Openvpn server憑證
#chmod a+x build-key-server #./build-key-server server
- 建立Openvpn Client憑證
#chmod a+x build-key #./build-key client
- 建立build-dh
#chmod a+x build-dh #./build-dh
- 憑證建立後,都會放置在(/etc/openvpn/2.0/keys)。存放憑證路徑可能依作業環境而有所不同。
#ls -l /etc/openvpneasy-rsa/2.0/keys ca.crt ###根憑證 ca.key ###根的私鑰 client.crt ##client 憑證 client.csr client.key ##client 私鑰 dh1024.pem ##以build-dh建立的 server.crt ##openvpn Server憑證 server.csr server.key ##openvpn Server私鑰
基本Openvpn Server及openvpn-client以公開金鑰方式
openvpn-server端設定檔
#cd /etc/openvpn/ #vim server2.conf dev tun proto udp local 192.168.50.254 push "route 192.168.200.0 255.255.255.0" push "redirect-gateway def1" server 10.10.0.0 255.255.255.0 ifconfig-pool-persist /etc/openvpn/ipp.txt ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt cert /etc/openvpn/easy-rsa/2.0/keys/server.crt key /etc/openvpn/easy-rsa/2.0/keys/server.key dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem keepalive 10 60 comp-lzo daemon log /var/log/openvpn.log status /var/log/openvpn-status.log
openvpn-client端設定檔
client dev tun proto udp remote 192.168.50.254 resolv-retry infinite nobind ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/client.crt key /etc/openvpn/keys/client.key keepalive 10 60 comp-lzo verb 3
分發給不同使用者不同IP(用ccd方式)以公開金鑰為基礎
Openvpn-server端設定檔
#mkdir -p /etc/openvpn/ccd #vim openvpn-client ifconfig-push 10.100.1.5 10.100.1.6 push "route 192.168.200.0 255.255.255.0"
mode server tls-server dev tun proto udp local 192.168.50.254 server 10.100.0.0 255.255.255.0 route 10.100.1.0 255.255.255.0 push "redirect-gateway def1" client-config-dir /etc/openvpn/ccd ccd-exclusive server 10.10.0.0 255.255.255.0 ifconfig-pool-persist /etc/openvpn/ipp.txt ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt cert /etc/openvpn/easy-rsa/2.0/keys/server.crt key /etc/openvpn/easy-rsa/2.0/keys/server.key dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem keepalive 10 60 comp-lzo daemon log /var/log/openvpn.log status /var/log/openvpn-status.log
Openvpn-client端設定與基本型公開金鑰方式依樣
以此種方式multiple machines on the client side when using a routed VPN
Openvpn-server端設定檔
#mkdir /etc/openvpn/ccd #vim openvpn-client2 iroute 10.100.2.0 255.255.255.0 push "route 192.168.200.0 255.255.255.0"
mode server tls-server dev tun proto udp local 192.168.50.254 server 10.100.0.0 255.255.255.0 route 10.100.2.0 255.255.255.0 push "redirect-gateway def1" client-config-dir /etc/openvpn/ccd ccd-exclusive ifconfig-pool-persist /etc/openvpn/ipp.txt ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt cert /etc/openvpn/easy-rsa/2.0/keys/server.crt key /etc/openvpn/easy-rsa/2.0/keys/server.key dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem keepalive 10 60 comp-lzo daemon log /var/log/openvpn.log status /var/log/openvpn-status.log
Openvpn-client2端設定檔
client dev tun proto udp remote 192.168.50.254 resolv-retry infinite nobind ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/openvpn-client2.crt key /etc/openvpn/keys/openvpn-client2.key keepalive 10 60 comp-lzo verb 3
參考資料
linux/vpn/openvpn2.txt · 上一次變更: 2013/07/06 01:28 (外部編輯)
若無特別註明,本 wiki 上的內容都是採用以下授權方式: CC Attribution-Share Alike 3.0 Unported
