阿里BaBa電腦筆記
====== Using the public key method... (incomplete) ======

===== Creating certificates for users for OpenVPN =====

  - OpenVPN ships with scripts for creating certificates (easy-rsa); copy the scripts to /etc/openvpn<code>
#cp -ra /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/ /etc/openvpn
</code>
  - Load vars into the current shell and run clean-all<code>
#cd /etc/openvpn/2.0/
#chmod a+x vars whichopensslcnf clean-all
#source ./vars
#./clean-all
</code>
  - Create the root (CA) certificate<code>
#chmod a+x pkitool build-ca
#./build-ca
</code>
  - Create the OpenVPN server certificate<code>
#chmod a+x build-key-server
#./build-key-server server
</code>
  - Create the OpenVPN client certificate<code>
#chmod a+x build-key
#./build-key client
</code>
  - Create the Diffie-Hellman parameters with build-dh<code>
#chmod a+x build-dh
#./build-dh
</code>
  - Once created, the certificates are placed in the keys directory (/etc/openvpn/2.0/keys). The exact path may differ depending on your environment.<code>
#ls -l /etc/openvpn/easy-rsa/2.0/keys
ca.crt       ### root (CA) certificate
ca.key       ### CA private key
client.crt   ## client certificate
client.csr
client.key   ## client private key
dh1024.pem   ## generated by build-dh
server.crt   ## OpenVPN server certificate
server.csr
server.key   ## OpenVPN server private key
</code>

===== Basic OpenVPN server and OpenVPN client using the public key method =====

==== OpenVPN server configuration file ====
<code>
#cd /etc/openvpn/
#vim server2.conf
dev tun
proto udp
local 192.168.50.254
push "route 192.168.200.0 255.255.255.0"
push "redirect-gateway def1"
server 10.10.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
keepalive 10 60
comp-lzo
daemon
log /var/log/openvpn.log
status /var/log/openvpn-status.log
</code>

==== OpenVPN client configuration file ====
<code>
client
dev tun
proto udp
remote 192.168.50.254
resolv-retry infinite
nobind
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client.crt
key /etc/openvpn/keys/client.key
keepalive 10 60
comp-lzo
verb 3
</code>

===== Assigning different IPs to different users (ccd method), based on public keys =====

==== OpenVPN server configuration file ====
Per-client settings live in one file per client under the client-config-dir; the file name is the Common Name of that client's certificate.
<code>
#mkdir -p /etc/openvpn/ccd
#vim /etc/openvpn/ccd/openvpn-client
ifconfig-push 10.100.1.5 10.100.1.6
push "route 192.168.200.0 255.255.255.0"
</code>
<code>
mode server
tls-server
dev tun
proto udp
local 192.168.50.254
server 10.100.0.0 255.255.255.0
route 10.100.1.0 255.255.255.0
push "redirect-gateway def1"
client-config-dir /etc/openvpn/ccd
ccd-exclusive
ifconfig-pool-persist /etc/openvpn/ipp.txt
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
keepalive 10 60
comp-lzo
daemon
log /var/log/openvpn.log
status /var/log/openvpn-status.log
</code>
**The OpenVPN client configuration is the same as in the basic public key method.**

===== Using this method for multiple machines on the client side when using a routed VPN =====

==== OpenVPN server configuration file ====
<code>
#mkdir /etc/openvpn/ccd
#vim /etc/openvpn/ccd/openvpn-client2
iroute 10.100.2.0 255.255.255.0
push "route 192.168.200.0 255.255.255.0"
</code>
<code>
mode server
tls-server
dev tun
proto udp
local 192.168.50.254
server 10.100.0.0 255.255.255.0
route 10.100.2.0 255.255.255.0
push "redirect-gateway def1"
client-config-dir /etc/openvpn/ccd
ccd-exclusive
ifconfig-pool-persist /etc/openvpn/ipp.txt
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
keepalive 10 60
comp-lzo
daemon
log /var/log/openvpn.log
status /var/log/openvpn-status.log
</code>

==== OpenVPN client2 configuration file ====
<code>
client
dev tun
proto udp
remote 192.168.50.254
resolv-retry infinite
nobind
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/openvpn-client2.crt
key /etc/openvpn/keys/openvpn-client2.key
keepalive 10 60
comp-lzo
verb 3
</code>

====== References ======

  - [[http://openvpn.net/index.php/open-source/documentation/howto.html#policy|Configuring client-specific rules and access policies - OpenVPN HOWTO]]
  - [[http://blog.nuface.tw/?p=1347|OpenVPN build notes (part 7) - Nuface blog]]
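The two ccd sections above depend on three things lining up that OpenVPN does not check for you in a single place: the server must actually read the client-config-dir you edited, every ifconfig-push under the default tun "net30" topology must use a /30 endpoint pair (last octets 1/2, 5/6, 9/10, ...), and every iroute in a ccd file needs a matching route in the server config, otherwise the kernel never forwards traffic for that subnet into the tunnel. The script below is an added example written for this page, not code from the wiki or from the OpenVPN project. It builds a constructed sample under a temporary directory (the paths, the server.conf content and the "broken-client" entry are assumptions made up for the example, not files from the page) and runs those consistency checks over it; point check_ccd at a real server.conf and ccd directory to audit your own setup.

```shell
#!/bin/sh
# Added example: consistency checks for an OpenVPN client-config-dir (ccd).
# Sample files are constructed in a temp dir; nothing here touches /etc/openvpn.

# Escape dots so an address or path can be used inside a basic regex.
re_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }

# valid_net30_pair CLIENT_IP SERVER_IP
# Returns 0 when the two addresses form a /30 pair as required by ifconfig-push
# under the default tun net30 topology: same first three octets, client last
# octet of the form 4k+1, server last octet exactly one higher.
valid_net30_pair() {
    a_prefix=${1%.*}; a_last=${1##*.}
    b_prefix=${2%.*}; b_last=${2##*.}
    [ "$a_prefix" = "$b_prefix" ] || return 1
    [ $((a_last % 4)) -eq 1 ] || return 1
    [ "$b_last" -eq $((a_last + 1)) ] || return 1
    return 0
}

# check_ccd SERVER_CONF CCD_DIR
# Prints one line per problem and returns the number of problems found (0 = consistent).
check_ccd() {
    conf=$1; ccd=$2; problems=0
    # 1. The server must reference exactly this directory, or the files are never read.
    if ! grep -q "^client-config-dir[[:space:]][[:space:]]*$(re_escape "$ccd")[[:space:]]*$" "$conf"; then
        echo "server config does not reference client-config-dir $ccd"
        problems=$((problems + 1))
    fi
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}   # must equal the client certificate's Common Name
        while read -r kw a b; do
            case "$kw" in
            ifconfig-push)
                # 2. Static addresses must be a legal /30 endpoint pair.
                if ! valid_net30_pair "$a" "$b"; then
                    echo "$name: ifconfig-push $a $b is not a valid net30 pair"
                    problems=$((problems + 1))
                fi ;;
            iroute)
                # 3. Each iroute needs a kernel route on the server for the same subnet.
                if ! grep -q "^route[[:space:]][[:space:]]*$(re_escape "$a")[[:space:]][[:space:]]*$(re_escape "$b")[[:space:]]*$" "$conf"; then
                    echo "$name: iroute $a $b has no matching 'route $a $b' in $conf"
                    problems=$((problems + 1))
                fi ;;
            esac
        done < "$f"
    done
    return $problems
}

# setup_sample: write a constructed server.conf plus three ccd files and print the dir.
setup_sample() {
    dir=$(mktemp -d)
    mkdir "$dir/ccd"
    cat > "$dir/server.conf" <<EOF
mode server
tls-server
dev tun
proto udp
server 10.100.0.0 255.255.255.0
route 10.100.1.0 255.255.255.0
route 10.100.2.0 255.255.255.0
client-config-dir $dir/ccd
ccd-exclusive
EOF
    # The two entries from the page (correct), plus one constructed broken entry:
    # an invalid /30 pair and an iroute for a subnet the server never routes.
    printf 'ifconfig-push 10.100.1.5 10.100.1.6\npush "route 192.168.200.0 255.255.255.0"\n' > "$dir/ccd/openvpn-client"
    printf 'iroute 10.100.2.0 255.255.255.0\n' > "$dir/ccd/openvpn-client2"
    printf 'ifconfig-push 10.100.1.4 10.100.1.5\niroute 10.100.3.0 255.255.255.0\n' > "$dir/ccd/broken-client"
    echo "$dir"
}

sample=$(setup_sample)
check_ccd "$sample/server.conf" "$sample/ccd" && echo "ccd consistent" || echo "problems found (listed above)"
rm -rf "$sample"
```

With ccd-exclusive set, as in the page's server configs, a client whose Common Name has no file in the directory is refused outright, so the name check in the comment above is the first thing to verify when a freshly issued certificate cannot connect.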
linux/vpn/openvpn2.txt · Last modified: 2013/07/06 01:28 (external edit)