======Using the public-key method... (unfinished)======
=====Building certificates for OpenVPN users=====
- OpenVPN ships with scripts (easy-rsa) for building certificates. Copy them into /etc/openvpn:
<code>
#cp -ra /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/ /etc/openvpn
</code>
- Source vars and run clean-all. vars must be sourced with "." so its variables stay in the current shell; clean-all empties the keys directory, so run it once, at the start, never after certificates exist:
<code>
#cd /etc/openvpn/2.0/
#chmod a+x vars whichopensslcnf clean-all
#. ./vars
#./clean-all
</code>
- Build the root (CA) certificate:
<code>
#chmod a+x pkitool build-ca
#./build-ca
</code>
- Build the OpenVPN server certificate:
<code>
#chmod a+x build-key-server
#./build-key-server server
</code>
- Build the OpenVPN client certificate:
<code>
#chmod a+x build-key
#./build-key client
</code>
- Build the Diffie-Hellman parameters with build-dh:
<code>
#chmod a+x build-dh
#./build-dh
</code>
- After the certificates are built they are all placed in the keys directory (/etc/openvpn/2.0/keys here). The path may differ depending on your environment; the configs below reference /etc/openvpn/easy-rsa/2.0/keys.
<code>
#ls -l /etc/openvpn/easy-rsa/2.0/keys
ca.crt       # root (CA) certificate
ca.key       # CA private key
client.crt   # client certificate
client.csr   # client certificate signing request
client.key   # client private key
dh1024.pem   # Diffie-Hellman parameters created by build-dh
server.crt   # OpenVPN server certificate
server.csr   # server certificate signing request
server.key   # OpenVPN server private key
</code>
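The following is an added example, not part of the original page or of easy-rsa: a small POSIX sh script that checks a keys directory before its files are wired into a server or client config. It assumes the easy-rsa 2.0 file names listed above (ca.crt, server.crt, server.key, client.crt, client.key, dh1024.pem) and an openssl binary on PATH; the make_sample_pki function builds a throwaway PKI with plain openssl so the checks can be tried offline.

```shell
#!/bin/sh
# Added example, not part of the original page: check an easy-rsa keys
# directory before the files are referenced from a server or client config.
# Assumes the easy-rsa 2.0 file names used on the page (ca.crt, server.crt,
# server.key, client.crt, client.key, dh1024.pem) and openssl on PATH.

# 0 when certificate $2 chains to the CA certificate $1.
cert_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 when the certificate carries a server marker. build-key-server sets
# nsCertType=server (checked by "ns-cert-type server" on the client) and
# extendedKeyUsage=serverAuth (checked by "remote-cert-tls server");
# build-key sets neither of these.
cert_marked_as_server() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    grep -Eq 'SSL Server|TLS Web Server Authentication'
}

# 0 when the private key is readable by its owner only (mode 0600 or stricter).
key_is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run all checks over one keys directory. Prints each failure; returns 0
# only when everything passes. Usage: check_pki_dir /etc/openvpn/easy-rsa/2.0/keys
check_pki_dir() {
  d=$1; rc=0
  for n in server client; do
    cert_chains_to_ca "$d/ca.crt" "$d/$n.crt" || { echo "$n.crt does not chain to ca.crt"; rc=1; }
    key_is_private "$d/$n.key" || { echo "$n.key is readable by group or others"; rc=1; }
  done
  if [ -f "$d/ca.key" ] && ! key_is_private "$d/ca.key"; then
    echo "ca.key is readable by group or others"; rc=1
  fi
  cert_marked_as_server "$d/server.crt" || { echo "server.crt has no server marker (built with build-key instead of build-key-server?)"; rc=1; }
  if cert_marked_as_server "$d/client.crt"; then echo "client.crt is marked as a server certificate"; rc=1; fi
  [ -s "$d/dh1024.pem" ] || { echo "dh1024.pem is missing or empty"; rc=1; }
  return $rc
}

# Constructed throwaway PKI for trying the checks offline (plain openssl, not
# easy-rsa output, but the same file names and server markers). Prints the directory.
make_sample_pki() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=sampleCA \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  printf 'nsCertType = server\nextendedKeyUsage = serverAuth\n' > "$d/server.ext"
  for n in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    if [ "$n" = server ]; then ext="-extfile $d/server.ext"; else ext=""; fi
    openssl x509 -req -in "$d/$n.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
      -CAcreateserial -days 2 $ext -out "$d/$n.crt" 2>/dev/null
  done
  echo "placeholder, generate the real file with build-dh" > "$d/dh1024.pem"
  chmod 600 "$d"/*.key
  echo "$d"
}
```

Run it as `check_pki_dir /etc/openvpn/easy-rsa/2.0/keys` (adjust the path to wherever your keys landed). The server-marker check only matters if the client config asks for it: the client configs on this page carry no `ns-cert-type server` or `remote-cert-tls server` line, and adding one is what makes a client refuse a peer that presents a client certificate in place of the server's.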
=====Basic OpenVPN server and client using the public-key method=====
====OpenVPN server config====
<code>
#cd /etc/openvpn/
#vim server2.conf
</code>
<code>
dev tun
proto udp
local 192.168.50.254
push "route 192.168.200.0 255.255.255.0"
push "redirect-gateway def1"
server 10.10.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
keepalive 10 60
comp-lzo
daemon
log /var/log/openvpn.log
status /var/log/openvpn-status.log
</code>
====OpenVPN client config====
<code>
client
dev tun
proto udp
remote 192.168.50.254
resolv-retry infinite
nobind
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client.crt
key /etc/openvpn/keys/client.key
keepalive 10 60
comp-lzo
verb 3
</code>
=====Assigning a different IP to each user (ccd method), public-key based=====
====OpenVPN server config====
Create the client-config directory and one file per client. The file name must be the Common Name (CN) of that client's certificate (openvpn-client here); with ccd-exclusive, a client whose CN has no file in this directory is refused.
<code>
#mkdir -p /etc/openvpn/ccd
#vim /etc/openvpn/ccd/openvpn-client
</code>
Contents of /etc/openvpn/ccd/openvpn-client (in the default net30 topology the two pushed addresses must form a valid /30 pair, and the server config must carry a route for the subnet they come from):
<code>
ifconfig-push 10.100.1.5 10.100.1.6
push "route 192.168.200.0 255.255.255.0"
</code>
Server config:
<code>
mode server
tls-server
dev tun
proto udp
local 192.168.50.254
server 10.100.0.0 255.255.255.0
route 10.100.1.0 255.255.255.0
push "redirect-gateway def1"
client-config-dir /etc/openvpn/ccd
ccd-exclusive
ifconfig-pool-persist /etc/openvpn/ipp.txt
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
keepalive 10 60
comp-lzo
daemon
log /var/log/openvpn.log
status /var/log/openvpn-status.log
</code>
**The OpenVPN client config is the same as in the basic public-key setup**
=====Using this method for multiple machines on the client side with a routed VPN=====
====OpenVPN server config====
The iroute line in the ccd file tells OpenVPN which subnet (10.100.2.0/24) sits behind the client whose certificate CN is openvpn-client2; the matching route line in the server config adds the kernel route on the server, and both are needed.
<code>
#mkdir /etc/openvpn/ccd
#vim /etc/openvpn/ccd/openvpn-client2
</code>
Contents of /etc/openvpn/ccd/openvpn-client2:
<code>
iroute 10.100.2.0 255.255.255.0
push "route 192.168.200.0 255.255.255.0"
</code>
Server config:
<code>
mode server
tls-server
dev tun
proto udp
local 192.168.50.254
server 10.100.0.0 255.255.255.0
route 10.100.2.0 255.255.255.0
push "redirect-gateway def1"
client-config-dir /etc/openvpn/ccd
ccd-exclusive
ifconfig-pool-persist /etc/openvpn/ipp.txt
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
keepalive 10 60
comp-lzo
daemon
log /var/log/openvpn.log
status /var/log/openvpn-status.log
</code>
====OpenVPN client2 config====
<code>
client
dev tun
proto udp
remote 192.168.50.254
resolv-retry infinite
nobind
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/openvpn-client2.crt
key /etc/openvpn/keys/openvpn-client2.key
keepalive 10 60
comp-lzo
verb 3
</code>
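The following is an added example, not part of the original page or of OpenVPN: a POSIX sh script that checks the ccd files from the two ccd sections above (the ifconfig-push one and the iroute one) against the server config before the daemon is restarted. It assumes the default net30 topology of OpenVPN 2.2, so every ifconfig-push pair must be a valid /30, and that each pushed address or iroute network is covered by a route line in the server config, as the page's examples do. The make_sample function writes a constructed server config and three ccd files, one of them deliberately broken, into a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the original page: sanity-check OpenVPN ccd files
# against the server config before restarting the daemon. Assumptions: the
# default net30 topology of OpenVPN 2.2 (so ifconfig-push needs a valid /30
# pair), and that every pushed address or iroute network is covered by a
# "route" line in the server config, as in the page's ccd examples.
# POSIX sh plus awk only.

# Dotted quad to integer and back (subshell body keeps the IFS change local).
ip2int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# A valid net30 pair: both ends in the same /30, one at offset 1 and the other
# at offset 2 (.1/.2, .5/.6, .9/.10 ...). Offsets 0 and 3 are the /30's
# network and broadcast slots and must not be handed out.
net30_pair_ok() {
  l=$(ip2int "$1"); r=$(ip2int "$2")
  [ $(( l / 4 )) -eq $(( r / 4 )) ] || return 1
  case "$(( l % 4 ))$(( r % 4 ))" in
    12|21) return 0 ;;
    *) return 1 ;;
  esac
}

# 0 when the server config $1 has exactly "route $2 $3".
route_present() {
  awk -v n="$2" -v m="$3" '$1 == "route" && $2 == n && $3 == m { f = 1 } END { exit !f }' "$1"
}

# 0 when some "route NETWORK NETMASK" line in the server config $1 contains address $2.
route_covers() {
  ip=$(ip2int "$2")
  awk '$1 == "route" { print $2, $3 }' "$1" | {
    while read -r net mask; do
      [ $(( ip & $(ip2int "$mask") )) -eq "$(ip2int "$net")" ] && exit 0
    done
    exit 1
  }
}

# Check one ccd file against the server config. Prints every problem found;
# returns 0 only when clean. The file name must equal the CN of the client's
# certificate; with ccd-exclusive a client whose CN has no file is refused.
check_ccd() {
  conf=$1; f=$2; rc=0; name=$(basename "$f")
  while read -r key a b rest; do
    case $key in
      ifconfig-push)
        net30_pair_ok "$a" "$b" || { echo "$name: ifconfig-push $a $b is not a valid /30 pair (net30)"; rc=1; }
        route_covers "$conf" "$a" || { echo "$name: no 'route' line in the server config covers $a"; rc=1; }
        ;;
      iroute)
        route_present "$conf" "$a" "$b" || { echo "$name: iroute $a $b has no matching 'route' line"; rc=1; }
        ;;
    esac
  done < "$f"
  return $rc
}

# Check every file in a ccd directory. Usage: check_all_ccd /etc/openvpn/server.conf /etc/openvpn/ccd
check_all_ccd() {
  bad=0
  for f in "$2"/*; do
    [ -f "$f" ] || continue
    check_ccd "$1" "$f" || bad=$(( bad + 1 ))
  done
  [ "$bad" -eq 0 ]
}

# Constructed sample mirroring the page's two ccd sections, written to a temp
# dir (path printed). openvpn-client3 is deliberately broken: .5/.7 is not a
# /30 pair and 10.100.3.0/24 has no route line.
make_sample() {
  d=$(mktemp -d)
  mkdir "$d/ccd"
  printf 'server 10.100.0.0 255.255.255.0\nroute 10.100.1.0 255.255.255.0\nroute 10.100.2.0 255.255.255.0\nclient-config-dir %s/ccd\nccd-exclusive\n' "$d" > "$d/server.conf"
  printf 'ifconfig-push 10.100.1.5 10.100.1.6\npush "route 192.168.200.0 255.255.255.0"\n' > "$d/ccd/openvpn-client"
  printf 'iroute 10.100.2.0 255.255.255.0\n' > "$d/ccd/openvpn-client2"
  printf 'ifconfig-push 10.100.3.5 10.100.3.7\n' > "$d/ccd/openvpn-client3"
  echo "$d"
}
```

Against a real deployment, run `check_all_ccd` with the server config path and /etc/openvpn/ccd; a non-zero exit plus the printed lines tells you which client would get a broken address or an unreachable subnet. Because ccd-exclusive refuses any client whose CN has no file, the file names themselves are worth comparing with the CNs in the certificates you issued (openvpn-client and openvpn-client2 on this page), which this script cannot see.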
======References======
- [[http://openvpn.net/index.php/open-source/documentation/howto.html#policy|Configuring client-specific rules and access policies - OpenVPN HOWTO]]
- [[http://blog.nuface.tw/?p=1347|OpenVPN setup notes (part 7) - Nuface blog]]