Using the public-key method ... (unfinished)

Creating certificates for users for OpenVPN

  1. OpenVPN already ships scripts (easy-rsa) for building certificates; copy them to /etc/openvpn
    #cp -ra /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/ /etc/openvpn
  2. Source vars and run clean-all (vars only exports environment variables, so it has to be sourced into the current shell rather than executed)
    #cd /etc/openvpn/2.0/
    #chmod a+x vars whichopensslcnf clean-all
    #. ./vars
    #./clean-all
  3. Build the root certificate (CA)
    #chmod a+x pkitool build-ca
    #./build-ca
  4. Build the OpenVPN server certificate
    #chmod a+x build-key-server
    #./build-key-server server
  5. Build the OpenVPN client certificate
    #chmod a+x build-key
    #./build-key client
  6. Run build-dh (generates the Diffie-Hellman parameters)
    #chmod a+x build-dh
    #./build-dh
  7. Once built, all certificates are placed in /etc/openvpn/2.0/keys. The directory holding the certificates may differ depending on the environment.
    #ls -l /etc/openvpn/easy-rsa/2.0/keys
    ca.crt     ### root (CA) certificate
    ca.key     ### CA private key (only used for signing; none of the configs below reference it)
    client.crt ## client certificate
    client.csr
    client.key ## client private key
    dh1024.pem ## generated by build-dh
    server.crt ## OpenVPN server certificate
    server.csr
    server.key ## OpenVPN server private key

Basic OpenVPN server and OpenVPN client using the public-key method

OpenVPN server configuration file

#cd /etc/openvpn/
#vim server2.conf
dev tun
proto udp
# Address the server listens on
local 192.168.50.254

# LAN behind the server, pushed to every client
push "route 192.168.200.0 255.255.255.0"
# Send all client traffic through the VPN
push "redirect-gateway def1"
# VPN address pool handed out to clients
server 10.10.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt

ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem

keepalive 10 60
comp-lzo
daemon

log /var/log/openvpn.log
status /var/log/openvpn-status.log

OpenVPN client configuration file

client
dev tun
proto udp
remote  192.168.50.254

resolv-retry infinite
nobind
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client.crt
key /etc/openvpn/keys/client.key

keepalive 10 60
comp-lzo
verb 3

Assigning a different IP to each user (using ccd), on top of the public-key setup

OpenVPN server configuration file

#mkdir -p /etc/openvpn/ccd
Create a ccd file named after the client certificate's Common Name (here openvpn-client):
#vim /etc/openvpn/ccd/openvpn-client
ifconfig-push 10.100.1.5 10.100.1.6
push "route 192.168.200.0 255.255.255.0"

Server configuration file:
mode server
tls-server
dev tun
proto udp
local 192.168.50.254

server 10.100.0.0 255.255.255.0
# Kernel route into the tunnel for the addresses handed out with ifconfig-push above
route  10.100.1.0 255.255.255.0

push "redirect-gateway def1"

client-config-dir /etc/openvpn/ccd
ccd-exclusive

ifconfig-pool-persist /etc/openvpn/ipp.txt

ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem

keepalive 10 60
comp-lzo
daemon

log /var/log/openvpn.log
status /var/log/openvpn-status.log

The OpenVPN client configuration is the same as in the basic public-key setup.

Using this method to support multiple machines on the client side when using a routed VPN

OpenVPN server configuration file

#mkdir /etc/openvpn/ccd
Create a ccd file named after the client certificate's Common Name (here openvpn-client2):
#vim /etc/openvpn/ccd/openvpn-client2
iroute 10.100.2.0 255.255.255.0
push "route 192.168.200.0 255.255.255.0"

Server configuration file:
mode server
tls-server
dev tun
proto udp
local 192.168.50.254

server 10.100.0.0 255.255.255.0
# route adds the kernel route into the tunnel; the iroute in the ccd file tells OpenVPN's
# internal routing which client the 10.100.2.0/24 network sits behind. Both are required.
route  10.100.2.0 255.255.255.0
push "redirect-gateway def1"

client-config-dir /etc/openvpn/ccd
ccd-exclusive
ifconfig-pool-persist /etc/openvpn/ipp.txt

ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem

keepalive 10 60
comp-lzo
daemon

log /var/log/openvpn.log
status /var/log/openvpn-status.log

openvpn-client2 client configuration file

client
dev tun
proto udp
remote  192.168.50.254
resolv-retry infinite
nobind
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/openvpn-client2.crt
key /etc/openvpn/keys/openvpn-client2.key
keepalive 10 60
comp-lzo
verb 3
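As an added consistency check, not part of the original page, the Python below lints the two ccd setups above: it confirms that every iroute in a ccd file has a matching route in the server configuration, that each ifconfig-push pair is a valid /30 pair under the default net30 topology (the configs above do not set topology, so the default is assumed), and that the server configuration holds exactly one server directive. The configuration text embedded in it is constructed to mirror the values used on this page.

```python
import ipaddress

def parse_directives(text):
    """Return [(directive, [args])] from OpenVPN config text; '#' and ';' start comments."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.replace('"', "").split()
            out.append((parts[0], parts[1:]))
    return out

def net30_pair(local, remote):
    """True if local/remote are the two usable hosts of one /30 (default net30 topology)."""
    block = ipaddress.ip_network(f"{local}/30", strict=False)
    return {ipaddress.ip_address(local), ipaddress.ip_address(remote)} == set(block.hosts())

def check_ccd(server_conf, ccd_files):
    """Return the problems found; an empty list means server config and ccd files agree."""
    problems = []
    server = parse_directives(server_conf)
    if sum(d == "server" for d, _ in server) != 1:
        problems.append("server.conf: expected exactly one 'server' directive")
    # Networks the server's kernel routes into the tunnel: the VPN subnet plus every 'route'.
    routed = [ipaddress.ip_network(f"{a[0]}/{a[1]}", strict=False)
              for d, a in server if d in ("server", "route") and len(a) >= 2]
    for name, text in ccd_files.items():
        for d, a in parse_directives(text):
            if d == "iroute" and len(a) >= 2:
                net = ipaddress.ip_network(f"{a[0]}/{a[1]}", strict=False)
                if not any(net.subnet_of(r) for r in routed):
                    problems.append(f"ccd/{name}: iroute {net} has no matching 'route' in server.conf")
            elif d == "ifconfig-push" and len(a) >= 2:
                if not net30_pair(a[0], a[1]):
                    problems.append(f"ccd/{name}: ifconfig-push {a[0]} {a[1]} is not a valid /30 pair")
                if not any(ipaddress.ip_address(a[0]) in r for r in routed):
                    problems.append(f"ccd/{name}: ifconfig-push {a[0]} lies outside every routed network")
    return problems

# Constructed sample mirroring the two ccd setups above (one host, one LAN behind a client).
SERVER_CONF = """
server 10.100.0.0 255.255.255.0
route 10.100.1.0 255.255.255.0
route 10.100.2.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
"""
CCD = {
    "openvpn-client": 'ifconfig-push 10.100.1.5 10.100.1.6\npush "route 192.168.200.0 255.255.255.0"\n',
    "openvpn-client2": "iroute 10.100.2.0 255.255.255.0\n",
}
```

Calling check_ccd(SERVER_CONF, CCD) returns an empty list for the sample; dropping a route line or mistyping an ifconfig-push pair makes the corresponding problem appear.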

References