
OpenVPN - Firewall - Installation and Configuration Document V4

Author: 高考题库网
Source: https://www.bjmy2z.cn/gaokao
2021-01-20 10:15

Published January 20, 2021 (author: 体裁)
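Server-side installation and configuration

1) By default the system does not have openvpn installed. If the machine can reach the network, it is easy to install online.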

root@ubuntuOracle:~# apt-get install openvpn
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
openvpn-blacklist
Suggested packages:
resolvconf
The following NEW packages will be installed:
openvpn openvpn-blacklist
0 upgraded, 2 newly installed, 0 to remove and 46 not upgraded.
Need to get 1440kB of archives.
After this operation, 3228kB of additional disk space will be used.
Do you want to continue [Y/n]?Y


2) Copy the relevant openvpn configuration files into the /etc/openvpn directory

root@ubuntuOracle:/etc# cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn
root@ubuntuOracle:/etc# cp -r /usr/share/doc/openvpn/examples/sample-config-files/ /etc/openvpn


3) Edit the parameters used for key generation

root@ubuntuOracle:/etc/openvpn# cd 2.0
root@ubuntuOracle:/etc/openvpn/2.0# vi vars
export KEY_COUNTRY=
export KEY_PROVINCE=
export KEY_CITY=
export KEY_ORG=
export KEY_EMAIL=vpn@


4) Source the configuration file so that it takes effect

root@ubuntuOracle:/etc/openvpn/2.0# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/2.0/keys
Check that the configured parameters have taken effect

root@ubuntuOracle:/etc/openvpn/2.0# env|grep KEY
KEY_EXPIRE=3650
KEY_EMAIL=vpn@
KEY_SIZE=1024
KEY_DIR=/etc/openvpn/2.0/keys
KEY_CITY=QZ
KEY_PROVINCE=FJ
KEY_ORG=SHI_JI_ZHI_CUN_VPN
KEY_CONFIG=/etc/openvpn/2.0/
KEY_COUNTRY=CN


5) Clear the key files under the keys directory to initialize it

root@ubuntuOracle:/etc/openvpn/2.0# ./clean-all


6) Create the CA files

root@ubuntuOracle:/etc/openvpn/2.0# ./build-ca
Generating a 1024 bit RSA private key
.++++++
................++++++
writing new private key to ''
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:    -- press Enter to accept the default
State or Province Name (full name) [FJ]:    -- press Enter to accept the default
Locality Name (eg, city) [QZ]:    -- press Enter to accept the default
Organization Name (eg, company) [SHI_JI_ZHI_CUN_VPN]:    -- press Enter to accept the default
Organizational Unit Name (eg, section) []:VPN    -- enter VPN
Common Name (eg, your name or your server's hostname) [SHI_JI_ZHI_CUN_VPN]:server
Email Address [vpn@]:    -- press Enter to accept the default

7) Confirm the generated CA files

root@ubuntuOracle:/etc/openvpn/2.0# ls keys/
serial

8) Generate the server key

root@ubuntuOracle:/etc/openvpn/2.0# ./build-key-server server
Generating a 1024 bit RSA private key
.............++++++
........++++++
writing new private key to ''
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:    -- press Enter to accept the default
State or Province Name (full name) [FJ]:    -- press Enter to accept the default
Locality Name (eg, city) [QZ]:    -- press Enter to accept the default
Organization Name (eg, company) [SHI_JI_ZHI_CUN_VPN]:    -- press Enter to accept the default
Organizational Unit Name (eg, section) []:VPN    -- enter VPN
Common Name (eg, your name or your server's hostname) [server]:    -- enter server
Email Address [vpn@]:    -- press Enter to accept the default

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456    -- enter the challenge password; it is the same one used on the client side later
An optional company name []:    -- press Enter to accept the default

Using configuration from /etc/openvpn/2.0/
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'FJ'
localityName :PRINTABLE:'QZ'
organizationName :PRINTABLE:'VPN'
organizationalUnitName:PRINTABLE:'VPN'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'@'
Certificate is to be certified until Mar 12 09:23:42 2021 GMT (3650 days)
Sign the certificate? [y/n]:y    -- enter y


1 out of 1 certificate requests certified, commit? [y/n]y    -- enter y
Write out database with 1 new entries
Data Base Updated


9) View the generated server key files

root@ubuntuOracle:/etc/openvpn/2.0# ls keys/
serial


10) Create the client key files

root@ubuntuOracle:/etc/openvpn/2.0# ./build-key clinet1_0_182
Generating a 1024 bit RSA private key
...............++++++
..........++++++
writing new private key to 'clinet1_0_'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:    -- press Enter to accept the default
State or Province Name (full name) [FJ]:    -- press Enter to accept the default
Locality Name (eg, city) [QZ]:    -- press Enter to accept the default
Organization Name (eg, company) [SHI_JI_ZHI_CUN_VPN]:    -- press Enter to accept the default
Organizational Unit Name (eg, section) []:VPN    -- enter VPN
Common Name (eg, your name or your server's hostname) [clinet1_0_182]:    -- press Enter to accept the default
Email Address [vpn@]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:    -- press Enter to accept the default
Using configuration from /etc/openvpn/2.0/

Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'FJ'
localityName :PRINTABLE:'QZ'
organizationName :PRINTABLE:'VPN'
organizationalUnitName:PRINTABLE:'VPN'
commonName :T61STRING:'clinet1_0_182'
emailAddress :IA5STRING:'@'
Certificate is to be certified until Mar 12 09:28:00 2021 GMT (3650 days)
Sign the certificate? [y/n]:y    -- enter y


1 out of 1 certificate requests certified, commit? [y/n]y    -- enter y
Write out database with 1 new entries
Data Base Updated


11) View the newly generated client key files for clinet1_0_182

root@ubuntuOracle:/etc/openvpn/2.0# ls keys/
clinet1_0_ serial
clinet1_0_ clinet1_0_


12) Generate the Diffie-Hellman parameters

root@ubuntuOracle:/etc/openvpn/2.0# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time


13) Copy the key files generated under the keys directory

root@ubuntuOracle:/etc/openvpn/2.0# cp keys/ca.* keys/server.* keys/ /etc/openvpn/
root@ubuntuOracle:/etc/openvpn/2.0# cd /etc/openvpn/
root@ubuntuOracle:/etc/openvpn# ls
2.0 update-resolv-conf


root@ubuntuOracle:~# >/etc/openvpn/    -- empty the configuration file


14) Edit the openvpn configuration file

root@ubuntuOracle:~# vi /etc/openvpn/    -- paste in the lines below

root@ubuntuOracle:~# cat /etc/openvpn/
local 172.16.1.222
port 1194
proto udp
dev tun
ca
cert
key # This file should be kept secret
dh
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist
push

keepalive 10 120
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
log-append /var/log/
verb 5

plugin /usr/lib/openvpn/ login
client-cert-not-required
username-as-common-name
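
Added example (not part of the original document): a POSIX shell check that flags the settings in the server configuration above, together with the KEY_SIZE=1024 value from vars, that weaken this deployment: password-only login through client-cert-not-required, tunnel compression, no tls-auth/tls-crypt key, and keys below 2048 bits. The function names, finding IDs and sample file names are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the original page: lint an OpenVPN server config and
# an easy-rsa 2.0 vars file for the weak settings this walkthrough ends up with.

# audit_openvpn CONF VARS -> prints one finding ID per line (nothing if clean)
audit_openvpn() {
    conf=$1; vars=$2
    # Keep only active directives: drop comments (# or ;) and blank lines.
    active=$(sed -e 's/[#;].*//' -e 's/^[[:space:]]*//' -e '/^$/d' "$conf")

    # Password-only login: the server does not demand a client certificate.
    if printf '%s\n' "$active" | grep -Eq \
        '^(client-cert-not-required|verify-client-cert[[:space:]]+none)'; then
        echo "NO_CLIENT_CERT"
    fi
    # Compression enabled on the tunnel ("comp-lzo no" is not flagged).
    if printf '%s\n' "$active" | grep -Eq \
        '^(comp-lzo([[:space:]]+(yes|adaptive))?|compress[[:space:]]+(lzo|lz4|lz4-v2))[[:space:]]*$'; then
        echo "COMPRESSION"
    fi
    # No tls-auth / tls-crypt key protecting the control channel.
    if ! printf '%s\n' "$active" | grep -Eq '^tls-(auth|crypt|crypt-v2)[[:space:]]'; then
        echo "NO_TLS_AUTH"
    fi
    # easy-rsa 2.0 uses KEY_SIZE for the RSA keys and for build-dh.
    size=$(sed -n 's/^[[:space:]]*export[[:space:]]*KEY_SIZE=\([0-9][0-9]*\).*/\1/p' \
        "$vars" | tail -n 1)
    if [ -n "$size" ] && [ "$size" -lt 2048 ]; then
        echo "WEAK_KEY_SIZE=$size"
    fi
}

# Constructed sample input modelled on the config and vars shown above;
# the ta.key file name is a placeholder.
demo() {
    d=$(mktemp -d)
    cat > "$d/server.conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
comp-lzo
;tls-auth ta.key 0   # commented out, so it does not count
client-cert-not-required
username-as-common-name
EOF
    printf 'export KEY_SIZE=1024\nexport KEY_EXPIRE=3650\n' > "$d/vars"
    audit_openvpn "$d/server.conf" "$d/vars"
    rm -rf "$d"
}
demo
```

Each finding maps to a fix on the server: require client certificates alongside the PAM login, drop compression, add a tls-auth or tls-crypt key, and regenerate the CA, keys and DH parameters with KEY_SIZE of at least 2048.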


15) Enable packet forwarding

root@ubuntuOracle:~# vi /etc/
echo 1 >/proc/sys/net/ipv4/ip_forward
exit 0




16) Debug (messages like the following should appear)

root@ubuntuOracle:/etc/openvpn# openvpn --config /etc/openvpn/
Tue Mar 15 17:30:43 2011 OpenVPN 2.1_rc7 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Dec 15 2010
Tue Mar 15 17:30:43 2011 Diffie-Hellman initialized with 1024 bit key
Tue Mar 15 17:30:43 2011 /usr/bin/openssl-vulnkey -q -b 1024 -m
Tue Mar 15 17:30:43 2011 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Mar 15 17:30:43 2011 TUN/TAP device tun0 opened
Tue Mar 15 17:30:43 2011 TUN/TAP TX queue length set to 100
Tue Mar 15 17:30:43 2011 ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Tue Mar 15 17:30:44 2011 route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Tue Mar 15 17:30:44 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Mar 15 17:30:44 2011 Socket Buffers: R=[262144->131072] S=[262144->131072]
Tue Mar 15 17:30:44 2011 UDPv4 link local (bound): [undef]:1194
Tue Mar 15 17:30:44 2011 UDPv4 link remote: [undef]
Tue Mar 15 17:30:44 2011 MULTI: multi_init called, r=256 v=256
Tue Mar 15 17:30:44 2011 IFCONFIG POOL: base=10.8.0.4 size=62
Tue Mar 15 17:30:44 2011 IFCONFIG POOL LIST
Tue Mar 15 17:30:44 2011 Initialization Sequence Completed



Tue Mar 15 17:31:08 2011 event_wait : Interrupted system call (code=4)
Tue Mar 15 17:31:08 2011 TCP/UDP: Closing socket
Tue Mar 15 17:31:08 2011 route del -net 10.8.0.0 netmask 255.255.255.0
Tue Mar 15 17:31:08 2011 Closing TUN/TAP interface
Tue Mar 15 17:31:08 2011 SIGINT[hard,] received, process exiting


17) Restart the service

root@ubuntuOracle:/etc/openvpn# /etc/init.d/openvpn restart
* Starting virtual private network daemon.
* server (OK)
...done.

root@ubuntuOracle:/etc/openvpn# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:e3:a9:c9
inet addr:172.16.1.222 Bcast:172.16.1.255 Mask:255.255.254.0
inet6 addr: fe80::20c:29ff:fee3:a9c9/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:999890 errors:0 dropped:0 overruns:0 frame:0
TX packets:24333 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:106325971 (101.4 MB) TX bytes:6495355 (6.1 MB)
Interrupt:17 Base address:0x1080

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:5207 errors:0 dropped:0 overruns:0 frame:0
TX packets:5207 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:7746844 (7.3 MB) TX bytes:7746844 (7.3 MB)


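This article was updated on 2021-01-20 10:15 and was provided by the author; it does not represent the position of this site. When reposting, please cite the source: https://www.bjmy2z.cn/gaokao/538084.html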
