OpenVPN Setup Guide
Author: <netman@study-area.org>
-------------------------------------------------
v.2.0
1. Feature overview
* SSL VPN solution
* Full support for L2 and L3 connections
* Uses CA-signed certificates for authentication and encryption; a single pre-shared symmetric key can also be used
* Supports Linux, FreeBSD, OS X and Windows
* Supports both tun and TAP connection modes
* GPL licensed
2. Lab environment
2.1 server
OS: CentOS 5.5 Linux
real IP: 192.168.100.225
vpn IP: 10.8.0.1
2.2 client
OS: Windows XP(home)
real IP: 10.0.2.x (DHCP)
vpn IP: 10.8.0.x (server assigned)
3. Installation
3.1 server
# Install lzo (source rpm)
rpmbuild --rebuild http://openvpn.net/release/lzo-1.08-4.rf.src.rpm
rpm -ivh /usr/src/redhat/RPMS/i386/lzo-*.rpm
# Install pkcs11-helper
rpm -ivh http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.5.2-2.el5.rf.i386.rpm
yum install -y pkcs11-helper-devel
# Install openvpn
mkdir /usr/src/pkgs
cd /usr/src/pkgs
wget http://openvpn.net/release/openvpn-2.1.3.tar.gz
rpmbuild -tb openvpn-2.1.3.tar.gz
rpm -ivh /usr/src/redhat/RPMS/i386/openvpn-*.rpm
# Copy the sample configuration files
cp -r /usr/share/doc/openvpn-2.1.3/easy-rsa/ /etc/openvpn/
cp /usr/share/doc/openvpn-2.1.3/sample-config-files/server.conf /etc/openvpn/
# Set up the CA environment
cd /etc/openvpn/easy-rsa/2.0
vi vars
export KEY_COUNTRY=TW
export KEY_PROVINCE=Taiwan
export KEY_CITY=Tainan
export KEY_ORG="Study-Area"
export KEY_EMAIL="netman@study-area.org"
. ./vars
./clean-all
# Build the root CA
./build-ca
Generating a 1024 bit RSA private key
......++++++
................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [Taiwan]:
Locality Name (eg, city) [Tainan]:
Organization Name (eg, company) [Study-Area]:
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:CA
Email Address [netman@study-area.org]:
# Build the server key and certificate
./build-key-server ovpnsrv1
Generating a 1024 bit RSA private key
............................++++++
....++++++
writing new private key to 'ovpnsrv1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [Taiwan]:
Locality Name (eg, city) [Tainan]:
Organization Name (eg, company) [Study-Area]:
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:ovpnsrv1
Email Address [netman@study-area.org]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'TW'
stateOrProvinceName :PRINTABLE:'Taiwan'
localityName :PRINTABLE:'Tainan'
organizationName :PRINTABLE:'Study-Area'
organizationalUnitName:PRINTABLE:'test'
commonName :PRINTABLE:'ovpnsrv1'
emailAddress :IA5STRING:'netman@study-area.org'
Certificate is to be certified until Sep 7 20:36:58 2015 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# Build the Diffie-Hellman parameters
./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..................................+..............................................
+................................................................................
...............+....................................+............................
.................+...
# Install the CA files the server needs
cp keys/ca.crt /etc/openvpn
cp keys/dh1024.pem /etc/openvpn
cp keys/ovpnsrv1.key /etc/openvpn
cp keys/ovpnsrv1.crt /etc/openvpn
# Configure the server config file (leave anything not mentioned as-is)
cd /etc/openvpn
vi server.conf
dev tap
;dev tun
ca ca.crt
cert ovpnsrv1.crt
key ovpnsrv1.key # This file should be kept secret
# Start the server
service openvpn restart
chkconfig openvpn on
--------------------------
3.2 Client
# Download and install openvpn (GUI version)
http://openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe
# Set up the environment
cmd.exe
cd "c:\Program Files\OpenVPN\easy-rsa"
copy openssl.cnf.sample openssl.cnf
copy vars.bat.sample vars.bat
edit vars.bat
(The contents must match the server, especially the KEY_ORG entry.)
# Set up the CA environment
vars
# Build the client key and CSR
md keys
build-key ovpnclt1
....
Common Name (eg, your name or your server's hostname) []:ovpnclt1
....
# Submit the CSR (use a secure channel; this example uses pscp.exe)
pscp keys/ovpnclt1.csr root@192.168.100.225:/etc/openvpn/easy-rsa/2.0/keys
# Switch to the server and sign the client certificate
------------------------
cd /etc/openvpn/easy-rsa/2.0
./sign-req ovpnclt1
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'TW'
stateOrProvinceName :PRINTABLE:'Taiwan'
localityName :PRINTABLE:'Tainan'
organizationName :PRINTABLE:'Study-Area'
organizationalUnitName:PRINTABLE:'test'
commonName :PRINTABLE:'ovpnclt1'
emailAddress :IA5STRING:'netman@study-area.org'
Certificate is to be certified until Sep 7 21:07:33 2015 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
------------------------
# Install the CA files (fetch them from the server where the CSR was signed)
cd ..\config
pscp root@192.168.100.225:/etc/openvpn/easy-rsa/2.0/keys/ovpnclt1.crt .\
pscp root@192.168.100.225:/etc/openvpn/easy-rsa/2.0/keys/ca.crt .\
copy ..\easy-rsa\keys\ovpnclt1.key .\
# Copy the sample config file:
copy ..\sample-config\client.ovpn .\
# Configure the client config file
Bottom-right tray icon (OpenVPN GUI)
Right-click --> Edit Config (leave anything not mentioned as-is)
dev tap
;dev tun
dev-node OpenVPN_Tap
remote 192.168.100.225 1194
ca ca.crt
cert ovpnclt1.crt
key ovpnclt1.key
ns-cert-type server
# Set up the openvpn TAP interface
Control Panel --> Network Connections --> TAP-Win32#(#)
Right-click --> Rename --> OpenVPN_Tap
# Start the openvpn client
Bottom-right tray icon (OpenVPN GUI)
Right-click --> Connect
# Test
ping 10.8.0.1
4. Notes:
4.1 To let multiple clients reach each other, enable this on the server:
client-to-client
To reach hosts on the internal network, make sure routing works in both directions and ip_forward is set.
4.2 If you want to hide the server IP and use it purely as a bridge:
;server 10.3.0.0 255.255.255.0
server-bridge 10.8.0.1 255.255.255.0 10.8.0.129 10.8.0.246
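The server.conf edits in 3.1, the client.ovpn edits in 3.2 and the directives in 4.1/4.2 have to agree with each other (same dev mode, only one of server / server-bridge active, client checking that the peer presents a server certificate). The following added example is not part of this guide or of OpenVPN; it parses the two files using OpenVPN's comment rules (';' or '#' comment lines, trailing '# ...' stripped) and reports mismatches. The sample configs are constructed from the directives above.

```python
# Constructed sample configs (not the real sample files), built from the edits this guide makes.
SERVER_CONF = """\
dev tap
;dev tun
ca ca.crt
cert ovpnsrv1.crt
key ovpnsrv1.key # This file should be kept secret
;server 10.3.0.0 255.255.255.0
server-bridge 10.8.0.1 255.255.255.0 10.8.0.129 10.8.0.246
client-to-client
"""
CLIENT_OVPN = """\
dev tap
;dev tun
dev-node OpenVPN_Tap
remote 192.168.100.225 1194
ca ca.crt
cert ovpnclt1.crt
key ovpnclt1.key
ns-cert-type server
"""

def parse(text):
    """Map each active directive to its args; ';'/'#' start a comment and a
    trailing '# ...' is dropped, as OpenVPN does on the 'key' line above."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            name, *args = line.split()
            conf[name] = args
    return conf

def arg(conf, name):
    return conf[name][0] if conf.get(name) else None

def check_pair(server_text, client_text):
    """Return the problems found; an empty list means the pair is consistent."""
    srv, cli = parse(server_text), parse(client_text)
    problems = []
    if arg(srv, "dev") != arg(cli, "dev"):  # tap and tun do not interoperate
        problems.append("dev mode differs: server %s, client %s"
                        % (arg(srv, "dev"), arg(cli, "dev")))
    if "server" in srv and "server-bridge" in srv:  # 4.2 keeps only one active
        problems.append("server and server-bridge are both active")
    if "ns-cert-type" not in cli and "remote-cert-tls" not in cli:
        problems.append("client does not check that the peer cert is a server cert")
    if "ca.key" in (arg(srv, "key"), arg(cli, "key")):  # 4.4: ca.key stays on the CA
        problems.append("ca.key must stay on the CA host")
    return problems
```

Run check_pair() on the real /etc/openvpn/server.conf and the client's config\client.ovpn contents before handing the client config out; an empty list is the expected result for the setup in this guide.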
4.3 For a CSR generated on another CA, the Organization (KEY_ORG=) must match;
otherwise it cannot be signed.
4.4 Distribution of the CA files:
server:
ca.crt
dh1024.pem
server.crt
server.key # must be kept secret
client:
ca.crt
client.crt
client.key # must be kept secret
CA server:
ca.crt
ca.key # must be kept secret
4.5 Windows XP with SP2 running alongside certain security suites may prevent the Windows client from connecting.
At present there is no better workaround than removing SP2 or the conflicting suite.
Reference: http://openvpn.se/xpsp2_problem.html
5. Official site and documentation:
http://openvpn.net/
http://openvpn.net/howto.html
------- Change Log -------
v1.0 by netman
2005-09-12, Tainan
v2.0 by netman
2012-09-10, Tainan