OpenVPN server:修订间差异

来自Ubuntu中文
跳到导航跳到搜索
Dinofish留言 | 贡献
Dinofish留言 | 贡献
第38行: 第38行:
  sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/
  sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/


==== Client Certificates ====
==== 客户端证书 ====
*A VPN clients requires a certificate in order to authenticate itself to the VPN server.
*为了能让VPN客户端在运行时能够通过服务器认证,需要生成一个客户端证书.
*Create the certificate:
*创建证书:


  cd /etc/openvpn/easy-rsa/
  cd /etc/openvpn/easy-rsa/
第46行: 第46行:
  ./pkitool ''hostname''
  ./pkitool ''hostname''


:Note: Replace ''hostname'' with the actual hostname of the client machine that will be connecting to the VPN.
:说明: 用需要连接到VPN服务器的客户端计算机名替换 ''hostname''(不含双引号).


*Copy the certificate files that have been created to the client:
*拷贝前面生成的下述认证文件到客户端:
:* /etc/openvpn/easy-rsa/''hostname''.ovpn
:* /etc/openvpn/easy-rsa/''hostname''.ovpn
:* /etc/openvpn/easy-rsa/ca.crt
:* /etc/openvpn/easy-rsa/ca.crt
第55行: 第55行:
:* /etc/openvpn/easy-rsa/ta.key
:* /etc/openvpn/easy-rsa/ta.key


:Note: Use the files that correspond to your client machine's ''hostname''.
:说明: 请拷贝和你的客户端机器名("hostname")相符的文件.


==== Server Configuration ====
==== Server Configuration ====

2014年9月12日 (五) 15:28的版本

OpenVPN

我们可以把处于LAN环境下的特定计算机设置为一个VPN服务器,这个服务器可以让处于LAN之外的远程客户端和LAN上的计算机进行加密通信(通过VPN服务器接入). 当两台终端建立VPN 连接通道(服务端和客户端)时,OpenVPN 使用 PKI(Public Key Infrastructure)对其进行加密.

VPN 服务器的硬件需求取决于最大的并发通信隧道的数量.通俗的来讲,最为普通配置的电脑可以胜任一台并发连接数不大于10的VPN服务器.而一台不大于100个并发连接数的VPN服务器则需要较高的内存和CPU配置.网络连接也是一个限制因素,所以,高配的网卡也是必须的(至少支持千兆网卡).

使用桥接模式

OpenVPN 服务器通常使用桥接模式.一个网络(如:eth0)连接到WAN(互联网),这个连接用来接入VPN请求,另外一个(如:eth1)连接到LAN(局域网),VPN数据的流动在这两个网络间可以理解为被”桥接”了.查看Network Interface Bridging获取详情.

OpenVPN 服务器的安装

  • 安装 OpenVPN:
sudo apt-get install openvpn

服务器证书

  • 创建OpenVPN服务器证书.
  • 复制 easy-rsa 目录到 /etc/openvpn. 这个操作确保在包更新后脚本内容不会丢失.
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa/
  • 编辑 /etc/openvpn/easy-rsa/vars 根据实际情况在其中修改相应的环境变量:
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="MyCity"
export KEY_ORG="MyCompany"
export KEY_EMAIL="[email protected]"
  • 运行脚本,创建服务器证书:
cd /etc/openvpn/easy-rsa/easy-rsa
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/

客户端证书

  • 为了能让VPN客户端在运行时能够通过服务器认证,需要生成一个客户端证书.
  • 创建证书:
cd /etc/openvpn/easy-rsa/
source vars
./pkitool hostname
说明: 用需要连接到VPN服务器的客户端计算机名替换 hostname(不含双引号).
  • 拷贝前面生成的下述认证文件到客户端:
  • /etc/openvpn/easy-rsa/hostname.ovpn
  • /etc/openvpn/easy-rsa/ca.crt
  • /etc/openvpn/easy-rsa/hostname.crt
  • /etc/openvpn/easy-rsa/hostname.key
  • /etc/openvpn/easy-rsa/ta.key
说明: 请拷贝和你的客户端机器名("hostname")相符的文件.

Server Configuration

  • On the OpenVPN server, modify /etc/openvpn/server.conf from the example file:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz
  • Edit etc/openvpn/server.conf:
sudo nano /etc/openvpn/server.conf
  • Changing the following options to resemble:
local 172.18.100.101
dev tap0
server-bridge 172.18.100.101 255.255.255.0 172.18.100.105 172.18.100.200
push "route 172.18.100.1 255.255.255.0"
push "dhcp-option DNS 172.18.100.20"
push "dhcp-option DOMAIN example.com"
tls-auth ta.key 0 # This file is secret
user nobody
group nogroup
Notes:
local: is the IP address of the bridge interface.
server-bridge: needed when the configuration uses bridging. The 172.18.100.101 255.255.255.0 portion is the bridge interface and mask. The IP range 172.18.100.105 172.18.100.200 is the range of IP addresses that will be assigned to clients.
push: directives to add networking options for clients.
user and group: configure which user and group the openvpn daemon executes as.
Replace all IP addresses and domain names above with those of your network.
  • Create helper scripts to add the tap interface to the bridge.
  • Create /etc/openvpn/up.sh:
sudo nano /etc/openvpn/up.sh
Add the lines:
#!/bin/sh
#
BR=$1
DEV=$2
MTU=$3
/sbin/ifconfig $DEV mtu $MTU promisc up
/usr/sbin/brctl addif $BR $DEV
  • Create /etc/openvpn/down.sh:
sudo nano /etc/openvpn/down.sh
Add the lines:
#!/bin/sh
#
BR=$1
DEV=$2
#
/usr/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down
  • Make the scripts executable:
sudo chmod 755 /etc/openvpn/down.sh
sudo chmod 755 /etc/openvpn/up.sh
  • Restart OpenVpn:
sudo /etc/init.d/openvpn restart

Client Configuration

  • Copy the example client configuration file:

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn

  • Edit the client configuration file:
sudo nano /etc/openvpn/client.conf 
  • Change it to resemble:
dev tap
remote vpn.mycompany.com 1194
cert hostname.crt
key hostname.key
tls-auth ta.key 1
Note: Replace vpn.mycompany.com with the hostname of your VPN server, and hostname.* with the actual certificate and key filenames that correspond to the client.
  • Restart OpenVpn:
sudo /etc/init.d/openvpn restart
  • Connect the VPN client to the remote LAN through the OpenVPN server.

Other resources