RHEL5.4 上部署openvpn 服务
一 openvpn 简介 openvpn 是基于SSL的vpn ,其使用工业标准的SSL/TLS协议实现第二层和第三层的安全数据链路VPN .其优点如下: 1 基于SSL协议,安全,并使用单一TCP 或者UDP 端口即可实现 2 使用双向验证,服务器只需保存自己的证书和密钥; 3 服务器只接受那些由主CA证书签名的客户端,并有撤回机制,而不需要重建个PKI; 4 可以实现基于Common Name 的权限控制 二 系统环境:RHEL5.4 应用软件 openvpn-2.1.4.tar.gz lzo-2.05.tar.gz 三 安装openvpn# tar xvf lzo-2.05.tar.gz #cd lzo-2.05 # ./configure# make # make check # make test # make install #tar xvf openvpn-2.1.4.tar.gz #cd openvpn-2.1.4 #./configure #make && make install 四 配置openv 1 为openvpn 建立专用CA,并分别为Openvpn的服务器端机器各个客户端申请所需要的证书;openvpn 支持两种认证模型:以共享密钥及基于TLS 认证模型. 出于安装机器简话认证过程等目的,Openvpn 要求服务器端在建立通信前进行基于证书的双向认证.而证书的使用依赖于PKI OpenVPN 为使用私有的CA 来颁发证书准备了许多脚本,在openvpn 源码包下面的easy-rsa 下面 2 创建CA及Openvpn 服务器和个客户端所需要的证书,需啊哟为证书使用者所处的国家等信息,而这些可以在vars 文件中指定其默认值,参数包括 #cd /root/openvpn/openvpn-2.1.4/easy-rsa/2.0
#vim vars export KEY_COUNTRY="CN" export KEY_PROVINCE="SHANGHAI" export KEY_CITY="SHANGHAI" export KEY_ORG="Frank" export KEY_EMAIL=623195090@qq.com 3 配置PKI #source varsNOTE: If you run ./clean-all, I will be doing a rm -rf on /root/openvpn/openvpn-2.1.4/easy-rsa/2.0/keys [root@openvpn 2.0]# ./clean-all 4 创建本地CA [root@openvpn 2.0]# ./build-ca Generating a 1024 bit RSA private key ............................................................... ........ writing new private key to ''ca.key'' -----You are about to be asked to enter information that will be incorporated into your certificate request.What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ''.'', the field will be left blank. ----- Country Name (2 letter code) [CN]:State or Province Name (full name) [SHANGHAI]: Locality Name (eg, city) [SHANGHAI]: Organization Name (eg, company) [Frank]:Organizational Unit Name (eg, section) []:Frank Common Name (eg, your name or your server''s hostname) [Frank CA]:FRANK Name []:frank Email Address [623195090@qq.com]: 4 为Openvpn 创建密钥及证书[root@openvpn 2.0]# ./build-key-server server Generating a 1024 bit RSA private key ................................................................ .. writing new private key to ''server.key'' -----You are about to be asked to enter information that will be incorporated into your certificate request.What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank |
||
凌众科技专业提供服务器租用、服务器托管、企业邮局、虚拟主机等服务,公司网站:http://www.lingzhong.cn 为了给广大客户了解更多的技术信息,本技术文章收集来源于网络,凌众科技尊重文章作者的版权,如果有涉及你的版权有必要删除你的文章,请和我们联系。以上信息与文章正文是不可分割的一部分,如果您要转载本文章,请保留以上信息,谢谢! |