17.2. OpenVPN Server Installation and Configuration
- Date:
2018-09
17.2.1. Server environment
OpenVPN server environment
System version   | CentOS release 6.6 (Final)
Hostname         | OpenVPN_001
Hardware         | x86_64
Network          | eth0(dhcp):192.168.1.140
OpenVPN software |
17.2.2. Installation preparation
17.2.2.1. Network time synchronization
[root@OpenVPN_001 ~]# date
Thu Sep 6 21:07:25 CST 2018
[root@OpenVPN_001 ~]# ntpdate pool.ntp.org
28 Sep 00:53:38 ntpdate[1577]: step time server 5.103.139.163 offset 1827966.915121 sec
17.2.2.2. Disable SELinux
- Permanent:
The following change keeps SELinux disabled after the system is rebooted, but it does not take effect immediately.
Note
Running source /etc/selinux/config does not apply the edited file immediately either, so this has to be combined with the temporary method below.
[root@OpenVPN_001 ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
[root@OpenVPN_001 ~]# grep SELINUX /etc/selinux/config
# SELINUX= can take one of these three values:
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
SELINUXTYPE=targeted
- Temporary:
The following takes effect immediately but is lost after a reboot.
[root@OpenVPN_001 ~]# getenforce
Enforcing
[root@OpenVPN_001 ~]# setenforce 0
[root@OpenVPN_001 ~]# getenforce
Permissive
17.2.2.3. Disable the firewall
Note
The firewall is usually disabled. If it is not disabled, rules can instead be configured to allow access to every port that is used.
[root@OpenVPN_001 ~]# /etc/init.d/iptables stop
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
Disable starting the firewall at boot:
[root@OpenVPN_001 ~]# chkconfig iptables off
17.2.2.4. System preparation command set
ntpdate pool.ntp.org
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
setenforce 0
/etc/init.d/iptables stop
chkconfig iptables off
Note
- Time synchronization is best added as a cron job, so that the clock is corrected automatically if it drifts later on.
echo "#time sysc by myhome at 2018-03-30" >>/var/spool/cron/root
echo "*/5 * * * * /usr/sbin/ntpdate pool.ntp.org >/dev/null 2>&1" >>/var/spool/cron/root
17.2.3. OpenVPN installation (compiling from source)
17.2.3.1. Installing the OpenVPN dependencies
- Official note on the OpenVPN dependencies:
[root@OpenVPN_001 ~]# yum install openssl lzo pam openssl-devel lzo-devel pam-devel -y
17.2.3.2. Installation
Note
OpenVPN upstream points out that the 2.2.x releases still bundle the easy-rsa scripts; from 2.3.x onward the scripts have to be downloaded separately.
- Download
[root@OpenVPN_001 ~]# mkdir /data/tools -p
[root@OpenVPN_001 ~]# cd /data/tools/
[root@OpenVPN_001 tools]# wget http://build.openvpn.net/downloads/releases/openvpn-2.2.2.tar.gz
Unpack and run configure:
[root@OpenVPN_001 tools]# ls
openvpn-2.2.2.tar.gz
[root@OpenVPN_001 tools]# ll
total 892
-rw-r--r--. 1 root root 911158 Nov 15 2018 openvpn-2.2.2.tar.gz
[root@OpenVPN_001 tools]# tar zxf openvpn-2.2.2.tar.gz
[root@OpenVPN_001 tools]# ll
total 896
drwxrwxr-x. 16 500 500 4096 Dec 14 2011 openvpn-2.2.2
-rw-r--r--. 1 root root 911158 Nov 15 2018 openvpn-2.2.2.tar.gz
[root@OpenVPN_001 tools]# cd openvpn-2.2.2
[root@OpenVPN_001 openvpn-2.2.2]# ./configure --prefix=/usr/local/openvpn-2.2.2
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking for ifconfig... /sbin/ifconfig
(output omitted)
config.status: creating install-win32/Makefile
config.status: creating install-win32/settings
config.status: creating config.h
config.status: executing depfiles commands
Compile and install:
[root@OpenVPN_001 openvpn-2.2.2]# make && make install
17.2.3.3. Create a symbolic link
- Purpose:
It makes later OpenVPN upgrades easier: after compiling a new version, only the symlink has to be repointed.
[root@OpenVPN_001 openvpn-2.2.2]# ln -s /usr/local/openvpn-2.2.2/ /usr/local/openvpn
[root@OpenVPN_001 openvpn-2.2.2]# ll /usr/local/openvpn
lrwxrwxrwx. 1 root root 25 Nov 4 06:02 /usr/local/openvpn -> /usr/local/openvpn-2.2.2/
17.2.4. Certificates and parameters OpenVPN needs (ca/dh)
17.2.4.1. Creating the CA certificate
Back up the vars file:
[root@OpenVPN_001 openvpn-2.2.2]# cd /data/tools/openvpn-2.2.2/easy-rsa/2.0/
[root@OpenVPN_001 2.0]# pwd
/data/tools/openvpn-2.2.2/easy-rsa/2.0
[root@OpenVPN_001 2.0]# cp vars vars.ori.`date +%F`
[root@OpenVPN_001 2.0]# ll vars*
-rwxrwxr-x. 1 500 500 1841 Nov 25 2011 vars
-rwxr-xr-x. 1 root root 1841 Nov 4 06:12 vars.ori.2018-11-04
View the settings in vars:
[root@OpenVPN_001 2.0]# grep -Ev '^#|^$' vars
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=1024
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_EMAIL=mail@host.domain
export KEY_CN=changeme
export KEY_NAME=changeme
export KEY_OU=changeme
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
Strip the comments and edit the settings:
[root@OpenVPN_001 2.0]# grep -Ev '^#|^$' vars.ori.`date +%F`>vars

[root@OpenVPN_001 2.0]# sed -i 's#export KEY_COUNTRY="US"#export KEY_COUNTRY="CN"#g' vars
[root@OpenVPN_001 2.0]# sed -i 's#export KEY_PROVINCE="CA"#export KEY_PROVINCE="SD"#g' vars
[root@OpenVPN_001 2.0]# sed -i 's#export KEY_CITY="SanFrancisco"#export KEY_CITY="QD"#g' vars
[root@OpenVPN_001 2.0]# sed -i 's#export KEY_ORG="Fort-Funston"#export KEY_ORG="zzjlogin"#g' vars
[root@OpenVPN_001 2.0]# sed -i 's#export KEY_EMAIL="me@myhost.mydomain"#export KEY_EMAIL="admin@display.tk"#g' vars
[root@OpenVPN_001 2.0]# sed -i 's#export KEY_EMAIL=mail@host.domain#export KEY_EMAIL=admin@display.tk#g' vars
[root@OpenVPN_001 2.0]# sed -i 's#export KEY_CN=changeme#export KEY_CN=CN#g' vars
[root@OpenVPN_001 2.0]# sed -i 's#export KEY_NAME=changeme#export KEY_NAME=zzjlogin#g' vars
[root@OpenVPN_001 2.0]# sed -i 's#export KEY_OU=changeme#export KEY_OU=zzjlogin#g' vars
Apply the vars settings and clear any keys that may already exist:
[root@OpenVPN_001 2.0]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /data/tools/openvpn-2.2.2/easy-rsa/2.0/keys
[root@OpenVPN_001 2.0]# ./clean-all
[root@OpenVPN_001 2.0]# ll keys/
total 4
-rw-r--r--. 1 root root 0 Nov 4 06:27 index.txt
-rw-r--r--. 1 root root 3 Nov 4 06:27 serial
Create the CA certificate:
[root@OpenVPN_001 2.0]# ./build-ca
Generating a 1024 bit RSA private key
....++++++
.++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SD]:
Locality Name (eg, city) [QD]:
Organization Name (eg, company) [zzjlogin]:
Organizational Unit Name (eg, section) [zzjlogin]:
Common Name (eg, your name or your server's hostname) [CN]:
Name [zzjlogin]:
Email Address [admin@display.tk]:
[root@OpenVPN_001 2.0]# ll keys/
total 12
-rw-r--r--. 1 root root 1302 Nov 4 06:29 ca.crt
-rw-------. 1 root root 916 Nov 4 06:29 ca.key
-rw-r--r--. 1 root root 0 Nov 4 06:27 index.txt
-rw-r--r--. 1 root root 3 Nov 4 06:27 serial
17.2.4.2. Generate the server key and certificate
[root@OpenVPN_001 2.0]# ./build-key-server openvpn_server
Generating a 1024 bit RSA private key
........................................++++++
....................................++++++
writing new private key to 'openvpn_server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SD]:
Locality Name (eg, city) [QD]:
Organization Name (eg, company) [zzjlogin]:
Organizational Unit Name (eg, section) [zzjlogin]:
Common Name (eg, your name or your server's hostname) [openvpn_server]:
Name [zzjlogin]:
Email Address [admin@display.tk]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /data/tools/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SD'
localityName :PRINTABLE:'QD'
organizationName :PRINTABLE:'zzjlogin'
organizationalUnitName:PRINTABLE:'zzjlogin'
commonName :T61STRING:'openvpn_server'
name :PRINTABLE:'zzjlogin'
emailAddress :IA5STRING:'admin@display.tk'
Certificate is to be certified until Oct 31 22:33:14 2028 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Tip
The whole process above only needs y to be typed twice; no password is set.
[root@OpenVPN_001 2.0]# ll keys/
total 40
-rw-r--r--. 1 root root 4009 Nov 4 06:33 01.pem
-rw-r--r--. 1 root root 1302 Nov 4 06:29 ca.crt
-rw-------. 1 root root 916 Nov 4 06:29 ca.key
-rw-r--r--. 1 root root 130 Nov 4 06:33 index.txt
-rw-r--r--. 1 root root 21 Nov 4 06:33 index.txt.attr
-rw-r--r--. 1 root root 0 Nov 4 06:27 index.txt.old
-rw-r--r--. 1 root root 4009 Nov 4 06:33 openvpn_server.crt
-rw-r--r--. 1 root root 720 Nov 4 06:33 openvpn_server.csr
-rw-------. 1 root root 916 Nov 4 06:33 openvpn_server.key
-rw-r--r--. 1 root root 3 Nov 4 06:33 serial
-rw-r--r--. 1 root root 3 Nov 4 06:27 serial.old
17.2.4.3. Generate the Diffie-Hellman parameter file used for key exchange (dh file)
[root@OpenVPN_001 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
............................................................
......................+.....................+...............
...........+....+...........................................
............................................................
....................................................+.......
...............................................+............
.....+......................................................
...........+.............................................+..
..+....++*++*++*
[root@OpenVPN_001 2.0]# ll keys/
total 44
-rw-r--r--. 1 root root 4009 Nov 4 06:33 01.pem
-rw-r--r--. 1 root root 1302 Nov 4 06:29 ca.crt
-rw-------. 1 root root 916 Nov 4 06:29 ca.key
-rw-r--r--. 1 root root 245 Nov 4 06:38 dh1024.pem
-rw-r--r--. 1 root root 130 Nov 4 06:33 index.txt
-rw-r--r--. 1 root root 21 Nov 4 06:33 index.txt.attr
-rw-r--r--. 1 root root 0 Nov 4 06:27 index.txt.old
-rw-r--r--. 1 root root 4009 Nov 4 06:33 openvpn_server.crt
-rw-r--r--. 1 root root 720 Nov 4 06:33 openvpn_server.csr
-rw-------. 1 root root 916 Nov 4 06:33 openvpn_server.key
-rw-r--r--. 1 root root 3 Nov 4 06:33 serial
-rw-r--r--. 1 root root 3 Nov 4 06:27 serial.old
17.2.4.4. Generate the tls-auth key used for DDoS protection
Protects against DDoS and UDP port-flooding attacks.
[root@OpenVPN_001 2.0]# /usr/local/openvpn/sbin/openvpn --genkey --secret keys/ta.key
[root@OpenVPN_001 2.0]# ll keys/ta.key
-rw-------. 1 root root 636 Nov 4 06:42 keys/ta.key
17.2.5. OpenVPN configuration
The following file moves and configuration-file initialization are all required:
[root@OpenVPN_001 2.0]# mkdir /etc/openvpn
[root@OpenVPN_001 2.0]# pwd
/data/tools/openvpn-2.2.2/easy-rsa/2.0
[root@OpenVPN_001 2.0]# cp -ap keys /etc/openvpn/
[root@OpenVPN_001 2.0]# cd /data/tools/openvpn-2.2.2/sample-config-files
[root@OpenVPN_001 sample-config-files]# cp server.conf /etc/openvpn/
[root@OpenVPN_001 sample-config-files]# mkdir /etc/openvpn/clients
[root@OpenVPN_001 sample-config-files]# cp client.conf /etc/openvpn/clients/

[root@OpenVPN_001 sample-config-files]# cd /etc/openvpn/
[root@OpenVPN_001 openvpn]# ls
clients keys server.conf
[root@OpenVPN_001 openvpn]# cp server.conf server.conf.ori`date +%F`
[root@OpenVPN_001 openvpn]# ls
clients keys server.conf server.conf.ori2018-11-04

[root@OpenVPN_001 openvpn]# grep -vE '^;|^$|^#' server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
17.2.5.1. General configuration
- What the general configuration provides:
Clients can connect to the VPN server over the VPN;
VPN clients can be allowed to reach each other over the network;
Traffic between a VPN client and the VPN server, and between VPN clients, is encrypted;
Every subnet the server pushes to clients (the push'd routes) is reachable over the VPN link once connected.
[root@OpenVPN_001 openvpn]# vi /etc/openvpn/server.conf

local 192.168.1.140
port 52115
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
# the certificate and key created above with ./build-key-server openvpn_server
cert /etc/openvpn/keys/openvpn_server.crt
key /etc/openvpn/keys/openvpn_server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
tls-auth /etc/openvpn/keys/ta.key 0
server 10.8.0.0 255.255.255.0
# a pushed route needs the "route" keyword; a bare network is rejected by the client
push "route 192.168.19.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
client-to-client
duplicate-cn
status openvpn-status.log
log /var/log/openvpn.log
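A pre-start check for the server configuration, added here as an example that is not part of the original page or of the OpenVPN project: it reads each file option out of server.conf (ca, cert, key, dh, tls-auth, crl-verify), resolves relative paths against the config's directory (the init script starts the daemon from /etc/openvpn), confirms the files exist, and checks that key and ta.key are not group- or world-readable. A config that still names the sample's server.crt and server.key instead of the openvpn_server.* files produced by build-key-server fails here before the daemon is started. The script name is hypothetical and GNU stat is assumed, as on CentOS 6.

```shell
#!/bin/sh
# Added example, not from the original page: pre-flight check of an OpenVPN
# server.conf. Usage (hypothetical script name):
#   sh check_server_conf.sh /etc/openvpn/server.conf

# conf_value CONFIG OPTION: print the first argument of OPTION, ignoring trailing
# comments such as "key server.key # This file should be kept secret".
conf_value() {
    awk -v opt="$2" '$1 == opt { print $2; exit }' "$1"
}

# resolve_path CONFIG PATH: relative paths are taken from the config's own
# directory, which is where the init script starts the daemon (cd /etc/openvpn).
resolve_path() {
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$(dirname "$1")" "$2" ;;
    esac
}

# file_mode PATH: octal permission bits, e.g. 600 (GNU/busybox stat assumed).
file_mode() {
    stat -c '%a' "$1"
}

# check_server_conf CONFIG: prints findings; returns 0 only when ca/cert/key/dh are
# set, every referenced file exists, and key/tls-auth material is mode 600 or 400.
check_server_conf() {
    conf="$1"
    rc=0
    for opt in ca cert key dh tls-auth crl-verify; do
        val=$(conf_value "$conf" "$opt")
        if [ -z "$val" ]; then
            case "$opt" in
                ca|cert|key|dh) echo "MISSING: required option '$opt' not set"; rc=1 ;;
                tls-auth)       echo "WARN: no tls-auth configured (ta.key is not used)" ;;
            esac
            continue
        fi
        path=$(resolve_path "$conf" "$val")
        if [ ! -f "$path" ]; then
            echo "MISSING: $opt -> $path does not exist"
            rc=1
            continue
        fi
        case "$opt" in
            key|tls-auth)
                mode=$(file_mode "$path")
                case "$mode" in
                    600|400) echo "ok: $opt -> $path (mode $mode)" ;;
                    *) echo "WEAK PERMS: $path is mode $mode, expected 600"; rc=1 ;;
                esac ;;
            *) echo "ok: $opt -> $path" ;;
        esac
    done
    return $rc
}

# Run the check only when a config path is given on the command line.
if [ $# -gt 0 ]; then
    check_server_conf "$1"
fi
```

Run it before every restart of the service; a non-zero exit means the daemon would either fail to start or start with a key file readable by other local users.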
17.2.5.2. Proxy (full-tunnel) configuration
- Purpose of the proxy configuration:
Route all local Internet traffic through the VPN, so that it reaches the Internet via the VPN server.
The following has to be added to the general configuration file:
push "redirect-gateway def1 bypass-dhcp bypass-dns"
#push "redirect-gateway local def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 10.8.0.1"
Add the NAT rule:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
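To keep the masquerade rule consistent with the server line in server.conf, the following added example (my own script, not code from the page or from the OpenVPN project) derives the client subnet from the config, converts the netmask to a prefix length, enables IPv4 forwarding and adds the POSTROUTING rule only if it is not already present. Forwarding is the piece the page does not show: without net.ipv4.ip_forward=1 the kernel does not forward packets arriving on tun0 to eth0, so redirect-gateway clients get no Internet access even though the iptables rule exists. The interface name eth0 and the config path are taken from the page; apply_nat needs root and persists nothing, so the sysctl setting should also be written to /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example, not from the original page: enable forwarding and add the NAT rule
# for the VPN subnet declared in server.conf. Usage as root (hypothetical name):
#   sh vpn_nat.sh /etc/openvpn/server.conf eth0

# mask_to_prefix NETMASK: dotted netmask -> prefix length (255.255.255.0 -> 24).
mask_to_prefix() {
    printf '%s\n' "$1" | awk -F. '{
        bits = 0
        for (i = 1; i <= 4; i++) {
            o = $i
            for (b = 7; b >= 0; b--) if (o >= 2^b) { o -= 2^b; bits++ }
        }
        print bits
    }'
}

# server_subnet CONFIG: read "server NET MASK" from the config and print NET/PREFIX.
# Returns 1 when the config has no server line (e.g. a client config).
server_subnet() {
    set -- $(awk '$1 == "server" { print $2, $3; exit }' "$1")
    [ $# -eq 2 ] || return 1
    printf '%s/%s\n' "$1" "$(mask_to_prefix "$2")"
}

# apply_nat CONFIG IFACE: turn on forwarding and add the masquerade rule once.
apply_nat() {
    net=$(server_subnet "$1") || { echo "no 'server' line in $1" >&2; return 1; }
    # Without this the kernel silently drops traffic forwarded from tun0 to IFACE.
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    # -C only tests for the rule, so re-running the script does not duplicate it.
    iptables -t nat -C POSTROUTING -s "$net" -o "$2" -j MASQUERADE 2>/dev/null ||
        iptables -t nat -A POSTROUTING -s "$net" -o "$2" -j MASQUERADE
    echo "masquerading $net out of $2"
}

# Apply only when both the config path and the egress interface are given.
if [ $# -eq 2 ]; then
    apply_nat "$1" "$2"
fi
```

With the page's server.conf, server_subnet prints 10.8.0.0/24 and the rule added is exactly the one shown above; changing the server line later changes the rule with it instead of leaving a stale subnet in the NAT table.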
17.2.5.3. NAT-mode VPN configuration
17.2.6. Adding clients on the OpenVPN server
17.2.6.1. Move the easy-rsa 2.0 scripts
[root@OpenVPN_001 easy-rsa]# pwd
/data/tools/openvpn-2.2.2/easy-rsa

[root@OpenVPN_001 easy-rsa]# cp -ap 2.0 /etc/openvpn/
[root@OpenVPN_001 easy-rsa]# cd /etc/openvpn/2.0/
[root@OpenVPN_001 2.0]# ls
build-ca build-key-server list-crl README
build-dh build-req Makefile revoke-full
build-inter build-req-pass openssl-0.9.6.cnf sign-req
build-key clean-all openssl-0.9.8.cnf vars
build-key-pass inherit-inter openssl-1.0.0.cnf vars.ori.2018-11-04
build-key-pkcs12 keys pkitool whichopensslcnf
17.2.6.2. Apply the vars file in the new directory
Note
Every time a user is created, the vars file has to be re-applied with source. Do not run ./clean-all, which would wipe the existing certificates and key files.
[root@OpenVPN_001 2.0]# source vars
17.2.6.3. Create a user
- Username:
user001
- Login authentication:
Certificate and key required
No password required
[root@OpenVPN_001 2.0]# ./build-key user001
Generating a 1024 bit RSA private key
...........................................................++++++
...................................++++++
writing new private key to 'user001.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SD]:
Locality Name (eg, city) [QD]:
Organization Name (eg, company) [zzjlogin]:
Organizational Unit Name (eg, section) [zzjlogin]:
Common Name (eg, your name or your server's hostname) [user001]:
Name [zzjlogin]:
Email Address [admin@display.tk]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /data/tools/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SD'
localityName :PRINTABLE:'QD'
organizationName :PRINTABLE:'zzjlogin'
organizationalUnitName:PRINTABLE:'zzjlogin'
commonName :PRINTABLE:'user001'
name :PRINTABLE:'zzjlogin'
emailAddress :IA5STRING:'admin@display.tk'
Certificate is to be certified until Nov 1 00:29:14 2028 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Check how the keys directory changed after creating the user:
[root@OpenVPN_001 2.0]# ll -t keys/
total 72
-rw-r--r--. 1 root root 3872 Nov 15 19:17 02.pem
-rw-r--r--. 1 root root 253 Nov 15 19:17 index.txt
-rw-r--r--. 1 root root 21 Nov 15 19:17 index.txt.attr
-rw-r--r--. 1 root root 3 Nov 15 19:17 serial
-rw-r--r--. 1 root root 3872 Nov 15 19:17 user001.crt
-rw-r--r--. 1 root root 712 Nov 15 19:17 user001.csr
-rw-------. 1 root root 916 Nov 15 19:17 user001.key
-rw-------. 1 root root 636 Nov 4 06:42 ta.key
-rw-r--r--. 1 root root 245 Nov 4 06:38 dh1024.pem
-rw-r--r--. 1 root root 4009 Nov 4 06:33 01.pem
-rw-r--r--. 1 root root 21 Nov 4 06:33 index.txt.attr.old
-rw-r--r--. 1 root root 130 Nov 4 06:33 index.txt.old
-rw-r--r--. 1 root root 4009 Nov 4 06:33 openvpn_server.crt
-rw-r--r--. 1 root root 3 Nov 4 06:33 serial.old
-rw-r--r--. 1 root root 720 Nov 4 06:33 openvpn_server.csr
-rw-------. 1 root root 916 Nov 4 06:33 openvpn_server.key
-rw-r--r--. 1 root root 1302 Nov 4 06:29 ca.crt
-rw-------. 1 root root 916 Nov 4 06:29 ca.key
17.2.6.4. Create a user that needs both a certificate and a password
- Username:
user101
- Authentication method:
Certificate and key plus password
[root@OpenVPN_001 2.0]# ./build-key-pass user101
Generating a 1024 bit RSA private key
..........................................++++++
............++++++
writing new private key to 'user101.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SD]:
Locality Name (eg, city) [QD]:
Organization Name (eg, company) [zzjlogin]:
Organizational Unit Name (eg, section) [zzjlogin]:
Common Name (eg, your name or your server's hostname) [user101]:
Name [zzjlogin]:
Email Address [admin@display.tk]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SD'
localityName :PRINTABLE:'QD'
organizationName :PRINTABLE:'zzjlogin'
organizationalUnitName:PRINTABLE:'zzjlogin'
commonName :PRINTABLE:'user101'
name :PRINTABLE:'zzjlogin'
emailAddress :IA5STRING:'admin@display.tk'
Certificate is to be certified until Nov 12 11:35:19 2028 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@OpenVPN_001 2.0]# ll keys/
total 88
-rw-r--r--. 1 root root 4009 Nov 4 06:33 01.pem
-rw-r--r--. 1 root root 3872 Nov 15 19:17 02.pem
-rw-r--r--. 1 root root 3872 Nov 15 19:35 03.pem
-rw-r--r--. 1 root root 1302 Nov 4 06:29 ca.crt
-rw-------. 1 root root 916 Nov 4 06:29 ca.key
-rw-r--r--. 1 root root 245 Nov 4 06:38 dh1024.pem
-rw-r--r--. 1 root root 376 Nov 15 19:35 index.txt
-rw-r--r--. 1 root root 21 Nov 15 19:35 index.txt.attr
-rw-r--r--. 1 root root 21 Nov 15 19:17 index.txt.attr.old
-rw-r--r--. 1 root root 253 Nov 15 19:17 index.txt.old
-rw-r--r--. 1 root root 4009 Nov 4 06:33 openvpn_server.crt
-rw-r--r--. 1 root root 720 Nov 4 06:33 openvpn_server.csr
-rw-------. 1 root root 916 Nov 4 06:33 openvpn_server.key
-rw-r--r--. 1 root root 3 Nov 15 19:35 serial
-rw-r--r--. 1 root root 3 Nov 15 19:17 serial.old
-rw-------. 1 root root 636 Nov 4 06:42 ta.key
-rw-r--r--. 1 root root 3872 Nov 15 19:17 user001.crt
-rw-r--r--. 1 root root 712 Nov 15 19:17 user001.csr
-rw-------. 1 root root 916 Nov 15 19:17 user001.key
-rw-r--r--. 1 root root 3872 Nov 15 19:35 user101.crt
-rw-r--r--. 1 root root 712 Nov 15 19:35 user101.csr
-rw-------. 1 root root 1041 Nov 15 19:35 user101.key
17.2.7. Revoking and restoring client users on the OpenVPN server
- Reference:
Note
With OpenVPN 2.0.9, revoking a user requires commenting out the last 7 lines of the openssl*.cnf file in the directory of the revoke script; otherwise revoking the user fails with an error. Version 2.2.2 does not have this problem.
After a user's certificate has been revoked, the server has to be restarted for the revocation to take effect.
[root@OpenVPN_001 2.0]# pwd
/etc/openvpn/2.0
[root@OpenVPN_001 2.0]# ls
build-ca build-key build-key-server clean-all list-crl openssl-0.9.8.cnf README vars
build-dh build-key-pass build-req inherit-inter Makefile openssl-1.0.0.cnf revoke-full vars.ori.2018-11-04
build-inter build-key-pkcs12 build-req-pass keys openssl-0.9.6.cnf pkitool sign-req whichopensslcnf
[root@OpenVPN_001 2.0]# tail -7 openssl-1.0.0.cnf

[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
PIN = $ENV::PKCS11_PIN
init = 0
[root@OpenVPN_001 2.0]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/2.0/keys
[root@OpenVPN_001 2.0]# cat keys/index.txt
V 281031223314Z 01 unknown /C=CN/ST=SD/L=QD/O=zzjlogin/OU=zzjlogin/CN=openvpn_server/name=zzjlogin/emailAddress=admin@display.tk
V 281112111717Z 02 unknown /C=CN/ST=SD/L=QD/O=zzjlogin/OU=zzjlogin/CN=user001/name=zzjlogin/emailAddress=admin@display.tk
V 281112113519Z 03 unknown /C=CN/ST=SD/L=QD/O=zzjlogin/OU=zzjlogin/CN=user101/name=zzjlogin/emailAddress=admin@display.tk
V 281112123710Z 04 unknown /C=CN/ST=SD/L=QD/O=zzjlogin/OU=zzjlogin/CN=user002/name=zzjlogin/emailAddress=admin@display.tk
[root@OpenVPN_001 2.0]# cat keys/index.txt.attr
unique_subject = yes
[root@OpenVPN_001 2.0]# ./revoke-full user002
Using configuration from /etc/openvpn/2.0/openssl-1.0.0.cnf
Revoking Certificate 04.
Data Base Updated
Using configuration from /etc/openvpn/2.0/openssl-1.0.0.cnf
user002.crt: C = CN, ST = SD, L = QD, O = zzjlogin, OU = zzjlogin, CN = user002, name = zzjlogin, emailAddress = admin@display.tk
error 8 at 0 depth lookup:CRL signature failure
140421920585544:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:217:
[root@OpenVPN_001 2.0]# cat keys/index.txt
V 281031223314Z 01 unknown /C=CN/ST=SD/L=QD/O=zzjlogin/OU=zzjlogin/CN=openvpn_server/name=zzjlogin/emailAddress=admin@display.tk
V 281112111717Z 02 unknown /C=CN/ST=SD/L=QD/O=zzjlogin/OU=zzjlogin/CN=user001/name=zzjlogin/emailAddress=admin@display.tk
V 281112113519Z 03 unknown /C=CN/ST=SD/L=QD/O=zzjlogin/OU=zzjlogin/CN=user101/name=zzjlogin/emailAddress=admin@display.tk
R 281112123710Z 181115123756Z 04 unknown /C=CN/ST=SD/L=QD/O=zzjlogin/OU=zzjlogin/CN=user002/name=zzjlogin/emailAddress=admin@display.tk

[root@OpenVPN_001 2.0]# cp -ap keys/crl.pem /etc/openvpn/keys/
Add the following to /etc/openvpn/server.conf:
crl-verify keys/crl.pem
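The index.txt shown above is the CA database easy-rsa maintains: one tab-separated line per issued certificate with the status (V valid, R revoked, E expired), expiry time, revocation time (empty unless revoked), serial, an unused file field, and the subject DN. This added example, written for this page rather than taken from it or from OpenVPN, answers the two questions that matter after a revocation: what the database says about a given CN, and whether the crl.pem copied to /etc/openvpn/keys is at least as new as the database (cp -ap keeps timestamps, so a CRL older than index.txt means the revocation has not been published to the server). The script name is hypothetical and the sample database in the test is constructed from the entries shown on the page.

```shell
#!/bin/sh
# Added example, not from the original page: query the easy-rsa CA database
# (keys/index.txt) and check that the published CRL is not behind it.
# Usage (hypothetical name):
#   sh ca_db.sh /etc/openvpn/2.0/keys/index.txt /etc/openvpn/keys/crl.pem

# cert_status INDEX CN: print V, R or E for the entry whose subject has CN=<cn>,
# or "absent" when no certificate with that CN was ever issued.
cert_status() {
    awk -F '\t' -v cn="$2" '
        {
            n = split($6, parts, "/")
            for (i = 1; i <= n; i++)
                if (parts[i] == "CN=" cn) { print $1; found = 1; exit }
        }
        END { if (!found) print "absent" }' "$1"
}

# revoked_cns INDEX: list the CNs of every revoked certificate, one per line.
revoked_cns() {
    awk -F '\t' '$1 == "R" {
        n = split($6, parts, "/")
        for (i = 1; i <= n; i++) if (parts[i] ~ /^CN=/) print substr(parts[i], 4)
    }' "$1"
}

# crl_current INDEX CRL: returns 0 when CRL exists and is not older than the
# database; a newer index.txt means a revocation the server has not seen yet.
crl_current() {
    [ -f "$2" ] || { echo "no CRL at $2" >&2; return 1; }
    if [ "$1" -nt "$2" ]; then
        echo "CRL $2 is older than $1: revocation not yet published" >&2
        return 1
    fi
    return 0
}

# Report only when both paths are given on the command line.
if [ $# -eq 2 ]; then
    echo "revoked:"
    revoked_cns "$1"
    crl_current "$1" "$2" && echo "CRL is current"
fi
```

Running it against the page's database prints user002 as revoked; if the copy to /etc/openvpn/keys was forgotten after a later revoke-full, crl_current reports the stale CRL instead of letting the revoked client keep connecting.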
17.2.8. Starting OpenVPN
17.2.8.1. Default start method for a source install
17.2.8.2. Adding the chkconfig service
[root@OpenVPN_001 2.0]# cp /data/tools/openvpn-2.2.2/sample-scripts/openvpn.init /etc/init.d/openvpn
[root@OpenVPN_001 2.0]# chmod 755 /etc/init.d/openvpn
[root@OpenVPN_001 2.0]# ll /etc/init.d/openvpn
-rwxr-xr-x. 1 root root 5481 Nov 15 19:51 /etc/init.d/openvpn
Note
If there are several .conf files under /etc/openvpn/, line 148 of the /etc/init.d/openvpn script has to be changed
to for c in `/bin/ls server.conf 2>/dev/null`; do , or every .conf file other than the OpenVPN server configuration has to be moved to another directory.