asterCC, hosted call center solution based on Asterisk
======How to set up OpenVPN on an astercc system======

VPN server: CentOS 6.6 (Final) with astercc installed; the VPS IP is 8.38.33.10

VPN client: Windows 7 with OpenVPN-GUI; its IP is 192.168.1.226

=====Step 1: install OpenVPN and all required software on the VPS=====

====Install the EPEL repository====

<code>
wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
</code>
<code>
rpm -Uvh epel-release-6-8.noarch.rpm
</code>

====Install OpenVPN====

This also pulls in lzo and pkcs11-helper.
<code>
yum install openvpn
</code>

====Install Easy-RSA====

This package is used to create the CA certificate, the server certificate and the client certificates. The version used here is easy-rsa3.
<code>
wget https://github.com/OpenVPN/easy-rsa/archive/master.zip
</code>
<code>
unzip master.zip
</code>
After unzipping, rename the resulting easy-rsa-master folder to easy-rsa:
<code>
mv easy-rsa-master/ easy-rsa/
</code>
Then copy the easy-rsa folder into /etc/openvpn/:
<code>
cp -R easy-rsa/ /etc/openvpn/
</code>

====Install unzip and zip====

If "unzip master.zip" in the Easy-RSA step fails with "-bash: unzip: command not found", install the tools first.

On a Debian system, run:
<code>
apt-get install -y zip unzip
</code>
On a CentOS system, run:
<code>
yum -y install zip unzip
</code>

=====Step 2: edit the vars file for your environment=====

First change into /etc/openvpn/easy-rsa/easyrsa3:
<code>
cd /etc/openvpn/easy-rsa/easyrsa3/
</code>
Then, in that directory, copy vars.example to vars:
<code>
cp vars.example vars
</code>
Finally, edit the fields below to match your VPS (run vi vars, make the changes, then :wq to save and quit). Note: lines starting with ";" or "#" are comments, but ";" is used to comment out optional settings.
<code>
set_var EASYRSA_REQ_COUNTRY  "CN"
set_var EASYRSA_REQ_PROVINCE "Liaoning"
set_var EASYRSA_REQ_CITY     "Dalian"
set_var EASYRSA_REQ_ORG      "Astercc Org"
set_var EASYRSA_REQ_EMAIL    "liuxl@astercc.com"
set_var EASYRSA_REQ_OU       "Support Unit"
</code>

=====Step 3: create the server certificate and key=====

First, change into /etc/openvpn/easy-rsa/easyrsa3/ and initialise the PKI:
<code>
cd /etc/openvpn/easy-rsa/easyrsa3/
</code>
<code>
./easyrsa init-pki
</code>
Then create the root CA certificate; enter and confirm a pass phrase, then enter a common name:
<code>
./easyrsa build-ca
</code>
The output looks like this:
<code>
[root@astercc1 easyrsa3]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.............................................................+++
...........................................+++
writing new private key to '/etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
</code>
Note: here you must enter the PEM pass phrase twice. You must remember this pass phrase, otherwise you will not be able to sign certificates later. You also enter a common name; choose any unique name you like. I entered: server.

Next, create the server certificate request and enter its Common Name:
<code>
./easyrsa gen-req server nopass
</code>
<code>
[root@astercc1 easyrsa3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.........+++
.....+++
writing new private key to '/etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key
</code>
During this step you are asked for a common name; pressing Enter accepts the default: server.

Sign the server certificate:
<code>
./easyrsa sign server server
</code>
<code>
[root@astercc1 easyrsa3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: ./vars

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = server

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'server'
Certificate is to be certified until May 30 05:45:15 2025 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt
</code>
During this command you must type yes to confirm, and you must also provide the pass phrase chosen when the CA was created. If you have forgotten it, start Step 3 again from ./easyrsa init-pki.

Finally, generate the Diffie-Hellman parameters, which protect the key exchange when it crosses an untrusted network. This command can run for a long time; be patient and do not interrupt it:
<code>
./easyrsa gen-dh
</code>

=====Step 4: create the client certificate=====

First, create a client folder under /root (the folder name is up to you), copy the easy-rsa tree installed in Step 1 into it, and change into its easyrsa3 directory:
<code>
cd /root/
mkdir client
cp -R /etc/openvpn/easy-rsa/ /root/client/   # the easy-rsa tree installed in Step 1
cd /root/client/easy-rsa/easyrsa3/
</code>
Then initialise the PKI:
<code>
./easyrsa init-pki
</code>
Create the client key and certificate request (remember the pass phrase you enter here):
<code>
./easyrsa gen-req andy    # the name is your own choice
</code>
Then import the resulting andy.req on the server side and sign it:

a. Change into /etc/openvpn/easy-rsa/easyrsa3/
<code>
cd /etc/openvpn/easy-rsa/easyrsa3/
</code>
b. Import the request
<code>
./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/andy.req andy
</code>
c. Sign the certificate
<code>
./easyrsa sign client andy
</code>
Because this is a client certificate the type must be client, and andy must match the name used when importing. Signing works the same way as for the server, so no screenshot is shown here, but you will again be asked for the CA pass phrase.

This last part is important, so here is a summary of what has been generated so far.

Server side (the /etc/openvpn/easy-rsa folder):
<code>
/etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
/etc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
/etc/openvpn/easy-rsa/easyrsa3/pki/reqs/andy.req
/etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key
/etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key
/etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt
/etc/openvpn/easy-rsa/easyrsa3/pki/issued/andy.crt
/etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem
</code>
Client side (the /root/client/easy-rsa folder):
<code>
/root/client/easy-rsa/easyrsa3/pki/private/andy.key
/root/client/easy-rsa/easyrsa3/pki/reqs/andy.req   # this file was imported into the server tree, so a copy exists there too
</code>

a. Copy these files into place. Put the following files into /etc/openvpn/ by running:
<code>
cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /etc/openvpn
cp /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key /etc/openvpn
cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt /etc/openvpn
cp /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem /etc/openvpn
</code>
This places the four files above in /etc/openvpn.

b. Put the following files into /root/client by running:
<code>
cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /root/client
cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/andy.crt /root/client
cp /root/client/easy-rsa/easyrsa3/pki/private/andy.key /root/client
</code>
This copies three files into /root/client: ca.crt, andy.crt and andy.key.

=====Step 5: write the server configuration file=====

When OpenVPN is installed it ships a sample server configuration, server.conf, under /usr/share/doc/openvpn-2.3.6/sample/sample-config-files. Copy this file to /etc/openvpn:
<code>
cp /usr/share/doc/openvpn-2.3.6/sample/sample-config-files/server.conf /etc/openvpn
</code>
Then edit the configuration (vi server.conf) as follows:
<code>
local 192.168.1.178        # must match your own VPS IP
port 1194
dev tun
proto udp
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key  # This file should be kept secret
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0   # if this does not work, try the server's 192.168.1.219 address instead
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"   # redirect the client's default gateway through the VPN
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
verb 3
</code>
Every directive in the sample file comes with a long explanation. All of the settings above are already present in the server.conf that OpenVPN provides; we only need to remove the leading # (or ;) and adjust the values for our own environment.

====Enable IP forwarding in the kernel====

<code>
[root@vpn ~]# vim /etc/sysctl.conf
</code>
Change
<code>
net.ipv4.ip_forward = 0
</code>
to
<code>
net.ipv4.ip_forward = 1
</code>
then reload and verify:
<code>
[root@vpn ~]# sysctl -p
[root@vpn ~]# sysctl -a | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1
</code>

====Masquerade outgoing packets (eth0 is the VPS's external network interface)====

<code>
/sbin/iptables -t nat -I POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE
</code>

=====Step 6: download and configure the OpenVPN client=====

=====Step 7: testing and troubleshooting=====

{{:zh:实际案例指导:win7上的openvpn.jpg?700|}}
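Before starting the daemon it is worth checking that the layout built in Steps 4 and 5 is consistent: that server.conf points at files that really exist, that the private key is not readable by other users, and that forwarding is enabled in sysctl.conf (without it the pushed redirect-gateway leaves clients with no connectivity). The script below is an added example, not code from the astercc wiki or from the OpenVPN project; the function names conf_value, check_server_conf, forwarding_enabled and demo are my own, it assumes POSIX sh with GNU coreutils (stat -c), and it takes the config paths as arguments instead of assuming /etc/openvpn. The demo runs against a constructed temporary layout with placeholder files, not real keys.

```shell
#!/bin/sh
# Added example (not from the astercc page or the OpenVPN project): pre-flight
# checks for an OpenVPN server layout like the one built in Steps 4 and 5.
# Assumptions: POSIX sh plus GNU coreutils (stat -c); paths passed as arguments.

# Print the first argument of a directive in an OpenVPN config file, ignoring
# anything after '#' or ';' (both are comment markers in OpenVPN configs).
conf_value() {
    cfile="$1"; name="$2"
    sed -e 's/[#;].*$//' "$cfile" | awk -v d="$name" '$1 == d { print $2; exit }'
}

# Check that ca/cert/key/dh are all present and point at existing files, and
# that the key file is mode 600 or 400 ("This file should be kept secret").
# Prints each problem found; returns 1 if there was any, 0 otherwise.
check_server_conf() {
    conf="$1"; rc=0
    for dir in ca cert key dh; do
        f=$(conf_value "$conf" "$dir")
        if [ -z "$f" ]; then
            echo "missing directive: $dir"; rc=1; continue
        fi
        # Assumption of this check: a relative path is taken relative to the
        # directory that holds the config file.
        case "$f" in /*) ;; *) f="$(dirname "$conf")/$f" ;; esac
        if [ ! -f "$f" ]; then
            echo "$dir: file not found: $f"; rc=1; continue
        fi
        if [ "$dir" = key ]; then
            mode=$(stat -c '%a' "$f")
            case "$mode" in
                600|400) ;;
                *) echo "key: $f is mode $mode, expected 600"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# Return 0 if the sysctl file sets net.ipv4.ip_forward = 1 (commented lines
# are ignored and the last assignment wins), 1 otherwise.
forwarding_enabled() {
    sed -e 's/#.*$//' "$1" | awk -F= '
        { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
        $1 == "net.ipv4.ip_forward" { v = $2 }
        END { exit (v == "1") ? 0 : 1 }'
}

# Self-contained demo on a constructed layout: placeholder files stand in for
# the real ca.crt/server.crt/server.key/dh.pem, and server.conf mirrors Step 5.
demo() {
    tmp=$(mktemp -d)
    for f in ca.crt server.crt server.key dh.pem; do
        echo "placeholder, constructed for the demo" > "$tmp/$f"
    done
    chmod 600 "$tmp/server.key"
    cat > "$tmp/server.conf" <<EOF
port 1194
proto udp
dev tun
ca $tmp/ca.crt
cert $tmp/server.crt
key $tmp/server.key  # This file should be kept secret
dh $tmp/dh.pem
;tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
EOF
    printf '# net.ipv4.ip_forward = 0\nnet.ipv4.ip_forward = 1\n' > "$tmp/sysctl.conf"
    check_server_conf "$tmp/server.conf" && forwarding_enabled "$tmp/sysctl.conf"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo && echo "constructed layout passes the pre-flight check"
```

On a real server you would call check_server_conf /etc/openvpn/server.conf and forwarding_enabled /etc/sysctl.conf instead of demo; a non-zero exit with the printed reason tells you which copy step from Step 4 or which edit from Step 5 was missed.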
Last modified: 2017/12/12 03:11 (external edit)