openvpn实际测试文档Word文档格式.docx (OpenVPN hands-on test document, Word format)
- Document ID: 6818379
- Upload date: 2023-05-07
- Format: DOCX
- Pages: 26
- Size: 263.63KB
Starting OpenVPN
- 6.1 Manual start
- 6.2 systemd service configuration
- 6.3 Letting NetworkManager start the connection
- 6.4 Gnome configuration
- 7 See also
Download link: http://swupdate.openvpn.org/community/releases/
openvpn-2.3 does not ship with easy-rsa
openvpn-2.2 ships with easy-rsa
Depends on LZO
Architecture:
The network topology is a star, so the VPN server will clearly have many clients talking to it, which puts the server's stability to the test. The server is therefore defined as a high-performance, highly available VPN hardware appliance, while the other clients can be implemented directly on Linux with open-source software.
Architecture diagram:
Implementation:
Adjust the configuration as needed, then build and install:
./configure && make && make install
[root@bs038 openvpn-2.2.2]# mkdir /etc/openvpn
[root@bs038 openvpn-2.2.2]# cp -R /home/work/install/openvpn-2.2.2/easy-rsa /etc/openvpn
Make the easy-rsa variables take effect:
source vars
A notice is printed; first delete any keys left over from earlier runs:
./clean-all
Generate the root CA certificate:
./build-ca
cnni
The keys end up in keys/, where ca.crt and ca.key can now be seen.
Generate the Diffie-Hellman file for the server; it is needed later when configuring the OpenVPN server:
./build-dh
Generate the server certificate and key:
[root@bs038 2.0]# ./build-key-server 218.241.108.38
Generating a 1024 bit RSA private key
........++++++
................................++++++
writing new private key to '218.241.108.38.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [SHANGHAI]:
Organization Name (eg, company) [xiejieling#gmaildotcom]:
Organizational Unit Name (eg, section) [changeme]:CNNIC
Common Name (eg, your name or your server's hostname) [218.241.108.38]:
Name [changeme]:cnnic
Email Address [mail@host.domain]:xiejieling#

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-f
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SH'
localityName          :PRINTABLE:'SHANGHAI'
organizationName      :T61STRING:'xiejieling#gmaildotcom'
organizationalUnitName:PRINTABLE:'CNNIC'
commonName            :PRINTABLE:'218.241.108.38'
name                  :PRINTABLE:'cnnic'
emailAddress          :IA5STRING:'xiejieling#'
Certificate is to be certified until Mar 22 03:53:10 2026 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@bs038 2.0]#
Generate the client certificate; the certificate produced here has to be distributed to the client:
[root@bs038 2.0]# ./build-key champion.xie
......++++++
..........................++++++
writing new private key to 'champion.xie.key'
[...]
Common Name (eg, your name or your server's hostname) [champion.xie]:
[...]
commonName            :PRINTABLE:'champion.xie'
[...]
Certificate is to be certified until ... 55:50 2026 GMT (3650 days)
[...]
Files generated under keys/:
The key size set in the vars file determines the name of the generated DH file (here dh1024.pem).
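Before pointing the server configuration at the files in keys/, it is worth confirming that the CA, server certificate and server key actually belong together. The script below is an added example, not part of the original document; it assumes the openssl command-line tool is installed, and the throwaway CA and certificate it generates are constructed stand-ins for easy-rsa's output.

```shell
# Added example, not from the original document: check the files easy-rsa
# wrote to keys/ before pointing server.conf at them. Requires the openssl CLI.
# check_pki CA_CRT CERT KEY: 0 = usable; 1 = cert not signed by CA;
# 2 = private key does not belong to cert; 3 = cert already expired.
check_pki() {
    ca=$1; crt=$2; key=$3
    # Does the CA in "ca" (the build-ca output) actually sign this certificate?
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "FAIL $crt is not signed by $ca"; return 1; }
    # Compare RSA moduli: the cert and key lines must name a matching pair
    cm=$(openssl x509 -noout -modulus -in "$crt" | openssl sha256)
    km=$(openssl rsa  -noout -modulus -in "$key" 2>/dev/null | openssl sha256)
    [ "$cm" = "$km" ] || { echo "FAIL $key does not match $crt"; return 2; }
    # easy-rsa signs for 3650 days, but a stale keys/ directory may hold old certs
    openssl x509 -noout -checkend 0 -in "$crt" >/dev/null \
        || { echo "FAIL $crt has expired"; return 3; }
    echo "OK $crt chains to $ca and matches $key"
}

# Constructed throwaway PKI standing in for easy-rsa's keys/ directory
# (same shape: a self-signed CA, and a server cert issued by it).
PKI=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj '/CN=test-ca' \
    -keyout "$PKI/ca.key" -out "$PKI/ca.crt" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj '/CN=218.241.108.38' \
    -keyout "$PKI/server.key" -out "$PKI/server.csr" 2>/dev/null
openssl x509 -req -days 3650 -in "$PKI/server.csr" -CA "$PKI/ca.crt" \
    -CAkey "$PKI/ca.key" -CAcreateserial -out "$PKI/server.crt" 2>/dev/null
# An unrelated CA: a cert must not be accepted just because some CA file exists
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj '/CN=other-ca' \
    -keyout "$PKI/other.key" -out "$PKI/other.crt" 2>/dev/null

check_pki "$PKI/ca.crt"    "$PKI/server.crt" "$PKI/server.key"   # OK
check_pki "$PKI/other.crt" "$PKI/server.crt" "$PKI/server.key"   # FAIL: wrong CA
check_pki "$PKI/ca.crt"    "$PKI/server.crt" "$PKI/other.key"    # FAIL: wrong key
```

Run the same three-argument call against the real ca.crt, server certificate and key from keys/; a non-zero return tells you which of the three relationships is broken.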
[root@bs038 sample-config-files]# cd /home/work/install/openvpn-2.2.2/sample-config-files
[root@bs038 sample-config-files]# cp server.conf /etc/
Add a private address to each machine.
On the OpenVPN server:
ip addr add 10.10.8.1/24 dev lo:1
On the OpenVPN client:
ip addr add 10.10.7.1/24 dev lo:1
Configuration file changes
1. Change proto udp to proto tcp, i.e. the service starts on TCP port 1194.
2. Change the four ca-related lines to the form below (remember to write absolute paths):
ca /root/openvpn-2.2.0/easy-rsa/2.0/keys/ca.crt
cert /root/openvpn-2.2.0/easy-rsa/2.0/keys/server.crt
key /root/openvpn-2.2.0/easy-rsa/2.0/keys/server.key
dh /root/openvpn-2.2.0/easy-rsa/2.0/keys/dh1024.pem
ca is followed by the root CA certificate generated by build-ca; it is what the server uses to check whether a client certificate is valid. Note that build-key-server above was run with the name 218.241.108.38, so easy-rsa wrote 218.241.108.38.crt and 218.241.108.38.key into keys/; cert and key must point at the files that were actually generated.
3. Change the server line to:
server 10.10.8.0 255.255.255.0
This is the subnet the OpenVPN server allocates to the VPN network when it starts; make sure it does not collide with any public IP addresses.
4. Change verb 3 to verb 5.
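A quick way to confirm that a server.conf carries three of the four edits above (everything except the verb level) is the check script below. It is an added example, not part of the original document; the two sample configs it writes are constructed, using the document's own paths and subnet.

```shell
# Added example (not from the original document): check that a server.conf carries
# the document's proto, path and subnet edits. The sample configs are constructed.

# check_server_conf FILE: print one OK/FAIL line per check and return the number
# of failed checks (0 means the config matches the document's recommendations).
check_server_conf() {
    conf="$1"; fails=0
    # 1. proto must be tcp (the document changes "proto udp" to "proto tcp")
    if grep -Eq '^proto[[:space:]]+tcp' "$conf"; then
        echo "OK   proto tcp"
    else
        echo "FAIL proto is not tcp"; fails=$((fails + 1))
    fi
    # 2. ca / cert / key / dh must be absolute paths, as the document insists
    for k in ca cert key dh; do
        v=$(awk -v k="$k" '$1 == k { print $2; exit }' "$conf")
        case "$v" in
            /*) echo "OK   $k is absolute ($v)" ;;
            "") echo "FAIL $k is missing"; fails=$((fails + 1)) ;;
            *)  echo "FAIL $k is a relative path ($v)"; fails=$((fails + 1)) ;;
        esac
    done
    # 3. the VPN subnet must be private (RFC 1918) so it cannot collide with
    #    public addresses, which is the warning attached to the "server" line
    net=$(awk '$1 == "server" { print $2; exit }' "$conf")
    case "$net" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
            echo "OK   server subnet $net is private" ;;
        *)  echo "FAIL server subnet '$net' is not RFC 1918"; fails=$((fails + 1)) ;;
    esac
    return "$fails"
}

# Constructed sample: server.conf as the document leaves it after its edits.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
proto tcp
ca /root/openvpn-2.2.0/easy-rsa/2.0/keys/ca.crt
cert /root/openvpn-2.2.0/easy-rsa/2.0/keys/server.crt
key /root/openvpn-2.2.0/easy-rsa/2.0/keys/server.key
dh /root/openvpn-2.2.0/easy-rsa/2.0/keys/dh1024.pem
server 10.10.8.0 255.255.255.0
EOF
# Constructed sample: the unedited defaults (udp, relative paths, no dh line).
BAD_CONF=$(mktemp)
printf 'proto udp\nca ca.crt\ncert server.crt\nkey server.key\nserver 10.8.0.0 255.255.255.0\n' > "$BAD_CONF"

check_server_conf "$GOOD_CONF"; echo "good config: $? failure(s)"   # 0
check_server_conf "$BAD_CONF";  echo "bad config: $? failure(s)"    # 5
```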
For system testing:
ip addr add 10.10.8.3/24 dev eth0
Ping 10.10.8.3 from another machine; if this address can be reached after logging in to the VPN, the VPN connection is working.
Enable IP forwarding on the system:
echo "1" > /proc/sys/net/ipv4/ip_forward
Start the VPN service:
/usr/local/openvpn/sbin/openvpn --config /etc/server.conf &
[root@bs038 2.0]# /usr/local/sbin/openvpn --config /etc/server.conf &
[1] 50732
OpenVPN then prints its current parameter settings (proto, dev, ifconfig addresses, timeouts and so on) to the terminal.