centos下安装openvpn服务端.docx

rootmi14 soft# cd /opt/softrootmi14 soft# wget/community/releases/openvpn-2.2.2.tar.gzrootmi14 soft# rpm -qa lzo lzo-devel openssl openssl-devel pam pam-devel pkcs11-helper pkcs11-helper-developenssl-devel-1.0.1e-30.el6_6.4.x86_64openssl-1.0.1e-30.el6_6.4.x86_64pam-1.1.1-13.el6.x86_64rootmi14 soft# yum install -y lzo*rootmi14 soft# rpmbuild -tb openvpn-2.2.2.tar.gzerror: Failed build dependencies: pam-devel is needed by openvpn-2.2.2-1.x86_64 pkcs11-helper-devel is needed by openvpn-2.2.2-1.x86_64提示缺少依赖包rootmi14 soft# yum install -y pam-devel*上传pkcs11-helper-1.08-1.el6.rf.x86_64.rpm和pkcs11-helper-devel-1.08-1.el6.rf.x86_64.rpm到/opt/soft/rootmi14 soft# rpm -ivh pkcs11-helper-*编译rootmi14 soft# rpmbuild -tb openvpn-2.2.2.tar.gz经过编译后，提示在/root/rpmbuild/RPMS/x86_64/ 目录下生成openvpn-2.2.2-1.i386.rpm，即可按正常的.rpm的安装方式安装openvpn，也可于用相同系统下的安装。rootmi14 x86_64#cd /root/rpmbuild/RPMS/x86_64rootmi14 x86_64# rpm -ivh openvpn-2.2.2-1.x86_64.rpm初始化PKIrootmi14 x86_64# cd /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/rootmi14 2.0# vi vars修改最后几行初始rootmi14 2.0# vi varsexport KEY_COUNTRY=USexport KEY_PROVINCE=CAexport KEY_CITY=SanFranciscoexport KEY_ORG=Fort-Funstonexport KEY_EMAIL=memyhost.mydomainexport KEY_EMAIL=mailhost.domainexport KEY_CN=changemeexport KEY_NAME=changemeexport KEY_OU=changemeexport PKCS11_MODULE_PATH=changemeexport PKCS11_PIN=1234改好的export KEY_COUNTRY=CNexport KEY_PROVINCE=GDexport KEY_CITY=BeiJingexport KEY_ORG=NetSky Studioexport KEY_EMAIL=export KEY_EMAIL=export KEY_CN=mi14export KEY_NAME=mi14export KEY_OU=mi14export PKCS11_MODULE_PATH=mi14export PKCS11_PIN=1234rootmi14 easy-rsa# cd /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/rootmi14 2.0# ./clean-allPlease source the vars script first (i.e. source ./vars)Make sure you have edited it to reflect your configuration.rootmi14 2.0# . varsNOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keysrootmi14 2.0# ./clean-all建CA证书rootmi14 2.0# ./build-caGenerating a 1024 bit RSA private key.+.+writing new private key to ca.key-You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter ., the field will be left blank.-Country Name (2 letter code) CN: 回车State or Province Name (full name) GD:回车Locality Name (eg, city) BeiJing:回车Organization Name (eg, company) NetSky Studio:回车Organizational Unit Name (eg, section) mi:回车Common Name (eg, your name or your servers hostname) mi14:mi14Name mi14:mi14Email Address :建服务端证书rootmi14 2.0# ./build-key-server serverGenerating a 1024 bit RSA private key.+.+writing new private key to server.key-You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter ., the field will be left blank.-Country Name (2 letter code) CN:回车State or Province Name (full name) GD:回车Locality Name (eg, city) BeiJing:回车Organization Name (eg, company) NetSky Studio:回车Organizational Unit Name (eg, section) mi14:mi14Common Name (eg, your name or your servers hostname) server:mi14Name mi14:mi14Email Address :Please enter the following extra attributesto be sent with your certificate requestA challenge password :mi123An optional company name :回车Using configuration from /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/fCheck that the request matches the signatureSignature okThe Subjects Distinguished Name is as followscountryName :PRINTABLE:CNstateOrProvinceName :PRINTABLE:GDlocalityName :PRINTABLE:BeiJingorganizationName :PRINTABLE:NetSky StudioorganizationalUnitName:PRINTABLE:mi14commonName :PRINTABLE:mi14name :PRINTABLE:mi14emailAddress :IA5STRING:Certificate is to be certified until Jan 2 03:28:44 2025 GMT (3650 days)Sign the certificate? y/n:y1 out of 1 certificate requests certified, commit? y/nyWrite out database with 1 new entriesData Base Updated建mi6客户端证书rootmi14 2.0# ./build-key mi6Generating a 1024 bit RSA private key.+.+writing new private key to mi6.key-You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter ., the field will be left blank.-Country Name (2 letter code) CN:回车State or Province Name (full name) GD:回车Locality Name (eg, city) BeiJing:回车Organization Name (eg, company) NetSky Studio:回车Organizational Unit Name (eg, section) mi14:回车Common Name (eg, your name or your servers hostname) mi6:mi6Name mi:mi6Email Address :Please enter the following extra attributesto be sent with your certificate requestA challenge password :mi123An optional company name :回车Using configuration from /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/fCheck that the request matches the signatureSignature okThe Subjects Distinguished Name is as followscountryName :PRINTABLE:CNstateOrProvinceName :PRINTABLE:GDlocalityName :PRINTABLE:BeiJingorganizationName :PRINTABLE:NetSky StudioorganizationalUnitName:PRINTABLE:mi14commonName :PRINTABLE:mi6name :PRINTABLE:mi6emailAddress :IA5STRING:Certificate is to be certified until Jan 2 03:31:11 2025 GMT (3650 days)Sign the certificate? y/n:y1 out of 1 certificate requests certified, commit? y/nyWrite out database with 1 new entriesData Base Updatedrootmi14 2.0# ./build-dhGenerating DH parameters, 1024 bit long safe prime, generator 2This is going to take a long time.+.+.+.+rootmi14 openvpn# mkdir serverrootmi14 openvpn# cp /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys/* /etc/openvpn/server/rootmi14 openvpn# cp /usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/server/rootmi14 openvpn# cd server/rootmi14 server# cp ser* /etc/openvpn/rootmi14 server# cp index.txt* /etc/openvpn/rootmi14 server# cp mi6.* /etc/openvpn/rootmi14 server# cp dh1024.pem /etc/openvpn/rootmi14 server# cp 0* /etc/openvpn/rootmi14 server# mv ca.crt /etc/openvpn/ca1.crtrootmi14 server# mv ca.key /etc/openvpn/ca1.keyrootmi14 2.0# cd /etc/openvpn/rootmi14 op