Linux为企业搭建稳固的SSL VPN服务

1、Linux为企业搭建稳固的SSL VPN服务Linux为企业搭建稳固的SSL VPN服务Linux为企业搭建稳固的SSL VPN服务资料仅供参考文件编号：2022年4月Linux为企业搭建稳固的SSL VPN服务版本号： A修改号： 1页 次： 1.0 审 核： 批 准: 发布日期： Linux为企业搭建稳固的SSL VPN服务作者：佚名出处：论坛2013-05-16 06:55一、OpenVPN是靠虚拟的TUN/TAP设备实现SSL VPN的，因此内核必须支持TUN/TAP设备模块，这个配置选项在内核中，位于Device Drivers -Network device support 菜单中

2、，全称是Universal TUN/TAP device driver support ，通常在标准内核 中，会以模块方式提供，在Open VPN启动时，它会自动加载此模块，因此不需要手工加载此模块。rootdic172 pwd/usr/src/kernels/rootdic172 make menuconfig #打开内核菜单Device Drivers Network device support Universal TUN/TAP device driver support #即表示以模块化加载到内核中二、在安装OpenVPN之前，还需要安装一些支持包，包括OpenSSL开发库和LZO压

3、缩开发库1、可使用yum安装OpenSSL开发库，但需要手工下载并安装LZO开发包。rootdic172 /# yum install opensslrootdic172 /# yum install openssl-devel2、可到 下载LZOrootdic172 src# tar zxvf rootdic172 src# cd rootdic172 # ./configurerootdic172 # makerootdic172 # make install三、配置SSL VPN服务1、到 release/ 下载并安装rootdic172 src# tar zxvf rootdic172

4、 src# cd rootdic172 ./configurerootdic172 makerootdic172 make installrootdic172 cp -p sample-scripts/ /etc/openvpnrootdic172 chkconfig -add openvpnrootdic172 service openvpn status #查看服务状态openvpn: service not startedrootdic172 chkconfig -level 235 openvpn onrootdic172 chkconfig -list openvpnopenvpn

5、0:off 1:off 2:on 3:on 4:on 5:on 6:off2、开启IP转发功能rootdic172 vi /etc/ = 1rootdic172 sysctl -p3、定义OpenVPN的配置目录为/etc/openvpn，把服务器配置文件定义为/etc/openvpn/OpenVPN是一个SSL VPN实现，因此，认证中最重要的是服务器和客户端的SSL证书管理，如果管理员之前没有SSL证书发布机制，那么可以使用OpenVPN附带的一组工具来完成所有的工作。在/usr/src/中，有一个easy-rsa目录，这下面就是一些一成和管理SSL证书的工具，以下为生成证书操作。root

6、dic172 mkdir -p /etc/openvpnrootdic172 cp -p sample-config-files/ /etc/openvpn/ #将样本配置文件复制到/etc/openvpn/，后面再做修改4、修改vars文件变量，设置国家代码、省份、地市、机构名单、单位名称邮件等rootdic172 cd easy-rsa/rootdic172 easy-rsa# grep -v # varsexport D=pwdexport KEY_CONFIG=$D/export KEY_DIR=$D/keysecho NOTE: when you run ./clean-all, I

7、 will be doing a rm -rf on $KEY_DIRexport KEY_SIZE=1024export KEY_COUNTRY=CNexport KEY_PROVINCE=GDexport KEY_CITY=SZexport KEY_ORG=DICexport KEY_EMAIL=rootdic172 easy-rsa# source varsNOTE: when you run ./clean-all, I will be doing a rm -rf on /usr/src/ #提示可使用./clean-all清除所有包括CA在内的所有证书5、使用clean-all脚本

8、清除包括CA在内的所有证书，再创建CA证书。rootdic172 easy-rsa# ./clean-all #先清除证书，再创建证书rootdic172 easy-rsa# ./build-ca #创建CA证书Generating a 1024 bit RSA private key+writing new private key to You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter

9、 is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter ., the field will be left blank.Country Name (2 letter code) CN:State or Province Name (full name) GD:Locality Name (eg, city) SZ:Organi

10、zation Name (eg, company) DIC:Organizational Unit Name (eg, section) :Common Name (eg, your name or your servers hostname) :dic172 #服务器主机名Email Address:6、创建服务器密钥。rootdic172 easy-rsa# ./build-key-server server #创建服务器端密钥Generating a 1024 bit RSA private key+writing new private key to You are about to

11、be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter ., the field will be lef

12、t blank.Country Name (2 letter code) CN:State or Province Name (full name) GD:Locality Name (eg, city) SZ:Organization Name (eg, company) DIC:Organizational Unit Name (eg, section) :Common Name (eg, your name or your servers hostname) :dic172 #服务器主机名Email Address:Please enter the following extra att

13、ributesto be sent with your certificate requestA challenge password :dic172An optional company name :dic172Using configuration from /usr/src/Check that the request matches the signatureSignature okThe Subjects Distinguished Name is as followscountryName :PRINTABLE:CNstateOrProvinceName :PRINTABLE:GD

14、localityName :PRINTABLE:SZorganizationName :PRINTABLE:DICcommonName :PRINTABLE:dic172emailAddress :IA5STRING:Certificate is to be certified until Jul 16 05:51:08 2021 GMT (3650 days)Sign the certificate y/n:y1 out of 1 certificate requests certified, commit y/nyWrite out database with 1 new entriesD

15、ata Base UpdatedNextPage7、创建客户端密钥，客户端密钥名可随意命名。rootdic172 easy-rsa# ./build-key clientGenerating a 1024 bit RSA private key+writing new private key to You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a

16、Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter ., the field will be left blank.Country Name (2 letter code) CN:State or Province Name (full name) GD:Locality Name (eg, city) SZ:Organization Name (eg, comp

17、any) DIC:Organizational Unit Name (eg, section) :Common Name (eg, your name or your servers hostname) :tgh #不同客户端，命名绝不能一样Email Address:Please enter the following extra attributesto be sent with your certificate requestA challenge password :dic172An optional company name :dic172Using configuration fr

18、om /usr/src/Check that the request matches the signatureSignature okThe Subjects Distinguished Name is as followscountryName :PRINTABLE:CNstateOrProvinceName :PRINTABLE:GDlocalityName :PRINTABLE:SZorganizationName :PRINTABLE:DICcommonName :PRINTABLE:tghemailAddress :IA5STRING:Certificate is to be ce

19、rtified until Jul 16 05:52:27 2021 GMT (3650 days)Sign the certificate y/n:y1 out of 1 certificate requests certified, commit y/nyWrite out database with 1 new entriesData Base Updated8、创建dhDiffie-Hellman ）密钥算法文件rootdic172 easy-rsa# ./build-dhGenerating DH parameters, 1024 bit long safe prime, gener

20、ator 2This is going to take a long time.+.+*+*+*9、生成 tls-auth 密钥 ，tls-auth密钥可以为点对点的VPN连接提供了进一步的安全验证，如果选择使用这一方式，服务器端和客户端都必须拥有该密钥文件。rootdic172 easy-rsa# openvpn -genkey -secret keys/rootdic172 easy-rsa# cp -rp keys/ /etc/openvpn/ #将证书文件复制到/etc/openvpn/10、修改配置文件rootdic172 openvpn# grep -v # local #服务器所使用的IPport 1194 #使用1194端口proto udp #使用UDP协议dev tun #使用tun设备ca /etc/openvpn/keys/ #指定CA证书文件路径cert /etc/openvpn/keys/dh /etc/openvpn/keys/tls-auth /etc/openvpn/keys/ 0server #VPN客户端拨入后，所获得的IP地址池ifconfig-pool-persist push dhcp-op