openvpn安装笔记

Centos5.5openVPN部署笔记Vpnserver内网IP192.168.0.2401、安装需要支持的软件lzo、openssl和libpam如果是yum的话要yumdevel版本的源码包的话直接编译安装openssl和pam我直接yum的（很久之前的事情了...）yuminstallopenssl-develyuminstallpam-devel下面是lzo压缩算法的安装，不安的话configure的时候就会提示configure:error:lzoenabledbutmissing[root@03_29downloads]#wget[root@03_29downloads]#tar-zxvflzo-2.06.tar.gz[root@03_29downloads]#cdlzo-2.06[root@03_29lzo-2.06]#./configure--prefix=/usr/local(本来想安到opt的但又懒得去软连接所以直接弄这里好了)[root@03_29lzo-2.06]#make&&makeinstall2、安装OpenVPN2.3.0先下个源码包回来--openvpn.net上有但是那个网站被墙了挂代理去搞一记好了我用的2.3.0版本然后就是解压缩什么的准备配置编译安装openvpn[root@03_29openvpn-2.3.0]#tar-zxvfopenvpn-2.3.0.tar.gz[root@03_29openvpn-2.3.0]#cdopenvpn-2.3.0[root@03_29openvpn-2.3.0]#./configure--prefix=/opt/openvpn[root@03_29openvpn-2.3.0]#make&&makeinstall下载好easy-rsa之后新建目录/etc/openvpn:[root@04_29easy-rsa-master]#mkdir/etc/openvpn再把easy-rsa搞到（cp复制过去）这个文件夹中unzipeasy-rsa-master.zipmkdir-p/etc/openvpncp-Reasy-rsa-master/etc/openvpn/easy-rsacd/etc/openvpn/easy-rsa[root@DB02openvpn]#cd/etc/openvpn/[root@DB02openvpn]#lseasy-rsaserver.conf[root@DB02openvpn]#cdeasy-rsa/[root@DB02easy-rsa]#pwd/etc/openvpn/easy-rsa[root@DB02easy-rsa]#lltotal12drwxr-xr-x2rootroot4096Feb813:451.0drwxr-xr-x3rootroot4096Feb813:472.0drwxr-xr-x2rootroot4096Feb813:45Windows然后进入这个文件夹：[root@DB02easy-rsa]#cd2.0/[root@DB022.0]#pwd/etc/openvpn/easy-rsa/2.0看看这个文件夹里面的东西~[root@DB022.0]#lltotal116-rwxr-xr-x1rootroot119Feb813:45build-ca-rwxr-xr-x1rootroot352Feb813:45build-dh-rwxr-xr-x1rootroot188Feb813:45build-inter-rwxr-xr-x1rootroot163Feb813:45build-key-rwxr-xr-x1rootroot157Feb813:45build-key-pass-rwxr-xr-x1rootroot249Feb813:45build-key-pkcs12-rwxr-xr-x1rootroot268Feb813:45build-key-server-rwxr-xr-x1rootroot213Feb813:45build-req-rwxr-xr-x1rootroot158Feb813:45build-req-pass-rwxr-xr-x1rootroot449Feb813:45clean-all-rwxr-xr-x1rootroot1471Feb813:45inherit-interdrwx------2rootroot4096Feb814:00keys-rwxr-xr-x1rootroot302Feb813:45list-crl-rw-r--r--1rootroot7791Feb813:45openssl-0.9.6.cnf-rw-r--r--1rootroot8348Feb813:45openssl-0.9.8.cnf-rw-r--r--1rootroot8245Feb813:45openssl-1.0.0.cnf-rwxr-xr-x1rootroot12984Feb813:45pkitool-rwxr-xr-x1rootroot928Feb813:45revoke-full-rwxr-xr-x1rootroot178Feb813:45sign-req-rw-r--r--1rootroot2081Feb813:47vars-rwxr-xr-x1rootroot740Feb813:45whichopensslcnf一大堆东西哈哈~~~都是相关证书什么的生成脚本~4、生成CA证书修改vars文件[root@DB022.0]#vivarsexportKEY_COUNTRY=CNexportKEY_PROVINCE=LNexportKEY_CITY=energyshluoexportKEY_ORG=Fort-FunstonexportKEY_EMAIL=linzhi.luo@energysh.comexportKEY_OU=MyOrganizationalUnit这一部分按照自己的情况来填啦0.0修改完成后保存退出然后：[root@DB022.0]#source./varsNOTE:Ifyourun./clean-all,Iwillbedoingarm-rfon/etc/openvpn/easy-rsa/2.0/keys当然在这一步之前如果执行./clean-all和./build-ca两条命令的话将会出现以下提示：[root@DB022.0]#./clean-allPleasesourcethevarsscriptfirst(i.e.source./vars)Makesureyouhaveeditedittoreflectyourconfiguration.[root@DB022.0]#./build-caPleaseeditthevarsscripttoreflectyourconfiguration,thensourceitwithsource./vars.Next,tostartwithafreshPKIconfigurationandtodeleteanypreviouscertificatesandkeys,run./clean-all.Finally,youcanrunthistool(pkitool)tobuildcertificates/keys.大意就是说修改好vars之后执行source./vars然后才能执行这些好了回到执行source./vars上面来，之后执行./clean-all这是为了针对已经有了keys/而想用改写的vars重新生成证书的情况而执行的第一次安的话不执行也好[root@DB022.0]#./clean-all然后执行./build-ca生成证书：[root@DB022.0]#./build-caGeneratinga2048bitRSAprivatekey.............+++.................................+++writingnewprivatekeyto'ca.key'-----Youareabouttobeaskedtoenterinformationthatwillbeincorporatedintoyourcertificaterequest.WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN.TherearequiteafewfieldsbutyoucanleavesomeblankForsomefieldstherewillbeadefaultvalue,Ifyouenter'.',thefieldwillbeleftblank.-----CountryName(2lettercode)[CN]:StateorProvinceName(fullname)[LN]:LocalityName(eg,city)[ShenYang]:OrganizationName(eg,company)[PlanetMiao]:OrganizationalUnitName(eg,section)[PlanetMiaoTeam_planetmiao.com]:CommonName(eg,yournameoryourserver'shostname)[PlanetMiaoCA]:Name[EasyRSA]:EmailAddress[hymeldon@163.com]:[root@04_292.0]#这样一直回车就好或者输入些想输入的什么的…即可结束keys的初始化看下keys/中都有些什么文件：[root@DB022.0]#cdkeys[root@DB022.0keys]#lltotal12-rw-r--r--1rootroot1814Mar2515:25ca.crt-rw-------1rootroot1704Mar2515:25ca.key-rw-r--r--1rootroot0Mar2515:23index.txt-rw-r--r--1rootroot3Mar2515:23serial5、生成DH文件下面是生成DH文件，执行./build-dh：[root@04_292.0]#./build-dhGeneratingDHparameters,2048bitlongsafeprime,generator2Thisisgoingtotakealongtime..................................................................+..............................................................................................................+..............................................+.............................................................................................................................................................................................................................................+..............+...+....................................................+..................+......................................