# Installation steps, run as root.
su - root
# The EPEL release package is fetched over plain HTTP, which gives no
# integrity guarantee by itself; check the package signature before relying
# on it (rpm -K / rpm --checksig). The EPEL signing key is presumably not
# imported yet at this point, so rpm itself would only warn (NOKEY).
rpm -ivh http://mirror01.idc.hinet.net/EPEL/6/x86_64/epel-release-6-8.noarch.rpm
# Build prerequisites: kernel and OpenSSL headers, compiler, rpm tooling.
yum install kernel-devel openssl-devel gcc rpm-build
# OpenVPN build/runtime dependencies plus easy-rsa (the CA tooling used below).
yum install lzo-devel pam-devel pkcs11-helper-devel openvpn easy-rsa
# Create the TUN device node by hand and load the driver. The mknod step is
# normally only required where udev does not provide /dev/net/tun (some
# container setups); presumably a no-op on a regular CentOS 6 host.
mknod /dev/net/tun c 10 200
modprobe tun
# Turn on IPv4 forwarding for the running kernel ...
echo 1 > /proc/sys/net/ipv4/ip_forward
# ... and make it persistent across reboots (sysctl.conf excerpt follows).
vi /etc/sysctl.conf
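# /etc/sysctl.conf (excerpt) — boot-time counterpart of the
# "echo 1 > /proc/sys/net/ipv4/ip_forward" step; applied by sysctl -p.
# Controls IP packet forwarding
net.ipv4.ip_forward = 1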
# Edit the persistent firewall rule set (iptables-save format on CentOS 6);
# the rule file content is shown next.
vi /etc/sysconfig/iptables
# /etc/sysconfig/iptables — masquerade the VPN subnet out through eth0,
# forward freely to/from the tunnel, and expose only 22, 80 and 443 inbound.
*nat
# Source-NAT everything leaving via eth0, so VPN clients reach the outside
# with the server's address. Assumes eth0 is the external interface — adjust.
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
# Unrestricted forwarding to and from the tunnel: every VPN client can reach
# anything this host routes to. Narrow by destination if that is not wanted
# (client-to-client traffic is switched inside OpenVPN, not by these rules).
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -o tun0 -j ACCEPT
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# SSH open to any source; restrict with -s to known ranges where possible.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Port 80 is not used by this OpenVPN setup (the server listens on 443/tcp);
# drop this rule unless something else serves HTTP here.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# OpenVPN listener (server.conf: proto tcp / port 443).
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Activate the edited rule set now and keep the firewall enabled at boot.
service iptables restart
chkconfig iptables on
[root@openvpn 2.0]# rpm -q openssl openssl-1.0.0-20.el6_2.3.x86_64
# Dedicated unprivileged account for the CA, so the CA private key is never
# created or handled as root. easy-rsa 2.0 is copied into that user's home.
useradd casrv
passwd casrv
cp -a /usr/share/easy-rsa ~casrv/
cd ~casrv/
chown -R casrv:casrv easy-rsa/
# Everything CA-related from here on runs as casrv.
su - casrv
cd easy-rsa/2.0/
# easy-rsa ships one openssl-*.cnf per OpenSSL release; link the one that
# matches the installed openssl (1.0.0 according to the rpm -q output above).
ln -s openssl-1.0.0.cnf openssl.cnf
# Set the subject defaults that easy-rsa bakes into every certificate.
vi vars
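# ~casrv/easy-rsa/2.0/vars (excerpt): subject defaults used by build-ca and
# build-key*. Sourced with ". ./vars" before any easy-rsa script runs.
export KEY_COUNTRY="TW"
export KEY_PROVINCE="Taiwan"
export KEY_CITY="Taipei"
export KEY_ORG="Trysoft Corp."
# The page assigned KEY_EMAIL twice with the same value; one line suffices.
export KEY_EMAIL="changeme"
export KEY_CN=OpenVPN
export KEY_NAME=changeme
export KEY_OU=Tech
# KEY_SIZE is not part of this excerpt. The build-* transcripts on this page
# ("Generating a 1024 bit RSA private key") show the 1024-bit default was in
# effect, which is below current recommendations; set KEY_SIZE=2048 here
# before build-ca so CA, server, client and DH parameters are all 2048-bit.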
# Load vars into the current shell (dot-sourced, not executed).
. ./vars
# clean-all removes everything under keys/ (CA key, issued certs, index and
# serial). Run it only when starting a brand-new CA, never on a live one.
./clean-all
# Create the CA key pair and self-signed CA certificate; the prompts are
# pre-filled from vars (transcript below).
./build-ca
[casrv@openvpn 2.0]% ./build-ca Generating a 1024 bit RSA private key : : Country Name (2 letter code) [US]:TW State or Province Name (full name) [CA]:Taiwan Locality Name (eg, city) [SanFrancisco]:Taipei Organization Name (eg, company) [Fort-Funston]:Trysoft Corp. Organizational Unit Name (eg, section) [changeme]:Tech Common Name (eg, your name or your server's hostname) [changeme]:OpenVPN Name [changeme]:OpenVPN Email Address [[email protected]]:[email protected]
# Issue the server certificate. build-key-server (not build-key) adds the
# server usage extensions that the clients' "remote-cert-tls server" checks,
# so a client certificate cannot be reused to impersonate the server.
./build-key-server server
[casrv@openvpn 2.0]% ./build-key-server server Generating a 1024 bit RSA private key : : Country Name (2 letter code) [US]:TW State or Province Name (full name) [CA]:Taiwan Locality Name (eg, city) [SanFrancisco]:Taipei Organization Name (eg, company) [Fort-Funston]:Trysoft Corp. Organizational Unit Name (eg, section) [changeme]:Tech Common Name (eg, your name or your server's hostname) [server]:openvpn Name [changeme]: Email Address [[email protected]]:[email protected] : A challenge password []: An optional company name []: : Certificate is to be certified until Apr 4 06:21:30 2022 GMT (3650 days) Sign the certificate? [y/n]:y : 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
# Generate Diffie-Hellman parameters into keys/dh${KEY_SIZE}.pem. The
# transcript below shows a 1024-bit prime (i.e. dh1024.pem), yet server.conf
# further down references dh2048.pem — either set KEY_SIZE=2048 in vars and
# rebuild, or make the dh line match the file that really exists.
./build-dh
[casrv@openvpn 2.0]% ./build-dh Generating DH parameters, 1024 bit long safe prime, generator 2 : : ..++*++*++*
# Static tls-auth key: adds an HMAC to every control-channel packet, so
# handshake packets without it are dropped before TLS even starts. It is a
# shared secret — distribute it to clients only over a trusted channel.
openvpn --genkey --secret keys/ta.key
~casrv/easy-rsa/2.0/keys/
# Issue one certificate per client, each with a distinct CN; repeat the last
# step for every client. Runs as the CA user with vars loaded.
su - casrv
cd easy-rsa/2.0/
source ./vars
./build-key client1
# ... one build-key invocation per client ...
./build-key clientn
[casrv@openvpn 2.0]% ./build-key client1 Generating a 1024 bit RSA private key : writing new private key to 'client1.key' ----- : Country Name (2 letter code) [TW]: State or Province Name (full name) [Taiwan]: Locality Name (eg, city) [Taipei]: Organization Name (eg, company) [Trysoft Corp.]: Organizational Unit Name (eg, section) [Tech]: Common Name (eg, your name or your server's hostname) [client1]: Name [changeme]:Client1 Email Address [changeme]:[email protected] : A challenge password []: An optional company name []: : Certificate is to be certified until Apr 4 06:36:36 2022 GMT (3650 days) Sign the certificate? [y/n]:y : 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
~casrv/easy-rsa/2.0/keys/
V 220404062130Z 01 unknown /C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./OU=Tech/CN=openvpn/name=changeme/[email protected] V 220404063636Z 02 unknown /C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./OU=Tech/CN=client1/name=Client1/[email protected] : :
# Revoke a client certificate and regenerate keys/crl.pem in one step.
# This only locks the client out once the new crl.pem is installed under
# /etc/openvpn AND server.conf has crl-verify enabled (see further down).
su - casrv
cd easy-rsa/2.0/
source ./vars
./revoke-full client0
[casrv@openvpn CA]$ ./revoke-full client0 Using configuration from /home/casrv/CA/openssl.cnf Revoking Certificate 03. Data Base Updated Using configuration from /home/casrv/CA/openssl.cnf client0.crt: C = TW, ST = Taiwan, L = Taipei, O = Trysoft Corp, OU = Tech, CN = client0, name = Client0, emailAddress = [email protected] error 23 at 0 depth lookup:certificate revoked
# Install the regenerated CRL where the server's crl-verify expects it.
su - root
cp ~casrv/easy-rsa/2.0/keys/crl.pem /etc/openvpn/
或是建立 link 來讓 crl.pem 一致
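# Alternative to copying: hard-link the CRL so /etc/openvpn/crl.pem always
# reflects the file the CA user regenerates. The page's "su -root" is a typo
# (su would parse -root as options); the login-shell form is "su - root".
# A hard link needs /home and /etc on the same filesystem (ln fails
# otherwise), and it only stays current if openssl rewrites crl.pem in place
# rather than replacing it — confirm after the first revoke.
su - root
cd /etc/openvpn
ln /home/casrv/easy-rsa/2.0/keys/crl.pem .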
Fri Apr 21 08:08:18 2017 60.248.245.177:50610 VERIFY ERROR: depth=0, error=CRL has expired: C=TW, ST=Taiwan, L=Tainan, O=xxxx OU=Sales, CN=xxx, name=xxx, [email protected] Fri Apr 21 08:08:18 2017 60.248.245.177:50610 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
# The server log above ("VERIFY ERROR ... CRL has expired") is the CRL's
# Next Update time passing: once it does, OpenVPN refuses every client even
# if nothing new was revoked. Regenerate the CRL on a schedule (cron) and
# reinstall it, not only after a revocation.
su - casrv
cd easy-rsa/2.0/
source ./vars
openssl ca -gencrl -keyfile keys/ca.key -cert keys/ca.crt -out keys/crl.pem -config ./openssl.cnf
# Inspect the result. The dump below shows Next Update one month after Last
# Update (presumably default_crl_days in openssl.cnf) and an
# md5WithRSAEncryption signature (default_md); MD5 is obsolete for
# signatures, so set default_md to sha256 before regenerating.
openssl crl -in crl.pem -text
Certificate Revocation List (CRL): Version 1 (0x0) Signature Algorithm: md5WithRSAEncryption Issuer: /C=TW/ST=Taiwan/L=Taipei/O=xxx Co., Ltd./OU=Tech/CN=OpenVPN/name=OpenVPN/[email protected] Last Update: Apr 21 02:16:30 2017 GMT Next Update: May 21 02:16:30 2017 GMT Revoked Certificates: Serial Number: 05 Revocation Date: Jun 25 05:06:21 2012 GMT : Serial Number: 0A Revocation Date: Dec 31 02:24:45 2015 GMT Signature Algorithm: md5WithRSAEncryption 69:c4:45:ab:de:cf:ae:1f:e8:10:3c:03:12:5f:fd:47:fd:10: : bf:e3:fb:01:4a:11:ea:da:18:06:d1:5b:85:8b:da:c4:31:c8: df:81 -----BEGIN X509 CRL----- MIIB3jCCAUcwDQYJKoZIhvcNAQEEBQAwgbExCzAJBgNVBAYTAlRXMQ8wDQYDVQQI EwZUYWl3YW4xDzANBgNVBAcTBlRhaXBlaTEmMCQGA1UEChMdRXZlcnBsYXN0IE1h : vgzp3y49jtoXHn2YqioMaciGrOzCYxCrLcVWc/Y2v+P7AUoR6toYBtFbhYvaxDHI 34E= -----END X509 CRL-----
[root@openvpn openvpn]# rpm -q openvpn openvpn-2.3.6-1.el6.x86_64
# Start from the sample server config shipped with the package, then edit
# it down to the content shown next.
cd /etc/openvpn
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/
vi server.conf
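# /etc/openvpn/server.conf — TLS server on 443/tcp in routed (tun) mode.
dev tun
proto tcp
port 443
# PKI material copied from ~casrv/easy-rsa/2.0/keys/ (steps below).
ca ca.crt
cert server.crt
key server.key
# Revocation is only enforced when crl-verify is active. The page left this
# line commented out, in which case the revoke-full / crl.pem steps above
# have no effect on the server. The file must exist once this is enabled
# (generate it with "openssl ca -gencrl" even before the first revocation);
# a missing or unreadable CRL is expected to make client verification fail
# — confirm that behaviour on 2.3.6 before relying on it.
crl-verify crl.pem
# build-dh on this page produced a 1024-bit parameter set (dh1024.pem);
# make sure the file named here is the one that actually exists. 2048 bits
# is the size to keep.
dh dh2048.pem
server 192.168.221.0 255.255.255.0
ifconfig-pool-persist ipp.txt
persist-key
persist-tun
status openvpn-status.log
verb 3
# Clients may reach each other through the server (switched inside OpenVPN,
# independent of the kernel FORWARD rules).
client-to-client
#push "dhcp-option DNS 192.168.11.242"
#push "route 192.168.11.0 255.255.255.0"
keepalive 10 120
# HMAC on the control channel with the shared ta.key; 0 = server side.
tls-auth ta.key 0
# No "auth" directive, so the data-channel HMAC stays at the SHA1 default.
cipher AES-128-CBC
# Compressing traffic carried over TLS is a known information-leak risk
# (VORACLE); remove this unless bandwidth genuinely requires it.
comp-lzo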
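# Install the server-side PKI files. Copied as root, so they end up
# root-owned; the resulting mode depends on the source mode and root's
# umask, so restrict the two secrets explicitly (the original steps did not).
cd /etc/openvpn
cp ~casrv/easy-rsa/2.0/keys/dh2048.pem .
cp ~casrv/easy-rsa/2.0/keys/server.crt .
cp ~casrv/easy-rsa/2.0/keys/server.key .
cp ~casrv/easy-rsa/2.0/keys/ca.crt .
cp ~casrv/easy-rsa/2.0/keys/ta.key .
# server.key (server private key) and ta.key (shared HMAC secret) must not
# be world-readable.
chmod 600 server.key ta.key
# crl.pem is installed separately (revocation section above).
service openvpn start
chkconfig openvpn on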
# Specify that this is a client
client
# Routed (tun) interface — must match the server's "dev tun"
dev tun
proto tcp
# Host name and port for the server (default port is 1194)
# note: replace with the correct values your server set up
remote 175.98.155.2 443 # openvpn Server IP
# Require server usage extensions on the peer certificate (as issued by
# build-key-server), so a client certificate cannot pose as the server
remote-cert-tls server
# Client does not need to bind to a specific local port
nobind
# Keep trying to resolve the host name of OpenVPN server.
resolv-retry infinite
# Preserve state across restarts
persist-key
persist-tun
# SSL/TLS parameters - files created previously
ca ca.crt
cert client1.crt
key client1.key
# Since we specified the tls-auth for server, we need it for the client
# note: 0 = server, 1 = client
tls-auth ta.key 1
# Specify same cipher as server
cipher AES-128-CBC
# Use compression (same caveat as on the server: compression over TLS
# leaks information)
comp-lzo
# Log verbosity (to help if there are problems)
verb 3
REM Windows client: (re)install the TAP-Windows virtual adapter by hand
REM using the bundled driver INF; the page notes the existing adapter may
REM drop its connection while this runs.
"C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
執行過程, 原本的 Tap-Win32 Adapter 可能會斷線
# Specify that this is a client
client
# Routed (tun) interface — must match the server's "dev tun"
dev tun
proto tcp
# Host name and port for the server (default port is 1194)
# note: replace with the correct values your server set up
remote 175.98.155.2 443 # openvpn Server IP
# Require server usage extensions on the peer certificate
remote-cert-tls server
# Client does not need to bind to a specific local port
nobind
# Keep trying to resolve the host name of OpenVPN server.
resolv-retry infinite
# Preserve state across restarts
persist-key
persist-tun
# Specify same cipher as server
cipher AES-128-CBC
# Use compression
comp-lzo
# Log verbosity (to help if there are problems)
verb 3
# The inline <tls-auth> block below cannot carry the direction argument
# that "tls-auth ta.key 1" had, so it is given here instead (1 = client)
key-direction 1
# Single-file profile: CA cert, client cert, client private key and the
# tls-auth key are embedded below instead of referenced by path. This file
# therefore contains the client's secrets — protect it like client1.key.
# ca ca.crt
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
#cert client1.crt
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
#key client1.key
<key>
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
</key>
#tls-auth ta.key 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
# Client config variant keeping the PKI files in a subdirectory. Relative
# paths are resolved against OpenVPN's working directory, which depends on
# how the client is launched — presumably ideas_tp/ sits next to this
# config; confirm on the client before deploying.
# ...
# SSL/TLS parameters - files created previously
ca ideas_tp/ca.crt
cert ideas_tp/jonathan.crt
key ideas_tp/jonathan.key
# ...