用 OpenVPN 2.2.0建構SSL VPN加密連線

續: http://ssorc.tw/?p=265

Server 端建置

環境

CentOS 5.6 x64

OpenVPN 2.2.0

預設的yum庫沒有openvpn

所以我要用 dar rpm

rpm -ivh http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm

安裝 OpenVPN

yum install openvpn

OpenVPN本身提供一個小型的KEY的管理工具，它是建構在openssl底下的，套件裝好後，在/usr/share/doc/openvpnXXX目錄下就會有easy-rsa目錄

將它copy到/etc/openvpn 目錄裡面

cp -rp /usr/share/doc/openvpn-2.2.0/easy-rsa /etc/openvpn

切換到

cd /etc/openvpn/easy-rsa/2.0

將檔案屬性是shell exec的增加 +x權限

file *|grep executable | cut -d: -f1 |while read file;do echo $file; chmod +x $file; done

設定環境

vi vars

# 照預設，會在 /etc/openvpn/easy-rsa/2.0/openssl.cnf

export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

# 照預設，會在 /etc/openvpn/easy-rsa/2.0/keys (如果原本已存在，就把它刪除)

export KEY_DIR=”$EASY_RSA/keys”

# 照預設，如果你要更高的話，就加到2048

export KEY_SIZE=1024

# 再到最底下修改基本資料

export KEY_COUNTRY=”TW”

export KEY_PROVINCE=”Taiwan”

export KEY_CITY=”Taipei”

export KEY_ORG=”SSORC”

export KEY_EMAIL=”cross@ssorc.tw”

執行 ，這也只 export 環境而已

. ./vars

再執行

. ./clean-all

建置DH

./build-dh

建置 server key

./pkitool –server ssorc-server

…….++++++

……………………………………………………………………….++++++

writing new private key to ‘ssorc-server.key’

—–

Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject’s Distinguished Name is as follows

countryName           :PRINTABLE:’TW’

stateOrProvinceName   :PRINTABLE:’Taiwan’

localityName          :PRINTABLE:’Taipei’

organizationName      :PRINTABLE:’SSORC’

commonName            :PRINTABLE:’ssorc-server’

emailAddress          :IA5STRING:’cross@ssorc.tw’

Certificate is to be certified until Jul  1 06:02:12 2021 GMT (3650 days)

Write out database with 1 new entries

Data Base Updated

複製server conf 範本至 /etc/openvpn

cp -rp /usr/share/doc/openvpn-2.2.0/sample-config-files/server.conf /etc/openvpn/

複製相關key

cp -rp keys/ca.crt keys/ssorc-server.crt keys/ssorc-server.key keys/dh1024.pem /etc/openvpn/

編輯 /etc/openvpn/server.conf

# 只要修改

cert ssorc-server.crt
key ssorc-server.key

啟動OpenVPN

/etc/init.d/openvpn start

Client 端建置

我的 client 是 WIndow7

可以到openvpn.net 官方下載 openvpn-2.2.0-install.exe

不過我先要在 server 建置 client key

 ./pkitool ssorc-client

Generating a 1024 bit RSA private key

.++++++

……++++++

writing new private key to ‘ssorc-client.key’

—–

Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject’s Distinguished Name is as follows

countryName           :PRINTABLE:’TW’

stateOrProvinceName   :PRINTABLE:’Taiwan’

localityName          :PRINTABLE:’Taipei’

organizationName      :PRINTABLE:’SSORC’

commonName            :PRINTABLE:’ssorc-client’

emailAddress          :IA5STRING:’cross@ssorc.tw’

Certificate is to be certified until Jul  1 06:04:41 2021 GMT (3650 days)

Write out database with 1 new entries

Data Base Updated

產生 ssorc-client.crt 、ssorc-client.key

再回到 windows 7

安裝 openvpn-2.2.0-install.exe

裝完後到 C:Program Files (x86)OpenVPN

複製 sample-config裡的client.ovpn到 config 目錄

再將 server上的 ca.crt 、ssorc-client.crt 、ssorc-client.key 放到 config 裡

編輯 client.opvn

# 改 openvpn server IP

remote x.x.x.x 1194

cert ssorc-client.crt

key ssorc-client.key

啟用 openvpn-gui 連線

連線已通了，不過出現 Authenticate/Decrypt packet error: cipher final failed
ping得到自已的 10.8.0.6 ，但ping不到server的 10.8.0.1
只要將client.ovpn中的 cipher AES-128-CBC註解即可，再重新連線

done.