Install OpenVPN:
```sh
$ yum install pam-devel openssl-devel wget vim gcc gcc-c++ net-tools -y
$ mkdir /byrd/tools -p
$ cd /byrd/tools/
$ wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.10.tar.gz
$ tar zxf lzo-2.10.tar.gz
$ cd lzo-2.10
$ ./configure --prefix=/opt/lzo-2.10
$ make && make install
$ wget https://swupdate.openvpn.org/community/releases/openvpn-2.3.18.tar.gz
$ tar zxf openvpn-2.3.18.tar.gz
$ cd openvpn-2.3.18
$ ln -s /opt/lzo-2.10/lib/* /usr/local/lib/
$ ln -s /opt/lzo-2.10/include/* /usr/local/include/
$ ./configure --prefix=/opt/openvpn-2.3.18
$ make && make install
$ ln -s /opt/openvpn-2.3.18/ /usr/local/openvpn
```
Create the server-side certificates:
```sh
# initialize the PKI
./easyrsa init-pki
# create the root CA [you are asked for a CA name and a CA passphrase here;
# remember the passphrase, it is needed every time a new user is created later]
./easyrsa build-ca
# create the server certificate request; if you set a passphrase here it must be
# entered every time the service starts [enter the server name here; leaving it
# empty uses the default "server"]
./easyrsa gen-req server nopass
# sign the server certificate [the CA passphrase is required in this step]
./easyrsa sign server server
# create the Diffie-Hellman parameters
./easyrsa gen-dh
```
Walkthrough:
```sh
$ wget -c https://github.com/OpenVPN/easy-rsa/archive/master.zip
$ cp -ap easy-rsa-master /root/server
$ pwd
/root/server/easyrsa3
$ tail -6 vars
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Zhejiang"
set_var EASYRSA_REQ_CITY "Hangzhou"
set_var EASYRSA_REQ_ORG "t4x.org"
set_var EASYRSA_REQ_EMAIL "root@t4x.org"
set_var EASYRSA_REQ_OU "t4x.org"
$ ./easyrsa init-pki        # initialize the PKI
$ ./easyrsa build-ca        # root certificate
Note: using Easy-RSA configuration from: ./vars
Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus
.................+++
...+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/root/server/easyrsa3/pki/ca.crt

$ ./easyrsa gen-req server  # server certificate
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.................+++
................................+++
writing new private key to '/root/server/easyrsa3/pki/private/server.key.0zCAl5HFMo'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:hz.t4x.org

Keypair and certificate request completed. Your files are:
req: /root/server/easyrsa3/pki/reqs/server.req
key: /root/server/easyrsa3/pki/private/server.key

$ ./easyrsa sign server server   # sign the server certificate
Note: using Easy-RSA configuration from: ./vars

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = hz.t4x.org

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-easyrsa.cnf
Enter pass phrase for /root/server/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'hz.t4x.org'
Certificate is to be certified until Jun 29 02:52:53 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /root/server/easyrsa3/pki/issued/server.crt

[root@JD easyrsa3]# ./easyrsa gen-dh   ## create the Diffie-Hellman parameters
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time

DH parameters of size 2048 created at /root/server/easyrsa3/pki/dh.pem
```
Create the client certificate:
```sh
# initialize the PKI (on the client side)
./easyrsa init-pki
# create the client certificate request [the name is your choice; remember the
# passphrase you enter]
./easyrsa gen-req byrd
# in the server-side easyrsa directory: import the byrd.req obtained above, then
# sign it [the name must be the same on import and on signing; the CA passphrase
# is required]
./easyrsa import-req /root/client/easyrsa3/pki/reqs/byrd.req byrd
# sign the client certificate
./easyrsa sign-req client byrd
```
Walkthrough:
```sh
$ cp -ap easy-rsa-master /root/client
$ cd /root/client/easyrsa3/
$ ./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /root/client/easyrsa3/pki

$ ./easyrsa gen-req byrd
Generating a 2048 bit RSA private key
......+++
.................................................................................................................................+++
writing new private key to '/root/client/easyrsa3/pki/private/byrd.key.Cumk2cEpHX'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [byrd]:byrd

Keypair and certificate request completed. Your files are:
req: /root/client/easyrsa3/pki/reqs/byrd.req
key: /root/client/easyrsa3/pki/private/byrd.key

$ cd /root/server/easyrsa3/
------------------------------------------------
$ ./easyrsa sign-req client byrd
Note: using Easy-RSA configuration from: ./vars

Easy-RSA error:

No request found for the input: 'byrd'
Expected to find the request at: /root/server/easyrsa3/pki/reqs/byrd.req
------------------------------------------------
$ ./easyrsa import-req /root/client/easyrsa3/pki/reqs/byrd.req byrd
Note: using Easy-RSA configuration from: ./vars

The request has been successfully imported with a short name of: byrd
You may now use this name to perform signing operations on this request.

$ ./easyrsa sign-req client byrd
Note: using Easy-RSA configuration from: ./vars

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 3650 days:

subject=
    commonName                = byrd

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-easyrsa.cnf
Enter pass phrase for /root/server/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'byrd'
Certificate is to be certified until Jun 29 02:59:04 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /root/server/easyrsa3/pki/issued/byrd.crt
```
Server-side configuration:
```sh
$ mkdir /etc/openvpn
$ cp /byrd/tools/openvpn-2.3.18/sample/sample-config-files/server.conf /etc/openvpn/
$ mkdir /etc/openvpn/server
$ pwd
/root/server/easyrsa3
$ cp pki/ca.crt /etc/openvpn/server
$ cp pki/private/server.key /etc/openvpn/server
$ cp pki/issued/server.crt /etc/openvpn/server
$ cp pki/dh.pem /etc/openvpn/server
$ ls -l /etc/openvpn/server
-rw------- 1 root root 1139 Jul 2 09:40 ca.crt
-rw------- 1 root root  424 Jul 2 09:39 dh.pem
-rw------- 1 root root 4531 Jul 2 09:38 server.crt
-rw------- 1 root root 1834 Jul 2 09:38 server.key
$ /usr/local/openvpn/sbin/openvpn --config /etc/openvpn/server.conf
```
Certificate revocation:
```sh
$ ./easyrsa revoke byrd
Note: using Easy-RSA configuration from: ./vars

Please confirm you wish to revoke the certificate with the following subject:

subject=
    commonName                = byrd

Type the word 'yes' to continue, or any other input to abort.
  Continue with revocation: yes
Using configuration from ./openssl-easyrsa.cnf
Enter pass phrase for /usr/local/openvpn/key/easyrsa3/pki/private/ca.key:
Revoking Certificate F32D59143661BDE41848F122AC84BB19.
Data Base Updated

IMPORTANT!!!

Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.

$ ./easyrsa gen-crl
Note: using Easy-RSA configuration from: ./vars
Using configuration from ./openssl-easyrsa.cnf
Enter pass phrase for /usr/local/openvpn/key/easyrsa3/pki/private/ca.key:

An updated CRL has been created.
CRL file: /usr/local/openvpn/key/easyrsa3/pki/crl.pem

$ tail -1 /etc/openvpn/server.conf
crl-verify /usr/local/openvpn/key/easyrsa3/pki/crl.pem
```
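Added example, not code from the original post or from Easy-RSA: the certificate lifecycle from the server, client and revocation sections above, driven with the plain openssl CLI that Easy-RSA wraps, so the two points that matter for security are visible in one runnable script. First, the client's private key is generated on the client and only the request file crosses to the CA (that is what the import-req step does, and why sign-req failed before it). Second, a revocation changes nothing for a server until a fresh CRL is generated and deployed, which is the IMPORTANT message printed above. All directory names, common names and the minimal openssl config are constructed for the demo; the script expects only a POSIX shell and the openssl command.

```sh
#!/bin/sh
# Easy-RSA style certificate lifecycle with plain openssl (added example).

# Write a minimal openssl config for the demo CA into directory $1 (constructed).
write_ca_config() {
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca           = demo_ca
[ demo_ca ]
database             = $1/index.txt
new_certs_dir        = $1/newcerts
serial               = $1/serial
crlnumber            = $1/crlnumber
certificate          = $1/ca.crt
private_key          = $1/ca.key
default_md           = sha256
default_days         = 365
default_crl_days     = 30
policy               = demo_policy
x509_extensions      = v3_client
[ demo_policy ]
commonName           = supplied
[ req ]
distinguished_name   = req_dn
x509_extensions      = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature
extendedKeyUsage     = clientAuth
EOF
}

# Create the demo CA in directory $1 (the post's init-pki + build-ca).
ca_init() {
    mkdir -p "$1/newcerts" "$1/reqs"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    echo 01 > "$1/crlnumber"
    write_ca_config "$1"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    chmod 600 "$1/ca.key"
}

# On the client: key pair plus request for CN $2 in directory $1 (gen-req).
# The key stays here; only $1/$2.req is ever copied to the CA.
client_gen_req() {
    mkdir -p "$1"
    printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$1/req.cnf"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" -config "$1/req.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.req" 2>/dev/null
    chmod 600 "$1/$2.key"
}

# On the CA: import request file $2 under short name $3 and sign it as a client
# certificate (import-req + sign-req client); the result is $1/$3.crt.
ca_sign_client() {
    cp "$2" "$1/reqs/$3.req"
    openssl ca -batch -notext -config "$1/ca.cnf" -in "$1/reqs/$3.req" \
        -out "$1/$3.crt" >/dev/null 2>&1
}

# Mark certificate $2 revoked in the CA database (revoke). Does NOT touch the CRL.
ca_revoke() {
    openssl ca -config "$1/ca.cnf" -revoke "$2" >/dev/null 2>&1
}

# Publish a fresh CRL at $1/crl.pem (gen-crl).
ca_gen_crl() {
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" >/dev/null 2>&1
}

# What a server with crl-verify effectively does: chain check plus CRL lookup.
# Returns 0 if $2 is still acceptable, non-zero if it is revoked or invalid.
verify_with_crl() {
    openssl verify -CAfile "$1/ca.crt" -crl_check -CRLfile "$1/crl.pem" "$2" >/dev/null 2>&1
}

# Walk the lifecycle in scratch directory $1; return 0 only if every step behaved
# as expected, otherwise the number of the step that did not.
pki_demo() {
    ca="$1/server"; cl="$1/client"
    ca_init "$ca" && client_gen_req "$cl" byrd && ca_sign_client "$ca" "$cl/byrd.req" byrd || return 1
    [ ! -e "$ca/byrd.key" ] || return 2                                   # key never reached the CA
    ca_gen_crl "$ca" && verify_with_crl "$ca" "$ca/byrd.crt" || return 3  # accepted, empty CRL
    ca_revoke "$ca" "$ca/byrd.crt" || return 4
    verify_with_crl "$ca" "$ca/byrd.crt" || return 5                      # stale CRL: still accepted
    ca_gen_crl "$ca" || return 6
    if verify_with_crl "$ca" "$ca/byrd.crt"; then return 7; fi            # fresh CRL: rejected
    echo "ok: byrd.crt was accepted until the CRL was regenerated, then rejected"
}

# Run the demo when executed directly; skipped where openssl is not installed.
command -v openssl >/dev/null 2>&1 && pki_demo "${1:-$(mktemp -d)}"
```

Run it with sh; it works in a mktemp directory unless one is passed as the first argument. Step 5 is the one to watch: between `revoke` and `gen-crl` the server still accepts the client, and since Easy-RSA also gives the CRL a limited validity (EASYRSA_CRL_DAYS in vars), gen-crl has to be rerun and the file at the crl-verify path replaced periodically, not only after a revocation.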
Q&A:
Q: `configure: error: route utility is required but missing`

A: `yum install net-tools`
Notice: unless otherwise stated, all content on Byrd's Blog is original; reproduction without permission is prohibited! See the copyright notice for details!