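Configuring an OpenVPN Server on the Raspberry Pi
Once OpenVPN is installed, the corresponding configuration files are created automatically. They are stored in the following locations:
Configuration file paths
/usr/sbin/openvpn program binary
/etc/openvpn/ configuration files
Configuring EASY-RSA and generating keys
OpenVPN ships with EASY_RSA, a lightweight key-generation tool.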
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa/
nano /etc/openvpn/easy-rsa/vars
In vars, set export EASY_RSA="/etc/openvpn/easy-rsa" (the path where the keys are stored)
root@bpi201704:/etc/openvpn/easy-rsa# source ./vars
Generate the keys
root@bpi201704:/etc/openvpn/easy-rsa# ./clean-all
root@bpi201704:/etc/openvpn/easy-rsa# ./build-ca
Generating a 1024 bit RSA private key
...................................................................................++++++
.............................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:
Name [changeme]:
Email Address [mail@host.domain]:
root@bpi201704:/etc/openvpn/easy-rsa#
Generate the server key
root@bpi201704:/etc/openvpn/easy-rsa# ./build-key-server server
Generating a 1024 bit RSA private key
..++++++
..........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [server]:bpi201704
Name [changeme]:
Email Address [mail@host.domain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'changeme'
commonName :PRINTABLE:'bpi201704'
name :PRINTABLE:'changeme'
emailAddress :IA5STRING:'mail@host.domain'
Certificate is to be certified until Jul 12 06:23:43 2027 GMT (3650 days)
Sign the certificate? [y/n]:
CERTIFICATE WILL NOT BE CERTIFIED
root@bpi201704:/etc/openvpn/easy-rsa#
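Sometimes you need to enter y at this prompt; in the output above it was left unanswered, so the certificate was not signed.
Generate the client key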
root@bpi201704:/etc/openvpn/easy-rsa# ./build-key-pass client1
Generating a 1024 bit RSA private key
......................................................++++++
..............................................................................++++++
writing new private key to 'client1.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [client1]:
Name [changeme]:
Email Address [mail@host.domain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'changeme'
commonName :PRINTABLE:'client1'
name :PRINTABLE:'changeme'
emailAddress :IA5STRING:'mail@host.domain'
Certificate is to be certified until Jul 12 06:25:25 2027 GMT (3650 days)
Sign the certificate? [y/n]:
CERTIFICATE WILL NOT BE CERTIFIED
root@bpi201704:/etc/openvpn/easy-rsa#
root@bpi201704:/etc/openvpn/easy-rsa#
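Sometimes you need to enter y at this prompt; in the output above it was left unanswered, so the certificate was not signed.
Generate the DH parameters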
root@bpi201704:/etc/openvpn/easy-rsa# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..................
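The transcripts above show 1024-bit RSA keys and DH parameters, and two signing prompts that ended with CERTIFICATE WILL NOT BE CERTIFIED. The shell function below is an added example, not part of the original post, that checks an easy-rsa 2.0 directory for both conditions. The 2048-bit threshold, the function names and the constructed sample directory are assumptions; it relies on easy-rsa 2.0 writing its output to keys/ and naming the DH file after KEY_SIZE.

```shell
#!/bin/sh
# Added example (not from the original post): audit an easy-rsa 2.0 directory
# after the build-ca / build-key-server / build-key-pass / build-dh steps.
MIN_BITS=2048   # assumed policy threshold; the transcript above shows 1024

# audit_easyrsa DIR NAME... : one finding per line, returns 1 if any were found
audit_easyrsa() {
    dir=$1; shift
    rc=0
    # 1. KEY_SIZE in vars drives both the RSA keys and the DH parameters.
    bits=$(sed -n 's/^[[:space:]]*export[[:space:]]\{1,\}KEY_SIZE=\([0-9][0-9]*\).*/\1/p' "$dir/vars" | tail -n 1)
    if [ -z "$bits" ]; then
        echo "vars: KEY_SIZE not set"; rc=1
    elif [ "$bits" -lt "$MIN_BITS" ]; then
        echo "vars: KEY_SIZE=$bits is below $MIN_BITS"; rc=1
    fi
    # 2. A private key without a non-empty certificate means the request was
    #    never signed ("CERTIFICATE WILL NOT BE CERTIFIED").
    for name in "$@"; do
        if [ -f "$dir/keys/$name.key" ] && [ ! -s "$dir/keys/$name.crt" ]; then
            echo "keys/$name.crt: missing or empty, request was not signed"; rc=1
        fi
    done
    # 3. build-dh names its output after KEY_SIZE (dh1024.pem, dh2048.pem).
    for dh in "$dir"/keys/dh*.pem; do
        [ -f "$dh" ] || continue
        dhbits=${dh##*/dh}; dhbits=${dhbits%.pem}
        case $dhbits in ''|*[!0-9]*) continue ;; esac
        if [ "$dhbits" -lt "$MIN_BITS" ]; then
            echo "keys/dh$dhbits.pem: DH parameters below $MIN_BITS bits"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample mirroring the transcript: 1024-bit vars, server and
# client1 keys whose certificates were left unsigned, and a 1024-bit DH file.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/keys" || return 1
    printf 'export EASY_RSA="/etc/openvpn/easy-rsa"\nexport KEY_SIZE=1024\n' > "$d/vars"
    : > "$d/keys/server.key"; : > "$d/keys/server.crt"   # empty .crt = unsigned
    : > "$d/keys/client1.key"
    : > "$d/keys/dh1024.pem"
    echo "$d"
}

# CLI use: sh audit.sh /etc/openvpn/easy-rsa server client1
if [ "$#" -gt 0 ]; then audit_easyrsa "$@"; fi
```

Raising KEY_SIZE in vars only affects material generated afterwards, so existing keys and DH parameters have to be rebuilt after source ./vars.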
OpenVPN server configuration file
# cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/ (unpack with gzip -d if the sample is compressed)
# nano /etc/openvpn/server.conf
Edit the configuration
Test the configuration
# openvpn /etc/openvpn/server.conf
service openvpn restart