
OpenVPN in Practice, Part 2: VPN and Gateway on the Same Server
In the previous post we walked through building a VPN server inside the LAN, so that part should be familiar by now. Some readers said they have no spare machine for a VPN server; all they have is a single Linux gateway. Can the VPN server live on the gateway itself? It certainly can. How? Let's build it together.
The key to running the VPN server on the gateway is the firewall's NAT configuration. Here are the essential settings:
[root@gateway ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@gateway keys]# iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -j MASQUERADE
[root@gateway keys]# iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -d 192.168.18.0/255.255.255.0 -j SNAT --to-source 192.168.18.254
Note: eth0 is the public-facing interface and eth1 the internal one. Let's look at the topology, which makes this clearer.
III. Topology
[Topology diagram: http://www.it165.net/uploadfile/files/258.png]
Note: this topology is a typical small-to-medium enterprise internal network. This post does not cover the configuration of NAT, Web, FTP and similar services; only the OpenVPN-related steps are shown. Questions and discussion are welcome.
IV. Environment preparation
1. Install the yum repository (EPEL)
[root@gateway ~]# rpm -ivh
Retrieving
warning: /var/tmp/rpm-xfer.qnxpWE: Header V3 DSA signature: NOKEY, key ID
Preparing...                ########################################### [100%]
        package epel-release-5-4.noarch is already installed
[root@gateway ~]# yum list
2. Synchronize the server clock (certificate validity checks depend on it)
[root@gateway ~]# yum install -y ntp
[root@gateway ~]# ntpdate 210.72.145.44
[root@gateway ~]# hwclock -w
[root@gateway ~]# date
[root@gateway ~]# hwclock
3. Install the dependencies (of this list only openssl, openssl-devel and lzo are actually needed by OpenVPN; the rest is the author's general-purpose build environment)
[root@gateway ~]# yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 krb5-devel libidn libidn-devel openssl openssl-devel openldap openldap-devel nss_ldap openldap-clients openldap-servers
V. Configuration steps in detail
Note: a quick overview of the steps:
Install the lzo and openvpn packages
Prepare for configuration: copy the relevant files
Initialize the PKI
Build the server key
Generate the client keys
Generate the Diffie-Hellman parameters
Package the files under keys/ and download them for the clients
Copy ca.crt, server.crt, server.key and dh1024.pem from keys/ to /etc/openvpn
Edit the server configuration file /etc/openvpn/server.conf
Start the VPN server
Configure the Windows client
Set up NAT on the gateway server
Test the Windows client connection to OpenVPN
Now let's work through these steps.
1. Install the lzo and openvpn packages
[root@gateway ~]# mkdir src
[root@gateway ~]# cd src/
[root@gateway src]# ls
lzo-2.04-3.2.x86_64.rpm  openvpn-2.1-0.20.rc4.el5.kb.x86_64.rpm
[root@gateway src]# rpm -ivh lzo-2.04-3.2.x86_64.rpm
warning: lzo-2.04-3.2.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID d164ce99
Preparing...                ########################################### [100%]
   1:lzo                    ########################################### [100%]
[root@gateway src]# rpm -ivh openvpn-2.1-0.20.rc4.el5.kb.x86_64.rpm
Preparing...                ########################################### [100%]
   1:openvpn                ########################################### [100%]
2. Prepare for configuration: copy the relevant files
[root@gateway src]# cp -r /usr/share/openvpn/easy-rsa/2.0/ /etc/openvpn
[root@gateway src]# cd /etc/openvpn
[root@gateway openvpn]# ls
2.0
[root@gateway openvpn]# cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn/
[root@gateway openvpn]# ls
2.0  server.conf
3. Initialize the PKI (note: the vars default KEY_SIZE=1024 drives both the RSA key size and build-dh, and 1024-bit RSA/DH is below today's minimum; set KEY_SIZE=2048 before sourcing vars on any new deployment)
[root@gateway openvpn]# cd 2.0/
[root@gateway 2.0]# ls
build-ca     build-key         build-key-server  clean-all      Makefile       pkitool      sign-req
build-dh     build-key-pass    build-req         inherit-inter  openssl-0.f    README       vars
build-inter  build-key-pkcs12  build-req-pass    list-crl       f              revoke-full  whichopensslcnf
[root@gateway 2.0]# vim vars
# change the following items:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SH"
export KEY_CITY="SH"
export KEY_ORG="openvpn"
export KEY_EMAIL=""
[root@gateway 2.0]# env | grep KEY
[root@gateway 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/2.0/keys
[root@gateway 2.0]# env | grep KEY
KEY_EXPIRE=3650
KEY_EMAIL=admin@free.com
KEY_SIZE=1024
KEY_DIR=/etc/openvpn/2.0/keys
KEY_CITY=SH
KEY_PROVINCE=SH
KEY_ORG=openvpn
KEY_CONFIG=/etc/openvpn/2.f
KEY_COUNTRY=CN
[root@gateway 2.0]# ./clean-all
[root@gateway 2.0]# ls
build-ca     build-key-pass    build-req-pass  list-crl       pkitool      vars
build-dh     build-key-pkcs12  clean-all       Makefile       README       whichopensslcnf
build-inter  build-key-server  inherit-inter   openssl-0.f    revoke-full
build-key    build-req         keys            f              sign-req
[root@gateway 2.0]# ./build-ca
Generating a 1024 bit RSA private key
.++++++
........................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [SH]:
Organization Name (eg, company) [openvpn]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [openvpn CA]:
Email Address [admin@free.com]:
4. Build the server key
[root@gateway 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
..................++++++
..............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [SH]:
Organization Name (eg, company) [openvpn]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Email Address [admin@free.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/2.f
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SH'
localityName          :PRINTABLE:'SH'
organizationName      :PRINTABLE:'openvpn'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'admin@free.com'
Certificate is to be certified until May  2 03:41:08 2024 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
5. Generate the client keys (three clients here, client1, client2 and client3; generate as many as you need)
1). client1
[root@gateway 2.0]# ./build-key client1
Generating a 1024 bit RSA private key
.......++++++
....++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [SH]:
Organization Name (eg, company) [openvpn]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:
Email Address [admin@free.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/2.f
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SH'
localityName          :PRINTABLE:'SH'
organizationName      :PRINTABLE:'openvpn'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'admin@free.com'
Certificate is to be certified until May  2 03:46:17 2024 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
2). client2 and client3 are generated the same way and are not shown here; see the previous post if anything is unclear.
6. Generate the Diffie-Hellman parameters
[root@gateway 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.................................................................++*++*++*
7. Package the files under keys/ and download them for the clients. Caveat: the archive below contains everything in keys/, including ca.key (which can sign new client certificates), server.key and every client's private key. A client only needs ca.crt plus its own clientN.crt and clientN.key; ca.key should never leave the CA host, and an archive of the whole directory, if kept at all, must stay on the server.
[root@gateway 2.0]# cd keys/
[root@gateway keys]# ls
01.pem  ca.crt       client1.key  client3.crt  index.txt           serial      server.key
02.pem  ca.key       client2.crt  client3.csr  index.txt.attr      serial.old
03.pem  client1.crt  client2.csr  client3.key  index.txt.attr.old  server.crt
04.pem  client1.csr  client2.key  dh1024.pem   index.txt.old       server.csr
[root@gateway keys]# tar zcvf client.tar.gz ./*
./01.pem
./02.pem
./03.pem
./04.pem
./ca.crt
./ca.key
./client1.crt
./client1.csr
./client1.key
./client2.crt
./client2.csr
./client2.key
./client3.crt
./client3.csr
./client3.key
./dh1024.pem
./index.txt
./index.txt.attr
./index.txt.attr.old
./index.txt.old
./serial
./serial.old
./server.crt
./server.csr
./server.key
[root@gateway keys]# ls
01.pem  04.pem  client1.crt  client2.crt  client3.crt  client.tar.gz  index.txt.attr      serial      server.csr
02.pem  ca.crt  client1.csr  client2.csr  client3.csr  dh1024.pem     index.txt.attr.old  serial.old  server.key
03.pem  ca.key  client1.key  client2.key  client3.key  index.txt      index.txt.old       server.crt
8. Copy ca.crt, server.crt, server.key and dh1024.pem from keys/ to /etc/openvpn (the `ca.*` glob below also copies ca.key and `server.*` the CSR; the running server needs neither, and ca.key is better kept only in the PKI directory)
[root@gateway keys]# cp ca.* server.* dh1024.pem /etc/openvpn/
[root@gateway keys]# cd /etc/openvpn/
[root@gateway openvpn]# ls
2.0  ca.crt  ca.key  dh1024.pem  server.conf  server.crt  server.csr  server.key
9. Edit the server configuration file /etc/openvpn/server.conf. Two things worth knowing about the settings below: `client-to-client` lets VPN clients reach one another directly, so leave it out unless that is wanted; and on a gateway exposed to the Internet add `user nobody`, `group nobody` and `tls-auth ta.key 0` (key generated with `openvpn --genkey --secret ta.key` and shared with the clients) so the daemon drops root after start-up and rejects unauthenticated packets before the TLS handshake.
[root@gateway openvpn]# cp server.conf server.conf.bak
[root@gateway openvpn]# ls
2.0  ca.crt  ca.key  dh1024.pem  server.conf  server.conf.bak  server.crt  server.csr  server.key
[root@gateway openvpn]# vim server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
10. Start the VPN server
[root@gateway openvpn]# /etc/init.d/openvpn start
Starting openvpn:                                          [  OK  ]
[root@gateway openvpn]# netstat -ntulp | grep 1194
udp        0      0 0.0.0.0:1194                0.0.0.0:*                               19147/openvpn
[root@gateway openvpn]# ifconfig
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
11. Configure the Windows client
(1). Install the client (not shown; install it yourself)
(2). Put the client certificate files generated on the server into the config folder
D:\Program Files\OpenVPN\config\test
(3). Create the client configuration file test.ovpn
D:\Program Files\OpenVPN\config
Contents of test.ovpn:
client
dev tun
proto udp
remote x.x.x.x 1194    # the office's public IP
persist-key
persist-tun
ca test\\ca.crt
cert test\\client1.crt
key test\\client1.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
12. Set up NAT on the gateway server (the key configuration) and enable IP forwarding. Two notes on the rules below: nat POSTROUTING uses the first matching rule, so with MASQUERADE appended first the SNAT rule beneath it never matches (VPN-to-LAN packets are still masqueraded to eth1's address, which is why it works anyway); insert the SNAT rule first, or bind MASQUERADE to `-o eth0`, if you want the explicit source address. `iptables -L` resolves addresses to names, which is why 10.8.0.0/24 shows up as `localhost/24`; add `-n` for numeric output. The rules are not saved here; run `service iptables save` once they are verified so they survive a reboot.
[root@gateway keys]# iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -j MASQUERADE
[root@gateway keys]# iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -d 192.168.18.0/255.255.255.0 -j SNAT --to-source 192.168.18.254
[root@gateway keys]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  localhost/24         anywhere
SNAT       all  --  localhost/24         localhost/24        to:192.168.18.254
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@gateway keys]# vim /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
[root@gateway keys]# sysctl -p
net.ipv4.ip_forward = 1
13. Connect and test
1). Connect to the VPN
Note: a green icon appears once the connection succeeds. Now let's try a ping.
2). Test with ping
3). Check where our public IP is located
Before connecting: (the office)
After connecting: (the server room)
That completes the setup with the VPN and gateway on one server. Let's sum up the lessons learned and the open issues.
Everything so far has the server generate the client certificates and distribute them to the clients, which then connect using those certificates. Distribution can be awkward (and unsafe). An alternative: client certificates are made only on the server side, and the client needs just the ca.crt file rather than its own certificate, logging in to the OpenVPN server with a username and password instead. How is that done? The next post will implement it.
I hope you found this useful ^_^
OpenVPN in Practice, Part 1: VPN and Gateway on Separate Servers
In the previous post we recommended a number of articles on OpenVPN theory; readers who want to know more can click here: http://freeloda./4768. Starting with this post we move on to practice. The series consists of the following posts:
OpenVPN in Practice, Part 1: VPN and Gateway on Separate Servers
OpenVPN in Practice, Part 2: VPN and Gateway on the Same Server
OpenVPN in Practice, Part 3: Multi-Subnet VPN (Point-to-Multipoint)
OpenVPN in Practice, Part 4: Common Problems
Let's get started on today's content!
1. OpenVPN is a software package for creating encrypted virtual private network tunnels, originally written by James Yonan. Peers that set up a VPN with it can authenticate using a pre-shared key, third-party certificates, or a username and password. It makes heavy use of the OpenSSL library and of the SSLv3/TLSv1 protocols.
2. OpenVPN runs on Linux, the BSDs, Mac OS X and Windows 2000/XP/7. It is not a web-based VPN and is not interoperable with IPsec or other VPN packages.
3. All OpenVPN traffic can be carried over a single IP port. Through the generic tun/tap driver it offers two kinds of virtual network interface: a layer-3 IP tunnel, or a virtual layer-2 Ethernet that can carry any kind of Ethernet frame; the payload can be compressed with LZO. The port that IANA (Internet Assigned Numbers Authority) officially assigned to OpenVPN is 1194.
4. Because it runs over ordinary transport protocols (TCP and UDP), OpenVPN is an ideal alternative to IPsec and similar protocols, especially where an ISP (Internet service provider) filters particular VPN protocols.
5. OpenVPN works in two modes:
routed mode (an IP tunnel over a tun interface), which this series uses for point-to-point links;
bridged mode (an Ethernet tunnel over a tap interface), which the author reserves for point-to-multipoint setups with several branch offices.
Routed tun mode also serves many clients at once (the `server 10.8.0.0 255.255.255.0` directive used below does exactly that); bridged tap mode is only required when non-IP or broadcast traffic has to cross the tunnel.
Now let's go through a point-to-point VPN.
III. Environment preparation
1. Time synchronization (certificate validity checks depend on a correct clock)
[root@openvpn ~]# yum install -y ntp
[root@openvpn ~]# ntpdate 202.120.2.101
[root@openvpn ~]# hwclock -w
2. Install the yum repository (EPEL)
[root@openvpn ~]# rpm -ivh http://download.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
3. Install the dependencies (only openssl, openssl-devel and lzo are actually needed by OpenVPN; the rest is the author's general-purpose build environment)
[root@openvpn ~]# yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 krb5-devel libidn libidn-devel openssl openssl-devel openldap openldap-devel nss_ldap openldap-clients openldap-servers
IV. Topology
[Topology diagram: http://www.it165.net/uploadfile/files/248.png]
Note: the topology is simple, so no detailed explanation; take a look yourself. (Here the VPN is a separate server, not co-located with the gateway.)
V. Configuration steps in detail
Note: a quick overview of the steps:
Install the lzo and openvpn packages
Prepare for configuration: copy the relevant files
Initialize the PKI
Build the server key
Generate the client keys
Generate the Diffie-Hellman parameters
Package the files under keys/ and download them for the clients
Copy ca.crt, server.crt, server.key and dh1024.pem from keys/ to /etc/openvpn
Edit the server configuration file /etc/openvpn/server.conf
Start the VPN server
Configure the Windows client
Set up port forwarding on the gateway server
Test the Windows client connection to OpenVPN
Give OpenVPN clients Internet access
Now let's work through these steps.
1. Install the lzo and openvpn packages
[root@openvpn src]# ls
epel-release-5-4.noarch.rpm
lzo-2.04-3.2.x86_64.rpm
openvpn-2.1-0.20.rc4.el5.kb.x86_64.rpm
[root@openvpn src]# rpm -ivh lzo-2.04-3.2.x86_64.rpm
warning: lzo-2.04-3.2.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID d164ce99
Preparing...
########################################### [100%]
########################################### [100%]
[root@openvpn src]# rpm -ivh openvpn-2.1-0.20.rc4.el5.kb.x86_64.rpm
Preparing...
########################################### [100%]
########################################### [100%]
2. Prepare for configuration: copy the relevant files
[root@openvpn src]# cp -r /usr/share/openvpn/easy-rsa/2.0/ /etc/openvpn/
[root@openvpn src]# cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn/
[root@openvpn src]# cd /etc/openvpn/
[root@openvpn openvpn]# ls
server.conf
3. Initialize the PKI (note: the vars default KEY_SIZE=1024 drives both the RSA key size and build-dh; set it to 2048 before sourcing vars on any new deployment)
[root@openvpn openvpn]# cd 2.0/
[root@openvpn 2.0]# ls
build-key-pass
build-req-pass
whichopensslcnf
build-key-pkcs12
openssl-0.f
revoke-full
build-inter
build-key-server
inherit-inter
[root@openvpn 2.0]# vim vars
Change the following items:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SH"
export KEY_CITY="SH"
export KEY_ORG="openvpn"
export KEY_EMAIL=""
[root@openvpn 2.0]# env | grep KEY
[root@openvpn 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/2.0/keys
[root@openvpn 2.0]# env | grep KEY
KEY_EXPIRE=3650
KEY_EMAIL=
KEY_SIZE=1024
KEY_DIR=/etc/openvpn/2.0/keys
KEY_CITY=SH
KEY_PROVINCE=SH
KEY_ORG=openvpn
KEY_CONFIG=/etc/openvpn/2.f
KEY_COUNTRY=CN
[root@openvpn 2.0]# ./clean-all
[root@openvpn 2.0]# ls
build-key-pass
build-req-pass
build-key-pkcs12
whichopensslcnf
build-inter
build-key-server
inherit-inter
openssl-0.f
revoke-full
[root@openvpn 2.0]# ./build-ca
Generating a 1024 bit RSA private key
...........................++++++
.............++++++
writing new private key to 'ca.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [SH]:
Organization Name (eg, company) [openvpn]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [openvpn CA]:
Email Address []:
4. Build the server key
[root@openvpn 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
.........++++++
writing new private key to 'server.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [SH]:
Organization Name (eg, company) [openvpn]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/2.f
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName
:PRINTABLE:'CN'
stateOrProvinceName
:PRINTABLE:'SH'
localityName
:PRINTABLE:'SH'
organizationName
:PRINTABLE:'openvpn'
commonName
:PRINTABLE:'server'
emailAddress
:IA5STRING:''
Certificate is to be certified until Jan 24 02:40:17 2024 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
5. Generate the client keys (three clients here, client1, client2 and client3; generate as many as you need)
[root@openvpn 2.0]# ./build-key client1
Generating a 1024 bit RSA private key
.....++++++
................................++++++
writing new private key to 'client1.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [SH]:
Organization Name (eg, company) [openvpn]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/2.f
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName
:PRINTABLE:'CN'
stateOrProvinceName
:PRINTABLE:'SH'
localityName
:PRINTABLE:'SH'
organizationName
:PRINTABLE:'openvpn'
commonName
:PRINTABLE:'client1'
emailAddress
:IA5STRING:''
Certificate is to be certified until Jan 24 02:42:39 2024 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@openvpn 2.0]# ./build-key client2
Generating a 1024 bit RSA private key
..................................++++++
............................................++++++
writing new private key to 'client2.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [SH]:
Organization Name (eg, company) [openvpn]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client2]:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/2.f
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName
:PRINTABLE:'CN'
stateOrProvinceName
:PRINTABLE:'SH'
localityName
:PRINTABLE:'SH'
organizationName
:PRINTABLE:'openvpn'
commonName
:PRINTABLE:'client2'
emailAddress
:IA5STRING:''
Certificate is to be certified until Jan 24 02:43:16 2024 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@openvpn 2.0]# ./build-key client3
Generating a 1024 bit RSA private key
..............++++++
writing new private key to 'client3.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [SH]:
Organization Name (eg, company) [openvpn]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client3]:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/2.f
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName
:PRINTABLE:'CN'
stateOrProvinceName
:PRINTABLE:'SH'
localityName
:PRINTABLE:'SH'
organizationName
:PRINTABLE:'openvpn'
commonName
:PRINTABLE:'client3'
emailAddress
:IA5STRING:''
Certificate is to be certified until Jan 24 02:43:58 2024 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
6. Generate the Diffie-Hellman parameters
[root@openvpn 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.....................................+..........+.............................++*++*++*
7. Package the files under keys/ and download them for the clients. (Same caveat as in Part 2 above: this archive includes ca.key, server.key and every client's private key; each client should receive only ca.crt, its own .crt and its own .key, and ca.key never leaves the CA host.)
[root@openvpn 2.0]# cd keys/
[root@openvpn keys]# ls
client1.crt
client2.crt
client3.crt
dh1024.pem
index.txt.attr.old
serial.old
server.key
client1.csr
client2.csr
client3.csr
index.txt.old
server.crt
client1.key
client2.key
client3.key
index.txt.attr
server.csr
[root@openvpn keys]# tar zcvf full.tar.gz ./*
./client1.crt
./client1.csr
./client1.key
./client2.crt
./client2.csr
./client2.key
./client3.crt
./client3.csr
./client3.key
./dh1024.pem
./index.txt
./index.txt.attr
./index.txt.attr.old
./index.txt.old
./serial.old
./server.crt
./server.csr
./server.key
[root@openvpn keys]# ls
client1.crt
client2.crt
client3.crt
dh1024.pem
index.txt.attr
server.csr
client1.csr
client2.csr
client3.csr
full.tar.gz
index.txt.attr.old
serial.old
server.key
client1.key
client2.key
client3.key
index.txt.old
server.crt
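The easy-rsa steps in sections 3 to 7 above (and the same steps in Part 2) do three things that are easy to get wrong by hand: mark the server certificate as a server certificate, check the result, and hand each client only its own material. The script below is an added example and is not code from either post or from the OpenVPN project; it reproduces those steps with plain `openssl` so that the checks are visible. The directory layout (`$dir/ca.crt`, `$dir/ca.key`, `$dir/NAME.crt`, `$dir/NAME.key`), the 2048-bit key size, the example address 203.0.113.10 and the assumption that `openssl`, `tar` and `mktemp` are installed are all mine; the DN fields come from the posts' vars file.

```shell
#!/bin/sh
# Added example (not from the posts): easy-rsa's build-ca / build-key-server /
# build-key steps done with plain openssl, plus the checks worth running before
# anything is handed to a client. Layout ($dir/ca.crt, $dir/ca.key,
# $dir/NAME.crt, $dir/NAME.key), 2048-bit keys and the 3650-day lifetime are
# assumptions; the DN fields match the posts' vars file.
set -eu

SUBJ_BASE="/C=CN/ST=SH/L=SH/O=openvpn"

# sign_cert DIR NAME ROLE(server|client): sign $dir/NAME.csr with the CA and
# attach the extensions a peer's remote-cert-tls / ns-cert-type check looks at.
sign_cert() {
  dir=$1; name=$2; role=$3
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$dir/$name.ext"
  printf 'extendedKeyUsage=%sAuth\nnsCertType=%s\n' "$role" "$role" >> "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 3650 -sha256 -extfile "$dir/$name.ext" -out "$dir/$name.crt"
}

# issue_cert DIR NAME ROLE: new key + CSR, then signed (build-key-server / build-key).
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -batch -subj "$SUBJ_BASE/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr"
  sign_cert "$1" "$2" "$3"
}

# build_pki DIR CLIENT...: the CA (build-ca), the server cert and one cert per client.
build_pki() {
  dir=$1; shift
  mkdir -p "$dir" && chmod 700 "$dir"
  openssl req -new -newkey rsa:2048 -nodes -batch -subj "$SUBJ_BASE/CN=openvpn CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.csr"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt"
  issue_cert "$dir" server server
  for c in "$@"; do issue_cert "$dir" "$c" client; done
  chmod 600 "$dir"/*.key
}

# verify_pki DIR CLIENT: chain check, then make sure only the server cert can
# satisfy a client's `remote-cert-tls server`; a client cert carrying serverAuth
# would let that user impersonate the VPN server to everyone else.
verify_pki() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" "$1/$2.crt" >/dev/null
  openssl x509 -in "$1/server.crt" -noout -text | grep -q 'TLS Web Server Authentication'
  ! openssl x509 -in "$1/$2.crt" -noout -text | grep -q 'TLS Web Server Authentication'
}

# bundle_is_clean FILE NAME: true only if the archive holds exactly ca.crt,
# NAME.crt and NAME.key. The posts' `tar zcvf client.tar.gz ./*` fails this:
# it carries ca.key, server.key and every other client's private key.
bundle_is_clean() {
  extra=$(tar -tzf "$1" | sed 's#^\./##' | grep -Ev "^(ca\.crt|$2\.crt|$2\.key)$" || true)
  [ -z "$extra" ]
}

# make_client_bundle DIR NAME OUT: the three files a client needs, nothing else.
make_client_bundle() {
  tar -C "$1" -czf "$3" ca.crt "$2.crt" "$2.key"
  bundle_is_clean "$3" "$2"
}

# make_ovpn DIR NAME REMOTE: one self-contained profile instead of loose files
# in the config folder; remote-cert-tls replaces the older ns-cert-type.
make_ovpn() {
  printf 'client\ndev tun\nproto udp\nremote %s 1194\nnobind\n' "$3"
  printf 'persist-key\npersist-tun\nremote-cert-tls server\nverb 3\n'
  printf 'comp-lzo\n'   # must match server.conf; drop it on both sides if you can
  printf '<ca>\n';   cat "$1/ca.crt";  printf '</ca>\n'
  printf '<cert>\n'; cat "$1/$2.crt";  printf '</cert>\n'
  printf '<key>\n';  cat "$1/$2.key";  printf '</key>\n'
}

# Usage: sh pki.sh DIR CLIENT REMOTE_IP   (with no arguments it only defines the functions)
if [ $# -eq 3 ]; then
  build_pki "$1" "$2"
  verify_pki "$1" "$2"
  make_client_bundle "$1" "$2" "$1/$2.tar.gz"
  make_ovpn "$1" "$2" "$3" > "$1/$2.ovpn"
  echo "ready: $1/$2.tar.gz and $1/$2.ovpn (ca.key stays in $1)"
fi
```

`sh pki.sh /etc/openvpn/pki client1 x.x.x.x` builds everything, writes `client1.tar.gz` (three files) and a single `client1.ovpn` with the certificates inline, and fails loudly if the server certificate could not pass `remote-cert-tls server` or if the bundle contains anything beyond those three files. The DH parameters are not generated here; `openssl dhparam -out dh2048.pem 2048` does that (slowly), and the `dh` line in server.conf must point at the result.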
8. Copy ca.crt, server.crt, server.key and dh1024.pem from keys/ to /etc/openvpn
[root@openvpn keys]# cp ca.* server.* dh1024.pem /etc/openvpn/
[root@openvpn keys]# cd /etc/openvpn/
[root@openvpn openvpn]# ls
dh1024.pem
server.conf
server.crt
server.csr
server.key
9. Edit the server configuration file /etc/openvpn/server.conf (see the notes on `client-to-client`, `user`/`group nobody` and `tls-auth` in Part 2 above; they apply here as well)
[root@openvpn openvpn]# cp server.conf server.conf.bak
[root@openvpn openvpn]# >server.conf
[root@openvpn openvpn]# vim server.conf
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
10. Start the VPN server
[root@openvpn openvpn]# service openvpn start
Starting openvpn:
[root@openvpn openvpn]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:A6:19:E8
          inet addr:192.168.18.248  Bcast:192.168.18.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fea6:19e8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST
          RX packets:107910 errors:0 dropped:0 overruns:0 frame:0
          TX packets:73200 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes: (115.2 MiB)  TX bytes: (.4 MiB)
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING
          RX packets:34 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes: ( KiB)  TX bytes: ( KiB)
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
11. Configure the Windows client
(1). Install the client (not shown; install it yourself)
(2). Put the client certificate files generated on the server into the config folder
D:\Program Files\OpenVPN\config\openvpn
(3). Create the client configuration file openvpn.ovpn
D:\Program Files\OpenVPN\config
Contents of openvpn.ovpn:
remote x.x.x.x 1194    # the office's public IP
persist-key
persist-tun
ca openvpn\\ca.crt
cert openvpn\\client1.crt
key openvpn\\client1.key
ns-cert-type server
redirect-gateway def1
12. Set up port forwarding on the gateway server. Two caveats on what follows: the POSTROUTING SNAT rule rewrites every client's source to the gateway's public address, so OpenVPN's log and openvpn-status.log no longer show real client addresses, and pinning the source port to 1194 makes concurrent clients collide on a single port; it is only needed when 192.168.18.248's default route does not point back at this gateway, and then it should be written without the `:1194`. Also, the forwarded packets pass only because the filter table's FORWARD policy is ACCEPT (shown below); a gateway with a DROP policy needs an explicit FORWARD rule for udp/1194 to 192.168.18.248.
[root@gateway ~]# /sbin/iptables -t nat -A PREROUTING -p udp -d x.x.x.x --dport 1194 -j DNAT --to 192.168.18.248:1194    # x.x.x.x = public IP
[root@gateway ~]# /sbin/iptables -t nat -A POSTROUTING -p udp -d 192.168.18.248 --dport 1194 -j SNAT --to x.x.x.x:1194     # x.x.x.x = public IP
[root@gateway ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain AS0_WEBACCEPT (2 references)
target     prot opt source               destination
[root@gateway ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       udp  --  anywhere             x.x.x.x (public IP)  udp dpt:openvpn to:192.168.18.248:1194
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       udp  --  anywhere             192.168.18.248       udp dpt:openvpn to:x.x.x.x (public IP):1194
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
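Part 2 step 12 above (NAT on a gateway that also runs OpenVPN) and step 12 here (port forwarding to a VPN host behind the gateway) both leave FORWARD at policy ACCEPT, and each has the ordering or SNAT problem noted in its text. The script below is an added example, not code from the posts; it applies either rule set idempotently and restricts what the tunnel may reach. The interface and address values (eth0, eth1, 10.8.0.0/24, 192.168.18.0/24, 192.168.18.254) are taken from the posts and are assumptions to adjust; `DRY_RUN=1` prints the commands instead of running them, which needs no root and is what the check at the end relies on.

```shell
#!/bin/sh
# Added example (not from the posts): gateway rules for both layouts.
#   colocated  - Part 2: OpenVPN listens on the gateway itself
#   forwarded  - Part 1: OpenVPN on a LAN host, UDP/1194 forwarded to it
# Interface and address values are the posts' and are assumptions.
set -eu

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_IP=${LAN_IP:-192.168.18.254}
VPN_NET=${VPN_NET:-10.8.0.0/24}
LAN_NET=${LAN_NET:-192.168.18.0/24}
VPN_PORT=${VPN_PORT:-1194}

# ipt TABLE CHAIN RULE...: append RULE unless it is already present (iptables -C,
# 1.4.11 and later), so re-running the script never duplicates rules.
# With DRY_RUN=1 the command is printed instead of executed.
ipt() {
  table=$1; chain=$2; shift 2
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "iptables -t $table -A $chain $*"
  elif ! iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
    iptables -t "$table" -A "$chain" "$@"
  fi
}

run() {     # same dry-run switch for commands other than iptables
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

colocated_rules() {
  run sysctl -w net.ipv4.ip_forward=1
  ipt filter INPUT -i "$WAN_IF" -p udp --dport "$VPN_PORT" -j ACCEPT
  # What tunnel clients may reach: replies, the LAN, the Internet; nothing else.
  # (The post relies on FORWARD policy ACCEPT, which lets the tunnel reach anything.)
  ipt filter FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt filter FORWARD -i tun+ -s "$VPN_NET" -o "$LAN_IF" -d "$LAN_NET" -j ACCEPT
  ipt filter FORWARD -i tun+ -s "$VPN_NET" -o "$WAN_IF" -j ACCEPT
  ipt filter FORWARD -i tun+ -j DROP
  # NAT. The first matching POSTROUTING rule wins, so the LAN-specific SNAT goes
  # before the catch-all, and the catch-all is bound to the WAN interface so it
  # can never rewrite LAN-bound packets. The SNAT is only needed when LAN hosts
  # have no route for $VPN_NET via this gateway.
  ipt nat POSTROUTING -s "$VPN_NET" -o "$LAN_IF" -d "$LAN_NET" -j SNAT --to-source "$LAN_IP"
  ipt nat POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
}

forwarded_rules() {
  vpn_host=$1
  run sysctl -w net.ipv4.ip_forward=1
  ipt nat PREROUTING -i "$WAN_IF" -p udp --dport "$VPN_PORT" \
      -j DNAT --to-destination "$vpn_host:$VPN_PORT"
  ipt filter FORWARD -i "$WAN_IF" -o "$LAN_IF" -p udp -d "$vpn_host" --dport "$VPN_PORT" -j ACCEPT
  ipt filter FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Deliberately no POSTROUTING SNAT towards $vpn_host: it would make every client
  # appear to come from the gateway, and pinning the source port to $VPN_PORT (as
  # the post does) makes concurrent clients collide on one port. Add a SNAT
  # (without a port) only if $vpn_host's default route does not point back here.
}

# Usage: sh gateway.sh colocated | forwarded VPN_HOST_IP   (then: service iptables save)
case "${1:-}" in
  colocated) colocated_rules ;;
  forwarded) forwarded_rules "${2:?usage: forwarded VPN_HOST_IP}" ;;
esac
```

`DRY_RUN=1 sh gateway.sh colocated` shows the rules in the order they will be added; drop `DRY_RUN` and run as root to apply them, then `service iptables save` to persist them across reboots on CentOS 5/6. `iptables -C` needs iptables 1.4.11 or later; on an older box flush the relevant chains before the run instead of relying on the check.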
13. Test the Windows client connection to OpenVPN (two methods, each demonstrated)
(3). Test it
Note: the VPN pings fine now, but the client cannot reach the Internet yet; next we configure OpenVPN for Internet access.
14. Give the OpenVPN server's clients Internet access
(1). Enable IP forwarding
[root@openvpn openvpn]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@openvpn openvpn]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax =
kernel.shmall =
(2). Configure NAT (traffic from the tunnel leaving eth0 is rewritten to the VPN server's LAN address, so the LAN and the gateway see an ordinary LAN host)
[root@openvpn openvpn]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.18.248
[root@openvpn openvpn]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  10.8.0.0/24          anywhere             to:192.168.18.248
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@openvpn openvpn]# service iptables save
Saving firewall rules to /etc/sysconfig/iptables:
[root@openvpn openvpn]# service iptables restart
Flushing firewall rules:
Setting chains to policy ACCEPT: nat
Unloading iptables modules:
Applying iptables firewall rules:
Loading additional iptables modules: ip_conntrack_netbios_n[
[root@openvpn openvpn]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  10.8.0.0/24          anywhere             to:192.168.18.248
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
15. Final test
Now we can reach the Internet. That completes the simple point-to-point VPN!
We have shown the point-to-point VPN configuration with the VPN and gateway on separate servers. Some readers will ask: isn't dedicating a whole server to the VPN wasteful? How do you configure it when the gateway and the VPN share one server? The next post demonstrates the point-to-point VPN with the VPN and gateway on the same server. That's all for today; I hope you found it useful ^_^