Configuring an OpenVPN Service on a Raspberry Pi

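Once OpenVPN is installed, the corresponding configuration files are created automatically. They are stored in the following locations:
Configuration file paths
/usr/sbin/openvpn    program binary
/etc/openvpn/        configuration files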



Configuring easy-rsa and generating keys


OpenVPN ships with easy-rsa, a lightweight key generation tool.
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa/
nano /etc/openvpn/easy-rsa/vars
In vars, change the line export EASY_RSA="/etc/openvpn/easy-rsa" to set the key storage path.
root@bpi201704:/etc/openvpn/easy-rsa# source ./vars
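
Added example (not from the original page): a shell check to run on vars before the build scripts. The transcripts on this page report 1024-bit RSA keys and DH parameters and DN fields left at changeme, both of which come from vars; the 2048-bit minimum and the helper names vars_get, audit_vars and write_sample_vars are assumptions of this example.

```shell
#!/bin/sh
# Audit an easy-rsa 2.0 vars file before any keys are built.
# Prints one finding per line and nothing when every check passes.

# Print the last value exported for NAME in FILE, with quotes stripped.
vars_get() {  # usage: vars_get FILE NAME
    sed -n "s/^[[:space:]]*export[[:space:]]\{1,\}$2=//p" "$1" |
        tail -n 1 | sed -e 's/[[:space:]]*#.*$//' -e 's/^"\(.*\)"$/\1/'
}

audit_vars() {  # usage: audit_vars FILE [MIN_BITS]
    file=$1
    min_bits=${2:-2048}  # assumption: 2048 bits as the minimum for RSA and DH
    size=$(vars_get "$file" KEY_SIZE)
    case $size in
        ''|*[!0-9]*) echo "KEY_SIZE: not set to a number" ;;
        *) [ "$size" -ge "$min_bits" ] ||
               echo "KEY_SIZE: $size bits is below $min_bits" ;;
    esac
    # DN defaults offered at the prompts; accepted as-is they land in certificates.
    for name in KEY_OU KEY_CN KEY_NAME; do
        if [ "$(vars_get "$file" "$name")" = "changeme" ]; then
            echo "$name: still the placeholder 'changeme'"
        fi
    done
    return 0
}

# Constructed sample mirroring the defaults visible in this page's transcripts.
write_sample_vars() {  # usage: write_sample_vars FILE
    cat > "$1" <<'EOF'
export EASY_RSA="/etc/openvpn/easy-rsa"
export KEY_SIZE=1024
export KEY_EMAIL=mail@host.domain
export KEY_CN=changeme
export KEY_NAME=changeme
export KEY_OU=changeme
EOF
}

sample=$(mktemp) && write_sample_vars "$sample" && audit_vars "$sample"
rm -f "$sample"
```

KEY_SIZE also sets the length of the DH parameters produced by build-dh, so raising it in vars covers both.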



Generating the keys


root@bpi201704:/etc/openvpn/easy-rsa# ./clean-all
root@bpi201704:/etc/openvpn/easy-rsa# ./build-ca
Generating a 1024 bit RSA private key
...................................................................................++++++
.............................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:
Name [changeme]:
Email Address [mail@host.domain]:
root@bpi201704:/etc/openvpn/easy-rsa#



Generating the server key

root@bpi201704:/etc/openvpn/easy-rsa# ./build-key-server server
Generating a 1024 bit RSA private key
..++++++
..........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [server]:bpi201704
Name [changeme]:
Email Address [mail@host.domain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'changeme'
commonName :PRINTABLE:'bpi201704'
name :PRINTABLE:'changeme'
emailAddress :IA5STRING:'mail@host.domain'
Certificate is to be certified until Jul 12 06:23:43 2027 GMT (3650 days)
Sign the certificate? [y/n]:
CERTIFICATE WILL NOT BE CERTIFIED
root@bpi201704:/etc/openvpn/easy-rsa#
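Sometimes you need to enter y at the "Sign the certificate? [y/n]" prompt. In the transcript above the prompt was not answered with y, which is why it ends with CERTIFICATE WILL NOT BE CERTIFIED.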



Generating the client key

root@bpi201704:/etc/openvpn/easy-rsa# ./build-key-pass client1
Generating a 1024 bit RSA private key
......................................................++++++
..............................................................................++++++
writing new private key to 'client1.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [client1]:
Name [changeme]:
Email Address [mail@host.domain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'changeme'
commonName :PRINTABLE:'client1'
name :PRINTABLE:'changeme'
emailAddress :IA5STRING:'mail@host.domain'
Certificate is to be certified until Jul 12 06:25:25 2027 GMT (3650 days)
Sign the certificate? [y/n]:
CERTIFICATE WILL NOT BE CERTIFIED
root@bpi201704:/etc/openvpn/easy-rsa#
root@bpi201704:/etc/openvpn/easy-rsa#
Sometimes you need to enter y at the "Sign the certificate? [y/n]" prompt.



Generating the DH parameters


root@bpi201704:/etc/openvpn/easy-rsa# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..................



OpenVPN server configuration file


# cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/
(decompress the sample with gzip -d if needed)
# nano /etc/openvpn/server.conf
Edit the configuration, then test it:
# openvpn /etc/openvpn/server.conf
service openvpn restart
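
Added example (not from the original page): a pre-flight check to run before testing the configuration, confirming that each ca, cert, key and dh file named in server.conf exists and that the private key is not readable by group or others. The function names, the sample file names, and the rule that relative paths resolve against the directory passed as the second argument (default: the directory holding server.conf) are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight check for an OpenVPN server.conf: every ca/cert/key/dh file must
# exist, and the private key must not be accessible to group or others.

check_server_conf() {  # usage: check_server_conf CONF [BASE_DIR]
    conf=$1
    base=${2:-$(dirname "$conf")}  # assumption: relative paths resolve here
    status=0
    # Lines starting with # or ; never match a directive name and are skipped.
    while read -r directive path _rest; do
        case $directive in
            ca|cert|key|dh) ;;
            *) continue ;;
        esac
        case $path in
            /*) file=$path ;;
            *)  file=$base/$path ;;
        esac
        if [ ! -f "$file" ]; then
            echo "$directive: $file is missing"
            status=1
        elif [ "$directive" = key ]; then
            # Characters 5-10 of ls -l are the group and other permission bits.
            perms=$(ls -ld "$file" | cut -c5-10)
            if [ "$perms" != "------" ]; then
                echo "key: $file is accessible to group/others ($perms)"
                status=1
            fi
        fi
    done < "$conf"
    return "$status"
}

# Constructed sample: keys placed next to server.conf, DH file forgotten.
make_sample() {  # usage: make_sample DIR
    printf '%s\n' '# constructed sample' 'port 1194' 'ca ca.crt' \
        'cert server.crt' 'key server.key  # keep secret' 'dh dh2048.pem' \
        > "$1/server.conf"
    : > "$1/ca.crt"; : > "$1/server.crt"; : > "$1/server.key"
    chmod 644 "$1/server.key"
}

d=$(mktemp -d) && make_sample "$d"
check_server_conf "$d/server.conf" || echo "fix the findings above first"
rm -rf "$d"
```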
