Vyatta certificate creation with easy-rsa
Server side: ca.crt, ABC-HQ.crt, ABC-HQ.key, dh.pem
Client side: ca.crt (the same file as the server's), ABC-feizhou.crt, ABC-feizhou.key
yum -y install epel-release
yum -y install openvpn easy-rsa
cp /usr/share/easy-rsa/3.0.8/easyrsa /usr/bin/
cp -ar /usr/share/easy-rsa/3.0.8/ /etc/openvpn/easyrsa3/
cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easyrsa3/vars
cd /etc/openvpn/easyrsa3/
easyrsa init-pki
cp openssl-easyrsa.cnf pki/
easyrsa build-ca nopass
easyrsa gen-req ABC-HQ nopass
easyrsa sign-req server ABC-HQ
easyrsa gen-dh
easyrsa gen-req ABC-feizhou nopass
easyrsa sign-req client ABC-feizhou
tar -czf /tmp/pki4.tar.gz ./pki
OpenVPN installation
yum -y install openvpn pulls in 3 packages:
(1/3): pkcs11-helper-1.25.1-1.oe1.x86_64.rpm 339 kB/s | 59 kB 00:00
(2/3): openvpn-help-2.4.8-8.oe1.noarch.rpm 829 kB/s | 174 kB 00:00
(3/3): openvpn-2.4.8-8.oe1.x86_64.rpm 1.5 MB/s | 338 kB 00:00
After installation, place the config files under /etc/openvpn/:
.
├── ca.crt
├── dh.pem
├── myvpn.conf
├── server.crt
└── server.key
ca.crt, server.crt, server.key and dh.pem were generated earlier (server.crt and server.key are the ABC-HQ.crt and ABC-HQ.key from the easy-rsa step, renamed).
Edit myvpn.conf, which is copied from /etc/openvpn/server/server.conf:
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
dh /etc/openvpn/dh.pem
Uncomment: comp-lzo
Comment out: #tls-auth ta.key 0 # This file is secret
Add the tunnel subnet: server 20.8.0.0 255.255.255.0
Prepare the systemd service unit
cp /lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service
Edit /etc/systemd/system/openvpn-server@.service and change the config path to: --config /etc/openvpn/%i.conf
systemctl enable openvpn-server@myvpn.service
systemctl start openvpn-server@myvpn.service
Prepare the Windows client files
ca.crt, client.crt and client.key, plus the client config below. The ca/cert/key names in the config must match the file names you ship with it (the config below uses the ABC- prefixed names).
client
dev tun
proto udp
remote 1.1.1.1 2222
resolv-retry infinite
nobind
mute-replay-warnings
ca ABC-ca.crt
cert ABC-client.crt
key ABC-client.key
comp-lzo
cipher AES-256-CBC
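An added check, not part of this page's procedure or of OpenVPN or easy-rsa: a small Python linter that parses the myvpn.conf edits above and the Windows client profile (both reconstructed inline as constructed samples; the paths and the 1.1.1.1 remote are placeholders taken from the page) and reports what a reviewer would flag in them: compression left on, tls-auth commented out with nothing replacing it, a client profile without remote-cert-tls server (the directive that makes the server/client distinction in sign-req matter), and a tunnel subnet outside private address space. The role names, severities and messages are this example's own.

```python
"""Lint the OpenVPN server config and client profile edited on this page.

Added example, not part of OpenVPN or easy-rsa. SERVER_CONF and CLIENT_CONF are
constructed from the page's myvpn.conf edits and the Windows client profile.
"""
import ipaddress
import shlex

SERVER_CONF = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
dh /etc/openvpn/dh.pem
server 20.8.0.0 255.255.255.0
comp-lzo
#tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
"""

CLIENT_CONF = """\
client
dev tun
proto udp
remote 1.1.1.1 2222
resolv-retry infinite
nobind
mute-replay-warnings
ca ABC-ca.crt
cert ABC-client.crt
key ABC-client.key
comp-lzo
cipher AES-256-CBC
"""

# Directives a config of each role cannot work without.
REQUIRED = {
    "server": ("ca", "cert", "key", "dh", "server"),
    "client": ("client", "remote", "ca", "cert", "key"),
}


def parse_config(text):
    """Return [(directive, [args])]; blank lines and '#'/';' comment lines are dropped."""
    entries = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped[0] in "#;":
            continue
        # The stock server.conf puts '# comment' after a directive, so strip that too.
        parts = shlex.split(stripped.split("#", 1)[0])
        if parts:
            entries.append((parts[0], parts[1:]))
    return entries


def lint(text, role):
    """Return [(severity, message)] for a 'server' or 'client' config text."""
    present = {directive: args for directive, args in parse_config(text)}
    findings = []

    for directive in REQUIRED[role]:
        if directive not in present:
            findings.append(("error", f"missing required directive '{directive}' for a {role} config"))

    # 'comp-lzo', or 'compress' with a real algorithm, turns on data-channel compression,
    # which OpenVPN 2.4 deprecates: compressing secrets alongside attacker-chosen data leaks them.
    compress = present.get("compress")
    if "comp-lzo" in present or (compress and compress[0] not in ("stub", "stub-v2")):
        findings.append(("warn", "compression enabled (comp-lzo/compress); leave it off"))

    # Without tls-auth/tls-crypt every packet reaches the TLS stack; the shared HMAC key
    # lets the daemon drop unauthenticated packets before TLS sees them.
    if not any(d in present for d in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        findings.append(("warn", "no tls-auth or tls-crypt: control channel is not pre-authenticated"))

    # Only 'remote-cert-tls server' makes the client insist on the serverAuth EKU that
    # 'easyrsa sign-req server' put in the server certificate.
    if role == "client" and present.get("remote-cert-tls") != ["server"]:
        findings.append(("warn", "no 'remote-cert-tls server': any cert from this CA, including a "
                                 "client cert, would be accepted as the server"))

    if role == "server" and len(present.get("server", [])) >= 2:
        addr, mask = present["server"][:2]
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            findings.append(("error", f"server directive has an invalid subnet {addr}/{mask}"))
        else:
            if not net.is_private:
                findings.append(("warn", f"tunnel subnet {net} is public address space; use a private range"))

    cipher = (present.get("cipher") or [""])[0]
    if cipher.upper().endswith("-CBC"):
        findings.append(("info", f"cipher {cipher} is CBC; 2.4 peers negotiate AES-GCM via "
                                 "ncp-ciphers when both sides allow it"))
    return findings


if __name__ == "__main__":
    for role, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        print(f"== {role} ==")
        for severity, message in lint(conf, role):
            print(f"{severity:5} {message}")
```

Run it against a real /etc/openvpn/myvpn.conf by passing the file contents to lint(text, "server"); the findings clear once comp-lzo is removed, a tls-crypt (or tls-auth) key is configured on both ends, the client profile carries remote-cert-tls server, and the server line uses a private subnet.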