Linux: building a solid SSL VPN service for the enterprise
Author: anonymous. Source: forum, 2013-05-16 06:55

I. Kernel TUN/TAP support

OpenVPN implements its SSL VPN on top of a virtual TUN/TAP device, so the kernel must support the TUN/TAP device module. The option lives in the kernel configuration under Device Drivers -> Network device support, with the full name "Universal TUN/TAP device driver support". In a standard kernel it is normally provided as a module, and OpenVPN loads the module itself at startup, so there is no need to load it by hand.

  [root@dic172 2.6.18-238.12.1.el5-i686]# pwd
  [root@dic172 2.6.18-238.12.1.el5-i686]# make menuconfig    # open the kernel configuration menu
  Device Drivers -> Network device support -> Universal TUN/TAP device driver support    # i.e. loaded into the kernel as a module

II. Supporting packages

Before installing OpenVPN, a few supporting packages are needed: the OpenSSL development library and the LZO compression development library.

1. The OpenSSL development library can be installed with yum; the LZO development package has to be downloaded and installed by hand.

  [root@dic172 /]# yum install openssl
  [root@dic172 /]# yum install openssl-devel

2. LZO can be downloaded from .oberhumer./opensource/lzo/ (address as given in the source).

  [root@dic172 src]# tar zxvf lzo-2.03.tar.gz
  [root@dic172 src]# cd lzo-2.03
  [root@dic172 lzo-2.03]# ./configure
  [root@dic172 lzo-2.03]# make
  [root@dic172 lzo-2.03]# make install

III. Configuring the SSL VPN service

1. Download OpenVPN 2.0.9 and install it, then register the init script:

  [root@dic172 openvpn-2.0.9]# ./configure
  [root@dic172 openvpn-2.0.9]# make
  [root@dic172 openvpn-2.0.9]# make install
  [root@dic172 openvpn-2.0.9]# cp -p sample-scripts/openvpn.init /etc/init.d/openvpn
  [root@dic172 openvpn-2.0.9]# chkconfig --add openvpn
  [root@dic172 openvpn-2.0.9]# service openvpn status    # check the service status
  openvpn: service not started
  [root@dic172 openvpn-2.0.9]# chkconfig --level 235 openvpn on
  [root@dic172 openvpn-2.0.9]# chkconfig --list openvpn
  openvpn         0:off   1:off   2:on    3:on    4:on    5:on    6:off

2. Enable IP forwarding:

  # vi /etc/sysctl.conf
  net.ipv4.ip_forward = 1
  [root@dic172 openvpn-2.0.9]# sysctl -p

3. Use /etc/openvpn as the OpenVPN configuration directory and /etc/openvpn/server.conf as the server configuration file.

OpenVPN is an SSL VPN implementation, so the heart of its authentication is the management of the server's and the clients' SSL certificates. If the administrator has no existing certificate-issuing infrastructure, the set of tools shipped with OpenVPN can do all of the work: under /usr/s there is an easy-rsa directory holding the tools for generating and managing SSL certificates. The certificate generation steps follow.

  [root@dic172 openvpn-2.0.9]# mkdir -p /etc/openvpn
  [root@dic172 openvpn-2.0.9]# cp -p sample-config-files/server.conf /etc/openvpn/    # copy the sample config into /etc/openvpn/; it is edited later

4. Edit the variables in the vars file: country code, province, city, organization, unit name and so on.

  [root@dic172 openvpn-2.0.9]# cd easy-rsa/
  [root@dic172 easy-rsa]# grep -v '#' vars
  export D=`pwd`
  export KEY_CONFIG=$D/f
  export KEY_DIR=$D/keys
  echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
  export KEY_SIZE=1024
  export KEY_COUNTRY=CN
  export KEY_PROVINCE=GD
  export KEY_CITY=SZ
  export KEY_ORG=DIC
  export KEY_EMAIL=tghfly222126.
  [root@dic172 easy-rsa]# source vars
  NOTE: when you run ./clean-all, I will be doing a rm -rf on /usr/src/openvpn-2.0.9/easy-rsa/keys    # reminder that ./clean-all removes every certificate, the CA included

The vars file shown sets KEY_SIZE=1024. 1024-bit RSA is below the 2048-bit minimum generally required today, so raise KEY_SIZE before running build-ca on a new deployment.

5. Run the clean-all script to remove every certificate, the CA included, then create the CA certificate.

  [root@dic172 easy-rsa]# ./clean-all    # clear out old certificates before creating new ones
  [root@dic172 easy-rsa]# ./build-ca     # create the CA certificate
  Generating a 1024 bit RSA private key
  ......+++
  ......+++
  writing new private key to 'ca.key'
  -----
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [CN]:
  State or Province Name (full name) [GD]:
  Locality Name (eg, city) [SZ]:
  Organization Name (eg, company) [DIC]:
  Organizational Unit Name (eg, section) []:
  Common Name (eg, your name or your server's hostname) []:dic172    # server hostname
  Email Address [tghfly222126.]:

build-ca writes ca.key into the keys directory on the VPN server itself. Anyone holding that key can issue client certificates the server will trust, so in production keep the CA private key off the server and readable only by its owner.

6. Create the server key.

  [root@dic172 easy-rsa]# ./build-key-server server    # create the server-side key
  Generating a 1024 bit RSA private key
  ......+++
  ......+++
  writing new private key to 'server.key'
  -----
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [CN]:
  State or Province Name (full name) [GD]:
  Locality Name (eg, city) [SZ]:
  Organization Name (eg, company) [DIC]:
  Organizational Unit Name (eg, section) []:
  Common Name (eg, your name or your server's hostname) []:dic172    # server hostname
  Email Address [tghfly222126.]:

  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:dic172
  An optional company name []:dic172
  Check that the request matches the signature
  Signature ok
  The Subject's Distinguished Name is as follows
  countryName           :PRINTABLE:'CN'
  stateOrProvinceName   :PRINTABLE:'GD'
  localityName          :PRINTABLE:'SZ'
  organizationName      :PRINTABLE:'DIC'
  commonName            :PRINTABLE:'dic172'
  emailAddress          :IA5STRING:'tghfly222126.'
  Certificate is to be certified until Jul 16 05:51:08 2021 GMT (3650 days)
  Sign the certificate? [y/n]:y
  1 out of 1 certificate requests certified, commit? [y/n]y
  Write out
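As an added example (not code from the original article, nor from OpenVPN or easy-rsa), the POSIX shell script below bundles the checks a practitioner would run on the server before starting OpenVPN: that the kernel has TUN/TAP support, that net.ipv4.ip_forward is set to 1 in sysctl.conf, that the KEY_SIZE in the easy-rsa vars file is not weak, and that the ca.key written by build-ca is not readable by anyone but its owner. The easy-rsa location /usr/src/openvpn-2.0.9/easy-rsa and the 2048-bit floor are assumptions; every check takes its input paths as arguments so it can be pointed at the live system or at constructed files.

```shell
#!/bin/sh
# Pre-flight checks for the OpenVPN server build described above.
# Added example; not code from the original article or from OpenVPN/easy-rsa.
# Each check takes its input paths as arguments (defaults are the live-system
# paths), so the same functions run against constructed files for testing.

# 1. Kernel TUN/TAP support: OpenVPN opens /dev/net/tun. The node exists when
#    the driver is built in or the 'tun' module is loaded; as a fallback, look
#    for 'tun' in a /proc/modules-style listing.
check_tun() {
    dev="${1:-/dev/net/tun}"
    modules="${2:-/proc/modules}"
    [ -c "$dev" ] && return 0
    grep -q '^tun ' "$modules" 2>/dev/null
}

# 2. IP forwarding: VPN clients can only reach networks behind the server when
#    the kernel forwards packets. Parses a sysctl.conf-style file; comment
#    lines are skipped and the last assignment wins, as it does for sysctl -p.
check_ip_forward() {
    conf="${1:-/etc/sysctl.conf}"
    awk -F= '
        /^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=/ {
            v = $2; gsub(/[[:space:]]/, "", v)
        }
        END { if (v == "1") exit 0; exit 1 }
    ' "$conf" 2>/dev/null
}

# 3. RSA key size in easy-rsa vars: prints the value of 'export KEY_SIZE=...'
#    (empty if absent). check_key_size fails when it is missing or below the
#    minimum; 2048 is the assumed floor here, the article's vars file has 1024.
vars_key_size() {
    awk '/^[[:space:]]*export[[:space:]]+KEY_SIZE=/ {
             sub(/.*KEY_SIZE=/, ""); gsub(/[[:space:]]/, ""); v = $0
         }
         END { print v }' "$1" 2>/dev/null
}

check_key_size() {
    size=$(vars_key_size "$1")
    min="${2:-2048}"
    [ -n "$size" ] && [ "$size" -ge "$min" ] 2>/dev/null
}

# 4. CA key exposure: build-ca writes ca.key into easy-rsa/keys. The key must
#    exist and be readable by its owner only. POSIX find prints the path when
#    the group-read (-perm -040) or other-read (-perm -004) bit is set.
check_key_perms() {
    key="$1"
    [ -f "$key" ] || return 1
    [ -z "$(find "$key" \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

# Run every check against the live host; exit status is non-zero on any failure.
# EASY_RSA_DIR defaults to the build-tree path used in the article (assumed).
preflight() {
    rc=0
    easyrsa="${EASY_RSA_DIR:-/usr/src/openvpn-2.0.9/easy-rsa}"
    check_tun        || { echo "FAIL: no TUN/TAP support; modprobe tun or rebuild the kernel"; rc=1; }
    check_ip_forward || { echo "FAIL: net.ipv4.ip_forward is not 1 in /etc/sysctl.conf"; rc=1; }
    check_key_size "$easyrsa/vars" \
        || { echo "FAIL: KEY_SIZE in $easyrsa/vars is missing or below 2048"; rc=1; }
    check_key_perms "$easyrsa/keys/ca.key" \
        || { echo "FAIL: $easyrsa/keys/ca.key is missing or readable by group/others"; rc=1; }
    [ "$rc" -eq 0 ] && echo "all pre-flight checks passed"
    return "$rc"
}

# Invoke as 'sh preflight.sh run' to check the live host.
if [ "${1:-}" = "run" ]; then
    preflight
fi
```

Run it as root on the server after step 6; a non-zero exit means at least one precondition from the walkthrough is not met, and the FAIL lines name which one. The key-permission check deliberately uses find rather than stat so it behaves the same on GNU and BSD userlands.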