论坛: UNIX系统 标题: [原]OpenVPN笔记 复制本贴地址    
作者: TecZm [teczm]    版主   登录
作者:TecZm  2006-02-14

此处内容需要回复帖子才能显示


[此贴被 TecZm(teczm) 在 06月06日09时06分 编辑过]

地主 发表时间: 06-05-15 17:11

回复: TecZm [teczm]   版主   登录
OenVPN客户端配置文件
[replyview]
# Linux或Unix下使用扩展名为.conf
# Windows下使用的是.ovpn
# 把需要使用的keys复制到配置文件所在目录ca.crt elm.crt elm.key ta.key

# 标注自己是个客户端
# 配置从server端pull过来,如IP地址,路由信息之类"Server使用push指令push过来的"
client

# 路由模式或桥模式
# 这项要和服务器端一样
;dev tap
dev tun

# 在Windows上如果你更多的网络接口,你需要在网络连接控制面板上增加
# TAP-Win32适配器接口名
# 在XP SP2或更高系统上,你需要使windows防火墙对该接口不执行过滤规则
# 非Windows系统通常不需要设置这个
;dev-node MyTap

# TCP还是UDP server?
;proto tcp
proto udp

# 远程服务器主机名和端口
# 你可以设置多个服务器来做负载均衡
remote server.teczm.com 1194  #用域名比较好,除非dns DOWN机
;remote my-server-2 1194

# 负载均衡时所用:
# 随机选择一个Server连接,否则按照顺序从上到下依次连接
;remote-random

# 始终重新解析Server的IP地址(如果remote后面跟的是域名),
# 保证Server IP地址是动态的使用DDNS动态更新DNS后,
# Client在自动重新连接时重新解析Server的IP地址
# 这样无需人为重新启动,即可重新接入VPN
resolv-retry infinite

# 在本机不绑定任何端口监听incoming数据,
# Client无需此操作,除非一对一的VPN有必要
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

#通过keepalive检测超时后,重新启动VPN,不重新读取keys,保留第一次使用的keys
persist-key
#通过keepalive检测超时后,重新启动VPN,一直保持tun或者tap设备是linkup的,
#否则网络连接会先linkdown然后linkup
persist-tun

# 这项用于通过http代理访问openvpn服务器的情况
# 如果你使用HTTP代理连接VPN Server,把Proxy的IP地址和端口写到下面
# 如果代理需要验证,使用http-proxy server port [authfile] [auth-method]
# 其中authfile是一个2行的文本文件,用户名和密码各占一行,
# auth-method可以省略,详细信息查看Manual
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# 这项用于无线网络
# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# 证书/key文件指向
# Root CA 文件的文件名,用于验证Server CA证书合法性,
# 通过easy-rsa/build-ca生成的ca.crt,和Server配置里的ca.crt是同一个文件
ca ca.crt

# easy-rsa/build-key生成的key pair文件,
#上面生成key部分中有提到,不同客户使用不同的keys修改以下两行配置并使用他们的keys即可。
cert client.crt
key client.key


# 该项检测服务器证书可靠性
# Server使用build-key-server脚本生成的,在x509 v3扩展中加入了ns-cert-type选项
# 防止VPN client使用他们的keys + DNS hack欺骗vpn client连接他们假冒的VPN Server
# 因为他们的CA里没有这个扩展
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
# 和Server配置里一致,ta.key也一致,注意最后参数使用的是1
;tls-auth ta.key 1

# 选择一种加密算法,必需和服务器端一致
;cipher x

# 允许数据压缩
# 这项和服务器配置文件一样
comp-lzo

# 设置日志记录冗长级别
verb 3

# 重复日志记录限额
mute 20
[/replyview]

[此贴被 TecZm(teczm) 在 06月06日09时08分 编辑过]

B1层 发表时间: 06-05-15 17:11

回复: TecZm [teczm]   版主   登录
OpenVPN服务器端配置文件
[replyview]
# 哪个本地ip地址将被Openvpn监听?
# 也可以不注明
;local a.b.c.d

# 哪一个tcp/udp端口将被监听?
# 如果你要在一台机器上启动多个OpenVPN,你需要监听不同的端口
# 记着在防火墙那里打开这些端口
port 1194

# TCP还是UDP协议?
# 如果采用HTTP proxy,必须使用TCP协议
proto udp

# "dev tun" 将创建1个路由隧道
# "dev tap" 将创建1个以太网隧道
# 如果你选择桥模式,使用 "dev tap"
# 如果你需要控制每个客户端的访问控制策略
# 你必须创建防火墙规则到TUN/TAP接口
# 在非Windows系统上,你可以明确该接口,如:tun0
# 在Windows上,使用"dev-node"
# 在大多数系统上,如果你的防火墙部分或全部禁止TUN/TAP接口的话,Openvpn将可能不起作用
;dev tap
dev tun

# 在Windows上如果你更多的网络接口,你需要在网络连接控制面板上增加
# TAP-Win32适配器接口名
# 在XP SP2或更高系统上,你需要使windows防火墙对该接口不执行过滤规则
# 非Windows系统通常不需要设置这个
;dev-node MyTap

# 证书/key文件指向
ca ca.crt  #OpenVPN使用的ROOT CA,使用build-ca生成的,用于验证客户是证书是否合法
cert server.crt #Server使用的证书文件
key server.key  #Server使用的证书对应的key,该文件必须严格控制其安全性

#CRL文件的申明,被吊销的证书链,这些证书将无法登录
;crl-verify vpncrl.pem


# Diffie hellman文件指向
# 如果你在建立证书时使用2048的话这里是2048
# 否则默认
dh dh1024.pem

# 给接入的client分配的地址段
server 192.168.80.0 255.255.255.0

# 维护客户端和虚拟ip地址联系
# 在openvpn重启时,再次连接的客户端将依然被分配和以前一样的
# ip地址
ifconfig-pool-persist ipp.txt

# openvpn桥模式用的[我不用桥模式]
# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface.  Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0.  Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients.  Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# 下面这句使客户端能访问服务器后面的子网机器
# 比如:服务器子网网段是192.168.10.0和192.168.10.2
# 你需要在openVPN服务器端配置文件中添加下面这两句
push "route 192.168.10.0 255.255.255.0"
push "route 192.168.20.0 255.255.255.0"

# 使服务器子网内机器可以访问客户端子网内机器
# 仅用于路由模式
# 假设:客户端子网网段192.168.40.0
# 首先,在服务器配置文件中添加下面这两行
#    client-config-dir ccd
#  和route 192.168.40.0  255.255.255.0
# 然后在服务器端ccd目录下创建一个文件,文件名是客户端的公共名
# 文件内容是:
#    iroute 192.168.40.0  255.255.255.0
;client-config-dir ccd
;route 192.168.40.0  255.255.255.0


# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#  ifconfig-push 10.9.0.1 10.9.0.2

# 支持对不同客户端组执行不同的防火墙策略
# 这里有两种方法
# (1) 运行多个OpenVPN守护进程, 每个对应不同的组
#    并且防火墙对不同的组和进程执行不同的策略
# (2) (高级)创建1个动态脚本使防火墙对接入的不同客户端执行不同的策略
;learn-address ./script


# 下面这句使客户端所有网络通信通过vpn
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel.  Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
;push "redirect-gateway"

# 客户端DHCP设置
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"

# 下面这句使客户端能相互访问
# 否则,默认设置下客户端间不能相互访问
client-to-client

# 这段常用于测试用途,注释该条可实现限制一个证书在同一时刻只能有一个客户端接入
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names.  This is recommended
# only for testing purposes.  For production use,
# each client should have its own certificate/key
# pair.
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# 活动连接保时期限
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# 为防止遭到DDoS攻击
# 生成ta.key文件,并cp到服务器端和每个客户端
# 该文件用以下命令生成
# openvpn --genkey --secret ta.key
# 服务器端0,客户端1
# 该文件要严格保护
tls-auth ta.key 0 # 服务器端是0

# 选择一种加密算法,Server端和client端必须一样
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC  # AES
;cipher DES-EDE3-CBC  # Triple-DES

# 允许数据压缩
# 客户端配置文件也需要有这项
comp-lzo

# 最大客户端并发连接数量
;max-clients 100

#定义运行openvpn的用户
;user nobody
;group nobody

#通过keepalive检测超时后,重新启动VPN,不重新读取keys,保留第一次使用的keys
persist-key
#通过keepalive检测超时后,重新启动VPN,一直保持tun或者tap设备是linkup的,
#否则网络连接会先linkdown然后linkup
persist-tun

#定期把openvpn的一些状态信息写到文件中,以便自己写程序计费或者进行其他操作
status openvpn-status.log

#记录日志,每次重新启动openvpn后删除原有的log信息
;log        openvpn.log 
#或者
#记录日志,每次重新启动openvpn后追加原有的log信息
log-append  openvpn.log  #[为便于管理log可将该项改为/var/log/openvpn.log]

# 设置日志记录冗长级别
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# 重复日志记录限额
# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
mute 20
[/replyview]

[此贴被 TecZm(teczm) 在 06月06日09时09分 编辑过]

B2层 发表时间: 06-05-15 17:12

回复: TecZm [teczm]   版主   登录
Easy-RSA README

这是一个小型的RSA key管理包,基于openssl命令行工具,可以在openvpn分发包的easy-rsa目录下找到。

这是参考笔记,一步一步的指令,请参见openvpn HOWTO: http://openvpn.net/howto.html

安装

1. 编辑 vars 文件.
2. 设置 KEY_CONFIG 指向openssl.cnf文件[默认vars已经做好,这个不用管了]
3. 设置 KEY_DIR 指向你的key、证书等所在目录,这个目录不必已经存在,如果它存在将被自动rm -rf[默认vars已经做好,这个不用管了]
4. 如果你觉得KEY_SIZE=1024不满足你的偏执狂,你可以设置其为2048[我觉得已经够了,所以这块不改]
  其他如:国家、省份、城市、组织、Email自己看着改吧
5  . vars
6. ./clean-all
7. As you create certificates, keys, and
  certificate signing requests, understand that
  only .key files should be kept confidential.
  .crt and .csr files can be sent over insecure
  channels such as plaintext email.
8. You should never need to copy a .key file
  between computers.  Normally each computer
  will have its own certificate/key pair.

BUILD YOUR OWN ROOT CERTIFICATE AUTHORITY (CA) CERTIFICATE/KEY

1. ./build-ca
2. ca.crt and ca.key will be built in your KEY_DIR
  directory

BUILD AN INTERMEDIATE CERTIFICATE AUTHORITY CERTIFICATE/KEY (optional)

1. ./build-inter inter
2. inter.crt and inter.key will be built in your KEY_DIR
  directory and signed with your root certificate.

BUILD DIFFIE-HELLMAN PARAMETERS (necessary for
the server end of a SSL/TLS connection).

1. ./build-dh

BUILD A CERTIFICATE SIGNING REQUEST (If
you want to sign your certificate with a root
certificate controlled by another individual
or organization, or residing on a different machine).

1. Get ca.crt (the root certificate) from your
  certificate authority.  Though this
  transfer can be over an insecure channel, to prevent
  man-in-the-middle attacks you must confirm that
  ca.crt was not tampered with.  Large CAs solve this
  problem by hardwiring their root certificates into
  popular web browsers.  A simple way to verify a root
  CA is to call the issuer on the telephone and confirm
  that the md5sum or sha1sum signatures on the ca.crt
  files match (such as with the command: "md5sum ca.crt").
2. Choose a name for your certificate such as your computer
  name.  In our example we will use "mycert".
3. ./build-req mycert
4. You can ignore most of the fields, but set
  "Common Name" to something unique such as your
  computer's host name.  Leave all password
  fields blank, unless you want your private key
  to be protected by password.  Using a password
  is not required -- it will make your key more secure
  but also more inconvenient to use, because you will
  need to supply your password anytime the key is used.
  NOTE: if you are using a password, use ./build-req-pass
  instead of ./build-req
5. Your key will be written to $KEY_DIR/mycert.key
6. Your certificate signing request will be written to
  to $KEY_DIR/mycert.csr
7. Email mycert.csr to the individual or organization
  which controls the root certificate.  This can be
  done over an insecure channel.
8. After the .csr file is signed by the root certificate
  authority, you will receive a file mycert.crt
  (your certificate).  Place mycert.crt in your
  KEY_DIR directory.
9. The combined files of mycert.crt, mycert.key,
  and ca.crt can now be used to secure one end of
  an SSL/TLS connection.

SIGN A CERTIFICATE SIGNING REQUEST

1. ./sign-req mycert
2. mycert.crt will be built in your KEY_DIR
  directory using mycert.csr and your root CA
  file as input.

BUILD AND SIGN A CERTIFICATE SIGNING REQUEST
USING A LOCALLY INSTALLED ROOT CERTIFICATE/KEY -- this
script generates and signs a certificate in one step,
but it requires that the generated certificate and private
key files be copied to the destination host over a
secure channel.

1. ./build-key mycert (no password protection)
2. OR ./build-key-pass mycert (with password protection)
3. OR ./build-key-pkcs12 mycert (PKCS #12 format)
4. OR ./build-key-server mycert (with nsCertType=server)
5. mycert.crt and mycert.key will be built in your
  KEY_DIR directory, and mycert.crt will be signed
  by your root CA. If ./build-key-pkcs12 was used a
  mycert.p12 file will also be created including the
  private key, certificate and the ca certificate.

IMPORTANT

To avoid a possible Man-in-the-Middle attack where an authorized
client tries to connect to another client by impersonating the
server, make sure to enforce some kind of server certificate
verification by clients.  There are currently four different ways
of accomplishing this, listed in the order of preference:

(1) Build your server certificates with the build-key-server
    script.  This will designate the certificate as a
    server-only certificate by setting nsCertType=server.
    Now add the following line to your client configuration:

    ns-cert-type server

    This will block clients from connecting to any
    server which lacks the nsCertType=server designation
    in its certificate, even if the certificate has been
    signed by the CA which is cited in the OpenVPN configuration
    file (--ca directive).

(2) Use the --tls-remote directive on the client to
    accept/reject the server connection based on the common
    name of the server certificate.

(3) Use a --tls-verify script or plugin to accept/reject the
    server connection based on a custom test of the server
    certificate's embedded X509 subject details.

(4) Sign server certificates with one CA and client certificates
    with a different CA.  The client config "ca" directive should
    reference the server-signing CA while the server config "ca"
    directive should reference the client-signing CA.

NOTES
Show certificate fields:
  openssl x509 -in cert.crt -text





B3层 发表时间: 06-05-15 17:13

回复: SHESAIDSORRY [agg230]   论坛用户   登录
好贴要顶

B4层 发表时间: 07-01-22 18:58

回复: ffsi [ffsi]   论坛用户   登录
楼主费心了,先谢了

B5层 发表时间: 07-05-08 10:51

回复: RaDom [f_h]   论坛用户   登录
Let me see see~~~

B6层 发表时间: 07-08-20 21:51

回复: 网页三贱男 [y63536034]   论坛用户   登录
    有什么办法对编程不大懂尤其加那些符号的真难看的懂哦 

B7层 发表时间: 07-10-15 19:11

回复: superban [superban]   论坛用户   登录
学习一下

B8层 发表时间: 08-03-03 11:19

回复: captain_jack [smalljack]   论坛用户   登录
坏淫

B9层 发表时间: 11-10-30 00:47

论坛: UNIX系统

20CN网络安全小组版权所有
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
论坛程序编写:NetDemon

粤ICP备05087286号