Building a Robust SSL VPN Service for the Enterprise on Linux

Author: anonymous. Source: forum post dated 2013-05-16 06:55 (the copy on this site is dated 2025/6/14 23:40:11).

Part 1: Kernel support for TUN/TAP

OpenVPN builds its SSL VPN on a virtual TUN/TAP device, so the kernel must provide the TUN/TAP driver. In 2.6.x kernels the option is under Device Drivers -> Network device support and is called "Universal TUN/TAP device driver support". Stock distribution kernels ship it as a module, and it is loaded automatically when OpenVPN starts and opens /dev/net/tun, so there is no need to load it by hand.

[root@dic172 2.6.18-238.12.1.el5-i686]# pwd
/usr/src/kernels/2.6.18-238.12.1.el5-i686
[root@dic172 2.6.18-238.12.1.el5-i686]# make menuconfig    # open the kernel configuration menu
Device Drivers --->
    Network device support --->
        Universal TUN/TAP device driver support    # built as a module that is loaded into the kernel on demand

Part 2: Supporting packages

Before building OpenVPN, install the OpenSSL development library and the LZO compression development library.

1. The OpenSSL development library can be installed with yum; LZO has to be downloaded and built by hand.

[root@dic172 /]# yum install openssl
[root@dic172 /]# yum install openssl-devel

2. Download LZO from http://www.oberhumer.com/opensource/lzo/ and build it:

[root@dic172 src]# tar zxvf lzo-2.03.tar.gz
[root@dic172 src]# cd lzo-2.03
[root@dic172 lzo-2.03]# ./configure
[root@dic172 lzo-2.03]# make
[root@dic172 lzo-2.03]# make install

A default ./configure installs liblzo2 under /usr/local. If /usr/local/lib is not listed in /etc/ld.so.conf, add it and run ldconfig, or the openvpn binary will fail at start-up because it cannot find liblzo2.so; if OpenVPN's configure reports that it cannot find LZO at all, point it at /usr/local with --with-lzo-headers and --with-lzo-lib.

Part 3: Configuring the SSL VPN service

1. Download openvpn-2.0.9.tar.gz from http://openvpn.net/release/ and install it. (2.0.9 is a 2006 release that is no longer maintained; the same steps apply to current 2.x releases, which should be preferred.)

[root@dic172 src]# tar zxvf openvpn-2.0.9.tar.gz
[root@dic172 src]# cd openvpn-2.0.9/
[root@dic172 openvpn-2.0.9]# ./configure
[root@dic172 openvpn-2.0.9]# make
[root@dic172 openvpn-2.0.9]# make install
[root@dic172 openvpn-2.0.9]# cp -p sample-scripts/openvpn.init /etc/init.d/openvpn
[root@dic172 openvpn-2.0.9]# chkconfig --add openvpn
[root@dic172 openvpn-2.0.9]# service openvpn status    # check the service status
openvpn: service not started
[root@dic172 openvpn-2.0.9]# chkconfig --level 235 openvpn on
[root@dic172 openvpn-2.0.9]# chkconfig --list openvpn
openvpn 0:off 1:off 2:on 3:on 4:on 5:on 6:off

2. Enable IP forwarding

Without forwarding, VPN clients can reach the server itself but nothing behind it.

[root@dic172 openvpn-2.0.9]# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@dic172 openvpn-2.0.9]# sysctl -p

3. Use /etc/openvpn as the OpenVPN configuration directory and /etc/openvpn/server.conf as the server configuration file.

OpenVPN is an SSL VPN, so the heart of its authentication is the management of the server and client SSL certificates. If there is no existing certificate issuance process, the tools shipped with OpenVPN can do all of the work. The easy-rsa directory under /usr/src/openvpn-2.0.9/ holds the scripts for generating and managing certificates; the following steps generate them.

[root@dic172 openvpn-2.0.9]# mkdir -p /etc/openvpn
[root@dic172 openvpn-2.0.9]# cp -p sample-config-files/server.conf /etc/openvpn/    # copy the sample config to /etc/openvpn/; it is edited later

4. Edit the variables in the vars file: country code, province, city, organisation, email address and so on. The uncommented settings in vars are:

[root@dic172 openvpn-2.0.9]# cd easy-rsa/
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=GD
export KEY_CITY=SZ
export KEY_ORG="DIC"
export KEY_EMAIL="tghfly222@126.com"

KEY_SIZE=1024 is the 2.0.9 default. 1024-bit RSA is below today's accepted minimum; set KEY_SIZE=2048 before continuing, which also sets the size of the Diffie-Hellman parameters built in step 8.

[root@dic172 easy-rsa]# source vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /usr/src/openvpn-2.0.9/easy-rsa/keys    # warning: ./clean-all deletes every certificate, the CA included

5. Run clean-all to wipe any existing certificates, including the CA, then create the CA certificate. Do not run clean-all again once the CA is in use: it deletes the CA key, and with it the ability to issue or revoke client certificates.

[root@dic172 easy-rsa]# ./clean-all    # wipe old certificates first
[root@dic172 easy-rsa]# ./build-ca     # create the CA certificate
Generating a 1024 bit RSA private key
..........++++++
................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [DIC]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:dic172    # server hostname
Email Address [tghfly222@126.com]:

Using the server's hostname as the CA's Common Name, as done here, gives the CA and the server certificate identical subjects; a distinct CA name (for example dic172-ca) keeps the two from being confused when chains are built and when certificates are listed.

6. Create the server key and certificate.

[root@dic172 easy-rsa]# ./build-key-server server    # create the server key and certificate
Generating a 1024 bit RSA private key
............................................++++++
....++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [DIC]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:dic172    # server hostname
Email Address [tghfly222@126.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:dic172
An optional company name []:dic172
Using configuration from /usr/src/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'DIC'
commonName            :PRINTABLE:'dic172'
emailAddress          :IA5STRING:'tghfly222@126.com'
Certificate is to be certified until Jul 16 05:51:08 2021 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

The challenge password and optional company name are attributes of the signing request only. build-key-server writes the private key unencrypted (openssl req -nodes), so the password typed here does not protect server.key; keep that file readable by root only.

7. Create the client key and certificate. The client key can be given any name.

[root@dic172 easy-rsa]# ./build-key client
Generating a 1024 bit RSA private key
.....++++++
.......................++++++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [DIC]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:tgh    # every client must have a different Common Name
Email Address [tghfly222@126.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:dic172
An optional company name []:dic172
Using configuration from /usr/src/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'DIC'
commonName            :PRINTABLE:'tgh'
emailAddress          :IA5STRING:'tghfly222@126.com'
Certificate is to be certified until Jul 16 05:52:27 2021 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

The Common Name is the client's identity on the server: unless duplicate-cn is set, OpenVPN drops the existing session when a second client connects with the same CN, and per-client settings (client-config-dir) and certificate revocation are keyed on it. Since every other DN field takes the default from vars, openssl ca will also refuse to sign a second request whose subject exactly matches one already in its index. As with the server, build-key writes an unencrypted key; use build-key-pass for a client key protected by a passphrase.

8. Create the Diffie-Hellman (DH) parameter file.

[root@dic172 easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time

The parameter size follows KEY_SIZE; with KEY_SIZE=2048 this produces 2048-bit parameters, which is the minimum to use today.
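The following script is an added example, not part of the article or of OpenVPN's easy-rsa: it performs steps 4 to 7 (CA, server certificate, client certificate) non-interactively with the openssl CLI instead of the easy-rsa wrappers, and adds the checks worth running before a certificate is handed out: chain verification, the server/client role extensions, and a refusal to issue a second certificate for a Common Name that already exists. It assumes openssl 1.1.1 or newer is installed; the DN values (C=CN, ST=GD, L=SZ, O=DIC) and the names dic172 and tgh are taken from the article, the keys are 2048-bit rather than the article's 1024, and the CA name dic172-ca is our choice.

```shell
#!/bin/sh
# Added example, not from the article: the easy-rsa build-ca / build-key-server /
# build-key steps done non-interactively with the openssl CLI, plus the checks
# worth running before a certificate is handed out. Assumptions: openssl 1.1.1+
# is installed; the DN values (C=CN, ST=GD, L=SZ, O=DIC) and the names dic172 and
# tgh are the article's; keys are 2048-bit, not the article's 1024; the CA name
# "dic172-ca" is our choice.
set -eu

KEY_SIZE=2048
DAYS=3650
DN_BASE="/C=CN/ST=GD/L=SZ/O=DIC"

# easy-rsa's KEY_DIR: a private directory; umask 077 makes each new key 0600.
pki_init() {
    KEY_DIR="$1"
    umask 077
    mkdir -p "$KEY_DIR"
}

# Private key and signing request: $1 is the file basename, $2 the common name.
_csr() {
    openssl req -new -nodes -newkey "rsa:$KEY_SIZE" -subj "$DN_BASE/CN=$2" \
        -keyout "$KEY_DIR/$1.key" -out "$KEY_DIR/$1.csr"
}

# build-ca. Self-signing through "x509 -req -extfile" means the CA certificate
# carries exactly these extensions, whatever the local openssl.cnf would add.
build_ca() {
    _csr ca dic172-ca
    printf '%s\n' "basicConstraints=critical,CA:TRUE" \
                  "keyUsage=critical,keyCertSign,cRLSign" > "$KEY_DIR/ca.ext"
    openssl x509 -req -days "$DAYS" -in "$KEY_DIR/ca.csr" -signkey "$KEY_DIR/ca.key" \
        -extfile "$KEY_DIR/ca.ext" -out "$KEY_DIR/ca.crt"
}

# Sign $KEY_DIR/$1.csr with the CA, attaching the extensions given in $2.
_sign() {
    printf '%s\n' "$2" > "$KEY_DIR/$1.ext"
    openssl x509 -req -days "$DAYS" -in "$KEY_DIR/$1.csr" -CA "$KEY_DIR/ca.crt" \
        -CAkey "$KEY_DIR/ca.key" -CAcreateserial -extfile "$KEY_DIR/$1.ext" \
        -out "$KEY_DIR/$1.crt"
}

# build-key-server. nsCertType=server is what OpenVPN 2.0's "ns-cert-type server"
# client option checks; extendedKeyUsage=serverAuth is what the newer
# "remote-cert-tls server" checks, so either client version can tell the real
# server from a stolen client certificate posing as one.
build_server() {
    _csr "$1" "$1"
    _sign "$1" "basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
nsCertType=server"
}

# build-key. Each client needs its own CN (OpenVPN drops the existing session on a
# duplicate CN unless duplicate-cn is set; client-config-dir and revocation are
# keyed on it), so refuse a name that has already been issued.
build_client() {
    if cn_taken "$1"; then
        echo "refusing '$1': a certificate with that CN already exists" >&2
        return 1
    fi
    _csr "$1" "$1"
    _sign "$1" "basicConstraints=CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage=clientAuth
nsCertType=client"
}

# Subject CN of a certificate (RFC2253 ordering puts the CN first).
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Has a certificate with this CN already been issued from $KEY_DIR?
cn_taken() {
    for crt in "$KEY_DIR"/*.crt; do
        [ -e "$crt" ] || continue          # glob did not expand: nothing issued yet
        [ "$(cert_cn "$crt")" = "$1" ] && return 0
    done
    return 1
}

# Role a certificate was issued for, read back from its extendedKeyUsage.
cert_role() {
    case "$(openssl x509 -noout -text -in "$1")" in
        *"TLS Web Server Authentication"*) echo server ;;
        *"TLS Web Client Authentication"*) echo client ;;
        *) echo unknown ;;
    esac
}

# Does the CA (default: our own) vouch for this certificate?
verify_cert() {
    openssl verify -CAfile "${2:-$KEY_DIR/ca.crt}" "$1" >/dev/null 2>&1
}

# Whole flow, e.g. "sh pki.sh --demo /etc/openvpn/keys".
demo() { pki_init "$1"; build_ca; build_server dic172; build_client tgh; }
if [ "${1:-}" = "--demo" ]; then demo "${2:-./keys}"; fi
```

The resulting ca.crt, dic172.crt and dic172.key are what the server's ca, cert and key directives point at, together with the parameter file from step 8 (build-dh, or openssl dhparam -out dh2048.pem 2048); each client receives ca.crt plus its own .crt and .key. verify_cert is the same check a client performs against the server certificate, and cert_role confirms the extension that lets a client reject a peer presenting a client certificate as the server.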
