查看“OpenVPN server”的源代码
来自Ubuntu中文
←
OpenVPN server
跳到导航
跳到搜索
因为以下原因,您没有权限编辑该页面:
您请求的操作仅限属于该用户组的用户执行:
用户
您可以查看和复制此页面的源代码。
=== OpenVPN === 我们可以把处于LAN环境下的特定计算机设置为一个[http://baike.baidu.com/view/480950.htm?fromtitle=VPN VPN]服务器,这个服务器可以让处于LAN之外的远程客户端和LAN上的计算机进行加密通信(通过VPN服务器接入). 当两台终端建立[http://baike.baidu.com/view/480950.htm?fromtitle=VPN VPN] 连接通道(服务端和客户端)时,[http://openvpn.net/ OpenVPN] 使用 [http://baike.baidu.com/view/7615.htm PKI(Public Key Infrastructure)]对其进行加密. VPN 服务器的硬件需求取决于最大的并发通信隧道的数量.通俗的来讲,最为普通配置的电脑可以胜任一台并发连接数不大于10的VPN服务器.而一台不大于100个并发连接数的VPN服务器则需要较高的内存和CPU配置.网络连接也是一个限制因素,所以,高配的网卡也是必须的(至少支持千兆网卡). ==== Using a bridge interface ==== An OpenVPN server often uses a bridge interface. One network connection (an ethernet card, for example) connects to the WAN (Internet) through which the VPN connection is made, and a second network connection (a second ethernet card, for example) connects to the LAN. The traffic between these two connections is "bridged." See [[Ubuntu:Jaunty#Network_Interfaces_Bridging|Network Interface Bridging]] for more details. ==== OpenVPN Server Installation ==== *Install OpenVPN: sudo apt-get install openvpn ==== Server certificates ==== *Create the OpenVPN server certificates. :*Copy the easy-rsa directory to /etc/openvpn. This will ensure that any changes to the scripts will not be lost when the package is updated. sudo mkdir /etc/openvpn/easy-rsa/ sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa/ :*Edit /etc/openvpn/easy-rsa/vars and adjust the variables for your environment: export KEY_COUNTRY="US" export KEY_PROVINCE="CA" export KEY_CITY="''MyCity''" export KEY_ORG="''MyCompany''" export KEY_EMAIL="''webmaster@mycompany.com''" :*Run the scripts to create the server certificates: cd /etc/openvpn/easy-rsa/easy-rsa source vars ./clean-all ./build-dh ./pkitool --initca ./pkitool --server server cd keys openvpn --genkey --secret ta.key sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/ ==== Client Certificates ==== *A VPN clients requires a certificate in order to authenticate itself to the VPN server. *Create the certificate: cd /etc/openvpn/easy-rsa/ source vars ./pkitool ''hostname'' :Note: Replace ''hostname'' with the actual hostname of the client machine that will be connecting to the VPN. *Copy the certificate files that have been created to the client: :* /etc/openvpn/easy-rsa/''hostname''.ovpn :* /etc/openvpn/easy-rsa/ca.crt :* /etc/openvpn/easy-rsa/''hostname''.crt :* /etc/openvpn/easy-rsa/''hostname''.key :* /etc/openvpn/easy-rsa/ta.key :Note: Use the files that correspond to your client machine's ''hostname''. ==== Server Configuration ==== *On the OpenVPN server, modify /etc/openvpn/server.conf from the example file: sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/ sudo gzip -d /etc/openvpn/server.conf.gz *Edit etc/openvpn/server.conf: sudo nano /etc/openvpn/server.conf :*Changing the following options to resemble: local 172.18.100.101 dev tap0 server-bridge 172.18.100.101 255.255.255.0 172.18.100.105 172.18.100.200 push "route 172.18.100.1 255.255.255.0" push "dhcp-option DNS 172.18.100.20" push "dhcp-option DOMAIN example.com" tls-auth ta.key 0 # This file is secret user nobody group nogroup :Notes: ::local: is the IP address of the bridge interface. ::server-bridge: needed when the configuration uses bridging. The 172.18.100.101 255.255.255.0 portion is the bridge interface and mask. The IP range 172.18.100.105 172.18.100.200 is the range of IP addresses that will be assigned to clients. ::push: directives to add networking options for clients. ::user and group: configure which user and group the openvpn daemon executes as. ::Replace all IP addresses and domain names above with those of your network. *Create helper scripts to add the tap interface to the bridge. :* Create /etc/openvpn/up.sh: sudo nano /etc/openvpn/up.sh ::Add the lines: #!/bin/sh # BR=$1 DEV=$2 MTU=$3 /sbin/ifconfig $DEV mtu $MTU promisc up /usr/sbin/brctl addif $BR $DEV :*Create /etc/openvpn/down.sh: sudo nano /etc/openvpn/down.sh ::Add the lines: #!/bin/sh # BR=$1 DEV=$2 # /usr/sbin/brctl delif $BR $DEV /sbin/ifconfig $DEV down :*Make the scripts executable: sudo chmod 755 /etc/openvpn/down.sh sudo chmod 755 /etc/openvpn/up.sh :*Restart OpenVpn: sudo /etc/init.d/openvpn restart ==== Client Configuration ==== *Copy the example client configuration file: sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn *Edit the client configuration file: sudo nano /etc/openvpn/client.conf :*Change it to resemble: dev tap remote ''vpn.mycompany.com'' 1194 cert ''hostname''.crt key ''hostname''.key tls-auth ta.key 1 :Note: Replace ''vpn.mycompany.com'' with the hostname of your VPN server, and ''hostname''.* with the actual certificate and key filenames that correspond to the client. *Restart OpenVpn: sudo /etc/init.d/openvpn restart *Connect the VPN client to the remote LAN through the OpenVPN server. ==== Other resources ==== * [https://help.ubuntu.com/9.10/serverguide/C/openvpn.html Ubuntu 9.10 Server Guide (Karmic Koala) -- OpenVPN server]
返回
OpenVPN server
。
导航菜单
页面操作
页面
讨论
阅读
查看源代码
历史
页面操作
页面
讨论
更多
工具
个人工具
登录
导航
首页
最近更改
随机页面
页面分类
帮助
搜索
编辑
编辑指南
沙盒
新闻动态
字词处理
工具
链入页面
相关更改
特殊页面
页面信息