I. Introduction to OpenVPN
OpenVPN is an SSL-based VPN. It uses the industry-standard SSL/TLS protocol to implement layer-2 and layer-3 secure data-link VPNs. Its advantages are as follows:
1. It is secure, being based on the SSL protocol, and can run through a single TCP or UDP port.
2. With two-way authentication, the server only needs to keep its own certificate and key;
3. The server only accepts clients whose certificates are signed by the master CA certificate, and certificates can be revoked without rebuilding the PKI;
4. Access control based on the certificate's Common Name.
II. System environment: RHEL 5.4
Application software:
openvpn-2.1.4.tar.gz
lzo-2.05.tar.gz
III. Install OpenVPN
# tar xvf lzo-2.05.tar.gz
# cd lzo-2.05
# ./configure
# make
# make check
# make test
# make install
# tar xvf openvpn-2.1.4.tar.gz
# cd openvpn-2.1.4
# ./configure
# make && make install
IV. Configure OpenVPN
1. Create a dedicated CA for OpenVPN and, on the OpenVPN server, issue the certificates required by the server and by each client. OpenVPN supports two authentication models: a shared static key, and TLS-based (certificate) authentication.
In this setup OpenVPN performs certificate-based two-way authentication between the server and each client before any communication is established. Using certificates depends on a PKI.
OpenVPN ships with a set of scripts (easy-rsa) for issuing certificates with a private CA.
2. To create the CA, the OpenVPN server certificate or a client certificate, you must provide the certificate holder's details, such as the country. Default values can be set in the vars file; the parameters include:
# cd /root/openvpn/openvpn-2.1.4/easy-rsa/2.0
# vim vars
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SHANGHAI"
export KEY_CITY="SHANGHAI"
export KEY_ORG="Frank"
export KEY_EMAIL="623195090@qq.com"
3. Configure the PKI
# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /root/openvpn/openvpn-2.1.4/easy-rsa/2.0/keys
[root@openvpn 2.0]# ./clean-all
4. Create a local CA
[root@openvpn 2.0]# ./build-ca
Generating a 1024 bit RSA private key
.......................++
...
Writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SHANGHAI]:
Locality Name (eg, city) [SHANGHAI]:
Organization Name (eg, company) [Frank]:
Organizational Unit Name (eg, section) []: Frank
Common Name (eg, your name or your server's hostname) [Frank CA]: FRANK
Name []: frank
Email Address [623195090@qq.com]:
5. Create the server key and certificate for OpenVPN
[root@openvpn 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
........................++
...++
Writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SHANGHAI]:
Locality Name (eg, city) [SHANGHAI]:
Organization Name (eg, company) [Frank]:
Organizational Unit Name (eg, section) []: Frank
Common Name (eg, your name or your server's hostname) [server]:
Name []: frank
Email Address [623195090@qq.com]:
Please enter the following 'extra 'attributes
To be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/openvpn/openvpn-2.1.4/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature OK
The Subject's Distinguished Name is as follows
CountryName: PRINTABLE: 'cn'
StateOrProvinceName: PRINTABLE: 'shanghai'
LocalityName: PRINTABLE: 'shanghai'
OrganizationName: PRINTABLE: 'frank'
OrganizationalUnitName: PRINTABLE: 'frank'
CommonName: PRINTABLE: 'server'
Name: PRINTABLE: 'frank'
EmailAddress: IA5STRING: '2017 @ qq.com'
Certificate is to be certified until Aug 9 17:43:47 2021 GMT (3650 days)
Sign the certificate? [Y/n]: y
1 out of 1 certificate requests certified, commit? [Y/n] y
Write out database with 1 new entries
Data Base Updated
6. Create the client key and certificate
[root@openvpn 2.0]# ./build-key frank
Generating a 1024 bit RSA private key
...
...++
Writing new private key to 'frank.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SHANGHAI]:
Locality Name (eg, city) [SHANGHAI]:
Organization Name (eg, company) [Frank]:
Organizational Unit Name (eg, section) []: Frank
Common Name (eg, your name or your server's hostname) [frank]:
Name []: frank
Email Address [623195090@qq.com]:
Please enter the following 'extra 'attributes
To be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/openvpn/openvpn-2.1.4/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature OK
The Subject's Distinguished Name is as follows
CountryName: PRINTABLE: 'cn'
StateOrProvinceName: PRINTABLE: 'shanghai'
LocalityName: PRINTABLE: 'shanghai'
OrganizationName: PRINTABLE: 'frank'
OrganizationalUnitName: PRINTABLE: 'frank'
CommonName: PRINTABLE: 'frank'
Name: PRINTABLE: 'frank'
EmailAddress: IA5STRING: '2017 @ qq.com'
Certificate is to be certified until Aug 9 18:45:05 2021 GMT (3650 days)
Sign the certificate? [Y/n]: y
1 out of 1 certificate requests certified, commit? [Y/n]
CERTIFICATION CANCELED
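The "access control based on Common Name" advantage listed in the introduction is enforced on the server with a `tls-verify` hook. The script below is an added example, not part of the original tutorial or of OpenVPN itself; it assumes a server.conf line `tls-verify /etc/openvpn/cn-allow.sh` and an allowlist file (path assumed) holding one permitted Common Name per line, such as the `frank` client issued above.

```shell
#!/bin/sh
# Added example (not from the tutorial): a --tls-verify hook that only admits
# clients whose certificate Common Name is on an allowlist.
# OpenVPN calls the script once per certificate in the chain with two
# arguments: the depth (0 = the peer's own certificate, 1 = its issuer) and
# the X.509 subject string. Exit 0 accepts, any other status rejects.
# Assumed server.conf line:  tls-verify /etc/openvpn/cn-allow.sh
# Assumed allowlist file (one CN per line): /etc/openvpn/allowed-cn.txt
ALLOWLIST="${ALLOWLIST:-/etc/openvpn/allowed-cn.txt}"

# Extract the CN from the subject. OpenVPN 2.1 passes the slash form
# "/C=CN/ST=SHANGHAI/.../CN=frank/name=frank/emailAddress=..."; newer
# releases pass "C=CN, ST=SHANGHAI, ..., CN=frank, ...". Both are handled.
# A "/" is prepended so a subject that starts with "CN=" still matches.
extract_cn() {
    printf '/%s\n' "$1" | sed -n 's|^.*[/, ]CN=\([^/,]*\).*$|\1|p' | head -n 1
}

# Exact whole-line match, so "frank" does not authorise "frank2".
cn_allowed() {
    grep -Fxq -e "$1" "$2"
}

# tls_verify DEPTH SUBJECT [ALLOWLIST]  ->  0 = accept, 1 = reject
tls_verify() {
    depth="$1"; subject="$2"; list="${3:-$ALLOWLIST}"
    # Only the leaf certificate (depth 0) names the client. The CA at depth 1
    # is accepted here because OpenVPN has already checked the chain against
    # the ca file before this hook runs.
    if [ "$depth" -ne 0 ]; then
        return 0
    fi
    cn=$(extract_cn "$subject")
    if [ -z "$cn" ]; then
        echo "tls-verify: no CN in subject: $subject" >&2
        return 1
    fi
    if cn_allowed "$cn" "$list"; then
        return 0
    fi
    echo "tls-verify: rejected CN '$cn'" >&2
    return 1
}

# When OpenVPN invokes the script it passes exactly two arguments.
if [ "$#" -eq 2 ]; then
    tls_verify "$1" "$2"
    exit $?
fi
```

Rejections are written to stderr, which OpenVPN forwards to its log, so each refused CN is visible for monitoring.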