Specify the IP address the OpenVPN server will listen on (here 192.168.1.100 is the server's external IP):
# Which local IP address should OpenVPN
# listen on? (optional)
local 192.168.1.100
Define the OpenVPN network:
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# With the 10.0.0.0/24 subnet below the server
# will take 10.0.0.1 for itself, the rest will
# be made available to clients. Each client will
# be able to reach the server on 10.0.0.1.
# Comment this line out if you are ethernet
# bridging. See the man page for more info.
server 10.0.0.0 255.255.255.0
Push a setting to the clients that routes all of their traffic through the VPN:
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"
Now set the DNS servers for the clients (10.0.0.1 is only useful if a resolver on the server actually listens on the VPN interface):
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The first address below is the VPN server
# itself (10.0.0.1 in the subnet configured
# above); the second is a public resolver.
push "dhcp-option DNS 10.0.0.1"
push "dhcp-option DNS 8.8.8.8"
Change the user the OpenVPN daemon runs under. Once privileges are dropped the daemon can no longer re-read its key file or reopen the tun device on a restart, so keep persist-key and persist-tun in the same config:
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nobody
Change the logging settings:
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/log/openvpn-status.log
...
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log openvpn.log
log-append /var/log/openvpn.log
Change into the certificate directory we created earlier:
cd /etc/openvpn/easy-rsa
Re-read the vars file:
# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
Remove the old keys:
./clean-all
Create the root (CA) certificate:
./build-ca
After this step the new CA (Certificate Authority) files appear in /etc/openvpn/easy-rsa/keys:
./build-ca
Generating a 2048 bit RSA private key
..................+++
..........................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [RU]:
State or Province Name (full name) [NW]:
Locality Name (eg, city) [Moscow]:
Organization Name (eg, company) [OrgName]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [server]:vpn.example.com
Name [EasyRSA]:
Next, create the certificate for the server itself, signed by this CA:
./build-key-server server
Generating a 2048 bit RSA private key
.+++
...............................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [RU]:
State or Province Name (full name) [NW]:
Locality Name (eg, city) [Moscow]:
Organization Name (eg, company) [OrgName]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [server]:vpn.example.com
Name [EasyRSA]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'RU'
stateOrProvinceName   :PRINTABLE:'NW'
localityName          :PRINTABLE:'Moscow'
organizationName      :PRINTABLE:'OrgName'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'vpn.example.com'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Apr 18 12:43:37 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate the Diffie-Hellman parameters. The Diffie-Hellman algorithm lets two parties agree on a shared secret, from which the symmetric keys that encrypt the traffic are then derived:
./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..............................................+......+................................................+.........................................................................................................................................................+............................................................................................................+..............................................................................................................................................+...................................................................................................+........+.............................................................................................................+............
This takes 2 to 5 minutes. Time for a cup of coffee.
Now create the client certificates; repeat this step separately for each client:
./build-key client
Generating a 2048 bit RSA private key
.....................................+++
..+++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [RU]:
State or Province Name (full name) [NW]:
Locality Name (eg, city) [Moscow]:
Organization Name (eg, company) [OrgName]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [client]:
Name [EasyRSA]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'RU'
stateOrProvinceName   :PRINTABLE:'NW'
localityName          :PRINTABLE:'Moscow'
organizationName      :PRINTABLE:'OrgName'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'client'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Apr 18 12:57:59 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
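As an added check that is not part of the original post, the POSIX shell script below verifies what the build-ca, build-key-server and build-key steps just produced: that the server and client certificates chain to ca.crt, that only the server certificate carries the serverAuth extended key usage which clients configured with `remote-cert-tls server` check for, that each private key matches its certificate, and that the private keys (ca.key above all) are readable by their owner only. It assumes openssl is installed and the default easy-rsa file names used in this post; the script name check-pki.sh is hypothetical.

```shell
#!/bin/sh
# Sanity checks for the easy-rsa keys directory built above (ca.crt, server.crt/.key,
# <client>.crt/.key). Added example, not from the original post; assumes `openssl` on
# PATH and the easy-rsa default file names the post uses.

# 0 if CERT chains to the CA in CAFILE, i.e. a peer presenting CERT will be accepted.
cert_signed_by_ca() {  # cert_signed_by_ca ca.crt server.crt
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if CERT carries extendedKeyUsage serverAuth. build-key-server adds it, build-key does
# not; clients using `remote-cert-tls server` rely on this so that a leaked client cert
# (signed by the same CA) cannot be used to impersonate the server.
cert_is_server_cert() {  # cert_is_server_cert server.crt
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication'
}
cert_is_client_cert() { ! cert_is_server_cert "$1"; }  # plain client cert: no serverAuth

# 0 if KEY is the private key belonging to CERT (compares the public key material).
key_matches_cert() {  # key_matches_cert server.key server.crt
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null || true)
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# 0 if KEY is readable by its owner only. ca.key in particular must never be group- or
# world-readable: whoever reads it can mint certificates that this VPN will accept.
key_is_private() {  # key_is_private ca.key
    case "$(ls -ld "$1" 2>/dev/null)" in ????------*) return 0 ;; *) return 1 ;; esac
}

# Run every check for the server and one client name; prints PASS/FAIL per check and
# returns non-zero if any failed.  Usage: check_keys_dir /etc/openvpn/easy-rsa/keys client
check_keys_dir() {
    d=$1; c=$2; rc=0
    report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; rc=1; fi; }
    report cert_signed_by_ca "$d/ca.crt" "$d/server.crt"
    report cert_signed_by_ca "$d/ca.crt" "$d/$c.crt"
    report cert_is_server_cert "$d/server.crt"
    report cert_is_client_cert "$d/$c.crt"
    report key_matches_cert "$d/server.key" "$d/server.crt"
    report key_matches_cert "$d/$c.key" "$d/$c.crt"
    for f in ca server "$c"; do report key_is_private "$d/$f.key"; done
    return $rc
}

if [ "$#" -eq 2 ]; then check_keys_dir "$1" "$2"; fi  # e.g. sh check-pki.sh keys client
```

Run it after every build-key as the user who owns the keys directory; a FAIL on key_is_private means a chmod 600 is due before the key is copied anywhere.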
Since the certificates will be stored on the clients' machines, it is better to set a name and a password at these prompts: