1. Installing the OpenVPN server
```sh
# apt-get install openvpn openssl
# mkdir /etc/openvpn/easy-rsa/
# cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
# cd /etc/openvpn/easy-rsa/
```
2. Configuring the environment variables
```sh
# nano vars
```

```sh
export KEY_COUNTRY="UA"
export KEY_PROVINCE="Kharkov"
export KEY_CITY="Kharkov"
export KEY_ORG="IT"
export KEY_EMAIL="admin@mydomain.com"
export KEY_OU="IT-Department"
```
Initialize the variables:
```sh
# source ./vars
```

```
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
```
Remove the old keys:
```sh
# ./clean-all
```
3. Creating the certificates and keys

Create the root certificate and key:
```sh
# ./build-ca
```

```
Generating a 2048 bit RSA private key
....+++
.....................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [UA]:
State or Province Name (full name) [Kharkov]:
Locality Name (eg, city) [Kharkov]:
Organization Name (eg, company) [IT]:
Organizational Unit Name (eg, section) [IT-Department]:
Common Name (eg, your name or your server's hostname) [IT CA]:server
Name [EasyRSA]:
Email Address [admin@mydomain.com]:
```
Create the certificate and key for the server:
```sh
# ./build-key-server server
```

```
Generating a 2048 bit RSA private key
................+++
...............+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [UA]:
State or Province Name (full name) [Kharkov]:
Locality Name (eg, city) [Kharkov]:
Organization Name (eg, company) [IT]:
Organizational Unit Name (eg, section) [IT-Department]:
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyRSA]:
Email Address [admin@mydomain.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'UA'
stateOrProvinceName   :PRINTABLE:'Kharkov'
localityName          :PRINTABLE:'Kharkov'
organizationName      :PRINTABLE:'IT'
organizationalUnitName:PRINTABLE:'IT-Department'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'admin@mydomain.com'
Certificate is to be certified until Jul  4 20:31:26 2026 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```
Create the key and certificate for the client user1:
```sh
# ./build-key user1
```

```
Generating a 2048 bit RSA private key
................................................................+++
...................................+++
writing new private key to 'user1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [UA]:
State or Province Name (full name) [Kharkov]:
Locality Name (eg, city) [Kharkov]:
Organization Name (eg, company) [IT]:
Organizational Unit Name (eg, section) [IT-Department]:
Common Name (eg, your name or your server's hostname) [user1]:
Name [EasyRSA]:
Email Address [admin@mydomain.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'UA'
stateOrProvinceName   :PRINTABLE:'Kharkov'
localityName          :PRINTABLE:'Kharkov'
organizationName      :PRINTABLE:'IT'
organizationalUnitName:PRINTABLE:'IT-Department'
commonName            :PRINTABLE:'user1'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'admin@mydomain.com'
Certificate is to be certified until Jul  4 20:32:23 2026 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```
Similarly […]
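A post-issuance check for the keys directory this procedure produces, added here as an example and not code from the original guide. It assumes easy-rsa 2's default layout (ca.crt, server.crt, user1.crt and the *.key files under /etc/openvpn/easy-rsa/keys) and relies on build-key-server, unlike build-key, marking its certificate with nsCertType=server and extendedKeyUsage=serverAuth.

```shell
#!/bin/sh
# Post-issuance checks for an easy-rsa 2 keys directory.
# Added example, not part of the original guide. Assumes the layout the
# guide produces: DIR/ca.crt, DIR/server.crt, DIR/user1.crt, DIR/*.key.

# Private keys must be readable by root only.
# Returns 0 if every *.key in DIR has mode 600, 1 otherwise.
check_key_perms() {
    dir=$1
    status=0
    for k in "$dir"/*.key; do
        [ -e "$k" ] || continue            # no keys at all: nothing to check
        # GNU stat first, BSD/macOS stat as fallback
        mode=$(stat -c '%a' "$k" 2>/dev/null || stat -f '%Lp' "$k")
        if [ "$mode" != "600" ]; then
            echo "insecure mode $mode on $k (expected 600)" >&2
            status=1
        fi
    done
    return $status
}

# Each issued certificate must chain to ca.crt, and only certificates made
# with build-key-server should carry the server role (nsCertType=server and
# extendedKeyUsage=serverAuth, which build-key does not add). Needs openssl.
# Usage: verify_cert DIR NAME server|client
verify_cert() {
    dir=$1; name=$2; role=$3
    crt="$dir/$name.crt"
    openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null || return 1
    text=$(openssl x509 -in "$crt" -noout -text)
    case $role in
        server)
            echo "$text" | grep -q 'SSL Server' &&
            echo "$text" | grep -q 'TLS Web Server Authentication' ;;
        client)
            ! echo "$text" | grep -q 'SSL Server' ;;
        *) echo "unknown role $role" >&2; return 2 ;;
    esac
}

# Usage: sh check-keys.sh /etc/openvpn/easy-rsa/keys
if [ -n "$1" ]; then
    check_key_perms "$1" &&
    verify_cert "$1" server server &&
    verify_cert "$1" user1 client && echo "all checks passed"
fi
```

Run it after each build-key: it flags a client certificate that clients using `remote-cert-tls server` would wrongly accept as the server, and private keys left readable by other users.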