mirror of
https://github.com/LCTT/TranslateProject.git
synced 2025-01-13 22:30:37 +08:00
[Translated]20150602 How to Configure OpenVPN Server-Client on Ubuntu 15.04.md
This commit is contained in:
parent
b64a24f7f9
commit
7627973a0e
@ -1,41 +1,40 @@
|
|||||||
Translating by GOLinux!
|
Ubuntu 15.04上配置OpenVPN服务器-客户端
|
||||||
Howto Configure OpenVPN Server-Client on Ubuntu 15.04
|
|
||||||
================================================================================
|
================================================================================
|
||||||
Virtual private network (VPN) is a common name of several technologies which allows to establish a network connection over other network. It called virtual because nodes connected between each over through non physical lines. And it is private due to absence of public access to network without proper rights from of the network owner.
|
虚拟专用网(VPN)是几种用于建立与其它网络连接的网络技术中常见的一个名称。它被称为虚拟网,因为各个节点的连接不是通过物理线路实现的。而由于没有网络所有者的正确授权是不能通过公共线路访问到网络,所以它是专用的。
|
||||||
|
|
||||||
![](http://blog.linoxide.com/wp-content/uploads/2015/05/vpn_custom_illustration.jpg)
|
![](http://blog.linoxide.com/wp-content/uploads/2015/05/vpn_custom_illustration.jpg)
|
||||||
|
|
||||||
[OpenVPN][1] software transfer data using TCP and UDP protocols and with help of TUN/TAP drivers. UDP protocol and TUN driver allows to establish connection to OpenVPN server for clients behind NAT. Additionally OpenVPN allows to specify custom port. It provide additional flexibility of configuration and may help in avoiding of firewall restrictions.
|
[OpenVPN][1]软件通过TUN/TAP驱动的帮助,使用TCP和UDP协议来传输数据。UDP协议和TUN驱动允许NAT后的用户建立到OpenVPN服务器的连接。此外,OpenVPN允许指定自定义端口。它提额外提供了灵活的配置,可以帮助你避免防火墙限制。
|
||||||
|
|
||||||
Security and encryption in OpenVPN provided by library OpenSSL and by Transport Layer Security (TLS). TLS is an improved version of SSL protocol.
|
OpenVPN中,由OpenSSL库和传输层安全协议(TLS)提供了安全和加密。TLS是SSL协议的一个改进版本。
|
||||||
|
|
||||||
OpenSSL provide two kinds of encryption: symmetric and asymmetric. Below we show how to configure server side of OpenVPN and how to make all preparations for use asymmetric cryptography and TLS protocol with Public Key Infrastructure (PKI).
|
OpenSSL提供了两种加密方法:对称和非对称。下面,我们展示了如何配置OpenVPN的服务器端,以及如何预备使用带有公共密钥非对称加密和TLS协议基础结构(PKI)。
|
||||||
|
|
||||||
### Server side configuration ###
|
### 服务器端配置 ###
|
||||||
|
|
||||||
First of all we must install OpenVPN. In Ubuntu 15.04 and other Unix systems with 'apt' package manager this can be done as follows:
|
首先,我们必须安装OpenVPN。在Ubuntu 15.04和其它带有‘apt’报管理器的Unix系统中,可以通过如下命令安装:
|
||||||
|
|
||||||
sudo apt-get install openvpn
|
sudo apt-get install openvpn
|
||||||
|
|
||||||
Then we must setup a keys. This can be done using default tools "openssl". But this way is rather difficult. That is why we can use "easy-rsa" for this purpose. Next command installs the "easy-rsa" into our system
|
然后,我们必须配置一个密钥对,这可以通过默认的“openssl”工具完成。但是,这种方式十分难。这也是我们使用“easy-rsa”来实现此目的的原因。接下来的命令会将“easy-rsa”安装到系统中。
|
||||||
|
|
||||||
sudo apt-get unstall easy-rsa
|
sudo apt-get unstall easy-rsa
|
||||||
|
|
||||||
**Remark**: all next commands executed with superuser rights, i.e. after command "sudo -i"; otherwise you can use "sudo -E" as prefix for all next commands.
|
**注意**: 所有接下来的命令要以超级用户权限执行,如在“sudo -i”命令后;此外,你可以使用“sudo -E”作为接下来所有命令的前缀。
|
||||||
|
|
||||||
For beginning we need to copy "easy-rsa" into openvpn folder
|
开始之前,我们需要拷贝“easy-rsa”到openvpn文件夹。
|
||||||
|
|
||||||
mkdir /etc/openvpn/easy-rsa
|
mkdir /etc/openvpn/easy-rsa
|
||||||
cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa
|
cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa
|
||||||
mv /etc/openvpn/easy-rsa/easy-rsa /etc/openvpn/easy-rsa/2.0
|
mv /etc/openvpn/easy-rsa/easy-rsa /etc/openvpn/easy-rsa/2.0
|
||||||
|
|
||||||
and goes into it
|
然后进入到该目录
|
||||||
|
|
||||||
cd /etc/openvpn/easy-rsa/2.0
|
cd /etc/openvpn/easy-rsa/2.0
|
||||||
|
|
||||||
Here we start a process of key generation.
|
这里,我们开启了一个密钥生成进程。
|
||||||
|
|
||||||
Firstly we edit a "var" file. For simplify generation process we need to specify our data in it. Here is an example of "var" file:
|
首先,我们编辑一个“var”文件。为了简化生成过程,我们需要在里面指定数据。这里是“var”文件的一个样例:
|
||||||
|
|
||||||
export KEY_COUNTRY="US"
|
export KEY_COUNTRY="US"
|
||||||
export KEY_PROVINCE="CA"
|
export KEY_PROVINCE="CA"
|
||||||
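Review bot: the `easy-rsa` install step still reads `sudo apt-get unstall easy-rsa` in the translated column; `unstall` is a typo carried over from the source that apt will reject, so the translation should correct it to `sudo apt-get install easy-rsa` (and ideally flag it upstream). Two meaning problems in the same hunk: "带有公共密钥非对称加密和TLS协议基础结构(PKI)" scrambles "asymmetric cryptography and TLS protocol with Public Key Infrastructure (PKI)", suggest "如何为使用基于公钥基础设施(PKI)的非对称加密和TLS协议做好准备"; and the remark's "otherwise you can use sudo -E" is rendered as "此外", which should be "否则". Minor fixes: "报管理器" → "包管理器", "它提额外提供了" → "它额外提供了", "十分难" → "相当困难", and "密钥生成进程" → "密钥生成过程", since "process" here is a procedure, not an OS process. The source itself says "var" file but the commands use `vars`; the translation could use "vars" consistently.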
@ -44,25 +43,25 @@ Firstly we edit a "var" file. For simplify generation process we need to specify
|
|||||||
export KEY_EMAIL="my@myhost.mydomain"
|
export KEY_EMAIL="my@myhost.mydomain"
|
||||||
export KEY_OU=server
|
export KEY_OU=server
|
||||||
|
|
||||||
Hope, field names is clear and there is no need of additional description of them.
|
希望这些字段名称对你而言已经很清楚,不需要进一步说明了。
|
||||||
|
|
||||||
Secondly we need to copy the openssl config. There is config from different version. If you haven't any certain requirement use last version of it. This is a 1.0.0 version.
|
其次,我们需要拷贝openssl配置。另外一个版本已经有现成的配置文件,如果你没有特定要求,你可以使用它的上一个版本。这里是1.0.0版本。
|
||||||
|
|
||||||
cp openssl-1.0.0.cnf openssl.cnf
|
cp openssl-1.0.0.cnf openssl.cnf
|
||||||
|
|
||||||
Thirdly we need load environment variables, which we edited on previous step
|
第三,我们需要加载环境变量,这些变量已经在前面一步中编辑好了。
|
||||||
|
|
||||||
source ./vars
|
source ./vars
|
||||||
|
|
||||||
Final step of preparation for key generation is in flushing of old certificates and keys and in generation of serial and index files for new keys. This can be done by using command
|
生成密钥的最后一步准备工作是清空旧的证书和密钥,以及生成新密钥的序列号和索引文件。可以通过以下命令完成。
|
||||||
|
|
||||||
./clean-all
|
./clean-all
|
||||||
|
|
||||||
Now we finish preparation and ready to start generation process. Lets generate certificate first
|
现在,我们完成了准备工作,准备好启动生成进程了。让我们先来生成证书。
|
||||||
|
|
||||||
./build-ca
|
./build-ca
|
||||||
|
|
||||||
In dialog we see default variants, which we specified in "vars" file before. We may check them, edit if needed and then press ENTER couple of times. Dialog looks as follows
|
在对话中,我们可以看到默认的变量,这些变量是我们先前在“vars”中指定的。我们可以检查以下,如有必要进行编辑,然后按回车几次。对话如下
|
||||||
|
|
||||||
Generating a 2048 bit RSA private key
|
Generating a 2048 bit RSA private key
|
||||||
.............................................+++
|
.............................................+++
|
||||||
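Review bot: "如果你没有特定要求,你可以使用它的上一个版本" inverts "use last version of it": the source means the newest config version (here openssl-1.0.0.cnf), not the previous one, and the preceding "另外一个版本已经有现成的配置文件" does not match "There is config from different version" either. Suggest "配置文件有多个版本,如果没有特殊要求,请使用最新的版本。这里是1.0.0版本。" Typos: "我们可以检查以下" → "检查一下"; "准备好启动生成进程了" → "可以开始生成过程了".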
@ -85,11 +84,11 @@ In dialog we see default variants, which we specified in "vars" file before. We
|
|||||||
Name [EasyRSA]:
|
Name [EasyRSA]:
|
||||||
Email Address [me@myhost.mydomain]:
|
Email Address [me@myhost.mydomain]:
|
||||||
|
|
||||||
Next we need to generate a server key
|
接下来,我们需要生成一个服务器密钥
|
||||||
|
|
||||||
./build-key-server server
|
./build-key-server server
|
||||||
|
|
||||||
Dialog of this command is shown below:
|
该命令的对话如下:
|
||||||
|
|
||||||
Generating a 2048 bit RSA private key
|
Generating a 2048 bit RSA private key
|
||||||
........................................................................+++
|
........................................................................+++
|
||||||
@ -134,72 +133,72 @@ Dialog of this command is shown below:
|
|||||||
Write out database with 1 new entries
|
Write out database with 1 new entries
|
||||||
Data Base Updated
|
Data Base Updated
|
||||||
|
|
||||||
Here we must answer "yes" on last two questions about "sign the certificate" and about "commit".
|
这里,最后两个关于“签署证书”和“提交”的问题,我们必须回答“yes”。
|
||||||
|
|
||||||
Now we have certificate and server key. Next step is to generate Diffie-Hellman key. Execute the below command and be patient. During next couple minutes we will see a lots of dots and pluses symbols.
|
现在,我们已经有了证书和服务器密钥。下一步,就是去省城Diffie-Hellman密钥。执行以下命令,耐心等待。在接下来的几分钟内,我们将看到许多点和加号。
|
||||||
|
|
||||||
./build-dh
|
./build-dh
|
||||||
|
|
||||||
Example of the output of this command you can find below
|
该命令的输出样例如下
|
||||||
|
|
||||||
Generating DH parameters, 2048 bit long safe prime, generator 2
|
Generating DH parameters, 2048 bit long safe prime, generator 2
|
||||||
This is going to take a long time
|
This is going to take a long time
|
||||||
................................+................<and many many dots>
|
................................+................<and many many dots>
|
||||||
|
|
||||||
After a long wait we can move to generation of the last key. This is key for TLS-authentication. Here is a command for it:
|
在漫长的等待之后,我们可以继续生成最后的密钥了,该密钥用于TLS验证。命令如下:
|
||||||
|
|
||||||
openvpn --genkey --secret keys/ta.key
|
openvpn --genkey --secret keys/ta.key
|
||||||
|
|
||||||
Now, generation completed and we can move all generated files to the final location.
|
现在,生成完毕,我们可以移动所有生成的文件到最后的位置中。
|
||||||
|
|
||||||
cp -r /etc/openvpn/easy-rsa/2.0/keys/ /etc/openvpn/
|
cp -r /etc/openvpn/easy-rsa/2.0/keys/ /etc/openvpn/
|
||||||
|
|
||||||
Finally we create OpenVPN configuration file. Let's copy it from example:
|
最后,我们来创建OpenVPN配置文件。让我们从样例中拷贝过来吧:
|
||||||
|
|
||||||
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
|
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
|
||||||
cd /etc/openvpn
|
cd /etc/openvpn
|
||||||
gunzip -d /etc/openvpn/server.conf.gz
|
gunzip -d /etc/openvpn/server.conf.gz
|
||||||
|
|
||||||
Then edit it
|
然后编辑
|
||||||
|
|
||||||
vim /etc/openvpn/server.conf
|
vim /etc/openvpn/server.conf
|
||||||
|
|
||||||
We need to specify custom paths to keys
|
我们需要指定密钥的自定义路径
|
||||||
|
|
||||||
ca /etc/openvpn/keys/ca.crt
|
ca /etc/openvpn/keys/ca.crt
|
||||||
cert /etc/openvpn/keys/server.crt
|
cert /etc/openvpn/keys/server.crt
|
||||||
key /etc/openvpn/keys/server.key # This file should be kept secret
|
key /etc/openvpn/keys/server.key # This file should be kept secret
|
||||||
dh /etc/openvpn/keys/dh2048.pem
|
dh /etc/openvpn/keys/dh2048.pem
|
||||||
|
|
||||||
That's all. After restart of OpenVPN configuration of server side is complete.
|
一切就绪。在重启OpenVPN后,服务器端配置就完成了。
|
||||||
|
|
||||||
service openvpn restart
|
service openvpn restart
|
||||||
|
|
||||||
### Client side configuration for Unix ###
|
### Unix的客户端配置 ###
|
||||||
|
|
||||||
Suppose we have a device with Unix like operation system, for example Ubuntu 15.04, and with installed OpenVPN. We want to connect to OpenVPN server from previous section. Firstly we need a key for the client. For generation of this key go to folder on server:
|
假定我们有一台装有类Unix操作系统的设备,比如Ubuntu 15.04,并安装有OpenVPN。我们想要从先前的部分连接到OpenVPN服务器。首先,我们需要为客户端生成密钥。为了生成该密钥,请转到服务器上的目录中:
|
||||||
|
|
||||||
cd /etc/openvpn/easy-rsa/2.0
|
cd /etc/openvpn/easy-rsa/2.0
|
||||||
|
|
||||||
Load environment variables
|
加载环境变量
|
||||||
|
|
||||||
source vars
|
source vars
|
||||||
|
|
||||||
and create a client key
|
然后创建客户端密钥
|
||||||
|
|
||||||
./build-key client
|
./build-key client
|
||||||
|
|
||||||
We will see a same dialog as described in previous section on part about server key generation. Fill actual information about client in it.
|
我们将看到一个与先前关于服务器密钥生成部分的章节描述一样的对话,填入客户端的实际信息。
|
||||||
|
|
||||||
You need run other command in case of requirement of password protect key. Here it is
|
如果需要密码保护密钥,你需要运行另外一个命令,命令如下
|
||||||
|
|
||||||
./build-key-pass client
|
./build-key-pass client
|
||||||
|
|
||||||
In this case you will be prompted to input password in beginning of establishing of VPN connection.
|
在此种情况下,在建立VPN连接时,会提示你输入密码。
|
||||||
|
|
||||||
Now we need to copy follows files from server to client into /etc/openvpn/keys/ folder.
|
现在,我们需要将以下文件从服务器拷贝到客户端/etc/openvpn/keys/文件夹。
|
||||||
|
|
||||||
List of files from server:
|
服务器文件列表:
|
||||||
|
|
||||||
- ca.crt,
|
- ca.crt,
|
||||||
- dh2048.pem,
|
- dh2048.pem,
|
||||||
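Review bot: "就是去省城Diffie-Hellman密钥" has "省城" for "生成"; fix before merge. In the Unix client section, "我们想要从先前的部分连接到OpenVPN服务器" misreads the source: the server is the one configured in the previous section, not the place we connect from; suggest "我们想连接到上一节配置的OpenVPN服务器". The source says "move all generated files" but the command shown is `cp -r`, which copies and leaves a second copy of server.key and ta.key under /etc/openvpn/easy-rsa/2.0/keys/; the translation is faithful ("移动"), but a translator's note that the originals remain in place would help readers who want to keep private key material in one location.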
@ -207,7 +206,7 @@ List of files from server:
|
|||||||
- client.key,
|
- client.key,
|
||||||
- ta.key.
|
- ta.key.
|
||||||
|
|
||||||
After that we go to the client and prepare configuration file. Location of file is /etc/openvpn/client.conf and content of it presents below
|
在此之后,我们转到客户端,准备配置文件。配置文件位于/etc/openvpn/client.conf,内容如下
|
||||||
|
|
||||||
dev tun
|
dev tun
|
||||||
proto udp
|
proto udp
|
||||||
@ -234,15 +233,15 @@ After that we go to the client and prepare configuration file. Location of file
|
|||||||
verb 3
|
verb 3
|
||||||
mute 20
|
mute 20
|
||||||
|
|
||||||
After that we need to restart OpenVPN for accepting a new configuration.
|
在此之后,我们需要重启OpenVPN以接受新配置。
|
||||||
|
|
||||||
service openvpn restart
|
service openvpn restart
|
||||||
|
|
||||||
That's it, the configuration of the client is over.
|
好了,客户端配置完成。
|
||||||
|
|
||||||
### Client side configuration for Android ###
|
### 安卓客户端配置 ###
|
||||||
|
|
||||||
Configuration of OpenVPN on Android devices is quite similar to configuration on Unix system. We need a pack with a configuration file, with a keys and with a certificates. Here is a list of them:
|
安卓设备上的OpenVPN配置和Unix系统上的十分类似,我们需要一个含有配置文件、密钥和证书的包。文件列表如下:
|
||||||
|
|
||||||
- configuration file (.ovpn),
|
- configuration file (.ovpn),
|
||||||
- ca.crt,
|
- ca.crt,
|
||||||
@ -250,9 +249,9 @@ Configuration of OpenVPN on Android devices is quite similar to configuration on
|
|||||||
- client.crt,
|
- client.crt,
|
||||||
- client.key.
|
- client.key.
|
||||||
|
|
||||||
Client key can be generated by the same way as described in previous section.
|
客户端密钥生成方式和先前章节所述的一样。
|
||||||
|
|
||||||
Configuration file has a follows content
|
配置文件内容如下
|
||||||
|
|
||||||
client tls-client
|
client tls-client
|
||||||
dev tun
|
dev tun
|
||||||
@ -273,11 +272,11 @@ Configuration file has a follows content
|
|||||||
verb 3
|
verb 3
|
||||||
mute 20
|
mute 20
|
||||||
|
|
||||||
All this files we must to move on SD-card of our device.
|
所有这些文件我们必须移动我们设备的SD卡上。
|
||||||
|
|
||||||
Then we need to install [OpenVPN Connect][2].
|
然后,我们需要安装[OpenVPN连接][2]。
|
||||||
|
|
||||||
Next configuration process is very simple:
|
接下来,配置过程很是简单:
|
||||||
|
|
||||||
open setting of OpenVPN and select Import options
|
open setting of OpenVPN and select Import options
|
||||||
select Import Profile from SD card option
|
select Import Profile from SD card option
|
||||||
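Review bot: the two step lines "open setting of OpenVPN and select Import options" and "select Import Profile from SD card option" are still English in the translated column and need Chinese versions (e.g. "打开OpenVPN的设置,选择Import选项" / "选择Import Profile from SD card选项"). "[OpenVPN连接][2]" translates an application name; keep it as "[OpenVPN Connect][2]". "所有这些文件我们必须移动我们设备的SD卡上" is missing "到": "我们必须把所有这些文件移动到设备的SD卡上".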
@ -285,18 +284,18 @@ Next configuration process is very simple:
|
|||||||
application offered us to create a new profile
|
application offered us to create a new profile
|
||||||
tap on the Connect button and wait a second
|
tap on the Connect button and wait a second
|
||||||
|
|
||||||
And thats all. Now our Android device has connection to our private network using secure VPN connection.
|
搞定。现在,我们的安卓设备已经通过安全的VPN连接连接到我们的专用网。
|
||||||
|
|
||||||
### Conclusion ###
|
### 尾声 ###
|
||||||
|
|
||||||
So, initial configuration of OpenVPN takes a time, but it is compensated by easy clients configuration and the ability to connect from any device. Moreover OpenVPN provided a high security level and ability to connection from different places including clients located behind NAT. Therefore OpenVPN may equally well be used both at home and in enterprise.
|
虽然OpenVPN初始配置花费不少时间,但是简易客户端配置为我们弥补了时间上的损失,也提供了从任何设备连接的能力。此外,OpenVPN提供了一个很高的安全等级,以及从不同地方连接的能力,包括位于NAT后面的客户端。因此,OpenVPN可以同时在家和在企业中使用。
|
||||||
|
|
||||||
--------------------------------------------------------------------------------
|
--------------------------------------------------------------------------------
|
||||||
|
|
||||||
via: http://linoxide.com/ubuntu-how-to/configure-openvpn-server-client-ubuntu-15-04/
|
via: http://linoxide.com/ubuntu-how-to/configure-openvpn-server-client-ubuntu-15-04/
|
||||||
|
|
||||||
作者:[Ivan Zabrovskiy][a]
|
作者:[Ivan Zabrovskiy][a]
|
||||||
译者:[译者ID](https://github.com/译者ID)
|
译者:[GOLinux](https://github.com/GOLinux)
|
||||||
校对:[校对者ID](https://github.com/校对者ID)
|
校对:[校对者ID](https://github.com/校对者ID)
|
||||||
|
|
||||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](https://linux.cn/) 荣誉推出
|
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](https://linux.cn/) 荣誉推出
|
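Review bot: "application offered us to create a new profile" and "tap on the Connect button and wait a second" remain untranslated in the new column, so the Android step list is only half translated; suggest "应用会提示我们创建一个新的配置文件" and "点击Connect按钮,稍等片刻". The 译者 line is filled in while 校对者ID is left as a placeholder, which is consistent with the proofreader filling it in later.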