[Translated]20150602 How to Configure OpenVPN Server-Client on Ubuntu 15.04.md

GOLinux 2015-06-04 10:06:20 +08:00
parent b64a24f7f9
commit 7627973a0e


@ -1,41 +1,40 @@
Translating by GOLinux! Ubuntu 15.04上配置OpenVPN服务器-客户端
Howto Configure OpenVPN Server-Client on Ubuntu 15.04
================================================================================ ================================================================================
Virtual private network (VPN) is a common name of several technologies which allows to establish a network connection over other network. It called virtual because nodes connected between each over through non physical lines. And it is private due to absence of public access to network without proper rights from of the network owner. 虚拟专用网VPN是几种用于建立与其它网络连接的网络技术中常见的一个名称。它被称为虚拟网因为各个节点的连接不是通过物理线路实现的。而由于没有网络所有者的正确授权是不能通过公共线路访问到网络所以它是专用的。
![](http://blog.linoxide.com/wp-content/uploads/2015/05/vpn_custom_illustration.jpg) ![](http://blog.linoxide.com/wp-content/uploads/2015/05/vpn_custom_illustration.jpg)
[OpenVPN][1] software transfer data using TCP and UDP protocols and with help of TUN/TAP drivers. UDP protocol and TUN driver allows to establish connection to OpenVPN server for clients behind NAT. Additionally OpenVPN allows to specify custom port. It provide additional flexibility of configuration and may help in avoiding of firewall restrictions. [OpenVPN][1]软件通过TUN/TAP驱动的帮助使用TCP和UDP协议来传输数据。UDP协议和TUN驱动允许NAT后的用户建立到OpenVPN服务器的连接。此外OpenVPN允许指定自定义端口。它提额外提供了灵活的配置可以帮助你避免防火墙限制。
Security and encryption in OpenVPN provided by library OpenSSL and by Transport Layer Security (TLS). TLS is an improved version of SSL protocol. OpenVPN中由OpenSSL库和传输层安全协议TLS提供了安全和加密。TLS是SSL协议的一个改进版本。
OpenSSL provide two kinds of encryption: symmetric and asymmetric. Below we show how to configure server side of OpenVPN and how to make all preparations for use asymmetric cryptography and TLS protocol with Public Key Infrastructure (PKI). OpenSSL提供了两种加密方法对称和非对称。下面我们展示了如何配置OpenVPN的服务器端以及如何预备使用带有公共密钥非对称加密和TLS协议基础结构PKI
### Server side configuration ### ### 服务器端配置 ###
First of all we must install OpenVPN. In Ubuntu 15.04 and other Unix systems with 'apt' package manager this can be done as follows: 首先我们必须安装OpenVPN。在Ubuntu 15.04和其它带有apt报管理器的Unix系统中可以通过如下命令安装
sudo apt-get install openvpn sudo apt-get install openvpn
Then we must setup a keys. This can be done using default tools "openssl". But this way is rather difficult. That is why we can use "easy-rsa" for this purpose. Next command installs the "easy-rsa" into our system 然后我们必须配置一个密钥对这可以通过默认的“openssl”工具完成。但是这种方式十分难。这也是我们使用“easy-rsa”来实现此目的的原因。接下来的命令会将“easy-rsa”安装到系统中。
sudo apt-get unstall easy-rsa sudo apt-get unstall easy-rsa
**Remark**: all next commands executed with superuser rights, i.e. after command "sudo -i"; otherwise you can use "sudo -E" as prefix for all next commands. **注意** 所有接下来的命令要以超级用户权限执行如在“sudo -i”命令后此外你可以使用“sudo -E”作为接下来所有命令的前缀。
For beginning we need to copy "easy-rsa" into openvpn folder 开始之前我们需要拷贝“easy-rsa”到openvpn文件夹。
mkdir /etc/openvpn/easy-rsa mkdir /etc/openvpn/easy-rsa
cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa
mv /etc/openvpn/easy-rsa/easy-rsa /etc/openvpn/easy-rsa/2.0 mv /etc/openvpn/easy-rsa/easy-rsa /etc/openvpn/easy-rsa/2.0
and goes into it 然后进入到该目录
cd /etc/openvpn/easy-rsa/2.0 cd /etc/openvpn/easy-rsa/2.0
Here we start a process of key generation. 这里,我们开启了一个密钥生成进程。
Firstly we edit a "var" file. For simplify generation process we need to specify our data in it. Here is an example of "var" file: 首先我们编辑一个“var”文件。为了简化生成过程我们需要在里面指定数据。这里是“var”文件的一个样例
export KEY_COUNTRY="US" export KEY_COUNTRY="US"
export KEY_PROVINCE="CA" export KEY_PROVINCE="CA"
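Review bot: the package command `sudo apt-get unstall easy-rsa` is misspelled in both columns (`unstall` for `install`) and fails as typed; since readers copy the translated version, the new column should carry `sudo apt-get install easy-rsa` even though the English original has the typo. The translated PKI sentence also scrambles the grouping: `带有公共密钥非对称加密和TLS协议基础结构PKI` reads as if PKI were a part of TLS, whereas `非对称加密以及带公钥基础设施(PKI)的TLS协议` keeps the original's meaning. Two typos in the new column: `它提额外提供了` has a duplicated 提, and `apt报管理器` should be `apt包管理器`.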
@ -44,25 +43,25 @@ Firstly we edit a "var" file. For simplify generation process we need to specify
export KEY_EMAIL="my@myhost.mydomain" export KEY_EMAIL="my@myhost.mydomain"
export KEY_OU=server export KEY_OU=server
Hope, field names is clear and there is no need of additional description of them. 希望这些字段名称对你而言已经很清楚,不需要进一步说明了。
Secondly we need to copy the openssl config. There is config from different version. If you haven't any certain requirement use last version of it. This is a 1.0.0 version. 其次我们需要拷贝openssl配置。另外一个版本已经有现成的配置文件如果你没有特定要求你可以使用它的上一个版本。这里是1.0.0版本。
cp openssl-1.0.0.cnf openssl.cnf cp openssl-1.0.0.cnf openssl.cnf
Thirdly we need load environment variables, which we edited on previous step 第三,我们需要加载环境变量,这些变量已经在前面一步中编辑好了。
source ./vars source ./vars
Final step of preparation for key generation is in flushing of old certificates and keys and in generation of serial and index files for new keys. This can be done by using command 生成密钥的最后一步准备工作是清空旧的证书和密钥,以及生成新密钥的序列号和索引文件。可以通过以下命令完成。
./clean-all ./clean-all
Now we finish preparation and ready to start generation process. Lets generate certificate first 现在,我们完成了准备工作,准备好启动生成进程了。让我们先来生成证书。
./build-ca ./build-ca
In dialog we see default variants, which we specified in "vars" file before. We may check them, edit if needed and then press ENTER couple of times. Dialog looks as follows 在对话中我们可以看到默认的变量这些变量是我们先前在“vars”中指定的。我们可以检查以下如有必要进行编辑然后按回车几次。对话如下
Generating a 2048 bit RSA private key Generating a 2048 bit RSA private key
.............................................+++ .............................................+++
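Review bot: `use last version of it` in the openssl-config sentence means the latest available version, but the translation `使用它的上一个版本` says the previous version, which reverses the advice that leads to `cp openssl-1.0.0.cnf openssl.cnf`; `使用其中最新的版本` matches the original. Minor: `我们可以检查以下` should be `检查一下`.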
@ -85,11 +84,11 @@ In dialog we see default variants, which we specified in "vars" file before. We
Name [EasyRSA]: Name [EasyRSA]:
Email Address [me@myhost.mydomain]: Email Address [me@myhost.mydomain]:
Next we need to generate a server key 接下来,我们需要生成一个服务器密钥
./build-key-server server ./build-key-server server
Dialog of this command is shown below: 该命令的对话如下:
Generating a 2048 bit RSA private key Generating a 2048 bit RSA private key
........................................................................+++ ........................................................................+++
@ -134,72 +133,72 @@ Dialog of this command is shown below:
Write out database with 1 new entries Write out database with 1 new entries
Data Base Updated Data Base Updated
Here we must answer "yes" on last two questions about "sign the certificate" and about "commit". 这里最后两个关于“签署证书”和“提交”的问题我们必须回答“yes”。
Now we have certificate and server key. Next step is to generate Diffie-Hellman key. Execute the below command and be patient. During next couple minutes we will see a lots of dots and pluses symbols. 现在我们已经有了证书和服务器密钥。下一步就是去省城Diffie-Hellman密钥。执行以下命令耐心等待。在接下来的几分钟内我们将看到许多点和加号。
./build-dh ./build-dh
Example of the output of this command you can find below 该命令的输出样例如下
Generating DH parameters, 2048 bit long safe prime, generator 2 Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time This is going to take a long time
................................+................<and many many dots> ................................+................<and many many dots>
After a long wait we can move to generation of the last key. This is key for TLS-authentication. Here is a command for it: 在漫长的等待之后我们可以继续生成最后的密钥了该密钥用于TLS验证。命令如下
openvpn --genkey --secret keys/ta.key openvpn --genkey --secret keys/ta.key
Now, generation completed and we can move all generated files to the final location. 现在,生成完毕,我们可以移动所有生成的文件到最后的位置中。
cp -r /etc/openvpn/easy-rsa/2.0/keys/ /etc/openvpn/ cp -r /etc/openvpn/easy-rsa/2.0/keys/ /etc/openvpn/
Finally we create OpenVPN configuration file. Let's copy it from example: 最后我们来创建OpenVPN配置文件。让我们从样例中拷贝过来吧
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/ cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
cd /etc/openvpn cd /etc/openvpn
gunzip -d /etc/openvpn/server.conf.gz gunzip -d /etc/openvpn/server.conf.gz
Then edit it 然后编辑
vim /etc/openvpn/server.conf vim /etc/openvpn/server.conf
We need to specify custom paths to keys 我们需要指定密钥的自定义路径
ca /etc/openvpn/keys/ca.crt ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh2048.pem dh /etc/openvpn/keys/dh2048.pem
That's all. After restart of OpenVPN configuration of server side is complete. 一切就绪。在重启OpenVPN后服务器端配置就完成了。
service openvpn restart service openvpn restart
### Client side configuration for Unix ### ### Unix的客户端配置 ###
Suppose we have a device with Unix like operation system, for example Ubuntu 15.04, and with installed OpenVPN. We want to connect to OpenVPN server from previous section. Firstly we need a key for the client. For generation of this key go to folder on server: 假定我们有一台装有类Unix操作系统的设备比如Ubuntu 15.04并安装有OpenVPN。我们想要从先前的部分连接到OpenVPN服务器。首先我们需要为客户端生成密钥。为了生成该密钥请转到服务器上的目录中
cd /etc/openvpn/easy-rsa/2.0 cd /etc/openvpn/easy-rsa/2.0
Load environment variables 加载环境变量
source vars source vars
and create a client key 然后创建客户端密钥
./build-key client ./build-key client
We will see a same dialog as described in previous section on part about server key generation. Fill actual information about client in it. 我们将看到一个与先前关于服务器密钥生成部分的章节描述一样的对话,填入客户端的实际信息。
You need run other command in case of requirement of password protect key. Here it is 如果需要密码保护密钥,你需要运行另外一个命令,命令如下
./build-key-pass client ./build-key-pass client
In this case you will be prompted to input password in beginning of establishing of VPN connection. 在此种情况下在建立VPN连接时会提示你输入密码。
Now we need to copy follows files from server to client into /etc/openvpn/keys/ folder. 现在,我们需要将以下文件从服务器拷贝到客户端/etc/openvpn/keys/文件夹。
List of files from server: 服务器文件列表:
- ca.crt, - ca.crt,
- dh2048.pem, - dh2048.pem,
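Review bot: `省城Diffie-Hellman密钥` in the Diffie-Hellman paragraph should be `生成`; as written the sentence is unreadable. Separately, the list of files to copy to the client includes `dh2048.pem`, but the DH parameter file is read only through the server-side `dh` directive (`dh /etc/openvpn/keys/dh2048.pem` above), so the client does not need it; `client.key`, by contrast, is a private key to which the config comment `# This file should be kept secret` applies just as it does to the server key, so it should be transferred over an authenticated channel rather than copied in the clear. Minor: `移动所有生成的文件` describes a move while the command shown is `cp -r`, so `拷贝` is the accurate verb.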
@ -207,7 +206,7 @@ List of files from server:
- client.key, - client.key,
- ta.key. - ta.key.
After that we go to the client and prepare configuration file. Location of file is /etc/openvpn/client.conf and content of it presents below 在此之后,我们转到客户端,准备配置文件。配置文件位于/etc/openvpn/client.conf内容如下
dev tun dev tun
proto udp proto udp
@ -234,15 +233,15 @@ After that we go to the client and prepare configuration file. Location of file
verb 3 verb 3
mute 20 mute 20
After that we need to restart OpenVPN for accepting a new configuration. 在此之后我们需要重启OpenVPN以接受新配置。
service openvpn restart service openvpn restart
That's it, the configuration of the client is over. 好了,客户端配置完成。
### Client side configuration for Android ### ### 安卓客户端配置 ###
Configuration of OpenVPN on Android devices is quite similar to configuration on Unix system. We need a pack with a configuration file, with a keys and with a certificates. Here is a list of them: 安卓设备上的OpenVPN配置和Unix系统上的十分类似我们需要一个含有配置文件、密钥和证书的包。文件列表如下
- configuration file (.ovpn), - configuration file (.ovpn),
- ca.crt, - ca.crt,
@ -250,9 +249,9 @@ Configuration of OpenVPN on Android devices is quite similar to configuration on
- client.crt, - client.crt,
- client.key. - client.key.
Client key can be generated by the same way as described in previous section. 客户端密钥生成方式和先前章节所述的一样。
Configuration file has a follows content 配置文件内容如下
client tls-client client tls-client
dev tun dev tun
@ -273,11 +272,11 @@ Configuration file has a follows content
verb 3 verb 3
mute 20 mute 20
All this files we must to move on SD-card of our device. 所有这些文件我们必须移动我们设备的SD卡上。
Then we need to install [OpenVPN Connect][2]. 然后,我们需要安装[OpenVPN连接][2]。
Next configuration process is very simple: 接下来,配置过程很是简单:
open setting of OpenVPN and select Import options open setting of OpenVPN and select Import options
select Import Profile from SD card option select Import Profile from SD card option
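Review bot: the two step lines `open setting of OpenVPN and select Import options` and `select Import Profile from SD card option` are unchanged in the new column, i.e. still untranslated, while the prose around them is. Also `[OpenVPN连接][2]` translates a product name; `OpenVPN Connect` should stay as the proper noun the link target refers to, and `移动我们设备的SD卡上` is missing `到` (`移动到…SD卡上`).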
@ -285,18 +284,18 @@ Next configuration process is very simple:
application offered us to create a new profile application offered us to create a new profile
tap on the Connect button and wait a second tap on the Connect button and wait a second
And thats all. Now our Android device has connection to our private network using secure VPN connection. 搞定。现在我们的安卓设备已经通过安全的VPN连接连接到我们的专用网。
### Conclusion ### ### 尾声 ###
So, initial configuration of OpenVPN takes a time, but it is compensated by easy clients configuration and the ability to connect from any device. Moreover OpenVPN provided a high security level and ability to connection from different places including clients located behind NAT. Therefore OpenVPN may equally well be used both at home and in enterprise. 虽然OpenVPN初始配置花费不少时间但是简易客户端配置为我们弥补了时间上的损失也提供了从任何设备连接的能力。此外OpenVPN提供了一个很高的安全等级以及从不同地方连接的能力包括位于NAT后面的客户端。因此OpenVPN可以同时在家和在企业中使用。
-------------------------------------------------------------------------------- --------------------------------------------------------------------------------
via: http://linoxide.com/ubuntu-how-to/configure-openvpn-server-client-ubuntu-15-04/ via: http://linoxide.com/ubuntu-how-to/configure-openvpn-server-client-ubuntu-15-04/
作者:[Ivan Zabrovskiy][a] 作者:[Ivan Zabrovskiy][a]
译者:[译者ID](https://github.com/译者ID) 译者:[GOLinux](https://github.com/GOLinux)
校对:[校对者ID](https://github.com/校对者ID) 校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](https://linux.cn/) 荣誉推出 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](https://linux.cn/) 荣誉推出
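Review bot: the step lines `application offered us to create a new profile` and `tap on the Connect button and wait a second` are still in English in the new column and should be translated with the rest of the list. In the conclusion, `可以同时在家和在企业中使用` renders `may equally well be used both at home and in enterprise` as "used at home and in the enterprise at the same time"; `同样适用于家庭和企业环境` keeps the intended meaning. Leaving the `校对` placeholder for the proofreader is consistent with the project's convention.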