
VPN
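1 Preface
One problem, one article, one story.
The following chapters run one TCP OpenVPN instance and one UDP OpenVPN instance side by side on a single server; the detailed configuration is as follows.
In this chapter we issue the certificate for an OpenVPN client.
2 Best practice
2.1 Declare the client certificate name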
clientName=will
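2.2 Create the client private key and certificate signing request
cd /etc/openvpn/client/easy-rsa/3.0
./easyrsa gen-req $clientName nopass
The "clientName" keyword can be replaced with your own client name. The nopass option writes the private key without passphrase encryption, so protect the resulting .key file accordingly. Complete the configuration by following the prompts below:
#...
Common Name (eg: your user, host, or server name) [will]:
#...
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /etc/openvpn/client/easy-rsa/3.0/pki/reqs/will.req
* key: /etc/openvpn/client/easy-rsa/3.0/pki/private/will.key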
2.3 Sign the client certificate
cd /etc/openvpn/server/easy-rsa/3.0
./easyrsa import-req /etc/openvpn/client/easy-rsa/3.0/pki/reqs/$clientName.req $clientName
The "clientName" keyword can be replaced with your own client name. The output looks like this:
#...
Request successfully imported with short-name: will
This request is now ready to be signed.
With the import done, sign the client certificate:
cd /etc/openvpn/server/easy-rsa/3.0
./easyrsa sign client $clientName
The "clientName" keyword can be replaced with your own client name. The output looks like this:
#...
Confirm requested details: yes
#...
Certificate created at:
* /etc/openvpn/server/easy-rsa/3.0/pki/issued/will-dg.crt
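2.4 Gather the client certificate files
cp /etc/openvpn/client/easy-rsa/3.0/pki/private/$clientName.key /etc/openvpn/client/
cp /etc/openvpn/server/easy-rsa/3.0/pki/issued/$clientName.crt /etc/openvpn/client/
cp /etc/openvpn/server/easy-rsa/3.0/pki/ca.crt /etc/openvpn/client/
Note: the three files above (the client private key, the client certificate and the CA certificate) are what the client configuration requires; deploy them to the OpenVPN client.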
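The following check is an added example, not part of the original post: a POSIX shell function that validates the three files gathered in section 2.4 before they are deployed to a client. The function name verify_client_bundle and the script name in the last comment are assumptions of this example; it relies only on the standard openssl command line.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the three files
# gathered in section 2.4 before they are copied to an OpenVPN client.
# verify_client_bundle <dir> <clientName>  -> returns 0 only if every check passes.
verify_client_bundle() {
    dir=$1; name=$2; rc=0
    key="$dir/$name.key"; crt="$dir/$name.crt"; ca="$dir/ca.crt"

    # 1. All three files from step 2.4 must be present and non-empty.
    for f in "$key" "$crt" "$ca"; do
        [ -s "$f" ] || { echo "MISSING: $f" >&2; return 1; }
    done

    # 2. The certificate must chain to ca.crt and be usable for TLS client
    #    authentication (fails if expired, or if it was signed as a server cert).
    if ! openssl verify -purpose sslclient -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not verify as a client certificate under $ca" >&2
        rc=1
    fi

    # 3. The private key must belong to the certificate: compare public keys.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || crt_pub=
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || key_pub=
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $crt" >&2
        rc=1
    fi

    # 4. "nopass" leaves the key unencrypted, so group and other must have
    #    no access to it (characters 5-10 of the ls mode string).
    perm=$(ls -ld "$key" | cut -c5-10)
    if [ "$perm" != "------" ]; then
        echo "FAIL: $key is accessible to group/other; run chmod 600 on it" >&2
        rc=1
    fi

    return $rc
}

# Direct use (script name is hypothetical): sh verify-bundle.sh /etc/openvpn/client will
if [ "$#" -eq 2 ]; then verify_client_bundle "$1" "$2"; fi
```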