Because OpenVPN authenticates with certificates, you must first use a computer (Windows or Linux) to generate the different certificate files needed by the server and the client. The following explains how to generate these certificate files on Linux.
On a Linux machine, download the OpenVPN source archive from the official website:
http://openvpn.net/index.php/downloads.html
$wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
$tar xzf openvpn-2.0.9.tar.gz
$cd openvpn-2.0.9/
$cd easy-rsa/
$vi vars
Note: any values may be entered for the parameters in vars.
$source ./vars
$./clean-all
$./build-ca
...
Country Name (2 letter code) [TW]: (press Enter)
State or Province Name (full name) [ALANG]: (press Enter)
Locality Name (eg, city) [HsinChu]: (press Enter)
Organization Name (eg, company) [pfSense-VPN]: (press Enter)
Organizational Unit Name (eg, section) []: (press Enter)
Common Name (eg, your name or your server's hostname) []: alang-pfsense
Email Address [alang@myhost.mydomain]: (press Enter)
Note: the Common Name can be anything.
$./build-key-server server
...
Country Name (2 letter code) [TW]: (press Enter)
State or Province Name (full name) [ALANG]: (press Enter)
Locality Name (eg, city) [HsinChu]: (press Enter)
Organization Name (eg, company) [pfSense-VPN]: (press Enter)
Organizational Unit Name (eg, section) []: (press Enter)
Common Name (eg, your name or your server's hostname) []: server
Email Address [alang@myhost.mydomain]: (press Enter)
...
A challenge password []: (press Enter)
An optional company name []: (press Enter)
...
Sign the certificate? [y/n]: y
...
1 out of 1 certificate requests certified, commit? [y/n] y
$./build-dh
$./build-key pfsense-client
...
Country Name (2 letter code) [TW]: (press Enter)
State or Province Name (full name) [ALANG]: (press Enter)
Locality Name (eg, city) [HsinChu]: (press Enter)
Organization Name (eg, company) [pfSense-VPN]: (press Enter)
Organizational Unit Name (eg, section) []: (press Enter)
Common Name (eg, your name or your server's hostname) []: client
Email Address [alang@myhost.mydomain]: (press Enter)
...
A challenge password []: (press Enter)
An optional company name []: (press Enter)
...
Sign the certificate? [y/n]: y
...
1 out of 1 certificate requests certified, commit? [y/n] y
At this point the certificate generation is complete. All certificate files used in the following steps are stored in the keys directory, namely:
ca.crt
ca.key
dh{xxx}.pem
server.crt
server.key
pfsense-client.crt
pfsense-client.key
Finally, check the sizes of these files: a file with size 0 means that file failed to generate, so run that step again.
Return to the pfSense web interface, choose 《Firewall》《OpenVPN》《Server》, and click + to add a new entry.
Protocol = TCP
Dynamic IP = yes
Address Pool = the subnet for VPN clients. It must differ from the other subnets, such as LAN/WAN/DMZ/LAN2.
Local network = the local network's subnet, usually the LAN. If it is left blank, VPN users will not be able to reach the local network.
Authentication method = PKI. Copy the contents of the different certificate files into the corresponding fields on the page. On Linux, list a file's contents with the cat command:
$cat ca.crt
Copy the section from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE----- inclusive (explained in the figure).
LZO compression = choose whether packets are compressed. If it is enabled here, the client configuration must enable it as well.
Custom options = normally left blank. If there are other subnets such as DMZ or LAN2 that VPN clients should be able to reach, some settings must be added; for example, when LAN2 is 10.10.9.0/24, enter:
push "route 10.10.9.0 255.255.255.0"
To add multiple options, separate them with semicolons.
Set up two basic rules on LAN and WAN. The LAN interface must have this rule:
If it is not there, add it yourself.
The WAN interface must have this rule:
If it is not there, add it yourself.
This completes the OpenVPN configuration on pfSense. Next comes the client setup. Pick a Windows machine and first install the OpenVPN client software, which can be downloaded from http://openvpn.se/ . During installation a virtual network interface, TAP-Win32 Adapter, is added automatically; it is used to establish the VPN tunnel.
Create the client's OpenVPN configuration file: 《Start》《All Programs》《OpenVPN》《OpenVPN configuration file directory》. In this folder, create a text file named pfsense.ovpn with the following contents:
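As an added example (not part of the original tutorial), the POSIX shell script below automates the two manual checks above: it reports any missing or zero-byte file in the easy-rsa keys directory, and it extracts only the BEGIN/END block that pfSense expects in each certificate field. It assumes the keys directory path is passed as the first argument and the file names used in this tutorial (server, pfsense-client).

```shell
#!/bin/sh
# Added example, not from the original tutorial. Assumes $1 is the
# easy-rsa "keys" directory and the tutorial's file names.

# Output files expected from build-ca, build-key-server and build-key.
REQUIRED_FILES="ca.crt ca.key server.crt server.key pfsense-client.crt pfsense-client.key"

# check_keys DIR: return 0 when every required file exists and is non-empty
# and a dh*.pem file exists and is non-empty. A zero-byte file means that
# easy-rsa step failed and must be re-run; each problem is printed.
check_keys() {
    dir=$1
    status=0
    for f in $REQUIRED_FILES; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING: $f"; status=1
        elif [ ! -s "$dir/$f" ]; then
            echo "EMPTY (regenerate): $f"; status=1
        fi
    done
    # build-dh names the file after the key size, e.g. dh1024.pem
    dh=$(ls "$dir"/dh*.pem 2>/dev/null | head -n 1)
    if [ -z "$dh" ]; then
        echo "MISSING: dh*.pem"; status=1
    elif [ ! -s "$dh" ]; then
        echo "EMPTY (regenerate): $dh"; status=1
    fi
    return $status
}

# pem_block FILE: print only the lines from -----BEGIN ...----- through
# -----END ...-----. easy-rsa .crt files also carry a human-readable dump
# above the PEM block, which pfSense's fields must not receive.
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Usage: ./check_keys.sh /path/to/easy-rsa/keys
if [ -n "$1" ]; then
    check_keys "$1" && for f in ca.crt server.crt server.key; do
        echo "== $f =="; pem_block "$1/$f"
    done
fi
```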
If LZO compression is enabled on pfSense, uncomment comp-lzo here. Then copy the certificate files created in the earlier steps into the same folder; the files are:
ca.crt
pfsense-client.crt
pfsense-client.key
Everything is now done, so try connecting! Usage is simple: an OpenVPN connection icon appears in the notification area at the bottom right of the desktop; right-click it and choose connect or disconnect.
Tip: after actually using LZO compression, the connection seemed to respond faster.
Reference links:
http://www.pfsense.org/mirror.php?section=tutorials/openvpn/pfsense-ovpn.pdf