1. 安装工具
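# Refresh the package lists, then install OpenVPN (OpenSSL build) and its LuCI page.
# Chained with && so a failed list refresh does not attempt an install from stale lists.
opkg update && opkg install openvpn-openssl luci-app-openvpn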
2. 创建证书目录
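# Working directory for the CA database used by `openssl ca` and for every key/cert below.
PKI_DIR="/etc/openvpn/keys"
# Start from a clean directory; ${PKI_DIR:?} aborts instead of expanding to "" if unset.
rm -rf -- "${PKI_DIR:?}"
mkdir -p -- "${PKI_DIR}"
# 0700 rather than 0600: a directory needs the execute bit to be entered or listed
# (only root could use a 0600 directory). Nothing exists inside yet, so -R is not needed.
chmod 0700 "${PKI_DIR}"
# Private keys generated later inherit the umask; 077 keeps them owner-readable only.
# Stays in effect for the rest of this shell session.
umask 077
cd "${PKI_DIR}" || exit 1
# Empty certificate database and starting serial number for `openssl ca`.
touch index.txt
echo 1000 > serial
# Directory where `openssl ca` stores a copy of each issued certificate
# (the stock openssl.cnf points new_certs_dir at $dir/newcerts).
mkdir newcerts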
3. openssl.cnf修改
a. 基础配置文件拷贝
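# Private copy of the system openssl.cnf; only this copy is edited below.
# Trailing slash makes cp fail rather than create a file if PKI_DIR is not a directory.
cp -- /etc/ssl/openssl.cnf "${PKI_DIR}/"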
b. 修改配置
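# The copied config, edited in place below.
PKI_CNF="${PKI_DIR}/openssl.cnf"
# CA database location (the `dir` entry); derived from PKI_DIR so the two cannot drift apart.
sed -i "/^dir/ s:=.*:= ${PKI_DIR}:" "${PKI_CNF}"
# Policy entries "countryName/stateOrProvinceName/organizationName = match" would force every
# issued certificate to repeat the CA's values; "optional" lets server/client use only a CN.
sed -i '/.*Name/ s:= match:= optional:' "${PKI_CNF}"
# Defaults that `openssl req` uses as-is under -batch.
sed -i '/organizationName_default/ s:= .*:= WWW Ltd.:' "${PKI_CNF}"
sed -i '/stateOrProvinceName_default/ s:= .*:= London:' "${PKI_CNF}"
sed -i '/countryName_default/ s:= .*:= GB:' "${PKI_CNF}"
# default_days only drives `openssl ca` (issued certs); `openssl req -x509` takes -days on its own.
sed -i '/default_days/ s:=.*:= 3650:' "${PKI_CNF}" ## default usu.: -days 365
# RSA key size for keys generated by `openssl req`.
sed -i '/default_bits/ s:=.*:= 4096:' "${PKI_CNF}" ## default usu.: -newkey rsa:2048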
c. 添加必要的内容
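# Extension sections selected by `openssl ca -extensions server|client`.
# With -extensions only the named section is applied, so each must be complete on its own;
# basicConstraints = CA:FALSE explicitly marks the issued certificate as an end-entity cert.
cat >> "${PKI_CNF}" <<"EOF"
###############################################################################
### Check via: openssl x509 -text -noout -in *.crt | grep 509 -A 1
[ server ]
# X509v3 Basic Constraints: CA:FALSE
# X509v3 Key Usage: Digital Signature, Key Encipherment
# X509v3 Extended Key Usage: TLS Web Server Authentication
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ client ]
# X509v3 Basic Constraints: CA:FALSE
# X509v3 Key Usage: Digital Signature
# X509v3 Extended Key Usage: TLS Web Client Authentication
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF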
4. 生成CA密钥和证书
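# Self-signed CA key and certificate. `openssl req -x509` does not read default_days
# (that only drives `openssl ca`) and would certify for just 30 days, so the lifetime is
# passed explicitly to match the 3650 days used for issued certificates.
# -nodes leaves ca.key unencrypted: it is the trust anchor, restrict access to it accordingly.
openssl req -batch -nodes -new -x509 -days 3650 \
  -keyout "ca.key" -out "ca.crt" -config "${PKI_CNF}" ## x509 (self-signed) for the CA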
5. 生成Server密钥和证书
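# Server key + CSR (key size from default_bits), then sign it with the CA using the
# [ server ] section (serverAuth EKU, which clients can check with `remote-cert-tls server`).
openssl req -batch -nodes -new -keyout "server.key" -out "server.csr" \
  -subj "/CN=server" -config "${PKI_CNF}"
openssl ca -batch -keyfile "ca.key" -cert "ca.crt" -in "server.csr" -out "server.crt" \
  -config "${PKI_CNF}" -extensions server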
6. 生成Client密钥和证书
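# Client key + CSR, then sign it with the CA using the [ client ] section (clientAuth EKU,
# which the server can enforce with `remote-cert-tls client`).
openssl req -batch -nodes -new -keyout "client.key" -out "client.csr" \
  -subj "/CN=client" -config "${PKI_CNF}"
openssl ca -batch -keyfile "ca.key" -cert "ca.crt" -in "client.csr" -out "client.crt" \
  -config "${PKI_CNF}" -extensions client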
7. 生成dh2048.pem文件
# Diffie-Hellman parameters for the server (2048-bit). Parameter generation is CPU-bound
# and can take a long time on low-powered router hardware.
dh_bits=2048
openssl dhparam -out "dh${dh_bits}.pem" "${dh_bits}"
8. 生成ta.key文件
# tls-auth pre-shared key: an HMAC key shared by server and clients (not a certificate).
# OpenVPN uses it to authenticate control-channel packets before the TLS handshake runs.
ta_key="ta.key"
openvpn --genkey tls-auth "${ta_key}"
9. 说明
完成上述步骤后，将在 OpenWrt 的 /etc/openvpn/keys 目录中得到以下文件：
- ca.key:CA证书的私钥文件。
- ca.crt:CA证书的公钥文件。
- server.key:服务器证书的私钥文件。
- server.crt:服务器证书的公钥文件。
- client.key:客户端证书的私钥文件。
- client.crt:客户端证书的公钥文件。
- dh2048.pem:用于Diffie-Hellman密钥交换的参数文件。
- ta.key:OpenVPN数字证书（第8步由 openvpn --genkey tls-auth 生成的 tls-auth 预共享密钥文件）。