OpenVPN服务器与客户端的安装、配置与使用方法

Linux环境下OpenVPN的配置

第1章 OpenVPN的安装环境

1.1 服务器端的环境

1. redhat, kernel版本: 2.4.20-31.9, IP 为 70.8.7.6 2. kernel需要支持tun设备, 需要加载iptables模块.

检查 tun 是否安装的命令: modinfo tun

3. 如果没有modinfo命令, 直接找一下, 看看 kernel 里是否有tun.o文件: 代码: find -name tun.o

4. 检查iptables模块, 查看是否有下列文件: /etc/init.d/iptables

1.2 客户端的环境

1. 操作系统：WinXP

2. 客户端软件：OpenVPN GUI For windows 1.0.3 , 可在 openvpn.se 下载 注意: OpenVPN GUI for windows 的版本要和 OpenVPN Server 的版本配套.

例如, 服务器装的是 OpenVPN 2.0.5, 那么下载的 OpenVPN GUI fow windows 应该是: openvpn-2.0.5-gui-1.0.3-install.exe

第2章 服务器端安装OpenVPN

2.1 软件下载

1. 下载 LZO（http://www.oberhumer.com/opensource/lzo/download/），解压到lzo-2.04 wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gz tar zxvf lzo-2.04.tar.gz

2. 下载 OpenVPN（http://openvpn.net/）, 解压到openvpn-2.2-beta3 源码下载地址：http://openvpn.net/index.php/open-source/downloads.html

wget http://swupdate.openvpn.net/community/releases/openvpn-2.2-beta5.tar.gz

tar zxvf openvpn-2.2-beta3.tar.gz

2.2 辅助软件安装

1. 安装 LZO cd lzo-2.2 ./configure make

make check make install 2. 安装 openssl

yum -y install openssl*

2.3 OpenVPN安装

cd openvpn-2.2-beta3 ./configure

# 或用指定dir: (注:下述命令, 应该在一行写完. 为了方便显示, 这里分成了四行) ./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib --with-ssl-headers=/usr/local/include/openssl --with-ssl-lib=/usr/local/lib make

make install

2.4 生成OpenVPN证书Key 2.4.1 生成证书初始化PKI

2.4.1.1 准备证书生成工具

mkdir /etc/openvpn/ mkdir /etc/openvpn/tools

cp easy-rsa/2.0/* /etc/openvpn/tools/ cd /etc/openvpn/tools/

2.4.1.2 准备证书生成工具

初始化 PKI (如果没有 export 命令也可以用 setenv [name] [value] 命令): . vars

也可以不用设置直接执行下面的命令 cd /openvpn-2.0.5/easy-rsa/2.0 export D=`pwd`

export KEY_CONFIG=$D/openssl.cnf export KEY_DIR=$D/keys export KEY_SIZE=1024

export KEY_COUNTRY=CN export KEY_PROVINCE=BJ export KEY_CITY=BJ

export KEY_ORG=\

export KEY_EMAIL=\ export OPENSSL=/usr/bin/openssl 或者：

（1）修改openssl.cnf （2）source ./vars （3）./clean-all

2.4.2清除所有证书文件

#清除所有证书文件（keys目录） （2）source ./vars （3）./clean-all

2.4.3 创建证书颁发机构(CA)

./build-ca

Generating a 1024 bit RSA private key .....................++++++

...............................++++++

writing new private key to 'ca.key' -----

You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. -----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BJ]: Locality Name (eg, city) [BJ]:

Organization Name (eg, company) [TSINGHUA]: Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) [TSINGHUA CA]: Name []:

Email Address [liu-w@tsinghua.edu.cn]:

2.4.4 建立 server key

./build-key-server server

Generating a 1024 bit RSA private key ............................++++++

..........................................................................++++++ writing new private key to 'server.key' -----

You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. -----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BJ]: Locality Name (eg, city) [BJ]:

Organization Name (eg, company) [TSINGHUA]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) [server]: Name []:

Email Address [liu-w@tsinghua.edu.cn]:

Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:

An optional company name []:

Using configuration from /root/openvpn/openvpn-2.2-beta3/easy-rsa/2.0/openssl.cnf Check that the request matches the signature Signature ok

The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'BJ' localityName :PRINTABLE:'BJ'

organizationName :PRINTABLE:'TSINGHUA' commonName :PRINTABLE:'server'

emailAddress :IA5STRING:'liu-w@tsinghua.edu.cn'

Certificate is to be certified until Nov 17 20:01:55 2020 GMT (3650 days) Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated

2.4.5 生成客户端 key

2.4.5.1 设置环境变量

cd /root/.backup/easy-rsa/2.0 export D=`pwd`

export KEY_CONFIG=$D/openssl.cnf export KEY_DIR=$D/keys export KEY_SIZE=1024

export KEY_COUNTRY=CN export KEY_PROVINCE=BJ export KEY_CITY=BJ

export KEY_ORG=\

export KEY_EMAIL=\ export OPENSSL=/usr/bin/openssl

或者：

（1）修改openssl.cnf （2）source ./vars

2.4.5.2 生成客户端Key

./build-key client1

Generating a 1024 bit RSA private key ................................++++++ ...................................++++++

writing new private key to 'client1.key' -----

You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. -----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BJ]: Locality Name (eg, city) [BJ]:

Organization Name (eg, company) [TSINGHUA]: Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) [client1]: Name []:

Email Address [liu-w@tsinghua.edu.cn]:

Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:

An optional company name []:

Using configuration from /root/openvpn/openvpn-2.2-beta3/easy-rsa/2.0/openssl.cnf Check that the request matches the signature Signature ok

The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'BJ' localityName :PRINTABLE:'BJ'

organizationName :PRINTABLE:'TSINGHUA' commonName :PRINTABLE:'client1'

emailAddress :IA5STRING:'liu-w@tsinghua.edu.cn'

Certificate is to be certified until Nov 17 20:03:37 2020 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated

2.4.6 生成带密码的客户端 key

./build-key --pass test

Generating a 1024 bit RSA private key ............++++++

...................................++++++

writing new private key to 'test.key' Enter PEM pass phrase: XXXXXX

Verifying - Enter PEM pass phrase: XXXXXX -----

You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. -----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BJ]: Locality Name (eg, city) [BJ]:

Organization Name (eg, company) [TSINGHUA]: Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) [test]: Name []:

Email Address [liu-w@tsinghua.edu.cn]:

Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:

An optional company name []:

Using configuration from /root/.backup/easy-rsa/2.0/openssl.cnf Check that the request matches the signature Signature ok

The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'BJ' localityName :PRINTABLE:'BJ'

organizationName :PRINTABLE:'TSINGHUA' commonName :PRINTABLE:'test'

emailAddress :IA5STRING:'liu-w@tsinghua.edu.cn'

Certificate is to be certified until Nov 18 03:06:44 2020 GMT (3650 days) Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated

2.4.7 生成其它客户端 key

./build-key client2 ./build-key client3

注意：在进入 Common Name (eg, your name or your server's hostname) []: 的输入时, 每个证书输入的名字必须不同

2.4.8 生成Diffie Hellman参数

export D=`pwd`

export KEY_CONFIG=$D/openssl.cnf export KEY_DIR=$D/keys export KEY_SIZE=1024

export KEY_COUNTRY=CN export KEY_PROVINCE=BJ export KEY_CITY=BJ

export KEY_ORG=\

export KEY_EMAIL=\ export OPENSSL=/usr/bin/openssl

./build-dh

Please source the vars script first (i.e. \Make sure you have edited it to reflect your configuration.

2.5 生成OpenVPN客户端证书目录

mkdir client1

mv -f client1* client1 cp ca.key client1

cp ca.crt client1 touch client01.ovpn

vim client01.ovpn client dev tap proto tcp

remote A.B.C.D 1194 persist-key persist-tun ca ca.crt

cert client1.crt key client1.key ns-cert-type server comp-lzo verb 3

redirect-gateway def1

第3章 下载客户端证书

将 keys 下的所有文件打包下载到本地

tar -cf mykeys.tar /openvpn-2.0.5/easy-rsa/keys

cp mykeys.tar /home/dvdmastersys/public_html/mykeys.tar

将 mykeys.tar 移到 web public(绝对路径因人而异) 上, http://www.a.com/mykeys.tar 方式将其下载到本地保存, 然后将其从server删除 rm /home/dvdmastersys/public_html/mykeys.tar

第4章 服务器端配置OpenVPN

4.1 创建目录/etc/openvpn

mkdir /etc/openvpn

4.2 复制服务器端证书和配置文件到/etc/openvpn

cd /root/openvpn/openvpn-2.2-beta3/sample-keys cp dh1024.pem /etc/openvpn/

cd /root/openvpn/openvpn-2.2-beta3/sample-scripts

然后用 cp openvpn.init /etc/init.d/openvpn

cd /root/openvpn/openvpn-2.2-beta3/easy-rsa/2.0/keys cp * /etc/openvpn/

# 进入源代码解压目录下的sample-config-files子目录 cd /root/openvpn/openvpn-2.2-beta3//sample-config-files/ cp server.conf /etc/openvpn/server.conf

4.3 配置OpenVPN服务端配置文件

vim /etc/openvpn/server.conf

################################################# # Sample OpenVPN 2.0 config file for # # multi-client server. #

# # # This file is for the server side # # of a many-clients <-> one-server # # OpenVPN configuration. # # # # OpenVPN also supports # # single-machine <-> single-machine # # configurations (See the Examples page # # on the web site for more info). #

# # # This config should work on Windows # # or Linux/BSD systems. Remember on # # Windows to quote pathnames and use # # double backslashes, e.g.: # # \

# # # Comments are preceded with '#' or ';' #

#################################################

# Which local IP address should OpenVPN # listen on? (optional) ;local a.b.c.d local A.B.C.D

# Which TCP/UDP port should OpenVPN listen on? # If you want to run multiple OpenVPN instances # on the same machine, use a different port # number for each one. You will need to # open up this port on your firewall. port 1194

# TCP or UDP server? proto tcp ;proto udp

# \# \# Use \# and have precreated a tap0 virtual interface # and bridged it with your ethernet interface. # If you want to control access policies # over the VPN, you must create firewall # rules for the the TUN/TAP interface. # On non-Windows systems, you can give # an explicit unit number, such as tun0. # On Windows, use \

# On most systems, the VPN will not function # unless you partially or fully disable # the firewall for the TUN/TAP interface. dev tap ;dev tun ;tun-ipv6

# Windows needs the TAP-Win32 adapter name # from the Network Connections panel if you # have more than one. On XP SP2 or higher, # you may need to selectively disable the # Windows firewall for the TAP adapter.

# Non-Windows systems usually don't need this. ;dev-node MyTap

# SSL/TLS root certificate (ca), certificate # (cert), and private key (key). Each client # and the server must have their own cert and # key file. The server and all clients will # use the same ca file. #

# See the \# of scripts for generating RSA certificates # and private keys. Remember to use # a unique Common Name for the server # and each of the client certificates. #

# Any X509 key management system can be used.

# OpenVPN can also use a PKCS #12 formatted key file # (see \

ca /etc/openvpn/ca.crt

cert /etc/openvpn/server.crt

key /etc/openvpn/server.key # This file should be kept secret # Diffie hellman parameters. # Generate your own with:

# openssl dhparam -out dh1024.pem 1024 # Substitute 2048 for 1024 if you are using # 2048 bit keys.

dh /etc/openvpn/dh1024.pem

# Configure server mode and supply a VPN subnet # for OpenVPN to draw client addresses from. # The server will take 10.8.0.1 for itself, # the rest will be made available to clients. # Each client will be able to reach the server # on 10.8.0.1. Comment this line out if you are

# ethernet bridging. See the man page for more info. server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address # associations in this file. If OpenVPN goes down or # is restarted, reconnecting clients can be assigned # the same virtual IP address from the pool that was # previously assigned.

ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging. # You must first use your OS's bridging capability # to bridge the TAP interface with the ethernet # NIC interface. Then you must manually set the # IP/netmask on the bridge interface, here we # assume 10.8.0.4/255.255.255.0. Finally we # must set aside an IP range in this subnet # (start=10.8.0.50 end=10.8.0.100) to allocate

# to connecting clients. Leave this line commented # out unless you are ethernet bridging.

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Push routes to the client to allow it # to reach other private subnets behind # the server. Remember that these # private subnets will also need

# to know to route the OpenVPN client # address pool (10.8.0.0/255.255.255.0)

# back to the OpenVPN server.

;push \;push \push \

# To assign specific IP addresses to specific # clients or if a connecting client has a private

# subnet behind it that should also have VPN access, # use the subdirectory \# configuration files (see man page for more info).

# EXAMPLE: Suppose the client

# having the certificate common name \# also has a small subnet behind his connecting

# machine, such as 192.168.40.128/255.255.255.248. # First, uncomment out these lines: ;client-config-dir ccd

;route 192.168.40.128 255.255.255.248

# Then create a file ccd/Thelonious with this line: # iroute 192.168.40.128 255.255.255.248 # This will allow Thelonious' private subnet to # access the VPN. This example will only work # if you are routing, not bridging, i.e. you are # using \

# EXAMPLE: Suppose you want to give

# Thelonious a fixed VPN IP address of 10.9.0.1. # First uncomment out these lines: ;client-config-dir ccd

;route 10.9.0.0 255.255.255.252

# Then add this line to ccd/Thelonious: # ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different # firewall access policies for different groups # of clients. There are two methods:

# (1) Run multiple OpenVPN daemons, one for each # group, and firewall the TUN/TAP interface # for each group/daemon appropriately. # (2) (Advanced) Create a script to dynamically # modify the firewall in response to access # from different clients. See man

# page for more info on learn-address script. ;learn-address ./script

# If enabled, this directive will configure # all clients to redirect their default

# network gateway through the VPN, causing # all IP traffic such as web browsing and # and DNS lookups to go through the VPN

# (The OpenVPN server machine may need to NAT # the TUN/TAP interface to the internet in # order for this to work properly).

# CAVEAT: May break client's network config if # client's local DHCP server packets get routed # through the tunnel. Solution: make sure # client's local DHCP server is reachable via # a more specific route than the default route # of 0.0.0.0/0.0.0.0. push \

# Certain Windows-specific network settings # can be pushed to clients, such as DNS # or WINS server addresses. CAVEAT: # http://openvpn.net/faq.html#dhcpcaveats ;push \;push \push \push \push \

# Uncomment this directive to allow different # clients to be able to \

# By default, clients will only see the server. # To force clients to only see the server, you # will also need to appropriately firewall the # server's TUN/TAP interface. client-to-client

# Uncomment this directive if multiple clients # might connect with the same certificate/key # files or common names. This is recommended # only for testing purposes. For production use, # each client should have its own certificate/key # pair. #

# IF YOU HAVE NOT GENERATED INDIVIDUAL # CERTIFICATE/KEY PAIRS FOR EACH CLIENT,

# EACH HAVING ITS OWN UNIQUE \# UNCOMMENT THIS LINE OUT. ;duplicate-cn

# The keepalive directive causes ping-like # messages to be sent back and forth over # the link so that each side knows when # the other side has gone down.

# Ping every 10 seconds, assume that remote # peer is down if no ping received during # a 120 second time period. keepalive 10 120

# For extra security beyond that provided # by SSL/TLS, create an \

# to help block DoS attacks and UDP port flooding. #

# Generate with:

# openvpn --genkey --secret ta.key #

# The server and each client must have # a copy of this key.

# The second parameter should be '0' # on the server and '1' on the clients. ;tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.

# This config item must be copied to # the client config file as well.

;cipher BF-CBC # Blowfish (default) ;cipher AES-128-CBC # AES

;cipher DES-EDE3-CBC # Triple-DES

# Enable compression on the VPN link. # If you enable it here, you must also # enable it in the client config file. comp-lzo

# The maximum number of concurrently connected # clients we want to allow. ;max-clients 100

# It's a good idea to reduce the OpenVPN # daemon's privileges after initialization.

#

# You can uncomment this out on # non-Windows systems. ;user nobody ;group nobody

# The persist options will try to avoid # accessing certain resources on restart # that may no longer be accessible because # of the privilege downgrade. persist-key persist-tun

# Output a short status file showing # current connections, truncated # and rewritten every minute.

status /etc/openvpn/openvpn-status.log

# By default, log messages will go to the syslog (or # on Windows, if running as a service, they will go to # the \# Use log or log-append to override this default.

# \# while \ Use one # or the other (but not both). ;log openvpn.log

log-append /var/log/openvpn/openvpn.log

# Set the appropriate level of log # file verbosity. #

# 0 is silent, except for fatal errors # 4 is reasonable for general usage

# 5 and 6 can help to debug connection problems # 9 is extremely verbose verb 3

# Silence repeating messages. At most 20 # sequential messages of the same message # category will be output to the log. ;mute 20

4.4 启动OpenVPN服务

cd /etc/init.d/

chkconfig openvpn on service openvpn start

4.5 创建客户端配置文件

4.5.1 Linux客户端配置文件

cd $dir/sample-config-files/ #进入源代码解压目录下的sample-config-files子目录 cp client.conf etc/openvpn/client.conf vim etc/openvpn/client.conf

client ;dev tun ;tun-ipv6 ;proto udp dev tap proto tcp

remote A.B.C.D 1194 persist-key persist-tun ca ca.crt cert client1.crt key client1.key ns-cert-type server comp-lzo verb 3

redirect-gateway def1

4.5.2 Windows客户端配置文件

vim client01.ovpn client dev tap proto tcp

remote A.B.C.D 1194 persist-key persist-tun

ca ca.crt

cert client1.crt key client1.key ns-cert-type server comp-lzo verb 3

redirect-gateway def1

第5章 服务器端配置iptables

服务器端配置iptables实现数据包转发

5.1 打开路由

VPN连接成功后, 还需要设置路由, 才能透过VPN访问Internet. 在 linux host 上添加路由命令:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source A.B.C.D(本机IP地址)

以下是写入iptables的命令文件：

*nat

:PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0]

-A POSTROUTING -s 10.0.0.0/255.255.255.0 -o eth0 -j MASQUERADE -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j SNAT --to-source A.B.C.D COMMIT *filter

:INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i tun+ -j ACCEPT -A INPUT -i tap+ -j ACCEPT -A INPUT -i eth0 -j ACCEPT -A INPUT -s 127.0.0.1 -j ACCEPT -A INPUT -d 127.0.0.1 -j ACCEPT

-A INPUT -p udp -m udp --dport 1194 -j ACCEPT -A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT -A FORWARD -i tun+ -j ACCEPT -A FORWARD -i tap+ -j ACCEPT -A FORWARD -i eth0 -j ACCEPT

#

:RH-Firewall-1-INPUT - [0:0] -A INPUT -j RH-Firewall-1-INPUT -A FORWARD -j RH-Firewall-1-INPUT -A RH-Firewall-1-INPUT -i lo -j ACCEPT

-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT -A RH-Firewall-1-INPUT -p 50 -j ACCEPT -A RH-Firewall-1-INPUT -p 51 -j ACCEPT

-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited COMMIT

5.2 存盘

/etc/init.d/iptables save

5.3 重新启动iptables

/etc/init.d/iptables restart 1. 注意事项

5.4 打开ip forward

需要将 ip forward 打开. 不要用 echo 1 > /proc/sys/net/ipv4/ip_forward 的方式, 这种方式重启后无效. 先查看一下: sysctl -a | grep for #显示结果:

net.ipv4.conf.tun0.mc_forwarding = 0 net.ipv4.conf.tun0.forwarding = 1 net.ipv4.conf.eth0.mc_forwarding = 0 net.ipv4.conf.eth0.forwarding = 1

net.ipv4.conf.lo.mc_forwarding = 0 net.ipv4.conf.lo.forwarding = 1 net.ipv4.conf.default.mc_forwarding = 0 net.ipv4.conf.default.forwarding = 1 net.ipv4.conf.all.mc_forwarding = 0 net.ipv4.conf.all.forwarding = 1 net.ipv4.ip_forward = 1

如果你的主机上列数值不是为1, 则要将其改成1 sysctl -w net.ipv4.ip_forward=1

编辑 /etc/sysctl.conf vim /etc/sysctl.conf

把 net.ipv4.ip_forward 设置为 1 net.ipv4.ip_forward = 1

执行以下命令来启用改变： sysctl -p /etc/sysctl.conf

5.5 开启域名服务器

1. 开始域名服务器

如果你需要访问一些已经被GFW封掉了域名的网站, 但你的 OpenVPN 服务器没有被封的话，那么你需要在你的主机上开启 name server, 并将 dns push 给 client。 一般的独立主机, 都带有 private dns server rpm -qa | grep bind /etc/init.d/named start 2. 注意事项

必须保证 server.conf 配置中, 有这三个配置: push \

push \ # name server 地址 push \ # name server 地址

第6章 客户端OpenVPN安装配置

6.1 安装OpenVPN

6.1.1 下载客户端OpenVPN

http://swupdate.openvpn.net/community/releases/openvpn-2.2-beta3-install.exe

6.1.2 安装客户端OpenVPN

双击openvpn-2.2-beta3-install.exe，按默认方式安装。

6.2 配置客户端OpenVPN

1. 将配置文件（client17整个目录）复制到C:\\Program Files\\OpenVPN\\config中

安装结束后, 进入安装文件夹下的 config 目录, 然后将上面建立的 client.conf 文件从 server 上下载到此文件夹, 并更名为 client.ovpn

同时, 将 mykeys.tar 中的下列证书文件解压到此文件夹: ca.crt ca.key client1.crt client1.csr client1.key

第7章 运行客户端OpenVPN

7.1Windows

双击 client.ovpn 即可启动 openvpn, 或者通过 OpenVPN GUI 的控制启动 VPN.

如果双击 client.ovpn 没有反应, 则在任务栏点 OpenVPN GUI 的小图标右键, 选择 edit config, 将内容复制过去再保存. 然后再点右键中的 connect即可. 1. 右击任务栏中的“OpenVPN GUI”图标

2. 选择Client17?Connect

当 client 连接成功后, 在 cmd 下执行 ipconfig /all, 应该有这类似这样的输出 Ethernet adapter Local Area Connection 3: Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : TAP-Win32 Adapter V8 Physical Address. . . . . . . . . : 00-FF-AA-B0-60-2B Dhcp Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes IP Address. . . . . . . . . . . . : 10.8.0.6

Subnet Mask . . . . . . . . . . . : 255.255.255.252 Default Gateway . . . . . . . . . : 10.8.0.5 DHCP Server . . . . . . . . . . . : 10.8.0.5 DNS Servers . . . . . . . . . . . : 10.8.0.1

70.88.98.10 70.88.99.11 Lease Obtained. . . . . . . . . . : 2006年5月25日 5:13:52 Lease Expires . . . . . . . . . . : 2007年5月25日 5:13:52

7.2 Linux

openvpn --config client7.conf

第8章 OpenVPN证书管理

8.1 吊销证书

8.1.1 修正bug

Openvpn有一个bug, 如果你直接注销证书, 会出现一个报错: Using configureation from openssl.cnf error on line 282 of config file 'openssl.cnf'

所以，需要编辑openssl.cnf文件, 把[pkcs11_section]及其这个选择下的内容注释掉. 就可以了。

cd /root/openvpn/openvpn-2.2-beta3/easy-rsa/2.0 vim openssl.cnf #[ pkcs11_section ] #engine_id = pkcs11

#dynamic_path = /usr/lib/engines/engine_pkcs11.so

#MODULE_PATH = $ENV::PKCS11_MODULE_PATH #PIN = $ENV::PKCS11_PIN #init = 0

8.1.2准备工作

cd /root/.backup/easy-rsa/2.0/ export D=`pwd`

export KEY_CONFIG=$D/openssl.cnf export KEY_DIR=$D/keys export KEY_SIZE=1024

export KEY_COUNTRY=CN export KEY_PROVINCE=BJ export KEY_CITY=BJ

export KEY_ORG=\

export KEY_EMAIL=\ export OPENSSL=\

8.1.3 吊销证书

./revoke-full test

Using configuration from /root/.backup/easy-rsa/2.0/openssl.cnf Revoking Certificate 25. Data Base Updated

Using configuration from /root/.backup/easy-rsa/2.0/openssl.cnf

test.crt: /C=CN/ST=BJ/L=BJ/O=TSINGHUA/CN=test/emailAddress=liu-w@tsinghua.edu.cn error 23 at 0 depth lookup:certificate revoked

Note the \verification of the revoked certificate failed.

8.1.4 配置OpenVPN服务，使证书吊销生效

The revoke-full script will generate a CRL (certificate revocation list) file called crl.pem in the keys subdirectory. The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration: crl-verify crl.pem

Now all connecting clients will have their client certificates verified against the CRL, and any positive match will result in the connection being dropped.

cp crl.pem /etc/openvpn/

#以下操作只需执行一次，以后执行吊销操作就可以省略了 vim /etc/openvpn/server.conf 添加一行：

crl-verify crl.pem 重启openvpn

service openvpn restart

本文来源：https://www.bwwdw.com/article/16hr.html