OpenVPN Configuration on Linux

Updated: 2023-11-01 05:28:01



OpenVPN overview:

OpenVPN runs on most common platforms and is a VPN solution built on SSL/TLS. Using the TAP/TUN virtual device driver it can build layer-2 and layer-3 links, it provides industrial-strength SSL/TLS encryption, and it implements all the features found in most common VPN solutions. Few VPN hardware vendors, however, currently ship OpenVPN integrated into their products.

I. Download the packages

# wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gz
# wget http://openvpn.net/release/openvpn-2.1_rc22.tar.gz
# yum install openssl-devel

II. Extract and install

# tar xvf lzo-2.04.tar.gz
# cd lzo-2.04
# ./configure

# make && make install

# cd ../

# tar xvf openvpn-2.1_rc22.tar.gz
# cd openvpn-2.1_rc22
# ./configure

# make && make install
# cd ../

III. Server-side setup:

1. Generate the server and client certificates with easy-rsa

# cp -r openvpn-2.1_rc22/easy-rsa/2.0 /etc/openvpn/
# cd /etc/openvpn/2.0/
Edit the parameters you need, then source the file (the values were not preserved in the source of this page; fill in your own):
# vim vars
export D=
export KEY_CONFIG=
export KEY_DIR=
export KEY_COUNTRY=
export KEY_PROVINCE=
export KEY_CITY=
export KEY_ORG=
export KEY_EMAIL=
# source vars

# The values can be left at their defaults, but vars must still be sourced before the commands below are run: clean-all and the build-* scripts refuse to work until it has been. vars also sets KEY_SIZE=1024 by default; change it to 2048 before build-ca, otherwise every key generated below, and the DH parameters, will be 1024-bit.

The following command may be run on a first install. Never run it again when adding clients later: it deletes every certificate and key generated so far.
# ./clean-all
Generate the server-side CA certificate:
# ./build-ca

Generating a 1024 bit RSA private key
............++++++
..................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [PD]:
Organization Name (eg, company) [zyfmaster]:
Organizational Unit Name (eg, section) []:zyfmaster
Common Name (eg, your name or your server's hostname) [zyfmaster CA]:server
Name []:
Email Address [905407204@qq.com]:

In this transcript the CA's Common Name was typed as "server", which is also the Common Name given to the server certificate in the next step. Accept the default ("zyfmaster CA") instead, so that the CA and the server end up with distinct subjects. ca.key is the root of trust for the whole VPN: anyone holding it can issue certificates the server accepts, so it should stay on the CA machine with root-only permissions and never be copied to clients.

2. Generate the server key. The trailing argument (server) is the server's name and can be chosen freely.
# ./build-key-server server

Generating a 1024 bit RSA private key
.......................................++++++
.......++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [PD]:
Organization Name (eg, company) [zyfmaster]:
Organizational Unit Name (eg, section) []:zyfmaster
Common Name (eg, your name or your server's hostname) [server]:server
Name []:
Email Address [905407204@qq.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:zyfmaster
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SH'
localityName          :PRINTABLE:'PD'
organizationName      :PRINTABLE:'zyfmaster'
organizationalUnitName:PRINTABLE:'zyfmaster'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'905407204@qq.com'
Certificate is to be certified until Dec 2 04:14:34 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

The challenge password and optional company name are attributes of the certificate request; OpenVPN never uses them and they do not protect the key. build-key-server writes server.key unencrypted, so file permissions are its only protection.

3. Generate the client key
# ./build-key client1

Generating a 1024 bit RSA private key
............++++++
........................................................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [PD]:
Organization Name (eg, company) [zyfmaster]:
Organizational Unit Name (eg, section) []:zyfmaster
Common Name (eg, your name or your server's hostname) [client1]:client1   # Important: every client's certificate must have a different name
Name []:
Email Address [905407204@qq.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:zyfmaster
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SH'
localityName          :PRINTABLE:'PD'
organizationName      :PRINTABLE:'zyfmaster'
organizationalUnitName:PRINTABLE:'zyfmaster'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'905407204@qq.com'
Certificate is to be certified until Dec 2 04:15:50 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

build-key writes client1.key without a passphrase; use ./build-key-pass instead if the client key should be protected by one.

4. Build further client keys the same way:
# ./build-key client2
# ./build-key client3

Note: at the Common Name (eg, your name or your server's hostname) []: prompt, every certificate must be given a different name. The easy-rsa CA database rejects a second certificate with an identical subject, and OpenVPN identifies clients by the Common Name (per-client settings and the duplicate-cn check depend on it).

5. Generate the Diffie-Hellman parameters
# ./build-dh

6. Pack up everything under keys and download it to your machine (winscp, http, ftp, ...). This archive contains ca.key and server.key, so it is for the administrator's own transfer only; each client gets just ca.crt plus its own certificate and key (see step VII below).
# tar zcvf yskeys.tar.gz keys/*
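The build-ca / build-key-server / build-key / build-dh steps above, done non-interactively with plain openssl instead of easy-rsa. This is an added example, not code from the original page or from the OpenVPN project: it uses 2048-bit keys, gives the CA its own Common Name, marks server and client certificates with the matching extendedKeyUsage (so a client certificate cannot be used to impersonate the server once the peer checks it with remote-cert-tls), and refuses to reissue a Common Name. The subject fields mirror the transcript; the output directory and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): easy-rsa's build-* steps with
# plain openssl, 2048-bit keys and role-specific extendedKeyUsage.
# Directory layout and subject fields are assumptions.
set -eu

KEY_SIZE=2048
DAYS=3650
SUBJ_BASE="/C=CN/ST=SH/L=PD/O=zyfmaster/OU=zyfmaster"

# build_ca DIR : self-signed CA (replaces ./clean-all + ./build-ca). The CA
# gets its own CN so it never collides with the "server" certificate subject.
build_ca() {
    mkdir -p "$1"
    openssl req -x509 -nodes -newkey "rsa:$KEY_SIZE" -days "$DAYS" \
        -subj "$SUBJ_BASE/CN=zyfmaster CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    chmod 600 "$1/ca.key"
}

# issue_cert DIR NAME ROLE : ROLE is "server" or "client" (build-key-server /
# build-key). The EKU is what remote-cert-tls checks on the other side.
issue_cert() {
    dir=$1; name=$2; role=$3
    # Common Names must be unique: the CA database rejects a duplicate
    # subject, and OpenVPN keys per-client state (ccd/, duplicate-cn) off the CN.
    if [ -e "$dir/$name.crt" ]; then
        echo "refusing to reissue '$name': CN already in use" >&2
        return 1
    fi
    case $role in
        server) eku=serverAuth ;;
        client) eku=clientAuth ;;
        *) echo "unknown role '$role'" >&2; return 1 ;;
    esac
    openssl req -new -nodes -newkey "rsa:$KEY_SIZE" \
        -subj "$SUBJ_BASE/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" \
        > "$dir/$name.ext"
    openssl x509 -req -days "$DAYS" -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
    chmod 600 "$dir/$name.key"
}

# build_dh DIR : Diffie-Hellman parameters (replaces ./build-dh; slow,
# minutes for 2048 bits). Produces dh2048.pem for the dh directive.
build_dh() {
    openssl dhparam -out "$1/dh$KEY_SIZE.pem" "$KEY_SIZE" 2>/dev/null
}

# verify_cert DIR NAME : prints OK when NAME.crt chains to ca.crt
verify_cert() {
    if openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# cert_cn DIR NAME : the Common Name OpenVPN will see for this certificate
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1/$2.crt" \
        | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Usage on the CA host (assumed directory):
#   build_ca /etc/openvpn/2.0/keys
#   issue_cert /etc/openvpn/2.0/keys server  server
#   issue_cert /etc/openvpn/2.0/keys client1 client
#   build_dh   /etc/openvpn/2.0/keys
#   verify_cert /etc/openvpn/2.0/keys client1    # prints OK
```

The server then needs ca.crt, server.crt, server.key and dh2048.pem; each client needs ca.crt and its own NAME.crt / NAME.key. ca.key stays where it was generated.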

7. Create the server configuration file

# mkdir /etc/openvpn/2.0/conf
# cp /root/openvpn/openvpn-2.1_rc22/sample-config-files/server.conf /etc/openvpn/2.0/conf/
# vim /etc/openvpn/2.0/conf/server.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/server.crt
key /etc/openvpn/2.0/keys/server.key  # This file should be kept secret
dh /etc/openvpn/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push ...
push ...
ifconfig-pool-persist ipp.txt
push ...
push ...
push ...
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3

The arguments of the five push lines did not survive when this page was copied; the commented examples in the sample server.conf (push "route ...", push "redirect-gateway def1 ...", push "dhcp-option DNS ...") show the usual form. If KEY_SIZE was raised to 2048 in vars, build-dh produced dh2048.pem and the dh line must point at that file instead of dh1024.pem.
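A small lint for the server.conf above, next to a hardened version of the same configuration. This is an added example, not code from the original page or from the OpenVPN project. The checks encode what a reviewer would flag in the page's file: 1024-bit DH, no tls-auth on the control channel, no remote-cert-tls (so the EKU of client certificates is never checked), no explicit cipher (OpenVPN 2.1 defaults to BF-CBC), compression enabled, and client-to-client forwarding. The key paths follow the page; ta.key (made with openvpn --genkey --secret ta.key), the cipher choice and the push line in the hardened file are assumptions, and the page's own push lines are left out of the reproduced config because their arguments are not preserved.

```shell
#!/bin/sh
# Added example (not from the original page): lint the page's server.conf
# and write a hardened counterpart. ta.key, cipher and push are assumptions.
set -eu

# has_directive FILE REGEX : 0 if an uncommented line starts with REGEX
has_directive() {
    grep -Eq "^[[:space:]]*($2)([[:space:]]|\$)" "$1"
}

# audit_server_conf FILE : one finding per line on stdout; returns the count
audit_server_conf() {
    f=$1; n=0
    finding() { echo "$1"; n=$((n + 1)); }
    if grep -Eq '^[[:space:]]*dh[[:space:]]+.*dh1024' "$f"; then
        finding "weak: 1024-bit DH parameters (set KEY_SIZE=2048, rerun build-dh)"
    fi
    has_directive "$f" 'tls-auth|tls-crypt' \
        || finding "missing: tls-auth (control channel accepts packets from anyone)"
    has_directive "$f" 'remote-cert-tls' \
        || finding "missing: remote-cert-tls client (no EKU check on client certs)"
    has_directive "$f" 'cipher' \
        || finding "missing: cipher (OpenVPN 2.1 defaults to BF-CBC)"
    if has_directive "$f" 'comp-lzo'; then
        finding "risky: comp-lzo (compressing encrypted traffic leaks plaintext structure)"
    fi
    if has_directive "$f" 'client-to-client'; then
        finding "note: client-to-client (every VPN client can reach every other)"
    fi
    has_directive "$f" 'user' && has_directive "$f" 'group' \
        || finding "missing: user/group (openvpn keeps running as root)"
    return $n
}

# write_page_conf OUT : the configuration from the page, push lines omitted
write_page_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/server.crt
key /etc/openvpn/2.0/keys/server.key
dh /etc/openvpn/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
EOF
}

# write_hardened_conf OUT : same topology, weak settings replaced
write_hardened_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/server.crt
key /etc/openvpn/2.0/keys/server.key
dh /etc/openvpn/2.0/keys/dh2048.pem
# shared HMAC key: openvpn --genkey --secret /etc/openvpn/2.0/keys/ta.key
tls-auth /etc/openvpn/2.0/keys/ta.key 0
remote-cert-tls client
cipher AES-256-CBC
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
EOF
}
```

Run audit_server_conf against the page's file to see the six findings; against the hardened file it reports none. The client side must mirror the additions (tls-auth ta.key 1 and cipher AES-256-CBC), otherwise the handshake fails.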

IV. Enable routing on the server
1. Turn on IP forwarding on CentOS 5
# vim /etc/sysctl.conf
Change the following entry:

net.ipv4.ip_forward = 1

V. Apply sysctl.conf and add the iptables NAT rule:
# sysctl -p
# iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
# /etc/init.d/iptables save
The -o eth0 must be the interface that carries the server's public address; only the VPN subnet (10.8.0.0/24) is masqueraded.

VI. Start OpenVPN and add it to the boot sequence
vi /etc/rc.local and append this line at the end:

/usr/local/sbin/openvpn --config /etc/openvpn/2.0/conf/server.conf &

OpenVPN's own --daemon option is the supported way to detach (/usr/local/sbin/openvpn --daemon --config /etc/openvpn/2.0/conf/server.conf). Note that ipp.txt, openvpn-status.log and openvpn.log in the configuration are relative paths and are resolved against the working directory the process was started from, so either cd into /etc/openvpn/2.0/conf first or use absolute paths.

VII. Installing the OpenVPN GUI for Windows client

1. Download openvpn-2.1_rc15-install.exe (this build bundles OpenVPN GUI). Official download: http://openvpn.net/release/openvpn-2.1_rc15-install.exe
2. Install OpenVPN GUI following the on-screen prompts.
3. Configure OpenVPN GUI: extract the following files from yskeys.tar.gz (packed in step 6 above) into the config folder under your OpenVPN GUI install path (...\OpenVPN\config): ca.crt, client1.crt, client1.key. The original page listed ca.key and client1.csr as well; the request file is not needed, and the CA private key must never be copied to a client, since anyone holding it can issue certificates the server trusts.
4. Edit client.ovpn: copy client.ovpn from ...\OpenVPN\sample-config to ...\OpenVPN\config and open it in Notepad. Find remote my-server-1 1194 and replace my-server-1 with your server's address: remote a.b.c.d 1194 (your own VPN server address). The sample file also refers to client.crt and client.key; change those two lines to client1.crt and client1.key to match the files copied in step 3.
5. Double-click client.ovpn to start OpenVPN, or start the VPN from the OpenVPN GUI.

Check the IP address the client obtained:

After connecting, visit www.ip138.com and check your public IP. If it shows the CentOS server's public IP, the test succeeded. This only happens when the server pushes redirect-gateway to the client; without it only traffic to the 10.8.0.0/24 subnet goes through the tunnel and the public IP is unchanged.
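Instead of scattering ca.crt, client1.crt and client1.key through the config folder, the client profile can carry them inline, so the Windows client needs exactly one file and ca.key can never be copied by mistake. This is an added example, not code from the original page or from the OpenVPN project; it needs an OpenVPN 2.1 or later client (inline file sections and key-direction). The server address, the tls-auth key and the cipher are assumptions and must match what the server is configured with.

```shell
#!/bin/sh
# Added example (not from the original page): build one self-contained
# client1.ovpn with certificates, key and tls-auth key inlined.
# Server address, ta.key and cipher are assumptions.
set -eu

# make_client_ovpn KEYS_DIR NAME SERVER OUT
#   KEYS_DIR holds ca.crt NAME.crt NAME.key ta.key; ca.key is never read.
make_client_ovpn() {
    keys=$1; name=$2; server=$3; out=$4
    for f in ca.crt "$name.crt" "$name.key" ta.key; do
        [ -f "$keys/$f" ] || { echo "missing $keys/$f" >&2; return 1; }
    done
    {
        cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# reject a peer that presents a client certificate as the server
remote-cert-tls server
cipher AES-256-CBC
# direction 1 pairs with "tls-auth ta.key 0" on the server
key-direction 1
verb 3
EOF
        printf '<ca>\n';       cat "$keys/ca.crt";      printf '</ca>\n'
        printf '<cert>\n';     cat "$keys/$name.crt";   printf '</cert>\n'
        printf '<key>\n';      cat "$keys/$name.key";   printf '</key>\n'
        printf '<tls-auth>\n'; cat "$keys/ta.key";      printf '</tls-auth>\n'
    } > "$out"
    chmod 600 "$out"
}

# ovpn_has_inline FILE TAG : 0 if a <TAG> ... </TAG> section is present
ovpn_has_inline() {
    grep -q "^<$2>\$" "$1" && grep -q "^</$2>\$" "$1"
}

# Usage on the CA host (paths assumed):
#   make_client_ovpn /etc/openvpn/2.0/keys client1 a.b.c.d client1.ovpn
# then hand client1.ovpn to the user over a trusted channel; it contains
# the client's private key.
```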

http://blog.chinaunix.net/uid-26835604-id-3484906.html

Source: https://www.bwwdw.com/article/tgf2.html
