OpenVPN installation and configuration guide for Linux
2011-11-25 11:18:09

openvpn-2.2.1.tar.gz


Environment: CentOS 5.4
This procedure applies to CentOS, Red Hat and similar distributions, and to the usual VPS setups for getting around network blocks by changing your apparent IP address.
The original text came from the Internet; I have reorganized it, added some material and made some cuts and edits before republishing it.
Largely original

1. Downloading the software

lzo
------------------------------------------------------------------------------------------
lzo official site: http://www.oberhumer.com/opensource/lzo/
lzo download: http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz


OpenVPN
------------------------------------------------------------------------------------------
OpenVPN download page: http://openvpn.net/index.php/open-source/downloads.html
OpenVPN server: http://swupdate.openvpn.org/community/releases/openvpn-2.2.1.tar.gz
OpenVPN client: http://swupdate.openvpn.org/community/releases/openvpn-2.2.1-install.exe

2. Installation

OpenVPN needs openssl and lzo. OpenSSL is normally installed already, so we only need to install lzo.

2.1 Install lzo, the support library OpenVPN needs
------------------------------------------------------------------------------------------

[root@f5ha.com ~]# wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz
[root@f5ha.com ~]# tar xvf lzo-2.06.tar.gz
[root@f5ha.com ~]# cd lzo-2.06
[root@f5ha.com lzo-2.06 ]# ./configure && make && make install
[root@f5ha.com lzo-2.06 ]# echo '/usr/local/lib' >> /etc/ld.so.conf
[root@f5ha.com lzo-2.06 ]# ldconfig

2.2 Install the OpenVPN server
------------------------------------------------------------------------------------------
[root@f5ha.com ~]# wget http://swupdate.openvpn.org/community/releases/openvpn-2.2.1.tar.gz
[root@f5ha.com ~]# tar xvf openvpn-2.2.1.tar.gz
[root@f5ha.com ~]# cd openvpn-2.2.1
[root@f5ha.com openvpn-2.2.1 ]# ./configure && make && make install

// By default it installs into /usr/local/sbin; there is just one executable there, named openvpn

3. Preparing for configuration

 3.1 First edit the file /root/openvpn-2.2.1/easy-rsa/2.0/vars
 [root@f5ha.com ~]# cd /root/openvpn-2.2.1/easy-rsa/2.0
 [root@f5ha.com 2.0 ]# vim vars 
 
 // Adjust these to your situation. Certificate creation is interactive, and setting the defaults here saves you from typing the same information over and over later
-----------------------------------------------------------------------------------------

export KEY_COUNTRY="CN"
export KEY_PROVINCE="GuangDong"
export KEY_CITY="GuangZhou"
export KEY_ORG="f5ha"
export KEY_EMAIL="support@f5ha.com"
export KEY_EMAIL=support@f5ha.com
export KEY_CN=f5ha.com
export KEY_NAME=f5ha.com
export KEY_OU=f5haroom
export PKCS11_MODULE_PATH=fanqiang
export PKCS11_PIN=1234

-----------------------------------------------------------------------------------------

3.2 Then generate the CA certificate

[root@f5ha.com 2.0 ]#source ./vars // load the modified variables into the shell
NOTE: If you run ./clean-all, I will be doing a rm -rf on /root/openvpn-2.2.1/easy-rsa/2.0/keys

[root@f5ha.com 2.0 ]#./clean-all

[root@f5ha.com 2.0 ]#./build-ca

 // Enter, Enter and Enter again. The time spent editing vars pays off here: much faster, isn't it
-----------------------------------------------------------------------------------------
Generating a 1024 bit RSA private key
..........++++++
.....................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GuangDong]:
Locality Name (eg, city) [GuangZhou]:
Organization Name (eg, company) [f5ha]:
Organizational Unit Name (eg, section) [f5haroom]:
Common Name (eg, your name or your server's hostname) [f5ha.com]:
Name [f5ha.com]:
Email Address [support@f5ha.com]:


3.3 Next generate the server certificate and private key

[root@f5ha.com 2.0 ]# ./build-key-server server

 // Enter, Enter, Enter again, yes, yes, OK
-----------------------------------------------------------------------------------------
Generating a 1024 bit RSA private key
..............................++++++
................................................................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GuangDong]:
Locality Name (eg, city) [GuangZhou]:
Organization Name (eg, company) [f5ha]:
Organizational Unit Name (eg, section) [f5haroom]:
Common Name (eg, your name or your server's hostname) [server]:
Name [f5ha.com]:
Email Address [support@f5ha.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/openvpn-2.2.1/easy-rsa/2.0/openssl-0.9.8.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GuangDong'
localityName          :PRINTABLE:'GuangZhou'
organizationName      :PRINTABLE:'f5ha'
organizationalUnitName:PRINTABLE:'f5haroom'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'f5ha.com'
emailAddress          :IA5STRING:'support@f5ha.com'
Certificate is to be certified until Nov 22 01:20:40 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


3.4 Then generate the client certificate and private key

[root@f5ha.com /root/openvpn-2.2.1/easy-rsa/2.0 ]#./build-key f5hauser

// This script is nicely done: Enter, Enter, Enter, yes, yes, finished
-----------------------------------------------------------------------------------------
Generating a 1024 bit RSA private key
.............................++++++
..................................++++++
writing new private key to 'f5hauser.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GuangDong]:
Locality Name (eg, city) [GuangZhou]:
Organization Name (eg, company) [f5ha]:
Organizational Unit Name (eg, section) [f5haroom]:
Common Name (eg, your name or your server's hostname) [f5hauser]:
Name [f5ha.com]:
Email Address [support@f5ha.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/openvpn-2.2.1/easy-rsa/2.0/openssl-0.9.8.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GuangDong'
localityName          :PRINTABLE:'GuangZhou'
organizationName      :PRINTABLE:'f5ha'
organizationalUnitName:PRINTABLE:'f5haroom'
commonName            :PRINTABLE:'f5hauser'
name                  :PRINTABLE:'f5ha.com'
emailAddress          :IA5STRING:'support@f5ha.com'
Certificate is to be certified until Aug 19 15:45:18 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

3.5 Create the Diffie-Hellman parameters the server needs

[root@f5ha.com 2.0 ]#./build-dh

// produces dh1024.pem
-----------------------------------------------------------------------------------------
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.......................................+.........................................+........+
..........................................................................................+
...+.......................................................................................
.....+.......+........+..........+.........................................................
.................................................+..++*++*++*

3.6 Finally, generate the HMAC firewall key

[root@f5ha.com 2.0 ]# /usr/local/sbin/openvpn --genkey --secret keys/ta.key

// According to the documentation this is a keyed-hash message authentication code that lets both sides check the integrity and authenticity of the data at the same time


[root@f5ha.com 2.0 ]# ls keys/
-----------------------------------------------------------------------------------------
01.pem  ca.crt  dh1024.pem  index.txt.attr      index.txt.old  serial.old  server.csr  ta.key         f5hauser.csr
02.pem  ca.key  index.txt   index.txt.attr.old  serial         server.crt  server.key  f5hauser.crt  f5hauser.key


ca.crt         // generated in step 1 by ./build-ca
ca.key         // generated in step 1 by ./build-ca
       
server.crt     // generated in step 2 by ./build-key-server server
server.csr     // generated in step 2 by ./build-key-server server
server.key     // generated in step 2 by ./build-key-server server
 
f5hauser.crt  // generated in step 3 by ./build-key f5hauser
f5hauser.csr  // generated in step 3 by ./build-key f5hauser
f5hauser.key  // generated in step 3 by ./build-key f5hauser


dh1024.pem     // generated in step 4 by ./build-dh
ta.key         // generated in step 5 by the openvpn executable

4. Configuration

 The preparation is done; now on to the configuration itself.

 4.1 Create the configuration directory and copy the certificates and config files into it

 [root@f5ha.com ~]# mkdir /etc/openvpn
 [root@f5ha.com ~]# cp /root/openvpn-2.2.1/easy-rsa/2.0/keys/{ca.crt,ca.key,dh1024.pem,server.crt,server.key,ta.key} /etc/openvpn/
 [root@f5ha.com ~]# tar zcf client.tar.gz /root/openvpn-2.2.1/easy-rsa/2.0/keys/{ca.crt,ca.key,ta.key,f5hauser.crt,f5hauser.key,f5hauser.csr} // bundle the certificates the client needs so they can be downloaded


 [root@f5ha.com ~]# cp /root/openvpn-2.2.1/sample-config-files/server.conf /etc/openvpn/
 [root@f5ha.com ~]# cp /root/openvpn-2.2.1/sample-scripts/openvpn.init /etc/init.d/openvpn

 // Reading the script shows that the official init script reads its configuration from /etc/openvpn; if you installed to a non-default path, edit the script by hand
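Added example, not from the original article: a shell function that builds the 4.1 client bundle with only the four files a client actually uses and refuses to include ca.key. The tar command in 4.1 packs ca.key too; that is the CA's private key, and whoever holds it can sign certificates this server will trust, so it belongs on the server only. The keys directory, user name and output path are arguments (the values in the trailing comment are the ones used in this article).

```shell
#!/bin/sh
# Build a client bundle from easy-rsa's keys/ directory containing only what
# the client needs: ca.crt (to verify the server), ta.key (tls-auth) and the
# client's own certificate and private key.
# ca.key (the CA private key) and the .csr are deliberately left out.
pack_client() {
    keysdir="$1"   # e.g. /root/openvpn-2.2.1/easy-rsa/2.0/keys
    user="$2"      # the name given to ./build-key, e.g. f5hauser
    out="$3"       # output archive path
    case "$out" in /*) ;; *) out="$PWD/$out" ;; esac   # tar runs inside keysdir
    for f in ca.crt ta.key "$user.crt" "$user.key"; do
        if [ ! -f "$keysdir/$f" ]; then
            echo "pack_client: missing $keysdir/$f" >&2
            return 1
        fi
    done
    (cd "$keysdir" && tar czf "$out" ca.crt ta.key "$user.crt" "$user.key") || return 1
    chmod 600 "$out"   # the bundle carries a private key; owner-readable only
    # Belt and braces: never hand out a bundle that contains the CA key.
    if tar tzf "$out" | grep -qx 'ca.key'; then
        echo "pack_client: refusing to ship ca.key" >&2
        rm -f "$out"
        return 1
    fi
    echo "$out"
}

# Usage with this article's paths (placeholders, adjust to your install):
# pack_client /root/openvpn-2.2.1/easy-rsa/2.0/keys f5hauser /root/f5hauser-client.tar.gz
```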


 4.2 Configure
 [root@f5ha.com ~]# cd /etc/openvpn
 [root@f5ha.com openvpn ]#grep -v '#' server.conf|grep -v '^$'|grep -v ';'

-----------------------------------------------------------------------------------------
 local 220.181.111.147                                //IP address to listen on
 port 1194                                            //service port
 proto tcp                                            //use TCP
 dev tun                                              //layer-3 point-to-point tunnel
 ca ca.crt                                            //the CA certificate generated earlier, used to check that a client's certificate is valid
 cert server.crt                                     
 dh dh1024.pem
 server 10.10.8.0 255.255.255.0                       //required: the address pool clients get their IP from
 ifconfig-pool-persist ipp.txt
 push "redirect-gateway"                              //push the default gateway to clients
 push "dhcp-option DNS 202.96.128.86"                 //DNS 1
 push "dhcp-option DNS 202.96.128.166"                //DNS 2
 client-to-client                                     //allow clients to talk to each other
 keepalive 10 120                                     //ping every 10 seconds; no reply within 120 seconds counts as disconnected
 comp-lzo                                             //enable compression on the link
 max-clients 100                                      //allow at most 100 clients
 persist-key                                          //after a timeout restart, keep the private key loaded the first time instead of re-reading it
 persist-tun                                          //after a timeout restart, keep the tun device up
 status openvpn-status.log                           
 log         openvpn.log                              //log file
 verb 3                                               //log verbosity

 //adjust the settings to your actual situation
 
 Once configured, run service openvpn start and that is it; the default listening port is 1194.

============================================================
The actual configuration file
[root@f5ha.com openvpn]# cat server.conf
local 220.181.111.147
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
server 10.10.8.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
max-clients 100
persist-key
persist-tun
status /var/log/openvpn-status.log
log        /var/log/openvpn.log
verb 3
tls-auth /etc/openvpn/ta.key 0
push "redirect-gateway"

============================================================


5. iptables firewall configuration

  First edit /etc/sysctl.conf and change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1 to enable IP forwarding

[root@f5ha.com ~]# sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf

[root@f5ha.com ~]# /sbin/sysctl -p

5.1 Allow port 1194
-----------------------------------------------------------------------------------------
[root@f5ha.com ~]# iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
-----------------------------------------------------------------------------------------

5.2 Enable NAT for clients
-----------------------------------------------------------------------------------------
[root@f5ha.com ~]# iptables -t nat -A POSTROUTING -s 10.10.8.0/24 -o eth0 -j SNAT --to 10.0.0.162
-----------------------------------------------------------------------------------------

5.3 Allow forwarding of client traffic
-----------------------------------------------------------------------------------------
[root@f5ha.com ~]# iptables -A FORWARD -s 10.10.8.0/24 -j ACCEPT
[root@f5ha.com ~]# iptables -A FORWARD -d 10.10.8.0/24 -j ACCEPT
-----------------------------------------------------------------------------------------

[root@f5ha.com ~]# /etc/init.d/iptables save
[root@f5ha.com ~]# /etc/init.d/iptables restart


===========================================================
Or edit the iptables configuration file directly to:
*nat
:PREROUTING ACCEPT [1895:502159]
:POSTROUTING ACCEPT [5423:332290]
:OUTPUT ACCEPT [5423:332290]
-A POSTROUTING -s 10.10.8.0/255.255.255.0 -j SNAT --to-source 220.181.111.147
COMMIT
==================================================================
[root@f5ha.com ~]# /etc/init.d/iptables restart


6. Client configuration

6.1 Download and install the client version that matches the server

OpenVPN client: http://swupdate.openvpn.org/community/releases/openvpn-2.2.1-install.exe

6.2 Copy the client certificate files bundled in 4.1 into the config directory under the installation directory
6.3 Copy sample-config/client.ovpn from the installation directory into the config directory and adjust it to roughly the following
-----------------------------------------------------------------------------------------
client
dev tun
proto tcp
remote 220.181.111.147 1194
persist-key
persist-tun
ca ca.crt
cert f5hauser.crt
key f5hauser.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
script-security 3
-----------------------------------------------------------------------------------------


======================================
The actual configuration file
client
dev tun
proto udp
remote 220.181.111.147 1194
persist-key
persist-tun
ca ca.crt
cert f5hauser.crt
key f5hauser.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
script-security 3
======================================
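The checker below is an added example, not part of the original article: it reads a server.conf and a client .ovpn like the ones in 4.2 and 6.3 and flags what a reviewer would catch: the missing key and tls-auth lines in the 4.2 listing (that grep drops every line containing '#', so `key server.key  # This file should be kept secret` from the sample file vanishes from the listing although it is in the file), a client without ns-cert-type server, and a proto mismatch between the two sides; it then prints the INPUT rule that matches the server's real proto and port, since 5.1 opened tcp while the final server.conf uses udp. The file paths are arguments and the finding texts are my own.

```shell
#!/bin/sh
# Cross-check an OpenVPN server.conf against a client .ovpn and print the
# INPUT rule matching what the server really listens on.
# Prints one finding per line; returns 0 when nothing was flagged.
cfg_get() {  # cfg_get FILE DIRECTIVE -> value of the first active occurrence
    # Lines commented with '#' or ';' never match: their $1 is '#...' or ';...'.
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}
check_vpn() {
    s="$1"; c="$2"; rc=0
    for d in ca cert key dh server; do            # the server cannot start without these
        [ -n "$(cfg_get "$s" "$d")" ] || { echo "server: '$d' directive missing"; rc=1; }
    done
    sta=$(cfg_get "$s" tls-auth); cta=$(cfg_get "$c" tls-auth)
    [ -n "$sta" ] || { echo "server: no tls-auth, so ta.key from step 3.6 is unused"; rc=1; }
    sdir=${sta##* }; cdir=${cta##* }              # trailing key-direction, when given
    if [ "$sdir" != "$sta" ] && [ "$cdir" != "$cta" ] && [ "$sdir" = "$cdir" ]; then
        echo "tls-auth: both sides use key-direction $sdir; one must be 0, the other 1"; rc=1
    fi
    # Without this the client accepts any certificate our CA signed as "the server",
    # so a single leaked client bundle could impersonate the VPN endpoint.
    if [ -z "$(cfg_get "$c" ns-cert-type)" ] && [ -z "$(cfg_get "$c" remote-cert-tls)" ]; then
        echo "client: no 'ns-cert-type server' (or 'remote-cert-tls server')"; rc=1
    fi
    sp=$(cfg_get "$s" proto); sp=${sp:-udp}; sp=${sp%-server}   # OpenVPN defaults to udp
    cp=$(cfg_get "$c" proto); cp=${cp:-udp}; cp=${cp%-client}
    [ "$sp" = "$cp" ] || { echo "proto mismatch: server $sp, client $cp"; rc=1; }
    port=$(cfg_get "$s" port); port=${port:-1194}
    # Derive the firewall rule from the config rather than typing a protocol by hand.
    echo "firewall: iptables -A INPUT -p $sp --dport $port -j ACCEPT"
    return $rc
}

# Usage (paths are placeholders): check_vpn /etc/openvpn/server.conf /root/client.ovpn
```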


6.4 Start the client, right-click its tray icon and choose Connect.

Done

Adding a new client
[root@f5ha.com 2.0]# cd /root/openvpn-2.2.1/easy-rsa/2.0
[root@f5ha.com 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /root/openvpn-2.2.1/easy-rsa/2.0/keys
[root@f5ha.com 2.0]# ./build-key linuxuser
Generating a 1024 bit RSA private key
.........++++++
.......++++++
writing new private key to 'linuxuser.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GuangDong]:
Locality Name (eg, city) [GuangZhou]:
Organization Name (eg, company) [f5ha]:
Organizational Unit Name (eg, section) [f5haroom]:
Common Name (eg, your name or your server's hostname) [linuxuser]:
Name [f5ha.com]:
Email Address [support@f5ha.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/openvpn-2.2.1/easy-rsa/2.0/openssl-0.9.8.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GuangDong'
localityName          :PRINTABLE:'GuangZhou'
organizationName      :PRINTABLE:'f5ha'
organizationalUnitName:PRINTABLE:'f5haroom'
commonName            :PRINTABLE:'linuxuser'
name                  :PRINTABLE:'f5ha.com'
emailAddress          :IA5STRING:'support@f5ha.com'
Certificate is to be certified until Nov 22 02:20:40 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

 

[root@f5ha.com keys]# cp linuxuser.* /etc/openvpn

 

Then download the files for the user you just created from the corresponding directory on the server

Configure the client exactly as above
