
I. OpenVPN installation environment

Server side:

1. CentOS, kernel version 2.6.18, IP 221.233.59.16 (ADSL dial-up)

2. The kernel must support the tun device, and the iptables modules must be loaded.

3. OpenVPN version installed: 2.1_rc15 (the latest release at the time; available from http://openvpn.net).

Client side:

1. Windows XP SP2

2. openvpn-2.1_rc15-install.exe (this build bundles the OpenVPN GUI client)

II. OpenVPN server installation

1. Log in to CentOS with PuTTY.

2. Download LZO and OpenVPN 2.1_rc15, and install the OpenSSL development headers needed for the build:

wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz

wget http://openvpn.net/release/openvpn-2.1_rc15.tar.gz

yum install -y openssl-devel

3. Build and install LZO and OpenVPN:

tar zxvf lzo-2.03.tar.gz

cd lzo-2.03

./configure

make

make install

cd ..

tar zxvf openvpn-2.1_rc15.tar.gz

cd openvpn-2.1_rc15

./configure

make

make install

cd ..

cp /root/openvpn-2.1_rc15/easy-rsa/ -r /etc/openvpn

4. Generate certificates: initialise the PKI

cd /etc/openvpn/2.0/

# The easy-rsa variables can be exported here (or set by editing the vars file):

export D=`pwd`

export KEY_CONFIG=$D/openssl.cnf

export KEY_DIR=$D/keys

export KEY_SIZE=1024

export KEY_COUNTRY=CN

export KEY_PROVINCE=GD

export KEY_CITY=SZ

export KEY_ORG="dvdmaster"

export KEY_EMAIL="support@cooldvd.com"

# Alternatively, skip the exports above and just source vars:

. vars

Create the certificate authority (CA):

./clean-all

./build-ca

Generating a 1024 bit RSA private key

................++++++

........++++++

writing new private key to 'ca.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [GD]:

Locality Name (eg, city) [SZ]:

Organization Name (eg, company) [dvdmaster]:

Organizational Unit Name (eg, section) []:dvdmaster

Common Name (eg, your name or your server's hostname) []:server

Email Address [support@cooldvd.com]:

Create the server key (the name given here, server, determines the file names server.crt and server.key referenced in server.conf):

./build-key-server server

Generating a 1024 bit RSA private key

......++++++

....................++++++

writing new private key to 'server.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [GD]:

Locality Name (eg, city) [SZ]:

Organization Name (eg, company) [dvdmaster]:

Organizational Unit Name (eg, section) []:dvdmaster

Common Name (eg, your name or your server's hostname) []:server

Email Address [support@cooldvd.com]:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:abcd1234

An optional company name []:dvdmaster

Using configuration from /etc/openvpn/2.0/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'CN'

stateOrProvinceName   :PRINTABLE:'GD'

localityName          :PRINTABLE:'SZ'

organizationName      :PRINTABLE:'dvdmaster'

organizationalUnitName:PRINTABLE:'dvdmaster'

commonName            :PRINTABLE:'server'

emailAddress          :IA5STRING:'support@cooldvd.com'

Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

Generate a client key:

./build-key client1

Generating a 1024 bit RSA private key

.....++++++

......++++++

writing new private key to 'client1.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [GD]:

Locality Name (eg, city) [SZ]:

Organization Name (eg, company) [dvdmaster]:

Organizational Unit Name (eg, section) []:dvdmaster

Common Name (eg, your name or your server's hostname) []:client1 #Important: every client's certificate must be given a different name.

Email Address [support@cooldvd.com]:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:abcd1234

An optional company name []:dvdmaster

Using configuration from /etc/openvpn/2.0/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'CN'

stateOrProvinceName   :PRINTABLE:'GD'

localityName          :PRINTABLE:'SZ'

organizationName      :PRINTABLE:'dvdmaster'

organizationalUnitName:PRINTABLE:'dvdmaster'

commonName            :PRINTABLE:'client1'

emailAddress          :IA5STRING:'support@cooldvd.com'

Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

Create further client keys in the same way:

./build-key client2

./build-key client3

Note: at the Common Name (eg, your name or your server's hostname) []: prompt, every certificate must be given a different name; OpenVPN refuses a second client whose certificate carries a Common Name already in use by a connected client.
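As an added check (not part of the original post), the following Python snippet reads the index.txt that easy-rsa's openssl ca keeps in keys/ and reports any Common Name issued to more than one still-valid certificate, which is exactly the clash the note above warns about. The index lines are constructed to mirror the certificates built in this tutorial.

```python
import re

# Constructed index.txt in the format easy-rsa's "openssl ca" keeps in keys/:
# tab-separated status (V/R), expiry, revocation date, serial, file, subject DN.
# Two valid certificates deliberately share the CN client1.
INDEX_TXT = "\n".join([
    "V\t160319081531Z\t\t01\tunknown\t/C=CN/ST=GD/L=SZ/O=dvdmaster/CN=server/emailAddress=support@cooldvd.com",
    "V\t160319082200Z\t\t02\tunknown\t/C=CN/ST=GD/L=SZ/O=dvdmaster/CN=client1/emailAddress=support@cooldvd.com",
    "V\t160319083000Z\t\t03\tunknown\t/C=CN/ST=GD/L=SZ/O=dvdmaster/CN=client1/emailAddress=support@cooldvd.com",
    "R\t160319083500Z\t090510120000Z\t04\tunknown\t/C=CN/ST=GD/L=SZ/O=dvdmaster/CN=client2/emailAddress=support@cooldvd.com",
])

CN_RE = re.compile(r"/CN=([^/]+)")


def valid_common_names(index_text):
    """Map each CN to the serials of certificates still marked V (valid);
    revoked (R) entries are skipped because the server no longer accepts them."""
    seen = {}
    for line in index_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6 or fields[0] != "V":
            continue
        match = CN_RE.search(fields[5])
        if match:
            seen.setdefault(match.group(1), []).append(fields[3])
    return seen


def duplicate_common_names(index_text):
    """CNs issued to more than one valid certificate; OpenVPN would reject the
    second client using such a CN, so these need reissuing under a new name."""
    return sorted(cn for cn, serials in valid_common_names(index_text).items()
                  if len(serials) > 1)
```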

5. Generate the Diffie-Hellman parameters:

./build-dh

6. Pack up everything under keys/ and download it locally (via WinSCP, HTTP, FTP, etc.):

tar zcvf yskeys.tar.gz keys/

7. Create the server configuration file:

mkdir /etc/openvpn/2.0/conf

cp /root/openvpn-2.1_rc15/sample-config-files/server.conf /etc/openvpn/2.0/conf/server.conf

Sample server configuration file (server.conf):

port 1194

proto udp

dev tun

ca /etc/openvpn/2.0/keys/ca.crt

cert /etc/openvpn/2.0/keys/server.crt  # must match the name given to ./build-key-server above

key /etc/openvpn/2.0/keys/server.key  # This file should be kept secret

dh /etc/openvpn/2.0/keys/dh1024.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 10.8.0.1"

push "dhcp-option DNS 202.103.44.150" #DNS address the clients receive

push "dhcp-option DNS 202.103.24.68" #DNS address the clients receive

client-to-client

keepalive 10 120

comp-lzo

user nobody

group nobody

persist-key

persist-tun

status openvpn-status.log

verb 3
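A mistake that is easy to make in server.conf is to point ca, cert, key and dh at files easy-rsa never wrote (the cert/key names must be the ones given to ./build-key-server, and the dh file name follows KEY_SIZE). The Python checker below is an added example, not part of the original post; the keys/ listing and the config fragment are constructed to mirror the steps above. It also flags a pushed redirect-gateway, which only works once the forwarding and NAT rules in the Internet-access section further down are in place.

```python
import os
import shlex

# Constructed listing of keys/ after build-ca, build-key-server server,
# build-key client1 and build-dh with KEY_SIZE=1024, as in the post above.
KEYS_LISTING = ["ca.crt", "ca.key", "server.crt", "server.key", "server.csr",
                "client1.crt", "client1.key", "client1.csr", "dh1024.pem"]

# Constructed server.conf fragment; cert/key names deliberately do not match.
SAMPLE_CONF = """
ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/ovpnser.crt
key /etc/openvpn/2.0/keys/ovpnser.key  # This file should be kept secret
dh /etc/openvpn/2.0/keys/dh1024.pem
push "redirect-gateway def1 bypass-dhcp"
"""


def parse_conf(text):
    """Split server.conf into (directive, args) pairs, dropping # comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            entries.append((parts[0], parts[1:]))
    return entries


def check_server_conf(text, keys_listing, server_name="server", key_size=1024):
    """Return a list of problems; an empty list means the PKI file names line up."""
    conf = {d: a for d, a in parse_conf(text)}  # one value per directive suffices here
    expected = {"ca": "ca.crt", "dh": "dh%d.pem" % key_size,
                "cert": server_name + ".crt", "key": server_name + ".key"}
    problems = []
    for directive, want in expected.items():
        if directive not in conf:
            problems.append("missing directive: " + directive)
        elif os.path.basename(conf[directive][0]) != want:
            problems.append("%s names %s but easy-rsa wrote %s"
                            % (directive, os.path.basename(conf[directive][0]), want))
        elif want not in keys_listing:
            problems.append(want + " not found in keys/; run the build-* step first")
    return problems


def needs_forwarding(text):
    """True when redirect-gateway is pushed: then ip_forward=1 and a
    MASQUERADE rule for 10.8.0.0/24 are required on the server as well."""
    return any(d == "push" and a and a[0].startswith("redirect-gateway")
               for d, a in parse_conf(text))
```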

8. Start OpenVPN:

/usr/local/sbin/openvpn --config /etc/openvpn/2.0/conf/server.conf &

III. Installing the OpenVPN GUI for Windows client

1. Download openvpn-2.1_rc15-install.exe (this build bundles the OpenVPN GUI). Official download address: http://openvpn.net/release/openvpn-2.1_rc15-install.exe

2. Install the OpenVPN GUI following the on-screen prompts.

3. Configure the OpenVPN GUI: extract the following certificate files from the yskeys.tar.gz packed in step 6 above into the OpenVPN\config folder under your OpenVPN GUI install path (the client only needs ca.crt, client1.crt and client1.key; ca.key is the CA's signing key and, like the .csr request, has no use on the client and is safest left on the server):

ca.crt

ca.key

client1.crt

client1.csr

client1.key

4. Edit client.ovpn: copy client.ovpn from OpenVPN\sample-config under your OpenVPN GUI install path into the OpenVPN\config folder, open it in Notepad, find the line remote my-server-1 1194 and replace my-server-1 with your server's IP address:

remote 221.233.59.16 1194

5. Double-click client.ovpn to start OpenVPN, or start the VPN from the OpenVPN GUI controls.

IV. Configuring OpenVPN for Internet access

1. Enable IP forwarding on CentOS 5:

echo 1 > /proc/sys/net/ipv4/ip_forward

# The command below applies the setting to the running kernel; to keep forwarding enabled
# after a reboot, also set net.ipv4.ip_forward = 1 in /etc/sysctl.conf

sysctl -w net.ipv4.ip_forward=1

2. Add the iptables NAT rule

# My CentOS box was on ADSL dial-up at the time, so the outbound interface is ppp0; adjust it to your setup

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ppp0 -j MASQUERADE

3. Make sure server.conf contains the following three directives:

push "dhcp-option DNS 10.8.0.1"

push "dhcp-option DNS 202.103.44.150" #DNS address the clients receive

push "dhcp-option DNS 202.103.24.68" #DNS address the clients receive

Once the client has connected, run ipconfig /all in cmd; the output should look something like this:

Ethernet adapter 本地连接 2:

        Connection-specific DNS Suffix  . :

        Description . . . . . . . . . . . : TAP-Win32 Adapter V9

        Physical Address. . . . . . . . . : 00-FF-F2-1A-44-BD

        Dhcp Enabled. . . . . . . . . . . : Yes

        Autoconfiguration Enabled . . . . : Yes

        IP Address. . . . . . . . . . . . : 10.8.0.6

        Subnet Mask . . . . . . . . . . . : 255.255.255.252

        Default Gateway . . . . . . . . . : 10.8.0.5

        DHCP Server . . . . . . . . . . . : 10.8.0.5

        DNS Servers . . . . . . . . . . . : 10.8.0.1

                                            202.103.44.150

                                            202.103.24.68

        Lease Obtained. . . . . . . . . . : 2009年5月8日 23:55:06

        Lease Expires . . . . . . . . . . : 2010年5月8日 23:55:06 

V. Starting OpenVPN automatically after the server reboots

Run

vi /etc/rc.local

and append this line at the end:

/usr/local/sbin/openvpn --config /etc/openvpn/2.0/conf/server.conf &

VI. Testing OpenVPN

After connecting, check your public IP at www.ip138.com; if it shows the CentOS server's public IP, the test has succeeded.
