OpenVPN is free, open-source software for building encrypted Virtual Private Network (VPN) tunnels. With OpenVPN you can conveniently set up a LAN-like private channel between the different places you access the network from, such as home, the office or a hotel. OpenVPN is easy to use and performs well; it supports Solaris, Linux 2.2+ (meaning Linux 2.2 and later, the same notation is used below), OpenBSD 3.0+, FreeBSD, NetBSD, Mac OS X, Android and Windows 2000+, and it uses strong data encryption. Together with being free and open source, this makes OpenVPN the first-choice VPN product for small and medium-sized businesses and individuals. Combined with a suitable proxy server, OpenVPN can also be used to reach blocked sites such as YouTube, Facebook and Twitter, or to get around a company's network restrictions.
Server: CentOS 6.5
Client: Windows 7
Server software: epel-release-6-8.noarch.rpm, openvpn, easy-rsa
Client software: openvpn-install-2.3.4
1. Disable SELinux
setenforce 0                                                 # takes effect immediately, until the next reboot
sed -i '/^SELINUX=/c\SELINUX=disabled' /etc/selinux/config   # takes effect after a reboot
Note that this turns SELinux off for the whole host, not just for OpenVPN. The tutorial takes this shortcut; the CentOS 6 targeted policy does include an openvpn domain, so the service can also be run with SELinux left in enforcing mode.
2. Install the EPEL repository
wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm   # EPEL release package for CentOS 6 (the package is noarch, so the i386 directory also serves x86_64 hosts)
rpm -ivh epel-release-6-8.noarch.rpm                                            # install the repository definition
yum makecache                                                                   # refresh the local package cache
3. Install OpenVPN
yum -y install openvpn easy-rsa
4. Set up easy-rsa
mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
5. Create the CA certificate and key
vi /etc/openvpn/easy-rsa/vars   # set your own country, province, city, e-mail and so on
While editing vars, also set KEY_SIZE to 2048: the sample output below was taken with the old 1024-bit default (it was evidently not captured on this machine, note the /etc/easy-rsa path), and build-dh in step 8 names its output dh${KEY_SIZE}.pem, so step 9, which copies dh2048.pem, only works with KEY_SIZE=2048.
cd /etc/openvpn/easy-rsa   # the ./vars, ./clean-all and ./build-* scripts are run from this directory
source ./vars   # load the PKI settings
./clean-all     # wipe the keys/ directory
./build-ca      # create the CA certificate and key
Generating a 1024 bit RSA private key
.++++++
......................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [HZ]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:
Name [changeme]:
Email Address [[email protected]]:
6. Create the server certificate and key
build-key-server signs the certificate with the server extensions (nsCertType=server, extendedKeyUsage=serverAuth); this is what the client's "ns-cert-type server" line in step 13 checks, so do not use plain build-key for the server. Leave the challenge password empty; OpenVPN does not use it.
./build-key-server server
Generating a 1024 bit RSA private key
.....++++++
.................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [HZ]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [server]:
Name [changeme]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'HZ'
organizationName      :PRINTABLE:'HZ'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Mar 28 03:05:21 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
7. Create the client certificate and key
The name given here is the client's identity: this command produces client1.crt and client1.key in keys/, and those are the file names the client configuration must reference.
./build-key client1
Generating a 1024 bit RSA private key
...++++++
...............++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [HZ]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [client1]:
Name [changeme]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'HZ'
organizationName      :PRINTABLE:'HZ'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'client1'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Mar 28 03:21:06 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
8. Create the Diffie-Hellman key exchange parameters
./build-dh   # writes keys/dh${KEY_SIZE}.pem (dh2048.pem with KEY_SIZE=2048); generating the parameters takes a few minutes
9. Copy the server certificate, key and DH parameters into place
cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,dh2048.pem,ca.crt} /etc/openvpn
ca.key stays in keys/ and is not copied: it is only needed to sign further certificates, and anyone holding it can issue certificates the server will accept.
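Before the copy above, it is worth checking that the material easy-rsa produced in steps 5 to 7 is consistent: both certificates chain to ca.crt, each certificate belongs to its key, the server certificate carries the server role that the client's "ns-cert-type server" line relies on (and the client certificate does not), and the RSA keys are at least 2048 bits. The script below is an added example, not part of the original tutorial or of easy-rsa. It uses only the openssl command line; its make_demo_pki function builds a throwaway CA/server/client1 set with plain openssl (the subject names and file names in it are this example's own, not easy-rsa output) so the checks can be exercised offline before they are pointed at the real keys/ directory.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: checks to run on easy-rsa's
# keys/ directory before copying it into /etc/openvpn. Needs only the openssl CLI.

# chains_to_ca CA CERT: CERT was issued by CA.
chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# cert_key_match CERT KEY: the public key in CERT belongs to KEY (catches a
# client1.key/client.key mix-up or a key that was regenerated after signing).
cert_key_match() {
    cmod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    kmod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$cmod" ] && [ "$cmod" = "$kmod" ]
}

# key_bits CERT: RSA modulus size in bits (the tutorial's transcripts show 1024,
# i.e. KEY_SIZE in vars was left at its old default).
key_bits() { openssl x509 -noout -text -in "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }

# is_server_cert CERT: build-key-server adds nsCertType=server and
# extendedKeyUsage=serverAuth; that marking is what "ns-cert-type server" /
# "remote-cert-tls server" on the client verifies, so a client cert must lack it.
is_server_cert() {
    txt=$(openssl x509 -noout -text -in "$1") || return 1
    echo "$txt" | grep -q 'SSL Server' && echo "$txt" | grep -q 'TLS Web Server Authentication'
}

# check_server CA CERT KEY / check_client CA CERT KEY: all conditions a usable pair must meet.
check_server() {
    chains_to_ca "$1" "$2" && cert_key_match "$2" "$3" && is_server_cert "$2" && [ "$(key_bits "$2")" -ge 2048 ]
}
check_client() {
    chains_to_ca "$1" "$2" && cert_key_match "$2" "$3" && ! is_server_cert "$2" && [ "$(key_bits "$2")" -ge 2048 ]
}

# make_demo_pki DIR: constructed stand-in for easy-rsa's keys/ output (hypothetical subjects).
make_demo_pki() {
    dir=$1
    printf '[req]\ndistinguished_name = dn\nprompt = no\nx509_extensions = ca_ext\n[dn]\nCN = demo-ca\n[ca_ext]\nbasicConstraints = CA:TRUE\nkeyUsage = keyCertSign, cRLSign\n' > "$dir/req.cnf"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -config "$dir/req.cnf" -days 3650 -out "$dir/ca.crt" 2>/dev/null
    printf 'nsCertType = server\nextendedKeyUsage = serverAuth\n' > "$dir/server.ext"   # what build-key-server adds
    printf 'extendedKeyUsage = clientAuth\n' > "$dir/client.ext"                           # what build-key adds
    for n in server client1; do
        openssl genrsa -out "$dir/$n.key" 2048 2>/dev/null
        openssl req -new -key "$dir/$n.key" -config "$dir/req.cnf" -subj "/CN=$n" -out "$dir/$n.csr" 2>/dev/null
        case $n in server) ext=server.ext ;; *) ext=client.ext ;; esac
        openssl x509 -req -in "$dir/$n.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
            -days 3650 -extfile "$dir/$ext" -out "$dir/$n.crt" 2>/dev/null
    done
}

# Stand-alone demo. On the real server the calls are, from /etc/openvpn/easy-rsa:
#   check_server keys/ca.crt keys/server.crt keys/server.key
#   check_client keys/ca.crt keys/client1.crt keys/client1.key
demo=$(mktemp -d)
make_demo_pki "$demo"
check_server "$demo/ca.crt" "$demo/server.crt" "$demo/server.key" && echo "server pair OK ($(key_bits "$demo/server.crt") bit)"
check_client "$demo/ca.crt" "$demo/client1.crt" "$demo/client1.key" && echo "client1 pair OK"
check_server "$demo/ca.crt" "$demo/client1.crt" "$demo/client1.key" || echo "client1 cannot pose as the server (expected)"
```

The last demo line is the property that matters most: without the server role check, any certificate signed by the CA, including another client's, would be accepted by a client as "the server".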
10. Configure the VPN server
cp /usr/share/doc/openvpn-2.3.*/sample/sample-config-files/server.conf /etc/openvpn/   # copy the sample configuration to /etc/openvpn
mkdir -p /var/log/openvpn   # the status and log files below live here; the service will not start if the directory is missing
Edit the server configuration file:
grep '^[^#;]' /etc/openvpn/server.conf   # list only the active (uncommented) directives
local 10.17.1.20                 # address to listen on (the server's own interface address)
port 1194                        # listening port
proto tcp                        # protocol; the sample file uses udp, tcp is chosen here (gets through more restrictive networks, but carries TCP inside TCP)
dev tun                          # routed (tun) mode
ca ca.crt                        # CA certificate
cert server.crt                  # server certificate
key server.key                   # server private key; this file should be kept secret
dh dh2048.pem                    # Diffie-Hellman parameters from step 8
server 10.8.0.0 255.255.255.0    # address pool handed out to clients; it must not overlap the server's own LAN
ifconfig-pool-persist ipp.txt
push "route 192.168.20.0 255.255.255.0"   # route the internal 192.168.20.0/24 network through the tunnel for clients
push "dhcp-option DNS 8.8.8.8"   # DNS server pushed to clients
client-to-client                 # lets VPN clients talk to each other; leave it out unless that is needed
keepalive 10 120                 # ping every 10 s; treat the peer as gone after 120 s without a reply
comp-lzo                         # compress tunnel traffic; compressing inside an encrypted tunnel leaks plaintext length (compression oracle), so leaving this off is the safer choice
max-clients 100                  # at most 100 concurrent clients
user nobody                      # drop privileges once the tunnel is up
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
Two things the sample file has that this configuration drops: the sample keeps "tls-auth ta.key 0" active, which makes the TLS control channel ignore packets not authenticated with a shared ta.key (generate it with "openvpn --genkey --secret ta.key" and give the client the same file with direction 1); and no "cipher" line is set, so OpenVPN 2.3 falls back to its default BF-CBC (a 64-bit block cipher), where an explicit "cipher AES-256-CBC" on both sides is preferable.
11. Configure iptables
Flush the existing rules (this also discards any rules currently protecting the host; on a production server add the NAT and FORWARD rules to the existing rule set instead):
iptables -F
iptables -X
Masquerade traffic from the VPN address pool as it leaves eth0 (the original rule had no -s and masqueraded everything forwarded through eth0; limiting it to the 10.8.0.0/24 pool is sufficient):
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Allow forwarding from the tunnel interfaces:
iptables -A FORWARD -i tun+ -j ACCEPT
Enable IP forwarding in the kernel, now and across reboots (the /proc write alone is lost on reboot; CentOS 6 ships /etc/sysctl.conf with net.ipv4.ip_forward = 0):
echo 1 > /proc/sys/net/ipv4/ip_forward
sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
service iptables save      # persist the rules to /etc/sysconfig/iptables
service iptables restart   # reload iptables
12. Start OpenVPN
service openvpn start
chkconfig openvpn on   # also start it at boot
13. Configure the client
Copy the sample client configuration to client.ovpn:
cp /usr/share/doc/openvpn-2.3.*/sample/sample-config-files/client.conf /etc/openvpn/client.ovpn
Edit the client configuration file:
grep '^[^#;]' /etc/openvpn/client.ovpn
client
dev tun
proto tcp                        # changed to tcp to match the server
remote 203.195.xxx.xxx 1194      # public IP address and port of the OpenVPN server
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt                        # CA certificate
cert client1.crt                 # client1's certificate (step 7 produced client1.crt/client1.key, not client.crt/client.key)
key client1.key                  # client1's private key
ns-cert-type server              # only accept a server certificate built with build-key-server; on OpenVPN 2.4 and later use "remote-cert-tls server" instead (ns-cert-type was removed in 2.5)
comp-lzo                         # must match the server's setting
verb 3
OpenVPN client setup
1. Copy /etc/openvpn/easy-rsa/keys/{ca.crt,client1.crt,client1.key} and /etc/openvpn/client.ovpn from the server to the Windows 7 client. client1.key is the client's private key, so move it over an authenticated channel such as scp/WinSCP rather than by e-mail or a shared folder.
2. Download and install the OpenVPN client
Download link: http://pan.baidu.com/s/1ZsgpS (this is a re-upload; the openvpn-install-2.3.4 installer is published by the OpenVPN project on openvpn.net, which is the safer place to get it)
3. Put the files copied over in step 1 into the config directory under the OpenVPN installation directory (C:\Program Files\OpenVPN\config)
4. Start OpenVPN GUI
Right-click the OpenVPN icon in the notification area at the bottom right of the screen and choose "Connect". Under normal conditions the connection succeeds and the client is assigned an address from the 10.8.0.0/24 pool.
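With both sides configured, the directives from step 10 (server.conf) and step 13 (client.ovpn) can be audited for the weak settings noted in those steps: compression inside the tunnel, no tls-auth on the control channel, no explicit cipher (OpenVPN 2.3 defaults to BF-CBC), client-to-client, and the deprecated ns-cert-type. The script below is an added example, not part of the tutorial or of OpenVPN. It only greps the configuration text, so it runs offline; the two sample configurations it writes are constructed from the tutorial's directives (trimmed, with vpn.example.com standing in for the elided server address), and the harden_* functions produce the corrected file next to the weak one so the audit can be run on both.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit server.conf / client.ovpn
# for weak settings and write a hardened copy. Plain sed/grep, runs offline.

# directives FILE: active directives only (comments after # or ; and blank lines stripped).
directives() { sed -e 's/[#;].*//' -e 's/^[[:space:]]*//' "$1" | grep -v '^[[:space:]]*$'; }
# has FILE ERE: true when FILE contains an active directive matching ERE.
has() { directives "$1" | grep -Eq "$2"; }

# audit_server_conf FILE: one finding per line; no output means nothing was flagged.
audit_server_conf() {
    has "$1" '^(comp-lzo|compress)' && echo "comp-lzo: compression inside the tunnel leaks plaintext length (compression oracle); remove it"
    has "$1" '^(tls-auth|tls-crypt) ' || echo "no tls-auth/tls-crypt: the TLS control channel accepts packets from anyone; create ta.key with 'openvpn --genkey --secret ta.key'"
    has "$1" '^cipher ' || echo "no cipher: OpenVPN 2.3 defaults to BF-CBC (64-bit block); set 'cipher AES-256-CBC'"
    has "$1" '^client-to-client' && echo "client-to-client: every client can reach every other client; drop it unless required"
    { has "$1" '^user ' && has "$1" '^group '; } || echo "no user/group: the daemon keeps root after start-up"
    return 0
}

# audit_client_conf FILE: the client must pin the server's certificate role and match tls-auth.
audit_client_conf() {
    if has "$1" '^ns-cert-type[[:space:]]+server'; then
        echo "ns-cert-type server: deprecated and removed in OpenVPN 2.5; use 'remote-cert-tls server'"
    elif ! has "$1" '^remote-cert-tls[[:space:]]+server'; then
        echo "no remote-cert-tls server: any CA-signed certificate, including another client's, would be accepted as the server"
    fi
    has "$1" '^(comp-lzo|compress)' && echo "comp-lzo: compression inside the tunnel leaks plaintext length; remove it"
    has "$1" '^(tls-auth|tls-crypt) ' || echo "no tls-auth/tls-crypt: must match the server (same ta.key, direction 1)"
    return 0
}

# harden_server_conf IN OUT / harden_client_conf IN OUT: the corrected file beside the weak one.
harden_server_conf() {
    sed -e '/^comp-lzo/d' -e '/^client-to-client/d' "$1" > "$2"
    printf 'tls-auth ta.key 0\ncipher AES-256-CBC\nauth SHA256\n' >> "$2"
}
harden_client_conf() {
    sed -e '/^comp-lzo/d' -e 's/^ns-cert-type[[:space:]]*server/remote-cert-tls server/' "$1" > "$2"
    printf 'tls-auth ta.key 1\ncipher AES-256-CBC\nauth SHA256\n' >> "$2"
}

# write_sample_configs DIR: constructed server.conf / client.ovpn with the tutorial's settings (trimmed).
write_sample_configs() {
    cat > "$1/server.conf" <<'EOF'
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.20.0 255.255.255.0"
client-to-client
comp-lzo
user nobody
group nobody
EOF
    cat > "$1/client.ovpn" <<'EOF'
client
dev tun
proto tcp
remote vpn.example.com 1194
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
EOF
}

# Stand-alone demo: findings for the tutorial's configs, then for the hardened copies.
# On the real hosts: audit_server_conf /etc/openvpn/server.conf ; audit_client_conf client.ovpn
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
harden_server_conf "$demo_dir/server.conf" "$demo_dir/server-hardened.conf"
harden_client_conf "$demo_dir/client.ovpn" "$demo_dir/client-hardened.ovpn"
for f in server.conf server-hardened.conf; do echo "== $f"; audit_server_conf "$demo_dir/$f"; done
for f in client.ovpn client-hardened.ovpn; do echo "== $f"; audit_client_conf "$demo_dir/$f"; done
```

The hardened files assume OpenVPN 2.3.4 on both ends (AES-256-CBC, SHA256, tls-auth and remote-cert-tls are all available there); ta.key itself still has to be generated on the server and copied to the client alongside client1.key.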
Reposted from 《Linux就該這麼學》: http://www.linuxprobe.com