服務端:CentOS 6.7 32-bit
客戶端:Windows XP
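# Server side: CentOS 6.7 32-bit; client side: Windows XP.
# Provisions a FreeRADIUS (MySQL backend) + OpenVPN server in which VPN
# users are authenticated by username/password through radiusplugin.
# Must run as root. Every step writes to the system, so the script is not
# safely re-runnable; read each section before executing it.

# --- SELinux -------------------------------------------------------------
# Disable SELinux permanently (config file) and immediately (setenforce).
# NOTE(review): this removes a mandatory-access-control layer for the whole
# host; keeping it enforcing and adding a policy for radiusd/openvpn is the
# safer option. `setenforce 0` returns non-zero when SELinux is already
# disabled, which is harmless here.
sed -i '/^SELINUX\b/s/=.*/=disabled/' /etc/selinux/config
setenforce 0

# --- MySQL ---------------------------------------------------------------
# Install and start mysql-server, then set the root password.
# NOTE(review): the password is passed on the command line and is therefore
# visible in `ps` output and in the shell history; a fixed weak value like
# this belongs only on a throw-away lab host. `mysqladmin -p` with no value
# prompts instead.
yum -y install mysql-server
service mysqld start
mysqladmin -uroot password redhat
# Create the database FreeRADIUS will use.
mysqladmin -uroot -predhat create radius

# --- FreeRADIUS ----------------------------------------------------------
yum -y install freeradius freeradius-mysql freeradius-utils
# Uncomment line 700 of radiusd.conf (presumably the `$INCLUDE sql.conf`
# line -- verify), then in sites-enabled/default comment line 170 and
# uncomment 177, 406 and 454 (presumably switching `files` to `sql` in
# authorize and enabling sql in accounting/post-auth -- verify).
# NOTE(review): line-number edits are tied to the exact files shipped by this
# package version; check the lines before running on another release.
sed -i '700s/#//' /etc/raddb/radiusd.conf
sed -i '170s/^/#/;177s/#//;406s/#//;454s/#//' /etc/raddb/sites-enabled/default
# Load the MySQL schema shipped with freeradius-mysql into the database.
# The glob is guarded so a missing package directory fails loudly instead of
# handing the literal pattern to mysql; the path is quoted so it survives
# unusual characters.
for file in /etc/raddb/sql/mysql/*.sql; do
  [[ -e "$file" ]] || { printf 'no schema files found: %s\n' "$file" >&2; exit 1; }
  mysql -uroot -predhat radius < "$file"
done
# Create a test account (username and password both "test").
# NOTE(review): the password is stored in clear text in radcheck, and the
# FreeRADIUS documentation recommends the attribute name `Cleartext-Password`
# -- confirm against the installed version. Remove this account once a real
# user store is in place.
mysql -uroot -predhat radius -e "insert into radcheck(username,attribute,value) values('test','Password','test')"
# Start radiusd now and enable it at boot.
service radiusd start
chkconfig radiusd on
# Smoke test: a reply containing "Access-Accept" means the setup works.
# `testing123` is presumably the shared secret of the localhost client in
# the shipped clients.conf -- change it before exposing radiusd.
radtest test test 127.1 0 testing123

# --- OpenVPN / easy-rsa --------------------------------------------------
# Add the EPEL repository (the stock repos carry no openvpn / easy-rsa).
# NOTE(review): this installs an EPEL *5* release package over plain HTTP on
# a CentOS 6.7 host -- confirm that this is the intended release, and verify
# the package (`rpm --checksig`, with the EPEL key imported) before install.
rpm -ivh http://mirrors.ustc.edu.cn/fedora/epel/5/i386/epel-release-5-4.noarch.rpm
yum -y install openvpn easy-rsa
# Build the PKI with easy-rsa 2.0. `vars` is sourced from the easy-rsa
# directory, so the cd must succeed before anything else runs.
cd /usr/share/easy-rsa/2.0/ || exit 1
source vars
./clean-all                  # wipes keys/ -- discards any existing certificates
./build-ca                   # interactive: accept the defaults with Enter
./build-key-server server    # interactive: answer y twice when prompted
./build-dh                   # slow and uneven; do not interrupt it
# TLS-auth HMAC key: lets the server discard packets lacking the HMAC before
# any TLS handshake starts (the "DoS protection" of the original note).
openvpn --genkey --secret keys/ta.key
# Copy only what server.conf references into /etc/openvpn/keys and restrict
# the private material to root.
mkdir -p /etc/openvpn/keys
cp /usr/share/easy-rsa/2.0/keys/{ca.crt,server.{crt,key},dh2048.pem,ta.key} /etc/openvpn/keys/
chmod 0600 /etc/openvpn/keys/server.key /etc/openvpn/keys/ta.key

# --- Routing and NAT -----------------------------------------------------
# Enable IPv4 forwarding persistently and in the running kernel. The
# original `s/0/1/` only worked when an uncommented line with value 0 was
# present; this rewrites whatever value is there and appends the line when
# it is missing.
if grep -q '^net\.ipv4\.ip_forward' /etc/sysctl.conf; then
  sed -i '/^net\.ipv4\.ip_forward/s/=.*/= 1/' /etc/sysctl.conf
else
  printf 'net.ipv4.ip_forward = 1\n' >> /etc/sysctl.conf
fi
sysctl -w net.ipv4.ip_forward=1
# Firewall: flush everything, default to ACCEPT, masquerade the VPN subnet.
# NOTE(review): with ACCEPT policies on INPUT and FORWARD the host accepts
# every inbound connection, not only 1194/udp; outside a lab add explicit
# rules for ssh and OpenVPN and set INPUT/FORWARD to DROP.
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -F
iptables -t nat -X
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
service iptables save

# --- radiusplugin (OpenVPN -> RADIUS) ------------------------------------
yum -y install make gcc gcc-c++ libgcrypt libgpg-error libgcrypt-devel wget
# Fetch and build the plugin from source.
# NOTE(review): the tarball arrives over plain HTTP with no checksum or
# signature check, and the resulting .so is loaded into the root-running
# openvpn process. Compare the archive against a digest obtained from a
# trusted source before `make`, e.g.
#   printf '%s  /tmp/radiusplugin_v2.1.tar.gz\n' '<EXPECTED_SHA256>' | sha256sum -c -
wget -P /tmp http://www.nongnu.org/radiusplugin/radiusplugin_v2.1.tar.gz
tar xzf /tmp/radiusplugin_v2.1.tar.gz -C /usr/src/
cd /usr/src/radiusplugin/ || exit 1
make
cp radiusplugin.{so,cnf} /etc/openvpn/
# Point the plugin at radiusd with the same shared secret radtest used.
# NOTE(review): this edit silently does nothing if no `sharedsecret=` line
# exists in the shipped file; `testing123` must match the client entry in
# clients.conf.
sed -i '/\bsharedsecret=/s/=.*/=testing123/' /etc/openvpn/radiusplugin.cnf

# --- /etc/openvpn/server.conf --------------------------------------------
# Write the server configuration (the original listed it but never created
# it). The quoted delimiter keeps the contents literal. Relative paths are
# presumably resolved from /etc/openvpn by the init script -- verify.
cat > /etc/openvpn/server.conf <<'EOF'
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
dh keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# 192.168.1.0/24 is the LAN behind this VPN server; adjust to your network.
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
tls-auth keys/ta.key 0 # This file is secret
# NOTE(review): compressing attacker-influenced traffic inside a VPN can leak
# plaintext (the VORACLE class of attacks); consider dropping comp-lzo on
# both sides.
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
# NOTE(review): client-cert-not-required makes the RADIUS username/password
# the only client authentication: anyone who can reach 1194/udp and holds
# ta.key can connect with a valid account. Remove the test/test account
# before exposing the service.
client-cert-not-required
EOF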
# Enable OpenVPN at boot and start it now (order of the two is irrelevant).
chkconfig openvpn on
service openvpn start
客戶端配置
創建一份客戶端文件(命名為client.ovpn),內容如下(讀者要注意修改下面的服務端公網IP):
# Client-side template (client.ovpn) for the Windows OpenVPN GUI.
client
dev tun
proto udp
# Replace with the server's public, reachable address (see the note above).
remote 服務端公網IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Accepts only a server certificate carrying nsCertType=server (presumably
# set by easy-rsa's build-key-server -- verify); newer clients prefer
# `remote-cert-tls server`.
ns-cert-type server
comp-lzo
verb 3
# Prompts for the RADIUS username/password; no client certificate is used.
auth-user-pass
# Direction 1 pairs with the server's `tls-auth keys/ta.key 0`.
tls-auth [inline] 1
# NOTE(review): with [inline], OpenVPN expects the pasted material wrapped in
# <ca>...</ca> and <tls-auth>...</tls-auth> blocks -- confirm on the client.
將/usr/share/easy-rsa/2.0/keys/ca.crt的全部內容復制粘貼於此
將/usr/share/easy-rsa/2.0/keys/ta.key的全部內容復制粘貼於此
從服務端下載client.ovpn,並將其復制到openvpn的安裝目錄的config目錄下,最後,啟動openvpn程序,連接服務端,賬號密碼都是test,如果能獲取到IP,且能ping內網的其他機器就表示配置成功了。
最後給出我的client.ovpn的范例文本供讀者參考。
# Author's filled-in example of client.ovpn.
# NOTE(review): 192.168.1.88 lies inside the LAN the server pushes a route
# for (192.168.1.0/24); a client outside that network needs the server's
# public address here instead.
# NOTE(review): the static key printed below is published with this
# document, so it provides no protection -- regenerate it on the server with
# `openvpn --genkey --secret keys/ta.key` and redistribute it before use.
# The certificate body was removed from this copy of the page.
client
dev tun
proto udp
remote 192.168.1.88 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
auth-user-pass
tls-auth [inline] 1
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN OpenVPN Static key V1-----
9f8d9e7776a5fc310ee39676c0fd4b2b
1b5d6525e26bc33fb23a64ded18f68ee
744cd707ee27c099caa9bf6622cfa1e5
73ff1026e59503760a1bac6102543e30
0946bb831cba42eb457b88eff73599b1
d26c39e6e0af27a55a83e4ed2d70a665
dcb83715e74ca0ce90ebd76344b14c23
b70cf9428b11b771dc6c5bcf0c638522
43ff98f637e3e637686ab23d01967a96
6a9d94f63dea50db264e246646f2dc27
3c2c957360108a993ea49481aadf7046
f38145175dbee319d69fc6202ed4934c
65ff2657e46c37f0f530acea93ee99e7
c7109996cdf13b0ae5f4b3506937cadb
793c9cc063b580aa70873499e5f02252
200f29305bfb0d934b1307fd9af3c7a9
-----END OpenVPN Static key V1-----