OpenVPN configuration on Linux

OpenVPN overview:
 
OpenVPN runs on most common platforms and is an SSL/TLS-based VPN solution. Built on the TAP/TUN virtual device driver, it can provide layer 2 or layer 3 links, offers industrial-grade SSL/TLS encryption, and implements all of the features found in most common VPN products. So far, however, few hardware VPN vendors have integrated OpenVPN.


I. Download the packages
# wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gz
# wget http://openvpn.net/release/openvpn-2.1_rc22.tar.gz
# yum install openssl-devel

II. Extract and install
# tar xvf lzo-2.04.tar.gz
# cd lzo-2.04
# ./configure
# make && make install
# cd ../
# tar xvf openvpn-2.1_rc22.tar.gz
# cd openvpn-2.1_rc22
# ./configure
# make && make install
# cd ../

III. Server-side setup
1. Generate the server and client certificates with easy-rsa
# cp openvpn-2.1_rc22/easy-rsa/2.0 -r /etc/openvpn/
# cd /etc/openvpn/2.0/
Edit the parameters you need, then source the file:
# vim vars
export D="`pwd`"
export KEY_CONFIG="$D/openssl.cnf"
export KEY_DIR="$D/keys"
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SH"
export KEY_CITY="PD"
export KEY_ORG="zyfmaster"
export KEY_EMAIL="[email protected]"
# source vars    # editing vars is optional; you can also just run the commands below

The following command may be run on the first install only. Never run it later when adding clients: it deletes every certificate and key that has already been generated.
# ./clean-all

2. Generate the server-side CA certificate
# ./build-ca
Generating a 1024 bit RSA private key
............++++++
..................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [PD]:
Organization Name (eg, company) [zyfmaster]:
Organizational Unit Name (eg, section) []:zyfmaster
Common Name (eg, your name or your server's hostname) [zyfmaster CA]:server
Name []:
Email Address [[email protected]]:

3. Generate the server key. The trailing argument ("server" here) is the server name and can be chosen freely.
# ./build-key-server server
Generating a 1024 bit RSA private key
.......................................++++++
.......++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [PD]:
Organization Name (eg, company) [zyfmaster]:
Organizational Unit Name (eg, section) []:zyfmaster
Common Name (eg, your name or your server's hostname) [server]:server
Name []:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:zyfmaster
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SH'
localityName          :PRINTABLE:'PD'
organizationName      :PRINTABLE:'zyfmaster'
organizationalUnitName:PRINTABLE:'zyfmaster'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Dec  2 04:14:34 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

4. Generate a client key
# ./build-key client1
Generating a 1024 bit RSA private key
............++++++
........................................................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [PD]:
Organization Name (eg, company) [zyfmaster]:
Organizational Unit Name (eg, section) []:zyfmaster
Common Name (eg, your name or your server's hostname) [client1]:client1    # Important: the certificate generated for each client must carry a different name.
Name []:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:zyfmaster
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SH'
localityName          :PRINTABLE:'PD'
organizationName      :PRINTABLE:'zyfmaster'
organizationalUnitName:PRINTABLE:'zyfmaster'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Dec  2 04:15:50 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Create the remaining client keys the same way:
# ./build-key client2
# ./build-key client3
Note: at the "Common Name (eg, your name or your server's hostname) []:" prompt, the name entered for each certificate must be different.

5. Generate the Diffie-Hellman parameters
# ./build-dh

6. Pack up everything under keys/ and download the archive to your local machine (via winscp, http, ftp, etc.)
# tar zcvf yskeys.tar.gz keys/*

7. Create the server configuration file
# mkdir /etc/openvpn/2.0/conf
# cp /root/openvpn/openvpn-2.1_rc22/sample-config-files/server.conf /etc/openvpn/2.0/conf/
# vim /etc/openvpn/2.0/conf/server.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/server.crt
key /etc/openvpn/2.0/keys/server.key  # This file should be kept secret
dh /etc/openvpn/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 10.8.0.0 255.255.255.0"
push "route 0.0.0.0 0.0.0.0"
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
verb 3

IV. Enable routing on the server
1. Enable IP forwarding on CentOS 5
# vim /etc/sysctl.conf
Change the following line:
net.ipv4.ip_forward = 1

V. Apply sysctl.conf and add the iptables NAT rule
# sysctl -p
# iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
# /etc/init.d/iptables save

VI. Start OpenVPN and have it start at boot
vi /etc/rc.local
Then append this line at the end:
/usr/local/sbin/openvpn --config /etc/openvpn/2.0/conf/server.conf &

VII. Installing the OpenVPN GUI for Windows client
1. Download openvpn-2.1_rc15-install.exe (this build bundles OpenVPN GUI). Official download address: http://openvpn.net/release/openvpn-2.1_rc15-install.exe
2. Install OpenVPN GUI following the on-screen instructions.
3. Configure OpenVPN GUI: extract the following certificate files from the yskeys.tar.gz packed in step 6 above into the OpenVPN\config folder under your OpenVPN GUI install path:
ca.crt ca.key client1.crt client1.csr client1.key
(The client only needs ca.crt, client1.crt and client1.key to connect; ca.key is the CA's private signing key and should stay on the machine that issues certificates.)
4. Edit client.ovpn: copy client.ovpn from the OpenVPN\sample-config folder under your install path into the OpenVPN\config folder and open it in Notepad.
# Find "remote my-server-1 1194" and replace my-server-1 with your server's IP address
remote a.b.c.d (your own VPN server address)
5. Double-click client.ovpn to start OpenVPN, or start the VPN from the OpenVPN GUI controls.

Check the IP address the client received:
[screenshot omitted]

Once connected, visit www.ip138.com to see your public IP; if it shows the CentOS machine's public IP, the test succeeded.
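As an added example (not part of this tutorial or of OpenVPN itself), the following Python script parses a server.conf in the format shown above and flags the settings a reviewer would raise: comp-lzo (compression inside the tunnel is discouraged in current OpenVPN releases), 1024-bit DH parameters, no tls-auth/tls-crypt, no explicit cipher, and redirect-gateway pushed without a DNS push. SAMPLE_CONF is a constructed, trimmed copy of the tutorial's configuration, and the finding codes are the script's own names.

```python
import shlex

# Constructed, trimmed copy of the tutorial's server.conf (not the page's file verbatim).
SAMPLE_CONF = """\
ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/server.crt
key /etc/openvpn/2.0/keys/server.key  # This file should be kept secret
dh /etc/openvpn/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
comp-lzo
user nobody
group nobody
persist-key
persist-tun
"""

def parse_conf(text):
    """Return [(directive, [args])]; ';' comment lines and '#' comments are dropped."""
    entries = []
    for line in text.splitlines():
        if line.lstrip().startswith(";"):  # ';' also starts a comment line in OpenVPN configs
            continue
        words = shlex.split(line, comments=True)  # keeps quoted push arguments as one token
        if words:
            entries.append((words[0], words[1:]))
    return entries

def lint_server_conf(text):
    """Return sorted finding codes (the codes are this script's own names)."""
    entries = parse_conf(text)
    names = {d for d, _ in entries}
    pushes = [" ".join(a) for d, a in entries if d == "push"]
    checks = [
        (any(r not in names for r in ("ca", "cert", "key", "dh", "server")), "missing-pki-or-server"),
        (not {"user", "group"} <= names, "no-privilege-drop"),
        ("user" in names and not {"persist-key", "persist-tun"} <= names, "no-persist-after-drop"),
        ("comp-lzo" in names, "compression-enabled"),
        (any("1024" in a for d, args in entries if d == "dh" for a in args), "dh-1024-filename"),
        (not names & {"tls-auth", "tls-crypt"}, "no-tls-auth"),
        ("cipher" not in names, "cipher-unset"),
        (any(p.startswith("redirect-gateway") for p in pushes)
         and not any("dhcp-option DNS" in p for p in pushes), "redirect-without-dns"),
    ]
    return sorted(code for cond, code in checks if cond)

if __name__ == "__main__":
    print("\n".join(lint_server_conf(SAMPLE_CONF)))
```

The dh-1024 check looks only at the file name, so a renamed 1024-bit file will not be caught; run openssl dhparam -text on the file to confirm the actual size.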