A First Attempt at Setting Up OpenVPN

Source: 岁月联盟   Editor: exp   Date: 2011-09-16

I. OpenVPN server-side installation and configuration
1. Install LZO
#tar -zxvf lzo-2.03.tar.gz
#cd lzo-2.03
#./configure --prefix=/usr/local/lzo
#make
#make install
2. Install OpenVPN
#tar -zxvf openvpn-2.0.9.tar.gz
#cd openvpn-2.0.9
#./configure --prefix=/usr/local/openvpn --with-lzo-headers=/usr/local/lzo/include --with-lzo-lib=/usr/local/lzo/lib --with-ssl-headers=/usr/include/openssl --with-ssl-lib=/usr/lib
#make
#make install
3. Generate the certificates and keys
(Note: vars is meant to be sourced into the current shell with `. ./vars` or `source ./vars`. Running it as `./vars`, as in the session below, executes it in a child shell, so none of the variables reach the current shell; that is why ./clean-all then complains that KEY_DIR is undefined and the variables have to be exported by hand.)
#cd easy-rsa/
#vi vars
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=BJ
export KEY_CITY=BJ
export KEY_ORG="OpenVPN-TEST"
export KEY_EMAIL=wjpheart@126.com
#chmod a+x vars
[root@localhost easy-rsa]# ./vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /home/weijunping/openvpn-2.0.9/easy-rsa/keys
[root@localhost easy-rsa]# ./clean-all
you must define KEY_DIR
[root@localhost easy-rsa]# export D=`pwd`
[root@localhost easy-rsa]# export KEY_CONFIG=$D/openssl.cnf
[root@localhost easy-rsa]# export KEY_DIR=$D/keys
[root@localhost easy-rsa]# export KEY_SIZE=1024
[root@localhost easy-rsa]# export KEY_COUNTRY=CN
[root@localhost easy-rsa]# export KEY_PROVINCE=BJ
[root@localhost easy-rsa]# export KEY_CITY=BJ
[root@localhost easy-rsa]# export KEY_ORG="OpenVPN-TEST"
[root@localhost easy-rsa]# export KEY_EMAIL=wjpheart@126.com
[root@localhost easy-rsa]# ./clean-all
[root@localhost easy-rsa]# ./build-ca
Generating a 1024 bit RSA private key
....++++++
........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [BJ]:BJ
Locality Name (eg, city) [BJ]:BJ
Organization Name (eg, company) [OpenVPN-TEST]:bokee
Organizational Unit Name (eg, section) []:blogchina
Common Name (eg, your name or your server's hostname) []:bokee-inc.com
Email Address [wjpheart@126.com]:
[root@localhost easy-rsa]# ./build-key-server server
Generating a 1024 bit RSA private key
..........++++++
..........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [BJ]:BJ
Locality Name (eg, city) [BJ]:BJ
Organization Name (eg, company) [OpenVPN-TEST]:bokee
Organizational Unit Name (eg, section) []:blogchina
Common Name (eg, your name or your server's hostname) []:bokee-inc.com
Email Address [wjpheart@126.com]:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:wjpinrain
An optional company name []:bokee
Using configuration from /home/weijunping/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'BJ'
organizationName      :PRINTABLE:'bokee'
organizationalUnitName:PRINTABLE:'blogchina'
commonName            :PRINTABLE:'bokee-inc.com'
emailAddress          :IA5STRING:'wjpheart@126.com'
Certificate is to be certified until Sep 12 03:40:48 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost easy-rsa]#
Build the Diffie-Hellman parameters:
[root@localhost easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.......+...........................................................+...............................+..+..+...................
.............+...........................................................................................+....................+...............................................................+..................+......................................+...................+.......................+......++*++*++*
4. Create the server configuration file
#mkdir /usr/local/openvpn/etc/
[root@localhost openvpn]# cd /home/weijunping/openvpn-2.0.9/sample-config-files/
[root@localhost sample-config-files]# cp server.conf /usr/local/openvpn/etc/
[root@localhost sample-config-files]# vi /usr/local/openvpn/etc/server.conf
The edited server.conf reads as follows:
port 1194
proto udp
dev tun
ca /home/weijunping/openvpn-2.0.9/easy-rsa/keys/ca.crt
cert /home/weijunping/openvpn-2.0.9/easy-rsa/keys/server.crt
key /home/weijunping/openvpn-2.0.9/easy-rsa/keys/server.key
dh /home/weijunping/openvpn-2.0.9/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway"
# specifies the DNS server address pushed to clients
push "dhcp-option DNS 202.106.0.20"
client-to-client
keepalive 10 120
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status /home/weijunping/openvpn-2.0.9/easy-rsa/keys/openvpn-status.log
verb 4
5. Deploy the server-side key files
#mkdir /usr/local/openvpn/etc/keys
#cd /home/weijunping/openvpn-2.0.9/easy-rsa/keys
#cp ca.crt server.crt server.key dh1024.pem /usr/local/openvpn/etc/keys
6. Start the OpenVPN server
#/usr/local/openvpn/sbin/openvpn --daemon --config /usr/local/openvpn/etc/server.conf
[root@localhost keys]# netstat -unlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name  
udp        0      0 0.0.0.0:1194                0.0.0.0:*                               28763/openvpn  
II. OpenVPN client installation and configuration
1. Generate the client certificate and key
[root@localhost ~]# cd /home/weijunping/openvpn-2.0.9/easy-rsa/
[root@localhost easy-rsa]# ./build-key weijunping
Generating a 1024 bit RSA private key
....++++++
writing new private key to 'weijunping.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [BJ]:BJ
Locality Name (eg, city) [BJ]:BJ
Organization Name (eg, company) [OpenVPN-TEST]:bokee
Organizational Unit Name (eg, section) []:blogchina
Common Name (eg, your name or your server's hostname) []:weijunping
Email Address [wjpheart@126.com]:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:bokee
Using configuration from /home/weijunping/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'BJ'
organizationName      :PRINTABLE:'bokee'
organizationalUnitName:PRINTABLE:'blogchina'
commonName            :PRINTABLE:'weijunping'
emailAddress          :IA5STRING:'wjpheart@126.com'
Certificate is to be certified until Sep 12 03:42:31 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
2. Go to the key directory and download the files to the local Windows machine
#/home/weijunping/openvpn-2.0.9/easy-rsa/keys
Download ca.crt, ca.key, weijunping.crt, weijunping.csr and weijunping.key from it to the local machine.
(Of these, the client only needs ca.crt, weijunping.crt and weijunping.key. ca.key is the CA's private signing key: with it, further certificates could be issued that the server would accept, so it should stay on the CA machine and never be copied to clients. weijunping.csr is the signing request and serves no purpose once the certificate has been issued.)
Then download the client configuration file client.conf and rename it to client.ovpn.
Its contents are as follows:
client
dev tun
proto udp
remote 172.16.10.231 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca "C://Program Files//OpenVPN//config//ca.crt"
cert "C://Program Files//OpenVPN//config//weijunping.crt"
key "C://Program Files//OpenVPN//config//weijunping.key"
comp-lzo
verb 3
How to install the client software:
Double-click openvpn-2.0.9-gui-1.0.3-install.exe and install it to the default path.
Move ca.crt, ca.key, weijunping.crt, weijunping.csr, weijunping.key and client.ovpn into the C:/Program Files/OpenVPN/config directory.
Then right-click the small icon in the bottom-right corner of the screen, choose Connect, and it can be used normally!
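Before the files from step 2 are copied to the Windows machine, it is worth checking the bundle. The script below is an added example and not code from the original post: it uses openssl directly (easy-rsa's build-ca and build-key are wrappers around the same tool), assumes the three client files have been staged into a directory of their own, and the names check_client_bundle and make_test_pki are chosen here.

```sh
#!/bin/sh
# Added example, not part of the original post. Checks a staged client
# bundle (ca.crt, <client>.crt, <client>.key) before it leaves the CA host.
# Uses openssl directly; easy-rsa's build-ca/build-key wrap the same tool.

# check_client_bundle DIR CLIENT -> 0 if the bundle is sound, otherwise:
#   1: ca.key is present in DIR (the CA signing key must stay on the CA host)
#   2: CLIENT.crt does not chain to DIR/ca.crt (the server would reject it)
#   3: CLIENT.key does not belong to CLIENT.crt
check_client_bundle() {
    local dir=$1 client=$2 cert_pub key_pub
    if [ -f "$dir/ca.key" ]; then
        echo "REFUSE: ca.key found in $dir; only ca.crt belongs on a client" >&2
        return 1
    fi
    if ! openssl verify -CAfile "$dir/ca.crt" "$dir/$client.crt" >/dev/null 2>&1; then
        echo "FAIL: $client.crt does not verify against ca.crt" >&2
        return 2
    fi
    # Both commands print the SubjectPublicKeyInfo in PEM; they must be identical.
    cert_pub=$(openssl x509 -in "$dir/$client.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/$client.key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $client.key does not match $client.crt" >&2
        return 3
    fi
    return 0
}

# make_test_pki CADIR BUNDLEDIR CLIENT: constructed throwaway PKI standing in
# for easy-rsa output (one-day validity, made-up subjects) so the check can be
# exercised offline. CA key and cert stay in CADIR; the bundle receives only
# ca.crt, CLIENT.crt and CLIENT.key, which is what a client should get.
make_test_pki() {
    local cadir=$1 bundle=$2 client=$3
    mkdir -p "$cadir" "$bundle"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-ca" \
        -keyout "$cadir/ca.key" -out "$cadir/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$client" \
        -keyout "$bundle/$client.key" -out "$cadir/$client.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$cadir/$client.csr" -CA "$cadir/ca.crt" \
        -CAkey "$cadir/ca.key" -CAcreateserial -out "$bundle/$client.crt" >/dev/null 2>&1
    cp "$cadir/ca.crt" "$bundle/ca.crt"
}
```

Run it on the staged directory, for example `check_client_bundle /tmp/client-bundle weijunping`; it refuses the easy-rsa keys directory itself, since that directory also holds ca.key.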
III. Configuring OpenVPN for Internet access
1. Enable routing
Enabling routing on Linux is actually very simple: a single command does it. What the command really does is modify the file /proc/sys/net/ipv4/ip_forward; by default the value in this file is 0, meaning packets are not forwarded, and all we have to do is change that 0 to 1.
#echo 1 > /proc/sys/net/ipv4/ip_forward
[root@localhost ~]# more /proc/sys/net/ipv4/ip_forward
1
This does not survive a reboot; to make it permanent, edit /etc/sysctl.conf
and change net.ipv4.ip_forward = 0 to 1.
Once the VPN connection is up, routing (source NAT) still has to be set up before the Internet can be reached through the VPN.
#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j SNAT --to-source 172.16.10.231
Remember, this address must be the public address; an internal address has been substituted here on purpose.


 
Author: "Just do it !"