
CentOS 5.3 OpenVPN Installation Notes

1. Download the packages
#wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
#wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm

2. Build the packages
If all development packages were installed along with the system, installing the build tools in this step can be skipped.
#yum install rpm-build
#yum install autoconf.noarch
#yum install zlib-devel
#yum install pam-devel
#yum install openssl-devel

Build and install
#rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
#rpm -Uvh /usr/src/redhat/RPMS/i386/lzo-*.rpm
#rpmbuild -tb openvpn-2.0.9.tar.gz
#rpm -Uvh /usr/src/redhat/RPMS/i386/openvpn-2.0.9-1.i386.rpm

3. Copy the configuration files
#cp -r /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/
#cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/

4. Set the CA certificate defaults
#cd /etc/openvpn/easy-rsa/
Edit the vars file with vi and adjust the values as appropriate:
export KEY_COUNTRY=CN
export KEY_PROVINCE=Zhejiang
export KEY_CITY=Ningbo
export KEY_ORG="OpenVPN-UNNC"
export KEY_EMAIL="[email protected]"
Save and exit, then run source vars to apply the settings, followed by ./clean-all

5. Build the CA certificate
[root@localhost easy-rsa]# ./build-ca
Generating a 1024 bit RSA private key
.................++++++
..................................................................................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Zhejiang]:
Locality Name (eg, city) [Ningbo]:
Organization Name (eg, company) [OpenVPN-Server]:
Organizational Unit Name (eg, section) []:IS
Common Name (eg, your name or your server's hostname) []:OpenVPN
Email Address [[email protected]]:

6. Generate the server-side private key and certificate
[root@localhost easy-rsa]# ./build-key-server ovpnsrv1
Generating a 1024 bit RSA private key
...............................++++++
.............................++++++
writing new private key to 'ovpnsrv1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Zhejiang]:
Locality Name (eg, city) [Ningbo]:
Organization Name (eg, company) [OpenVPN-Server]:
Organizational Unit Name (eg, section) []:IS
Common Name (eg, your name or your server's hostname) []:OpenVPN
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Zhejiang'
localityName           :PRINTABLE:'Ningbo'
organizationName       :PRINTABLE:'OpenVPN-Server'
organizationalUnitName:PRINTABLE:'IS'
commonName             :PRINTABLE:'OpenVPN'
emailAddress           :IA5STRING:'[email protected]'
Certificate is to be certified until Mar 26 18:00:39 2019 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

7. Generate the Diffie-Hellman parameters
Details on Diffie-Hellman key exchange are on Wikipedia: http://en.wikipedia.org/wiki/Diffie-Hellman
[root@localhost easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
....................................................+...........................................................................
...............................................................................................+..............+........+......
.............+..................................+..........+..................................................................
.......................................+..+.............................+.....................................................
...........................................................................+......................+........+..................
.+.......................+.............+......................+..............................................................
...................++*++*++*

8. Copy the generated certificate files to the configuration directory
[root@localhost easy-rsa]# cp keys/{ca.crt,dh1024.pem,ovpnsrv1.key,ovpnsrv1.crt} ../

9. Edit the OpenVPN server configuration file server.conf
[root@localhost easy-rsa]# cd ..
[root@localhost openvpn]# vi server.conf
The parameters changed are:
dev tap
;dev tun
ca ca.crt
cert ovpnsrv1.crt
key ovpnsrv1.key # This file should be kept secret
push "redirect-gateway"
push "dhcp-option DNS 202.96.104.16"
push "dhcp-option DNS 202.96.104.17"
push "redirect-gateway" makes the VPN server the clients' default gateway; the last two lines push DNS servers to clients along with their IP address.
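As an added example (not part of the original notes), the following bash script audits a server.conf like the one edited above together with the ca/cert/key/dh files it references: it flags a server key readable by other users, the 1024-bit dh1024.pem from the sample config, and the tls-auth and user directives the sample file ships commented out. It assumes relative file names resolve against the conf's own directory, as they do for /etc/openvpn/server.conf here; the function names are my own.

```shell
#!/bin/bash
# Added example, not part of the original notes: audit an OpenVPN server.conf
# like the one edited in step 9, plus the ca/cert/key/dh files it references.
# Assumption: relative file names resolve against the conf's own directory,
# as they do for /etc/openvpn/server.conf above.

# Value of a directive: first active line whose first word is the directive,
# with that word and any trailing '#' or ';' comment removed.
conf_get() {   # conf_get <conf> <directive>
    awk -v key="$2" '$1 == key {
        sub(/^[ \t]*[^ \t]+[ \t]*/, ""); sub(/[ \t]*[;#].*$/, ""); print; exit }' "$1"
}

# Succeeds only when the file exists and group/other have no permission bits.
file_is_private() {   # file_is_private <path>
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c5-10)" in ------) return 0 ;; *) return 1 ;; esac
}

# Prints one line per finding; callers count lines (e.g. with wc -l).
audit_server_conf() {   # audit_server_conf <conf>
    local conf=$1 dir d f
    dir=$(dirname "$conf")
    for d in ca cert key dh; do
        f=$(conf_get "$conf" "$d")
        if [ -z "$f" ]; then echo "missing directive: $d"; continue; fi
        case "$f" in /*) ;; *) f="$dir/$f" ;; esac
        if [ ! -f "$f" ]; then echo "$d: file not found: $f"; continue; fi
        # The server's private key must not be readable by anyone else.
        if [ "$d" = key ] && ! file_is_private "$f"; then
            echo "key: $f is readable by group/other (chmod 600)"
        fi
        # The sample config's dh1024.pem is a 1024-bit group, too small today.
        if [ "$d" = dh ] && [ "${f##*/}" = dh1024.pem ]; then
            echo "dh: 1024-bit parameters are weak; generate 2048-bit or larger"
        fi
    done
    # Both ship commented out in the sample server.conf.
    [ -n "$(conf_get "$conf" tls-auth)" ] ||
        echo "no tls-auth: TLS handshake accepts packets from anyone"
    [ -n "$(conf_get "$conf" user)" ] ||
        echo "no 'user nobody': daemon keeps root privileges after startup"
}

if [ $# -gt 0 ]; then audit_server_conf "$1"; fi   # e.g. ./audit.sh /etc/openvpn/server.conf
```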

10. Start the OpenVPN service
[root@localhost openvpn]# service openvpn start
Starting openvpn:                                           [   OK   ]
[root@localhost openvpn]# netstat -anup | grep 1194
udp         0       0 0.0.0.0:1194                 0.0.0.0:*                               4479/openvpn      
openvpn is running and listening on UDP port 1194.

Windows client configuration
On Windows, OpenVPN GUI can be installed to connect to the server, but its version must match the OpenVPN server's.

1. Download and install
Download from http://openvpn.se and install.

2. Create the client certificate request
Go to the easy-rsa directory under the installation directory (by default C:\Program Files\OpenVPN\easy-rsa), copy vars.bat.sample to vars.bat, open it in a text editor and edit accordingly:
set KEY_COUNTRY=CN
set KEY_PROVINCE=Zhejiang
set KEY_CITY=Ningbo
set KEY_ORG=OpenVPN-Server
set KEY_EMAIL=[email protected]

Open a command prompt, change to the easy-rsa directory, run vars.bat to set the environment variables, then generate the certificate request:
>vars
>copy openssl.cnf.sample openssl.cnf
>md keys
>build-key vpnhome

After following the prompts, the vpnhome.csr request and the vpnhome.key key file are in the keys directory.

3. Sign the client certificate
Upload the request generated on the client to /etc/openvpn/easy-rsa/keys on the OpenVPN server and sign it with sign-req:
[root@localhost easy-rsa]# cd /etc/openvpn/easy-rsa/
[root@localhost easy-rsa]# ./sign-req vpnhome
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Zhejiang'
localityName           :PRINTABLE:'Ningbo'
organizationName       :PRINTABLE:'OpenVPN-UNNC'
organizationalUnitName:PRINTABLE:'IS'
commonName             :PRINTABLE:'OpenVPN'
emailAddress           :IA5STRING:'[email protected]'
Certificate is to be certified until Mar 25 16:01:10 2019 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

4. Return the signed certificate to the client
Once signing is complete, copy ca.crt and the newly generated vpnhome.crt from the /etc/openvpn/easy-rsa/ directory to C:\Program Files\OpenVPN\config. The client's private key, C:\Program Files\OpenVPN\easy-rsa\vpnhome.key, also needs to be copied into the config directory.

5. Configure the client parameters
Copy C:\Program Files\OpenVPN\sample-config, rename it to C:\Program Files\OpenVPN\config, open it in a text editor and make the corresponding changes:
dev tap
;dev tun
dev-node OpenVPN_Michael
remote <server address> 1194 (example: remote 10.110.234.240 1194)
ca ca.crt
cert vpnhome.crt
key vpnhome.key
ns-cert-type server

6. Network adapter configuration
After OpenVPN GUI is installed, a virtual network adapter is added to Windows for the VPN connection, much like Cisco VPN. Because the previous step set the VPN device in the client configuration to dev-node OpenVPN_Michael, the newly added virtual network connection has to be renamed to match.

In Control Panel, find the newly added virtual network connection (identifiable by its device name, TAP_Win32 Adapter V8) and rename it to OpenVPN_Michael.

7. Open the client VPN connection
Right-click the OpenVPN GUI icon in the bottom-right corner of the screen (if the icon is not there, start OpenVPN GUI first from the Start menu under Programs) and choose Connect from the context menu; the VPN connection is established automatically and the icon turns green on success. If anything goes wrong, use View Log from the menu to trace the problem.

Allowing clients to reach the Internet through the VPN server
The server can already reach the Internet; the clients cannot, only because network management devices in between block them. The server can therefore act as the clients' Internet gateway. Since the server configuration above already pushes a gateway and DNS settings to clients when they obtain an address, all that remains is SNAT with iptables:
[root@localhost openvpn]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 10.110.234.240
[root@localhost openvpn]# sysctl -w net.ipv4.ip_forward=1

To keep this in effect after a reboot, put the iptables line into /etc/rc.local, or combine it with other firewall rules in a shell script that runs at boot.

Reference: http://www.throx.net/2008/04/13/openvpn-and-centos-5-installation-and-configuration-guide/

Alternatively, install directly from prebuilt RPM packages:

lzo-2.02-2.el5.1.i386.rpm openvpn-2.1-0.29.rc15.el5.i386.rpm
