RHEL5.4下openvpn的详细配置(2)
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
# Static route for the OpenVPN client pool (10.8.0.0/24): hand that traffic to
# the OpenVPN server's LAN address. This goes into rc.local on the application
# servers (step 6 below checks that it is present after a reboot). The route is
# added once at boot and a failure here is silent; on RHEL the persistent
# alternative is /etc/sysconfig/network-scripts/route-<iface>. The network
# must match the pool given by the "server" directive in server.conf (the
# production server.conf further down uses 172.16.99.0/24, not 10.8.0.0/24).
route add -net 10.8.0.0/24 gw 192.168.10.10
在OpenVPN server上设置NAT
修改/etc/sysctl.conf文件,增加
net.ipv4.ip_forward = 1
使设置生效
[root@OpenVPN ~]# sysctl -p
使用iptables命令设定SNAT规则。注意:这条SNAT规则只做地址转换,不做访问控制;ip_forward开启后,除非FORWARD链另有限制,VPN客户端将能访问服务器可达的所有内网主机。建议同时在FORWARD链中限定10.8.0.0/24只能访问必要的主机和端口,然后再执行service iptables save。
# SNAT on the OpenVPN server: packets from the VPN pool that leave eth0 toward
# the LAN get the server's LAN address as their source, so LAN hosts answer the
# server and need no route back to the pool. Assumes eth0 is the LAN-facing
# interface -- verify with "ip addr". The --source network must equal the pool
# in server.conf's "server" directive (the production config below uses
# 172.16.99.0/24, not 10.8.0.0/24). NOTE(review): this rule only translates
# addresses; it does not restrict which LAN hosts or ports VPN clients may
# reach. With ip_forward=1 and no restrictive FORWARD rules, every client can
# reach everything the server can -- add FORWARD rules for the pool, then run
# "service iptables save".
iptables --table nat --append POSTROUTING --source 10.8.0.0/24 --out-interface eth0 --jump SNAT --to-source 192.168.10.10
[root@OpenVPN ~]# service iptables save
六.重启所有服务器,检查openvpn服务是否随系统启动,以及应用服务器的路由表中到10.8.0.0/24的路由是否已正常添加。
验证连通性:
从VPN客户端ping VPN服务器
[root@VPNClient ~]# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=0 ttl=64 time=0.858 ms
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.879 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=2.95 ms
[root@VPNClient ~]# ping 192.168.10.10
PING 192.168.10.10 (192.168.10.10) 56(84) bytes of data.
64 bytes from 192.168.10.10: icmp_seq=0 ttl=64 time=0.563 ms
64 bytes from 192.168.10.10: icmp_seq=1 ttl=64 time=1.09 ms
64 bytes from 192.168.10.10: icmp_seq=2 ttl=64 time=1.09 ms
从VPN客户端ping 应用程序服务器
[root@VPNClient ~]# ping 192.168.10.100
PING 192.168.10.100 (192.168.10.100) 56(84) bytes of data.
64 bytes from 192.168.10.100: icmp_seq=0 ttl=63 time=13.4 ms
64 bytes from 192.168.10.100: icmp_seq=1 ttl=63 time=0.866 ms
64 bytes from 192.168.10.100: icmp_seq=2 ttl=63 time=0.697 ms
附:线上 server 配置和 client 配置
server.conf
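# Production server.conf (OpenVPN 2.0.x on RHEL 5.4).
# Listen address and port. Use straight quotes (or none) around the address;
# the original used typographic quotes, which openvpn would treat as part of
# the address.
local "server IP"
port 1196
# TCP is used here. Note: TCP-over-TCP tunnels degrade badly on lossy links;
# prefer UDP unless TCP is needed to get through a proxy or firewall.
proto tcp
;proto udp
;dev tap
dev tun
;dev-node MyTap
# PKI files, relative to the working directory (/etc/openvpn on RHEL).
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
# NOTE(review): 1024-bit DH parameters are weak by current standards.
# Regenerate 2048-bit parameters (easy-rsa build-dh with KEY_SIZE=2048) and
# point this directive at the new file.
dh keys/dh1024.pem
# Client address pool. The SNAT rule and the static route shown earlier on this
# page use 10.8.0.0/24 -- they must be changed to match this pool.
server 172.16.99.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Route pushed to clients for the internal network behind the server.
push "route 172.16.3.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway"
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
# Left disabled: clients cannot reach each other through the server, and a
# certificate may only be connected once at a time.
;client-to-client
;duplicate-cn
keepalive 10 120
# HMAC firewall on the TLS control channel. ta.key must be kept secret and
# copied to every client over a secure channel (clients use direction 1).
tls-auth keys/ta.key 0 # This file is secret
# NOTE(review): with no cipher directive the data channel uses BF-CBC, a 64-bit
# block cipher. Set e.g. "cipher AES-256-CBC" here AND in every client config;
# OpenVPN 2.0 does not negotiate ciphers, so a one-sided change breaks the
# tunnel.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
# Compression must be enabled on both sides. Caveat: compressing traffic that
# mixes secrets with attacker-influenced content can leak information.
comp-lzo
;max-clients 100
# Drop root privileges after initialization (previously commented out, so the
# daemon kept running as root). persist-key / persist-tun below keep the key
# material and the tun device across restarts so root is not needed again.
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
;log-append openvpn.log
verb 3
;mute 20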
client.conf(Linux 客户端配置文件;Windows 客户端通常改名为 client.ovpn)
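##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server (server.conf above uses
# "proto tcp").
proto tcp
;proto udp
# The hostname/IP and port of the server;
# must match "local" and "port" in
# server.conf (port 1196 here).
# You can have multiple remote entries
# to load balance between the servers.
remote "server IP" 1196
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only).
# Because privileges are dropped, persist-key /
# persist-tun below are required for restarts
# (keepalive timeouts, SIGUSR1) to work.
user nobody
group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca /home/openvpn/ws/keys/ca.crt
cert /home/openvpn/ws/keys/USER.crt
# USER.key is this user's private key: keep
# it readable only by the account running
# openvpn (chmod 600) and never share it.
key /home/openvpn/ws/keys/USER.key
# Verify the server certificate by checking
# that the certificate has the nsCertType
# field set to "server". Without this check
# ANY certificate signed by the CA -- including
# another user's client certificate -- is
# accepted as the server, so a rogue client
# could impersonate the VPN server (the
# man-in-the-middle attack discussed here):
# http://openvpn.net/howto.html#mitm
#
# Enabled here (it was commented out). This
# requires the server certificate to have been
# issued with the easy-rsa build-key-server
# script, which sets nsCertType=server. If the
# server certificate was issued with plain
# build-key, clients will fail certificate
# verification until it is reissued.
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
# Copy ta.key from the server over a secure
# channel; direction 1 is the client side.
tls-auth /home/openvpn/ws/keys/ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here; OpenVPN
# 2.0 does not negotiate ciphers, and a
# mismatch breaks the tunnel. Without this
# line the default BF-CBC is used.
;cipher x
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 5
# Silence repeating messages
mute 20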
vpn用户建立方法
建立前先进入 openvpn/easy-rsa/keys 目录,检查是否已有同名文件,有则需先删除。注意:删除文件并不会吊销之前签发的那张证书,在其过期前它仍然可以用来连接;若旧证书不应再被信任,应先用 revoke-full 吊销,并在服务端配置 crl-verify。
回到上级目录并先运行 . vars 命令
然后就可以为用户建立vpn证书(证书有效期由 easy-rsa 的 vars/build-key 脚本决定,本例输出显示只有3天,请按需调整)
具体如下:
[root@vpnserver easy-rsa]# . vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /home/dingnan/openvpn-2.0.7/easy-rsa/keys
[root@vpnserver easy-rsa]# ./build-key user \\ build-key 后面跟用户名(即证书的 Common Name)。标准 easy-rsa 2.0 的 build-key 只接受名字这一个参数;若你的脚本被改成还接受有效期参数,请以脚本为准(下方输出显示本例签发的证书只有3天有效期)
Generating a 1024 bit RSA private key
...........................++++++
......++++++
writing new private key to 'user.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BJ]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [Baihe.com]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:user \\这项需要输入用户名
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/dingnan/openvpn-2.0.7/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'BJ'
stateOrProvinceName :PRINTABLE:'NA'
localityName :PRINTABLE:'Beijing'
organizationName :PRINTABLE:'Baihe.com'
commonName :PRINTABLE:'user'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Oct 18 07:43:30 2007 GMT (3 days)
Sign the certificate? [y/n]:y \\这项需要输入Y
1 out of 1 certificate requests certified, commit? [y/n]y \\这项需要输入Y
Write out database with 1 new entries
Data Base Updated
完成上述操作后,需要进入
openvpn/easy-rsa/keys 这个目录
把刚建立的、以用户名命名的 .crt 和 .key 文件复制出来,压缩后通过安全渠道(不要用明文邮件或即时通讯)发给用户;第一次为该用户建立时还需一并发送 ca.crt,以及服务端启用了 tls-auth 时的 ta.key。.key 是用户的私钥,谁拿到它都能以该用户身份连接;更稳妥的做法是在客户端生成密钥,只把证书请求交给 CA 签发(easy-rsa 的 build-req / sign-req)。
用户使用方法
先安装OPENVPN的客户端
然后进入安装目录下的 config 目录,把 用户名.crt、用户名.key、ca.crt(以及 ta.key)和 client.ovpn 拷贝进去,再按实际情况修改 client.ovpn 中的 remote、cert、key、tls-auth 等配置项。
