
Installing OpenVPN on CentOS 5

Date: 2009-03-20  Source: szxsztszk

Part 1: Installing the lzo and openvpn packages
1. Find the following CentOS 5 packages on http://rpm.pbone.net/ and install them.
openvpn-2.1-0.20.rc4.el5.kb.i386.rpm
lzo-2.02-3.el5.kb.i386.rpm
2. Copy the configuration files
#cp -r /usr/share/openvpn/easy-rsa/2.0/ /etc/openvpn/
#cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn/
3. Configure the certificate variables
#cd /etc/openvpn/easy-rsa/
#vi vars
Change the following parameters:
export KEY_COUNTRY=CN
export KEY_PROVINCE=SHANGHAI
export KEY_CITY=SHANGHAI
export KEY_ORG="VPN-TEST"
export KEY_EMAIL="[email protected]"

#source ./vars
#./clean-all

4. Create the CA certificate
#./build-ca

    Generating a 1024 bit RSA private key
    ........................++++++
    ........................++++++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [SHANGHAI]:
    Locality Name (eg, city) [SHANGHAI]:
    Organization Name (eg, company) [VPN-TEST]:
    Organizational Unit Name (eg, section) []:cz
    Common Name (eg, your name or your server's hostname) []:centos52
    Email Address [[email protected]]:

5. Create the server certificate. Fill in the prompts as they appear.
#./build-key-server ovpnsrv1

6. Build the Diffie-Hellman parameters
#./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time

7. Copy the certificates into place
#cp keys/ca.crt /etc/openvpn/
#cp keys/dh1024.pem /etc/openvpn/
#cp keys/ovpnsrv1.key /etc/openvpn/
#cp keys/ovpnsrv1.crt /etc/openvpn/

8. Generate the client key and certificate
#./build-key client1
Generating a 1024 bit RSA private key .....++++++ ......++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SHANGHAI]:
Locality Name (eg, city) [SHANGHAI]:
Organization Name (eg, company) [VPN-TEST]:
Organizational Unit Name (eg, section) []:cz
Common Name (eg, your name or your server's hostname) []:centos52 # Important: the name must be different for every client certificate you generate.
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:********
An optional company name []:centos52
Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SHANGHAI'
localityName          :PRINTABLE:'SHANGHAI'
organizationName      :PRINTABLE:'VPN-TEST'
organizationalUnitName:PRINTABLE:'********'
commonName            :PRINTABLE:'centos52'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate the other client certificates/keys the same way
Code:
./build-key client2
./build-key client3
Note: at the Common Name (eg, your name or your server's hostname) []: prompt, the name entered for each certificate must be different.
Package ca.crt, ca.key, client1.crt, client1.csr and client1.key and download them to the client for later use.
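The bundle listed in step 8 includes ca.key, the private key that signs every certificate the server will trust; a client only needs ca.crt, its own certificate and its own private key. The following shell helper is an added example (not from the original article) that packages just those three files from easy-rsa's keys/ directory, tightens the private key's permissions, and refuses a bundle that still contains the CA key or any other stray private key. The argument names, the output directory and the optional openssl chain check (which assumes openssl is installed on the CA host) are this example's own assumptions:

```sh
#!/bin/sh
# Added example, not from the original article. Builds a client bundle from
# easy-rsa's keys/ directory with only the files the client needs, and checks
# the bundle before it leaves the CA host. Argument layout is an assumption:
#   bundle_client KEYS_DIR CLIENT OUT_DIR
#   check_bundle  OUT_DIR  CLIENT

# A client needs the CA certificate (to verify the server), its own
# certificate and its own private key. The .csr was only needed for signing,
# and ca.key must stay on the CA host.
bundle_client() {
    keys_dir=$1; client=$2; out=$3
    mkdir -p "$out" || return 1
    for f in ca.crt "$client.crt" "$client.key"; do
        if [ ! -f "$keys_dir/$f" ]; then
            echo "bundle_client: missing $keys_dir/$f" >&2
            return 1
        fi
        cp "$keys_dir/$f" "$out/$f" || return 1
    done
    chmod 600 "$out/$client.key" && chmod 644 "$out/ca.crt" "$out/$client.crt"
}

# Refuse the bundle if it carries the CA private key, any private key other
# than the client's own, or a client key readable by other users.
check_bundle() {
    out=$1; client=$2
    if [ -e "$out/ca.key" ]; then
        echo "check_bundle: ca.key must not be shipped to a client" >&2
        return 1
    fi
    for k in "$out"/*.key; do
        if [ "$k" != "$out/$client.key" ]; then
            echo "check_bundle: unexpected private key $k" >&2
            return 1
        fi
    done
    # find -perm 600 prints the path only when the mode is exactly 0600
    if [ -z "$(find "$out/$client.key" -perm 600)" ]; then
        echo "check_bundle: $client.key must be mode 600" >&2
        return 1
    fi
    return 0
}

# Optional: confirm the client certificate chains to ca.crt (needs openssl,
# which is present on any host that ran easy-rsa).
verify_client_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt"
}

# Usage: ./bundle.sh /etc/openvpn/easy-rsa/keys client1 /root/client1-bundle
if [ $# -eq 3 ]; then
    bundle_client "$1" "$2" "$3" && check_bundle "$3" "$2" && verify_client_cert "$3" "$2"
fi
```

Run it on the CA host and copy only the resulting directory to the client; with the CA key kept off every client, a lost laptop costs you one certificate revocation rather than the whole PKI.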

9. Configure openvpn
#cd ../
#vi server.conf
proto tcp
dev tap
ca ca.crt
cert ovpnsrv1.crt
key ovpnsrv1.key # This file should be kept secret
;push "redirect-gateway"
push "redirect-gateway local def1"
push "dhcp-option DNS 202.96.209.5"
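The step 9 edits leave the sample server.conf's hardening options commented out: no tls-auth, so any host that can reach port 1194 gets to talk to the TLS stack, and the daemon keeps running as root. The script below is an added example (not from the original article) that writes the article's settings together with those options, and audits an existing server.conf for the same weak spots. It assumes ta.key is generated with "openvpn --genkey --secret /etc/openvpn/ta.key" and copied to the client (which then uses "tls-auth ta.key 1" and the same cipher line); the DNS address is the one from the article:

```sh
#!/bin/sh
# Added example, not from the original article. write_server_conf emits the
# article's server.conf settings plus the hardening lines that the sample
# file ships commented out; audit_server_conf reports the weak spots in an
# existing file. Assumptions: ta.key exists on server and client, and the
# client config carries "tls-auth ta.key 1" and the same "cipher" line.

write_server_conf() {
    cat > "$1" <<'EOF'
# Settings as in the article
proto tcp
dev tap
ca ca.crt
cert ovpnsrv1.crt
key ovpnsrv1.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway local def1"
push "dhcp-option DNS 202.96.209.5"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
# Hardening (the sample server.conf has these commented out)
# HMAC every control-channel packet with a pre-shared key; packets without a
# valid HMAC are dropped before any TLS processing, so port scans and
# unauthenticated junk never reach the TLS code
tls-auth ta.key 0
# Drop root once the tunnel and keys are set up (persist-key/persist-tun keep
# the daemon working after the drop)
user nobody
group nobody
# Replace the default BF-CBC; must be set identically on the client
cipher AES-256-CBC
EOF
}

# Print each weak setting found in CONF and return 1 if there was any.
audit_server_conf() {
    conf=$1; bad=0
    grep -q '^[[:space:]]*tls-auth[[:space:]]' "$conf" || { echo "no tls-auth: control channel accepts unauthenticated packets"; bad=1; }
    grep -q '^[[:space:]]*user[[:space:]]' "$conf" || { echo "no 'user': daemon keeps running as root"; bad=1; }
    grep -q '^[[:space:]]*group[[:space:]]' "$conf" || { echo "no 'group': daemon keeps root's group"; bad=1; }
    grep -q '^[[:space:]]*client-cert-not-required' "$conf" && { echo "client-cert-not-required: any client holding ca.crt can connect"; bad=1; }
    return $bad
}

# Usage: ./server-conf.sh /etc/openvpn/server.conf   (then restart openvpn)
if [ $# -eq 1 ]; then
    write_server_conf "$1" && audit_server_conf "$1"
fi
```

Running audit_server_conf against a server.conf that contains only the step 9 lines reports three findings; against the file written here it reports none. Note that "user nobody" means log files and the status file must be writable by that user after the drop, which is why they are created under /var/log before OpenVPN changes identity.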

10. Start the openvpn service
#service openvpn restart
#chkconfig openvpn on

Part 2: Installing and configuring the client
1. Download and install the client: http://openvpn.se/files/install_packages/
2. Set up the certificate variables
cmd.exe
>cd c:\Program Files\OpenVPN\easy-rsa
>copy vars.bat.sample vars.bat
edit vars.bat
set KEY_COUNTRY=CN
set KEY_PROVINCE=SHANGHAI
set KEY_CITY=SHANGHAI
set KEY_ORG=VPN-TEST
set KEY_EMAIL=[email protected]
(Note: these values must match the ones on the server.)
3. Double-click "vars.bat" (in C:\Program Files\OpenVPN\easy-rsa) or run it from the command line to load the configuration parameters.
4. Put the key and certificate files that were packaged and downloaded from the server into C:\Program Files\OpenVPN\config
5. Copy the sample configuration file: copy the example file "client.ovpn" from "C:\Program Files\OpenVPN\sample-config" to "C:\Program Files\OpenVPN\config" (the directory should now contain 7 files: ca.crt, ca.key, client1.crt, client1.csr, client1.key, client.ovpn, README.txt)
6. Configure the client configuration file
In the taskbar tray at the bottom right of the screen (OpenVPN GUI)
right-click --> Edit Config (leave anything not mentioned here as it is)
dev tap
dev-node OpenVPN_Tap
proto tcp
remote server-ip 1194
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server

7. Set up the OpenVPN TAP interface
Control Panel --> Network and Internet Connections --> Network Connections --> TAP-Win32 (#)
(Find out which interface uses TAP-Win32: on my machine, hovering over "Network Connection 3" shows TAP-Win32 Adapter V8. Rename "Network Connection 3" to the name given to "dev-node" above.) Right-click --> Rename --> OpenVPN_Tap

8. Start the OpenVPN client
Tray at the bottom right (OpenVPN GUI): right-click --> Connect (if the client has to reach the OpenVPN server through an HTTP proxy, first right-click --> Proxy Settings and configure it)

9. Test: check the routing table and ping the server.

Part 3: Giving OpenVPN clients access to the network beyond the server
Congratulations! At this point you have a working point-to-point VPN. But don't forget that our target server sits in the internal 38.119.0.0 network. For the OpenVPN clients' packets to "get there and come back", two things must hold:
a: Enable IP forwarding so the OpenVPN server can forward the packets for us.
b: Make sure the target server's routing lets packets from the 10.8.0.0/24 network return to 38.119.0.0, the IP of eth1, the OpenVPN server's internal NIC.

[Steps a and b are both performed on the OpenVPN server]
a: To enable IP forwarding, run the command below; it takes effect immediately:
echo 1 > /proc/sys/net/ipv4/ip_forward
Also change the configuration file so the setting survives a server reboot:
vi /etc/sysctl.conf
net.ipv4.ip_forward = 1

b: For the target server's routing, the best option is to have the router that is its default gateway send 10.8.0.0/24 to the OpenVPN server's internal NIC IP, 38.119.0.0.
In this example, however, the target server and the OpenVPN server's internal NIC are both on the 10.66.0.0/24 network, so we add the route directly on the target server so that packets can come back:
(The target server here is Microsoft Windows; the route command differs on other operating systems)
route -p add 10.8.0.0 mask 255.255.255.0 38.119.0.1

Linux routing commands:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 38.119.0.1
/etc/init.d/iptables save
/etc/init.d/iptables restart
The -o eth0 parameter may differ from machine to machine; run ifconfig to find out which NIC carries the IP (38.119.0.1).
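Steps a and b above are typed once by hand, and re-running them by hand tends to leave a second ip_forward line in sysctl.conf or a duplicate SNAT rule in the nat table. The script below is an added example (not from the original article) that makes both steps repeatable: it sets net.ipv4.ip_forward = 1 in a sysctl.conf-style file exactly once, replacing any existing value, and adds the article's SNAT rule only if an identical rule is not already loaded. VPN_NET, OUT_IF and SNAT_IP are the article's values; the "apply" argument and the function names are this example's own:

```sh
#!/bin/sh
# Added example, not from the original article. Makes Part 3's steps a and b
# repeatable: enable_ip_forward rewrites a sysctl.conf-style file so it holds
# one "net.ipv4.ip_forward = 1" line, and apply_snat adds the article's SNAT
# rule only when it is not already in the nat table.
# VPN_NET, OUT_IF and SNAT_IP are the article's values; set OUT_IF to the NIC
# that holds SNAT_IP on your machine (see ifconfig).

VPN_NET=10.8.0.0/24
OUT_IF=eth0
SNAT_IP=38.119.0.1

# Rewrite CONF so it contains exactly one "net.ipv4.ip_forward = 1" line.
enable_ip_forward() {
    conf=$1
    tmp=$(mktemp) || return 1
    {
        # keep every other line; drop existing ip_forward lines (0 or 1)
        grep -v '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$conf" 2>/dev/null || true
        echo 'net.ipv4.ip_forward = 1'
    } > "$tmp"
    # cat rather than mv keeps the file's owner and mode
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Return 0 if CONF enables forwarding, 1 otherwise.
ip_forward_enabled() {
    grep -q '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# The article's rule, in the form iptables-save prints it.
snat_rule() {
    echo "-A POSTROUTING -s $VPN_NET -o $OUT_IF -j SNAT --to-source $SNAT_IP"
}

# Add the SNAT rule unless an identical one is already loaded, so re-running
# the script does not stack duplicates. Needs root.
apply_snat() {
    if iptables-save -t nat | grep -qF -- "$(snat_rule)"; then
        echo "SNAT rule already present"
    else
        # word-splitting of the rule string into arguments is intended
        iptables -t nat $(snat_rule) || return 1
    fi
}

# Usage (as root): ./vpn-nat.sh apply
if [ "$1" = apply ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward      # immediate effect, as in the article
    enable_ip_forward /etc/sysctl.conf          # persists across reboots
    apply_snat && /etc/init.d/iptables save     # persist the rule (CentOS 5 init script)
fi
```

One caveat for the duplicate check: the iptables 1.3 series that ships with CentOS 5 prints the source in iptables-save as 10.8.0.0/255.255.255.0 rather than /24, so on that version the grep may not match and a re-run adds the rule again; "iptables -t nat -L POSTROUTING -n" shows what is actually loaded.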