http://jackxiang.com/index.php zh-cn http://jackxiang.com/post// jack <xdy108@126.com> Fri, 12 Mar 2010 05:35:14 +0000 http://jackxiang.com/post//
一. OpenVPN 安装环境
Server 端的环境
CentOS, kernel版本: 2.6.18, IP 为 221.233.59.16(ADSL拨号)
kernel 需要支持 tun 设备, 需要加载 iptables 模块.
安装的 OpenVPN 的版本: 2.1.rc15.(目前最新版 可在http://openvpn.net 上下载).
Client 端的环境:
Windows XP SP2
openvpn-2.1_rc15-install.exe(此版本集成了 OpenVPN GUI 客户端)
二. OpenVPN 服务端安装过程

用putty登录到CentOS
下载LZO和OpenVPN 2.1.rc15
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gzwget http://openvpn.net/release/openvpn-2.1_rc15.tar.gzyum install -y openssl-devel安装LZO和OpenVPN
tar zxvf lzo-2.03.tar.gzcd lzo-2.03./configuremakemake installcd ..tar zxvf openvpn-2.1_rc15.tar.gzcd openvpn-2.1_rc15./configuremakemake installcd ..cp /root/openvpn-2.1_rc15/easy-rsa/ -r /etc/openvpn生成证书
初始化PKI

cd /etc/openvpn/2.0/#可以设置下OpenVPN参数(也可以修改vars文件来配置)export D=`pwd`export KEY_CONFIG=$D/openssl.cnfexport KEY_DIR=$D/keysexport KEY_SIZE=1024export KEY_COUNTRY=CNexport KEY_PROVINCE=GDexport KEY_CITY=SZexport KEY_ORG="dvdmaster"export KEY_EMAIL="support@cooldvd.com"#也可以不用设置直接执行下面的命令. vars创建证书颁发机构(CA)

./clean-all./build-caGenerating a 1024 bit RSA private key................++++++........++++++writing new private key to 'ca.key'-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [CN]:State or Province Name (full name) [GD]:Locality Name (eg, city) [SZ]:Organization Name (eg, company) [dvdmaster]:Organizational Unit Name (eg, section) []:dvdmasterCommon Name (eg, your name or your server's hostname) []:serverEmail Address [support@cooldvd.com]:建立server key

./build-key-server serverGenerating a 1024 bit RSA private key......++++++....................++++++writing new private key to 'server.key'-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [CN]:State or Province Name (full name) [GD]:Locality Name (eg, city) [SZ]:Organization Name (eg, company) [dvdmaster]:Organizational Unit Name (eg, section) []:dvdmasterCommon Name (eg, your name or your server's hostname) []:serverEmail Address [support@cooldvd.com]:Please enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:abcd1234An optional company name []:dvdmasterUsing configuration from /etc/openvpn/2.0/openssl.cnfCheck that the request matches the signatureSignature okThe Subject's Distinguished Name is as followscountryName           :PRINTABLE:'CN'stateOrProvinceName   :PRINTABLE:'GD'localityName          :PRINTABLE:'SZ'organizationName      :PRINTABLE:'dvdmaster'organizationalUnitName:PRINTABLE:'dvdmaster'commonName            :PRINTABLE:'server'emailAddress          :IA5STRING:'support@cooldvd.com'Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entriesData Base Updated生成客户端 key

./build-key client1Generating a 1024 bit RSA private key.....++++++......++++++writing new private key to 'client1.key'-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [CN]:State or Province Name (full name) [GD]:Locality Name (eg, city) [SZ]:Organization Name (eg, company) [dvdmaster]:Organizational Unit Name (eg, section) []:dvdmasterCommon Name (eg, your name or your server's hostname) []:client1 #重要: 每个不同的client 生成的证书, 名字必须不同.Email Address [support@cooldvd.com]:Please enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:abcd1234An optional company name []:dvdmasterUsing configuration from /etc/openvpn/2.0/openssl.cnfCheck that the request matches the signatureSignature okThe Subject's Distinguished Name is as followscountryName           :PRINTABLE:'CN'stateOrProvinceName   :PRINTABLE:'GD'localityName          :PRINTABLE:'SZ'organizationName      :PRINTABLE:'dvdmaster'organizationalUnitName:PRINTABLE:'dvdmaster'commonName            :PRINTABLE:'client1'emailAddress          :IA5STRING:'support@cooldvd.com'Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entriesData Base Updated以此类推建立其他客户端 key

./build-key client2./build-key client3注意在进入 Common Name (eg, your name or your server's hostname) []: 的输入时, 每个证书输入的名字必须不同.

生成Diffie Hellman参数
./build-dh将 keys 下的所有文件打包下载到本地(可以通过winscp,http,ftp等等......)
tar zcvf yskeys.tar.gz keys/创建服务端配置文件
mkdir /etc/openvpn/2.0/confcp /root/openvpn-2.1_rc15/sample-config-files/server.conf /etc/openvpn/2.0/conf/server.conf
服务端配置文件(server.conf)样例

port 1194proto udpdev tunca /etc/openvpn/2.0/keys/ca.crtcert /etc/openvpn/2.0/keys/ovpnser.crtkey /etc/openvpn/2.0/keys/ovpnser.key  # This file should be kept secretdh /etc/openvpn/2.0/keys/dh1024.pemserver 10.8.0.0 255.255.255.0ifconfig-pool-persist ipp.txtpush "redirect-gateway def1 bypass-dhcp"push "dhcp-option DNS 10.8.0.1"push "dhcp-option DNS 202.103.44.150" #客户端获得的DNS地址push "dhcp-option DNS 202.103.24.68" #客户端获得的DNS地址client-to-clientkeepalive 10 120comp-lzouser nobodygroup nobodypersist-keypersist-tunstatus openvpn-status.logverb 3启动OpenVPN
/usr/local/sbin/openvpn --config /etc/openvpn/2.0/conf/server.conf &三. OpenVPN GUI For Windows 客户端安装过程

下载 openvpn-2.1_rc15-install.exe(此版本集成 OpenVPN  GUI)
官方下载地址:http://openvpn.net/release/openvpn-2.1_rc15-install.exe

依屏幕指示安装OpenVPN GUI
配置 openvpn gui

将上面第6步打包的yskeys.tar.gz中的下列证书文件解压到 你的OpenVPN GUI安装路径\OpenVPN\config文件夹下

ca.crtca.keyclient1.crtclient1.csrclient1.key修改client.ovpn
把你的OpenVPN GUI安装路径\OpenVPN\sample-config下的client.ovpn文件复制到你的OpenVPN GUI安装路径\OpenVPN\config文件夹下,用记事本打开client.ovpn

#找到remote my-server-1 1194,把my-server-1改成你的ip地址remote 221.233.59.16 1194双击 client.ovpn 即可启动 openvpn, 或者通过 OpenVPN GUI 的控制启动 VPN.
三. OpenVPN 访问外网的设置

开启CentOS 5 的路由转发功能
echo 1 > /proc/sys/net/ipv4/ip_forward#为了使CentOS重启后仍然开启路由转发功能我们需要再执行下列命令sysctl -w net.ipv4.ip_forward=1添加iptables转发规则
#因为我那天CentOS是ADSL拨号上网,所以把出口设置成ppp0,请根据实际情况设置iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ppp0 -j MASQUERADE必须保证server.conf配置中,有下面三个配置
push "dhcp-option DNS 10.8.0.1"push "dhcp-option DNS 202.103.44.150" #客户端获得的DNS地址push "dhcp-option DNS 202.103.24.68" #客户端获得的DNS地址当 client 连接成功后, 在 cmd 下执行 ipconfig /all, 应该有这类似这样的输出:

Ethernet adapter 本地连接 2:        Connection-specific DNS Suffix  . :        Description . . . . . . . . . . . : TAP-Win32 Adapter V9        Physical Address. . . . . . . . . : 00-FF-F2-1A-44-BD        Dhcp Enabled. . . . . . . . . . . : Yes        Autoconfiguration Enabled . . . . : Yes        IP Address. . . . . . . . . . . . : 10.8.0.6        Subnet Mask . . . . . . . . . . . : 255.255.255.252        Default Gateway . . . . . . . . . : 10.8.0.5        DHCP Server . . . . . . . . . . . : 10.8.0.5        DNS Servers . . . . . . . . . . . : 10.8.0.1                                            202.103.44.150                                            202.103.24.68        Lease Obtained. . . . . . . . . . : 2009年5月8日 23:55:06        Lease Expires . . . . . . . . . . : 2010年5月8日 23:55:06四. 设置 OpenVPN 服务器 reboot后自动启动 openvpn
执行

vi /etc/rc.local然后在最后面加入此行:

/usr/local/sbin/openvpn --config /etc/openvpn/2.0/conf/server.conf &五.OpenVPN 测试
连接成功之后,去www.ip138.com上看看外网ip是多少,如果是CentOS系统的外网ip那说明测试成功了~
来源：http://rashost.com/blog/centos-openvpn-install ]]> http://jackxiang.com/post//#blogcomment <user@domain.com> Thu, 01 Jan 1970 00:00:00 +0000 http://jackxiang.com/post//#blogcomment