OpenVPN configuration on Linux

About OpenVPN: OpenVPN runs on most common operating systems and is an SSL/TLS-based VPN solution. Using the TAP/TUN virtual network device driver it can build layer 2 or layer 3 links, it provides industrial-grade SSL/TLS encryption, and it implements all the features of the common VPN products. So far, however, few hardware VPN vendors have integrated OpenVPN into their appliances.

I. Download the packages
# wget /opensource/lzo/download/lzo-2.04.tar.gz
# wget /release/openvpn-2.1_rc22.tar.gz
# yum install openssl-devel

II. Unpack and install
LZO is built first because the server configuration below enables comp-lzo.
# tar xvf lzo-2.04.tar.gz
# cd lzo-2.04
# ./configure
# make && make install
# cd ..
# tar xvf openvpn-2.1_rc22.tar.gz
# cd openvpn-2.1_rc22
# ./configure
# make && make install
# cd ..
Use && rather than a single &: `make & make install` puts the build in the background and runs make install immediately, before anything has been compiled.

III. Server-side setup
1. Generate the server and client certificates with easy-rsa
# cp -r openvpn-2.1_rc22/easy-rsa/2.0 /etc/openvpn/
# cd /etc/openvpn/2.0/
Edit the parameters you need in vars, then source it:
# vim vars
export D=`pwd`
export KEY_CONFIG=$D/f
export KEY_DIR=$D/keys
export KEY_COUNTRY=CN
export KEY_PROVINCE=SH
export KEY_CITY=PD
export KEY_ORG=zyfmaster
export KEY_EMAIL=905407204
# source vars
You may also leave vars untouched and simply run the commands below; you will then be asked for every field interactively. Note that vars also sets KEY_SIZE, which defaults to 1024 in this easy-rsa release and determines both the RSA key length of every certificate and the size of the Diffie-Hellman parameters generated below. 1024-bit RSA and DH are deprecated; set KEY_SIZE to 2048 before running these steps.

The next command may be run when installing for the first time. Never run it later when adding clients: it deletes every certificate and key generated so far.
# ./clean-all

Generate the CA certificate:
# ./build-ca
Generating a 1024 bit RSA private key
.+.+
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [PD]:
Organization Name (eg, company) [zyfmaster]:
Organizational Unit Name (eg, section) []:zyfmaster
Common Name (eg, your name or your server's hostname) [zyfmaster CA]:server
Name []:
Email Address [905407204]:

Generate the server key. The argument (server here) is the server name and can be chosen freely:
# ./build-key-server server
Generating a 1024 bit RSA private key
.+.+
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [PD]:
Organization Name (eg, company) [zyfmaster]:
Organizational Unit Name (eg, section) []:zyfmaster
Common Name (eg, your name or your server's hostname) [server]:server
Name []:
Email Address [905407204]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:zyfmaster
Using configuration from /etc/openvpn/2.0/f
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SH'
localityName          :PRINTABLE:'PD'
organizationName      :PRINTABLE:'zyfmaster'
organizationalUnitName:PRINTABLE:'zyfmaster'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'905407204'
Certificate is to be certified until Dec  2 04:14:34 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generate a client key:
# ./build-key client1
Generating a 1024 bit RSA private key
.+.+
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [PD]:
Organization Name (eg, company) [zyfmaster]:
Organizational Unit Name (eg, section) []:zyfmaster
Common Name (eg, your name or your server's hostname) [client1]:client1    # Important: every client's certificate must have a different name.
Name []:
Email Address [905407204]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:zyfmaster
Using configuration from /etc/openvpn/2.0/f
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SH'
localityName          :PRINTABLE:'PD'
organizationName      :PRINTABLE:'zyfmaster'
organizationalUnitName:PRINTABLE:'zyfmaster'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'905407204'
Certificate is to be certified until Dec  2 04:15:50 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Build the remaining client keys the same way:
# ./build-key client2
# ./build-key client3
Note: at the Common Name (eg, your name or your server's hostname) prompt, every certificate must be given a different name. OpenVPN uses the certificate's Common Name as the client's identity: without duplicate-cn in the server configuration, a second client connecting with the same CN disconnects the first, and the CA database keeps only one valid certificate per subject. The "challenge password" asked for at the end is merely an attribute of the certificate request; it does not encrypt the private key, which build-key writes out unencrypted (use build-key-pass if you want a passphrase-protected key).

5. Generate the Diffie-Hellman parameters
# ./build-dh
This writes keys/dh1024.pem (the file is named after KEY_SIZE); the server configuration below refers to it.

6. Pack up everything under keys and download it to your local machine (WinSCP, HTTP, FTP, etc.)
# tar zcvf yskeys.tar.gz keys/*
Caveat: this archive contains the CA private key (ca.key) and every private key issued so far. Move it only over an authenticated, encrypted channel (SCP/SFTP, for example WinSCP over SFTP), never plain HTTP or FTP, and hand each client only ca.crt together with its own clientN.crt and clientN.key. ca.key should never leave the CA machine.

7. Create the server configuration file
# mkdir /etc/openvpn/2.0/conf
# cp /root/openvpn/openvpn-2.1_rc22/sample-config-files/server.conf /etc/openvpn/2.0/conf/
# vim /etc/openvpn/2.0/conf/server.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/server.crt
key /etc/openvpn/2.0/keys/server.key  # This file should be kept secret
dh /etc/openvpn/2.0/keys/dh1024.pem
server
push "route"
push "route"
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS"
push "dhcp-option DNS"
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3

IV. Enable routing on the server
1. Enable IP forwarding on CentOS 5
# vim /etc/sysctl.conf
Change the following line:
net.ipv4.ip_forward = 1

V. Apply sysctl.conf and add the iptables NAT rule
# sysctl -p
# iptables -t nat -A POSTROUTING -o eth0 -s /24 -j MASQUERADE
# /etc/init.d/iptables save
The -s argument is the VPN client subnet handed out by the server directive above; the MASQUERADE rule is what lets clients that receive redirect-gateway reach the outside through eth0.

VI. Start OpenVPN and have it start at boot
# vi /etc/rc.local
Append this line at the end:
/usr/local/sbin/openvpn --config /etc/openvpn/2.0/conf/server.conf &
OpenVPN options take a double dash; a single-dash `-config` is rejected. OpenVPN must be started as root so it can open the tun device, bind port 1194 and read server.key; the user nobody / group nobody lines in the configuration make it drop those privileges once initialisation is complete.

VII. OpenVP
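The client-key steps above rely on there being exactly one Common Name per client. The following script is an added example, not part of the original document: it audits easy-rsa's keys/index.txt, the OpenSSL CA database that build-ca, build-key-server and build-key append to (the "Data Base Updated" message), for duplicate CNs among currently valid certificates and for expired or soon-to-expire entries. The sample database is constructed to mirror the DN fields used in the tutorial; the revoked-and-reissued client2 and the doubled client3 records are invented to exercise the checks.

```python
"""Audit an easy-rsa 2.0 CA database (keys/index.txt).

Added example, not part of the tutorial. Checks the property the tutorial
insists on (one Common Name per client) over the currently valid certificates,
and reports expired or soon-to-expire records. The sample below is constructed.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed keys/index.txt. One tab-separated record per certificate:
#   status (V valid, R revoked, E expired) | expiry | revocation | serial | filename | subject
# client2 was revoked and re-issued, which is legitimate (one V record per CN);
# client3 has two V records, the mistake the check must report.
SAMPLE_INDEX = "\n".join([
    "V\t221202041434Z\t\t01\tunknown\t/C=CN/ST=SH/L=PD/O=zyfmaster/OU=zyfmaster/CN=server/emailAddress=905407204",
    "V\t221202041550Z\t\t02\tunknown\t/C=CN/ST=SH/L=PD/O=zyfmaster/OU=zyfmaster/CN=client1/emailAddress=905407204",
    "R\t221203090000Z\t130115120000Z\t03\tunknown\t/C=CN/ST=SH/L=PD/O=zyfmaster/OU=zyfmaster/CN=client2/emailAddress=905407204",
    "V\t230115120500Z\t\t04\tunknown\t/C=CN/ST=SH/L=PD/O=zyfmaster/OU=zyfmaster/CN=client2/emailAddress=905407204",
    "V\t221203090100Z\t\t05\tunknown\t/C=CN/ST=SH/L=PD/O=zyfmaster/OU=zyfmaster/CN=client3/emailAddress=905407204",
    "V\t221203090200Z\t\t06\tunknown\t/C=CN/ST=SH/L=PD/O=zyfmaster/OU=zyfmaster/CN=client3/emailAddress=905407204",
])


def _utc(stamp):
    """Parse OpenSSL's UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if len(stamp) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)


def parse_index(text):
    """Return one dict per record of an OpenSSL CA index.txt."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt record: {line!r}")
        status, expiry, revoked, serial, _filename, subject = fields
        dn = dict(part.split("=", 1) for part in subject.strip("/").split("/"))
        records.append({
            "status": status,
            "expires": _utc(expiry),
            # the revocation field may carry a reason: "YYMMDDHHMMSSZ,keyCompromise"
            "revoked": _utc(revoked.split(",")[0]) if revoked else None,
            "serial": serial,
            "cn": dn.get("CN", ""),
        })
    return records


def audit_index(text, now=None, warn_days=30):
    """Return (sorted CNs of valid certificates, list of findings)."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    valid = [r for r in parse_index(text) if r["status"] == "V"]
    findings = []
    for cn, n in sorted(Counter(r["cn"] for r in valid).items()):
        if n > 1:
            findings.append(f"CN {cn!r} has {n} valid certificates; OpenVPN identifies clients by CN, issue one per client")
    for r in valid:
        if r["expires"] <= now:
            findings.append(f"serial {r['serial']} ({r['cn']}) expired {r['expires']:%Y-%m-%d} but is still marked V")
        elif r["expires"] - now <= timedelta(days=warn_days):
            findings.append(f"serial {r['serial']} ({r['cn']}) expires {r['expires']:%Y-%m-%d}, within {warn_days} days")
    return sorted({r["cn"] for r in valid}), findings


if __name__ == "__main__":
    cns, problems = audit_index(SAMPLE_INDEX, now="2013-06-01")
    print("valid CNs:", ", ".join(cns))
    for problem in problems:
        print("PROBLEM:", problem)
```

Run it against the real file with `audit_index(open("/etc/openvpn/2.0/keys/index.txt").read())` before distributing keys; the revoked client2 record is ignored for the uniqueness check, so re-issuing a certificate after revoking the old one does not trip it, while two simultaneously valid certificates with the same CN do.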
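The server.conf written in step 7 is what a reviewer would check after following this tutorial. The script below is an added example, not from the original document: it parses an OpenVPN configuration the way the daemon does (comments, quoted push arguments, inline blocks) and reports the points discussed above, namely 1024-bit Diffie-Hellman parameters, a missing privilege drop, duplicate-cn undermining one-certificate-per-client, and the absence of tls-auth. Both configurations are constructed; the addresses 10.8.0.0/24, 192.168.1.0/24 and 8.8.8.8 are placeholders for values the tutorial does not specify.

```python
"""Lint an OpenVPN server.conf for basic hardening points.

Added example, not part of the tutorial. WEAK_CONF follows the tutorial's
server.conf with placeholder addresses and two deliberate weaknesses added
(no user/group, duplicate-cn); HARDENED_CONF is the same file with every
finding fixed.
"""
import shlex

WEAK_CONF = """
port 1194
proto udp
dev tun
ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/server.crt
key /etc/openvpn/2.0/keys/server.key  # This file should be kept secret
dh /etc/openvpn/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
"""

# Same file with the findings fixed: 2048-bit DH, tls-auth, privilege drop, no duplicate-cn.
HARDENED_CONF = WEAK_CONF.replace("dh1024.pem", "dh2048.pem").replace(
    "duplicate-cn\n", "tls-auth /etc/openvpn/2.0/keys/ta.key 0\nuser nobody\ngroup nobody\n")


def parse_conf(text):
    """Return [(directive, [args])] in file order.

    Follows OpenVPN's syntax: '#' or ';' starts a comment, even after a
    directive; multi-word arguments are double-quoted; <tag>...</tag> blocks
    carry inline files and are recorded as the directive with no arguments.
    """
    directives, inline = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if inline is not None:
            if line == f"</{inline}>":
                inline = None
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline = line[1:-1]
            directives.append((inline, []))
            continue
        lex = shlex.shlex(line, posix=True)
        lex.whitespace_split = True
        lex.commenters = "#;"
        tokens = list(lex)
        if tokens:
            directives.append((tokens[0], tokens[1:]))
    return directives


def lint_server_conf(text, min_dh_bits=2048):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_conf(text)
    present = {name for name, _ in conf}
    findings = []
    for name, args in conf:
        if name == "dh" and args:
            # easy-rsa names the file after KEY_SIZE: dh1024.pem, dh2048.pem
            digits = "".join(c for c in args[0].rsplit("/", 1)[-1] if c.isdigit())
            if digits and int(digits) < min_dh_bits:
                findings.append(f"dh: {args[0]} is {digits}-bit, below {min_dh_bits}; rebuild with a larger KEY_SIZE")
        elif name == "duplicate-cn":
            findings.append("duplicate-cn: several clients may share one certificate; remove it and issue one certificate per client")
    if not {"user", "group"} <= present:
        findings.append("user/group: the daemon keeps root after start-up; add 'user nobody' and 'group nobody'")
    if "tls-auth" not in present:
        findings.append("tls-auth: control channel has no HMAC protection; add 'tls-auth ta.key 0' (openvpn --genkey --secret ta.key)")
    return findings


if __name__ == "__main__":
    for label, conf in (("tutorial-style config", WEAK_CONF), ("hardened config", HARDENED_CONF)):
        problems = lint_server_conf(conf)
        print(f"{label}: {len(problems)} finding(s)")
        for p in problems:
            print("  -", p)
```

Point it at the deployed file with `lint_server_conf(open("/etc/openvpn/2.0/conf/server.conf").read())`. The DH check reads the key size from the file name easy-rsa's build-dh produces, so a parameter file renamed by hand is not judged; inspect such a file with `openssl dhparam -in dh.pem -text -noout` instead.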
