openvpn安装使用(使用证书和密码认证配置).doc

Centos6.5 安装 openvpn create by ymc023 2014-11-101.安装yum-priorities插件,保证优先级 yum install yum-priorities2.安装rpmforgehttp:/apt.sw.be/redhat/el6/en/x86_64/rpmforge/RPMS/rpm -ivh http:/apt.sw.be/redhat/el6/en/x86_64/rpmforge/RPMS/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm 选择性安装,64位用64位,32位用686rpm -ivh http:/apt.sw.be/redhat/el6/en/i386/rpmforge/RPMS/rpmforge-release-0.5.3-1.el6.rf.i686.rpm或 rpmforge-release-0.5.3-1.el7.rf.x86_64.rpm3.安装epel/pub/epel/6/x86_64/rpm -ivh /pub/epel/6/x86_64/epel-release-6-8.noarch.rpmrpm -ivh /pub/epel/6/i386/epel-release-6-8.noarch.rpm或/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpmrpm -import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6设置 /etc/yum.repos.d/rpmforge.repo，添加顺序指令 priority=N（N 从 1 至 99，1 优先级最高），对base、updates、addons、extras 设置 priority=1，示例：以上安装完成rpmforge后,可以从rpmforge中获得openvpn的安装文件yum install openvpn4.把cp -R /usr/share/doc/openvpn-*/easy-rsa /etc/openvpn cd /etc/openvpn/easy-rsa/2.0/ chmod +x * 注:上述复制路径不同版本的具体路径不一样,请自行更改5.然后使用easy-rsa的脚本产生证书,其方法如下: ln -s f f . vars ./clean-all ./build-ca server ./build-key-server server ./build-key client ./build-dh6.配置 server.conf,首先要创建一个配置文件 cp -arp /usr/share/doc/openvpn/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn/ 或,因具体路径不一样 cp -arp /usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn port 1194 proto udp dev tun ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt cert /etc/openvpn/easy-rsa/2.0/keys/server.crt key /etc/openvpn/easy-rsa/2.0/keys/server.key dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem server push redirect-gateway def1 bypass-dhcp push dhcp-option DNS log /var/log/openvpn.log keepalive 10 120 verb 3 client-to-client comp-lzo persist-key persist-tun以下配置需在服务端开启nat功能,让vpn用户以本机IP的身份转发数据出去客户端拨入OpenVPN后，默认网关会指向OpenVPN服务器，为了能使客户端可以上网，需要在服务端开启nat功能 首先，打开ip forward功能sed -i /net.ipv4.ip_forward/s/0/1/g /etc/sysctl.conf sysctl -w net.ipv4.ip_forward=1然后，配置iptables snatiptables -t nat -A POSTROUTING -s / -j SNAT -to-source SERVER_IPiptables -t nat -nL注:将SERVER_IP替换为服务器的出口ipOpenVPN客户端配置编辑好了服务端准备就绪，接下来开始客户端配置对于Windows客户端到http:/openvpn.se/download.html 下载gui版的OpenVPN，按照提示安装完成后，将Linux服务端使用easy-rsa产生的客户端证书、私钥和ca证书下载到本地config中。/etc/openvpn/easy-rsa/2.0/keys/ca.crt #ca证书/etc/openvpn/easy-rsa/2.0/keys/client.crt #客户端证书/etc/openvpn/easy-rsa/2.0/keys/client.key #客户端私钥将这些文件下载到D:Program FilesOpenVPNconfig下。编辑客户端OpenVPN配置文件client.ovpn，内容如下：clientdev tunproto udpremote SERVER_IP 1194resolv-retry infinitenobindpersist-keypersist-tunca ca.crtcert client.crtkey client.keycomp-lzoverb 3redirect-gateway def1route-method exeroute-delay 2将SERVER_IP写成OpenVPN服务器的ip，然后打开OpenVPN的GUI，点击连接，完成OpenVPN拨入扩展配置编辑不使用证书,使用密码认证 Server端server.conf添加4行配置 :script-security 3 auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env #使用checksw.sh 验证本地明文密码client-cert-not-required #客户端不要求证书认证 ,如果同时使用证书与账号,请注销上面的配置 username-ascommon-name #用客户端的username 作为校验注:请在服务端touch 密码文件psw-file touch psw-file chomod 400 psw-file chown nobody.nobody psw-file格式如下:cat psw-filename passwdAa 123456Cc 445dfa客户端 Client.ovpn 配置 文件添加如下代码 client auth-user-pass script-security 3因openvpn.se无法打开,现提供checkpsw.sh 代码如下:chmode +x checkpsw.sh#!/bin/sh#This script will authenticate OpenVPN users againsta plain text file. The passfile should simply contain .one row per user with the username first followed by.one or more space(s) or tab(s) and then the password.PASSFILE=/etc/openvpn/psw-file LOG_FILE=/var/log/openvpn-password.log TIME_STAMP=date +%Y-%m-%d%Tif ! -r $PASSFILE ; then echo $TIME_STAMP: Could not open password file $PASSFILE for reading. $LOG_FILE exit 1 fiCORRECT_PASSWORD=awk !/;/&!/#/&$1=$usernameprint $2;exit $PASSFILEif $CORRECT_PASSWORD = ; then echo $TIME_STAMP: User does not exist: username=$username, password=$password. $LOG_FILE exit 1 fiif $password =