1. Packages: lzo, openvpn, openssl

2. System environment: a VPS running CentOS 5

3. Install by compiling from source:

    tar xzvf openssl-version.tar.gz
    tar xzvf lzo-version.tar.gz
    tar xzvf openvpn-version.tar.gz
    cd openssl-version
    ./config --prefix=/usr/local/openssl
    make; make install
    cd ..
    cd lzo-version
    ./configure --prefix=/usr/local/lzo
    make; make install
    cd ..
    cd openvpn-version
    ./configure --with-lzo-headers=/usr/local/lzo/include --with-lzo-lib=/usr/local/lzo/lib
    make; make install

4. Generate the certificates:

    cd /root/openvpn-2.0.9/easy-rsa

   a) Set the variables used by the easy-rsa scripts:

    export D=`pwd`
    export KEY_CONFIG=$D/openssl.cnf
    export KEY_DIR=$D/keys
    export KEY_SIZE=1024
    export KEY_COUNTRY=CN
    export KEY_PROVINCE=BJ
    export KEY_CITY=BJ
    export KEY_ORG=buaa
    export KEY_EMAIL=<your email address>

   b) ./clean-all

   c) ./build-ca

    ./build-ca
    Generating a 1024 bit RSA private key
    .....+++++
    ....+++++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [BJ]:
    Locality Name (eg, city) [BJ]:
    Organization Name (eg, company) [dvdmaster]:buaa
    Organizational Unit Name (eg, section) []:gait
    Common Name (eg, your name or your server's hostname) []:server
    Email Address []:

   d) ./build-key-server server

    ./build-key-server server
    Generating a 1024 bit RSA private key
    .....+++++
    ....+++++
    writing new private key to 'server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [BJ]:
    Locality Name (eg, city) [BJ]:
    Organization Name (eg, company) [buaa]:
    Organizational Unit Name (eg, section) []:gait
    Common Name (eg, your name or your server's hostname) []:server
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:abcd1234
    An optional company name []:dvdmaster
    Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'CN'
    stateOrProvinceName   :PRINTABLE:'GD'
    localityName          :PRINTABLE:'SZ'
    organizationName      :PRINTABLE:'dvdmaster'
    organizationalUnitName:PRINTABLE:'dvdmaster'
    commonName            :PRINTABLE:'server'
    emailAddress          :IA5STRING:''
    Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

5. Client certificates. With this OpenVPN configuration every VPN client that logs in needs its own certificate, and each certificate can serve only one client at a time (if two machines install the same certificate and dial the server simultaneously, both connect, but only the first one to connect gets network access). So a number of certificates must be created. Below, three are created, named client1 to client3.

    ./build-key client1
    Generating a 1024 bit RSA private key
    .....+++++
    ....+++++
    writing new private key to 'client1.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [BJ]:
    Locality Name (eg, city) [BJ]:
    Organization Name (eg, company) [buaa]:
    Organizational Unit Name (eg, section) []:gait
    Common Name (eg, your name or your server's hostname) []:client1   # Important: the certificate generated for each client must have a different name.
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:abcd1234
    An optional company name []:gait
    Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'CN'
    stateOrProvinceName   :PRINTABLE:'GD'
    localityName          :PRINTABLE:'SZ'
    organizationName      :PRINTABLE:'dvdmaster'
    organizationalUnitName:PRINTABLE:'dvdmaster'
    commonName            :PRINTABLE:'client1'
    emailAddress          :IA5STRING:''
    Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

   e) Generate the other client certificates/keys in the same way:

    ./build-key client2
    ./build-key client3

      Note: at the prompt "Common Name (eg, your name or your server's hostname) []:" the name entered for each certificate must be different.

   f) Run ./build-dh

   g) All generated certificates are in /root/openvpn-2.0.9/easy-rsa/keys. The server needs ca.crt, server.crt, server.key and dh1024.pem; each client needs ca.crt plus its own client1-3.crt and client1-3.key.

6. Configuration file:

   a) cp /root/openvpn-2.0.9/sample-config-files/server.conf /usr/local/etc/server.conf

   b) vi /usr/local/etc/server.conf
      i. Change proto udp to proto tcp.
      ii. Change the four ca/cert/key/dh lines to:

    ca /root/openvpn-2.0.9/easy-rsa/keys/ca.crt
    cert /root/openvpn-2.0.9/easy-rsa/keys/server.crt
    key /root/openvpn-2.0.9/easy-rsa/keys/server.key
    dh /root/openvpn-2.0.9/easy-rsa/keys/dh1024.pem

      iii. For the full server.conf see the reference file server.conf.

7. Start the service:

   a) Remove everything on the server and the firewall that blocks SSH (22) and openvpn (1194).
   b) echo 1 > /proc/sys/net/ipv4/ip_forward
   c) /usr/local/sbin/openvpn --config /usr/local/etc/server.conf
   d) To start at boot, append the following to /etc/rc.local:

    /usr/local/sbin/openvpn --config /usr/local/etc/server.conf > /dev/null 2>&1 &

Installing the client

1. From http://openvpn.se/ download the Windows client "OpenVPN GUI for Windows" whose version matches the OpenVPN server.
   a) For example, if the server runs OpenVPN 2.0.9, the OpenVPN GUI for Windows to download is openvpn-2.0.9-gui-1.0.3-install.exe.

2. Run openvpn-2.0.9-gui-1.0.3-install.exe and accept all defaults.

3. Copy ca.crt, client1.crt and client1.key to C:\Program Files\OpenVPN\config. (Different users use different certificates; each certificate consists of a .crt and a .key file, e.g. client2.crt and client2.key.)

4. Create the client configuration file based on /root/openvpn-2.0.9/sample-config-files/client.conf and save it as C:\Program Files\OpenVPN\config\client.ovpn:
   a) Change proto udp to proto tcp.
   b) Change the remote line to: remote <public IP of the VPN server> 1194 (the port number).
   c) Change the three ca/cert/key lines to:

    ca ca.crt
    cert client1.crt
    key client1.key

   d) Comment out comp-lzo.

   For the full client configuration see the reference file client.ovpn.

Summary of problems

1. The paths of the certificate/key files referenced in server.conf and client.conf must be written correctly.

2. Change proto udp to proto tcp.

3. ./build-key client: each client needs a different Common Name, and it must not be the same as the Common Names used above.

4. Certificates have a validity start time, so the clocks of the server and the client must be synchronized. How to set the time:

    date -s 20:30:30          # set the system time to 20:30:30
    clock -w                  # write the system time (e.g. as set by date) to the BIOS

   To synchronize from the network: ntpdate <time server>

5. On an OpenVZ VPS, run the following before setting up OpenVPN, otherwise TUN cannot be enabled:

    vzctl set 120 --devices c:10:200:rw --save
    vzctl exec 120 mkdir -p /dev/net
    vzctl exec 120 mknod /dev/net/tun c 10 200
    vzctl exec 120 chmod 600 /dev/net/tun

6. In vi /etc/vz/vz.conf find the line "# IPv4 iptables kernel modules":

    IPTABLES="iptable_nat ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpms
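The first three items of the summary (wrong cert/key paths, a udp/tcp mismatch, and one-sided settings such as comp-lzo) are the failures that surface only after the tunnel refuses traffic. As an added example, not part of this guide, the Python script below checks a server.conf / client.ovpn pair for exactly those mismatches before the service is started. The two sample configs, the placeholder address 203.0.113.10, and the empty placeholder certificate files it creates in a temporary directory are all constructed for the example; the check flags comp-lzo whenever it differs between the two sides, so whichever choice is made (the guide comments it out on the client) the server must match.

```python
"""Consistency checks for an OpenVPN server.conf / client.ovpn pair.

Added example, not code from the original guide. It catches the pitfalls
the guide's summary lists: a cert/key path that does not resolve, a udp/tcp
mismatch between the two sides, and comp-lzo set on one side only.
The configs below are constructed; 203.0.113.10 is a placeholder address.
"""
import os
import tempfile

# Constructed server.conf shaped like the guide's edited sample; {keys} is
# filled in with a temporary directory so the example runs anywhere.
SERVER_CONF = """\
port 1194
proto tcp
dev tun
ca {keys}/ca.crt
cert {keys}/server.crt
key {keys}/server.key
dh {keys}/dh1024.pem
server 10.8.0.0 255.255.255.0
comp-lzo
"""

# Constructed client.ovpn with the usual mistakes: proto left at udp,
# comp-lzo commented out while the server has it, and another client's key.
CLIENT_BROKEN = """\
client
dev tun
proto udp
remote 203.0.113.10 1194
ca ca.crt
cert client1.crt
key client2.key
;comp-lzo
"""

# The same client config with the three problems corrected.
CLIENT_FIXED = """\
client
dev tun
proto tcp
remote 203.0.113.10 1194
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
"""

FILE_OPTIONS = ("ca", "cert", "key", "dh")


def parse_conf(text):
    """Map each option to its argument list (first occurrence wins).
    Blank lines and lines starting with '#' or ';' are OpenVPN comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        opts.setdefault(parts[0], parts[1:])
    return opts


def check_pair(server_text, client_text, server_dir, client_dir):
    """Return a list of problem strings; an empty list means the pair is consistent."""
    server = parse_conf(server_text)
    client = parse_conf(client_text)
    problems = []

    # 1. every referenced ca/cert/key/dh file must exist; relative paths are
    #    resolved against the config directory (what the Windows GUI does;
    #    on Linux use absolute paths or --cd)
    for side, opts, base in (("server", server, server_dir),
                             ("client", client, client_dir)):
        for opt in FILE_OPTIONS:
            if opts.get(opt):
                path = opts[opt][0]
                full = path if os.path.isabs(path) else os.path.join(base, path)
                if not os.path.isfile(full):
                    problems.append(f"{side}: {opt} file not found: {full}")

    # 2. transport must agree; 'tcp-server', 'tcp-client', 'udp4' etc. all
    #    reduce to their first three letters
    s_proto = server.get("proto", ["udp"])[0][:3]
    c_proto = client.get("proto", ["udp"])[0][:3]
    if s_proto != c_proto:
        problems.append(f"proto mismatch: server {s_proto}, client {c_proto}")

    # 3. the lzo framing is not negotiated in OpenVPN 2.0.x, so comp-lzo
    #    must be set on both sides or on neither
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        problems.append("comp-lzo set on one side only")

    # 4. the client's remote port must be the server's listening port
    port = server.get("port", ["1194"])[0]
    remote = client.get("remote", [])
    if len(remote) >= 2 and remote[1] != port:
        problems.append(f"client remote port {remote[1]} != server port {port}")

    return problems


def run_demo():
    """Create empty placeholder cert files in a temp dir and check both client
    configs against the server; returns (broken_problems, fixed_problems)."""
    with tempfile.TemporaryDirectory() as tmp:
        keys = os.path.join(tmp, "keys")     # stands in for easy-rsa/keys
        cfg = os.path.join(tmp, "config")    # stands in for the client config folder
        os.makedirs(keys)
        os.makedirs(cfg)
        for name in ("ca.crt", "server.crt", "server.key", "dh1024.pem"):
            open(os.path.join(keys, name), "w").close()
        for name in ("ca.crt", "client1.crt", "client1.key"):
            open(os.path.join(cfg, name), "w").close()
        server_text = SERVER_CONF.format(keys=keys)
        broken = check_pair(server_text, CLIENT_BROKEN, keys, cfg)
        fixed = check_pair(server_text, CLIENT_FIXED, keys, cfg)
    return broken, fixed


if __name__ == "__main__":
    broken, fixed = run_demo()
    print("broken client:", *broken, sep="\n  ")
    print("fixed client:", fixed or "no problems")
```

To use it on a real pair, call check_pair with the two file contents and the directories each config lives in; an empty result means the three summary items are covered, though it says nothing about certificate validity dates, which the clock synchronization in item 4 addresses.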