This is the second time the company has installed OpenVPN. Since it was needed again, I told myself this time to write it down, so I collected a lot of material online, sifted through it, and followed the steps; unexpectedly, it went very smoothly.
==============
For Server
==============
1. Download the package files
#wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
#wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm
2. Install package
#rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
#rpm -Uvh /usr/src/redhat/RPMS/i386/lzo-*.rpm
#rpmbuild -tb openvpn-2.0.9.tar.gz
#rpm -Uvh /usr/src/redhat/RPMS/i386/openvpn-2.0.9-1.i386.rpm
If everything goes smoothly you will not see the errors below; if you do, install the missing build dependency and rerun the rpmbuild step:
Error:
Failed build dependencies:
autoconf is needed by lzo-1.08-4.rf.i386
Answer:
yum install autoconf.noarch
–
Error:
Failed build dependencies:
pam-devel is needed by openvpn-2.0.9-1.i386
Answer:
yum install pam-devel
3. Copy the sample configuration files and the easy-rsa scripts into /etc/openvpn
#cp -r /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/
#cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/
4. Configure the CA
#cd /etc/openvpn/easy-rsa/
#vi vars
export KEY_COUNTRY=CN
export KEY_PROVINCE=Beijing
export KEY_CITY=Beijing
export KEY_ORG="VPN"
export KEY_EMAIL="service@myemail"
#. ./vars
#./clean-all
./clean-all wipes /etc/openvpn/easy-rsa/keys (it is the rm -rf that sourcing vars warns about) and recreates the directory with mode 0700; run it only once, before the CA is built, and never again when adding clients later.
The same vars file sets export KEY_SIZE=1024, which every key below and the DH parameters inherit. 1024-bit RSA and DH are too weak by current standards; on anything other than a lab box set export KEY_SIZE=2048 before running ./build-ca (build-dh then writes dh2048.pem, and server.conf has to reference that file instead of dh1024.pem).
Now build the CA certificate:
5. Build the root CA
#./build-ca
......++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [VPN]:
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:VPN
Email Address [vpn@myvpn.ca.mail]:
6. Build the server key and crt
#./build-key-server server
Generating a 1024 bit RSA private key
.....++++++
......................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [VPN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:VPN
Email Address [service@myemail]:
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'Beijing'
localityName :PRINTABLE:'Beijing'
organizationName :PRINTABLE:'VPN'
organizationalUnitName:PRINTABLE:''
commonName :PRINTABLE:'VPN'
emailAddress :IA5STRING:'service@myemail'
Certificate is to be certified until Jun 27 05:21:29 2017 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
The Common Name is the one field that must be filled in; the rest can be left at their defaults. Every certificate signed afterwards (the server's and each client's) needs its own, distinct Common Name: OpenSSL's ca refuses to sign a second valid certificate with an identical subject, and OpenVPN uses the CN as the client's identity, both in the logs and for the per-client file under client-config-dir, so two clients sharing a CN cannot be told apart or connect at the same time.
7. Build the Diffie Hellman parameters
#./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..........
8. Copy the CA certificate, the DH parameters, and the server key and certificate into /etc/openvpn
#cp keys/ca.crt ../
#cp keys/dh1024.pem ../
#cp keys/server.key ../
#cp keys/server.crt ../
server.key is the only one of these that is secret and must stay readable by root alone. The CA key (keys/ca.key) is not copied anywhere: the running server never needs it, only the host that signs certificates does.
9. Edit the server configuration
#cd ../
#vi server.conf
#proto tcp
proto udp
;dev tap
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
log-append /var/log/openvpn.log
verb 5
Use either log or log-append, not both: log truncates the file at every start, while log-append keeps the history, which is what you want when reviewing an incident afterwards. verb 5 is useful while bringing the service up (it prints an R or W for every packet read and written); lower it to 3 or 4 once the tunnel works.
10. Startup the service
#service openvpn restart
#chkconfig openvpn on
11. Open the OpenVPN port in iptables
#vi /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
#service iptables restart
Only the protocol that server.conf actually uses needs to be open (udp in step 9, tcp in the final configuration further down); drop the other rule rather than leaving an unused port exposed.
==============
For Client
==============
1. Generate the client's key and certificate on the Linux server
How to create a new VPN account. Source vars again in every new shell, but do not run ./clean-all here: it would delete the CA and every certificate issued so far.
[lilyenglish@lilyCenter ~]$ su -
Password:
[root@lilyCenter ~]# cd /etc/openvpn/easy-rsa/
[root@lilyCenter easy-rsa]# . ./vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
[root@lilyCenter easy-rsa]# ./build-key zb02
Generating a 1024 bit RSA private key
.............++++++
.++++++
writing new private key to 'zb02.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [LILYVPN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:zb02    (the Common Name must differ from every one issued before)
Email Address [service@lilyenglish.com]:
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'Beijing'
localityName :PRINTABLE:'Beijing'
organizationName :PRINTABLE:'LILYVPN'
commonName :PRINTABLE:'zb02'
emailAddress :IA5STRING:'service@lilyenglish.com'
Certificate is to be certified until Dec 8 06:46:11 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@lilyCenter easy-rsa]# cp ./keys/zb02* /home/lilyenglish/keys/
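Before running ./build-key for a new account, it is worth checking easy-rsa's own database rather than relying on memory for which Common Names are taken. The following POSIX shell script is an added example for this write-up, not part of easy-rsa or OpenVPN: it reads keys/index.txt (the OpenSSL ca database), lists what has been issued, and refuses a name that still has a valid certificate. The index rows are constructed to mirror the server and zb02 certificates signed above; the revoked test01 entry is hypothetical.

```sh
#!/bin/sh
# Check easy-rsa's keys/index.txt before running ./build-key, so that a
# Common Name is never issued twice. Added example for this write-up, not
# part of easy-rsa or OpenVPN.
#
# index.txt is the OpenSSL "ca" database: one tab-separated row per signed
# certificate with status (V valid, R revoked, E expired), expiry as
# YYMMDDHHMMSSZ, revocation date (empty unless R), serial, file name
# (always "unknown" here) and the subject DN.
#
# Constructed sample: the first two rows mirror the server and zb02
# certificates signed on this page; "test01" is a hypothetical revoked client.
SAMPLE_INDEX=$(mktemp)
{
    printf 'V\t170627052129Z\t\t01\tunknown\t/C=CN/ST=Beijing/L=Beijing/O=VPN/CN=VPN/emailAddress=service@myemail\n'
    printf 'V\t181208064611Z\t\t02\tunknown\t/C=CN/ST=Beijing/L=Beijing/O=LILYVPN/CN=zb02/emailAddress=service@lilyenglish.com\n'
    printf 'R\t181208064611Z\t090101000000Z\t03\tunknown\t/C=CN/ST=Beijing/L=Beijing/O=LILYVPN/CN=test01/emailAddress=service@lilyenglish.com\n'
} > "$SAMPLE_INDEX"

# index_list FILE: print "status  expiry  CN" for every row (expiries on
# this page are all 20xx, so the century is fixed here).
index_list() {
    awk -F'\t' '
        {
            cn = "?"
            if (match($6, /\/CN=[^\/]*/)) cn = substr($6, RSTART + 4, RLENGTH - 4)
            e = $2
            printf "%s  20%s-%s-%s  %s\n", $1, substr(e, 1, 2), substr(e, 3, 2), substr(e, 5, 2), cn
        }' "$1"
}

# index_cn_status FILE CN: print the status of the newest row for CN
# (V, R or E); exit 1 if that CN has never been issued.
index_cn_status() {
    awk -F'\t' -v cn="$2" '
        match($6, /\/CN=[^\/]*/) && substr($6, RSTART + 4, RLENGTH - 4) == cn { status = $1 }
        END { if (status == "") exit 1; print status }' "$1"
}

# cn_available FILE CN: succeed if no *valid* certificate carries CN.
# OpenSSL ca (unique_subject = yes, the default) refuses to sign while a V
# row with the same subject exists, so a revoked name may be reissued but a
# live one may not. OpenVPN additionally rejects a second concurrent client
# with the same CN unless duplicate-cn is set, and looks up the CN under
# client-config-dir, so sharing a CN also breaks per-client policy.
cn_available() {
    awk -F'\t' -v cn="$2" '
        $1 == "V" && match($6, /\/CN=[^\/]*/) && substr($6, RSTART + 4, RLENGTH - 4) == cn { taken = 1; exit }
        END { exit taken }' "$1"
}

# new_client_check FILE CN: the check to run right before ./build-key CN.
new_client_check() {
    if cn_available "$1" "$2"; then
        echo "OK: $2 is free, safe to run ./build-key $2"
    else
        echo "REFUSE: a valid certificate for CN=$2 already exists (revoke it first or pick another name)" >&2
        return 1
    fi
}

index_list "$SAMPLE_INDEX"
new_client_check "$SAMPLE_INDEX" zb03
new_client_check "$SAMPLE_INDEX" zb02 || true
```

In production point the functions at /etc/openvpn/easy-rsa/keys/index.txt instead of the sample file; the script reads the database only and never writes to it, so it is safe to run as often as you like.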
Client setup
Copy client.ovpn, ca.crt, ta.key and the client's own key and certificate (zb02.key and zb02.crt for the account created above) into C:\Program Files\OpenVPN\config. The client's private key and ta.key are secrets: hand them to the user over a secure channel, not by plain e-mail.
Edit lines 88 to 90 of client.ovpn so they point at those files:
ca ca.crt
cert zb02.crt
key zb02.key
client.ovpn
client
dev tap
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert zb02.crt
key zb02.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 5
Two lines here do the real security work. ns-cert-type server makes the client accept only a server certificate carrying the nsCertType=server extension that build-key-server adds; without it, anyone holding a client certificate signed by this CA could impersonate the server. OpenVPN 2.1 and later offer remote-cert-tls server, which checks the extended key usage instead and is the preferred form. tls-auth ta.key 1 makes the client HMAC-sign and verify every control-channel packet with the shared ta.key (direction 1 here, 0 on the server), so packets without a valid HMAC are dropped before any TLS processing.
server.conf (final version; it was switched to proto tcp and dev tap to match client.ovpn above, replacing the udp/tun values from step 9, so the tcp/1194 firewall rule is the one this configuration needs):
port 1194
proto tcp
dev tap
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push “route 192.168.10.0 255.255.255.0”
client-config-dir ccd
client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 4
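The server.conf above and the client.ovpn before it have to agree on transport, device type, tls-auth direction and compression, and this page itself shows how easily they drift (udp/tun in step 9, tcp/tap here). The following POSIX shell script is an added example for this write-up, not OpenVPN code: it reads both files using OpenVPN's comment rules and reports every mismatch, including a client that omits ns-cert-type server. The three sample files are constructed from the configurations shown on this page.

```sh
#!/bin/sh
# Consistency check between an OpenVPN 2.0 server.conf and a client .ovpn.
# Added example for this write-up, not part of OpenVPN. Each setting checked
# below silently breaks or weakens the tunnel when the two ends disagree.

# ovpn_get FILE DIRECTIVE: print the arguments of the first active DIRECTIVE
# line. Lines starting with '#' or ';' are comments, and a trailing "# ..."
# (as in "key server.key # This file should be kept secret") is stripped,
# the same way OpenVPN reads its configuration.
ovpn_get() {
    awk -v d="$2" '
        /^[[:space:]]*[#;]/ { next }
        { sub(/[[:space:]]#.*$/, "") }
        $1 == d { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }' "$1"
}

# ovpn_has FILE DIRECTIVE: succeed if DIRECTIVE is present at all.
ovpn_has() {
    awk -v d="$2" '
        /^[[:space:]]*[#;]/ { next }
        { sub(/[[:space:]]#.*$/, "") }
        $1 == d { found = 1; exit }
        END { exit !found }' "$1"
}

# ovpn_pair_check SERVER_CONF CLIENT_OVPN: print one line per mismatch and
# return how many were found (0 means the pair agrees).
ovpn_pair_check() {
    srv=$1; cli=$2; n=0
    # proto: tcp-server/tcp-client are the same transport; the default is udp.
    sproto=$(ovpn_get "$srv" proto | sed 's/-server$//;s/-client$//')
    cproto=$(ovpn_get "$cli" proto | sed 's/-server$//;s/-client$//')
    [ "${sproto:-udp}" = "${cproto:-udp}" ] || { echo "proto: server=${sproto:-udp} client=${cproto:-udp}"; n=$((n + 1)); }
    # dev: tun (layer 3) and tap (layer 2) cannot interoperate; tap0 counts as tap.
    sdev=$(ovpn_get "$srv" dev | sed 's/[0-9]*$//'); cdev=$(ovpn_get "$cli" dev | sed 's/[0-9]*$//')
    [ "$sdev" = "$cdev" ] || { echo "dev: server=$sdev client=$cdev"; n=$((n + 1)); }
    # tls-auth: both ends or neither, with key directions 0 and 1 (or both
    # omitted, which means a bidirectional key).
    sta=$(ovpn_get "$srv" tls-auth); cta=$(ovpn_get "$cli" tls-auth)
    if [ -n "$sta" ] && [ -n "$cta" ]; then
        case "$sta" in *" "*) sdir=${sta##* } ;; *) sdir="" ;; esac
        case "$cta" in *" "*) cdir=${cta##* } ;; *) cdir="" ;; esac
        case "$sdir/$cdir" in
            /|0/1|1/0) ;;
            *) echo "tls-auth direction: server='$sdir' client='$cdir' (need 0 and 1)"; n=$((n + 1)) ;;
        esac
    elif [ -n "$sta$cta" ]; then
        echo "tls-auth: configured on one side only"; n=$((n + 1))
    fi
    # comp-lzo: OpenVPN 2.0 does not negotiate compression, so it must match.
    slzo=0; clzo=0
    ovpn_has "$srv" comp-lzo && slzo=1
    ovpn_has "$cli" comp-lzo && clzo=1
    [ "$slzo" = "$clzo" ] || { echo "comp-lzo: server=$slzo client=$clzo"; n=$((n + 1)); }
    # ns-cert-type server: without it the client accepts any CA-signed
    # certificate, including another client's, as the server.
    [ "$(ovpn_get "$cli" ns-cert-type)" = "server" ] || { echo "client lacks 'ns-cert-type server'"; n=$((n + 1)); }
    return "$n"
}

# Constructed samples: the final server.conf and client.ovpn from this page,
# and the step 9 server.conf (udp/tun, no tls-auth, no comp-lzo).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/server.conf" <<'EOF'
proto tcp
dev tap
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
tls-auth ta.key 0 # This file is secret
comp-lzo
EOF
cat > "$SAMPLE_DIR/client.ovpn" <<'EOF'
client
dev tap
proto tcp
ca ca.crt
cert zb02.crt
key zb02.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
EOF
cat > "$SAMPLE_DIR/server-step9.conf" <<'EOF'
#proto tcp
proto udp
;dev tap
dev tun
ca ca.crt
key server.key # This file should be kept secret
EOF

echo "final server.conf vs client.ovpn:"
ovpn_pair_check "$SAMPLE_DIR/server.conf" "$SAMPLE_DIR/client.ovpn" && echo "  no mismatches"
echo "step 9 server.conf vs client.ovpn:"
ovpn_pair_check "$SAMPLE_DIR/server-step9.conf" "$SAMPLE_DIR/client.ovpn" || echo "  $? mismatch(es)"
```

Run it against the real /etc/openvpn/server.conf and a copy of the .ovpn you are about to hand out; the step 9 pair reports four problems (proto, dev, tls-auth on one side only, comp-lzo), which is exactly the set of errors a client would otherwise only discover as a hanging connection or a TLS handshake that never completes.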
Enable IP forwarding on the server and NAT the VPN subnet onto the LAN interface (eth1, with LAN address 192.168.10.2, here):
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j SNAT --to-source 192.168.10.2
Neither setting survives a reboot on its own: add net.ipv4.ip_forward = 1 to /etc/sysctl.conf and run service iptables save after inserting the rule.
To confirm that client traffic really arrives through the tunnel, watch the tap interface while a client pings something on the LAN:
tcpdump -nn icmp -i tap0
Generate the shared tls-auth key that both configurations reference (run once, on the server, then copy ta.key to each client together with its certificate):
openvpn --genkey --secret keys/ta.key
On the server, the line
push "route 192.168.10.0 255.255.255.0"
in server.conf pushes a route for the office LAN to every client, so clients can reach the 192.168.10.0/24 network behind the server. Strictly this is routing rather than bridging: server 10.8.0.0 255.255.255.0 gives clients addresses from 10.8.0.0/24 even on a tap device, and the SNAT rule above translates them onto the LAN; a real layer-2 bridge would use server-bridge with the tap interface enslaved to the LAN bridge instead.
Note: in #rpmbuild --rebuild lzo-1.08-4.rf.src.rpm the word rebuild is preceded by two dashes.