关闭

CentOS6 环境下的OpenVPN安装配置

标签: centosserveremaildatabaselinuxstring
20165人阅读 评论(1) 收藏 举报
分类:

1.   环境

1.1. Server端的环境

CentOS6, kernel版本: 2.6.32-71.el6
IP 为192.168.122.180,隧道IP为10.8.0.1

kernel 需要支持 tun 设备, 需要加载 iptables
检查 tun 是否安装:

# modinfo tun

filename:       /lib/modules/2.6.32-71.el6.i686/kernel/drivers/net/tun.ko
alias:          char-major-10-200
license:        GPL
author:         (C) 1999-2004 Max Krasnyansky
maxk@qualcomm.com
description:    Universal TUN/TAP device driver
srcversion:     7D2AAEF89C71C83BBFFA0DE
depends:       
vermagic:       2.6.32-71.el6.i686 SMP mod_unload modversions 686

1.2. 客户端环境

Win7 主机IP192.168.122.29

2.   安装

2.1. Linux

openVPN目前不能用yum直接安装,官网上有RPM安装包,可以直接下载,这个RPM需要依赖:

  • openssl
  • lzo
  • pam

此外, 如果我们自己编译源码包,还会依赖上述包的对应开发包:

  • openssl-devel
  • lzo-devel
  • pam-devel

幸运的是,所依赖的包,都可以直接通过yum获取安装

这里使用的是直接编译源码的方式,在一述依赖包全部安装完毕之后,解压下载下来的源码包:

http://openvpn.net/index.php/open-source/downloads.html下载最新版本的源码包。

#tar xfz openvpn-[version].tar.gz

然后进入源码所有的顶层目录,执行编译安装三步曲:

#./configure
#make
#make install

2.2. windows

http://openvpn.net/index.php/open-source/downloads.html下载最新的安装包,双击安装即可。

3.   证书和key文件

因为我的环境是以Linux为服务端的,所以证书生成也在Linux下完成。

如果OpenVPN是通过RPM包安装的,通常easy-rsa目录是在/usr/share/doc/packages/openvpn或/usr/share/doc/openvpn-version下,如果是用源码包编译OpenVPN的,easy-rsa就在源码包的顶层目录下。 (在编辑之前,最好把这整个easy-rsa目录拷贝到另一个地方,比如说/etc/openvpn,这样如果后面需要升级OpenVPN,就不会覆盖原有的配置了)。

先把easy-rsa拷贝到/etc/openvpn下:

#mkdir –p /etc/openvpn
#cp -R easy-rsa /etc/openvpn
#cd /etc/openvpn/easy-rsa/2.0

3.1. CA文件

用自己熟悉的编辑工具打开vars文件,根据实际情况修改以下几个变量:

export KEY_COUNTRY=”CN”
export KEY_PROVINCE=”CA”
export KEY_CITY=”HZ”
export KEY_ORG=”MY_ORG”
export KEY_EMAIL="
yetyongjin#163.com"

配置openssl,根据系统所安装的openssl版本,把对应的openssl-version.cnf文件拷贝一份,目标文件名为openssl.cnf,或建个文件链接:

# rpm -q openssl
openssl-1.0.0-20.el6_2.2.i686
# cp openssl-1.0.0.cnf openssl.cnf

然后执行以下命令:

#. ./vars
#./clean-all
#./build-ca server

注意第一条命令有两个.

输出:

Generating a 1024 bit RSA private key
.++++++
......................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [HZ]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:
Name [changeme]:
Email Address [mail@host.domain]:
 
 

3.2. 生成server key

# ./build-key-server server

这里的server是指定的名字标签,如果没指定,执行过程中会提示输入。

Generating a 1024 bit RSA private key
.....++++++
.................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [HZ]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [server]:
Name [changeme]:
Email Address [mail@host.domain]:
  
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'HZ'
organizationName      :PRINTABLE:'HZ'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Mar 28 03:05:21 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
  
  
  1 out of 1 certificate requests certified, commit? [y/n]y
  Write out database with 1 new entries
Data Base Update
请注意,表框里有些需要交互的内容,一般情况下用缺省值就可以了,标注红色的地方一定要输入的。
 

3.3. 生成clientkey

# ./build-key client1
其中client1是客户端的名字,如果有多个客户端,就需要生成多个key
Generating a 1024 bit RSA private key
...++++++
...............++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [HZ]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [client1]:
Name [changeme]:
Email Address [mail@host.domain]:
  
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'HZ'
organizationName      :PRINTABLE:'HZ'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'client1'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Mar 28 03:21:06 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
  
  
  1 out of 1 certificate requests certified, commit? [y/n]y
  Write out database with 1 new entries
Data Base Updated
请注意,表框里有些需要交互的内容,一般情况下用缺省值就可以了,标注红色的地方一定要输入的。
 

3.4. 生成Diffie Hellman参数

这一步在服务端需要,可能耗时比较长:
#./build-dh

3.5. 文件说明

到目前,我们已经建立了完整的密钥和证书文件,这些文件存放于easy-rsa目录下,一个名为keys的子目录中。下表是关于这些文件的一个简述:

Filename

Needed By

Purpose

Secret

ca.crt

server + all clients

Root CA certificate

NO

ca.key

key signing machine only

Root CA key

YES

dh{n}.pem

server only

Diffie Hellman parameters

NO

server.crt

server only

Server Certificate

NO

server.key

server only

Server Key

YES

client1.crt

client1 only

Client1 Certificate

NO

client1.key

client1 only

Client1 Key

YES

 
最后需要把keys目录下载下来,一些文件客户端需要用到。

4.   配置

OpenVPN自身携带了配置文件的模板,根据实际情况编辑所需要的配置项即可,配置模板存放于:
l        OpenVPN源码包中的sample-config-files子目录
l        RPM包中的/usr/share/doc/packages/openvpn或者/usr/share/doc/openvpn-version下的sample-config-files子目录
 

4.1. 服务端

编辑/etc/sysctl.conf,找到net.ipv4.ip_forward = 0改成net.ipv4.ip_forward = 1保存。然后执行:
#sysctl –p
 
添加路由规则:
#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 192.168.122.180
注意最后192.168.122.180改成你的VPS的IP地址。
完成后用/etc/init.d/iptables save保存iptables设置,然后/etc/init.d/iptables restart重新启动下。
 
把keys目录拷贝到/etc/openvpn下
反模板中的server.conf拷贝到/etc/openvpn下,根据自己的实际情况配置。下面是我的配置:
local 192.168.122.180
port 1194
proto udp 
dev tun 
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push “dhcp-option DNS 202.101.172.35
client-to-client
keepalive 10 120 
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
 
启动OpenVPN
#openvpn --config /etc/openvpn/server.conf &

4.2. 客户端

打开下载下来的keys文件夹,把里面的ca.crt、client1.crt和client1.key三个文件拷贝到OpenVPN安装路径下的\config目录里。编辑配置文件client1.ovpn,内容参考模板里的client.conf。下面是我的客户端配置
client
dev tun 
proto udp 
remote 192.168.122.180 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
在win7下,以管理员身份运行OpenVPN GUI,点击连接按钮。一会,就可以看到连接成功的消息了。
0
0

查看评论
* 以上用户言论只代表其个人观点,不代表CSDN网站的观点或立场
    个人资料
    • 访问:342266次
    • 积分:3620
    • 等级:
    • 排名:第9327名
    • 原创:53篇
    • 转载:10篇
    • 译文:7篇
    • 评论:85条
    文章分类
    最新评论