OpenVPN installation and configuration on CentOS 6

Original article, 30 March 2012, 17:23:04

1. Environment

1.1. Server environment

CentOS 6, kernel version 2.6.32-71.el6
IP 192.168.122.180; tunnel IP 10.8.0.1

The kernel must support the tun device, and iptables must be loaded.
Check whether the tun module is available:

# modinfo tun

filename:       /lib/modules/2.6.32-71.el6.i686/kernel/drivers/net/tun.ko
alias:          char-major-10-200
license:        GPL
author:         (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
description:    Universal TUN/TAP device driver
srcversion:     7D2AAEF89C71C83BBFFA0DE
depends:       
vermagic:       2.6.32-71.el6.i686 SMP mod_unload modversions 686

1.2. Client environment

Windows 7 host, IP 192.168.122.29

2. Installation

2.1. Linux

OpenVPN cannot currently be installed directly with yum. The official site provides an RPM package that can be downloaded directly; this RPM depends on:

  • openssl
  • lzo
  • pam

In addition, if we compile the source package ourselves, the corresponding development packages of the above libraries are also required:

  • openssl-devel
  • lzo-devel
  • pam-devel

Fortunately, all of these dependencies can be installed directly with yum.

Here we build from source. Once all the dependencies listed above are installed, download the latest source package from http://openvpn.net/index.php/open-source/downloads.html and unpack it:

#tar xfz openvpn-[version].tar.gz

Then change into the top-level directory of the source tree and run the usual three-step build and install:

#./configure
#make
#make install

2.2. Windows

Download the latest installer from http://openvpn.net/index.php/open-source/downloads.html and double-click it to install.

3. Certificates and key files

Because my environment uses Linux as the server, the certificates are also generated on Linux.

If OpenVPN was installed from the RPM package, the easy-rsa directory is usually under /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn-version; if OpenVPN was built from source, easy-rsa is in the top-level directory of the source tree. (Before editing anything, it is best to copy the whole easy-rsa directory somewhere else, such as /etc/openvpn, so that a later OpenVPN upgrade does not overwrite your configuration.)

First copy easy-rsa to /etc/openvpn:

#mkdir -p /etc/openvpn
#cp -R easy-rsa /etc/openvpn
#cd /etc/openvpn/easy-rsa/2.0

3.1. CA file

Open the vars file in your preferred editor and change the following variables to match your situation:

export KEY_COUNTRY="CN"
export KEY_PROVINCE="CA"
export KEY_CITY="HZ"
export KEY_ORG="MY_ORG"
export KEY_EMAIL="yetyongjin#163.com"

Configure openssl: depending on the openssl version installed on the system, copy the matching openssl-version.cnf file to a file named openssl.cnf, or create a symbolic link:

# rpm -q openssl
openssl-1.0.0-20.el6_2.2.i686
# cp openssl-1.0.0.cnf openssl.cnf

Then run the following commands:

#. ./vars
#./clean-all
#./build-ca server

Note that the first command contains two dots: ". ./vars" sources the file into the current shell, so the exported variables are visible to the scripts that follow.

Output:

Generating a 1024 bit RSA private key
.++++++
......................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [HZ]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:
Name [changeme]:
Email Address [mail@host.domain]:

3.2. Generate the server key

# ./build-key-server server

Here "server" is the name label given on the command line; if it is omitted, you are prompted for it during the run.

Generating a 1024 bit RSA private key
.....++++++
.................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [HZ]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [server]:
Name [changeme]:
Email Address [mail@host.domain]:
  
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'HZ'
organizationName      :PRINTABLE:'HZ'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Mar 28 03:05:21 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
  
  
  1 out of 1 certificate requests certified, commit? [y/n]y
  Write out database with 1 new entries
Data Base Update
Note that the box above contains interactive prompts. The defaults are usually fine, but the answers at the two signing prompts (the "y" entries shown above) must be typed in.

3.3. Generate the client key

# ./build-key client1

Here client1 is the client's name; if there are several clients, a separate key must be generated for each of them.
Generating a 1024 bit RSA private key
...++++++
...............++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [HZ]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [client1]:
Name [changeme]:
Email Address [mail@host.domain]:
  
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'HZ'
organizationName      :PRINTABLE:'HZ'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'client1'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Mar 28 03:21:06 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
  
  
  1 out of 1 certificate requests certified, commit? [y/n]y
  Write out database with 1 new entries
Data Base Updated
Note that the box above contains interactive prompts. The defaults are usually fine, but the answers at the two signing prompts (the "y" entries shown above) must be typed in.

3.4. Generate the Diffie-Hellman parameters

This step is needed on the server side and can take quite a while:
#./build-dh

3.5. File descriptions

At this point we have created the complete set of keys and certificates. They are stored in a subdirectory named keys under the easy-rsa directory. The table below briefly describes each file:

Filename       Needed By                  Purpose                     Secret
ca.crt         server + all clients       Root CA certificate         NO
ca.key         key signing machine only   Root CA key                 YES
dh{n}.pem      server only                Diffie Hellman parameters   NO
server.crt     server only                Server Certificate          NO
server.key     server only                Server Key                  YES
client1.crt    client1 only               Client1 Certificate         NO
client1.key    client1 only               Client1 Key                 YES

Finally, download the keys directory, since the client needs some of these files (the ones it needs are listed in section 4.2).

4. Configuration

OpenVPN ships with configuration-file templates; edit the needed options to match your situation. The templates are located in:
  • the sample-config-files subdirectory of the OpenVPN source tree
  • for the RPM package, the sample-config-files subdirectory under /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn-version

4.1. Server

Edit /etc/sysctl.conf, find net.ipv4.ip_forward = 0, change it to net.ipv4.ip_forward = 1 and save. Then run:
#sysctl -p

Add the routing rule (an iptables SNAT rule):
#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 192.168.122.180
Note: replace the final 192.168.122.180 with your VPS's IP address.
When done, save the iptables settings with /etc/init.d/iptables save and then restart with /etc/init.d/iptables restart.

Copy the keys directory to /etc/openvpn.
Copy server.conf from the templates to /etc/openvpn and edit it to match your situation. Here is my configuration:
local 192.168.122.180
port 1194
proto udp 
dev tun 
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 202.101.172.35"
client-to-client
keepalive 10 120 
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4

Start OpenVPN:
#openvpn --config /etc/openvpn/server.conf &

4.2. Client

Open the downloaded keys folder and copy the three files ca.crt, client1.crt and client1.key into the \config directory under the OpenVPN installation path. Create the configuration file client1.ovpn, using client.conf from the templates as a reference. Here is my client configuration:
client
dev tun 
proto udp 
remote 192.168.122.180 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
On Windows 7, run OpenVPN GUI as administrator and click Connect. After a moment the connection-successful message appears.
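As an added example that is not part of the original post, the following POSIX shell function sanity-checks a server.conf or client .ovpn of the kind shown in 4.1 and 4.2 before the daemon is started: every ca/cert/key/dh file it references must exist, private keys must not be readable by group or others (server.key and client1.key are marked secret in the table of 3.5), push lines must have balanced quotes (an easy mistake when editing), and a client config must carry "ns-cert-type server" (or its newer equivalent "remote-cert-tls server"), without which the client would accept any certificate signed by the same CA, including another client's, as the server. The function name, the use of GNU stat -c for the permission check, and the sample configs are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check for an OpenVPN
# server.conf or client .ovpn. Prints each finding and returns the number of
# findings (0 = clean). Assumes GNU stat (-c %a) for the permission check.
check_ovpn_conf() {
    conf="$1"
    dir=$(dirname "$conf")          # relative ca/cert/key paths resolve here
    problems=0
    is_client=0
    grep -Eq '^client[[:space:]]*$' "$conf" && is_client=1   # not client-to-client
    while read -r directive arg rest; do
        case "$directive" in
            ca|cert|key|dh)
                path="$arg"
                case "$path" in /*) ;; *) path="$dir/$path" ;; esac
                if [ ! -f "$path" ]; then
                    echo "$directive: $path does not exist"
                    problems=$((problems + 1))
                elif [ "$directive" = key ] && [ "$(stat -c %a "$path")" != 600 ]; then
                    echo "key: $path is mode $(stat -c %a "$path"), expected 600"
                    problems=$((problems + 1))
                fi
                ;;
            push)
                # an unterminated quote (push "dhcp-option DNS 1.2.3.4) is rejected
                # by OpenVPN's option parser; count the double quotes on the line
                line="$arg $rest"
                quotes=$(printf '%s' "$line" | tr -cd '"' | wc -c)
                if [ $((quotes % 2)) -ne 0 ]; then
                    echo "push: unbalanced quotes in: $line"
                    problems=$((problems + 1))
                fi
                ;;
        esac
    done < "$conf"
    # Without this a client trusts any CA-signed certificate as the server.
    if [ "$is_client" -eq 1 ] && ! grep -Eq '^(ns-cert-type|remote-cert-tls) server' "$conf"; then
        echo "client config has no server certificate check (ns-cert-type server)"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Usage: sh check_ovpn.sh /etc/openvpn/server.conf
if [ $# -gt 0 ]; then
    check_ovpn_conf "$1"
fi
```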
