• 欢迎访问MACD实战投资网站,推荐使用最新版谷歌Chrome浏览器访问本网站,关注公众号 丁火甲木庚金 www.macd11.com/subscriptions

CentOS 5.5下OpenVPN和Windows下OpenVPN GUI安装笔记

未分类 丁火 15年前 (2010-05-27) 2110次浏览 0个评论

此笔记,基于 “程序员小辉”的安装笔记修改 ——————————————————————————————————————–

一. OpenVPN 安装环境

    Server 端的环境
  1. CentOS, kernel版本: 2.6.18, IP 为 221.233.59.16(ADSL拨号)
  2. kernel 需要支持 tun 设备, 需要加载 iptables 模块.
  3. 安装的 OpenVPN 的版本: 2.1.rc15.(目前最新版 可在http://openvpn.net 上下载).
    Client 端的环境:
  1. Windows XP SP2
  2. openvpn-2.1_rc15-install.exe(此版本集成了 OpenVPN GUI 客户端)

二. OpenVPN 服务端安装过程

  1. 用putty登录到CentOS
  2. 下载LZO和OpenVPN 2.1.rc15
    wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz
    wget http://openvpn.net/release/openvpn-2.1_rc15.tar.gz
    yum install -y openssl-devel
  3. 安装LZO和OpenVPN
    tar zxvf lzo-2.03.tar.gz
    cd lzo-2.03
    ./configure
    make
    make install
    cd ..
    tar zxvf openvpn-2.1_rc15.tar.gz
    cd openvpn-2.1_rc15
    ./configure
    make
    make install
    cd ..
    cp /root/openvpn-2.1_rc15/easy-rsa/ -r /etc/openvpn
    
  4. 生成证书初始化PKI
    cd /etc/openvpn/2.0/#可以设置下OpenVPN参数(也可以修改vars文件来配置)
    export D=`pwd`
    export KEY_CONFIG=$D/openssl.cnf
    export KEY_DIR=$D/keys
    export KEY_SIZE=1024
    export KEY_COUNTRY=CN
    export KEY_PROVINCE=GD
    export KEY_CITY=SZ
    export KEY_ORG="dvdmaster"
    export KEY_EMAIL="support@cooldvd.com"
    #也可以不用设置直接执行下面的命令
    . vars
    

    创建证书颁发机构(CA)

    ./clean-all
    ./build-ca
    
    Generating a 1024 bit RSA private key
    ................++++++
    ........++++++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [GD]:
    Locality Name (eg, city) [SZ]:
    Organization Name (eg, company) [dvdmaster]:
    Organizational Unit Name (eg, section) []:dvdmaster
    Common Name (eg, your name or your server's hostname) []:server
    Email Address [support@cooldvd.com]:
    

    建立server key

    ./build-key-server server
    
    Generating a 1024 bit RSA private key
    ......++++++
    ....................++++++
    writing new private key to 'server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [GD]:
    Locality Name (eg, city) [SZ]:
    Organization Name (eg, company) [dvdmaster]:
    Organizational Unit Name (eg, section) []:dvdmaster
    Common Name (eg, your name or your server's hostname) []:server
    Email Address [support@cooldvd.com]:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:abcd1234
    An optional company name []:dvdmaster
    Using configuration from /etc/openvpn/2.0/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'CN'
    stateOrProvinceName   :PRINTABLE:'GD'
    localityName          :PRINTABLE:'SZ'
    organizationName      :PRINTABLE:'dvdmaster'
    organizationalUnitName:PRINTABLE:'dvdmaster'
    commonName            :PRINTABLE:'server'
    emailAddress          :IA5STRING:'support@cooldvd.com'
    Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)
    Sign the certificate? [y/n]:y
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    

    生成客户端 key

    ./build-key client1
    Generating a 1024 bit RSA private key
    .....++++++
    ......++++++
    writing new private key to 'client1.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [GD]:
    Locality Name (eg, city) [SZ]:
    Organization Name (eg, company) [dvdmaster]:
    Organizational Unit Name (eg, section) []:dvdmaster
    Common Name (eg, your name or your server's hostname) []:client1 #重要: 每个不同的client 生成的证书, 名字必须不同.
    Email Address [support@cooldvd.com]:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:abcd1234
    An optional company name []:dvdmaster
    Using configuration from /etc/openvpn/2.0/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'CN'
    stateOrProvinceName   :PRINTABLE:'GD'
    localityName          :PRINTABLE:'SZ'
    organizationName      :PRINTABLE:'dvdmaster'
    organizationalUnitName:PRINTABLE:'dvdmaster'
    commonName            :PRINTABLE:'client1'
    emailAddress          :IA5STRING:'support@cooldvd.com'
    Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
    Sign the certificate? [y/n]:y
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    

    以此类推建立其他客户端 key

    ./build-key client2
    ./build-key client3
    

    注意在进入 Common Name (eg, your name or your server’s hostname) []: 的输入时, 每个证书输入的名字必须不同.

  5. 生成Diffie Hellman参数
    ./build-dh
    
  6. 将 keys 下的所有文件打包下载到本地(可以通过winscp,http,ftp等等……)
    tar zcvf yskeys.tar.gz keys/
    
  7. 创建服务端配置文件
    mkdir /etc/openvpn/2.0/conf
    cp /root/openvpn-2.1_rc15/sample-config-files/server.conf /etc/openvpn/2.0/conf/server.conf
    

    服务端配置文件(server.conf)样例

    port 1194
    
    proto udp
    
    dev tun
    
    ca /etc/openvpn/2.0/keys/ca.crt
    cert /etc/openvpn/2.0/keys/ovpnser.crt
    key /etc/openvpn/2.0/keys/ovpnser.key  # This file should be kept secret
    
    dh /etc/openvpn/2.0/keys/dh1024.pem
    
    server 10.8.0.0 255.255.255.0
    
    ifconfig-pool-persist ipp.txt
    
    push "redirect-gateway def1 bypass-dhcp"
    
    push "dhcp-option DNS 10.8.0.1"
    push "dhcp-option DNS 202.103.44.150" #客户端获得的DNS地址
    push "dhcp-option DNS 202.103.24.68" #客户端获得的DNS地址
    
    client-to-client
    
    keepalive 10 120
    
    comp-lzo
    
    user nobody
    group nobody
    
    persist-key
    persist-tun
    
    status openvpn-status.log
    
    verb 3
    
  8. 启动OpenVPN
    /usr/local/sbin/openvpn --config /etc/openvpn/2.0/conf/server.conf &
    

三. OpenVPN GUI For Windows 客户端安装过程

  1. 下载 openvpn-2.1_rc15-install.exe(此版本集成 OpenVPN  GUI)官方下载地址:http://openvpn.net/release/openvpn-2.1_rc15-install.exe
  2. 依屏幕指示安装OpenVPN GUI
  3. 配置 openvpn gui将上面第6步打包的yskeys.tar.gz中的下列证书文件解压到 你的OpenVPN GUI安装路径\OpenVPN\config文件夹下
    ca.crt
    ca.key
    client1.crt
    client1.csr
    client1.key
    
  4. 修改client.ovpn把你的OpenVPN GUI安装路径\OpenVPN\sample-config下的client.ovpn文件复制到你的OpenVPN GUI安装路径\OpenVPN\config文件夹下,用记事本打开client.ovpn
    #找到remote my-server-1 1194,把my-server-1改成你的ip地址
    remote 221.233.59.16 1194
    
  5. 双击 client.ovpn 即可启动 openvpn, 或者通过 OpenVPN GUI 的控制启动 VPN.

三. OpenVPN 访问外网的设置

  1. 开启CentOS 5 的路由转发功能
    echo 1 > /proc/sys/net/ipv4/ip_forward
    #为了使CentOS重启后仍然开启路由转发功能我们需要再执行下列命令
    sysctl -w net.ipv4.ip_forward=1
    
  2. 添加iptables转发规则
    #因为我那天CentOS是ADSL拨号上网,所以把出口设置成ppp0,请根据实际情况设置
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ppp0 -j MASQUERADE
    
  3. 必须保证server.conf配置中,有下面三个配置
    push "dhcp-option DNS 10.8.0.1"
    push "dhcp-option DNS 202.103.44.150" #客户端获得的DNS地址
    push "dhcp-option DNS 202.103.24.68" #客户端获得的DNS地址
    

    当 client 连接成功后, 在 cmd 下执行 ipconfig /all, 应该有这类似这样的输出:

    Ethernet adapter 本地连接 2:
    
            Connection-specific DNS Suffix  . :
            Description . . . . . . . . . . . : TAP-Win32 Adapter V9
            Physical Address. . . . . . . . . : 00-FF-F2-1A-44-BD
            Dhcp Enabled. . . . . . . . . . . : Yes
            Autoconfiguration Enabled . . . . : Yes
            IP Address. . . . . . . . . . . . : 10.8.0.6
            Subnet Mask . . . . . . . . . . . : 255.255.255.252
            Default Gateway . . . . . . . . . : 10.8.0.5
            DHCP Server . . . . . . . . . . . : 10.8.0.5
            DNS Servers . . . . . . . . . . . : 10.8.0.1
                                                202.103.44.150
                                                202.103.24.68
            Lease Obtained. . . . . . . . . . : 2009年5月8日 23:55:06
            Lease Expires . . . . . . . . . . : 2010年5月8日 23:55:06

四. 设置 OpenVPN 服务器 reboot后自动启动 openvpn

执行

vi /etc/rc.local

然后在最后面加入此行:

/usr/local/sbin/openvpn --config /etc/openvpn/2.0/conf/server.conf &

五.OpenVPN 测试

连接成功之后,去www.ip138.com上看看外网ip是多少,如果是CentOS系统的外网ip那说明测试成功了~




macd11.com 和 丁火甲木庚金 公众号版权所有丨如未注明 , 均为原创丨转载请注明原文链接。
喜欢 (0)
[sp91@qq.com]
分享 (0)

您必须 登录 才能发表评论!