OpenVPN server installation
Before building OpenVPN, install the following three development packages:
openssl-devel
lzo-devel
pam-devel
lzo-2.05.tar.gz download: http://www.oberhumer.com/opensource/lzo/download/
openvpn-2.1.4.tar.gz download: http://openvpn.net/index.php/open-source/downloads.html
Install lzo
tar zxvf lzo-2.05.tar.gz
cd lzo-2.05
./configure --prefix=/usr/local/lzo
make && make install
Install openvpn
tar zxvf openvpn-2.1.4.tar.gz
cd openvpn-2.1.4
./configure --prefix=/usr/local/openvpn --with-lzo-headers=/usr/local/lzo/include --with-lzo-lib=/usr/local/lzo/lib --with-ssl-headers=/usr/include/openssl --with-ssl-lib=/usr/lib
make && make install
Generate the CA certificate:
cd /openvpn-2.1.4/easy-rsa/2.0
source vars
./clean-all
./build-ca
./build-ca prompts for some information; pressing Enter at each prompt accepts the defaults.
Generate the server certificate and key ("server" is the name and can be changed):
./build-key-server server
This step also prompts for information; accept the defaults for the earlier prompts, answer y to "Sign the certificate? [y/n]:" and y again to "1 out of 1 certificate requests certified, commit? [y/n]".
Generate the client certificate and key ("client" is the name and can be changed; the name given to ./build-key must differ from the one given to ./build-key-server):
./build-key client
Accept the defaults for the earlier prompts, answer y to "Sign the certificate? [y/n]:" and y again to "1 out of 1 certificate requests certified, commit? [y/n]".
To generate further clients, run ./build-key followed by the name of the client you want to add.
The generated certificates and keys are stored under /etc/openvpn/easy-rsa/2.0/keys/.
Generate the Diffie-Hellman parameters:
./build-dh
Server configuration file
vi /usr/local/openvpn/etc/server.conf
port 1194
proto tcp
# Routed (tun) mode, matching the client; tap (bridged) is left commented out.
;dev tap
dev tun
ca /usr/local/openvpn/etc/keys/ca.crt
cert /usr/local/openvpn/etc/keys/server.crt
key /usr/local/openvpn/etc/keys/server.key # This file should be kept secret
dh /usr/local/openvpn/etc/keys/dh1024.pem
server 10.8.0.0 255.255.255.0 # VPN subnet (server address pool)
ifconfig-pool-persist ipp.txt
push "route 10.8.0.0 255.255.255.0" # routes pushed to clients
push "route 192.168.0.0 255.255.255.0" # routes pushed to clients
push "route 172.16.0.0 255.255.255.0" # routes pushed to clients
push "redirect-gateway" # see note 2 at the end of this page before leaving this enabled
push "dhcp-option DNS 8.8.8.8"
client-config-dir /usr/local/openvpn/etc/ccd # the ccd directory holds one file per client fixing that client's IP (e.g. ifconfig-push 10.8.0.10 10.8.0.11)
client-to-client
duplicate-cn # lets several clients connect with the same certificate; remove once every client has its own cert and key
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 4
Copy the generated certificates
Copy the following files into /usr/local/openvpn/etc/keys/:
ca.crt ca.key dh1024.pem server.crt server.csr server.key
(The server itself only reads ca.crt, server.crt, server.key and dh1024.pem. ca.key is the CA signing key and server.csr is only the signing request, so keep them out of any directory that gets copied to clients.)
Add openvpn to init.d (copy the script below into /etc/rc.d/init.d/openvpn):
#!/bin/sh
#
# openvpn       This shell script takes care of starting and stopping
#               openvpn on RedHat or other chkconfig-based system.
#
# chkconfig: 345 24 76
#
# description: OpenVPN is a robust and highly flexible tunneling application that
#              uses all of the encryption, authentication, and certification features
#              of the OpenSSL library to securely tunnel IP networks over a single
#              UDP port.
#
# Contributed to the OpenVPN project by
# Douglas Keller <[email protected]>
# 2002.05.15
# To install:
#   copy this file to /etc/rc.d/init.d/openvpn
#   shell> chkconfig --add openvpn
#   shell> mkdir /etc/openvpn
#   make .conf or .sh files in /etc/openvpn (see below)
# To uninstall:
#   run: chkconfig --del openvpn
# Author's Notes:
#
# I have created an /etc/init.d init script and enhanced openvpn.spec to
# automatically register the init script. Once the RPM is installed you
# can start and stop OpenVPN with "service openvpn start" and "service
# openvpn stop".
#
# The init script does the following:
#
# - Starts an openvpn process for each .conf file it finds in
#   /etc/openvpn.
#
# - If /etc/openvpn/xxx.sh exists for a xxx.conf file then it executes
#   it before starting openvpn (useful for doing openvpn --mktun...).
#
# - In addition to start/stop you can do:
#
#   service openvpn reload - SIGHUP
#   service openvpn reopen - SIGUSR1
#   service openvpn status - SIGUSR2
#
# Modifications:
#
# 2003.05.02
#   * Changed == to = for sh compliance (Bishop Clark).
#   * If condrestart|reload|reopen|status, check that we were
#     actually started (James Yonan).
#   * Added lock, piddir, and work variables (James Yonan).
#   * If start is attempted twice, without an intervening stop, or
#     if start is attempted when previous start was not properly
#     shut down, then kill any previously started processes, before
#     commencing new start operation (James Yonan).
#   * Do a better job of flagging errors on start, and properly
#     returning success or failure status to caller (James Yonan).
#
# 2005.04.04
#   * Added openvpn-startup and openvpn-shutdown script calls
#     (James Yonan).
#

# Location of openvpn binary
openvpn=""
openvpn_locations="/usr/sbin/openvpn /usr/local/openvpn/sbin/openvpn"
for location in $openvpn_locations
do
  if [ -f "$location" ]
  then
    openvpn=$location
  fi
done

# Lockfile
lock="/var/lock/subsys/openvpn"

# PID directory
piddir="/var/run/openvpn"

# Our working directory
work=/usr/local/openvpn/etc # change this to the directory that actually holds your .conf files

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
if [ "${NETWORKING}" = "no" ]
then
  echo "Networking is down"
  exit 0
fi

# Check that binary exists
if ! [ -f "$openvpn" ]
then
  echo "openvpn binary not found"
  exit 0
fi

# See how we were called.
case "$1" in
  start)
    echo -n $"Starting openvpn: "

    /sbin/modprobe tun >/dev/null 2>&1

    # From a security perspective, I think it makes
    # sense to remove this, and have users who need
    # it explicitly enable in their --up scripts or
    # firewall setups.

    #echo 1 > /proc/sys/net/ipv4/ip_forward

    # Run startup script, if defined
    if [ -f $work/openvpn-startup ]; then
      $work/openvpn-startup
    fi

    if [ ! -d $piddir ]; then
      mkdir $piddir
    fi

    if [ -f $lock ]; then
      # we were not shut down correctly
      for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
        if [ -s $pidf ]; then
          kill `cat $pidf` >/dev/null 2>&1
        fi
        rm -f $pidf
      done
      rm -f $lock
      sleep 2
    fi

    rm -f $piddir/*.pid
    cd $work

    # Start every .conf in $work and run .sh if exists
    errors=0
    successes=0
    for c in `/bin/ls *.conf 2>/dev/null`; do
      bn=${c%%.conf}
      if [ -f "$bn.sh" ]; then
        . $bn.sh
      fi
      rm -f $piddir/$bn.pid
      $openvpn --daemon --writepid $piddir/$bn.pid --config $c --cd $work
      if [ $? = 0 ]; then
        successes=1
      else
        errors=1
      fi
    done

    if [ $errors = 1 ]; then
      failure; echo
    else
      success; echo
    fi

    if [ $successes = 1 ]; then
      touch $lock
    fi
    ;;
  stop)
    echo -n $"Shutting down openvpn: "
    for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
      if [ -s $pidf ]; then
        kill `cat $pidf` >/dev/null 2>&1
      fi
      rm -f $pidf
    done

    # Run shutdown script, if defined
    if [ -f $work/openvpn-shutdown ]; then
      $work/openvpn-shutdown
    fi

    success; echo
    rm -f $lock
    ;;
  restart)
    $0 stop
    sleep 2
    $0 start
    ;;
  reload)
    if [ -f $lock ]; then
      for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
        if [ -s $pidf ]; then
          kill -HUP `cat $pidf` >/dev/null 2>&1
        fi
      done
    else
      echo "openvpn: service not started"
      exit 1
    fi
    ;;
  reopen)
    if [ -f $lock ]; then
      for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
        if [ -s $pidf ]; then
          kill -USR1 `cat $pidf` >/dev/null 2>&1
        fi
      done
    else
      echo "openvpn: service not started"
      exit 1
    fi
    ;;
  condrestart)
    if [ -f $lock ]; then
      $0 stop
      # avoid race
      sleep 2
      $0 start
    fi
    ;;
  status)
    if [ -f $lock ]; then
      for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
        if [ -s $pidf ]; then
          kill -USR2 `cat $pidf` >/dev/null 2>&1
        fi
      done
      echo "Status written to /var/log/messages"
    else
      echo "openvpn: service not started"
      exit 1
    fi
    ;;
  *)
    echo "Usage: openvpn {start|stop|restart|condrestart|reload|reopen|status}"
    exit 1
    ;;
esac
exit 0
Client installation
Install lzo
tar zxvf lzo-2.05.tar.gz
cd lzo-2.05
./configure --prefix=/usr/local/lzo
make && make install
Install openvpn
tar zxvf openvpn-2.1.4.tar.gz
cd openvpn-2.1.4
./configure --prefix=/usr/local/openvpn --with-lzo-headers=/usr/local/lzo/include --with-lzo-lib=/usr/local/lzo/lib --with-ssl-headers=/usr/include/openssl --with-ssl-lib=/usr/lib
make && make install
Configure the client
mkdir /usr/local/openvpn/etc/keys
vi /usr/local/openvpn/etc/client.conf (add the following)
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto tcp
;proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 192.168.23.126 1194 # server address
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca /usr/local/openvpn/etc/keys/ca.crt # CA certificate
cert /usr/local/openvpn/etc/keys/192.168.23.121.crt # this client's certificate
key /usr/local/openvpn/etc/keys/192.168.23.121.key # this client's private key
# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 4
# Silence repeating messages
;mute 20
Copy the certificate files generated on the server
Copy the following files generated on the server into /usr/local/openvpn/etc/keys on the client (the .crt and .key file names must match the cert and key directives in client.conf):
192.168.23.120.crt 192.168.23.120.csr 192.168.23.120.key ca.crt ca.key
Of these, the client only uses ca.crt and its own .crt and .key. ca.key is the CA signing key (whoever holds it can issue certificates the server will trust) and should stay on the CA machine, and the .csr is no longer needed once it has been signed.
Start the client
/usr/local/openvpn/sbin/openvpn --config /usr/local/openvpn/etc/client.conf
It can also be run as a service by adding a script under init.d.
Points to note
1. The server and client clocks must agree (certificate validity is checked against the local clock, so a large skew breaks the TLS handshake).
2. Comment out push "redirect-gateway" in the server configuration file; if it is left in, every route on the client points at the VPN.
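As an added check that is not part of the original post: the POSIX shell function below lints a server.conf for the pitfalls covered on this page, a directive given more than once (OpenVPN keeps only the last one, so dev tap followed by dev tun silently means tun), push "redirect-gateway" (note 2), a ca/cert/key/dh file that does not exist, and a key file readable by group or others. The function name and its messages are my own; it only needs sed, awk, sort, uniq and ls.

```shell
#!/bin/sh
# lint_openvpn_conf FILE: report config problems, return 0 when clean, 1 otherwise.
# Added example (not from the original post). Comments (# or ;) are stripped first,
# relative file paths are resolved against the config's own directory, mirroring
# the init script's --cd $work.
lint_openvpn_conf() {
    conf="$1"
    rc=0
    # Directive names only: drop comments and blank lines, keep the first word.
    names=$(sed -e 's/[#;].*$//' "$conf" | awk 'NF { print $1 }')
    # push/route/remote may legitimately repeat; anything else given twice is a mistake.
    for d in $(printf '%s\n' "$names" | sort | uniq -d); do
        case "$d" in
            push|route|remote) ;;
            *) echo "DUPLICATE: '$d' appears more than once; only the last one takes effect"; rc=1 ;;
        esac
    done
    # Default-route push (note 2): sends all client traffic through the VPN.
    if sed -e 's/#.*$//' "$conf" | grep -q '^[[:space:]]*push[[:space:]]*"redirect-gateway'; then
        echo "WARNING: push \"redirect-gateway\" routes all client traffic through the VPN"
        rc=1
    fi
    # PKI files must exist; the private key must not be group/other readable (mode 0600).
    dir=$(dirname "$conf")
    for kw in ca cert key dh; do
        f=$(sed -e 's/[#;].*$//' "$conf" | awk -v k="$kw" '$1 == k { print $2; exit }')
        [ -n "$f" ] || continue
        case "$f" in /*) ;; *) f="$dir/$f" ;; esac
        if [ ! -f "$f" ]; then
            echo "MISSING: $kw file $f"; rc=1
        elif [ "$kw" = key ] && [ "$(ls -l "$f" | cut -c5-10)" != "------" ]; then
            echo "INSECURE: $kw file $f is readable by group/others; chmod 600 it"; rc=1
        fi
    done
    return $rc
}
```

Run it as lint_openvpn_conf /usr/local/openvpn/etc/server.conf after editing the file and before starting the service.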
Reprinted from genius-shaobin.iteye.com/blog/1751214