CentOS 5 下 OpenVPN 和 Windows 下 OpenVPN GUI 安装笔记

Posted by zuzhihui in vps技术 on 2009/05/08 with 2 Comments

此笔记,基于 “程序员小辉”的安装笔记修改 ——————————————————————————————————————–

一. OpenVPN 安装环境

Server 端的环境

  1. CentOS, kernel版本: 2.6.18, IP 为 221.233.59.16(ADSL拨号)
  2. kernel 需要支持 tun 设备, 需要加载 iptables 模块.
  3. 安装的 OpenVPN 的版本: 2.1.rc15.(目前最新版 可在http://openvpn.net 上下载).

Client 端的环境:

  1. Windows XP SP2
  2. openvpn-2.1_rc15-install.exe(此版本集成了 OpenVPN GUI 客户端)

二. OpenVPN 服务端安装过程

    1. 用putty登录到CentOS
    2. 下载LZO和OpenVPN 2.1.rc15
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz
wget http://openvpn.net/release/openvpn-2.1_rc15.tar.gz
yum install -y openssl-devel
    1. 安装LZO和OpenVPN
tar zxvf lzo-2.03.tar.gz
cd lzo-2.03
./configure
make
make install
cd ..
tar zxvf openvpn-2.1_rc15.tar.gz
cd openvpn-2.1_rc15
./configure
make
make install
cd ..
cp /root/openvpn-2.1_rc15/easy-rsa/ -r /etc/openvpn
    1. 生成证书

初始化PKI

cd /etc/openvpn/2.0/#可以设置下OpenVPN参数(也可以修改vars文件来配置)
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=GD
export KEY_CITY=SZ
export KEY_ORG="dvdmaster"
export KEY_EMAIL="support@cooldvd.com"
#也可以不用设置直接执行下面的命令
. vars

创建证书颁发机构(CA)

./clean-all
./build-ca

Generating a 1024 bit RSA private key
................      
........      
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [dvdmaster]:
Organizational Unit Name (eg, section) []:dvdmaster
Common Name (eg, your name or your server's hostname) []:server
Email Address [support@cooldvd.com]:

建立server key

./build-key-server server

Generating a 1024 bit RSA private key
......      
....................      
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [dvdmaster]:
Organizational Unit Name (eg, section) []:dvdmaster
Common Name (eg, your name or your server's hostname) []:server
Email Address [support@cooldvd.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:dvdmaster
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           ::'CN'
stateOrProvinceName   ::'GD'
localityName          ::'SZ'
organizationName      ::'dvdmaster'
organizationalUnitName::'dvdmaster'
commonName            ::'server'
emailAddress          ::'support@cooldvd.com'
Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

生成客户端 key

./build-key client1
Generating a 1024 bit RSA private key
.....      
......      
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [dvdmaster]:
Organizational Unit Name (eg, section) []:dvdmaster
Common Name (eg, your name or your server's hostname) []:client1 #重要: 每个不同的client 生成的证书, 名字必须不同.
Email Address [support@cooldvd.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:dvdmaster
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           ::'CN'
stateOrProvinceName   ::'GD'
localityName          ::'SZ'
organizationName      ::'dvdmaster'
organizationalUnitName::'dvdmaster'
commonName            ::'client1'
emailAddress          ::'support@cooldvd.com'
Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

以此类推建立其他客户端 key

./build-key client2
./build-key client3

注意在进入 Common Name (eg, your name or your server’s hostname) []: 的输入时, 每个证书输入的名字必须不同.

  • 生成Diffie Hellman参数

./build-dh

  • 将 keys 下的所有文件打包下载到本地(可以通过winscp,http,ftp等等……)

tar zcvf yskeys.tar.gz keys/

  • 创建服务端配置文件

mkdir /etc/openvpn/2.0/conf
cp /root/openvpn-2.1_rc15/sample-config-files/server.conf /etc/openvpn/2.0/conf/server.conf

服务端配置文件(server.conf)样例

port 1194

proto udp

dev tun

ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/ovpnser.crt
key /etc/openvpn/2.0/keys/ovpnser.key  # This file should be kept secret

dh /etc/openvpn/2.0/keys/dh1024.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 202.103.44.150" #客户端获得的DNS地址
push "dhcp-option DNS 202.103.24.68" #客户端获得的DNS地址

client-to-client

keepalive 10 120

comp-lzo

user nobody
group nobody

persist-key
persist-tun

status openvpn-status.log

verb 3

  • 启动OpenVPN

/usr/local/sbin/openvpn --config /etc/openvpn/2.0/conf/server.conf &

三. OpenVPN GUI For Windows 客户端安装过程

    1. 下载 openvpn-2.1_rc15-install.exe(此版本集成 OpenVPN  GUI)

官方下载地址:http://openvpn.net/release/openvpn-2.1_rc15-install.exe

  • 依屏幕指示安装OpenVPN GUI
  • 配置 openvpn gui

将上面第6步打包的yskeys.tar.gz中的下列证书文件解压到 你的OpenVPN GUI安装路径\OpenVPN\config文件夹下

ca.crt
ca.key
client1.crt
client1.csr
client1.key

  • 修改client.ovpn

把你的OpenVPN GUI安装路径\OpenVPN\sample-config下的client.ovpn文件复制到你的OpenVPN GUI安装路径\OpenVPN\config文件夹下,用记事本打开client.ovpn

#找到remote my-server-1 1194,把my-server-1改成你的ip地址
remote 221.233.59.16 1194

  • 双击 client.ovpn 即可启动 openvpn, 或者通过 OpenVPN GUI 的控制启动 VPN.

三. OpenVPN 访问外网的设置

    1. 开启CentOS 5 的路由转发功能
echo 1 > /proc/sys/net/ipv4/ip_forward
#为了使CentOS重启后仍然开启路由转发功能我们需要再执行下列命令
sysctl -w net.ipv4.ip_forward=1
    1. 添加iptables转发规则
#因为我那天CentOS是ADSL拨号上网,所以把出口设置成ppp0,请根据实际情况设置
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ppp0 -j MASQUERADE
    1. 必须保证server.conf配置中,有下面三个配置
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 202.103.44.150" #客户端获得的DNS地址
push "dhcp-option DNS 202.103.24.68" #客户端获得的DNS地址

当 client 连接成功后, 在 cmd 下执行 ipconfig /all, 应该有这类似这样的输出:

Ethernet adapter 本地连接 2:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : TAP-Win32 Adapter V9
        Physical Address. . . . . . . . . : 00-FF-F2-1A-44-BD
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.8.0.6
        Subnet Mask . . . . . . . . . . . : 255.255.255.252
        Default Gateway . . . . . . . . . : 10.8.0.5
        DHCP Server . . . . . . . . . . . : 10.8.0.5
        DNS Servers . . . . . . . . . . . : 10.8.0.1
                                            202.103.44.150
                                            202.103.24.68
        Lease Obtained. . . . . . . . . . : 2009年5月8日 23:55:06
        Lease Expires . . . . . . . . . . : 2010年5月8日 23:55:06

四. 设置 OpenVPN 服务器 reboot后自动启动 openvpn

执行

vi /etc/rc.local

然后在最后面加入此行:

/usr/local/sbin/openvpn --config /etc/openvpn/2.0/conf/server.conf &

五.OpenVPN 测试

连接成功之后,去ip138.com上看看外网ip是多少,如果是CentOS系统的外网ip那说明测试成功了~

标签:,

2 Comments

lingkingno101 on 2012/12/07  · 

其他部分都顺利通过 但是在最后启动时遇到

Cannot load certificate file /etc/openvpn/2.0/keys/ovpnser.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib

./clean-all以后在key文件夹下就已经没有该文件,请问怎么能生成呢?

basdkt on 2016/01/12  · 

How Long Xanax Stays In Software Buy Xanax Online Without Rx Xanax And Drug Test Results order alprazolam online. Xanax And Pepcid Ac Xanax Legal In Canada Mylan A4 Xanax No Prescription Overnight Doctor Consultation Xanax Addiction Moe Medical_authorities . Flexeril Xanax Side Effects Xanax Hangover Symptoms . Circuit From Klonopin To Xanax Xanax Fatal Withdrawal Symptoms Rush Limbaugh Xanax Xanax Dosage Addiction Xanax Metabolism Panic Disorder Xanax Tramadol Panic Disorder

Leave a Comment

Back to Top

2007-2013 © 北京瑞豪开源科技有限公司 京ICP备13004995号-2