Posted by zuzhihui in vps技术 on 2009/05/08 with 1 Comment
此笔记,基于 “程序员小辉”的安装笔记修改 ——————————————————————————————————————–
Server 端的环境
Client 端的环境:
二. OpenVPN 服务端安装过程
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2. 03.tar.gz wget http://openvpn.net/release/openvpn-2.1_rc15.tar.gz
yum install -y openssl-devel
tar zxvf lzo-2.03.tar.gz
cd lzo-2.03
./configure
make
make install
cd ..
tar zxvf openvpn-2.1_rc15.tar.gz
cd openvpn-2.1_rc15
./configure
make
make install
cd ..
cp /root/openvpn-2.1_rc15/easy-rsa/ -r /etc/openvpn
初始化PKI
cd /etc/openvpn/2.0/#可以设置下OpenVPN参数(也可以修改vars文件来配置)
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=GD
export KEY_CITY=SZ
export KEY_ORG="dvdmaster"
export KEY_EMAIL="support@cooldvd.com"
#也可以不用设置直接执行下面的命令
. vars
创建证书颁发机构(CA)
./clean-all
./build-ca
Generating a 1024 bit RSA private key
................
........
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [dvdmaster]:
Organizational Unit Name (eg, section) []:dvdmaster
Common Name (eg, your name or your server's hostname) []:server
Email Address [support@cooldvd.com]:
建立server key
./build-key-server server
Generating a 1024 bit RSA private key
......
....................
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [dvdmaster]:
Organizational Unit Name (eg, section) []:dvdmaster
Common Name (eg, your name or your server's hostname) []:server
Email Address [support@cooldvd.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:dvdmaster
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName ::'CN'
stateOrProvinceName ::'GD'
localityName ::'SZ'
organizationName ::'dvdmaster'
organizationalUnitName::'dvdmaster'
commonName ::'server'
emailAddress ::'support@cooldvd.com'
Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
生成客户端 key
./build-key client1
Generating a 1024 bit RSA private key
.....
......
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [dvdmaster]:
Organizational Unit Name (eg, section) []:dvdmaster
Common Name (eg, your name or your server's hostname) []:client1 #重要: 每个不同的client 生成的证书, 名字必须不同.
Email Address [support@cooldvd.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:dvdmaster
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName ::'CN'
stateOrProvinceName ::'GD'
localityName ::'SZ'
organizationName ::'dvdmaster'
organizationalUnitName::'dvdmaster'
commonName ::'client1'
emailAddress ::'support@cooldvd.com'
Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
以此类推建立其他客户端 key
./build-key client2
./build-key client3
注意在进入 Common Name (eg, your name or your server’s hostname) []: 的输入时, 每个证书输入的名字必须不同.
./build-dh
tar zcvf yskeys.tar.gz keys/
mkdir /etc/openvpn/2.0/conf
cp /root/openvpn-2.1_rc15/sample-config-files/server.conf /etc/openvpn/2.0/conf/server.conf
服务端配置文件(server.conf)样例
port 1194
proto udp
dev tun
ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/ovpnser.crt
key /etc/openvpn/2.0/keys/ovpnser.key # This file should be kept secret
dh /etc/openvpn/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 202.103.44.150" #客户端获得的DNS地址
push "dhcp-option DNS 202.103.24.68" #客户端获得的DNS地址
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
/usr/local/sbin/openvpn --config /etc/openvpn/2.0/conf/server.conf &
三. OpenVPN GUI For Windows 客户端安装过程
官方下载地址:http://openvpn.net/release/openvpn-2.1_rc15-install.exe
将上面第6步打包的yskeys.tar.gz中的下列证书文件解压到 你的OpenVPN GUI安装路径\OpenVPN\config文件夹下
ca.crt
ca.key
client1.crt
client1.csr
client1.key
把你的OpenVPN GUI安装路径\OpenVPN\sample-config下的client.ovpn文件复制到你的OpenVPN GUI安装路径\OpenVPN\config文件夹下,用记事本打开client.ovpn
#找到remote my-server-1 1194,把my-server-1改成你的ip地址
remote 221.233.59.16 1194
三. OpenVPN 访问外网的设置
echo 1 > /proc/sys/net/ipv4/ip_forward
#为了使CentOS重启后仍然开启路由转发功能我们需要再执行下列命令
sysctl -w net.ipv4.ip_forward=1
#因为我那天CentOS是ADSL拨号上网,所以把出口设置成ppp0,请根据实际情况设置
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ppp0 -j MASQUERADE
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 202.103.44.150" #客户端获得的DNS地址
push "dhcp-option DNS 202.103.24.68" #客户端获得的DNS地址
当 client 连接成功后, 在 cmd 下执行 ipconfig /all, 应该有这类似这样的输出:
Ethernet adapter 本地连接 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Win32 Adapter V9
Physical Address. . . . . . . . . : 00-FF-F2-1A-44-BD
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.8.0.6
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . : 10.8.0.5
DHCP Server . . . . . . . . . . . : 10.8.0.5
DNS Servers . . . . . . . . . . . : 10.8.0.1
202.103.44.150
202.103.24.68
Lease Obtained. . . . . . . . . . : 2009年5月8日 23:55:06
Lease Expires . . . . . . . . . . : 2010年5月8日 23:55:06
执行
vi /etc/rc.local
然后在最后面加入此行:
/usr/local/sbin/openvpn --config /etc/openvpn/2.0/conf/server.conf &
连接成功之后,去ip138.com上看看外网ip是多少,如果是CentOS系统的外网ip那说明测试成功了~
要发表评论,您必须先登录。
lingkingno101 on 2012/12/07 ·
其他部分都顺利通过 但是在最后启动时遇到
Cannot load certificate file /etc/openvpn/2.0/keys/ovpnser.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
./clean-all以后在key文件夹下就已经没有该文件,请问怎么能生成呢?