Wednesday, March 30, 2011

OpenVPN setup process



This is written a bit messily; I just threw it together to play with, and it tested fine. Everyone had best get the server.conf and client.conf config files sorted out before building; that way you generally won't make mistakes.

OpenVPN setup and security settings. Environment: CentOS 5.5

1. Prepare the software:

    # wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gz
    # wget http://openvpn.net/release/openvpn-2.1_rc22.tar.gz

2. Install

Install lzo:

    tar xvzf lzo-2.04.tar.gz
    cd lzo-2.04
    ./configure --prefix=/usr/local/lzo
    make
    make check
    make test
    make install

Install OpenVPN:

    tar xvzf openvpn-2.1_rc22.tar.gz
    cd openvpn-2.1_rc22
    ln -s /usr/local/lzo/include/* /usr/include/
    ln -s /usr/local/lzo/lib/* /usr/lib/
    ./configure --prefix=/usr/local/openvpn
    make
    make install
    cp -r /root/vpn/openvpn-2.1_rc22/easy-rsa/2.0 /etc/openvpn
    cd /etc/openvpn

Edit the vars file:

    vim vars
    export KEY_COUNTRY=CN          # China
    export KEY_PROVINCE=JIANGSU    # province
    export KEY_CITY=SUZHOU         # city
    export KEY_ORG=vpn             # organizational unit
    export KEY_EMAIL=vpn@123.com   # email

Leave the rest at their defaults, save and exit.

Reload the variables:

    source vars

Clear all keys (run this only right after a fresh install):

    ./clean-all

Create the server-side CA certificate:

    ./build-ca

    [root@longray openvpn]# ./build-ca
    Generating a 1024 bit RSA private key
    .++++++
    ..............++++++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [JS]:
    Locality Name (eg, city) [SZ]:
    Organization Name (eg, company) [17U]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) [17U CA]:server
    Name []:
    Email Address [newyue01@163.com]:

Create the server key and certificate:

    ./build-key-server server

    [root@longray openvpn]# ./build-key-server server
    Generating a 1024 bit RSA private key
    ..++++++
    .........++++++
    writing new private key to 'server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [JS]:
    Locality Name (eg, city) [SZ]:
    Organization Name (eg, company) [17U]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) [server]:server
    Name []:
    Email Address [newyue01@163.com]:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:111111
    An optional company name []:111111
    Using configuration from /etc/openvpn/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'CN'
    stateOrProvinceName   :PRINTABLE:'JS'
    localityName          :PRINTABLE:'SZ'
    organizationName      :PRINTABLE:'17U'
    commonName            :PRINTABLE:'server'
    emailAddress          :IA5STRING:'newyue01@163.com'
    Certificate is to be certified until Mar 27 17:09:33 2021 GMT (3650 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

Create the key and certificate files needed by the client:

    ./build-key mark

    [root@longray openvpn]# ./build-key mark
    Generating a 1024 bit RSA private key
    .++++++
    ..........................................++++++
    writing new private key to 'mark.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [JS]:
    Locality Name (eg, city) [SZ]:
    Organization Name (eg, company) [17U]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) [mark]:mark
    Name []:
    Email Address [newyue01@163.com]:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:111111
    An optional company name []:111111
    Using configuration from /etc/openvpn/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'CN'
    stateOrProvinceName   :PRINTABLE:'JS'
    localityName          :PRINTABLE:'SZ'
    organizationName      :PRINTABLE:'17U'
    commonName            :PRINTABLE:'mark'
    emailAddress          :IA5STRING:'newyue01@163.com'
    Certificate is to be certified until Mar 27 17:12:17 2021 GMT (3650 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

Then generate the Diffie-Hellman parameters:

    ./build-dh

Create and edit the server-side config file, with the following contents:

    local <public IP address>
    port 11947
    proto udp
    dev tun
    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/server.crt
    key /etc/openvpn/keys/server.key # This file should be kept secret
    dh /etc/openvpn/keys/dh1024.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist /root/ipp.txt
    client-config-dir ccd
    route 10.8.0.0 255.255.255.252
    client-to-client
    keepalive 10 60
    comp-lzo
    user nobody
    group nobody
    persist-key
    persist-tun
    status openvpn-status.log
    verb 4
    # each push payload is quoted so OpenVPN reads it as one parameter
    push "redirect-gateway"
    push "dhcp-option DNS 10.8.0.1"
    push "dhcp-option DNS 8.8.8.8"
    script-security 3

Pack up the keys directory and download it to your local machine.

Firewall settings:

1. Enable IP forwarding. In /etc/sysctl.conf change

    net.ipv4.ip_forward = 0

to

    net.ipv4.ip_forward = 1

and apply it:

    # /sbin/sysctl -p

2. Set up NAT forwarding:

    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source 202.131.78.234
    service iptables save
    service iptables restart

Edit /etc/sysconfig/iptables and add the following two lines:

    -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 11947 -j ACCEPT
    -A RH-Firewall-1-INPUT -i tun0 -j ACCEPT

Save and restart:

    service iptables restart

Client: after downloading client.conf to your local machine, rename it client.ovpn and change its config to:

    client
    dev tun
    proto udp
    remote <public IP address> 11947
    resolv-retry infinite
    nobind
    user nobody
    group nobody
    persist-key
    persist-tun
    ca ca.crt
    cert mark.crt
    key mark.key
    ns-cert-type server
    comp-lzo
    verb 3
    redirect-gateway def1
    route-method exe
    route-delay 2

After saving, click Connect and it connects.

This article comes from the blog "Mark's Network Life"; please keep this attribution: http://newyue.blog.51cto.com/174760/530925
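As an added example (my own code, not part of the original post or of OpenVPN), the following POSIX shell function checks a server.conf like the one above before the daemon is started: it verifies that every ca/cert/key/dh path exists, that a multi-word push payload is quoted (OpenVPN takes the payload as a single parameter, so an unquoted `push dhcp-option DNS 8.8.8.8` is not read as intended), and that script-security is not raised to 3 when the config defines no script hooks. The function name and the list of hook directives it looks for are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an OpenVPN
# server.conf before starting the daemon. Prints one line per finding
# and returns the number of findings (0 = clean).
# Usage: lint_server_conf /etc/openvpn/server.conf
lint_server_conf() {
    conf=$1
    basedir=$(dirname "$conf")
    findings=0
    # Script hooks that would justify a raised script-security level
    # (the directive list is my own choice, not exhaustive).
    has_hooks=0
    grep -Eq '^[[:space:]]*(up|down|client-connect|client-disconnect|auth-user-pass-verify|learn-address|tls-verify|route-up)[[:space:]]' "$conf" && has_hooks=1
    while IFS= read -r line || [ -n "$line" ]; do
        # drop comments ('#' or ';') and surrounding whitespace
        line=$(printf '%s' "$line" | sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        [ -z "$line" ] && continue
        key=${line%%[[:space:]]*}
        rest=${line#"$key"}
        rest=${rest#"${rest%%[![:space:]]*}"}
        case "$key" in
            ca|cert|key|dh)
                path=${rest%%[[:space:]]*}
                case "$path" in /*) ;; *) path="$basedir/$path" ;; esac
                if [ ! -f "$path" ]; then
                    echo "$key: file not found: $path"
                    findings=$((findings + 1))
                fi
                ;;
            push)
                # a multi-word payload must be passed as one quoted parameter
                case "$rest" in
                    \"*\"|\'*\') ;;
                    *[[:space:]]*)
                        echo "push: payload must be quoted: $line"
                        findings=$((findings + 1))
                        ;;
                esac
                ;;
            script-security)
                level=${rest%%[[:space:]]*}
                # level 3 hands passwords to scripts via environment variables;
                # with no hook directives present it only widens the attack surface
                if [ "$level" -ge 3 ] && [ "$has_hooks" -eq 0 ]; then
                    echo "script-security $level set but no script hooks are configured"
                    findings=$((findings + 1))
                fi
                ;;
        esac
    done < "$conf"
    return "$findings"
}
```

Run it against the real server.conf once the keys directory is in place; a non-zero exit status means at least one finding was printed.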





Published by xFruits
Original source : http://www.vpn123.tk/?p=230...
