I recently needed to set up a VPN in a fairly locked-down network where only port 8090 is open, and only over TCP. PPTP is simple to install and use (see my earlier article "Setting up a PPTP VPN on an Ubuntu server", http://www.sijitao.net/1287.html), but this time PPTP would probably have meant a lot of fiddling, so in the end I went with OpenVPN.
Server side (non-bridge mode)
1. Install openvpn
apt-get install openvpn bridge-utils
2. Generate the certificate files
a. Copy the files
mkdir /etc/openvpn/easy-rsa/
cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
b. Edit /etc/openvpn/easy-rsa/vars
vi /etc/openvpn/easy-rsa/vars
Adjust the following settings to match your situation; the values can also be set arbitrarily.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL=me@myhost.mydomain
c. Set up the CA and create the server certificate
cd /etc/openvpn/easy-rsa/
chown -R root:admin . ## make this directory writable by the system administrators
chmod g+w . ## make this directory writable by the system administrators
source ./vars ## execute your new vars file
./clean-all ## Setup the easy-rsa directory (Deletes all keys)
./build-dh ## takes a while consider backgrounding
./pkitool --initca ## creates ca cert and key
./pkitool --server server ## creates a server cert and key
## If you get this error:
## "The correct version should have a comment that says: easy-rsa version 2.x"
## Try This:
## sudo ln -s openssl-1.0.0.cnf openssl.cnf
## Refer to: https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/998918
cd keys
openvpn --genkey --secret ta.key ## Build a TLS key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../
Check that all the required certificate files are now present in /etc/openvpn/.
3. Edit the server configuration file
vi /etc/openvpn/server.conf
You can modify it along the lines below; see the inline comments or the official documentation for what each option does. The template can also be copied from /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz and then edited.
;local a.b.c.d
port 8090
proto tcp
;proto udp
;dev tap
dev tun
;dev-node MyTap
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
;server 10.8.0.0 255.255.255.0
server 172.30.178.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway def1"
push "dhcp-option DNS 114.114.114.114"
;push "dhcp-option DNS 208.67.220.220"
client-to-client
duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret. Left disabled here; the ta.key built above only protects the TLS handshake if this line is enabled and the client uses "tls-auth ta.key 1"
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
log-append openvpn.log
verb 3
;mute 20
If you see the error WARN: could not open database for 4096 bits., run the following command.
touch /usr/share/openssl-blacklist/blacklist.RSA-4096
4. Server-side settings
Set up IP forwarding
iptables -t nat -A POSTROUTING -s 172.30.178.0/24 -o br0 -j MASQUERADE
Adjust the subnet and the interface name in this command to match your setup.
Edit /etc/sysctl.conf as follows
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
Reload /etc/sysctl.conf to apply the change: sysctl -p
Port forwarding
If openvpn is installed in a KVM guest on a NAT-type network, port forwarding needs to be configured as well, with the following commands.
iptables -D FORWARD 5 -t filter
iptables -D FORWARD 4 -t filter
iptables -t nat -A PREROUTING -p tcp --dport 8090 -j DNAT --to-destination 192.168.122.100:8090
iptables -t nat -A POSTROUTING -p tcp --dport 8090 -d 192.168.122.100 -j SNAT --to 192.168.122.1
Restart openvpn: /etc/init.d/openvpn restart
Client side
1. Generate the client certificate and key
cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
source ./vars ## execute the vars file
./pkitool client ## create a cert and key named "client"
## Note: if you get a 'TXT_DB error number 2' error you may need to specify
## a unique KEY_CN, for example: KEY_CN=client ./pkitool client
2. A reference client configuration file, Client.ovpn, is shown below
client
;dev tap
dev tun
;dev-node MyTap
proto tcp
;proto udp
remote 122.227.230.84 8090
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
;user nobody
;group nogroup
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
;mute 20
3. Assemble the client configuration files
Bundle the following files and place them in the config directory under the client's installation directory.
client.ovpn
ca.crt
client.crt
client.key
ta.key
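A consistency check for the server.conf and client.ovpn pair above, added here as an example rather than code from the original post or from OpenVPN. It parses both files the way OpenVPN reads them (a ';' or '#' starts a comment, quoted arguments stay whole) and flags the mismatches that silently break or weaken the tunnel: proto and port, tls-auth enabled on only one side or with the wrong key direction, ta.key bundled while tls-auth stays commented out, comp-lzo on one side only, and no cipher set at all. The trimmed sample configs and the hostname vpn.example.com are constructed for the example.

```python
import shlex

def _strip_comment(line):
    """Cut a trailing '#' or ';' comment, but not one sitting inside quotes."""
    out, quote = "", None
    for ch in line:
        if quote is None and ch in "#;":
            break
        quote = ch if quote is None and ch in "\"'" else (None if ch == quote else quote)
        out += ch
    return out.strip()

def parse_ovpn(text):
    """Map each active directive to the list of argument lists it was given with."""
    opts = {}
    for raw in text.splitlines():
        words = shlex.split(_strip_comment(raw))
        if words:
            opts.setdefault(words[0], []).append(words[1:])
    return opts

def check_pair(server_text, client_text, bundled=()):
    """Return findings for a server.conf / client.ovpn pair; [] means consistent."""
    s, c, out = parse_ovpn(server_text), parse_ovpn(client_text), []
    first = lambda o, k, d: o.get(k, [d])[0]  # first occurrence of k, else default d
    sproto, cproto = (first(x, "proto", ["udp"])[0].split("-")[0] for x in (s, c))
    if sproto != cproto:
        out.append(f"proto mismatch: server {sproto}, client {cproto}")
    sport, cport = first(s, "port", ["1194"])[0], (first(c, "remote", ["h"]) + ["1194"])[1]
    if sport != cport:
        out.append(f"port mismatch: server listens on {sport}, client dials {cport}")
    st, ct = s.get("tls-auth"), c.get("tls-auth")
    if st and ct and (st[0][1:2], ct[0][1:2]) != (["0"], ["1"]):
        out.append("tls-auth key direction must be 0 on the server and 1 on the client")
    elif bool(st) != bool(ct):
        out.append("tls-auth enabled on only one side; the handshake will fail")
    elif not st and "ta.key" in bundled:
        out.append("ta.key is shipped to the client but tls-auth is disabled on both sides")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        out.append("comp-lzo set on only one side")
    if s.get("cipher") != c.get("cipher"):
        out.append(f"cipher mismatch: server {s.get('cipher')}, client {c.get('cipher')}")
    elif "cipher" not in s:
        out.append("no cipher directive on either side; the build's default cipher applies")
    return out

# Constructed sample: the page's two files trimmed to the directives checked above.
SERVER_CONF = 'port 8090\nproto tcp\ndev tun\nkey server.key # keep secret\n;tls-auth ta.key 0\ncomp-lzo\n'
CLIENT_OVPN = 'client\ndev tun\nproto tcp\nremote vpn.example.com 8090\n;tls-auth ta.key 1\ncomp-lzo\n'
BUNDLE = ("client.ovpn", "ca.crt", "client.crt", "client.key", "ta.key")
```

Run against the page's own pair it reports exactly the two findings a reviewer would raise: ta.key is bundled but unused, and no cipher is pinned on either side.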
References:
1. https://help.ubuntu.com/community/OpenVPN
2. http://wuliyasutai.blog.51cto.com/1544421/1348521