ubuntu10.04搭建openvpn服务器教程详解

ubuntu 10.04系统中安装与配置openvpn服务器的方法

需求：
项目中两个模块需要搭建到三台服务器上，要求三台服务器通过vpn分配私有ip地址进行链接，使用私有ip通道。

搭建模式
采用了c/s架构，也就是单机--站点的实现方式

1、安装openvpn

sudo apt-get install openvpn

2、设置认证机构，产生证书：

sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/
cd /etc/openvpn/
sudo mv 2.0/ conf/

3、编辑vars文件：

export KEY_SIZE=2048

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BeiJing"
export KEY_CITY="chaoyang"
export KEY_ORG="cleaderwin"
export KEY_EMAIL="wzy@cleaderwin.com"

4、生成证书：
sudo su #提权成为root用户

source ./vars
./clean-all
./build-ca
./build-key-server haolianxi #(haolianxi是servername，可根据自己的需求指定)
./build-key yourname
./build-dh

openvpn --genkey --secret ta.key #生成ta.key，防止ddos攻击，client和server同时存储
说明：这是第一次产生证书的正确操作，其中build-ca是创建根证书。build-key-server创建server证书，build-key创建client证书

5、配置Server端
创建并编辑 /etc/openvpn/server.conf文件

port    11198
proto   udp
dev tun

ca /etc/openvpn/conf/keys/ca.crt
cert /etc/openvpn/conf/keys/haolianxi.crt
key /etc/openvpn/conf/keys/haolianxi.key
dh /etc/openvpn/conf/keys/dh2048.pem

# OpenVPN网络地址池(分配的可用ip地址从10.4.4.0～10.4.5.254)
server 10.4.4.0 255.255.254.0

# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# 以下配置会导致客户端的默认网关修改为VPN服务器IP
;push "redirect-gateway"
;push "dhcp-option DNS 8.8.8.8"

# 允许所有的OpenVPN客户端相互可见
client-to-client

keepalive 10 120
tls-auth /etc/openvpn/conf/keys/ta.key 0

# 启用传输压缩，客户端也需要启用该参数
comp-lzo

user nobody
group nogroup
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/log/openvpn/openvpn-status.log

log /var/log/openvpn/openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
#
mute 20

# 定义管理IP和管理端口
management 127.0.0.1 9229

#client-config-dir定义的配置文件中没有找到匹配的用户名（Common Name>）则认证失败
ccd-exclusive

# 定义合法客户端的个性化配置文件（当前主要用于配合ccd-exclusive指令做客户端白名单认证）
client-config-dir /etc/openvpn/conf/white-clients/

6、重启openvpn

/etc/init.d/openvpn restart

7、配置客户端
添加一个新用户

cd /etc/openvpn/conf
sudo su
source vars
./build-key [新用户名]

生成的证书在keys目录下，举例说明证书的作用

ca.crt # 服务器公钥证书
ta.key #服务器tls加密预共享的静态私钥，请妥善保存
client.key # 用户个人私钥，请妥善保存
client.crt # 用户个人公钥，请妥善保存

8、openvpn连接
client-openvpn.ovpn编辑

复制代码代码示例:

	client  

	dev tun  

	proto udp  

	port 11198  

	remote $serverip  

	resolv-retry 3  

	nobind  

	persist-key  

	persist-tun  

	ca ca.crt  

	cert $client.crt  

	key $client.key  

	ns-cert-type server  

	tls-auth ta.key 1  

	comp-lzo  

	verb 3  

	route-method exe  

	route-delay 2

注意：$变量需要根据实际情况做替换。

命令行启动：

sudo /etc/init.d/openvpn start

(责任编辑：IT)

搜索

热门标签:

ubuntu10.04搭建openvpn服务器教程详解