Fedora 安装 Openvpn

http://fedoraproject.org/wiki/Openvpn

这是fedora 的官方说明文档。就是有点老了，好久没更新了，许多命令需要进行相应的更改才能正确执行。

OpenVPN

For more information, see https://community.openvpn.net/.

Working with systemd

With the transition to systemd, OpenVPN no longer has a single monolithic init script, where every connection with a configuration file in /etc/openvpn/ is started automatically. Instead, individual connections can be started and stopped with systemctl.

For example, to start a connection, run systemctl start openvpn@foo.service, where the connection is defined in/etc/openvpn/foo.conf.

For more information, see Systemd#How_do_I_start.2Fstop_or_enable.2Fdisable_services.3F.

Setting up an OpenVPN server

1. yum install openvpn.$HOSTTYPE easy-rsa
2. Copy /usr/share/openvpn/easy-rsa/2.0 somewhere (like root's home directory with cp -ai /usr/share/openvpn/easy-rsa/2.0 ~/easy-rsa).
3. cd ~/easy-rsa
4. Edit vars appropriately.
5. . vars
6. ./clean-all
7. Before continuing, make sure the system time is correct. Preferably, set up NTP .
8. ./build-ca
9. ./build-inter $( hostname | cut -d. -f1 )
10. ./build-dh
11. mkdir /etc/openvpn/keys
12. cp -ai keys/$( hostname | cut -d. -f1 ).{crt,key} keys/ca.crt keys/dh*.pem /etc/openvpn/keys/
13. cp -ai /usr/share/doc/openvpn-*/sample/sample-config-files/roadwarrior-server.conf /etc/openvpn/server.conf
14. Edit /etc/openvpn/server.conf appropriately to set your configuration and key paths, which are found in /etc/openvpn/keys/.
15. Fix selinux context of files:
16. restorecon -Rv /etc/openvpn
17. If you have feodra 15 or earlier:
18. chkconfig --level 2345 openvpn on
19. service openvpn start
20. If you have fedora 16 or later (Note that 'server' corresponds with the configuration name in /etc/openvpn/ such as server.conf):
21. ln -s /lib/systemd/system/openvpn\@.service /etc/systemd/system/multi-user.target.wants/openvpn\@server.service
22. systemctl -f enable openvpn@server.service
23. systemctl start openvpn@server.service
24. Verify that firewall rules allow traffic in from tun+, out from the LAN to tun+, and in from the outside on UDP port 1194.

The following should work (assuming an outside interface is eth1 and an inside interface is eth0):

iptables -A INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -j ACCEPT
iptables -A FORWARD -i eth1 -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT

Or for genfw (my firewall-generation script, not currently available in Fedora), this in /etc/sysconfig/genfw/rules:

append INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
append INPUT -i tun+ -j ACCEPT
append FORWARD -i tun+ -j ACCEPT
append FORWARD -i eth0 -o tun+ -j ACCEPT
append FORWARD -i eth1 -o tun+ -j established

Or for system-config-firewall, you can add these custom rules:

-A INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i eth0 -o tun+ -j ACCEPT
-A FORWARD -i eth1 -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT

Create a file iptables-rules in /etc/sysconfig and add the above contents, then in system-config-firewall, choose the "Custom Rules" choice, click "Add", choose IPV4 for the protocol type, and filter for the firewall table. Then select /etc/sysconfig/iptables-rules for the File: choice. Then Apply the changes.

Setting up a Linux OpenVPN client

You need to generate new keys (or use existing other client/username keys) for the new client/username

On the server:

1. cd easy-rsa
2. . vars
3. ./build-key username

On the Fedora 15 (or earlier) client:

1. Copy username.key, username.crt and ca.crt from server to /etc/openvpn/keys/.
2. cp -ai /usr/share/doc/openvpn-*/sample-config-files/roadwarrior-client.conf /etc/openvpn/client.conf
3. Edit /etc/openvpn/client.conf appropriately to set your configuration (just like server configuration, port, compression,..) and key paths.
4. chkconfig --level 2345 openvpn on
5. service openvpn start

On the Fedora 16 (or later) client (with systemd):

• In the following, replace MyClient with a descriptive vpn connection name.

1. Copy username.key, username.crt and ca.crt from server to /etc/openvpn/keys/.
2. cp -ai /usr/share/doc/openvpn-*/sample-config-files/client.conf /etc/openvpn/MyClient.conf
3. Edit /etc/openvpn/MyClient.conf appropriately to set your configuration (just like server configuration, port, compression,..) and key paths.
4. cd /lib/systemd/system
5. ln openvpn@.service openvpn@MyClient.service
6. systemctl enable openvpn@MyClient.service
7. systemctl start openvpn@MyClient.service

check /var/log/messages if things didn't work as expected

Alternatively, on the client, after copying the keys onto the client machine, you can use NetworkManager to add a vpn connection. Make sure you have the NetworkManager-openvpn package installed. Then just add a new VPN connection.

Should also test automatic starting at boot up, with password protected key files and maybe even --auth-user-pass. OpenVPN supports systemd's password passing if build with --enable-systemd via ./configure

Setting up a Windows OpenVPN client

On the server:

1. cd easy-rsa
2. . vars
3. ./build-key username

On the client:

1. Install the OpenVPN GUI or the stand-alone OpenVPN client.
2. Copy username.crt, username.key, and ca.crt to C:\Program Files\OpenVPN\config\ on the client.
3. Drop roadwarrior-client.conf into C:\Program Files\OpenVPN\config\ as whatever.ovpn and edit appropriately.
4. Either use the GUI to start the connection, start the OpenVPN service manually, or set the OpenVPN service to start automatically.

Ideally the client should do some verification on the server key with tls-remote in the whatever.ovpn configuration file.

我更改修正后的安装方法如下：

1. Setting up an OpenVPN server

    安装openvpn 和证书工具

    sudo yum install openvpn easy-rsa

    复制证书工具到自己的目录

    cp -r /usr/share/easy-rsa/2.0 ~/easy-rsa
    cd ~/easy-rsa

    制作证书

    . vars
    ./clean-all
                 
    ./build-ca
    ./build-inter $( hostname | cut -d. -f1 )
    ./build-dh

    建立证书存放目录keys 复制证书到该目录

    sudo mkdir /etc/openvpn/keys
    sudo cp -ai keys/bogon.{crt,key} keys/ca.crt keys/dh*.pem /etc/openvpn/keys/
    复制openvpn server的配置文件到相应目录
    sudo cp -ai /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server.conf

Edit /etc/openvpn/server.conf appropriately to set your configuration and key paths, which are found in /etc/openvpn/keys/.
    修改配置文件使其适应自己的环境
    sudo vi /etc/openvpn/server.conf

    Fix selinux context of files:
    如果有selinux需要更改selinux授权， 否则无法成功启动openvpn服务
    sudo restorecon -Rv /etc/openvpn

    sudo ln -s /lib/systemd/system/openvpn\@.service /etc/systemd/system/multi-user.target.wants/openvpn\@server.service

    如果需要使openvpn 服务开机后自动开启，可使用下面的命令
    sudo systemctl enable openvpn@server.service

    手动启动openvpn，使用下面的命令
    sudo systemctl start openvpn@server.service

    查看openvpn的状态
    systemctl status openvpn@server.service

     有防火墙的还需要打开相应的端口。

     fedora的防火墙可以直接执行下面的命令即可

     是防火墙可通过openvpn服务，这是暂时性的，重启后就没用了

    sudo firewall-cmd --add-service=openvpn

     这是永久性的

    sudo firewall-cmd --permanent --add-service=openvpn

2. Setting up a Linux OpenVPN client

You need to generate new keys (or use existing other client/username keys) for the new client/username

On the server:

    在服务端所在的主机上制作好客服端的证书后传给客户端的主机

    cd easy-rsa
    . vars
    ./build-key username 

On the Fedora client:
    在客户端的主机上，复制客户端证书到 /etc/openvpn/keys 目录

   Copy username.key, username.crt and ca.crt from server to /etc/openvpn/keys/ .

     cp -ai keys/kuaile.{crt,key} keys/ca.crt ~/kuaile

    sudo cp -ai /usr/share/doc/openvpn/sample/sample-config-files/roadwarrior-client.conf /etc/openvpn/Myclient.conf
    更改配置文件，主要修改要连接的ip为配置好的服务端主机的ip，其他的根据需要修改。
    sudo vi /etc/openvpn/MyClient.conf

    In the following, replace MyClient with a descriptive vpn connection name. 

    Copy username.key, username.crt and ca.crt from server to /etc/openvpn/keys/.
    
    sudo cp -ai keys/kuaile.{key,crt} keys/ca.crt /etc/openvpn/keys

    cp -ai /usr/share/doc/openvpn/sample-config-files/client.conf /etc/openvpn/MyClient.conf


    Edit /etc/openvpn/MyClient.conf appropriately to set your configuration (just like server configuration, port, compression,..) and key paths.
    cd /lib/systemd/system

    创建openvpn的硬链接，MyClient 是配置文件的名称，
    sudo ln openvpn@.service openvpn@MyClient.service

    使openvpn 开机自动启动
    sudo systemctl enable openvpn@MyClient.service

    手动启动openvpn
    sudo systemctl start openvpn@MyClient.service