1. Environment
1.1. Server-side environment
CentOS 6, kernel version 2.6.32-71.el6
IP 192.168.122.180, tunnel IP 10.8.0.1
The kernel must support the tun device, and iptables must be loaded.
Check whether the tun module is available:
# modinfo tun
filename: /lib/modules/2.6.32-71.el6.i686/kernel/drivers/net/tun.ko
alias: char-major-10-200
license: GPL
author: (C) 1999-2004 Max Krasnyansky maxk@qualcomm.com
description: Universal TUN/TAP device driver
srcversion: 7D2AAEF89C71C83BBFFA0DE
depends:
vermagic: 2.6.32-71.el6.i686 SMP mod_unload modversions 686
1.2. Client environment
Windows 7 host, IP 192.168.122.29
2. Installation
2.1. Linux side
OpenVPN currently cannot be installed directly with yum. The official site offers an RPM package that can be downloaded directly; this RPM has a few package dependencies.
In addition, if we build from source ourselves, the corresponding development packages of those dependencies are needed as well:
- openssl-devel
- lzo-devel
- pam-devel
Fortunately, all of these dependencies can be installed directly with yum.
This article builds from source. Once all the dependencies above are installed, unpack the downloaded source package:
Download the latest source package from http://openvpn.net/index.php/open-source/downloads.html.
#tar xfz openvpn-[version].tar.gz
Then change into the top-level source directory and run the usual configure, make, make install sequence:
#./configure
#make
#make install
2.2. Windows side
Download the latest installer from http://openvpn.net/index.php/open-source/downloads.html and double-click it to install.
3. Certificates and key files
Because Linux is the server in my setup, the certificates are generated on Linux as well.
If OpenVPN was installed from the RPM, the easy-rsa directory is usually under /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn-version; if OpenVPN was built from source, easy-rsa is in the top-level source directory. (Before editing anything, it is best to copy the whole easy-rsa directory somewhere else, for example /etc/openvpn, so that a later OpenVPN upgrade does not overwrite your configuration.)
First copy easy-rsa to /etc/openvpn:
#mkdir -p /etc/openvpn
#cp -R easy-rsa /etc/openvpn
#cd /etc/openvpn/easy-rsa/2.0
3.1. CA files
Open the vars file with your preferred editor and adjust the following variables to your situation:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="CA"
export KEY_CITY="HZ"
export KEY_ORG="MY_ORG"
export KEY_EMAIL="yetyongjin#163.com"
Configure openssl: depending on the openssl version installed on the system, copy the matching openssl-version.cnf file to openssl.cnf, or create a symbolic link to it:
# rpm -q openssl
openssl-1.0.0-20.el6_2.2.i686
# cp openssl-1.0.0.cnf openssl.cnf
Then run the following commands:
#. ./vars
#./clean-all
#./build-ca server
Note that the first command contains two dots: the first one is the shell's source command, which loads the vars settings into the current shell.
Output:
Generating a 1024 bit RSA private key
.++++++
......................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [HZ]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:
Name [changeme]:
Email Address [mail@host.domain]:
3.2. Generating the server key
# ./build-key-server server
Here "server" is the name label you choose; if it is omitted, you will be prompted for it during the run.
Generating a 1024 bit RSA private key
.....++++++
.................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [HZ]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [server]:
Name [changeme]:
Email Address [mail@host.domain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'HZ'
organizationName :PRINTABLE:'HZ'
organizationalUnitName:PRINTABLE:'changeme'
commonName :PRINTABLE:'server'
name :PRINTABLE:'changeme'
emailAddress :IA5STRING:'mail@host.domain'
Certificate is to be certified until Mar 28 03:05:21 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Update
Note that some of the boxed output is interactive; in general the defaults are fine, but the values typed at the prompts (marked in red in the original) must be entered.
3.3. Generating the client key
# ./build-key client1
Here client1 is the client's name; with several clients, generate one key per client.
Generating a 1024 bit RSA private key
...++++++
...............++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [HZ]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [client1]:
Name [changeme]:
Email Address [mail@host.domain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'HZ'
organizationName :PRINTABLE:'HZ'
organizationalUnitName:PRINTABLE:'changeme'
commonName :PRINTABLE:'client1'
name :PRINTABLE:'changeme'
emailAddress :IA5STRING:'mail@host.domain'
Certificate is to be certified until Mar 28 03:21:06 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Note that some of the boxed output is interactive; in general the defaults are fine, but the values typed at the prompts (marked in red in the original) must be entered.
3.4. Generating the Diffie-Hellman parameters
This step is required on the server and may take quite a while:
#./build-dh
3.5. File overview
At this point we have a complete set of keys and certificates, stored in a subdirectory named keys under the easy-rsa directory. The table below summarizes these files:
Filename      Needed By                 Purpose                    Secret
ca.crt        server + all clients      Root CA certificate        NO
ca.key        key signing machine only  Root CA key                YES
dh{n}.pem     server only               Diffie Hellman parameters  NO
server.crt    server only               Server Certificate         NO
server.key    server only               Server Key                 YES
client1.crt   client1 only              Client1 Certificate        NO
client1.key   client1 only              Client1 Key                YES
Finally, download the keys directory; the client needs some of these files.
4. Configuration
OpenVPN ships with template configuration files; edit the required settings to match your situation. The templates are located in:
- the sample-config-files subdirectory of the OpenVPN source tree
- for the RPM package, the sample-config-files subdirectory under /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn-version
4.1. Server side
Edit /etc/sysctl.conf, change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1 and save. Then run:
#sysctl -p
Add the NAT rule for the tunnel subnet:
#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 192.168.122.180
Note: replace the trailing 192.168.122.180 with your VPS's IP address.
Afterwards save the iptables settings with /etc/init.d/iptables save, then restart iptables with /etc/init.d/iptables restart.
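As an added check (not from the article), the following Python script verifies on the server that the two steps above have taken effect: forwarding is enabled in the running kernel, and the POSTROUTING SNAT rule is present and scoped to the tunnel subnet rather than to all forwarded traffic. The addresses are the article's; the rule parser works on the text output of iptables -t nat -S POSTROUTING, so the sample rules embedded below are constructed and the parsing can be exercised without root.

```python
# Added example, not part of the article: verify the two prerequisites of
# section 4.1 on a running server (IPv4 forwarding on, SNAT rule scoped to the
# tunnel subnet).  Addresses are the article's.  The parser is fed the text of
# `iptables -t nat -S POSTROUTING`, so it can be tested offline.
import subprocess

TUNNEL_NET = "10.8.0.0/24"
SERVER_IP = "192.168.122.180"

def parse_rules(text):
    """Turn `iptables -S` lines into dicts such as {'chain': ..., '-s': ..., '-j': ...}.
    Flags without a value map to True; '-P'/'-N' lines are skipped; a negated
    match ('! -s ...') is recorded like a plain one (kept simple on purpose)."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "-A":
            continue
        rule, i = {"chain": parts[1]}, 2
        while i < len(parts):
            if i + 1 < len(parts) and not parts[i + 1].startswith("-"):
                rule[parts[i]] = parts[i + 1]
                i += 2
            else:
                rule[parts[i]] = True
                i += 1
        rules.append(rule)
    return rules

def find_vpn_snat(rules, tunnel_net=TUNNEL_NET, server_ip=SERVER_IP):
    """The rule the article adds, or None if it is gone (e.g. after a reboot
    without `/etc/init.d/iptables save`)."""
    for r in rules:
        if (r.get("-s") == tunnel_net and r.get("-j") == "SNAT"
                and r.get("--to-source") == server_ip):
            return r
    return None

def unscoped_nat_rules(rules):
    """SNAT/MASQUERADE rules with no -s match: they rewrite every forwarded
    packet, not only the VPN's, which is worth knowing about on a shared host."""
    return [r for r in rules if r.get("-j") in ("SNAT", "MASQUERADE") and "-s" not in r]

def forwarding_enabled(path="/proc/sys/net/ipv4/ip_forward"):
    """net.ipv4.ip_forward as the running kernel holds it, not as the file says."""
    with open(path) as f:
        return f.read().strip() == "1"

def live_report():
    """Run on the server itself (iptables needs root)."""
    out = subprocess.run(["iptables", "-t", "nat", "-S", "POSTROUTING"],
                         capture_output=True, text=True, check=True).stdout
    rules = parse_rules(out)
    return {"ip_forward": forwarding_enabled(),
            "vpn_snat_present": find_vpn_snat(rules) is not None,
            "unscoped_nat_rules": unscoped_nat_rules(rules)}

# Constructed sample, in the format `iptables -t nat -S POSTROUTING` prints.
SAMPLE_RULES = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 192.168.122.180
-A POSTROUTING -o eth0 -j MASQUERADE
"""

if __name__ == "__main__":
    print(live_report())
```

Run it as root on the server after the save/restart step; an empty unscoped_nat_rules list and vpn_snat_present set to True mean the rule survived the restart exactly as the article intends.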
Copy the keys directory to /etc/openvpn.
Copy server.conf from the templates to /etc/openvpn and adapt it to your situation. Here is my configuration:
local 192.168.122.180
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 202.101.172.35"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
Start OpenVPN:
#openvpn --config /etc/openvpn/server.conf &
4.2. Client side
Open the downloaded keys folder and copy the three files ca.crt, client1.crt and client1.key into the \config directory under the OpenVPN installation path. Edit the configuration file client1.ovpn, using client.conf from the templates as a reference. Here is my client configuration:
client
dev tun
proto udp
remote 192.168.122.180 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
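To catch the mistakes that tend to slip into these two files (a typographic or unbalanced quote on a push line, a forgotten ns-cert-type server, a missing directive), here is a small checker for the server configuration of 4.1 and the client configuration of 4.2. It is an added example, not part of the article or of OpenVPN: the tokenizer follows OpenVPN's quoting and comment rules as I know them, remote-cert-tls is accepted as the newer equivalent of ns-cert-type, and secret_mode_ok applies the Secret column of the table in 3.5 to a file mode. The embedded configs are the article's own (trimmed, with the push line quoted correctly) plus a constructed bad variant.

```python
# Added example, not part of the article or of OpenVPN: a checker for the
# server.conf / client1.ovpn shown in section 4.  The tokenizer follows
# OpenVPN's rules: whitespace separates tokens, "..." or '...' groups one token,
# and a '#' or ';' at the start of a token opens a comment.
import stat

def tokenize(line):
    """Split one config line; raises ValueError on an unterminated quote."""
    tokens, cur, quote = [], "", None
    for c in line:
        if quote:
            if c == quote:
                quote = None
            else:
                cur += c
        elif c in ('"', "'"):
            quote = c
        elif c.isspace():
            if cur:
                tokens.append(cur)
                cur = ""
        elif c in "#;" and not cur:
            break  # rest of the line is a comment
        else:
            cur += c
    if quote:
        raise ValueError("no closing quotation (%s)" % quote)
    if cur:
        tokens.append(cur)
    return tokens

def parse_config(text):
    """Return ([(lineno, tokens), ...], [error strings])."""
    directives, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            toks = tokenize(line)
        except ValueError as e:
            errors.append("line %d: %s" % (n, e))
            continue
        if toks:
            directives.append((n, toks))
    return directives, errors

REQUIRED = {"server": ("ca", "cert", "key", "dh", "server"),
            "client": ("remote", "ca", "cert", "key")}

def check(text, role):
    """Findings for a config of the given role ('server' or 'client'); [] is clean."""
    directives, findings = parse_config(text)
    names = {t[0] for _, t in directives}
    findings += ["missing '%s' directive" % d for d in REQUIRED[role] if d not in names]
    for n, t in directives:
        if t[0] == "push" and len(t) != 2:  # push takes one argument; quote it if it has spaces
            findings.append("line %d: push needs exactly one (quoted) argument" % n)
    if role == "client":
        # Without this, any certificate signed by the same CA (e.g. another
        # client's) would be accepted as the server's.
        pins = [t for _, t in directives if t[0] in ("ns-cert-type", "remote-cert-tls")]
        if not pins:
            findings.append("no 'ns-cert-type server' / 'remote-cert-tls server'")
        findings += ["%s must be 'server' on a client" % t[0] for t in pins if t[1:] != ["server"]]
    return findings

def secret_mode_ok(mode):
    """Files the 3.5 table marks Secret = YES should be owner-readable only."""
    return (stat.S_IMODE(mode) & 0o077) == 0

# The article's configs (trimmed; push line's quoting corrected) as constructed inputs.
SERVER_CONF = """\
local 192.168.122.180
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 202.101.172.35"
keepalive 10 120
"""
CLIENT_CONF = """\
client
dev tun
proto udp
remote 192.168.122.180 1194
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
"""
# Constructed bad input: a typographic opening quote, plus an unterminated quote.
BAD_SERVER_CONF = SERVER_CONF.replace('push "dhcp-option DNS 202.101.172.35"',
    'push \u201cdhcp-option DNS 202.101.172.35\npush "route 192.168.122.0 255.255.255.0')
```

check(open("/etc/openvpn/server.conf").read(), "server") and check(open("client1.ovpn").read(), "client") run the same tests against the real files; secret_mode_ok(os.stat(path).st_mode) does the permission check for each Secret = YES file from the table.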
On Windows 7, run OpenVPN GUI as administrator and click the connect button. After a moment you will see the message that the connection succeeded.