Installing and Using OpenVPN on CentOS
Date: 2016-05-26 01:56 Source: linux.it.net.cn Author: IT
I. Preparation
yum -y install openssl-devel openssl
yum -y install gcc gcc-c++
II. Installing the OpenVPN server
1. Download and install lzo
cd /apps # installation directory
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gz # download lzo
tar zxvf lzo-2.04.tar.gz # unpack
cd lzo-2.04
./configure && make && make install # configure, build and install
2. Download and install OpenVPN
cd /apps
wget http://openvpn.net/release/openvpn-2.1_rc15.tar.gz
tar zxvf openvpn-2.1_rc15.tar.gz
cd openvpn-2.1_rc15
./configure && make && make install
3. Server-side setup
cp -r /apps/openvpn-2.1_rc15/ /etc/openvpn # use easy-rsa to generate the server and client certificates
4. Initialize the parameters
cd /etc/openvpn/easy-rsa/2.0
./vars
source vars
5. Generate the CA certificate
./clean-all
./build-ca
6. Create the server key (press Enter at every prompt)
./build-key-server server
7. Generate the Diffie-Hellman parameters
./build-dh
8. Copy the CA certificate and server certificate to the OpenVPN configuration directory
cp keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/
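9. Generate the client key
./build-key client1 # use the same settings as for the server key
To create more VPN accounts, generate further client certificates the same way as client1, for example: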
./build-key client2
./build-key client3
10. Create the client configuration file client1.ovpn
vi /etc/openvpn/easy-rsa/2.0/keys/client1.ovpn
client
remote 192.168.80.129 1194
dev tun # the connection is point-to-point; to use Ethernet mode, change tun to tap
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
route-delay 2
route-method exe
verb 3
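11. Package the client configuration file and certificates
cd /etc/openvpn/easy-rsa/2.0/keys
tar czf keys.tgz ca.crt client1.crt client1.csr client1.key client1.ovpn # ca.key is the CA private key; it stays on the server and is not shipped to clients
mv keys.tgz /root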
12. Create and edit the server configuration file server.conf
port 1194
proto tcp
dev tun # the connection is point-to-point; to use Ethernet mode, change tun to tap
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway"
push "route 172.18.2.0 255.255.255.0" # push a route to the internal network segment
push "dhcp-option DNS 172.18.2.1"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
persist-key
persist-tun
client-to-client # without this, clients cannot connect to each other
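The client and server configurations above use 1024-bit DH parameters, comp-lzo and ns-cert-type, and set no tls-auth; these settings, and whether a client bundle contains a CA or server private key, can be checked mechanically. The script below is an added example, not part of the original article; its function names, finding labels and sample files are constructed, and the DH check assumes the easy-rsa 2.0 naming dh<KEY_SIZE>.pem.

```sh
#!/bin/sh
# Added example: audit an OpenVPN config and a client bundle for the weak
# settings used in this guide. Labels and sample files are constructed.

# Print one finding per line for a server.conf / client .ovpn file.
audit_ovpn_conf() {
    # Drop "#" comments, ";" comment lines and blank lines first.
    body=$(sed -e 's/#.*$//' -e '/^[[:space:]]*;/d' -e '/^[[:space:]]*$/d' "$1")
    has() { printf '%s\n' "$body" | grep -Eq "^[[:space:]]*$1([[:space:]]|\$)"; }
    # easy-rsa 2.0 names the file dh<KEY_SIZE>.pem, so the name gives the size.
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*dh[[:space:]].*dh(512|1024)\.pem'; then
        echo "WEAK_DH: use DH parameters of at least 2048 bits"
    fi
    if has comp-lzo; then
        echo "COMPRESSION: tunnel compression is exposed to VORACLE; turn it off"
    fi
    if has ns-cert-type; then
        echo "NS_CERT_TYPE: deprecated; use remote-cert-tls server"
    fi
    if ! has tls-auth && ! has tls-crypt; then
        echo "NO_TLS_AUTH: control channel has no HMAC pre-authentication"
    fi
}

# Exit 0 if a client bundle contains the CA or server private key.
bundle_leaks_private_key() {
    tar tzf "$1" | grep -Eq '(^|/)(ca|server)\.key$'
}

# Build constructed samples (empty stand-in key files); print their directory.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' 'port 1194' 'dev tun # trailing comment' \
        'dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem' \
        ';tls-auth ta.key 0' 'comp-lzo' > "$dir/server.conf"
    printf '%s\n' 'dh /etc/openvpn/dh2048.pem' \
        'tls-auth /etc/openvpn/ta.key 0' > "$dir/hardened.conf"
    (cd "$dir" && : > ca.crt && : > ca.key && : > client1.key &&
        tar czf keys.tgz ca.crt ca.key client1.key &&
        tar czf client-only.tgz ca.crt client1.key)
    echo "$dir"
}

d=$(make_samples)
audit_ovpn_conf "$d/server.conf"
if bundle_leaks_private_key "$d/keys.tgz"; then
    echo "KEY_LEAK: keys.tgz contains a CA or server private key"
fi
```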
13. Firewall settings
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
sed -i 's/eth0/venet0/g' /etc/sysconfig/iptables # dirty vz fix for iptables-save
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
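If the VPN server's internal IP is not the gateway, the following rule must also be added (without it, clients cannot reach other machines on the internal network):
iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -d 172.18.2.0/255.255.255.0 -j SNAT --to-source 172.18.2.30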
14. Start OpenVPN
/usr/local/sbin/openvpn --config /etc/openvpn/server.conf
To start it at boot, run:
echo "/usr/local/sbin/openvpn --config /etc/openvpn/server.conf" >> /etc/rc.local
It can also be set up as a service:
cp /apps/openvpn-2.1_rc15/sample-scripts/openvpn.init /etc/init.d/openvpn
chmod 700 /etc/init.d/openvpn
chkconfig --add openvpn
chkconfig --level 345 openvpn on
service openvpn start
15. Check that the installation succeeded
lsof -i:1194
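Note: the above covers the case where one machine on the company's internal network can reach the Internet. If no machine on the internal network can reach the Internet, how can the machines on that segment (call it B, subnet 192.168.1.0/24) reach a machine on another segment that also has no public IP (A, IP 172.9.2.100)? Read on.
Find a machine with a public IP that you can configure freely; call it C.
Set up C as the OpenVPN server, then set up A and B as OpenVPN clients.
Add the following to C's configuration file: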
client-to-client
client-config-dir ccd
route 192.168.1.0 255.255.255.0
B's configuration in ccd is:
iroute 192.168.1.0 255.255.255.0
A's configuration in ccd is:
push "route 192.168.1.0 255.255.255.0"
SNAT configuration on B:
iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j SNAT --to-source 172.9.2.100
III. Installing the OpenVPN client (Windows)
OpenVPN install script install_OpenVPN.sh
#!/bin/bash
# Quick and dirty OpenVPN install script
# Tested on Centos 5.x 32bit, openvz minimal CentOS OS templates
# Please submit feedback and questions at support@vpsnoc.com
# John Malkowski vpsnoc.com 01/04/2010
ip=`grep IPADDR /etc/sysconfig/network-scripts/ifcfg-venet0:0 | awk -F= '{print $2}'`
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
rpm -iv rpmforge-release-0.3.6-1.el5.rf.i386.rpm
rm -rf rpmforge-release-0.3.6-1.el5.rf.i386.rpm
yum -y install openvpn openssl openssl-devel
cd /etc/openvpn/
cp -R /usr/share/doc/openvpn-2.2.0/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
chmod +rwx *
./vars
./clean-all
source ./vars
echo -e "\n\n\n\n\n\n\n" | ./build-ca
clear
echo "####################################"
echo "Feel free to accept default values"
echo "Wouldn't recommend setting a password here"
echo "Then you'd have to type in the password each time openVPN starts/restarts"
echo "####################################"
./build-key-server server
./build-dh
cp keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/
clear
echo "####################################"
echo "Feel free to accept default values"
echo "This is your client key, you may set a password here but it's not required"
echo "####################################"
./build-key client1
cd keys/
client="
client
remote $ip 1194
dev tun
comp-lzo
ca ca.crt
cert client1.crt
key client1.key
route-delay 2
route-method exe
redirect-gateway def1
dhcp-option DNS 10.8.0.1
verb 3"
echo "$client" > $HOSTNAME.ovpn
tar czf keys.tgz ca.crt client1.crt client1.csr client1.key $HOSTNAME.ovpn # ca.key (the CA private key) is left out of the client bundle
mv keys.tgz /root
opvpn='
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway"
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
group nobody
daemon'
echo "$opvpn" > /etc/openvpn/openvpn.conf
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
sed -i 's/eth0/venet0/g' /etc/sysconfig/iptables # dirty vz fix for iptables-save
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
/etc/init.d/openvpn start
clear
echo "OpenVPN has been installed
Download /root/keys.tgz using winscp or other sftp/scp client such as filezilla
Create a directory named vpn at C:\Program Files\OpenVPN\config\ and untar the content of keys.tgz there
Start openvpn-gui, right click the tray icon go to vpn and click connect
For support/bug reports email us at support@vpsnoc.com"
(Editor in charge: IT)