Installing an OpenVPN server on CentOS and configuring a Windows client

First, install the packages:

#yum install openvpn easy-rsa

After the installation, check where everything was installed:

# whereis openvpn
openvpn: /usr/sbin/openvpn /etc/openvpn /usr/lib/openvpn /usr/share/openvpn /usr/share/man/man8/openvpn.8.gz

Go into /usr/share/easy-rsa/2.0 and edit the vars file to change the email and similar fields. Run ". vars" (or "source vars") to export the variables into the current environment, then run ./clean-all to clean up, and then create the certificate authority (CA):

# ./build-ca server
Generating a 1024 bit RSA private key
...............................++++++
.....................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:phpdr.net
Name []:
Email Address [ares@phpdr.net]:

Generate the server certificate with ./build-key-server server:

# ./build-key-server server
Generating a 1024 bit RSA private key
....++++++
......................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Name []:
Email Address [ares@phpdr.net]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'Fort-Funston'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'ares@phpdr.net'
Certificate is to be certified until Sep 16 13:36:51 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Next, generate the client certificate with ./build-key client1; client1 is the client's name and can be anything. The process is essentially the same as for the server certificate, so it is not listed here.

Finally, generate the Diffie-Hellman parameters; this step is mandatory. A detailed introduction to Diffie-Hellman can be found here.

./build-dh

Sample configuration files are in /usr/share/doc/openvpn-2.1.4/sample/sample-config-files. Copy server.conf into the /etc/openvpn directory, and copy the certificates and keys generated above as well:

cp -R /usr/share/easy-rsa/2.0/keys /etc/openvpn/

Edit /etc/openvpn/server.conf. The entries that must change are mainly the certificate paths; for anything else that may need changing, see the comments in the file:

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
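Before starting the service it is worth confirming that the four files server.conf points at actually belong together and are protected. The shell function below is an added example, not part of the original post and not an OpenVPN or easy-rsa tool; the default paths are the ones used above and are only assumptions. It checks that the server certificate verifies against ca.crt, that server.key is the private key for server.crt, that the key is not group- or world-readable, and that the DH parameter file parses.

```sh
#!/bin/sh
# Added example (not from the original post): sanity-check the PKI files that
# server.conf references before starting OpenVPN.
#   1. every file exists
#   2. the server certificate chains to the CA (openssl verify)
#   3. the private key belongs to the certificate (RSA modulus comparison)
#   4. the private key is not readable by group or others
#   5. the DH parameter file parses
# Returns 0 only if all checks pass; each failed check is reported on stderr.
# Default paths are assumptions that match the server.conf entries above.
verify_openvpn_pki() {
    ca="${1:-/etc/openvpn/keys/ca.crt}"
    cert="${2:-/etc/openvpn/keys/server.crt}"
    key="${3:-/etc/openvpn/keys/server.key}"
    dh="${4:-/etc/openvpn/keys/dh1024.pem}"
    rc=0

    # 1. existence
    for f in "$ca" "$cert" "$key" "$dh"; do
        if [ ! -f "$f" ]; then
            echo "MISSING: $f" >&2
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return "$rc"

    # 2. chain: the server certificate must be signed by this CA
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca" >&2
        rc=1
    fi

    # 3. key/certificate match: both moduli must be identical
    cert_mod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    if [ -z "$cert_mod" ] || [ "$cert_mod" != "$key_mod" ]; then
        echo "FAIL: $key is not the private key for $cert" >&2
        rc=1
    fi

    # 4. permissions: columns 5-10 of ls -l are the group/other bits
    perms=$(ls -l "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $key is readable by group or others ($(ls -l "$key" | cut -c1-10))" >&2
        rc=1
    fi

    # 5. the DH file must be a parseable DH parameter set
    if ! openssl dhparam -noout -in "$dh" >/dev/null 2>&1; then
        echo "FAIL: $dh is not a valid DH parameter file" >&2
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: PKI files are consistent"
    return "$rc"
}
```

Run it as "verify_openvpn_pki" with no arguments for the paths above, or pass the four paths explicitly. A non-zero exit means OpenVPN would either refuse to start (mismatched key and certificate) or start with a private key that other local users can read.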

Edit /etc/sysctl.conf with vi, set net.ipv4.ip_forward = 1, save and exit, then run sysctl -p to apply the change.
Firewall rule: iptables -A INPUT -p udp --dport 1194 -j ACCEPT
Enable NAT: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source x.x.x.x (the IP at the end is the server's IP).
To start the service at boot: chkconfig --level 235 openvpn on
That completes the server-side configuration. Download and install the OpenVPN client from http://openvpn.net/, then download ca.crt, client1.crt and client1.key to the local machine and put these three files in the config/client1 directory under the OpenVPN installation directory. In the same directory create a configuration file named "client1.ovpn"; for a sample configuration see /usr/share/doc/openvpn-2.1.4/sample/sample-config-files/client.conf
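As an alternative to shipping three separate files, the client configuration can carry the CA, certificate and key inline in one client1.ovpn. The shell function below is an added example, not part of the original post or of the OpenVPN sample client.conf; the server host name, port and keys directory are placeholders passed as arguments. It also adds remote-cert-tls server, which makes the client accept only a certificate carrying the server-type extensions that build-key-server puts in, so a client certificate issued by the same CA cannot be presented as the server.

```sh
#!/bin/sh
# Added example (not from the original post): print a single client .ovpn with
# the CA, client certificate and client key embedded inline.
# Usage: make_client_ovpn <client-name> <server-host> [<port>] [<keys-dir>]
# The server host, port and keys directory are placeholders/assumptions.
make_client_ovpn() {
    name="$1"
    server_host="$2"
    port="${3:-1194}"
    keydir="${4:-/etc/openvpn/keys}"
    ca="$keydir/ca.crt"
    cert="$keydir/$name.crt"
    key="$keydir/$name.key"
    for f in "$ca" "$cert" "$key"; do
        [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $server_host $port
resolv-retry infinite
nobind
persist-key
persist-tun
# Only accept a server certificate that carries the server extensions
# build-key-server sets; a plain client certificate from the same CA
# is then rejected as a server.
remote-cert-tls server
verb 3
EOF
    # easy-rsa .crt files start with a human-readable dump; embed only the
    # PEM blocks, which is all OpenVPN needs.
    printf '<ca>\n'
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$ca"
    printf '</ca>\n<cert>\n'
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$cert"
    printf '</cert>\n<key>\n'
    sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$key"
    printf '</key>\n'
}
```

Run it on the server as "make_client_ovpn client1 vpn.example.invalid > client1.ovpn" (host name is a placeholder) and copy the resulting file to the client's config directory; because the file now contains the client's private key, it deserves the same care in transit and at rest as client1.key itself.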

Official HOWTO: http://openvpn.net/howto.html
