Ubuntu Linux 服务器搭建OpenVPN服务器

话说，最近在学校做毕设，寝室的ChinaNet被学校水产了，说是要登记才能使用。自己试验的时候发现，登录成功后，几十秒内还可访问网页，之后网页就上不去了，显示连接被重置（是不是像某墙？），但是QQ神马的依然可以正常使用，而且已经建立的TCP长连接不会被中断。于是考虑服务器端针对TCP的三次握手进行了攻击，导致无法正常访问网页。之前记得VPN常用的拨号方式主要有PPTP、L2TP和OpenVPN，后两种方式支持底层使用UDP方式通讯。在Linux上，开源社区的OpenVPN自然是不二的选择。

配置OpenVPN的步骤，大致包括两部分，首先是服务器端的OpenVPN服务，其次是客户端的OpenVPN软件。首先我们在Ubuntu 10.04 TLS上配置OpenVPN服务器端。

1. 配置OpenVPN服务器

首先请使用root账户登录系统，若没有开启root，请使用sudo暂转为root模式：

sudo -i

从软件仓库安装openvpn及其相关软件包：

apt-get install openvpn udev lzop -y

完成安装后，复制证书配置模板信息：

cp -r /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn/<br>cd /etc/openvpn/easy-rsa/2.0/<br>source vars 

先清除已有的证书信息：

./clean-all

创建CA根证书：

#./build-ca<br>Generating a 1024 bit RSA private key<br>................++++++<br>........++++++<br>writing new private key to 'ca.key'<br>-----<br>You are about to be asked to enter information that will be incorporated<br>into your certificate request.<br>What you are about to enter is what is called a Distinguished Name or a DN.<br>There are quite a few fields but you can leave some blank<br>For some fields there will be a default value,<br>If you enter '.', the field will be left blank.<br>-----<br>Country Name (2 letter code) [CN]:<br>State or Province Name (full name) [GD]:<br>Locality Name (eg, city) [SZ]:<br>Organization Name (eg, company) []:<br>Organizational Unit Name (eg, section) []:soa<br>Common Name (eg, your name or your server's hostname) []:starlight36.com<br>Email Address [your-email [at] starlight36.com]:

创建服务器端key：

#./build-key-server server<br>Generating a 1024 bit RSA private key<br>......++++++<br>....................++++++<br>writing new private key to 'server.key'<br>-----<br>You are about to be asked to enter information that will be incorporated<br>into your certificate request.<br>What you are about to enter is what is called a Distinguished Name or a DN.<br>There are quite a few fields but you can leave some blank<br>For some fields there will be a default value,<br>If you enter '.', the field will be left blank.<br>-----<br>Country Name (2 letter code) [CN]:<br>State or Province Name (full name) [LN]:<br>Locality Name (eg, city) [DL]:<br>Organization Name (eg, company) [starlight36.com]:<br>Organizational Unit Name (eg, section) []:starlight36.com<br>Common Name (eg, your name or your server's hostname) []:server<br>Email Address [your-email [at] starlight36.com]:<br>... ...

创建客户端key

#./build-key client<br>Generating a 1024 bit RSA private key<br>......++++++<br>....................++++++<br>writing new private key to 'server.key'<br>-----<br>You are about to be asked to enter information that will be incorporated<br>into your certificate request.<br>What you are about to enter is what is called a Distinguished Name or a DN.<br>There are quite a few fields but you can leave some blank<br>For some fields there will be a default value,<br>If you enter '.', the field will be left blank.<br>-----<br>Country Name (2 letter code) [CN]:<br>State or Province Name (full name) [LN]:<br>Locality Name (eg, city) [DL]:<br>Organization Name (eg, company) [starlight36.com]:<br>Organizational Unit Name (eg, section) []:starlight36.com<br>Common Name (eg, your name or your server's hostname) []:client<br>Email Address [your-email [at] starlight36.com]:<br>... ... 

过程和创建服务器端Key基本一致，但是需要注意的是，Common Name (eg, your name or your server’s hostname)这一项每个客户端key之间不能重名，和server key的设置也不能重名，否则会导致生成失败。

生成 Diffie Hellman信息：

./build-dh

这时，服务器证书的配置就完成了，我们需要把服务器上刚才生成的ca.crt client.crt client.key三个文件下载下来，客户端连接时需要用到。