qiaoqiangv 2012-09-16
1. OpenVPN installation environment
Server-side environment:
[root@localhost ~]# lsb_release -a
LSB Version: :core-4.0-amd64:core-4.0-ia32:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-ia32:printing-4.0-noarch
Distributor ID: CentOS
Description: CentOS release 5.7 (Final)
Release: 5.7
Codename: Final
[root@localhost ~]# uname -a
Linux localhost 2.6.18-274.el5 #1 SMP Fri Jul 22 04:43:29 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
The kernel must support the tun device, and the iptables module must be loadable.
Check whether tun is present:
Code:
[root@localhost ~]# modinfo tun
filename: /lib/modules/2.6.18-274.el5/kernel/drivers/net/tun.ko
alias: char-major-10-200
license: GPL
author: (C) 1999-2004 Max Krasnyansky <[email protected]>
description: Universal TUN/TAP device driver
srcversion: 17940217002AD4038411C8A
depends:
vermagic: 2.6.18-274.el5 SMP mod_unload gcc-4.1
module_sig: 883f3504e294164ec40b13698f67516112fbd209b4eb89a65845ffc9c8882b8d87523fb596a3984b09f5774d4c2abbabfb3813b25c47ae78eca819942
If the modinfo command is not available, look directly for a tun.o file under the kernel modules directory:
Code:
Check the iptables module: verify that the following file exists:
/etc/init.d/iptables
OpenSSL. SSL connections require OpenSSL to be installed first. Installing OpenSSL is not covered here (search Google for the details); on CentOS it can be installed with yum:
#yum install openssl
#yum install openssl-devel
OpenVPN version installed: 2.0.5. A newer release seems to be available by now; it can be downloaded from http://openvpn.net.
Client-side environment:
Windows XP PRO SP2
OpenVPN GUI for Windows 1.0.3, available from openvpn.se
Note: the OpenVPN GUI for Windows version must match the OpenVPN server version.
For example, if the server runs OpenVPN 2.0.5, the OpenVPN GUI for Windows download should be openvpn-2.0.5-gui-1.0.3-install.exe.
All historical OpenVPN GUI versions: http://openvpn.se/files/install_packages/
2. OpenVPN server-side installation
Download LZO and extract it to lzo-2.02.
URL: http://www.oberhumer.com/opensource/lzo/download/
Code:
#wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.02.tar.gz
Download OpenVPN and extract it to openvpn-2.0.5.
URL: http://openvpn.net/download.html
Code:
#wget http://openvpn.net/release/openvpn-2.0.5.tar.gz
Install LZO
Code:
#cd /lzo-2.02
#./configure
#make
#make check
#make install
Install OpenVPN
Code:
#cd /openvpn-2.0.5
#./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib --with-ssl-headers=/usr/local/include/openssl --with-ssl-lib=/usr/local/lib
#make
#make install
Generate the certificates and keys
Initialize the PKI
(If the export command is not available, setenv [name] [value] can be used instead.)
Code:
#cd /openvpn-2.0.5/easy-rsa/2.0
#vim vars
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=BEIJING
export KEY_CITY=BEIJING
export KEY_ORG="yijiaxin.com"
export KEY_EMAIL="[email protected]"
#source vars
#./clean-all
#./build-ca
Generating a 1024 bit RSA private key
................++++++
........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [yijiaxin.com]:
Organizational Unit Name (eg, section) []:yijiaxin.com
Common Name (eg, your name or your server's hostname) []:server
Email Address [[email protected]]:
# Build the server key
Code:
#./build-key-server server
Generating a 1024 bit RSA private key
......++++++
....................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [yijiaxin.com]:
Organizational Unit Name (eg, section) []:yijiaxin.com
Common Name (eg, your name or your server's hostname) []:server
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:yijiaxin
An optional company name []:yijiaxin.com
Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BEIJING'
localityName :PRINTABLE:'BEIJING'
organizationName :PRINTABLE:'yijiaxin.com'
organizationalUnitName:PRINTABLE:'yijiaxin.com'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# Generate the client key
Code:
#./build-key client1
Generating a 1024 bit RSA private key
.....++++++
......++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [yijiaxin.com]:
Organizational Unit Name (eg, section) []:yijiaxin.com
Common Name (eg, your name or your server's hostname) []:client1 # Important: every client certificate must be generated with a different name.
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:yijiaxin
An optional company name []:yijiaxin.com
Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BEIJING'
localityName :PRINTABLE:'BEIJING'
organizationName :PRINTABLE:'yijiaxin.com'
organizationalUnitName:PRINTABLE:'yijiaxin.com'
commonName :PRINTABLE:'client1'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate the remaining client certificates/keys in the same way
Code:
#./build-key client2
#./build-key client3
Note: at the Common Name (eg, your name or your server's hostname) []: prompt, the name entered for each certificate must be different.
Generate the Diffie-Hellman parameters
Code:
#./build-dh
Pack up all the files under keys and download them to the local machine.
Create the server configuration file
Create it from the sample file:
Code:
#cd $dir/sample-config-files/ # enter the sample-config-files subdirectory of the extracted source tree
#cp server.conf /usr/local/etc # copy the server configuration file to /usr/local/etc
#vi /usr/local/etc/server.conf
Contents of the server.conf I created:
# cat server.conf | grep -v ^$ | grep -v ^# | grep -v ^\;
local 192.168.11.27
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh /usr/local/etc/dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
push "dhcp-option DNS 202.106.0.20"
# ca.crt, server.crt, server.key and dh1024.pem must be copied from the keys directory into the same directory as server.conf
Create the client configuration file
Code:
#cd $dir/sample-config-files/ # enter the sample-config-files subdirectory of the extracted source tree
#cp client.conf /usr/local/etc # copy the client configuration file to /usr/local/etc
#vi /usr/local/etc/client.conf
client
dev tun
proto udp
remote 192.168.11.27 1194
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
#cd openvpn-2.0.5/easy-rsa/2.0/keys
#cp ca.crt server.crt server.key dh1024.pem /usr/local/etc/ # copy the certificate files that server.conf refers to (the CA private key ca.key is not needed here)
Start OpenVPN: openvpn [server config file]
Code:
/usr/local/sbin/openvpn --config /usr/local/etc/server.conf &
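Added here as an example (not part of the original post): a small Python check that the server.conf and client.conf shown above agree on the settings that must match (proto, dev, port, comp-lzo) and that the client pins the server with ns-cert-type, using the same comment filtering as the grep pipeline above. The two sample configs are constructed inline from the page's own files.

```python
import shlex
# Constructed sample input: the server.conf and client.conf from the post.
SERVER_CONF = """
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh /usr/local/etc/dh1024.pem
comp-lzo
"""
CLIENT_CONF = """
client
dev tun
proto udp
remote 192.168.11.27 1194
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
"""

def parse_conf(text):
    """Directive -> args; blank lines and '#'/';' comments are skipped, as the grep pipeline does."""
    conf = {}
    for line in text.splitlines():
        if line.strip().startswith(";"):
            continue
        parts = shlex.split(line, comments=True)  # also drops inline '# ...' comments
        if parts:
            conf[parts[0]] = parts[1:]
    return conf

def check_pair(server_text, client_text):
    """Mismatches that would stop the client connecting or weaken its check of the server."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    problems = []
    if s.get("proto", ["udp"]) != c.get("proto", ["udp"]):
        problems.append("proto differs between server and client")
    if s.get("dev") != c.get("dev"):
        problems.append("dev (tun/tap) differs between server and client")
    remote = c.get("remote", [])
    if s.get("port", ["1194"])[0] != (remote[1] if len(remote) > 1 else "1194"):
        problems.append("client 'remote' port does not match server 'port'")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo must be set on both sides or on neither")
    if c.get("ns-cert-type") != ["server"]:
        problems.append("client lacks 'ns-cert-type server': any CA-signed cert, even another client's, would be accepted as the server")
    return problems
```

Run check_pair on the two files before copying client.conf to the Windows machine; an empty list means the pair is consistent.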
3. Installing the OpenVPN GUI for Windows client
Install OpenVPN GUI for Windows, downloaded from http://openvpn.se. The current version is 1.0.3. Note: the OpenVPN GUI version must match the OpenVPN server version; see the note in section 1 (installation environment).
Follow the on-screen instructions to install the OpenVPN GUI.
Configure the OpenVPN GUI
After installation, go to the config directory under the installation folder, download the client.conf file above from the server into this folder, and rename it client.ovpn.
At the same time, copy the following key files from the server to the local machine:
ca.crt
ca.key
Renamed:
client1.crt -----> client.crt
client1.csr -----> client.csr
client1.key -----> client.key
Then double-click client.ovpn to start OpenVPN, or start the VPN from the OpenVPN GUI controls.
If double-clicking client.ovpn does nothing, right-click the OpenVPN GUI icon in the taskbar, choose Edit Config, paste the contents in and save, then right-click again and choose Connect.
To use the VPN on a second machine, repeat the same configuration, replacing client1.crt, client1.csr and client1.key with the corresponding client2.xxx files, and update the matching key file names in client.ovpn.