Installing OpenVPN

Source: Internet   Editor: 程序博客网   Time: 2024/05/26 02:52

Environment:

Operating system: CentOS 6.6

Software: lzo-2.06.tar.gz, openvpn-2.2.2.tar.gz

Server IP: 192.168.1.12


Preparation before installing

1. Stop the firewall

[root@openvpn ~]# /etc/init.d/iptables stop    # stop it now (until reboot)
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
[root@openvpn ~]# chkconfig iptables off    # keep it disabled across reboots


2. Disable SELinux

[root@openvpn ~]# setenforce 0    # disable now (until reboot)
[root@openvpn ~]# sed -i 's#SELINUX=enforcing#SELINUX=disabled#' /etc/selinux/config    # keep it disabled across reboots
[root@openvpn ~]# getenforce    # check the current state
Permissive


3. Synchronise the clock (automatically syncs with a time server every 5 minutes)

[root@openvpn ~]# echo '*/5 * * * * /usr/sbin/ntpdate s2c.time.edu.cn >/dev/null 2>&1' >>/var/spool/cron/root
[root@openvpn ~]# crontab -l
*/5 * * * * /usr/sbin/ntpdate s2c.time.edu.cn >/dev/null 2>&1

4. Install the dependencies

[root@openvpn ~]# yum install -y lrzsz openssl* gcc-c++


5. Download the packages (lzo-2.06.tar.gz and openvpn-2.2.2.tar.gz; search Baidu for them) and upload them to the server

Create a directory for the packages on the server and upload the downloaded files into it.

[root@openvpn ~]# mkdir /tools
[root@openvpn ~]# cd /tools
[root@openvpn tools]# rz

Installation

1. Install lzo

[root@openvpn tools]# ll
total 1464
-rw-r--r--. 1 root root 583045 Feb 15  2017 lzo-2.06.tar.gz
-rw-r--r--. 1 root root 911158 Jul 21  2016 openvpn-2.2.2.tar.gz
[root@openvpn tools]# tar zxf lzo-2.06.tar.gz
[root@openvpn tools]# cd lzo-2.06
[root@openvpn lzo-2.06]# ./configure
[root@openvpn lzo-2.06]# make
[root@openvpn lzo-2.06]# make install
[root@openvpn lzo-2.06]# cd ..

2. Install OpenVPN

[root@openvpn tools]# tar zxf openvpn-2.2.2.tar.gz
[root@openvpn tools]# cd openvpn-2.2.2
[root@openvpn openvpn-2.2.2]# ./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib
[root@openvpn openvpn-2.2.2]# make
[root@openvpn openvpn-2.2.2]# make install
[root@openvpn openvpn-2.2.2]# which openvpn              # locate the installed openvpn binary
/usr/local/sbin/openvpn

Configure the OpenVPN server

[root@openvpn openvpn-2.2.2]# cd /tools/openvpn-2.2.2/easy-rsa/2.0
[root@openvpn 2.0]# vim vars    # edit the last 12 lines

# Adjust these to your own situation

export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="Beijing"
export KEY_ORG="test"
export KEY_EMAIL="test@test.com"
export KEY_EMAIL=mail@host.domain    # overrides the line above; this is the value the prompts below show
export KEY_CN=changeme
export KEY_NAME=changeme
export KEY_OU=changeme
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234

Create the certificates

[root@openvpn 2.0]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /tools/openvpn-2.2.2/easy-rsa/2.0/keys
[root@openvpn 2.0]# ./clean-all

1. Create the CA certificate

[root@openvpn 2.0]# ./build-ca
Generating a 1024 bit RSA private key
..................++++++
.....................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [test]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:
Name [changeme]:
Email Address [mail@host.domain]:

2. Create the server certificate

[root@openvpn 2.0]# ./build-key-server testserver    # testserver is the certificate name; change it as needed
Generating a 1024 bit RSA private key
....................++++++
...................++++++
writing new private key to 'testserver.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [test]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [testserver]:
Name [changeme]:
Email Address [mail@host.domain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /tools/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'Beijing'
organizationName      :PRINTABLE:'test'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'testserver'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Oct 31 08:11:59 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

3. Create the client certificate

[root@openvpn 2.0]# ./build-key testclient    # without a passphrase
Generating a 1024 bit RSA private key
..++++++
.............................++++++
writing new private key to 'testclient.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [test]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [testclient]:
Name [changeme]:
Email Address [mail@host.domain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /tools/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'Beijing'
organizationName      :PRINTABLE:'test'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'testclient'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Oct 31 08:16:56 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

4. Create the Diffie-Hellman parameters

[root@openvpn 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time

Copy the keys and the configuration files

[root@openvpn 2.0]# mkdir -p /etc/openvpn
[root@openvpn 2.0]# cd /tools/openvpn-2.2.2/easy-rsa/2.0
[root@openvpn 2.0]# cp -ap keys /etc/openvpn
[root@openvpn 2.0]# cd /tools/openvpn-2.2.2/sample-config-files/
[root@openvpn sample-config-files]# cp client.conf server.conf /etc/openvpn


Edit the configuration file

[root@openvpn sample-config-files]# vim /etc/openvpn/server.conf    # edit the copy in /etc/openvpn, the file openvpn is started with below
local 192.168.1.20    # this host's address; it must be the IP the server actually listens on
port 1194    # port to listen on
proto udp    # protocol to use
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/testserver.crt    # must match the name given to build-key-server above
dh /etc/openvpn/keys/dh1024.pem
key /etc/openvpn/keys/testserver.key
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.16.0.0 255.255.255.0"    # subnet clients need to reach through the VPN; adjust as needed
duplicate-cn
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 3

Enable kernel IP forwarding

[root@openvpn sample-config-files]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1    # change 0 to 1
[root@openvpn sample-config-files]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

Start OpenVPN in the background

[root@openvpn sample-config-files]# /usr/local/sbin/openvpn --config /etc/openvpn/server.conf &

Set up NAT

[root@openvpn sample-config-files]# /sbin/iptables -t nat -I POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE
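Before starting the server it is worth checking that server.conf actually points at the files easy-rsa produced: the stock sample file names server.crt/server.key, while build-key-server above created testserver.crt/testserver.key. The following audit script is an added example, not code from the original post or from OpenVPN; it parses a constructed server.conf, compares the ca/cert/key/dh paths against a constructed listing of /etc/openvpn/keys, and also flags the 1024-bit DH parameters, duplicate-cn and the absence of tls-auth, which are the settings in this configuration a defender would want to revisit.

```python
import shlex

# Constructed sample: the stock server.conf still naming server.crt/server.key,
# although easy-rsa above built certificates called "testserver".
SERVER_CONF = """\
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
dh /etc/openvpn/keys/dh1024.pem
key /etc/openvpn/keys/server.key
server 10.8.0.0 255.255.255.0
push "route 172.16.0.0 255.255.255.0"
duplicate-cn
comp-lzo
"""

# Constructed listing of /etc/openvpn/keys after build-ca, build-key-server
# testserver, build-key testclient and build-dh (what cp -ap keys copied).
KEYS_DIR = "/etc/openvpn/keys"
KEYS_FILES = {"ca.crt", "ca.key", "testserver.crt", "testserver.key", "testclient.crt",
              "testclient.key", "dh1024.pem", "index.txt", "serial"}

def parse_conf(text):
    # Yield (directive, args) per line, skipping blanks and '#'/';' comments.
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            parts = shlex.split(line)
            yield parts[0], parts[1:]

def audit_server_conf(text, keys_dir=KEYS_DIR, keys_files=KEYS_FILES):
    # Return a list of findings; an empty list means nothing was flagged.
    findings, seen = [], set()
    for directive, args in parse_conf(text):
        seen.add(directive)
        if directive in ("ca", "cert", "key", "dh") and args:
            folder, _, name = args[0].rpartition("/")
            if folder != keys_dir or name not in keys_files:
                findings.append(f"{directive}: {args[0]} not found in {keys_dir}")
            if directive == "dh" and "1024" in name:
                findings.append("dh: 1024-bit DH parameters are below current minimums")
    if "duplicate-cn" in seen:
        findings.append("duplicate-cn: one client certificate can be shared by many clients")
    if "tls-auth" not in seen:
        findings.append("tls-auth: not set, so unauthenticated packets reach the TLS handshake")
    return findings
```

Relative paths (for example `ca ca.crt`) are reported as not found as well, because the check only accepts files under the keys directory that was copied above.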

Client installation (Windows)

Download the OpenVPN client, double-click the installer and click Next until it finishes. Then open the directory "X:\Program Files (x86)\OpenVPN\config" and put the 4 files from the archive into that config folder (X is the drive letter the client was installed on).

Right-click the icon in the bottom-right corner of the screen and choose Connect; the client connects automatically and shows a notification when done.

At this point the VPN connection is established.


Notes:

1. The version downloaded here is 32-bit; if you installed the 64-bit version, put the certificate files in X:\Program Files\OpenVPN\config instead (note the "(x86)" in the 32-bit path).

2. After installation a new virtual network adapter appears automatically; if it does not, reinstall the client.