Building key-based OpenVPN v2.1.3 from source

Source: Internet  Editor: 程序博客网  Time: 2024/05/18 23:27
1. Build and install OpenVPN

Download the source
wget http://openvpn.net/release/openvpn-2.1.3.tar.gz
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz

Extract the source and patches (the steps below assume both trees are extracted under /opt)

tar -zxvf [path to openvpn-2.1.3.tar.gz] -C /opt

tar -zxvf [path to lzo-2.06.tar.gz] -C /opt

Build lzo
cd /opt/lzo-2.06/

./configure && make && make install

Build OpenVPN (ipv6)
cd /opt/openvpn-2.1.3

./configure --build=i386-redhat-linux-gnu --host=i386-redhat-linux-gnu --target=i686-redhat-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --enable-password-save --enable-iproute2 --with-ifconfig-path=/sbin/ifconfig --with-iproute-path=/sbin/ip --with-route-path=/sbin/route

make && make install

Install openssl
yum install -y openssl

2. Generate the key files

Download easy-rsa

cd /opt

yum install git

git clone git://github.com/OpenVPN/easy-rsa.git

cd easy-rsa/easy-rsa/2.0

Edit the configuration file
vi vars

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_EMAIL=mail@host.domain

Generate the key files
. vars

./clean-all

./build-ca

If you see

  No /usr/share/openvpn/easy-rsa/2.0/openssl.cnf file could be found
  Further invocations will fail

then run

cp openssl-1.0.0.cnf openssl.cnf


./build-key-server XXXXXX   [XXXXXX is the server name, assumed to be "server"; change as needed]

./build-key XXXXXX   [XXXXXX is the client name, assumed to be "client"; change as needed]

./build-dh

Copy the key files

cd keys

cp ca.crt server.crt server.key dh2048.pem /etc/openvpn

3. Server configuration file: create server.conf under /etc/openvpn and write the following into it. The original official reference server configuration is /usr/share/doc/openvpn-2.3.0/sample-config-files/server.conf

cp /usr/share/doc/openvpn-2.2.1/sample-config-files/server.conf /etc/openvpn

vi /etc/openvpn/server.conf

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

port 1194

;proto tcp
proto udp

;dev tap
dev tun

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key  # This file should be kept secret

dh /etc/openvpn/dh2048.pem

server 10.8.1.0 255.255.255.0

ifconfig-pool-persist /var/log/ipp.txt

push "route 10.8.1.0 255.255.255.0"

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

client-to-client

duplicate-cn

keepalive 10 120

comp-lzo

user nobody
group nobody

persist-key
persist-tun

status /var/log/openvpn-status.log

log-append  /var/log/openvpn.log #comment this line out to see errors directly in the console

verb 3

mute 20
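A pre-flight check for the server configuration above, added here as an example that is not part of the original post: it confirms that every file named by the ca/cert/key/dh directives exists, that the key file is not readable by group or other, and that the user/group privilege drop is present. The fixture directory and dummy files are constructed for the demo; call check_openvpn_conf /etc/openvpn/server.conf /etc/openvpn to check a real installation.

```shell
# Added example (not from the original post): pre-flight check of an OpenVPN
# server.conf. Confirms each file named by ca/cert/key/dh exists and that the
# private key ("This file should be kept secret") is unreadable by group/other,
# and that privileges are dropped with user/group after initialization.

check_openvpn_conf() {
    conf="$1"; base="$2"; fails=0
    for directive in ca cert key dh; do
        # value of the first active (non-commented) line for the directive;
        # a trailing "# ..." comment, as in the sample config, is not part of $2
        f=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$f" ]; then
            echo "MISSING: no '$directive' directive in $conf"; fails=$((fails + 1)); continue
        fi
        case "$f" in /*) path="$f" ;; *) path="$base/$f" ;; esac   # relative to the config dir
        if [ ! -f "$path" ]; then
            echo "MISSING: $directive -> $path not found"; fails=$((fails + 1))
        elif [ "$directive" = key ]; then
            # ls -l mode string: characters 5-10 are the group and other permission bits
            mode=$(ls -ld "$path" | cut -c5-10)
            [ "$mode" = "------" ] || { echo "PERMS: $path readable by group/other"; fails=$((fails + 1)); }
        fi
    done
    grep -q '^user ' "$conf" && grep -q '^group ' "$conf" \
        || { echo "WARN: no user/group privilege drop"; fails=$((fails + 1)); }
    return "$fails"
}

make_fixture() {
    # Constructed fixture: a scratch directory standing in for /etc/openvpn,
    # with dummy files in place of the real ca.crt/server.crt/server.key/dh2048.pem
    d=$(mktemp -d)
    for f in ca.crt server.crt server.key dh2048.pem; do echo dummy > "$d/$f"; done
    chmod 600 "$d/server.key"
    cat > "$d/server.conf" <<EOF
port 1194
proto udp
dev tun
ca $d/ca.crt
cert $d/server.crt
key $d/server.key  # This file should be kept secret
dh dh2048.pem
server 10.8.1.0 255.255.255.0
user nobody
group nobody
EOF
    echo "$d"
}
```

The return value is the number of findings, so it can be used directly as a gate before running openvpn --config.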

4. Enable IP forwarding

vi /etc/sysctl.conf

net.ipv4.ip_forward = 1

sysctl -p

5. iptables setup

iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE

iptables -A INPUT -p udp --dport 1194 -j ACCEPT

/etc/init.d/iptables save

service iptables restart

6. Test start-up: run the command below; if you see "Initialization Sequence Completed", the server is working.

openvpn --config /etc/openvpn/server.conf

7. Client configuration file: create client.ovpn in the config folder of the OpenVPN installation directory and write the following into it. The original official file is C:\Program Files\OpenVPN\sample-config\client.conf. You also need to download client.crt, client.key and ca.crt from the easy-rsa/easy-rsa/2.0/keys/ folder into the config folder.

client

;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node OpenVPN

;proto tcp
proto udp

remote server-ip 1194
;remote my-server-2 1194

resolv-retry infinite

nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

persist-key
persist-tun

ca ca.crt
cert client.crt
key client.key

ns-cert-type server

comp-lzo

verb 3

mute 20

Then test the connection; the debug output on the server and client sides can be consulted, search Baidu for details.

8. If the test succeeds, follow-up steps

8.1 Run openvpn in the background

openvpn --daemon --config /etc/openvpn/server.conf

8.2 Start on boot: edit /etc/rc.d/rc.local and add the following

openvpn --daemon --config /etc/openvpn/server.conf

9. Adding a new OpenVPN user

cd easy-rsa/easy-rsa/2.0

. vars

./build-key XXXXXX

(Do not run ./build-ca again here: it would overwrite the existing CA, and the server, which still trusts the old ca.crt, would reject certificates signed by the new one.)

Likewise copy XXXXXX.crt, XXXXXX.key, ca.crt and client.ovpn into the config folder.