OpenVPN Installation Tutorial

Source: Internet  Editor: 程序博客网  Time: 2024/05/18 07:20

1. OpenVPN server

Check that the tun device is available. The "File descriptor in bad state" message below is the expected result: it shows that /dev/net/tun exists and the tun module is loaded (a missing device would report "No such file or directory" instead).

$ cat /dev/net/tun
cat: /dev/net/tun: File descriptor in bad state

Installation

$ yum install -y openssl
$ yum install -y openvpn
$ yum install -y easy-rsa

Generate the CA certificate

$ cd /usr/share/easy-rsa/2.0
$ touch chenliujin
$ vim chenliujin
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=GD
export KEY_CITY=SZ
export KEY_ORG="chenliujin.com"
export KEY_EMAIL="liujin.chen@qq.com"
export OPENSSL=/usr/bin/openssl
$ source chenliujin
$ rpm -q openssl
openssl-1.0.0-20.el6.x86_64
$ cp openssl-1.0.0.cnf openssl.cnf
$ ./clean-all
$ ./build-ca
......
Country Name (2 letter code) [CN]:(Enter)
State or Province Name (full name) [GD]:(Enter)
Locality Name (eg, city) [SZ]:(Enter)
Organization Name (eg, company) [chenliujin.com]:(Enter)
Organizational Unit Name (eg, section) []:chenliujin
Common Name (eg, your name or your server's hostname) [chenliujin.com CA]:chenliujin.com
Name []:chenliujin
Email Address [liujin.chen@qq.com]:(Enter)

Generate the server key

$ ./build-key-server server
......
Country Name (2 letter code) [CN]:(Enter)
State or Province Name (full name) [GD]:(Enter)
Locality Name (eg, city) [SZ]:(Enter)
Organization Name (eg, company) [chenliujin.com]:(Enter)
Organizational Unit Name (eg, section) []:chenliujin
Common Name (eg, your name or your server's hostname) [server]:chenliujin.com
Name []:chenliujin
Email Address [liujin.chen@qq.com]:(Enter)
......
A challenge password []:123456
An optional company name []:chenliujin.com
......
Sign the certificate? [y/n]:y
......
1 out of 1 certificate requests certified, commit? [y/n]y

Generate Diffie-Hellman parameters

$ ./build-dh

Generate the client key

$ ./build-key *.209.114.115
......
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [chenliujin.com]:
Organizational Unit Name (eg, section) []:chenliujin
Common Name (eg, your name or your server's hostname) [114115]:
Name []:chenliujin
Email Address [liujin.chen@qq.com]:
......
A challenge password []:123456
An optional company name []:chenliujin.com
......
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
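Before copying anything to clients, it is worth checking what easy-rsa actually produced. The functions below are an added example, not part of the original tutorial or of easy-rsa: they assume the openssl CLI is installed and check that server.crt chains to ca.crt, that it carries the nsCertType=server extension the client's `ns-cert-type server` line depends on, that the key is at least 2048 bits (the tutorial's KEY_SIZE=1024 would fail this check), and that the private key is mode 600. make_demo_pki builds a constructed throwaway CA and server certificate so the checks can be exercised without a real keys directory.

```shell
# Verify that a certificate chains to the CA (exit status 0 on success).
check_chain() {  # $1 = ca.crt, $2 = certificate to check
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The client config uses "ns-cert-type server", which only passes if the server
# certificate carries nsCertType = SSL Server (easy-rsa's build-key-server sets it).
has_server_nscerttype() {  # $1 = server certificate
  openssl x509 -in "$1" -noout -text | grep -A1 'Netscape Cert Type' | grep -q 'SSL Server'
}

# RSA modulus length of the certificate's public key. Anything below 2048 bits
# (such as this tutorial's KEY_SIZE=1024) is below current guidance.
key_bits() {  # $1 = certificate
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Private keys must be readable by their owner only.
key_perms_ok() {  # $1 = private key file
  [ "$(stat -c %a "$1")" = "600" ]
}

# All server-side checks in one call; prints "ok" or the first failing check.
audit_server() {  # $1 = keys directory containing ca.crt, server.crt, server.key
  check_chain "$1/ca.crt" "$1/server.crt" || { echo "server.crt not signed by ca.crt"; return 1; }
  has_server_nscerttype "$1/server.crt" || { echo "server.crt lacks nsCertType=server"; return 1; }
  [ "$(key_bits "$1/server.crt")" -ge 2048 ] || { echo "server key shorter than 2048 bits"; return 1; }
  key_perms_ok "$1/server.key" || { echo "server.key is not mode 600"; return 1; }
  echo "ok"
}

# Constructed throwaway PKI for exercising the checks (not produced by easy-rsa):
# a CA and a server certificate with nsCertType=server, 2048-bit keys, 1-day validity.
make_demo_pki() {  # $1 = empty directory
  d=$1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo CA" \
    -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 1 \
    -extfile "$d/ca.ext" -out "$d/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=server" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  printf 'nsCertType=server\nextendedKeyUsage=serverAuth\n' > "$d/server.ext"
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -extfile "$d/server.ext" -out "$d/server.crt" 2>/dev/null
  chmod 600 "$d/ca.key" "$d/server.key"
}
```

Against the real installation, run `audit_server /usr/share/easy-rsa/2.0/keys`; the same check_chain call can be pointed at each client certificate before it is handed out.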

Configuration

$ cd /etc/openvpn
$ touch server.conf
$ vim server.conf
port 1194
proto udp
dev tun
ca /usr/share/easy-rsa/2.0/keys/ca.crt
cert /usr/share/easy-rsa/2.0/keys/server.crt
key /usr/share/easy-rsa/2.0/keys/server.key
dh /usr/share/easy-rsa/2.0/keys/dh1024.pem
server 10.10.20.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /usr/share/easy-rsa/2.0/keys/openvpn-status.log
verb 4
push "dhcp-option DNS 10.10.20.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

Start the service

$ mkdir -p /var/log/openvpn
$ openvpn --config /etc/openvpn/server.conf >> /var/log/openvpn/server.log 2>&1 &

Start automatically at boot

$ vim /etc/rc.local
openvpn --config /etc/openvpn/server.conf >> /var/log/openvpn/server.log 2>&1 &

Verify

$ netstat -an | grep 1194
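Seeing port 1194 open says nothing about who is on the tunnel. The script below is an added example, not part of the original tutorial: it reads the file named by the `status` directive in server.conf (the status-version 1 layout OpenVPN writes by default) and lists the connected clients, then flags any common name that is not one of the client certificates issued with build-key, which matters with `client-to-client` enabled because every connected peer can reach every other. STATUS_SAMPLE is a constructed file standing in for /usr/share/easy-rsa/2.0/keys/openvpn-status.log; the common name 114115 is the one the tutorial's build-key step defaulted to, the other entries are invented.

```shell
# Constructed sample in the layout OpenVPN writes for "status <file>" (status-version 1).
STATUS_SAMPLE=$(mktemp)
cat > "$STATUS_SAMPLE" <<'EOF'
OpenVPN CLIENT LIST
Updated,Mon May  5 10:00:00 2014
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
114115,203.0.113.7:51820,463880,15622,Mon May  5 09:30:12 2014
laptop,198.51.100.4:40001,1024,2048,Mon May  5 09:58:40 2014
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.10.20.6,114115,203.0.113.7:51820,Mon May  5 09:59:58 2014
10.10.20.10,laptop,198.51.100.4:40001,Mon May  5 09:59:59 2014
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF

# Print "common-name virtual-ip real-address" for each entry in the ROUTING TABLE
# section, i.e. each client that currently holds a tunnel address.
list_clients() {  # $1 = status file
  awk -F, '/^ROUTING TABLE/ { r = 1; next }
           /^GLOBAL STATS/  { r = 0 }
           r && NF == 4 && $1 ~ /^[0-9]+\./ { print $2, $1, $3 }' "$1"
}

# Number of connected clients.
client_count() {  # $1 = status file
  list_clients "$1" | wc -l | tr -d ' '
}

# Print every connected client whose common name is not among the certificates
# issued with build-key ($2 = space-separated list of expected common names).
unexpected_clients() {  # $1 = status file, $2 = expected common names
  list_clients "$1" | while read -r cn vip real; do
    case " $2 " in
      *" $cn "*) ;;
      *) echo "$cn $vip $real" ;;
    esac
  done
}
```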

Firewall

$ iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT

Sharing Internet access through the VPN (NAT)

* Enable NAT masquerading

$ iptables -t nat -A POSTROUTING -s 10.10.20.0/255.255.255.0 -o eth0 -j MASQUERADE
$ iptables -t nat -L -n --line-numbers

* Enable IP forwarding

$ sysctl -w net.ipv4.ip_forward=1

* Notice

The settings above cause an Nginx 502 Bad Gateway error (upstream prematurely closed connection while reading response header from upstream, upstream: "fastcgi://127.0.0.1:9000"). The problem is not yet resolved; apply these settings with care.

Remove the NAT rule

$ iptables -t nat -D POSTROUTING -s 10.10.20.0/255.255.255.0 -o eth0 -j MASQUERADE
$ iptables -t nat -L -n --line-numbers

2. OpenVPN client

* Win7

Installation

See: http://wenku.baidu.com/view/b43f4fe8172ded630b1cb6f9.html

http://code.google.com/p/vpntech/downloads/detail?name=openvpn-2.1.1-gui-1.0.3-install-cn-64bit.zip&can=2&q=

Configuration

* CentOS

Installation

$ yum install -y openvpn

Configuration

$ vim /etc/openvpn/*.239.114.115/*.239.114.115.ovpn
client
dev tun
proto udp
remote *.239.114.115 1194
persist-key
persist-tun
ca /etc/openvpn/*.239.114.115/ca.crt
cert /etc/openvpn/*.239.114.115/*.239.114.115.crt
key /etc/openvpn/*.239.114.115/*.239.114.115.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
route-method exe
route-delay 2
mssfix 1300
tun-mtu-extra 32
$ cd /etc/openvpn/*.239.114.115
$ rsync root@*.239.114.115:/usr/share/easy-rsa/2.0/keys/ca.crt ./
$ rsync root@*.239.114.115:/usr/share/easy-rsa/2.0/keys/*.239.114.115.crt ./
$ rsync root@*.239.114.115:/usr/share/easy-rsa/2.0/keys/*.239.114.115.key ./

Start

$ 8

Start at boot

OpenVPN is quite robust: if the connection is interrupted, the server cannot be reached, or the network goes down, it reconnects automatically.

$ mkdir -p /var/log/openvpn
$ vim /etc/rc.local
nohup openvpn /etc/openvpn/*.239.114.115/*.239.114.115.ovpn >> /var/log/openvpn/client.log 2>&1 &

No Internet access through the tunnel => this is fixed on the server, not in the client configuration

$ vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
$ iptables -t nat -A POSTROUTING -j MASQUERADE
$ iptables -t nat -D POSTROUTING -j MASQUERADE    # delete the rule
$ iptables -t nat -L -n --line-numbers

Test

Server

$ ifconfig -a
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.10.20.1  P-t-P:10.10.20.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:6307 errors:0 dropped:0 overruns:0 frame:0
          TX packets:174 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:463880 (453.0 KiB)  TX bytes:15622 (15.2 KiB)

Client

$ ifconfig -a
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.10.20.6  P-t-P:10.10.20.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
$ ping 10.10.20.1
$ ssh 10.10.20.1
$ traceroute *.239.114.115
$ traceroute 10.10.20.1

3. References

  • OpenVPN installation and configuration in practice: http://heylinux.com/archives/555.html
  • Installing OpenVPN with yum on CentOS 5, one server to many clients: http://blog.chinaunix.net/uid-22646981-id-3028863.html
  • Setting up an OpenVPN server in routed mode with certificate authentication: http://kerry.blog.51cto.com/172631/315437
  • Advanced OpenVPN routing: internal routing: http://www.oschina.net/question/234345_47442
  • Using route to solve small VPN annoyances: http://blog.csdn.net/iiprogram/article/details/2220492