Setting up OpenVPN on Linux

Source: Internet   Editor: 程序博客网   Time: 2024/05/16 18:42

1.   Environment
1.1. Server environment
CentOS6, kernel version: 2.6.32-71.el6
IP is 192.168.122.180, tunnel IP is 10.8.0.1

The kernel must support the tun device, and iptables must be loaded.
Check whether tun is available:

# modinfo tun

filename:      /lib/modules/2.6.32-71.el6.i686/kernel/drivers/net/tun.ko
alias:         char-major-10-200
license:       GPL
author:        (C) 1999-2004 Max Krasnyansky maxk@qualcomm.com
description:   Universal TUN/TAP device driver
srcversion:    7D2AAEF89C71C83BBFFA0DE
depends:       
vermagic:      2.6.32-71.el6.i686 SMP mod_unload modversions 686
 

1.2. Client environment
Win7, host IP 192.168.122.29

2.   Installation
2.1. Linux side
OpenVPN currently cannot be installed directly with yum; the official site provides an RPM package that can be downloaded directly. This RPM depends on:

openssl
lzo
pam
In addition, if we compile the source package ourselves, the corresponding development packages of the above are also needed:

openssl-devel
lzo-devel
pam-devel
Fortunately, all of these dependencies can be installed directly with yum.

Here we compile directly from source. After all of the dependencies above are installed, unpack the downloaded source package:

Download the latest source package from http://openvpn.net/index.php/open-source/downloads.html.

#tar xfz openvpn-[version].tar.gz

Then enter the top-level directory of the source tree and run the usual three-step compile and install:

#./configure
#make
#make install

2.2. Windows side
Download the latest installer from http://openvpn.net/index.php/open-source/downloads.html and double-click it to install.

3.   Certificates and key files
Because my environment uses Linux as the server, certificate generation is also done on Linux.

If OpenVPN was installed from the RPM package, the easy-rsa directory is usually under /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn-version; if OpenVPN was compiled from source, easy-rsa is in the top-level directory of the source package. (Before editing anything, it is best to copy the whole easy-rsa directory somewhere else, for example /etc/openvpn, so that a later OpenVPN upgrade will not overwrite your configuration.)

First copy easy-rsa to /etc/openvpn:

#mkdir -p /etc/openvpn
#cp -R easy-rsa /etc/openvpn
#cd /etc/openvpn/easy-rsa/2.0

3.1. CA file
Open the vars file with an editor of your choice and change the following variables to suit your situation:

export KEY_COUNTRY="CN"
export KEY_PROVINCE="CA"
export KEY_CITY="HZ"
export KEY_ORG="MY_ORG"
export KEY_EMAIL="yetyongjin#163.com"
 

Configure openssl: depending on the openssl version installed on the system, copy the matching openssl-version.cnf file to openssl.cnf, or create a symlink to it:

# rpm -q openssl
openssl-1.0.0-20.el6_2.2.i686
# cp openssl-1.0.0.cnf openssl.cnf

Then run the following commands:

#. ./vars
#./clean-all
#./build-ca server

Note that the first command contains two dots.

Output:

Generating a 1024 bit RSA private key
.++++++
......................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [HZ]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:
Name [changeme]:
Email Address [mail@host.domain]:

3.2. Generating the server key
# ./build-key-server server

Here server is the name label given on the command line; if it is omitted, you will be prompted for it during execution.

Generating a 1024 bit RSA private key
.....++++++
.................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [HZ]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [server]:
Name [changeme]:
Email Address [mail@host.domain]:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName          :PRINTABLE:'CN'
stateOrProvinceName  :PRINTABLE:'CA'
localityName         :PRINTABLE:'HZ'
organizationName     :PRINTABLE:'HZ'
organizationalUnitName:PRINTABLE:'changeme'
commonName           :PRINTABLE:'server'
name                 :PRINTABLE:'changeme'
emailAddress         :IA5STRING:'mail@host.domain'
Certificate is to be certified until Mar 28 03:05:21 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Note that the boxed output contains interactive prompts; the defaults are usually fine, but the entries marked in red must be filled in.

3.3. Generating the client key
# ./build-key client1

Here client1 is the client's name; if there are several clients, a key must be generated for each of them.

Generating a 1024 bit RSA private key
...++++++
...............++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [HZ]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [client1]:
Name [changeme]:
Email Address [mail@host.domain]:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName          :PRINTABLE:'CN'
stateOrProvinceName  :PRINTABLE:'CA'
localityName         :PRINTABLE:'HZ'
organizationName     :PRINTABLE:'HZ'
organizationalUnitName:PRINTABLE:'changeme'
commonName           :PRINTABLE:'client1'
name                 :PRINTABLE:'changeme'
emailAddress         :IA5STRING:'mail@host.domain'
Certificate is to be certified until Mar 28 03:21:06 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
  Write out database with 1 new entries
Data Base Updated

Note that the boxed output contains interactive prompts; the defaults are usually fine, but the entries marked in red must be filled in.

3.4. Generating Diffie-Hellman parameters
This step is needed on the server and may take a long time:

#./build-dh

3.5. File description
At this point we have created the complete set of keys and certificate files; they are stored in a subdirectory named keys under the easy-rsa directory. The table below gives a brief description of these files:

Filename      Needed By                  Purpose                    Secret
ca.crt        server + all clients       Root CA certificate        NO
ca.key        key signing machine only   Root CA key                YES
dh{n}.pem     server only                Diffie Hellman parameters  NO
server.crt    server only                Server certificate         NO
server.key    server only                Server key                 YES
client1.crt   client1 only               Client1 certificate        NO
client1.key   client1 only               Client1 key                YES
 

Finally, download the keys directory; some of its files are needed by the client.

4.  Configuration
OpenVPN ships with configuration file templates; edit the options you need according to your situation. The templates are located in:

- the sample-config-files subdirectory of the OpenVPN source package
- for the RPM package, the sample-config-files subdirectory under /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn-version

4.1. Server
Edit /etc/sysctl.conf, find net.ipv4.ip_forward = 0, change it to net.ipv4.ip_forward = 1 and save. Then run:

#sysctl -p

Add the NAT rule:

#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 192.168.122.180

Note that the final 192.168.122.180 must be changed to your VPS's IP address. When done, save the iptables settings with /etc/init.d/iptables save, then restart with /etc/init.d/iptables restart. Copy the keys directory to /etc/openvpn, copy server.conf from the templates to /etc/openvpn, and configure it according to your situation.
Here is my configuration:
local 192.168.122.180
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 202.101.172.35"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4

Start OpenVPN:

#openvpn --config /etc/openvpn/server.conf &
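As an added example (not from the original post), a shell check for the /etc/openvpn layout described in sections 3.5 and 4.1: it confirms that the files named by the ca, cert, key and dh lines of server.conf exist, that the server key is not readable by other users, and that ca.key, which the table above keeps on the key-signing machine only, was not copied along. The directory path is a parameter; only the layout is assumed.

```shell
#!/bin/sh
# Added example, not part of the original post. Audits an OpenVPN server
# directory laid out as in sections 3.5 and 4.1 (server.conf plus keys/).
# Returns the number of problems found (0 = everything as expected).
check_openvpn_server_dir() {
    dir="$1"
    conf="$dir/server.conf"
    problems=0
    if [ ! -f "$conf" ]; then
        echo "missing $conf"
        return 1
    fi
    for opt in ca cert key dh; do
        # second field of the first line that starts with the option name
        path=$(awk -v o="$opt" '$1 == o { print $2; exit }' "$conf")
        if [ -z "$path" ]; then
            echo "server.conf has no '$opt' line"
            problems=$((problems + 1))
            continue
        fi
        # relative paths are taken relative to the config directory
        case "$path" in /*) ;; *) path="$dir/$path" ;; esac
        if [ ! -f "$path" ]; then
            echo "$opt file $path does not exist"
            problems=$((problems + 1))
            continue
        fi
        if [ "$opt" = key ]; then
            # GNU stat first, BSD stat as fallback
            mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
            if [ "$mode" != 600 ] && [ "$mode" != 400 ]; then
                echo "$path is mode $mode, expected 600 (the key must stay secret)"
                problems=$((problems + 1))
            fi
        fi
    done
    # the CA key signs certificates; it has no business on the VPN server
    if [ -n "$(find "$dir" -name ca.key)" ]; then
        echo "ca.key found under $dir: keep it on the key signing machine only"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```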

4.2. Client (Windows)
Open the downloaded keys folder and copy the three files ca.crt, client1.crt and client1.key into the \config directory under the OpenVPN installation path. Edit the configuration file client1.ovpn, using client.conf from the templates as a reference.
Here is my client configuration:
client
dev tun
proto udp
remote 192.168.122.180 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3

On Win7, run OpenVPN GUI as administrator and click the connect button. After a moment you will see the message that the connection succeeded.


4.3. Client (Linux)

Required software (source packages): lzo-2.06.tar.gz and openvpn-2.0.9.tar.gz
tar zxf lzo-2.06.tar.gz
cd lzo-2.06
./configure
make
make install

tar zxf openvpn-2.0.9.tar.gz
cd openvpn-2.0.9
./configure
make
make install

[root@tech sample-config-files]# pwd
/root/openvpn/openvpn-2.0.9/sample-config-files
[root@tech sample-config-files]#mkdir /etc/openvpn
[root@tech sample-config-files]# cp client.conf /etc/openvpn/
[root@tech openvpn]# vim client.conf
client
dev tun
proto udp
remote 192.168.0.239 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3

Server side:
Generate another key, client2:
[root@mail 2.0]# ./build-key client2
Generating a 1024 bit RSA private key
.++++++
............................++++++
writing new private key to 'client2.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [HD]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client2]:
Email Address [hitb@dcw.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName          :PRINTABLE:'CN'
stateOrProvinceName  :PRINTABLE:'BJ'
localityName         :PRINTABLE:'HD'
organizationName     :PRINTABLE:'OpenVPN'
commonName           :PRINTABLE:'client2'
emailAddress         :IA5STRING:'hitb@dcw.com'
Certificate is to be certified until Jun 23 08:32:00 2022 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@mail 2.0]# ls keys/
01.pem ca.key      client2.crt index.txt          serial     server.key
02.pem  client1.crt client2.csr index.txt.attr     serial.old
03.pem  client1.csr client2.key  index.txt.attr.old server.crt
ca.crt  client1.key dh1024.pem  index.txt.old      server.csr

[root@mail keys]# scp ca.crt client2.crt client2.key 192.168.0.2:/etc/openvpn

Client 2:
[root@tech openvpn]# openvpn --config /etc/openvpn/client.conf&
[1] 7697
[root@tech openvpn]# Mon Jun 25 16:27:49 2012 OpenVPN 2.0.9 i686-pc-linux [SSL] [LZO] [EPOLL] built on Jun 25 2012
Mon Jun 25 16:27:49 2012 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mon Jun 25 16:27:49 2012 LZO compression initialized
Mon Jun 25 16:27:49 2012 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Jun 25 16:27:49 2012 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Jun 25 16:27:49 2012 Local Options hash (VER=V4): '41690919'
Mon Jun 25 16:27:49 2012 Expected Remote Options hash (VER=V4): '530fdded'
Mon Jun 25 16:27:49 2012 UDPv4 link local: [undef]
Mon Jun 25 16:27:49 2012 UDPv4 link remote: 192.168.0.239:1194
Mon Jun 25 16:27:49 2012 TLS: Initial packet from 192.168.0.239:1194, sid=ce319771 c1200ee1
Mon Jun 25 16:27:49 2012 VERIFY OK: depth=1, /C=CN/ST=BJ/L=HD/O=OpenVPN/CN=ca/emailAddress=hitb@dcw.com
Mon Jun 25 16:27:49 2012 VERIFY OK: nsCertType=SERVER
Mon Jun 25 16:27:49 2012 VERIFY OK: depth=0, /C=CN/ST=BJ/L=HD/O=OpenVPN/CN=server/emailAddress=hitb@dcw.com
Mon Jun 25 16:27:49 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jun 25 16:27:49 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jun 25 16:27:49 2012 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jun 25 16:27:49 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jun 25 16:27:49 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Jun 25 16:27:49 2012 [server] Peer Connection Initiated with 192.168.0.239:1194
Mon Jun 25 16:27:50 2012 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Jun 25 16:27:50 2012 PUSH: Received control message: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0,route 10.8.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9'
Mon Jun 25 16:27:50 2012 OPTIONS IMPORT: timers and/or timeouts modified
Mon Jun 25 16:27:50 2012 OPTIONS IMPORT: --ifconfig/up options modified
Mon Jun 25 16:27:50 2012 OPTIONS IMPORT: route options modified
Mon Jun 25 16:27:51 2012 TUN/TAP device tun0 opened
Mon Jun 25 16:27:51 2012 /sbin/ifconfig tun0 10.8.0.10 pointopoint 10.8.0.9 mtu 1500
Mon Jun 25 16:27:51 2012 /sbin/route add -net 192.168.2.0 netmask 255.255.255.0 gw 10.8.0.9
Mon Jun 25 16:27:51 2012 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.9
Mon Jun 25 16:27:51 2012 Initialization Sequence Completed
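The client log above can be checked mechanically rather than read by eye. As an added example (not from the original post), this shell function reads an OpenVPN 2.0.x client log on stdin and reports what the tunnel negotiated; the sample lines are constructed from the log above.

```shell
#!/bin/sh
# Added example, not part of the original post. Summarises an OpenVPN 2.0.x
# client log read on stdin: prints the data-channel cipher and HMAC digest,
# flags BF-CBC (Blowfish, 64-bit block size) as weak, and exits 0 only when
# the server chain verified at depth=1 and depth=0, nsCertType=SERVER was
# checked (what "ns-cert-type server" in client.conf asks for) and the
# "Initialization Sequence Completed" line was logged.
openvpn_log_summary() {
    awk -v q="'" '
        /VERIFY OK: depth=1/             { ca_ok = 1 }
        /VERIFY OK: depth=0/             { srv_ok = 1 }
        /VERIFY OK: nsCertType=SERVER/   { type_ok = 1 }
        /Data Channel Encrypt: Cipher/ {
            # value between the quotes that follow "Cipher "
            if (match($0, "Cipher " q "[^" q "]*" q))
                cipher = substr($0, RSTART + 8, RLENGTH - 9)
        }
        /Data Channel Encrypt: Using/ {
            # value between the quotes that follow "hash "
            if (match($0, "hash " q "[^" q "]*" q))
                hmac = substr($0, RSTART + 6, RLENGTH - 7)
        }
        /Initialization Sequence Completed/ { completed = 1 }
        END {
            weak = (cipher == "BF-CBC" || cipher == "DES-CBC") ? 1 : 0
            printf "cipher=%s hmac=%s weak_cipher=%d ca=%d server=%d nstype=%d completed=%d\n", cipher, hmac, weak, ca_ok, srv_ok, type_ok, completed
            exit !(ca_ok && srv_ok && type_ok && completed)
        }'
}

# Constructed sample: the relevant lines of the client log shown above.
sample_client_log() {
    cat <<'EOF'
Mon Jun 25 16:27:49 2012 VERIFY OK: depth=1, /C=CN/ST=BJ/L=HD/O=OpenVPN/CN=ca/emailAddress=hitb@dcw.com
Mon Jun 25 16:27:49 2012 VERIFY OK: nsCertType=SERVER
Mon Jun 25 16:27:49 2012 VERIFY OK: depth=0, /C=CN/ST=BJ/L=HD/O=OpenVPN/CN=server/emailAddress=hitb@dcw.com
Mon Jun 25 16:27:49 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jun 25 16:27:49 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jun 25 16:27:51 2012 Initialization Sequence Completed
EOF
}

sample_client_log | openvpn_log_summary
```

A weak_cipher=1 result on a modern deployment means the data channel is still on the 2.0-era default and the cipher should be changed on both ends.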

[root@tech openvpn]# ifconfig
eth0     Link encap:Ethernet  HWaddr 00:E0:4C:C1:E9:8A
         inet addr:192.168.0.2 Bcast:192.168.0.255  Mask:255.255.255.0
         inet6 addr: fe80::2e0:4cff:fec1:e98a/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST MTU:1500  Metric:1
         RX packets:1322826304 errors:0 dropped:0 overruns:0 frame:0
         TX packets:1153197230 errors:0 dropped:0 overruns:5 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:4142823868 (3.8 GiB)  TX bytes:1710187995 (1.5 GiB)
         Interrupt:169 Base address:0xc00

lo       Link encap:Local Loopback 
         inet addr:127.0.0.1  Mask:255.0.0.0
         inet6 addr: ::1/128 Scope:Host
         UP LOOPBACK RUNNING  MTU:16436 Metric:1
         RX packets:473689547 errors:0 dropped:0 overruns:0 frame:0
         TX packets:473689547 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:15651228 (14.9 MiB)  TX bytes:15651228 (14.9 MiB)

tun0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
         inet addr:10.8.0.10 P-t-P:10.8.0.9  Mask:255.255.255.255
         UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500  Metric:1
         RX packets:3 errors:0 dropped:0 overruns:0 frame:0
         TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:100
         RX bytes:252 (252.0 b)  TX bytes:252 (252.0 b)

 

 

To enable communication between two OpenVPN clients, add the following to the server configuration:
vim /etc/openvpn/server.conf
client-to-client