OpenVPN installation (Linux)
Source: Internet  Editor: 程序博客网  Time: 2024/06/06 04:46
System environment: CentOS 6.3 x64
Deployment environment:
1. Open the firewall (the required ports are allowed through in the network settings below)
2. Disable SELinux
# setenforce 0
# vi /etc/sysconfig/selinux
---------------
SELINUX=disabled
---------------
Server side:
I. Network settings
1. Enable IP forwarding on the server
# vi /etc/sysctl.conf
---------------------
net.ipv4.ip_forward = 1
---------------------
# sysctl -p
2. Set up NAT:
Note: this lets the VPN address pool reach the Internet through the server's external interface
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
3. Allow the OpenVPN port through the firewall:
# iptables -A INPUT -p TCP --dport 61131 -j ACCEPT
#iptables -A INPUT -p UDP --dport 61131 -j ACCEPT   (not needed: server.conf below uses proto tcp)
# iptables -A INPUT -p TCP --dport 7505 -j ACCEPT
#iptables -A INPUT -p UDP --dport 7505 -j ACCEPT   (not needed)
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Note: nothing in the server.conf below listens on port 7505 (no management interface is configured), so that rule can be left out unless one is added; opening only the ports the configuration actually uses keeps the exposed surface small.
4. Time synchronization (important: certificate validity checks depend on a correct clock):
# ntpdate asia.pool.ntp.org
II. Install dependencies
# yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig
III. Install OpenVPN:
# wget <URL of the openvpn-2.3.0.tar.gz source tarball from the OpenVPN project's release downloads>
Note: the easy-rsa archive downloaded in section IV is not the OpenVPN source; the tarball unpacked in the next step is OpenVPN 2.3.0 itself.
# tar zxvf openvpn-2.3.0.tar.gz
# cd openvpn-2.3.0
# ./configure --prefix=/usr/local/openvpn
# make && make install
# mkdir -p /etc/openvpn
Copy the sample templates into the OpenVPN configuration directory:
# cp -rf sample /etc/openvpn/
Copy the sample server configuration into the main directory:
# cp /etc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/
IV. Download easy-rsa:
Note: this package is used to create the CA certificate, the server certificate and the client certificates. The OpenVPN 2.3.0 source does not ship easy-rsa, so it has to be downloaded and installed separately to generate certificates for OpenVPN.
# wget https://codeload.github.com/OpenVPN/easy-rsa-old/zip/master
# unzip master
# mv easy-rsa-old-master easy-rsa
# cp -rf easy-rsa /etc/openvpn
# cd /etc/openvpn/easy-rsa/easy-rsa/2.0
# vi vars
Modify the following parameters
Note: these values become the defaults offered when the server CA certificate is generated later
---------------------
export KEY_COUNTRY="CN"
export KEY_PROVINCE="city"
export KEY_CITY="city"
export KEY_ORG="org"
export KEY_EMAIL="test@126.com"
# KEY_EMAIL is assigned twice; the second assignment below is the one that takes effect
export KEY_EMAIL=test2006@126.com
export KEY_CN=llb
export KEY_NAME=llb
export KEY_OU=llb
export PKCS11_MODULE_PATH=llb
export PKCS11_PIN=1234
---------------------
Create a symlink for the OpenSSL configuration file:
# ln -s openssl-1.0.0.cnf openssl.cnf
Make the vars file executable and source it
# chmod +x vars
# source ./vars
-----------------
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/easy-rsa/2.0/keys
-----------------
Note: in other words, running ./clean-all deletes everything under /etc/openvpn/easy-rsa/easy-rsa/2.0/keys
Start configuring the certificates:
1. Clear any existing certificates:
# ./clean-all
Note: this command is fine to run on a first install, but use it with care once clients have been added, because it deletes every certificate and key generated so far, exactly as the warning above says
2. Generate the server-side CA certificate
# ./build-ca
Note: because the defaults were set in vars, just press Enter at each prompt
3. Generate the server key and certificate; openvpn.example.com at the end is the server name and can be changed
# ./build-key-server openvpn.example.com
---------------------------
Generating a 2048 bit RSA private key
...................................................+++
..................................+++
writing new private key to 'openvpn.example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SX]:
Locality Name (eg, city) [Xian]:
Organization Name (eg, company) [example]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [openvpn.example.com]:
Name [EasyRSA]:
Email Address [user01@example.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:          (set a password)
An optional company name []:      (the company name configured earlier)
Using configuration from /etc/openvpn/easy-rsa/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SX'
localityName :PRINTABLE:'Xian'
organizationName :PRINTABLE:'example'
commonName :PRINTABLE:'openvpn.example.com'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'user01@example.com'
Certificate is to be certified until Jun 10 21:58:49 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
---------------------------
4. Generate the certificate and key files for each client:
# ./build-key client1
# ./build-key client2
Note: this works like generating the server certificate; one step in the middle prompts for the server password, and at every other prompt accept the default by pressing Enter.
5. Next generate the Diffie-Hellman parameters used for OpenVPN's key exchange (this takes a long time)
# ./build-dh
Note: build-dh writes keys/dh<KEY_SIZE>.pem; with the 2048-bit setting shown in the output above that is dh2048.pem, and the dh line in server.conf must name that file.
6. Pack the keys
# tar zcvf keys.tar.gz keys/
Note: keys/ also holds ca.key and the server key. Only ca.crt, client1.crt and client1.key are needed on the client (section VI), so it is better to pack just those three files for each client.
7. Send it from the terminal to the client for later use
# yum install lrzsz -y
# sz keys.tar.gz
V. Configure the OpenVPN server:
# vi /etc/openvpn/server.conf
Note: the default template can be used as a base; this example is a custom configuration file (the dh line must name the file build-dh produced, see step 5 of section IV):
--------------------------
port 61131
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/openvpn.example.com.crt
key /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/openvpn.example.com.key
dh /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.240
ifconfig-pool-persist ipp.txt
push "route 0.0.0.0 0.0.0.0"
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3
--------------------------
Create the log directory:
# mkdir -p /var/log/openvpn/
Note: server.conf above writes to /var/log/openvpn.log and /var/log/openvpn-status.log, so this directory is not used unless the log paths are changed to point into it.
Start the OpenVPN server
# /usr/local/openvpn/sbin/openvpn --config /etc/openvpn/server.conf &
Enable start at boot:
# echo "/usr/local/openvpn/sbin/openvpn --config /etc/openvpn/server.conf > /dev/null 2>&1 &" >> /etc/rc.local
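Two things in this section go wrong silently: a ca/cert/key/dh line that names a file which does not exist (for instance dh1024.pem when build-dh wrote dh2048.pem), and a port/proto pair that the firewall rules from section I do not accept. The functions below are an added example (not from the original post); they assume absolute file paths in server.conf, as in the configuration above, and take the firewall rules as a file written by iptables-save.

```shell
# Added example (not from the original post): cross-check server.conf against the
# files and firewall rules it depends on.  Assumes absolute file paths in the conf,
# as in the configuration above, and an iptables-save style rule dump as input.
set -e
# First value of a directive, e.g. conf_value server.conf dh
conf_value() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# Every file-valued directive must point at a non-empty file.  This catches a
# "dh .../dh1024.pem" line when build-dh actually wrote dh2048.pem.
conf_files_exist() {
    for k in ca cert key dh; do
        f=$(conf_value "$1" "$k")
        [ -n "$f" ] && [ -s "$f" ] || { echo "$k: missing file '$f'" >&2; return 1; }
    done
}

# The port/proto the server listens on must be accepted by an INPUT rule such as
# "-A INPUT -p tcp -m tcp --dport 61131 -j ACCEPT".  A udp rule does not satisfy
# a tcp listener, and vice versa.
conf_port_allowed() {   # $1 = server.conf, $2 = rule dump
    port=$(conf_value "$1" port); proto=$(conf_value "$1" proto)
    proto=${proto%-server}           # OpenVPN also accepts tcp-server / udp-server
    [ -n "$port" ] && [ -n "$proto" ] || return 1
    grep -qiE -- "-A INPUT .*-p ${proto} .*--dport ${port} .*-j ACCEPT" "$2"
}
```

For the layout on this page: conf_files_exist /etc/openvpn/server.conf, then iptables-save > /tmp/rules and conf_port_allowed /etc/openvpn/server.conf /tmp/rules.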
VI. Install the Windows client (Win7 64-bit)
1. Download the client and install it with the defaults:
http://vpntech.googlecode.com/files/openvpn-2.1.1-gui-1.0.3-install-cn-64bit.zip
Version 2.1.1 must be used, otherwise it errors! If the link is dead, find the file elsewhere online
2. Extract the package sent from the server and copy ca.crt, client1.crt and client1.key from it into C:\Program Files\OpenVPN\config on the client.
3. Create a client.ovpn file in C:\Program Files\OpenVPN\config
with the following contents:
-----------------------
client
dev tun
proto tcp
remote example.com 61131
resolv-retry infinite
nobind
#user nobody
#group nobody
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
redirect-gateway def1
-----------------------
4. Connect:
Right-click the OpenVPN icon in the bottom-right tray and choose "Connect"; if an IP address is assigned normally, the connection has succeeded.
Note: client.ovpn above trusts any certificate signed by the CA. Adding remote-cert-tls server (supported by 2.1 clients) makes the client additionally require the server-type certificate that build-key-server issues, so a certificate created with build-key cannot stand in for the server.