Installing OpenVPN on CentOS 6.5 64-bit

Source: Internet  Editor: 程序博客网  Time: 2024/05/22 02:07

http://blog.csdn.net/defeattroy/article/details/42523175
1. Install the EPEL repository

wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

rpm -Uvh epel-release-6-8.noarch.rpm

2. Install OpenVPN

yum install openvpn easy-rsa

3. Configure easy-rsa

mkdir -p /etc/openvpn/easy-rsa/keys

cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

4. Create the CA certificate and key

vi /etc/openvpn/easy-rsa/vars

Change the country, province, city, e-mail address and so on to your own values.

cd /etc/openvpn/easy-rsa/

Initialize the certificate authority:

cp openssl-1.0.0.cnf openssl.cnf

source ./vars

./clean-all

Create the CA certificate and key:

./build-ca

     Generating a 2048 bit RSA private key
     ......................................................+++
     ............................................................+++
     writing new private key to 'ca.key'
     -----
     You are about to be asked to enter information that will be incorporated
     into your certificate request.
     What you are about to enter is what is called a Distinguished Name or a DN.
     There are quite a few fields but you can leave some blank
     For some fields there will be a default value,
     If you enter '.', the field will be left blank.
     -----
     Country Name (2 letter code) [IN]: ----> Press Enter
     State or Province Name (full name) [TN]: ----> Press Enter
     Locality Name (eg, city) [Erode]: ----> Press Enter
     Organization Name (eg, company) [Unixmen]: ----> Press Enter
     Organizational Unit Name (eg, section) [server]: ----> Press Enter
     Common Name (eg, your name or your server's hostname) [...] ----> Press Enter
     Name [...] ----> Press Enter
     Email Address [...] ----> Press Enter
5. Create the server certificate and key

./build-key-server server

     Generating a 2048 bit RSA private key
     ....................+++
     .............+++
     writing new private key to 'server.key'
     -----
     You are about to be asked to enter information that will be incorporated
     into your certificate request.
     What you are about to enter is what is called a Distinguished Name or a DN.
     There are quite a few fields but you can leave some blank
     For some fields there will be a default value,
     If you enter '.', the field will be left blank.
     -----
     Country Name (2 letter code) [IN]: ----> Press Enter
     State or Province Name (full name) [TN]: ----> Press Enter
     Locality Name (eg, city) [Erode]: ----> Press Enter
     Organization Name (eg, company) [Unixmen]: ----> Press Enter
     Organizational Unit Name (eg, section) [server]: ----> Press Enter
     Common Name (eg, your name or your server's hostname) [server]: ----> Press Enter
     Name [EasyRSA]: ----> Press Enter
     Email Address [sk@unixmen.com]: ----> Press Enter
     Please enter the following 'extra' attributes
     to be sent with your certificate request
     A challenge password []: ----> Press Enter
     An optional company name []: ----> Press Enter
     Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
     Check that the request matches the signature
     Signature ok
     The Subject's Distinguished Name is as follows
     countryName           :PRINTABLE:'IN'
     stateOrProvinceName   :PRINTABLE:'TN'
     localityName          :PRINTABLE:'Erode'
     organizationName      :PRINTABLE:'Unixmen'
     organizationalUnitName:PRINTABLE:'server'
     commonName            :PRINTABLE:'server'
     name                  :PRINTABLE:'EasyRSA'
     emailAddress          :IA5STRING:'sk@unixmen.com'
     Certificate is to be certified until Mar 23 12:21:34 2024 GMT (3650 days)
     Sign the certificate? [y/n]:y ----> Type Y and Press Enter
     1 out of 1 certificate requests certified, commit? [y/n]y ----> Type Y and Press Enter
     Write out database with 1 new entries
     Data Base Updated
6. Create the client certificate and key

./build-key client

     Generating a 2048 bit RSA private key
     .......+++
     ..................................................................................................+++
     writing new private key to 'client.key'
     -----
     You are about to be asked to enter information that will be incorporated
     into your certificate request.
     What you are about to enter is what is called a Distinguished Name or a DN.
     There are quite a few fields but you can leave some blank
     For some fields there will be a default value,
     If you enter '.', the field will be left blank.
     -----
     Country Name (2 letter code) [IN]: ----> Press Enter
     State or Province Name (full name) [TN]: ----> Press Enter
     Locality Name (eg, city) [Erode]: ----> Press Enter
     Organization Name (eg, company) [Unixmen]: ----> Press Enter
     Organizational Unit Name (eg, section) [server]: ----> Press Enter
     Common Name (eg, your name or your server's hostname) [client]: ----> Press Enter
     Name [EasyRSA]: ----> Press Enter
     Email Address [sk@unixmen.com]: ----> Press Enter
     Please enter the following 'extra' attributes
     to be sent with your certificate request
     A challenge password []: ----> Press Enter
     An optional company name []: ----> Press Enter
     Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
     Check that the request matches the signature
     Signature ok
     The Subject's Distinguished Name is as follows
     countryName           :PRINTABLE:'IN'
     stateOrProvinceName   :PRINTABLE:'TN'
     localityName          :PRINTABLE:'Erode'
     organizationName      :PRINTABLE:'Unixmen'
     organizationalUnitName:PRINTABLE:'server'
     commonName            :PRINTABLE:'client'
     name                  :PRINTABLE:'EasyRSA'
     emailAddress          :IA5STRING:'sk@unixmen.com'
     Certificate is to be certified until Mar 23 12:23:44 2024 GMT (3650 days)
     Sign the certificate? [y/n]:y ----> Type Y and Press Enter
     1 out of 1 certificate requests certified, commit? [y/n]y ----> Type Y and Press Enter
     Write out database with 1 new entries
     Data Base Updated
7. Create the Diffie-Hellman key exchange parameters

Generate the DH parameters:

./build-dh

Copy the server certificate, key and DH parameters into place:

cd /etc/openvpn/easy-rsa/keys/

cp dh2048.pem ca.crt server.crt server.key /etc/openvpn/

Client certificate and key: ca.crt, client.crt, client.key (these are needed later when editing the OpenVPN client configuration file).
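Before copying anything out of the keys directory, it is worth confirming that what easy-rsa produced actually fits together. The following check is an added example (not part of the original post and not easy-rsa's own code): it verifies that a certificate chains to ca.crt, that the private key really belongs to that certificate, and that the key file is not readable by other users. It assumes the easy-rsa 2.0 file names used above (ca.crt, server.crt, server.key); make_demo_pki only builds a constructed throwaway CA so the check can be tried without a real easy-rsa run.

```shell
#!/bin/sh
# Added example, not from the original post or from easy-rsa.
# verify_openvpn_pki <keys-dir> <name>: returns 0 when <name>.crt/<name>.key
# in <keys-dir> pass all three checks, 1 otherwise (each failure is printed).
verify_openvpn_pki() {
    dir=$1; name=$2; rc=0

    # 1. the certificate must chain to the CA that the peers will trust
    if ! openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1; then
        echo "FAIL: $name.crt is not signed by $dir/ca.crt"; rc=1
    fi

    # 2. the private key must belong to the certificate: compare the public key
    #    embedded in the certificate with the one derived from the key file
    cert_pub=$(openssl x509 -in "$dir/$name.crt" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$dir/$name.key" -pubout 2>/dev/null || true)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $name.key does not match $name.crt"; rc=1
    fi

    # 3. private keys must be readable by their owner only (GNU stat, BSD stat fallback)
    mode=$(stat -c %a "$dir/$name.key" 2>/dev/null || stat -f %Lp "$dir/$name.key")
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: $name.key has mode $mode, expected 600"; rc=1 ;;
    esac
    return $rc
}

# make_demo_pki <dir>: constructed throwaway CA + server certificate, used only
# to exercise the check above (a real deployment uses ./build-ca and
# ./build-key-server as described in the post).
make_demo_pki() {
    dir=$1; mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.crt" >/dev/null 2>&1
    chmod 600 "$dir"/*.key
}

# On a real server: verify_openvpn_pki /etc/openvpn/easy-rsa/keys server
```

Run it for each name you generated (server, client, ...) before the cp step; a non-zero exit means one of the three properties failed and the printed line says which.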

8. Configure the VPN server

cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn/

vi /etc/openvpn/server.conf

     # Substitute 2048 for 1024 if you are using
     # 2048 bit keys.
     dh dh2048.pem
     push "redirect-gateway def1 bypass-dhcp"
     push "dhcp-option DNS 8.8.8.8"
     push "dhcp-option DNS 8.8.4.4"
     user nobody
     group nobody

You can also push DNS servers of your own; Google's public DNS is used here.

iptables configuration

=====================

Flush the existing rules:

iptables -F

iptables -X

List the rules to confirm:

iptables -L -n

Allow the SSH port:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

iptables -P OUTPUT ACCEPT

Allow connections to the OpenVPN port. The sample server.conf and the client.ovpn below both use proto udp, so the rule must match UDP (use -p tcp here only if you change proto to tcp on both sides):

iptables -A INPUT -p udp --dport 1194 -j ACCEPT

Configure NAT for OpenVPN: masquerade all packets from the 10.8.0.0/24 subnet that leave through eth0:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Enable IP forwarding in the kernel (this takes effect immediately but does not survive a reboot; to make it persistent, also set net.ipv4.ip_forward = 1 in /etc/sysctl.conf):

echo 1 > /proc/sys/net/ipv4/ip_forward

Add a FORWARD whitelist for the tunnel interfaces:

iptables -A FORWARD -i tun+ -j ACCEPT

Allow all connections from the virtual subnet:

iptables -A INPUT -s 10.8.0.0/24 -j ACCEPT

Keep already established connections:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

service iptables save

service iptables start
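Hand-typed rules like the ones above drift easily: the protocol or port in the firewall ends up different from the one in server.conf. The script below is an added example (not from the original post) that derives the rules from server.conf itself, so proto, port and the VPN subnet always match what the daemon listens on. It goes slightly beyond the post by putting the ESTABLISHED rule first and ending with a default-deny INPUT policy; the WAN interface name and SSH port are parameters, everything else is read from the config. It prints the commands rather than running them, so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the original post.
# conf_value <file> <directive> [default]: first value of an uncommented directive
conf_value() {
    v=$(grep -E "^[[:space:]]*$2([[:space:]]|$)" "$1" | head -n 1 | awk '{print $2}')
    echo "${v:-$3}"
}

# openvpn_rules <server.conf> <wan-iface> [ssh-port]: print the iptables commands
# (dry run). Review the output, then apply with:
#   openvpn_rules /etc/openvpn/server.conf eth0 | sh
openvpn_rules() {
    conf=$1; iface=$2; ssh=${3:-22}
    proto=$(conf_value "$conf" proto udp)
    case "$proto" in tcp*) proto=tcp ;; *) proto=udp ;; esac   # tcp-server, udp6, ...
    port=$(conf_value "$conf" port 1194)
    # "server 10.8.0.0 255.255.255.0" -> 10.8.0.0/255.255.255.0 (iptables accepts dotted masks)
    net=$(awk '/^[[:space:]]*server[[:space:]]/ {print $2 "/" $3; exit}' "$conf")
    net=${net:-10.8.0.0/255.255.255.0}
    cat <<EOF
iptables -F
iptables -X
iptables -t nat -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $ssh -j ACCEPT
iptables -A INPUT -p $proto --dport $port -j ACCEPT
iptables -A INPUT -s $net -j ACCEPT
iptables -A FORWARD -i tun+ -s $net -j ACCEPT
iptables -A FORWARD -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $net -o $iface -j MASQUERADE
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
# persist on CentOS 6: service iptables save; and net.ipv4.ip_forward = 1 in /etc/sysctl.conf
EOF
}
```

Because the rules are generated from the same file the daemon reads, changing proto or port in server.conf and re-running the script is enough to keep the firewall in step; the default-deny policy at the end is only safe because the SSH rule is emitted before it.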

Start the service:

service openvpn start

This may fail, because the OpenVPN init script differs slightly between distributions. If it does, edit /etc/init.d/openvpn and comment out the following lines:

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
if [ ${NETWORKING} = "no" ]
then
    echo "Networking is down"
    exit 0
fi

9. Configure the client

Edit the client configuration file client.ovpn. Its format is shown below; be sure to change the server IP address and port number:


client

dev tun

proto udp

remote 172.16.18.21 1194

resolv-retry infinite

nobind

persist-key

persist-tun

comp-lzo

verb 3

<ca>
(paste the contents of ca.crt here)
</ca>

<cert>
(paste the contents of client.crt here)
</cert>

<key>
(paste the contents of client.key here)
</key>


Install openvpn-client.msi

Double-click client.ovpn

Related notes:

================================================================================================

Generate certificate & key for server
Next, we will generate a certificate and private key for the server. On Linux/BSD/Unix:

./build-key-server server
On Windows:

build-key-server server
As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter “server”. Two other queries require positive responses, “Sign the certificate? [y/n]” and “1 out of 1 certificate requests certified, commit? [y/n]”.

Generate certificates & keys for 3 clients
Generating client certificates is very similar to the previous step. On Linux/BSD/Unix:

./build-key client1
./build-key client2
./build-key client3
On Windows:

build-key client1
build-key client2
build-key client3
If you would like to password-protect your client keys, substitute the build-key-pass script.

Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. “client1”, “client2”, or “client3”. Always use a unique common name for each client.

Key Files
Now we will find our newly-generated keys and certificates in the keys subdirectory. Here is an explanation of the relevant files:

Filename     Needed By                 Purpose                     Secret
ca.crt       server + all clients      Root CA certificate         NO
ca.key       key signing machine only  Root CA key                 YES
dh{n}.pem    server only               Diffie Hellman parameters   NO
server.crt   server only               Server Certificate          NO
server.key   server only               Server Key                  YES
client1.crt  client1 only              Client1 Certificate         NO
client1.key  client1 only              Client1 Key                 YES
client2.crt  client2 only              Client2 Certificate         NO
client2.key  client2 only              Client2 Key                 YES
client3.crt  client3 only              Client3 Certificate         NO
client3.key  client3 only              Client3 Key                 YES

Creating configuration files for server and clients
Getting the sample config files
It’s best to use the OpenVPN sample configuration files as a starting point for your own configuration. These files can also be found in

the sample-config-files directory of the OpenVPN source distribution
the sample-config-files directory in /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn if you installed from an RPM or DEB package
Start Menu -> All Programs -> OpenVPN -> OpenVPN Sample Configuration Files on Windows
Note that on Linux, BSD, or unix-like OSes, the sample configuration files are named server.conf and client.conf. On Windows they are named server.ovpn and client.ovpn.

Editing the server configuration file
The sample server configuration file is an ideal starting point for an OpenVPN server configuration. It will create a VPN using a virtual TUN network interface (for routing), will listen for client connections on UDP port 1194 (OpenVPN’s official port number), and distribute virtual addresses to connecting clients from the 10.8.0.0/24 subnet.

Before you use the sample configuration file, you should first edit the ca, cert, key, and dh parameters to point to the files you generated in the PKI section above.

At this point, the server configuration file is usable, however you still might want to customize it further:

If you are using Ethernet bridging, you must use server-bridge and dev tap instead of server and dev tun.
If you want your OpenVPN server to listen on a TCP port instead of a UDP port, use proto tcp instead of proto udp (If you want OpenVPN to listen on both a UDP and TCP port, you must run two separate OpenVPN instances).
If you want to use a virtual IP address range other than 10.8.0.0/24, you should modify the server directive. Remember that this virtual IP address range should be a private range which is currently unused on your network.
Uncomment the client-to-client directive if you would like connecting clients to be able to reach each other over the VPN. By default, clients will only be able to reach the server.
If you are using Linux, BSD, or a Unix-like OS, you can improve security by uncommenting the user nobody and group nobody directives.
If you want to run multiple OpenVPN instances on the same machine, each using a different configuration file, it is possible if you:

Use a different port number for each instance (the UDP and TCP protocols use different port spaces so you can run one daemon listening on UDP-1194 and another on TCP-1194).
If you are using Windows, each OpenVPN configuration needs to have its own TAP-Windows adapter. You can add additional adapters by going to Start Menu -> All Programs -> TAP-Windows -> Add a new TAP-Windows virtual ethernet adapter.
If you are running multiple OpenVPN instances out of the same directory, make sure to edit directives which create output files so that multiple instances do not overwrite each other’s output files. These directives include log, log-append, status, and ifconfig-pool-persist.
Editing the client configuration files
The sample client configuration file (client.conf on Linux/BSD/Unix or client.ovpn on Windows) mirrors the default directives set in the sample server configuration file.

Like the server configuration file, first edit the ca, cert, and key parameters to point to the files you generated in the PKI section above. Note that each client should have its own cert/key pair. Only the ca file is universal across the OpenVPN server and all clients.

Next, edit the remote directive to point to the hostname/IP address and port number of the OpenVPN server (if your OpenVPN server will be running on a single-NIC machine behind a firewall/NAT-gateway, use the public IP address of the gateway, and a port number which you have configured the gateway to forward to the OpenVPN server).

Finally, ensure that the client configuration file is consistent with the directives used in the server configuration. The major thing to check for is that the dev (tun or tap) and proto (udp or tcp) directives are consistent. Also make sure that comp-lzo and fragment, if used, are present in both client and server config files.
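The two client-side steps above (pasting the three PEM files into client.ovpn, and keeping dev, proto, comp-lzo and fragment in step with the server) are easy to get wrong by hand. The script below is an added example (not from the original post and not OpenVPN's own tooling): build_client_ovpn generates a client.ovpn that mirrors the server's dev, proto, port, comp-lzo and fragment settings and inlines ca.crt, <name>.crt and <name>.key in the <ca>/<cert>/<key> blocks, and check_vpn_configs compares an existing client file against server.conf and reports each directive that disagrees. The server host name and the file names are assumptions passed in as parameters.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenVPN.
# conf_value <file> <directive> [default]: first value of an uncommented directive
conf_value() {
    v=$(grep -E "^[[:space:]]*$2([[:space:]]|$)" "$1" | head -n 1 | awk '{print $2}')
    echo "${v:-$3}"
}
# has_directive <file> <directive>: 0 if the directive appears uncommented
has_directive() { grep -qE "^[[:space:]]*$2([[:space:]]|$)" "$1"; }

# build_client_ovpn <server.conf> <server-host> <keys-dir> <client-name>
# prints a client config that mirrors the server; redirect it to client.ovpn
build_client_ovpn() {
    conf=$1; host=$2; dir=$3; name=$4
    dev=$(conf_value "$conf" dev tun)
    port=$(conf_value "$conf" port 1194)
    proto=$(conf_value "$conf" proto udp)
    case "$proto" in tcp-server) proto=tcp-client ;; esac   # explicit tcp roles must pair up
    printf '%s\n' client "dev $dev" "proto $proto" "remote $host $port" \
        "resolv-retry infinite" nobind persist-key persist-tun "verb 3"
    if has_directive "$conf" comp-lzo; then echo comp-lzo; fi
    frag=$(conf_value "$conf" fragment)
    if [ -n "$frag" ]; then echo "fragment $frag"; fi
    # inline the three PEM files the post says to paste into client.ovpn
    for pair in "ca:ca.crt" "cert:$name.crt" "key:$name.key"; do
        tag=${pair%%:*}; file=${pair#*:}
        echo "<$tag>"; cat "$dir/$file"; echo "</$tag>"
    done
}

# check_vpn_configs <server.conf> <client.ovpn>: prints every mismatch and
# returns the number of mismatches (0 = consistent)
check_vpn_configs() {
    s=$1; c=$2; bad=0
    for directive in dev fragment; do
        sv=$(conf_value "$s" "$directive"); cv=$(conf_value "$c" "$directive")
        [ "$sv" = "$cv" ] || { echo "MISMATCH $directive: server='$sv' client='$cv'"; bad=$((bad+1)); }
    done
    sproto=$(conf_value "$s" proto udp); cproto=$(conf_value "$c" proto udp)
    # tcp-server / tcp-client are the same transport; compare the part before '-'
    [ "${sproto%%-*}" = "${cproto%%-*}" ] \
        || { echo "MISMATCH proto: server='$sproto' client='$cproto'"; bad=$((bad+1)); }
    if has_directive "$s" comp-lzo; then
        has_directive "$c" comp-lzo || { echo "MISMATCH comp-lzo: on server only"; bad=$((bad+1)); }
    elif has_directive "$c" comp-lzo; then
        echo "MISMATCH comp-lzo: on client only"; bad=$((bad+1))
    fi
    sport=$(conf_value "$s" port 1194)
    cport=$(awk '/^[[:space:]]*remote[[:space:]]/ {print $3; exit}' "$c")
    [ "${cport:-1194}" = "$sport" ] \
        || { echo "MISMATCH port: server listens on $sport, client remote uses ${cport:-1194}"; bad=$((bad+1)); }
    return $bad
}

# Typical use on the server, assuming the paths from this post:
#   build_client_ovpn /etc/openvpn/server.conf 172.16.18.21 /etc/openvpn/easy-rsa/keys client > client.ovpn
#   check_vpn_configs /etc/openvpn/server.conf client.ovpn
```

Because client.key is inlined, the generated client.ovpn is as sensitive as the key itself: hand it to the client over a channel you would trust with a private key and delete the server-side copy afterwards.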

References:

====================

https://openvpn.net/index.php/open-source/documentation/howto.html
http://blog.chinaunix.net/uid-29746173-id-4351133.html

https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-6

http://www.tuicool.com/articles/N3Y3Afv
