Installing OpenVPN on CentOS 6.5 (64-bit)
Source: Internet | Editor: 程序博客网 | Date: 2024/05/22 02:07
http://blog.csdn.net/defeattroy/article/details/42523175
1. Install the EPEL repository
wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6-8.noarch.rpm
(The package is noarch, so the i386 path works on a 64-bit system as well.)
- Install OpenVPN
yum install openvpn easy-rsa
- Set up easy-rsa
mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
- Create the CA certificate and key
vi /etc/openvpn/easy-rsa/vars
Change the country, province, city, e-mail address and so on to your own values. They become the defaults offered by the prompts below; the values shown in the sample output ([IN], [TN], Erode, Unixmen) are the original author's.
cd /etc/openvpn/easy-rsa/
Initialise the certificate authority:
cp openssl-1.0.0.cnf openssl.cnf
source ./vars
./clean-all
Create the CA certificate and key. Note that clean-all empties the keys directory, so do not run it again later unless you intend to rebuild the whole PKI:
./build-ca
Generating a 2048 bit RSA private key
......................................................+++
............................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]: ----> Press Enter
State or Province Name (full name) [TN]: ----> Press Enter
Locality Name (eg, city) [Erode]: ----> Press Enter
Organization Name (eg, company) [Unixmen]: ----> Press Enter
Organizational Unit Name (eg, section) [server]: ----> Press Enter
Common Name (eg, your name or your server's hostname) [...] ----> Press Enter
Name [...] ----> Press Enter
Email Address [...] ----> Press Enter
- Create the server certificate and key
./build-key-server server
(Enter "server" as the Common Name. build-key-server, unlike build-key, signs the certificate with the server extensions, which is what a client's remote-cert-tls server check looks for.)
Generating a 2048 bit RSA private key
....................+++
.............+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]: ----> Press Enter
State or Province Name (full name) [TN]: ----> Press Enter
Locality Name (eg, city) [Erode]: ----> Press Enter
Organization Name (eg, company) [Unixmen]: ----> Press Enter
Organizational Unit Name (eg, section) [server]: ----> Press Enter
Common Name (eg, your name or your server's hostname) [server]: ----> Press Enter
Name [EasyRSA]: ----> Press Enter
Email Address [sk@unixmen.com]: ----> Press Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ----> Press Enter
An optional company name []: ----> Press Enter
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'IN'
stateOrProvinceName   :PRINTABLE:'TN'
localityName          :PRINTABLE:'Erode'
organizationName      :PRINTABLE:'Unixmen'
organizationalUnitName:PRINTABLE:'server'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'sk@unixmen.com'
Certificate is to be certified until Mar 23 12:21:34 2024 GMT (3650 days)
Sign the certificate? [y/n]:y ----> Type Y and Press Enter
1 out of 1 certificate requests certified, commit? [y/n]y ----> Type Y and Press Enter
Write out database with 1 new entries
Data Base Updated
- Create the client certificate and key
./build-key client
(One certificate per client, each with its own unique Common Name; to password-protect a client key use build-key-pass instead, as described in the notes below.)
Generating a 2048 bit RSA private key
.......+++
..................................................................................................+++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]: ----> Press Enter
State or Province Name (full name) [TN]: ----> Press Enter
Locality Name (eg, city) [Erode]: ----> Press Enter
Organization Name (eg, company) [Unixmen]: ----> Press Enter
Organizational Unit Name (eg, section) [server]: ----> Press Enter
Common Name (eg, your name or your server's hostname) [client]: ----> Press Enter
Name [EasyRSA]: ----> Press Enter
Email Address [sk@unixmen.com]: ----> Press Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ----> Press Enter
An optional company name []: ----> Press Enter
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'IN'
stateOrProvinceName   :PRINTABLE:'TN'
localityName          :PRINTABLE:'Erode'
organizationName      :PRINTABLE:'Unixmen'
organizationalUnitName:PRINTABLE:'server'
commonName            :PRINTABLE:'client'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'sk@unixmen.com'
Certificate is to be certified until Mar 23 12:23:44 2024 GMT (3650 days)
Sign the certificate? [y/n]:y ----> Type Y and Press Enter
1 out of 1 certificate requests certified, commit? [y/n]y ----> Type Y and Press Enter
Write out database with 1 new entries
Data Base Updated
- Create the Diffie-Hellman key exchange parameters
Generate the DH parameters (this takes a while; the file name follows KEY_SIZE in vars, 2048 here):
./build-dh
Copy the server certificate, key and DH parameters into place:
cd /etc/openvpn/easy-rsa/keys/
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn/
The client needs ca.crt, client.crt and client.key (used when editing the client configuration below). ca.key stays in the keys directory on the signing machine; it is never copied to the server or to a client.
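As an added example (not part of the original post), the following script checks the files that were just copied into /etc/openvpn, and doubles as a check against the "Key Files" table in the notes below. It assumes this page's layout: the server holds ca.crt, server.crt, server.key and dh2048.pem, and ca.key stays on the signing machine. The demo directory at the bottom is constructed with placeholder files, not real certificates.

```shell
#!/bin/sh
# Added example: sanity-check the server's OpenVPN key material.
# Assumes the layout from this page; the demo directory is constructed.

# vpn_key_hygiene DIR -> 0 if the server's files are present, no CA key is
# lying around and private keys are mode 0600; prints each problem found.
vpn_key_hygiene() {
    dir=$1; rc=0
    for f in ca.crt server.crt server.key; do
        [ -f "$dir/$f" ] || { echo "MISSING $dir/$f"; rc=1; }
    done
    ls "$dir"/dh*.pem >/dev/null 2>&1 || { echo "MISSING $dir/dh*.pem"; rc=1; }
    # ca.key signs every certificate: if it sits on the VPN host and the host
    # is compromised, the attacker can mint client certs and the PKI must be rebuilt
    [ ! -e "$dir/ca.key" ] || { echo "LEAK $dir/ca.key must not be on the VPN server"; rc=1; }
    # OpenVPN reads the key as root before dropping to "user nobody", so 0600 is enough
    for k in "$dir"/*.key; do
        [ -e "$k" ] || continue
        if [ -n "$(find "$k" ! -perm 600)" ]; then
            echo "PERM $k is not mode 0600"; rc=1
        fi
    done
    return $rc
}

# vpn_cert_chain_check DIR -> with openssl installed, confirms that server.crt
# chains to ca.crt, carries the server extensions build-key-server adds (what a
# client's "remote-cert-tls server" checks) and belongs to server.key.
vpn_cert_chain_check() {
    dir=$1
    command -v openssl >/dev/null 2>&1 || { echo "SKIP: openssl not installed"; return 0; }
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" || return 1
    openssl x509 -in "$dir/server.crt" -noout -text \
        | grep -Eq 'TLS Web Server Authentication|SSL Server' \
        || { echo "NOT-A-SERVER-CERT $dir/server.crt (built with build-key instead of build-key-server?)"; return 1; }
    [ "$(openssl x509 -in "$dir/server.crt" -noout -modulus)" = \
      "$(openssl rsa -in "$dir/server.key" -noout -modulus)" ] \
        || { echo "MISMATCH server.key does not belong to server.crt"; return 1; }
}

# Constructed demo directory so the hygiene check can run without a real PKI.
VPN_DEMO_DIR=$(mktemp -d)
for f in ca.crt server.crt dh2048.pem; do echo "placeholder $f" > "$VPN_DEMO_DIR/$f"; done
echo "placeholder server.key" > "$VPN_DEMO_DIR/server.key"
chmod 600 "$VPN_DEMO_DIR/server.key"
vpn_key_hygiene "$VPN_DEMO_DIR" && echo "demo: key hygiene OK"

# On the real server, as root:
#   vpn_key_hygiene /etc/openvpn && vpn_cert_chain_check /etc/openvpn
```

The hygiene function needs nothing beyond a POSIX shell and find; the chain check is kept separate because it needs the openssl command-line tool and real certificates.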
- Configure the VPN server
cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn/
vi /etc/openvpn/server.conf
Make the following changes. The ca, cert and key directives in the sample already name ca.crt, server.crt and server.key, which is where the files were copied above:
# Substitute 2048 for 1024 if you are using 2048 bit keys.
dh dh2048.pem
push "redirect-gateway def1 bypass-dhcp"
You can also push your own DNS servers; Google's are used here:
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
Drop privileges once the tunnel is up:
user nobody
group nobody
iptables configuration
=====================
Flush the existing rules and chains:
iptables -F
iptables -X
Check the result:
iptables -L -n
Allow SSH (do this before anything restrictive, or you lock yourself out):
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P OUTPUT ACCEPT
Allow connections to the OpenVPN port. The sample server.conf and the client configuration below both use proto udp, so the rule has to match UDP; the original post opened TCP 1194, which a UDP client never hits:
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
NAT for the VPN: masquerade everything from 10.8.0.0/24 that leaves through eth0:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Enable IP forwarding in the kernel (also set net.ipv4.ip_forward = 1 in /etc/sysctl.conf, or this is lost at reboot):
echo "1" > /proc/sys/net/ipv4/ip_forward
Allow forwarding from the tunnel interfaces:
iptables -A FORWARD -i tun+ -j ACCEPT
Allow all traffic from the virtual subnet:
iptables -A INPUT -s 10.8.0.0/24 -j ACCEPT
Keep established connections:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
service iptables save
service iptables start
None of the above changes the default policy of the INPUT and FORWARD chains, which after the flush is whatever it was before (ACCEPT on a stock install), so this list by itself restricts nothing. Set both policies to DROP once the SSH and ESTABLISHED,RELATED rules are in place; only then do the ACCEPT rules mean anything.
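As an added example (not from the original post), here is the same firewall expressed as a complete /etc/sysconfig/iptables ruleset generated by a shell function, which is what "service iptables save" produces and "service iptables start" loads. It assumes, like the page, that eth0 faces the Internet, the VPN subnet is 10.8.0.0/24 and the server listens on UDP 1194. It differs from the interactive rules above in that INPUT and FORWARD default to DROP, the VPN port is UDP, VPN-subnet traffic is only accepted on tun+ (so a packet from the Internet with a forged 10.8.0.x source is not treated as a VPN client), and replies back into the tunnel are covered by an ESTABLISHED,RELATED rule in FORWARD, which a DROP policy otherwise blocks.

```shell
#!/bin/sh
# Added example: generate and install the OpenVPN server firewall as an
# iptables-restore ruleset. Interface, subnet and port are assumptions
# taken from this page and can be overridden through the arguments.

# gen_vpn_rules PROTO PORT WAN_IF VPN_SUBNET -> prints the ruleset
gen_vpn_rules() {
    proto=${1:-udp}; port=${2:-1194}; wan=${3:-eth0}; vpn=${4:-10.8.0.0/24}
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $vpn -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p $proto --dport $port -m state --state NEW -j ACCEPT
-A INPUT -i tun+ -s $vpn -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i tun+ -o $wan -s $vpn -j ACCEPT
COMMIT
EOF
}

# apply_vpn_rules [same arguments] -> write the ruleset where the CentOS 6
# iptables init script loads it from, load it atomically, and make IP
# forwarding survive a reboot. Must run as root.
apply_vpn_rules() {
    gen_vpn_rules "$@" > /etc/sysconfig/iptables
    iptables-restore < /etc/sysconfig/iptables
    sysctl -w net.ipv4.ip_forward=1
    if grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf; then
        sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
    else
        echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    fi
}

# Preview the rules before applying them:
gen_vpn_rules udp 1194 eth0 10.8.0.0/24
# Then, as root:  apply_vpn_rules udp 1194 eth0 10.8.0.0/24
```

iptables-restore replaces the whole table in one step, so a half-applied rule set cannot lock you out the way a sequence of individual iptables commands can; keep an SSH session open and test from a second one anyway.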
Start the service:
service openvpn start
This may fail because the OpenVPN init script differs slightly between distributions. If it does, edit /etc/init.d/openvpn and comment out the following lines:
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
if [ ${NETWORKING} = "no" ]
then
    echo "Networking is down"
    exit 0
fi
- Configure the client
Create the client configuration file client.ovpn in the following format, changing the IP address and port to your server's. The certificate and key are embedded inline between the tags shown:
client
dev tun
proto udp
remote 172.16.18.21 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
<ca>
(paste the contents of ca.crt here)
</ca>
<cert>
(paste the contents of client.crt here)
</cert>
<key>
(paste the contents of client.key here)
</key>
dev, proto and comp-lzo must match the server side. Two caveats: add remote-cert-tls server, which makes the client reject any certificate without the server extensions that build-key-server added, so a stolen client certificate cannot be used to impersonate the server; and since compression of VPN traffic is no longer recommended (the VORACLE attack), comp-lzo can simply be removed on both sides. Because the file contains the private key, treat it like one.
Install openvpn-client.msi on the Windows machine, then double-click client.ovpn (or copy it into the OpenVPN config directory and connect from the OpenVPN GUI).
Related notes (excerpted from the OpenVPN HOWTO):
================================================================================================
Generate certificate & key for server
Next, we will generate a certificate and private key for the server. On Linux/BSD/Unix:
./build-key-server server
On Windows:
build-key-server server
As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter “server”. Two other queries require positive responses, “Sign the certificate? [y/n]” and “1 out of 1 certificate requests certified, commit? [y/n]”.
Generate certificates & keys for 3 clients
Generating client certificates is very similar to the previous step. On Linux/BSD/Unix:
./build-key client1
./build-key client2
./build-key client3
On Windows:
build-key client1
build-key client2
build-key client3
If you would like to password-protect your client keys, substitute the build-key-pass script.
Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. “client1”, “client2”, or “client3”. Always use a unique common name for each client.
Key Files
Now we will find our newly-generated keys and certificates in the keys subdirectory. Here is an explanation of the relevant files:
Filename     Needed By                 Purpose                     Secret
ca.crt       server + all clients      Root CA certificate         NO
ca.key       key signing machine only  Root CA key                 YES
dh{n}.pem    server only               Diffie Hellman parameters   NO
server.crt   server only               Server Certificate          NO
server.key   server only               Server Key                  YES
client1.crt  client1 only              Client1 Certificate         NO
client1.key  client1 only              Client1 Key                 YES
client2.crt  client2 only              Client2 Certificate         NO
client2.key  client2 only              Client2 Key                 YES
client3.crt  client3 only              Client3 Certificate         NO
client3.key  client3 only              Client3 Key                 YES
Creating configuration files for server and clients
Getting the sample config files
It’s best to use the OpenVPN sample configuration files as a starting point for your own configuration. These files can also be found in
the sample-config-files directory of the OpenVPN source distribution
the sample-config-files directory in /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn if you installed from an RPM or DEB package (on this CentOS 6.5 system: /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/)
Start Menu -> All Programs -> OpenVPN -> OpenVPN Sample Configuration Files on Windows
Note that on Linux, BSD, or unix-like OSes, the sample configuration files are named server.conf and client.conf. On Windows they are named server.ovpn and client.ovpn.
Editing the server configuration file
The sample server configuration file is an ideal starting point for an OpenVPN server configuration. It will create a VPN using a virtual TUN network interface (for routing), will listen for client connections on UDP port 1194 (OpenVPN's official port number), and distribute virtual addresses to connecting clients from the 10.8.0.0/24 subnet.
Before you use the sample configuration file, you should first edit the ca, cert, key, and dh parameters to point to the files you generated in the PKI section above.
At this point, the server configuration file is usable, however you still might want to customize it further:
If you are using Ethernet bridging, you must use server-bridge and dev tap instead of server and dev tun.
If you want your OpenVPN server to listen on a TCP port instead of a UDP port, use proto tcp instead of proto udp (If you want OpenVPN to listen on both a UDP and TCP port, you must run two separate OpenVPN instances).
If you want to use a virtual IP address range other than 10.8.0.0/24, you should modify the server directive. Remember that this virtual IP address range should be a private range which is currently unused on your network.
Uncomment the client-to-client directive if you would like connecting clients to be able to reach each other over the VPN. By default, clients will only be able to reach the server.
If you are using Linux, BSD, or a Unix-like OS, you can improve security by uncommenting the user nobody and group nobody directives.
If you want to run multiple OpenVPN instances on the same machine, each using a different configuration file, it is possible if you:
Use a different port number for each instance (the UDP and TCP protocols use different port spaces so you can run one daemon listening on UDP-1194 and another on TCP-1194).
If you are using Windows, each OpenVPN configuration needs to have its own TAP-Windows adapter. You can add additional adapters by going to Start Menu -> All Programs -> TAP-Windows -> Add a new TAP-Windows virtual ethernet adapter.
If you are running multiple OpenVPN instances out of the same directory, make sure to edit directives which create output files so that multiple instances do not overwrite each other’s output files. These directives include log, log-append, status, and ifconfig-pool-persist.
Editing the client configuration files
The sample client configuration file (client.conf on Linux/BSD/Unix or client.ovpn on Windows) mirrors the default directives set in the sample server configuration file.
Like the server configuration file, first edit the ca, cert, and key parameters to point to the files you generated in the PKI section above. Note that each client should have its own cert/key pair. Only the ca file is universal across the OpenVPN server and all clients.
Next, edit the remote directive to point to the hostname/IP address and port number of the OpenVPN server (if your OpenVPN server will be running on a single-NIC machine behind a firewall/NAT-gateway, use the public IP address of the gateway, and a port number which you have configured the gateway to forward to the OpenVPN server).
Finally, ensure that the client configuration file is consistent with the directives used in the server configuration. The major thing to check for is that the dev (tun or tap) and proto (udp or tcp) directives are consistent. Also make sure that comp-lzo and fragment, if used, are present in both client and server config files.
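The consistency check in the paragraph above, and the inline client.ovpn from the client configuration section earlier, as an added example that is neither from the original post nor from the OpenVPN project: shell functions that read directives out of an OpenVPN config (skipping comments and inline certificate blocks), compare a server.conf with a client config for dev, proto, comp-lzo, fragment and port, and assemble a single-file client.ovpn from ca.crt, client.crt and client.key. The sample configs and PEM files at the bottom are constructed placeholders.

```shell
#!/bin/sh
# Added example: OpenVPN config consistency check and inline .ovpn bundler.
# Sample files below are constructed placeholders, not a real PKI.

# ovpn_lines FILE -> the effective directive lines: comments, blank lines and
# the bodies of inline <ca>/<cert>/<key>/<tls-auth> blocks are dropped
ovpn_lines() {
    awk '
        /^[ \t]*<[a-z-]+>/   { skip = 1; next }
        /^[ \t]*<\/[a-z-]+>/ { skip = 0; next }
        skip || /^[ \t]*[#;]/ || NF == 0 { next }
        { print }
    ' "$1"
}
# ovpn_get FILE DIRECTIVE -> arguments of the first match; ovpn_has -> exit 0 if present
ovpn_get() { ovpn_lines "$1" | awk -v d="$2" '$1 == d { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'; }
ovpn_has() { ovpn_lines "$1" | awk -v d="$2" '$1 == d { f = 1; exit } END { exit !f }'; }

# ovpn_check_pair SERVER_CONF CLIENT_CONF -> 0 if consistent; prints mismatches
ovpn_check_pair() {
    srv=$1; cli=$2; rc=0
    sdev=$(ovpn_get "$srv" dev); cdev=$(ovpn_get "$cli" dev)
    [ "${sdev%%[0-9]*}" = "${cdev%%[0-9]*}" ] \
        || { echo "MISMATCH dev: server='$sdev' client='$cdev'"; rc=1; }
    sproto=$(ovpn_get "$srv" proto); cproto=$(ovpn_get "$cli" proto)
    [ "${sproto:-udp}" = "${cproto:-udp}" ] \
        || { echo "MISMATCH proto: server='$sproto' client='$cproto'"; rc=1; }
    for d in comp-lzo fragment; do
        if ovpn_has "$srv" "$d"; then s=1; else s=0; fi
        if ovpn_has "$cli" "$d"; then c=1; else c=0; fi
        [ "$s" = "$c" ] || { echo "MISMATCH $d: present on one side only"; rc=1; }
    done
    sport=$(ovpn_get "$srv" port); sport=${sport:-1194}
    rport=$(ovpn_get "$cli" remote | awk '{ print $2 }'); rport=${rport:-1194}
    [ "$sport" = "$rport" ] || { echo "MISMATCH port: server=$sport client remote=$rport"; rc=1; }
    # without this the client accepts any certificate the CA signed, including
    # another client's, as the server's
    ovpn_has "$cli" remote-cert-tls || ovpn_has "$cli" ns-cert-type \
        || echo "WARN: client verifies no server cert type (add 'remote-cert-tls server')"
    return $rc
}

# ovpn_bundle CLIENT_CONF CA CERT KEY -> prints one self-contained client.ovpn;
# file-based ca/cert/key directives are replaced by the inline blocks
ovpn_bundle() {
    awk '$1 != "ca" && $1 != "cert" && $1 != "key"' "$1"
    for pair in "ca:$2" "cert:$3" "key:$4"; do
        tag=${pair%%:*}; file=${pair#*:}
        echo "<$tag>"; cat "$file"; echo "</$tag>"
    done
}

# Constructed sample files (placeholders, not a real PKI)
OVPN_DEMO_DIR=$(mktemp -d)
cat > "$OVPN_DEMO_DIR/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
server 10.8.0.0 255.255.255.0
comp-lzo
EOF
cat > "$OVPN_DEMO_DIR/client.ovpn" <<'EOF'
client
dev tun
proto udp
remote 172.16.18.21 1194
resolv-retry infinite
comp-lzo
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
EOF
# a client that disagrees on proto and comp-lzo, with an inline block to skip
cat > "$OVPN_DEMO_DIR/client-bad.ovpn" <<'EOF'
client
dev tun
proto tcp
remote 172.16.18.21 1194
<ca>
-----BEGIN CERTIFICATE-----
</ca>
EOF
for f in ca.crt client.crt client.key; do echo "-----placeholder $f-----" > "$OVPN_DEMO_DIR/$f"; done
umask 077   # the bundled file carries the private key: create it unreadable by others
ovpn_bundle "$OVPN_DEMO_DIR/client.ovpn" "$OVPN_DEMO_DIR/ca.crt" "$OVPN_DEMO_DIR/client.crt" \
    "$OVPN_DEMO_DIR/client.key" > "$OVPN_DEMO_DIR/client-inline.ovpn"
ovpn_check_pair "$OVPN_DEMO_DIR/server.conf" "$OVPN_DEMO_DIR/client-inline.ovpn" && echo "demo: consistent"
```

Run ovpn_check_pair against /etc/openvpn/server.conf and each generated .ovpn before handing the file out; the proto mismatch it reports for the constructed bad client is the same one the firewall section above would hide behind a "connection timed out".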
References:
====================
https://openvpn.net/index.php/open-source/documentation/howto.html
http://blog.chinaunix.net/uid-29746173-id-4351133.html
https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-6
http://www.tuicool.com/articles/N3Y3Afv