# yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig
# cd ..
四.下载easy-rsa:
easy-rsa-release-2.x.zip 可以在网上找到资源,其他版本我有时没有试验成功。
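# The remainder of this guide installs and configures OpenVPN under
# /usr/local/openvpn (see the mkdir/cp steps further down), so the same
# prefix is used here; the original wrote "/user/local" on these two lines.
unzip easy-rsa-release-2.x.zip -d /usr/local/openvpn
cd /usr/local/openvpn/easy-rsa-release-2.x
# NOTE(review): "cp" without -r cannot copy a directory, and in the
# easy-rsa 2.x release 2.0/ presumably sits inside easy-rsa/ — confirm
# the intended layout. The goal is simply to end up inside the 2.0/
# directory that holds vars, clean-all and the build-* scripts.
cp easy-rsa ../
cd 2.0/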
编辑 vars
vi vars
# Certificate parameters for easy-rsa. Once this file is sourced the
# values are in the environment, where the build-* scripts presumably
# pick them up (key length plus the subject fields of the certificates).
KEY_SIZE=2048
KEY_COUNTRY="CN"
KEY_PROVINCE="GD"
KEY_CITY="SZ"
KEY_ORG="SZ1CARD1-WDG"
KEY_EMAIL="18664782531@163.com"
KEY_OU="SZ1CARD1_OPS"
export KEY_SIZE KEY_COUNTRY KEY_PROVINCE KEY_CITY KEY_ORG KEY_EMAIL KEY_OU
保存退出后给予x权限
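chmod +x vars
# vars must be *sourced*, not executed: "./vars" sets the KEY_* variables
# in a child shell that exits immediately, and the scripts below then
# refuse to run because vars was never sourced in this shell.
. ./vars
./clean-all                 # wipe the keys directory
./build-ca server           # create the CA
./build-key-server server   # server certificate
./build-key client          # client certificate; the name is arbitrary
./build-dh
# The option is --secret ("--secert" in the original is a typo the command
# rejects). ta.key is the tls-auth key referenced later by server.conf and
# client.ovpn once username/password authentication is enabled.
openvpn --genkey --secret keys/ta.key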
以上生成文件时都可以一路回车过去
生成的文件在keys文件夹中:
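mkdir -p /usr/local/openvpn/config
cd keys/
# Copy only the files server.conf actually references. The original
# "cp *" also dropped everything else easy-rsa produced here into the
# server's config directory — the CA's private key written by build-ca
# and the client's certificate/key — none of which the server needs.
# The client still gets ca.crt, client.crt, client.key (and ta.key)
# from this keys/ directory.
cp -- ca.crt server.crt server.key dh2048.pem ta.key /usr/local/openvpn/config
cd /usr/local/openvpn/config
# start from the sample server config shipped with the source tree
cp /usr/local/src/openvpn-2.3.0/sample/sample-config-files/server.conf /usr/local/openvpn/config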
vi server.conf
# OpenVPN server configuration as used by this guide. Relative file
# names (ca.crt, server.key, ...) are resolved from the directory openvpn
# is started in; use absolute paths if the files live elsewhere.
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
# Address pool handed out to clients. This is the VPN subnet, not the
# address clients connect to; the "remote" line in client.ovpn must point
# at the server's own reachable address.
server 172.30.25.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.1.1.0 255.255.255.0"
push "route 10.1.10.0 255.255.255.192"
# Sends all client traffic through the tunnel, not only the two routes above.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 114.114.114.114"
# Lets connected clients reach each other directly; remove it if clients
# should only ever talk to the server side.
client-to-client
keepalive 10 120
# Compressing traffic before encryption is generally discouraged today
# because it can leak information about the plaintext. If it is removed
# here it must also be removed from the client profile (it is there too).
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
# No "user"/"group" directive is set, so the daemon — and any script it
# runs, such as the auth script added later in this guide — keeps the
# privileges it was started with; presumably root here, verify.
如果证书文件没有放在config目录,那么配置文件中要写绝对路径
/usr/local/openvpn/sbin/openvpn /usr/local/openvpn/config/server.conf &
看到Initialization Sequence Completed 即启动成功。
client配置:
https://openvpn.net/index.php/open-source/downloads.html
以上路径下载客户端 Windows版本
安装完毕后将安装路径中 sample-config 目录下的 client.ovpn 拷贝到 config 文件夹中
编辑config文件夹中的client.ovpn
# OpenVPN client profile for the Windows GUI. ca.crt, client.crt and
# client.key are the files easy-rsa produced in keys/ on the server;
# copy them next to this profile.
client
dev tun
proto tcp
# NOTE(review): 172.30.25.0 is the network address of the pool given to
# the "server" line in server.conf, not a host. The server's own
# reachable IP or hostname presumably belongs here — confirm before use.
remote 172.30.25.0 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
# Must match the server: if compression is dropped there, drop it here too.
comp-lzo
verb 3
保存后重启openVPN服务然后点击OpenVPN GUI启动就可以连接成功并分配一个IP。且此时可以ping通172.30.25.111
注意:有时候会提示All TAP-Windows adapters on this system are currently in use
其实是网络适配器没有空闲。应当启用本地连接2
然后重连就可以了。
用户名密码验证:
修改server.conf:
tls-auth ta.key 0 # This file is secret
# "via-env" hands the submitted username and password to the script
# through its environment, which is why script-security has to be raised
# to 3 below. OpenVPN's manual describes "via-file" (credentials written
# to a temporary file, script-security 2 is enough) as the safer method;
# checkpsw.sh would then have to read that file instead of
# $username/$password.
auth-user-pass-verify /usr/local/openvpn/config/checkpsw.sh via-env
# Disables the client certificate check: with this line only the
# username/password lookup in checkpsw.sh stands between a client and
# the VPN.
client-cert-not-required
username-as-common-name
# 3 = allow calling external scripts and passing passwords via environment.
script-security 3
注:如果加上client-cert-not-required则代表只使用用户名密码方式验证登录,如果不加,则代表需要证书和用户名密码双重验证登录!
在config目录中创建脚本
vi checkpsw.sh
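#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# OpenVPN calls it through "auth-user-pass-verify ... via-env",
# so the submitted credentials arrive in the environment
# variables "username" and "password". Exit status 0 grants
# access, anything else denies it. Passfile lines starting
# with ';' or '#' are ignored.
PASSFILE="/usr/local/openvpn/config/psw-file"
LOG_FILE="/usr/local/openvpn/var/openvpn-password.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")
###########################################################

# Append one timestamped line to the log. The submitted password is
# deliberately never logged: the original wrote it out on failed
# attempts, which exposes credentials (and near-misses of them) to
# anyone who can read the log file.
log_msg() {
  printf '%s: %s\n' "${TIME_STAMP}" "$1" >> "${LOG_FILE}"
}

if [ ! -r "${PASSFILE}" ]; then
  log_msg "Could not open password file \"${PASSFILE}\" for reading."
  exit 1
fi

# Look the user up through ENVIRON instead of splicing ${username} into
# the awk program text as the original did: with the splice, a username
# containing a double quote changed the awk program itself. Only the
# first matching row counts.
CORRECT_PASSWORD=$(awk '!/^;/ && !/^#/ && $1 == ENVIRON["username"] { print $2; exit }' "${PASSFILE}")

if [ -z "${CORRECT_PASSWORD}" ]; then
  log_msg "User does not exist: username=\"${username}\"."
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  log_msg "Successful authentication: username=\"${username}\"."
  exit 0
fi

log_msg "Incorrect password: username=\"${username}\"."
exit 1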
给予权限:chmod +x checkpsw.sh
编写密码文件:
vi psw-file
client sz1card1
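# psw-file holds plaintext passwords, so restrict it to its owner. The
# original 777 let every local user read all VPN passwords and add
# accounts of their own. Ownership goes to "nobody" so the file stays
# readable if OpenVPN is later configured to drop to that user; root
# (which the daemon runs as in this guide) can read it regardless.
chmod 600 psw-file
chown nobody:nobody psw-file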
修改客户端配置文件:client.conf(或者client.ovpn)
注销掉这两行
#cert client1.crt
#key client1.key
再添加以下这行,添加后连接时就会提示输入用户名和密码
auth-user-pass
tls-auth ta.key 1