1. Environment
1.1. Server-side environment
CentOS 6, kernel version: 2.6.32-71.el6
IP address 192.168.122.180, tunnel IP 10.8.0.1
The kernel must support the tun device, and iptables must be loaded.
Check whether the tun module is available:
# modinfo tun
filename: /lib/modules/2.6.32-71.el6.i686/kernel/drivers/net/tun.ko
1.2. Client environment
Win7 host, IP address 192.168.122.29
2. Installation
2.1. Linux side
OpenVPN currently cannot be installed directly with yum; the official site provides an RPM package that can be downloaded directly. That RPM depends on:
- openssl
- lzo
- pam
In addition, if we build the source package ourselves, the corresponding development packages of the above are also required:
- openssl-devel
- lzo-devel
- pam-devel
Fortunately, all of these dependencies can be installed directly with yum.
Here we build directly from source. Download the latest source tarball from http://openvpn.net/index.php/open-source/downloads.html, and once all of the dependencies above are installed, unpack it:
# tar xfz openvpn-[version].tar.gz
Then change into the top-level directory of the source tree and run the usual three-step build and install:
# ./configure
# make
# make install
2.2. Windows side
Download the latest installer from http://openvpn.net/index.php/open-source/downloads.html and double-click it to install.
3. Certificates and key files
Because my setup uses Linux as the server, the certificates are generated on Linux as well.
If OpenVPN was installed from the RPM, the easy-rsa directory is usually under /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn-version; if OpenVPN was built from source, easy-rsa sits in the top-level directory of the source tree.
(Before editing anything, it is best to copy the whole easy-rsa directory somewhere else, such as /etc/openvpn, so that a later OpenVPN upgrade does not overwrite your configuration.)
First copy easy-rsa to /etc/openvpn:
# mkdir -p /etc/openvpn
# cp -R easy-rsa /etc/openvpn
# cd /etc/openvpn/easy-rsa/2.0
3.1. CA file
Open the vars file in an editor you are comfortable with and adjust the KEY_* variables to match your situation, for example:
export KEY_COUNTRY="CN"
Configure openssl: depending on the openssl version installed on the system, copy the matching openssl-version.cnf file to a file named openssl.cnf, or create a symbolic link:
# rpm -q openssl
openssl-1.0.0-20.el6_2.2.i686
# cp openssl-1.0.0.cnf openssl.cnf
Then run the following commands:
# . ./vars
# ./clean-all
# ./build-ca server
Note that the first command contains two dots: the leading dot sources vars into the current shell so that the KEY_* settings apply to the scripts that follow.
Output:
Generating a 1024 bit RSA private key
.++++++
......................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [HZ]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:
Name [changeme]:
Email Address [mail@host.domain]:
3.2. Generate the server key
# ./build-key-server server
Here server is the name label given on the command line; if it is omitted, you will be prompted for it during execution.
Generating a 1024 bit RSA private key
.....++++++
.................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [HZ]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [server]:
Name [changeme]:
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'HZ'
organizationName      :PRINTABLE:'HZ'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Mar 28 03:05:21 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Update
Note that the boxed output contains several interactive prompts. The default values are fine in most cases; only the confirmation prompts (answered y above) must be entered explicitly.
3.3. Generate the client key
# ./build-key client1
Here client1 is the client's name; if there are several clients, a separate key must be generated for each one.
Generating a 1024 bit RSA private key
...++++++
...............++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [HZ]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [client1]:
Name [changeme]:
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'HZ'
organizationName      :PRINTABLE:'HZ'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'client1'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Mar 28 03:21:06 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Again, the defaults are fine for most prompts; only the confirmation prompts (answered y above) must be entered explicitly.
3.4. Generate Diffie-Hellman parameters
This step is needed on the server side and can take quite a while:
# ./build-dh
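What the easy-rsa scripts in 3.1 to 3.4 do under the hood, as an added example that is not part of this guide or of easy-rsa itself: the same CA, server and client certificates produced with the openssl CLI directly, plus a check of the property the client configuration later relies on. easy-rsa's build-key-server signs the server certificate with the nsCertType=server extension, which is what the client's ns-cert-type server directive verifies, so the check here tells a server certificate apart from a client one. The output directory, the names server and client1, and the subject fields (reusing the prompt defaults shown above) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original guide): the artefacts easy-rsa's
# build-ca, build-key-server, build-key and build-dh produce, generated with
# the openssl CLI. Output directory and certificate names are assumptions.
set -e

# Issue one certificate signed by the CA kept in $pki. $3 is an extension
# file; its content is what distinguishes a server cert from a client cert.
issue_cert() {
    pki=$1; name=$2; ext=$3
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=CN/ST=CA/L=HZ/O=HZ/CN=$name" \
        -keyout "$pki/$name.key" -out "$pki/$name.csr" 2>/dev/null
    openssl x509 -req -days 3650 -in "$pki/$name.csr" \
        -CA "$pki/ca.crt" -CAkey "$pki/ca.key" -CAcreateserial \
        -extfile "$ext" -out "$pki/$name.crt" 2>/dev/null
    rm -f "$pki/$name.csr"
}

# Equivalent of build-ca, build-key-server server and build-key client1.
make_pki() {
    pki=$1
    mkdir -p "$pki"
    chmod 700 "$pki"
    umask 077                     # every .key created below is mode 0600

    # Root CA (build-ca): self-signed, 10 years like easy-rsa's CA_EXPIRE default
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/C=CN/ST=CA/L=HZ/O=HZ/CN=OpenVPN-CA" \
        -keyout "$pki/ca.key" -out "$pki/ca.crt" 2>/dev/null

    # Server certificate (build-key-server): nsCertType=server is the flag
    # that the client's "ns-cert-type server" directive checks, so a leaked
    # client certificate cannot pass itself off as the VPN server.
    printf '%s\n' 'basicConstraints=CA:FALSE' 'nsCertType=server' \
        'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' > "$pki/server.ext"
    issue_cert "$pki" server "$pki/server.ext"

    # Client certificate (build-key client1): no server flag
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature' \
        'extendedKeyUsage=clientAuth' > "$pki/client.ext"
    issue_cert "$pki" client1 "$pki/client.ext"

    chmod 644 "$pki"/*.crt        # certificates are not secret (see the file table)
}

# Equivalent of build-dh; kept separate because it is the slow step.
make_dh() {
    openssl dhparam -out "$1/dh$2.pem" "$2" 2>/dev/null
}

# Both leaf certificates must chain to ca.crt (exit status 0 when they do).
verify_pki() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" "$1/client1.crt" >/dev/null
}

# True only for a certificate carrying nsCertType=server.
is_server_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'SSL Server'
}

# Stand-alone run: build a throwaway PKI in a temporary directory and report.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_pki "$d"
    verify_pki "$d" && echo "chain OK"
    is_server_cert "$d/server.crt" && echo "server.crt carries nsCertType=server"
    ls -l "$d"
fi
```

Running the script with --demo prints the chain check and the directory listing; make_dh is invoked separately (for example make_dh /etc/openvpn/keys 2048) because parameter generation can take minutes. The point of the two checks is that the chain verifying is not enough on its own: is_server_cert is the additional property the client must insist on, and a client certificate issued by the same CA fails it.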
3.5. File description
At this point we have created the complete set of keys and certificates. They are stored in a subdirectory named keys under the easy-rsa directory. The table below gives a brief description of each file:
Filename    | Needed By                | Purpose                   | Secret
ca.crt      | server + all clients     | Root CA certificate       | NO
ca.key      | key signing machine only | Root CA key               | YES
dh{n}.pem   | server only              | Diffie Hellman parameters | NO
server.crt  | server only              | Server Certificate        | NO
server.key  | server only              | Server Key                | YES
client1.crt | client1 only             | Client1 Certificate       | NO
client1.key | client1 only             | Client1 Key               | YES
Finally, download the keys directory, since the client needs some of the files in it. As the table shows, ca.key is needed only on the machine that signs certificates, and each .key file should be readable only by the host that uses it.
4. Configuration
OpenVPN ships with template configuration files; edit the required options to suit your situation. The templates are stored in:
- the sample-config-files subdirectory of the OpenVPN source package
- for the RPM, the sample-config-files subdirectory under /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn-version
4.1. Server side
Edit /etc/sysctl.conf, find net.ipv4.ip_forward = 0, change it to net.ipv4.ip_forward = 1 and save. Then run:
# sysctl -p
Add the NAT rule for the tunnel subnet:
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 192.168.122.180
Note: replace the final 192.168.122.180 with the IP address of your own VPS.
When done, save the iptables settings with /etc/init.d/iptables save and then restart with /etc/init.d/iptables restart.
Copy the keys directory to /etc/openvpn.
Copy server.conf from the templates to /etc/openvpn and configure it to suit your situation. Here is my configuration:
local 192.168.122.180
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 202.101.172.35"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
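A pre-flight check for the server host, added here as an example that is not part of the original guide. It ties the Secret column of the file table in 3.5 to the server configuration above: it reads server.conf, confirms that every file named by the ca, cert, key and dh directives exists, that the private key is not readable by group or others, that no ca.key has been copied to the VPN server alongside server.key, that every push directive is one closed "..." string (OpenVPN takes the whole argument as a single token, so curly quotes or a missing closing quote make it reject the line), and that IP forwarding is switched on. The config file path is the only input; check_ip_forward reads /proc/sys/net/ipv4/ip_forward, the kernel file behind the sysctl setting, unless another path is given. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): pre-flight checks to run on
# the OpenVPN server host before starting the daemon. Input is the path of
# the server config; everything else is read from it.

# Resolve a path relative to the directory that holds the config file.
resolve_path() {
    case $2 in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$1" "$2" ;;
    esac
}

# Prints one line per finding; the return value is the number of findings,
# so a return of 0 means the config passed every check.
check_server_conf() {
    conf=$1
    dir=$(dirname "$conf")
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # drop trailing comments
        set -f; set -- $line; set +f     # split into words without globbing
        [ $# -eq 0 ] && continue
        case $1 in
            ca|cert|dh)
                f=$(resolve_path "$dir" "$2")
                if [ ! -r "$f" ]; then
                    echo "$1: file not found: $2"; findings=$((findings + 1))
                fi
                ;;
            key)
                f=$(resolve_path "$dir" "$2")
                if [ ! -r "$f" ]; then
                    echo "key: file not found: $2"; findings=$((findings + 1))
                elif [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
                    echo "key: $2 is readable by group or others (want mode 0600)"
                    findings=$((findings + 1))
                fi
                # The CA private key belongs on the signing machine only.
                if [ -e "$(dirname "$f")/ca.key" ]; then
                    echo "key: ca.key is present next to $2; it does not belong on the VPN server"
                    findings=$((findings + 1))
                fi
                ;;
            push)
                # push takes exactly one argument, so the line must read
                # push "..." with plain ASCII double quotes on both ends.
                case "$*" in
                    'push "'*'"') ;;
                    *) echo "push: argument must be one closed \"...\" string: $*"
                       findings=$((findings + 1)) ;;
                esac
                ;;
        esac
    done < "$conf"
    return "$findings"
}

# True when forwarding is on. $1 defaults to the live kernel setting; passing
# another path lets the check run against a sample file.
check_ip_forward() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# Stand-alone run against a config given on the command line.
if [ -n "${1:-}" ]; then
    check_server_conf "$1" && check_ip_forward && echo "pre-flight OK"
fi
```

Used as sh preflight.sh /etc/openvpn/server.conf on the host described in 4.1, every finding is printed before the daemon is started; the original curly-quoted push line and a ca.key left in /etc/openvpn/keys are both reported.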
4.2. Client side
Open the downloaded keys folder and copy the three files ca.crt, client1.crt and client1.key into the \config directory under the OpenVPN installation path. Edit the configuration file client1.ovpn, using the client.conf template as a reference. Here is my client configuration:
client
dev tun
proto udp
remote 192.168.122.180 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
On Win7, run OpenVPN GUI as administrator and click the Connect button. After a moment you will see the message that the connection succeeded.