yum搭建Key形式openvpn v2.3.3
1. 安装openvpn 2.3(需要EPEL更新源)
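# Register the upstream OpenVPN 2.3 repo (CentOS 6 also needs EPEL for lzo/pkcs11-helper).
cd /etc/yum.repos.d || exit 1
wget http://repos.openvpn.net/repos/yum/conf/repos.openvpn.net-CentOS6-snapshots.repo
# The repo file arrives over plain HTTP and it decides which packages yum trusts:
# read it before installing and make sure it keeps gpgcheck=1 with a key you recognise.
cat repos.openvpn.net-CentOS6-snapshots.repo
yum install openssl lzo pkcs11-helper openvpn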
2. 生成Key文件
下载easy-rsa
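cd /opt || exit 1
yum install git
# Clone over HTTPS: the git:// transport is unauthenticated, and these scripts
# are about to generate the CA, so they must not be tamperable in transit.
git clone https://github.com/OpenVPN/easy-rsa.git
cd easy-rsa || exit 1
# The default branch moves; pin to a tagged 2.x release you have looked at
# (git tag -l, then git checkout <tag>) rather than building from HEAD.
cd easy-rsa/2.0 || exit 1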
修改配置文件
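vi vars
# Identity fields written into the DN of the CA and every certificate it issues.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
# Set KEY_EMAIL exactly once (the original listed it twice; the later line silently won).
export KEY_EMAIL="me@myhost.mydomain"
# vars also defines KEY_SIZE; leave it at 2048, since the copy step later expects
# the DH parameters to be written as dh2048.pem.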
生成Key文件
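# Source from the current directory explicitly (a bare ". vars" lets bash search PATH first).
. ./vars
# WARNING: clean-all wipes the whole keys/ directory, including an existing CA
# and every certificate it issued. Run it only when bootstrapping a new PKI.
./clean-all
# Creates keys/ca.crt and keys/ca.key. ca.key signs all client certs: keep it
# mode 0600 and, ideally, off the VPN server entirely.
./build-ca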
若出现
No /usr/share/openvpn/easy-rsa/2.0/openssl.cnf file could be found
Further invocations will fail
则执行
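# easy-rsa 2.0 ships one template per OpenSSL branch; use the one matching
# `openssl version` on this host (1.0.x on CentOS 6).
cp openssl-1.0.0.cnf openssl.cnf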
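# Script name is build-key-server (the original had the typo "bulid-").
# The argument becomes the cert's Common Name and the basename under keys/;
# "server" is assumed by the copy step below (server.crt / server.key).
./build-key-server server
# One certificate per client. Never hand the same cert to several people:
# it makes revocation and accounting per user impossible.
./build-key client
# Diffie-Hellman parameters, written as keys/dh<KEY_SIZE>.pem.
./build-dh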
拷贝Key文件
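cd keys || exit 1
cp ca.crt server.crt server.key dh2048.pem /etc/openvpn/
# server.key is the server's private key. The daemon reads it as root before
# dropping to nobody (persist-key keeps it in memory), so nothing else needs access.
chown root:root /etc/openvpn/server.key
chmod 600 /etc/openvpn/server.key
# ca.key stays behind in keys/; protect it the same way. Whoever holds it can
# mint certificates that this server will accept.
chmod 600 ca.key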
3. server配置文件:在/etc/openvpn目录下创建server.conf,并写入如下内容。官方参考配置位于/usr/share/doc/openvpn-<版本号>/sample-config-files/server.conf,版本号以实际安装的openvpn包为准(例如openvpn-2.3.x),下面的cp命令请按实际路径修改。
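# The sample path embeds the package version (the original mixed 2.3.0 and 2.2.1);
# glob it so the command matches whichever openvpn-2.3.x is installed.
cp /usr/share/doc/openvpn-*/sample-config-files/server.conf /etc/openvpn/
# Note the path: /etc/openvpn/server.conf, not /etc/openvpnserver.conf.
vi /etc/openvpn/server.conf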
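# /etc/openvpn/server.conf
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
port 1194
;proto tcp
proto udp
;dev tap
dev tun
# PKI material generated with easy-rsa and copied from keys/.
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret (mode 0600)
dh /etc/openvpn/dh2048.pem
# Hardening not covered by the key-generation steps above, to add as a matched
# pair on server AND clients or connections will fail:
#  - a tls-auth HMAC key (openvpn --genkey --secret ta.key; "tls-auth ta.key 0"
#    here, "tls-auth ta.key 1" on clients) rejects unauthenticated packets
#    before the TLS handshake starts;
#  - "cipher AES-256-CBC" on both sides replaces the 2.3 default BF-CBC.
# Revoking a lost client key later needs a CRL ("crl-verify"); plan for it now.
server 10.8.1.0 255.255.255.0
ifconfig-pool-persist /var/log/ipp.txt
push "route 10.8.1.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
# duplicate-cn lets any number of clients connect with the same certificate.
# Step 9 issues one cert per user, so it is not needed; with it on, a leaked
# client key is usable by everyone and per-user revocation/accounting are lost.
;duplicate-cn
keepalive 10 120
comp-lzo
# Drop privileges after startup. persist-key/persist-tun let the unprivileged
# process survive SIGUSR1 restarts without re-reading the key or reopening tun.
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log # comment this out to see errors on the console instead
verb 3
mute 20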
4. 开启端口转发
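vi /etc/sysctl.conf
# Enable IPv4 forwarding so packets from the tun interface can be routed out eth0.
net.ipv4.ip_forward = 1
# Apply the file now (it is otherwise only read at boot) and confirm the value.
sysctl -p
sysctl net.ipv4.ip_forward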
5. iptables设置
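# NAT VPN clients out of the uplink interface (change eth0 if yours differs).
iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE
# Use -I, not -A: the stock CentOS 6 ruleset ends INPUT and FORWARD with a
# REJECT rule, so an appended ACCEPT lands after it and never matches.
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
# Forwarding also has to be allowed explicitly for the tunnel subnet.
iptables -I FORWARD -i tun0 -o eth0 -s 10.8.1.0/24 -j ACCEPT
iptables -I FORWARD -i eth0 -o tun0 -d 10.8.1.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
/etc/init.d/iptables save
service iptables restart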
6. 测试启动,键入命令,若看到Initialization Sequence Completed,表明成功。
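# Foreground test run as root; look for "Initialization Sequence Completed".
# With log-append set in server.conf the messages go to /var/log/openvpn.log,
# not the terminal. Stop with Ctrl-C before moving on to step 8.
openvpn --config /etc/openvpn/server.conf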
7. client配置文件:在openvpn安装目录的config文件夹下创建client.ovpn,并写入如下内容。官方参考文件为C:\Program Files\OpenVPN\sample-config\client.conf。同时需要将easy-rsa/easy-rsa/2.0/keys/目录下的client.crt、client.key、ca.crt下载到config文件夹。注意client.key是该客户端的私钥:请通过scp等加密通道传输,不要用邮件或聊天工具发送,并在客户端限制为仅本人可读。
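client
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node OpenVPN
;proto tcp
proto udp
# Replace server-ip with the server's public address or hostname.
remote server-ip 1194
;remote my-server-2 1194
resolv-retry infinite
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
persist-key
persist-tun
# This client's identity. client.key is a private key: keep it readable only
# by this user and never copy it to another machine or person.
ca ca.crt
cert client.crt
key client.key
# Require the peer's certificate to carry the server marker set by
# build-key-server; without this, any other *client* cert signed by the same
# CA could impersonate the server. On 2.3 "remote-cert-tls server" is the
# newer equivalent if the server cert carries extendedKeyUsage serverAuth.
ns-cert-type server
comp-lzo
verb 3
mute 20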
然后进行连接测试。若连接失败,先查看服务器端/var/log/openvpn.log(即server.conf中log-append指定的文件)以及客户端的连接日志,其中会给出具体原因(如证书校验失败、端口不通等)。
8. 若测试成功,后续步骤
8.1 openvpn加入后台
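# Detach into the background once the foreground test in step 6 succeeded.
openvpn --daemon --config /etc/openvpn/server.conf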
8.2 添加开机自启动,修改/etc/rc.d/rc.local文件,添加如下
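# rc.local runs this as root at boot. The yum openvpn package should also ship
# an init script (chkconfig openvpn on; service openvpn start) that starts every
# /etc/openvpn/*.conf — prefer it so the daemon gets proper start/stop/status.
openvpn --daemon --config /etc/openvpn/server.conf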
9. 添加新openvpn用户
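cd /opt/easy-rsa/easy-rsa/2.0 || exit 1
# New shell: re-source vars so the KEY_* settings are in the environment.
. ./vars
# Do NOT run ./build-ca again here: it overwrites ca.crt/ca.key and invalidates
# every certificate already issued (the server's and all existing clients').
# Issue one cert per user; the name becomes the Common Name and should be
# unique across clients.
./build-key XXXXXX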
同样将XXXXXX.crt、XXXXXX.key、ca.crt以及client.ovpn文件拷贝到config文件夹下(ca.crt与之前分发的相同,无需重新生成CA;并把client.ovpn中的cert/key改为XXXXXX.crt/XXXXXX.key)。