OpenVpn配置笔记

鄙视现在网上各种流传的笔记,都不全。。

按的网络上的文档做了N次没成功,同事哗啦啦的东拼西凑+自己的经验弄出来了

特地把文档贴出了~以后慢慢用

yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y

wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm

wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm

rpmbuild --rebuild lzo-1.08-4.rf.src.rpm

rpm -Uvh lzo-*.rpm

rpm -Uvh rpmforge-release*

yum install openvpn -y

cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/


修改/etc/openvpn/easy-rsa/2.0/vars 29行
export KEY_CONFIG='$EASY_RSA/whichopensslcnf $EASY_RSA'

export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf


cd /etc/openvpn/easy-rsa/2.0/
chmod 755 ./*
source ./vars
./vars
./clean-all


./build-ca
Country Name: may be filled or press enter
State or Province Name: may be filled or press enter
City: may be filled or press enter
Org Name: may be filled or press enter
Org Unit Name: may be filled or press enter
Common Name: your server hostname
Email Address: may be filled or press enter

./build-key-server server

Almost the same with ./build.ca but check the changes and additional
Common Name: server
A challenge password: OpenVpnServerTt!@#1
Optional company name: fill or enter
sign the certificate: y
1 out of 1 certificate requests: y

OpenSSL CA Pass:OpenVpnServerTt!@#1

生成客户端
./build-key client
#创建client用户
#方法和创建服务器秘钥一样

./build-dh

创建OpenVpnServer配置文件:
vim /etc/openvpn/server.conf
port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3

service openvpn start(如果提示 ip link add link DEV [ name ] NAME 就请检查主机TUN是否启用)

修改/etc/sysctl.conf(开启ipv4端口转发功能)
net.ipv4.ip_forward = 0
↓
net.ipv4.ip_forward = 1

sysctl -p (OpenVZ架构的主机,如果报 ip6tables is an unknown key 请做以下修改,然后执行sysctl -p)
modprobe bridge
lsmod|grep bridge

如果还报错就执行这个
rm -f /sbin/modprobe
rm -f /sbin/sysctl
ln -s /bin/true /sbin/modprobe
ln -s /bin/true /sbin/sysctl


创建一个账号
useradd opentest -M -s /bin/false
passwd opentest

添加iptables地址转换
OpenVZ:iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 1.1.1.1(为公网地址)
Xen and KVM:iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE(eth0为公网网卡)
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 1.1.1.1(为公网地址)



然后吧keys目录下面的ca.crt、client.crt、client.key复制到客户机OpenVpn GUI安装目录的config目录里面,
在建立一个名字叫client.ovpn的文件
里面的内容写

client
dev tun
proto tcp #服务端配置的什么协议就写什么协议
port 80 #你服务端的端口,默认1194
remote 191.96.4.122 18950 # - 你服务端IP和端口,端口默认1194
float
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
auth-nocache
comp-lzo
reneg-sec 0
verb 3

 

标签: 无
返回文章列表 文章二维码
本页链接的二维码
打赏二维码
添加新评论