I despise the notes floating around the web these days; none of them are complete..
I followed the online docs N times without success; a colleague cobbled it together from bits and pieces plus his own experience.
Posting the doc here on purpose, so I can use it bit by bit later on~
Install the build dependencies, build the lzo package, add the rpmforge repository and install OpenVPN:

    yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y
    wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm
    wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
    rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
    rpm -Uvh lzo-*.rpm
    rpm -Uvh rpmforge-release*
    yum install openvpn -y
    cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/

Edit /etc/openvpn/easy-rsa/2.0/vars at line 29, changing

    export KEY_CONFIG='$EASY_RSA/whichopensslcnf $EASY_RSA'

to

    export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf

Then build the CA:

    cd /etc/openvpn/easy-rsa/2.0/
    chmod 755 ./*
    source ./vars
    ./clean-all
    ./build-ca

Prompts for ./build-ca:

    Country Name: may be filled in or press Enter
    State or Province Name: may be filled in or press Enter
    City: may be filled in or press Enter
    Org Name: may be filled in or press Enter
    Org Unit Name: may be filled in or press Enter
    Common Name: your server hostname
    Email Address: may be filled in or press Enter

Build the server key:

    ./build-key-server server

Almost the same as ./build-ca, but watch for these changes and additional prompts:

    Common Name: server
    A challenge password: <your password>
    Optional company name: fill in or press Enter
    Sign the certificate: y
    1 out of 1 certificate requests: y
    OpenSSL CA Pass: <your password>

Generate the client key (the procedure is the same as for the server key):

    ./build-key client

Generate the Diffie-Hellman parameters:

    ./build-dh

Create the OpenVPN server configuration file:

    vim /etc/openvpn/server.conf

with the following contents:

    port 1194 #- port
    proto udp #- protocol
    dev tun
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    reneg-sec 0
    ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
    cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
    key /etc/openvpn/easy-rsa/2.0/keys/server.key
    dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
    plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS
    #plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS
    client-cert-not-required
    username-as-common-name
    server 10.8.0.0 255.255.255.0
    push "redirect-gateway def1"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    keepalive 5 30
    comp-lzo
    persist-key
    persist-tun
    status 1194.log
    verb 3

Start the service:

    service openvpn start

(If it complains with "ip link add link DEV [ name ] NAME", check whether TUN is enabled on the host.)

Edit /etc/sysctl.conf to enable IPv4 forwarding, changing

    net.ipv4.ip_forward = 0

to

    net.ipv4.ip_forward = 1

and apply it:

    sysctl -p

(On OpenVZ hosts, if this reports "ip6tables is an unknown key", make the following changes and then run sysctl -p again.)

    modprobe bridge
    lsmod|grep bridge

If it still errors, run this:

    rm -f /sbin/modprobe
    rm -f /sbin/sysctl
    ln -s /bin/true /sbin/modprobe
    ln -s /bin/true /sbin/sysctl

Create an account (the PAM plugin authenticates VPN users against these system accounts):

    useradd opentest -M -s /bin/false
    passwd opentest

Add the iptables address translation.

OpenVZ (1.1.1.1 stands for your public address):

    iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 1.1.1.1

Xen and KVM (eth0 is the public-facing NIC):

    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

or, with a fixed public address (1.1.1.1 stands for your public address):

    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 1.1.1.1

Then copy ca.crt, client.crt and client.key from the keys directory into the config directory under the OpenVPN GUI installation directory on the client machine, and create a file named client.ovpn there with the following contents:

    client
    dev tun
    proto tcp #- use whatever protocol the server is configured with
    port 80 #- your server's port, default 1194
    remote 191.96.4.122 18950 # - your server's IP and port, port default 1194
    float
    resolv-retry infinite
    nobind
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    persist-key
    persist-tun
    ca ca.crt
    auth-user-pass
    auth-nocache
    comp-lzo
    reneg-sec 0
    verb 3
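The server.conf and client.ovpn above have to agree on protocol and port (the server listens on UDP 1194, while the sample client says tcp and 18950), and client-cert-not-required means the server never verifies a client certificate, so the PAM password is the only thing authenticating a client. The shell script below is an added example and is not part of the original post: it lints a server.conf / client.ovpn pair for those mismatches and for a client that lacks a ca line or remote-cert-tls server (without the latter, any certificate issued by the same CA, such as another client's, would be accepted as the server). The sample configs it writes to a temporary directory are constructed here (192.0.2.10 is a documentation address), and the ovpn_field, ovpn_has, check_pair and count_problems functions are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): lint an OpenVPN server.conf / client.ovpn
# pair for transport mismatches and for settings that weaken certificate verification.

# ovpn_field FILE DIRECTIVE N -> N-th argument of the first uncommented DIRECTIVE line
ovpn_field() {
    awk -v key="$2" -v n="$3" '
        { sub(/#.*/, "") }                # strip trailing "# ..." comments
        $1 == key { print $(n + 1); exit }
    ' "$1"
}

# ovpn_has FILE DIRECTIVE -> exit 0 if the directive appears uncommented
ovpn_has() {
    [ -n "$(awk -v key="$2" '{ sub(/#.*/, "") } $1 == key { print "y"; exit }' "$1")" ]
}

# Normalise "udp", "tcp-server", "tcp-client", ... to the bare transport name
proto_base() {
    printf '%s\n' "$1" | sed 's/-client$//; s/-server$//'
}

# check_pair SERVER_CONF CLIENT_OVPN
# Prints one "PROBLEM: ..." line per finding; always returns 0 so callers can count lines.
check_pair() {
    srv=$1; cli=$2
    s_proto=$(proto_base "$(ovpn_field "$srv" proto 1)")
    c_proto=$(proto_base "$(ovpn_field "$cli" proto 1)")
    s_port=$(ovpn_field "$srv" port 1); [ -n "$s_port" ] || s_port=1194
    c_port=$(ovpn_field "$cli" remote 2)        # "remote host port" overrides "port"
    [ -n "$c_port" ] || c_port=$(ovpn_field "$cli" port 1)
    [ -n "$c_port" ] || c_port=1194             # OpenVPN default

    [ "$s_proto" = "$c_proto" ] || echo "PROBLEM: proto mismatch (server=$s_proto client=$c_proto)"
    [ "$s_port" = "$c_port" ]   || echo "PROBLEM: port mismatch (server=$s_port client=$c_port)"
    if ovpn_has "$srv" client-cert-not-required; then
        echo "PROBLEM: server does not verify client certificates; only the PAM password authenticates clients"
    fi
    ovpn_has "$cli" ca || echo "PROBLEM: client has no 'ca' line, so it cannot verify the server certificate"
    ovpn_has "$cli" remote-cert-tls || echo "PROBLEM: client lacks 'remote-cert-tls server'; any certificate from the same CA would be accepted as the server"
    return 0
}

# count_problems SERVER_CONF CLIENT_OVPN -> number of findings
count_problems() { check_pair "$1" "$2" | wc -l | tr -d ' '; }

# Constructed sample configs in the shape of the ones above (written to a temp dir).
WORK=$(mktemp -d)
cat > "$WORK/server.conf" <<'EOF'
port 1194 #- port
proto udp #- protocol
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
EOF
# Constructed client with the mismatches of the sample client.ovpn (192.0.2.10 is a documentation address)
cat > "$WORK/client.ovpn" <<'EOF'
client
dev tun
proto tcp
port 80
remote 192.0.2.10 18950
ca ca.crt
auth-user-pass
EOF
# Corrected client, and a server that keeps client-certificate verification, for comparison
cat > "$WORK/client-fixed.ovpn" <<'EOF'
client
dev tun
proto udp
remote 192.0.2.10 1194
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
auth-user-pass
EOF
grep -v '^client-cert-not-required' "$WORK/server.conf" > "$WORK/server-fixed.conf"

check_pair "$WORK/server.conf" "$WORK/client.ovpn"
echo "findings: $(count_problems "$WORK/server.conf" "$WORK/client.ovpn")"
echo "findings after fixes: $(count_problems "$WORK/server-fixed.conf" "$WORK/client-fixed.ovpn")"
```

Run it with sh; the sample pair yields four findings (protocol, port, unverified client certificates, missing remote-cert-tls) and the corrected pair yields none. Point check_pair at your real /etc/openvpn/server.conf and the client.ovpn you hand out to catch the same issues before distributing the client bundle.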