详解Centos6.5 Openvpn的安装与配置

linux  /  管理员 发布于 7年前   451

一、安装准备

yum -y install openssl-devel opensslyum -y install gcc gcc-c++

二、OpenVPN服务端安装过程

1.lzo下载与安装

cd /apps  #安装目录wget ftp://www.wudonghang.com/soft/openvpn-2.1_rc15.tar.gz #下载lzotar zxvf lzo-2.04.tar.gz  #解压cd lzo-2.04./configure ; make ; make install  #编译与安装 

2.openvpn下载与安装

cd /appswget http://openvpn.net/release/openvpn-2.1_rc15.tar.gztar zxvf openvpn-2.1_rc15.tar.gzcd openvpn-2.1_rc15./configure ; make ; make install

3.服务器端设置

cp -r /apps/openvpn-2.1_rc15/ /etc/openvpn #用easy-rsa生成服务器证书客户端证书 

4.初始化参数

将解压目录的easy-rsa目录复制到 /etc/openvpn下

cd /etc/openvpn/easy-rsa/2.0./varssource vars 

5.生成CA证书

./clean-all./build-ca 

6.建立server key(一直回车）

./build-key-server server

7.生成diffie hellman参数

./build-dh 

8.复制ca证书，服务端证书到OpenVPN配置目录

复制代码 代码如下:
cp keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/

9.生成client key

./build-key client1 #与server key 设置一致

如要生成多个vpn账户，则与client1一样生成其他客户端证书如

./build-key client2./build-key client3

10.生成客户端配置文件client1.ovpn

vi /etc/openvpn/easy-rsa/2.0/keys/client1.ovpn

clientremote 192.168.80.129 1194dev tun #说明连接方式是点对点的连接，如要以以太网的方式则可以将tun修改为tapproto tcpresolv-retry infinitenobindpersist-keypersist-tunca ca.crtcert client1.crtkey client1.keyns-cert-type servercomp-lzoroute-delay 2route-method exeverb 3

11.打包客户端配置文件证书等

tar czf keys.tgz ca.crt ca.key client1.crt client1.csr client1.key client1.ovpnmv keys.tgz /root 

12.创建并编辑服务器端配置文件server.conf

port 1194proto tcpdev tun #说明连接方式是点对点的连接，如要以以太网的方式则可以将tun修改为tapca /etc/openvpn/easy-rsa/2.0/keys/ca.crtcert /etc/openvpn/easy-rsa/2.0/keys/server.crtkey /etc/openvpn/easy-rsa/2.0/keys/server.keydh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pemserver 10.8.0.0 255.255.255.0ifconfig-pool-persist ipp.txtpush "redirect-gateway"push "route 172.18.2.0 255.255.255.0" #路由转发到内网网段push "dhcp-option DNS 172.18.2.1"push "dhcp-option DNS 8.8.8.8"keepalive 10 120comp-lzopersist-keypersist-tunclient-to-client #如果不加则各个客户端之间将无法连接 

13.对防火墙的相关设置

echo 1 > /proc/sys/net/ipv4/ip_forwardiptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADEiptables-save > /etc/sysconfig/iptablessed -i 's/eth0/venet0/g' /etc/sysconfig/iptables # dirty vz fix for iptables-saveecho "net.ipv4.ip_forward=1" >> /etc/sysctl.conf

如果VPN服务器上的内网ip不是网关那么必须加上下面这一句（如果不加则客户端无法连接其他内网机器）：

复制代码 代码如下:
iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -d 172.18.2.0/255.255.255.0 -j SNAT Cto-source 172.18.2.30

14.启动openvpn

/usr/local/sbin/openvpn --config /etc/openvpn/server.conf

如要设置开机启动则执行命令：

复制代码 代码如下:
echo “/usr/local/sbin/openvpn --config /etc/openvpn/server.conf ” >> /etc/rc.local

也可以做服务

cp /apps/openvpn-2.1_rc15/sample-scripts/openvpn.init /etc/init.d/openvpnchmod 700 /etc/init.d/openvpnchkconfig --add openvpnchkconfig --level 345 openvpn on 

service openvpn start

15.查看是否安装成功

lsof -i:1194

注意：以上是公司内网中有一台机器可以连接外网的情况，如果内网中都没有机器可连接外网，那么如果内网中该网段机器（假设为B子网网段为192.168.1.0/24）要想连接另一台也无外网ip的某个网段的机器(A ip为172.9.2.100)该怎么办呢？请往下看
找到一台可以随意设置的拥有外网ip的机器假设为C

将C设置成openVPN的服务器，然后将A和B设置为openVPN客户端

在C的配置文件中加上:

client-to-clientclient-config-dir ccdroute 192.168.1.0 255.255.255.0

B在ccd中的配置为：

iroute 192.168.1.0 255.255.255.0

A在ccd中的配置为：

push "route 192.168.1.0 255.255.255.0"

B的SNAT配置：

复制代码 代码如下:
iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j SNAT C-to-source 172.9.2.100
  

三、openvpn客户端安装(Windows)

安装OpenVPN脚本 install_OpenVPN.sh 

#!/bin/bash# Quick and dirty OpenVPN install script# Tested on Centos 5.x 32bit, openvz minimal CentOS OS templates# Please submit feedback and questions at [email protected] # John Malkowski vpsnoc.com 01/04/2010 ip=`grep IPADDR /etc/sysconfig/network-scripts/ifcfg-venet0:0 | awk -F= '{print $2}'` wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpmrpm -iv rpmforge-release-0.3.6-1.el5.rf.i386.rpmrm -rf rpmforge-release-0.3.6-1.el5.rf.i386.rpm yum -y install openvpn openssl openssl-develcd /etc/openvpn/cp -R /usr/share/doc/openvpn-2.2.0/easy-rsa/ /etc/openvpn/cd /etc/openvpn/easy-rsa/2.0/chmod +rwx *./vars./clean-allsource ./vars echo -e "\n\n\n\n\n\n\n" | ./build-caclearecho "####################################"echo "Feel free to accept default values"echo "Wouldn't recommend setting a password here"echo "Then you'd have to type in the password each time openVPN starts/restarts"echo "####################################"./build-key-server server./build-dhcp keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/ clearecho "####################################"echo "Feel free to accept default values"echo "This is your client key, you may set a password here but it's not required"echo "####################################"./build-key client1cd keys/ client="clientremote $ip 1194dev tuncomp-lzoca ca.crtcert client1.crtkey client1.keyroute-delay 2route-method exeredirect-gateway def1dhcp-option DNS 10.8.0.1verb 3" echo "$client" > $HOSTNAME.ovpn tar czf keys.tgz ca.crt ca.key client1.crt client1.csr client1.key $HOSTNAME.ovpnmv keys.tgz /root opvpn='dev tunserver 10.8.0.0 255.255.255.0ifconfig-pool-persist ipp.txtca ca.crtcert server.crtkey server.keydh dh1024.pempush "route 10.8.0.0 255.255.255.0"push "redirect-gateway"comp-lzokeepalive 10 60ping-timer-rempersist-tunpersist-keygroup nobodydaemon' echo "$opvpn" > /etc/openvpn/openvpn.conf echo 1 > /proc/sys/net/ipv4/ip_forwardiptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADEiptables-save > /etc/sysconfig/iptablessed -i 's/eth0/venet0/g' /etc/sysconfig/iptables # dirty vz fix for iptables-saveecho "net.ipv4.ip_forward=1" >> /etc/sysctl.conf /etc/init.d/openvpn startclear echo "OpenVPN has been installedDownload /root/keys.tgz using winscp or other sftp/scp client such as filezillaCreate a directory named vpn at C:\Program Files\OpenVPN\config\ and untar the content of keys.tgz thereStart openvpn-gui, right click the tray icon go to vpn and click connectFor support/bug reports email us at [email protected]"

以上就是本文的全部内容，希望对大家的学习有所帮助，也希望大家多多支持。