++++++++++++++++++++++++++++++++++++++++++++
Xiutuo's VPN series: OpenVPN hands-on notes
QQ: 6541657
Email: xiutuo@gmail.com
---------------------------
Environment:
centos5
OpenVPN server: openvpn-2.0.9
OpenVPN clients:
windows--openvpn-2.0.9-gui-1.0.3-install.exe
linux----openvpn-2.0.9
++++++++++++++++++++++++++++++++++++++++++++
I. Install the packages OpenVPN depends on
openssl
openssl-devel
lzo
lzo-devel
pam
pam-devel
a. Check whether the packages above are installed
# rpm -qa | grep openssl
openssl-devel-0.9.8b-8.3.el5_0.2
openssl-0.9.8b-8.3.el5_0.2
# rpm -qa | grep lzo
# rpm -qa | grep pam
pam-0.99.6.2-3.26.el5
pam-devel-0.99.6.2-3.26.el5
II. Install lzo
Download lzo-2.03.tar.gz to /home/xiutuo/software
# cd /home/xiutuo/software
# tar -zxvf lzo-2.03.tar.gz
# cd lzo-2.03
# ./configure
# make
# make install
III. Install OpenVPN
Download openvpn-2.0.9.tar.gz to /home/xiutuo/software
# cd /home/xiutuo/software
# tar -zxvf openvpn-2.0.9.tar.gz
# cd openvpn-2.0.9
# ./configure
# make
# make install
IV. Configure OpenVPN. The official documentation recommends a routed VPN, so a routed VPN is what is configured here as the example.
---------------------
Determining whether to use a routed or bridged VPN
See FAQ for an overview of Routing vs. Ethernet Bridging.
See also the OpenVPN Ethernet Bridging page for more notes and details on bridging.
Overall, routing is probably a better choice for most people,
as it is more efficient and easier to set up (as far as the OpenVPN configuration itself)
than bridging. Routing also provides a greater ability
to selectively control access rights on a client-specific basis.
I would recommend using routing unless you need a specific feature which requires bridging,
such as:
the VPN needs to be able to handle non-IP protocols such as IPX,
you are running applications over the VPN which rely on network broadcasts (such as LAN games),
or you would like to allow browsing of Windows file shares across the VPN without
setting up a Samba or WINS server.
-------------------------
1. Generate the PKI (public key infrastructure)
a. Edit /home/xiutuo/openvpn-2.0.9/easy-rsa/vars and set the following parameters;
KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL must not contain spaces
# cd /home/xiutuo/openvpn-2.0.9/easy-rsa/
# vi vars    (contents as follows)
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=GD
export KEY_CITY=GZ
export KEY_ORG="OpenVPN-XT"
export KEY_EMAIL="xiutuo@gmail.com"
# . ./vars
# ./clean-all
# ./build-ca
2. On the server, generate the OpenVPN server's certificate & key
# cd /home/xiutuo/openvpn-2.0.9/easy-rsa/
# ./build-key-server server
3. On the server, generate certificates & keys for the OpenVPN clients (assuming there are N clients)
# cd /home/xiutuo/openvpn-2.0.9/easy-rsa/
# ./build-key client1
# ./build-key client2
# ./build-key client3
……
# ./build-key clientN
4. On the server, generate the DH (Diffie-Hellman) parameters for the OpenVPN server; this step is mandatory.
Diffie Hellman parameters must be generated for the OpenVPN server.
# cd /home/xiutuo/openvpn-2.0.9/easy-rsa/
# ./build-dh
5. Create the configuration file for the OpenVPN server
a. Create the configuration directory; the openvpn program automatically looks for its configuration files in /etc/openvpn/
# mkdir -p /etc/openvpn/
Copy the following files into /etc/openvpn/:
ca.crt
ca.key
dh1024.pem
serial
server.crt
server.csr
server.key
Copy /home/xiutuo/openvpn-2.0.9/sample-config-files/server.conf into /etc/openvpn/
b. Per-client configuration
Create the client configuration directory
# mkdir -p /etc/openvpn/ccd    (this directory is needed when assigning fixed IPs to VPN clients)
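As an added example (not from the original notes or from OpenVPN itself): a small shell helper that fills the ccd directory created above with one fixed-address entry per client. It assumes the sample server.conf defaults (server 10.8.0.0 255.255.255.0 and OpenVPN 2.0's net30 topology) and that each ccd file is named after the client certificate's common name.

```shell
#!/bin/sh
# Helpers for /etc/openvpn/ccd (example code, not part of OpenVPN or the notes).
# Assumes the sample server.conf line "server 10.8.0.0 255.255.255.0" and
# OpenVPN 2.0's default net30 topology: every client occupies a /30 whose
# endpoint octets are [5,6], [9,10], [13,14], ...; [1,2] is the server's own.
# Activate the directory in server.conf with:
#   client-config-dir ccd
#   ccd-exclusive        (optional: reject clients that have no ccd entry)

# ccd_pair INDEX -> "CLIENT_IP SERVER_ENDPOINT" for the INDEX-th client (1..63)
ccd_pair() {
  idx="$1"
  if [ "$idx" -lt 1 ] || [ "$idx" -gt 63 ]; then
    echo "client index $idx outside 1..63 for a /24 pool" >&2
    return 1
  fi
  echo "10.8.0.$((idx * 4 + 1)) 10.8.0.$((idx * 4 + 2))"
}

# ccd_entry NAME INDEX -> contents of ccd/NAME; NAME must be the client cert's CN
ccd_entry() {
  pair=$(ccd_pair "$2") || return 1
  printf '# fixed VPN address for %s\nifconfig-push %s\n' "$1" "$pair"
}

# write_ccd DIR NAME INDEX -> create DIR/NAME, readable by the openvpn process
write_ccd() {
  mkdir -p "$1"
  ccd_entry "$2" "$3" > "$1/$2" || { rm -f "$1/$2"; return 1; }
  chmod 644 "$1/$2"
}

# Example: client1..client3 from section IV get 10.8.0.5, 10.8.0.9, 10.8.0.13
# for i in 1 2 3; do write_ccd /etc/openvpn/ccd "client$i" "$i"; done
```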
V. Configure OpenVPN to start at boot
# cp /home/xiutuo/openvpn-2.0.9/sample-scripts/openvpn.init /etc/init.d/openvpn
# cd /etc/init.d/
# chmod 755 openvpn
# chkconfig --add openvpn
# chkconfig --level 2345 openvpn on
VI. Start/stop OpenVPN
# service openvpn start
# service openvpn stop
VII. Install the OpenVPN client
1. On Linux
a. Install: the client is installed the same way as the OpenVPN server.
The only difference is that the client's own crt, csr and key from openvpn-2.0.9/easy-rsa/keys/ on the VPN server, together with ca.crt, are copied to
/etc/openvpn/
Then take /home/xiutuo/openvpn-2.0.9/sample-config-files/client.conf
and change the relevant lines as follows, where N is one of the client numbers 1, 2, 3 ... n, i.e. the number of this particular OpenVPN client:
remote my-server-1 1194
# replace my-server-1 with the VPN server's (public) IP address
cert clientN.crt
key clientN.key
b. Start
# openvpn /etc/openvpn/client.conf
2. On Windows
a. Install: download openvpn-2.0.9-gui-1.0.3-install.exe and install it.
The only difference is that the client's own crt, csr and key from openvpn-2.0.9/easy-rsa/keys/ on the VPN server, together with ca.crt, are copied to
windows_openvpn_setupdir/config/
where N is one of the client numbers 1, 2, 3 ... n, i.e. the number of this particular OpenVPN client:
ca.crt
clientN.crt
clientN.csr
clientN.key
The server's ca.crt is mandatory.
cp windows_openvpn_setupdir/sample-config/client.ovpn windows_openvpn_setupdir/config/
Change the relevant lines in it as follows, where N is one of the client numbers 1, 2, 3 ... n, i.e. the number of this particular OpenVPN client:
remote my-server-1 1194
# replace my-server-1 with the VPN server's (public) IP address
cert clientN.crt
key clientN.key
b. Start: open the OpenVPN GUI client and click Connect.
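As an added example (not part of the original notes or of OpenVPN): a POSIX shell check to run over a client bundle before handing it to a Linux or Windows client. It assumes the file names used above (ca.crt, clientN.crt, clientN.key), GNU/busybox stat for the permission check and openssl on PATH for the signature and key-match checks; it also refuses a bundle that still contains ca.key or server.key, which belong on the server only.

```shell
#!/bin/sh
# check_client_bundle DIR NAME: sanity-check the files copied to a client's
# config directory (example helper, not part of OpenVPN or the original notes).
# Returns 0 if everything is consistent, 1 otherwise, printing each finding.
check_client_bundle() {
  dir="$1"; name="$2"; rc=0
  # 1. required files: the CA certificate plus this client's cert and key
  for f in ca.crt "$name.crt" "$name.key"; do
    [ -f "$dir/$f" ] || { echo "missing: $f"; rc=1; }
  done
  [ "$rc" -eq 0 ] || return 1
  # 2. server-only secrets must never travel with a client bundle
  for f in ca.key server.key; do
    [ ! -e "$dir/$f" ] || { echo "must not ship to clients: $f"; rc=1; }
  done
  # 3. the private key should be readable by its owner only (GNU/busybox stat)
  mode=$(stat -c %a "$dir/$name.key")
  case "$mode" in
    600|400) ;;
    *) echo "$name.key has mode $mode, want 600"; rc=1 ;;
  esac
  # 4. with openssl available: cert must chain to ca.crt and match the key
  if command -v openssl >/dev/null 2>&1; then
    out=$(openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" 2>&1) || true
    case "$out" in
      *": OK") ;;
      *) echo "$name.crt is not signed by ca.crt"; rc=1 ;;
    esac
    cm=$(openssl x509 -noout -modulus -in "$dir/$name.crt" 2>/dev/null) || cm=unreadable-cert
    km=$(openssl rsa -noout -modulus -in "$dir/$name.key" 2>/dev/null) || km=unreadable-key
    [ "$cm" = "$km" ] || { echo "$name.crt and $name.key do not belong together"; rc=1; }
  fi
  return "$rc"
}

# Example usage on the Linux client from section VII:
#   check_client_bundle /etc/openvpn client1 && echo "bundle OK"
```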
VIII. Let clients reach the LAN behind the server
1. Enable IP forwarding
On CentOS:
# echo 1 > /proc/sys/net/ipv4/ip_forward
or
-----------------------
# vi /etc/sysctl.conf
change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1
Apply the setting:
# sysctl -p
-----------------------
2. Allow tun and tap traffic through iptables
# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT
# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT
# Allow TAP interface connections to OpenVPN server
iptables -A INPUT -i tap+ -j ACCEPT
# Allow TAP interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tap+ -j ACCEPT
# service iptables save
# service iptables restart
3. vi /etc/openvpn/server.conf and add
push "route <VPN server's LAN network address> 255.255.255.0"
4. For other, more detailed access setups, see
http://openvpn.net/index.php/open-source/documentation/howto.html#examples
[root@xt openvpn-2.0.9]# ./configure -h
`configure' configures OpenVPN 2.0.9 to adapt to many kinds of systems.
Usage: ./configure [OPTION]... [VAR=VALUE]...
To assign environment variables (e.g., CC, CFLAGS...), specify them as
VAR=VALUE. See below for descriptions of some of the useful variables.
Defaults for the options are specified in brackets.
Configuration:
-h, --help display this help and exit
--help=short display options specific to this package
--help=recursive display the short help of all the included packages
-V, --version display version information and exit
-q, --quiet, --silent do not print `checking...' messages
--cache-file=FILE cache test results in FILE [disabled]
-C, --config-cache alias for `--cache-file=config.cache'
-n, --no-create do not create output files
--srcdir=DIR find the sources in DIR [configure dir or `..']
Installation directories:
--prefix=PREFIX install architecture-independent files in PREFIX
[/usr/local]
--exec-prefix=EPREFIX install architecture-dependent files in EPREFIX
[PREFIX]
By default, `make install' will install all the files in
`/usr/local/bin', `/usr/local/lib' etc. You can specify
an installation prefix other than `/usr/local' using `--prefix',
for instance `--prefix=$HOME'.
For better control, use the options below.
Fine tuning of the installation directories:
--bindir=DIR user executables [EPREFIX/bin]
--sbindir=DIR system admin executables [EPREFIX/sbin]
--libexecdir=DIR program executables [EPREFIX/libexec]
--datadir=DIR read-only architecture-independent data [PREFIX/share]
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
--infodir=DIR info documentation [PREFIX/info]
--mandir=DIR man documentation [PREFIX/man]
Program names:
--program-prefix=PREFIX prepend PREFIX to installed program names
--program-suffix=SUFFIX append SUFFIX to installed program names
--program-transform-name=PROGRAM run sed PROGRAM on installed program names
System types:
--build=BUILD configure for building on BUILD [guessed]
--host=HOST cross-compile to build programs to run on HOST [BUILD]
--target=TARGET configure for building compilers for TARGET [HOST]
Optional Features:
--disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
--enable-FEATURE[=ARG] include FEATURE [ARG=yes]
--disable-lzo Disable LZO compression support
--disable-crypto Disable OpenSSL crypto support
--disable-ssl Disable OpenSSL SSL support for TLS-based key exchange
--disable-multi Disable client/server support (--mode server + client mode)
--disable-server Disable server support only (but retain client support)
--disable-plugins Disable plug-in support
--disable-management Disable management server support
--disable-socks Disable Socks support
--disable-http Disable HTTP proxy support
--disable-fragment Disable internal fragmentation support (--fragment)
--disable-debug Disable debugging support (disable gremlin and verb 7+ messages)
--enable-small Enable smaller executable size (disable OCC, usage message, and verb 4 parm list)
--enable-pthread Enable pthread support (Experimental for OpenVPN 2.0)
--enable-password-save Allow --askpass and --auth-user-pass passwords to be read from a file
--enable-iproute2 Enable support for iproute2
--enable-strict Enable strict compiler warnings (debugging option)
--enable-pedantic Enable pedantic compiler warnings, will not generate a working executable (debugging option)
--enable-profiling Enable profiling (debugging option)
--enable-strict-options Enable strict options check between peers (debugging option)
--disable-dependency-tracking speeds up one-time build
--enable-dependency-tracking do not reject slow dependency extractors
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
--without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no)
--with-ssl-headers=DIR Crypto/SSL Include files location
--with-ssl-lib=DIR Crypto/SSL Library location
--with-lzo-headers=DIR LZO Include files location
--with-lzo-lib=DIR LZO Library location
--with-ifconfig-path=PATH Path to ifconfig tool
--with-iproute-path=PATH Path to iproute tool
--with-route-path=PATH Path to route tool
--with-mem-check=TYPE Build with debug memory checking, TYPE = dmalloc or valgrind
Some influential environment variables:
CC C compiler command
CFLAGS C compiler flags
LDFLAGS linker flags, e.g. -L<lib dir> if you have libraries in a
nonstandard directory <lib dir>
CPPFLAGS C/C++ preprocessor flags, e.g. -I<include dir> if you have
headers in a nonstandard directory <include dir>
CPP C preprocessor
Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.
Report bugs to <openvpn-users@lists.sourceforge.net>.