Building a VPN with OpenVPN
Introduction
OpenVPN is an SSL VPN. Its biggest advantage is that it runs on top of TCP or UDP, so it can traverse proxies, NAT and firewalls; in addition it can push IP addresses, routes and various connection options to the client.
Installation
Install the dependency library
yum install gcc openssl-devel
cd /usr/local/src
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gz
tar xzvf lzo-2.04.tar.gz
cd lzo-2.04
./configure && make && make check && make test && make install
Install OpenVPN
cd /usr/local/src
wget http://swupdate.openvpn.net/community/releases/openvpn-2.1.4.zip
unzip openvpn-2.1.4.zip
cd openvpn-2.1.4
./configure && make && make install
Generating certificates
Set up the tool
mkdir -p /etc/openvpn
mv /usr/local/src/openvpn-2.1.4/easy-rsa/ /etc/openvpn/
chmod a+x /etc/openvpn/easy-rsa/2.0/*
cd /etc/openvpn/easy-rsa/2.0
Edit the variables file
vi /etc/openvpn/easy-rsa/2.0/vars
Set the following values in it:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="BJ"
export KEY_ORG="www.xdays.info"
export KEY_EMAIL="xdays@xdays.info"
Then load them into the shell:
source /etc/openvpn/easy-rsa/2.0/vars
Generate the certs
./clean-all
./build-ca (press Enter through the prompts; creates the root CA)
./build-key-server server (press Enter through the prompts and answer yes twice; creates the server certificate)
./build-key client1 (press Enter through the prompts and answer yes twice; creates the client1 certificate)
./build-key client2 (press Enter through the prompts and answer yes twice; creates the client2 certificate)
./build-dh
Note: the ./build-key client1 command produces three files; the client needs ca.crt, client1.crt and client1.key.
Configuring OpenVPN
vi /etc/openvpn/server.conf
Bridge mode configuration
port 443
proto tcp
dev tun
status /var/log/openvpn/servertcp.log
management localhost 7505
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
client-to-client
#server dhcp pool
server 10.9.9.0 255.255.255.0
ifconfig-pool-persist servertcplist.txt
#duplicate-cn
#push "dhcp-option DNS 8.8.8.8"
#push "redirect-gateway"
#push route
push "route 192.168.61.0 255.255.255.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
Routed mode configuration
port 443
proto tcp
dev tun
status /var/log/openvpn/servertcp.log
management localhost 7505
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
client-to-client
#server dhcp pool
server 10.9.9.0 255.255.255.0
ifconfig-pool-persist servertcplist.txt
#duplicate-cn
#push dns
push "dhcp-option DNS 8.8.8.8"
#push default gateway
push "redirect-gateway"
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
Then add an iptables rule on the server to do NAT:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Client configuration
On Windows, OpenVPN GUI installs to the C drive by default. Copy the three files generated on the server (ca.crt, client1.crt and client1.key) into the config directory under the OpenVPN installation directory, then create a new file client.ovpn with the following contents:
client
port 443
proto tcp
dev tun
remote 192.168.60.66 443
resolv-retry infinite
nobind
ca ca.crt
cert client1.crt
key client1.key
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
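As an added example (not part of the original post), a small Python audit that parses configs shaped like the server.conf and client.ovpn above and flags the hardening gaps a reviewer would raise: a management interface without a password file, no tls-auth/tls-crypt HMAC in front of the TLS handshake, no user/group privilege drop on the server, and a client that never checks the server certificate's role. The finding names and the trimmed sample configs are constructed for this example.

```python
import shlex

# Constructed sample: the routed-mode server.conf from this page, trimmed.
SERVER_CONF = """
management localhost 7505
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
client-to-client
server 10.9.9.0 255.255.255.0
#duplicate-cn
"""

# Constructed sample: the client.ovpn from this page, trimmed.
CLIENT_CONF = """
client
remote 192.168.60.66 443
ca ca.crt
cert client1.crt
key client1.key
"""

def parse_conf(text):
    """Return [(directive, [args])], skipping blank lines and '#'/';' comment lines."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            parts = shlex.split(line)  # keeps push "route ..." as one argument
            out.append((parts[0], parts[1:]))
    return out

def audit(text, role):
    """Return sorted finding codes (hypothetical names) for a 'server' or 'client' config."""
    conf = parse_conf(text)
    names = {d for d, _ in conf}
    args = dict(conf)  # last occurrence wins; fine for the single-use directives checked here
    findings = []
    if "management" in args and len(args["management"]) < 3:
        findings.append("management-no-password")  # 3rd argument is the password file
    if "duplicate-cn" in names:
        findings.append("duplicate-cn")  # one leaked client cert serves any number of clients
    if not names & {"tls-auth", "tls-crypt"}:
        findings.append("no-tls-auth")  # no HMAC gate in front of the TLS handshake
    if role == "server" and not {"user", "group"} <= names:
        findings.append("no-privilege-drop")  # daemon keeps root after initialisation
    if role == "client" and not names & {"remote-cert-tls", "ns-cert-type"}:
        findings.append("no-server-cert-check")  # any cert from the CA could pose as the server
    return sorted(findings)
```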