Configuring an OpenVPN server on Linux

First, a word about the environment: the server runs SUSE, and I used the bundled openvpn-2.0.9-143.31.x86_64.rpm.

/media/SLES-11-SP2-DVD-x86_6407551/suse/x86_64 # ls -l|grep openvpn
-r--r--r-- 3 root root    72511 Apr  1  2011 NetworkManager-openvpn-0.7.1-3.5.1.x86_64.rpm
-r--r--r-- 3 root root    46793 Apr  1  2011 NetworkManager-openvpn-gnome-0.7.1-3.5.1.x86_64.rpm
-r--r--r-- 3 root root    39165 May 12  2010 NetworkManager-openvpn-kde4-0.9.svn1043876-1.1.97.x86_64.rpm
-r--r--r-- 3 root root   339065 Feb 26  2009 openvpn-2.0.9-143.31.x86_64.rpm
-r--r--r-- 3 root root    10665 Feb 26  2009 openvpn-auth-pam-plugin-2.0.9-143.31.x86_64.rpm

If you don't have the installation DVD, download OpenVPN and install it from source; if you do, install the package directly with rpm -Uvh openvpn-[version].rpm.

Download link: http://openvpn.net/index.php/open-source/downloads.html

The current version is 2.3.1; download address: http://swupdate.openvpn.org/community/releases/openvpn-2.3.1.tar.gz

tar xfz openvpn-[version].tar.gz
./configure
make
make install

On SUSE it is installed under /usr/share/openvpn by default; if you don't know where it was installed, run whereis openvpn to locate the OpenVPN install path.

Once the installation is done, start configuring:

You need to generate your own certificate authority (CA) and the certificates and keys for the OpenVPN server and its clients.

cd into the /usr/share/openvpn/easy-rsa directory

First edit the vars file

export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN #country
export KEY_PROVINCE=JS #province
export KEY_CITY=NJ   #city
export KEY_ORG="eric.com.openvpn" #organization
export KEY_EMAIL="[email protected]" #e-mail address

Initialize the PKI and generate the root certificate authority (CA) certificate and key

linux-root:/usr/share/openvpn/easy-rsa # . ./vars 
NOTE: when you run ./clean-all, I will be doing a rm -rf on /usr/share/openvpn/easy-rsa/keys # warns that the next step will wipe everything under keys
linux-root:/usr/share/openvpn/easy-rsa # ./clean-all 
linux-root:/usr/share/openvpn/easy-rsa # ./build-ca 

After ./build-ca you are prompted for the following input:

linux-root:/usr/share/openvpn/easy-rsa # ./build-ca 
Generating a 1024 bit RSA private key
......++++++
.........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JS]:
Locality Name (eg, city) [NJ]:
Organization Name (eg, company) [eric.com.openvpn]:
Organizational Unit Name (eg, section) []:it # enter this yourself
Common Name (eg, your name or your server's hostname) []:www.ducaijun.com # enter this yourself
Email Address [[email protected]]:

a. Generate the server certificate and key

The exact commands are as follows:

linux-root:/usr/share/openvpn/easy-rsa # ./build-key-server server 
Generating a 1024 bit RSA private key
..........................++++++
.............................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JS]:
Locality Name (eg, city) [NJ]:
Organization Name (eg, company) [eric.com.openvpn]:
Organizational Unit Name (eg, section) []:it 
Common Name (eg, your name or your server's hostname) []:server 
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'JS'
localityName          :PRINTABLE:'NJ'
organizationName      :PRINTABLE:'eric.com.openvpn'
organizationalUnitName:PRINTABLE:'it'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Apr 12 06:22:09 2023 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

When prompted for the Common Name, enter "server".

b. Generate the client certificates and keys

./build-key client1

./build-key client2

./build-key client3

Likewise, accept the defaults for everything else, but give each user a different Common Name, e.g. "client1", "client2", "client3" and so on.

Generate the Diffie-Hellman parameters

./build-dh

The exact command and its output are as follows:

linux-root:/usr/share/openvpn/easy-rsa # ./build-dh 
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.......................+......+..................+..........................................................................................+..........+...+..............+.....+
[progress dots trimmed]
.........................................+.......................................+.......................................................+.....+........................................................................................................+..............+............+.........................+.......................................................................++*++*++*

This takes a while; if KEY_SIZE in vars is set to a value larger than 1024 it takes even longer. When it finishes, the file dh1024.pem has been generated.

The files under keys and what each one is for:

Filename	Needed By			Purpose				Secret
ca.crt		server + all clients		Root CA certificate		NO
ca.key		key signing machine only	Root CA key			YES
dh{n}.pem	server only			Diffie Hellman parameters	NO
server.crt	server only			Server Certificate		NO
server.key	server only			Server Key			YES
client1.crt	client1 only			Client1 Certificate		NO
client1.key	client1 only			Client1 Key			YES
client2.crt	client2 only			Client2 Certificate		NO
client2.key	client2 only			Client2 Key			YES
client3.crt	client3 only			Client3 Certificate		NO
client3.key	client3 only			Client3 Key			YES
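
The table above doubles as a checklist. The script below is an added example (it is not from the original post and not one of the easy-rsa scripts): it checks a keys/ directory for every file in the table and confirms that the ones marked Secret are readable by their owner only, which is the state they should be in before ca.key stays behind on the signing machine and the per-client files are handed out. The client names, dh1024.pem and the directory path come from the page; the script name and everything else are its own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an easy-rsa keys/
# directory against the file table before any file is copied to the server
# or handed to a client. Verifies that every expected file exists and that
# the Secret=YES files are readable by their owner only.
# Assumptions: the names server, client1..client3 and dh1024.pem match the
# page; change CLIENTS and DH_FILE if your vars/KEY_SIZE differ.

CLIENTS="client1 client2 client3"
DH_FILE="dh1024.pem"

# Secret=YES column: ca.key never leaves the signing machine, each .key
# belongs to one host, and none of them may be group/world readable.
secret_files() {
    echo ca.key server.key
    for c in $CLIENTS; do echo "$c.key"; done
}

# Secret=NO column: safe to distribute.
public_files() {
    echo ca.crt server.crt "$DH_FILE"
    for c in $CLIENTS; do echo "$c.crt"; done
}

# Group and other permission letters from POSIX ls -l output, e.g. "------"
# for mode 600 and "r--r--" for mode 644.
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# check_keys_dir DIR: prints one line per finding and returns the number of
# problems found (0 means the directory matches the table).
check_keys_dir() {
    dir=$1
    problems=0
    for f in $(public_files) $(secret_files); do
        if [ ! -s "$dir/$f" ]; then
            echo "MISSING: $f"
            problems=$((problems + 1))
        fi
    done
    for f in $(secret_files); do
        [ -f "$dir/$f" ] || continue
        case "$(group_other_bits "$dir/$f")" in
            *[rwxst]*)
                echo "EXPOSED: $f is readable or writable by group/other (expected mode 600)"
                problems=$((problems + 1))
                ;;
            *)
                echo "ok: $f is owner-only"
                ;;
        esac
    done
    return $problems
}

# Stand-alone use: sh check-keys.sh /usr/share/openvpn/easy-rsa/keys
if [ $# -gt 0 ]; then
    check_keys_dir "$1"
fi
```

Run it against the keys directory before copying anything to /etc/openvpn; a non-zero exit status means a file is missing or exposed. As a further check, openssl verify -CAfile keys/ca.crt keys/server.crt confirms that a certificate was really signed by the CA just built.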

 

Create the server and client configuration files

It is best to use OpenVPN's sample configuration files as the basis for your own configuration. They can be found in the following locations:

If you installed from an RPM or DEB package, sample-config-files is under /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn.

On Windows, sample-config-files is under Start Menu -> All Programs -> OpenVPN -> OpenVPN Sample Configuration Files.

Note that on Linux, BSD or Unix-like systems the sample configuration files are named server.conf and client.conf, while on Windows they are named server.ovpn and client.ovpn.

The command is as follows:

linux-root:/etc/openvpn # cp /usr/share/doc/packages/openvpn/sample-config-files/server.conf /etc/openvpn/

Move ca.crt, dh{n}.pem, server.crt and server.key to the path specified in server.conf; by default that is the same directory as server.conf.

linux-root:/usr/share/openvpn/easy-rsa/keys # cp ca.crt /etc/openvpn/
linux-root:/usr/share/openvpn/easy-rsa/keys # cp server.crt /etc/openvpn/
linux-root:/usr/share/openvpn/easy-rsa/keys # cp server.key /etc/openvpn/
linux-root:/usr/share/openvpn/easy-rsa/keys # cp dh1024.pem /etc/openvpn/

Edit the server.conf file

Unless you have special requirements, leave everything at the defaults: port 1194, protocol udp, routed mode, with client addresses assigned from the 10.8.0.0 subnet.

Because the Linux host running OpenVPN is on the 192.168.1.0 subnet, change line 124 of server.conf, ;push "route 192.168.10.0 255.255.255.0", to push "route 192.168.10.0 255.255.255.0"; note that the leading ";" must be removed.

push "route 192.168.10.0 255.255.255.0" # line 124
push "dhcp-option DNS 10.8.0.1" # line 187
push "dhcp-option WINS 10.8.0.1" # line 188
log         /etc/openvpn/openvpn.log # line 276
log-append  /etc/openvpn/openvpn.log # line 277
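
Before starting the daemon it is worth checking that these edits really took effect, since a line that still starts with ";" is a comment and pushes nothing. The script below is an added example (not from the original post or the OpenVPN project): it prints the active values of the basic directives, checks that the files named by ca, cert, key and dh exist next to server.conf, and confirms that a push "route" for the server's real LAN is active. That catches both a still-commented line 124 and a pushed network that does not match the LAN the server sits on (the page's LAN is 192.168.1.0 while the sample line carries 192.168.10.0; the network you push must be the one behind the server). The LAN subnet is passed in by the caller; that argument and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenVPN project): audit an
# OpenVPN server.conf before starting the daemon.
# Assumptions: the LAN subnet is supplied as the second argument; files named
# by ca/cert/key/dh are expected next to the config, as the page lays them out.

# Active directives only: drop lines starting with '#' or ';' and trailing
# '# ...' comments such as the one on the sample's 'key' line.
active_lines() {
    grep -v '^[[:space:]]*[#;]' "$1" \
        | sed -e 's/[[:space:]]#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -v '^$'
}

# value_of CONF DIRECTIVE: the argument(s) of the first active occurrence.
value_of() {
    active_lines "$1" | awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); print; exit }'
}

# audit_conf CONF LAN_NET: prints findings; returns the number of problems.
audit_conf() {
    conf=$1
    lan=$2
    confdir=$(dirname "$conf")
    problems=0

    for d in port proto dev server; do
        echo "$d: $(value_of "$conf" "$d")"
    done

    # Every file directive must resolve. The page keeps all four files in the
    # same directory as server.conf, so relative names are checked there.
    for d in ca cert key dh; do
        f=$(value_of "$conf" "$d")
        if [ -z "$f" ]; then
            echo "UNSET: $d"
            problems=$((problems + 1))
            continue
        fi
        case "$f" in /*) path=$f ;; *) path="$confdir/$f" ;; esac
        if [ ! -s "$path" ]; then
            echo "MISSING: $d -> $path"
            problems=$((problems + 1))
        fi
    done

    # A ';push "route ..."' line is a comment and pushes nothing: clients
    # would reach 10.8.0.1 but not the LAN behind the server.
    routes=$(active_lines "$conf" | awk '$1 == "push" && $2 == "\"route" { print $3 }')
    found=no
    for r in $routes; do
        if [ "$r" = "$lan" ]; then
            found=yes
            echo "route: $r pushed (matches LAN)"
        else
            echo "route: $r pushed"
        fi
    done
    if [ "$found" = no ]; then
        echo "NO-LAN-ROUTE: no active push \"route $lan ...\" line (pushed: ${routes:-none})"
        problems=$((problems + 1))
    fi
    return $problems
}

# Stand-alone use: sh audit-server-conf.sh /etc/openvpn/server.conf 192.168.1.0
if [ $# -ge 2 ]; then
    audit_conf "$1" "$2"
fi
```

A clean run prints the directive values and "matches LAN" for the pushed route and exits 0; anything else lists what is still missing or commented out.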

 

Next install the OpenVPN client; the download address is http://swupdate.openvpn.net/downloads/openvpn-client.msi. On Windows 7 it installs to C:\Program Files (x86)\OpenVPN Technologies\OpenVPN Client by default.

Then download /usr/share/doc/packages/openvpn/sample-config-files/client.conf to the local machine, change its extension to .ovpn, and copy the edited client.ovpn together with the user's certificate files and the CA file into the C:\Program Files (x86)\OpenVPN Technologies\OpenVPN Client\etc\profile folder. Taking client1 as the example:

Edit client.ovpn and change lines 89 and 90 to cert client1.crt and key client1.key respectively.

The file list in the C:\Program Files (x86)\OpenVPN Technologies\OpenVPN Client\etc\profile folder is then as follows:

ca.crt
client.ovpn
client1.crt
client1.key
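
Editing lines 89 and 90 by hand and copying three loose files works, but the same profile can be built from the keys directory in one step, and OpenVPN 2.1 and later accept the CA certificate, client certificate and client key inline in the .ovpn file, so only one file has to be imported. The script below is an added example, not part of the original post or the OpenVPN project. It reads the sample client.conf, removes the file-based ca/cert/key lines, points remote at the server and appends the PEM blocks. The server's public name is something the page never states, so it is passed in by the caller; the script name, the argument order and the host vpn.example.test are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenVPN project): build a
# single-file client profile with inline <ca>, <cert> and <key> blocks.
# Assumed inputs: TEMPLATE (the sample client.conf), KEYS_DIR (the easy-rsa
# keys/ directory), CLIENT (the Common Name, e.g. client1), SERVER (the
# server's public name or address) and OUT (the .ovpn file to write).

make_client_profile() {
    template=$1
    keys=$2
    client=$3
    server=$4
    out=$5

    for f in ca.crt "$client.crt" "$client.key"; do
        if [ ! -s "$keys/$f" ]; then
            echo "missing $keys/$f" >&2
            return 1
        fi
    done

    rm -f "$out"
    # The profile carries a private key, so create it owner-only from the
    # start: umask is set inside the subshell before the redirection opens
    # the file.
    (
        umask 077
        {
            # Copy the template, dropping the file-based ca/cert/key lines
            # (lines 89-90 in the sample) and pointing 'remote' at the real
            # server instead of the sample's placeholder host.
            awk -v srv="$server" '
                /^[[:space:]]*(ca|cert|key)[[:space:]]/ { next }
                /^[[:space:]]*remote[[:space:]]/       { print "remote " srv " 1194"; next }
                { print }
            ' "$template"
            for tag in ca cert key; do
                case $tag in
                    ca)   src="$keys/ca.crt" ;;
                    cert) src="$keys/$client.crt" ;;
                    key)  src="$keys/$client.key" ;;
                esac
                echo "<$tag>"
                # easy-rsa .crt files start with a text dump of the
                # certificate; only the PEM block between BEGIN and END
                # belongs in the profile.
                sed -n '/^-----BEGIN/,/^-----END/p' "$src"
                echo "</$tag>"
            done
        } > "$out"
    ) || return 1
    echo "wrote $out"
}

# Stand-alone use:
#   sh make-profile.sh client.conf /usr/share/openvpn/easy-rsa/keys client1 vpn.example.test client1.ovpn
if [ $# -eq 5 ]; then
    make_client_profile "$1" "$2" "$3" "$4" "$5"
fi
```

The resulting client1.ovpn is the only file the user needs to import; ca.key is deliberately never read, and a profile for a client whose files do not exist is refused rather than written half-empty.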

Then start the OpenVPN Client, click to add a connection profile, choose import from a local file, and import the client.ovpn file you just created.

Click Save with the default name; a Client1 entry then appears in the interface. Click it to log in.

After logging in, ping 10.8.0.1; if it responds, the OpenVPN setup is complete. It is also worth checking whether the 192.168.1.0 subnet can be pinged, in order to verify that the push "route 192.168.10.0 255.255.255.0" on line 124 of server.conf is effective.

With that, the whole OpenVPN installation is complete.

Reposted from ducaijun.iteye.com/blog/1847208