Install the EPEL repository
rpm -ivh http://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
Install OpenVPN and easy-rsa
yum install openvpn easy-rsa
Configuration steps
cd /etc/openvpn
cp -rv /usr/share/easy-rsa/ ./
vi /etc/openvpn/easy-rsa/2.0/vars
source vars
./clean-all
./build-ca
./build-key-server server
./build-key client1
./build-dh    # generates dh2048.pem
#vi /etc/openvpn/easy-rsa/2.0/vars
# change the following variables
export KEY_COUNTRY="CN"
export KEY_PROVINCE="bj"
export KEY_CITY="bj"
export KEY_ORG="someorg"
export KEY_EMAIL="[email protected]"
export KEY_OU="MyOrganizationalUnit"
# load the variables into the shell
source vars
#./build-key-server server
./build-key-server server
Generating a 2048 bit RSA private key
.....+++
......................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [bj]:
Locality Name (eg, city) [bj]:
Organization Name (eg, company) [someorg]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyRSA]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'bj'
localityName          :PRINTABLE:'bj'
organizationName      :PRINTABLE:'someorg'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Mar 27 06:38:24 2026 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Add the server configuration
cp /usr/share/doc/openvpn-2.3.10/sample/sample-config-files/server.conf /etc/openvpn
#change server.conf to the following
# use the 443 HTTPS port so the firewall does not block it
port 443
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
server 172.16.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
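As an added check that is not part of the original post, the small Python auditor below parses the server.conf above (embedded as a constructed copy) and lists the settings a security reviewer would question before exposing the server; the directive names are OpenVPN's, the auditor itself and its wording are my own.

```python
# Constructed copy of the server.conf from this page; not the OpenVPN project's file.
SERVER_CONF = """port 443
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
server 172.16.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
"""


def parse_config(text):
    """Map each directive to the list of argument lists it was given.
    OpenVPN treats lines starting with '#' or ';' as comments, and a
    directive may repeat (several 'push' lines), so every occurrence is kept."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def audit_server_conf(text):
    """Return the findings a reviewer would raise on a server config."""
    d = parse_config(text)
    findings = []
    if "comp-lzo" in d or "compress" in d:
        findings.append("comp-lzo: compressing encrypted traffic enables "
                        "VORACLE-style plaintext recovery; remove it")
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append("no tls-auth/tls-crypt: any host reaching port 443 can "
                        "start a TLS handshake; add an HMAC key to gate it")
    if "user" not in d or "group" not in d:
        findings.append("user/group missing: daemon keeps root after startup")
    if "tls-version-min" not in d:
        findings.append("tls-version-min missing: old TLS versions accepted")
    return findings
```

Running `audit_server_conf(SERVER_CONF)` on the config above reports the compression, missing tls-auth/tls-crypt and missing tls-version-min findings, while the user/group privilege drop passes.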
Start the server
/usr/sbin/openvpn --config /etc/openvpn/server.conf &
Package the three certificate files (ca.crt, client.crt, client.key) and copy them to the local machine; use the names build-key actually produced (the step above ran it with the name client1, which yields client1.crt and client1.key).
zip client.zip ca.crt client.crt client.key
Client configuration file
#client.ovpn
client
dev tun
proto tcp
# server IP
remote remoteserver 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
comp-lzo
verb 3
Install the OpenVPN client on the client machine
http://openvpn.ustc.edu.cn/
Installer (32-bit), Windows XP openvpn-install-2.3.10-I001-i686.exe
Installer (64-bit), Windows XP openvpn-install-2.3.10-I001-x86_64.exe
Installer (32-bit), Windows Vista and later openvpn-install-2.3.10-I601-i686.exe
Installer (64-bit), Windows Vista and later openvpn-install-2.3.10-I601-x86_64.exe
Put the certificates and the configuration file in the OpenVPN\config folder
ca.crt
client.crt
client.key
client.ovpn
Then open the VPN connection.