安装openvpn软件

版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/qq_40195432/article/details/84952431

bj-vpnserver配置

安装openvpn软件
CA配置
自签名证书
为 bj-vpnserver 签发证书
为 运维人员签发证书[可以复用]
bj-vpnserver配置

一、安装软件
[root@bj-vpnserver ~]# yum install openvpn

1.安装编译工具gcc g++
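# 1. Install the build toolchain (gcc / g++)
yum install gcc gcc-c++

# 2. Install the lzo library (needed for OpenVPN's comp-lzo support)
cd /home/download/
# Plain-HTTP download: verify the tarball against the upstream-published
# checksum/signature before building and installing it as root.
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz
tar -xvzf lzo-2.03.tar.gz
# Must enter the extracted tree; with this line commented out, ./configure
# below runs in /home/download/ and fails.
cd lzo-2.03
./configure --prefix=/usr/local/lzo && make && make install
# Register the lzo lib directory (the lib dir under the prefix above) with the
# dynamic linker. Idempotent: the line is appended only if it is not already
# present. Run ldconfig afterwards so the change takes effect.
grep -qxF '/usr/local/lzo/lib' /etc/ld.so.conf || echo '/usr/local/lzo/lib' >> /etc/ld.so.conf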

在 ld.so.conf 中加入 lzo 的库目录(例如 /usr/local/lzo/lib)后,执行

# Refresh the dynamic linker cache so the lzo lib dir just added to
# /etc/ld.so.conf is found at runtime.
ldconfig

使动态库生效

3.安装openssl
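# 3. Install openssl
cd /home/download/
# NOTE(review): the 0.9.8 series is long out of upstream support and receives
# no security fixes; prefer the distribution's patched openssl package unless
# a source build is strictly required. The download is plain HTTP, so verify
# the tarball's checksum/signature before building it as root.
wget http://www.openssl.org/source/openssl-0.9.8.tar.gz
# The extract step was commented out and no cd followed it, so ./config ran
# in /home/download/ and failed; extract and enter the tree first.
tar -xvzf openssl-0.9.8.tar.gz
cd openssl-0.9.8
./config --prefix=/usr/local/openssl && make && make install

# 4. Install openvpn
# NOTE(review): step 一 already installed the openvpn package with yum, which
# is what provides the init script and the /usr/share/doc/openvpn-2.0.9
# samples used later; this source build lands in /usr/local/openvpn and is
# only needed if the packaged build is not wanted. Verify the tarball's
# checksum/signature before building.
cd /home/download/
wget http://www.openvpn.net/release/openvpn-2.0.9.tar.gz
tar -xvzf openvpn-2.0.9.tar.gz
cd openvpn-2.0.9
./configure --prefix=/usr/local/openvpn && make && make install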

一、CA配置
[root@bj-vpnserver ~]# cd /usr/share/doc/openvpn-2.0.9/easy-rsa/
[root@bj-vpnserver easy-rsa]# chmod +x *
[root@bj-vpnserver easy-rsa]# vim vars
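# Certificate subject defaults read by easy-rsa's build-* scripts.
export KEY_COUNTRY=CN
export KEY_PROVINCE=BJ
export KEY_CITY=BJ
# Straight ASCII quotes: the original used curly quotes, which the shell does
# not treat as quoting, so they ended up inside the organisation name.
export KEY_ORG="bj-vpnserver"
# Address is redacted on the source page; substitute the real one.
export KEY_EMAIL="[email protected]"
# NOTE(review): this easy-rsa version's default key size produces 1024-bit
# keys and DH parameters (dh1024.pem below). To get 2048-bit material, add
# `export KEY_SIZE=2048` here before running ./build-ca, and change the dh
# file name referenced in server.conf to match.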

[root@bj-vpnserver easy-rsa]# source vars
[root@bj-vpnserver easy-rsa]# ./clean-all
[root@bj-vpnserver easy-rsa]# ./build-ca //生成ca私钥和证书
Common Name (eg, your name or your server's hostname) []:ca

二、为 bj-vpnserver 签发证书
[root@bj-vpnserver easy-rsa]# ./build-key-server server //server自定义证书名
Common Name (eg, your name or your server's hostname) []:bj-server

三、为 vpnclient 签发证书
[root@bj-vpnserver easy-rsa]# ./build-key client1 //client1自定义证书名
Common Name (eg, your name or your server's hostname) []:client1

四、查看证书
创建密钥协商文件(Diffie-Hellman 参数)
[root@bj-vpnserver easy-rsa]# ./build-dh

查看相关的证书和私钥
[root@bj-vpnserver easy-rsa]# ls keys/
01.pem ca.key client1.key index.txt.attr serial server.csr
02.pem client1.crt dh1024.pem index.txt.attr.old serial.old server.key
ca.crt client1.csr index.txt index.txt.old server.crt

五、配置bj-vpnserver
1、检查相应的密钥文件
[root@bj-vpnserver keys]# pwd
/usr/share/doc/openvpn-2.0.9/easy-rsa/keys
[root@bj-vpnserver keys]# cp ca.crt server.key server.crt dh1024.pem /etc/openvpn/
[root@bj-vpnserver keys]# ls /etc/openvpn/
ca.crt dh1024.pem server.crt server.key

  1. server.conf [自定义]
    [root@bj-vpnserver keys]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/
    [root@bj-vpnserver keys]# vim /etc/openvpn/server.conf
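    # OpenVPN server configuration for bj-vpnserver.
    # Comments use '#' or ';' — the '//' annotations in the original are not
    # comment syntax and would be passed to the options parser as extra
    # arguments.
    # Address the VPN server listens on
    local 20.20.20.1
    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    # 1024-bit DH parameters are weak by current standards; regenerate with a
    # larger KEY_SIZE in easy-rsa vars and update this file name to match.
    dh dh1024.pem
    # Tunnel (tun) network handed out to clients
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
    # Push routes to the two Beijing internal networks to every client.
    # Straight ASCII quotes are required; the curly quotes in the original
    # break option parsing.
    push "route 192.168.10.0 255.255.255.0"
    push "route 192.168.20.0 255.255.255.0"
    client-config-dir ccd
    ;route 10.9.0.0 255.255.255.252
    ;learn-address ./script
    ;push "redirect-gateway"
    ;push "dhcp-option DNS 10.8.0.1"
    ;push "dhcp-option WINS 10.8.0.1"
    ;client-to-client
    # Whether one client certificate may be used by several clients at once.
    # Kept disabled: each user should hold their own certificate so a single
    # key can be revoked without affecting the others.
    ;duplicate-cn
    keepalive 10 120
    # Recommended: generate ta.key with `openvpn --genkey --secret ta.key`,
    # distribute it to the clients, then enable this line. It adds an HMAC
    # to the TLS handshake so unauthenticated packets on port 1194 are dropped
    # before they reach the TLS stack.
    ;tls-auth ta.key 0 # This file is secret
    # With no 'cipher' line the default BF-CBC (Blowfish, 64-bit block) is
    # used. Pin an AES cipher here and in every client config instead, e.g.
    # `cipher AES-256-CBC`; both sides must agree.
    ;cipher BF-CBC # Blowfish (default)
    ;cipher AES-128-CBC # AES
    ;cipher DES-EDE3-CBC # Triple-DES
    # Compression inside the tunnel exposes traffic to compression-oracle
    # attacks (VORACLE); kept because clients are configured to expect it,
    # but consider removing it on both sides.
    comp-lzo
    max-clients 100
    # Drop privileges after startup; persist-key/persist-tun let the process
    # survive restarts without re-reading the key or re-opening the tun device.
    user nobody
    group nobody
    persist-key
    persist-tun
    status openvpn-status.log
    log openvpn.log
    verb 3
    mute 20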

  2. 路由转发
    [root@bj-vpnserver ~]# vim /etc/sysctl.conf
    net.ipv4.ip_forward = 1
    [root@bj-vpnserver ~]# sysctl -p

  3. 启动bj-vpnserver
    [root@bj-vpnserver ~]# service openvpn start
    [root@bj-vpnserver ~]# chkconfig openvpn on

[root@bj-vpnserver ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:ea:e7:d3 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.254/24 brd 192.168.10.255 scope global eth0
inet6 fe80::5054:ff:feea:e7d3/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:5f:6b:73 brd ff:ff:ff:ff:ff:ff
inet 20.20.20.1/24 brd 20.20.20.255 scope global eth1
inet6 fe80::5054:ff:fe5f:6b73/64 scope link
valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/[65534]
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0

转载自blog.csdn.net/qq_40195432/article/details/84952431