OpenVPN Installation and Configuration

Reposted from http://hi.baidu.com/dd_taiyangxue/item/43ea0731c3fbabc72e8ec252


1. OpenVPN installation environment

Server-side environment

Red Hat, kernel version 2.6.18.8-128.el5, IP address 192.168.0.166

The kernel must support the tun device, and the iptables module must be loadable.
Check whether tun is available:
Code:

[root@sever160 ~]# modinfo tun

 

If the modinfo command is not available, look for the module file directly and check whether the kernel tree contains a tun.o file. On this machine the file is actually tun.ko, so if tun.o cannot be found, search for tun.ko instead.

Check the iptables module by verifying that the following file exists:
/etc/init.d/iptables

More versions: http://openvpn.net/release/

Client-side environment: Windows XP Pro SP2

openvpn-2.0.9-install.exe,

available for download at http://openvpn.net/release/openvpn-2.0.9-install.exe
Note: the version of openvpn-2.0.9-install.exe must match the version of the OpenVPN server.
For example, if the server runs openvpn-2.0.9, the OpenVPN GUI for Windows to download is openvpn-2.0.9-install.exe.

All historical OpenVPN GUI versions: http://openvpn.se/files/install_packages/

2. OpenVPN server installation

Log in to the Linux server with SecureCRT or SSH and change into the source directory:

Code:

cd /usr/local/src/tarbag

Download LZO and extract it to lzo-2.02.

Download OpenVPN and extract it to openvpn-2.0.9.

Install LZO. Code:

#tar -zxvf lzo-2.03.tar.gz -C ../software

#cd ../software/lzo-2.03
#./configure --prefix=/usr/local/lzo   # set the installation prefix
#make          # compile
#make check    # run the build checks
#make install  # install

Install OpenVPN


#tar -xzvf openvpn-2.0.9.tar.gz -C ../software/

#cd /usr/local/src/software/openvpn-2.0.9 
#./configure --with-lzo-headers=/usr/local/lzo/include --with-lzo-lib=/usr/local/lzo/lib --with-ssl-headers=/usr/include/openssl --with-ssl-lib=/usr/lib

// The output of configure follows

checking for ifconfig... /sbin/ifconfig

checking for ip... /sbin/ip

checking for route... /sbin/route

checking build system type... i686-pc-linux

checking host system type... i686-pc-linux

checking target system type... i686-pc-linux

checking for a BSD-compatible install... /usr/bin/install -c

………………

// LZO check; if this does not pass, OpenVPN cannot be installed

configure: checking for LZO Library and Header files...

checking lzo/lzo1x.h usability... yes

checking lzo/lzo1x.h presence... yes

checking for lzo/lzo1x.h... yes

checking for lzo1x_1_15_compress in -llzo2... yes

// SSL check; if this does not pass, OpenVPN cannot be installed

configure: checking for OpenSSL Crypto Library and Header files...

checking openssl/evp.h usability... yes

checking openssl/evp.h presence... yes

checking for openssl/evp.h... yes

checking for EVP_CIPHER_CTX_init in -lcrypto... yes

// OpenSSL must be at least version 0.9.6; if this fails, check your OpenSSL version

configure: checking that OpenSSL Library is at least version 0.9.6...

checking for EVP_CIPHER_CTX_set_key_length... yes

checking openssl/engine.h usability... yes

checking openssl/engine.h presence... yes

checking for openssl/engine.h... yes

checking for ENGINE_load_builtin_engines... yes

checking for ENGINE_register_all_complete... yes

checking for ENGINE_cleanup... yes

configure: checking for OpenSSL SSL Library and Header files...

checking openssl/ssl.h usability... yes

checking openssl/ssl.h presence... yes

checking for openssl/ssl.h... yes

checking for SSL_CTX_new in -lssl... yes

configure: creating ./config.status

config.status: creating Makefile

config.status: creating openvpn.spec

config.status: creating config-win32.h

config.status: creating install-win32/openvpn.nsi

config.status: creating config.h

config.status: executing depfiles commands 
#make          # compile; the output is not reproduced here
#make install  # final step: install

Generate the certificates and keys

Initialize the PKI

Code:

#cd /usr/local/src/software/openvpn-2.0.9/easy-rsa/2.0

#vi vars

Modify the following entries:

------------- begin ------------------
export EASY_RSA="`pwd`"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_CONFIG=$EASY_RSA/openssl.cnf   # this later assignment takes effect, so openssl.cnf is used
export KEY_DIR=$EASY_RSA/keys

export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=FJ
export KEY_CITY=FZ
export KEY_ORG="netgaming"
export KEY_EMAIL=""

----------- end -------------------

Build:

Code:

#source ./vars

#./clean-all   # remove the keys directory
#./build-ca    # build the root CA certificate

Code:
[root@sever160 2.0]# ./build-ca

Generating a 1024 bit RSA private key

..++++++

...........................................++++++

writing new private key to 'ca.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:CN

State or Province Name (full name) [FJ]:FJ

Locality Name (eg, city) [FZ]:FZ

Organization Name (eg, company) [netgaming]:netgaming

Organizational Unit Name (eg, section) []:766

Common Name (eg, your name or your server's hostname) [netgaming CA]:server

Email Address [[email protected]]:[email protected]

Build the server key

Code:

#./build-key-server server 
[root@sever160 2.0]# ./build-key-server server

Generating a 1024 bit RSA private key

....................++++++

.............................++++++

writing new private key to 'server.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:CN

State or Province Name (full name) [FJ]:FJ

Locality Name (eg, city) [FZ]:FZ

Organization Name (eg, company) [netgaming]:netgaming

Organizational Unit Name (eg, section) []:766

Common Name (eg, your name or your server's hostname) [server]:server

Email Address [[email protected]]:[email protected]

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:ty12245^Hc1

An optional company name []:766

Using configuration from /usr/local/src/software/openvpn-2.0.9/easy-rsa/2.0/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName :PRINTABLE:'CN'

stateOrProvinceName :PRINTABLE:'FJ'

localityName :PRINTABLE:'FZ'

organizationName :PRINTABLE:'netgaming'

organizationalUnitName:PRINTABLE:'766'

commonName :PRINTABLE:'server'

emailAddress :IA5STRING:'[email protected]'

Certificate is to be certified until Sep 1 06:11:47 2019 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

Generate the client key

Code:

#./build-key client1 
[root@sever160 2.0]# ./build-key client1

Generating a 1024 bit RSA private key

...........................................++++++

.......++++++

writing new private key to 'client1.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:CN

State or Province Name (full name) [FJ]:FJ

Locality Name (eg, city) [FZ]:FZ

Organization Name (eg, company) [netgaming]:netgaming

Organizational Unit Name (eg, section) []:766

Common Name (eg, your name or your server's hostname) [client1]:client1

Email Address [[email protected]]:[email protected]

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:ty12245^Hc1

An optional company name []:766

Using configuration from /usr/local/src/software/openvpn-2.0.9/easy-rsa/2.0/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName :PRINTABLE:'CN'

stateOrProvinceName :PRINTABLE:'FJ'

localityName :PRINTABLE:'FZ'

organizationName :PRINTABLE:'netgaming'

organizationalUnitName:PRINTABLE:'766'

commonName :PRINTABLE:'client1'

emailAddress :IA5STRING:'[email protected]'

Certificate is to be certified until Sep 1 06:19:03 2019 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

Generate the other client certificates/keys in the same way

Code:

#./build-key client2   # same procedure as client1
#./build-key client3   # same procedure as client1

Note: when prompted for Common Name (eg, your name or your server's hostname) []:, each certificate must be given a different name.

Build the DH parameters:

Code:
./build-dh   # this step is essential

[root@sever160 2.0]# ./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2

This is going to take a long time

...+...........................................+.....+......+.+....................+.....................................................................+.......................+................+..+..................+.+.............................................................+.+..............+........................................................+...+.........................................+.................++*++*++*

Use the SFTP function of your SSH client to download all files under keys to the local machine, and copy keys to /usr/local/openvpn/keys on the server.
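Before the keys directory is copied anywhere, two checks are worth scripting. The following is an added example, not part of the original post or of easy-rsa: duplicate_cns reads easy-rsa's keys/index.txt (the OpenSSL CA database, one certificate per tab-separated line) and reports any Common Name issued more than once, which is the cause behind the FAQ items further down about two clients getting the same address; client_bundle copies only what a client actually uses, ca.crt plus its own .crt and .key. ca.key is the CA's private key and is never read by a client, and the .csr is only needed while the CA signs it, so neither belongs in a client package (the Windows section below lists both; they can be left out). The function names, the make_demo_keys fixture and its placeholder file contents are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post or of easy-rsa. Two checks on the
# easy-rsa 2.0 keys directory before anything is copied off the CA machine.
# Assumed layout: keys/index.txt in the OpenSSL CA database format, one
# certificate per line (status, expiry, revocation, serial, file, /DN, tab
# separated), and keys/<name>.crt / keys/<name>.key as built above.

# Print every Common Name that appears on more than one valid ("V") line.
# Two clients sharing one certificate is what produces the "same address" and
# "second client kicks the first off" symptoms in the FAQ further down.
duplicate_cns() {
    awk -F'\t' '$1 == "V" {
        n = split($6, part, "/")
        for (i = 1; i <= n; i++)
            if (substr(part[i], 1, 3) == "CN=") seen[substr(part[i], 4)]++
    }
    END { for (cn in seen) if (seen[cn] > 1) print cn }' "$1" | sort
}

# Copy only what a client needs: the CA certificate plus its own cert and key.
# ca.key is the CA's private key and is never read by a client; <name>.csr is
# only needed while the CA signs it. Neither is copied.
client_bundle() {
    src_dir=$1; client=$2; dest=$3
    mkdir -p "$dest" || return 1
    for f in ca.crt "$client.crt" "$client.key"; do
        if [ ! -f "$src_dir/$f" ]; then
            echo "missing $src_dir/$f" >&2
            return 1
        fi
        cp "$src_dir/$f" "$dest/"
    done
    chmod 600 "$dest/$client.key"
}

# Constructed fixture (placeholder contents, not real key material): the
# server, client1, and a second client that was wrongly given the CN client1.
make_demo_keys() {
    kd=$1
    mkdir -p "$kd"
    dn='/C=CN/ST=FJ/L=FZ/O=netgaming/OU=766'
    printf 'V\t190901061147Z\t\t01\tunknown\t%s/CN=server/emailAddress=ca@example.invalid\n' "$dn" > "$kd/index.txt"
    printf 'V\t190901061903Z\t\t02\tunknown\t%s/CN=client1/emailAddress=ca@example.invalid\n' "$dn" >> "$kd/index.txt"
    printf 'V\t190901062000Z\t\t03\tunknown\t%s/CN=client1/emailAddress=ca@example.invalid\n' "$dn" >> "$kd/index.txt"
    for f in ca.crt ca.key server.crt server.key client1.crt client1.csr client1.key; do
        echo "placeholder contents of $f" > "$kd/$f"
    done
}

demo=$(mktemp -d)
make_demo_keys "$demo/keys"
echo "CNs issued more than once: $(duplicate_cns "$demo/keys/index.txt")"
client_bundle "$demo/keys" client1 "$demo/client1-bundle" && ls "$demo/client1-bundle"
rm -rf "$demo"
```

Run it against the real directory with `duplicate_cns keys/index.txt` and `client_bundle keys client2 /tmp/client2-bundle`; the bundle directory is what gets transferred to the Windows machine, and ca.key stays where it was generated.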

Create the server configuration file

Create it from the sample file:

Code:

#cd sample-config-files/   # the sample-config-files subdirectory of the extracted source

#mkdir /usr/local/openvpn/etc   # directory for the OpenVPN configuration files
#cp server.conf /usr/local/openvpn/etc   # copy the server config to /usr/local/openvpn/etc
#vi /usr/local/openvpn/etc/server.conf

The contents of the server.conf I created are attached further down.

Create the client configuration file

Code:

#cd sample-config-files/   # the sample-config-files subdirectory of the extracted source
#cp client.conf /usr/local/etc   # copy the client config to /usr/local/etc
#vi /usr/local/etc/client.conf

The contents of the client.conf I created are attached further down.

Start OpenVPN:

#cd /usr/local/openvpn/sbin/

#./openvpn --daemon --config /usr/local/openvpn/etc/server.conf

3. OpenVPN for Windows client installation

Install OpenVPN for Windows, downloaded from http://openvpn.se. The current version is 1.0.3. Note: the OpenVPN version must match the version of the OpenVPN server.

Configure OpenVPN GUI

After installation, go to the config directory under the installation folder, download the client.conf created in step 10 above from the server into this folder, and rename it client.ovpn.

Also extract the following certificate files from the mykeys.tar packaged in step 8 into this folder:

Code:

ca.crt 
ca.key 
client1.crt 
client1.csr 
client1.key

Then double-click client.ovpn to start openvpn, or start the VPN from the OpenVPN GUI controls.

If double-clicking client.ovpn does nothing, right-click the OpenVPN GUI icon in the taskbar, choose edit config, paste the contents in and save. Then right-click again and choose connect.

To use the VPN on a second machine, do the same configuration, replacing client1.crt, client1.csr and client1.key with the corresponding client2.xxx files, then change the matching key file entries in client.ovpn.

4. OpenVPN sample configuration files

OpenVPN server: server.conf

Code:

local 192.168.50.160

port 1194 
proto udp 
dev tun 
ca /usr/local/openvpn/keys/ca.crt

cert /usr/local/openvpn/keys/server.crt

key /usr/local/openvpn/keys/server.key # This file should be kept secret

dh /usr/local/openvpn/keys/dh1024.pem

server 10.8.0.0 255.255.255.0 
client-to-client 
keepalive 10 120 
comp-lzo 
persist-key 
persist-tun 
status /usr/local/openvpn/openvpn-status.log 
verb 4 
push "dhcp-option DNS 218.85.157.99" # name server address; how to find it is explained below
push "dhcp-option DNS 218.85.152.99" # name server address; how to find it is explained below

The DNS IPs in the example above, 218.85.157.99 and 218.85.152.99, can be found in /etc/resolv.conf:

#vi /etc/resolv.conf
nameserver 218.85.157.99
nameserver 218.85.152.99

OpenVPN client: client.ovpn

Code:

client 
dev tun 
proto udp 
remote 218.66.36.119 1194 
persist-key 
persist-tun 
ca ca.crt 
cert client1.crt   # replace with the matching client2.crt where applicable
key client1.key    # replace with the matching client2.key where applicable
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1   # essential; missing this was why the first few attempts failed
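A few of the failures in the FAQ below (no gateway on the client, certificate files not found, a config that OpenVPN refuses to parse) can be caught before the daemon is started. The following is an added example, not from the original post or from OpenVPN itself: a small lint pass over server.conf and client.ovpn written in plain sh/awk. It checks that the server's ca, cert, key and dh paths exist and that the private key is not readable by other users, that the client config has client, remote, ca, cert, key and redirect-gateway def1, and that neither file uses `//` as a comment marker, which OpenVPN does not recognise (use `#` or `;`). The directive lists, function names and the make_demo_configs fixture are this example's assumptions, chosen to match the two sample files above. One caveat on the client sample itself: `ns-cert-type server` was deprecated in OpenVPN 2.4 and removed in 2.5, where `remote-cert-tls server` is the replacement; the check below only requires the certificate directives and does not enforce either.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenVPN itself: a lint pass
# over server.conf and client.ovpn before OpenVPN is started. The required
# directive lists and the fixture file names are this example's own assumptions.

# Print the directives of a config with comments (# or ;) and blank lines removed.
directives() {
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e '/^$/d' "$1"
}

# Everything after the directive name, for its first occurrence.
directive_value() {
    directives "$1" | awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Succeeds when the directive is present at all.
has_directive() {
    directives "$1" | awk -v d="$2" '$1 == d { found = 1 } END { exit !found }'
}

# "//" is not a comment marker in OpenVPN configs: the text after a directive
# is parsed as extra arguments and the config is rejected.
check_comment_syntax() {
    if grep -q '//' "$1"; then
        echo "$1: '//' is not a comment in OpenVPN configs, use # or ;"
        return 1
    fi
}

# Server side: ca/cert/key/dh must exist, the private key must be mode 600,
# and a 'server' subnet must be declared.
check_server_conf() {
    sconf=$1; rc=0
    check_comment_syntax "$sconf" || rc=1
    for dname in ca cert key dh; do
        path=$(directive_value "$sconf" "$dname")
        if [ -z "$path" ]; then
            echo "server: missing '$dname' directive"; rc=1
        elif [ ! -f "$path" ]; then
            echo "server: $dname file not found: $path"; rc=1
        fi
    done
    keyfile=$(directive_value "$sconf" key)
    if [ -f "$keyfile" ] && [ "$(ls -ld "$keyfile" | cut -c5-10)" != "------" ]; then
        echo "server: $keyfile is readable by others, chmod 600 it"; rc=1
    fi
    has_directive "$sconf" server || { echo "server: no 'server' subnet directive"; rc=1; }
    return $rc
}

# Client side: the items the FAQ below keeps coming back to.
check_client_conf() {
    cconf=$1; rc=0
    check_comment_syntax "$cconf" || rc=1
    for dname in client remote ca cert key; do
        has_directive "$cconf" "$dname" || { echo "client: missing '$dname' directive"; rc=1; }
    done
    if [ "$(directive_value "$cconf" redirect-gateway)" != "def1" ]; then
        echo "client: no 'redirect-gateway def1', traffic will not be sent through the VPN"; rc=1
    fi
    return $rc
}

# Constructed fixture: placeholder key files and the two configs from this
# section, with redirect-gateway left out of the client config on purpose.
make_demo_configs() {
    base=$1
    mkdir -p "$base/keys" "$base/etc"
    for f in ca.crt server.crt server.key dh1024.pem; do
        echo "placeholder $f" > "$base/keys/$f"
    done
    chmod 600 "$base/keys/server.key"
    cat > "$base/etc/server.conf" <<EOF
local 192.168.50.160
port 1194
proto udp
dev tun
ca $base/keys/ca.crt
cert $base/keys/server.crt
key $base/keys/server.key  # This file should be kept secret
dh $base/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
EOF
    cat > "$base/etc/client.ovpn" <<EOF
client
dev tun
proto udp
remote 218.66.36.119 1194
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
EOF
}

demo=$(mktemp -d)
make_demo_configs "$demo"
check_server_conf "$demo/etc/server.conf" && echo "server.conf: ok"
check_client_conf "$demo/etc/client.ovpn" || echo "client.ovpn: fix the problems listed above"
rm -rf "$demo"
```

On the real server, `check_server_conf /usr/local/openvpn/etc/server.conf` is worth running right before the openvpn --daemon line, since the daemon detaches and a bad path otherwise shows up only in the log.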

5. Reaching the Internet through OpenVPN

Enable routing. After the VPN connects successfully, routing must also be set up before the Internet can be reached through the VPN. Add the rule on the Linux server:

(Note: if the OpenVPN server is not connected to the Internet directly but sits on an ordinary line behind the LAN switch, a port mapping for port 1194 to 192.168.50.160 must be added on the router.)

Code:

#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.50.160   # the egress IP, the same address as 'local 192.168.50.160' in server.conf
#/etc/init.d/iptables save
#/etc/init.d/iptables restart

The -o eth0 parameter may differ between machines; run ifconfig to find out which interface carries the IP 192.168.50.160.

IP forwarding also needs to be enabled. Do not use echo 1 > /proc/sys/net/ipv4/ip_forward, because that setting does not survive a reboot. First check the current state:

Code:

#sysctl -a | grep for
# result:
net.ipv4.conf.tun0.mc_forwarding = 0 
net.ipv4.conf.tun0.forwarding = 1 
net.ipv4.conf.eth0.mc_forwarding = 0 
net.ipv4.conf.eth0.forwarding = 1 
net.ipv4.conf.lo.mc_forwarding = 0 
net.ipv4.conf.lo.forwarding = 1 
net.ipv4.conf.default.mc_forwarding = 0 
net.ipv4.conf.default.forwarding = 1 
net.ipv4.conf.all.mc_forwarding = 0 
net.ipv4.conf.all.forwarding = 1 
net.ipv4.ip_forward = 1

If any of the *.forwarding values listed on your host is not 1, change it to 1.

Code:

#sysctl -w net.ipv4.conf.tun0.forwarding=1
#sysctl -w net.ipv4.conf.eth0.forwarding=1
#sysctl -w net.ipv4.conf.lo.forwarding=1
#sysctl -w net.ipv4.conf.default.forwarding=1
#sysctl -w net.ipv4.conf.all.forwarding=1
#sysctl -w net.ipv4.ip_forward=1

(All forwarding settings are reset to 0 after a system reboot, so add these commands to rc.local.)
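The SNAT rule above has to agree with the `local` address in server.conf, and FAQ item 8 further down shows what happens when the server's address changes and the rule is not updated. The following is an added example, not part of the original post: snat_rule derives the iptables command from the `local` and `server` directives of server.conf so the two cannot drift apart, and forwarding_off reads `sysctl -a` style output and prints the forwarding keys that are still 0. The function names, the outgoing interface argument and the constructed sample_sysctl text are this example's assumptions. On Red Hat the setting also survives reboots when `net.ipv4.ip_forward = 1` is placed in /etc/sysctl.conf, which is the usual alternative to rc.local.

```shell
#!/bin/sh
# Added example, not part of the original post: build the SNAT rule from
# server.conf instead of typing the address by hand, so --to-source can never
# disagree with the 'local' directive (FAQ item 8 below is exactly that
# mismatch), and list which forwarding sysctls are still 0. The outgoing
# interface is passed in; pick it from ifconfig as described above.

# Field n of the first occurrence of a directive, comments ignored.
conf_field() {
    sed 's/[#;].*$//' "$1" | awk -v d="$2" -v n="$3" '$1 == d { print $n; exit }'
}

# Dotted netmask to prefix length: 255.255.255.0 -> 24.
mask_to_prefix() {
    echo "$1" | awk -F. '{
        bits = 0
        for (i = 1; i <= 4; i++) { v = $i; while (v > 0) { bits += v % 2; v = int(v / 2) } }
        print bits
    }'
}

# Print the iptables command for the VPN subnet and egress address in server.conf.
snat_rule() {
    conf=$1; iface=$2
    egress=$(conf_field "$conf" local 2)
    net=$(conf_field "$conf" server 2)
    mask=$(conf_field "$conf" server 3)
    if [ -z "$egress" ] || [ -z "$net" ] || [ -z "$mask" ]; then
        echo "need 'local' and 'server' directives in $conf" >&2
        return 1
    fi
    echo "iptables -t nat -A POSTROUTING -s $net/$(mask_to_prefix "$mask") -o $iface -j SNAT --to-source $egress"
}

# Read 'sysctl -a' output on stdin; print the forwarding keys that are not 1
# (net.ipv4.ip_forward and net.ipv4.conf.*.forwarding, not mc_forwarding).
forwarding_off() {
    awk -F' *= *' '$1 ~ /^net\.ipv4\.(conf\..*\.forwarding|ip_forward)$/ && $2 != 1 { print $1 }'
}

# Constructed sample of 'sysctl -a | grep for' output, with eth0 switched off.
sample_sysctl='net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.ip_forward = 1'

demo=$(mktemp -d)
printf 'local 192.168.50.160\nport 1194\nserver 10.8.0.0 255.255.255.0\n' > "$demo/server.conf"
snat_rule "$demo/server.conf" eth0
echo "forwarding still off for: $(echo "$sample_sysctl" | forwarding_off)"
rm -rf "$demo"
```

On the server, `sysctl -a | forwarding_off` lists exactly the keys that still need `sysctl -w`, and `snat_rule /usr/local/openvpn/etc/server.conf eth0` prints the rule to paste, which is the check FAQ item 8 would have benefited from.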

// The following section is optional

----------- begin --------------

Running a name server

If you need to reach sites whose domain names have been blocked by the GFW while your OpenVPN server itself is not blocked, you need to run a name server on your host and push its DNS to the client. Dedicated hosts normally come with a private DNS server.

Code:

rpm -qa | grep bind
/etc/init.d/named start

In addition, make sure server.conf contains these three settings:

Code:

push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 218.85.157.99" # name server address
push "dhcp-option DNS 218.85.152.99" # name server address

-------- end -------------


Once the client is connected, run ipconfig /all in cmd; the output should look something like this:

Code:

Ethernet adapter 本地连接 4:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : TAP-Win32 Adapter V8

Physical Address. . . . . . . . . : 00-FF-2B-EA-C0-89

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 10.8.0.26

Subnet Mask . . . . . . . . . . . : 255.255.255.252

Default Gateway . . . . . . . . . : 10.8.0.25

DHCP Server . . . . . . . . . . . : 10.8.0.25

DNS Servers . . . . . . . . . . . : 218.85.157.99

218.85.152.99

Lease Obtained. . . . . . . . . . : 2009年9月4日星期五 9:15:42

Lease Expires . . . . . . . . . . : 2010年9月4日星期六 9:15:42

6. Starting openvpn automatically when the OpenVPN server reboots

Run:

Code:

vi /etc/rc.local

and add these lines at the end:

Code:

# start OpenVPN at boot (the command itself must not begin with #, or rc.local treats it as a comment)
/usr/local/openvpn/sbin/openvpn --daemon --config /usr/local/openvpn/etc/server.conf > /dev/null 2>&1 &

7. Testing OpenVPN

1. After logging in through the VPN, test MSN, QQ, IE and other network applications, and also try visiting some sites blocked by the GFW; the precondition, of course, is that your VPN server is outside the country.

2. Without connecting to the VPN, open www.ip138.com to see your public IP address, then connect to the VPN and open it again, and compare the two addresses.


8. Frequently asked questions:

1. The client's local connection has no gateway

Check whether the client.ovpn configuration file contains redirect-gateway def1

2. Dialing the internal IP address 192.168.50.160 works, but 218.66.36.119 cannot be reached

Check whether the client is blocked from accessing external networks

3. The certificate is reported as invalid

Check whether the OpenVPN server's clock is correct; if it is not, correct the time and regenerate the certificates

4. How to check that all traffic goes through the VPN

On Windows run tracert 218.85.157.99 or pathping 218.85.157.99

For example:

C:\>tracert 218.85.157.99

Tracing route to FJ-DNS.fz.fj.cn [218.85.157.99]

over a maximum of 30 hops:

1 1 ms <1 ms <1 ms 10.8.0.1

(The first hop is the VPN server gateway; if it is not, the setup has failed)

2 1 ms 1 ms 1 ms 192.168.50.254 (gateway of the network the VPN server is on)

3 2 ms 2 ms 2 ms 218.66.36.254

4 4 ms 1 ms 1 ms 220.160.92.105

5 2 ms 2 ms 2 ms 202.109.204.161

6 2 ms 1 ms 2 ms 218.85.156.90

7 * * * Request timed out.

8 3 ms 3 ms 4 ms FJ-DNS.fz.fj.cn [218.85.157.99]

Trace complete.

On Linux use traceroute 218.85.157.99 or tracepath 218.85.157.99
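The rule in FAQ item 4, "the first hop must be the VPN gateway", can be checked mechanically rather than by reading the trace. The following is an added example, not part of the original post: first_hop extracts the first IPv4 address from hop 1 of Windows tracert, Linux traceroute or tracepath output, and via_vpn succeeds only when that hop is the expected gateway. The sample traces are constructed for the example (the addresses follow the trace above; 192.168.1.1 stands in for a LAN gateway in the leaking case), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: check the "first hop must be the
# VPN gateway" rule from FAQ item 4 on saved tracert/traceroute/tracepath output.

# Print the first IPv4 address on the line whose hop number is 1.
# tracert and traceroute print the hop as "1", tracepath prints "1:".
first_hop() {
    awk '$1 == "1" || $1 == "1:" { print; exit }' | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

# Succeed only if hop 1 is the expected gateway (10.8.0.1 in this setup).
via_vpn() {
    expected=$1
    hop=$(first_hop)
    [ -n "$hop" ] && [ "$hop" = "$expected" ]
}

# Constructed sample traces, not real captures.
win_trace='Tracing route to FJ-DNS.fz.fj.cn [218.85.157.99]
over a maximum of 30 hops:

  1     1 ms    <1 ms    <1 ms  10.8.0.1
  2     1 ms     1 ms     1 ms  192.168.50.254
  3     2 ms     2 ms     2 ms  218.66.36.254'

leak_trace='Tracing route to FJ-DNS.fz.fj.cn [218.85.157.99]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     2 ms     2 ms     2 ms  218.66.36.254'

linux_trace='traceroute to 218.85.157.99 (218.85.157.99), 30 hops max, 60 byte packets
 1  10.8.0.1 (10.8.0.1)  1.123 ms  1.090 ms  1.070 ms
 2  192.168.50.254 (192.168.50.254)  1.500 ms  1.480 ms  1.460 ms'

echo "$win_trace" | via_vpn 10.8.0.1 && echo "windows trace: traffic leaves through the VPN"
echo "$linux_trace" | via_vpn 10.8.0.1 && echo "linux trace: traffic leaves through the VPN"
echo "$leak_trace" | via_vpn 10.8.0.1 || echo "leak trace: first hop $(echo "$leak_trace" | first_hop) is not the VPN gateway"
```

In practice the output of `traceroute 218.85.157.99 | via_vpn 10.8.0.1` gives a yes/no exit status that can sit in a script run right after the tunnel comes up.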

5. Why do I get the same IP address when dialing the VPN client from different computers?

Check whether you are using the same client certificate

6. Why does one computer work fine, but two dialing in at the same time do not?

Check whether you are using the same client certificate.

7. After disconnecting the VPN, reconnecting immediately fails?

The connection has not been released yet, so it cannot reconnect; change the local machine's IP address and you can reconnect to the VPN.

8. OpenVPN had not been used for a while; today I rebuilt the certificates, and after everything was done the connection came up but there was no Internet access

The IP address had changed from 160 to 222 and the NAT had not been updated, so open /etc/sysconfig/iptables and change the NAT rule from:

-A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.50.160

to:

-A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.50.222

Done!


Reposted from liumaodou.iteye.com/blog/1860229