Reposted from http://hi.baidu.com/dd_taiyangxue/item/43ea0731c3fbabc72e8ec252
OpenVPN installation and configuration
I. OpenVPN installation environment
Server-side environment
Red Hat, kernel version 2.6.18.8-128.el5, IP address 192.168.0.166
The kernel must support the tun device, and the iptables module must be loadable.
Check whether tun is available:
Code:
[root@sever160 ~]# modinfo tun
If the modinfo command is not available, look for the module file directly. Older kernels ship it as tun.o, but on this machine it is tun.ko, so if you cannot find tun.o, search for tun.ko instead.
Check the iptables module by verifying that the following file exists:
/etc/init.d/iptables
More versions: http://openvpn.net/release/
Client-side environment: Windows XP Pro SP2
openvpn-2.0.9-install.exe,
available from http://openvpn.net/release/openvpn-2.0.9-install.exe
Note: the version of openvpn-2.0.9-install.exe must match the OpenVPN server version.
For example, if the server runs openvpn-2.0.9, the OpenVPN GUI for Windows to download is openvpn-2.0.9-install.exe
All historical OpenVPN GUI releases: http://openvpn.se/files/install_packages/
II. OpenVPN server installation
Log in to the Linux server with SecureCRT or SSH and change to the working directory
Code:
cd /usr/local/src/tarbag
Download LZO and unpack it to lzo-2.02 (the commands below were run with lzo-2.03; use the version of the tarball you actually fetched).
Download OpenVPN and unpack it to openvpn-2.0.9
Install LZO. Code:
#tar -zxvf lzo-2.03.tar.gz -C ../software
#cd ../software/lzo-2.03
#./configure --prefix=/usr/local/lzo    # set the install path
#make                                   # build
#make check                             # run the build checks
#make install                           # install
Install OpenVPN
#tar -xzvf openvpn-2.0.9.tar.gz -C ../software/
#cd /usr/local/src/software/openvpn-2.0.9
#./configure --with-lzo-headers=/usr/local/lzo/include --with-lzo-lib=/usr/local/lzo/lib --with-ssl-headers=/usr/include/openssl --with-ssl-lib=/usr/lib
# The output of configure follows
checking for ifconfig... /sbin/ifconfig
checking for ip... /sbin/ip
checking for route... /sbin/route
checking build system type... i686-pc-linux
checking host system type... i686-pc-linux
checking target system type... i686-pc-linux
checking for a BSD-compatible install... /usr/bin/install -c
...
# LZO check: if this fails, OpenVPN cannot be built
configure: checking for LZO Library and Header files...
checking lzo/lzo1x.h usability... yes
checking lzo/lzo1x.h presence... yes
checking for lzo/lzo1x.h... yes
checking for lzo1x_1_15_compress in -llzo2... yes
# OpenSSL check: if this fails, OpenVPN cannot be built
configure: checking for OpenSSL Crypto Library and Header files...
checking openssl/evp.h usability... yes
checking openssl/evp.h presence... yes
checking for openssl/evp.h... yes
checking for EVP_CIPHER_CTX_init in -lcrypto... yes
# OpenSSL must be at least version 0.9.6; if this fails, check your OpenSSL version
configure: checking that OpenSSL Library is at least version 0.9.6...
checking for EVP_CIPHER_CTX_set_key_length... yes
checking openssl/engine.h usability... yes
checking openssl/engine.h presence... yes
checking for openssl/engine.h... yes
checking for ENGINE_load_builtin_engines... yes
checking for ENGINE_register_all_complete... yes
checking for ENGINE_cleanup... yes
configure: checking for OpenSSL SSL Library and Header files...
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
checking for SSL_CTX_new in -lssl... yes
configure: creating ./config.status
config.status: creating Makefile
config.status: creating openvpn.spec
config.status: creating config-win32.h
config.status: creating install-win32/openvpn.nsi
config.status: creating config.h
config.status: executing depfiles commands
#make           # build (output omitted)
#make install   # final step: install
Generating the certificates and keys
Initialise the PKI
Code:
#cd /usr/local/src/software/openvpn-2.0.9/easy-rsa/2.0
#vi vars
Edit the following entries
-------------begin------------------
export EASY_RSA="`pwd`"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_CONFIG=$EASY_RSA/openssl.cnf   # this second assignment overrides the one above
export KEY_DIR=$EASY_RSA/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=FJ
export KEY_CITY=FZ
export KEY_ORG="netgaming"
export KEY_EMAIL=""
-----------end-------------------
KEY_SIZE=1024 was usual in 2009; 1024-bit RSA is below today's minimum, so use 2048 or more for a new deployment.
Build:
Code:
#source ./vars
#./clean-all    # deletes the keys directory
#./build-ca     # creates the root CA certificate
代码:
[root@sever160 2.0]# ./build-ca
Generating a 1024 bit RSA private key
..++++++
...........................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [FJ]:FJ
Locality Name (eg, city) [FZ]:FZ
Organization Name (eg, company) [netgaming]:netgaming
Organizational Unit Name (eg, section) []:766
Common Name (eg, your name or your server's hostname) [netgaming CA]:server
Email Address [[email protected]]:[email protected]
Build the server key
Code:
#./build-key-server server
[root@sever160 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
....................++++++
.............................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [FJ]:FJ
Locality Name (eg, city) [FZ]:FZ
Organization Name (eg, company) [netgaming]:netgaming
Organizational Unit Name (eg, section) []:766
Common Name (eg, your name or your server's hostname) [server]:server
Email Address [[email protected]]:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:ty12245^Hc1
An optional company name []:766
Using configuration from /usr/local/src/software/openvpn-2.0.9/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'FJ'
localityName :PRINTABLE:'FZ'
organizationName :PRINTABLE:'netgaming'
organizationalUnitName:PRINTABLE:'766'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Sep 1 06:11:47 2019 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate the client keys
Code:
#./build-key client1
[root@sever160 2.0]# ./build-key client1
Generating a 1024 bit RSA private key
...........................................++++++
.......++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [FJ]:FJ
Locality Name (eg, city) [FZ]:FZ
Organization Name (eg, company) [netgaming]:netgaming
Organizational Unit Name (eg, section) []:766
Common Name (eg, your name or your server's hostname) [client1]:client1
Email Address [[email protected]]:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:ty12245^Hc1
An optional company name []:766
Using configuration from /usr/local/src/software/openvpn-2.0.9/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'FJ'
localityName :PRINTABLE:'FZ'
organizationName :PRINTABLE:'netgaming'
organizationalUnitName:PRINTABLE:'766'
commonName :PRINTABLE:'client1'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Sep 1 06:19:03 2019 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate the other client certificates and keys the same way
Code:
#./build-key client2    # same procedure as for client1
#./build-key client3    # same procedure as for client1
Note: at the prompt Common Name (eg, your name or your server's hostname) []: each certificate must be given a different name.
Build the Diffie-Hellman parameters:
Code:
./build-dh    # this step is essential
[root@sever160 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...+...........................................+.....+......+.+....................+.....................................................................+.......................+................+..+..................+.+.............................................................+.+..............+........................................................+...+.........................................+.................++*++*++*
Use the SFTP function of your SSH client to download everything under keys to the local machine, and copy keys to /usr/local/openvpn/keys. Each client only needs ca.crt plus its own clientN.crt and clientN.key; ca.key is the CA signing key and should stay on the server, never be copied to clients.
Create the server configuration file
Create it from the sample file:
Code:
#cd sample-config-files/                  # the sample-config-files subdirectory of the unpacked source tree
#mkdir /usr/local/openvpn/etc             # directory for the OpenVPN configuration files
#cp server.conf /usr/local/openvpn/etc    # copy the server configuration file to /usr/local/openvpn/etc
#vi /usr/local/openvpn/etc/server.conf
The contents of the server.conf I created are given separately below.
Create the client configuration file
Code:
#cd sample-config-files/          # the sample-config-files subdirectory of the unpacked source tree
#cp client.conf /usr/local/etc    # copy the client configuration file to /usr/local/etc
#vi /usr/local/etc/client.conf
The contents of the client.conf I created are given separately below.
Start OpenVPN:
#cd /usr/local/openvpn/sbin/
#./openvpn --daemon --config /usr/local/openvpn/etc/server.conf
(The configure command above was run without --prefix, so a default build installs the binary as /usr/local/sbin/openvpn; adjust the path if that is where yours landed.)
III. Installing the OpenVPN client for Windows
Install OpenVPN for Windows, downloaded from http://openvpn.se. The current version is 1.0.3. Note: the OpenVPN version must match the OpenVPN server version.
Configure OpenVPN GUI
After installation, go to the config directory under the installation folder, download the client.conf created in step 10 above from the server into this folder, and rename it client.ovpn
Also extract the following certificate files from the mykeys.tar packed in step 8 into this folder:
Code:
ca.crt
ca.key
client1.crt
client1.csr
client1.key
Of these, the client actually uses only ca.crt, client1.crt and client1.key. ca.key is the CA signing key: anyone holding it can issue certificates the server trusts, so keep it on the CA machine and leave it out of the client package; client1.csr is not needed either.
Then double-click client.ovpn to start OpenVPN, or start the VPN from the OpenVPN GUI controls.
If double-clicking client.ovpn does nothing, right-click the OpenVPN GUI tray icon, choose Edit Config, paste the contents in and save, then right-click again and choose Connect.
To use the VPN on a second machine, repeat the same configuration, replacing client1.crt, client1.csr and client1.key with the corresponding client2.xxx files and changing the matching key file entries in client.ovpn.
IV. OpenVPN sample configuration files
OpenVPN server: server.conf
Code:
local 192.168.50.160
port 1194
proto udp
dev tun
ca /usr/local/openvpn/keys/ca.crt
cert /usr/local/openvpn/keys/server.crt
key /usr/local/openvpn/keys/server.key # This file should be kept secret
dh /usr/local/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /usr/local/openvpn/openvpn-status.log
verb 4
push "dhcp-option DNS 218.85.157.99" # name server address; see below for how to find it
push "dhcp-option DNS 218.85.152.99" # name server address; see below for how to find it
The DNS IPs in the example above, 218.85.157.99 and 218.85.152.99, can be found in /etc/resolv.conf
#vi /etc/resolv.conf
nameserver 218.85.157.99
nameserver 218.85.152.99
OpenVPN client: client.ovpn
Code:
client
dev tun
proto udp
remote 218.66.36.119 1194
persist-key
persist-tun
ca ca.crt
cert client1.crt    # replace with the matching client2.crt for the second machine
key client1.key     # replace with the matching client2.key for the second machine
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1    # essential; its absence is why the first few attempts kept failing
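A lint for the two configuration files above. This is an added example, not from the original post; it uses only sed, awk and grep and takes the file as a parameter. It flags the defects this page's own configs and FAQ revolve around: "//" used as a comment (OpenVPN only treats "#" and ";" as comments, so a line such as "cert client1.crt //..." fails to parse), a client without "redirect-gateway def1" (FAQ item 1, no gateway), and a client that never checks it is talking to the real server (no "ns-cert-type server"). The directive lists are this example's own assumptions about what a minimal working file needs.

```shell
#!/bin/sh
# Added example, not from the original post: a lint for the server.conf and
# client.ovpn shown above. It flags "//" comments (OpenVPN only treats "#"
# and ";" as comments), a client without "redirect-gateway def1" (FAQ 1),
# and a client that never verifies the server certificate.

# Drop OpenVPN comments ("#" or ";" to end of line) and blank lines.
strip_comments() {
    sed -e 's/[#;].*$//' -e 's/[[:space:]]*$//' -e '/^[[:space:]]*$/d' "$1"
}

# has_directive FILE NAME: 0 if some line starts with the directive NAME.
has_directive() {
    strip_comments "$1" | awk -v d="$2" '$1 == d { found = 1 } END { exit !found }'
}

# bad_comments FILE: 0 (and prints the lines) if any non-comment line carries "//".
bad_comments() {
    strip_comments "$1" | grep -n '//'
}

# lint_conf FILE server|client: prints each problem; returns their count (0 = clean).
lint_conf() {
    f="$1"; kind="$2"; n=0
    if [ "$kind" = server ]; then
        required="port proto dev ca cert key dh server"
    else
        required="client remote dev proto ca cert key"
    fi
    for name in $required; do
        has_directive "$f" "$name" || { echo "$f: missing '$name'"; n=$((n + 1)); }
    done
    if bad_comments "$f" >/dev/null; then
        echo "$f: '//' is not a comment in OpenVPN configs, use '#' or ';'"
        n=$((n + 1))
    fi
    if [ "$kind" = client ]; then
        has_directive "$f" redirect-gateway \
            || { echo "$f: no 'redirect-gateway def1', client keeps its own default route (FAQ 1)"; n=$((n + 1)); }
        has_directive "$f" ns-cert-type || has_directive "$f" remote-cert-tls \
            || { echo "$f: no server certificate check ('ns-cert-type server')"; n=$((n + 1)); }
    fi
    return "$n"
}

# Usage: sh lint-ovpn.sh client.ovpn client    (or: server.conf server)
if [ -n "${1:-}" ]; then
    lint_conf "$1" "${2:-client}"
fi
```

Run it on the client.ovpn before copying it to a Windows machine; a non-zero exit lists exactly which of the FAQ's usual causes applies.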
V. Reaching the Internet through the VPN
Enabling routing: once the VPN connection is up, routing still has to be set up before the Internet can be reached through the VPN. Add the NAT rule on the Linux server:
(Note: if the OpenVPN server is not directly connected to the Internet but sits on an ordinary LAN port behind a switch, a port mapping for port 1194 to 192.168.50.160 has to be added on the router.)
Code:
#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.50.160    # egress IP address, the same as "local 192.168.50.160" in server.conf
#/etc/init.d/iptables save
#/etc/init.d/iptables restart
The -o eth0 argument may differ between machines; run ifconfig to find out which interface carries the IP (192.168.50.160).
IP forwarding must also be enabled. Do not use echo 1 > /proc/sys/net/ipv4/ip_forward, because that setting is lost after a reboot. First check the current values:
Code:
#sysctl -a | grep for
# Output:
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.ip_forward = 1
If the values listed above (*.forwarding) on your host are not 1, set them to 1.
Code:
#sysctl -w net.ipv4.conf.tun0.forwarding=1
#sysctl -w net.ipv4.conf.eth0.forwarding=1
#sysctl -w net.ipv4.conf.lo.forwarding=1
#sysctl -w net.ipv4.conf.default.forwarding=1
#sysctl -w net.ipv4.conf.all.forwarding=1
#sysctl -w net.ipv4.ip_forward=1
(All forwarding values reset to 0 after a system reboot, so add these commands to rc.local.)
Two caveats: sysctl -w takes key=value with no spaces around the "=", otherwise it rejects the assignment; and sysctl -w is just as non-persistent as writing to /proc, so the standard durable setting is the line net.ipv4.ip_forward = 1 in /etc/sysctl.conf, which sysctl -p loads at boot.
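The forwarding check from this section as a script that reads a saved "sysctl -a" dump and prints the fix. This is an added example, not from the original post; it assumes the dump has been saved to a file (sysctl -a 2>/dev/null > /tmp/sysctl.txt) so it can be run anywhere, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: checks the forwarding keys the
# post lists from a saved "sysctl -a" dump and prints the fix. Reading from a
# file keeps it testable offline; on a live host run
# "sysctl -a 2>/dev/null > /tmp/sysctl.txt" first.

# forwarding_disabled DUMP: prints "key = value" for every forwarding key
# (net.ipv4.ip_forward and net.ipv4.conf.<if>.forwarding, not mc_forwarding)
# whose value is not 1.
forwarding_disabled() {
    awk -F'[ =]+' '
        ($1 == "net.ipv4.ip_forward" || $1 ~ /^net\.ipv4\.conf\.[^.]+\.forwarding$/) && $2 != 1 {
            print $1 " = " $2
        }' "$1"
}

# forwarding_ok DUMP: 0 if every forwarding key in the dump is 1.
forwarding_ok() {
    [ -z "$(forwarding_disabled "$1")" ]
}

# forwarding_fix_commands DUMP: prints the commands to run. "sysctl -w" takes
# key=value with no spaces (the spaced form is rejected) and, like echo into
# /proc, is lost at reboot; the durable fix is the line in /etc/sysctl.conf,
# which "sysctl -p" loads at boot. Prints only, runs nothing.
forwarding_fix_commands() {
    forwarding_disabled "$1" | awk '{ print "sysctl -w " $1 "=1" }'
    echo "grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf"
    echo "sysctl -p"
}

# Usage: sh check-forwarding.sh /tmp/sysctl.txt
if [ -n "${1:-}" ]; then
    if forwarding_ok "$1"; then
        echo "forwarding: ok"
    else
        echo "forwarding disabled on:"; forwarding_disabled "$1"
        echo "fix with:"; forwarding_fix_commands "$1"
    fi
fi
```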
# The following is optional
-----------begin--------------
Running a name server
If you need to reach sites whose domain names are blocked by the GFW, and your OpenVPN server itself is not blocked, run a name server on the host and push its DNS to the clients. Dedicated servers usually come with a private DNS server.
Code:
rpm -qa | grep bind
/etc/init.d/named start
In addition, server.conf must contain these three settings:
Code:
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 218.85.157.99" # name server address
push "dhcp-option DNS 218.85.152.99" # name server address
--------end-------------
Once the client is connected, run ipconfig /all in cmd; the output should look something like this:
Code:
Ethernet adapter 本地连接 4:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Win32 Adapter V8
Physical Address. . . . . . . . . : 00-FF-2B-EA-C0-89
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.8.0.26
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . : 10.8.0.25
DHCP Server . . . . . . . . . . . : 10.8.0.25
DNS Servers . . . . . . . . . . . : 218.85.157.99
218.85.152.99
Lease Obtained. . . . . . . . . . : 2009年9月4日星期五 9:15:42
Lease Expires . . . . . . . . . . : 2010年9月4日星期六 9:15:42
VI. Starting OpenVPN automatically when the server reboots
Run:
Code:
vi /etc/rc.local and add this line at the end:
Code:
/usr/local/openvpn/sbin/openvpn --daemon --config /usr/local/openvpn/etc/server.conf > /dev/null 2>&1 &
(The line goes into rc.local without a leading "#": there it would be a comment, and OpenVPN would not start at boot.)
VII. Testing OpenVPN
1. After logging in over the VPN, test network applications such as MSN, QQ and IE; you can also try some sites blocked by the GFW, provided of course that your VPN server is outside the country.
2. Without the VPN connected, open www.ip138.com to see the machine's public IP address, then connect the VPN and open it again, and compare the two addresses.
VIII. Common problems:
1. The client's local connection has no gateway
Check whether the client.ovpn configuration file contains redirect-gateway def1
2. The LAN address 192.168.50.160 can be dialled, but 218.66.36.119 cannot
Check whether the client is blocked from reaching external networks
3. "Certificate invalid" is reported
Check that the OpenVPN server's clock is correct; if it is wrong, correct the time and regenerate the certificates
4. How to check that all traffic is going over the VPN
On Windows use tracert 218.85.157.99 or pathping 218.85.157.99
For example:
C:\>tracert 218.85.157.99
Tracing route to FJ-DNS.fz.fj.cn [218.85.157.99]
over a maximum of 30 hops:
1 1 ms <1 ms <1 ms 10.8.0.1
(the first hop is the VPN server gateway; if it is not, the VPN is not carrying the traffic)
2 1 ms 1 ms 1 ms 192.168.50.254 (gateway of the network the VPN server is on)
3 2 ms 2 ms 2 ms 218.66.36.254
4 4 ms 1 ms 1 ms 220.160.92.105
5 2 ms 2 ms 2 ms 202.109.204.161
6 2 ms 1 ms 2 ms 218.85.156.90
7 * * * Request timed out.
8 3 ms 3 ms 4 ms FJ-DNS.fz.fj.cn [218.85.157.99]
Trace complete.
On Linux use traceroute 218.85.157.99 or tracepath 218.85.157.99
5. Why do I get the same IP address when dialling the VPN from different computers?
Check whether you are using the same client certificate
6. Why does one computer work fine, but two dialling at the same time do not?
Check whether you are using the same client certificate.
7. Reconnecting immediately after disconnecting the VPN fails?
The previous connection has not been released yet; change the local machine's IP address and you can reconnect the VPN.
8. OpenVPN had not been used for a while; today the certificates were rebuilt, and afterwards the connection came up but there was no Internet access
The IP address had been changed from .160 to .222 and NAT had not been updated, so open /etc/sysconfig/iptables and change the NAT rule from:
-A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.50.160
to:
-A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.50.222
Done.