This article gives an overview of configuring OpenVPN on a CentOS system.
Note: The relevant configurations and descriptions in this article are only used for examples and operation guidelines. Alibaba Cloud is not responsible for the results of related operations and the resulting problems.
OpenVPN configuration
Preparation
1. Run the update_source.sh tool to switch the yum source to Alibaba Cloud's intranet yum source.
2. Install the dependency packages:
```bash
yum install -y lzo lzo-devel openssl openssl-devel pam pam-devel
yum install -y pkcs11-helper pkcs11-helper-devel
```
Confirm that the installation is complete (every package should be listed):
```bash
rpm -qa lzo lzo-devel openssl openssl-devel pam pam-devel pkcs11-helper pkcs11-helper-devel
```
Install the OpenVPN service
1. Download the OpenVPN source tarball (openvpn-2.2.2.tar.gz in the steps below) and check it against the checksum or GPG signature published by the OpenVPN project before building it. 2.2.2 is an old release; the easy-rsa paths below assume it, but prefer a current 2.x release if you are not tied to this version.
2. Use rpmbuild to turn the source tarball into an rpm package:
rpmbuild -tb openvpn-2.2.2.tar.gz
After this command the build starts; when it finishes, the package openvpn-2.2.2-1.x86_64.rpm is placed in /root/rpmbuild/RPMS/x86_64.
3. Install it as an rpm package with rpm -ivh openvpn-2.2.2-1.x86_64.rpm.
Configure the OpenVPN service (server side)
1. Initialize the PKI
cd /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0
In the /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0 directory, open the vars file (the certificate environment file) and change the values set by the following export lines:
```bash
export KEY_COUNTRY="CN"        # country
export KEY_PROVINCE="BJ"       # province
export KEY_CITY="Hangzhou"     # city
export KEY_ORG="aliyun"        # organization
export KEY_EMAIL=my@test.com   # e-mail address
```
These values only end up in the subject of the certificates; choose whatever you like, they do not affect how the VPN operates. The same file also sets KEY_SIZE=1024, which is the key length used for every key generated below; change it to 2048 before continuing, since 1024-bit RSA is no longer considered adequate.
2. Generate the server certificate:
Link the OpenSSL configuration, load the variables, and wipe the keys directory (clean-all deletes everything in it, so only run it on a fresh setup):
```bash
ln -s openssl-1.0.0.cnf openssl.cnf   # symlink to the config file that matches the installed OpenSSL version
source ./vars
./clean-all
```
Generate the CA certificate. The defaults you just set in vars are offered at every prompt, so you can accept them by pressing Enter:
./build-ca
Generate the server certificate, where aliyuntest is a name of your choosing. Accept the prompts with Enter; at the end there are two questions (sign the certificate, commit), answer y to both. Afterwards aliyuntest.key, aliyuntest.csr and aliyuntest.crt are in the keys directory.
./build-key-server aliyuntest
3. Create the user key and certificate
./build-key aliyunuser
This creates a key and certificate for the user name aliyunuser; press Enter through the prompts and answer y to the two confirmations at the end. Afterwards aliyunuser.key, aliyunuser.crt and aliyunuser.csr are in the keys directory; the RSA key length is whatever KEY_SIZE in vars says (1024 bits unless you changed it). Run build-key once per user with a distinct name: a certificate shared by several people cannot be revoked for one of them without cutting off all of them.
4. Generate Diffie-Hellman parameters
./build-dh
This writes the DH parameter file dh1024.pem (the number follows KEY_SIZE, so dh2048.pem if you raised it) to the keys directory. The server uses it for the ephemeral Diffie-Hellman key exchange with each client; it plays no part in authenticating clients, which is done with the certificates above.
5. Copy the files from /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys to /etc/openvpn:
cp -a /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys/* /etc/openvpn/
The server itself only needs ca.crt, aliyuntest.crt, aliyuntest.key and the dh file. Copying everything, as above, also places ca.key and the user keys next to the running service; whoever can read ca.key can issue certificates for new users, so keep it somewhere else (or at least root-only) and make sure every .key file under /etc/openvpn is readable by root only.
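As an added example (not part of the article and not easy-rsa's own code), the following does with plain openssl what the build-ca, build-key-server and build-key steps above do, so each step is visible, and then runs the checks worth doing before anything is copied to /etc/openvpn: the chain verifies, each key is 2048 bits, each certificate matches its key, and only the server certificate carries the serverAuth extended key usage. The names aliyuntest and aliyunuser and the DN values follow the article; the function names, the DIR/keys layout and the extension files are assumptions of this example, modelled on easy-rsa's [server] and [usr_cert] sections.

```shell
# Subject fields, mirroring the export lines in vars; 2048-bit keys instead of
# the 1024-bit KEY_SIZE that the 2.2.x vars file sets.
KEY_COUNTRY="CN"; KEY_PROVINCE="BJ"; KEY_CITY="Hangzhou"; KEY_ORG="aliyun"
KEY_EMAIL="my@test.com"; KEY_SIZE=2048

subject() {  # $1 = common name
    printf '/C=%s/ST=%s/L=%s/O=%s/CN=%s/emailAddress=%s' \
        "$KEY_COUNTRY" "$KEY_PROVINCE" "$KEY_CITY" "$KEY_ORG" "$1" "$KEY_EMAIL"
}

# build_pki DIR [SERVER] [CLIENT]: creates DIR/keys with ca.crt, ca.key and a
# .key/.csr/.crt triple for SERVER and for CLIENT (defaults follow the article).
# Runs in a subshell so cd/umask do not leak into the caller.
build_pki() (
    dir="$1/keys"; server="${2:-aliyuntest}"; client="${3:-aliyunuser}"
    umask 077                       # everything is created owner-only
    mkdir -p "$dir" && cd "$dir" || exit 1
    # CA: self-signed, valid 10 years, like build-ca.
    openssl req -x509 -newkey "rsa:$KEY_SIZE" -nodes -days 3650 \
        -keyout ca.key -out ca.crt -subj "$(subject "$KEY_ORG CA")" 2>/dev/null || exit 1
    # Extensions modelled on easy-rsa's [server] and [usr_cert] sections; the
    # serverAuth EKU is what lets a client tell a server cert from a user cert.
    printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > server.ext
    printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > client.ext
    for entry in "$server:server" "$client:client"; do
        cn=${entry%%:*}; role=${entry##*:}
        openssl req -new -newkey "rsa:$KEY_SIZE" -nodes \
            -keyout "$cn.key" -out "$cn.csr" -subj "$(subject "$cn")" 2>/dev/null || exit 1
        openssl x509 -req -in "$cn.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 3650 -extfile "$role.ext" -out "$cn.crt" 2>/dev/null || exit 1
    done
    chmod 644 ca.crt "$server.crt" "$client.crt"   # certificates are public
)

# verify_pki DIR [SERVER] [CLIENT]: returns non-zero on the first failed check.
verify_pki() {
    dir="$1/keys"; server="${2:-aliyuntest}"; client="${3:-aliyunuser}"
    for cn in "$server" "$client"; do
        # Chain check: grep the "name: OK" line, because older openssl releases
        # exit 0 from "verify" even when verification fails.
        openssl verify -CAfile "$dir/ca.crt" "$dir/$cn.crt" 2>&1 | grep -q ': OK$' || return 1
        openssl rsa -in "$dir/$cn.key" -noout -text 2>/dev/null | grep -q "$KEY_SIZE bit" || return 1
        # The certificate must belong to the key it will be installed with.
        [ "$(openssl x509 -in "$dir/$cn.crt" -noout -modulus)" = \
          "$(openssl rsa -in "$dir/$cn.key" -noout -modulus 2>/dev/null)" ] || return 1
    done
    # Only the server certificate may carry serverAuth; a user certificate
    # with it could impersonate the server to the other users.
    openssl x509 -in "$dir/$server.crt" -noout -text | grep -q 'TLS Web Server Authentication' || return 1
    if openssl x509 -in "$dir/$client.crt" -noout -text | grep -q 'TLS Web Server Authentication'; then
        return 1
    fi
}

# Usage: build_pki /root/pki && verify_pki /root/pki && cp /root/pki/keys/ca.crt ... /etc/openvpn/
```

The verify_pki checks are also worth running against certificates produced by easy-rsa itself: build-key-server is the step that adds serverAuth, and mixing up build-key and build-key-server is the kind of mistake the last check catches.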
6. Copy the OpenVPN sample server configuration file server.conf to the /etc/openvpn/ directory:
cp -a /usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/
7. server.conf configuration
After editing, the file looks like this:
```bash
local 1.1.1.1                    # the public IP of your own cloud server; see the note below
port 1194
proto udp
dev tun
ca ca.crt
cert aliyuntest.crt              # this crt and the key on the next line use the name you chose when generating the server certificate
key aliyuntest.key
dh dh1024.pem                    # dh2048.pem if you set KEY_SIZE=2048
server 172.16.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
```
Notes on a few of these lines. The address given to local must be configured on one of the server's interfaces; if the public IP is not on the NIC (for example an address mapped to the instance by NAT), use the private interface address instead, or drop the line so OpenVPN listens on all addresses. The network given to server, 172.16.0.0/24, is handed out to clients and must not overlap the VPC or the clients' own LANs. The redirect-gateway push sends all client traffic through the VPN, which is what makes the public-IP check at the end of this article work. comp-lzo must match the client setting; compression inside a VPN has since been shown to leak plaintext (VORACLE), so leave it out unless you need it. The sample file also contains a commented-out line tls-auth ta.key 0: enabling it (the key is generated with openvpn --genkey --secret ta.key and given to clients as tls-auth ta.key 1) makes the server discard packets not signed with the shared key before any TLS handshake, which hides the port from scanners and keeps unauthenticated peers away from the TLS code.
8. Set up iptables
Before starting, make sure the iptables service is enabled and /etc/sysconfig/iptables exists. Then turn on IP forwarding in the kernel:
vi /etc/sysctl.conf
Set the following line:
net.ipv4.ip_forward = 1
Apply the kernel parameter:
sysctl -p
Add the NAT rule so that the server forwards client packets to the Alibaba Cloud intranet and to the Internet, with the clients' 172.16.0.0/24 addresses rewritten to the server's own:
iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
MASQUERADE alone is not enough on a stock CentOS system: the filter table ends both the INPUT and FORWARD chains with a REJECT rule, so you also have to accept UDP 1194 in INPUT and accept traffic entering and leaving tun0 in FORWARD, inserted above those REJECT rules (with iptables -I, not -A, otherwise the new rules are appended below the REJECT and never match). UDP 1194 must be allowed in the instance's security group as well.
Save the iptables configuration:
service iptables save
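As an added example (not from the article), the following audits a saved rule set, /etc/sysconfig/iptables or the output of iptables-save, for the rules an OpenVPN gateway needs and for their position relative to the chain's catch-all REJECT. The two rule sets it builds are constructed for this demonstration: "broken" is what the article's step leaves behind on a stock CentOS box when the UDP 1194 rule is added with -A, "fixed" has the rules inserted above the REJECTs. Function names, the audit's output format and the tun0 interface name are assumptions of this example.

```shell
# rule_before_reject FILE CHAIN PATTERN: true if a rule matching PATTERN
# exists in CHAIN and sits above the chain's catch-all REJECT (if there is one).
rule_before_reject() {
    hit=$(grep -En "$3" "$1" | head -n 1 | cut -d: -f1)
    rej=$(grep -En "^-A $2 -j REJECT" "$1" | head -n 1 | cut -d: -f1)
    [ -n "$hit" ] || return 1
    [ -z "$rej" ] || [ "$hit" -lt "$rej" ]
}

# report CMD...: runs CMD, prints ok/MISSING with the current $label,
# and counts failures in $missing.
report() {
    if "$@"; then echo "ok      $label"; else echo "MISSING $label"; missing=$((missing + 1)); fi
}

# audit_vpn_firewall FILE SUBNET PORT: one line per check; returns the number
# of failed checks, so 0 means the saved rule set is complete.
audit_vpn_firewall() {
    f="$1"; subnet="$2"; port="$3"; missing=0
    label="nat: MASQUERADE for $subnet"
    report grep -Eq "^-A POSTROUTING -s $subnet .*-j MASQUERADE" "$f"
    label="filter: INPUT accepts udp/$port above REJECT"
    report rule_before_reject "$f" INPUT "^-A INPUT .*-p udp .*--dport $port .*-j ACCEPT"
    label="filter: FORWARD accepts traffic from tun0 above REJECT"
    report rule_before_reject "$f" FORWARD "^-A FORWARD -i tun0 .*-j ACCEPT"
    label="filter: FORWARD accepts traffic to tun0 above REJECT"
    report rule_before_reject "$f" FORWARD "^-A FORWARD -o tun0 .*-j ACCEPT"
    return $missing
}

# write_rules FILE broken|fixed: constructed /etc/sysconfig/iptables contents
# (stock CentOS filter rules plus the article's NAT rule).
write_rules() {
    case "$2" in
        broken) before=""
                after="-A INPUT -p udp -m udp --dport 1194 -j ACCEPT" ;;
        fixed)  before="-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT"
                after="" ;;
        *) return 1 ;;
    esac
    cat <<EOF | grep -v '^$' > "$1"
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
${before}
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
${after}
COMMIT
EOF
}

# Usage on the server: audit_vpn_firewall /etc/sysconfig/iptables 172.16.0.0/24 1194
```

Run against the "broken" set the audit reports the NAT rule as ok and the three filter rules as MISSING (the UDP 1194 rule is present but below the REJECT, so it never matches); against the "fixed" set it returns 0.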
Start OpenVPN
/etc/init.d/openvpn start
Confirm that OpenVPN is running and listening on port 1194 with netstat -ano | grep 1194; if nothing is listening, check /etc/openvpn/openvpn.log for the reason.
Configuration for Windows PC clients
1. Download the OpenVPN client.
2. Installation: install it on Windows with the default settings.
3. Copy ca.crt, aliyunuser.crt and aliyunuser.key from the /etc/openvpn/ directory of the cloud server to the Windows PC that will connect. The .csr file is only a signing request and is not needed by the client; ca.crt is needed, because client.ovpn refers to it. Use SFTP or scp rather than plain FTP, since aliyunuser.key is the user's private key and must not cross the network in clear text.
Save them in the \OpenVPN\config directory under the OpenVPN installation path.
4. Configure client.ovpn
Copy client.ovpn from the \OpenVPN\sample-config\ directory under the OpenVPN installation path to the \OpenVPN\config directory under the installation path, then change the following parameters in it:
```bash
proto udp              # remove the leading semicolon; use UDP, the same protocol as the server
remote 1.1.1.1 1194    # replace 1.1.1.1 with the public IP of your cloud server and remove the semicolon in front of the line
cert aliyunuser.crt
key aliyunuser.key
```
The sample file's line ca ca.crt stays as it is, which is why ca.crt was copied in step 3.
5. Go to the C:\Program Files (x86)\OpenVPN\bin directory, find openvpn-gui-1.0.3.exe, right-click it and choose to run it with administrator privileges (when run as an ordinary user, adding the routes fails):
6. After the connection succeeds, confirm that you can reach the Alibaba Cloud intranet through OpenVPN by opening the intranet mirror source http://mirrors.aliyuncs.com/ :
Also visit ip.cn: the public exit IP of the Windows PC should now be the public IP address of the cloud server.
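As an added example for step 4 above (not from the article or from the OpenVPN project), the following builds a single client profile with ca.crt, the user certificate and the user key embedded inline, so one file instead of four is copied to the Windows PC, and adds remote-cert-tls server, the check the sample client.ovpn does not enable: with it, the client refuses to talk to a peer whose certificate lacks the serverAuth extended key usage that build-key-server sets, so another user's certificate from the same CA cannot be used to pose as the VPN server. The function name and the inline layout are this example's; the directive names are OpenVPN's, and comp-lzo is kept because the server.conf above uses it.

```shell
# make_client_ovpn REMOTE PORT CA_CRT CLIENT_CRT CLIENT_KEY: writes the profile
# to stdout. The result contains the private key, so keep it readable by the
# user alone, just like the .key file itself.
make_client_ovpn() {
    remote="$1"; port="$2"; ca="$3"; crt="$4"; key="$5"
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $remote $port
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
# Only accept a peer whose certificate was issued for a server (serverAuth);
# without this line any user certificate from the same CA could impersonate
# the VPN server.
remote-cert-tls server
<ca>
$(cat "$ca")
</ca>
<cert>
$(cat "$crt")
</cert>
<key>
$(cat "$key")
</key>
EOF
}

# Usage: make_client_ovpn 1.1.1.1 1194 ca.crt aliyunuser.crt aliyunuser.key > aliyunuser.ovpn
```

Generate the profile on the server (or wherever the keys were built), copy the single .ovpn into \OpenVPN\config over SFTP or scp, and delete it from any intermediate location; it is as sensitive as the key it contains.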