This article briefly explains how to set up an OpenVPN server on CentOS and how to configure the OpenVPN client on a Windows PC.
Note: This configuration is only an example and is provided as an operational guideline; Alibaba Cloud is not responsible for problems that arise from following it.
Configure OpenVPN
- Preparation
- Install the OpenVPN service
- Configure the OpenVPN service (server side)
- Start OpenVPN
Preparation
Before installing the OpenVPN service, make sure you have done the following:
- Use the update_source.sh tool to switch the yum source to the Alibaba Cloud internal yum source.
- Install the dependency packages:
```bash
yum install -y lzo lzo-devel openssl openssl-devel pam pam-devel
yum install -y pkcs11-helper pkcs11-helper-devel
```
- Confirm that the packages are installed:
```bash
rpm -qa lzo lzo-devel openssl openssl-devel pam pam-devel pkcs11-helper pkcs11-helper-devel
```
Install the OpenVPN service
Install the OpenVPN service by following these steps:
- Download the OpenVPN source package:
```bash
wget http://oss.aliyuncs.com/aliyunecs/openvpn-2.2.2.tar.gz
```
- Use the rpmbuild command to compile the source package into an rpm:
```bash
rpmbuild -tb openvpn-2.2.2.tar.gz
```
When rpmbuild has finished compiling, the installation package openvpn-2.2.2-1.x86_64.rpm is generated in the /root/rpmbuild/RPMS/x86_64 directory. The paths used in the rest of this article contain this version number; adjust them if you build a different (preferably current) release.
- Install the rpm package:
```bash
rpm -ivh /root/rpmbuild/RPMS/x86_64/openvpn-2.2.2-1.x86_64.rpm
```
Configure the OpenVPN service (server side)
Configuring the OpenVPN service is divided into four phases:
- Initialization
- Generate certificates, keys and parameter files
- Copy certificates, keys and parameter files
- Set up iptables
Initialization
Enter the easy-rsa directory shipped with the package, which holds the PKI scripts used below:
```bash
cd /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0
```
In this directory, open the vars file and change the values in the following five export lines:
```bash
export KEY_COUNTRY="CN"        # country
export KEY_PROVINCE="BJ"       # province
export KEY_CITY="Hangzhou"     # city
export KEY_ORG="aliyun"        # organization
export KEY_EMAIL=my@test.com   # e-mail address
```
Note: These values only populate the certificate subject; setting them to anything you like does not affect the OpenVPN configuration. The same file also sets KEY_SIZE=1024, which is the RSA key length used for every certificate generated below; raise it to 2048 for a new deployment.
Generate certificates, keys and parameter files
Generate the required certificates, keys and parameter files by following these steps:
- Load the variables and clear the keys directory. clean-all deletes everything under keys/, so run it only once, at initialization:
```bash
ln -s openssl-1.0.0.cnf openssl.cnf   # easy-rsa expects openssl.cnf; link it to the openssl-1.0.0.cnf configuration file
source ./vars
./clean-all
```
- Generate the CA certificate. The defaults you set in vars are offered at each prompt, so pressing Enter repeatedly completes this step:
```bash
./build-ca
```
- Generate the server certificate. aliyuntest is a name you choose; press Enter at each prompt and answer y to the two final confirmations. When it finishes, the keys directory contains aliyuntest.key, aliyuntest.csr and aliyuntest.crt:
```bash
./build-key-server aliyuntest
```
- Generate a client key and certificate. aliyunuser is the user name; press Enter at each prompt and answer y to the two final confirmations. When it finishes, the keys directory contains a 1024-bit RSA key aliyunuser.key together with aliyunuser.csr and aliyunuser.crt. Issue one certificate per client rather than sharing one between users, so that a single user can later be revoked:
```bash
./build-key aliyunuser
```
- Generate the Diffie-Hellman parameters used for the TLS key exchange (they play no part in client authentication; that is done with the certificates above). When it finishes, the keys directory contains the parameter file dh1024.pem:
```bash
./build-dh
```
Copy certificates, keys and parameter files
Copy the generated certificates, keys and parameter files to their final locations as follows:
- Copy all files in the /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys directory to /etc/openvpn:
```bash
cp -a /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys/* /etc/openvpn/
```
- Copy the sample OpenVPN server configuration file server.conf to the /etc/openvpn/ directory:
```bash
cp -a /usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/
```
- After editing, the effective contents of server.conf (comments and blank lines filtered out) are as follows:
```bash
$ egrep -v "^$|^#|^;" server.conf
local 1.1.1.1                  # replace with the public IP address of your cloud server
port 1194
proto udp
dev tun
ca ca.crt
cert aliyuntest.crt            # the crt name you chose when generating the server certificate
key aliyuntest.key             # the key name you chose when generating the server certificate
dh dh1024.pem
server 172.16.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
```
The local line makes OpenVPN bind to that address, so it must be an address configured on one of the server's interfaces; if the public address is mapped to the server by NAT rather than configured on it, omit the local line. The push "redirect-gateway def1 bypass-dhcp" line sends all client traffic through the VPN, and client-to-client lets connected clients reach each other directly; remove it if clients should be isolated from one another.
Set up iptables
Before setting up iptables, make sure the iptables service is running and that the file /etc/sysconfig/iptables exists, then complete the setup as follows:
- Enable routing and forwarding in the kernel parameters:
```bash
vi /etc/sysctl.conf
```
- Set the following parameter to enable IPv4 forwarding:
```
net.ipv4.ip_forward = 1
```
- Make the kernel parameters take effect:
```bash
sysctl -p
```
- Add an iptables rule so that packets from the VPN subnet are forwarded to the Alibaba Cloud internal network and the Internet with the server's own address as source. The subnet must match the server line in server.conf:
```bash
iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
```
If the INPUT and FORWARD chains end in a REJECT rule (the default on a stock CentOS installation), incoming UDP port 1194 and forwarding to and from the tun interface must also be accepted, or clients will not connect or will connect without network access.
- Save the iptables configuration so that it survives a reboot:
```bash
service iptables save
```
Start OpenVPN
Start the OpenVPN service:
```bash
/etc/init.d/openvpn start
```
Then confirm that UDP port 1194 is listening, which shows that OpenVPN is running:
```bash
netstat -anup | grep 1194
```
If the port is not listening, check /etc/openvpn/openvpn.log (the file named by the log line in server.conf); a local address that is not configured on any interface, or a certificate or key file that cannot be found, are the usual causes.
Configuring the Windows PC client
Configure the Windows PC client as follows:
- Download the Windows PC client.
- Run the Windows PC client installer and complete the installation with the default settings.
- Download ca.crt, aliyunuser.key and aliyunuser.crt from the /etc/openvpn/ directory of the cloud server to the Windows PC that will connect, and save them in the \OpenVPN\config directory under the OpenVPN installation path. ca.crt is required because client.ovpn refers to it with ca ca.crt; aliyunuser.csr is only the signing request and is not needed by the client. Use an encrypted transfer (sftp/scp rather than plain ftp), since aliyunuser.key is the user's private key.
- Configure client.ovpn. Copy client.ovpn from the \OpenVPN\sample-config\ directory under the OpenVPN installation path into the \OpenVPN\config directory, then change the following parameters in the file:
```bash
proto udp              # remove the leading semicolon; use UDP, matching the server side
remote 1.1.1.1 1194    # replace 1.1.1.1 with the public IP address of your cloud server and remove the leading semicolon
cert aliyunuser.crt
key aliyunuser.key
```
- Open the C:\Program Files (x86)\OpenVPN\bin directory, right-click openvpn-gui-1.0.3.exe and select Run as Administrator (A); without administrator rights the client cannot add routes and the connection fails.
- Once connected, open the Alibaba Cloud internal mirror source to confirm that you reach the Alibaba Cloud internal network through OpenVPN, then open ip.cn and confirm that the public IP shown for the Windows PC is now the public IP address of the cloud server: because the server pushes redirect-gateway def1 bypass-dhcp, all of the PC's traffic now leaves through the cloud server.
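Copying three separate files into \OpenVPN\config and editing client.ovpn by hand is error-prone, and the sample file leaves the server-certificate check disabled. The script below is an added example (not part of the original article) that builds a complete client.ovpn on the server from ca.crt, aliyunuser.crt and aliyunuser.key using OpenVPN's inline <ca>/<cert>/<key> blocks (supported by the 2.1+ client), so only one file has to be transferred to the Windows PC. It also adds remote-cert-tls server, which makes the client refuse any peer whose certificate lacks the serverAuth extended key usage that build-key-server puts on the server certificate. The function names and the pem_only helper are mine; easy-rsa .crt files begin with a readable dump of the certificate, which the helper drops.

```shell
#!/bin/bash
# Added example: produce a single-file client profile with inline credentials.
# usage: make_client_ovpn SERVER_IP CA_CRT USER_CRT USER_KEY [PORT] > client.ovpn
#   e.g. make_client_ovpn 1.1.1.1 /etc/openvpn/ca.crt /etc/openvpn/aliyunuser.crt \
#            /etc/openvpn/aliyunuser.key > aliyunuser.ovpn
set -u

# Print only the PEM block of a file, skipping the text dump easy-rsa prepends.
pem_only() {                       # pem_only FILE
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

make_client_ovpn() {               # make_client_ovpn SERVER_IP CA_CRT USER_CRT USER_KEY [PORT]
    local server="$1" ca="$2" crt="$3" key="$4" port="${5:-1194}"
    cat <<EOF
client
dev tun
proto udp
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
# Only accept a peer whose certificate was issued with build-key-server
# (serverAuth EKU); otherwise any other VPN user could impersonate the server.
remote-cert-tls server
comp-lzo
verb 3
<ca>
$(pem_only "$ca")
</ca>
<cert>
$(pem_only "$crt")
</cert>
<key>
$(pem_only "$key")
</key>
EOF
}

# Number of closed inline blocks in a profile; a complete profile has 3.
ovpn_inline_blocks() {             # ovpn_inline_blocks FILE
    grep -c -E '^</(ca|cert|key)>$' "$1"
}

if [ "$#" -ge 4 ]; then
    make_client_ovpn "$@"
fi
```

The resulting file contains the user's private key, so generate it on the server, move it to the PC over sftp/scp, and delete the copy on the server afterwards; on the Windows side it goes into \OpenVPN\config like the hand-edited client.ovpn. The proto and comp-lzo lines mirror the server.conf shown earlier and must be kept in step with it.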