Notes on installing OpenVPN on Linux and the OpenVPN GUI on Windows
A friend asked me again today about installing OpenVPN, so I have reorganized these notes on installing OpenVPN on Linux and the OpenVPN GUI on Windows; I hope they are useful to everyone.
When I installed OpenVPN I was guided by WenZK, for which I am grateful.
I. OpenVPN installation environment
Server-side environment
1. Red Hat, kernel version 2.4.20-31.9, IP address 70.8.7.6
2. The kernel must support the tun device, and the iptables module must be loaded.
Check whether tun is present:
Code:
root@a [/]# modinfo tun
filename:    /lib/modules/2.4.20-31.9/kernel/drivers/net/tun.o
description:
author:
license:     "GPL"
If there is no modinfo command, just search the kernel tree for a tun.o file:
Code:
find -name tun.o
./lib/modules/2.4.20/kernel/drivers/net/tun.o
Check the iptables module by looking for the following file:
/etc/init.d/iptables
3. OpenSSL.
If SSL connections are to be enabled, OpenSSL must be installed first.
How to install OpenSSL is not covered here; a Google search will turn it up.
On CentOS it can be installed with yum install:
yum install openssl
yum install openssl-devel
4. OpenVPN version installed: 2.0.5. There now seems to be a newer version available for download.
Client-side environment:
1. Windows XP Pro SP2
2. OpenVPN GUI for Windows 1.0.3, downloadable from openvpn.se
Note:
The OpenVPN GUI for Windows version must match the OpenVPN server version.
For example, if the server runs OpenVPN 2.0.5, the OpenVPN GUI for Windows to download is:
openvpn-2.0.5-gui-1.0.3-install.exe
All historical versions of OpenVPN GUI:
http://openvpn.se/files/install_packages/
II. OpenVPN server installation
1. Log in to the host with SecureCRT and change to the root directory. Code:
cd /
2. Download LZO and unpack it to lzo-2.02.
Address:
Code:
wget
3. Download OpenVPN and unpack it to openvpn-2.0.5
Address:
Code:
wget
4. Install LZO. Code:
cd /lzo-2.02
./configure
make
make check
make install
5. Install OpenVPN
Code:
cd /openvpn-2.0.5
./configure
# or with explicit directories (note: the command below should be written on one line; it is split into four lines here for display)
# ./configure --with-lzo-headers=/usr/local/include
#   --with-lzo-lib=/usr/local/lib
#   --with-ssl-headers=/usr/local/include/openssl
#   --with-ssl-lib=/usr/local/lib
make
make install
6. Generate certificates and keys
Initialize the PKI
(If there is no export command, setenv [name] [value] can be used instead)
Code:
cd /openvpn-2.0.5/easy-rsa
export D=`pwd`
export KEY_CONFIG=$D/f
export KEY_DIR=$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=GD
export KEY_CITY=SZ
export KEY_ORG=""
export KEY_EMAIL="your-email[at]"
Build:
Code:
./clean-all
./build-ca
Generating a 1024 bit RSA private key
................++++++
........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:server
Email Address [your-email[at]]:
# Build the server key
Code:
./build-key-server server
Generating a 1024 bit RSA private key
......++++++
....................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:server
Email Address [your-email[at]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:
Using configuration from /openvpn-2.0.5/easy-rsa/f
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:''
organizationalUnitName:PRINTABLE:''
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'your-email[at]'
Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# Generate the client key
Code:
./build-key client1
Generating a 1024 bit RSA private key
.....++++++
......++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:client1   # Important: every client's certificate must be given a different name.
Email Address [your-email[at]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:
Using configuration from /openvpn-2.0.5/easy-rsa/f
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:''
organizationalUnitName:PRINTABLE:''
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'your-email[at]'
Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate the other client certificates and keys in the same way
Code:
./build-key client2
./build-key client3
Note: at the prompt Common Name (eg, your name or your server's hostname) []:
each certificate must be given a different name.
7. Generate Diffie-Hellman parameters.
Code:
./build-dh
8. Pack all the files under keys and download them to the local machine
Code:
tar -cf mykeys.tar /openvpn-2.0.5/easy-rsa/keys
cp mykeys.tar /home/sys/public_html/mykeys.tar
Move mykeys.tar into the web public directory (the absolute path varies from system to system), download it from there and save it locally, then delete it from the server:
Code:
rm /home/sys/public_html/mykeys.tar
The key files can also be brought to the local machine by other means, for example ftp.
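As an added example (not part of the original notes), the following script packs only the files a client actually needs from easy-rsa's keys directory, which is the list the Windows client step in Section III unpacks minus ca.key and client1.csr: ca.key is the CA's signing key and must never leave the server, and the .csr is only the signing request. The keys path, client name and output directory are arguments; the file names are the easy-rsa ones used above.

```shell
#!/bin/sh
# Added example, not from the original notes: bundle only what one client needs.
# ca.key is the CA signing key and must stay on the server; client1.csr is just
# the signing request and is not used by the client. Paths are arguments.

# pack_client_bundle KEYS_DIR CLIENT OUT_DIR
# Writes OUT_DIR/CLIENT.tar holding ca.crt, CLIENT.crt and CLIENT.key from
# KEYS_DIR (easy-rsa's keys directory), readable by the creator only.
# Prints the archive path; fails if any of the three files is missing.
pack_client_bundle() {
    keys="$1"; client="$2"; out="$3/$2.tar"
    for f in ca.crt "$client.crt" "$client.key"; do
        [ -f "$keys/$f" ] || { echo "missing $keys/$f" >&2; return 1; }
    done
    # subshell so the restrictive umask does not leak into the caller
    ( umask 077 && tar -cf "$out" -C "$keys" ca.crt "$client.crt" "$client.key" ) \
        || return 1
    echo "$out"
}

# bundle_is_clean ARCHIVE CLIENT
# Returns 0 if the only private key in ARCHIVE is CLIENT.key, i.e. no ca.key,
# server.key or other client's key was packed (whatever directory prefix tar
# recorded). Returns 1 otherwise, listing the offending entries on stderr.
bundle_is_clean() {
    [ -f "$1" ] || return 1
    stray=$(tar -tf "$1" | sed 's|.*/||' | grep '\.key$' | grep -Fvx "$2.key" || true)
    [ -z "$stray" ] || { echo "private keys besides $2.key: $stray" >&2; return 1; }
}
```

Run bundle_is_clean against an archive made the way step 8 does it (the whole keys directory) and it reports ca.key and server.key, which is the check worth doing before any bundle leaves the server.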
9. Create the server configuration file
Create it from the sample file:
Code:
cd $dir/sample-config-files/   # enter the sample-config-files subdirectory of the unpacked source tree
cp server.conf /usr/local/etc  # copy the server configuration file to /usr/local/etc
vi /usr/local/etc/server.conf
The contents of the server.conf I created are attached later.
10. Create the client configuration file
Code:
cd $dir/sample-config-files/   # enter the sample-config-files subdirectory of the unpacked source tree
cp client.conf /usr/local/etc  # copy the client configuration file to /usr/local/etc
vi /usr/local/etc/client.conf
The contents of the client.conf I created are attached later.
11. Start OpenVPN:
openvpn [server config file]. Code:
/usr/local/sbin/openvpn --config /usr/local/etc/server.conf
III. Installing the OpenVPN GUI for Windows client
1. Install OpenVPN GUI for Windows, downloaded from http://openvpn.se. The current version is 1.0.3. Note:
the OpenVPN GUI version must match the OpenVPN server version; see the note in Section I, Installation environment.
2. Install openvpn gui following the on-screen instructions.
3. Configure openvpn gui
After installation, go to the config directory under the installation folder, download the client.conf file created in step 10 above from the server into this folder, and rename it client.ovpn.
At the same time, extract the following certificate files from the mykeys.tar packed in step 8 into this folder:
Code:
ca.crt
ca.key
client1.crt
client1.csr
client1.key
Then double-click client.ovpn to start openvpn, or start the VPN from the OpenVPN GUI controls.
If double-clicking client.ovpn does nothing, right-click the OpenVPN GUI icon in the taskbar, choose edit config, paste the contents in and save, then choose connect from the right-click menu.
To use the VPN on a second machine, do the same configuration, replacing client1.crt, client1.csr and client1.key with the corresponding client2.xxx files, and change the key file entries in client.ovpn to match.
IV. OpenVPN sample configuration files
1. OpenVPN server:
server.conf
Code:
local 70.8.7.6
port 1194
proto udp
dev tun
ca /openvpn-2.0.5/easy-rsa/keys/ca.crt
cert /openvpn-2.0.5/easy-rsa/keys/server.crt
key /openvpn-2.0.5/easy-rsa/keys/server.key  # This file should be kept secret
dh /openvpn-2.0.5/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /openvpn-2.0.5/easy-rsa/keys/openvpn-status.log
verb 4
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 70.88.98.10"  # nameserver address; how to obtain it is explained below
push "dhcp-option DNS 70.88.99.11"  # nameserver address; how to obtain it is explained below
Note:
Some domains are blocked by the GFW; to reach those sites, the DNS servers used on the server should be pushed to the client. The DNS IPs in the example above, 70.88.98.10 and 70.88.99.10, can be found in /etc/resolv.conf:
Code:
vi /etc/resolv.conf
nameserver 70.88.98.10
nameserver 70.88.99.11
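Added example, not from the original notes: a small shell check that derives the push lines from a resolv.conf-style file and verifies that a server.conf pushes every nameserver listed there, so the addresses are not retyped by hand. Both file paths are arguments; the sample files used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: generate the "push dhcp-option DNS"
# lines from a resolv.conf-style file and check a server.conf against it, so the
# nameserver addresses are not copied by hand. Both file paths are arguments.

# resolv_push_lines RESOLV_CONF
# One push line per distinct "nameserver a.b.c.d" entry, skipping comments,
# "search"/"domain" lines and anything that is not a dotted-quad address.
resolv_push_lines() {
    awk '/^[[:space:]]*nameserver[[:space:]]+[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+([[:space:]]|$)/ &&
         !seen[$2]++ { printf "push \"dhcp-option DNS %s\"\n", $2 }' "$1"
}

# pushed_dns SERVER_CONF
# The DNS addresses pushed by server.conf, one per line, in file order.
pushed_dns() {
    sed -n 's/^[[:space:]]*push[[:space:]]*"dhcp-option[[:space:]]*DNS[[:space:]]*\([0-9.]*\)".*/\1/p' "$1"
}

# dns_push_matches RESOLV_CONF SERVER_CONF
# Returns 0 when every nameserver in RESOLV_CONF is pushed by SERVER_CONF;
# otherwise prints the addresses that are missing and returns 1.
dns_push_matches() {
    pushed=$(pushed_dns "$2")
    missing=""
    for ns in $(resolv_push_lines "$1" | sed 's/.*DNS \([0-9.]*\)".*/\1/'); do
        printf '%s\n' "$pushed" | grep -qFx "$ns" || missing="$missing $ns"
    done
    [ -z "$missing" ] || { echo "not pushed by server.conf:$missing" >&2; return 1; }
}
```

The check is one-directional on purpose: server.conf may push extra addresses (such as 10.8.0.1 above) that are not in resolv.conf.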
2. OpenVPN client:
client.ovpn
Code:
client
dev tun
proto udp
remote 70.8.7.6 1194
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
V. Settings for reaching the outside network through OpenVPN
1. Enable routing. After the VPN connection succeeds, routing still has to be set up before the Internet can be reached through the VPN. Add the following on the Linux host:
Code:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 70.8.7.6
/etc/init.d/iptables save
/etc/init.d/iptables restart
The -o eth0 parameter may differ between machines; run ifconfig to find out which network interface holds the IP (70.8.7.6).
2. IP forwarding also needs to be turned on. Do not use
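Added example, not from the original notes: shell helpers that locate the interface holding the public IP from ifconfig output (so the -o parameter above is read rather than guessed), build the SNAT rule from step 1 for that interface, add it only when it is not already listed, and check whether forwarding is on. The ifconfig text embedded in the block is constructed, and its interface names and addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: find which interface holds the
# public IP from ifconfig output instead of assuming eth0, build the SNAT rule
# from the notes for it, and add it only once. Names/addresses below are assumed.

# iface_for_ip IFCONFIG_TEXT IP: name of the interface block (net-tools ifconfig
# format, as on the 2.4 kernel above) carrying "inet addr:IP"; empty if absent.
iface_for_ip() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        /^[A-Za-z0-9]/ { iface = $1 }                  # block header line
        /inet addr:/   { split($0, a, "inet addr:"); split(a[2], b, /[[:space:]]/)
                         if (b[1] == ip) { print iface; exit } }'
}

# snat_rule IFACE PUBLIC_IP: the POSTROUTING rule from the notes for the VPN subnet.
snat_rule() {
    echo "-t nat -A POSTROUTING -s 10.8.0.0/24 -o $1 -j SNAT --to-source $2"
}

# apply_snat IFACE PUBLIC_IP: add the rule only if no identical SNAT is listed,
# so re-running (e.g. from a boot script) does not stack duplicate rules.
apply_snat() {
    if iptables -t nat -L POSTROUTING -n | grep -q "SNAT.*10.8.0.0/24.*to:$2$"; then
        echo "SNAT rule already present"
    else
        iptables $(snat_rule "$1" "$2")
    fi
}

# ip_forward_enabled [FILE]: kernel forwarding on? (FILE overrides the /proc path.)
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = 1 ]
}

# Constructed ifconfig output (not a real host) used for the demonstration.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:70.8.7.6  Bcast:70.8.7.255  Mask:255.255.255.0

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255'

IFACE=$(iface_for_ip "$SAMPLE_IFCONFIG" 70.8.7.6)
echo "iptables $(snat_rule "$IFACE" 70.8.7.6)"
```

On a real host replace SAMPLE_IFCONFIG with "$(ifconfig)" and call apply_snat as root; the /etc/init.d/iptables save step from the notes still follows.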