Installing OpenVPN on CentOS 5.5

Published: 2010-08-13

Today a customer reported that, for various reasons, the VPN he had built with pptpd no longer works, so a VPN built on OpenVPN is needed instead. We collected some material from the web and tested it ourselves on one of our Linux Xen VPSes: the install succeeded and the local machine connected and reached the Internet normally. Here is a summary of the installation process.
Test environment:
Linux Xen VPS, CentOS 5.5 32-bit, PyGrub
VPS IP: 173.231.13.202
OpenVPN version: 2.1.1
Local machine: Windows 7 (Chinese edition)
Step 1: Download the required packages.
1. Official download sites:

wget ftp://rpmfind.net/linux/epel/5/i386/pkcs11-helper-devel-1.07-2.el5.1.i386.rpm
wget ftp://rpmfind.net/linux/epel/5/i386/pkcs11-helper-1.07-2.el5.1.i386.rpm
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz
wget http://openvpn.net/release/openvpn-2.1.1.tar.gz

2. Mirror on this site:

wget http://www.vpsyou.com/sources/pkcs11-helper-devel-1.07-2.el5.1.i386.rpm
wget http://www.vpsyou.com/sources/pkcs11-helper-1.07-2.el5.1.i386.rpm
wget http://www.vpsyou.com/sources/lzo-2.03.tar.gz
wget http://www.vpsyou.com/sources/openvpn-2.1.1.tar.gz

Step 2: Install the required development packages with yum:

yum install -y openssl openssl-devel automake pkgconfig iptables

Step 3: Install the OpenVPN server
1. Install the pkcs11-helper RPM packages (the library and its -devel package downloaded above)

rpm -ivh pkcs11-helper-1.07-2.el5.1.i386.rpm
rpm -ivh pkcs11-helper-devel-1.07-2.el5.1.i386.rpm

2. Install LZO

tar zxvf lzo-2.03.tar.gz
cd lzo-2.03/
./configure
make
make check
make install
cd ../

3. Install OpenVPN

tar zxvf openvpn-2.1.1.tar.gz
cd openvpn-2.1.1
./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib --with-ssl-headers=/usr/local/include/openssl --with-ssl-lib=/usr/local/lib
make
make install
cd ../

4. Generate the certificates and keys

mkdir /etc/openvpn
cp -r openvpn-2.1.1/easy-rsa /etc/openvpn/   # easy-rsa ships inside the unpacked source tree
cd /etc/openvpn/easy-rsa/2.0/
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN              # country; CN is fine
export KEY_PROVINCE=YN             # province
export KEY_CITY=KM                 # city
export KEY_ORG="vpsyou.com"        # organization
export KEY_EMAIL="vpn@vpsyou.com"  # e-mail address

Note: if the export command is not available, edit vars directly; adjust the settings above to match your own answers at the prompts.
Then run:

./clean-all
./build-ca

Answer the prompts; our example settings:

[root@test 2.0]# ./build-ca
Generating a 1024 bit RSA private key
............................++++++
..........................................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN   # country; CN is fine
State or Province Name (full name) [YN]:YN   # province
Locality Name (eg, city) [KM]:KM   # city
Organization Name (eg, company) [vpsyou.com]:vpsyou.com   # company
Organizational Unit Name (eg, section) []:vpsyou hosting   # organizational unit
Common Name (eg, your name or your server's hostname) [vpsyou.com CA]:vpsyou.com   # name or hostname
Name []:vpsyou
Email Address [vpn@vpsyou.com]:vpn@vpsyou.com   # e-mail address

5. Build the server key:

./build-key-server server

Answer the prompts; our example settings:

[root@test 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
.......++++++
............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [YN]:YN
Locality Name (eg, city) [KM]:KM
Organization Name (eg, company) [vpsyou.com]:vpsyou.com
Organizational Unit Name (eg, section) []:vpsyou hosting
Common Name (eg, your name or your server's hostname) [server]:vpsyou hosting
Name []:vpsyou
Email Address [vpn@vpsyou.com]:vpn@vpsyou.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12345678
An optional company name []:vpsyou
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'YN'
localityName          :PRINTABLE:'KM'
organizationName      :PRINTABLE:'vpsyou.com'
organizationalUnitName:PRINTABLE:'vpsyou hosting'
commonName            :PRINTABLE:'vpsyou hosting'
name                  :PRINTABLE:'vpsyou'
emailAddress          :IA5STRING:'vpn@vpsyou.com'
Certificate is to be certified until Aug  9 15:19:35 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

6. Generate the client key

./build-key client1   # client1 can be renamed, but the name must match the steps below

Answer the prompts; our example settings:

[root@test 2.0]# ./build-key client1
Generating a 1024 bit RSA private key
.....................++++++
...............++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [YN]:YN
Locality Name (eg, city) [KM]:KM
Organization Name (eg, company) [vpsyou.com]:vpsyou.com
Organizational Unit Name (eg, section) []:vpsyou hosting
Common Name (eg, your name or your server's hostname) [client1]:client1   # IMPORTANT: every client's certificate must have a different name.
Name []:vpsyou
Email Address [vpn@vpsyou.com]:vpn@vpsyou.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12345678
An optional company name []:vpsyou
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'YN'
localityName          :PRINTABLE:'KM'
organizationName      :PRINTABLE:'vpsyou.com'
organizationalUnitName:PRINTABLE:'vpsyou hosting'
commonName            :PRINTABLE:'client1'
name                  :PRINTABLE:'vpsyou'
emailAddress          :IA5STRING:'vpn@vpsyou.com'
Certificate is to be certified until Aug  9 15:21:18 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Repeat the steps above to generate further client certificates/keys, but note that client1 must be different each time, including at the prompt shown above:
Common Name (eg, your name or your server's hostname) [client1]:client1
It can be client2, client3, and so on.
7. Generate the Diffie-Hellman parameters
First edit build-dh (vi build-dh) and change $OPENSSL to openssl (vars normally exports OPENSSL, but above we set the variables by hand instead of sourcing vars), then run:

./build-dh
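Before shipping the keys directory produced by steps 4 to 7, it is worth checking that the output is what the client configuration later relies on: server.crt must chain to ca.crt and must carry the nsCertType "SSL Server" extension (that is what build-key-server adds and what the client's "ns-cert-type server" line checks, so a client certificate cannot be used to impersonate the server), and every certificate needs a distinct Common Name, as the post stresses. The script below is an added example, not part of the post or of easy-rsa; it only needs the openssl CLI. The make_demo_keys function builds a throwaway CA, server and client certificate with constructed names so the checks can be exercised without a real keys directory; it uses 2048-bit keys because 1024-bit RSA (the post's KEY_SIZE) is too small by today's standards and is rejected at the security level several distributions now ship with.

```sh
#!/bin/sh
# Added example, not part of the post: sanity-check an easy-rsa keys directory
# (ca.crt, server.crt, clientN.crt) before handing certificates out.

# Return 0 if certificate $2 chains to CA certificate $1.
cert_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Return 0 if certificate $1 carries nsCertType "SSL Server" (what the
# client's "ns-cert-type server" directive requires of the server).
cert_is_server_type() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'SSL Server'
}

# Print the CN of certificate $1 (handles both "/CN=x" and "CN = x" output).
cert_cn() {
  openssl x509 -in "$1" -noout -subject 2>/dev/null |
    sed 's/.*CN *= *\([^,/]*\).*/\1/'
}

# Return 0 if every .crt in directory $1 has a distinct CN.
cns_are_unique() {
  for f in "$1"/*.crt; do cert_cn "$f"; done | sort | uniq -d | grep -q . && return 1
  return 0
}

# Run all checks on keys directory $1; print findings, return 1 on any failure.
check_keys_dir() {
  rc=0
  cert_chains_to_ca "$1/ca.crt" "$1/server.crt" || { echo "server.crt does not chain to ca.crt"; rc=1; }
  cert_is_server_type "$1/server.crt" || { echo "server.crt lacks nsCertType=server"; rc=1; }
  cns_are_unique "$1" || { echo "duplicate Common Name among certificates"; rc=1; }
  for f in "$1"/*.crt; do
    case "$f" in */ca.crt|*/server.crt) continue ;; esac
    cert_chains_to_ca "$1/ca.crt" "$f" || { echo "$f does not chain to ca.crt"; rc=1; }
    cert_is_server_type "$f" && { echo "$f is a client certificate but is marked SSL Server"; rc=1; }
  done
  return $rc
}

# Constructed demo material (hypothetical names): a throwaway CA, a server
# certificate with nsCertType=server and one client certificate, in directory $1.
make_demo_keys() {
  d="$1"; mkdir -p "$d"
  # Minimal openssl config so the demo does not depend on the system openssl.cnf.
  printf '%s\n' '[ req ]' 'distinguished_name = dn' 'prompt = no' \
    '[ dn ]' 'CN = placeholder' \
    '[ ca_ext ]' 'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign,cRLSign' \
    '[ server_ext ]' 'nsCertType = server' > "$d/req.cnf"
  openssl req -x509 -config "$d/req.cnf" -extensions ca_ext -subj "/CN=demo CA" \
    -newkey rsa:2048 -nodes -days 1 -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -new -config "$d/req.cnf" -subj "/CN=server" \
    -newkey rsa:2048 -nodes -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -extfile "$d/req.cnf" -extensions server_ext -out "$d/server.crt" 2>/dev/null
  openssl req -new -config "$d/req.cnf" -subj "/CN=client1" \
    -newkey rsa:2048 -nodes -keyout "$d/client1.key" -out "$d/client1.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/client1.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -out "$d/client1.crt" 2>/dev/null
}

# Usage: sh check-keys.sh /etc/openvpn/easy-rsa/2.0/keys
if [ $# -eq 1 ]; then check_keys_dir "$1"; fi
```

Run it against the keys directory from step 4 after every build-key run; a duplicate CN or a server certificate without the SSL Server flag shows up here rather than as an unexplained TLS error on the Windows client.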

8. Pack up everything under keys and download it to your local machine

tar -cf keys.tar keys

You can move the archive into your web directory and download it from there, or fetch it with FTP (WinSCP).
9. Create the server configuration file

vi /usr/local/etc/server.conf

Contents:

local 173.231.13.202  # replace with your own IP
port 1194 
proto udp 
 
dev tun 
 
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
 
server 10.8.0.0 255.255.255.0 
 
client-to-client 
keepalive 10 120 
 
comp-lzo 
 
persist-key 
persist-tun 
status /etc/openvpn/easy-rsa/2.0/keys/openvpn-status.log 
verb 4 
 
push "dhcp-option DNS 10.8.0.1" 
push "dhcp-option DNS 8.8.8.8"  
push "dhcp-option DNS 8.8.4.4"

10. Create the client configuration file

vi /usr/local/etc/client.conf

Contents:

client

dev tun
proto udp

remote 173.231.13.202 1194  # replace with your own IP

persist-key 
persist-tun 
ca ca.crt 
cert client1.crt 
key client1.key 
ns-cert-type server 
comp-lzo 
verb 3 
 
redirect-gateway def1 
route-method exe
route-delay 2

11. Start OpenVPN with openvpn [server config file]:

/usr/local/sbin/openvpn --config /usr/local/etc/server.conf

12. Make OpenVPN start automatically after the server reboots: edit

vi /etc/rc.local

and add:

/usr/local/sbin/openvpn --config /usr/local/etc/server.conf > /dev/null 2>&1 &

Step 4: Install the OpenVPN GUI for Windows client
Download OpenVPN GUI for Windows from http://openvpn.se and install it on your local machine following the prompts.
Go to the C:\Program Files\OpenVPN\config directory and use an editor to create a new file named client.ovpn with the following contents:

client

dev tun
proto udp

remote 173.231.13.202 1194  # replace with your own IP

persist-key 
persist-tun 
ca ca.crt 
cert client1.crt 
key client1.key 
ns-cert-type server 
comp-lzo 
verb 3 
 
redirect-gateway def1 
route-method exe
route-delay 2

It is simply the client.conf file from above!
Then unpack the keys.tar you downloaded and put all of its contents into the C:\Program Files\OpenVPN\config directory.
Step 5: Settings for reaching the Internet through OpenVPN
1. Enable routing. Once the VPN connection is up, routing still has to be configured before Internet traffic can pass through the VPN. Add the NAT rule on the Linux host:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 173.231.13.202  # replace with your own IP
/etc/init.d/iptables save
/etc/init.d/iptables restart

The -o eth0 parameter may differ between servers; run ifconfig to find out which interface holds the IP (173.231.13.202).
IP forwarding must also be turned on. Do not use echo 1 > /proc/sys/net/ipv4/ip_forward, because that setting is lost after a reboot.
Run instead:

sysctl -w net.ipv4.ip_forward=1
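Two details of this step are easy to get wrong: picking the interface for -o, and keeping forwarding enabled across reboots. The helpers below are an added example, not part of the post. iface_for_ip finds the interface that carries the server's public address from iproute2's `ip -o -4 addr` output (the post uses ifconfig for the same purpose; the sample lines in the script are constructed, not captured), snat_rule fills the post's iptables line in with those values, and persist_ip_forward writes net.ipv4.ip_forward = 1 into a sysctl configuration file idempotently. The caveat behind the last function: `sysctl -w` changes only the running kernel, just as the echo method does, so the value must also be present in /etc/sysctl.conf (read by `sysctl -p` at boot) to survive a reboot.

```sh
#!/bin/sh
# Added example, not part of the post: helpers for the NAT / ip_forward step.

# Print the interface carrying IPv4 address $1, reading `ip -o -4 addr` lines
# from stdin; return 1 if no interface has that address.
iface_for_ip() {
  awk -v ip="$1" '
    { split($4, a, "/"); if (a[1] == ip) { print $2; found = 1; exit } }
    END { exit found ? 0 : 1 }'
}

# Print the SNAT rule for VPN subnet $1 leaving via interface $2 with
# source address $3 (the iptables line from the post with values filled in).
snat_rule() {
  echo "iptables -t nat -A POSTROUTING -s $1 -o $2 -j SNAT --to-source $3"
}

# Make net.ipv4.ip_forward = 1 persistent in sysctl config $1 (default
# /etc/sysctl.conf): rewrite an existing setting in place, otherwise append.
# Safe to run repeatedly; other settings in the file are left untouched.
persist_ip_forward() {
  f="${1:-/etc/sysctl.conf}"
  [ -e "$f" ] || : > "$f"
  if grep -q '^[[:space:]]*net\.ipv4\.ip_forward' "$f"; then
    sed 's/^[[:space:]]*net\.ipv4\.ip_forward.*/net.ipv4.ip_forward = 1/' "$f" > "$f.tmp" &&
      mv "$f.tmp" "$f"
  else
    printf 'net.ipv4.ip_forward = 1\n' >> "$f"
  fi
}

# Count the lines in $1 that enable forwarding (used to verify the edit).
ip_forward_lines() {
  grep -c '^net\.ipv4\.ip_forward = 1$' "$1" || true
}

# Constructed sample of `ip -o -4 addr` output (not captured from a real host).
sample_ip_output() {
  printf '%s\n' \
    '1: lo    inet 127.0.0.1/8 scope host lo' \
    '2: eth0    inet 173.231.13.202/24 brd 173.231.13.255 scope global eth0' \
    '3: venet0    inet 10.0.0.5/32 scope global venet0'
}

# Usage: sh nat-setup.sh 173.231.13.202
# Prints the SNAT rule to apply, persists forwarding and enables it now.
if [ $# -eq 1 ]; then
  iface=$(ip -o -4 addr | iface_for_ip "$1") || { echo "no interface has $1" >&2; exit 1; }
  snat_rule 10.8.0.0/24 "$iface" "$1"
  persist_ip_forward /etc/sysctl.conf && sysctl -w net.ipv4.ip_forward=1
fi
```

The script prints the iptables command rather than running it, so the interface it chose can be checked against ifconfig before the rule and the `/etc/init.d/iptables save` from the post are applied.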