
How to install OpenVPN on CentOS

Date: 2017/3/3 16:27:01   Category: About Linux

I. OpenVPN installation environment

Server side:

1. CentOS, kernel 2.6.18, IP 192.168.1.254 (a virtual machine, version 6.5)

2. The kernel must support the tun device, and the iptables modules must be loaded.

3. OpenVPN version installed: 2.1_rc15 (the latest release at the time of writing; downloadable from http://openvpn.net). Note that 2.1_rc15 is a 2009 release candidate; on a current system install the distribution's openvpn package instead and adjust the version-specific paths below.

Client side:

1. Windows XP SP2

2. openvpn-2.0.9-gui-1.0.3-install.exe

II. Server-side installation

1. Log in to CentOS with PuTTY.

2. Download OpenVPN 2.1_rc15 and LZO 2.03:

wget http://openvpn.net/release/openvpn-2.1_rc15.tar.gz

lzo-2.03.tar.gz (download it separately)

3. Build and install LZO and OpenVPN

tar zxvf lzo-2.03.tar.gz

cd lzo-2.03

./configure

make

make install

cd ..

tar zxvf openvpn-2.1_rc15.tar.gz

cd openvpn-2.1_rc15

./configure

make

make install

Copy the configuration files (this copies the whole source tree, including easy-rsa/2.0 and sample-config-files, to /etc/openvpn; the paths used below depend on it):

cp -rf /root/openvpn-2.1_rc15/ /etc/openvpn

Generate the certificates

Initialize the PKI

Edit /etc/openvpn/easy-rsa/2.0/vars

and set the following values:

export KEY_COUNTRY="CN"

export KEY_PROVINCE="CN"

export KEY_CITY="beijing"

export KEY_ORG="beijing"

export KEY_EMAIL="<your e-mail address>"

Save the file. The same file sets KEY_SIZE, which defaults to 1024 and is what produces the "1024 bit RSA private key" lines in the transcripts below; 1024-bit RSA is no longer considered adequate, so raise it to 2048 before building anything (build-dh then writes dh2048.pem instead of dh1024.pem, and the dh line in server.conf must use that name).

III. Create the certificate authority (CA)

cd /etc/openvpn/easy-rsa/2.0

source ./vars

The easy-rsa scripts refuse to run until vars has been sourced. clean-all wipes the keys directory, so run it only when first creating the PKI, never on a CA that has already issued certificates.

[root@server 2.0]# ./clean-all

[root@server 2.0]# ./build-ca

Generating a 1024 bit RSA private key

.............++++++

........................++++++

writing new private key to 'ca.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [CN]:

Locality Name (eg, city) [beijing]:

Organization Name (eg, company) [test]:beijing

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) [test CA]:

Name []:

Email Address [[email protected]]:

IV. Create the server key

Run ./build-key-server server:

[root@server 2.0]# ./build-key-server server

Generating a 1024 bit RSA private key

.....++++++

...............................................................................................................................++++++

writing new private key to 'server.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [CN]:

Locality Name (eg, city) [beijing]:

Organization Name (eg, company) [test]:beijing

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) [server]:

Name []:

Email Address [[email protected]]:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName :PRINTABLE:'CN'

stateOrProvinceName :PRINTABLE:'CN'

localityName :PRINTABLE:'beijing'

organizationName :PRINTABLE:'beijing'

commonName :PRINTABLE:'server'

emailAddress :IA5STRING:'[email protected]'

Certificate is to be certified until Aug 12 14:55:28 2019 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@server 2.0]#

V. Generate the client keys

[root@server 2.0]# ./build-key test

Generating a 1024 bit RSA private key

.........................++++++

..................++++++

writing new private key to 'test.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [CN]:

Locality Name (eg, city) [beijing]:

Organization Name (eg, company) [test]:beijing

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) [test]:

Name []:

Email Address [[email protected]]:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName :PRINTABLE:'CN'

stateOrProvinceName :PRINTABLE:'CN'

localityName :PRINTABLE:'beijing'

organizationName :PRINTABLE:'beijing'

commonName :PRINTABLE:'test'

emailAddress :IA5STRING:'[email protected]'

Certificate is to be certified until Aug 12 14:57:18 2019 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@server 2.0]#

Create further client keys the same way:

./build-key test2

./build-key test3

Generate the Diffie-Hellman parameters

Run:

./build-dh

This writes keys/dh1024.pem (the name follows KEY_SIZE), which the dh line of server.conf must point to.

Pack up the files under keys/ and download them to the local machine (WinSCP, http, ftp, ...). Be selective here: ca.key is the CA's signing key and should never leave this host, and each client should receive only ca.crt plus its own certificate and private key, over an authenticated, encrypted channel such as scp/WinSCP rather than plain http or ftp.
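As an added example (not part of the original post), the script below performs the same steps as clean-all, build-ca, build-key-server server and build-key test with plain openssl commands, and then runs the checks worth doing before any key leaves the CA host: each certificate chains to ca.crt, each private key matches its certificate, keys are at least 2048 bits, only server.crt carries the nsCertType=server marker (the one a client's ns-cert-type server / remote-cert-tls server directive checks), and key files are not readable by other users. The DN values and the names server and test follow the walkthrough; the 2048-bit key size, the extension lists and the output directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the easy-rsa 2.0 steps above
# (clean-all, build-ca, build-key-server server, build-key test) done with
# plain openssl so they can be scripted, followed by the checks to run
# before any key leaves this host. The DN values and the names 'server' and
# 'test' follow the walkthrough; the 2048-bit key size, the extension lists
# and the directory argument are assumptions.
set -eu

KEY_COUNTRY=CN; KEY_PROVINCE=CN; KEY_CITY=beijing; KEY_ORG=beijing   # as in vars
KEY_SIZE=2048   # easy-rsa 2.0's vars defaults to 1024, which is too small today
DAYS=3650

dn() { printf '/C=%s/ST=%s/L=%s/O=%s/CN=%s' "$KEY_COUNTRY" "$KEY_PROVINCE" "$KEY_CITY" "$KEY_ORG" "$1"; }

# issue DIR NAME ROLE : request + CA signature. ROLE 'server' adds the
# nsCertType=server marker that build-key-server sets and that the client's
# ns-cert-type/remote-cert-tls directive checks; client certs must not have it.
issue() {
  dir=$1; name=$2; role=$3
  openssl req -new -newkey "rsa:$KEY_SIZE" -nodes -sha256 -subj "$(dn "$name")" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  if [ "$role" = server ]; then
    printf 'nsCertType=server\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > "$dir/$name.ext"
  else
    printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$dir/$name.ext"
  fi
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days "$DAYS" -sha256 -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
  chmod 600 "$dir/$name.key"
}

# build_pki DIR : fresh CA, one server certificate and one client certificate
build_pki() {
  rm -rf "$1"; mkdir -p "$1"; chmod 700 "$1"                       # clean-all
  openssl req -new -newkey "rsa:$KEY_SIZE" -nodes -sha256 -subj "$(dn 'test CA')" \
    -keyout "$1/ca.key" -out "$1/ca.csr" 2>/dev/null               # build-ca
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$1/ca.ext"
  openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -days "$DAYS" -sha256 \
    -extfile "$1/ca.ext" -out "$1/ca.crt" 2>/dev/null
  chmod 600 "$1/ca.key"
  issue "$1" server server                                         # build-key-server server
  issue "$1" test client                                           # build-key test
}

# verify_pki DIR : the checks to run before copying anything to a client;
# prints each failure and returns the number of failures
verify_pki() {
  dir=$1; fails=0
  for crt in "$dir"/*.crt; do
    name=$(basename "$crt" .crt)
    [ "$name" = ca ] && continue
    # signed by our CA, not by some other key that happens to be lying around
    openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null 2>&1 \
      || { echo "FAIL: $name.crt does not chain to ca.crt"; fails=$((fails + 1)); }
    # the private key really belongs to this certificate (compare public keys)
    c=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$dir/$name.key" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ] || { echo "FAIL: $name.key does not match $name.crt"; fails=$((fails + 1)); }
    # key length
    bits=$(openssl x509 -in "$crt" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: $name.crt uses a ${bits:-?}-bit key"; fails=$((fails + 1)); }
    # only the server certificate may carry the server marker; a client cert
    # carrying it could impersonate the VPN server towards other clients
    if openssl x509 -in "$crt" -noout -text | grep -q 'SSL Server'; then is_server=yes; else is_server=no; fi
    if [ "$name" = server ] && [ "$is_server" = no ]; then
      echo "FAIL: server.crt lacks nsCertType=server"; fails=$((fails + 1))
    elif [ "$name" != server ] && [ "$is_server" = yes ]; then
      echo "FAIL: $name.crt is marked as a server certificate"; fails=$((fails + 1))
    fi
  done
  # private keys must not be readable by other users
  for f in "$dir"/*.key; do
    case $(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f") in
      600|400) ;;
      *) echo "FAIL: $f is readable by others"; fails=$((fails + 1)) ;;
    esac
  done
  return "$fails"
}

# Usage: sh pki.sh /etc/openvpn/easy-rsa/2.0/keys
if [ "$#" -ge 1 ]; then build_pki "$1"; verify_pki "$1"; fi
```

The verification half is the useful part for an existing easy-rsa 2.0 keys directory as well: point verify_pki at it and it reports certificates that do not chain to ca.crt, keys that do not match, 1024-bit keys, and client certificates that were accidentally built with build-key-server.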

Create the server configuration file

cp /root/openvpn-2.1_rc15/sample-config-files/server.conf /etc/openvpn

and edit it so that the active directives read as below. Give the certificate, key and dh files absolute paths: OpenVPN resolves relative names against the daemon's working directory, not the directory of the config file, so a bare dh1024.pem is only found if it has been copied next to server.conf or the daemon is started from that directory.

port 1194

proto udp

dev tun

ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt

cert /etc/openvpn/easy-rsa/2.0/keys/server.crt

key /etc/openvpn/easy-rsa/2.0/keys/server.key

dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

keepalive 10 120

comp-lzo

persist-key

persist-tun

status openvpn-status.log

verb 3
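Added example, not from the original post: a small audit of the server.conf listed above placed beside a hardened version of it. It flags 1024-bit DH parameters, the absence of tls-auth (without it any host on the internet can deliver packets to the TLS code before authentication), a daemon that does not drop root (no user/group), compression (comp-lzo, which mixes attacker-influenced and secret data in one compressor) and the missing cipher directive (OpenVPN 2.x before 2.4 then defaults to BF-CBC, a 64-bit block cipher). Both sample files are written by the script itself; the paths in the hardened version, including the ta.key produced by openvpn --genkey --secret ta.key, are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit an OpenVPN server
# configuration for the settings a reviewer would flag, and compare the
# walkthrough's server.conf with a hardened one. Both sample files are
# constructed here; the file paths in them are assumptions.
set -eu

# audit_server_conf FILE : print one finding per line, return the number of findings
audit_server_conf() {
  conf=$1; n=0
  clean=$(sed 's/[#;].*//' "$conf")   # drop comments so ';user nobody' does not count as set
  has() { printf '%s\n' "$clean" | grep -Eq "^[[:space:]]*$1"'([[:space:]]|$)'; }
  val() { printf '%s\n' "$clean" | awk -v k="$1" '$1 == k { print $2; exit }'; }
  case $(val dh) in
    *1024*) echo "WEAK: dh points at 1024-bit parameters; generate 2048-bit ones (openssl dhparam -out dh2048.pem 2048)"; n=$((n + 1)) ;;
  esac
  has tls-auth || has tls-crypt \
    || { echo "MISSING: tls-auth; unauthenticated UDP packets reach the TLS code (create ta.key with openvpn --genkey --secret ta.key)"; n=$((n + 1)); }
  { has user && has group; } \
    || { echo "MISSING: user/group; the daemon keeps running as root after initialisation"; n=$((n + 1)); }
  has comp-lzo \
    && { echo "WEAK: comp-lzo compresses attacker-influenced and secret data together (VORACLE); drop it unless required"; n=$((n + 1)); }
  has cipher \
    || { echo "WEAK: no cipher directive; OpenVPN 2.x before 2.4 defaults to BF-CBC, a 64-bit block cipher (SWEET32)"; n=$((n + 1)); }
  return "$n"
}

# write_samples DIR : the server.conf from the walkthrough (weak.conf) and a hardened one
write_samples() {
  mkdir -p "$1"
  cat > "$1/weak.conf" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
  cat > "$1/hardened.conf" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
cipher AES-256-CBC
auth SHA256
user nobody
group nobody
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
}

# Usage: sh audit.sh /etc/openvpn/server.conf   (exit status = number of findings)
if [ "$#" -ge 1 ]; then audit_server_conf "$1"; fi
```

The exit status is the number of findings, so the script can gate a deployment. Once the file passes, start the daemon with openvpn --config /etc/openvpn/server.conf; persist-key and persist-tun are what let it keep working after user/group drop its privileges, and the tls-auth line needs the matching tls-auth ta.key 1 plus a copy of ta.key on every client.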

VI. Client-side setup

# Download and install OpenVPN (GUI version)

http://openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe

# Set up the environment

Go to the c:\Program Files\OpenVPN\easy-rsa directory

Save openssl.cnf.sample as openssl.cnf

Save vars.bat.sample as vars.bat

Edit vars.bat:

set KEY_COUNTRY="CN"

set KEY_PROVINCE="CN"

set KEY_CITY="beijing"

set KEY_ORG="beijing"

set KEY_EMAIL="<your e-mail address>"

(The values must match the server's, especially KEY_ORG.) In this walkthrough every client key is generated on the server, so this client-side easy-rsa setup only matters if you later generate certificate requests on the client itself.

Install the CA file // done on the client

Go to the c:\Program Files\OpenVPN\config directory

Download ca.crt, the client's certificate (XXX.crt, where XXX is the name given to build-key) and its private key (XXX.key) from the server into the local OpenVPN config directory.

# Copy client.ovpn from the sample-config directory:

Copy

c:\Program Files\OpenVPN\config\sample-config\client.ovpn

to c:\Program Files\OpenVPN\config

# Configure the client

Right-click the OpenVPN GUI icon in the system tray --> Edit Config (leave anything not mentioned here as it is):

dev tun

;dev tap

remote 192.168.1.254 1194

ca ca.crt

cert test.crt

key test.key

The device type must match the server, which uses dev tun (the original listed dev tap, which does not interoperate with a tun server). Also add or uncomment ns-cert-type server: it makes the client accept only a certificate built with build-key-server, so another client's certificate cannot be used to impersonate the server.

Double-click the openvpn-gui icon in the tray; the connection window opens and shows the tunnel being established.

Test: cmd --> ipconfig /all

ping 10.8.0.1

To give a client a fixed address instead of one from the pool, add client-config-dir ccd to server.conf and create the directory /etc/openvpn/ccd.

In it, create a file named exactly after the Common Name of the client's certificate (test for the client above; the original used client1), e.g. vi /etc/openvpn/ccd/test, and write ifconfig-push 10.8.0.X 255.255.255.0

to bind the virtual IP. That address-plus-netmask form is only valid when the server has topology subnet; with dev tun and the default net30 topology the second argument is the client's peer address, and the two addresses must form one /30 block (last octets 4k+2 and 4k+1).
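Added example, not from the original post: generating and validating the per-client files under client-config-dir for both topologies. The 10.8.0.0/24 network and the client name test are the walkthrough's values; the ccd directory is an assumption. The validator catches the form the original uses (address plus netmask) when the server runs the default net30 topology, where OpenVPN would read 255.255.255.0 as the peer address.

```shell
#!/bin/sh
# Added example, not from the original post: write and validate the
# per-client ifconfig-push files under client-config-dir. The 10.8.0.0/24
# network and the client name 'test' come from the walkthrough; the
# directory is an assumption.
set -eu

NET=10.8.0      # first three octets of the 'server 10.8.0.0 255.255.255.0' network

# ccd_line INDEX TOPOLOGY : the ifconfig-push line for client number INDEX (1, 2, ...)
#   net30  : each client owns a /30; the client gets 4k+2, its server-side peer is 4k+1
#   subnet : flat /24 under 'topology subnet'; the client gets k+1, the second argument is the netmask
ccd_line() {
  k=$1; topo=$2
  case $topo in
    net30)
      [ "$k" -ge 1 ] && [ "$k" -le 63 ] || { echo "net30 index must be 1..63" >&2; return 1; }
      printf 'ifconfig-push %s.%d %s.%d\n' "$NET" $((4 * k + 2)) "$NET" $((4 * k + 1)) ;;
    subnet)
      [ "$k" -ge 1 ] && [ "$k" -le 253 ] || { echo "subnet index must be 1..253" >&2; return 1; }
      printf 'ifconfig-push %s.%d 255.255.255.0\n' "$NET" $((k + 1)) ;;
    *) echo "unknown topology: $topo" >&2; return 1 ;;
  esac
}

# write_ccd DIR CN INDEX TOPOLOGY : the file name must be the client certificate's CN, exactly
write_ccd() {
  mkdir -p "$1"
  ccd_line "$3" "$4" > "$1/$2"
  chmod 644 "$1/$2"
}

# validate_ccd FILE TOPOLOGY : 0 if the file's ifconfig-push line fits TOPOLOGY, else 1 with a message
validate_ccd() {
  f=$1; topo=$2
  set -- $(awk '$1 == "ifconfig-push" { print $2, $3; exit }' "$f")
  [ "$#" -eq 2 ] || { echo "$f: no ifconfig-push line"; return 1; }
  lo=$1; re=$2
  case $topo in
    subnet)
      [ "$re" = 255.255.255.0 ] \
        || { echo "$f: under topology subnet the second argument is the netmask, not $re"; return 1; } ;;
    net30)
      case $re in
        255.*) echo "$f: $re is a netmask; net30 needs the /30 peer address (e.g. ${NET}.6 ${NET}.5)"; return 1 ;;
      esac
      l=${lo##*.}; r=${re##*.}
      [ "${lo%.*}" = "${re%.*}" ] && [ $((r % 4)) -eq 1 ] && [ "$l" -eq $((r + 1)) ] \
        || { echo "$f: $lo $re is not a /30 pair (last octets must be 4k+2 and 4k+1)"; return 1; } ;;
    *) echo "unknown topology: $topo"; return 1 ;;
  esac
}

# Usage: sh ccd.sh /etc/openvpn/ccd test 1 net30
if [ "$#" -eq 4 ]; then write_ccd "$1" "$2" "$3" "$4"; validate_ccd "$1/$2" "$4"; fi
```

Run validate_ccd over every file in the ccd directory after changing the server's topology: a file that was correct for net30 is wrong for subnet and vice versa, and OpenVPN pushes whatever is there without complaint.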

This article is from the 影子騎士 blog; please keep the source attribution: http://andylhz2009.blog.51cto.com/728703/192520
