
Detailed tutorial: installing and configuring OpenVPN on a Linux VPS

Date: 2017/3/1 17:33:48   Editor: Linux技術

OpenVPN is a far better choice than PPTP, whose MS-CHAPv2 authentication is known to be broken. It runs a TLS handshake in which the server and each client present an X.509 certificate issued by your own CA, so both ends are authenticated and every packet on the tunnel is encrypted; the "three certificates" this refers to are the CA, server and client certificates built below. The original text also rates it above L2TP and IPsec; a correctly configured IPsec tunnel is not weaker, but OpenVPN's single user-space daemon with certificate-based mutual authentication is considerably easier to set up correctly.

Installation steps:

I. First check whether the tun device is usable on the VPS. If it is not, ask the provider's support to enable it; without it OpenVPN cannot start.
Log in as root and run:

Code as follows:
# cat /dev/net/tun
cat: /dev/net/tun: File descriptor in bad state

If the output looks like the above, the tun device is usable (on an OpenVZ container this error is the normal response when the host has enabled TUN/TAP for you). "No such file or directory" or "No such device" means the device is not available and OpenVPN cannot be installed.

II. Download the required packages:

Code as follows:
wget ftp://rpmfind.net/linux/epel/5/i386/pkcs11-helper-devel-1.07-2.el5.1.i386.rpm
wget ftp://rpmfind.net/linux/epel/5/i386/pkcs11-helper-1.07-2.el5.1.i386.rpm
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gz
wget http://swupdate.openvpn.net/community/releases/openvpn-2.1.4.tar.gz

These are the versions the original tutorial was written against: EPEL 5 packages for a 32-bit CentOS 5 system (use the x86_64 RPMs on a 64-bit host) and OpenVPN 2.1.4, a 2010 release that is no longer maintained. On a current distribution install the packaged openvpn and easy-rsa instead and pick the tutorial up again at the certificate steps; the PKI, configuration and firewall sections apply unchanged.

III. Install the build dependencies with yum

Code as follows:
yum install -y gcc make openssl openssl-devel automake pkgconfig iptables   # gcc and make are needed for the source builds below


IV. Install the OpenVPN server
1. Install the pkcs11-helper RPM packages

Code as follows:
rpm -ivh pkcs11-helper-1.07-2.el5.1.i386.rpm
rpm -ivh pkcs11-helper-devel-1.07-2.el5.1.i386.rpm

2. Install LZO

Code as follows:
tar zxvf lzo-2.04.tar.gz
cd lzo-2.04/
./configure --prefix=/opt/lzo
make
make check
make install
cd ../

3. Install OpenVPN

Code as follows:
tar zxvf openvpn-2.1.4.tar.gz
cd openvpn-2.1.4
# on a 64-bit system the OpenSSL libraries live in /usr/lib64
./configure --prefix=/opt/openvpn --with-lzo-headers=/opt/lzo/include --with-lzo-lib=/opt/lzo/lib --with-ssl-headers=/usr/include/openssl --with-ssl-lib=/usr/lib
make
make install

Next comes the creation of the certificates and keys. Three are needed: the CA, the server key and certificate, and a client key and certificate.

4. Generate the certificates and keys

Code as follows:
cp -r easy-rsa /opt/openvpn/      # run from inside the openvpn-2.1.4 source directory
cd /opt/openvpn/easy-rsa/2.0/
vim export_new_var

# contents of export_new_var:
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
export KEY_SIZE=1024   # 1024-bit RSA is too weak today; use 2048 (build-dh then writes dh2048.pem, so adjust the dh line in server.conf)
export KEY_COUNTRY=CN              # country
export KEY_PROVINCE=BJ             # province
export KEY_CITY=BJ                 # city
export KEY_ORG="btschina.com"      # organization
export KEY_EMAIL="[email protected]"   # e-mail
source export_new_var
./clean-all

./build-ca

Generating a 1024 bit RSA private key
..++++++
...........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [btschina.com]:
Organizational Unit Name (eg, section) []:btschina
Common Name (eg, your name or your server's hostname) [btschina.com CA]:btschina.com
Name []:btschina
Email Address [[email protected]]:


5. Create the server key

Code as follows:
[root@centos 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
..........................++++++
..........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [btschina.com]:
Organizational Unit Name (eg, section) []:btschina
Common Name (eg, your name or your server's hostname) [server]:btschina.com
Name []:btschina
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:btschina.com
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'BJ'
organizationName      :PRINTABLE:'btschina.com'
organizationalUnitName:PRINTABLE:'btschina'
commonName            :PRINTABLE:'btschina.com'
name                  :PRINTABLE:'btschina'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Apr 12 08:21:52 2021 GMT (3650 days)
Sign the certificate? [y/n]:y

The "challenge password" asked for here is only an attribute of the certificate request, which easy-rsa's CA ignores; it does not protect server.key. easy-rsa 2.0 writes the private keys unencrypted (it passes -nodes to openssl), so restrict them with file permissions (chmod 600) and never copy server.key or ca.key off the server.

6. Generate the client key

Code as follows:
[root@centos 2.0]# ./build-key client1
Generating a 1024 bit RSA private key

................................................................................
.........++++++
......................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [btschina.com]:
Organizational Unit Name (eg, section) []:btschina
Common Name (eg, your name or your server's hostname) [client1]:
Name []:btschina
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:btschina.com
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'BJ'
organizationName      :PRINTABLE:'btschina.com'
organizationalUnitName:PRINTABLE:'btschina'
commonName            :PRINTABLE:'client1'
name                  :PRINTABLE:'btschina'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Apr 12 08:24:33 2021 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated



To generate more client keys, repeat the step above, changing client1 to client2, client3, and so on. Give every client its own certificate: a certificate shared between clients cannot be revoked for one of them without cutting off the others.

All keys have now been generated. If you want to delete them and start over, run the following. Note that clean-all also deletes the CA, so every certificate issued so far becomes invalid.

Code as follows:
source export_new_var
./clean-all

7. Generate the Diffie-Hellman parameters

Code as follows:
./build-dh     # writes keys/dh${KEY_SIZE}.pem, i.e. dh1024.pem with the settings above
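The same CA / server / client1 PKI built with plain openssl, as an added example that is not part of the original tutorial or of easy-rsa. It uses 2048-bit RSA keys and SHA-256 instead of the 1024-bit default above, and sets on the server certificate both nsCertType=server (what the client's ns-cert-type directive checks) and extendedKeyUsage=serverAuth (what the newer remote-cert-tls server directive checks), while the client certificate is limited to clientAuth so it can never pass as a server. The output directory, subject fields and 3650-day lifetime are assumptions that mirror the tutorial's values; the DH step is a separate function because it is slow.

```sh
#!/bin/sh
# Added example (not the tutorial's or easy-rsa's code): build the tutorial's
# three-certificate PKI with plain openssl. Assumptions: subject fields and
# 3650-day lifetime copied from the tutorial, output directory given as $1.
set -eu

SUBJ="/C=CN/ST=BJ/L=BJ/O=btschina.com"

# build_pki DIR - writes ca.crt/ca.key, server.crt/server.key, client1.crt/client1.key
build_pki() {
    dir=$1
    mkdir -p "$dir"

    # X.509v3 extensions: the CA may only sign; the server cert carries the
    # markers that "ns-cert-type server" and "remote-cert-tls server" look for;
    # the client cert is restricted to clientAuth so it cannot pose as a server.
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$dir/ca.ext"
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' 'nsCertType=server' > "$dir/server.ext"
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature' 'extendedKeyUsage=clientAuth' > "$dir/client.ext"

    # CA key and self-signed certificate (the tutorial's ./build-ca step)
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$SUBJ/CN=btschina CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -sha256 -days 3650 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

    # Server and client: CSR, then sign with the CA (./build-key-server, ./build-key)
    for name in server client1; do
        case $name in server) ext=server ;; *) ext=client ;; esac
        openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$SUBJ/CN=$name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -sha256 -days 3650 -extfile "$dir/$ext.ext" \
            -out "$dir/$name.crt" 2>/dev/null
    done

    chmod 600 "$dir"/*.key          # private keys are written unencrypted
    rm -f "$dir"/*.csr "$dir"/*.ext
}

# build_dh DIR BITS - the server's dh parameters (./build-dh); 2048 bits takes minutes
build_dh() {
    openssl dhparam -out "$1/dh$2.pem" "$2" 2>/dev/null
}

# verify_pki DIR - 0 if both leaf certs chain to ca.crt, the server cert is
# accepted for TLS server use, the client cert is not, and all keys are 2048-bit
verify_pki() {
    dir=$1
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" "$dir/client1.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt" -noout -purpose | grep -q 'SSL server : Yes' || return 1
    openssl x509 -in "$dir/client1.crt" -noout -purpose | grep -q 'SSL server : No' || return 1
    for k in "$dir"/*.key; do
        openssl rsa -in "$k" -noout -text 2>/dev/null | grep -q '2048 bit' || return 1
    done
}

# Usage: sh make-pki.sh /opt/openvpn/easy-rsa/2.0/keys
if [ -n "${1:-}" ]; then
    build_pki "$1" && verify_pki "$1" && echo "PKI written to $1"
fi
```

The certificates produced this way drop into the server.conf and client configs below unchanged; only the dh line changes if you generate 2048-bit parameters with build_dh. verify_pki is the check worth keeping around: it catches a client certificate that was accidentally issued with server extensions, which is exactly the case in which any client could impersonate the server.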

8. Package the files a client needs and download them

The original tutorial tars the whole keys directory. Do not do that: keys/ also holds ca.key (anyone holding it can issue certificates your server trusts) and server.key. A client only needs ca.crt, its own certificate and its own private key.

Code as follows:
tar -cf keys.tar -C keys ca.crt client1.crt client1.key
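An alternative to the tar file of step 8, as an added example that is not part of the original tutorial: it writes one self-contained client1.ovpn with the client's material inline, allow-listing exactly three files so ca.key and server.key can never end up on the client, and includes a check that a bundle contains no line of either secret. The keys directory layout and client name are the tutorial's; the server address 203.0.113.5 and the template directives are assumptions (remote-cert-tls server is the current form of the ns-cert-type server line used in the tutorial's client configs; on an OpenVPN 2.1 client use ns-cert-type server instead).

```sh
#!/bin/sh
# Added example (not the tutorial's code): emit one self-contained .ovpn for a
# single client from the easy-rsa keys directory. Assumptions: keys/ holds
# ca.crt, <client>.crt and <client>.key as produced above; the server address
# and the directives in the template are placeholders to adjust.
set -eu

# pem FILE - print only the PEM block; easy-rsa 2.0 .crt files start with a
# text dump of the certificate, which must not end up inside <cert>.
pem() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# make_client_bundle KEYDIR CLIENT SERVER_IP OUTFILE
# Writes OUTFILE (mode 600); returns 1 if any of the three needed files is missing.
make_client_bundle() {
    keydir=$1 client=$2 server=$3 out=$4

    # Allow-list: exactly these files may leave the server for this client.
    for f in ca.crt "$client.crt" "$client.key"; do
        [ -r "$keydir/$f" ] || { echo "missing $keydir/$f" >&2; return 1; }
    done

    umask 077       # the bundle embeds a private key
    {
        printf '%s\n' client 'dev tun' 'proto udp' "remote $server 1194" \
            nobind persist-key persist-tun 'remote-cert-tls server' \
            'verb 3' 'redirect-gateway def1'
        echo '<ca>';   pem "$keydir/ca.crt";        echo '</ca>'
        echo '<cert>'; pem "$keydir/$client.crt";   echo '</cert>'
        echo '<key>';  pem "$keydir/$client.key";   echo '</key>'
    } > "$out"
}

# bundle_is_clean BUNDLE KEYDIR - 0 if no body line of ca.key or server.key
# appears in BUNDLE, 1 if one does (run before handing a bundle to a client)
bundle_is_clean() {
    for secret in "$2/ca.key" "$2/server.key"; do
        [ -r "$secret" ] || continue
        # compare only the base64 body lines, which are unique per key
        if pem "$secret" | grep -v -- '-----' | grep -qxF -f - "$1"; then
            return 1
        fi
    done
    return 0
}

# Usage: sh make-bundle.sh /opt/openvpn/easy-rsa/2.0/keys client1 203.0.113.5 client1.ovpn
if [ -n "${4:-}" ]; then
    make_client_bundle "$1" "$2" "$3" "$4"
    bundle_is_clean "$4" "$1" && echo "wrote $4"
fi
```

Because the certificate and key are inline, the Windows client in section VI needs only this one file in its profile directory instead of three, and there is nothing else in the download that could be mistaken for a file the client needs.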

9. Create the server configuration file

Code as follows:
vi /opt/openvpn/etc/server.conf     # create /opt/openvpn/etc first if make install did not

Contents:
port 1194
proto udp

dev tun

ca /opt/openvpn/easy-rsa/2.0/keys/ca.crt
cert /opt/openvpn/easy-rsa/2.0/keys/server.crt
key /opt/openvpn/easy-rsa/2.0/keys/server.key
dh /opt/openvpn/easy-rsa/2.0/keys/dh1024.pem   # dh2048.pem if KEY_SIZE was raised to 2048

server 10.10.20.0 255.255.255.0   # VPN subnet; the server itself takes 10.10.20.1

client-to-client    # lets clients reach each other; remove it if only client-to-server traffic is needed
keepalive 10 120

comp-lzo

persist-key
persist-tun
status /opt/openvpn/easy-rsa/2.0/keys/openvpn-status.log
verb 4

push "dhcp-option DNS 10.10.20.1"   # only useful if a resolver runs on the server's tunnel address
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

With this configuration the daemon keeps running as root. Adding "user nobody" and "group nobody" (persist-key and persist-tun are already present, so the privilege drop survives restarts) limits what a compromised process can do, and a "tls-auth ta.key 0" line with a key generated by "openvpn --genkey --secret ta.key" makes the server discard packets that do not carry the shared HMAC before they reach the TLS code. comp-lzo is kept here because the tutorial's clients expect it, but compression of a tunnel that carries secrets alongside attacker-influenced data is a known weakness and is best left off.

10. Create the client configuration file (this copy on the server is for testing from a Linux client; the Windows version is in section VI)

Code as follows:
vi /opt/openvpn/etc/client.conf

Contents:
client

dev tun
proto udp

remote 204.74.215.57 1194   # replace with your own server IP
persist-key
persist-tun
ca /opt/openvpn/easy-rsa/2.0/keys/ca.crt
cert /opt/openvpn/easy-rsa/2.0/keys/client1.crt
key /opt/openvpn/easy-rsa/2.0/keys/client1.key
ns-cert-type server    # accepts only a certificate built with build-key-server; OpenVPN 2.4+ clients use "remote-cert-tls server" instead
comp-lzo
verb 3

redirect-gateway def1
# route-method is a Windows-only option; a Linux client rejects it, so it is commented out here
# route-method exe
route-delay 2
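A hardening check over the two configuration files above, as an added example that is not part of the original tutorial. It flags the points a reviewer would raise about these configs: comp-lzo, no tls-auth/tls-crypt, no privilege drop, 1024-bit DH parameters and client-to-client on the server side, and the deprecated ns-cert-type (or no server-certificate check at all) on the client side. The directive names are real OpenVPN 2.x options; the wording of the findings and the paths in the usage line are ours.

```sh
#!/bin/sh
# Added example (not from the tutorial or OpenVPN): flag weak settings in the
# server.conf / client.conf shown above. Directive names are OpenVPN 2.x
# options; the text of each finding is ours.
set -eu

# has_opt FILE REGEX - true if a non-comment line starts with a directive matching REGEX
has_opt() {
    grep -Eq "^[[:space:]]*($2)([[:space:]]|\$)" "$1"
}

# check_openvpn_conf FILE ROLE - ROLE is "server" or "client". Prints one line
# per finding and returns the number of findings (0 means clean).
check_openvpn_conf() {
    f=$1 role=$2 n=0
    flag() { echo "$f: $1"; n=$((n + 1)); }

    # Findings that apply to both ends of the tunnel
    if has_opt "$f" 'comp-lzo|compress'; then
        flag "comp-lzo: compression lets an attacker who can inject traffic recover secrets (VORACLE); remove it"
    fi
    if ! has_opt "$f" 'tls-auth|tls-crypt'; then
        flag "no tls-auth/tls-crypt: unauthenticated UDP packets reach the TLS parser; add a shared ta.key"
    fi

    case $role in
    server)
        if ! has_opt "$f" 'user'; then
            flag "no 'user nobody': the daemon keeps root after the tunnel is up"
        fi
        if ! has_opt "$f" 'group'; then
            flag "no 'group nobody'"
        fi
        if grep -Eq '^[[:space:]]*dh[[:space:]].*dh(512|1024)\.pem' "$f"; then
            flag "dh: parameters below 2048 bits; regenerate with KEY_SIZE=2048"
        fi
        if has_opt "$f" 'client-to-client'; then
            flag "client-to-client: every client can reach every other client; remove unless required"
        fi
        ;;
    client)
        if ! has_opt "$f" 'remote-cert-tls|ns-cert-type'; then
            flag "no remote-cert-tls/ns-cert-type: any client certificate from this CA could impersonate the server"
        fi
        if has_opt "$f" 'ns-cert-type'; then
            flag "ns-cert-type: deprecated; use 'remote-cert-tls server' (works with certs from build-key-server)"
        fi
        ;;
    *)
        echo "usage: check_openvpn_conf FILE server|client" >&2
        return 2
        ;;
    esac
    return $n
}

# Usage: sh check-conf.sh /opt/openvpn/etc/server.conf server
if [ -n "${2:-}" ]; then
    check_openvpn_conf "$1" "$2"
fi
```

Run against the tutorial's server.conf this reports six findings; a version with dh2048.pem, tls-auth, user/group nobody and without comp-lzo and client-to-client reports none. The check deliberately ignores commented-out directives, so a "# user nobody" line does not count as a privilege drop.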

11. Start OpenVPN automatically after the server reboots

Code as follows:
vi /etc/rc.local

Add:

Code as follows:
/opt/openvpn/sbin/openvpn --config /opt/openvpn/etc/server.conf > /dev/null 2>&1 &

Start the OpenVPN server now

Code as follows:
/opt/openvpn/sbin/openvpn --config /opt/openvpn/etc/server.conf > /dev/null 2>&1 &

Backgrounding the process with its output discarded loses every error message. The "--daemon" option together with a "log /var/log/openvpn.log" line in server.conf gives the same effect with a usable log.

Check that the server has started by running

Code as follows:
netstat -lnp

If a line with 0.0.0.0:1194 appears, the server has started successfully.

V. Firewall rules
1. Open the OpenVPN server port

Code as follows:
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT

2. Enable NAT so that clients share the server's Internet connection

Code as follows:
iptables -t nat -A POSTROUTING -s 10.10.20.0/255.255.255.0 -o eth0 -j MASQUERADE

3. Enable packet forwarding

Code as follows:
sysctl -w net.ipv4.ip_forward=1

None of this survives a reboot: save the rules with "service iptables save" and put "net.ipv4.ip_forward = 1" in /etc/sysctl.conf. eth0 must be the interface that carries the server's public address, and if the FORWARD chain's policy is DROP, traffic between tun0 and eth0 has to be accepted there as well.

VI. Installing the OpenVPN GUI client on Windows
1. Download and install .NET Framework 3.5 SP1
The OpenVPN client used here requires .NET Framework 3.5 SP1 or later, so unfortunately it has to be installed first.
Download: http://www.microsoft.com/downloads/zh-cn/details.aspx?FamilyID=333325fd-ae52-4e35-b531-508d977d32a6&DisplayLang=zh-cn

2. Download and install the OpenVPN client
Download: http://swupdate.openvpn.net/downloads/openvpn-client.msi

3. Create the client configuration file

Go to the program directory C:\Program Files\OpenVPN Technologies\OpenVPN Client\etc\profile
and create a file client.ovpn with this content:
client

dev tun
proto udp

remote 204.74.215.57 1194   # replace with your own server IP

persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3

redirect-gateway def1
route-method exe
route-delay 2
4. Put the required certificate files in the client directory
Unpack the keys.tar created earlier and move ca.crt, client1.crt and client1.key (nothing else: in particular not ca.key or server.key) into:
C:\Program Files\OpenVPN Technologies\OpenVPN Client\etc\profile

5. Start the OpenVPN client
Start the OpenVPN client software, click "add connection profile", choose import from a local file, and import the client.ovpn just created.
(Screenshots of the import dialog omitted.)

A Client1 entry then appears in the interface; click it to connect.
(Screenshot omitted.)

Connected successfully.
(Screenshot omitted.)

This completes the OpenVPN installation. If your VPS is hosted outside China, you can now use it to get past the GFW.

VII. Uninstalling OpenVPN
If OpenVPN turns out to be too much trouble or you want to remove it for any other reason, run the following, and delete the line added to /etc/rc.local.

Code as follows:
killall openvpn
rpm -e pkcs11-helper-devel pkcs11-helper   # rpm -e takes package names, not .rpm file names; remove -devel first
rm -rf /opt/lzo
rm -rf /opt/openvpn
