Installing OpenVPN on CentOS 6.5 64-bit
1. Install the EPEL repository
# wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
# rpm -Uvh epel-release-6-8.noarch.rpm
2. Install OpenVPN
# yum install openvpn easy-rsa
3. Configure easy-rsa
# mkdir -p /etc/openvpn/easy-rsa/keys
# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
4. Create the CA certificate and key
# vi /etc/openvpn/easy-rsa/vars
Change the country, province, city, e-mail address and so on to your own values.
# cd /etc/openvpn/easy-rsa/
Initialise the certificate authority:
# cp openssl-1.0.0.cnf openssl.cnf
# source ./vars
# ./clean-all
Create the CA certificate and key:
# ./build-ca
Generating a 2048 bit RSA private key
......................................................+++
............................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]: ----> Press Enter
State or Province Name (full name) [TN]: ----> Press Enter
Locality Name (eg, city) [Erode]: ----> Press Enter
Organization Name (eg, company) [Unixmen]: ----> Press Enter
Organizational Unit Name (eg, section) [server]: ----> Press Enter
Common Name (eg, your name or your server's hostname) [...] ----> Press Enter
Name [...] ----> Press Enter
Email Address [...] ----> Press Enter
5. Create the server certificate and key
# ./build-key-server server
Generating a 2048 bit RSA private key
....................+++
.............+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]: ----> Press Enter
State or Province Name (full name) [TN]: ----> Press Enter
Locality Name (eg, city) [Erode]: ----> Press Enter
Organization Name (eg, company) [Unixmen]: ----> Press Enter
Organizational Unit Name (eg, section) [server]: ----> Press Enter
Common Name (eg, your name or your server's hostname) [server]: ----> Press Enter
Name [EasyRSA]: ----> Press Enter
Email Address [[email protected]]: ----> Press Enter
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ----> Press Enter
An optional company name []: ----> Press Enter
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'IN'
stateOrProvinceName :PRINTABLE:'TN'
localityName :PRINTABLE:'Erode'
organizationName :PRINTABLE:'Unixmen'
organizationalUnitName :PRINTABLE:'server'
commonName :PRINTABLE:'server'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Mar 23 12:21:34 2024 GMT (3650 days)
Sign the certificate? [y/n]:y ----> Type Y and Press Enter
1 out of 1 certificate requests certified, commit? [y/n]y ----> Type Y and Press Enter
Write out database with 1 new entries
Data Base Updated
6. Create the client certificate and key
# ./build-key client
Generating a 2048 bit RSA private key
.......+++
..................................................................................................+++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]: ----> Press Enter
State or Province Name (full name) [TN]: ----> Press Enter
Locality Name (eg, city) [Erode]: ----> Press Enter
Organization Name (eg, company) [Unixmen]: ----> Press Enter
Organizational Unit Name (eg, section) [server]: ----> Press Enter
Common Name (eg, your name or your server's hostname) [client]: ----> Press Enter
Name [EasyRSA]: ----> Press Enter
Email Address [[email protected]]: ----> Press Enter
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ----> Press Enter
An optional company name []: ----> Press Enter
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'IN'
stateOrProvinceName :PRINTABLE:'TN'
localityName :PRINTABLE:'Erode'
organizationName :PRINTABLE:'Unixmen'
organizationalUnitName :PRINTABLE:'server'
commonName :PRINTABLE:'client'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Mar 23 12:23:44 2024 GMT (3650 days)
Sign the certificate? [y/n]:y ----> Type Y and Press Enter
1 out of 1 certificate requests certified, commit? [y/n]y ----> Type Y and Press Enter
Write out database with 1 new entries
Data Base Updated
7. Create the Diffie-Hellman key exchange parameters
Generate the DH parameters:
# ./build-dh
Copy the server certificate, key and related files into place:
# cd /etc/openvpn/easy-rsa/keys/
# cp dh2048.pem ca.crt server.crt server.key /etc/openvpn/
Client certificate and key: ca.crt, client.crt, client.key (these are needed when editing the OpenVPN client configuration file).
8. Configure the VPN server
# cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn/
# vi /etc/openvpn/server.conf
Make the following changes in server.conf:
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh2048.pem
push "redirect-gateway def1 bypass-dhcp"
You can also set your own DNS servers; Google's public DNS is used here.
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
user nobody
group nobody
iptables configuration
=====================
Flush the existing rules:
# iptables -F
# iptables -X
Check and confirm:
# iptables -L -n
Allow the SSH port through:
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -P OUTPUT ACCEPT
Allow connections to the OpenVPN port (the sample server.conf and the client.ovpn in step 9 both use proto udp, so the rule must match UDP; a TCP-only rule here would leave the VPN port blocked):
# iptables -A INPUT -p udp --dport 1194 -j ACCEPT
Configure NAT for OpenVPN: masquerade all packets from the 10.8.0.0/24 subnet out through eth0:
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Enable IP forwarding in the kernel (this setting is lost on reboot; to make it persistent, also set net.ipv4.ip_forward = 1 in /etc/sysctl.conf):
# echo "1" > /proc/sys/net/ipv4/ip_forward
Add a FORWARD whitelist for the tun interfaces:
# iptables -A FORWARD -i tun+ -j ACCEPT
Allow all connections from the VPN subnet:
# iptables -A INPUT -s 10.8.0.0/24 -j ACCEPT
Keep already established connections:
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# service iptables save
# service iptables start
Start the service:
# service openvpn start
This step may fail, because the OpenVPN init script differs slightly between distributions. If it does, edit /etc/init.d/openvpn and comment out the following lines:
# Source networking configuration.
#. /etc/sysconfig/network
# Check that networking is up.
#if [ ${NETWORKING} = "no" ]
#then
# echo "Networking is down"
# exit 0
#fi
9. Configure the client
Edit the client configuration file client.ovpn; its format is shown below. Change the IP address and port to those of your server.
--------------------------
client
dev tun
proto udp
remote 172.16.18.21 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
<ca>
paste the contents of ca.crt here
</ca>
<cert>
paste the contents of client.crt here
</cert>
<key>
paste the contents of client.key here
</key>
--------------------------
Install openvpn-client.msi.
Double-click client.ovpn.
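A small POSIX shell helper, added here as an example and not part of the original post, that builds the inline client.ovpn of step 9 from the easy-rsa outputs instead of pasting by hand. It assumes the file names from step 7 (ca.crt, client.crt, client.key) and the server address and port from the config above; the `demo` function writes constructed placeholder files, not real certificates. It also adds `remote-cert-tls server`, which the page's config does not have.

```shell
#!/bin/sh
# Builds the inline client.ovpn of step 9 from the easy-rsa outputs instead of
# pasting by hand. Only the PEM block of each file is embedded: build-key writes a
# text dump above the certificate in client.crt that is noise inside <cert>.
pem_block() {  # $1 = file, $2 = PEM label suffix ("CERTIFICATE" or "PRIVATE KEY")
    sed -n "/^-----BEGIN.*$2-----\$/,/^-----END.*$2-----\$/p" "$1"
}
make_client_ovpn() {  # args: server port ca.crt client.crt client.key
    server=$1; port=$2; ca=$3; cert=$4; key=$5
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    # Refuse to emit a config whose <ca>, <cert> or <key> section would be empty.
    [ -n "$(pem_block "$ca" CERTIFICATE)" ]    || { echo "no certificate in $ca" >&2; return 1; }
    [ -n "$(pem_block "$cert" CERTIFICATE)" ]  || { echo "no certificate in $cert" >&2; return 1; }
    [ -n "$(pem_block "$key" 'PRIVATE KEY')" ] || { echo "no private key in $key" >&2; return 1; }
    cat <<EOF
client
dev tun
proto udp
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
# Not in the page's config: accept only a server cert built with build-key-server,
# so a leaked client cert cannot be used to impersonate the server.
remote-cert-tls server
comp-lzo
verb 3
<ca>
$(pem_block "$ca" CERTIFICATE)
</ca>
<cert>
$(pem_block "$cert" CERTIFICATE)
</cert>
<key>
$(pem_block "$key" 'PRIVATE KEY')
</key>
EOF
}
demo() {  # constructed placeholder files standing in for the easy-rsa output
    d=$(mktemp -d)
    printf '%s\n' 'Certificate:' '    Data: (text dump)' '-----BEGIN CERTIFICATE-----' 'CA_PLACEHOLDER' '-----END CERTIFICATE-----' > "$d/ca.crt"
    printf '%s\n' 'Certificate:' '    Data: (text dump)' '-----BEGIN CERTIFICATE-----' 'CLIENT_PLACEHOLDER' '-----END CERTIFICATE-----' > "$d/client.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'KEY_PLACEHOLDER' '-----END PRIVATE KEY-----' > "$d/client.key"
    make_client_ovpn 172.16.18.21 1194 "$d/ca.crt" "$d/client.crt" "$d/client.key"; rc=$?
    rm -rf "$d"; return $rc
}
```

Run it as `make_client_ovpn <server> <port> ca.crt client.crt client.key > client.ovpn`; treat the resulting file as carefully as client.key itself, since it embeds the private key.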