I. OpenVPN installation environment
1. Server environment
Red Hat Enterprise Linux AS release 4 (Nahant Update 8)
Kernel: 2.6.27.48
IP: 192.168.0.1
2. Client environment
Windows XP PRO SP2
IP: 192.168.0.2
II. OpenVPN server installation
1. Check that the kernel supports the tun device; the iptables module also needs to be loaded.
Check whether the tun module is present:
Code:
[root@localhost ~]# modinfo tun
filename:       /lib/modules/2.6.27.48/kernel/drivers/net/tun.ko
description:    Universal TUN/TAP device driver
author:         (C) 1999-2004 Max Krasnyansky <[email protected]>
license:        GPL
alias:          char-major-10-200
vermagic:       2.6.27.48 SMP mod_unload modversions 686 4KSTACKS
depends:
2. Check OpenSSL
OpenSSL must be installed before SSL connections can be enabled. RHEL 4 installs OpenSSL by default; if it is missing, install it yourself.
3. Download and install LZO
Download the latest lzo-2.03.tar.gz from http://www.oberhumer.com/opensource/lzo/download/
Code:
[root@localhost src]# tar zxvf lzo-2.03.tar.gz
[root@localhost src]# cd lzo-2.03
[root@localhost lzo-2.03]# ./configure
[root@localhost lzo-2.03]# make
[root@localhost lzo-2.03]# make check      (runs the checks; this step can be skipped)
[root@localhost lzo-2.03]# make test       (runs the full test suite; this step can be skipped)
[root@localhost lzo-2.03]# make install    (install as root)
4. Download and install OpenVPN
Download the latest openvpn-2.1.2.tar.gz from http://openvpn.net/download.html
Code:
[root@localhost src]# tar zxvf openvpn-2.1.2.tar.gz
[root@localhost src]# cd openvpn-2.1.2
[root@localhost openvpn-2.1.2]# ./configure --prefix=/usr/local/openvpn \
    --with-lzo-lib=/usr/local/lib \
    --with-ssl-headers=/usr/include/openssl \
    --with-ssl-lib=/lib
[root@localhost openvpn-2.1.2]# make
[root@localhost openvpn-2.1.2]# make install
5. Generate the certificates and keys for the VPN server and clients
Set the environment variables
Method 1: declare the variables with export
Code:
[root@localhost openvpn-2.1.2]# cd easy-rsa/2.0
[root@localhost 2.0]# export D=`pwd`
[root@localhost 2.0]# export KEY_CONFIG=$D/openssl.cnf
[root@localhost 2.0]# export KEY_DIR=$D/keys
[root@localhost 2.0]# export KEY_SIZE=1024
[root@localhost 2.0]# export KEY_COUNTRY=CN
[root@localhost 2.0]# export KEY_PROVINCE=SH
[root@localhost 2.0]# export KEY_CITY=SH
[root@localhost 2.0]# export KEY_ORG="dzh.com"
[root@localhost 2.0]# export KEY_EMAIL="[email protected]"
Method 2: edit the variables file vars
Code:
[root@localhost 2.0]# vi vars    (set the variables in the file to the values shown above)
[root@localhost 2.0]# . vars
Clean out any previous CA certificates and keys
Code:
[root@localhost 2.0]# ./clean-all
Generate the CA
Code:
[root@localhost 2.0]# ./build-ca
Generating a 1024 bit RSA private key
...............++++++
.....++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) [dzh.com]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [dzh.com CA]:
Name []:
Email Address [[email protected]]:
Because these values were already set in the variables, pressing Enter at each prompt accepts the defaults.
Generate the key for the OpenVPN server
Code:
[root@localhost 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
.........................................++++++
.........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) [dzh.com]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Name []:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/src/openvpn-2.1.2/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SH'
localityName          :PRINTABLE:'Shanghai'
organizationName      :PRINTABLE:'dzh.com'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Aug 17 07:20:17 2020 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate the key for a client
Code:
[root@localhost 2.0]# ./build-key client1
Generating a 1024 bit RSA private key
....................................++++++
........++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) [dzh.com]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:
Name []:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/src/openvpn-2.1.2/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SH'
localityName          :PRINTABLE:'Shanghai'
organizationName      :PRINTABLE:'dzh.com'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Aug 17 07:24:46 2020 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
If there are several clients, run ./build-key once per client to generate a separate key for each of them.
Note that at the prompt Common Name (eg, your name or your server's hostname) []: the name entered for each certificate must be different.
Generate the Diffie-Hellman parameters
Code:
[root@localhost 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...............................+....+..........................+..............................................................+............+..............+.................................................................+.......................................+............................................+...........+..............+..........................................................................+.......................+.......................................+................................+...........................+........+....................+.+.+........................................+....++*++*++*
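Each build-key run above ends with "Data Base Updated", meaning OpenSSL appended a line to the CA index file keys/index.txt. The following added script (not part of the article or of easy-rsa; the index lines are constructed to match the DNs shown above) reads that file and reports duplicate Common Names among valid certificates, which the note above warns against, together with revoked and expired entries.

```python
"""Sanity-check the easy-rsa CA database (keys/index.txt) that every
./build-key-server and ./build-key run appends to ("Data Base Updated").
Added example, not part of the original article or of easy-rsa. OpenVPN tells
connected clients apart by the Common Name (CN) of their certificates, which
is why the article requires a different CN per certificate; this reports
duplicate CNs among valid certificates plus revoked and expired entries.
The index content is constructed to match the DNs shown in the article.
"""
from datetime import datetime, timezone

# Constructed sample index.txt (tab-separated): status (V valid, R revoked,
# E expired), expiry as YYMMDDHHMMSSZ, revocation date (empty unless revoked),
# serial (hex), certificate file name ("unknown" for easy-rsa), subject DN.
SAMPLE_INDEX = (
    "V\t200817072017Z\t\t01\tunknown\t/C=CN/ST=SH/L=Shanghai/O=dzh.com/CN=server\n"
    "V\t200817072446Z\t\t02\tunknown\t/C=CN/ST=SH/L=Shanghai/O=dzh.com/CN=client1\n"
    "R\t200817080000Z\t100901000000Z\t03\tunknown\t/C=CN/ST=SH/L=Shanghai/O=dzh.com/CN=client2\n"
)

def parse_index(text):
    """Return one dict per index.txt line: status, expiry (UTC), serial, cn."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, _revoked, serial, _fname, subject = line.split("\t")
        dn = dict(part.split("=", 1) for part in subject.strip("/").split("/"))
        entries.append({
            "status": status,
            "expiry": datetime.strptime(expiry, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc),
            "serial": serial,
            "cn": dn.get("CN", ""),
        })
    return entries

def check_index(text, today=None):
    """Return (findings, valid_cns); today is 'YYYY-MM-DD' or None for now."""
    now = datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc) if today else datetime.now(timezone.utc)
    findings, valid_cns = [], []
    for e in parse_index(text):
        if e["status"] == "R":
            findings.append(f"serial {e['serial']} CN={e['cn']}: revoked")
        elif e["status"] == "E" or e["expiry"] <= now:
            findings.append(f"serial {e['serial']} CN={e['cn']}: expired {e['expiry']:%Y-%m-%d}")
        elif e["cn"] in valid_cns:  # OpenVPN could not tell these two clients apart
            findings.append(f"serial {e['serial']} CN={e['cn']}: duplicate CN of a valid certificate")
        else:
            valid_cns.append(e["cn"])
    return findings, valid_cns
```

Run it against the real file with `check_index(open("keys/index.txt").read())` after each build-key.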
6. Create the server configuration file and the service start-up script
Code:
[root@localhost openvpn-2.1.2]# mkdir /etc/openvpn
[root@localhost openvpn-2.1.2]# cp sample-config-files/server.conf /etc/openvpn
[root@localhost openvpn-2.1.2]# cp sample-scripts/openvpn.init /etc/init.d/openvpnd
Note: the path to the openvpn binary in the stock openvpn.init script may not match where you actually installed it, so it has to be changed.
[root@localhost openvpn-2.1.2]# vi /etc/init.d/openvpnd
In the script, change openvpn_locations="/usr/sbin/openvpn /usr/local/sbin/openvpn" to the actual install path, for example: openvpn_locations="/usr/local/openvpn/sbin/openvpn"
[root@localhost openvpn-2.1.2]# chkconfig --add openvpnd
[root@localhost openvpn-2.1.2]# cp easy-rsa/2.0/keys/ca.crt /etc/openvpn/
[root@localhost openvpn-2.1.2]# cp easy-rsa/2.0/keys/server.crt /etc/openvpn/
[root@localhost openvpn-2.1.2]# cp easy-rsa/2.0/keys/server.key /etc/openvpn/
[root@localhost openvpn-2.1.2]# cp easy-rsa/2.0/keys/dh1024.pem /etc/openvpn/
7. Start the OpenVPN server
Code:
[root@localhost openvpn-2.1.2]# service openvpnd start
Starting openvpn:                                          [  OK  ]
[root@localhost openvpn-2.1.2]# tail /var/log/messages
Aug 20 15:50:29 localhost openvpn[20961]: OpenVPN 2.1.2 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Aug 20 2010
Aug 20 15:50:29 localhost openvpn[20961]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Aug 20 15:50:29 localhost openvpn[20961]: Diffie-Hellman initialized with 1024 bit key
Aug 20 15:50:29 localhost openvpn[20961]: TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Aug 20 15:50:29 localhost openvpn[20961]: Socket Buffers: R=[109568->131072] S=[109568->131072]
Aug 20 15:50:29 localhost openvpn[20961]: ROUTE default_gateway=222.73.34.190
Aug 20 15:50:29 localhost openvpn[20961]: TUN/TAP device tun0 opened
Aug 20 15:50:29 localhost openvpn[20961]: TUN/TAP TX queue length set to 100
Aug 20 15:50:29 localhost openvpn[20961]: /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Aug 20 15:50:29 localhost kernel: tun0: Disabled Privacy Extensions
Aug 20 15:50:29 localhost openvpn[20961]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Aug 20 15:50:29 localhost openvpn[20961]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Aug 20 15:50:29 localhost openvpn[20966]: UDPv4 link local (bound): [undef]:1194
Aug 20 15:50:29 localhost openvpn[20966]: UDPv4 link remote: [undef]
Aug 20 15:50:29 localhost openvpn[20966]: MULTI: multi_init called, r=256 v=256
Aug 20 15:50:29 localhost openvpnd: succeeded
Aug 20 15:50:29 localhost openvpn[20966]: IFCONFIG POOL: base=10.8.0.4 size=62
Aug 20 15:50:29 localhost openvpn[20966]: IFCONFIG POOL LIST
Aug 20 15:50:29 localhost openvpn[20966]: Initialization Sequence Completed
Aug 20 15:50:34 localhost udevd[1278]: udev done!
[root@localhost openvpn-2.1.2]# ifconfig -a
          Link encap:Ethernet  HWaddr 00:26:55:1E:D8:9A
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::226:55ff:fe1e:d89a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:526 (526.0 b)
          Interrupt:193 Memory:fa000000-fa012100

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1754296 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1754296 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:165016597 (157.3 MiB)  TX bytes:165016597 (157.3 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
When you see the output above, the openvpn service is running and the server-side configuration is complete.
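Rather than reading the whole syslog by eye, the start-up lines can be reduced to the few facts that matter (listening socket, tun device and addresses, client pool, and whether "Initialization Sequence Completed" was reached). This is an added example, not code from the article or the OpenVPN project; the embedded log excerpt is copied from the article, and the functions accept any syslog text containing such lines.

```python
"""Reduce the /var/log/messages lines from "service openvpnd start" to a health
summary. Added example, not part of the original article or of OpenVPN; the log
excerpt below is copied from the article, and the functions work on any syslog
file that contains such lines.
"""
import re

SAMPLE_LOG = """\
Aug 20 15:50:29 localhost openvpn[20961]: OpenVPN 2.1.2 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Aug 20 2010
Aug 20 15:50:29 localhost openvpn[20961]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Aug 20 15:50:29 localhost openvpn[20961]: Diffie-Hellman initialized with 1024 bit key
Aug 20 15:50:29 localhost openvpn[20961]: TUN/TAP device tun0 opened
Aug 20 15:50:29 localhost openvpn[20961]: /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Aug 20 15:50:29 localhost openvpn[20966]: UDPv4 link local (bound): [undef]:1194
Aug 20 15:50:29 localhost openvpn[20966]: IFCONFIG POOL: base=10.8.0.4 size=62
Aug 20 15:50:29 localhost openvpn[20966]: Initialization Sequence Completed
"""

# syslog prefix written by the openvpn daemon; lines from other daemons are skipped
SYSLOG = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ openvpn\[\d+\]: (?P<msg>.*)$")
PATTERNS = {  # one regex per fact; a single group yields a string, several a tuple
    "version": re.compile(r"^OpenVPN (\S+) "),
    "tun_dev": re.compile(r"TUN/TAP device (\S+) opened"),
    "tun_addr": re.compile(r"ifconfig (\S+) (\S+) pointopoint (\S+)"),
    "listen": re.compile(r"(UDPv4|TCPv4) link local \(bound\): \[(\S*)\]:(\d+)"),
    "pool": re.compile(r"IFCONFIG POOL: base=(\S+) size=(\d+)"),
}

def summarize_startup(log_text):
    """Return a dict of the facts found in the openvpn lines of log_text."""
    summary = {"ready": False, "notes": []}
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        msg = m["msg"]
        if msg.startswith(("NOTE:", "WARNING:")):
            summary["notes"].append(msg)  # worth a look even when start-up succeeds
        summary["ready"] |= msg == "Initialization Sequence Completed"
        for key, pat in PATTERNS.items():
            hit = pat.search(msg)
            if hit:
                summary[key] = hit.group(1) if len(hit.groups()) == 1 else hit.groups()
    return summary

def startup_problems(summary):
    """List what is missing for the start-up to count as healthy."""
    problems = [] if summary["ready"] else ["no 'Initialization Sequence Completed' line"]
    problems += [f"no {k} line found" for k in ("listen", "tun_dev", "tun_addr") if k not in summary]
    return problems
```

An empty list from `startup_problems(summarize_startup(open("/var/log/messages").read()))` corresponds to the healthy output shown above.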
III. Installing the OpenVPN GUI for Windows client
1. Download and install OpenVPN GUI for Windows
Download openvpn-2.1.2-install.exe from http://openvpn.net/index.php/open-source/downloads.html
Note: the OpenVPN GUI version must match the version of the OpenVPN server.
I will not go through the Windows installation step by step, since everyone knows how to do it. I installed to the default path, C:\Program Files\OpenVPN.
2. Configure the client configuration file
Copy client.ovpn from the sample-config directory into the config directory.
Open client.ovpn in Notepad and change the following lines:
remote my-server-1 1194    change to    remote 192.168.0.1 1194
cert client.crt            change to    cert client1.crt
key client.key             change to    key client1.key
Download the certificates from the server
Copy the three files ca.crt, client1.crt and client1.key from the server into the client's config directory.
3. Start the client GUI
Open the Start menu -> Programs -> openvpn -> openvpn gui, and click the "Connect" button in the program window.
Code:
C:\Documents and Settings\office>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : office
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter vpn:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : TAP-Win32 Adapter V9
        Physical Address. . . . . . . . . : 00-FF-FF-5D-70-E6
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.8.0.6
        Subnet Mask . . . . . . . . . . . : 255.255.255.252
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : 10.8.0.5
        Lease Obtained. . . . . . . . . . : 2010年8月20日 16:47:39
        Lease Expires . . . . . . . . . . : 2011年8月20日 16:47:39

Ethernet adapter local:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC
        Physical Address. . . . . . . . . : 00-1B-B9-5F-C3-58
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.9.21.74
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.9.21.254
        DHCP Server . . . . . . . . . . . : 10.9.21.254
        DNS Servers . . . . . . . . . . . : 114.80.136.14
                                            114.80.157.11
        Lease Obtained. . . . . . . . . . : 2010年8月20日 12:41:54
        Lease Expires . . . . . . . . . . : 2010年8月21日 12:41:54
When the vpn adapter has obtained a correct IP address as above, the client has connected to the server successfully. If the client should connect to the server automatically whenever the operating system starts, find the openvpn service in the Windows Services console and set its start-up type to "Automatic".