OpenVPN 配置文档

Published on 2015-05-28

Server配置

一、安装openvpn

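# Install the daemon plus lzo, which comp-lzo in server.conf depends on.
# (The original line had a capital "Yum" and a typographic dash "–y";
# neither is accepted by the shell / yum.)
yum install -y lzo openvpn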

二、生成证书

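yum install -y easy-rsa
# This guide keeps the easy-rsa 2.x scripts, vars and the keys/ directory under
# /etc/openvpn/easy-rsa/2.0 (server.conf below references keys there). If your
# package unpacked them under /usr/share/easy-rsa/2.0 instead, copy that tree
# here first. Abort if the directory is missing so vi does not edit a stray file.
cd /etc/openvpn/easy-rsa/2.0 && vi vars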

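    # --- contents of vars (easy-rsa 2.0); sourced, not executed ---
    # EASY_RSA is taken from the current directory, so source this file from
    # /etc/openvpn/easy-rsa/2.0.
    export EASY_RSA="$(pwd)"
    export OPENSSL="openssl"
    export PKCS11TOOL="pkcs11-tool"
    export GREP="grep"
    # whichopensslcnf picks the openssl-*.cnf matching the installed openssl.
    export KEY_CONFIG=$("$EASY_RSA/whichopensslcnf" "$EASY_RSA")
    export KEY_DIR="$EASY_RSA/keys"
    echo NOTE: If you run ./clean-all, I will be doing a rm -rf on    $KEY_DIR
    export PKCS11_MODULE_PATH="dummy"
    export PKCS11_PIN="dummy"
    # 2048-bit RSA keys; CA and issued certificates valid for 3650 days (10
    # years). Shorter KEY_EXPIRE plus a CRL is preferable for client certs.
    export KEY_SIZE=2048
    export CA_EXPIRE=3650
    export KEY_EXPIRE=3650
    # countryName is an X.509 field limited to exactly two letters (ISO 3166-1
    # alpha-2); the original value "PHP" is three characters and openssl rejects
    # it when build-ca / build-key run. "PH" is only a placeholder — put your
    # real country code here.
    export KEY_COUNTRY="PH"
    export KEY_PROVINCE="CA"
    export KEY_CITY="eastwood"
    export KEY_ORG="9street"
    export KEY_EMAIL="rich.zhu@9street.org"
    export KEY_OU="IT"
    export KEY_NAME="EasyRSA"
    # --- end of vars ---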

三、让配置文件生效

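# Load the variables into the current shell. "./vars" names the file in the
# current directory explicitly; a bare "vars" would first be looked up in
# $PATH. Must be run from /etc/openvpn/easy-rsa/2.0, since vars derives
# EASY_RSA from the working directory.
source ./vars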

四、配置并生成证书

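# Wipe any previous PKI state (this is the "rm -rf on $KEY_DIR" that vars
# warns about) and build a fresh CA.
./clean-all
./build-ca ca
./build-key-server server               # server cert/key -> keys/server.crt, keys/server.key
./build-dh                              # Diffie-Hellman parameters -> keys/dh2048.pem
# tls-auth (HMAC firewall) key. The server and every client share this single
# file, so it must be copied to each client together with its cert and key and
# enabled with "tls-auth ... 0" on the server and "tls-auth ... 1" on clients.
openvpn --genkey --secret keys/ta.key
# One certificate per client; the argument becomes the file name under keys/.
# The client section of this guide fetches keys/xingzheng.{crt,key}, so use
# that name (or adjust the scp lines) instead of the "certname" placeholder.
./build-key certname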

五、拷贝并配置server端文件

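# The sample path is version-specific (2.3.6 here); look under
# /usr/share/doc/openvpn-*/ for the installed version.
# Put server.conf directly in /etc/openvpn: the init script run by
# "service openvpn start" starts one instance per /etc/openvpn/*.conf (check
# /etc/init.d/openvpn on your system), so a file under /etc/openvpn/conf/ would
# never be loaded. Relative paths in the config (ipp.txt, the log files) are
# then resolved against /etc/openvpn.
cp /usr/share/doc/openvpn-2.3.6/sample/sample-config-files/server.conf /etc/openvpn/server.conf
vi /etc/openvpn/server.conf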

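# --- contents of /etc/openvpn/server.conf ---
# Listen only on the public address, UDP port 9000. The firewall rule that
# admits this traffic must therefore match udp/9000.
local 119.9.73.105
port 9000
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
# PKI material produced by easy-rsa above. server.key is the server's private
# key and must stay readable by root only.
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key  # This file should be kept secret
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
;topology subnet
# VPN address pool; clients get 10.8.0.x and the assignment is remembered in
# ipp.txt (relative to /etc/openvpn) across restarts.
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 119.9.73.105 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
# Send all client traffic through the tunnel and hand out a public resolver,
# otherwise DNS queries would leak outside the VPN.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
;client-to-client
# duplicate-cn lets several clients connect with the same certificate. It
# removes per-client accountability and makes revoking one device impossible
# without cutting off the others; issue one cert per client and drop this line.
duplicate-cn
keepalive 10 120
# HMAC firewall using the ta.key generated above: packets without a valid HMAC
# are discarded before the TLS handshake, which blunts DoS and port scans.
# Absolute path because the init script changes directory. Every client needs
# the same file with "tls-auth ... 1".
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0 # This file is secret
# Explicit data-channel cipher and HMAC. With no "cipher" line OpenVPN 2.3 uses
# BF-CBC (Blowfish, 64-bit block); "auth" otherwise defaults to SHA1. The
# client config must carry the same two values.
cipher AES-256-CBC
auth SHA256
# Compression can reveal information about the plaintext through packet sizes.
# It must be set on both ends or neither; remove here and in client.conf
# together if you drop it.
comp-lzo
;max-clients 100
# Drop root privileges once the tunnel and sockets are set up; persist-key /
# persist-tun below let restarts (keepalive) work without root.
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
# Only one of log / log-append is needed; log-append keeps history across
# restarts. Both are left here as in the sample.
log         openvpn.log
log-append  openvpn.log
verb 3
;mute 20
# --- end of server.conf ---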

六、启动OpenVPN服务

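service openvpn start
# Confirm the daemon is running and bound to udp/9000 as configured; if it is
# not, /etc/openvpn/openvpn.log holds the reason (bad paths, key permissions).
service openvpn status
netstat -lunp | grep ':9000'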

七、设置开机启动

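# Start OpenVPN at boot and show the resulting runlevel settings.
chkconfig openvpn on
chkconfig --list openvpn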

八、开启内核转发,并应用更改

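    # Enable IPv4 forwarding, persistently (sysctl.conf is applied at boot) and
    # immediately (sysctl -p), so traffic from VPN clients can be routed out of
    # eth0. Equivalent to editing the file by hand and changing 0 to 1.
    sed -i 's/^net\.ipv4\.ip_forward *= *0$/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
    grep -q '^net\.ipv4\.ip_forward *= *1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    sysctl -p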

Client端配置

一、安装OpenVPN

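# Same package as on the server; -y as in the server steps.
yum install -y openvpn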

二、导入证书及配置文件

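yum install -y openssh-clients  # provides scp
# Fetch the client's credentials from the server straight into /etc/openvpn,
# which is where client.conf below looks for them (the original copied into
# the current directory, which only works if that happens to be /etc/openvpn).
# "xingzheng" must be the name that was given to ./build-key on the server.
scp root@119.9.73.105:/etc/openvpn/easy-rsa/2.0/keys/xingzheng.crt /etc/openvpn/
scp root@119.9.73.105:/etc/openvpn/easy-rsa/2.0/keys/xingzheng.key /etc/openvpn/
scp root@119.9.73.105:/etc/openvpn/easy-rsa/2.0/keys/ca.crt /etc/openvpn/
# The shared HMAC key generated with "openvpn --genkey"; required as soon as
# tls-auth is enabled on both ends.
scp root@119.9.73.105:/etc/openvpn/easy-rsa/2.0/keys/ta.key /etc/openvpn/
scp root@119.9.73.105:/usr/share/doc/openvpn-2.3.6/sample/sample-config-files/client.conf /etc/openvpn/
# Private material must not be readable by other local users.
chmod 600 /etc/openvpn/xingzheng.key /etc/openvpn/ta.key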

三、修改client.conf 配置文件

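# Edit the copied sample in place; do not open vi if the directory is missing.
cd /etc/openvpn && vi client.conf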

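# --- contents of /etc/openvpn/client.conf ---
client
;dev tap
dev tun
;dev-node MyTap
;proto tcp
proto udp
# Must match the server's "local", "port" and "proto".
remote 119.9.73.105 9000
;remote-random
resolv-retry infinite
nobind
# Drop privileges after the tunnel is up; persist-key / persist-tun keep
# reconnects working as nobody.
user nobody
group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
# Absolute paths, so the start-up directory does not matter. The cert/key
# names must match what ./build-key produced on the server.
ca /etc/openvpn/ca.crt
cert /etc/openvpn/xingzheng.crt
key /etc/openvpn/xingzheng.key
# Only accept a peer whose certificate was issued as a server certificate
# (build-key-server). Prevents another client, holding a client cert from the
# same CA, from impersonating the server.
remote-cert-tls server
# HMAC firewall key copied from the server's keys/ta.key. The server uses
# direction 0, clients use 1. Enable on both ends or on neither.
tls-auth /etc/openvpn/ta.key 1
# Data-channel cipher and HMAC; must equal the server's values. Without a
# "cipher" line the default is BF-CBC (Blowfish, 64-bit block).
cipher AES-256-CBC
auth SHA256
# Compression has to be enabled on both ends or neither; it can leak
# information about the plaintext through packet sizes.
comp-lzo
verb 3
;mute 20
# --- end of client.conf ---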

四、开启内核转发,并应用更改

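# Only needed if this client routes traffic for other hosts (the FORWARD and
# MASQUERADE rules at the end of this guide assume it does); a plain end-host
# does not need forwarding. Enables it persistently and immediately.
sed -i 's/^net\.ipv4\.ip_forward *= *0$/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
grep -q '^net\.ipv4\.ip_forward *= *1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p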

五、启动 OpenVPN 服务：

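# Run in the foreground from the directory that holds client.conf and the
# certificates. The original used --cd /etc/openvpnClient/, which does not
# match the /etc/openvpn paths used everywhere else in this guide. Add
# --daemon (or use the init script) once the connection is known to work.
/usr/sbin/openvpn --cd /etc/openvpn --config client.conf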

Iptables 规则配置

Server 端规则

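# nat table: masquerade the VPN subnet out of eth0 (the original listed this
# rule twice; one copy is enough).
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# filter table. server.conf listens with "proto udp" on port 9000, so the accept
# rule must match UDP — the original "-p tcp --dport 9000" never matches the
# VPN traffic and the firewall would block every client.
-A INPUT -p udp -m udp --dport 9000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Required if the FORWARD chain rejects by default (the stock CentOS ruleset
# does): let client traffic cross from tun0 to eth0 and replies come back.
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT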

Client 端规则

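-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Everything arriving through the tunnel is accepted; tighten this if other
# VPN peers are not fully trusted.
-A INPUT -i tun0 -j ACCEPT
# The original also had "-A INPUT -i eth0 -j ACCEPT", which admits every
# inbound packet on the LAN/WAN interface and makes the SSH-only rule below
# pointless. It is dropped here: established/related, ICMP, loopback and SSH
# are the intended exposure.
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# Forwarding between the tunnel and eth0; only relevant when this host routes
# for others (see the ip_forward step). A plain end-host can omit these four.
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
# nat table: masquerade in both directions for the gateway use-case above.
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE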