OpenVPN 配置文档
Published on 2015-05-28
Server配置
一、安装openvpn
Yum install –y lzo openvpn
二、生成证书
yum install –y easy-rsa
cd /etc/openvpn/easy-rsa/2.0
vi vars
#以下为配置文件内容
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="PHP"
export KEY_PROVINCE="CA"
export KEY_CITY="eastwood"
export KEY_ORG="9street"
export KEY_EMAIL="rich.zhu@9street.org"
export KEY_OU="IT"
export KEY_NAME="EasyRSA"
#以上为配置文件内容
三、让配置文件生效
source vars
四、配置并生成证书
./clean-all
./build-ca ca
./build-key-server server #生成server.key
./build-dh #生成Diffie Hellman参数
openvpn --genkey --secret keys/ta.key #生成一个openvpn server tls验证key:
./build-key certname #生成client key
五、拷贝并配置server端文件
cp /usr/share/doc/openvpn-2.3.6/sample/sample-config-files/server.conf /etc/openvpn/conf/server.conf
vi server.conf
#以下为配置文件内容
local 119.9.73.105
port 9000
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
;topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 119.9.73.105 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
;client-to-client
duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 3
;mute 20
#以上为配置文件内容
六、启动OpenVPN服务
service openvpn start
七、设置开机启动
chkconfig openvpn on
八、开启内核转发,并应用更改
vi /etc/sysctl.conf
net.ipv4.ip_forward = 1 #把0改成1
sysctl -p
Client端配置
一、安装OpenVPN
yum install openvpn
二、导入证书及配置文件
yum install openssh-clients #安装scp
scp root@119.9.73.105:/etc/openvpn/easy-rsa/2.0/keys/xingzheng.crt .
scp root@119.9.73.105:/etc/openvpn/easy-rsa/2.0/keys/xingzheng.key .
scp root@119.9.73.105:/etc/openvpn/easy-rsa/2.0/keys/ca.crt .
scp root@119.9.73.105:/usr/share/doc/openvpn-2.3.6/sample/sample-config-files/client.conf .
三、修改client.conf 配置文件
cd /etc/openvpn
vi client.conf
#以下为配置文件内容
client
;dev tap
dev tun
;dev-node MyTap
;proto tcp
proto udp
remote 119.9.73.105 9000
;remote-random
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca /etc/openvpn/ca.crt
cert /etc/openvpn/xingzheng.crt
key /etc/openvpn/xingzheng.key
remote-cert-tls server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
;mute 20
#以上为配置文件内容
四、开启内核转发,并应用更改
vi /etc/sysctl.conf
net.ipv4.ip_forward = 1 #把0改成1
sysctl -p
五、启动 openvpn 服务：
/usr/sbin/openvpn --cd /etc/openvpnClient/ --config client.conf
Iptables 规则配置
Server 端规则
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A INPUT -p tcp -m tcp --dport 9000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Client 端规则
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE