OpenVPN configuration on Linux

openvpn phone   openvpn configuration   openvpn for linux   system services

System environment: CentOS 6.4

Download the software
  • Server
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz
wget http://openvpn.net/release/openvpn-2.1.3.tar.gz
wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz

  • Client (download the latest version)

    Windows: OpenVPNPortable
    iPhone: OpenVPN

Installation

1. Put the source packages needed for the install under /open (any path will do) and unpack them.

#ls 
openssl-1.0.1c.tar.gz  openvpn-2.1.3.tar.gz  lzo-2.06.tar.gz 
#for a in *gz;do tar zxf $a;done
#ls
openssl-1.0.1c openvpn-2.1.3 lzo-2.06

2. Install OpenSSL

cd openssl-1.0.1c
./config --prefix=/usr/local/openssl    # OpenSSL ships a "config" script, not "configure"
make
make install

3. Install LZO

cd lzo-2.06                              # the version downloaded above
./configure --prefix=/usr/local/lzo 
make 
make check
make test
make install

4. Install OpenVPN

cd openvpn-2.1.3
./configure --prefix=/usr/local/openvpn --with-lzo-headers=/usr/local/lzo/include/ --with-lzo-lib=/usr/local/lzo/lib/ --with-ssl-headers=/usr/local/openssl/include/ --with-ssl-lib=/usr/local/openssl/lib/
make && make install
    
5. Generate the certificates
mkdir /usr/local/openvpn/etc
cp -R easy-rsa/ /usr/local/openvpn/etc/    # copy easy-rsa from the openvpn-2.1.3 source directory
cd /usr/local/openvpn/etc/easy-rsa/2.0
vim vars                                   # set the following variables
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=1024                   # 1024-bit RSA is weak by current standards; 2048 is the usual minimum
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="CN"
export KEY_PROVINCE="GD"
export KEY_CITY="GuangZhou"
export KEY_ORG="leoiceo"
export KEY_EMAIL="admin@imdst.com"     
source vars                    # set up the environment variables (". vars" is equivalent)
./clean-all                    # clear out old keys; needs $KEY_DIR, so source vars first

6. Create the certificates and keys

./build-ca                     # build the CA certificate (CA public and private key)
./build-key-server server      # server certificate and key
./build-key client1            # client certificate; repeat this step for every client, preferably naming each after its user

7. Generate the Diffie-Hellman parameters
./build-dh
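Before the key paths go into server.conf it is worth checking what steps 5-7 actually produced: that server.crt really chains to ca.crt, that server.key belongs to it, that the server certificate carries the nsCertType=server extension the client's `ns-cert-type server` line will demand, and that the private key is not world-readable. The script below is an added example, not part of this post or of easy-rsa; it assumes easy-rsa 2.0 file names and the openssl command-line tool. `make_demo_pki` builds a constructed throw-away PKI with plain openssl so the checks can be tried offline.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check the keys/ directory
# produced by easy-rsa in steps 5-7 before its paths go into server.conf.
# Assumes easy-rsa 2.0 file names (ca.crt, <name>.crt, <name>.key) and the
# openssl command-line tool on PATH.

# check_pki KEYDIR [NAME]: verify NAME.crt/NAME.key (default "server") against ca.crt.
# Prints one line per finding; returns 0 only if every check passes.
check_pki() {
  dir=$1; name=${2:-server}; rc=0
  ca="$dir/ca.crt"; crt="$dir/$name.crt"; key="$dir/$name.key"

  # 1. The certificate must chain to the CA that clients are given as "ca ca.crt".
  if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
    echo "ok    $name.crt is signed by ca.crt"
  else
    echo "FAIL  $name.crt does not verify against ca.crt"; rc=1
  fi

  # 2. Key and certificate must belong together (same RSA modulus).
  m1=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null || true)
  m2=$(openssl rsa  -noout -modulus -in "$key" 2>/dev/null || true)
  if [ -n "$m1" ] && [ "$m1" = "$m2" ]; then
    echo "ok    $name.key matches $name.crt"
  else
    echo "FAIL  $name.key does not match $name.crt"; rc=1
  fi

  # 3. Clients configured with "ns-cert-type server" refuse a server whose certificate
  #    lacks nsCertType=server; build-key-server sets it, build-key does not.
  if openssl x509 -noout -text -in "$crt" 2>/dev/null \
       | awk '/Netscape Cert Type/ { getline; if ($0 ~ /SSL Server/) found = 1 } END { exit !found }'; then
    echo "ok    nsCertType=server is set"
  else
    echo "FAIL  nsCertType=server missing (was $name signed with build-key instead of build-key-server?)"; rc=1
  fi

  # 4. The private key must be readable by its owner only (mode 0600 or stricter).
  case $(ls -ld "$key" | cut -c5-10) in
    ------) echo "ok    $name.key is not readable by group or others" ;;
    *)      echo "FAIL  $name.key is readable by group or others"; rc=1 ;;
  esac
  return $rc
}

# make_demo_pki DIR: constructed throw-away PKI for trying check_pki offline, built
# with plain openssl rather than easy-rsa. "server" gets nsCertType=server as
# build-key-server would, "client" gets nsCertType=client as build-key would.
make_demo_pki() {
  dir=$1; mkdir -p "$dir"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=demo-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl x509 -req -sha256 -days 2 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" >/dev/null 2>&1
  printf 'nsCertType=server\n' > "$dir/server.ext"
  printf 'nsCertType=client\n' > "$dir/client.ext"
  for n in server client; do
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$n" \
      -keyout "$dir/$n.key" -out "$dir/$n.csr" >/dev/null 2>&1
    chmod 600 "$dir/$n.key"
    openssl x509 -req -sha256 -days 2 -in "$dir/$n.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -extfile "$dir/$n.ext" -out "$dir/$n.crt" >/dev/null 2>&1
  done
}

# Usage: ./check_pki.sh /usr/local/openvpn/etc/easy-rsa/2.0/keys [server]
if [ $# -gt 0 ]; then check_pki "$1" "${2:-server}"; fi
```

Running `check_pki keys client1` deliberately fails check 3: a certificate made with build-key is a client certificate, and a client that is handed it as the server's identity would refuse to connect, which is exactly the protection `ns-cert-type server` provides against a stolen client certificate being used to impersonate the server.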

8. Create the server configuration file
vim /usr/local/openvpn/etc/server.conf

local 0.0.0.0
port 1194            # if your ISP blocks this port, switch to another port or to UDP
proto tcp
dev tun
ca /usr/local/openvpn/etc/easy-rsa/2.0/keys/ca.crt
cert /usr/local/openvpn/etc/easy-rsa/2.0/keys/server.crt
key /usr/local/openvpn/etc/easy-rsa/2.0/keys/server.key  # This file should be kept secret
dh /usr/local/openvpn/etc/easy-rsa/2.0/keys/dh1024.pem
server 10.8.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
duplicate-cn         # lets several clients share one certificate; drop it when each user has their own cert as in step 6
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.log   # "log" would truncate the file on every start; use only one of the two
verb 3
mute 20     

9. Open port 1194 on the firewall (only to your own network); rules in iptables-save format:

-A POSTROUTING -o eth1 -j MASQUERADE
-A RH-Firewall-1-INPUT -s 10.8.0.0/255.255.0.0 -i tun0 -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
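The rules above open 1194 to everyone and masquerade everything leaving eth1, and they leave out the FORWARD rules and the `net.ipv4.ip_forward` sysctl that `redirect-gateway` needs. The script below is an added example, not part of this post: it reads port, proto and the `server` subnet out of server.conf and prints the matching commands, limited to the source network that the heading of step 9 asks for. It assumes the chains INPUT and FORWARD (the CentOS box in this post uses RH-Firewall-1-INPUT instead), the tunnel interface tun0, and the constructed network 203.0.113.0/24 as the "own network".

```shell
#!/bin/sh
# Added example, not part of the original post: derive the firewall rules for
# step 9 from server.conf itself, so port, protocol and VPN subnet cannot drift
# apart from what OpenVPN is actually running. Assumptions: the chains INPUT and
# FORWARD (this post's CentOS box uses RH-Firewall-1-INPUT instead), the tunnel
# interface tun0, and that the output is meant to be run as commands, e.g.
#   vpn_rules /usr/local/openvpn/etc/server.conf 203.0.113.0/24 eth1 | sh

# conf_value FILE DIRECTIVE: first value of DIRECTIVE, skipping comment lines
# and ignoring trailing "# ..." comments (awk splits on whitespace).
conf_value() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# vpn_rules CONF ALLOWED_SRC WAN_IF
#   ALLOWED_SRC  network the clients connect from ("only your own network" in step 9)
#   WAN_IF       interface the VPN subnet is masqueraded behind
vpn_rules() {
  conf=$1; allowed=$2; wan=$3
  port=$(conf_value "$conf" port)
  proto=$(conf_value "$conf" proto)
  subnet=$(awk '$1 == "server" { print $2 "/" $3; exit }' "$conf")
  if [ -z "$port" ] || [ -z "$proto" ] || [ -z "$subnet" ]; then
    echo "port, proto and server directives are all required" >&2; return 1
  fi
  # OpenVPN spells the protocol tcp, tcp-server, tcp-client or udp; iptables wants tcp or udp.
  case $proto in
    tcp*) l4=tcp ;;
    udp*) l4=udp ;;
    *)    echo "unsupported proto $proto" >&2; return 1 ;;
  esac
  echo "# accept the VPN control channel only from $allowed instead of from anywhere"
  echo "iptables -A INPUT -s $allowed -p $l4 -m state --state NEW -m $l4 --dport $port -j ACCEPT"
  echo "# redirect-gateway sends all client traffic through the tunnel, so it must be forwarded"
  echo "iptables -A FORWARD -i tun0 -o $wan -s $subnet -j ACCEPT"
  echo "iptables -A FORWARD -i $wan -o tun0 -d $subnet -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "# masquerade only the VPN subnet behind $wan, not every packet leaving that interface"
  echo "iptables -t nat -A POSTROUTING -s $subnet -o $wan -j MASQUERADE"
  echo "# forwarding is off by default on CentOS; persist this in /etc/sysctl.conf"
  echo "sysctl -w net.ipv4.ip_forward=1"
}

if [ $# -eq 3 ]; then vpn_rules "$@"; fi
```

Restricting the FORWARD and POSTROUTING rules to the `server` subnet matters once the box has more than one interface: a bare `-o eth1 -j MASQUERADE` hides every forwarded packet, not just the VPN's.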

10. Start the OpenVPN service
cd /usr/local/openvpn/sbin
./openvpn --config ../etc/server.conf &

11. Stop the service
ps aux |grep open|grep nobody|awk '{print $2}'|xargs kill -9
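The `ps | grep open | grep nobody | xargs kill -9` line kills every process of user nobody whose command line contains "open", and SIGKILL gives OpenVPN no chance to close the tun device or write its status file. The script below is an added example, not part of this post: it starts OpenVPN with the standard `--daemon`, `--writepid` and `--cd` options and stops it via the pid file, SIGTERM first and SIGKILL only as a last resort. The paths are the ones used in this post; the pid file location is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post: control the server through a pid
# file instead of "ps | grep open | grep nobody | xargs kill -9", which matches any
# process of user nobody whose command line contains "open" and skips OpenVPN's
# orderly shutdown. Paths are the ones used in this post; the pid file location is
# an assumption. --daemon, --writepid and --cd are standard OpenVPN options.
OPENVPN=${OPENVPN:-/usr/local/openvpn/sbin/openvpn}
CONF=${CONF:-/usr/local/openvpn/etc/server.conf}
PIDFILE=${PIDFILE:-/var/run/openvpn-server.pid}

# vpn_start: run OpenVPN in the background and record its pid. --cd keeps the
# relative file names in server.conf (ipp.txt, openvpn-status.log) under etc/,
# since --daemon otherwise changes directory to /.
vpn_start() {
  "$OPENVPN" --config "$CONF" --cd "$(dirname "$CONF")" --daemon --writepid "$PIDFILE"
}

# pid_alive PIDFILE: 0 if the file names a process that still exists
pid_alive() {
  [ -r "$1" ] && [ -n "$(cat "$1")" ] && kill -0 "$(cat "$1")" 2>/dev/null
}

# vpn_stop PIDFILE [TIMEOUT]: SIGTERM first so OpenVPN can close the tun device
# and flush its status file; SIGKILL only if it is still there after TIMEOUT seconds.
vpn_stop() {
  pf=$1; timeout=${2:-10}
  pid_alive "$pf" || { echo "not running"; rm -f "$pf"; return 0; }
  pid=$(cat "$pf")
  kill -TERM "$pid"
  i=0
  while [ "$i" -lt "$timeout" ] && kill -0 "$pid" 2>/dev/null; do
    sleep 1; i=$((i + 1))
  done
  if kill -0 "$pid" 2>/dev/null; then
    echo "pid $pid ignored SIGTERM for ${timeout}s, sending SIGKILL"
    kill -KILL "$pid"
  fi
  rm -f "$pf"
}

# Usage: ./openvpn-ctl.sh start|stop|status
case ${1:-} in
  start)  vpn_start ;;
  stop)   vpn_stop "$PIDFILE" ;;
  status) if pid_alive "$PIDFILE"; then echo "running, pid $(cat "$PIDFILE")"; else echo "not running"; fi ;;
esac
```

Because the pid file is written by OpenVPN itself before it drops to nobody, `vpn_stop` never has to guess which process is the VPN, and a stale file from a crash is simply removed.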


OpenVPN Windows client configuration

Download the latest OpenVPNPortable client.
Install with the defaults; the configuration directory is d:\OpenVPNPortable\data\config
1. Download ca.crt, client.crt and client.key from the server into the current directory.
2. Create a file client.ovpn with the following content:

remote vpn.imdst.com 1194                #OpenVPN server address and port
proto tcp     
client
dev tun
resolv-retry infinite
nobind
user nobody                                 #ignored on Windows, harmless to leave in
group nobody
persist-key
persist-tun
ca ca.crt
cert client.crt                             #name of the downloaded certificate
key client.key
ns-cert-type server
;route 10.0.0.0 255.255.0.0 10.0.26.254     #in a corporate setup with several networks, add static routes as needed
redirect-gateway def1
#cipher BF-CBC
#comp-lzo
verb 3
mute 20                 
    

OpenVPN phone client configuration
1. On the iPhone, install OpenVPN from the App Store.
2. Connect the phone with iTunes; once iTunes recognises the iOS device, open Apps and scroll down to File Sharing.
3. Add ca.crt, client.crt, client.key and the client.ovpn OpenVPN profile to the OpenVPN app.
4. The app loads the configuration automatically when started on the phone.