文档章节

CentOS6下搭建OpenVPN服务器

linuxprobe16
 linuxprobe16
发布于 2016/11/13 10:13
字数 1790
阅读 22
收藏 2

• OpenVPN简介

CentOS6下搭建OpenVPN服务器CentOS6下搭建OpenVPN服务器
OpenVPN是一个用于创建虚拟专用网络(Virtual Private Network)加密通道的免费开源软件。使用OpenVPN可以方便地在家庭、办公场所、住宿酒店等不同网络访问场所之间搭建类似于局域网的专用网络通道。OpenVPN使用方便,运行性能优秀,支持Solaris、Linux 2.2+(Linux 2.2+表示Linux 2.2及以上版本,下同)、OpenBSD 3.0+、FreeBSD、NetBSD、Mac OS X、Android和Windows 2000+的操作系统,并且采用了高强度的数据加密,再加上其开源免费的特性,使得OpenVPN成为中小型企业及个人的VPN首选产品。使用OpenVPN配合特定的代理服务器,可用于访问Youtube、FaceBook、Twitter等受限网站,也可用于突破公司的网络限制。

• 工具/原料

服务器端:CentOS6.5
客  户  端:Windows7
服务器端软件:epel-release-6-8.noarch.rpm,openvpn,easy-rsa
客户端软件: openvpn-install-2.3.4

• 服务器端安装及配置

1. 关闭SELINUX

setenforce 0            //暂时关闭
 sed  -i  '^SELINUX=/c\SELINUX=disabled'   /etc/selinux/config           //重启有效

2. 安装"EPEL"源

wget  http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm          //下载centos6 32位的EPEL源
 rpm -ivh epel-release-6-8.noarch.rpm          //安装EPEL源
 yum makecache          //更新本地缓存

3. 安装openvpn

yum -y install openvpn easy-rsa

4. easy-rsa配置

mkdir -p /etc/openvpn/easy-rsa/keys
 cp -rf/usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

5.  创建CA证书和密钥

vi /etc/openvpn/easy-rsa/vars                  //更改你自己的国家,省份,城市,邮箱等...
 source   ./vars                 //初始化证书的授权中心
 ./clean-all                      //清除keys目录下面的文件
 ./build-ca                  //创建ca证书

Generating a 1024 bit RSA private key
.++++++
......................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [HZ]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:
Name [changeme]:
Email Address [mail@host.domain]:

6.  创建服务端的证书和密钥

./build-key-server server

Generating a 1024 bit RSA private key
.....++++++
.................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [HZ]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [server]:
Name [changeme]:
Email Address [mail@host.domain]:
  
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'HZ'
organizationName      :PRINTABLE:'HZ'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Mar 28 03:05:21 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
  
  
  1 out of 1 certificate requests certified, commit? [y/n]y
  Write out database with 1 new entries
Data Base Update

7. 创建客户端的证书和密钥

./build-key client1

Generating a 1024 bit RSA private key
...++++++
...............++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [HZ]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [client1]:
Name [changeme]:
Email Address [mail@host.domain]:
  
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'HZ'
organizationName      :PRINTABLE:'HZ'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'client1'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Mar 28 03:21:06 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
  
  
  1 out of 1 certificate requests certified, commit? [y/n]y
  Write out database with 1 new entries
Data Base Updated

8. 创建迪菲霍尔曼密钥交换参数

./build-dh

9. 拷贝服务端证书、秘钥等

cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,dh2048.pem,ca.crt} /etc/openvpn

10. 配置VPN服务端

cp /usr/share/doc/openvpn-2.3.*/sample/sample-config-files/server.conf/etc/openvpn/     //复制配置文件到/etc/openvpn

修改服务端配置文件:

cat server.conf | grep "^[^#|^;]"                           //列出未注释的内容
local 10.17.1.20    #监听地址

 port 1194      #监听端口

 proto tcp      #监听协议

 dev tun      #采用路由隧道模式

 ca ca.crt  #ca证书路径

 cert server.crt    #服务器证书

 key server.key    # This file should be kept secret 服务器密钥

 dh dh2048.pem  #密钥交换协议文件

 server 10.8.0.0 255.255.255.0        #给客户端分配地址池,注意:不能和VPN服务器内网网段有相同

 ifconfig-pool-persist ipp.txt

 push "route 192.168.20.0 255.255.255.0"  #允许客户端访问内网 20.0 的网段。

 push"dhcp-option DNS 8.8.8.8"              #dhcp分配dns

 client-to-client    #客户端之间互相通信

 keepalive 10 120  #存活时间,10秒ping一次,120 如未收到响应则视为断线

 comp-lzo        #传输数据压缩

 max-clients 100  #最多允许 100 客户端连接

 user nobody        #用户

 group nobody      #用户组

 persist-key

 persist-tun

 status        /var/log/openvpn/openvpn-status.log

 log        /var/log/openvpn/openvpn.log

 verb 3

11. iptables配置

清空iptables配置:

 iptables -F

 iptables -X

 配置openvpn的nat功能,将所有网段的包转发到eth0口:

 iptables -t nat -A POSTROUTING  -o eth0 -j MASQUERADE

 添加FORWARD白名单:

 iptables -A FORWARD -i tun+ -j ACCEPT

 开启系统的路由功能:

 echo "1" > /proc/sys/net/ipv4/ip_forward

 service iptables save               //保存iptables配置

 service iptables restart            //重启iptables

12. 启动openvpn

service openvpn start

13. 配置客户端

复制客户端配置文件client.ovpn:

cp /usr/share/doc/openvpn-2.3.*/sample/sample-config-files/client.conf   /etc/openvpn/client.ovpn

修改客户端配置文件:

cat server.conf | grep "^[^#|^;]"
client
 dev tun
 proto tcp     //改为tcp
 remote 203.195.xxx.xxx 1194       //OpenVPN服务器的外网IP和端口
 resolv-retry infinite
 nobind
 persist-key
 persist-tun
 ca ca.crt    //client1的证书
 cert client.crt
 key client.key    //client1的密钥
 ns-cert-type server
 comp-lzo
 verb 3

• OpenVPN客户端配置

1. 拷贝服务器端/etc/openvpn/easy-rsa/keys/{ca.crt,client.crt,client,key}和/etc/openvpn/client.ovpn到Windows7客户端
2. 下载openvpn客户端安装
下载地址: http://pan.baidu.com/s/1ZsgpS
3. 把刚才复制过来的几个文件拷贝到openvpn客户端安装目录下面的config目录里面(C:\Program Files\OpenVPN\config)
4. 启动OpenVPN GUI
在电脑右下角的openvpn图标上右击,选择“Connect”。正常情况下应该能够连接成功,分配正常的IP。

免费提供最新Linux技术教程书籍,为开源技术爱好者努力做得更多更好:http://www.linuxprobe.com/

本文转载自:http://www.linuxprobe.com/centos6-setup-openvpn.html

共有 人打赏支持
linuxprobe16
粉丝 11
博文 814
码字总数 183722
作品 0
河东
私信 提问
centos6安装openvpn2.3.6教程

wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm rpm -Uvh epel-release-6-8.noarch.rpm yum install openvpn wget https://github.com/OpenVPN/easy-rsa/ar......

果树啊
2015/03/02
0
0
CentOS6.7安装OpenVPN服务端

本文主要讲述如何在Linux(以CentOS6.7为例)环境中搭建VPN(OpenVPN)服务器。 OpenVPN基本介绍: OpenVPN是开源的VPN守护进程(daemon),easy-RSA提供一些简易的CA证书工具。 VPN原理: ...

技术小胖子
2017/11/08
0
0
CentOS搭建OpenVPN服务

安装OpenVPN软件包 默认的Centos软件源里面没有OpenVPN的软件包,我们可以添加rpmforge的repo,从而实现yum安装openvpn 针对CentOS 5 rpm -ivh http://apt.sw.be/redhat/el5/en/x8664/rpmfor...

张旭0512
2014/07/08
0
0
搭建基于证书认证登录的OpenVPN服务器

一、OpenVPN简介 OpenVPN 是一个基于 OpenSSL 库的应用层 VPN 实现。和传统 VPN 相比,它的优点是简单易用。 OpenVPN允许参与建立VPN的单点使用共享金钥,电子证书,或者用户名/密码来进行身...

技术小胖子
2017/11/02
0
0
ubuntu server 搭建openvpn(路由模式) 笔记

OpenVPN 是由ubuntu库提供的私人虚拟网络(VPN)解决方案. 具有灵活,易用,可靠,安全的特点. OpenVpn分两种模式,即桥接模式与路由模式,本次是路由模式。 实验环境:服务器:ubuntu server 11....

伪码农eric
2012/06/05
0
0

没有更多内容

加载失败,请刷新页面

加载更多

初识flask

文档 0.10.1版本 http://www.pythondoc.com/flask/index.html 1.0.2版本 https://dormousehole.readthedocs.io/en/latest/ 安装flask $ pip3 install flaskCollecting flask Downloading......

yimingkeji
昨天
0
0
Akka系统《sixteen》译

Actor是一个封装状态(state)和行为(behavior)的对象,它们只通过交换消息通信(放入收件人邮箱的邮件)。从某种意义上说,Actor是最严格的面向对象编程形式,但它更适合将他们视为人:在与Act...

woshixin
昨天
0
0
技术工坊|如何开发一款以太坊钱包(深圳)

【好消息!】HiBlock区块链技术工坊已经成功举办了26期,其中北京1期,西安1期,成都2期,上海22期。经常有社区的小伙伴问定期举办技术工坊的除了上海以外,其他城市有没有?现在区块链技术工...

HiBlock
昨天
1
0
Redis 梳理笔记

安装 安装gccyum install gcc-c++下载传输到服务器上解压tar -xzvf *.tar.gzcd redis-3.2.9编译make安装 make PREFIX=/usr/local/redis install将配置文件拷贝出来cp redis...

晨猫
昨天
0
0
聊聊storm TridentWindowManager的pendingTriggers

序 本文主要研究一下storm TridentWindowManager的pendingTriggers TridentBoltExecutor.finishBatch storm-core-1.2.2-sources.jar!/org/apache/storm/trident/topology/TridentBoltExecut......

go4it
昨天
1
0

没有更多内容

加载失败,请刷新页面

加载更多

返回顶部
顶部