1. Lab environment
OS | IP address | Role
CentOS 6.5 | public: 192.168.80.129, private: 192.168.10.10 | OpenVPN server
Windows 7 | 192.168.80.1 | OpenVPN client
2. Disable iptables and SELinux
Perform these steps on both the server and the client.
1) Stop iptables
service iptables stop
chkconfig iptables off
Alternatively, leave iptables running and allow the OpenVPN port through the firewall.
2) Disable SELinux
Temporarily:
setenforce 0
Permanently:
vi /etc/selinux/config
Change SELINUX=enforcing to SELINUX=disabled
3. Configure time synchronization
yum install ntp -y
ntpdate pool.ntp.org
4. Install dependencies
[root@vpnserver openvpn-2.2.2]# yum install -y openssl openssl-devel
5. Install the LZO compression library and OpenVPN
[root@vpnserver package]# rz
[root@vpnserver package]# ll
total 1464
-rw-r--r-- 1 root root 583045 Aug 8 2016 lzo-2.06.tar.gz
-rw-r--r-- 1 root root 911158 Aug 8 2016 openvpn-2.2.2.tar.gz
[root@vpnserver package]# tar xf lzo-2.06.tar.gz
[root@vpnserver package]# cd lzo-2.06
[root@vpnserver lzo-2.06]# ./configure
[root@vpnserver lzo-2.06]# make && make install
[root@vpnserver lzo-2.06]# cd ..
[root@vpnserver package]# tar xf openvpn-2.2.2.tar.gz
[root@vpnserver package]# cd openvpn-2.2.2
[root@vpnserver openvpn-2.2.2]# ./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib
[root@vpnserver openvpn-2.2.2]# make && make install
[root@vpnserver openvpn-2.2.2]# cd ..
[root@vpnserver package]# which openvpn
/usr/local/sbin/openvpn
6. Set up a private CA on the OpenVPN server
[root@vpnserver package]# cd openvpn-2.2.2/easy-rsa/2.0/
[root@vpnserver 2.0]# cp vars vars.bak
[root@vpnserver 2.0]# vim vars
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="Beijing"
export KEY_ORG="EDU"
export KEY_EMAIL="me@edu.cn"
export KEY_EMAIL=mail@edu.cn
export KEY_CN=CN
export KEY_NAME=duanfei
export KEY_OU=Tech
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
[root@vpnserver 2.0]# . vars
[root@vpnserver 2.0]# ./clean-all
[root@vpnserver 2.0]# ./build-
build-ca build-inter build-key-pass build-key-server build-req-pass
build-dh build-key build-key-pkcs12 build-req
[root@vpnserver 2.0]# ./build-ca
Generating a 1024 bit RSA private key
.............................................++++++
....................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [EDU]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) [CN]:vpnserver.edu.cn
Name [duanfei]:
Email Address [mail@edu.cn]:
[root@vpnserver 2.0]# ll keys/
total 12
-rw-r--r-- 1 root root 1318 Aug 7 10:11 ca.crt
-rw------- 1 root root 916 Aug 7 10:11 ca.key
-rw-r--r-- 1 root root 0 Aug 7 10:10 index.txt
-rw-r--r-- 1 root root 3 Aug 7 10:10 serial
7. Generate the server certificate
[root@vpnserver 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
.............++++++
...........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [EDU]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) [server]:
Name [duanfei]:
Email Address [mail@edu.cn]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:EDU
Using configuration from /package/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'Beijing'
organizationName :PRINTABLE:'EDU'
organizationalUnitName:PRINTABLE:'Tech'
commonName :PRINTABLE:'server'
name :PRINTABLE:'duanfei'
emailAddress :IA5STRING:'mail@edu.cn'
Certificate is to be certified until Aug 5 02:16:33 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
8. Generate a client certificate
[root@vpnserver 2.0]# ./build-key test
Generating a 1024 bit RSA private key
....++++++
..........................++++++
writing new private key to 'test.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [EDU]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) [test]:
Name [duanfei]:
Email Address [mail@edu.cn]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:EDU
Using configuration from /package/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'Beijing'
organizationName :PRINTABLE:'EDU'
organizationalUnitName:PRINTABLE:'Tech'
commonName :PRINTABLE:'test'
name :PRINTABLE:'duanfei'
emailAddress :IA5STRING:'mail@edu.cn'
Certificate is to be certified until Aug 5 02:34:59 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
9. Generate a client certificate with a passphrase-protected key
[root@vpnserver 2.0]# ./build-key-pass test1
Generating a 1024 bit RSA private key
............................................++++++
........++++++
writing new private key to 'test1.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [EDU]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) [test1]:
Name [duanfei]:
Email Address [mail@edu.cn]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:EDU
Using configuration from /package/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'Beijing'
organizationName :PRINTABLE:'EDU'
organizationalUnitName:PRINTABLE:'Tech'
commonName :PRINTABLE:'test1'
name :PRINTABLE:'duanfei'
emailAddress :IA5STRING:'mail@edu.cn'
Certificate is to be certified until Aug 5 02:40:09 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
10. Generate the Diffie-Hellman parameters used for key exchange:
[root@vpnserver 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..........+...........+.......+.......+...+.....................................................................+........+...................................+.......................+......+................................................................+.....................+...........................................................+....+..............................+..........................+..........+.......................................+.......+..............................................................................................+.........................+.....+........................................................+....+.......................................+.....................................................................................+....+....+...................................................+...+...........+.................+............++*++*++*
1) Check the generated file;
[root@vpnserver 2.0]# ll ./keys/dh1024.pem
-rw-r--r-- 1 root root 245 Aug 7 10:43 ./keys/dh1024.pem
2) Generate the key file used to defend against DDoS flood attacks;
[root@vpnserver 2.0]# openvpn --genkey --secret keys/ta.key
[root@vpnserver 2.0]# ll ./keys/ta.key
-rw------- 1 root root 636 Aug 7 10:48 ./keys/ta.key
11. Configure OpenVPN
1) Create the OpenVPN configuration directory and copy in the certificates
[root@vpnserver 2.0]# mkdir /etc/openvpn
[root@vpnserver 2.0]# cp -ap keys /etc/openvpn/
[root@vpnserver 2.0]# cd /package/openvpn-2.2.2/sample-config-files/
[root@vpnserver sample-config-files]# cp client.conf server.conf /etc/openvpn/
[root@vpnserver sample-config-files]# cd /etc/openvpn/
[root@vpnserver openvpn]# tree
.
|-- client.conf
|-- keys
| |-- 01.pem
| |-- 02.pem
| |-- 03.pem
| |-- ca.crt
| |-- ca.key
| |-- dh1024.pem
| |-- index.txt
| |-- index.txt.attr
| |-- index.txt.attr.old
| |-- index.txt.old
| |-- serial
| |-- serial.old
| |-- server.crt
| |-- server.csr
| |-- server.key
| |-- ta.key
| |-- test.crt
| |-- test.csr
| |-- test.key
| |-- test1.crt
| |-- test1.csr
| `-- test1.key
`-- server.conf
1 directory, 24 files
[root@vpnserver openvpn]# cp server.conf server.conf.bak
[root@vpnserver openvpn]# cp client.conf client.conf.bak
2) Review the active configuration parameters (comments and blank lines filtered out);
[root@vpnserver openvpn]# grep -vE ";|#|^$" server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
3) Edit server.conf so that it reads as follows;
local 192.168.80.129
port 1194
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client
duplicate-cn
log /var/log/openvpn.log
4) Enable kernel IP forwarding (writing to /proc takes effect immediately but does not persist across a reboot)
[root@vpnserver keys]# echo "1" >> /proc/sys/net/ipv4/ip_forward
[root@vpnserver keys]# cat /proc/sys/net/ipv4/ip_forward
1
5) Start OpenVPN
[root@vpnserver openvpn]# /usr/local/sbin/openvpn --config /etc/openvpn/server.conf &
[1] 18393
[root@vpnserver openvpn]# netstat -tunlp | grep openvpn
tcp 0 0 192.168.80.129:1194 0.0.0.0:* LISTEN 18393/openvpn
6) Check the network interfaces
[root@vpnserver openvpn]# ifconfig
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
This virtual interface (tun0) is created when the OpenVPN service starts.
12. Configure the client
1) Download the client certificate and configuration file
[root@vpnserver keys]# pwd
/package/openvpn-2.2.2/easy-rsa/2.0/keys
[root@vpnserver keys]# ll
total 88
-rw-r--r-- 1 root root 3987 Aug 7 10:16 01.pem
-rw-r--r-- 1 root root 3863 Aug 7 10:35 02.pem
-rw-r--r-- 1 root root 3864 Aug 7 10:40 03.pem
-rw-r--r-- 1 root root 1318 Aug 7 10:11 ca.crt
-rw------- 1 root root 916 Aug 7 10:11 ca.key
-rw-r--r-- 1 root root 245 Aug 7 10:43 dh1024.pem
-rw-r--r-- 1 root root 333 Aug 7 10:40 index.txt
-rw-r--r-- 1 root root 21 Aug 7 10:40 index.txt.attr
-rw-r--r-- 1 root root 21 Aug 7 10:35 index.txt.attr.old
-rw-r--r-- 1 root root 222 Aug 7 10:35 index.txt.old
-rw-r--r-- 1 root root 3 Aug 7 10:40 serial
-rw-r--r-- 1 root root 3 Aug 7 10:35 serial.old
-rw-r--r-- 1 root root 3987 Aug 7 10:16 server.crt
-rw-r--r-- 1 root root 753 Aug 7 10:16 server.csr
-rw------- 1 root root 916 Aug 7 10:16 server.key
-rw------- 1 root root 636 Aug 7 10:48 ta.key
-rw-r--r-- 1 root root 3863 Aug 7 10:35 test.crt
-rw-r--r-- 1 root root 753 Aug 7 10:34 test.csr
-rw------- 1 root root 916 Aug 7 10:34 test.key
-rw-r--r-- 1 root root 3864 Aug 7 10:40 test1.crt
-rw-r--r-- 1 root root 753 Aug 7 10:40 test1.csr
-rw------- 1 root root 1041 Aug 7 10:40 test1.key
[root@vpnserver keys]# sz -y ca.crt test.crt test.key /etc/open
openldap/ openvpn/
[root@vpnserver keys]# sz -y ca.crt test.crt test.key /etc/openvpn/client.conf
2) Configure the client
Install the OpenVPN client. Copy the client configuration file and the certificate files into a new folder named test, and place that folder in the config folder under the OpenVPN client installation directory. In the test folder create a file named test with the extension ".ovpn" and put the following into test.ovpn:
client
dev tun
proto tcp
remote 192.168.80.129 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert test.crt
key test.key
ns-cert-type server
comp-lzo
verb 3
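As an added example (not part of the original walkthrough), the small Python check below reads the server.conf and test.ovpn written above, embedded here as constructed strings with the logging and keepalive lines left out. It flags the directives both ends must agree on, and points out that ta.key from step 10 is never referenced by either file and that duplicate-cn and client-to-client widen what one client certificate can do.

```python
# Added example (not from the article): lint the server.conf / test.ovpn pair built above.
SERVER_CONF = """\
local 192.168.80.129
port 1194
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
server 10.8.0.0 255.255.255.0
comp-lzo
client-to-client
duplicate-cn
"""  # constructed from the text; logging/keepalive directives omitted for brevity
CLIENT_CONF = """\
client
dev tun
proto tcp
remote 192.168.80.129 1194
ca ca.crt
cert test.crt
key test.key
comp-lzo
"""
def parse(text):
    """Map directive -> argument string (comments stripped, first occurrence kept)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, _, args = line.partition(" ")
            conf.setdefault(name, args.strip())
    return conf
def lint(server_text, client_text):
    """Return findings: mismatches that stop the tunnel, then weak server settings."""
    s, c, findings = parse(server_text), parse(client_text), []
    remote = c.get("remote", "").split()          # "host port"
    if len(remote) < 2 or remote[1] != s.get("port", "1194"):
        findings.append("remote: client port does not match the server's port")
    for d in ("proto", "dev", "comp-lzo"):        # both ends must agree
        if (d in s) != (d in c) or s.get(d) != c.get(d):
            findings.append(f"{d}: server and client disagree")
    for side, conf in (("server", s), ("client", c)):
        if "tls-auth" not in conf:                # ta.key was generated but never used
            findings.append(f"tls-auth: missing on the {side}, so ta.key protects nothing")
    if "duplicate-cn" in s:                       # one cert shared by many users
        findings.append("duplicate-cn: per-user accountability and revocation are lost")
    if "client-to-client" in s:                   # switched inside OpenVPN, bypasses iptables
        findings.append("client-to-client: clients reach each other without server filtering")
    return findings
```

For the configurations in this article, lint(SERVER_CONF, CLIENT_CONF) returns four findings (tls-auth on both sides, duplicate-cn, client-to-client) and none once tls-auth is added to both files and the two server options are removed.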
3) Connect to OpenVPN
Double-click the OpenVPN client shortcut on Windows, right-click the tray icon, then click Connect.
A green tray icon means the connection succeeded and the client has obtained an IP address.