\u672c\u6587\u4ee5CentOS 6 \u4f5c\u4e3aOpenVPN\u670d\u52a1\u5668\uff0cWIN XP\u53caWIN 7\u4f5c\u4e3a\u5ba2\u6237\u7aef\u64cd\u4f5c\u7cfb\u7edf\u3002\u4ee5\u4e0b\u5185\u5bb9\u5927\u91cf\u501f\u9274\u4e86pcman\u5927\u4fa0\u7684\u6587\u7ae0\u3002\u5728\u6b64\u57fa\u7840\u4e0a\uff0c\u8001\u718a\u53c8\u6839\u636e\u5b9e\u9645\u7ecf\u9a8c\u6539\u5199\u4e86\u4e00\u4e9b\u914d\u7f6e\u9009\u9879\u3002<\/p>\n
\u5148\u8bf4\u670d\u52a1\u5668\u7aef<\/span> openvpn\u4e0d\u5728centos\u9ed8\u8ba4\u7684yum\u5b89\u88c5\u6e90\u5185\u3002\u9700\u8981\u5148\u5b89\u88c5Fedora\u7684EPEL\u6e90\u3002<\/p>\n \u5176\u4ed6\u66f4\u591a\u8f6f\u4ef6\u5305\u6765\u6e90\uff0c\u8bf7\u770bEPEL\u3001Remi\u3001RPMForge\u3001RPMFusion\u5b89\u88c5\u4ecb\u7ecd<\/a><\/p>\n 2. \u521d\u59cb\u5316<\/span><\/p>\n \u521d\u59cb\u5316\u4e3b\u8981\u662f\u914d\u7f6eopenvpn\u7684config\u6587\u4ef6\uff0c\u5e76\u8bbe\u7f6eopenvpn\u81ea\u52a8\u542f\u52a8\u3002 \u7f16\u8f91\/etc\/openvpn\/server.conf\uff0c\u4fee\u6539\u5982\u4e0b\u914d\u7f6e\uff0c vi \/etc\/sysctl.conf\u3002\u5728\u6700\u4e0b\u9762\u52a0\u5165\u5982\u4e0b\u5185\u5bb9\u3002 sysctl -p\u4f7f\u89c4\u5219\u751f\u6548<\/p>\n vi \/etc\/sysconfig\/iptables \u5728\u6700\u4e0a\u9762\u52a0\u4e0bnat\u8868 \u7136\u540e\u5728\u4e0b\u9762*filter\u8868\u91cc\uff0c\u6700\u540e\u4e00\u6761\u62d2\u7edd\u89c4\u5219\u524d\u9762\uff0c\u52a0\u4e0a<\/p>\n service iptables restart<\/p>\n 3. \u751f\u6210\u670d\u52a1\u5668\u7aef\u8bc1\u4e66<\/span> \u8fdb\u5165openvpn\u7684\u5bf9\u5e94\u5b89\u88c5\u76ee\u5f55\u3002\u5c06\u6240\u6709\u811a\u672c\u8bbe\u7f6e\u4e3a\u53ef\u6267\u884c\u5c5e\u6027<\/p>\n vi \/etc\/bashrc\uff0c\u5728\u6700\u4e0b\u9762\u52a0\u4e0a\u73af\u5883\u53d8\u91cf<\/p>\n \u5efa\u7acb\u5b58\u653ekey\u7684\u76ee\u5f55 mkdir cd \/usr\/share\/doc\/openvpn-2.2.2\/easy-rsa\/keys \u5f00\u59cb\u751f\u6210ca\u6587\u4ef6\u3002\u9700\u8981\u6ce8\u610f\u7684\u662f\uff0cca\u4e00\u65e6\u751f\u6210\u5c31\u4e0d\u80fd\u66f4\u6362\u4e86\uff0c\u5426\u5219\u6240\u6709key\u90fd\u4f1a\u5931\u6548\uff0c\u8981\u91cd\u65b0\u7b7e\u7f72\u3002<\/p>\n \u751f\u6210server\u7aefkey\u548ccrt\u6587\u4ef6\u3002\u6ce8\u610f\uff0c\u5176\u4e2dCommon Name\u9879\u76ee\u5fc5\u987b\u586b\u5199<\/strong>\uff0c\u5176\u4f59\u9879\u76ee\u53ef\u76f4\u63a5\u6309\u56de\u8f66\u4f7f\u7528\u73af\u5883\u53d8\u91cf\u9884\u5148\u8bbe\u7f6e\u7684\u9ed8\u8ba4\u503c\u3002<\/p>\n \u8bc1\u4e66\u751f\u6210\u5b8c\u6bd5\u3002\u751f\u6210dh\u6587\u4ef6\u3002<\/p>\n \u73b0\u5728\u5c06\u521a\u624d\u751f\u6210\u7684\u8bc1\u4e66\u548c\u914d\u7f6e\u6587\u4ef6\u590d\u5236\u5230\u76f8\u5e94\u76ee\u5f55\u4e0b\u3002<\/p>\n 4. \u521b\u5efa\u65b0\u7684\u5ba2\u6237\u7aef<\/span> \u751f\u6210\u5b8c\u6bd5\u3002\u5728keys\u76ee\u5f55\u4e0b\u5373\u53ef\u627e\u5230client.key\u548cclient.crt\u3002<\/p>\n \u4e0b\u9762\u518d\u6765\u770b\u770b\u5ba2\u6237\u7aef<\/span> \u5b89\u88c5\u65f6\u6240\u6709\u7ec4\u4ef6\u5168\u88c5\u3002\u5b89\u88c5\u65f6\u4f1a\u88c5\u4e0a\u4e00\u4e2a\u865a\u62df\u7f51\u5361\uff0c\u7cfb\u7edf\u53ef\u80fd\u4f1a\u63d0\u793a\u4e0d\u517c\u5bb9\uff0c\u4e0d\u5b89\u5168\u4ec0\u4e48\u7684\u3002\u4e0d\u7528\u7ba1\uff0c\u7ee7\u7eed\u786e\u5b9a\u5b89\u88c5\u5373\u53ef\u3002<\/p>\n 6. \u521d\u59cb\u5316<\/span> \u9996\u5148\u83b7\u5f97\u8bc1\u4e66\u3002\u628a\u521a\u624d\u5347\u6210\u7684\u5ba2\u6237\u7aef\u8bc1\u4e66\u62f7\u8fc7\u6765\u30023\u4e2a\u6587\u4ef6! ca.crt, client.crt, client.key\u3002 ovpn\u6587\u4ef6\u5982\u4e0b\uff0c\u5176\u4ed6ca ca.crt\uff0ccert client.crt\uff0ckey client.key\uff0c\u6839\u636e\u81ea\u5df1\u7684\u6587\u4ef6\u540d\u6539\u3002<\/p>\n \u5c06\u8fd9\u51e0\u4e2a\u6587\u4ef6\u5168\u90e8\u590d\u5236\u5230OpenVPN\u7684\u5b89\u88c5\u76ee\u5f55\u4e0b\u7684\u201cconfig\u201d\u76ee\u5f55\u4e2d\u3002\u5982\uff1aC:\Program Files\OpenVPN\config<\/p>\n \u914d\u7f6e\u5b8c\u6210\u3002<\/p>\n","protected":false},"excerpt":{"rendered":" \u672c\u6587\u4ee5CentOS 6 \u4f5c\u4e3aOpenVPN\u670d\u52a1\u5668\uff0cWIN XP\u53caWIN 7\u4f5c\u4e3a\u5ba2\u6237\u7aef\u64cd\u4f5c\u7cfb\u7edf\u3002\u4ee5\u4e0b\u5185\u5bb9\u5927\u91cf\u501f\u9274 … \u7ee7\u7eed\u9605\u8bfbOpenVPN\u670d\u52a1\u5668\u53ca\u5ba2\u6237\u7aef\u914d\u7f6e<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[117],"tags":[78,110],"class_list":["post-405","post","type-post","status-publish","format-standard","hentry","category-network","tag-linux","tag-vpn"],"_links":{"self":[{"href":"https:\/\/ybzx.vip\/wp\/index.php?rest_route=\/wp\/v2\/posts\/405","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ybzx.vip\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ybzx.vip\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ybzx.vip\/wp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ybzx.vip\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=405"}],"version-history":[{"count":0,"href":"https:\/\/ybzx.vip\/wp\/index.php?rest_route=\/wp\/v2\/posts\/405\/revisions"}],"wp:attachment":[{"href":"https:\/\/ybzx.vip\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=405"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ybzx.vip\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=405"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ybzx.vip\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=405"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
1. \u5b89\u88c5openvpn<\/span><\/p>\nrpm -Uvh http:\/\/dl.fedoraproject.org\/pub\/epel\/6\/x86_64\/epel-release-6-7.noarch.rpm\r\nyum install openvpn -y<\/pre>\n
\u590d\u5236\u914d\u7f6e\u6587\u4ef6\u7684\u6837\u672c\u5230\/etc\/openvpn\u76ee\u5f55\u4e0b\u3002<\/p>\n[root@esojourn.org ~]# cp \/usr\/share\/doc\/openvpn-2.2.2\/sample-config-files\/server.conf \/etc\/openvpn\/ \r\n[root@esojourn.org ~]#<\/pre>\n
\u4f7f\u7528TCP\u534f\u8bae\u6765\u8fdb\u884c\u8bbf\u95ee\u3002\u6253\u5f00gateway\uff0c\u63a8\u9001dns\u7b49\u3002<\/p>\n#################################################\r\n# Sample OpenVPN 2.0 config file for #\r\n# multi-client server. #\r\n# #\r\n# This file is for the server side #\r\n# of a many-clients <-> one-server #\r\n# OpenVPN configuration. #\r\n# #\r\n# OpenVPN also supports #\r\n# single-machine <-> single-machine #\r\n# configurations (See the Examples page #\r\n# on the web site for more info). #\r\n# #\r\n# This config should work on Windows #\r\n# or Linux\/BSD systems. Remember on #\r\n# Windows to quote pathnames and use #\r\n# double backslashes, e.g.: #\r\n# "C:\\Program Files\\OpenVPN\\config\\foo.key" #\r\n# #\r\n# Comments are preceded with '#' or ';' #\r\n#################################################\r\n\r\n# Which local IP address should OpenVPN\r\n# listen on? (optional)\r\n;local a.b.c.d\r\n\r\n# Which TCP\/UDP port should OpenVPN listen on?\r\n# If you want to run multiple OpenVPN instances\r\n# on the same machine, use a different port\r\n# number for each one. You will need to\r\n# open up this port on your firewall.\r\nport 1194\r\n\r\n# TCP or UDP server?\r\nproto tcp\r\n# proto udp\r\n\r\n# "dev tun" will create a routed IP tunnel,\r\n# "dev tap" will create an ethernet tunnel.\r\n# Use "dev tap0" if you are ethernet bridging\r\n# and have precreated a tap0 virtual interface\r\n# and bridged it with your ethernet interface.\r\n# If you want to control access policies\r\n# over the VPN, you must create firewall\r\n# rules for the the TUN\/TAP interface.\r\n# On non-Windows systems, you can give\r\n# an explicit unit number, such as tun0.\r\n# On Windows, use "dev-node" for this.\r\n# On most systems, the VPN will not function\r\n# unless you partially or fully disable\r\n# the firewall for the TUN\/TAP interface.\r\n;dev tap\r\ndev tun\r\n\r\n# Windows needs the TAP-Win32 adapter name\r\n# from the Network Connections panel if you\r\n# have more than one. On XP SP2 or higher,\r\n# you may need to selectively disable the\r\n# Windows firewall for the TAP adapter.\r\n# Non-Windows systems usually don't need this.\r\n;dev-node MyTap\r\n\r\n# SSL\/TLS root certificate (ca), certificate\r\n# (cert), and private key (key). Each client\r\n# and the server must have their own cert and\r\n# key file. The server and all clients will\r\n# use the same ca file.\r\n#\r\n# See the "easy-rsa" directory for a series\r\n# of scripts for generating RSA certificates\r\n# and private keys. Remember to use\r\n# a unique Common Name for the server\r\n# and each of the client certificates.\r\n#\r\n# Any X509 key management system can be used.\r\n# OpenVPN can also use a PKCS #12 formatted key file\r\n# (see "pkcs12" directive in man page).\r\nca ca.crt\r\ncert server.crt\r\nkey server.key # This file should be kept secret\r\n\r\n# Diffie hellman parameters.\r\n# Generate your own with:\r\n# openssl dhparam -out dh1024.pem 1024\r\n# Substitute 2048 for 1024 if you are using\r\n# 2048 bit keys.\r\ndh dh1024.pem\r\n\r\n# Configure server mode and supply a VPN subnet\r\n# for OpenVPN to draw client addresses from.\r\n# The server will take 10.8.0.1 for itself,\r\n# the rest will be made available to clients.\r\n# Each client will be able to reach the server\r\n# on 10.8.0.1. Comment this line out if you are\r\n# ethernet bridging. See the man page for more info.\r\nserver 10.8.0.0 255.255.255.0\r\n\r\n# Maintain a record of client <-> virtual IP address\r\n# associations in this file. If OpenVPN goes down or\r\n# is restarted, reconnecting clients can be assigned\r\n# the same virtual IP address from the pool that was\r\n# previously assigned.\r\nifconfig-pool-persist ipp.txt\r\n\r\n# Configure server mode for ethernet bridging.\r\n# You must first use your OS's bridging capability\r\n# to bridge the TAP interface with the ethernet\r\n# NIC interface. Then you must manually set the\r\n# IP\/netmask on the bridge interface, here we\r\n# assume 10.8.0.4\/255.255.255.0. Finally we\r\n# must set aside an IP range in this subnet\r\n# (start=10.8.0.50 end=10.8.0.100) to allocate\r\n# to connecting clients. Leave this line commented\r\n# out unless you are ethernet bridging.\r\n;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100\r\n\r\n# Configure server mode for ethernet bridging\r\n# using a DHCP-proxy, where clients talk\r\n# to the OpenVPN server-side DHCP server\r\n# to receive their IP address allocation\r\n# and DNS server addresses. You must first use\r\n# your OS's bridging capability to bridge the TAP\r\n# interface with the ethernet NIC interface.\r\n# Note: this mode only works on clients (such as\r\n# Windows), where the client-side TAP adapter is\r\n# bound to a DHCP client.\r\n;server-bridge\r\n\r\n# Push routes to the client to allow it\r\n# to reach other private subnets behind\r\n# the server. Remember that these\r\n# private subnets will also need\r\n# to know to route the OpenVPN client\r\n# address pool (10.8.0.0\/255.255.255.0)\r\n# back to the OpenVPN server.\r\npush "route 10.8.0.0 255.255.255.0"\r\npush "route 192.168.5.0 255.255.255.0"\r\n;push "route 192.168.20.0 255.255.255.0"\r\n\r\n# To assign specific IP addresses to specific\r\n# clients or if a connecting client has a private\r\n# subnet behind it that should also have VPN access,\r\n# use the subdirectory "ccd" for client-specific\r\n# configuration files (see man page for more info).\r\n\r\n# EXAMPLE: Suppose the client\r\n# having the certificate common name "Thelonious"\r\n# also has a small subnet behind his connecting\r\n# machine, such as 192.168.40.128\/255.255.255.248.\r\n# First, uncomment out these lines:\r\n;client-config-dir ccd\r\n;route 192.168.40.128 255.255.255.248\r\n# Then create a file ccd\/Thelonious with this line:\r\n# iroute 192.168.40.128 255.255.255.248\r\n# This will allow Thelonious' private subnet to\r\n# access the VPN. This example will only work\r\n# if you are routing, not bridging, i.e. you are\r\n# using "dev tun" and "server" directives.\r\n\r\n# EXAMPLE: Suppose you want to give\r\n# Thelonious a fixed VPN IP address of 10.9.0.1.\r\n# First uncomment out these lines:\r\n;client-config-dir ccd\r\n;route 10.9.0.0 255.255.255.252\r\n# Then add this line to ccd\/Thelonious:\r\n# ifconfig-push 10.9.0.1 10.9.0.2\r\n\r\n# Suppose that you want to enable different\r\n# firewall access policies for different groups\r\n# of clients. There are two methods:\r\n# (1) Run multiple OpenVPN daemons, one for each\r\n# group, and firewall the TUN\/TAP interface\r\n# for each group\/daemon appropriately.\r\n# (2) (Advanced) Create a script to dynamically\r\n# modify the firewall in response to access\r\n# from different clients. See man\r\n# page for more info on learn-address script.\r\n;learn-address .\/script\r\n\r\n# If enabled, this directive will configure\r\n# all clients to redirect their default\r\n# network gateway through the VPN, causing\r\n# all IP traffic such as web browsing and\r\n# and DNS lookups to go through the VPN\r\n# (The OpenVPN server machine may need to NAT\r\n# or bridge the TUN\/TAP interface to the internet\r\n# in order for this to work properly).\r\n;push "redirect-gateway def1 bypass-dhcp"\r\npush "redirect-gateway"\r\n# Certain Windows-specific network settings\r\n# can be pushed to clients, such as DNS\r\n# or WINS server addresses. CAVEAT:\r\n# http:\/\/openvpn.net\/faq.html#dhcpcaveats\r\n# The addresses below refer to the public\r\n# DNS servers provided by opendns.com.\r\npush "dhcp-option DNS 60.195.250.225"\r\npush "dhcp-option DNS 8.8.8.8"\r\n\r\n# Uncomment this directive to allow different\r\n# clients to be able to "see" each other.\r\n# By default, clients will only see the server.\r\n# To force clients to only see the server, you\r\n# will also need to appropriately firewall the\r\n# server's TUN\/TAP interface.\r\n;client-to-client\r\n\r\n# Uncomment this directive if multiple clients\r\n# might connect with the same certificate\/key\r\n# files or common names. This is recommended\r\n# only for testing purposes. For production use,\r\n# each client should have its own certificate\/key\r\n# pair.\r\n#\r\n# IF YOU HAVE NOT GENERATED INDIVIDUAL\r\n# CERTIFICATE\/KEY PAIRS FOR EACH CLIENT,\r\n# EACH HAVING ITS OWN UNIQUE "COMMON NAME",\r\n# UNCOMMENT THIS LINE OUT.\r\n;duplicate-cn\r\n\r\n# The keepalive directive causes ping-like\r\n# messages to be sent back and forth over\r\n# the link so that each side knows when\r\n# the other side has gone down.\r\n# Ping every 10 seconds, assume that remote\r\n# peer is down if no ping received during\r\n# a 120 second time period.\r\nkeepalive 10 120\r\n# For extra security beyond that provided\r\n# by SSL\/TLS, create an "HMAC firewall"\r\n# to help block DoS attacks and UDP port flooding.\r\n#\r\n# Generate with:\r\n# openvpn --genkey --secret ta.key\r\n#\r\n# The server and each client must have\r\n# a copy of this key.\r\n# The second parameter should be '0'\r\n# on the server and '1' on the clients.\r\n;tls-auth ta.key 0 # This file is secret\r\n\r\n# Select a cryptographic cipher.\r\n# This config item must be copied to\r\n# the client config file as well.\r\n;cipher BF-CBC # Blowfish (default)\r\n;cipher AES-128-CBC # AES\r\n;cipher DES-EDE3-CBC # Triple-DES\r\n\r\n# Enable compression on the VPN link.\r\n# If you enable it here, you must also\r\n# enable it in the client config file.\r\ncomp-lzo\r\n\r\n# The maximum number of concurrently connected\r\n# clients we want to allow.\r\n;max-clients 100\r\n\r\n# It's a good idea to reduce the OpenVPN\r\n# daemon's privileges after initialization.\r\n#\r\n# You can uncomment this out on\r\n# non-Windows systems.\r\n;user nobody\r\n;group nobody\r\n\r\n# The persist options will try to avoid\r\n# accessing certain resources on restart\r\n# that may no longer be accessible because\r\n# of the privilege downgrade.\r\npersist-key\r\npersist-tun\r\n\r\n# Output a short status file showing\r\n# current connections, truncated\r\n# and rewritten every minute.\r\nstatus openvpn-status.log\r\n\r\n# By default, log messages will go to the syslog (or\r\n# on Windows, if running as a service, they will go to\r\n# the "\Program Files\OpenVPN\log" directory).\r\n# Use log or log-append to override this default.\r\n# "log" will truncate the log file on OpenVPN startup,\r\n# while "log-append" will append to it. Use one\r\n# or the other (but not both).\r\n;log openvpn.log\r\n;log-append openvpn.log\r\n\r\n# Set the appropriate level of log\r\n# file verbosity.\r\n#\r\n# 0 is silent, except for fatal errors\r\n# 4 is reasonable for general usage\r\n# 5 and 6 can help to debug connection problems\r\n# 9 is extremely verbose\r\nverb 3\r\n\r\n# Silence repeating messages. At most 20\r\n# sequential messages of the same message\r\n# category will be output to the log.\r\n;mute 20<\/pre>\n
\u5982\u679c\u662fRHEL5\uff0c\u5efa\u8bae\u628a\u4ee5#\u5c4f\u853d\u7684\u9009\u9879\u5168\u6253\u5f00\u3002\u662f\u7167\u67d0\u516c\u53f8\u4e45\u7ecf\u8003\u9a8c\u7684\u6587\u6863\u5199\u7684\u3002
\u636e\u795e\u79d8\u7684\u8001\u718a\u5206\u4eab\uff0c\u5728RHEL6\u4e0b\u5e94\u8be5\u628a\u90a3\u4e00\u5806\u53c2\u6570\u5c4f\u853d\u3002\u6211\u5728centos 6\u4e0b\uff0c\u5df2\u7ecf\u7167\u6b64\u914d\u7f6e\u6d4b\u8bd5\u901a\u8fc7\u4e86\u3002<\/p>\n# Added for openvpn. esojourn.org\r\nnet.ipv6.conf.eth0.forwarding = 1\r\nnet.ipv6.conf.default.forwarding = 1\r\nnet.ipv6.conf.all.forwarding = 1\r\nnet.ipv6.conf.lo.forwarding = 1\r\n# net.ipv4.conf.tun0.mc_forwarding = 1\r\n# net.ipv4.conf.tun0.forwarding = 1\r\n# net.ipv4.conf.eth0.mc_forwarding = 1\r\nnet.ipv4.conf.eth0.forwarding = 1\r\n# net.ipv4.conf.lo.mc_forwarding = 1\r\nnet.ipv4.conf.lo.forwarding = 1\r\n# net.ipv4.conf.default.mc_forwarding = 1\r\nnet.ipv4.conf.default.forwarding = 1\r\n# net.ipv4.conf.all.mc_forwarding = 1\r\nnet.ipv4.conf.all.forwarding = 1\r\n# net.ipv4.ip_forward = 1\r\n<\/pre>\n
\u8bf8\u4f4d\u65b0\u624b\u3001\u51c6\u65b0\u624b\u4eec\uff0c\u5343\u4e07\u522b\u7528\u5929\u6740\u7684setup\u6216\u8005system-config-firewall\u6765\u914d\u9632\u706b\u5899\u4e86\u3002
\u8840\u6cea\u53f2\u554a\uff0c\u4e0d\u591a\u89e3\u91ca\u4e86\u3002\u597d\u597d\u5b66\u57fa\u672c\u529f\u5427\u3002\u6211\u4e5f\u5728\u5b66\u4e60\u4e2d\u3002<\/p>\n*nat\r\n:PREROUTING ACCEPT [0:0]\r\n:POSTROUTING ACCEPT [0:0]\r\n:OUTPUT ACCEPT [0:0]\r\n-A POSTROUTING -s 10.8.0.0\/24 -o eth0 -j MASQUERADE\r\nCOMMIT<\/pre>\n
-A FORWARD -d 10.8.0.0\/24 -j ACCEPT\r\n-A FORWARD -s 10.8.0.0\/24 -j ACCEPT<\/pre>\n
\u751f\u6210\u670d\u52a1\u5668\u7aef\u8bc1\u4e66\u4e3b\u8981\u6709\u5982\u4e0b\u51e0\u4e2a\u6b65\u9aa4\uff1a
1\uff0e \u8bbe\u7f6e\u73af\u5883\u53d8\u91cf
2\uff0e \u751f\u6210ca\u6587\u4ef6
3\uff0e \u751f\u6210cert\/key\u6587\u4ef6
4\uff0e \u751f\u6210dh\u6587\u4ef6<\/p>\ncd \/usr\/share\/doc\/openvpn-2.2.2\/easy-rsa\r\nchmod 700 build*<\/pre>\n
# Add for openvpn\r\nexport KEY_CONFIG=\/usr\/share\/doc\/openvpn-2.2.2\/easy-rsa\/openssl.cnf\r\nexport KEY_DIR=\/usr\/share\/doc\/openvpn-2.2.2\/easy-rsa\/keys\r\nexport KEY_SIZE=1024\r\nexport KEY_COUNTRY=CN\r\nexport KEY_PROVINCE=BJ\r\nexport KEY_CITY=BJ\r\nexport KEY_ORG=\"www.esojourn.org\"\r\nexport KEY_EMAIL=\"[email]abc@esojourn.org[\/email]\"\r\n<\/pre>\n
\u901a\u8fc7clean-all\u751f\u6210serial\u548cindex.txt<\/p>\nchmod 700 clean-all\r\n.\/clean-all<\/pre>\n
[root@esojourn.org \/usr\/share\/doc\/openvpn-2.2.2\/easy-rsa]# .\/build-ca\r\nGenerating a 1024 bit RSA private key\r\n..............................................................................................++++++\r\n..........++++++\r\nwriting new private key to 'ca.key'\r\n-----\r\nYou are about to be asked to enter information that will be incorporated\r\ninto your certificate request.\r\nWhat you are about to enter is what is called a Distinguished Name or a DN.\r\nThere are quite a few fields but you can leave some blank\r\nFor some fields there will be a default value,\r\nIf you enter '.', the field will be left blank.\r\n-----\r\nCountry Name (2 letter code) [CN]:\r\nState or Province Name (full name) [BJ]:\r\nLocality Name (eg, city) [BJ]:\r\nOrganization Name (eg, company) [esojourn.org]:\r\nOrganizational Unit Name (eg, section) []:\r\nCommon Name (eg, your name or your server's hostname) []:\r\nEmail Address [[email]pcman@esojourn.org[\/email]]:\r\n[root@esojourn.org \/usr\/share\/doc\/openvpn-2.2.2\/easy-rsa]#\r\n<\/pre>\n
[root@esojourn.org \/usr\/share\/doc\/openvpn-2.2.2\/easy-rsa]# .\/build-key-server server\r\nGenerating a 1024 bit RSA private key\r\n............++++++\r\n..........++++++\r\nwriting new private key to 'server.key'\r\n-----\r\nYou are about to be asked to enter information that will be incorporated\r\ninto your certificate request.\r\nWhat you are about to enter is what is called a Distinguished Name or a DN.\r\nThere are quite a few fields but you can leave some blank\r\nFor some fields there will be a default value,\r\nIf you enter '.', the field will be left blank.\r\n-----\r\nCountry Name (2 letter code) [CN]:\r\nState or Province Name (full name) [BJ]:\r\nLocality Name (eg, city) [BJ]:\r\nOrganization Name (eg, company) [esojourn.org]:\r\nOrganizational Unit Name (eg, section) []:\r\nCommon Name (eg, your name or your server's hostname) []:openvpn.esojourn.org\r\nEmail Address [[email]pcman@esojourn.org[\/email]]:\r\nPlease enter the following 'extra' attributes\r\nto be sent with your certificate request\r\nA challenge password []:\r\nAn optional company name []:\r\nUsing configuration from \/usr\/share\/doc\/openvpn-2.2.2\/easy-rsa\/openssl.cnf\r\nCheck that the request matches the signature\r\nSignature ok\r\nThe Subject's Distinguished Name is as follows\r\ncountryName :PRINTABLE:'CN'\r\nstateOrProvinceName :PRINTABLE:'BJ'\r\nlocalityName :PRINTABLE:'BJ'\r\norganizationName :PRINTABLE:'esojourn.org'\r\ncommonName :PRINTABLE:'openvpn.esojourn.org'\r\nemailAddress :IA5STRING:'[email]pcman@esojourn.org[\/email]'\r\nCertificate is to be certified until Jul 13 16:17:39 2017 GMT (3650 days)\r\nSign the certificate? [y\/n]:y\r\n1 out of 1 certificate requests certified, commit? [y\/n]y\r\nWrite out database with 1 new entries\r\nData Base Updated\r\n[root@esojourn.org \/usr\/share\/doc\/openvpn-2.2.2\/easy-rsa]#\r\n<\/pre>\n
[root@esojourn.org \/usr\/share\/doc\/openvpn-2.2.2\/easy-rsa]# .\/build-dh\r\nGenerating DH parameters, 1024 bit long safe prime, generator 2\r\nThis is going to take a long time\r\n..............................+........................................................................................................+.......................................................+.........................................................<\/pre>\n
[root@esojourn.org \/usr\/share\/doc\/openvpn-2.2.2\/easy-rsa]# cp keys\/ca.crt \/etc\/openvpn\/\r\n[root@esojourn.org \/usr\/share\/doc\/openvpn-2.2.2\/easy-rsa]# cp keys\/server.crt \/etc\/openvpn\/\r\n[root@esojourn.org \/usr\/share\/doc\/openvpn-2.2.2\/easy-rsa]# cp keys\/server.key \/etc\/openvpn\/\r\n[root@esojourn.org \/usr\/share\/doc\/openvpn-2.2.2\/easy-rsa]# cp keys\/dh1024.pem \/etc\/openvpn\/\r\nsysctl -p<\/pre>\n
openvpn\u670d\u52a1\u5668\u914d\u7f6e\u597d\u4e4b\u540e\uff0c\u65b0\u7684\u5ba2\u6237\u7aef\u8fd8\u4e0d\u80fd\u7acb\u523b\u8fde\u63a5\u8fdb\u6765\uff0c\u9700\u8981\u4e3a\u5ba2\u6237\u7aef\u5206\u522b\u521b\u5efa\u5c5e\u4e8e\u81ea\u5df1\u7684ssl\u8bc1\u4e66\u65b9\u53ef\u3002\u521b\u5efa\u7684\u65b9\u5f0f\u5982\u4e0b\uff1a
\u8fdb\u5165openvpn\u7684\u5bf9\u5e94\u5b89\u88c5\u76ee\u5f55\u3002\u751f\u6210\u8bc1\u4e66\u6587\u4ef6\u3002\u6ce8\u610f\uff0c\u5728\u63d0\u793a\u8f93\u5165CommonName\u7684\u65f6\u5019\uff0c\u5fc5\u987b\u8f93\u5165\u552f\u4e00\u4e00\u4e2a\u7528\u6237\u540d\u540d\u5b57\u6216\u8005\u57df\u540d\uff0c\u4ee5\u548c\u5176\u4ed6\u7684\u7528\u6237\u8bc1\u4e66\u76f8\u533a\u522b\u3002<\/p>\ncd \/usr\/share\/doc\/openvpn-2.2.2\/easy-rsa[root@esojourn.org \/usr\/share\/doc\/openvpn-2.2.2\/easy-rsa]# .\/build-key client\r\nGenerating a 1024 bit RSA private key\r\n....++++++\r\n.......++++++\r\nwriting new private key to 'client.key'\r\n-----\r\nYou are about to be asked to enter information that will be incorporated\r\ninto your certificate request.\r\nWhat you are about to enter is what is called a Distinguished Name or a DN.\r\nThere are quite a few fields but you can leave some blank\r\nFor some fields there will be a default value,\r\nIf you enter '.', the field will be left blank.\r\n-----\r\nCountry Name (2 letter code) [CN]:\r\nState or Province Name (full name) [BJ]:\r\nLocality Name (eg, city) [BJ]:\r\nOrganization Name (eg, company) [esojourn.org]:\r\nOrganizational Unit Name (eg, section) []:\r\nCommon Name (eg, your name or your server's hostname) []:pcman\r\nEmail Address [[email]pcman@esojourn.org[\/email]]:\r\nPlease enter the following 'extra' attributes\r\nto be sent with your certificate request\r\nA challenge password []:\r\nAn optional company name []:\r\nUsing configuration from \/usr\/share\/doc\/openvpn-2.2.2\/easy-rsa\/openssl.cnf\r\nCheck that the request matches the signature\r\nSignature ok\r\nThe Subject's Distinguished Name is as follows\r\ncountryName :PRINTABLE:'CN'\r\nstateOrProvinceName :PRINTABLE:'BJ'\r\nlocalityName :PRINTABLE:'BJ'\r\norganizationName :PRINTABLE:'esojourn.org'\r\ncommonName :PRINTABLE:'pcman'\r\nemailAddress :IA5STRING:'[email]pcman@esojourn.org[\/email]'\r\nCertificate is to be certified until Jul 13 17:08:27 2017 GMT (3650 days)\r\nSign the certificate? [y\/n]:y\r\n1 out of 1 certificate requests certified, commit? [y\/n]y\r\nWrite out database with 1 new entries\r\nData Base Updated\r\n[root@esojourn.org \/usr\/share\/doc\/openvpn-2.2.2\/easy-rsa]#<\/pre>\n
5. \u5ba2\u6237\u7aef\u7684\u4e0b\u8f7d\u5b89\u88c5<\/span>
\u5b98\u7f51\u4e0b\u8f7d http:\/\/openvpn.net\/index.php\/download.html
Windows Installer v2.2.2\uff1ahttp:\/\/swupdate.openvpn.org\/community\/releases\/openvpn-2.2.2-install.exe<\/p>\n
OpenVPN\u7684\u6570\u636e\u4f20\u8f93\u8fc7\u7a0b\u662f\u57fa\u4e8eOpenSSL\u5b89\u5168\u52a0\u5bc6\u7684\uff0c\u901a\u4fe1\u7684\u53cc\u65b9\uff1aVPN\u670d\u52a1\u5668\u7aef\u3001VPN\u5ba2\u6237\u7aef\u90fd\u9700\u8981IP\u5b89\u5168\u8bc1\u4e66\uff0c\u5426\u5219\u65e0\u6cd5\u5efa\u7acb\u8fde\u63a5\u3002IP\u8bc1\u4e66\u4e5f\u662f\u5efa\u7acb\u8fde\u63a5\u7684\u5fc5\u987b\u6761\u4ef6\uff0c\u57fa\u4e8eOpenVPN\u7684VPN\u5efa\u7acb\u662f\u6ca1\u6709\u4f20\u7edf\u5bc6\u7801\u9a8c\u8bc1\u7684\u3002\u4e0b\u8fb9\u914d\u7f6e\u8bc1\u4e66\u3002<\/p>\n
\u53e6\u5916\u65b0\u5efa\u4e00\u4e2aesojourn.org.ovpn\u7684\u6587\u4ef6\uff0c\u7528\u4e8e\u5ba2\u6237\u7aef\u914d\u7f6e\u3002\u5305\u542b\u8bc1\u4e66\u6587\u4ef6\u540d\u3001\u5730\u5740\u7b49\u76f8\u5e94\u53c2\u6570\u3002ca.crt\u662f\u5168\u5c40\u7684CA\u8bc1\u4e66\uff0c\u800cclient.crt\u548cclient.key\u5219\u662f\u9881\u53d1\u7ed9\u6bcf\u4e2a\u4eba\u7684\u4e2a\u4eba\u8bc1\u4e66\u3002\u6bcf\u4e2a\u4eba\u7684\u4e2a\u4eba\u8bc1\u4e66\u6587\u4ef6\u4e0d\u4e00\u6837\uff0c\u800c\u53e6\u5916\u4e24\u4e2a\u6587\u4ef6\u5219\u4e00\u6837\u3002<\/p>\n\r\n##############################################\r\n# Sample client-side OpenVPN 2.0 config file #\r\n# for connecting to multi-client server. #\r\n# #\r\n# This configuration can be used by multiple #\r\n# clients, however each client should have #\r\n# its own cert and key files. #\r\n# #\r\n# On Windows, you might want to rename this #\r\n# file so it has a .ovpn extension #\r\n##############################################\r\n\r\n# Specify that we are a client and that we\r\n# will be pulling certain config file directives\r\n# from the server.\r\nclient\r\n\r\n# Use the same setting as you are using on\r\n# the server.\r\n# On most systems, the VPN will not function\r\n# unless you partially or fully disable\r\n# the firewall for the TUN\/TAP interface.\r\n;dev tap\r\ndev tun\r\n\r\n# Windows needs the TAP-Win32 adapter name\r\n# from the Network Connections panel\r\n# if you have more than one. On XP SP2,\r\n# you may need to disable the firewall\r\n# for the TAP adapter.\r\n;dev-node MyTap\r\n\r\n# Are we connecting to a TCP or\r\n# UDP server? Use the same setting as\r\n# on the server.\r\nproto tcp\r\n# proto udp\r\n\r\n# The hostname\/IP and port of the server.\r\n# You can have multiple remote entries\r\n# to load balance between the servers.\r\nremote www.esojourn.org 1194\r\n;remote my-server-2 1194\r\n\r\n# Choose a random host from the remote\r\n# list for load-balancing. Otherwise\r\n# try hosts in the order specified.\r\n;remote-random\r\n\r\n# Keep trying indefinitely to resolve the\r\n# host name of the OpenVPN server. Very useful\r\n# on machines which are not permanently connected\r\n# to the internet such as laptops.\r\nresolv-retry infinite\r\n\r\n# Most clients don't need to bind to\r\n# a specific local port number.\r\nnobind\r\n\r\n# Downgrade privileges after initialization (non-Windows only)\r\n;user nobody\r\n;group nobody\r\n\r\n# Try to preserve some state across restarts.\r\npersist-key\r\npersist-tun\r\n\r\n# If you are connecting through an\r\n# HTTP proxy to reach the actual OpenVPN\r\n# server, put the proxy server\/IP and\r\n# port number here. See the man page\r\n# if your proxy server requires\r\n# authentication.\r\n;http-proxy-retry # retry on connection failures\r\n;http-proxy [proxy server] [proxy port #]\r\n\r\n# Wireless networks often produce a lot\r\n# of duplicate packets. Set this flag\r\n# to silence duplicate packet warnings.\r\n;mute-replay-warnings\r\n\r\n# SSL\/TLS parms.\r\n# See the server config file for more\r\n# description. It's best to use\r\n# a separate .crt\/.key file pair\r\n# for each client. A single ca\r\n# file can be used for all clients.\r\nca ca.crt\r\ncert client.crt\r\nkey client.key\r\n\r\n# Verify server certificate by checking\r\n# that the certicate has the nsCertType\r\n# field set to \"server\". This is an\r\n# important precaution to protect against\r\n# a potential attack discussed here:\r\n# http:\/\/openvpn.net\/howto.html#mitm\r\n#\r\n# To use this feature, you will need to generate\r\n# your server certificates with the nsCertType\r\n# field set to \"server\". The build-key-server\r\n# script in the easy-rsa folder will do this.\r\nns-cert-type server\r\n\r\n# If a tls-auth key is used on the server\r\n# then every client must also have the key.\r\n;tls-auth ta.key 1\r\n\r\n# Select a cryptographic cipher.\r\n# If the cipher option is used on the server\r\n# then you must also specify it here.\r\n;cipher x\r\n\r\n# Enable compression on the VPN link.\r\n# Don't enable this unless it is also\r\n# enabled in the server config file.\r\ncomp-lzo\r\n\r\n# Set log file verbosity.\r\nverb 3\r\n\r\n# Silence repeating messages\r\n;mute 20\r\n<\/pre>\n