
Installing OpenVPN on CentOS 6

In the early days of the internet a VPN could be used freely. Today VPN traffic is interfered with so heavily that it is almost impossible to use normally; often even Gmail cannot be logged into, let alone a secure tunnel we set up ourselves. So readers who want a VPN may as well read this post as a story. I am sure the day will come when it is useful again, because VPN communication is still, at least for now, one of the more secure ways to communicate.

Test environment for this post: CentOS 6 + OpenVPN 2.2

I. Install OpenVPN

1. Download the EPEL (Extra Packages for Enterprise Linux) release package

On CentOS 6, run:

rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-5.noarch.rpm

2. Update the system and installed packages

yum update

3. Install OpenVPN and openvpn-auth-ldap

yum install openvpn openvpn-auth-ldap

// To remove OpenVPN later: yum remove openvpn openvpn-auth-ldap

4. Copy the easy-rsa certificate tooling into the OpenVPN directory

cp -R /usr/share/openvpn/easy-rsa/ /etc/openvpn/

II. Generate certificates

Initialize the public key infrastructure (PKI)

5. Edit the configuration file /etc/openvpn/easy-rsa/2.0/vars

export KEY_COUNTRY="US"
export KEY_PROVINCE="OH"
export KEY_CITY="Oxford"
export KEY_ORG="My Company"
export KEY_EMAIL="squire@example.com"

# You can also leave these at their defaults and run the following commands directly.
# vars must be sourced (not executed) so that its exports land in the current shell:
cd /etc/openvpn/easy-rsa/2.0/
. ./vars

If the previous command fails with the following error (CentOS 6):
No /etc/openvpn/easy-rsa/2.0/openssl.cnf file could be found
edit vars as follows:
#export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf

6. Create the certificate authority (CA):

Continue with the following commands (still in /etc/openvpn/easy-rsa/2.0/):
./clean-all
./build-ca

Generating a 1024 bit RSA private key
................++++++
........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [dvdmaster]:
Organizational Unit Name (eg, section) []:dvdmaster
Common Name (eg, your name or your server's hostname) []:server
Email Address [support@cooldvd.com]:

7. Generate the server key:

./build-key-server server

Generating a 1024 bit RSA private key
......++++++
....................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [dvdmaster]:
Organizational Unit Name (eg, section) []:dvdmaster
Common Name (eg, your name or your server's hostname) []:server
Email Address [support@cooldvd.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:dvdmaster
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BJ'
organizationName :PRINTABLE:'dvdmaster'
organizationalUnitName:PRINTABLE:'dvdmaster'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'support@cooldvd.com'
Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

8. Generate the client key:

./build-key client1

Generating a 1024 bit RSA private key
.....++++++
......++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [dvdmaster]:
Organizational Unit Name (eg, section) []:dvdmaster
Common Name (eg, your name or your server's hostname) []:client1 # Important: every client certificate must be given a different name.
Email Address [support@cooldvd.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:dvdmaster
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BJ'
organizationName :PRINTABLE:'dvdmaster'
organizationalUnitName:PRINTABLE:'dvdmaster'
commonName :PRINTABLE:'client1'
emailAddress :IA5STRING:'support@cooldvd.com'
Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

If several clients need access to the OpenVPN server, repeat steps 7 and 8 for each of them.

Note: at the prompt Common Name (eg, your name or your server's hostname) []:, each certificate must be given a different name.

III. Generate Diffie-Hellman parameters

9. Run:

. /etc/openvpn/easy-rsa/2.0/build-dh

The output looks like this:
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time

IV. Deploy the certificates and keys

10. Download and store the client certificate and keys securely

Pack the three files ca.crt, client1.crt and client1.key from /etc/openvpn/easy-rsa/2.0/keys/ and download them to the client machine (tar zcvf yskeys.tar.gz keys/); the client needs them to log in to the VPN. Keep them safe and never let them leak. Note that tar zcvf yskeys.tar.gz keys/ archives the entire keys/ directory, including ca.key and server.key, which must never leave the server, so either pack only the three client files or remove the server files from the archive before copying it.

The archive can then be fetched from the server with WinSCP, HTTP, FTP or similar.

11. Install the server certificates and keys

Files involved: ca.crt ca.key dh1024.pem server.crt server.key

Procedure:

cd /etc/openvpn/easy-rsa/2.0/keys

cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn

============================================

Revoking a client certificate (a later step, if needed)
12. To revoke a client's VPN access, run:
. /etc/openvpn/easy-rsa/2.0/vars
. /etc/openvpn/easy-rsa/2.0/revoke-full client1

============================================

V. Configure the VPN

13. Create the server configuration file

#cp /usr/share/doc/openvpn-2.1.4/sample-config-files/server.conf /etc/openvpn/
#cp /usr/share/doc/openvpn-2.1.4/sample-config-files/client.conf ~/
#cd ~/

Path: /etc/openvpn/server.conf

Example server.conf:
port 1194 # port; must match the client configuration, or use 443 (the HTTPS port)
proto udp # protocol; must match the client configuration
dev tun # tap mode is also possible
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
server 10.8.0.0 255.255.255.0 # address range handed out to clients; must not collide with the clients' own networks
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 10.8.0.1"
client-to-client
push "route 10.8.0.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
log openvpn.log
status openvpn-status.log # status log
verb 3 # log verbosity
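As an added example (not part of the original post): a small Python audit of a server.conf of the shape shown above, run against a constructed file set that mirrors this tutorial. It flags referenced files that do not exist (the config above points tls-auth at ta.key under easy-rsa/2.0/keys, which the tutorial never generates and step 11 never copies), a missing crl-verify directive (without it, certificates revoked in step 12 are still accepted), 1024-bit DH parameters, and comp-lzo. The sample config lines, the key directory and the file set are constructed for this example.

```python
import os
import shlex
from typing import Callable, Dict, List

# Directives whose first argument is a file the daemon must read at start-up.
FILE_DIRECTIVES = ("ca", "cert", "key", "dh", "tls-auth", "crl-verify")


def parse_openvpn_conf(text: str) -> Dict[str, List[List[str]]]:
    """One directive per line; '#'/';' start comments (inline ones too). Repeats kept."""
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # a quoted '#' is not handled
        if line:
            tokens = shlex.split(line)
            directives.setdefault(tokens[0], []).append(tokens[1:])
    return directives


def audit_server_conf(text: str, exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Findings to review before starting the daemon; `exists` is injectable for testing."""
    conf = parse_openvpn_conf(text)
    findings: List[str] = []
    for name in FILE_DIRECTIVES:
        for args in conf.get(name, []):
            if not exists(args[0]):
                findings.append(f"{name}: {args[0]} does not exist; the daemon will not start")
    if "crl-verify" not in conf:
        findings.append("crl-verify missing: certificates revoked with revoke-full are still accepted")
    for args in conf.get("dh", []):
        if os.path.basename(args[0]) == "dh1024.pem":  # easy-rsa names the file after the size
            findings.append("dh: 1024-bit DH parameters are below the 2048-bit minimum now recommended")
    if "comp-lzo" in conf:
        findings.append("comp-lzo: tunnel compression is discouraged by the OpenVPN project; remove it")
    return findings


# Constructed sample: the file-related lines of the server.conf above, plus the files that
# exist after steps 7-9 (ta.key is referenced but never generated in this tutorial).
KEYS = "/etc/openvpn/easy-rsa/2.0/keys/"
SAMPLE_CONF = f"""
ca {KEYS}ca.crt
cert {KEYS}server.crt
key {KEYS}server.key
dh {KEYS}dh1024.pem
tls-auth {KEYS}ta.key 0
comp-lzo
"""
SAMPLE_FILES = {KEYS + f for f in ("ca.crt", "server.crt", "server.key", "dh1024.pem")}


def audit_sample() -> List[str]:
    return audit_server_conf(SAMPLE_CONF, SAMPLE_FILES.__contains__)
```

Run audit_sample() to see the four findings for the tutorial's own configuration; pass the real server.conf text and the default exists to audit a live host.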

13. Obtaining the DNS server addresses? (skip this step for now)
vi /etc/resolv.conf
nameserver 71.99.98.10
nameserver 72.99.99.11

VI. Install and configure the iptables firewall

14. Install iptables (skip if already installed)

yum install iptables

15. Configure iptables NAT for the VPN subnet

iptables -t nat -A POSTROUTING -s x.x.0.0/24 -o eth0 -j SNAT --to-source x.x.x.x
// The first address is the internal VPN subnet you configured; the second is your VPS server's public IP
(Example: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 12.34.56.78)

Save the iptables rules:
/etc/init.d/iptables save

Start iptables:
/etc/init.d/iptables restart

service iptables start

If you get this error:
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: security raw nat mangle filter[FAILED]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
see: http://www.linode.com/forums/archive/o_t/t_3930/iptables.html
Workaround (I don't know why, but it always failed when I ran it, and when I ran it again later it was OK):
--------------------------
cd /etc/init.d
mv iptables ~/iptables.bak
wget http://epoxie.net/12023.txt && cat 12023.txt | tr -d '\r' > iptables
chmod +x iptables
rm -rf 12023.txt
--------------------------
Reference: http://impactservices.in/content/iptables-error-setting-chains-policy-accept-security-raw-nat-mangle-filter-failed

If you get this error:
/bin/sh^M:bad interpreter: No such file or directory
it means a file written on Windows was uploaded to the Linux server and run there.
Cause: Windows and Linux use different line endings (CRLF versus LF).
Fix: open the file in vi and, in command mode, type :set ff=unix and press Enter.
For example: vi a.sh
then type :set ff=unix and press Enter,
then type :wq and press Enter.
The file then runs without this error.


To apply the firewall rules at boot, add the following to /etc/rc.local:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

15. Start the VPN

/etc/init.d/openvpn start
or:
service openvpn restart

Enable it at boot:
chkconfig openvpn on
============================================

16. Check ip_forward

The setting lives at /proc/sys/net/ipv4/ip_forward

Check it with:
sysctl -a | grep for
# Expected result:
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.ip_forward = 1
If the values on your host are not 1, set them to 1, for example:
sysctl -w net.ipv4.ip_forward=1
echo 1 > /proc/sys/net/ipv4/ip_forward

17. Install dnsmasq

yum install dnsmasq

Start dnsmasq:
/etc/init.d/dnsmasq start

Enable dnsmasq at boot:
chkconfig dnsmasq on

Copyright@2005-2016 Metsky.com, All rights Reserved.