
Configuring OpenVPN

I. Installation and configuration

  1. Software download

  The latest release can be obtained from http://openvpn.net/ (this article uses openvpn-2.0.7).

  2. Software installation

  tar xzvf openvpn-2.0.7.tar.gz

  cd openvpn-2.0.7

  ./configure

  make

  make install

  mknod /dev/net/tun c 10 200 # create the tun device node (major 10, minor 200); skip this if /dev/net/tun already exists

  echo "alias char-major-10-200 tun" >>/etc/modprobe.conf # have the kernel auto-load the tun module when the node is opened

  3. Initial setup

  mkdir /etc/openvpn # create the OpenVPN directory

  cp -r easy-rsa /etc/openvpn # run this from the OpenVPN source directory

  cd /etc/openvpn/easy-rsa

  vi vars # edit the vars file as follows:

  # These are the default values for fields

  # which will be placed in the certificate.

  # Don't leave any of these fields blank.

  export KEY_COUNTRY=cn

  # country

  export KEY_PROVINCE=Beijing

  # province

  export KEY_CITY=Beijing

  # city

  export KEY_ORG="test"

  # organization; the CA certificate's subject is built from this as well

  export KEY_EMAIL="…@...com"

  Save the changes. Next we generate the keys (the leading "#" below is the root shell prompt):

  # . vars # load the modified variables into the current shell

  NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys

  # ./clean-all # initialize the keys directory, creating the files and subdirectories the scripts need

  # ./build-ca # generate the root CA certificate, which signs the server and client certificates; keep keys/ca.key secret

  # ls keys

  ca.crt ca.key index.txt serial

  We can see that ca.crt and ca.key have been generated.

  Next we generate the Diffie-Hellman parameters for the server:

  # ./build-dh # a file the TLS server needs; its size follows KEY_SIZE in vars (1024 by default in this release, 2048 is the sensible minimum today)

  Create and sign the certificate the VPN server will use:

  # ./build-key-server server # "server" is the base name of the output files: server.crt and server.key

  Next, issue a certificate to the VPN client. To issue certificates to further clients later, run build-key again with a new, unique name for each client:

  # ./build-key client

  To defend against attacks on the listening UDP port (DoS, UDP port flooding), generate an "HMAC firewall" key, used by the tls-auth directive:

  # openvpn --genkey --secret keys/ta.key

  Generate a certificate revocation list (CRL), so that a certificate that is later lost or stolen can be revoked instead of letting an unauthorized user into the VPN:

  # ./make-crl vpncrl.pem

  Note that ta.key and the CRL only take effect when server.conf references them (tls-auth ta.key 0 and crl-verify vpncrl.pem). A certificate is actually revoked with revoke-full <name>, which regenerates the CRL; copy the new CRL to the server each time.
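The easy-rsa scripts are thin wrappers around the openssl CLI. The following added example (not part of the original article or of easy-rsa) rebuilds the steps above with openssl in a throwaway directory and checks the three properties that matter for OpenVPN: server and client certificates chain to ca.crt, only the server certificate carries nsCertType=server (what build-key-server sets and the client's ns-cert-type server directive checks), and a revoked client certificate fails verification once the CRL is consulted, as crl-verify does on the server. It assumes the openssl CLI and mktemp are available; the names, subjects and the openssl.cnf are constructed for the example.

```shell
#!/bin/sh
# Added example: reproduce clean-all / build-ca / build-key-server /
# build-key / revoke-full with bare openssl and verify the results.
# Assumes openssl and mktemp in PATH; all names below are constructed.

# Write a minimal openssl.cnf mirroring easy-rsa's: a v3 CA section plus
# a "server" and a "client" extension section.
write_cnf() {
    pki=$1
    cat > "$pki/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $pki/index.txt
new_certs_dir = $pki/newcerts
serial = $pki/serial
crlnumber = $pki/crlnumber
certificate = $pki/ca.crt
private_key = $pki/ca.key
default_md = sha256
default_days = 3650
default_crl_days = 30
policy = policy_any
[ policy_any ]
countryName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server ]
basicConstraints = CA:FALSE
nsCertType = server
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
[ client ]
basicConstraints = CA:FALSE
nsCertType = client
extendedKeyUsage = clientAuth
keyUsage = digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

# issue_cert DIR NAME EXT: build-key-server (EXT=server) or build-key
# (EXT=client): fresh RSA key + CSR, signed by the CA with that extension set.
issue_cert() {
    pki=$1; name=$2; ext=$3
    openssl req -new -newkey rsa:2048 -nodes -keyout "$pki/$name.key" \
        -out "$pki/$name.csr" -subj "/C=cn/O=test/CN=$name" \
        -config "$pki/openssl.cnf" >/dev/null 2>&1
    openssl ca -batch -notext -config "$pki/openssl.cnf" -extensions "$ext" \
        -in "$pki/$name.csr" -out "$pki/$name.crt" >/dev/null 2>&1
}

# make_pki: clean-all + build-ca + build-key-server server + build-key client.
# Prints the directory holding the result (openssl chatter is silenced).
make_pki() {
    pki=$(mktemp -d)
    mkdir "$pki/newcerts"
    : > "$pki/index.txt"
    echo 01 > "$pki/serial"
    echo 01 > "$pki/crlnumber"
    write_cnf "$pki"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$pki/ca.key" \
        -out "$pki/ca.crt" -days 3650 -subj "/C=cn/O=test/CN=test CA" \
        -extensions v3_ca -config "$pki/openssl.cnf" >/dev/null 2>&1
    issue_cert "$pki" server server
    issue_cert "$pki" client client
    echo "$pki"
}

# verify_cert DIR NAME [crl]: does NAME.crt chain to ca.crt? With the
# optional third argument "crl" the CRL is consulted too (what crl-verify does).
verify_cert() {
    pki=$1; name=$2
    if [ "${3:-}" = crl ]; then
        openssl verify -crl_check -CAfile "$pki/ca.crt" -CRLfile "$pki/crl.pem" \
            "$pki/$name.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$pki/ca.crt" "$pki/$name.crt" >/dev/null 2>&1
    fi
}

# is_server_cert DIR NAME: true only if the certificate carries nsCertType=server.
is_server_cert() {
    openssl x509 -in "$1/$2.crt" -noout -text 2>/dev/null | grep -q 'SSL Server'
}

# revoke_cert DIR NAME: revoke-full NAME, i.e. mark the certificate revoked
# and regenerate crl.pem. The running server only notices once the new CRL
# replaces the file named by crl-verify.
revoke_cert() {
    openssl ca -config "$1/openssl.cnf" -revoke "$1/$2.crt" >/dev/null 2>&1
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" >/dev/null 2>&1
}

# Demonstration when run directly.
PKI=$(make_pki)
verify_cert "$PKI" server && echo "server.crt chains to ca.crt"
is_server_cert "$PKI" client || echo "client.crt lacks nsCertType=server: a client cannot pose as the server"
revoke_cert "$PKI" client
verify_cert "$PKI" client crl || echo "client.crt rejected once the CRL is checked"
rm -rf "$PKI"
```

The nsCertType check is the reason build-key-server and build-key are separate scripts: without it (and without ns-cert-type server on the client), any holder of a valid client certificate could stand up a fake server and have other clients authenticate to it.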

  4. Server-side settings

  The server's configuration file is server.conf, as follows:

  # Which local IP address should OpenVPN

  # listen on? (optional)

  ;local a.b.c.d

  ;local *.*.*.*

  # Which TCP/UDP port should OpenVPN listen on?

  # If you want to run multiple OpenVPN instances

  # on the same machine, use a different port

  # number for each one. You will need to

  # open up this port on your firewall.

  port 5000

  # TCP or UDP server?

  ;proto tcp

  proto udp

  # "dev tun" will create a routed IP tunnel,

  # "dev tap" will create an ethernet tunnel.

  # Use "dev tap0" if you are ethernet bridging

  # and have precreated a tap0 virtual interface

  # and bridged it with your ethernet interface.

  # If you want to control access policies

  # over the VPN, you must create firewall

  # rules for the TUN/TAP interface.

  # On non-Windows systems, you can give

  # an explicit unit number, such as tun0.

  # On Windows, use "dev-node" for this.

  # On most systems, the VPN will not function

  # unless you partially or fully disable

  # the firewall for the TUN/TAP interface.

  ;dev tap

  dev tun

  # Windows needs the TAP-Win32 adapter name

  # from the Network Connections panel if you

  # have more than one. On XP SP2 or higher,

  # you may need to selectively disable the

  # Windows firewall for the TAP adapter.

  # Non-Windows systems usually don't need this.

  ;dev-node MyTap

  # SSL/TLS root certificate (ca), certificate

  # (cert), and private key (key). Each client

  # and the server must have their own cert and

  # key file. The server and all clients will

  # use the same ca file.

  #

  # See the "easy-rsa" directory for a series

  # of scripts for generating RSA certificates

  # and private keys. Remember to use

  # a unique Common Name for the server

  # and each of the client certificates.

  #

  # Any X509 key management system can be used.

  # OpenVPN can also use a PKCS #12 formatted key file

  # (see "pkcs12" directive in man page).

  ca ca.crt

  cert server.crt

  key server.key # This file should be kept secret

  # Diffie hellman parameters.

  # Generate your own with:

  # openssl dhparam -out dh1024.pem 1024

  # Substitute 2048 for 1024 if you are using

  # 2048 bit keys.

  dh dh1024.pem

  # Configure server mode and supply a VPN subnet

  # for OpenVPN to draw client addresses from.

  # The server will take 10.8.0.1 for itself,

  # the rest will be made available to clients.

  # Each client will be able to reach the server

  # on 10.8.0.1. Comment this line out if you are

  # ethernet bridging. See the man page for more info.

  server 10.8.0.0 255.255.255.0

  # Maintain a record of client <-> virtual IP address

  # associations in this file. If OpenVPN goes down or

  # is restarted, reconnecting clients can be assigned

  # the same virtual IP address from the pool that was

  # previously assigned.

  ifconfig-pool-persist ipp.txt

  # Configure server mode for ethernet bridging.

  # You must first use your OS's bridging capability

  # to bridge the TAP interface with the ethernet

  # NIC interface. Then you must manually set the

  # IP/netmask on the bridge interface, here we

  # assume 10.8.0.4/255.255.255.0. Finally we

  # must set aside an IP range in this subnet

  # (start=10.8.0.50 end=10.8.0.100) to allocate

  # to connecting clients. Leave this line commented

  # out unless you are ethernet bridging.

  ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

  # Push routes to the client to allow it

  # to reach other private subnets behind

  # the server. Remember that these

  # private subnets will also need

  # to know to route the OpenVPN client

  # address pool (10.8.0.0/255.255.255.0)

  # back to the OpenVPN server.

  #push "route 192.168.1.0 255.255.255.0"

  push "route 192.168.2.0 255.255.255.0"

  push "route 10.1.1.0 255.255.255.0"

  route 10.3.0.0 255.255.0.0

  # To assign specific IP addresses to specific

  # clients or if a connecting client has a private

  # subnet behind it that should also have VPN access,

  # use the subdirectory "ccd" for client-specific

  # configuration files (see man page for more info).

  # EXAMPLE: Suppose the client

  # having the certificate common name "Theloniou
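The server.conf excerpt above stops before the lines that load the files generated in step 3. As an added example (not part of the original article), here are the directives that do so, together with a matching client.conf for this server. It assumes OpenVPN is started from /etc/openvpn so that the relative paths resolve, that ta.key, ca.crt and the client's certificate and key have been copied to the client, and uses vpn.example.com as a placeholder for the server's public address; "group nobody" is "group nogroup" on Debian-derived systems.

```conf
# server.conf (additions to the file above)
tls-auth ta.key 0        # HMAC firewall from "openvpn --genkey"; server uses key direction 0
crl-verify vpncrl.pem    # reject certificates listed in the CRL; replace this file after every revoke-full
user nobody              # drop privileges once the tunnel is up
group nobody
persist-key              # keep keys and the tun device across restarts despite the dropped privileges
persist-tun

# client.conf (on the client)
client
dev tun
proto udp
remote vpn.example.com 5000   # placeholder host; port matches "port 5000" in server.conf
nobind
resolv-retry infinite
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1        # same ta.key as the server, opposite key direction
ns-cert-type server      # accept only a certificate made with build-key-server (nsCertType=server),
                         # so another client's certificate cannot impersonate the server
persist-key
persist-tun
verb 3
```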