配置openvpn
一、安装与配置1、软件下载
可以从“http://openvpn.net/”获得最新的软件
2、软件安装
tar xzvf openvpn-2.0.7.tar.gz
cd openvpn-2.0
./configure
make
make install
mknod /dev/net/tun c 10 200 #创建一个tun设备
echo "alias char-major-10-200 tun" >>/etc/modprobe.conf
3、初始化设置
mkdir /etc/openvpn #创建openvpn目录
cp -r easy-rsa /etc/openvpn #切换到OpenVPN源代码目录执行
cd /etc/openvpn/easy-rsa
vi vars #修改vars文件,如下:
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY=cn
#国家
export KEY_PROVINCE=Beijing
#所属省
export KEY_CITY=Beijing
#所在城市
export KEY_ORG="test"
#所属组织,CA证书也会根据这个生成
export KEY_EMAIL="…@...com"
修改后保存,下面我们开始什成keys
#. vars #使修改的变量生效
NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
#./clean-all #初始化keys目录,创建所需要的文件和目录
#./build-ca #什成Root CA证书,用于签发Server和Client证书,请保护好keys/ca.key文件
# ls keys
ca.crt ca.key index.txt serial
我们可以看到ca.crt ca.key文件已经什成了
下面我们为服务器生成 Diffie-Hellman 文件
# ./build-dh #TLS server 需要使用的一个文件
创建并签发VPN Server使用的CA
# ./build-key-server server # server 为创建后的文件名,分别为server.crt server.key
接下来为VPN Client颁发CA证书,如果以后要为其他Client颁发证书,直接使用build-key命令签发新证书。
# ./build-key client
为防止恶意攻击(如DOS、UDP port flooding),我们生成一个"HMAC firewall"
#openvpn --genkey --secret keys/ta.key
生成证书吊销链文件,防止日后有人丢失证书,被非法用户接入VPN
#./make-crl vpncrl.pem
4、服务器点设置
Server使用的配置文件server.conf,如下:
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
;local *.*.*.*
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 5000
# TCP or UDP server?
;proto tcp
proto udp
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh1024.pem
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt
# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
#push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
push "route 10.1.1.0 255.255.255.0"
route 10.3.0.0 255.255.0.0
# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).
# EXAMPLE: Suppose the client
# having the certificate common name "Theloniou