1. Download
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz
wget https://nodeload.github.com/OpenVPN/openvpn/zip/release/2.3
wget http://swupdate.openvpn.org/community/releases/openvpn-2.3.0.tar.gz
2. Install LZO
tar -xvzf lzo-2.06.tar.gz
cd lzo-2.06
./configure --prefix=/usr/local/lzo-2.06
make && make install
3. Install OpenVPN
tar zxvf openvpn-2.3.0.tar.gz
cd openvpn-2.3.0
./configure --prefix=/usr/local/openvpn-2.3.0 --with-lzo-headers=/usr/local/lzo-2.06/include --with-lzo-lib=/usr/local/lzo-2.06/lib --with-ssl-headers=/usr/include/openssl/ --with-ssl-lib=/usr/lib/openssl/
(the LZO header and library paths must point at the prefix chosen in step 2, /usr/local/lzo-2.06)
If you get the error
openvpn error: lzo enabled but missing
try the following instead:
ldconfig
CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" ./configure --prefix=/usr/local/openvpn-2.3.0
(the CFLAGS/LDFLAGS assignments have to be on the same line as ./configure, or exported first, otherwise configure never sees them; substitute the lzo-2.06 prefix paths from step 2 if LZO was installed there)
make && make install
After installation it prints these hints:
(1) make device node: mknod /dev/net/tun c 10 200
(2a) add to /etc/modules.conf: alias char-major-10-200 tun
(2b) load driver: modprobe tun
(3) enable routing: echo 1 > /proc/sys/net/ipv4/ip_forward
4. Create the tun device
mknod /dev/net/tun c 10 200
5. Copy the sample server configuration file
mkdir /etc/openvpn
cp sample/sample-config-files/server.conf /etc/openvpn/
6. Download easy-rsa
wget https://nodeload.github.com/OpenVPN/easy-rsa/zip/master
unzip master
cd easy-rsa-master
cp -R easy-rsa/ /etc/openvpn/
7. Create the certificates
cd /etc/openvpn/easy-rsa/2.0/
A brief description of the files in this directory:
vars: script that creates the environment variables and sets the variables the other scripts need
clean-all: script that creates the files and directories needed for generating the CA certificate and key files
build-ca: generates the CA certificate (interactive)
build-dh: generates the Diffie-Hellman file (interactive)
build-key-server: generates the server key (interactive)
build-key: generates a client key (interactive)
pkitool: generates certificates directly from the environment variables set by vars (non-interactive)
a. Initialize the keys directory
. ./vars (note: two dots, with a space between them)
./clean-all
./build-ca (pressing Enter at every prompt is fine)
b. Generate the Diffie-Hellman file
./build-dh
c. Generate the VPN server certificate
./build-key-server server
Then copy the newly generated CA certificate and key to /etc/openvpn/
cd keys
cp ca.crt ca.key server.crt server.key dh2048.pem /etc/openvpn/
d. Generate the client certificate and key
./build-key client
Package the client certificate and key for the client (only these three files are needed there; ca.key is the CA's private key and stays on the server)
tar zcvf userkeys.tar.gz ca.crt client.crt client.key
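A client needs only ca.crt, client.crt and client.key; ca.key signs every certificate the server will trust and must never leave the server. The following is an added example, not code from the post or from easy-rsa, of packaging the client files so that a server-side private key cannot slip into the bundle, with owner-only permissions on the key and a SHA-256 manifest the client can check after the transfer. It assumes the easy-rsa keys directory layout and file names used above and that sha256sum is installed.

```shell
#!/bin/sh
# Added example, not part of the original post: package the client credentials
# produced by easy-rsa in step 7 so that server-side private keys (ca.key,
# server.key) can never end up in the bundle, lock down the key file mode, and
# write a SHA-256 manifest the client can check after the transfer.
# Assumptions: <keys_dir> is the easy-rsa "keys" directory; the file names are
# those the post uses (ca.crt, client.crt, client.key); sha256sum is available.

# make_client_bundle <keys_dir> <out.tar.gz> <file>...
# Exit status: 0 on success, 1 if a listed file is missing, 2 if a server-side
# private key was requested.
make_client_bundle() {
    keys_dir=$1; out=$2; shift 2
    for f in "$@"; do
        case $f in
            ca.key|server.key|*/ca.key|*/server.key)
                echo "refusing to package server-side private key: $f" >&2
                return 2 ;;
        esac
        [ -f "$keys_dir/$f" ] || { echo "missing $keys_dir/$f" >&2; return 1; }
    done
    staging=$(mktemp -d) || return 1
    for f in "$@"; do
        cp "$keys_dir/$f" "$staging/"
    done
    # Private keys are readable by the owner only; certificates may stay world-readable.
    for f in "$staging"/*.key; do
        if [ -e "$f" ]; then chmod 600 "$f"; fi
    done
    # Manifest: the client runs "sha256sum -c MANIFEST.sha256" after unpacking.
    (cd "$staging" && sha256sum "$@" > MANIFEST.sha256) || { rm -rf "$staging"; return 1; }
    tar -C "$staging" -czf "$out" "$@" MANIFEST.sha256
    rc=$?
    rm -rf "$staging"
    return $rc
}

# bundle_members <bundle.tar.gz>: list the archive members, one per line.
bundle_members() {
    tar -tzf "$1"
}

# bundle_has_private_ca <bundle.tar.gz>: 0 if ca.key is inside (bad), 1 otherwise.
bundle_has_private_ca() {
    bundle_members "$1" | grep -qx 'ca.key'
}

# Usage on the server, from /etc/openvpn/easy-rsa/2.0:
#   make_client_bundle keys userkeys.tar.gz ca.crt client.crt client.key
```

On the client, unpack the archive and run sha256sum -c MANIFEST.sha256 before dropping the files into the config\keys folder; the function refuses the file list the post originally used because it contained ca.key.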
8. Edit the configuration file
vi /etc/openvpn/openvpn.conf
port 8099
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
dh /etc/openvpn/dh2048.pem
server 172.16.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
9. Start OpenVPN and check it
ln -s /usr/local/openvpn-2.3.0 /usr/local/openvpn
/usr/local/openvpn/sbin/openvpn --daemon --config /etc/openvpn/openvpn.conf
netstat -tunlp
10. Set up iptables
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 8099 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 8099 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 172.16.1.0/24 -j SNAT --to-source 100.100.100.100
100.100.100.100 is the IP address of eth0, the VPN server's external interface; this rule is what lets clients reach the outside Internet through the VPN. The source subnet must be the one given on the server line of the config (172.16.1.0/24). Alternatively, you can set it up like this:
iptables -t nat -A POSTROUTING -o eth0 -s 172.16.1.0/24 -j MASQUERADE
This is the more general method, suitable for dynamic public addresses such as ADSL dial-up.
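The NAT source subnet has to be the one configured on the server line in step 8, and the ip_forward setting from the post-install hints has to be on, otherwise the rules above do nothing. The following is an added example, not from the post, that derives the rules from the config file instead of typing the addresses twice, checks forwarding, and flags directives from the step 8 config that widen exposure. The config path, interface name and public IP are parameters; it goes beyond the post by also emitting FORWARD rules (needed when that chain's policy is DROP) and a MASQUERADE variant, and it prints the commands rather than applying them.

```shell
#!/bin/sh
# Added example, not part of the original post: derive the firewall rules of
# step 10 from the server config of step 8 so the NAT source subnet always
# matches the "server" line, check the ip_forward prerequisite from the
# install hints, and report config directives worth a second look.
# Rules are printed, not applied; interface, public IP and config path are
# parameters chosen by the caller.

# mask_to_prefix <dotted netmask>: 255.255.255.0 -> 24. Fails on non-contiguous masks.
mask_to_prefix() {
    prefix=0; seen_gap=0
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        # once a non-255 octet has appeared, every later octet must be 0
        if [ "$seen_gap" = 1 ] && [ "$octet" != 0 ]; then IFS=$old_ifs; return 1; fi
        case $octet in
            255) prefix=$((prefix + 8)) ;;
            254) prefix=$((prefix + 7)) ;;
            252) prefix=$((prefix + 6)) ;;
            248) prefix=$((prefix + 5)) ;;
            240) prefix=$((prefix + 4)) ;;
            224) prefix=$((prefix + 3)) ;;
            192) prefix=$((prefix + 2)) ;;
            128) prefix=$((prefix + 1)) ;;
            0)   ;;
            *)   IFS=$old_ifs; return 1 ;;
        esac
        if [ "$octet" != 255 ]; then seen_gap=1; fi
    done
    IFS=$old_ifs
    echo "$prefix"
}

# subnet_from_conf <openvpn.conf>: print the VPN subnet in CIDR form.
subnet_from_conf() {
    set -- $(awk '$1 == "server" { print $2, $3; exit }' "$1")
    [ $# -eq 2 ] || return 1
    prefix=$(mask_to_prefix "$2") || return 1
    echo "$1/$prefix"
}

# listen_from_conf <openvpn.conf>: print "<port> <tcp|udp>", defaulting to 1194 udp.
listen_from_conf() {
    awk 'BEGIN { p = 1194; pr = "udp" }
         $1 == "port"  { p = $2 }
         $1 == "proto" { pr = $2 }
         END { sub(/-.*$/, "", pr); sub(/[46]$/, "", pr); print p, pr }' "$1"
}

# forwarding_enabled [<ip_forward file>]: 0 if the kernel forwards IPv4 packets.
# The optional path exists so the check can be run against a sample file.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

# nat_rules <openvpn.conf> <wan_if> <wan_ip|->: print the iptables commands.
# "-" selects MASQUERADE for a dynamic public address, as the post suggests.
nat_rules() {
    conf=$1; wan_if=$2; wan_ip=$3
    subnet=$(subnet_from_conf "$conf") || return 1
    set -- $(listen_from_conf "$conf")
    port=$1; proto=$2
    echo "iptables -A INPUT -p $proto -m state --state NEW --dport $port -j ACCEPT"
    # FORWARD rules are needed when the chain policy is DROP; the post omits them.
    echo "iptables -A FORWARD -i tun+ -s $subnet -o $wan_if -j ACCEPT"
    echo "iptables -A FORWARD -i $wan_if -o tun+ -d $subnet -m state --state ESTABLISHED,RELATED -j ACCEPT"
    if [ "$wan_ip" = "-" ]; then
        echo "iptables -t nat -A POSTROUTING -o $wan_if -s $subnet -j MASQUERADE"
    else
        echo "iptables -t nat -A POSTROUTING -o $wan_if -s $subnet -j SNAT --to-source $wan_ip"
    fi
}

# audit_conf <openvpn.conf>: one line per directive worth reconsidering.
audit_conf() {
    awk '
        $1 == "duplicate-cn"     { print "duplicate-cn: several clients may share one certificate, so a leaked client.key is not attributable and revoking it locks out everyone who shares it" }
        $1 == "client-to-client" { print "client-to-client: traffic between clients is switched inside OpenVPN, so the host iptables rules never see it" }
        $1 == "comp-lzo"         { print "comp-lzo: compressing traffic inside the tunnel is discouraged by the OpenVPN project; drop it unless the link needs it" }
        $1 == "user"             { has_user = 1 }
        $1 == "group"            { has_group = 1 }
        END { if (!has_user || !has_group) print "user/group: daemon keeps root privileges after startup" }
    ' "$1"
}

# Usage: nat_rules /etc/openvpn/openvpn.conf eth0 100.100.100.100
#        nat_rules /etc/openvpn/openvpn.conf eth0 -        (MASQUERADE)
#        forwarding_enabled || echo 1 > /proc/sys/net/ipv4/ip_forward
#        audit_conf /etc/openvpn/openvpn.conf
```

Review the printed rules, then apply them; for the step 8 config the audit reports duplicate-cn, client-to-client and comp-lzo, while user/group nobody passes.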
11. Client installation and configuration
My client runs Windows XP. Download the latest client from the OpenVPN website and install it; clicking Next through the installer is all it takes.
After that, copy the three files ca.crt, client.crt and client.key from the /etc/openvpn/keys/ directory on the VPN server into the "C:\Program Files\openvpn\config\keys" folder.
Then connect:
http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.0-I004-i686.exe
PS: OpenVPN requires a client to be installed, and multiple users cannot connect at the same time either.
References:
http://lxsym.blog.51cto.com/1364623/772075
http://blog.jiechic.com/archives/budgetvm-install-openvpn-vpn-vps-server
http://www.itdhz.com/post-287.html
http://www.kdolphin.com/1120
http://blog.creke.net/748.html
http://luxiaok.blog.51cto.com/2177896/1078375
http://docs.linuxtone.org/ebooks/VPN/openvpn%E9%9B%86%E5%90%88.pdf