

Installing OpenVPN on CentOS 5.8 Linux

1. Download

wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz
wget https://nodeload.github.com/OpenVPN/openvpn/zip/release/2.3
wget http://swupdate.openvpn.org/community/releases/openvpn-2.3.0.tar.gz

The GitHub zip is a snapshot of the 2.3 release branch; the steps below build from the openvpn-2.3.0.tar.gz release tarball, so the zip is optional.

2. Install LZO

tar -xvzf lzo-2.06.tar.gz
cd lzo-2.06
./configure --prefix=/usr/local/lzo-2.06
make && make install

3. Install OpenVPN

This needs the OpenSSL development headers (the openssl-devel package on CentOS) in addition to the LZO build from step 2.

tar zxvf openvpn-2.3.0.tar.gz
cd openvpn-2.3.0
./configure --prefix=/usr/local/openvpn-2.3.0 --with-lzo-headers=/usr/local/lzo-2.06/include --with-lzo-lib=/usr/local/lzo-2.06/lib --with-ssl-headers=/usr/include --with-ssl-lib=/usr/lib

Two path corrections against the original: LZO was installed under /usr/local/lzo-2.06, so its headers live in /usr/local/lzo-2.06/include (the original pointed at a non-existent /usr/local/lzo/include/lzo-2.06), and the OpenVPN sources include <openssl/ssl.h>, so the header directory is /usr/include, not /usr/include/openssl. These --with-* options date from older OpenVPN releases; if the 2.3 configure script rejects them, use the CFLAGS/LDFLAGS form in the next step.

If configure fails with "openvpn error: lzo enabled but missing", pass the LZO location through the compiler and linker flags instead:

ldconfig
CFLAGS="-I/usr/local/lzo-2.06/include" LDFLAGS="-L/usr/local/lzo-2.06/lib" ./configure --prefix=/usr/local/openvpn-2.3.0
make && make install

The original used /usr/local/include and /usr/local/lib, which only contain LZO if it was built with its default prefix; the flags here point at the prefix chosen in step 2. Add /usr/local/lzo-2.06/lib to /etc/ld.so.conf before running ldconfig, otherwise the openvpn binary will not find liblzo2 at run time even though it linked.

The install finishes with these hints:

(1) make device node: mknod /dev/net/tun c 10 200
(2a) add to /etc/modules.conf: alias char-major-10-200 tun
(2b) load driver: modprobe tun
(3) enable routing: echo 1 > /proc/sys/net/ipv4/ip_forward

Hint (3) is what step 10 relies on, and writing to /proc does not survive a reboot; set net.ipv4.ip_forward = 1 in /etc/sysctl.conf as well.

4. Create the tun device

mknod /dev/net/tun c 10 200

Also load the driver (modprobe tun, hint 2b above) and confirm /dev/net/tun exists before starting the server; without it OpenVPN fails at startup when it opens the tun device.

5. Copy the sample server configuration

mkdir /etc/openvpn
cp sample/sample-config-files/server.conf /etc/openvpn/openvpn.conf

Step 8 edits /etc/openvpn/openvpn.conf and step 9 starts the daemon with that file, so the sample is copied under that name here (the original copied it as server.conf and then edited a different file).

6. Download easy-rsa

wget https://nodeload.github.com/OpenVPN/easy-rsa/zip/master
unzip master
cd easy-rsa-master
cp -R easy-rsa/ /etc/openvpn/

7. Create the certificates

cd /etc/openvpn/easy-rsa/2.0/

A short description of the files in this directory:

vars: sets the environment variables the other scripts use (key size, certificate fields, output directory)
clean-all: creates the files and directories needed for generating the CA certificate and keys (it empties the keys directory, so run it only once)
build-ca: generates the CA certificate and key (interactive)
build-dh: generates the Diffie-Hellman parameters
build-key-server: generates the server certificate and key (interactive)
build-key: generates a client certificate and key (interactive)
pkitool: generates certificates directly from the vars settings (non-interactive)

Before sourcing vars, check KEY_SIZE in it: that value sets both the RSA key length and the name of the DH file (dh1024.pem or dh2048.pem). The configuration in step 8 expects dh2048.pem, so set KEY_SIZE=2048.

a. Initialize the keys directory

. ./vars (a dot, a space, then ./vars: this sources the file into the current shell)
./clean-all
./build-ca (press Enter to accept the defaults)

b. Generate the Diffie-Hellman parameters

./build-dh

With KEY_SIZE=2048 this writes keys/dh2048.pem, the name used in step 8.

c. Generate the server certificate

./build-key-server server

Copy the CA certificate and the server certificate, key and DH parameters to /etc/openvpn/:

cd keys
cp ca.crt server.crt server.key dh2048.pem /etc/openvpn/

The server only needs ca.crt to verify clients. ca.key is the signing key; leave it in the easy-rsa keys directory (or take it offline) rather than copying it into the server's runtime directory as the original did.

d. Generate a client certificate and key

./build-key client

Package the client's files for delivery:

tar zcvf userkeys.tar.gz ca.crt client.crt client.key

A client needs exactly these three files. Never ship ca.key (the original tarball included it): whoever holds the CA key can issue certificates that the server accepts. client.csr is a leftover from signing and is not needed either. Transfer the archive over a secure channel such as scp, and issue a separate certificate for each user (./build-key with a different name) rather than sharing this one.

8. Edit the configuration file: vi /etc/openvpn/openvpn.conf

port 8099
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
dh /etc/openvpn/dh2048.pem
server 172.16.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3

Notes on these settings:

duplicate-cn lets several clients connect with the same certificate at once; it is only needed because step 7 issues a single "client" certificate. With one certificate per user it can be dropped, and a lost laptop can then be revoked without locking everyone else out.
client-to-client lets VPN clients reach each other through the server; omit it unless that is wanted.
push "dhcp-option DNS 8.8.8.8" only affects Windows clients. To send all client traffic through the tunnel (which is what the NAT rules in step 10 are for) the server also has to push "redirect-gateway def1"; otherwise only traffic for 172.16.1.0/24 uses the VPN.
The original listed both log and log-append for the same file; log-append keeps the history across restarts, so only it is kept here.

9. Start OpenVPN and check that it is listening

ln -s /usr/local/openvpn-2.3.0 /usr/local/openvpn
/usr/local/openvpn/sbin/openvpn --daemon --config /etc/openvpn/openvpn.conf
netstat -tunlp

netstat should show openvpn bound to UDP port 8099; if it is missing, /var/log/openvpn.log has the startup error.

10. Configure iptables

iptables -t nat -A POSTROUTING -o eth0 -s 172.16.1.0/24 -j SNAT --to-source 100.100.100.100
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 8099 -j ACCEPT

100.100.100.100 is the IP address of the VPN server's public interface eth0; the SNAT rule is what lets clients reach the internet through the VPN server. The original also SNATed 172.16.2.0/24 and accepted TCP 8099, but the server directive is 172.16.1.0 255.255.255.0 and proto is udp, so those rules never match and are left out here. If the FORWARD chain's default policy is DROP, traffic between tun0 and eth0 must be allowed there as well, and ip_forward (step 3 of the install hints) must be enabled. Alternatively:

iptables -t nat -A POSTROUTING -o eth0 -s 172.16.1.0/24 -j MASQUERADE

This is the more general form and suits a dynamic public address such as an ADSL dial-up connection, since no fixed source IP has to be written into the rule.

11. Client installation and configuration

My client runs Windows XP. Download the latest client installer from the OpenVPN site and install it, accepting the defaults:

http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.0-I004-i686.exe

Then copy ca.crt, client.crt and client.key from the server's /etc/openvpn/easy-rsa/2.0/keys/ directory (the original said /etc/openvpn/keys/, but that is where the easy-rsa scripts write) into C:\Program Files\OpenVPN\config\keys\, point the client profile (sample client.conf, saved with an .ovpn extension on Windows) at those three files and at the server's public IP with port 8099 and proto udp, and connect.

PS: OpenVPN needs the client program on every machine. If several users share a single certificate they can only be connected at the same time when duplicate-cn is set; the cleaner option is one certificate per user.
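The certificate and client-bundle steps above (7c, 7d and 11), as an added shell example that is not part of the original post: it issues a toy CA and a per-client certificate with openssl directly instead of the easy-rsa scripts, assembles a single-file .ovpn with the CA certificate, client certificate and client key inline (OpenVPN 2.3 clients accept <ca>, <cert> and <key> blocks), and checks that the client certificate chains to the CA and that the CA private key has not been copied into the bundle. The hostname vpn.example.com, the scratch directory and the client name are assumptions; remote-cert-tls server assumes the server certificate was made with build-key-server, which marks it as a server certificate.

```shell
#!/bin/sh
# Added example (not from the original post): issue a per-client certificate
# and build a single-file .ovpn bundle for it, then check the bundle.
# Uses openssl directly in place of the easy-rsa scripts (assumption).
# vpn.example.com, port 8099, $WORK and the client name are placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"                  # scratch PKI directory (assumption)
SERVER_ADDR="${SERVER_ADDR:-vpn.example.com}" # placeholder server hostname
SERVER_PORT="${SERVER_PORT:-8099}"            # matches "port 8099" in the server config

# 1. Toy CA, the equivalent of build-ca. ca.key never leaves $WORK/ca.
make_ca() {
  mkdir -p "$WORK/ca"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example VPN CA" \
    -keyout "$WORK/ca/ca.key" -out "$WORK/ca/ca.crt" 2>/dev/null
  chmod 600 "$WORK/ca/ca.key"
}

# 2. One certificate per client (build-key equivalent). A distinct CN per
#    client lets the server tell them apart, so duplicate-cn is not needed
#    and a single client can later be revoked on its own.
issue_client() {
  name="$1"
  mkdir -p "$WORK/clients"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/clients/$name.key" -out "$WORK/clients/$name.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/clients/$name.csr" \
    -CA "$WORK/ca/ca.crt" -CAkey "$WORK/ca/ca.key" -CAcreateserial \
    -out "$WORK/clients/$name.crt" 2>/dev/null
  chmod 600 "$WORK/clients/$name.key"
}

# 3. Client profile with the CA cert, client cert and client key inline,
#    so the user receives one file instead of a tarball of loose keys.
#    The CA private key is deliberately not part of it.
make_ovpn() {
  name="$1"
  out="$WORK/clients/$name.ovpn"
  {
    echo "client"
    echo "dev tun"
    echo "proto udp"
    echo "remote $SERVER_ADDR $SERVER_PORT"
    echo "nobind"
    echo "persist-key"
    echo "persist-tun"
    echo "remote-cert-tls server"   # refuse a peer that presents a client cert as the server
    echo "comp-lzo"                 # the server config above uses comp-lzo
    echo "verb 3"
    echo "<ca>";   cat "$WORK/ca/ca.crt";         echo "</ca>"
    echo "<cert>"; cat "$WORK/clients/$name.crt"; echo "</cert>"
    echo "<key>";  cat "$WORK/clients/$name.key"; echo "</key>"
  } > "$out"
  chmod 600 "$out"   # the file carries a private key
  echo "$out"
}

# 4. Checks before handing the profile out: the client cert verifies against
#    the CA, the CA private key did not leak into the file, and the
#    connection directives are present. Returns non-zero on any failure.
check_ovpn() {
  name="$1"
  f="$WORK/clients/$name.ovpn"
  openssl verify -CAfile "$WORK/ca/ca.crt" "$WORK/clients/$name.crt" >/dev/null 2>&1 || return 1
  ca_key_line=$(sed -n 2p "$WORK/ca/ca.key")   # a base64 line unique to the CA key
  if grep -qF -- "$ca_key_line" "$f"; then return 1; fi
  grep -q '^<key>$' "$f" && grep -q '^</key>$' "$f" \
    && grep -q "^remote $SERVER_ADDR $SERVER_PORT\$" "$f"
}

# Usage: sh mkclient.sh alice   -> prints the path of alice.ovpn
if [ "$#" -gt 0 ]; then
  make_ca
  issue_client "$1"
  make_ovpn "$1"
  check_ovpn "$1" && echo "bundle OK"
fi
```

Run once per user (sh mkclient.sh alice, sh mkclient.sh bob) against the same $WORK so every user gets a certificate with their own CN; the inline profile replaces the userkeys.tar.gz of step 7d and, unlike it, cannot accidentally carry ca.key.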
