1. Packages: lzo, openvpn, openssl
2. System environment: VPS, CentOS 5
3. Install from source:

    tar xzvf openssl-version.tar.gz
    tar xzvf lzo-version.tar.gz
    tar xzvf openvpn-version.tar.gz
    cd /openssl
    ./config --prefix=/usr/local/openssl
    make; make install
    cd ..
    cd /lzo
    ./configure
    make; make install
    cd ..
    cd openvpn
    ./configure --with-lzo-headers=/usr/local/lzo/include --with-lzo-lib=/usr/local/lzo/lib
    make; make install

4. Generate certificates:

    cd /root/openvpn-2.0.9/easy-rsa

a) Set the key-generation variables:
    i.    export D=`pwd`
    ii.   export KEY_CONFIG=$D/openssl.cnf
    iii.  export KEY_DIR=$D/keys
    iv.   export KEY_SIZE=1024
    v.    export KEY_COUNTRY=CN
    vi.   export KEY_PROVINCE=BJ
    vii.  export KEY_CITY=BJ
    viii. export KEY_ORG="buaa"
    ix.   export KEY_EMAIL=
b) ./clean-all
c) ./build-ca

    ./clean-all
    ./build-ca
    Generating a 1024 bit RSA private key
    .....+++
    .....+++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [BJ]:
    Locality Name (eg, city) [BJ]:
    Organization Name (eg, company) [dvdmaster]: buaa
    Organizational Unit Name (eg, section) []:gait
    Common Name (eg, your name or your server's hostname) []:server
    Email Address []:

d) ./build-key-server server

    ./build-key-server server
    Generating a 1024 bit RSA private key
    .....+++
    .....+++
    writing new private key to 'server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [BJ]:
    Locality Name (eg, city) [BJ]:
    Organization Name (eg, company) [buaa]:
    Organizational Unit Name (eg, section) []:gait
    Common Name (eg, your name or your server's hostname) []:server
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:abcd1234
    An optional company name []:dvdmaster
    Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'CN'
    stateOrProvinceName   :PRINTABLE:'GD'
    localityName          :PRINTABLE:'SZ'
    organizationName      :PRINTABLE:'dvdmaster'
    organizationalUnitName:PRINTABLE:'dvdmaster'
    commonName            :PRINTABLE:'server'
    emailAddress          :IA5STRING:''
    Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

5. Client certificates

With this OpenVPN configuration every VPN client that logs in needs its own certificate, and each certificate can serve only one connected client at a time (if two machines install the same certificate and dial the server simultaneously, both connect, but only the first one to connect actually gets network access). Many certificates are therefore needed. Three are created below, named client1 through client3.

    ./build-key client1
    Generating a 1024 bit RSA private key
    .....+++
    .....+++
    writing new private key to 'client1.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [BJ]:
    Locality Name (eg, city) [BJ]:
    Organization Name (eg, company) [buaa]:
    Organizational Unit Name (eg, section) []:gait
    Common Name (eg, your name or your server's hostname) []:client1   # Important: the certificate generated for each client must have a different name.
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:abcd1234
    An optional company name []:gait
    Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'CN'
    stateOrProvinceName   :PRINTABLE:'GD'
    localityName          :PRINTABLE:'SZ'
    organizationName      :PRINTABLE:'dvdmaster'
    organizationalUnitName:PRINTABLE:'dvdmaster'
    commonName            :PRINTABLE:'client1'
    emailAddress          :IA5STRING:''
    Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

f) Generate the remaining client certificates/keys in the same way:

    ./build-key client2
    ./build-key client3

   Note: at the prompt "Common Name (eg, your name or your server's hostname) []:", the name entered for each certificate must be different.
g) Run ./build-dh
h) All generated certificates are under /root/openvpn-2.0.9/easy-rsa/keys.
   i. The server needs ca.crt, server.crt, server.key and dh1024.pem; each client needs ca.crt plus its own client1-3.crt and client1-3.key.

7. Configuration file
a) cp /root/openvpn-2.0.9/sample-config-files/server.conf /usr/local/etc/server.conf
b) vi /usr/local/etc/server.conf
   i.   Change "proto udp" to "proto tcp".
   ii.  Change the four ca/cert/key/dh lines to:

        ca /root/openvpn-2.0.9/easy-rsa/keys/ca.crt
        cert /root/openvpn-2.0.9/easy-rsa/keys/server.crt
        key /root/openvpn-2.0.9/easy-rsa/keys/server.key
        dh /root/openvpn-2.0.9/easy-rsa/keys/dh1024.pem

   iii. For the full server.conf, see the reference file server.conf.

8. Start the service
a) Remove every rule on the server and the firewall that blocks SSH (22) and OpenVPN (1194).
b) echo 1 > /proc/sys/net/ipv4/ip_forward
c) /usr/local/sbin/openvpn --config /usr/local/etc/server.conf
d) To start at boot, append to the end of /etc/rc.local:

    /usr/local/sbin/openvpn --config /usr/local/etc/server.conf > /dev/null 2>&1 &

   Synchronize the clock from a network time source: ntpdate pool.ntp.org

5. On an OpenVZ VPS, run the following before setting up OpenVPN, otherwise the TUN device cannot be brought up:

    vzctl set 120 --devices c:10:200:rw --save
    vzctl exec 120 mkdir -p /dev/net
    vzctl exec 120 mknod /dev/net/tun c 10 200
    vzctl exec 120 chmod 600 /dev/net/tun

6. In vi /etc/vz/vz.conf, find:

    # IPv4 iptables kernel modules
    IPTABLES="iptable_nat ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"

and add these modules to the container config, vi /etc/vz/conf/120.conf:

    # CPU fair sheduler parameter
    CPUUNITS="1000"
    VE_ROOT="/vz/root/$VEID"
    VE_PRIVATE="/vz/private/$VEID"
    OSTEMPLATE="centos-4-i386-default"
    ORIGIN_SAMPLE="vps.basic"
    IP_ADDRESS="61.191.20.26"
    HOSTNAME="vps120"
    NAMESERVER="202.102.192.68"
    DEVICES="c:10:200:rw "
    IPTABLES="ip_tables iptable_nat iptable_filter iptable_mangle ipt_limit ipt_REJECT ipt_length "
    CAPABILITY="NET_ADMIN:on "

Otherwise it reports that the nat/filter modules do not exist and the kernel would have to be recompiled. Then run:

    vzctl set 120 --iptables iptable_filter --iptables ipt_length --iptables ipt_limit --iptables iptable_mangle --iptables ipt_REJECT --save

and reboot the OpenVZ host. Finally, enable NAT in iptables:

    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 61.191.20.26

When using OpenVPN on XP/Vista, if it fails with the log message "至少有一个参数不正确" (at least one parameter is incorrect), add the following to the client configuration file:

    route-method exe
    route-delay 2
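As an added check, not part of the original guide, the script below audits what steps 4, 5 and 7 leave behind: it scans the easy-rsa certificate database (keys/index.txt) for clients that were issued the same Common Name, which the guide warns against, and verifies that the ca/cert/key/dh files named in server.conf exist and that the private key is not readable by others. It assumes the easy-rsa 2.x index.txt layout and GNU stat; the sample data in make_sample is constructed for the demonstration.

```shell
# Added example, not part of the original guide: audit what the easy-rsa and
# server.conf steps above leave behind. Assumes the easy-rsa 2.x keys/index.txt
# layout (tab separated, status in field 1, subject DN last) and GNU stat.

# Exit 0 if every valid (status V) entry has a distinct CN, 1 otherwise. The
# guide warns the CN must differ per client: with a shared certificate only
# the first client to connect actually gets network access.
check_unique_cn() {
    awk -F'\t' '
        $1 == "V" {
            cn = ""
            n = split($NF, parts, "/")
            for (i = 1; i <= n; i++)
                if (parts[i] ~ /^CN=/) cn = substr(parts[i], 4)
            if (cn == "") next
            if (cn in seen) { print "duplicate CN: " cn; dup = 1 }
            seen[cn] = 1
        }
        END { exit dup ? 1 : 0 }' "$1"
}

# Exit 0 if each ca/cert/key/dh file named in server.conf is readable and the
# private key is mode 600, 1 otherwise.
check_server_conf() {
    rc=0
    while read -r directive path _; do
        case "$directive" in
            ca|cert|key|dh)
                if [ ! -r "$path" ]; then
                    echo "missing: $directive $path"; rc=1
                elif [ "$directive" = key ] && [ "$(stat -c %a "$path")" != 600 ]; then
                    echo "key too permissive: $path"; rc=1
                fi ;;
        esac
    done < "$1"
    return $rc
}

# Constructed sample (not from the guide): client2 mis-issued as CN=client1; dh file missing.
make_sample() {
    d=$(mktemp -d)
    dn='/C=CN/ST=BJ/L=BJ/O=buaa/OU=gait'
    printf 'V\t160319081531Z\t\t01\tunknown\t%s/CN=server/emailAddress=\n' "$dn" > "$d/index.txt"
    printf 'V\t160319082200Z\t\t02\tunknown\t%s/CN=client1/emailAddress=\n' "$dn" >> "$d/index.txt"
    printf 'V\t160319082300Z\t\t03\tunknown\t%s/CN=client1/emailAddress=\n' "$dn" >> "$d/index.txt"
    touch "$d/ca.crt" "$d/server.crt" "$d/server.key"; chmod 600 "$d/server.key"
    printf 'proto tcp\nca %s/ca.crt\ncert %s/server.crt\nkey %s/server.key\ndh %s/dh1024.pem\n' \
        "$d" "$d" "$d" "$d" > "$d/server.conf"
    echo "$d"
}
```

Run `d=$(make_sample); check_unique_cn "$d/index.txt"; check_server_conf "$d/server.conf"` to see both findings; on a real install point the two functions at easy-rsa/keys/index.txt and /usr/local/etc/server.conf.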