1. Packages: lzo, openvpn, openssl
2. System environment: VPS running CentOS 5
3. Install by compiling from source
tar xzvf openssl-version.tar.gz
tar xzvf lzo-version.tar.gz
tar xzvf openvpn-version.tar.gz
cd openssl-version
./config --prefix=/usr/local/openssl
make && make install
cd ..
cd lzo-version
./configure --prefix=/usr/local/lzo
make && make install
cd ..
cd openvpn-version
./configure --with-lzo-headers=/usr/local/lzo/include --with-lzo-lib=/usr/local/lzo/lib
make && make install
4. Generate certificates:
cd /root/openvpn-2.0.9/easy-rsa
a) Set the easy-rsa variables:
i. export D=`pwd`
ii. export KEY_CONFIG=$D/openssl.cnf
iii. export KEY_DIR=$D/keys
iv. export KEY_SIZE=1024
v. export KEY_COUNTRY=CN
vi. export KEY_PROVINCE=BJ
vii. export KEY_CITY=BJ
viii. export KEY_ORG="buaa"
ix. export KEY_EMAIL=liang3391@126.com
b) ./clean-all
c) ./build-ca
./clean-all
./build-ca
Generating a 1024 bit RSA private key
................++++++
........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [dvdmaster]: buaa
Organizational Unit Name (eg, section) []:gait
Common Name (eg, your name or your server's hostname) []:server
Email Address [liang3391@126.com]:
d) ./build-key-server server
./build-key-server server
Generating a 1024 bit RSA private key
......++++++
....................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [buaa]:
Organizational Unit Name (eg, section) []:gait
Common Name (eg, your name or your server's hostname) []:server
Email Address [support@cooldvd.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:dvdmaster
Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'dvdmaster'
organizationalUnitName:PRINTABLE:'dvdmaster'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'support@cooldvd.com'
Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
5. Client certificates
With this OpenVPN configuration every VPN client that logs in needs its own certificate, and each certificate can serve only one client at a time (if two machines install the same certificate and dial the server at the same time, both connect, but only the first one to connect gets network access). So a separate certificate has to be created for each client. Below we create three, named client1 to client3.
e) ./build-key client1
Generating a 1024 bit RSA private key
.....++++++
......++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [buaa]:
Organizational Unit Name (eg, section) []:gait
Common Name (eg, your name or your server's hostname) []:client1   # Important: the certificate generated for each client must have a different name.
Email Address [support@cooldvd.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:gait
Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'dvdmaster'
organizationalUnitName:PRINTABLE:'dvdmaster'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'support@cooldvd.com'
Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
f) Generate the remaining client certificates/keys the same way:
./build-key client2
./build-key client3
Note: at the Common Name (eg, your name or your server's hostname) []: prompt, each certificate must be given a different name.
g) Run ./build-dh
h) All generated certificates are in /root/openvpn-2.0.9/easy-rsa/keys.
i. The server needs ca.crt, server.crt, server.key and dh1024.pem; each client needs ca.crt plus its own certificate and key (client1.crt and client1.key through client3.crt and client3.key).
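Two of the rules above are left to the operator's memory: every client gets a distinct Common Name, and certificate validity is judged against the clock of the machine checking it. Both can be audited from the CA database that the build-key scripts update through openssl ca (the "Write out database" line in the transcripts), which easy-rsa keeps in keys/index.txt. The following Python script is an added example, not code from the original post or from easy-rsa. The index.txt lines in it are constructed to match the format openssl ca writes (placeholder e-mail addresses, not the post's); note that index.txt records only each certificate's expiry, so the clock comparison here covers expiry, while a client that reports a certificate as not yet valid has to be diagnosed from the certificate file itself.

```python
"""Audit an easy-rsa CA database (keys/index.txt) for two client-certificate
pitfalls: several valid certificates issued under one Common Name, and
certificates whose validity has run out relative to a given clock.
Added example, not part of the original post; the index content is constructed."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed CA database in openssl ca's index.txt format. Tab-separated columns:
# status (V valid, R revoked, E expired), expiry, revocation date, serial, file, subject DN.
SAMPLE_INDEX = "\n".join([
    "V\t160319081531Z\t\t01\tunknown\t/C=CN/ST=BJ/L=BJ/O=buaa/OU=gait/CN=server/emailAddress=admin@example.invalid",
    "V\t160319082200Z\t\t02\tunknown\t/C=CN/ST=BJ/L=BJ/O=buaa/OU=gait/CN=client1/emailAddress=admin@example.invalid",
    "V\t170319082300Z\t\t03\tunknown\t/C=CN/ST=BJ/L=BJ/O=buaa/OU=gait/CN=client2/emailAddress=admin@example.invalid",
    "V\t170319082400Z\t\t04\tunknown\t/C=CN/ST=BJ/L=BJ/O=buaa/OU=gait/CN=client1/emailAddress=admin@example.invalid",
    "R\t170319082500Z\t150101000000Z\t05\tunknown\t/C=CN/ST=BJ/L=BJ/O=buaa/OU=gait/CN=client3/emailAddress=admin@example.invalid",
])


def utc(*parts):
    """Shorthand for a UTC timestamp, e.g. utc(2016, 3, 1)."""
    return datetime(*parts, tzinfo=timezone.utc)


def parse_index_time(value):
    """openssl ca writes UTCTime (YYMMDDHHMMSSZ) for dates before 2050 and
    GeneralizedTime (YYYYMMDDHHMMSSZ) from 2050 on; both are UTC."""
    fmt = "%y%m%d%H%M%SZ" if len(value) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_index(text):
    """One dict per index.txt line with status, serial, CN and parsed dates."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _filename, subject = line.split("\t")
        # Naive DN split: assumes no escaped '/' inside attribute values.
        dn = dict(part.split("=", 1) for part in subject.split("/") if "=" in part)
        entries.append({
            "status": status,
            "serial": serial,
            "cn": dn.get("CN", ""),
            "expires": parse_index_time(expiry),
            "revoked": parse_index_time(revoked) if revoked else None,
        })
    return entries


def audit(text, now, warn_days=30):
    """Findings to review before handing out client certificates."""
    entries = parse_index(text)
    valid = [e for e in entries if e["status"] == "V"]
    by_cn = Counter(e["cn"] for e in valid)
    soon = now + timedelta(days=warn_days)
    return {
        # Two valid certificates with one CN: the second client to connect gets
        # no traffic, the same effect as one certificate installed on two machines.
        "duplicate_cn": sorted(cn for cn, n in by_cn.items() if n > 1),
        # Judged against the clock passed in; pass a client's (possibly skewed)
        # clock to see what that client would reject.
        "expired": sorted({e["cn"] for e in valid if e["expires"] <= now}),
        "expiring_soon": sorted({e["cn"] for e in valid if now < e["expires"] <= soon}),
        "revoked": sorted({e["cn"] for e in entries if e["status"] == "R"}),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_INDEX, datetime.now(timezone.utc))
    for key, names in report.items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Run it against the real file with `audit(open("keys/index.txt").read(), datetime.now(timezone.utc))`; a client that keeps dialing in but never passes traffic while another client with the same name is connected will show up under duplicate_cn.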
6. Configuration files
a) cp /root/openvpn-2.0.9/sample-config-files/server.conf /usr/local/etc/server.conf
b) vi /usr/local/etc/server.conf
i. Change proto udp to proto tcp
ii. Change the four ca/cert/key/dh lines to
ca /root/openvpn-2.0.9/easy-rsa/keys/ca.crt
cert /root/openvpn-2.0.9/easy-rsa/keys/server.crt
key /root/openvpn-2.0.9/easy-rsa/keys/server.key
dh /root/openvpn-2.0.9/easy-rsa/keys/dh1024.pem
iii. For the full server.conf see the reference file server.conf.
7. Start the service:
a) Open SSH (22) and OpenVPN (1194) through the server's own firewall and any firewall in front of it.
b) echo 1 > /proc/sys/net/ipv4/ip_forward
c) /usr/local/sbin/openvpn --config /usr/local/etc/server.conf
d) To start OpenVPN at boot, append the following to /etc/rc.local:
/usr/local/sbin/openvpn --config /usr/local/etc/server.conf > /dev/null 2>&1 &
8. Install the client
1) From http://openvpn.se/ download the Windows client "OpenVPN GUI for Windows" matching the server's OpenVPN version.
a) For example, if the server runs OpenVPN 2.0.9, download openvpn-2.0.9-gui-1.0.3-install.exe.
2) Run openvpn-2.0.9-gui-1.0.3-install.exe, accepting all defaults.
3) Copy ca.crt, client1.crt and client1.key to C:\Program Files\OpenVPN\config. (Each user gets a different certificate; each certificate consists of a .crt and a .key file, e.g. client2.crt and client2.key.)
4) Build the client configuration file from /root/openvpn-2.0.9/sample-config-files/client.conf and save it as C:\Program Files\OpenVPN\config\client.ovpn
a) Change proto udp to proto tcp
b) Change the remote line to
remote <VPN server public IP> 1194   (the server's public IP, then the port number)
c) Change the three ca/cert/key lines to
ca ca.crt
cert client1.crt
key client1.key
d) Comment out comp-lzo
For the full client.ovpn see the reference file client.ovpn.
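Most of the failures the next section lists (a wrong certificate or key path, proto udp left on one side, a port that does not match, comp-lzo on only one end) can be caught before the first connection attempt by reading server.conf and client.ovpn side by side. The Python checker below is an added example, not code from the original post or from OpenVPN. The two sample configs inside it are constructed: the server side follows the edited server.conf above, the client side still carries two of the mistakes on purpose, and vpn.example.invalid is a placeholder hostname.

```python
"""Cross-check an OpenVPN server.conf against a client .ovpn for the mismatches
the troubleshooting list names: missing certificate/key files, proto udp vs tcp,
remote port vs server port, comp-lzo on only one side, tun vs tap.
Added example, not from the original post; sample configs are constructed."""
import os
import tempfile

# Constructed server config in the shape of the edited sample server.conf.
SERVER_CONF = """\
port 1194
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
comp-lzo
"""

# Constructed client config that deliberately keeps two of the known mistakes.
CLIENT_OVPN = """\
client
dev tun
proto udp                       ; not changed to tcp to match the server
remote vpn.example.invalid 1194 # placeholder hostname, not the post's server
ca ca.crt
cert client1.crt
key client1.key
"""


def parse_openvpn_conf(text):
    """Map each directive to the list of argument lists it appears with.
    Only plain 'directive arg...' lines are handled; inline <ca> blocks are not."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        for marker in ("#", ";"):          # trailing comments
            line = line.split(marker, 1)[0].strip()
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def _proto_family(proto):
    """tcp, tcp-server, tcp-client, tcp4, udp6 ... -> 'tcp' or 'udp'."""
    return proto.split("-")[0].rstrip("46")


def check_pair(server_text, client_text, server_dir, client_dir):
    """Return a list of human-readable problems; empty means the pair is consistent."""
    s, c = parse_openvpn_conf(server_text), parse_openvpn_conf(client_text)
    problems = []

    # 1. Every ca/cert/key/dh file must exist on the machine that uses that config;
    #    relative paths resolve against the config's own directory.
    for name, conf, base in (("server.conf", s, server_dir), ("client.ovpn", c, client_dir)):
        for directive in ("ca", "cert", "key", "dh"):
            for args in conf.get(directive, []):
                path = os.path.join(base, args[0])
                if not os.path.isfile(path):
                    problems.append(f"{name}: {directive} file missing: {path}")

    # 2. Both sides must use the same transport.
    s_proto = _proto_family(s.get("proto", [["udp"]])[0][0])
    c_proto = _proto_family(c.get("proto", [["udp"]])[0][0])
    if s_proto != c_proto:
        problems.append(f"proto mismatch: server {s_proto}, client {c_proto}")

    # 3. The client's remote port must be the port the server listens on.
    s_port = s.get("port", [["1194"]])[0][0]
    for remote in c.get("remote", []):
        c_port = remote[1] if len(remote) > 1 else c.get("port", [["1194"]])[0][0]
        if c_port != s_port:
            problems.append(f"port mismatch: server {s_port}, client remote {remote[0]} {c_port}")

    # 4. In OpenVPN 2.0 comp-lzo must be enabled on both ends or on neither.
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo configured on only one side")

    # 5. tun on one side and tap on the other never connects.
    if s.get("dev", [[""]])[0][0] != c.get("dev", [[""]])[0][0]:
        problems.append("dev mismatch")
    return problems


def demo():
    """Lay the sample files out in temporary directories and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        server_dir = os.path.join(tmp, "server")
        client_dir = os.path.join(tmp, "client")
        os.makedirs(os.path.join(server_dir, "keys"))
        os.makedirs(client_dir)
        for name in ("ca.crt", "server.crt", "server.key", "dh1024.pem"):
            open(os.path.join(server_dir, "keys", name), "w").close()
        for name in ("ca.crt", "client1.crt"):      # client1.key deliberately not copied
            open(os.path.join(client_dir, name), "w").close()
        return check_pair(SERVER_CONF, CLIENT_OVPN, server_dir, client_dir)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

On a real deployment, call check_pair with the two files' contents and the directories they live in (/usr/local/etc on the server and the copied-down client directory); the path check is what catches a server.conf that still points at the sample paths rather than the keys directory.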
9. Problem summary:
1. The certificate/key file paths in server.conf and client.conf must be written correctly.
2. Change proto udp to proto tcp.
3. ./build-key client ... each client needs a different Common Name, and it must not be the same as the Common Names used above (for the CA and the server).
4. Certificate validity depends on the clock, so the server and client clocks must be kept in sync. How to set the time:
Eg: date -s 20:30:30   # set the system time to 20:30:30; clock -w   # write the system time (e.g. as set by date) to the BIOS; to sync from a network time source: ntpdate pool.ntp.org
5. Before setting up OpenVPN on an OpenVZ VPS, run the following on the host node first (120 is the container ID):
vzctl set 120 --devices c:10:200:rw --save
vzctl exec 120 mkdir -p /dev/net
vzctl exec 120 mknod /dev/net/tun c 10 200
vzctl exec 120 chmod 600 /dev/net/tun
Otherwise the TUN device cannot be opened.
6. In /etc/vz/vz.conf find
## IPv4 iptables kernel modules
IPTABLES="iptable_nat ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"
and add these modules to the container's config, vi /etc/vz/conf/120.conf
# CPU fair sheduler parameter
CPUUNITS="1000"
VE_ROOT="/vz/root/$VEID"
VE_PRIVATE="/vz/private/$VEID"
OSTEMPLATE="centos-4-i386-default"
ORIGIN_SAMPLE="vps.basic"
IP_ADDRESS="61.191.20.26"
HOSTNAME="vps120"
NAMESERVER="202.102.192.68"
DEVICES="c:10:200:rw "
IPTABLES="ip_tables iptable_nat iptable_filter iptable_mangle ipt_limit ipt_REJECT ipt_length "
CAPABILITY="NET_ADMIN:on "
Otherwise it reports that the nat and filter modules do not exist and the kernel needs to be recompiled.
Then run vzctl set 120 --iptables iptable_filter --iptables ipt_length --iptables ipt_limit --iptables iptable_mangle --iptables ipt_REJECT --save
Reboot the OpenVZ host node.
Finally enable NAT in iptables:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 61.191.20.26
