本文以CentOS 6 作为OpenVPN服务器,WIN XP及WIN 7作为客户端操作系统。以下内容大量借鉴了pcman大侠的文章。在此基础上,老熊又根据实际经验改写了一些配置选项。
先说服务器端
1. 安装openvpn
openvpn不在centos默认的yum安装源内。需要先安装Fedora的EPEL源。
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm yum install openvpn -y
其他更多软件包来源,请看EPEL、Remi、RPMForge、RPMFusion安装介绍
2. 初始化
初始化主要是配置openvpn的config文件,并设置openvpn自动启动。
复制配置文件的样本到/etc/openvpn目录下。
[[email protected] ~]# cp /usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/ [[email protected] ~]#
编辑/etc/openvpn/server.conf,修改如下配置,
使用TCP协议来进行访问。打开gateway,推送dns等。
#################################################Sample OpenVPN 2.0 config file for
multi-client server.
# #
This file is for the server side
of a many-clients one-server
OpenVPN configuration.
# #
OpenVPN also supports
single-machine single-machine
configurations (See the Examples page
on the web site for more info).
# #
This config should work on Windows
or Linux/BSD systems. Remember on
Windows to quote pathnames and use
double backslashes, e.g.:
"C:\\Program Files\\OpenVPN\\config\\foo.key"
# #
Comments are preceded with '#' or ';'
#################################################
Which local IP address should OpenVPN
listen on? (optional)
;local a.b.c.d
Which TCP/UDP port should OpenVPN listen on?
If you want to run multiple OpenVPN instances
on the same machine, use a different port
number for each one. You will need to
open up this port on your firewall.
port 1194
TCP or UDP server?
proto tcp
proto udp
"dev tun" will create a routed IP tunnel,
"dev tap" will create an ethernet tunnel.
Use "dev tap0" if you are ethernet bridging
and have precreated a tap0 virtual interface
and bridged it with your ethernet interface.
If you want to control access policies
over the VPN, you must create firewall
rules for the the TUN/TAP interface.
On non-Windows systems, you can give
an explicit unit number, such as tun0.
On Windows, use "dev-node" for this.
On most systems, the VPN will not function
unless you partially or fully disable
the firewall for the TUN/TAP interface.
;dev tap dev tun
Windows needs the TAP-Win32 adapter name
from the Network Connections panel if you
have more than one. On XP SP2 or higher,
you may need to selectively disable the
Windows firewall for the TAP adapter.
Non-Windows systems usually don't need this.
;dev-node MyTap
SSL/TLS root certificate (ca), certificate
(cert), and private key (key). Each client
and the server must have their own cert and
key file. The server and all clients will
use the same ca file.
#
See the "easy-rsa" directory for a series
of scripts for generating RSA certificates
and private keys. Remember to use
a unique Common Name for the server
and each of the client certificates.
#
Any X509 key management system can be used.
OpenVPN can also use a PKCS #12 formatted key file
(see "pkcs12" directive in man page).
ca ca.crt cert server.crt key server.key # This file should be kept secret
Diffie hellman parameters.
Generate your own with:
# openssl dhparam -out dh1024.pem 1024
Substitute 2048 for 1024 if you are using
2048 bit keys.
dh dh1024.pem
Configure server mode and supply a VPN subnet
for OpenVPN to draw client addresses from.
The server will take 10.8.0.1 for itself,
the rest will be made available to clients.
Each client will be able to reach the server
on 10.8.0.1. Comment this line out if you are
ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0
Maintain a record of client virtual IP address
associations in this file. If OpenVPN goes down or
is restarted, reconnecting clients can be assigned
the same virtual IP address from the pool that was
previously assigned.
ifconfig-pool-persist ipp.txt
Configure server mode for ethernet bridging.
You must first use your OS's bridging capability
to bridge the TAP interface with the ethernet
NIC interface. Then you must manually set the
IP/netmask on the bridge interface, here we
assume 10.8.0.4/255.255.255.0. Finally we
must set aside an IP range in this subnet
(start=10.8.0.50 end=10.8.0.100) to allocate
to connecting clients. Leave this line commented
out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
Configure server mode for ethernet bridging
using a DHCP-proxy, where clients talk
to the OpenVPN server-side DHCP server
to receive their IP address allocation
and DNS server addresses. You must first use
your OS's bridging capability to bridge the TAP
interface with the ethernet NIC interface.
Note: this mode only works on clients (such as
Windows), where the client-side TAP adapter is
bound to a DHCP client.
;server-bridge
Push routes to the client to allow it
to reach other private subnets behind
the server. Remember that these
private subnets will also need
to know to route the OpenVPN client
address pool (10.8.0.0/255.255.255.0)
back to the OpenVPN server.
push "route 10.8.0.0 255.255.255.0" push "route 192.168.5.0 255.255.255.0" ;push "route 192.168.20.0 255.255.255.0"
To assign specific IP addresses to specific
clients or if a connecting client has a private
subnet behind it that should also have VPN access,
use the subdirectory "ccd" for client-specific
configuration files (see man page for more info).
EXAMPLE: Suppose the client
having the certificate common name "Thelonious"
also has a small subnet behind his connecting
machine, such as 192.168.40.128/255.255.255.248.
First, uncomment out these lines:
;client-config-dir ccd ;route 192.168.40.128 255.255.255.248
Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
This will allow Thelonious' private subnet to
access the VPN. This example will only work
if you are routing, not bridging, i.e. you are
using "dev tun" and "server" directives.
EXAMPLE: Suppose you want to give
Thelonious a fixed VPN IP address of 10.9.0.1.
First uncomment out these lines:
;client-config-dir ccd ;route 10.9.0.0 255.255.255.252
Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
Suppose that you want to enable different
firewall access policies for different groups
of clients. There are two methods:
(1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface # for each group/daemon appropriately.
(2) (Advanced) Create a script to dynamically
# modify the firewall in response to access # from different clients. See man # page for more info on learn-address script. ;learn-address ./script
If enabled, this directive will configure
all clients to redirect their default
network gateway through the VPN, causing
all IP traffic such as web browsing and
and DNS lookups to go through the VPN
(The OpenVPN server machine may need to NAT
or bridge the TUN/TAP interface to the internet
in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp" push "redirect-gateway"
Certain Windows-specific network settings
can be pushed to clients, such as DNS
or WINS server addresses. CAVEAT:
http://openvpn.net/faq.html#dhcpcaveats
The addresses below refer to the public
DNS servers provided by opendns.com.
push "dhcp-option DNS 60.195.250.225" push "dhcp-option DNS 8.8.8.8"
Uncomment this directive to allow different
clients to be able to "see" each other.
By default, clients will only see the server.
To force clients to only see the server, you
will also need to appropriately firewall the
server's TUN/TAP interface.
;client-to-client
Uncomment this directive if multiple clients
might connect with the same certificate/key
files or common names. This is recommended
only for testing purposes. For production use,
each client should have its own certificate/key
pair.
#
IF YOU HAVE NOT GENERATED INDIVIDUAL
CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
EACH HAVING ITS OWN UNIQUE "COMMON NAME",
UNCOMMENT THIS LINE OUT.
;duplicate-cn
The keepalive directive causes ping-like
messages to be sent back and forth over
the link so that each side knows when
the other side has gone down.
Ping every 10 seconds, assume that remote
peer is down if no ping received during
a 120 second time period.
keepalive 10 120
For extra security beyond that provided
by SSL/TLS, create an "HMAC firewall"
to help block DoS attacks and UDP port flooding.
#
Generate with:
# openvpn --genkey --secret ta.key #
The server and each client must have
a copy of this key.
The second parameter should be '0'
on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret
Select a cryptographic cipher.
This config item must be copied to
the client config file as well.
;cipher BF-CBC # Blowfish (default) ;cipher AES-128-CBC # AES ;cipher DES-EDE3-CBC # Triple-DES
Enable compression on the VPN link.
If you enable it here, you must also
enable it in the client config file.
comp-lzo
The maximum number of concurrently connected
clients we want to allow.
;max-clients 100
It's a good idea to reduce the OpenVPN
daemon's privileges after initialization.
#
You can uncomment this out on
non-Windows systems.
;user nobody ;group nobody
The persist options will try to avoid
accessing certain resources on restart
that may no longer be accessible because
of the privilege downgrade.
persist-key persist-tun
Output a short status file showing
current connections, truncated
and rewritten every minute.
status openvpn-status.log
By default, log messages will go to the syslog (or
on Windows, if running as a service, they will go to
the "\Program Files\OpenVPN\log" directory).
Use log or log-append to override this default.
"log" will truncate the log file on OpenVPN startup,
while "log-append" will append to it. Use one
or the other (but not both).
;log openvpn.log ;log-append openvpn.log
Set the appropriate level of log
file verbosity.
#
0 is silent, except for fatal errors
4 is reasonable for general usage
5 and 6 can help to debug connection problems
9 is extremely verbose
verb 3
Silence repeating messages. At most 20
sequential messages of the same message
category will be output to the log.
;mute 20
vi /etc/sysctl.conf。在最下面加入如下内容。
如果是RHEL5,建议把以#屏蔽的选项全打开。是照某公司久经考验的文档写的。
据神秘的老熊分享,在RHEL6下应该把那一堆参数屏蔽。我在centos 6下,已经照此配置测试通过了。
# Added for openvpn. esojourn.org net.ipv6.conf.eth0.forwarding = 1 net.ipv6.conf.default.forwarding = 1 net.ipv6.conf.all.forwarding = 1 net.ipv6.conf.lo.forwarding = 1net.ipv4.conf.tun0.mc_forwarding = 1
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 1
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.ip_forward = 1
sysctl -p使规则生效
vi /etc/sysconfig/iptables 在最上面加下nat表
诸位新手、准新手们,千万别用天杀的setup或者system-config-firewall来配防火墙了。
血泪史啊,不多解释了。好好学基本功吧。我也在学习中。*nat
- PREROUTING ACCEPT [0:0]
- POSTROUTING ACCEPT [0:0]
- OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
然后在下面filter表里,最后一条拒绝规则前面,加上-A FORWARD -d 10.8.0.0/24 -j ACCEPT -A FORWARD -s 10.8.0.0/24 -j ACCEPT
service iptables restart
3. 生成服务器端证书
生成服务器端证书主要有如下几个步骤:
1. 设置环境变量
2. 生成ca文件
3. 生成cert/key文件
4. 生成dh文件
进入openvpn的对应安装目录。将所有脚本设置为可执行属性cd /usr/share/doc/openvpn-2.2.2/easy-rsa chmod 700 build
vi /etc/bashrc,在最下面加上环境变量# Add for openvpn export KEY_CONFIG=/usr/share/doc/openvpn-2.2.2/easy-rsa/openssl.cnf export KEY_DIR=/usr/share/doc/openvpn-2.2.2/easy-rsa/keys export KEY_SIZE=1024 export KEY_COUNTRY=CN export KEY_PROVINCE=BJ export KEY_CITY=BJ export KEY_ORG="www.esojourn.org" export KEY_EMAIL="[email][email protected][/email]"
建立存放key的目录 mkdir cd /usr/share/doc/openvpn-2.2.2/easy-rsa/keys
通过clean-all生成serial和index.txtchmod 700 clean-all ./clean-all
开始生成ca文件。需要注意的是,ca一旦生成就不能更换了,否则所有key都会失效,要重新签署。[[email protected] /usr/share/doc/openvpn-2.2.2/easy-rsa]# ./build-ca Generating a 1024 bit RSA private key ..............................................................................................++++++ ..........++++++ writing new private key to 'ca.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [BJ]: Locality Name (eg, city) [BJ]: Organization Name (eg, company) [esojourn.org]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []: Email Address [[email][email protected][/email]]: [[email protected] /usr/share/doc/openvpn-2.2.2/easy-rsa]#
生成server端key和crt文件。注意,其中Common Name项目必须填写,其余项目可直接按回车使用环境变量预先设置的默认值。[[email protected] /usr/share/doc/openvpn-2.2.2/easy-rsa]# ./build-key-server server Generating a 1024 bit RSA private key ............++++++ ..........++++++ writing new private key to 'server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [BJ]: Locality Name (eg, city) [BJ]: Organization Name (eg, company) [esojourn.org]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:openvpn.esojourn.org Email Address [[email][email protected][/email]]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /usr/share/doc/openvpn-2.2.2/easy-rsa/openssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'BJ' localityName :PRINTABLE:'BJ' organizationName :PRINTABLE:'esojourn.org' commonName :PRINTABLE:'openvpn.esojourn.org' emailAddress :IA5STRING:'[email][email protected][/email]' Certificate is to be certified until Jul 13 16:17:39 2017 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [[email protected] /usr/share/doc/openvpn-2.2.2/easy-rsa]#
证书生成完毕。生成dh文件。[[email protected] /usr/share/doc/openvpn-2.2.2/easy-rsa]# ./build-dh Generating DH parameters, 1024 bit long safe prime, generator 2 This is going to take a long time ..............................+........................................................................................................+.......................................................+.........................................................
现在将刚才生成的证书和配置文件复制到相应目录下。[[email protected] /usr/share/doc/openvpn-2.2.2/easy-rsa]# cp keys/ca.crt /etc/openvpn/ [[email protected] /usr/share/doc/openvpn-2.2.2/easy-rsa]# cp keys/server.crt /etc/openvpn/ [[email protected] /usr/share/doc/openvpn-2.2.2/easy-rsa]# cp keys/server.key /etc/openvpn/ [[email protected] /usr/share/doc/openvpn-2.2.2/easy-rsa]# cp keys/dh1024.pem /etc/openvpn/ sysctl -p
4. 创建新的客户端
openvpn服务器配置好之后,新的客户端还不能立刻连接进来,需要为客户端分别创建属于自己的ssl证书方可。创建的方式如下:
进入openvpn的对应安装目录。生成证书文件。注意,在提示输入CommonName的时候,必须输入唯一一个用户名名字或者域名,以和其他的用户证书相区别。cd /usr/share/doc/openvpn-2.2.2/easy-rsa[[email protected] /usr/share/doc/openvpn-2.2.2/easy-rsa]# ./build-key client Generating a 1024 bit RSA private key ....++++++ .......++++++ writing new private key to 'client.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [BJ]: Locality Name (eg, city) [BJ]: Organization Name (eg, company) [esojourn.org]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:pcman Email Address [[email][email protected][/email]]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /usr/share/doc/openvpn-2.2.2/easy-rsa/openssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'BJ' localityName :PRINTABLE:'BJ' organizationName :PRINTABLE:'esojourn.org' commonName :PRINTABLE:'pcman' emailAddress :IA5STRING:'[email][email protected][/email]' Certificate is to be certified until Jul 13 17:08:27 2017 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [[email protected] /usr/share/doc/openvpn-2.2.2/easy-rsa]#
生成完毕。在keys目录下即可找到client.key和client.crt。
下面再来看看客户端
5. 客户端的下载安装
官网下载 http://openvpn.net/index.php/download.html
Windows Installer v2.2.2:http://swupdate.openvpn.org/community/releases/openvpn-2.2.2-install.exe
安装时所有组件全装。安装时会装上一个虚拟网卡,系统可能会提示不兼容,不安全什么的。不用管,继续确定安装即可。
6. 初始化
OpenVPN的数据传输过程是基于OpenSSL安全加密的,通信的双方:VPN服务器端、VPN客户端都需要IP安全证书,否则无法建立连接。IP证书也是建立连接的必须条件,基于OpenVPN的VPN建立是没有传统密码验证的。下边配置证书。
首先获得证书。把刚才升成的客户端证书拷过来。3个文件! ca.crt, client.crt, client.key。
另外新建一个esojourn.org.ovpn的文件,用于客户端配置。包含证书文件名、地址等相应参数。ca.crt是全局的CA证书,而client.crt和client.key则是颁发给每个人的个人证书。每个人的个人证书文件不一样,而另外两个文件则一样。
ovpn文件如下,其他ca ca.crt,cert client.crt,key client.key,根据自己的文件名改。############################################## # Sample client-side OpenVPN 2.0 config file # # for connecting to multi-client server. # # # # This configuration can be used by multiple # # clients, however each client should have # # its own cert and key files. # # # # On Windows, you might want to rename this # # file so it has a .ovpn extension # ##############################################
Specify that we are a client and that we
will be pulling certain config file directives
from the server.
client
Use the same setting as you are using on
the server.
On most systems, the VPN will not function
unless you partially or fully disable
the firewall for the TUN/TAP interface.
;dev tap dev tun
Windows needs the TAP-Win32 adapter name
from the Network Connections panel
if you have more than one. On XP SP2,
you may need to disable the firewall
for the TAP adapter.
;dev-node MyTap
Are we connecting to a TCP or
UDP server? Use the same setting as
on the server.
proto tcp
proto udp
The hostname/IP and port of the server.
You can have multiple remote entries
to load balance between the servers.
remote www.esojourn.org 1194 ;remote my-server-2 1194
Choose a random host from the remote
list for load-balancing. Otherwise
try hosts in the order specified.
;remote-random
Keep trying indefinitely to resolve the
host name of the OpenVPN server. Very useful
on machines which are not permanently connected
to the internet such as laptops.
resolv-retry infinite
Most clients don't need to bind to
a specific local port number.
nobind
Downgrade privileges after initialization (non-Windows only)
;user nobody ;group nobody
Try to preserve some state across restarts.
persist-key persist-tun
If you are connecting through an
HTTP proxy to reach the actual OpenVPN
server, put the proxy server/IP and
port number here. See the man page
if your proxy server requires
authentication.
;http-proxy-retry # retry on connection failures ;http-proxy [proxy server] [proxy port #]
Wireless networks often produce a lot
of duplicate packets. Set this flag
to silence duplicate packet warnings.
;mute-replay-warnings
SSL/TLS parms.
See the server config file for more
description. It's best to use
a separate .crt/.key file pair
for each client. A single ca
file can be used for all clients.
ca ca.crt cert client.crt key client.key
Verify server certificate by checking
that the certicate has the nsCertType
field set to "server". This is an
important precaution to protect against
a potential attack discussed here:
# http://openvpn.net/howto.html#mitm #
To use this feature, you will need to generate
your server certificates with the nsCertType
field set to "server". The build-key-server
script in the easy-rsa folder will do this.
ns-cert-type server
If a tls-auth key is used on the server
then every client must also have the key.
;tls-auth ta.key 1
Select a cryptographic cipher.
If the cipher option is used on the server
then you must also specify it here.
;cipher x
Enable compression on the VPN link.
Don't enable this unless it is also
enabled in the server config file.
comp-lzo
Set log file verbosity.
verb 3
Silence repeating messages
;mute 20
将这几个文件全部复制到OpenVPN的安装目录下的“config”目录中。如:C:\Program Files\OpenVPN\config
配置完成。