I. OpenVPN installation environment
 
      Server-side environment:
 
   1. CentOS, kernel version 2.6.18, IP 192.168.1.254 (virtual machine 6.5)
   2. The kernel must support the tun device, and the iptables module must be loaded.
   3. OpenVPN version installed: 2.1_rc15 (the latest at the time of writing; it can be downloaded from http://openvpn.net).
 
 
      Client-side environment:
 
   1. Windows XP SP2
   2. openvpn-2.0.9-gui-1.0.3-install.exe
II. OpenVPN server installation
 
   1. Log in to CentOS with PuTTY
   2. Download OpenVPN 2.1_rc15 (and the LZO source tarball)
 
    wget http://openvpn.net/release/openvpn-2.1_rc15.tar.gz
    lzo-2.03.tar.gz
 
   3. Install LZO and OpenVPN
 
      tar zxvf lzo-2.03.tar.gz
      cd lzo-2.03
      ./configure
      make
      make install
      cd ..
      tar zxvf openvpn-2.1_rc15.tar.gz
      cd openvpn-2.1_rc15
      ./configure
      make
      make install
Copy the configuration files:
cp -rf /root/openvpn-2.1_rc15/ /etc/openvpn
Generate the certificates
Initialize the PKI
 
Edit /etc/openvpn/easy-rsa/2.0/vars
and add the following:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="CN"
export KEY_CITY="beijing"
export KEY_ORG="beijing"
export KEY_EMAIL=andlhz@gmail.com
 
Save the file.
 
III. Create the certificate authority (CA)
cd /etc/openvpn/easy-rsa/2.0
. ./vars    # load the KEY_* values set above; clean-all and build-ca refuse to run until vars has been sourced
[root@server 2.0]# ./clean-all
[root@server 2.0]# ./build-ca
Generating a 1024 bit RSA private key
.............++++++
........................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CN]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [test]:beijing
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [test CA]:
Name []:
Email Address [andlhz@gmail.com]:
 
IV. Build the server key
 
Run ./build-key-server server:
[root@server 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
.....++++++
...............................................................................................................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CN]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [test]:beijing
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Name []:
Email Address [andlhz@gmail.com]:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'CN'
localityName          :PRINTABLE:'beijing'
organizationName      :PRINTABLE:'beijing'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'andlhz@gmail.com'
Certificate is to be certified until Aug 12 14:55:28 2019 GMT (3650 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@server 2.0]#
 
V. Generate client keys
 
[root@server 2.0]# ./build-key test
Generating a 1024 bit RSA private key
.........................++++++
..................++++++
writing new private key to 'test.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CN]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [test]:beijing
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [test]:
Name []:
Email Address [andlhz@gmail.com]:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'CN'
localityName          :PRINTABLE:'beijing'
organizationName      :PRINTABLE:'beijing'
commonName            :PRINTABLE:'test'
emailAddress          :IA5STRING:'andlhz@gmail.com'
Certificate is to be certified until Aug 12 14:57:18 2019 GMT (3650 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@server 2.0]#
 
 
Build the other client keys in the same way:
 
./build-key test2
./build-key test3
 
Generate the Diffie-Hellman parameters
Run:
./build-dh
Pack up all the files under keys and download them to the local machine (via winscp, http, ftp, etc.).
 
Create the server configuration file
 
cp /root/openvpn-2.1_rc15/sample-config-files/server.conf /etc/openvpn
 
port 1194
 
proto udp
 
dev tun
 
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
 
dh dh1024.pem
 
server 10.8.0.0 255.255.255.0
 
ifconfig-pool-persist ipp.txt
 
keepalive 10 120
 
comp-lzo
 
persist-key
persist-tun
 
status openvpn-status.log
 
verb 3
 
 
 
Client:
# Download and install OpenVPN (GUI version)
http://openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe
# Set up the environment
Go to the "c:\Program Files\OpenVPN\easy-rsa" directory
Save openssl.cnf.sample as openssl.cnf
Save vars.bat.sample as vars.bat
Edit vars.bat:
set KEY_COUNTRY="CN"
set KEY_PROVINCE="CN"
set KEY_CITY="beijing"
set KEY_ORG="beijing"
set KEY_EMAIL="andlhz@gmail.com"
        (The values must match the server's, especially KEY_ORG.)
Install the CA file // done on the client
Go to the c:\Program Files\OpenVPN\config directory
Download XXX.crt (the client certificate, named after the client) and ca.crt from the server into the local OpenVPN config directory
# Copy client.ovpn from the sample directory:
Copy
c:\Program Files\OpenVPN\config\sample-config\client.ovpn
into the c:\Program Files\OpenVPN\config directory
# Configure the client
Right-click the OpenVPN GUI icon in the bottom-right corner --> Edit Config (leave anything not mentioned here as it is):
        ;dev tap
        # the device type must match the server's "dev tun"
        dev tun
        remote 192.168.1.254 1194
        ca ca.crt
        cert test.crt
        key test.key
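The client config above, regenerated by an added shell script (example code, not from the original post) that keeps the page's values and adds two checks the page's config lacks: ns-cert-type server, so this client accepts only a server certificate built with build-key-server and not another client certificate signed by the same CA, and tls-auth with a shared ta.key. It assumes ca.crt, <cn>.crt, <cn>.key and ta.key are in the client's config directory, that ta.key was created on the server with openvpn --genkey --secret ta.key, and that the server.conf above gets tls-auth ta.key 0; ca.key and server.key are never copied off the server.

```shell
#!/bin/sh
# Added example, not part of the original post: generate a client .ovpn that
# matches the server.conf above (dev tun, proto udp, port 1194, comp-lzo) and
# adds two protections the post's config lacks. Assumes ca.crt, <cn>.crt,
# <cn>.key and ta.key are in the client's OpenVPN config directory; ta.key is
# created once on the server with "openvpn --genkey --secret ta.key" and the
# server.conf gets "tls-auth ta.key 0". ca.key and server.key stay on the server.

# make_client_ovpn <client-cn> <server-ip> [port]  -> prints the config
make_client_ovpn() {
    cn=$1; server=$2; port=${3:-1194}
    # the common name becomes a file name, so only allow a safe character set
    case "$cn" in
        ''|*[!A-Za-z0-9_.-]*) echo "bad common name: '$cn'" >&2; return 1 ;;
    esac
    cat <<EOF
client
;dev tap
dev tun
proto udp
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert $cn.crt
key $cn.key
# Accept only a server certificate that build-key-server marked nsCertType=server.
# Without this, any certificate signed by the same CA (test2.crt, for example)
# would be accepted as the server by this client.
ns-cert-type server
# HMAC-sign every control-channel packet with the shared ta.key (server side uses direction 0).
tls-auth ta.key 1
comp-lzo
verb 3
EOF
}

# has_directive <config-text> <exact line>  -> succeeds if that line is present
has_directive() {
    printf '%s\n' "$1" | grep -qxF -- "$2"
}
```

Run it as make_client_ovpn test 192.168.1.254 > test.ovpn and place the file in the config directory next to the four key files.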
Double-click the openvpn-gui icon in the bottom-right corner of the desktop; a window pops up and shows the connection being established.

Test: cmd --> ipconfig /all

ping 10.8.0.1
To give a client a specific IP address instead of an automatically allocated one:
go to /etc/openvpn/ccd,
vi client1 and write ifconfig-push 10.8.0.X 255.255.255.0
to bind the client to a fixed virtual IP.
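The ccd step above, worked through as an added shell example (not code from the original post): because the server.conf shown earlier uses dev tun without topology subnet, OpenVPN's default net30 topology applies and ifconfig-push needs a client address and server endpoint taken from one /30, not an address plus netmask; the script produces both forms and shows which server setting each belongs to. It assumes the 10.8.0.0/24 pool from the server line and that client-config-dir /etc/openvpn/ccd has been added to server.conf, since the directory is not read otherwise.

```shell
#!/bin/sh
# Added example, not from the original post. The server.conf above runs
# "server 10.8.0.0 255.255.255.0" on dev tun without "topology subnet", so
# OpenVPN's default net30 topology applies: each client owns a /30 and
# ifconfig-push takes "client-ip server-endpoint", not address + netmask.
# Assumes server.conf also has "client-config-dir /etc/openvpn/ccd" and that
# each file is named after the client certificate's common name (test, test2).

# net30_pair <n> -> "client-ip server-endpoint" from the n-th /30 block, n = 1..63.
# Block n is 10.8.0.(4n)/30: .(4n+1) is the server endpoint, .(4n+2) the client.
# Block 0 (10.8.0.1 / 10.8.0.2) is the server's own tun interface, never pushed.
net30_pair() {
    n=$1
    case "$n" in ''|*[!0-9]*) echo "block index must be a number" >&2; return 1 ;; esac
    if [ "$n" -lt 1 ] || [ "$n" -gt 63 ]; then
        echo "block index must be 1..63 (last usable /30 is 10.8.0.252/30)" >&2
        return 1
    fi
    echo "10.8.0.$((4 * $n + 2)) 10.8.0.$((4 * $n + 1))"
}

# ccd_line <topology> <n> -> the ifconfig-push directive for this server.
#   net30:  n is the /30 block index (see net30_pair)
#   subnet: n is the host octet (2..254); this "address netmask" form, the one
#           the post shows, is only valid with "topology subnet" or dev tap.
ccd_line() {
    case "$1" in
        net30)  pair=$(net30_pair "$2") || return 1
                echo "ifconfig-push $pair" ;;
        subnet) [ "$2" -ge 2 ] 2>/dev/null && [ "$2" -le 254 ] || return 1
                echo "ifconfig-push 10.8.0.$2 255.255.255.0" ;;
        *)      echo "topology must be net30 or subnet" >&2; return 1 ;;
    esac
}

# write_ccd <ccd-dir> <client-cn> <topology> <n> -> writes <ccd-dir>/<client-cn>
write_ccd() {
    # the CN becomes a path component: reject anything that could leave the directory
    case "$2" in ''|*[!A-Za-z0-9_.-]*|*..*) echo "bad common name: '$2'" >&2; return 1 ;; esac
    line=$(ccd_line "$3" "$4") || return 1
    mkdir -p "$1" && printf '%s\n' "$line" > "$1/$2"
}
```

For the page's setup, write_ccd /etc/openvpn/ccd test net30 1 pins client "test" to 10.8.0.6 with server endpoint 10.8.0.5.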