1. Resolve dependencies
yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 krb5-devel libidn libidn-devel openssl openssl-devel openldap openldap-devel nss_ldap openldap-clients openldap-servers
2. My MySQL was already compiled and installed, so only the PAM-related packages are installed here
yum install pam_krb5 pam_mysql pam pam-devel
3. Compile and install lzo
tar -zxvf lzo-2.03.tar.gz
cd lzo-2.03
./configure
make && make install
4. Add library paths
vi /etc/ld.so.conf and add the following:
/lib
/lib64
/usr/lib
/usr/lib64
/usr/local/lib
/usr/local/lib64
5. Install OpenVPN. Two versions are needed, 2.2.2 and 2.0.9: PAM authentication in 2.2.2 has a problem, so the older version is used for that part
tar -zxvf openvpn-2.2.2.tar.gz
cd openvpn-2.2.2
./configure --prefix=/usr/local/openvpn
make && make install
mkdir -pv /etc/openvpn
cd /root/openvpn-2.2.2
cp -R easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
cp vars vars.bak
Edit the vars file so that its non-comment lines read as follows:
cat vars|egrep -v "(^#|^$)"
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="beijing"
export KEY_ORG="beijing"
export KEY_EMAIL="32895@139.com"
export KEY_EMAIL=32895@139.com
export KEY_CN=CN
export KEY_NAME=hello
export KEY_OU=hello
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
Save and exit, then run the following commands to generate the keys needed by the server and the clients. Note: some of these steps are interactive.
source ./vars
./clean-all
./build-ca ca
./build-key-server server
./build-dh
/usr/local/openvpn/sbin/openvpn --genkey --secret keys/ta.key
6. Configure the VPN accounts in MySQL
mysql> create database vpn;
mysql> grant all on vpn.* to vpn@localhost identified by 'vpnadmin';
mysql> flush privileges;
mysql> use vpn;
mysql> create table vpnuser (name char(20) NOT NULL, password char(120) default null, active int(10) not null default 1, primary key (name));
mysql> insert into vpnuser (name,password) values('qd',password('qd123'));
mysql> desc vpnuser;
7. Configure PAM
Create the OpenVPN PAM configuration file:
vim /etc/pam.d/openvpn
and add the following two lines:
auth sufficient pam_mysql.so user=vpn passwd=vpnadmin host=localhost db=vpn table=vpnuser usercolumn=name passwdcolumn=password where=active=1 sqllog=0 crypt=2
account required pam_mysql.so user=vpn passwd=vpnadmin host=localhost db=vpn table=vpnuser usercolumn=name passwdcolumn=password where=active=1 sqllog=0 crypt=2
Save and exit. These lines contain the database password in clear text, so the file should be readable by root only.
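To make the meaning of the table from step 6 and the pam_mysql options above concrete, here is an added reference model (example code, not pam_mysql's own source) of the check that crypt=2 together with where=active=1 performs: the password column holds the output of MySQL's PASSWORD(), i.e. '*' followed by the upper-case hex of SHA1(SHA1(plaintext)), and rows with active=0 are never consulted, which is how an account is disabled without deleting it. The VPNUSER rows are constructed stand-ins for the real table.

```python
import hashlib
import hmac


def mysql_password(plaintext: str) -> str:
    """Reproduce MySQL 4.1+ PASSWORD(): '*' + HEX(SHA1(SHA1(pw)))."""
    inner = hashlib.sha1(plaintext.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def verify_crypt2(stored: str, supplied: str) -> bool:
    """pam_mysql crypt=2: hash the supplied password the same way and
    compare in constant time against the stored PASSWORD() value."""
    return hmac.compare_digest(stored, mysql_password(supplied))


# Constructed stand-in for the vpnuser table: (name, password, active).
# Mirrors the INSERT for user 'qd' from step 6 plus one disabled account.
VPNUSER = [
    ("qd", mysql_password("qd123"), 1),
    ("olduser", mysql_password("secret"), 0),  # active=0 -> locked out
]


def pam_mysql_auth(table, name: str, supplied: str) -> bool:
    """Emulate the lookup pam_mysql issues for the /etc/pam.d/openvpn line:
    SELECT password FROM vpnuser WHERE name=<user> AND active=1
    (usercolumn=name, passwdcolumn=password, where=active=1)."""
    rows = [r for r in table if r[0] == name and r[2] == 1]
    if not rows:
        return False  # unknown user or active=0: reject before any hashing
    return verify_crypt2(rows[0][1], supplied)


if __name__ == "__main__":
    print(pam_mysql_auth(VPNUSER, "qd", "qd123"))        # True
    print(pam_mysql_auth(VPNUSER, "qd", "wrong"))        # False
    print(pam_mysql_auth(VPNUSER, "olduser", "secret"))  # False (disabled)
```

Setting active=0 for a row is therefore the way to revoke a VPN user under this PAM configuration; the row and its hash can stay for auditing.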
8. Build the OpenVPN 2.0.9 source and copy openvpn-auth-pam.so into /etc/openvpn
tar -zxvf openvpn-2.0.9.tar.gz
cd openvpn-2.0.9/
./configure
cd plugin/auth-pam/
make
cp openvpn-auth-pam.so /etc/openvpn/
9. Test PAM
yum install cyrus-sasl cyrus-sasl-plain cyrus-sasl-devel cyrus-sasl-lib cyrus-sasl-gssapi
/etc/init.d/saslauthd restart
[root@slave02 2.0]# testsaslauthd -u qd -p qd123 -s openvpn
0: OK "Success."
10. Modify the server configuration file as follows:
The default configuration file is sample-config-files/server.conf in the source package; copy it straight into /etc/openvpn/ and change it to:
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp bypass-dns"
push "dhcp-option DNS 8.8.8.8"
push "172.16.10.0 255.255.255.0"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
# No client certificate is checked: authentication rests on the PAM username/password alone
client-cert-not-required
username-as-common-name
# The plugin's first argument is the PAM service name, i.e. /etc/pam.d/openvpn from step 7
plugin ./openvpn-auth-pam.so openvpn
11. Enable kernel IP forwarding
In /etc/sysctl.conf set:
net.ipv4.ip_forward = 1
Remember to run sysctl -p afterwards.
12. Set up firewall forwarding
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o em1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source x.x.x.x   # x.x.x.x is the VPN server's internal IP address
Remember to save the firewall rules.
13. Create the startup script:
Go into the source package directory and copy the sample init script into place:
cp sample-scripts/openvpn.init /etc/init.d/openvpn
Then change line 69 of /etc/init.d/openvpn to:
openvpn_locations="/usr/local/openvpn/sbin/openvpn /usr/sbin/openvpn /usr/local/sbin/openvpn"
Client configuration:
The default installation path on Windows is C:\Program Files (x86)\OpenVPN
Put the server's ca.crt, ca.key and ta.key into the OpenVPN client's config directory. Note that ca.key is the CA's private key; the client configuration below only references ca.crt and ta.key, so ca.key does not need to leave the server.
Copy the client file from sample-config in the client's default installation path into the config directory, then modify it as follows:
client
dev tun
proto udp
remote <IP of the OpenVPN server>
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-auth ta.key 1
ns-cert-type server
comp-lzo
verb 5
auth-user-pass
Once the client is installed and configured, there is an OpenVPN GUI icon on the desktop. Double-click it to run, enter the VPN account and password from the database, and the icon turning green means you are connected~~
Thanks to Zhenxing for the help~~