一、 需求

    在我选用Linux vpn的过程中,对于可选的方案进行了许多考察,根据我们自身应用环境的需要,着重考察了以下需求,其实这两方面也是各种vpn软件存在的关键差异:
    1. 安装方便,平台兼容性高,不用编译内核。(我比较反感动不动就要重新编译内核的软件);
    2. 能够没有限制的穿透NAT内网;(这个非常关键,因为现在我的服务器是在学校拖管,我们实验室内部都是一层一层NAT出去的。)

    由于以上两点限制,在现有许多种方案中,我试用了两种:pptpdopensvnpptpd是网上比较推荐使用的,因为配置非常方便,就改两个小文件就可以配置成功。但是有一个致命的弱点是起了两个端口,大多数情况下穿透NAT是个障碍,所以我最终放弃了。改用opensvn后解决了NAT的问题,在内网和公网上测试没有任何问题。
    openvpn唯一缺限是不能够使用Windows内置的vpn客户端,需要另外安装软件,所幸安装过程很简单。

二、 安装环境
    1. 服务器:Dell 6850服务器,Redhat Linux 企业版4 Update 2,内核

 

 

 

 

 

 

 

 

2.6.9

 

 

 

 

 

-22.ELsmp
    2. 客户端:Windows xp SP2

 

三、 安装×××服务器
    1 http://openvpn.net/上下载openvpn的最新版,时至今日是openvpn-2.0.9.tar.gz
    a) 网上都说还需要lzo这个压缩库。我没有安装,在编译程序的时候只需要加上--disable-lzo就可以了。这样所有要安装的就是一个包openvpn-2.0.9.tar.gz
    2 上传到服务器gait.buaa.edu.cn上,解开成为/root/openvpn-2.0.9
    3 cd /root/openvpn-2.0.9
    4 ./configure --disable-lzo
    a) 这个过程很可能需要Redhat的一些开发包,我安装的时候又打上了openssl-devel-0.9.7a-43.2.i386.rpmzlib-devel-1.2.1.2-1.2.i386.rpme2fsprogs-devel-1.35-12.2.EL4.i386.rpm,当然如果是完全安装的服务器就不用了。

5 make ; make install
    a) 我在很多机器上都做了编译,低至RH 9.0,高至RH EL4,覆盖了2.42.6内核,都没有出现问题。可见这个软件做的还是不错的。

    6 生成证书
   mkdir -p /etc/openvpn

cd /etc/openvpn/

cp -r /usr/local/openvpn-2.0.9/easy-rsa /etc/openvpn/

cp -r /usr/local/openvpn-2.0.9/sample-config-files/server.conf  /etc/openvpn/
    b) export D=`pwd`
    c) export KEY_CONFIG=$D/openssl.cnf
    d) export KEY_DIR=$D/keys
    e) export KEY_SIZE=1024
    f) export KEY_COUNTRY=CN
    g) export KEY_PROVINCE=BJ
    h) export KEY_CITY=BJ
    i) export KEY_ORG="buaa"
    j) export KEY_EMAIL=guojie.jin@hotmail.com
    k) ./clean-all
    l) ./build-ca
    ./clean-all
    ./build-ca

Generating a 1024 bit RSA private key
................++++++
........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [dvdmaster]: buaa
Organizational Unit Name (eg, section) []:gait
Common Name (eg, your name or your server's hostname) []:server
Email Address [guojie.jin@hotmail.com]:
m) ./build-key-server server
./build-key-server server

Generating a 1024 bit RSA private key
......++++++
....................++++++
writing new private key to 'server.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [buaa]:
Organizational Unit Name (eg, section) []:gait
Common Name (eg, your name or your server's hostname) []:server
Email Address [support@cooldvd.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:dvdmaster
Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'dvdmaster'
organizationalUnitName:PRINTABLE:'dvdmaster'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'support@cooldvd.com'
Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

n) 客户端证书
    openvpn中,这种配置方法是每一个登陆的×××客户端需要有一个证书,每个证书在同一时刻只能供一个客户端连接(如果有两个机器安装相同证书,同时拨服务器,都能拨上,但是只有第一个拨上的才能连通网络)。所以需要建立许多份证书。下面建立三份,名称分别为client1 client3
./build-key client1
Generating a 1024 bit RSA private key
.....++++++
......++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [buaa]:
Organizational Unit Name (eg, section) []:gait
Common Name (eg, your name or your server's hostname) []:client1    #重要: 每个不同的 client 生成的证书, 名字必须不同.
Email Address [support@cooldvd.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:gait
Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'dvdmaster'
organizationalUnitName:PRINTABLE:'dvdmaster'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'support@cooldvd.com'
Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
    o) 依次类推生成其他客户端证书/key:
./build-key client2
./build-key client3
    注意在进入 Common Name (eg, your name or your server's hostname) []: 的输入时, 每个证书输入的名字必须不同.
    p) 执行./build-dh
    q) 生成的所有证书在/root/openvpn-2.0.9/easy-rsa/keys下。
    i. 其中服务器需要的是ca.crtserver.crtserver.keydh1024.pem,每个客户端需要的是ca.crtclient1-3.crtclient1-3.key

    7 配置文件
    a) cp  /root/openvpn-2.0.9/sample-config-files/server.conf /usr/local/etc/server.conf
    b) vi  /usr/local/etc/server.conf
    i. proto udp改成proto tcp
    ii. ca那四行改成
ca /root/openvpn-2.0.9/easy-rsa/keys/ca.crt
cert /root/openvpn-2.0.9/easy-rsa/keys/server.crt
key /root/openvpn-2.0.9/easy-rsa/keys/server.key
dh /root/openvpn-2.0.9/easy-rsa/keys/dh1024.pem
    iii. server那行改成
server 10.0.0.0 255.255.255.0
    iv. 注释掉comp-lzo
v. 改成verb 5可以多查看一些调试信息
    8 启动服务:
    a) 关闭服务器、防火墙上所有对SSH22)、openvpn1194)的拦截。
    b) echo 1> /proc/sys/net/ipv4/ip_forward
    c) /usr/local/sbin/openvpn --config /usr/local/etc/server.conf
    d) 为了实现开机启动,在/etc/rc.local后面添加
/usr/local/sbin/openvpn --config /usr/local/etc/server.conf > /dev/null 2>&1 &

四、 安装客户端
    1 http://openvpn.se/上下载与openvpn服务器版本一致的Windows客户端“Open××× GUI For Windows
    a) 例如, 服务器装的是 Open××× 2.09, 那么下载的 Open××× GUI fow windows应该是: openvpn-2.0.9-gui-1.0.3-install.exe
    2 执行openvpn-2.0.9-gui-1.0.3-install.exe。一切采用默认设置。
    3 ca.crtclient1.crtclient1.key复制到C:\Program Files\Open×××\config。(不同用户使用不同的证书,每个证书包括.crt.key两个文件,如client2.crtclient2.key
    4 /root/openvpn-2.0.9/sample-config-files/client.conf 的基础上建立客户端配置文件,改名为C:\Program Files\Open×××\config\client.ovpn
    a) proto udp改成proto tcp
    b) remote那行改成
gait.buaa.edu.cn 1194
    c) ca3行改为
ca ca.crt
cert client1.crt
key client1.key
    d) 注释掉comp-lzo
    5 连接:在右下角的openvpn图标上右击,选择“Connect”。正常情况下应该能够连接成功,分配正常的IP
    a) 在使用中发现,openvpn不是连续分IP,而是10.0.0.610.0.0.1010.0.0.14、……这样分下去,不知是何用意。
    6 测试:测试过程包括两个步骤:
    a) 第一步是测试到×××服务器的连通性,例如 ping 10.0.0.1