Setting up OpenVPN on CentOS 6, step by step
I. Download the packages
1. Log in to http://rpm.pbone.net/ and download the rpm packages you need. Building from source takes a long time and is more hassle, so rpm packages are used here.
2. OpenVPN needs two packages, lzo and openvpn; download and install them with the commands below.
II. Install the rpm packages #during installation you may be told that dependencies are missing; if so, install the packages it names and continue, nothing more to say here
rpm -ivh lzo-2.04-2.2.i386.rpm
rpm -ivh openvpn-2.1-0.20.rc4.el5.kb.i386.rpm
III. Copy the configuration files to /etc/openvpn
cp -a /usr/share/openvpn/easy-rsa/2.0/ /etc/openvpn
cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn
IV. Configure OpenVPN
1. Initialise the PKI
[root@Lemko208 ~]# cd /etc/openvpn/2.0/
[root@Lemko208 2.0]# vim vars
2. Edit the following options (they are environment variables)
export KEY_COUNTRY="CN" (country)
export KEY_PROVINCE="BJ" (province)
export KEY_CITY="BJ" (city)
export KEY_ORG="×××-LEMKO" (organisation / description)
export KEY_EMAIL="maxiaohui@lemko-cn.com" (administrator e-mail)
3. Check whether the variables have taken effect
[root@Lemko208 2.0]# env | grep KEY (no output means they are not in effect yet; source the file with the next command to apply them)
[root@Lemko208 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/2.0/keys
[root@Lemko208 2.0]# env | grep KEY
KEY_EXPIRE=3650
KEY_EMAIL=maxiaohui@lemko-cn.com
KEY_SIZE=1024
KEY_DIR=/etc/openvpn/2.0/keys
KEY_CITY=BJ
KEY_PROVINCE=BJ
KEY_ORG=×××-LEMKO
KEY_CONFIG=/etc/openvpn/2.0/openssl.cnf
KEY_COUNTRY=CN
4. Create the keys directory
[root@Lemko208 2.0]# ./clean-all
[root@Lemko208 2.0]# ls
build-ca build-key build-key-server clean-all list-crl openssl.cnf revoke-full whichopensslcnf
build-dh build-key-pass build-req inherit-inter Makefile pkitool sign-req
build-inter build-key-pkcs12 build-req-pass keys openssl-0.9.6.cnf README vars
5. Generate the CA certificate
[root@Lemko208 2.0]# ./build-ca
Generating a 1024 bit RSA private key
.......................++++++
.++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: (country, press Enter for the default)
State or Province Name (full name) [BJ]: (province, Enter for the default)
Locality Name (eg, city) [BJ]: (city, Enter for the default)
Organization Name (eg, company) [×××-LEMKO]: (VPN description, Enter again)
Organizational Unit Name (eg, section) []:vpn (another description, choose your own, then Enter)
Common Name (eg, your name or your server's hostname) [×××-LEMKO CA]:server (careful here: this machine is the server, so enter server)
Email Address [maxiaohui@lemko-cn.com]: (administrator e-mail, Enter to confirm)
6. Build the server key and certificate
[root@Lemko208 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
...............................++++++
.............................................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: (country, Enter for the default)
State or Province Name (full name) [BJ]: (province, Enter for the default)
Locality Name (eg, city) [BJ]: (city, Enter for the default)
Organization Name (eg, company) [×××-LEMKO]: (VPN description, Enter again)
Organizational Unit Name (eg, section) []:vpn (another description, choose your own, then Enter)
Common Name (eg, your name or your server's hostname) [server]:server (this must be server)
Email Address [maxiaohui@lemko-cn.com]: (administrator e-mail, Enter to confirm)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456 (initial password, choose your own, then Enter)
An optional company name []: (another name; just press Enter if you don't want one)
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BJ'
organizationName :PRINTABLE:'×××-LEMKO'
organizationalUnitName:PRINTABLE:'vpn'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'maxiaohui@lemko-cn.com'
Certificate is to be certified until Jul 1 08:16:15 2023 GMT (3650 days)
Sign the certificate? [y/n]:y (y to confirm)
1 out of 1 certificate requests certified, commit? [y/n]y (y to confirm)
Write out database with 1 new entries
Data Base Updated
[root@Lemko208 2.0]# ls keys/ (check the generated server key)
01.pem ca.crt ca.key index.txt index.txt.attr index.txt.old serial serial.old server.crt server.csr server.key
7. Build the client key and certificate (no further explanation, it works the same as generating the server key; note the few values that differ. Run it once for each client you want, never with the same name twice)
[root@Lemko208 2.0]# ./build-key client1
Generating a 1024 bit RSA private key
..............................................................................................++++++
.................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [×××-LEMKO]:
Organizational Unit Name (eg, section) []:vpn
Common Name (eg, your name or your server's hostname) [client1]:client1
Email Address [maxiaohui@lemko-cn.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BJ'
organizationName :PRINTABLE:'×××-LEMKO'
organizationalUnitName:PRINTABLE:'vpn'
commonName :PRINTABLE:'client1'
emailAddress :IA5STRING:'maxiaohui@lemko-cn.com'
Certificate is to be certified until Jul 1 08:27:11 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
8. Generate the Diffie-Hellman parameters
[root@Lemko208 2.0]# ./build-dh (take a short break and wait for it to finish)
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..............+.............+.......+.........+ (several thousand progress characters omitted) ...+.........++*++*++*
9. Archive the keys directory and download it to the local computer, i.e. the client machine
[root@Lemko208 2.0]# tar -zcvf key.tar.gz keys/
keys/
keys/ca.key
keys/server.key
keys/client1.crt
keys/server.csr
keys/client2.csr
keys/server.crt
keys/client2.key
keys/index.txt.old
keys/index.txt.attr.old
keys/index.txt
keys/serial
keys/index.txt.attr
keys/client3.crt
keys/ca.crt
keys/serial.old
keys/04.pem
keys/03.pem
keys/client1.key
keys/dh1024.pem
keys/01.pem
keys/client3.csr
keys/client1.csr
keys/02.pem
keys/client3.key
keys/client2.crt
[root@Lemko208 2.0]# ls (check the archive you just created)
build-ca build-key build-key-server clean-all key.tar.gz openssl-0.9.6.cnf README vars
build-dh build-key-pass build-req inherit-inter list-crl openssl.cnf revoke-full whichopensslcnf
build-inter build-key-pkcs12 build-req-pass keys Makefile pkitool sign-req
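Step 9 archives the whole keys/ directory, which includes ca.key and server.key; a client only needs ca.crt plus its own certificate and private key, and the CA signing key should never leave the server. The following shell function is an added example (not part of the original post, nor of OpenVPN or easy-rsa) that packages exactly those three files for one client and, when openssl is available, checks that the certificate was signed by ca.crt and belongs to the key before the archive is written. The function name bundle_client, its arguments and the usage line are assumptions.

```shell
# Hypothetical helper, not from the original post: package only what one client needs.
# The client gets ca.crt, <client>.crt and <client>.key; ca.key (the CA signing key) and
# server.key stay on the CA host, so an archive that is copied around cannot leak them.
# Assumes the easy-rsa keys directory layout used above ($KEY_DIR, e.g. /etc/openvpn/2.0/keys).
bundle_client() {
  keys_dir=$1; client=$2; out=$3
  ca="$keys_dir/ca.crt"; crt="$keys_dir/$client.crt"; key="$keys_dir/$client.key"
  for f in "$ca" "$crt" "$key"; do
    [ -f "$f" ] || { echo "bundle_client: missing $f" >&2; return 1; }
  done
  if command -v openssl >/dev/null 2>&1; then
    # The certificate must chain to our CA and belong to this private key,
    # otherwise the client fails the TLS handshake once it is deployed.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
      || { echo "bundle_client: $crt is not signed by $ca" >&2; return 2; }
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
      || { echo "bundle_client: $key does not match $crt" >&2; return 3; }
  fi
  # umask 077 keeps the resulting archive readable by its creator only.
  (umask 077 && tar -C "$keys_dir" -czf "$out" ca.crt "$client.crt" "$client.key")
}

# Usage (constructed example):
#   bundle_client /etc/openvpn/2.0/keys client1 /root/client1.tar.gz
```

If openssl is not installed the chain and key checks are skipped and only the file selection is enforced; on the CA host itself openssl is always present, since easy-rsa depends on it.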
10. Create the server configuration file
[root@Lemko208 2.0]# cp keys/ca.* /etc/openvpn
[root@Lemko208 2.0]# cp keys/server.* /etc/openvpn
[root@Lemko208 2.0]# cp keys/dh1024.pem /etc/openvpn
[root@Lemko208 2.0]# cd ..
[root@Lemko208 openvpn]# ls
2.0 ca.crt ca.key dh1024.pem server.conf server.crt server.csr server.key
[root@Lemko208 openvpn]# vim server.conf (the sample config file is very detailed and well commented, worth studying; here only the essential content is written out)
[root@Lemko208 openvpn]# >server.conf (empty the config file)
[root@Lemko208 openvpn]# vim server.conf
port 1194 #port
proto udp #protocol
dev tun #routed (tun) mode
ca ca.crt #CA certificate
cert server.crt #server certificate
key server.key #server private key
dh dh1024.pem #Diffie-Hellman parameters
server 10.8.0.0 255.255.255.0 #subnet handed out to clients
client-to-client #allow clients to reach each other
keepalive 10 120 #ping interval and timeout
comp-lzo #LZO compression (not an encryption setting)
persist-key #keep the key and tun device across restarts
persist-tun
status openvpn-status.log #server status file
verb 4 #log verbosity (not a cipher setting)
push "dhcp-option DNS 10.8.0.1" #push a DNS server to clients
push "dhcp-option DNS 219.141.136.10" #push a DNS server to clients
11. Start the OpenVPN service
[root@Lemko208 openvpn]# /etc/init.d/openvpn restart
Shutting down openvpn: [ OK ]
Starting openvpn: [ OK ]
[root@Lemko208 openvpn]# ifconfig #check whether the OpenVPN server was configured successfully
eth0 Link encap:Ethernet HWaddr 00:18:7D:2A:EF:29
inet addr:192.168.1.208 Bcast:192.168.255.255 Mask:255.255.0.0
inet6 addr: fe80::218:7dff:fe2a:ef29/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1759476 errors:0 dropped:0 overruns:0 frame:0
TX packets:375924 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:633526957 (604.1 MiB) TX bytes:125681128 (119.8 MiB)
Interrupt:66 Base address:0x4000
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 #the tun0 interface shows that OpenVPN is configured and the service has started
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
12. In this example the OpenVPN server is an internal machine, so users on the public Internet cannot reach it directly. You therefore have to map the OpenVPN server's IP address and port on your firewall or router so that clients can reach it through the public IP from outside. Our company uses an iptables firewall, so I did the address mapping directly in iptables.
[root@iptables ~]#iptables -t nat -I PREROUTING -d X.X.X.X -p udp --dport 1194 -j DNAT --to 192.168.1.208:1194 #X.X.X.X stands for your public address
[root@iptables ~]#echo 1 >/proc/sys/net/ipv4/ip_forward #enable IP forwarding. Alternatively edit the kernel configuration file (vi /etc/sysctl.conf and change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1), or put echo 1 >/proc/sys/net/ipv4/ip_forward into /etc/rc.local, so that forwarding survives a server reboot.
[root@iptables ~]#iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to 192.168.1.208 #lets OpenVPN clients reach the public network after they connect
V. Client configuration and connecting to the VPN
1. Go to http://openvpn.se/download.html, download the OpenVPN client for Windows XP and install it. Installation is straightforward, just keep clicking Next; after a successful install a connection icon appears in the bottom-right corner of the screen.
Windows 7 client download: http://swupdate.openvpn.org/community/releases/openvpn-2.2.2-install.exe
#this red icon means the installation succeeded; afterwards an extra network connection appears under your local connections
2. Configure the OpenVPN client
a. Copy the key.tar.gz generated on the server to the client and extract it, then copy the client certificate files to the client install directory C:\Program Files\OpenVPN\config, and also copy the client config file from C:\Program Files\OpenVPN\sample-config to C:\Program Files\OpenVPN\config
b. Edit the client.ovpn file (client config files use the .ovpn extension; how to show file extensions is not covered here). It is largely the same as the server config, so see the explanation of the server config above, or look the options up online. The essential content is below: right-click the client config file, open it with Notepad, clear its contents and add the following:
client
dev tun
proto udp
remote X.X.X.X 1194 #X.X.X.X is your public IP address, 1194 the port
persist-key
persist-tun
ca ca.crt
cert client1.crt #client certificate; for another client just change the name
key client1.key #client private key; for another client just change the name
comp-lzo
ns-cert-type server
verb 3
redirect-gateway def1
c. Test the connection: right-click the client icon in the bottom-right corner and click Connect. When the icon turns green and a pop-up shows the assigned IP information, the connection succeeded.
3. Linux client configuration
a. The Linux client is simple to configure; it needs the same packages that were installed on the OpenVPN server
[root@localhost ~]#rpm -ivh lzo-2.04-2.2.i386.rpm
[root@localhost ~]#rpm -ivh openvpn-2.1-0.20.rc4.el5.kb.i386.rpm
b. After installation copy the client files generated on the server to /etc/openvpn; to tell them apart I use the client2 files here
[root@localhost openvpn]#ls
ca.crt client2.crt client2.csr client2.key client.conf #this file is the equivalent of client.ovpn on Windows; create it by hand if it does not exist
[root@localhost openvpn]#vim client.conf
client
dev tun
proto udp
remote X.X.X.X 1194 #X.X.X.X is your public IP address, 1194 the port
persist-key
persist-tun
ca ca.crt
cert client2.crt #client certificate; for another client just change the name
key client2.key #client private key; for another client just change the name
comp-lzo
ns-cert-type server
verb 3
redirect-gateway def1
c. After configuring, start the OpenVPN service
[root@localhost openvpn]# /etc/init.d/openvpn restart
[root@localhost openvpn]# ifconfig
eth0 Link encap:Ethernet HWaddr F6:D3:7E:D7:64:9E
inet addr:192.168.1.71 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::f4d3:7eff:fed7:649e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5360452 errors:0 dropped:0 overruns:0 frame:0
TX packets:160479 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:885748110 (844.7 MiB) TX bytes:13228925 (12.6 MiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 #indicates success
inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
VI. Logging in to OpenVPN with a username and password
1. So far the server generated the client certificates and they were then distributed to the clients. The drawback is that with many clients you must first generate N client certificates and hand each one out. To avoid that tedious work we log in to OpenVPN with a username and password instead. The client then only needs the ca.crt file, and enters a username and password when it connects to the server.
[root@Lemko208 ~]# useradd -M xiaohui #add a login user
[root@Lemko208 ~]# passwd xiaohui #set the user's password
Changing password for user xiaohui.
New UNIX password:
BAD PASSWORD: it is WAY too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
2. OpenVPN uses the openvpn-auth-pam plugin to support username/password authentication through PAM; edit the OpenVPN config file
[root@Lemko208 ~]# vim /etc/openvpn/server.conf
port 1194
plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so login #add these three lines (plugin, client-cert-not-required, username-as-common-name); on a 64-bit system the path is /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so
client-cert-not-required
username-as-common-name
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 219.141.136.10"
[root@Lemko208 ~]# /etc/init.d/openvpn restart #restart the OpenVPN service; the following status shows the plugin was added successfully
Shutting down openvpn: [ OK ]
Starting openvpn: AUTH-PAM: INIT service='login'
[ OK ]
3. Client configuration
Add auth-user-pass on the client to enable this authentication method: right-click and open client.ovpn
client
auth-user-pass #enable username/password authentication
dev tun
proto udp
remote 192.168.1.208 1194
persist-key
persist-tun
ca ca.crt
#cert client1.crt #comment out the client certificate
#key client1.key #comment out the client key
comp-lzo
ns-cert-type server
verb 3
redirect-gateway def1
4. Connect from the client; a dialog box appears during login, enter your username and password and you are logged in
VII. Notes
1. After adding a client, regenerate the Diffie-Hellman parameters and replace the existing dh file with the newly generated one. For example, adding a user test:
[root@test 2.0]# ./build-key test
[root@test 2.0]# ./build-dh
[root@test 2.0]# cp @ /etc/openvpn #@ stands for the newly generated dh parameter file; delete the old dh parameters before copying
2. Several users sharing one certificate: open the server config file
[root@Lemko208 ~]# vim /etc/openvpn/server.conf
port 1194
plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so login #the three added lines (plugin, client-cert-not-required, username-as-common-name); on a 64-bit system the path is /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so
client-cert-not-required
username-as-common-name
proto udp
#duplicate-cn #uncomment this line to let several clients connect at the same time with the same certificate (or, with username-as-common-name, the same account); I leave it commented out by default, so each certificate or account can have only one active session
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 219.141.136.10"
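To see who is actually connected, and whether one common name is in use by several sessions at once (the situation duplicate-cn permits), the status file named by the `status openvpn-status.log` line can be parsed. The following is an added example, not from the original post: a small awk-based reader for the version-1 status format that OpenVPN 2.x writes, with a constructed sample status file; the function names, the sample addresses and the sample timestamps are assumptions (the common names client1 and xiaohui are the ones used on this page).

```shell
# Hypothetical helpers, not from the original post. They read the version-1 status file
# written by "status openvpn-status.log" (a "CLIENT LIST" block, then a "ROUTING TABLE"
# block, then "GLOBAL STATS" and "END").

# Print "common_name real_address" for every session in the CLIENT LIST block.
status_sessions() {
  awk -F, '
    /^OpenVPN CLIENT LIST/ { inlist = 1; next }
    /^ROUTING TABLE/       { inlist = 0 }
    inlist && NF >= 5 && $1 != "Common Name" { print $1, $2 }
  ' "$1"
}

# Common names with more than one concurrent session, one per line as "cn count".
# A non-empty result means a certificate or account is shared (duplicate-cn in effect).
shared_cns() {
  status_sessions "$1" | awk '{ n[$1]++ } END { for (c in n) if (n[c] > 1) print c, n[c] }' | sort
}

# Constructed sample status file: client1 is connected twice, xiaohui once.
write_sample_status() {
  cat > "$1" <<'EOF'
OpenVPN CLIENT LIST
Updated,Thu Jun 18 08:12:15 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,203.0.113.5:51234,12345,67890,Thu Jun 18 08:00:00 2015
client1,198.51.100.7:40001,2222,3333,Thu Jun 18 08:05:00 2015
xiaohui,192.0.2.9:55555,100,200,Thu Jun 18 08:10:00 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,203.0.113.5:51234,Thu Jun 18 08:12:10 2015
10.8.0.10,client1,198.51.100.7:40001,Thu Jun 18 08:12:11 2015
10.8.0.14,xiaohui,192.0.2.9:55555,Thu Jun 18 08:12:12 2015
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

# Usage against the real server file (constructed example):
#   shared_cns /etc/openvpn/openvpn-status.log
```

Run shared_cns from cron or a monitoring check; with duplicate-cn left commented out it should never print anything, so any output is worth a look.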
3. Assign a fixed IP address to a client; edit the server configuration
[root@Lemko208 ~]#mkdir /etc/openvpn/address #create the address directory
[root@Lemko208 ~]#cd /etc/openvpn/address #enter the directory
[root@Lemko208 address]#vim client1 #create a file named after the client's common name
ifconfig-push 10.8.0.9 10.8.0.10 #the address pair to assign
[root@Lemko208 ~]# vim /etc/openvpn/server.conf
client-config-dir address #just add this line to the existing config file
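Writing the client-config-dir file by hand is easy to get wrong because, with dev tun and OpenVPN's default net30 topology, each client occupies its own /30 and only certain address pairs are valid; the OpenVPN documentation lists [.1,.2] [.5,.6] [.9,.10] [.13,.14] and so on as the pairs usable with Windows clients, and the 10.8.0.9 10.8.0.10 pair above is one of them. The following shell function is an added example, not from the original post, that validates the pair before creating the file; the function name ccd_entry and its arguments are assumptions.

```shell
# Hypothetical helper, not from the original post: write one client-config-dir entry
# with a fixed address. In net30 mode the client's last octet must be 4n+1 and the peer
# address must be the next one, e.g. 10.8.0.9 10.8.0.10; anything else is rejected here.
ccd_entry() {
  ccd_dir=$1; client=$2; client_ip=$3; peer_ip=$4
  c_net=${client_ip%.*}; p_net=${peer_ip%.*}
  c=${client_ip##*.};   p=${peer_ip##*.}
  [ "$c_net" = "$p_net" ] \
    || { echo "ccd_entry: $client_ip and $peer_ip are not in the same /24" >&2; return 1; }
  [ $((c % 4)) -eq 1 ] && [ "$p" -eq $((c + 1)) ] \
    || { echo "ccd_entry: $client_ip $peer_ip is not a valid net30 pair" >&2; return 1; }
  mkdir -p "$ccd_dir"
  # The file name must equal the client's certificate common name (or, with
  # username-as-common-name, the login name), otherwise OpenVPN never reads it.
  printf 'ifconfig-push %s %s\n' "$client_ip" "$peer_ip" > "$ccd_dir/$client"
}

# Usage (constructed example), matching the client1 entry above:
#   ccd_entry /etc/openvpn/address client1 10.8.0.9 10.8.0.10
```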
4. Windows 7 client notes
Install it in compatibility mode, or after installation right-click the icon and select compatibility mode.
The client must then be run as administrator, otherwise even a successful connection is unusable.
VIII. FAQ, collected from online sources, for reference only #questions and corrections welcome, Linux technical discussion QQ group: 155596694
1. You get the error: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). This means the client cannot establish a network connection to the server.
Solution:
a. Make sure the hostname/IP and port the client uses for the server are correct.
b. If your OpenVPN server has a single network card and sits in a protected LAN, make sure your gateway firewall has the correct port-forwarding rule. For example: the OpenVPN machine is 192.168.1.4, behind a firewall, listening for UDP connections on port 1194; the gateway serving the 192.168.1.x subnet then needs a port-forwarding rule that sends every request for UDP port 1194 to 192.168.1.4.
c. Open the server's firewall to allow incoming connections on UDP port 1194 (or whichever protocol, TCP or UDP, is configured in the server config file).
2. You get the error: Initialization Sequence Completed with errors. On Windows this can happen when (a) the DHCP Client service is not enabled, or (b) a third-party personal firewall is in use.
Solution: start the DHCP Client service, or check that your personal firewall is configured correctly.
3. You get Initialization Sequence Completed but a ping test still fails. Usually the firewall on the server or on the client is filtering traffic on the TUN/TAP device.
Solution: if the firewall filters traffic on the TUN/TAP interface, turn it off for that interface. On Windows XP, for example, go to Windows Security Center -> Windows Firewall -> Advanced and untick the TAP-Win32 adapter (i.e. exclude the TUN/TAP device from firewall filtering, which tells the firewall not to block the VPN traffic). Likewise on the server make sure the TUN/TAP device is not filtered by the firewall (filtering on the TUN/TAP interface does give some security; see the next section on access policy).
4. With a UDP configuration the connection stalls on startup and the server log shows a line like:
TLS: Initial packet from x.x.x.x:x, sid=xxxxxxxx xxxxxxxx
This message appears only on the server side; the client shows nothing similar.
Solution: you have only a one-way connection from client to server; the reverse direction, from server to client, is blocked by a firewall, usually on the client side: (a) a personal firewall running on the client, or (b) the NAT router/gateway serving the client is configured so that the UDP packets returning from the server are blocked.