I. OpenVPN installation environment
1. Server environment
Red Hat Enterprise Linux AS release 4 (Nahant Update 8)
Kernel: 2.6.27.48
IP: 192.168.0.1
2. Client environment
Windows XP PRO SP2
IP: 192.168.0.2
II. OpenVPN server installation
1. The kernel must support the tun device, and the iptables modules must be loadable.
Check whether the tun module is available (modinfo only shows that the module exists on disk; the char-major-10-200 alias in its output is what lets the kernel load it automatically the moment OpenVPN opens /dev/net/tun):
Code:
[root@localhost ~]# modinfo tun
filename: /lib/modules/2.6.27.48/kernel/drivers/net/tun.ko
description: Universal TUN/TAP device driver
author: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
license: GPL
alias: char-major-10-200
vermagic: 2.6.27.48 SMP mod_unload modversions 686 4KSTACKS
depends:
|
2. Check OpenSSL
Certificate-based (TLS) connections, which this guide uses, require OpenSSL to be installed first. RHEL4 installs OpenSSL by default; install it yourself if it is missing.
3. Download and install LZO
Download lzo-2.03.tar.gz (the latest release at the time of writing) from http://www.oberhumer.com/opensource/lzo/download/
Code:
[root@localhost src]# tar zxvf lzo-2.03.tar.gz
[root@localhost src]# cd lzo-2.03
[root@localhost lzo-2.03]# ./configure
[root@localhost lzo-2.03]# make
[root@localhost lzo-2.03]# make check      (runs the self-checks; optional)
[root@localhost lzo-2.03]# make test       (runs the full test suite; optional)
[root@localhost lzo-2.03]# make install    (run as root)
|
4. Download and install OpenVPN
Download openvpn-2.1.2.tar.gz (the latest release at the time of writing) from http://openvpn.net/download.html and check it against the checksum or GPG signature published on the download page before building it.
Code:
[root@localhost src]# tar zxvf openvpn-2.1.2.tar.gz
[root@localhost src]# cd openvpn-2.1.2
[root@localhost openvpn-2.1.2]# ./configure --prefix=/usr/local/openvpn \
--with-lzo-lib=/usr/local/lib \
--with-ssl-headers=/usr/include/openssl \
--with-ssl-lib=/lib
[root@localhost openvpn-2.1.2]# make
[root@localhost openvpn-2.1.2]# make install
|
5. Generate the server and client certificates and keys
Set the environment variables that easy-rsa reads
Method one: declare them with export
Code:
[root@localhost openvpn-2.1.2]# cd easy-rsa/2.0
[root@localhost 2.0]# export D=`pwd`
[root@localhost 2.0]# export KEY_CONFIG=$D/openssl.cnf
[root@localhost 2.0]# export KEY_DIR=$D/keys
[root@localhost 2.0]# export KEY_SIZE=1024
[root@localhost 2.0]# export KEY_COUNTRY=CN
[root@localhost 2.0]# export KEY_PROVINCE=SH
[root@localhost 2.0]# export KEY_CITY=Shanghai    (this is the value the prompts below show as their default)
[root@localhost 2.0]# export KEY_ORG="dzh.com"
[root@localhost 2.0]# export KEY_EMAIL="me@dzh.com"
|
KEY_SIZE=1024 is what this guide used; 1024-bit RSA is no longer considered adequate, so use 2048 for new deployments (build-dh then produces dh2048.pem instead of dh1024.pem, so adjust the file name copied in step 6 and referenced in server.conf accordingly).
Method two: edit the vars file
Code:
[root@localhost 2.0]# vi vars    (set the variables listed above to the same values in this file)
[root@localhost 2.0]# . vars
|
Remove any previous CA certificate and keys (clean-all wipes and recreates $KEY_DIR, so never run it against a CA that is already in use)
Code:
[root@localhost 2.0]# ./clean-all
|
Generate the CA
Code:
[root@localhost 2.0]# ./build-ca
Generating a 1024 bit RSA private key
...............++++++
.....++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) [dzh.com]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [dzh.com CA]:
Name []:
Email Address [me@dzh.com]:
The values were already supplied through the variables, so pressing Enter at each prompt accepts the default shown in brackets.
|
Generate the server certificate and key
Code:
[root@localhost 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
.........................................++++++
.........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) [dzh.com]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Name []:
Email Address [me@dzh.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/src/openvpn-2.1.2/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SH'
localityName :PRINTABLE:'Shanghai'
organizationName :PRINTABLE:'dzh.com'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'me@dzh.com'
Certificate is to be certified until Aug 17 07:20:17 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
|
Generate a client certificate and key
Code:
[root@localhost 2.0]# ./build-key client1
Generating a 1024 bit RSA private key
....................................++++++
........++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) [dzh.com]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:
Name []:
Email Address [me@dzh.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/src/openvpn-2.1.2/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SH'
localityName :PRINTABLE:'Shanghai'
organizationName :PRINTABLE:'dzh.com'
commonName :PRINTABLE:'client1'
emailAddress :IA5STRING:'me@dzh.com'
Certificate is to be certified until Aug 17 07:24:46 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
|
If there are several clients, run ./build-key once per client with a different name.
Note that the value entered at the Common Name (eg, your name or your server's hostname) []: prompt must be different for every certificate: the Common Name is how the server identifies a client (it is what the status log shows and what client-config-dir entries are matched against), so two clients must not share one.
Generate the Diffie-Hellman parameters
Code:
[root@localhost 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...............................+....+..........................+..............................................................+............+..............+.................................................................+.......................................+............................................+...........+..............+..........................................................................+.......................+.......................................+................................+...........................+........+....................+.+.+........................................+....++*++*++*
|
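Before anything from easy-rsa's keys directory is copied to the server or to a client, it is worth confirming that the files actually belong together. The following script is an added example (it is not part of this guide and not part of easy-rsa): with nothing but the openssl command-line tool it checks that a certificate chains to ca.crt, that the .key file next to it really is its private key, that the RSA key is at least 2048 bits, and that the certificate has not expired. The file names are the guide's; the 2048-bit minimum, make_demo_pki and the throwaway CA it builds in a temporary directory are this example's own assumptions, not anything the guide produced.

```shell
#!/bin/sh
# Added example, not part of the original guide or of easy-rsa: sanity-check
# the key material easy-rsa produced before it goes to /etc/openvpn or to a
# client.  Needs only the openssl command-line tool.  File names follow the
# guide (ca.crt, server.crt/server.key, client1.crt/client1.key); the
# 2048-bit minimum and the demo PKI are this example's own assumptions.

# check_cert_pair CA CERT KEY [MIN_BITS]
# Prints "ok <CN>" and returns 0 when CERT chains to CA, KEY is the private
# key for CERT, the RSA key has at least MIN_BITS bits and CERT is not
# expired; otherwise prints "FAIL: <reason>" and returns 1.
check_cert_pair() {
    ca=$1; crt=$2; key=$3; min_bits=${4:-2048}

    # 1. signature chain: the cert must have been issued by *our* CA
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not verify against $ca"; return 1
    fi
    # 2. pairing: the public key inside the cert must equal the one derived
    #    from the private key (catches a server.key/client1.key mix-up)
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $crt"; return 1
    fi
    # 3. strength: the guide's KEY_SIZE=1024 would be rejected here
    bits=$(openssl x509 -in "$crt" -noout -text 2>/dev/null \
           | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "FAIL: $crt key is ${bits:-?} bits, want >= $min_bits"; return 1
    fi
    # 4. validity: -checkend 0 fails once notAfter has passed
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $crt has expired"; return 1
    fi
    cn=$(openssl x509 -in "$crt" -noout -subject 2>/dev/null \
         | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    echo "ok $cn"
}

# make_demo_pki DIR
# Constructed demo data: a throwaway CA plus one client cert made with plain
# openssl (no easy-rsa), and stray.key, an unrelated key used to show the
# mismatch case.  Names are hypothetical.
make_demo_pki() {
    dir=$1; mkdir -p "$dir"
    cat >"$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
commonName = Common Name
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -config "$dir/ext.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=demo CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -new -config "$dir/ext.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=client1" -keyout "$dir/client1.key" -out "$dir/client1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/client1.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/ext.cnf" -extensions client_ext \
        -out "$dir/client1.crt" >/dev/null 2>&1
    openssl genrsa -out "$dir/stray.key" 2048 >/dev/null 2>&1
}

# RUN_DEMO=1 sh check_pki.sh : build the demo PKI and show both outcomes
if [ "${RUN_DEMO:-0}" = 1 ]; then
    d=$(mktemp -d)
    make_demo_pki "$d"
    check_cert_pair "$d/ca.crt" "$d/client1.crt" "$d/client1.key"   # ok client1
    check_cert_pair "$d/ca.crt" "$d/client1.crt" "$d/stray.key"     # FAIL: ... is not the private key for ...
    rm -rf "$d"
fi
```

On the real files, source the script and call check_cert_pair $KEY_DIR/ca.crt $KEY_DIR/server.crt $KEY_DIR/server.key (and the same for client1). With the guide's KEY_SIZE=1024 the size check fails on purpose; pass a lower minimum as the fourth argument only if you consciously accept 1024-bit keys.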
6. Create the server configuration file and the service start script
Code:
[root@localhost openvpn-2.1.2]# mkdir /etc/openvpn
[root@localhost openvpn-2.1.2]# cp sample-config-files/server.conf /etc/openvpn
[root@localhost openvpn-2.1.2]# cp sample-scripts/openvpn.init /etc/init.d/openvpnd
Note: the path to the openvpn binary in the stock openvpn.init script may not match where you actually installed it, in which case it has to be changed:
[root@localhost openvpn-2.1.2]# vi /etc/init.d/openvpnd
Change openvpn_locations="/usr/sbin/openvpn /usr/local/sbin/openvpn" in the script to the real install path, for example openvpn_locations="/usr/local/openvpn/sbin/openvpn"
[root@localhost openvpn-2.1.2]# chkconfig --add openvpnd
[root@localhost openvpn-2.1.2]# cp easy-rsa/2.0/keys/ca.crt /etc/openvpn/
[root@localhost openvpn-2.1.2]# cp easy-rsa/2.0/keys/server.crt /etc/openvpn/
[root@localhost openvpn-2.1.2]# cp easy-rsa/2.0/keys/server.key /etc/openvpn/
[root@localhost openvpn-2.1.2]# cp easy-rsa/2.0/keys/dh1024.pem /etc/openvpn/
The sample server.conf already refers to ca.crt, server.crt, server.key and dh1024.pem, which is why exactly these files are copied. server.key is the server's private key: keep it readable by root only. ca.key stays in the easy-rsa keys directory; it is needed only to sign new certificates and has no business in /etc/openvpn or on any client.
|
7. Start the OpenVPN server
Code:
[root@localhost openvpn-2.1.2]# service openvpnd start
Starting openvpn: [ OK ]
[root@localhost openvpn-2.1.2]# tail /var/log/messages
Aug 20 15:50:29 localhost openvpn[20961]: OpenVPN 2.1.2 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Aug 20 2010
Aug 20 15:50:29 localhost openvpn[20961]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Aug 20 15:50:29 localhost openvpn[20961]: Diffie-Hellman initialized with 1024 bit key
Aug 20 15:50:29 localhost openvpn[20961]: TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Aug 20 15:50:29 localhost openvpn[20961]: Socket Buffers: R=[109568->131072] S=[109568->131072]
Aug 20 15:50:29 localhost openvpn[20961]: ROUTE default_gateway=222.73.34.190
Aug 20 15:50:29 localhost openvpn[20961]: TUN/TAP device tun0 opened
Aug 20 15:50:29 localhost openvpn[20961]: TUN/TAP TX queue length set to 100
Aug 20 15:50:29 localhost openvpn[20961]: /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Aug 20 15:50:29 localhost kernel: tun0: Disabled Privacy Extensions
Aug 20 15:50:29 localhost openvpn[20961]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Aug 20 15:50:29 localhost openvpn[20961]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Aug 20 15:50:29 localhost openvpn[20966]: UDPv4 link local (bound): [undef]:1194
Aug 20 15:50:29 localhost openvpn[20966]: UDPv4 link remote: [undef]
Aug 20 15:50:29 localhost openvpn[20966]: MULTI: multi_init called, r=256 v=256
Aug 20 15:50:29 localhost openvpnd: succeeded
Aug 20 15:50:29 localhost openvpn[20966]: IFCONFIG POOL: base=10.8.0.4 size=62
Aug 20 15:50:29 localhost openvpn[20966]: IFCONFIG POOL LIST
Aug 20 15:50:29 localhost openvpn[20966]: Initialization Sequence Completed
Aug 20 15:50:34 localhost udevd[1278]: udev done!
[root@localhost openvpn-2.1.2]# ifconfig -a
Link encap:Ethernet HWaddr 00:26:55:1E:D8:9A
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::226:55ff:fe1e:d89a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:526 (526.0 b)
Interrupt:193 Memory:fa000000-fa012100
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1754296 errors:0 dropped:0 overruns:0 frame:0
TX packets:1754296 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:165016597 (157.3 MiB) TX bytes:165016597 (157.3 MiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
|
Seeing the Initialization Sequence Completed line and the tun0 interface above means the openvpn daemon is up and the server side is finished.
III. Installing the OpenVPN GUI for Windows client
1. Download and install OpenVPN GUI for Windows
Download openvpn-2.1.2-install.exe from http://openvpn.net/index.php/open-source/downloads.html
Note: keep the OpenVPN GUI release in step with the OpenVPN server release.
The Windows installation itself needs no walk-through; I installed to the default path, C:\Program Files\OpenVPN.
2. Edit the client configuration file
Copy client.ovpn from the sample-config directory to the config directory.
Open client.ovpn in Notepad and change the following lines:
remote my-server-1 1194 becomes remote 192.168.0.1 1194
cert client.crt becomes cert client1.crt
key client.key becomes key client1.key
|
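The three edits above can also be applied to a copy of the sample on the server, where sed is available, and the resulting file shipped to the Windows box together with the certificates. The script below is an added example, not part of the guide or of the OpenVPN project: it renders client.ovpn for a given server address, port and client name, and while doing so also uncomments the ns-cert-type server line that the 2.1 sample ships disabled. Without that line (or its newer equivalent remote-cert-tls server) any holder of a client certificate from the same CA could pose as the server, because the client would accept any certificate the CA signed. Server address, port and file names are the guide's; write_sample_client_ovpn writes a constructed subset of the sample, and render_client_ovpn is this example's own.

```shell
#!/bin/sh
# Added example, not part of the original guide: apply the guide's three
# edits to a copy of client.ovpn with sed, and enable server-certificate
# checking at the same time.  Server address, port and certificate names
# are the guide's; the sample lines are a constructed subset of the
# OpenVPN 2.1 sample client config.

# write_sample_client_ovpn FILE : the lines of the sample that matter (constructed)
write_sample_client_ovpn() {
    cat >"$1" <<'EOF'
client
dev tun
proto udp
remote my-server-1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
;ns-cert-type server
comp-lzo
verb 3
EOF
}

# render_client_ovpn SAMPLE OUT SERVER PORT NAME
# Writes OUT from SAMPLE and returns 0 only if every intended line is
# present in the result, so a changed sample cannot silently slip through.
render_client_ovpn() {
    sample=$1; out=$2; server=$3; port=$4; name=$5
    sed -e "s/^remote my-server-1 1194\$/remote $server $port/" \
        -e "s/^cert client\\.crt\$/cert $name.crt/" \
        -e "s/^key client\\.key\$/key $name.key/" \
        -e 's/^;ns-cert-type server$/ns-cert-type server/' \
        "$sample" >"$out"
    # ns-cert-type server makes the client insist that the peer's certificate
    # carries nsCertType=server, which build-key-server sets and build-key
    # does not: another client's cert can then no longer impersonate the server.
    grep -q "^remote $server $port\$" "$out" &&
    grep -q "^cert $name\\.crt\$" "$out" &&
    grep -q "^key $name\\.key\$" "$out" &&
    grep -q '^ns-cert-type server$' "$out"
}

# RUN_DEMO=1 sh render_client.sh : render the guide's client1 config
if [ "${RUN_DEMO:-0}" = 1 ]; then
    d=$(mktemp -d)
    write_sample_client_ovpn "$d/client.ovpn"
    render_client_ovpn "$d/client.ovpn" "$d/client1.ovpn" 192.168.0.1 1194 client1 \
        && cat "$d/client1.ovpn"
    rm -rf "$d"
fi
```

OpenVPN on Windows reads LF-only files fine, but Notepad on XP shows them as one line, so open the rendered file with WordPad if you want to inspect it on the client. ns-cert-type works with certificates from easy-rsa's build-key-server, which sets the nsCertType extension; remote-cert-tls server checks the extendedKeyUsage instead and is the directive to prefer on 2.1 and later.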
Copy the certificates from the server
Copy ca.crt, client1.crt and client1.key from the server into the client's config directory. client1.key is the client's private key: transfer it over an encrypted channel (scp/SFTP, or physically on removable media), not by plain FTP or e-mail, give each client only its own key, and never copy ca.key anywhere.
3. Start the client GUI
Open Start -> Programs -> OpenVPN -> OpenVPN GUI and click Connect in the window that appears, then check the adapters:
Code:
C:\Documents and Settings\office>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : office
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter vpn:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Win32 Adapter V9
Physical Address. . . . . . . . . : 00-FF-FF-5D-70-E6
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.8.0.6
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 10.8.0.5
Lease Obtained. . . . . . . . . . : August 20, 2010 16:47:39
Lease Expires . . . . . . . . . . : August 20, 2011 16:47:39
Ethernet adapter local:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-1B-B9-5F-C3-58
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.9.21.74
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.9.21.254
DHCP Server . . . . . . . . . . . : 10.9.21.254
DNS Servers . . . . . . . . . . . : 114.80.136.14
114.80.157.11
Lease Obtained. . . . . . . . . . : August 20, 2010 12:41:54
Lease Expires . . . . . . . . . . : August 21, 2010 12:41:54
|
Once the vpn adapter has obtained an address from the server's pool, as above, the client is connected to the server. To have the client connect automatically when Windows starts, open the Services console, find the OpenVPN service and set its startup type to Automatic; the service then starts every .ovpn file in the config directory.