Installing OpenVPN (2.1.2 from source; this is a 2010 release, so on a new deployment use a current 2.x tarball and the same steps). Work in /usr/local:
cd /usr/local
Download the LZO compression library, used to compress the data carried in the tunnel:
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz
tar xf lzo-2.06.tar.gz
cd lzo-2.06
./configure
make && make install
cd ..
OpenVPN depends on OpenSSL, so install it (the openssl-devel headers are needed for the build; the wildcard pulls them in):
yum install -y openssl*
Download and unpack OpenVPN:
wget https://openvpn.net/release/openvpn-2.1.2.tar.gz
tar xf openvpn-2.1.2.tar.gz
cd openvpn-2.1.2
LZO was installed under /usr/local rather than in the system paths, so configure has to be told where its headers and library are:
./configure --with-lzo-headers=/usr/local/include/ --with-lzo-lib=/usr/local/lib
make && make install
cd ..
Creating the certificates: the server and every client are validated against one CA certificate, so create the CA first.
cd /usr/local/openvpn-2.1.2/easy-rsa/2.0/
Back up vars before editing it:
cp vars vars`date +%T-%F`
vim vars
Change the defaults that will be baked into the subject of every certificate:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="shanghai"
export KEY_CITY="Shanghai"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="usertzc@163.com"
The same file sets KEY_SIZE, which defaults to 1024 and is what produces the 1024-bit RSA keys and DH parameters in the output below; raise it to 2048 for anything other than a lab.
[root@node 2.0]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/openvpn-2.1.2/easy-rsa/2.0/keys
[root@node 2.0]#
clean-all deletes everything under keys/. Run it once, before build-ca; running it again later destroys the CA and every certificate issued from it.
[root@node 2.0]# ./clean-all
Generate the CA:
[root@node 2.0]# ./build-ca
Generating a 1024 bit RSA private key
....................................++++++
...++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [shanghai]:
Locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:linuxea
Name []:
Email Address [usertzc@163.com]:
[root@node 2.0]#
This produces the CA files:
[root@node 2.0]# ll keys/
total 12
-rw-r--r-- 1 root root 1220 Mar 10 06:42 ca.crt
-rw------- 1 root root 916 Mar 10 06:42 ca.key
-rw-r--r-- 1 root root 0 Mar 10 06:40 index.txt
-rw-r--r-- 1 root root 3 Mar 10 06:40 serial
[root@node 2.0]#
Generate the server certificate and key:
[root@node 2.0]# ./build-key-server server
Accept the defaults with Enter and answer y to sign and commit; keys/ then contains:
[root@node 2.0]# ll keys/
total 40
-rw-r--r-- 1 root root 3882 Mar 10 06:46 01.pem
-rw-r--r-- 1 root root 1220 Mar 10 06:42 ca.crt
-rw------- 1 root root 916 Mar 10 06:42 ca.key
-rw-r--r-- 1 root root 111 Mar 10 06:46 index.txt
-rw-r--r-- 1 root root 21 Mar 10 06:46 index.txt.attr
-rw-r--r-- 1 root root 0 Mar 10 06:40 index.txt.old
-rw-r--r-- 1 root root 3 Mar 10 06:46 serial
-rw-r--r-- 1 root root 3 Mar 10 06:40 serial.old
-rw-r--r-- 1 root root 3882 Mar 10 06:46 server.crt
-rw-r--r-- 1 root root 676 Mar 10 06:46 server.csr
-rw------- 1 root root 916 Mar 10 06:46 server.key
Generate a client certificate and key (one per client; the argument becomes both the file name and the Common Name the server logs for that client):
[root@node 2.0]# ./build-key linuxeacom
Again accept the defaults and answer y; keys/ now contains:
[root@node 2.0]# ll keys/
total 64
-rw-r--r-- 1 root root 3882 Mar 10 06:46 01.pem
-rw-r--r-- 1 root root 3769 Mar 10 06:50 02.pem
-rw-r--r-- 1 root root 1220 Mar 10 06:42 ca.crt
-rw------- 1 root root 916 Mar 10 06:42 ca.key
-rw-r--r-- 1 root root 226 Mar 10 06:50 index.txt
-rw-r--r-- 1 root root 21 Mar 10 06:50 index.txt.attr
-rw-r--r-- 1 root root 21 Mar 10 06:46 index.txt.attr.old
-rw-r--r-- 1 root root 111 Mar 10 06:46 index.txt.old
-rw-r--r-- 1 root root 3769 Mar 10 06:50 linuxeacom.crt
-rw-r--r-- 1 root root 684 Mar 10 06:50 linuxeacom.csr
-rw------- 1 root root 916 Mar 10 06:50 linuxeacom.key
-rw-r--r-- 1 root root 3 Mar 10 06:50 serial
-rw-r--r-- 1 root root 3 Mar 10 06:46 serial.old
-rw-r--r-- 1 root root 3882 Mar 10 06:46 server.crt
-rw-r--r-- 1 root root 676 Mar 10 06:46 server.csr
-rw------- 1 root root 916 Mar 10 06:46 server.key
Generate the Diffie-Hellman parameters for the TLS key exchange (KEY_SIZE bits, so 1024 here, which is another reason to raise KEY_SIZE in vars). This takes a while:
[root@node 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.......................................+.............+..........+.....................+..+........+.++*++*++*
[root@node 2.0]#
The result lands in keys/:
-rw-r--r-- 1 root root 245 Mar 10 06:56 dh1024.pem
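Before copying keys/ to the server it is worth checking what easy-rsa produced. The script below is an added example, not part of the original page or of OpenVPN/easy-rsa: it verifies that a certificate chains to ca.crt, that its private key belongs to it, that the RSA key is at least 2048 bits (the output above shows 1024), that the key file is mode 0600, and, for the server certificate, that nsCertType=server is present, because the client configuration later relies on it. The keys/ layout and file names follow the page; the function names and thresholds are ours.

```sh
#!/bin/sh
# Added example (not from the original page): sanity-check easy-rsa output
# before it is copied to /etc/openvpn. Layout assumed: DIR/ca.crt,
# DIR/NAME.crt, DIR/NAME.key, as easy-rsa 2.0 writes them under keys/.
set -u

# Print the RSA modulus size of a certificate (works with 1.x and 3.x output).
cert_bits() {
    openssl x509 -noout -text -in "$1" \
      | sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed if the certificate carries nsCertType=server, which build-key-server
# sets and which the client's "ns-cert-type server" directive checks.
has_ns_server() {
    openssl x509 -noout -text -in "$1" \
      | sed -n '/Netscape Cert Type/{n;p;}' | grep -q 'SSL Server'
}

# check_pki DIR NAME: run the checks on DIR/NAME.crt and DIR/NAME.key.
# Prints one line per check; returns 0 only if every check passed.
check_pki() {
    dir=$1; name=$2; rc=0
    ca=$dir/ca.crt; crt=$dir/$name.crt; key=$dir/$name.key
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "MISSING $f"; return 1; }
    done
    # 1. The certificate must chain to our CA and nothing else.
    if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "OK    $name.crt is signed by ca.crt"
    else
        echo "FAIL  $name.crt does not verify against ca.crt"; rc=1
    fi
    # 2. The private key must match the certificate (same RSA modulus).
    cmod=$(openssl x509 -noout -modulus -in "$crt" | openssl md5)
    kmod=$(openssl rsa  -noout -modulus -in "$key" | openssl md5)
    if [ "$cmod" = "$kmod" ]; then
        echo "OK    $name.key matches $name.crt"
    else
        echo "FAIL  $name.key does not match $name.crt"; rc=1
    fi
    # 3. Key size: easy-rsa 2.0 defaults KEY_SIZE to 1024.
    bits=$(cert_bits "$crt")
    if [ "${bits:-0}" -ge 2048 ]; then
        echo "OK    RSA $bits bit"
    else
        echo "WEAK  RSA ${bits:-?} bit; set KEY_SIZE=2048 in vars and rebuild"; rc=1
    fi
    # 4. Private keys must not be readable by anyone else.
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    if [ "$mode" = "600" ]; then
        echo "OK    $name.key is mode 0600"
    else
        echo "WARN  $name.key is mode $mode, expected 0600"; rc=1
    fi
    # 5. Only the server certificate should be usable as a server.
    if [ "$name" = server ]; then
        if has_ns_server "$crt"; then
            echo "OK    server.crt has nsCertType=server"
        else
            echo "WARN  server.crt lacks nsCertType=server; clients using 'ns-cert-type server' will reject it"; rc=1
        fi
    fi
    return $rc
}

# Usage: sh check_pki.sh /usr/local/openvpn-2.1.2/easy-rsa/2.0/keys server
if [ $# -ge 2 ]; then check_pki "$1" "$2"; fi
```

Run it once for server and once per client name; a FAIL on the chain check for a client certificate means the server will refuse that client, and a FAIL on the key match means the wrong file was handed out.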
Create the configuration directory and copy the certificates over
[root@node ~]# mkdir /etc/openvpn
Copy the keys directory and the sample configuration files into /etc/openvpn
[root@node 2.0]# cp -ap keys /etc/openvpn/
[root@node 2.0]# cp /usr/local/openvpn-2.1.2/sample-config-files/* /etc/openvpn/
Note that cp -ap keys also copies ca.key. The server only needs ca.crt, server.crt, server.key and dh1024.pem; whoever holds ca.key can issue a certificate this server will accept, so keep it out of /etc/openvpn (here the CA and the VPN server are the same box, but the CA key should at least not sit in the service's directory). Client .key files likewise go to their owners over an authenticated channel and are then removed from the server.
For readability, strip the comment lines (those starting with ; or #) and blank lines from the sample server.conf:
[root@node openvpn]# mv server.conf server.conf.bak
[root@node openvpn]# grep -vE "^;|^#|^$" server.conf.bak >> ./server.conf
The remaining directives and what they do:
local            address OpenVPN binds to
port 1194        listening port
proto udp        transport protocol
dev tun          routed (layer 3) tunnel device
ca ca.crt        CA certificate used to validate client certificates
cert server.crt  server certificate
key server.key   server private key; keep it secret (the sample file says so in a trailing # comment, so the grep used to strip comments must anchor # at the start of the line or this directive disappears)
dh dh1024.pem    Diffie-Hellman parameters for the TLS key exchange
server 10.8.0.0 255.255.255.0   address pool handed out to clients; the server takes the first address
ifconfig-pool-persist ipp.txt   remember which client received which address across restarts
keepalive 10 120 ping every 10 seconds; treat the peer as gone after 120 seconds without a reply
comp-lzo         LZO compression on the tunnel
persist-key      keep the loaded keys across the restarts keepalive triggers (required once privileges are dropped, since the key files can no longer be reread)
persist-tun      keep the tun/tap device open across those restarts
status openvpn-status.log   connected-client status file
verb 3           log verbosity
[root@node openvpn]#
The edited configuration file is below. Two things to check before using it: 172.8.0.0/24 is public address space, not an RFC 1918 range (and the log at the end of this page shows clients actually receiving 10.8.0.x addresses, i.e. the default pool), and OpenVPN 2.1 defaults the data channel to BF-CBC unless a cipher directive is set, so add cipher AES-256-CBC to both the server and the client configuration.
[root@node openvpn]# vim server.conf
local 10.0.0.4
port 1194
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 172.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
log /var/log/openvpn.log
Preparing the server
Firewall: allow the listening port (TCP 1194 here, matching proto tcp). Rules added with iptables -A live in memory only; save them with service iptables save so they survive a reboot.
[root@node openvpn]# iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
[root@node openvpn]# setenforce 0
setenforce: SELinux is disabled
(SELinux was already disabled on this box. Where it is enforcing, fixing the specific denials is preferable to switching it off.)
Enable IP forwarding in the kernel so traffic arriving from the tunnel can be routed on. The sed replaces the value on the ip_forward line with 1: \1 is the captured "net.ipv4.ip_forward = " prefix and the 1 after it is the new value.
[root@node openvpn]# sed -ri 's@(net.ipv4.ip_forward *= *).*@\11@' /etc/sysctl.conf
[root@node openvpn]# sysctl -p
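The one-line sed works only when sysctl.conf already contains an uncommented net.ipv4.ip_forward line. The function below is an added example (not from the page) that handles the three states the file can be in, set to 0, commented out, or absent, and can be run repeatedly without adding duplicate lines. The file path is a parameter so it can be tried on a copy before touching /etc/sysctl.conf.

```sh
#!/bin/sh
# Added example (not from the original page): enable IPv4 forwarding in a
# sysctl.conf idempotently. Takes the file to edit as its argument.
set -u

# Regex for the key, usable in both grep -E and sed -E.
KEY='net\.ipv4\.ip_forward'

# ip_forward_value FILE: print the effective (last uncommented) value, if any.
ip_forward_value() {
    sed -n -E "s/^[[:space:]]*$KEY[[:space:]]*=[[:space:]]*([0-9]+).*/\1/p" "$1" | tail -n 1
}

# enable_ip_forward FILE: rewrite an existing assignment (commented out or
# not) to "= 1", or append one if the key is absent; print the result.
enable_ip_forward() {
    f=$1
    if grep -qE "^[[:space:]]*#?[[:space:]]*$KEY[[:space:]]*=" "$f"; then
        # \1 is the "net.ipv4.ip_forward = " part as written in the file;
        # the literal 1 after it is the new value. A leading "#" is dropped.
        sed -i.bak -E "s/^[[:space:]]*#?[[:space:]]*($KEY[[:space:]]*=[[:space:]]*).*/\11/" "$f"
        rm -f "$f.bak"
    else
        printf 'net.ipv4.ip_forward = 1\n' >> "$f"
    fi
    grep -E "^$KEY" "$f"
}

# Usage: sh enable_ip_forward.sh /etc/sysctl.conf && sysctl -p
if [ $# -ge 1 ]; then enable_ip_forward "$1"; fi
```

sysctl -p is still needed afterwards to load the file into the running kernel; the edit alone only affects the next boot.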
Starting: point the binary at the configuration file (make install placed it in /usr/local/sbin; add --daemon to run it in the background, as the init script below does):
[root@node openvpn]# /usr/local/sbin/openvpn --config /etc/openvpn/server.conf
Start at boot:
echo '/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &' >>/etc/rc.local
Alternatively, install the sample init script:
[root@node openvpn]# cp /usr/local/openvpn-2.1.2/sample-scripts/openvpn.init /etc/init.d/openvpn
[root@node openvpn]# chmod +x /etc/init.d/openvpn
[root@node openvpn]# chkconfig --add openvpn
The init script needs one edit. It starts an instance for every *.conf in /etc/openvpn, and the sample-config-files copied earlier include client.conf and others, so it would try to start the wrong configurations too. Name the server configuration explicitly in the loop:
for c in `/bin/ls server.conf 2>/dev/null`; do
Then check that it is running:
[root@node openvpn]# ps -ef|grep vpn
root 2934 1 0 08:01 ? 00:00:00 /usr/local/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --config server.conf --cd /etc/openvpn
root 2950 2011 0 08:02 pts/0 00:00:00 grep vpn
[root@node openvpn]#
Client side: install https://openvpn.net/release/openvpn-2.1.2-install.exe on the Windows machine. Create a linuxeacom directory under C:\Program Files (x86)\OpenVPN\config and copy ca.crt, linuxeacom.crt and linuxeacom.key into it. Transfer them over scp or another authenticated channel rather than e-mail or plain FTP; the .key file is that client's identity.
Save the edited client configuration in the same directory, C:\Program Files (x86)\OpenVPN\config\linuxeacom, as Linuxeacom.ovpn; the ca, cert and key paths in it are resolved relative to the directory the .ovpn lives in. Its contents, taken from the sample client.conf with comments stripped:
[root@node openvpn]# egrep -v "^#|^;|^$" client.conf
client
dev tun
proto tcp               must match the server's proto
remote 10.0.0.4 1194    server address and port
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt               the shared CA certificate
cert linuxeacom.crt     this client's certificate
key linuxeacom.key      this client's private key
ns-cert-type server     accept only a server certificate carrying nsCertType=server (set by build-key-server), so that another client certificate issued by the same CA cannot pose as the server
comp-lzo
verb 3
After the client connects, the server log shows the handshake:
[root@node openvpn]# cat /var/log/openvpn.log
Thu Mar 10 08:42:01 2016 MULTI: multi_create_instance called
Thu Mar 10 08:42:01 2016 Re-using SSL/TLS context
Thu Mar 10 08:42:01 2016 LZO compression initialized
Thu Mar 10 08:42:01 2016 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Thu Mar 10 08:42:01 2016 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Mar 10 08:42:01 2016 Local Options hash (VER=V4): 'c0103fa8'
Thu Mar 10 08:42:01 2016 Expected Remote Options hash (VER=V4): '69109d17'
Thu Mar 10 08:42:01 2016 TCP connection established with 10.0.0.3:59364
Thu Mar 10 08:42:01 2016 TCPv4_SERVER link local: [undef]
Thu Mar 10 08:42:01 2016 TCPv4_SERVER link remote: 10.0.0.3:59364
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 TLS: Initial packet from 10.0.0.3:59364, sid=698dad12 0424ce72
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 VERIFY OK: depth=1, /C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=linuxea/emailAddress=usertzc@163.com
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 VERIFY OK: depth=0, /C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=linuxeacom/emailAddress=usertzc@163.com
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 [linuxeacom] Peer Connection Initiated with 10.0.0.3:59364
Thu Mar 10 08:42:01 2016 linuxeacom/10.0.0.3:59364 MULTI: Learn: 10.8.0.6 -> linuxeacom/10.0.0.3:59364
Thu Mar 10 08:42:01 2016 linuxeacom/10.0.0.3:59364 MULTI: primary virtual IP for linuxeacom/10.0.0.3:59364: 10.8.0.6
Thu Mar 10 08:42:03 2016 linuxeacom/10.0.0.3:59364 PUSH: Received control message: 'PUSH_REQUEST'
Thu Mar 10 08:42:03 2016 linuxeacom/10.0.0.3:59364 SENT CONTROL [linuxeacom]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
If the client cannot connect, check that the TAP driver was installed and that the client configuration matches the server's (proto, port, remote address and file names).
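The log above carries the three facts an operator wants from every connection: which client certificate (CN) connected from which address, which tunnel address it was given, and which data-channel cipher was negotiated (BF-CBC here, the 2.1 default). The script below is an added example, not from the page or from OpenVPN, that extracts them with awk. The sample log is constructed from the page's lines plus an invented second client, alice, negotiating AES-256-CBC, so the weak-cipher filter has something to separate. Field positions assume the 2.x log format shown above: timestamp, then ip:port (or CN/ip:port), then the message.

```sh
#!/bin/sh
# Added example (not from the original page): summarise an OpenVPN 2.x
# server log into one line per connected client.
set -u

# Constructed sample: the page's own lines plus a second, invented client.
sample_log() {
    cat <<'EOF'
Thu Mar 10 08:42:01 2016 TCP connection established with 10.0.0.3:59364
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 VERIFY OK: depth=1, /C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=linuxea/emailAddress=usertzc@163.com
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 VERIFY OK: depth=0, /C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=linuxeacom/emailAddress=usertzc@163.com
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 [linuxeacom] Peer Connection Initiated with 10.0.0.3:59364
Thu Mar 10 08:42:01 2016 linuxeacom/10.0.0.3:59364 MULTI: primary virtual IP for linuxeacom/10.0.0.3:59364: 10.8.0.6
Thu Mar 10 09:15:30 2016 10.0.0.7:40022 VERIFY OK: depth=1, /C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=linuxea/emailAddress=usertzc@163.com
Thu Mar 10 09:15:30 2016 10.0.0.7:40022 VERIFY OK: depth=0, /C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=alice/emailAddress=alice@example.com
Thu Mar 10 09:15:30 2016 10.0.0.7:40022 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Mar 10 09:15:30 2016 alice/10.0.0.7:40022 MULTI: primary virtual IP for alice/10.0.0.7:40022: 10.8.0.10
EOF
}

# vpn_sessions [LOGFILE]: one line per client that completed a handshake:
#   <remote ip:port> <client CN> <tunnel IP> <data cipher>
# Reads standard input when no file is given.
vpn_sessions() {
    awk '
        # depth=0 is the leaf (client) certificate: field 6 is ip:port,
        # field 10 the subject DN; keep only its CN.
        / VERIFY OK: depth=0, / {
            dn = $10; sub(/^.*\/CN=/, "", dn); sub(/\/.*$/, "", dn)
            cn[$6] = dn
        }
        # Field 11 is the negotiated cipher in single quotes.
        / Data Channel Encrypt: Cipher / {
            cipher[$6] = substr($11, 2, length($11) - 2)
        }
        # Field 6 is "CN/ip:port"; the assigned tunnel IP is the last field.
        / MULTI: primary virtual IP for / {
            split($6, a, "/"); peer = a[2]
            printf "%s %s %s %s\n", peer, cn[peer], $NF, cipher[peer]
        }
    ' "${1:--}"
}

# weak_cipher_sessions [LOGFILE]: sessions that negotiated a 64-bit block
# cipher (Blowfish, DES/3DES, CAST5). Once "cipher AES-256-CBC" is set on
# the server and every client this should print nothing.
weak_cipher_sessions() {
    vpn_sessions "$@" | awk '$4 ~ /^(BF|DES|CAST5)-/'
}

# Usage: sh vpn_sessions.sh /var/log/openvpn.log
if [ $# -ge 1 ]; then
    weak_cipher_sessions "$1"
else
    sample_log | weak_cipher_sessions
fi
```

On the sample, vpn_sessions prints two lines and weak_cipher_sessions only the linuxeacom one, which is the client still on BF-CBC.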