OpenVPN在Ubuntu12.04下的安装配置

服务器端配置 1  安装openvpn,apt-get会自动安装相应的依赖库的。

# apt-get install openvpn
2  配置服务器 2.1  初始化服务端 将OpenVPN文件拷贝到/etc/openvpn/目录下
# cd /etc/openvpn/
# cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* .
# cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz .
# gzip -d server.conf.gz

2.2  配置PKI,结合自己情况修改如下一段配置,在后面生成服务端ca证书时,这里的配置会作为缺省配置

# vi /etc/openvpn/vars
export KEY_COUNTRY="CN"
export KEY_PROVINCE="Beijing"
export KEY_CITY="Beijing"
export KEY_ORG="ABC"
export KEY_EMAIL="openvpn@ABC.com"
export KEY_EMAIL=openvpn@ABC.com
export KEY_CN=ABCVPN
export KEY_NAME=ABCVPN
export KEY_OU=ABCVPN
export PKCS11_MODULE_PATH=ABCVPN
export PKCS11_PIN=1234

做SSL配置文件软链,修改vars文件可执行并调用

# cd /etc/openvpn
# ln -s openssl-1.0.0.cnf openssl.cnf
# chmod +x vars

3  生成证书 3.1  生成CA证书

# source ./vars
开始配置证书: 清空原有证书,添加完客户端后慎用,因为这个命令会清除所有已经生成的证书密钥
# ./clean-all
生成服务器端ca证书,一路回车即可,最后有个输入密码的,留空就行。
# ./build-ca
3.2  生成服务器端密钥证书, 后面这个openvpn.ABC.com可以自定义,随便起,但要记住.
# ./build-key-server openvpn.ABC.com
3.3  生成DH验证文件,即diffie hellman参数,用于增强openvpn安全性.
# ./build-dh
3.4  生成客户端证书,这里与生成服务端证书配置类似,按照缺省提示一路回车即可。
# ./build-key si.li
# ./build-key san.zhang

3.5  生成ta.key文件,即tls-auth所用的HMAC密钥(参见下文配置段说明中的"HMAC firewall"部分):服务端配置 `tls-auth ta.key 0`,每个客户端配置 `tls-auth ta.key 1`,两端都要持有同一份密钥。注意下文3.9节实际使用的server.conf并没有启用tls-auth,客户端配置里该行也处于注释状态,如需启用必须两端同时配置。

# openvpn --genkey --secret /etc/openvpn/keys/ta.key
3.6  创建日志目录
# mkdir -p /var/log/openvpn/
3.7  打开IP转发
# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
# sysctl -p

3.8  在iptables中打开NAT功能,运行下面的脚本即可

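#!/bin/bash
# Enable NAT for the OpenVPN client subnet (run once on the server, as root).
#
# WAN_IF and VPN_NET may be overridden from the environment; the defaults
# match the server.conf further down ("server 166.188.0.0 255.255.255.0").
#
# NOTE: like the original script this flushes every existing filter and nat
# rule and sets the INPUT/OUTPUT policies to ACCEPT. It is a starting point
# for a host that has no other firewall rules, not something to run on a box
# whose rules you want to keep.
set -euo pipefail

readonly WAN_IF=${WAN_IF:-eth0}
readonly VPN_NET=${VPN_NET:-166.188.0.0/24}
readonly RULES_FILE=/etc/iptables.up.rules

# iptables needs CAP_NET_ADMIN; fail early with a clear message instead of
# half-applying the rule set.
if [[ $EUID -ne 0 ]]; then
  printf 'this script must be run as root\n' >&2
  exit 1
fi

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT

# Masquerade VPN clients only on the way out of the WAN interface. The
# original also had a copy of this rule without "-o", which NATs the same
# source on every egress interface; the interface-bound rule is all that is
# needed for clients to reach the outside.
iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$VPN_NET" -j MASQUERADE

# Clamp MSS on tunnelled TCP so sessions do not stall on path-MTU problems.
iptables -A FORWARD -p tcp --syn -s "$VPN_NET" -j TCPMSS --set-mss 1300

iptables-save > "$RULES_FILE"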

3.9  编辑服务配置文件server.conf,直接贴我的配置吧

root@ABC:/etc/openvpn# more server.conf |grep -v -E '^$|^#|^;'
local 1.2.3.4
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/openvpn.ABC.com.crt
key /etc/openvpn/keys/openvpn.ABC.com.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 166.188.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 202.106.0.20"
push "dhcp-option DNS 8.8.8.8"
client-to-client
keepalive 10 120
comp-lzo
max-clients 20
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
log-append  /var/log/openvpn/openvpn.log
verb 3
配置段的说明
# 设置监听IP,默认是监听所有IP
;local a.b.c.d

# 设置监听端口,必须要对应的在防火墙里面打开
port 1194

# 设置用TCP还是UDP协议?(须与客户端配置一致,上文实际使用的server.conf用的是udp)
;proto tcp
proto tcp

# 设置创建tun的路由IP通道,还是创建tap的以太网通道路由IP容易控制,所以推荐使用它;
# 但如果如IPX等必须使用第二层才能通过的通讯,则可以用tap方式,tap也就是以太网桥接
;dev tap
dev tun

# 这里是重点,必须指定SSL/TLS root certificate (ca),
# certificate(cert), and private key (key)
# ca文件是服务端和客户端都必须使用的,但不需要ca.key
# 服务端和客户端指定各自的.crt和.key
# 请注意路径,可以使用以配置文件开始为根的相对路径,
# 也可以使用绝对路径
# 请小心存放.key密钥文件
ca keys/ca.crt
cert keys/openvpn.example.com.crt
key keys/openvpn.example.com.key # This file should be kept secret

# 指定Diffie hellman parameters.
dh keys/dh1024.pem

# 配置VPN使用的网段,OpenVPN会自动提供基于该网段的DHCP服务,但不能和任何一方的局域网段重复,保证唯一
server 10.8.0.0 255.255.255.0

# 维持一个客户端和virtual IP的对应表,以方便客户端重新连接可以获得同样的IP
ifconfig-pool-persist ipp.txt

# 为客户端创建对应的路由,以另其通达公司网内部服务器
# 但记住,公司网内部服务器也需要有可用路由返回到客户端
;push "route 192.168.20.0 255.255.255.0"
push "route 10.6.0.0 255.255.0.0"

# 若客户端希望所有的流量都通过VPN传输,则可以使用该语句
# 其会自动改变客户端的网关为VPN服务器,推荐关闭
# 一旦设置,请小心服务端的DHCP设置问题
;push "redirect-gateway"

# 用OpenVPN的DHCP功能为客户端提供指定的DNS、WINS等
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"

# 默认客户端之间是不能直接通讯的,除非启用下面的语句(把它注释掉则客户端之间不能互通)
client-to-client

# 下面是一些对安全性增强的措施
# For extra security beyond that provided by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have a copy of this key.
# The second parameter should be 0 on the server and 1 on the clients.
tls-auth ta.key 0 # This file is secret

# 使用lzo压缩的通讯,服务端和客户端都必须配置
comp-lzo

# 输出短日志,每分钟刷新一次,以显示当前的客户端
status /var/log/openvpn/openvpn-status.log

# 缺省日志会记录在系统日志中,但也可以导向到其他地方
# 建议调试的使用先不要设置,调试完成后再定义
log         /var/log/openvpn/openvpn.log
log-append  /var/log/openvpn/openvpn.log

# 设置日志的级别
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

3.10  启动服务,不出意外地话服务将顺利启动,可查看日志/var/log/openvpn/openvpn.log。

# /etc/init.d/openvpn start
4  客户端配置,这里使用mac下的Tunnelblick,将服务器上的ca.crt、san.zhang.crt、san.zhang.key下载到本地(san.zhang.key是客户端私钥,应通过scp等加密通道传输,不要经明文渠道发送),在本地新建san.zhang.ovpn文件,内容如下
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 1.2.3.4 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert san.zhang.crt
key san.zhang.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

把这四个文件放在同一个文件夹下,文件夹后缀改为tblk,双击即可导入配置到Tunnelblick中,然后连接就可以了。    

OPENVPN在CentOS下的安装配置

 
一.环境简介
 
服务器:CentOS 5.6 X64
软件: OpenVPN-2.3.0.tar.gz  lzo-2.03.tar.gz
 
二.系统设置
1.关闭Selinux(注:这会降低整机的安全性,这里只是为了简化部署;生产环境应优先为OpenVPN配置相应的SELinux策略,而不是整体关闭)
# vi /etc/sysconfig/selinux
---------------
SELINUX=disabled
---------------

重启系统

 
2.时间同步(重要)
# /usr/sbin/ntpdate asia.pool.ntp.org
 
# crontab -e
-----------------------------------------------------------------------------
*/30 * * * * /usr/sbin/ntpdate asia.pool.ntp.org > /dev/null 2>&1
------------------------------------------------------------------------------

3.开启服务器端路由转发功能
# vi /etc/sysctl.conf
---------------------
net.ipv4.ip_forward = 1
---------------------
# sysctl -p

4.配置iptables
# iptables -t nat -F
# iptables -F
# iptables -A INPUT -p TCP --dport 1194 -j ACCEPT
# iptables -A INPUT -p UDP --dport 1194 -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
# iptables -A FORWARD -p tcp --syn -s 10.8.0.0/24 -j TCPMSS --set-mss 1356

三.安装OpenVPN
1.安装依赖库
# yum install -y openssl openssl-devel pam pam-devel automake pkgconfig

2.安装lzo
# wget http://down1.chinaunix.net/distfiles/lzo-2.06.tar.gz
# tar zxvf lzo-2.06.tar.gz
# cd lzo-2.06
# ./configure
# make
# make install

3.安装OpenVPN(源码包通过http下载,解压安装前应核对官方公布的校验和或GPG签名)
# wget http://swupdate.OpenVPN.org/community/releases/OpenVPN-2.3.0.tar.gz
# gzip -d OpenVPN-2.3.0.tar.gz
# tar xvf OpenVPN-2.3.0.tar
# cd OpenVPN-2.3.0
# ./configure --prefix=/usr/local/OpenVPN
# make && make install
# mkdir -p /etc/openvpn
复制模板到OpenVPN配置目录:
# cp -rf sample  /etc/openvpn/
复制OpenVPN配置文件到主目录:
# cp /etc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/
# cd ..

四.配置easy-rsa
该包用来制作ca证书,服务端证书,客户端证书,OpenVPN2.3.0该版本源码不包含easy-rsa,所以需要单独下载安装用来配合OpenVPN实现证书生成。

1.安装easy-rsa

 

# wget https://github.com/OpenVPN/easy-rsa/archive/master.zip
# unzip master
# mv easy-rsa-master easy-rsa
# cp -rf  easy-rsa /etc/openvpn
# cd /etc/openvpn/easy-rsa/easy-rsa/2.0
修改证书变量
# vi vars
修改如下参数
注:在后面生成服务端ca证书时,这里的配置会作为缺省配置。KEY_SIZE决定生成的RSA密钥长度,也决定build-dh生成的DH参数文件名(dh<KEY_SIZE>.pem,须与下文server.conf中的dh路径一致);1024位如今已属偏弱,如改为2048需同步修改server.conf中的dh文件名。
---------------------
export KEY_SIZE=1024
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="BeiJing"
export KEY_ORG="anyuser"
export KEY_EMAIL="anyuser@xyz.com"
export KEY_OU="xyz.com"
---------------------
做SSL配置文件软链:
# ln -s openssl-0.9.8.cnf openssl.cnf
修改vars文件可执行并调用
# chmod +x vars
# source ./vars
-----------------
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/easy-rsa/2.0/keys
-----------------
注:也就是如果执行./clean-all,就会清空/etc/openvpn/easy-rsa/easy-rsa/2.0/keys下所有文件。

2.配置证书
a)清空原有证书
# ./clean-all

注:下面这个命令在第一次安装时可以运行,以后在添加完客户端后慎用,因为这个命令会清除所有已经生成的证书密钥,和上面的提示对应。

b)生成服务器端ca证书
# ./build-ca

注:由于之前做过缺省配置,这里一路回车即可

c)生成服务器端密钥证书(后面这个OpenVPN_server就是服务器名,也可以自定义)
# ./build-key-server OpenVPN_server
Generating a 1024 bit RSA private key
.............++++++
.................................................++++++
writing new private key to 'OpenVPN_server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BeiJing]:
Organization Name (eg, company) [anyuser]:
Organizational Unit Name (eg, section) [MyOpenVPN]:
Common Name (eg, your name or your server's hostname) [OpenVPN_server]:
Name [EasyRSA]:
Email Address [anyuser@xyz.com]:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:********
注:输入密码
 
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/easy-rsa/2.0/openssl-0.9.8.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'BeiJing'
organizationName      :PRINTABLE:'anyuser'
organizationalUnitName:PRINTABLE:'MyOpenVPN'
commonName            :T61STRING:'OpenVPN_server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'anyuser@xyz.com'
Certificate is to be certified until Nov 19 03:19:46 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

d)生成所需客户端证书密钥文件

# ./build-key user_client1
# ./build-key user_client2

注:这里与生成服务端证书配置类似,中间一步提示输入邮箱,其他按照缺省提示一路回车即可。

Generating a 1024 bit RSA private key
..++++++
...........++++++
writing new private key to 'user_client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BeiJing]:
Organization Name (eg, company) [anyuser]:
Organizational Unit Name (eg, section) [MyOpenVPN]:
Common Name (eg, your name or your server's hostname) [user_client1]:
注:此处名字不能重复
Name [EasyRSA]:
Email Address [anyuser@xyz.com]:client1@xyz.com
注:输入用户邮箱
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/easy-rsa/2.0/openssl-0.9.8.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'BeiJing'
organizationName      :PRINTABLE:'anyuser'
organizationalUnitName:PRINTABLE:'MyOpenVPN'
commonName            :T61STRING:'user_client1'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'client1@xyz.com'
Certificate is to be certified until Nov 19 03:32:14 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

e)再生成diffie hellman参数,用于增强OpenVPN安全性
# ./build-dh

f)下载key到客户端备用

包括:ca.crt  user_client1.crt  user_client1.key(user_client1.csr只是证书请求文件,客户端配置并不引用;user_client1.key是客户端私钥,应通过加密通道传输并妥善保管)

五.配置OpenVPN
1.配置server.conf
# vi /etc/openvpn/server.conf
# 设置监听端口,必须要对应的在防火墙里面打开
port 1194
 
# 设置用TCP还是UDP协议?
;proto udp
proto udp
 
# 设置创建tun的路由IP通道,还是创建tap的以太网通道路由IP容易控制,所以推荐使用它;但如IPX等必须使用第二层才能通过的通讯,则可以用tap方式,tap也就是以太网桥接。
;dev tap
dev tun
 
# 这里是重点,必须指定SSL/TLS root certificate (ca),certificate(cert), and private key (key),ca文件是服务端和客户端都必须使用的,但不需要ca.key,服务端和客户端指定各自的.crt和.key,请注意路径,可以使用以配置文件开始为根的相对路径,也可以使用绝对路径,请小心存放.key密钥文件
ca /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/OpenVPN_server.crt
key /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/OpenVPN_server.key  # This file should be kept secret
 
# 指定Diffie hellman parameters.
dh /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/dh1024.pem
 
# 配置VPN使用的网段,OpenVPN会自动提供基于该网段的DHCP服务,但不能和任何一方的局域网段重复,保证唯一。
server 10.8.0.0 255.255.255.0
 
# 维持一个客户端和virtual IP的对应表,以方便客户端重新连接可以获得同样的IP
ifconfig-pool-persist ipp.txt
 
# 若客户端希望所有的流量都通过VPN传输,则可以使用该语句
push "redirect-gateway def1 bypass-dhcp"
 
# 用OpenVPN的DHCP功能为客户端提供指定的DNS、WINS等
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 202.106.0.20"
 
#配置客户端之间能直接通讯
client-to-client
 
# 设置服务端检测的间隔和超时时间
keepalive 10 120
 
# 使用lzo压缩的通讯,服务端和客户端都必须配置
comp-lzo
 
# 设置最大用户数
max-clients 100
 
# 让OpenVPN以nobody用户和组来运行(安全)
user nobody
group nobody
 
persist-key
persist-tun
 
# 输出短日志,每分钟刷新一次,以显示当前的客户端
status /var/log/OpenVPN/OpenVPN-status.log
 
# 配置日志输出地址级日志级别
log         /var/log/OpenVPN/OpenVPN.log
log-append  /var/log/OpenVPN/OpenVPN.log
 
verb 4

2.创建日志目录
# mkdir -p /var/log/OpenVPN/

3.创建OpenVPN启动脚本,启动OpenVPN
# vi /usr/local/bin/OpenVPN.sh
---------------------------------------------------------------------------
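#!/bin/bash
# Start/stop/restart wrapper for the OpenVPN server built under
# /usr/local/OpenVPN (linked as /etc/init.d/OpenVPN further down).
#
# Usage: OpenVPN.sh {start|stop|restart}
# Returns 0 on success, 1 on bad usage or when the daemon could not be
# signalled.
set -u

# NOTE(review): the binary name is kept exactly as written on this page;
# confirm it really is capitalised on your install, since a source build
# typically installs a lowercase "openvpn".
readonly OPENVPN_BIN=/usr/local/OpenVPN/sbin/OpenVPN
readonly OPENVPN_CONF=/etc/openvpn/server.conf
# Full command line of the daemon. Matching on this (pgrep/pkill -x -f)
# instead of "ps | grep OpenVPN" matters: the old pattern also matched this
# very script ("/etc/init.d/OpenVPN stop"), so "stop" killed itself with
# SIGKILL and "restart" never reached the start step.
readonly OPENVPN_CMDLINE="$OPENVPN_BIN --config $OPENVPN_CONF"

usage() {
  printf 'Usage: %s {start|stop|restart}\n' "$0" >&2
  exit 1
}

# Prints the PIDs of running OpenVPN server processes; non-zero if none.
openvpn_pids() {
  pgrep -x -f -- "$OPENVPN_CMDLINE"
}

start() {
  if openvpn_pids >/dev/null; then
    printf 'OpenVPN server already running\n' >&2
    return 0
  fi
  echo "Starting OpenVPN server ... "
  nohup "$OPENVPN_BIN" --config "$OPENVPN_CONF" &
}

stop() {
  local i
  echo "Stopping OpenVPN server ... ... "
  # SIGTERM first so OpenVPN can tear down the tun device and routes
  # cleanly; escalate to SIGKILL only if it is still there a few seconds
  # later. A failed pkill here means nothing matched, which is fine.
  pkill -TERM -x -f -- "$OPENVPN_CMDLINE" || return 0
  for i in 1 2 3 4 5; do
    openvpn_pids >/dev/null || return 0
    sleep 1
  done
  pkill -KILL -x -f -- "$OPENVPN_CMDLINE"
}

case "${1:-}" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    sleep 3
    start
    ;;
  *)
    usage
    ;;
esac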
# ln -s /usr/local/bin/OpenVPN.sh /etc/init.d/OpenVPN
# /etc/init.d/OpenVPN start

设置开机启动:

# echo "/etc/init.d/OpenVPN start 2>&1" >> /etc/rc.local

六.注销OpenVPN证书

1.注销OpenVPN证书
注:这里需保持OpenVPN服务正常开启
# cd /etc/openvpn/easy-rsa/easy-rsa/2.0
# ./revoke-full user_client2
如果报错,则注释掉该目录下openssl.cnf文件若干行内容,如下:
(实际情况执行上面的操作,直接可注销该用户)

#[pkcs11_section]
#engine_id = pkcs11
#dynamic_path = /usr/lib/engines/engine_pkcs11.so
#MODULE_PATH = $ENV::PKCS11_MODULE_PATH
#PIN = $ENV::PKCS11_PIN
#init =0  

2.重新注销

# ./revoke-full user_client2
若末行返回error23则账号注销成功,但需完全注销掉还需做如下配置:
# mv  /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/crl.pem  /etc/openvpn/crl.pem
# vi  /etc/openvpn/server.conf
末行添加如下内容保证每次在重启加载OpenVPN配置文件时都会重新加载crl.pem文件:
-----------------------
crl-verify  /etc/openvpn/crl.pem
-----------------------
注:crl.pem为注销的用户的黑名单,可以理解为每次启动OpenVPN时,加载一次黑名单操作,保证最新被吊销的证书无法使用。

3.重启OpenVPN

# /etc/init.d/OpenVPN restart
在客户端服务器使用user_client2证书验证该证书是否能够使用。

七.OpenVPN客户端

1. OpenVPN客户端安装
2. client.ovpn文件
# 定义是一个客户端
client
 
# 定义使用路由IP模式,与服务端一致
;dev tap
dev tun
 
# 定义使用的协议,与服务端一致
;proto tcp
proto udp
 
resolv-retry infinite
 
# 客户端不需要绑定端口
nobind
 
# 也是为了让OpenVPN以nobody用户运行(安全),注意:Windows不能设置
;user nobody
;group nobody
 
persist-key
persist-tun
 
# 指定ca和客户端的证书与私钥(文件名需与上文build-key生成的一致,如user_client1.crt / user_client1.key)
ca ca.crt
cert user_shengwei.e.crt
key user_shengwei.e.key
 
# 使用lzo压缩,与服务端一致
comp-lzo
 
# 日志级别
verb 3