声明
作者:昨夜星辰
博客:http://yestreenstars.blog.51cto.com/
本文由本人创作,如需转载,请注明出处,谢谢合作!
目的
搭建一台VPN服务器实现外部网络连接内部网络。
环境
服务端:CentOS 6.2 32
客户端:Windows XP
服务端配置
# 关闭SELinux
sed -i ‘/^SELINUX\b/s/=.*/=disabled/‘ /etc/selinux/config
setenforce 0
# 安装EPEL源(默认yum源没有openvpn和easy-rsa软件包)
rpm -ivh http://mirrors.ustc.edu.cn/fedora/epel/5/i386/epel-release-5-4.noarch.rpm
# 安装openvpn和easy-rsa软件包
yum -y install openvpn easy-rsa
# 切换到/usr/share/easy-rsa/2.0/目录
cd /usr/share/easy-rsa/2.0/
# 初始化环境变量
source vars
# 清除所有与证书相关的文件
./clean-all
# 生成CA相关文件(一路按回车即可)
./build-ca
# 生成服务端相关文件(一路按回车,直到提示需要输入y/n时,输入y再按回车,一共两次)
./build-key-server server
# 生成客户端相关文件(一路按回车,直到提示需要输入y/n时,输入y再按回车,一共两次)
./build-key client
# 生成dh2048.pem文件(生成过程时快时慢,在此期间不要去中断它)
./build-dh
# 生成ta.key文件(防DDos攻击)
openvpn --genkey --secret keys/ta.key
# 在openvpn的配置目录下新建一个key目录
mkdir /etc/openvpn/keys
# 将openvpn配置文件需要用到的文件复制一份到刚创建好的keys目录中
cp /usr/share/easy-rsa/2.0/keys/{ca.crt,server.{crt,key},dh2048.pem,ta.key} /etc/openvpn/keys/
# 创建/etc/openvpn/server.conf文件,内容如下
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
dh keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0" # 192.168.1.0/24是我这台VPN服务器所在的内网的网段,读者应该根据自身实际情况进行修改
keepalive 10 120
tls-auth keys/ta.key 0 # This file is secret
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
# 开启路由转发功能
sed -i ‘/net.ipv4.ip_forward/s/0/1/‘ /etc/sysctl.conf
echo 1 > /proc/sys/net/ipv4/ip_forward
# 配置防火墙
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -F
iptables -t nat -X
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
# 启动openvpn服务并将其设置为开机启动
service openvpn start
chkconfig openvpn on
客户端配置
# 创建一份客户端文件(命名为client.ovpn),内容如下(读者要注意修改下面的服务端公网IP) client dev tun proto udp remote 服务端公网IP 1194 resolv-retry infinite nobind persist-key persist-tun ns-cert-type server comp-lzo verb 3 tls-auth [inline] 1 <ca> 将/usr/share/easy-rsa/2.0/keys/ca.crt的全部内容复制粘贴于此 </ca> <cert> 将/usr/share/easy-rsa/2.0/keys/client.crt的全部内容复制粘贴于此 </cert> <key> 将/usr/share/easy-rsa/2.0/keys/client.key的全部内容复制粘贴于此 </key> <tls-auth> 将/usr/share/easy-rsa/2.0/keys/ta.key的全部内容复制粘贴于此 </tls-auth> # 从服务端下载client.ovpn,并将其复制到openvpn的安装目录的config目录下,最后,启动openvpn程序,连接服务端,如果能获取到IP,且能ping内网的其他机器就表示配置成功了。 # 最后给出我的client.ovpn的范例文本供读者参考。 client dev tun proto udp remote 192.168.1.88 1194 resolv-retry infinite nobind persist-key persist-tun ns-cert-type server comp-lzo verb 3 tls-auth [inline] 1 <ca> -----BEGIN CERTIFICATE----- MIIFEjCCA/qgAwIBAgIJALomSu6uks0gMA0GCSqGSIb3DQEBCwUAMIG2MQswCQYD VQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMG A1UEChMMRm9ydC1GdW5zdG9uMR0wGwYDVQQLExRNeU9yZ2FuaXphdGlvbmFsVW5p dDEYMBYGA1UEAxMPRm9ydC1GdW5zdG9uIENBMRAwDgYDVQQpEwdFYXN5UlNBMSEw HwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wHhcNMTQxMTA2MDg1NTA0 WhcNMjQxMTAzMDg1NTA0WjCBtjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRUw EwYDVQQHEwxTYW5GcmFuY2lzY28xFTATBgNVBAoTDEZvcnQtRnVuc3RvbjEdMBsG A1UECxMUTXlPcmdhbml6YXRpb25hbFVuaXQxGDAWBgNVBAMTD0ZvcnQtRnVuc3Rv biBDQTEQMA4GA1UEKRMHRWFzeVJTQTEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0 Lm15ZG9tYWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArox/60tx UeGdb/mRGvBK/MH0/egVx1Rv1kDiqXrECJqCM85rMv5h4A3CXFK4jwNDaZz3wybw 9XKpEyPtDfAbWaNaEoZXctEZQzh1Ju8Bhe3laGNmVW+noD+n20sG0E0SAdSmKH7o BHWGM1xeDNQeKYwQAKuy88WVsH7fFf/wWLyD9p2tTJaxpG88bqNyXeWbEyHyr1g4 3wvmoZs+63hquXuhQSN/dyskYXmhficjY6H/fuTMVGk0to7KmrVeoEEb5ymf1U1W wPFWErksN+YF8CAueE/vnm1bdJfBAS7Uv/KkDlV0IZ0dHRL5UrVq1k2QW//QsQiX 7YexZCwOjOUuJQIDAQABo4IBHzCCARswHQYDVR0OBBYEFEXeRmSTC9I8kUtgdbzA Ug06WgYsMIHrBgNVHSMEgeMwgeCAFEXeRmSTC9I8kUtgdbzAUg06WgYsoYG8pIG5 MIG2MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5j aXNjbzEVMBMGA1UEChMMRm9ydC1GdW5zdG9uMR0wGwYDVQQLExRNeU9yZ2FuaXph dGlvbmFsVW5pdDEYMBYGA1UEAxMPRm9ydC1GdW5zdG9uIENBMRAwDgYDVQQpEwdF YXN5UlNBMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW6CCQC6Jkru rpLNIDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBJox1vNdG8NvwK 43w/2rKAU85efraEYSxcUydTn5kh2RAi4y0MkZWkieypSAZIYSVUWYwU7RYbLJ02 j7H5TMTt2/h8Xr4jxZjYUB+vmMfVF2hI4kIEDZkf5P/6lLxxJE200bKcgp31Jftn 4lK5di/YZF95c8QHPEuqe04DXrUK0MjdQEYtccg4+R4E+Cfcfvy4N8LEChvdvMtI q2cnS3NE6/+L0g9wzkVvxXbWnlUzVKzNJ5sUp1yU0eqXIh6sS6HhSCJEe1yHhp+L bR69o/WHObGiMkc3y+WpP9MLWeoePWEfXCEQ2nqE+AGqGLh5VPmDlEEwc+omS2Xo JZc3cagw -----END CERTIFICATE----- </ca> <cert> -----BEGIN CERTIFICATE----- MIIFTzCCBDegAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBtjELMAkGA1UEBhMCVVMx CzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xFTATBgNVBAoTDEZv cnQtRnVuc3RvbjEdMBsGA1UECxMUTXlPcmdhbml6YXRpb25hbFVuaXQxGDAWBgNV BAMTD0ZvcnQtRnVuc3RvbiBDQTEQMA4GA1UEKRMHRWFzeVJTQTEhMB8GCSqGSIb3 DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE0MTEwNjA5MDEyOFoXDTI0MTEw MzA5MDEyOFowga0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMM U2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xHTAbBgNVBAsTFE15 T3JnYW5pemF0aW9uYWxVbml0MQ8wDQYDVQQDEwZjbGllbnQxEDAOBgNVBCkTB0Vh c3lSU0ExITAfBgkqhkiG9w0BCQEWEm1lQG15aG9zdC5teWRvbWFpbjCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAL6VxW3cZuZ7Y4SY0NTQkA3ftIa/yN2D DCstzZy5XVq+oGOIzU0vD1SkwrwBERhc5FY/yzYK5OZhAM7tdULQ2EsjB2gSu+ol 00NKxwRcppUFQ7xHleTuyaRg4Y4tNxhfJ9XGDyxM/8ivBrtxolgUKcsJxhWSYhPX 78OAKCIMdxMrmVmB7EkLPrr6C5s41u3NPpKA8VOjJ82JOtYM6qj+BxCqgWbHhEzi GRyzSR00uTHLfgXp8k9nX7aijYQUKWG6VyN3dmuQlH7xtfEIAUAfn7kFkKjidUO3 WROXl79Q05UvF9VORqzwZKmjtD/MR5rgRg7KHlXBHCuuK67vxpZp0ykCAwEAAaOC AW0wggFpMAkGA1UdEwQCMAAwLQYJYIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVy YXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUtCoNrhqzLHMbOFJoiOiBq15khs4w gesGA1UdIwSB4zCB4IAURd5GZJML0jyRS2B1vMBSDTpaBiyhgbykgbkwgbYxCzAJ BgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMMU2FuRnJhbmNpc2NvMRUw EwYDVQQKEwxGb3J0LUZ1bnN0b24xHTAbBgNVBAsTFE15T3JnYW5pemF0aW9uYWxV bml0MRgwFgYDVQQDEw9Gb3J0LUZ1bnN0b24gQ0ExEDAOBgNVBCkTB0Vhc3lSU0Ex ITAfBgkqhkiG9w0BCQEWEm1lQG15aG9zdC5teWRvbWFpboIJALomSu6uks0gMBMG A1UdJQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOC AQEAFCwWGJGDcOYsF2ByIQXSKUhzCdg+73YpxrdNiRuauTctq9sxOcM5K4upf76l qI2LmXoKCLLVNhjUvNdxTE2g2iHAobPpaDFiLqxtu17GhQIQE57FMFa/0w1YO4LG rLAd6NEp1Bpi/NRQ8c1KAMmvA/2Uz/0i840hJWooWOyR9v15tssaxhYx8MopURx4 SVIwef2cQrIE96emu0F037SqEwLc5ofTDjJpEQ+JmK3u0YQYIqJyp0fgBvPPJ7zP Uvsizp5vxhn0F6ULtYpSsMgzQNljltjxmrBwnIUD85etqH/hf9WTxbZIxbyIdRvk 2j2G50sGzLYQ+f9MFnubIe4tKQ== -----END CERTIFICATE----- </cert> <key> -----BEGIN PRIVATE KEY----- MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC+lcVt3Gbme2OE mNDU0JAN37SGv8jdgwwrLc2cuV1avqBjiM1NLw9UpMK8AREYXORWP8s2CuTmYQDO 7XVC0NhLIwdoErvqJdNDSscEXKaVBUO8R5Xk7smkYOGOLTcYXyfVxg8sTP/Irwa7 caJYFCnLCcYVkmIT1+/DgCgiDHcTK5lZgexJCz66+gubONbtzT6SgPFToyfNiTrW DOqo/gcQqoFmx4RM4hkcs0kdNLkxy34F6fJPZ1+2oo2EFClhulcjd3ZrkJR+8bXx CAFAH5+5BZCo4nVDt1kTl5e/UNOVLxfVTkas8GSpo7Q/zEea4EYOyh5VwRwrriuu 78aWadMpAgMBAAECggEAXPhu4RLdV53lhC+P3+EGBN6WEA3KjNR6wS2M2eFK+xN2 5lc732UPk3j0TgYvMrVN5g0ksm5KD2BOpqMLytZaTPz/hfNtm+Fr163IvAX+dT+m NViudIlP8FIadeL0t3zjz9LYYAIH3PwUyqe6TEE5ygQwjyFjms6B9dq0uTdfdwe8 EETpINFRSSEtrxNe/Z8R3prkHBZ/cCfP08oDR8sThw+RqbqxUe0re2SKQxiIgBXU 5DuhCuoD6fdvLW/w/ArbligWOxAfuNNR5t0aSbRKDCacIaIrwrI5tZUxLiXHSTaj CN++wXQsr/Hs4zHGz0Uyt1X8Cu1d3e3GwlHnVc0KAQKBgQDl1Gl10Jg3ULu1FcLS nAs1RiTtWOcRP0Xl37ozIhjWY5iUB3SpzpD/pYbJgPnqZf6qwwp1CPdMao/oK4yW 9oQVs7IkdsOxiiq0qrtf/DbBImdxxx8LDpmceW6TEYreiVmjI8ddoNWKaFmqIz4G 1K1rXbCplqoMKFUUHl9PbU5hiQKBgQDUSV4mIBdHMwEGpwUgYr/Yqc0LNdt3HvsO ZzrxKqFCiB1XE7rc05/2Tt0ll8FSNdlPIwfu3YPUzoU1SCMjb1Q9GrvR9H5DNv24 8wd74ThzOF0xiZUOZwj6X6ZxFvfdUe6hI5h/b0dG7pUw+JSkmnpD7BO+YE1MjjN3 nzqQTnecoQKBgQCyJFiyF0NE7PDxxbJC6OzPGFWbGyPPfInDSgzbgXxbAMvNQZIt 5I0Detvk6HHOO8yPs6oxWQfGVXrB7K+GfAGZiLV2ChBZVs0PSJ8AIVCXlwEzcbIg MerjHESW/ivznea6ywrHCdk69PM7KyHyzXq2E+LRMJUR41k+xOP/fqwYcQKBgQDI OU7wnLH3+JZOJPgD3L/f5f+8RBb0WqcmpZ0FXFTvAJzTxYsovv2P/kA9Nc4j8SA+ sObJl+rAq+0eHSTvRhDo9S8TTwxL7zEN4UM8x2dL3WygzYhmJi5koBTHc4djGuT8 3Sr3fwh2UY8rujnQqtcI+0B//irKOxE2EVvWQfw1IQKBgQCJgU0Ef+CDR6R2iImL 69xkwp2umQVDPFCJtlJ5Oqg7CRI4HHo2+ujfDq8hl4ihg0Zq6e+iIrBCBOOFlpLn xrvhxAv79sB/w5Y3zSwTtqwnpUR65ZKi2X4exza0//yY77LAuGNcG5oKTUhTBDMz FPnZX9Q0zJevs0+UfAeXvThc9g== -----END PRIVATE KEY----- </key> <tls-auth> -----BEGIN OpenVPN Static key V1----- a692b93eeb708a615914f791ef42a2fb 4d14e99055aa297e564366ed272c25d7 116cd7a43d5f9d02c84d566406a3a657 84f1e69c23c3d954b1a19dc4d373b8a3 7c717d397c51e947183a628c4f4a7e98 173a65e0ce9806b2b04f1ce0e45ffacb 67bbca2db49cb3b78c573b85fb3d79c4 bbbf61d9147513957ac4668e541db859 c449eaf04b0d0585dc4c102ca010d91a 5ad275b7fb13e95f0a971a88a7550cb4 3485825fb6304b8537ac9cd6af5fda68 4a0d94d47f3a0478e722f20e0043de1c c18684f5b68e6f19ad5b302cb9ddc1ca b326c80c4b6bb235dda607a5fa79fbc8 5da586741a428e2ab390827c5145893a d78f0bef7c86710ec7752d60cb94cada -----END OpenVPN Static key V1----- </tls-auth>
时间: 2024-08-02 02:47:31