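#!/usr/bin/env bash
# Step 1: build OpenVPN 2.2.2 from the vendor tarball as an RPM and install it.
#
# NOTE(review): 2.2.2 is a 2011 release that the OpenVPN project no longer
# maintains. Unless this exact version is a hard requirement, the
# distribution's current openvpn package is the safer choice.
set -eo pipefail

OPENVPN_VERSION="2.2.2"
OPENVPN_TARBALL="openvpn-${OPENVPN_VERSION}.tar.gz"
# Mirror used by the original tutorial. It is plain HTTP: the download is
# unauthenticated and can be altered in transit, hence the checksum below.
OPENVPN_URL="http://oss.aliyuncs.com/aliyunecs/${OPENVPN_TARBALL}"

die() { printf '%s\n' "$*" >&2; exit 1; }

[[ ${EUID} -eq 0 ]] || die "this step installs packages and must run as root"

# Build dependencies. The original listed several of these two or three times
# across three yum commands that had been run together on one line.
yum install -y gcc openssl openssl-devel lzo lzo-devel pam pam-devel \
  pkcs11-helper pkcs11-helper-devel

# Download the source tarball.
wget -O "${OPENVPN_TARBALL}" "${OPENVPN_URL}"

# Supply-chain check: refuse to build unless the tarball matches the SHA-256
# of the upstream release. The value is deliberately not hard-coded here --
# take it from a copy fetched from openvpn.net over HTTPS (or verify the
# upstream GPG signature) and export it as OPENVPN_SHA256 before running.
: "${OPENVPN_SHA256:?set OPENVPN_SHA256 to the SHA-256 of ${OPENVPN_TARBALL} from the upstream release}"
printf '%s  %s\n' "${OPENVPN_SHA256}" "${OPENVPN_TARBALL}" | sha256sum -c - \
  || die "checksum mismatch for ${OPENVPN_TARBALL}; do not install it"

# rpmbuild -tb builds binary RPMs straight from the spec embedded in the
# tarball (building from source directly also works). In the original the
# trailing comment was glued to the filename with no space, so rpmbuild was
# asked for a file literally named "openvpn-2.2.2.tar.gz#rpm编译...".
# Background on rpmbuild: http://www.cnblogs.com/schangech/p/5641108.html
rpmbuild -tb "${OPENVPN_TARBALL}"

# Ask rpm where %_topdir is instead of assuming rpmbuild was run from $HOME
# (the original used a relative "rpmbuild/RPMS/x86_64/", which only works
# from the home directory on releases where _topdir is ~/rpmbuild).
rpm_topdir=$(rpm --eval '%{_topdir}')
cd "${rpm_topdir}/RPMS/x86_64/" || die "cannot cd to ${rpm_topdir}/RPMS/x86_64"

# Install the freshly built package.
rpm -ivh "openvpn-${OPENVPN_VERSION}-1.x86_64.rpm"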
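# Step 2: build the PKI (CA, server cert, client cert, DH params, tls-auth
# key) with the easy-rsa 2.0 scripts shipped in the openvpn documentation.
EASY_RSA_DIR="/usr/share/doc/openvpn-2.2.2/easy-rsa/2.0"

die() { printf '%s\n' "$*" >&2; exit 1; }

[[ ${EUID} -eq 0 ]] || die "this step writes under /usr/share and must run as root"
cd "${EASY_RSA_DIR}" || die "easy-rsa not found at ${EASY_RSA_DIR}"

# Keep a pristine copy of vars before editing it (do not clobber an
# existing backup on a second run).
[[ -e vars.bak ]] || cp vars vars.bak

# Fill in the certificate subject fields. The values below are the
# tutorial's placeholders -- replace them with your own. KEY_SIZE is also
# raised: easy-rsa 2.0 defaults it to 1024, which sets both the RSA key
# length and the DH parameter size; 1024-bit is below current minimums.
# The DH file is named after it, so server.conf must then use dh2048.pem.
sed -i \
  -e 's/^export KEY_COUNTRY=.*/export KEY_COUNTRY="CN"/' \
  -e 's/^export KEY_PROVINCE=.*/export KEY_PROVINCE="BJ"/' \
  -e 's/^export KEY_CITY=.*/export KEY_CITY="BeiJing"/' \
  -e 's/^export KEY_ORG=.*/export KEY_ORG="xxxx"/' \
  -e 's/^export KEY_EMAIL=.*/export KEY_EMAIL="xxxx@example.com"/' \
  -e 's/^export KEY_SIZE=.*/export KEY_SIZE=2048/' \
  vars

# easy-rsa picks an openssl-*.cnf matching the installed OpenSSL version and
# falls back to ./openssl.cnf when it does not recognise it, so point that at
# the 1.0.0 template. (The original glued its comment to the link name with
# no space, creating a link called "openssl.cnf#做个软链" instead.)
ln -sf "${EASY_RSA_DIR}/openssl-1.0.0.cnf" "${EASY_RSA_DIR}/openssl.cnf"

# Export the KEY_* settings into this shell. vars derives paths from $PWD,
# so this must be run from EASY_RSA_DIR.
source ./vars

# WARNING: removes everything under keys/. Only run this on a fresh PKI;
# re-running it later invalidates every certificate already issued.
./clean-all

# CA certificate and key -> keys/ca.crt, keys/ca.key. ca.key can sign new
# client certificates; it must never be copied onto the VPN server.
./build-ca || die "build-ca failed"

# Server certificate and key -> keys/server.crt, keys/server.key. The
# "server" extension profile marks the certificate as a server cert so
# clients can refuse to talk to a client cert posing as the server.
./build-key-server server || die "build-key-server failed"

# Client certificate and key -> keys/client.crt, keys/client.key.
# Issue one per user; never share a client key between people.
./build-key client || die "build-key failed"

# Diffie-Hellman parameters -> keys/dh${KEY_SIZE}.pem.
./build-dh || die "build-dh failed"

# tls-auth key. With `tls-auth` configured on both sides, control-channel
# packets that do not carry a valid HMAC under this key are discarded before
# any TLS processing, which blunts port scans, connection floods and
# exposure of the TLS stack to unauthenticated peers. It is a pre-shared
# secret shared by the server and every client. Generating it is not
# enough: it must be referenced as `tls-auth ta.key 0` on the server and
# `tls-auth ta.key 1` on the clients, which the original configs never did.
# The original also invoked ./openvpn (there is no such file here) and
# wrote ta.key outside keys/, so the later keys/* copy missed it.
openvpn --genkey --secret keys/ta.key || die "could not generate ta.key"
chmod 600 keys/ta.key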
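# Step 3: deploy the server-side PKI files to /etc/openvpn, then enable
# NAT and IP forwarding so clients can reach networks behind the server.
VPN_NET="10.100.0.0/24"   # must match `server 10.100.0.0 255.255.255.0` in server.conf
VPN_PORT="1195"           # must match `port` in server.conf
VPN_PROTO="tcp"           # must match `proto` in server.conf
EASY_RSA_KEYS="/usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys"
OPENVPN_DIR="/etc/openvpn"

die() { printf '%s\n' "$*" >&2; exit 1; }

[[ ${EUID} -eq 0 ]] || die "this step changes /etc and the firewall and must run as root"

# Copy only what the server needs. The original did `cp -a keys/* /etc/openvpn/`,
# which also placed ca.key (the CA signing key) and the client keys on the
# VPN server: anyone who compromises the server could then mint valid client
# certificates. Keep ca.key and client keys off this host.
# File names follow `./build-key-server server`; adjust if you used another name.
for f in ca.crt server.crt server.key; do
  [[ -f "${EASY_RSA_KEYS}/${f}" ]] || die "missing ${EASY_RSA_KEYS}/${f}"
  cp -p "${EASY_RSA_KEYS}/${f}" "${OPENVPN_DIR}/"
done
cp -p "${EASY_RSA_KEYS}"/dh*.pem "${OPENVPN_DIR}/" || die "no dh*.pem in ${EASY_RSA_KEYS}"

# ta.key is only needed if server.conf uses tls-auth. The tutorial generated
# it from the easy-rsa directory itself rather than keys/, so look in both.
for d in "${EASY_RSA_KEYS}" "${EASY_RSA_KEYS%/keys}"; do
  if [[ -f "${d}/ta.key" ]]; then
    cp -p "${d}/ta.key" "${OPENVPN_DIR}/"
    break
  fi
done

# Private material must not be world-readable (cp -a preserved whatever
# mode easy-rsa left; be explicit).
chmod 600 "${OPENVPN_DIR}/server.key"
[[ -f "${OPENVPN_DIR}/ta.key" ]] && chmod 600 "${OPENVPN_DIR}/ta.key"

# Start from the sample server config, then edit it (the listings that follow
# in this tutorial are the finished versions).
cp -p /usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf "${OPENVPN_DIR}/"
"${EDITOR:-vim}" "${OPENVPN_DIR}/server.conf"

# Firewall. WAN_IF is the interface facing the networks the clients should
# reach (e.g. eth0). Restricting MASQUERADE to it avoids NATing the VPN
# subnet out of every interface, which the original rule (no -o) did.
: "${WAN_IF:?set WAN_IF to the outbound interface, e.g. eth0}"
iptables -t nat -A POSTROUTING -s "${VPN_NET}" -o "${WAN_IF}" -j MASQUERADE

# Accept the VPN port and let tunnel traffic through FORWARD. The rules are
# inserted (-I) rather than appended because the stock CentOS rule set ends
# INPUT and FORWARD with a REJECT, after which an appended rule never fires.
iptables -I INPUT -p "${VPN_PROTO}" --dport "${VPN_PORT}" -j ACCEPT
iptables -I FORWARD -i tun+ -o "${WAN_IF}" -s "${VPN_NET}" -j ACCEPT
iptables -I FORWARD -i "${WAN_IF}" -o tun+ -d "${VPN_NET}" \
  -m state --state ESTABLISHED,RELATED -j ACCEPT

# Show the resulting NAT table to confirm the rule landed.
iptables -t nat -nvL
# These rules are not persistent; save them with your distribution's
# mechanism (e.g. `service iptables save` on CentOS 6) once verified.

# Enable IPv4 forwarding now and make it survive a reboot. Writing to
# /proc/sys (as the original did) is lost at reboot; editing sysctl.conf
# alone does nothing until `sysctl -p` or the next boot.
sysctl -w net.ipv4.ip_forward=1
if grep -qE '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' /etc/sysctl.conf; then
  sed -i 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
else
  printf 'net.ipv4.ip_forward = 1\n' >> /etc/sysctl.conf
fi
sysctl -p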
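# /etc/openvpn/server.conf.keyisok -- certificate-only authentication.
# Every client must present a certificate signed by ca.crt; no passwords.

# Address to listen on. The original had the placeholder "$[服务器IP]";
# replace SERVER_IP with this host's own address.
local SERVER_IP
port 1195
# TCP was chosen by the tutorial and the client profiles match it. UDP is
# the better transport for a VPN (TCP-over-TCP stacks retransmissions);
# if you switch, change the server and every client together.
#proto udp
proto tcp
dev tun

# PKI files, relative to /etc/openvpn. The names follow what easy-rsa
# produced for `./build-key-server server`; the original referenced
# openvpn.dataengine.com.crt/.key, which the tutorial never generates.
ca ca.crt
cert server.crt
key server.key        # This file should be kept secret
# DH parameters. The file is named after KEY_SIZE in easy-rsa's vars;
# the easy-rsa 2.0 default (1024, dh1024.pem) is below current minimum
# strength, so generate with KEY_SIZE=2048 and reference that file.
dh dh2048.pem
# Control-channel HMAC key, "0" = server side. Clients must carry the same
# file with `tls-auth ta.key 1`, otherwise their packets are dropped before
# the TLS handshake. ta.key must be present in /etc/openvpn.
tls-auth ta.key 0
# NOTE(review): OpenVPN 2.2 defaults the data-channel cipher to BF-CBC, a
# 64-bit block cipher. Set `cipher AES-256-CBC` here AND on every client
# (it must match on both sides) once all profiles can be updated together.

# Tunnel subnet; the NAT/forward rules use the same range.
server 10.100.0.0 255.255.255.0
#server 172.16.198.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# Full tunnel: all client traffic and DNS goes through the VPN.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.200.0.22"
push "dhcp-option DNS 10.200.0.75"

# Lets connected clients talk to each other directly. Remove it unless
# client-to-client traffic is actually needed; it widens lateral movement
# from one compromised client to all others.
client-to-client

keepalive 10 120

# Kept because the client profiles in this tutorial also set comp-lzo and
# both sides must agree. Caveat: compressing attacker-influenced plaintext
# alongside secrets is a known risk (VORACLE, 2018); drop it everywhere if you can.
comp-lzo

# Drop root after startup. The original omitted this in this variant while
# setting it in server.conf; persist-key/persist-tun are what allow
# restarts to work after the privilege drop.
user nobody
group nobody
persist-key
persist-tun

status openvpn-status.log
log openvpn.log
verb 3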
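# /etc/openvpn/server.conf -- username/password authentication.
# Clients authenticate with a password checked by an external script; they
# do NOT present a client certificate (see client-cert-not-required below).

# Address to listen on. The original had the placeholder "$[服务器IP]";
# replace SERVER_IP with this host's own address.
local SERVER_IP
port 1195
# TCP matches the client profiles in this tutorial; UDP is the better VPN
# transport. If you switch, change server and clients together.
#proto udp
proto tcp
dev tun

# PKI files, relative to /etc/openvpn. Names follow what easy-rsa produced
# for `./build-key-server server` (the original said cert.crt/cert.key,
# which nothing in the tutorial creates).
ca ca.crt
cert server.crt
key server.key        # This file should be kept secret
# DH parameters; named after KEY_SIZE in easy-rsa's vars. The easy-rsa 2.0
# default (1024, dh1024.pem) is too weak -- generate with KEY_SIZE=2048.
dh dh2048.pem
# Control-channel HMAC key, "0" = server side. Clients need the same file
# with `tls-auth ta.key 1`. This matters more here than in the certificate
# setup: with no client certificates, this is the only thing standing
# between an Internet-wide port and the password check below.
tls-auth ta.key 0
# NOTE(review): OpenVPN 2.2 defaults the data-channel cipher to BF-CBC
# (64-bit blocks). Set `cipher AES-256-CBC` on the server AND every
# client once all profiles can be updated together.

server 10.100.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# Full tunnel: all client traffic and DNS goes through the VPN.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.200.0.22"
push "dhcp-option DNS 10.200.0.75"

# Lets connected clients reach each other directly; remove unless needed.
client-to-client
# Left off on purpose: with duplicate-cn disabled, a second login with the
# same username (= common name, see below) replaces the earlier session
# instead of running alongside it.
#duplicate-cn

keepalive 10 120

# Both sides must agree on compression. Caveat: compressing
# attacker-influenced plaintext next to secrets is a known risk
# (VORACLE, 2018); drop it on server and clients if you can.
comp-lzo

# Drop root after startup. Note this also means the auth script below runs
# as nobody and must be readable/executable by it.
user nobody
group nobody
persist-key
persist-tun

status openvpn-status.log
log openvpn.log
# verb 5 is very chatty (per-packet markers); use 3 for a production box.
verb 5

# ---- username/password access ----
# Level 3 is required by `via-env`; `via-file` only needs level 2.
script-security 3
#plugin ./openvpn-auth-pam.so openvpn
# `via-env` hands the credentials to checkpwd.sh as the environment
# variables `username` and `password`. A process's environment is readable
# by any other process with the same uid (/proc/PID/environ), and the
# script runs as nobody after the privilege drop above, so every other
# process running as nobody can read the cleartext password while the
# check runs. Prefer `via-file` + `script-security 2`: OpenVPN then writes
# the two values to a temp file under --tmp-dir that only the script reads.
# Switching requires checkpwd.sh (not shown in this tutorial) to read the
# file instead of the environment, so the original setting is kept here.
auth-user-pass-verify /etc/openvpn/etc/checkpwd.sh via-env
# No client certificate: the password is the ONLY per-client credential,
# and ca.crt is handed to every client, so anyone with a copy can attempt
# passwords against this port. Rate-limit or lock out in checkpwd.sh.
client-cert-not-required
# The username becomes the session's common name (used for ipp.txt, the
# status log and the duplicate-cn check above).
username-as-common-name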
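# Client profile: username/password authentication (no client certificate).
client
dev tun
proto tcp                       # must match the server's proto
# Placeholders from the original ("服务器的IP 服务器的端口"): the server's
# public address and its `port` (1195 in this tutorial).
remote SERVER_IP SERVER_PORT
# remote-random only has an effect with several `remote` lines (one is
# picked at random); harmless with a single entry.
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun

# Only the CA is needed: the server's certificate is validated against it.
ca ca.crt
# Make sure the peer presents a *server* certificate. Without this, any
# client certificate issued by the same CA could impersonate the server.
# ns-cert-type checks the legacy Netscape extension that easy-rsa 2.0's
# build-key-server sets; remote-cert-tls checks the X.509 extended key
# usage. The certificate-based profile in this tutorial already uses both,
# and the original password profile had only the first.
ns-cert-type server
remote-cert-tls server
# Control-channel HMAC, "1" = client side. Requires the server's ta.key
# next to this profile and `tls-auth ta.key 0` on the server.
tls-auth ta.key 1
# NOTE(review): OpenVPN 2.2 defaults the data-channel cipher to BF-CBC;
# add `cipher AES-256-CBC` here when the server sets the same.

# Prompt for credentials at connect time; do not store them in a file.
auth-user-pass
# Do not keep the password cached in memory across reconnects (re-prompt).
auth-nocache

comp-lzo                        # must match the server
# verb 5 prints per-packet markers; 3 is enough once the tunnel works.
verb 5

# Internal networks reachable through the tunnel. The server also pushes
# redirect-gateway, which already sends all traffic through the VPN, so
# these only matter if that push is removed.
route 172.16.205.0 255.255.255.0
route 172.16.200.0 255.255.255.0
route 10.200.0.0 255.255.0.0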
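# Client profile: certificate authentication. The client's .crt and .key
# (plus ca.crt and ta.key) must be placed next to this file.
client
dev tun
proto tcp                       # must match the server's proto
# Placeholders from the original: the server's public address and its `port`.
remote $vpnserver_ip_addr $server_port
resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
# Names follow `./build-key client` from the PKI step (the original used
# dataengineuser.crt/.key, i.e. whatever name was passed to build-key).
# client.key is this user's private key: mode 600, never shared or reused
# between people -- revoke and reissue if it leaks.
cert client.crt
key client.key
# Both checks ensure the peer presents a *server* certificate so that a
# client certificate from the same CA cannot impersonate the server:
# ns-cert-type (legacy Netscape extension, set by easy-rsa 2.0's
# build-key-server) and remote-cert-tls (X.509 extended key usage).
ns-cert-type server
remote-cert-tls server
# Control-channel HMAC, "1" = client side. Requires the server's ta.key
# next to this profile and `tls-auth ta.key 0` on the server.
tls-auth ta.key 1
# NOTE(review): OpenVPN 2.2 defaults the data-channel cipher to BF-CBC;
# add `cipher AES-256-CBC` here when the server sets the same.

comp-lzo                        # must match the server
verb 3

# Internal networks reachable through the tunnel. The server also pushes
# redirect-gateway, which already routes everything through the VPN.
route 172.16.205.0 255.255.255.0
route 172.16.200.0 255.255.255.0
route 10.200.0.0 255.255.0.0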