环境
服务端:CentOS 6.7 32-bit
客户端:Windows XP
服务端配置
# 关闭SELinux
sed -i ‘/^SELINUX\b/s/=.*/=disabled/‘ /etc/selinux/config
setenforce 0
# 安装mysql-server
yum -y install mysql-server
# 启动mysqld服务
service mysqld start
# 初始化mysql管理员(root)密码
mysqladmin -uroot password redhat
# 创建radius数据库
mysqladmin -uroot -predhat create radius
# 安装radius和相关插件
yum -y install freeradius freeradius-mysql freeradius-utils
# 编辑/etc/raddb/radiusd.conf文件
sed -i ‘700s/#//‘ /etc/raddb/radiusd.conf
# 编辑/etc/raddb/sites-enabled/default文件
sed -i ‘170s/^/#/;177s/#//;406s/#//;454s/#//‘ /etc/raddb/sites-enabled/default
# 将数据结构导入radius数据库
for file in /etc/raddb/sql/mysql/*.sql;do mysql -uroot -predhat radius < $file;done
# 新建一个用户名和密码都是test的用户
mysql -uroot -predhat radius -e "insert into radcheck(username,attribute,value) values(‘test‘,‘Password‘,‘test‘)"
# 启动radiusd服务并将其设置为开机启动
service radiusd start
chkconfig radiusd on
# 测试(如果出现“Access-Accept”字样则表示配置成功)
radtest test test 127.1 0 testing123
# 安装EPEL源(默认yum源没有openvpn和easy-rsa软件包)
rpm -ivh http://mirrors.ustc.edu.cn/fedora/epel/5/i386/epel-release-5-4.noarch.rpm
# 安装openvpn和easy-rsa软件包
yum -y install openvpn easy-rsa
# 切换到/usr/share/easy-rsa/2.0/目录
cd /usr/share/easy-rsa/2.0/
# 初始化环境变量
source vars
# 清除所有与证书相关的文件
./clean-all
# 生成CA相关文件(一路按回车即可)
./build-ca
# 生成服务端相关文件(一路按回车,直到提示需要输入y/n时,输入y再按回车,一共两次)
./build-key-server server
# 生成dh2048.pem文件(生成过程时快时慢,在此期间不要去中断它)
./build-dh
# 生成ta.key文件(防DDos攻击)
openvpn --genkey --secret keys/ta.key
# 在openvpn的配置目录下新建一个key目录
mkdir /etc/openvpn/keys
# 将openvpn配置文件需要用到的文件复制一份到刚创建好的keys目录中
cp /usr/share/easy-rsa/2.0/keys/{ca.crt,server.{crt,key},dh2048.pem,ta.key} /etc/openvpn/keys/
# 开启路由转发功能
sed -i ‘/net.ipv4.ip_forward/s/0/1/‘ /etc/sysctl.conf
echo 1 > /proc/sys/net/ipv4/ip_forward
# 配置防火墙
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -F
iptables -t nat -X
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
service iptables save
# 安装radiusplugin编译所需环境
yum -y install make gcc gcc-c++ libgcrypt libgpg-error libgcrypt-devel wget
# 下载radiusplugin源码包
wget -P /tmp http://www.nongnu.org/radiusplugin/radiusplugin_v2.1.tar.gz
# 解压
tar xzf /tmp/radiusplugin_v2.1.tar.gz -C /usr/src/
# 切换到/usr/src/radiusplugin/目录
cd /usr/src/radiusplugin/
# 编译
make
# 复制radiusplugin.so和radiusplugin.cnf文件到/etc/openvpn/目录
cp radiusplugin.{so,cnf} /etc/openvpn/
# 编辑/etc/openvpn/radiusplugin.cnf文件
sed -i ‘/\bsharedsecret=/s/=.*/=testing123/‘ /etc/openvpn/radiusplugin.cnf
# 创建/etc/openvpn/server.conf文件,内容如下
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
dh keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0" # 192.168.1.0/24是我这台VPN服务器所在的内网的网段,读者应该根据自身实际情况进行修改
keepalive 10 120
tls-auth keys/ta.key 0 # This file is secret
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
client-cert-not-required
# 启动openvpn服务并将其设置为开机启动
service openvpn start
chkconfig openvpn on
客户端配置
创建一份客户端文件(命名为client.ovpn),内容如下(读者要注意修改下面的服务端公网IP):
client
dev tun
proto udp
remote 服务端公网IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
auth-user-pass
tls-auth [inline] 1
<ca>
将/usr/share/easy-rsa/2.0/keys/ca.crt的全部内容复制粘贴于此
</ca>
<tls-auth>
将/usr/share/easy-rsa/2.0/keys/ta.key的全部内容复制粘贴于此
</tls-auth>
从服务端下载client.ovpn,并将其复制到openvpn的安装目录的config目录下,最后,启动openvpn程序,连接服务端,账号密码都是test,如果能获取到IP,且能ping内网的其他机器就表示配置成功了。
最后给出我的client.ovpn的范例文本供读者参考。
client
dev tun
proto udp
remote 192.168.1.88 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
auth-user-pass
tls-auth [inline] 1
<ca>
-----BEGIN CERTIFICATE-----
MIIFEjCCA/qgAwIBAgIJAPuPhPG+3TThMA0GCSqGSIb3DQEBCwUAMIG2MQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMG
A1UEChMMRm9ydC1GdW5zdG9uMR0wGwYDVQQLExRNeU9yZ2FuaXphdGlvbmFsVW5p
dDEYMBYGA1UEAxMPRm9ydC1GdW5zdG9uIENBMRAwDgYDVQQpEwdFYXN5UlNBMSEw
HwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wHhcNMTQxMTA4MDgxMTE1
WhcNMjQxMTA1MDgxMTE1WjCBtjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRUw
EwYDVQQHEwxTYW5GcmFuY2lzY28xFTATBgNVBAoTDEZvcnQtRnVuc3RvbjEdMBsG
A1UECxMUTXlPcmdhbml6YXRpb25hbFVuaXQxGDAWBgNVBAMTD0ZvcnQtRnVuc3Rv
biBDQTEQMA4GA1UEKRMHRWFzeVJTQTEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0
Lm15ZG9tYWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxVsiMkd3
n0jAFV9mz7F7HpR8oM15Fr0tjIjRZ6N3zvy8snuPtL6v7won25g8RqvzsYteyNaU
LboeqcpDFgoj3Fg9ltMnDeRp1AG/5eruaw2/q38zkOS2I1qP6HVcwABMr3CBPpqc
Be/rJXBBVqpyJQIa9F8qnXvYFyja0CD/g2xJn1TZ5gXYVsEsD4mTsTesei0mr/SS
jJlqESEEb7mrwpFcjMGTmDAamrdl4PI/IptjOhwrg62YRfpzni3fOrTDycVhaHQR
9Qbjvq+hfyzZJxPRaesCPoAR4aWhvGOMddhg7uZ7r21ZNb54QAkAudPQTVWle3it
QvQ+8ylOkoV66QIDAQABo4IBHzCCARswHQYDVR0OBBYEFHlXeNlCNmvR+Dm8tnnJ
CfpVSmwyMIHrBgNVHSMEgeMwgeCAFHlXeNlCNmvR+Dm8tnnJCfpVSmwyoYG8pIG5
MIG2MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5j
aXNjbzEVMBMGA1UEChMMRm9ydC1GdW5zdG9uMR0wGwYDVQQLExRNeU9yZ2FuaXph
dGlvbmFsVW5pdDEYMBYGA1UEAxMPRm9ydC1GdW5zdG9uIENBMRAwDgYDVQQpEwdF
YXN5UlNBMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW6CCQD7j4Tx
vt004TAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCFbyQbck5rI6fw
66bpoFTxKq7+8b738R0lbKggxzVzSh2KReemmuu93zyRQ4Iv3MDwAa2ffJGYFiQz
jXzun4Q0SPNocBAgV0pTPyrGH/zSOqi4CXsN02AOKGkTAVJaPLavAGlRSjGVh62g
8nAGzBDagD+FRlYzKZ3cupKGcmoXmWwrnS4YWoSf4+Dei52Fsqe43JEnY0wmXGvu
LkukweyWJIqy3iuvPaYzUWWZSe9c6Ytx5Et2y+rYbpxyLvJiX3le8Whf3u2HLuPV
cwOPvG71kHpOOVPpks2RHwQn3TwWgBWpqIN37Eaow4TuTHTgRjuATttUeAZoSLFV
9iLvv+FV
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
9f8d9e7776a5fc310ee39676c0fd4b2b
1b5d6525e26bc33fb23a64ded18f68ee
744cd707ee27c099caa9bf6622cfa1e5
73ff1026e59503760a1bac6102543e30
0946bb831cba42eb457b88eff73599b1
d26c39e6e0af27a55a83e4ed2d70a665
dcb83715e74ca0ce90ebd76344b14c23
b70cf9428b11b771dc6c5bcf0c638522
43ff98f637e3e637686ab23d01967a96
6a9d94f63dea50db264e246646f2dc27
3c2c957360108a993ea49481aadf7046
f38145175dbee319d69fc6202ed4934c
65ff2657e46c37f0f530acea93ee99e7
c7109996cdf13b0ae5f4b3506937cadb
793c9cc063b580aa70873499e5f02252
200f29305bfb0d934b1307fd9af3c7a9
-----END OpenVPN Static key V1-----
</tls-auth>
时间: 2024-10-13 07:34:02