Resources
Server: rhel5.8-64bit
Software versions
openvpn-2.0.9.tar.gz (installation package)
openvpn-2.0.9-gui-1.0.3-install.exe (client)
lzo-2.03.tar.gz
openssl (the package shipped with the system)
1. Install openssl
[root@samba-wiki openvpn]# yum install openssl.x86_64 -y
2. Install lzo
[root@samba-wiki lzo-2.03]# ./configure
[root@samba-wiki lzo-2.03]# make
[root@samba-wiki lzo-2.03]# make install
3. Install OpenVPN
[root@samba-wiki openvpn-2.0.9]# ./configure --enable-pthread
[root@samba-wiki openvpn-2.0.9]# make && make install
4. Configure the TUN/TAP driver and enable IP forwarding
[root@samba-wiki openvpn]# modprobe tun
[root@samba-wiki openvpn]# lsmod |grep tun
tun 82241 2
[root@samba-wiki openvpn]# vim /etc/sysctl.conf
Change net.ipv4.ip_forward = 0 to 1, then apply the setting:
[root@samba-wiki openvpn]# sysctl -p
5. Configure openvpn
A. Generate the certificates
Step 1: set the environment variables
[root@samba-wiki openvpn]# vim /root/.bash_profile
Append the following lines at the end
DIR=/usr/src/openvpn/openvpn-2.0.9/easy-rsa
KEY_CONFIG=$DIR/f
KEY_DIR=$DIR/keys
KEY_SIZE=1024
KEY_COUNTRY=CN
KEY_PROVINCE=BJ
KEY_CITY=BJ
KEY_ORG="creditease"
KEY_EMAIL="yulindong@"
export KEY_CONFIG KEY_DIR KEY_SIZE KEY_COUNTRY KEY_PROVINCE KEY_CITY KEY_ORG KEY_EMAIL DIR
Load the environment variables
[root@samba-wiki openvpn]# source /root/.bash_profile
Step 2: generate the certificates
1. Enter the easy-rsa directory of the source package
[root@samba-wiki easy-rsa]# pwd
/usr/src/openvpn/openvpn-2.0.9/easy-rsa
2. Generate the CA certificate
[root@samba-wiki easy-rsa]# ./clean-all
[root@samba-wiki easy-rsa]# ./build-ca
3. Generate the server key
[root@samba-wiki easy-rsa]# ./build-key-server server
4. Generate the client key
[root@samba-wiki easy-rsa]# ./build-key chenyu # name the key after the user
[root@samba-wiki keys]# ls chenyu.*
chenyu.crt chenyu.csr chenyu.key # the certificate files for chenyu have been generated
[root@samba-wiki easy-rsa]# ./build-dh
5. Generate ta.key
[root@samba-wiki easy-rsa]# openvpn --genkey --secret ta.key
B. Create the OpenVPN configuration file
[root@samba-wiki easy-rsa]# vi /usr/local/etc/server.conf
port 2194
proto tcp
dev tap0
server-bridge 10.10.37.2 255.255.255.0 10.10.37.128 10.10.37.254
push "dhcp-option DNS 192.168.101.13"
push "dhcp-option DNS 192.168.101.14"
ifconfig-pool-persist /usr/local/etc/ipp.txt
ca /usr/local/etc/keys/ca.crt
cert /usr/local/etc/keys/server.crt
key /usr/local/etc/keys/server.key
dh /usr/local/etc/keys/dh1024.pem
tls-auth /usr/local/etc/keys/ta.key 0
keepalive 10 120
comp-lzo
status /var/log/openvpn-status.log
verb 4
persist-key
persist-tun
Copy the ca.crt, server.crt, server.key, dh1024.pem and ta.key files to the paths referenced above
C. Start OpenVPN (as a background daemon)
[root@samba-wiki easy-rsa]# /usr/local/sbin/openvpn --daemon --config /usr/local/etc/server.conf
D. Set up the bridge interface
1. Install bridge-utils
[root@samba-wiki easy-rsa]# yum install -y bridge-utils.x86_64
2. Edit the bridge-start script
[root@samba-wiki sample-scripts]# pwd
/usr/src/openvpn/openvpn-2.0.9/sample-scripts
[root@samba-wiki sample-scripts]# vim bridge-start
Modify it as follows
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"
# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="10.10.37.2"
eth_netmask="255.255.255.0"
eth_broadcast="10.10.37.255"
3. Run the script, then restart the OpenVPN service
[root@samba-wiki sample-scripts]# ./bridge-start
6. Client configuration
Download ca.crt, dh1024.pem, ta.key, chenyu.crt and chenyu.key to the client, install the openvpn-2.0.9-gui-1.0.3-install.exe client tool, place the certificates in the config directory under the installation path, and create the configuration file client.ovpn
with the following contents:
client
dev tap0
proto tcp
remote 119.255.7.37 2194
persist-key
persist-tun
ca ca.crt
cert chenyu.crt
key chenyu.key
ns-cert-type server
comp-lzo
verb 3
tls-auth ta.key 1
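The server.conf and client.ovpn above must agree on transport, device type, port, compression and the tls-auth key direction (0 on the server, 1 on the client); a mismatch in any of these is the usual reason a first connection attempt fails silently. The following consistency check is an added example, not part of the original post; it parses constructed copies of the two files shown here and reports the mismatches it finds.

```python
import re

# Constructed copies of the server.conf and client.ovpn from this page, reduced
# to the directives the check compares (paths and addresses are the page's own).
SERVER_CONF = """
port 2194
proto tcp
dev tap0
server-bridge 10.10.37.2 255.255.255.0 10.10.37.128 10.10.37.254
tls-auth /usr/local/etc/keys/ta.key 0
comp-lzo
"""
CLIENT_OVPN = """
client
dev tap0
proto tcp
remote 119.255.7.37 2194
ns-cert-type server
comp-lzo
tls-auth ta.key 1
"""

def parse_conf(text):
    """Map each directive to its argument lists; '#' and ';' start comments."""
    conf = {}
    for line in text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            conf.setdefault(name, []).append(args)  # directives such as push repeat
    return conf

def check_pair(server, client):
    """Return the mismatches that would stop this client from talking to this server."""
    first = lambda conf, key, default=None: conf[key][0] if key in conf else default
    problems = []
    # transport: 'tcp' on both sides (OpenVPN treats them as tcp-server / tcp-client)
    if first(server, "proto", ["udp"])[0].split("-")[0] != first(client, "proto", ["udp"])[0].split("-")[0]:
        problems.append("proto mismatch")
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        problems.append("comp-lzo set on only one side")
    # a bridged (tap) server needs a tap client; tun and tap do not interoperate
    if first(server, "dev", ["tun"])[0][:3] != first(client, "dev", ["tun"])[0][:3]:
        problems.append("dev type mismatch (tun vs tap)")
    remote = first(client, "remote", [])
    if first(server, "port", ["1194"])[0] != (remote[1] if len(remote) > 1 else "1194"):
        problems.append("port mismatch")
    # tls-auth: present on both sides or neither, with complementary key directions
    s_ta, c_ta = first(server, "tls-auth"), first(client, "tls-auth")
    if (s_ta is None) != (c_ta is None):
        problems.append("tls-auth on only one side")
    elif s_ta is not None:
        s_dir = s_ta[1] if len(s_ta) > 1 else None
        c_dir = c_ta[1] if len(c_ta) > 1 else None
        if (s_dir is None) != (c_dir is None) or (s_dir is not None and s_dir == c_dir):
            problems.append("tls-auth key-direction must be 0 on one side and 1 on the other")
    return problems

def problems_for(server_text, client_text):
    return check_pair(parse_conf(server_text), parse_conf(client_text))
```

Run it against the real files before copying them to the client; an empty list means the two profiles are compatible on these points (it does not verify that the certificate files exist or that server.crt carries the nsCertType=server extension that ns-cert-type server expects).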
Connection test