Server: rhel5.8-64bit
Software versions:
  openvpn-2.0.9.tar.gz (install package)
  openvpn-2.0.9-gui-1.0.3-install.exe (client)
  lzo-2.03.tar.gz
  openssl: the version shipped with the system

1. Install openssl
  [root@samba-wiki openvpn]# yum install openssl.x86_64 -y

2. Install lzo
  [root@samba-wiki lzo-2.03]# ./configure
  [root@samba-wiki lzo-2.03]# make
  [root@samba-wiki lzo-2.03]# make install

3. Install OpenVPN
  [root@samba-wiki openvpn-2.0.9]# ./configure --enable-pthread
  [root@samba-wiki openvpn-2.0.9]# make && make install

4. Configure the TUN/TAP driver and enable IP forwarding
  [root@samba-wiki openvpn]# modprobe tun
  [root@samba-wiki openvpn]# lsmod | grep tun
  tun 82241 2
  [root@samba-wiki openvpn]# vim /etc/sysctl.conf
  Change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1, then apply the setting:
  [root@samba-wiki openvpn]# sysctl -p

5. Configure OpenVPN

A. Generate the certificates

Step 1: set the environment variables
  [root@samba-wiki openvpn]# vim /root/.bash_profile
  Append the following lines at the end of the file:
  DIR=/usr/src/openvpn/openvpn-2.0.9/easy-rsa
  KEY_CONFIG=$DIR/f
  KEY_DIR=$DIR/keys
  KEY_SIZE=1024
  KEY_COUNTRY=CN
  KEY_PROVINCE=BJ
  KEY_CITY=BJ
  KEY_ORG="creditease"
  KEY_EMAIL="yulindong@"
  export KEY_CONFIG KEY_DIR KEY_SIZE KEY_COUNTRY KEY_PROVINCE KEY_CITY KEY_ORG KEY_EMAIL DIR
  Make the variables take effect:
  [root@samba-wiki openvpn]# source /root/.bash_profile

Step 2: generate the certificates
1. Enter the easy-rsa directory of the source package
  [root@samba-wiki easy-rsa]# pwd
  /usr/src/openvpn/openvpn-2.0.9/easy-rsa
2. Generate the CA certificate
  [root@samba-wiki easy-rsa]# ./clean-all
  [root@samba-wiki easy-rsa]# ./build-ca
3. Generate the server key
  [root@samba-wiki easy-rsa]# ./build-key-server server
4. Generate the client key
  [root@samba-wiki easy-rsa]# ./build-key chenyu
  # the key is named after the user
  [root@samba-wiki keys]# ls chenyu.*
  chenyu.crt chenyu.csr chenyu.key
  # the certificate files for chenyu have been generated
  [root@samba-wiki easy-rsa]# ./build-dh
5. Generate ta.key
  [root@samba-wiki easy-rsa]# openvpn --genkey --secret ta.key

B. Create the OpenVPN configuration file
  [root@samba-wiki easy-rsa]# vi /usr/local/etc/server.conf
  port 2194
  proto tcp
  dev tap0
  server-bridge 10.10.37.2 255.255.255.0 10.10.37.128 10.10.37.254
  push "dhcp-option DNS 192.168.101.13"
  push "dhcp-option DNS 192.168.101.14"
  ifconfig-pool-persist /usr/local/etc/ipp.txt
  ca /usr/local/etc/keys/ca.crt
  cert /usr/local/etc/keys/server.crt
  key /usr/local/etc/keys/server.key
  dh /usr/local/etc/keys/dh1024.pem
  tls-auth /usr/local/etc/keys/ta.key 0
  keepalive 10 120
  comp-lzo
  status /var/log/openvpn-status.log
  verb 4
  persist-key
  persist-tun
  Copy ca.crt, server.crt, server.key, dh1024.pem and ta.key to the paths referenced above (/usr/local/etc/keys/).

C. Start OpenVPN (as a background process)
  [root@samba-wiki easy-rsa]# /usr/local/sbin/openvpn --daemon --config /usr/local/etc/server.conf

D. Set up the bridge interface
1. Install bridge-utils
  [root@samba-wiki easy-rsa]# yum install -y bridge-utils.x86_64
2. Edit the bridge-start script
  [root@samba-wiki sample-scripts]# pwd
  /usr/src/openvpn/openvpn-2.0.9/sample-scripts
  [root@samba-wiki sample-scripts]# vim bridge-start
  Change the settings as follows:
  # Define Bridge Interface
  br="br0"
  # Define list of TAP interfaces to be bridged,
  # for example tap="tap0 tap1 tap2".
  tap="tap0"
  # Define physical ethernet interface to be bridged
  # with TAP interface(s) above.
  eth="eth0"
  eth_ip="10.10.37.2"
  eth_netmask="255.255.255.0"
  eth_broadcast="10.10.37.255"
3. Run the script, then restart the OpenVPN service
  [root@samba-wiki sample-scripts]# ./bridge-start

6. Client configuration
Download ca.crt, dh1024.pem, ta.key, chenyu.crt and chenyu.key to the client, install the openvpn-2.0.9-gui-1.0.3-install.exe client tool, place the certificates in the config directory under the installation path, and create the configuration file client.ovpn with the following contents:
  client
  dev tap0
  proto tcp
  remote 119.255.7.37 2194
  persist-key
  persist-tun
  ca ca.crt
  cert chenyu.crt
  key chenyu.key
  ns-cert-type server
  comp-lzo
  verb 3
  tls-auth ta.key 1
Connection test
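Before the first connection attempt it is worth cross-checking the server.conf from section B against the client.ovpn from section 6: the port and proto must agree, both sides must use the same device type (the server-bridge setup above only works with tap clients), tls-auth must be present on both sides with key-direction 0 on the server and 1 on the client, and comp-lzo must be enabled on both or neither. The POSIX shell script below is an added example, not part of the original write-up or of OpenVPN; the function names (ovpn_opt, check_ovpn_pair, write_samples), the temporary directory layout and the deliberately broken client-bad.ovpn are constructed for the demonstration, while the server.conf and client.ovpn samples are abridged copies of the files shown in this guide.

```shell
#!/bin/sh
# Consistency check for an OpenVPN server.conf / client .ovpn pair.
# Added example for this guide; not part of OpenVPN or of the original
# write-up. It only parses the two text files with awk/grep, so it can run
# on the server before anyone tries to connect.

# ovpn_opt FILE DIRECTIVE: print the arguments of the first DIRECTIVE line
# in FILE (empty output when the directive is absent or has no arguments).
ovpn_opt() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# check_ovpn_pair SERVER_CONF CLIENT_CONF: print one line per mismatch and
# return 1 if any was found, 0 if the two files agree.
check_ovpn_pair() {
    srv="$1"; cli="$2"; rc=0

    # port/proto: the client's "remote HOST PORT" and "proto" must match the server
    s_port=$(ovpn_opt "$srv" port)
    s_proto=$(ovpn_opt "$srv" proto)
    c_port=$(ovpn_opt "$cli" remote | awk '{ print $2 }')
    c_proto=$(ovpn_opt "$cli" proto)
    [ "$s_port" = "$c_port" ] || { echo "port mismatch: server '$s_port', client '$c_port'"; rc=1; }
    [ "$s_proto" = "$c_proto" ] || { echo "proto mismatch: server '$s_proto', client '$c_proto'"; rc=1; }

    # dev type: a bridged (tap) server cannot serve a tun client; compare "tap"/"tun" only
    s_dev=$(ovpn_opt "$srv" dev | cut -c1-3)
    c_dev=$(ovpn_opt "$cli" dev | cut -c1-3)
    [ "$s_dev" = "$c_dev" ] || { echo "dev mismatch: server '$s_dev', client '$c_dev'"; rc=1; }

    # tls-auth: both sides need it, with key-direction 0 on the server and 1 on the client
    s_ta=$(ovpn_opt "$srv" tls-auth)
    c_ta=$(ovpn_opt "$cli" tls-auth)
    if [ -z "$s_ta" ] || [ -z "$c_ta" ]; then
        echo "tls-auth missing on one side (server '$s_ta', client '$c_ta')"; rc=1
    else
        s_dir=$(echo "$s_ta" | awk '{ print $2 }')
        c_dir=$(echo "$c_ta" | awk '{ print $2 }')
        { [ "$s_dir" = 0 ] && [ "$c_dir" = 1 ]; } || \
            { echo "tls-auth key-direction must be 0 on the server and 1 on the client (got '$s_dir'/'$c_dir')"; rc=1; }
    fi

    # comp-lzo: must be enabled on both sides or on neither
    s_lzo=$(grep -c '^comp-lzo' "$srv" || true)
    c_lzo=$(grep -c '^comp-lzo' "$cli" || true)
    [ "$s_lzo" = "$c_lzo" ] || { echo "comp-lzo enabled on only one side"; rc=1; }

    return $rc
}

# write_samples DIR: abridged server.conf and client.ovpn from this guide,
# plus a constructed client-bad.ovpn with three deliberate mismatches.
write_samples() {
    cat > "$1/server.conf" <<'EOF'
port 2194
proto tcp
dev tap0
server-bridge 10.10.37.2 255.255.255.0 10.10.37.128 10.10.37.254
push "dhcp-option DNS 192.168.101.13"
ca /usr/local/etc/keys/ca.crt
cert /usr/local/etc/keys/server.crt
key /usr/local/etc/keys/server.key
dh /usr/local/etc/keys/dh1024.pem
tls-auth /usr/local/etc/keys/ta.key 0
keepalive 10 120
comp-lzo
EOF
    cat > "$1/client.ovpn" <<'EOF'
client
dev tap0
proto tcp
remote 119.255.7.37 2194
ca ca.crt
cert chenyu.crt
key chenyu.key
ns-cert-type server
comp-lzo
tls-auth ta.key 1
EOF
    # constructed bad client: wrong proto, wrong key-direction, no comp-lzo
    cat > "$1/client-bad.ovpn" <<'EOF'
client
dev tap0
proto udp
remote 119.255.7.37 2194
ca ca.crt
cert chenyu.crt
key chenyu.key
tls-auth ta.key 0
EOF
}

# Stand-alone demo: the guide's pair passes, the constructed one reports 3 problems
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "== client.ovpn"; check_ovpn_pair "$demo_dir/server.conf" "$demo_dir/client.ovpn" && echo "consistent"
echo "== client-bad.ovpn"; check_ovpn_pair "$demo_dir/server.conf" "$demo_dir/client-bad.ovpn" || echo "fix the mismatches above"
rm -rf "$demo_dir"
```

Run it as `sh check_ovpn_pair.sh`, or source it and call `check_ovpn_pair /usr/local/etc/server.conf /path/to/client.ovpn` against the real files; a non-zero exit code makes it usable from a deployment script. The check reads only the first occurrence of each directive and deliberately ignores the certificate paths, since those differ by design between server and client.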






