Wednesday, 23 July 2014

OpenVPN Configuration

OpenVPN installation
Server-side installation
  1. Download and install the additional dependencies OpenVPN needs
# yum install openssl openssl-devel

# If ./configure fails on libpam, install the PAM headers (needed for PAM authentication)
# yum install pam-devel

# yum install lzo-devel

  2. Install OpenVPN
tar -zxvf openvpn-2.3.2.tar.gz
cd openvpn-2.3.2
./configure --prefix=/usr/local/openvpn
make && make install
# If this fails with "command not found", install the build toolchain: yum -y install gcc automake autoconf libtool make

  3. Create the etc directory
mkdir /usr/local/openvpn/etc

  4. Copy the easy-rsa files into the etc directory.
(Only the files in the easy-rsa 2.0 folder are copied into the OpenVPN install directory, so that as few 'vars' parameters as possible need editing.)

  • The files in easy-rsa/2.0/
    •  ** OpenVPN 2.3.x no longer bundles easy-rsa; download easy-rsa/2.0/ separately (the easy-rsa-old repository) **
# unzip master
# cd easy-rsa-old-master/easy-rsa
# cp -r -p 2.0/  /usr/local/openvpn/etc/easy-rsa/     # after the cd above, the 2.0 folder is directly under the current directory

  • OpenVPN 2.2.1 (easy-rsa is still shipped in the source tree)
# cd openvpn-2.2.1      # install directory / source tree
# cp -r -p easy-rsa/2.0/  /usr/local/openvpn/etc/easy-rsa/

cd e

  5. Set the vars environment variables
# vi vars
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
export KEY_SIZE=1024    # build-dh names its output dh${KEY_SIZE}.pem; 1024-bit RSA/DH is weak by current standards, prefer 2048 and change the dh path in server.conf to match
export KEY_COUNTRY=CN
export KEY_PROVINCE=HK
export KEY_CITY=HongKong
export KEY_ORG="test.net"
export KEY_EMAIL="postmaster@test.net"

  6. Generate the certificates and keys

a.  Generate the CA and the server certificate
. ./vars
./clean-all      # wipes KEY_DIR; run it only once at initial setup, rerunning it destroys the CA and every issued certificate
./build-ca       # if it complains about the openssl.cnf path, create a symlink: ln -s openssl-1.0.0.cnf openssl.cnf
./build-key-server server
./build-dh

    b.  Generate ta.key (the tls-auth HMAC key)
          # cd /usr/local/openvpn/sbin
          ./openvpn --genkey --secret ta.key
          cp ta.key /usr/local/openvpn/etc/easy-rsa/keys/

  7. Copy server.conf from the source tree's sample-config-files into the OpenVPN etc directory
# cp -r ~/openvpn-2.3.2/sample/sample-config-files/server.conf /usr/local/openvpn/etc/
# vi /usr/local/openvpn/etc/server.conf
# specify the server IP and related settings
local x.x.x.x

port 1194                       # listening port
server 10.8.0.0 255.255.255.0   # VPN subnet; choose your own

push "redirect-gateway def1 bypass-dhcp"  # route all client traffic through the VPN
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

;duplicate-cn  # enable this only if several clients must share one certificate; it also lets a stolen certificate be used alongside the legitimate one

# specify the paths of all certs/keys
ca /usr/local/openvpn/etc/easy-rsa/keys/ca.crt
cert /usr/local/openvpn/etc/easy-rsa/keys/server.crt
key /usr/local/openvpn/etc/easy-rsa/keys/server.key

dh /usr/local/openvpn/etc/easy-rsa/keys/dh1024.pem   # file name follows KEY_SIZE in vars
tls-auth /usr/local/openvpn/etc/easy-rsa/keys/ta.key 0

  8. Other related files / configuration
  • checkpsw.sh
# cd /usr/local/openvpn/etc
# wget http://openvpn.se/files/other/checkpsw.sh
# chmod 755 checkpsw.sh
# vi checkpsw.sh
PASSFILE="/usr/local/openvpn/etc/psw-file"
LOG_FILE="/var/log/openvpn-password.log"

  • Create psw-file in /usr/local/openvpn/etc/
# vi psw-file
username password
# chmod 400 psw-file
# One "username password" pair per line. The passwords are stored in plaintext, so the file must be owned by, and readable only by, the user OpenVPN runs as.

  • Password login configuration
# vi server.conf
client-cert-not-required
username-as-common-name
script-security 3 system
auth-user-pass-verify /usr/local/openvpn/etc/checkpsw.sh via-env
# With client-cert-not-required, clients log in with username and password only; without it, a valid client certificate AND username/password are both required.
# script-security 3 is needed because via-env hands the password to the script through environment variables. The "system" execution method is deprecated; drop the word to use the default execve method.
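An added example, not the page's checkpsw.sh from openvpn.se: a POSIX shell replacement for the via-env verify script that keeps salted SHA-256 hashes in the password file instead of plaintext, rejects malformed usernames, and never writes the password to the log. The username:salt:hash line format, the verify-user.sh name and the credentials used in the usage note are assumptions of this example, not anything from the original page.

```shell
#!/bin/sh
# Added example: an auth-user-pass-verify script for "via-env" mode.
# OpenVPN exports the client's credentials in the environment variables
# "username" and "password" (which is why script-security 3 is required).
# Unlike checkpsw.sh this stores salted SHA-256 hashes, not plaintext.
# Assumed file format (one entry per line, not from the original page):
#   username:salt:sha256hex(salt + password)
# Assumed server.conf line:
#   auth-user-pass-verify /usr/local/openvpn/etc/verify-user.sh via-env

PASSFILE="${PASSFILE:-/usr/local/openvpn/etc/psw-file}"
LOG_FILE="${LOG_FILE:-/var/log/openvpn-password.log}"

# hash_password SALT PASSWORD -> lowercase hex SHA-256 of salt||password
hash_password() {
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# new_entry USERNAME PASSWORD -> one PASSFILE line with a fresh 8-byte random salt
new_entry() {
    salt=$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s:%s:%s\n' "$1" "$salt" "$(hash_password "$salt" "$2")"
}

# verify_user USERNAME PASSWORD FILE -> 0 if the credentials match, 1 otherwise
verify_user() {
    user=$1 pass=$2 file=$3
    # an empty name, or one containing the field separator, can never match
    case $user in ''|*:*) return 1 ;; esac
    # exact match on the first field; awk -v avoids regex and globbing surprises
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$file")
    [ -n "$entry" ] || return 1
    salt=${entry#*:}; salt=${salt%%:*}
    stored=${entry##*:}
    [ "$(hash_password "$salt" "$pass")" = "$stored" ]
}

# Entry point when OpenVPN invokes the script: credentials arrive via the
# environment. Only the outcome and the username are logged, never the password.
if [ -n "${username:-}" ]; then
    if verify_user "$username" "${password:-}" "$PASSFILE"; then
        printf '%s: accepted %s\n' "$(date '+%F %T')" "$username" >> "$LOG_FILE"
        exit 0
    fi
    printf '%s: rejected %s\n' "$(date '+%F %T')" "$username" >> "$LOG_FILE"
    exit 1
fi
```

To add a user, source the script and append an entry, e.g. `new_entry alice 's3cret' >> /usr/local/openvpn/etc/psw-file`, then apply the same chmod 400 as above; the hashed file still needs `script-security 3` on the server because via-env is used.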
  9. Enable IP forwarding
# vi /etc/sysctl.conf
# enable ip_forward
net.ipv4.ip_forward = 1
# sysctl -p

  10. Enable SNAT
# The subnet must match the "server" line in server.conf: 10.8.0.0/24, not /16
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source yourip

  11. Start OpenVPN
/usr/local/openvpn/sbin/openvpn --config /usr/local/openvpn/etc/server.conf &    # "&" only backgrounds the process; --daemon is the proper way to detach it
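The forwarding and NAT steps above, together with the "connected but no Internet" check from the troubleshooting section, as one added script (example code, not from the original page). It adds the FORWARD-chain rules the page does not show, uses the /24 that matches the server line, and can print the commands (DRY_RUN=1), apply them (`apply`, as root) or audit an iptables-save dump (`check`). The interface names eth0/tun0, the script name vpn-nat.sh and the 203.0.113.10 public address are assumptions; replace them for your host.

```shell
#!/bin/sh
# Added example (not from the original page): IP forwarding plus the
# iptables FORWARD and SNAT rules for the VPN subnet, in one script.
#   DRY_RUN=1 ./vpn-nat.sh apply        -> print the commands instead of running them
#   ./vpn-nat.sh apply                  -> apply them (as root)
#   iptables-save | ./vpn-nat.sh check  -> report which required rules are missing
# Assumptions: WAN interface eth0, tun device tun0, VPN subnet 10.8.0.0/24
# (must match the "server" line in server.conf), public address WAN_IP
# (203.0.113.10 is a documentation address, replace it with yours).

WAN_IF="${WAN_IF:-eth0}"
TUN_IF="${TUN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
WAN_IP="${WAN_IP:-203.0.113.10}"

# run CMD... -> print the command when DRY_RUN=1, otherwise execute it
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# vpn_rules -> the sysctl and iptables commands, in order
vpn_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # replies to VPN clients come back in on the WAN side
    run iptables -A FORWARD -i "$WAN_IF" -o "$TUN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # clients may go out, but only with a source address from the VPN subnet
    run iptables -A FORWARD -i "$TUN_IF" -o "$WAN_IF" -s "$VPN_NET" -j ACCEPT
    # SNAT the /24 only; a /16 here would also NAT unrelated 10.8.x.x traffic
    run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
}

# rule_count -> how many commands vpn_rules issues
rule_count() {
    (DRY_RUN=1; vpn_rules) | wc -l | tr -d ' '
}

# has_rule DUMP CHAIN TOKEN... -> 0 if some "-A CHAIN" line of the
# iptables-save dump contains every token (iptables-save reorders
# arguments, e.g. -s before -i, so tokens are matched independently)
has_rule() {
    d=$1 chain=$2; shift 2
    lines=$(printf '%s\n' "$d" | grep -- "^-A $chain ") || return 1
    for tok in "$@"; do
        lines=$(printf '%s\n' "$lines" | grep -F -- "$tok") || return 1
    done
    [ -n "$lines" ]
}

# check_ruleset -> reads an iptables-save dump on stdin, prints what is
# missing for "connected but no Internet"; exit 0 only if all is present
check_ruleset() {
    dump=$(cat) rc=0
    has_rule "$dump" POSTROUTING "-s $VPN_NET" "-o $WAN_IF" "-j SNAT" \
        || { echo "missing: nat POSTROUTING SNAT for $VPN_NET via $WAN_IF"; rc=1; }
    has_rule "$dump" FORWARD "-i $TUN_IF" "-o $WAN_IF" "-j ACCEPT" \
        || { echo "missing: FORWARD $TUN_IF -> $WAN_IF"; rc=1; }
    has_rule "$dump" FORWARD "-i $WAN_IF" "-o $TUN_IF" "ESTABLISHED" \
        || { echo "missing: FORWARD $WAN_IF -> $TUN_IF for established flows"; rc=1; }
    return $rc
}

case ${1:-} in
    apply) vpn_rules ;;
    check) check_ruleset ;;
esac
```

The `check` mode is the quick answer to troubleshooting item 4: if a client connects but has no Internet, `iptables-save | ./vpn-nat.sh check` names the missing rule instead of leaving you to read the whole ruleset.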

    

Part 2: Certificate authentication (certificate login)
# cd /usr/local/openvpn/etc/easy-rsa/
. ./vars
./build-key client_name      # do NOT run ./clean-all again here, it would wipe the CA
# For certificate login the client also needs its own certificate and key (client_name.crt and client_name.key from the keys/ directory), referenced with cert and key lines in the client config, and the client-cert-not-required line must be removed from server.conf.

Sample configuration (.ovpn)
1. Client client.ovpn: download ta.key and ca.crt from the server.
client
dev tun
proto udp
remote x.x.x.x 1194
resolv-retry 60
nobind
persist-key
persist-tun
ca ca.crt
auth-user-pass
ns-cert-type server      # checks the server certificate's nsCertType; remote-cert-tls server is the newer equivalent (easy-rsa 2.0's build-key-server sets both)
tls-auth ta.key 1
comp-lzo
verb 3
redirect-gateway def1
#route-method exe
#route-delay 2    # on Windows 7 these two lines must be uncommented, otherwise the client cannot change the routes: the VPN connects, but Internet traffic does not go through the remote server
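For certificate login (Part 2) the client needs its own cert and key, which the sample .ovpn above does not include. As an added example, not from the original page, this shell function builds a single-file profile that embeds ca.crt, the client certificate and key, and ta.key inline (key-direction 1 replaces the trailing 1 of the tls-auth line) and uses remote-cert-tls server instead of the older ns-cert-type. The keys directory layout follows the easy-rsa 2.0 setup above; the function name make_profile and the server name used in the usage note are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): build a one-file client profile
# for certificate login, embedding ca.crt, the client cert/key and ta.key
# inline so that only a single .ovpn has to be copied to the client.
# Assumptions: easy-rsa 2.0 keys directory as set up above (ca.crt, ta.key,
# NAME.crt, NAME.key), server address and port passed as arguments.

# pem_block FILE -> only the -----BEGIN ... -----END part of FILE
# (easy-rsa prepends a human-readable certificate dump to .crt files, and
# ta.key starts with "#" comment lines; neither needs to go into the profile)
pem_block() {
    sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}

# make_profile KEYS_DIR NAME SERVER [PORT] -> profile on stdout, 1 if a file is missing
make_profile() {
    keys=$1 name=$2 server=$3 port=${4:-1194}
    for f in ca.crt "$name.crt" "$name.key" ta.key; do
        [ -r "$keys/$f" ] || { echo "make_profile: missing $keys/$f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $server $port
resolv-retry 60
nobind
persist-key
persist-tun
remote-cert-tls server
key-direction 1
comp-lzo
verb 3
<ca>
$(pem_block "$keys/ca.crt")
</ca>
<cert>
$(pem_block "$keys/$name.crt")
</cert>
<key>
$(pem_block "$keys/$name.key")
</key>
<tls-auth>
$(pem_block "$keys/ta.key")
</tls-auth>
EOF
}
```

Usage on the server, e.g. `make_profile /usr/local/openvpn/etc/easy-rsa/keys client_name vpn.example.net > client_name.ovpn`; the resulting file contains the client's private key, so hand it over on a protected channel and delete the copy on the server afterwards.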

OpenVPN troubleshooting

1) ./build-ca fails with
[root@VM easy-rsa]# ./build-ca
grep: /usr/local/openvpn/etc/easy-rsa/openssl.cnf: No such file or directory
pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
version of openssl.cnf: /usr/local/openvpn/etc/easy-rsa/openssl.cnf
The correct version should have a comment that says: easy-rsa version 2.x

Solution
Create a symlink to the config that matches the installed OpenSSL (1.0.x here)
ln -s openssl-1.0.0.cnf openssl.cnf

2) Port not open
- check the "local" IP (it depends on the network): LAN IP or WAN IP? Behind a NAT router, "local" must be the LAN address; clients connect to the WAN address.

3) Router port forwarding
- forward UDP 1194 on the router to the server's LAN address

4) Connected but no Internet
- check IP forwarding (net.ipv4.ip_forward = 1)
- check iptables: the nat POSTROUTING SNAT rule for the VPN subnet, and that the FORWARD chain allows traffic between tun0 and eth0

5) make && make install error
Install the build toolchain
# yum -y install gcc automake autoconf libtool make
