Building key-based OpenVPN v2.1.3 from source
1. Compile and install openvpn
Download the source
wget http://openvpn.net/release/openvpn-2.1.3.tar.gz
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz
Extract the source and patches
tar -zxvf [path to openvpn-2.1.3.tar.gz]
tar -zxvf [path to lzo-2.06.tar.gz]
Compile lzo
cd /opt/lzo-2.06/
./configure && make && make install
Compile ipv6 openvpn
cd /opt/openvpn-2.1.3/
./configure --build=i386-redhat-linux-gnu --host=i386-redhat-linux-gnu --target=i686-redhat-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --enable-password-save --enable-iproute2 --with-ifconfig-path=/sbin/ifconfig --with-iproute-path=/sbin/ip --with-route-path=/sbin/route
make && make install
Install openssl
yum install -y openssl
2. Generate the key files
Download easy-rsa
cd /opt
yum install git
git clone git://github.com/OpenVPN/easy-rsa.git
cd easy-rsa/easy-rsa/2.0
Edit the configuration file
vi vars
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_EMAIL=mail@host.domain
Generate the key files
. vars
./clean-all
./build-ca
If you see
No /usr/share/openvpn/easy-rsa/2.0/openssl.cnf file could be found
Further invocations will fail
then run
cp openssl-1.0.0.cnf openssl.cnf
./build-key-server XXXXXX    [assumed to be "server" here; can be changed]
./build-key XXXXXX    [assumed to be "client" here; can be changed]
./build-dh
Copy the key files
cd keys
cp ca.crt server.crt server.key dh2048.pem /etc/openvpn
3. Server config file. Create server.conf in the /etc/openvpn directory and write the following into it; the original official reference server config is /usr/share/doc/openvpn-2.3.0/sample-config-files/server.conf
cp /usr/share/doc/openvpn-2.2.1/sample-config-files/server.conf /etc/openvpn
vi /etc/openvpn/server.conf
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
port 1194
;proto tcp
proto udp
;dev tap
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
dh /etc/openvpn/dh2048.pem
server 10.8.1.0 255.255.255.0
ifconfig-pool-persist /var/log/ipp.txt
push "route 10.8.1.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log # comment this line out to see errors directly on the console
verb 3
mute 20
4. Enable IP forwarding
vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
5. iptables settings
iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
/etc/init.d/iptables save
service iptables restart
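Added example, not from the original post and not part of OpenVPN: a small POSIX shell script that derives the step 4 and step 5 commands from the server.conf written in step 3, and checks that the ca/cert/key/dh paths that file names exist and that the server key is not readable by other users. The function names are the example's own; it assumes awk and GNU stat (CentOS, as in the post) and takes the outbound interface name (eth0 in the post) as an argument.

```shell
#!/bin/sh
# Added example, not part of the original post. It reads the tunnel subnet,
# port and protocol from server.conf (step 3) and emits the matching
# ip_forward and iptables commands (steps 4 and 5), so the two never drift
# apart, and it checks that the ca/cert/key/dh files the config names exist
# and that the private key is mode 0600.
# Assumptions: POSIX sh with awk and GNU stat (CentOS, as in the post); the
# outbound interface is passed in by the caller (the post uses eth0).

# mask_to_prefix 255.255.255.0 -> 24 (counts the set bits of a dotted mask)
mask_to_prefix() {
    echo "$1" | awk -F. '{
        bits = 0
        for (i = 1; i <= 4; i++) {
            n = $i
            while (n > 0) { bits += n % 2; n = int(n / 2) }
        }
        print bits
    }'
}

# conf_value FILE KEY -> argument of the first active KEY line; lines that
# start with ';' or '#' (commented out, as in the sample config) never match
conf_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# firewall_rules FILE IFACE -> prints the commands from steps 4 and 5 derived
# from the "server", "port" and "proto" lines of FILE
firewall_rules() {
    conf="$1"; iface="$2"
    net=$(awk '$1 == "server" { print $2; exit }' "$conf")
    mask=$(awk '$1 == "server" { print $3; exit }' "$conf")
    [ -n "$net" ] && [ -n "$mask" ] || { echo "no 'server' line in $conf" >&2; return 1; }
    port=$(conf_value "$conf" port); port=${port:-1194}     # OpenVPN defaults
    proto=$(conf_value "$conf" proto); proto=${proto:-udp}
    prefix=$(mask_to_prefix "$mask")
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -A POSTROUTING -s $net/$prefix -o $iface -j MASQUERADE"
    echo "iptables -A INPUT -p $proto --dport $port -j ACCEPT"
}

# check_key_files FILE -> 0 when every ca/cert/key/dh path in FILE is readable
# and the server key is mode 0600; otherwise reports each problem and returns 1
check_key_files() {
    conf="$1"; rc=0
    for opt in ca cert key dh; do
        f=$(conf_value "$conf" "$opt")
        if [ -z "$f" ] || [ ! -r "$f" ]; then
            echo "$opt: '$f' missing or unreadable" >&2; rc=1
        fi
    done
    keyf=$(conf_value "$conf" key)
    if [ -r "$keyf" ] && [ "$(stat -c %a "$keyf")" != "600" ]; then
        echo "key: $keyf should be mode 0600 (chmod 600 $keyf)" >&2; rc=1
    fi
    return $rc
}

# Stand-alone demo on a constructed config that mirrors the post's values.
demo() {
    tmp=$(mktemp -d)
    printf 'port 1194\n;proto tcp\nproto udp\nserver 10.8.1.0 255.255.255.0\n' > "$tmp/server.conf"
    firewall_rules "$tmp/server.conf" eth0
    rm -rf "$tmp"
}
demo
```

Run it on the server with sh and review the printed commands before applying them; the /etc/sysctl.conf edit and the iptables save from the post are still what makes the settings survive a reboot. check_key_files fails on a server.key that is readable by other users, which is the single most sensitive file under /etc/openvpn.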
6. Test start: run the command below; if you see Initialization Sequence Completed, the server is working.
openvpn --config /etc/openvpn/server.conf
7. Client config file. Create client.ovpn in the config folder of the OpenVPN install directory and write the following into it; the original official file is C:\Program Files\OpenVPN\sample-config\client.conf. You also need to download client.crt, client.key and ca.crt from the easy-rsa/easy-rsa/2.0/keys/ folder into the config folder.
client
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node OpenVPN
;proto tcp
proto udp
remote server-ip 1194
;remote my-server-2 1194
resolv-retry infinite
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
mute 20
Then test the connection; the debug output on the server and client sides will help, and search Baidu for specifics.
8. If the test succeeds, follow-up steps
8.1 Run openvpn in the background
openvpn --daemon --config /etc/openvpn/server.conf
8.2 Start on boot: edit /etc/rc.d/rc.local and add the following
openvpn --daemon --config /etc/openvpn/server.conf
9. Add a new openvpn user
cd easy-rsa/easy-rsa/2.0
. vars
./build-key XXXXXX
Likewise copy XXXXXX.crt, XXXXXX.key, ca.crt and client.ovpn into the config folder.
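Added example, not from the original post: a POSIX shell script for the per-user step above. It issues one certificate per user with the post's easy-rsa 2.0 scripts and bundles it together with ca.crt into a single self-contained .ovpn using OpenVPN's inline <ca>/<cert>/<key> blocks, so each user receives one file instead of four. The CA is deliberately not rebuilt, because ./build-ca replaces ca.crt and ca.key and every certificate already issued under the old CA stops validating. Issuing a separate certificate per user, rather than sharing one certificate under duplicate-cn, is also what makes it possible to revoke a single lost laptop later. The function names, the placeholder PEM files in the demo and the server address 203.0.113.10 are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post. It issues a certificate for
# one new user with the easy-rsa 2.0 scripts from step 2 and then packs
# ca.crt, NAME.crt and NAME.key into a single client profile with inline
# <ca>/<cert>/<key> blocks (supported since OpenVPN 2.1).
# The CA is deliberately not rebuilt: ./build-ca would replace ca.crt/ca.key
# and every certificate already issued under the old CA would stop validating.
# Assumptions: POSIX sh; the easy-rsa/easy-rsa/2.0 layout from the post with
# issued files under keys/; the profile directives mirror the post's client.ovpn.

# issue_client NAME -> runs ./build-key NAME; must be called from easy-rsa/2.0
issue_client() {
    [ -r ./vars ] && [ -x ./build-key ] || { echo "run this from easy-rsa/2.0" >&2; return 1; }
    . ./vars
    ./build-key "$1"
}

# pem_block FILE -> only the PEM body of FILE (easy-rsa .crt files carry a
# text dump before -----BEGIN that is not needed in the profile)
pem_block() {
    sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}

# bundle_profile NAME KEYS_DIR SERVER OUT -> writes OUT (mode 0600);
# returns 1 without writing anything when an input file is missing
bundle_profile() {
    name="$1"; keys="$2"; server="$3"; out="$4"
    ca="$keys/ca.crt"; crt="$keys/$name.crt"; key="$keys/$name.key"
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    # same directives as the post's client.ovpn, with the ca/cert/key file
    # options replaced by inline blocks
    {
        printf 'client\ndev tun\nproto udp\nremote %s 1194\n' "$server"
        printf 'resolv-retry infinite\nnobind\npersist-key\npersist-tun\n'
        printf 'ns-cert-type server\ncomp-lzo\nverb 3\nmute 20\n'
        printf '<ca>\n';   pem_block "$ca";  printf '</ca>\n'
        printf '<cert>\n'; pem_block "$crt"; printf '</cert>\n'
        printf '<key>\n';  pem_block "$key"; printf '</key>\n'
    } > "$out"
    chmod 600 "$out"   # the profile now contains the user's private key
}

# Stand-alone demo on constructed placeholder PEM files (not real keys).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CA' '-----END CERTIFICATE-----' > "$tmp/ca.crt"
    printf '%s\n' 'Certificate:' '    Data: (text dump)' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CLIENT' '-----END CERTIFICATE-----' > "$tmp/alice.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED-KEY' '-----END RSA PRIVATE KEY-----' > "$tmp/alice.key"
    bundle_profile alice "$tmp" 203.0.113.10 "$tmp/alice.ovpn" && cat "$tmp/alice.ovpn"
    rm -rf "$tmp"
}
demo
```

Typical use from the easy-rsa 2.0 directory is issue_client alice followed by bundle_profile alice keys <server-ip> alice.ovpn; the resulting file holds the user's private key, so hand it over through a channel you would trust with a password and delete it from the CA host afterwards.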