admin - 2013/1/10 11:41:00
The previous article covered installing a PPTP VPN on CentOS. PPTP is demanding about its environment, and most VPS servers are based on OpenVZ virtualization, so it often cannot be installed at all. On top of that, network environments differ, and in many cases ours are heavily restricted; the network I usually work from is locked down to the point that only HTTP on port 80 and HTTPS on port 443 can reach the outside, and a PPTP VPN is useless there. OpenVPN, however, lets you choose the port, and with its listening port changed to 443 it passes the block easily and you can roam the Internet.

First, OpenVPN needs TUN support, which most VPSes do not enable by default. You can check with this command:

    cat /dev/net/tun

If it returns:

    cat: /dev/net/tun: File descriptor in bad state

then TUN is fine; otherwise open a ticket with your VPS provider and ask them to enable it. Also, if you want to reach the Internet once connected to OpenVPN, you need the iptables NAT module as well. Check with:

    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE

If it returns:

    iptables: Unknown error 4294967295

then NAT is fine; otherwise, again, open a ticket and ask the VPS provider to enable it.

With the environment ready, we can start installing OpenVPN properly. Almost all the tutorials online build from source, but I find that inconvenient for later upgrades and maintenance, so here we install with yum. By default the CentOS yum repositories do not carry OpenVPN, so first install EPEL with:

    rpm -Uvh http://download.fedora.redhat.co ... ease-5-3.noarch.rpm

Once that succeeds the yum repositories contain OpenVPN, and you can install it directly with:

    yum -y install openvpn

This is where installing with yum pays off: OpenVPN needs lzo support, for example, and the installer checks the system and pulls in any missing components automatically. Let's find where it was installed:

    find / -name easy-rsa

There it is: /usr/share/openvpn/easy-rsa, which should be the same for everyone. Copy the easy-rsa folder out with:

    cp -R /usr/share/openvpn/easy-rsa /etc/openvpn/

Then cd /etc/openvpn/easy-rsa/2.0 and generate the certificates OpenVPN needs. Use vi vars to edit the environment variables (this involves the vi editor; if you don't know it, google it). Change the last few lines to match your situation:

    export KEY_COUNTRY="CN"
    export KEY_PROVINCE="AH"
    export KEY_CITY="HF"
    export KEY_ORG="Gray God"
    export KEY_EMAIL="admin@graygod.com"

After saving, run

    . vars

to apply the settings. Next, run ./build-ca server to create the certificate authority:

    Generating a 1024 bit RSA private key
    ........................++++++
    ....++++++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:  <Enter>
    State or Province Name (full name) [AH]:  <Enter>
    Locality Name (eg, city) [HF]:  <Enter>
    Organization Name (eg, company) [Gray God]:  <Enter>
    Organizational Unit Name (eg, section) []:  <Enter>
    Common Name (eg, your name or your server's hostname) [Gray God CA]:  <Enter>
    Name []:  <Enter>
    Email Address [admin@graygod.com]:  <Enter>

Note the places marked <Enter> (shown in red in the original): those are where you press Enter.

After creating the CA, generate the server certificate by entering ./build-key-server server:

    Generating a 1024 bit RSA private key
    ...++++++
    ...............++++++
    writing new private key to 'server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:  <Enter>
    State or Province Name (full name) [AH]:  <Enter>
    Locality Name (eg, city) [HF]:  <Enter>
    Organization Name (eg, company) [Black-Xstar Net Empire]:  <Enter>
    Organizational Unit Name (eg, section) []:  <Enter>
    Common Name (eg, your name or your server's hostname) [server]:  <Enter>
    Name []:  <Enter>
    Email Address [admin@graygod.com]:  <Enter>

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:  <Enter>
    An optional company name []:  <Enter>
    Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'CN'
    stateOrProvinceName   :PRINTABLE:'AH'
    localityName          :PRINTABLE:'HF'
    organizationName      :PRINTABLE:'Gray God'
    commonName            :PRINTABLE:'server'
    emailAddress          :IA5STRING:'admin@graygod.com'
    Certificate is to be certified until Nov 18 17:25:15 2019 GMT (3650 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

Again, note the parts in red (<Enter> and the y answers), which need manual input.

With the server certificate done, we generate the client certificate. In principle every OpenVPN user gets their own certificate; let's generate one to try. Enter the command ./build-key client1, where client1 is the client name; a second client would be client2.

    Generating a 1024 bit RSA private key
    .......++++++
    .........++++++
    writing new private key to 'client1.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:  <Enter>
    State or Province Name (full name) [AH]:  <Enter>
    Locality Name (eg, city) [HF]:  <Enter>
    Organization Name (eg, company) [Gray God]:  <Enter>
    Organizational Unit Name (eg, section) []:  <Enter>
    Common Name (eg, your name or your server's hostname) [client1]:  <Enter>
    Name []:  <Enter>
    Email Address [admin@graygod.com]:  <Enter>

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:  <Enter>
    An optional company name []:  <Enter>
    Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'CN'
    stateOrProvinceName   :PRINTABLE:'AH'
    localityName          :PRINTABLE:'HF'
    organizationName      :PRINTABLE:'Gray God'
    commonName            :PRINTABLE:'client1'
    emailAddress          :IA5STRING:'admin@graygod.com'
    Certificate is to be certified until Nov 18 17:31:21 2019 GMT (3650 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

Note the parts in red; they are much the same as when generating the server certificate above. Finally, generate the Diffie-Hellman parameters with ./build-dh, which takes a little while. Once all of the above is done, download the contents of /etc/openvpn/2.0/keys.

Next we configure OpenVPN. My configuration file is only a reference; adjust it to your situation. First cd .. back to the parent directory, then vi server.conf to create a new configuration file and enter the following:

    port 443
    proto tcp
    dev tun
    ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
    cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
    key /etc/openvpn/easy-rsa/2.0/keys/server.key
    dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
    server 10.8.0.0 255.255.255.0
    push "redirect-gateway def1"
    push "dhcp-option DNS 208.67.222.222"
    push "dhcp-option DNS 208.67.220.220"
    client-to-client
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    verb 3

The DNS server addresses can be replaced with your hosting provider's, or you can use OpenDNS as I do. I chose the tcp protocol and port 443 so that I can use it under cmwap; you can change them as well.

At this point OpenVPN itself is configured; next we set up access to the outside network. Enter vi /etc/sysctl.conf, find the line

    net.ipv4.ip_forward = 0

and change it to

    net.ipv4.ip_forward = 1

then save. Then run sysctl -p. Add the NAT rule with

    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 1.2.3.4

replacing 1.2.3.4 at the end with your VPS's IP address. When done, save the iptables settings with /etc/init.d/iptables save, then restart with /etc/init.d/iptables restart. To start OpenVPN at boot, open vi /etc/rc.local and append this line at the end:

    /usr/sbin/openvpn --config /etc/openvpn/server.conf &

That concludes the work on the server; start it with:

    openvpn --config /etc/openvpn/server.conf &

Unlike PPTP, OpenVPN requires a client to be installed. Download the latest Windows Installer from http://www.openvpn.net/index.php/open-source/downloads.html and install it. Then run tar -cf keys.tar keys (download the packaged keys.tar to your local machine). In the keys folder find the three files ca.crt, client1.crt and client1.key and put them in C:\Program Files\OpenVPN\config. In that same folder create a text file named "client1.ovpn" with the following content:

    client
    dev tun
    proto tcp
    remote 1.2.3.4 443
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client1.crt
    key client1.key
    ns-cert-type server
    comp-lzo
    verb 3

Change 1.2.3.4 on line 4 to your VPS's IP address and save. Find OpenVPN GUI in the Start menu and run it (on Vista and Win7 it must be run as administrator). Click Connect, wait a moment, and it should be connected.
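The post packages the whole keys directory with tar -cf keys.tar keys and downloads it, although the client only needs ca.crt, client1.crt and client1.key; ca.key (which can sign new client certificates) and server.key have no business leaving the server. The following shell script is an added example, not part of the original post: it builds a per-client bundle by naming exactly the three client files, and a second function checks an existing bundle for anything else that slipped in. The keys directory layout and file names are assumed to be those easy-rsa produces in the post (ca.crt, ca.key, server.crt, server.key, clientN.crt, clientN.key).

```shell
#!/bin/sh
# Added example (not from the original post): build a per-client OpenVPN
# bundle that contains only what the client needs, leaving ca.key and
# server.key on the server.
# Arguments: keys directory, client name, output tar path.
make_client_bundle() {
    keys_dir="$1"
    client="$2"
    out="$3"

    # Every file the client needs must exist before we package anything.
    for f in ca.crt "$client.crt" "$client.key"; do
        if [ ! -f "$keys_dir/$f" ]; then
            echo "missing $keys_dir/$f" >&2
            return 1
        fi
    done

    # Package by explicit file name (never the whole directory) so that
    # ca.key, server.key and other clients' keys cannot be swept in.
    tar -cf "$out" -C "$keys_dir" ca.crt "$client.crt" "$client.key"
}

# Verify that a bundle carries nothing beyond the three files for the
# named client. Prints each offending entry and returns 1 if any is found.
check_client_bundle() {
    bundle="$1"
    client="$2"
    bad=0
    for entry in $(tar -tf "$bundle"); do
        case "$entry" in
            ca.crt|"$client.crt"|"$client.key") ;;
            *) echo "unexpected entry in bundle: $entry" >&2; bad=1 ;;
        esac
    done
    return $bad
}
```

Usage on the server from the post: make_client_bundle /etc/openvpn/easy-rsa/2.0/keys client1 /root/client1.tar, then transfer only that tar to the client machine; check_client_bundle /root/client1.tar client1 should print nothing and exit 0.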
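The ns-cert-type server line in client1.ovpn above is the one directive that stops a holder of any other certificate issued by the same CA (client2's, for instance) from posing as the server: without it the client accepts any CA-signed certificate as the server. The script below is an added example and not code from the original post; it is a small lint for a client profile in the format shown above, checking for that server-role check (accepting either the legacy ns-cert-type server from the post or its modern replacement remote-cert-tls server), for the ca/cert/key references, and for a remote line whose 1.2.3.4 placeholder has actually been replaced. The profile path argument and the directive names are as in the post; the two constructed profiles in the test are mine.

```shell
#!/bin/sh
# Added example (not from the original post): lint an OpenVPN client
# profile such as client1.ovpn before handing it to a user.

# Print the value of a directive (text after the keyword), or nothing if
# the directive is absent. Comment lines are ignored and the keyword must
# be the first word on the line.
ovpn_get() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        $1 == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Return 0 when the profile passes, 1 otherwise. Findings go to stdout so
# a caller can collect them.
lint_ovpn() {
    profile="$1"
    status=0

    # 1. The server certificate must be checked for a server role. Without
    #    this, any certificate issued by the same CA is accepted as the
    #    server. ns-cert-type is the legacy form used in the post;
    #    remote-cert-tls is the replacement in current OpenVPN releases.
    if [ "$(ovpn_get "$profile" remote-cert-tls)" != server ] \
       && [ "$(ovpn_get "$profile" ns-cert-type)" != server ]; then
        echo "missing: remote-cert-tls server (or legacy ns-cert-type server)"
        status=1
    fi

    # 2. CA certificate, client certificate and client key must all be set.
    for d in ca cert key; do
        if [ -z "$(ovpn_get "$profile" "$d")" ]; then
            echo "missing: $d"
            status=1
        fi
    done

    # 3. remote must name a host and a port, and the post's 1.2.3.4
    #    placeholder must have been replaced with the real server address.
    remote=$(ovpn_get "$profile" remote)
    case "$remote" in
        "")        echo "missing: remote"; status=1 ;;
        1.2.3.4*)  echo "remote still uses the placeholder 1.2.3.4"; status=1 ;;
        *\ *)      ;;   # host and port both present
        *)         echo "remote has no port: $remote"; status=1 ;;
    esac

    return $status
}
```

Usage: lint_ovpn client1.ovpn prints one line per finding and exits non-zero if anything is wrong, so it can gate a deployment script.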