Client: Win7 64-bit
OpenVPN server: CentOS 5.8, public IP x.x.x.x, LAN IP 192.168.53.230

First install the packages:
yum install lzo
yum -y install openvpn easy-rsa

Enable IP forwarding on the server:
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p

Prepare to create the CA certificate files by editing the variable values in the vars file: country, province, city, organization, e-mail, organizational unit.
cd /usr/share/easy-rsa/2.0/

This is the edited file:
cat vars | grep -E '^[^#]'
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="CN"
export KEY_PROVINCE="GD"
export KEY_CITY="Gangzhou"
export KEY_ORG="MyOrganizationalUnit"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
export KEY_NAME="EasyRSA"

source this file so the variables take effect; then you won't have to type them in when running the commands below.
source vars

For the following commands just keep pressing Enter; type Y whenever it asks for Y.
./clean-all
./build-ca
./build-key-server server
./build-key win7
./build-key client
./build-dh
openvpn --genkey --secret keys/ta.key

Create the openvpn configuration directory and copy the generated files into it:
mkdir /etc/openvpn/keys
cp keys/{ca.crt,server.{crt,key},dh2048.pem,ta.key} /etc/openvpn/keys/
cp /usr/share/doc/openvpn-2.3.8/sample/sample-config-files/server.conf /etc/openvpn/

The configuration file is as follows:
grep '^[^#;]' /etc/openvpn/server.conf
port 1194
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 "
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "route 192.168.53.0 255.255.255.0"
If you only need to reach the LAN, enable this line (the LAN being the real internal network your server sits on) and comment out the two lines above.
client-to-client
duplicate-cn
keepalive 10 120
tls-auth keys/ta.key 0
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
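As an added check, not part of the original post, the following Python reads a server.conf the same way the grep above does (lines starting with # or ; are comments) and summarises the options that decide who may connect and where client traffic goes: the listener, whether tls-auth is set and with which key direction, duplicate-cn, client-to-client, and the pushed gateway, routes and DNS. The embedded sample is a constructed, abridged copy of the server.conf shown above; parse_conf and audit are names chosen here.

```python
import shlex
from collections import defaultdict

# Constructed, abridged copy of the server.conf shown above (as the grep prints it).
SAMPLE_CONF = """\
port 1194
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 "
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "route 192.168.53.0 255.255.255.0"
client-to-client
duplicate-cn
tls-auth keys/ta.key 0
"""

def parse_conf(text):
    """Option -> list of argument lists (push repeats); # and ; lines are comments."""
    opts = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = shlex.split(line)  # a quoted argument stays one token
        opts[name].append(args)
    return opts

def audit(opts):
    """Settings that decide who may connect and where client traffic goes."""
    pushed = [a[0].strip() for a in opts["push"] if a]
    ta = opts["tls-auth"]
    proto = opts["proto"][0][0] if opts["proto"] else "udp"  # OpenVPN defaults
    port = opts["port"][0][0] if opts["port"] else "1194"
    return {
        "listen": proto + "/" + port,
        # key direction 0 here must pair with 1 in client.ovpn (tls-auth ta.key 1)
        "tls_auth_key_direction": ta[0][1] if ta and len(ta[0]) > 1 else None,
        "duplicate_cn": "duplicate-cn" in opts,      # several clients may share one cert
        "client_to_client": "client-to-client" in opts,
        "full_tunnel": any(p.startswith("redirect-gateway") for p in pushed),
        "pushed_routes": [p for p in pushed if p.startswith("route ")],
        "pushed_dns": [p.split()[-1] for p in pushed if p.startswith("dhcp-option DNS")],
    }
```

Run audit(parse_conf(open("/etc/openvpn/server.conf").read())) on the real file to see the same summary for your own server.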
*nat
:PREROUTING ACCEPT [133815:106094014]
:POSTROUTING ACCEPT [106420:6438724]
:OUTPUT ACCEPT [106420:6438724]
-A POSTROUTING -s 10.8.0.0/255.255.255.0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [25601:1544411]
:FORWARD ACCEPT [2478:211489]
:OUTPUT ACCEPT [1297534:172358827]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1194 -m comment --comment "openvpn" -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 20/sec --limit-burst 20 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
This is my iptables configuration. If you want to use it to get past the firewall, make sure DNS can resolve, otherwise all you'll be able to do is log in to QQ.

/etc/init.d/openvpn start    # once the server is configured you can start openvpn

Next, configure the client:
cp /usr/share/doc/openvpn-2.3.8/sample/sample-config-files/client.conf /usr/share/easy-rsa/keys/client.ovpn
grep '^[^#;]' /usr/share/easy-rsa/keys/client.ovpn
dev tun
proto tcp
remote YOUR_OPENVPN_SERVER_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert win7.crt
key win7.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3

cd /usr/share/easy-rsa/2.0/keys/
zip conf.zip win7.crt win7.key ca.crt ta.key client.ovpn
sz conf.zip

1. Download the client and install it with the defaults (the download link may require getting past the firewall):
http://vpntech.googlecode.com/files/openvpn-2.1.1-gui-1.0.3-install-cn-64bit.zip
2. Copy conf.zip from the server to C:\Program Files (x86)\OpenVPN\config on the client and unzip it there.
After installation the program must be run as Administrator, otherwise it cannot add the route and reports an error.
That's all there is to the setup...
The latency is a bit high, but it really is connected. Done, wrapping up.