客户端:win7 64bit
openvpn: centos5.8 外网IP:x.x.x.x 内网IP:192.168.53.230
首先安装软件包:
yum install lzo
yum -y install openvpn easy-rsa
开启服务器端路由转发功能
vim /etc/sysctl.conf
net.ipv4.ip_forward= 1
sysctl -p
准备创建CA证书文件,修改vars文件中变量值。国家、省、城市、组织、邮箱、单位
cd /usr/share/easy-rsa/2.0/
这是修改好的文件
cat vars |grep -E ^[^
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="CN"
export KEY_PROVINCE="GD"
export KEY_CITY="Gangzhou"
export KEY_ORG="MyOrganizationalUnit"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
export KEY_NAME="EasyRSA"
source 一下这个文件 使这些变量生效,等下执行下面就不用输入了
source vars
一下这些命令不停的enter就行了,需要输入Y的时候输入Y
./clean-all
./build-ca
./build-key-server server
./build-key win7
./build-key client
./build-dh
openvpn --genkey --secret keys/ta.key
创建openvpn配置目录,拷贝生成的文件到指定目录下
mkdir /etc/openvpn/keys
cp keys/{ca.crt,server.{crt,key},dh2048.pem,ta.key} /etc/openvpn/keys/
cp /usr/share/doc/openvpn-2.3.8/sample/sample-config-files/server.conf /etc/openvpn
/
配置文件如下:
grep '^[^#;]' /etc/openvpn/server.conf
port 1194
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 "
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "route 192.168.53.0 255.255.255.0" 如果只要连内网,打开这行,其中内网为你服务器所在的真实内网 ,以上两行都注释掉
client-to-client
duplicate-cn
keepalive 10 120
tls-auth keys/ta.key 0
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
*nat
:PREROUTING ACCEPT [133815:106094014]
:POSTROUTING ACCEPT [106420:6438724]
:OUTPUT ACCEPT [106420:6438724]
-A POSTROUTING -s 10.8.0.0/255.255.255.0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [25601:1544411]
:FORWARD ACCEPT [2478:211489]
:OUTPUT ACCEPT [1297534:172358827]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1194 -m comment --comment "openvpn" -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 20/sec --limit-burst 20 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
这是我的iptables配置,如果你要翻墙的话,要注意dns要能解析,不然你就只能登QQ了。
/etc/init.d/openvpn start #服务器配好之后,可以开启openvpn了
接下来配置客户端
cp /usr/share/doc/openvpn-2.3.8/sample/sample-config-files/client.conf /usr/share/easy-rsa/keys/client.ovpn
grep '^[^#;]' /usr/share/easy-rsa/keys/client.ovpn
dev tun
proto tcp
remote 你的openvpn服务器IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert win7.crt
key win7.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
cd /usr/share/easy-rsa/2.0/keys/
zip conf.zip win7.crt win7.key ca.crt ta.key client.ovpn
sz conf.zip
1.下载客户端,并默认安装:下载地址可能需要翻墙
http://vpntech.googlecode.com/files/openvpn-2.1.1-gui-1.0.3-install-cn-64bit.zip
2.将服务端内conf.zip复制到客户端C:\Program Files(x86)\OpenVPN\config下并解压.
安装好后,需要以管理员的身份运行此程序,不然会添加不了route,导致报错
这样设置就好了...
延迟虽然有点高,但是确实已经连上了。搞定了,收工了。
