OpenVPN Installation and Configuration in Practice


OpenVPN is more secure than PPTP, L2TP and IPsec because it authenticates with three certificates, giving full encryption of the entire communication link.

Note: this document draws on the help document from VPSYOU.com, with thanks.
The help document is at: http://www.vpsyou.com/centos5-5-install-openvpn/

During the actual installation and configuration, however, I found that this help document still contains a few small configuration errors. To make OpenVPN easy to uninstall, I also placed the scattered program directories under one common location, added firewall rules, and finally logged in successfully and got past the GFW. So I wrote the whole process down for reference.

Installation steps:

I. First check whether the tun device is available on the VPS. If it is not, contact support to have it enabled; otherwise OpenVPN cannot start.
Log in as root and run:
# cat /dev/net/tun
cat: /dev/net/tun: File descriptor in bad state

If the output looks like the above, the tun device is available; any other result means the device is not working and OpenVPN cannot be installed.

II. Download the required packages:
wget ftp://rpmfind.net/linux/epel/5/i386/pkcs11-helper-devel-1.07-2.el5.1.i386.rpm
wget ftp://rpmfind.net/linux/epel/5/i386/pkcs11-helper-1.07-2.el5.1.i386.rpm
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gz
wget http://swupdate.openvpn.net/community/releases/openvpn-2.1.4.tar.gz

III. Install the development packages with yum
yum install -y openssl openssl-devel automake pkgconfig iptables

IV. Install the OpenVPN server
1. Install the pkcs11-helper RPM packages
rpm -ivh pkcs11-helper-1.07-2.el5.1.i386.rpm
rpm -ivh pkcs11-helper-devel-1.07-2.el5.1.i386.rpm

2. Install LZO
tar zxvf lzo-2.04.tar.gz
cd lzo-2.04/
./configure --prefix=/opt/lzo
make
make check
make install
cd ../

3. Install OpenVPN

tar zxvf openvpn-2.1.4.tar.gz
cd openvpn-2.1.4
./configure --prefix=/opt/openvpn --with-lzo-headers=/opt/lzo/include --with-lzo-lib=/opt/lzo/lib --with-ssl-headers=/usr/include/openssl --with-ssl-lib=/usr/lib
make
make install

Next comes the creation of the key and certificate files. Three are needed in total: the CA, the server key and the client key.

4. Generate the certificates and keys
cp -r easy-rsa /opt/openvpn/
cd /opt/openvpn/easy-rsa/2.0/

vim export_new_var

export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
export KEY_SIZE=1024 # 1024-bit RSA is weak by current standards; 2048 is the usual minimum
export KEY_COUNTRY=CN # country
export KEY_PROVINCE=BJ # province
export KEY_CITY=BJ   # city
export KEY_ORG="heyLinux.com" # organization
export KEY_EMAIL="root@heyLinux.com" # e-mail

source export_new_var
./clean-all

./build-ca

Generating a 1024 bit RSA private key
..++++++
...........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [heyLinux.com]:
Organizational Unit Name (eg, section) []:heyLinux
Common Name (eg, your name or your server's hostname) [heyLinux.com CA]:heyLinux.com
Name []:heyLinux
Email Address [root@heyLinux.com]:

5. Build the server key

[root@centos 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
............................++++++
..........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [heyLinux.com]:
Organizational Unit Name (eg, section) []:heyLinux
Common Name (eg, your name or your server's hostname) [server]:heyLinux.com
Name []:heyLinux
Email Address [root@heyLinux.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:heyLinux.com
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'BJ'
organizationName      :PRINTABLE:'heyLinux.com'
organizationalUnitName:PRINTABLE:'heyLinux'
commonName            :PRINTABLE:'heyLinux.com'
name                  :PRINTABLE:'heyLinux'
emailAddress          :IA5STRING:'root@heyLinux.com'
Certificate is to be certified until Apr 12 08:21:52 2021 GMT (3650 days)
Sign the certificate? [y/n]:y

6. Generate the client key

[root@centos 2.0]# ./build-key client1
Generating a 1024 bit RSA private key
................................................................................
.........++++++
......................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [heyLinux.com]:
Organizational Unit Name (eg, section) []:heyLinux
Common Name (eg, your name or your server's hostname) [client1]:
Name []:heyLinux
Email Address [root@heyLinux.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:heyLinux.com
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'BJ'
organizationName      :PRINTABLE:'heyLinux.com'
organizationalUnitName:PRINTABLE:'heyLinux'
commonName            :PRINTABLE:'client1'
name                  :PRINTABLE:'heyLinux'
emailAddress          :IA5STRING:'root@heyLinux.com'
Certificate is to be certified until Apr 12 08:24:33 2021 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


To generate more client keys, repeat the steps above, replacing client1 with client2, client3 and so on.

At this point all keys have been generated. If you want to delete them and generate them again, run the following commands.
source export_new_var
./clean-all

7. Generate the Diffie-Hellman parameters
./build-dh

8. Pack up all files under keys and download them to your local machine
tar -cf keys.tar keys
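Steps 4 to 7 drive easy-rsa interactively, which makes it hard to see what the three certificates actually are or to check them afterwards. The following is an added example, not the article's commands and not easy-rsa's scripts: it builds the same three-part PKI (CA, server certificate, client certificate) with plain openssl, non-interactively, and then verifies each certificate the way OpenVPN's peers will at handshake time. Everything in it is an assumption of the example: the paths under a temporary directory, the organisation name example.invalid, the 2048-bit key size, and the extendedKeyUsage split between server and client, which is what lets a client notice when a peer presents a client certificate as the server (the check the client.conf line "ns-cert-type server" asks OpenVPN 2.1 to perform). Diffie-Hellman parameters are not generated here; that remains build-dh's job.

```shell
#!/bin/sh
# Added example (not the article's or easy-rsa's code): a three-certificate
# OpenVPN PKI built with plain openssl. Assumes openssl on PATH; all paths
# and names are this example's own choices.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"   # hypothetical location, not /opt/openvpn
KEY_SIZE=2048                          # the article uses 1024; 2048 is the usual minimum now
DAYS=3650

# Self-signed CA. This key signs every server and client cert, so once the
# certs are issued it belongs off the VPN host, not in the keys/ tarball.
build_ca() {
    openssl req -x509 -newkey "rsa:$KEY_SIZE" -nodes -sha256 -days "$DAYS" \
        -subj "/C=CN/ST=BJ/L=BJ/O=example.invalid/CN=example CA" \
        -keyout "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.crt" 2>/dev/null
}

# Issue an end-entity cert signed by the CA.
# $1 = name (file base name and CN), $2 = "server" or "client".
# The extendedKeyUsage value is what distinguishes the two roles.
issue_cert() {
    name="$1"; role="$2"
    case "$role" in
        server) eku="serverAuth" ;;
        client) eku="clientAuth" ;;
        *) echo "role must be server or client" >&2; return 1 ;;
    esac
    ext="$PKI_DIR/$name.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\nkeyUsage=digitalSignature,keyEncipherment\n' \
        "$eku" > "$ext"
    openssl req -new -newkey "rsa:$KEY_SIZE" -nodes -sha256 \
        -subj "/C=CN/ST=BJ/L=BJ/O=example.invalid/CN=$name" \
        -keyout "$PKI_DIR/$name.key" -out "$PKI_DIR/$name.csr" 2>/dev/null
    openssl x509 -req -sha256 -days "$DAYS" -in "$PKI_DIR/$name.csr" \
        -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" -CAcreateserial \
        -extfile "$ext" -out "$PKI_DIR/$name.crt" 2>/dev/null
}

# Verify that cert $1 chains to our CA and is usable in role $2.
# Returns 0 when it is; a client cert checked as "server" must fail.
verify_cert() {
    name="$1"; role="$2"
    case "$role" in
        server) purpose="sslserver" ;;
        client) purpose="sslclient" ;;
        *) echo "role must be server or client" >&2; return 1 ;;
    esac
    openssl verify -CAfile "$PKI_DIR/ca.crt" -purpose "$purpose" \
        "$PKI_DIR/$name.crt" >/dev/null 2>&1
}

# Key size embedded in cert $1, for auditing an existing deployment.
cert_key_bits() {
    openssl x509 -in "$PKI_DIR/$1.crt" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Build the full set: one CA, one server cert, one client cert.
build_pki() {
    build_ca
    issue_cert server server
    issue_cert client1 client
}
```

Source the file and call build_pki, then verify_cert server server and verify_cert client1 client; more clients are just further issue_cert calls with a unique name each, since the CN is how the server tells clients apart. On the server only ca.crt, server.crt and server.key are needed, and a client needs only ca.crt plus its own pair.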

9. Create the server configuration file

vi /opt/openvpn/etc/server.conf
with the following content:

port 1194
proto udp

dev tun

ca /opt/openvpn/easy-rsa/2.0/keys/ca.crt
cert /opt/openvpn/easy-rsa/2.0/keys/server.crt
key /opt/openvpn/easy-rsa/2.0/keys/server.key
dh /opt/openvpn/easy-rsa/2.0/keys/dh1024.pem

server 10.10.20.0 255.255.255.0

client-to-client
keepalive 10 120

comp-lzo

persist-key
persist-tun
status /opt/openvpn/easy-rsa/2.0/keys/openvpn-status.log
verb 4

push "dhcp-option DNS 10.10.20.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

10. Create the client configuration file

vi /opt/openvpn/etc/client.conf
with the following content:

client

dev tun
proto udp

remote 204.74.215.57 1194 # replace with your own IP
persist-key
persist-tun
ca /opt/openvpn/easy-rsa/2.0/keys/ca.crt
cert /opt/openvpn/easy-rsa/2.0/keys/client1.crt
key /opt/openvpn/easy-rsa/2.0/keys/client1.key
ns-cert-type server
comp-lzo
verb 3

redirect-gateway def1
route-method exe
route-delay 2
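The server.conf and client.conf above work, but a reviewer would flag several of their settings: no tls-auth, 1024-bit DH parameters, no privilege drop, no CRL, and a status log written into the directory that holds the private keys. The following is an added example, not part of the article, that encodes those review points as a small audit of an OpenVPN 2.x config file. It uses only POSIX sh, grep and sed; OpenVPN is not needed. The directives it looks for (tls-auth, tls-crypt, crl-verify, user, group, cipher, remote-cert-tls, ns-cert-type, client-to-client) are real OpenVPN directives, but which of them count as a finding is this example's own policy, and the config files the usage note mentions are constructed for it.

```shell
#!/bin/sh
# Added example (not from the article): audit an OpenVPN 2.x config for the
# points a reviewer would raise about the server.conf and client.conf shown
# above. The policy (what counts as a finding) is this example's own choice.
set -eu

# True when config file $1 contains an uncommented directive matching ERE $2
# at the start of a line. Comments (# or ;) are stripped first.
has_directive() {
    sed 's/[#;].*//' "$1" | grep -Eq "^[[:space:]]*($2)([[:space:]]|$)"
}

# Print one finding per line for config file $1; prints nothing when clean.
# A file containing the bare "client" directive is audited as a client.
audit_openvpn_conf() {
    conf="$1"
    if has_directive "$conf" 'client'; then mode=client; else mode=server; fi

    # Both roles: without an explicit cipher, OpenVPN 2.1-2.3 default to BF-CBC.
    has_directive "$conf" 'cipher' \
        || echo 'cipher not set: OpenVPN 2.1-2.3 default to BF-CBC (64-bit block Blowfish)'
    # Both roles: tls-auth/tls-crypt let the server drop unauthenticated UDP
    # before any TLS handshake starts.
    has_directive "$conf" 'tls-auth|tls-crypt' \
        || echo 'no tls-auth/tls-crypt: any host can start a TLS handshake against the port'

    if [ "$mode" = server ]; then
        has_directive "$conf" 'dh[[:space:]]+[^[:space:]]*dh1024[^[:space:]]*' \
            && echo 'dh1024.pem: 1024-bit DH parameters are too small; regenerate with 2048 bits'
        has_directive "$conf" 'user' && has_directive "$conf" 'group' \
            || echo 'no user/group: the daemon keeps root after it has read its keys'
        has_directive "$conf" 'crl-verify' \
            || echo 'no crl-verify: a revoked client certificate is still accepted'
        has_directive "$conf" 'client-to-client' \
            && echo 'client-to-client: VPN clients can reach each other; drop it unless intended'
        has_directive "$conf" 'status[[:space:]]+[^[:space:]]*keys[^[:space:]]*' \
            && echo 'status file lives in the keys directory: keep logs away from ca.key and server.key'
    else
        has_directive "$conf" 'remote-cert-tls[[:space:]]+server|ns-cert-type[[:space:]]+server' \
            || echo 'no remote-cert-tls/ns-cert-type server: any client cert from the CA could pose as the server'
    fi
    return 0
}

# Number of findings for config file $1, as a value a script can test.
audit_count() {
    audit_openvpn_conf "$1" | wc -l | tr -d ' '
}
```

Run audit_openvpn_conf /opt/openvpn/etc/server.conf and the article's configuration yields seven findings; a server.conf that adds cipher, tls-auth, crl-verify, user/group, a 2048-bit dh file, drops client-to-client and moves the status file out of keys/ yields none. The client.conf above passes the server-identity check because of its ns-cert-type server line and is flagged only for the missing cipher and tls-auth, which must match the server's settings.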

11. Make the OpenVPN server start automatically after a reboot

vi /etc/rc.local
and add:
/opt/openvpn/sbin/openvpn --config /opt/openvpn/etc/server.conf > /dev/null 2>&1 &

Start the OpenVPN server
/opt/openvpn/sbin/openvpn --config /opt/openvpn/etc/server.conf > /dev/null 2>&1 &

Check that the server has started
Run netstat -lnp
If you see 0.0.0.0:1194 in the output, the server has started successfully.

V. Firewall rules
1. Open the OpenVPN server port
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
2. Enable NAT so that clients share the server's Internet access
iptables -t nat -A POSTROUTING -s 10.10.20.0/255.255.255.0 -o eth0 -j MASQUERADE
3. Enable packet forwarding
sysctl -w net.ipv4.ip_forward=1
Note that the iptables rules and the sysctl setting take effect immediately but do not survive a reboot on their own: save the rules (service iptables save on CentOS 5) and put net.ipv4.ip_forward = 1 in /etc/sysctl.conf, or forwarding will stop after the next restart.

VI. Installing the OpenVPN GUI client for Windows
1. Download and install .NET Framework 3.5 SP1
The OpenVPN client requires .NET Framework 3.5 SP1 or later, so unfortunately we have to install it first.
Download: http://www.microsoft.com/downloads/zh-cn/details.aspx?FamilyID=333325fd-ae52-4e35-b531-508d977d32a6&DisplayLang=zh-cn

2. Download and install the OpenVPN client
Download: http://swupdate.openvpn.net/downloads/openvpn-client.msi

3. Create the client configuration file

Go to the program directory C:\Program Files\OpenVPN Technologies\OpenVPN Client\etc\profile
and create the configuration file client.ovpn with the following content:

client 

dev tun
proto udp 

remote 204.74.215.57 1194 # replace with your own IP

persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3 

redirect-gateway def1
route-method exe
route-delay 2

4. Put the certificates and other required files into the client directory
Extract the keys.tar archive created earlier and move all files from the directory into:
C:\Program Files\OpenVPN Technologies\OpenVPN Client\etc\profile
The client only reads ca.crt, client1.crt and client1.key; ca.key and server.key should stay on the server rather than being copied to client machines.

5. Start the OpenVPN client
Start the OpenVPN client software, click to add a connection profile, choose import from a local file, and import the client.ovpn file you just created.
As shown in the screenshot below:

A Client1 entry then appears in the interface; click it to log in.

Login successful

The whole OpenVPN installation is now complete. If you too have a VPS hosted abroad, go and enjoy getting past the GFW.

VII. Uninstalling OpenVPN
If you find OpenVPN too much trouble to use, or want to remove it for any other reason, run the following.

killall openvpn
# rpm -e takes the installed package name, not the .rpm file name;
# remove the -devel package first because it depends on the base package
rpm -e pkcs11-helper-devel
rpm -e pkcs11-helper

rm -rf /opt/lzo
rm -rf /opt/openvpn

Note: for deploying a newer OpenVPN Server version without building from source, see "Deploying OpenVPN Server on CentOS 6

  1. #1 by 傻瓜猫 on 2012/05/09 - 09:06

    Haha, tested successfully, many thanks!
    Just one thing: in "Generate the Diffie-Hellman parameters" I hit an error

    ./build-dh: line 7: dhparam: command not found

    Solution:
    vi build-dh
    change $OPENSSL to openssl

    • #2 by mcsrainbow on 2012/05/09 - 10:00

      The environment variable was probably lost. When you run into this kind of problem, following the line number in the error message into the script usually reveals the cause.

  2. #3 by kw on 2012/06/17 - 12:53

    I have a question. I went over the wall and installed OpenVPN from the official site, using the username and password from another service; the configuration was fine, but I could not log in. I then installed the OpenVPN provided by the source site and still could not log in with the username and password. The system is Win7 64-bit; the network comes from the router in the living room and then goes through another wireless router in my room. Is it failing because I am using two routers?

  3. #4 by tumor on 2012/08/30 - 22:49

    After installing OpenVPN on CentOS 6.3, why is it that the client can connect to the server but the server does not forward packets? tracert stops at the host every time.

    • #5 by mcsrainbow on 2012/09/09 - 13:17

      You need to make sure the server does NAT for Internet access, which is what the iptables rules in my article do.

  4. #6 by hey on 2012/10/15 - 16:56

    Step 10 in "IV. Install the OpenVPN server" is not needed

  5. #7 by 523775 on 2013/07/10 - 16:19

    I configured everything without any errors
    but cannot connect
    Could you outline a general troubleshooting approach?

  6. #8 by 廖世勇 on 2014/05/16 - 14:18

    I have OpenVPN configured, the client can connect to the server, and the server can see the clients' virtual IPs, but I found that every client shows up as 10.10.0.6, and sending data from the server to a client fails. What is the reason?
    Also, if I had 1000 clients, how does OpenVPN allocate addresses? Would the IPs not overlap?

    • #9 by mcsrainbow on 2014/05/16 - 18:07

      server 10.10.20.0 255.255.255.0
      configures a network range, and addresses are allocated to you from within that range.

  7. #10 by JP4017 on 2014/05/24 - 22:38

    When I import the certificate I always get KT, but online I see it should be KR, so I cannot connect. Do you know what the cause might be?
