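Setting Up OpenVPN on a VPS

VPN literally translates to "virtual private channel": a tunnel for secure data transfer between companies, or between an individual and a company. OpenVPN is without doubt the pioneer of open-source VPNs on Linux, offering good performance and a friendly user GUI. (Looks pretty awesome, doesn't it....)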

1. Make sure you are root, or a user with enough privileges to get things done (the first thing to do is yum)

    [root@ipython ~]# yum install pam-devel openssl-devel automake pkgconfig gcc-c++ make ntpdate wget unzip
    # Optional, if you don't mind the extra packages #
    [root@ipython ~]# yum -y groupinstall "Development Tools"
    # Time synchronization #
    [root@ipython ~]# ntpdate ntp.sjtu.edu.cn

2. Download and install the lzo library (for details see: Compiling and Installing OpenVPN on CentOS 6.5)

    [root@ipython openvpn]# wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.08.tar.gz
    [root@ipython openvpn]# tar zxf lzo-2.08.tar.gz
    [root@ipython openvpn]# cd lzo-2.08
    [root@ipython lzo-2.08]# ./configure --prefix=/software/lzo
    [root@ipython lzo-2.08]# make && make install

3. Install and configure OpenVPN

    [root@ipython ~]# wget http://swupdate.openvpn.org/community/releases/openvpn-2.3.6.tar.gz
    [root@ipython openvpn]# tar zxf openvpn-2.3.6.tar.gz
    [root@ipython openvpn]# cd openvpn-2.3.6
    [root@ipython openvpn-2.3.6]# CPPFLAGS="-I/software/lzo/include/lzo" LDFLAGS="-L/software/lzo/lib/" ./configure --prefix=/software/openvpn --sysconfdir=/software/openvpn/etc
    [root@ipython openvpn-2.3.6]# make && make install

    ## Create the certificates ##
    [root@ipython openvpn]# wget http://build.openvpn.net/downloads/releases/easy-rsa-2.2.0_master.tar.gz
    [root@ipython openvpn]# tar zxf easy-rsa-2.2.0_master.tar.gz
    [root@ipython openvpn]# mv easy-rsa-2.2.0_master /software/openvpn/easy-rsa
    [root@ipython openvpn]# cd /software/openvpn/easy-rsa/easy-rsa/2.0/
    [root@ipython 2.0]# chmod +x vars
    [root@ipython 2.0]# source ./vars
    [root@ipython 2.0]# ./clean-all
    ## I have annotated this part before, so I won't repeat it here ##
    [root@ipython 2.0]# export KEY_COUNTRY="CN"
    [root@ipython 2.0]# export KEY_PROVINCE="SX"
    [root@ipython 2.0]# export KEY_CITY="IPYTHON"
    [root@ipython 2.0]# export KEY_ORG="VPNS"
    [root@ipython 2.0]# export KEY_EMAIL="itchenyi@gmail.com"
    [root@ipython 2.0]# ln -s openssl-1.0.0.cnf openssl.cnf
    [root@ipython 2.0]# ./build-ca
    Generating a 1024 bit RSA private key
    ..++++++
    ......++++++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [SX]:
    Locality Name (eg, city) [IPYTHON]:
    Organization Name (eg, company) [VPNS]:
    Organizational Unit Name (eg, section) [changeme]:
    Common Name (eg, your name or your server's hostname) [changeme]:
    Name [changeme]:
    Email Address [itchenyi@gmail.com]:
    #### Too long, too long ####
    [root@ipython 2.0]# ./build-key-server openvpn.ipython.com
    Generating a 1024 bit RSA private key
    .....................................................++++++
    .++++++
    writing new private key to 'openvpn.ipython.com.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [SX]:
    Locality Name (eg, city) [IPYTHON]:
    Organization Name (eg, company) [VPNS]:
    Organizational Unit Name (eg, section) [changeme]:
    Common Name (eg, your name or your server's hostname) [openvpn.ipython.com]:
    Name [changeme]:
    Email Address [itchenyi@gmail.com]:
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:#password#
    An optional company name []:#password#
    Using configuration from /software/openvpn/easy-rsa/easy-rsa/2.0/openssl-1.0.0.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'CN'
    stateOrProvinceName   :PRINTABLE:'SX'
    localityName          :PRINTABLE:'IPYTHON'
    organizationName      :PRINTABLE:'VPNS'
    organizationalUnitName:PRINTABLE:'changeme'
    commonName            :PRINTABLE:'openvpn.ipython.com'
    name                  :PRINTABLE:'changeme'
    emailAddress          :IA5STRING:'itchenyi@gmail.com'
    Certificate is to be certified until Dec 16 15:58:38 2024 GMT (3650 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

    ##### Generate the client certificate and key files [output not pasted] #####
    [root@ipython 2.0]# ./build-key client-one

    #### Strengthen OpenVPN's security with some math... the Diffie-Hellman key exchange protocol/algorithm ####
    [root@ipython 2.0]# ./build-dh

    #### Pack up the keys ####
    [root@ipython 2.0]# ls keys/
    01.pem  ca.key          client-one.key  index.txt.attr      openvpn.ipython.com.crt  serial
    02.pem  client-one.crt  dh1024.pem      index.txt.attr.old  openvpn.ipython.com.csr  serial.old
    ca.crt  client-one.csr  index.txt       index.txt.old       openvpn.ipython.com.key
    [root@ipython 2.0]# tar zcf keys.tar.gz keys/
    [root@ipython 2.0]# tar zcf cline-one.tar.gz keys/{client-one.crt,client-one.key,ca.crt}

    ### Create the server configuration file ####
    [root@ipython 2.0]# mkdir /software/openvpn/etc
    [root@ipython 2.0]# grep -v "^#" /software/openvpn/etc/server.conf
    port 1994
    proto udp
    dev tun
    ca /software/openvpn/easy-rsa/easy-rsa/2.0/keys/ca.crt
    cert /software/openvpn/easy-rsa/easy-rsa/2.0/keys/openvpn.ipython.com.crt
    key /software/openvpn/easy-rsa/easy-rsa/2.0/keys/openvpn.ipython.com.key
    dh /software/openvpn/easy-rsa/easy-rsa/2.0/keys/dh1024.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist /software/openvpn/ipp.txt
    client-to-client
    server 10.8.0.0 255.255.255.0
    push "redirect-gateway def1"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    keepalive 10 600
    comp-lzo
    persist-key
    persist-tun
    status /software/openvpn/openvpn-status.log
    verb 3

    ## Start the service ##
    [root@ipython 2.0]# /software/openvpn/sbin/openvpn /software/openvpn/etc/server.conf &

    ## Iptables ##
    [root@ipython 2.0]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    [root@ipython 2.0]# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    [root@ipython 2.0]# iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
    [root@ipython 2.0]# iptables -A FORWARD -j REJECT

    ## Iptables NAT for OpenVZ ##
    iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 106.185.41.18
    ## or ##
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 106.185.41.18

    ## Save the rules ##
    [root@ipython 2.0]# service iptables save

You can refer to this screenshot:

openvpn-client-conf

Download the keys to your local machine (by whatever means)

    [root@ipython 2.0]# sz cline-one.tar.gz

Client configuration file (for reference)

    client
    dev tun
    proto udp
    remote 106.185.41.18 1994
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client-one.crt
    key client-one.key
    comp-lzo
    verb 3

Now just double-click to connect!

openvpn-client-conn
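The server.conf and client configuration above leave several settings at weak values: a 1024-bit DH file, no explicit cipher, no tls-auth, compression enabled, and no server-certificate check on the client. As an added example that is not part of the original post, this POSIX shell function flags them; the finding codes and the dh<bits>.pem file-name heuristic are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post. Finding codes (WEAK-DH, ...) are
# names invented here; the DH check relies on easy-rsa naming the file dh<bits>.pem.
audit_openvpn_conf() {   # reads a config from the files given, or from stdin
    awk '
        /^[ \t]*([#;]|$)/ { next }        # skip comments and blank lines
        { seen[$1]++; arg[$1] = $2 }      # count each directive, remember its argument
        END {
            if (!("client" in seen)) {    # server-side checks
                if (arg["dh"] ~ /dh(512|1024)\.pem$/) print "WEAK-DH " arg["dh"]
                if (seen["server"] > 1)         print "DUPLICATE server"
                if ("client-to-client" in seen) print "CLIENT-TO-CLIENT"
                if (!("user" in seen))          print "RUNS-AS-ROOT"
            } else if (!("remote-cert-tls" in seen) && !("ns-cert-type" in seen))
                print "NO-SERVER-CERT-CHECK"  # any cert from this CA passes as the server
            if (!("cipher" in seen))            print "DEFAULT-CIPHER"  # BF-CBC on 2.3.x
            if (!("tls-auth" in seen) && !("tls-crypt" in seen)) print "NO-TLS-AUTH"
            if (("comp-lzo" in seen) || ("compress" in seen))    print "COMPRESSION"
        }' "$@"
}

# Constructed sample: the directives of the server.conf shown above, paths shortened.
sample_server_conf() {
    cat <<'EOF'
port 1994
proto udp
dev tun
ca keys/ca.crt
cert keys/openvpn.ipython.com.crt
key keys/openvpn.ipython.com.key
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
keepalive 10 600
comp-lzo
persist-key
persist-tun
verb 3
EOF
}

sample_server_conf | audit_openvpn_conf
```

In easy-rsa 2.0 the 1024-bit keys come from KEY_SIZE in vars; exporting KEY_SIZE=2048 before ./build-ca and ./build-dh produces 2048-bit keys and a dh2048.pem file.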

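Reprints must retain the copyright notice: IT辰逸, "Setting Up OpenVPN on a VPS". Link to this article: http://www.ipython.me/centos/vps-openvpn.html. This article is licensed under BY-NC-SA; please credit the source when reprinting. Except for IT-Tools, News, and items specifically marked, all articles on this site are original.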
