OpenVPN Setup on Linux

Source: Internet
Author: User
Tags: install, openssl, openvpn, gui

Original work; reprinting is allowed provided the reprint links to the original source and keeps the author information and this statement. Otherwise legal liability will be pursued. http://304076020.blog.51cto.com/7503470/1605312

Lab environment
System: CentOS 6.5
Hostname: openvpn-server
IP: 192.168.1.236

Installation packages: http://down.51cto.com/data/1976343 (free download)

[root@openvpn-server ~]# yum -y install openssl-devel gcc
1. Install lzo
Note: lzo compresses the tunnel traffic to speed up transmission.
[root@vpn-server opt]# tar zxf lzo-2.03.tar.gz
[root@vpn-server opt]# cd lzo-2.03
[root@vpn-server lzo-2.03]# ./configure --prefix=/usr
[root@vpn-server lzo-2.03]# make && make install
2. Install openvpn
[root@vpn-server opt]# tar zxf openvpn-2.0.9.tar.gz
[root@vpn-server opt]# cd openvpn-2.0.9
[root@vpn-server openvpn-2.0.9]# ./configure --with-lzo-lib=/usr
[root@vpn-server openvpn-2.0.9]# make && make install
3. OpenVPN server configuration
[root@openvpn-server openvpn-2.0.9]# vi /opt/openvpn-2.0.9/easy-rsa/2.0/vars
export KEY_COUNTRY=CN          # country
export KEY_PROVINCE=GD         # province
export KEY_CITY=Shenzhen       # city
export KEY_ORG="Kimvpn"        # organization name written into the CA certificate
export KEY_EMAIL="kim@163.com" # e-mail address; any value is accepted
[root@openvpn-server openvpn-2.0.9]# source /opt/openvpn-2.0.9/easy-rsa/2.0/vars   # make the modified variables take effect
NOTE: when you run ./clean-all, I will be doing a rm -rf on /root/keys
Note: vars derives KEY_DIR from the directory you source it from (it sets EASY_RSA to `pwd`), so source it from inside easy-rsa/2.0, as in step 7, so that the keys land in /opt/openvpn-2.0.9/easy-rsa/2.0/keys where the commands below expect them.
4. Generate the CA, DH parameters and certificates
[root@vpn-server ~]# cd /opt/openvpn-2.0.9/easy-rsa/2.0
[root@openvpn-server 2.0]# ./clean-all   # remove all existing certificate files
[root@openvpn-server 2.0]# ./build-ca    # generate the CA certificate

[root@openvpn-server 2.0]# ls -lsart keys | grep ca
4 -rw------- 1 root 916 Jan 8 12:12 ca.key
4 -rw-r--r-- 1 root 1220 Jan 8 12:12 ca.crt
[root@openvpn-server 2.0]# ./build-dh    # generate the dh1024.pem file

Generate the server certificate and key
[root@openvpn-server 2.0]# ./build-key-server Kimvpn

Generate a certificate for each client. This document uses two users, client1 and client2, as an example.
[root@openvpn-server 2.0]# ./build-key client1

[root@openvpn-server 2.0]# ./build-key client2   # same as above
[root@openvpn-server 2.0]# ls -lsart keys

Modify the OpenVPN server configuration file /etc/server.conf
[root@openvpn-server 2.0]# cp -p /opt/openvpn-2.0.9/sample-config-files/server.conf /etc/server.conf
[root@openvpn-server 2.0]# vi /etc/server.conf   # change the configuration as follows:
proto tcp   # change proto udp to proto tcp so the server listens on a TCP port
ca /opt/openvpn-2.0.9/easy-rsa/2.0/keys/ca.crt
cert /opt/openvpn-2.0.9/easy-rsa/2.0/keys/Kimvpn.crt
key /opt/openvpn-2.0.9/easy-rsa/2.0/keys/Kimvpn.key
dh /opt/openvpn-2.0.9/easy-rsa/2.0/keys/dh1024.pem

log /var/log/openvpn.log   # enable logging

server 192.168.2.0 255.255.255.0   # address pool the server assigns to VPN clients; it must not overlap the company's real address ranges
verb 5
[root@openvpn-server 2.0]# echo "1" > /proc/sys/net/ipv4/ip_forward   # enable IP forwarding so packets can pass between network segments (this does not survive a reboot; set net.ipv4.ip_forward = 1 in /etc/sysctl.conf to make it persistent)
[root@openvpn-server ~]# /usr/local/sbin/openvpn --config /etc/server.conf &   # start the VPN in the background
[root@openvpn-server ~]# netstat -anpt | grep openvpn
tcp 0 0 0.0.0.0:1194 0.0.0.0:* LISTEN 51774/openvpn

5. Client configuration

On the Linux server, take client.conf from the /opt/openvpn-2.0.9/sample-config-files directory.

Copy it to the Windows VPN client machine into the C:\Program Files (x86)\OpenVPN\config directory and rename it client.ovpn. Also copy ca.crt, client1.crt and client1.key from the server's /opt/openvpn-2.0.9/easy-rsa/2.0/keys directory into the same C:\Program Files (x86)\OpenVPN\config directory. client1.key is the client's private key, so transfer it over a secure channel.

Edit client.ovpn in the C:\Program Files (x86)\OpenVPN\config directory:

proto tcp   # change proto udp to proto tcp

remote 192.168.1.236 1194   # the server's address and port

ca ca.crt
cert client1.crt
key client1.key

#comp-lzo   # comment out comp-lzo

6. Connect the client to the VPN

Click the OpenVPN GUI icon in the Windows system tray (lower right) and select Connect.

Once connected, the client receives an IP address from the pool assigned by vpn-server.

7. Revoke a VPN user

Note: Because the VPN is used in an enterprise, the server issues a certificate file to each VPN client. When a colleague leaves, that user's certificate must be revoked. Example for the client1 user:

[root@openvpn-server ~]# cd /opt/openvpn-2.0.9/easy-rsa/2.0/

[root@openvpn-server 2.0]# ./revoke-full client1

Please source the vars script first (i.e. "source ./vars")
Make sure you have edited it to reflect your configuration.

The script asks you to do the above first.

[root@openvpn-server 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /opt/openvpn-2.0.9/easy-rsa/2.0/keys

Then revoke again:

[root@openvpn-server 2.0]# ./revoke-full client1

Note: the error above is normal; it is an openvpn bug. The fix is as follows:

[root@openvpn-server 2.0]# vi /opt/openvpn-2.0.9/easy-rsa/2.0/openssl.cnf

Revoke again:

[root@openvpn-server 2.0]# ./revoke-full client1

Here "error 23" (certificate revoked) means the revocation succeeded. However, the client can still log in: the revoke step only wrote the revoked certificate into crl.pem under keys, and the server is not yet checking that CRL, so the certificate is not actually blocked. Make the server enforce the CRL:

[root@openvpn-server 2.0]# vi /etc/server.conf

crl-verify /opt/openvpn-2.0.9/easy-rsa/2.0/keys/crl.pem   # add this line

Restart openvpn; the revoked client can no longer connect to the VPN.
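The revocation step above only works when two things hold at once: the user's certificate shows as revoked in the easy-rsa database (keys/index.txt), and server.conf actually carries an active crl-verify line so the server reads crl.pem. The following script is an added example, not code from the original post, that audits both; the index.txt records, the server.conf fragments, the CNs and the audit time are all constructed assumptions.

```python
"""Audit of an easy-rsa 2.0 PKI as set up on this page: which client certs can still
authenticate, which are revoked, and whether server.conf enforces the CRL (crl-verify)."""
import re
from datetime import datetime, timezone

# Constructed sample of keys/index.txt, the OpenSSL CA database easy-rsa maintains.
# Tab-separated: status (V/R/E), expiry, revocation date, serial, file, subject DN.
INDEX_TXT = (
    "V\t260108041200Z\t\t01\tunknown\t/C=CN/ST=GD/L=Shenzhen/O=Kimvpn/CN=Kimvpn\n"
    "R\t260108041500Z\t250108120000Z\t02\tunknown\t/C=CN/ST=GD/O=Kimvpn/CN=client1\n"
    "V\t260108041800Z\t\t03\tunknown\t/C=CN/ST=GD/O=Kimvpn/CN=client2\n"
    "V\t240108120000Z\t\t04\tunknown\t/C=CN/ST=GD/O=Kimvpn/CN=client3\n"  # expired, never marked E
)
# Constructed /etc/server.conf fragments: before and after adding the crl-verify line.
CONF_WITHOUT_CRL = "proto tcp\nserver 192.168.2.0 255.255.255.0\n#crl-verify /tmp/crl.pem\n"
CONF_WITH_CRL = CONF_WITHOUT_CRL + "crl-verify /opt/openvpn-2.0.9/easy-rsa/2.0/keys/crl.pem\n"
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed audit time

def _ts(field):
    """Parse the YYMMDDHHMMSSZ timestamps used in index.txt (empty field -> None)."""
    return datetime.strptime(field, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc) if field else None

def parse_index(text):
    """Return one dict per certificate record in the CA database."""
    certs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _fname, subject = line.split("\t")
        cn = re.search(r"/CN=([^/]+)", subject)
        certs.append({"cn": cn.group(1) if cn else subject, "serial": serial,
                      "status": status, "expires": _ts(expiry), "revoked_at": _ts(revoked)})
    return certs

def crl_enforced(server_conf):
    """True only when an active (uncommented) crl-verify directive is present."""
    return any(re.match(r"\s*crl-verify\s+\S+", ln) for ln in server_conf.splitlines())

def audit(index_text, server_conf, now=SAMPLE_NOW, server_cn="Kimvpn"):
    """Return usable client CNs, revoked CNs, and findings that need action."""
    certs = parse_index(index_text)
    usable = sorted(c["cn"] for c in certs
                    if c["status"] == "V" and c["expires"] > now and c["cn"] != server_cn)
    revoked = sorted(c["cn"] for c in certs if c["status"] == "R")
    findings = []
    if revoked and not crl_enforced(server_conf):
        # The state the page describes: crl.pem exists but the server never reads it.
        findings.append("revoked certs not enforced (add crl-verify): " + ", ".join(revoked))
    return {"usable": usable, "revoked": revoked, "findings": findings}
```

Note that client3 is still marked V in the database but is past its expiry, so the audit excludes it; easy-rsa only flips such records to E when the CA database is updated.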

 

This article is from the "Linux art (Q group: 1991706)" blog; please keep this source when reproducing it: http://304076020.blog.51cto.com/7503470/1605312
