Build an OpenVPN server under CentOS 6.6
OpenVPN is free, open-source software used to create an encrypted Virtual Private Network (VPN) channel. It lets you easily build a dedicated network channel, similar to a LAN, between different network access sites such as home, office, and hotel accommodation.
Combined with a specific proxy server, OpenVPN can also be used to reach restricted websites such as YouTube, Facebook, and Twitter, or to get around a company's network restrictions.
I. Server installation and configuration
Server environment: clean CentOS 6.3 64-bit system
Intranet IP Address: 10.143.80.116
Internet IP Address: 203.195.xxx.xxx
OpenVPN 2.3.2 x86_64-redhat-linux-gnu
1. Preparations before installation
# Disable SELinux
setenforce 0
sed -i '/^SELINUX=/c\SELINUX=disabled' /etc/selinux/config
# Install openssl and lzo. lzo is used to compress communication data and speed up transmission.
yum -y install openssl openssl-devel
yum -y install lzo
# Install the EPEL source
rpm -ivh http://mirrors.sohu.com/fedora-epel/6/x86_64/epel-release-6-8.noarch.rpm
sed -i 's/^mirrorlist=https/mirrorlist=http/' /etc/yum.repos.d/epel.repo

2. Install and configure OpenVPN and easy-rsa
# Install openvpn and easy-rsa
yum -y install openvpn easy-rsa
# Modify the vars file
cd /usr/share/easy-rsa/2.0/
vim vars
# Modify the registration information, such as country, organization name, and department name.
export KEY_COUNTRY="CN"
export KEY_PROVINCE="Shandong"
export KEY_CITY="Qingdao"
export KEY_ORG="MyOrganization"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
# Initialize the environment variables
source vars
# Clear all certificate-related files in the keys directory.
# The certificates and keys generated in the following steps are placed in the /usr/share/easy-rsa/2.0/keys directory.
./clean-all
# Generate the root certificate ca.crt and root key ca.key (press Enter all the way)
./build-ca
# Generate a certificate and key for the server (press Enter all the way until y/n is prompted, enter y and press Enter twice)
./build-key-server server
# Each VPN client that logs on requires a certificate, and each certificate can be used by only one client at a time. Two client certificates are created here.
# Generate a certificate and key for each client (press Enter all the way until y/n is prompted, enter y and press Enter twice)
./build-key client1
./build-key client2
# Create the Diffie-Hellman parameters and generate the dh2048.pem file (generation is slow; do not interrupt it)
./build-dh
# Generate the ta.key file (helps defend against DDoS, UDP flood, and other malicious traffic)
openvpn --genkey --secret keys/ta.key

View the files generated in the keys directory:
3. Create the server configuration file
# Create a new keys directory under the openvpn configuration directory
mkdir /etc/openvpn/keys
# Copy the required openvpn certificates and keys to the created keys directory.
cp /usr/share/easy-rsa/2.0/keys/{ca.crt,server.{crt,key},dh2048.pem,ta.key} /etc/openvpn/keys/
# Copy the server configuration file template server.conf to /etc/openvpn/
cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn/
# View the active (non-comment) parameters in server.conf
grep '^[^#;]' /etc/openvpn/server.conf
# Edit server.conf; the directives below are the ones to set or change
vim /etc/openvpn/server.conf
port 1194
# Change to tcp. udp is used by default. If an HTTP proxy is used, the tcp protocol must be used.
proto tcp
dev tun
# Prefix the paths with keys/. The full path is /etc/openvpn/keys/ca.crt.
ca keys/ca.crt
cert keys/server.crt
key keys/server.key  # This file should be kept secret
dh keys/dh2048.pem
# Default virtual LAN CIDR block. It must not conflict with the actual LAN.
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# 10.0.0.0/8 is the intranet CIDR block of my VPN server. Modify it based on your actual situation.
push "route 10.0.0.0 255.0.0.0"
# Allows clients to reach each other directly through openvpn's own forwarding; set as needed
client-to-client
# If several clients connect with the same certificate and key, this option must be enabled. Otherwise each certificate allows only one person to connect at a time.
duplicate-cn
keepalive 10 120
tls-auth keys/ta.key 0  # This file is secret
comp-lzo
persist-key
persist-tun
# OpenVPN status log; the default is /etc/openvpn/openvpn-status.log
status openvpn-status.log
# OpenVPN operation log; the default is /etc/openvpn/openvpn.log
log-append openvpn.log
# Change to verb 5 to see more debugging information
verb 5

4. Configure the kernel and firewall, and start the service
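Before starting the service in this step, it is worth checking that the server.conf written in step 3 points at key material that actually exists and is protected. The script below is an added example, not code from the original article: it reads the ca, cert, key, dh and tls-auth directives from a server.conf, resolves them relative to the configuration directory (/etc/openvpn by default, as in this walkthrough), confirms the files exist, requires the private key and ta.key to be mode 600, checks that tls-auth uses key direction 0 on the server side, and reports the trade-off of duplicate-cn noted above (one certificate shared by many clients means no per-client accountability). The make_fixture function builds a constructed copy of the article's layout in a temporary directory so the script runs offline; the function names and the placeholder key files are assumptions of this example, not anything OpenVPN or easy-rsa provides.

```shell
#!/bin/sh
# Added example, not code from the original article: pre-start sanity check
# of an OpenVPN server.conf and the key material it references.
# Assumptions: the config directory is /etc/openvpn (as in this walkthrough)
# unless a second argument overrides it; function names are this example's own.

# Print the value of a directive, ignoring '#' and ';' comments.
# Usage: cfg_get <config-file> <directive>
cfg_get() {
    sed -e 's/[[:space:]]*[#;].*$//' "$1" |
        awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Check one server.conf. Prints WARN/ERROR findings; returns 1 if any
# ERROR was found, 0 otherwise (WARN lines do not fail the check).
# Usage: check_server_conf <server.conf> [config-dir]
check_server_conf() {
    conf=$1
    dir=${2:-/etc/openvpn}
    rc=0

    # The article switches to tcp so the client can go through an HTTP proxy.
    proto=$(cfg_get "$conf" proto)
    [ "$proto" = "tcp" ] || echo "WARN proto is '${proto:-udp}'; the article uses tcp"

    # Every file named by these directives must exist (relative to the config
    # directory); the private key and ta.key must be readable by the owner only.
    for directive in ca cert key dh tls-auth; do
        val=$(cfg_get "$conf" "$directive")
        if [ -z "$val" ]; then
            echo "ERROR directive '$directive' is missing"; rc=1; continue
        fi
        file=${val%% *}                    # tls-auth carries a trailing key direction
        case $file in /*) path=$file ;; *) path=$dir/$file ;; esac
        if [ ! -f "$path" ]; then
            echo "ERROR $directive: $path does not exist"; rc=1; continue
        fi
        case $directive in
            key|tls-auth)
                mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
                case $mode in
                    ?00) ;;
                    *) echo "ERROR $directive: $path is mode $mode, expected 600"; rc=1 ;;
                esac ;;
        esac
    done

    # On the server tls-auth must use key direction 0 (the client uses 1).
    ta=$(cfg_get "$conf" tls-auth)
    case $ta in
        ""|*" 0") ;;
        *) echo "ERROR tls-auth direction must be 0 on the server (got '$ta')"; rc=1 ;;
    esac

    # duplicate-cn lets several clients share one certificate; the article
    # enables it for convenience, at the cost of per-client accountability.
    if grep -q '^[[:space:]]*duplicate-cn' "$conf"; then
        echo "WARN duplicate-cn is set: one certificate may be used by many clients at once"
    fi
    return $rc
}

# Build a constructed fixture mirroring the article's layout
# (server.conf plus keys/ with empty placeholder files). Prints the directory.
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/keys"
    for f in ca.crt server.crt server.key dh2048.pem ta.key; do : > "$d/keys/$f"; done
    chmod 600 "$d/keys/server.key" "$d/keys/ta.key"
    cat > "$d/server.conf" <<'EOF'
port 1194
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key  # This file should be kept secret
dh keys/dh2048.pem
server 10.8.0.0 255.255.255.0
push "route 10.0.0.0 255.0.0.0"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth keys/ta.key 0 # This file is secret
comp-lzo
status openvpn-status.log
verb 5
EOF
    echo "$d"
}

# Stand-alone demonstration on the fixture; on a real server run
# check_server_conf /etc/openvpn/server.conf instead.
demo_dir=$(make_fixture)
check_server_conf "$demo_dir/server.conf" "$demo_dir" || echo "check failed"
chmod 644 "$demo_dir/keys/server.key"              # simulate a careless copy
check_server_conf "$demo_dir/server.conf" "$demo_dir" || echo "check failed (expected)"
rm -rf "$demo_dir"
```

On the real server, run check_server_conf /etc/openvpn/server.conf after the cp commands in step 3; a non-zero exit means at least one ERROR line was printed, and the WARN for duplicate-cn is a reminder that the convenience comes at the cost of knowing which person is behind each session.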
# Enable route forwarding
sed -i '/net.ipv4.ip_forward/s/0/1/' /etc/sysctl.conf
sysctl -p
# Configure the firewall. Do not forget to save it.
iptables -I INPUT -p tcp --dport 1194 -m comment --comment "openvpn" -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
service iptables save
# Start openvpn and set it to start on boot
service openvpn start
chkconfig openvpn on

5. Create a client configuration file
# Copy the client.conf template and name it client.ovpn
cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/client.conf client.ovpn
# Edit client.ovpn; the directives below are the ones to set or change
vim client.ovpn
client
dev tun
# Change to tcp
proto tcp
# Internet IP address and port of the OpenVPN server
remote 203.195.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
# Certificate of client1
cert client1.crt
# Key of client1
key client1.key
ns-cert-type server
# Remove the comment character in front of the tls-auth line
tls-auth ta.key 1
comp-lzo
verb 3

II. Installation and configuration of the Windows client
Client System: 64-bit Windows 7
Intranet IP Address: 172.16.4.4
OpenVPN version: OpenVPN 2.3.3 Windows 64-bit
1. Download and install OpenVPN
OpenVPN 2.3.3 Windows 32-bit installation file:
http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.3-I002-i686.exe
OpenVPN 2.3.3 Windows 64-bit installation file:
http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.3-I002-x86_64.exe
2. Configure the client
Copy client.ovpn, ca.crt, client1.crt, client1.key, and ta.key from the OpenVPN server to the config folder under the Windows client installation directory (C:\Program Files\OpenVPN\config).
3. Start OpenVPN GUI
Right-click the OpenVPN icon in the lower-right corner of the screen and select "Connect". Normally the connection succeeds and the client is allocated an IP address.
4. Test
Ping the intranet IP address of the server; a reply shows that the client is connected to the server's internal network.
To view the client's connection status on the OpenVPN server, look at the status file /etc/openvpn/openvpn-status.log:
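The status file written by the status directive (default status-version 1 layout) is plain CSV-like text and can be summarised with awk. The functions below are an added example, not part of the original article: vpn_sessions lists each connected session from the CLIENT LIST section, vpn_virtual_ip maps a common name to its address in the ROUTING TABLE section, and vpn_shared_certs reports common names with more than one concurrent session, which is the situation duplicate-cn permits and which otherwise goes unnoticed in the log. The sample status file is constructed to resemble what this server would write (using the client address 172.16.4.4 from the Windows section); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original article: summarise the OpenVPN
# status file written by the "status" directive (default status-version 1
# layout). Function names are this example's own; the sample log is constructed.

# Print one line per connected session:
#   common_name real_address bytes_received bytes_sent
# Usage: vpn_sessions <status-file>
vpn_sessions() {
    awk -F, '
        /^OpenVPN CLIENT LIST/ { sec = "clients"; next }
        /^ROUTING TABLE/       { sec = "routes";  next }
        /^GLOBAL STATS/        { sec = "" }
        sec == "clients" && NF == 5 && $1 != "Common Name" { print $1, $2, $3, $4 }
    ' "$1"
}

# Print the virtual IP assigned to a common name (from the ROUTING TABLE
# section; IPv4 entries only, so tap-mode MAC rows are skipped).
# Usage: vpn_virtual_ip <status-file> <common-name>
vpn_virtual_ip() {
    awk -F, -v cn="$2" '
        /^ROUTING TABLE/ { rt = 1; next }
        /^GLOBAL STATS/  { rt = 0 }
        rt && $2 == cn && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1; exit }
    ' "$1"
}

# Print common names with more than one concurrent session, with the count.
# Such sharing is exactly what duplicate-cn permits; without that option the
# second connection would have displaced the first. Worth alerting on.
# Usage: vpn_shared_certs <status-file>
vpn_shared_certs() {
    vpn_sessions "$1" | awk '{ n[$1]++ } END { for (cn in n) if (n[cn] > 1) print cn, n[cn] }'
}

# Constructed sample in the version-1 layout, as this server would write it.
# Prints the path of the temporary file.
make_status_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
OpenVPN CLIENT LIST
Updated,Thu Jun 18 09:41:22 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,172.16.4.4:52310,18234,44120,Thu Jun 18 09:30:05 2015
client1,172.16.4.9:61004,2048,3100,Thu Jun 18 09:39:51 2015
client2,198.51.100.23:40211,90122,155433,Thu Jun 18 08:55:10 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,172.16.4.4:52310,Thu Jun 18 09:41:20 2015
10.8.0.10,client1,172.16.4.9:61004,Thu Jun 18 09:41:18 2015
10.8.0.14,client2,198.51.100.23:40211,Thu Jun 18 09:41:21 2015
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
    echo "$f"
}

# Stand-alone demonstration on the sample; on the server run the functions
# against /etc/openvpn/openvpn-status.log instead.
sample=$(make_status_sample)
echo "sessions:";            vpn_sessions "$sample"
echo "shared certificates:"; vpn_shared_certs "$sample"
echo "client2 virtual IP:";  vpn_virtual_ip "$sample" client2
rm -f "$sample"
```

In the constructed sample, client1 has two simultaneous sessions from different real addresses, so vpn_shared_certs prints "client1 2"; on a server with duplicate-cn enabled that is the only sign that one certificate and key have been copied to a second machine, which is why the check belongs in routine monitoring rather than only in troubleshooting.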