Build an OpenVPN service environment

Source: Internet
Author: User

Before installing, run cat /dev/net/tun to check that the kernel's tun/tap device is available:
[root@lx_web_s1 ~]# cat /dev/net/tun
cat: /dev/net/tun: File descriptor in bad state
This error is the expected result: the device node exists and the tun driver answered, so tun/tap is enabled and OpenVPN can be installed and configured. If the node is missing ("No such file or directory"), load the module with modprobe tun first; inside a container the host has to provide the device.

I. VPN server
1. Installation preparation
yum -y install gcc-c++
Download the lzo, openssl and openvpn source tarballs into /data/software.
The versions used in this walkthrough (lzo 2.03, OpenSSL 0.9.8, OpenVPN 2.2.2) are long out of support. On a current system install the distribution's openvpn package, or current releases, instead; the certificate and configuration steps that follow are the same.

2. Software installation
# cd /data/software
# wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz
# tar -xvzf lzo-2.03.tar.gz
# cd lzo-2.03
# ./configure --prefix=/usr/local/lzo && make && make install

# cd /data/software
# tar -xvzf openssl-0.9.8.tar.gz
# cd openssl-0.9.8
# ./config --prefix=/usr/local/openssl && make && make install

# cd /data/software
# tar -xvzf openvpn-2.2.2.tar.gz
# cd openvpn-2.2.2
# ./configure --prefix=/usr/local/openvpn --with-lzo-headers=/usr/local/lzo/include --with-lzo-lib=/usr/local/lzo/lib --with-ssl-headers=/usr/local/openssl/include/ --with-ssl-lib=/usr/local/openssl/lib/
# make && make install

3. Configuration
# mkdir /etc/openvpn
# cp -R /data/software/openvpn-2.2.2/easy-rsa/ /etc/openvpn
# cd /etc/openvpn/easy-rsa/2.0/

A brief description of the scripts in this directory:
vars: sets the environment variables (certificate fields, key size, expiry) that the other scripts read. It must be sourced into the current shell, not executed.
clean-all: removes any existing keys directory and recreates it empty, with a fresh index.txt and serial file. Run it once, before build-ca; running it again later destroys the CA.
build-ca: generates the CA certificate and key (interactive).
build-dh: generates the Diffie-Hellman parameter file (no prompts, but it can take a while).
build-key-server: generates a server certificate and key, with the nsCertType=server extension that clients check via ns-cert-type server (interactive).
build-key: generates a client certificate and key (interactive).
pkitool: does the same work using only the settings from vars, without prompting (non-interactive); build-ca, build-key-server and build-key are thin wrappers that call it with --interact.

1. Generate the CA certificate and key
Edit the vars file and set the fields that go into every certificate:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="beijing"
export KEY_ORG="SHEN"
export KEY_EMAIL="ymshen83@163.com"
export KEY_CN=shen
export KEY_NAME=shen
export KEY_OU=shen
export PKCS11_MODULE_PATH=shen
export PKCS11_PIN=123456
The two PKCS11_* values are only used when keys live on a PKCS#11 token; they can be left at placeholders. The same file sets KEY_SIZE, which defaults to 1024 in easy-rsa 2.0 and also determines the size of the Diffie-Hellman parameters generated below. Set it to 2048 before continuing: 1024-bit RSA and DH are no longer considered safe.

Initialize the keys directory and build the CA:
# . ./vars    (a dot, a space, then ./vars: this sources the file so its variables apply to the current shell)
# ./clean-all
# ./build-ca    (press Enter at every prompt to accept the defaults taken from vars)
......
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [SHEN]:
Organizational Unit Name (eg, section) [shen]:
Common Name (eg, your name or your server's hostname) [shen]:
Name [shen]:
Email Address [ymshen83@163.com]:
[root@lx_web_s1 2.0]# cd keys
The files ca.crt and ca.key now exist in the keys directory. ca.key is the CA's private key: whoever holds it can issue certificates that this VPN will accept, so it stays in this directory (or offline) and is never copied to the server's runtime directory or to clients.

2. Generate the Diffie-Hellman file
# cd ..
# ./build-dh    # prints: Generating DH parameters, 1024 bit long safe prime (the size follows KEY_SIZE in vars; with KEY_SIZE=2048 the file is dh2048.pem)
# ls keys
ca.crt ca.key dh1024.pem index.txt serial

3. Generate the VPN server certificate and key

# ./build-key-server lxsym    # lxsym is the server certificate's name (its Common Name); the output files are named after it

Accept the defaults with Enter and answer y at the two signing prompts:
Certificate is to be certified until Jan 31 02:46:02 2022 GMT (3650 days)
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y
Write out database with 1 new entries
Data Base Updated
Then copy the files the server needs to /etc/openvpn/. Only ca.crt, the server certificate and key, and the DH parameters are required; ca.key is not, and should stay in the easy-rsa keys directory.
# cd keys
# cp ca.crt lxsym.crt lxsym.key dh1024.pem /etc/openvpn/

4. Generate the client certificate and key
# ./build-key client-lxsym
Accept the defaults with Enter and answer y at the signing prompts, as for the server.

This creates client-lxsym.crt, client-lxsym.csr and client-lxsym.key in the keys directory. The client needs exactly three files from here: ca.crt (to verify the server) and client-lxsym.crt plus client-lxsym.key (to identify itself). The .csr is only the signing request and is not needed. ca.key must not be included: a client holding the CA private key could issue itself a server certificate and impersonate the VPN server, or mint any number of client certificates.
# cd keys
# tar zcvf userkey.tar.gz ca.crt client-lxsym.crt client-lxsym.key /data/software/openvpn-2.2.2/sample-config-files/client.conf
# sz userkey.tar.gz    # ZMODEM download to the Windows client; the archive contains a private key, so transfer it over an encrypted session only
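As an added example (not part of the original walkthrough), the following script reproduces with plain openssl what build-ca, build-key-server and build-key do, and then runs the checks a finished PKI and a client bundle should pass before anything is copied out: the server certificate chains to the CA and carries nsCertType=server (what the client's ns-cert-type server directive tests), the client certificate does not carry it, each key matches its certificate, and the file list destined for a client contains no ca.key. Certificate names follow the article; the 2048-bit key size, the temporary directory and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: build a throwaway PKI with plain openssl the
# way easy-rsa's build-ca / build-key-server / build-key do, then run the checks a finished
# PKI and a client bundle should pass. Names follow the article; the key size (2048) and the
# temporary directory are assumptions.
set -u

# make_test_pki DIR : create a CA, a server cert (nsCertType=server) and a client cert in DIR
make_test_pki() {
  dir=$1
  mkdir -p "$dir"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/ca.key" -subj "/CN=shen" -days 3650 \
    -out "$dir/ca.crt" 2>/dev/null
  # server: build-key-server adds nsCertType=server, which is what a client configured
  # with "ns-cert-type server" checks before trusting the peer
  openssl genrsa -out "$dir/lxsym.key" 2048 2>/dev/null
  openssl req -new -key "$dir/lxsym.key" -subj "/CN=lxsym" -out "$dir/lxsym.csr" 2>/dev/null
  printf 'nsCertType = server\n' > "$dir/server.ext"
  openssl x509 -req -in "$dir/lxsym.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 3650 -extfile "$dir/server.ext" -out "$dir/lxsym.crt" 2>/dev/null
  # client: build-key adds no nsCertType, so a client certificate cannot pose as the server
  openssl genrsa -out "$dir/client-lxsym.key" 2048 2>/dev/null
  openssl req -new -key "$dir/client-lxsym.key" -subj "/CN=client-lxsym" \
    -out "$dir/client-lxsym.csr" 2>/dev/null
  openssl x509 -req -in "$dir/client-lxsym.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 3650 -out "$dir/client-lxsym.crt" 2>/dev/null
}

# cert_is_server_type CERT : succeed when CERT carries nsCertType=server
cert_is_server_type() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | sed -n '/Netscape Cert Type/{n;p;}' | grep -q 'SSL Server'
}

# cert_signed_by CA CERT : succeed when CERT chains to CA
cert_signed_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert KEY CERT : succeed when both contain the same RSA modulus
key_matches_cert() {
  k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
  c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# bundle_is_safe FILE... : fail if the files destined for a client include the CA private key
bundle_is_safe() {
  for f in "$@"; do
    case "$(basename "$f")" in ca.key) return 1 ;; esac
  done
  return 0
}

# check_pki DIR : every check a freshly generated PKI must pass before files are copied out
check_pki() {
  d=$1
  cert_signed_by "$d/ca.crt" "$d/lxsym.crt"        || { echo "server cert not signed by CA"; return 1; }
  cert_signed_by "$d/ca.crt" "$d/client-lxsym.crt" || { echo "client cert not signed by CA"; return 1; }
  key_matches_cert "$d/lxsym.key" "$d/lxsym.crt"   || { echo "server key/cert mismatch"; return 1; }
  key_matches_cert "$d/client-lxsym.key" "$d/client-lxsym.crt" || { echo "client key/cert mismatch"; return 1; }
  cert_is_server_type "$d/lxsym.crt"               || { echo "server cert lacks nsCertType=server"; return 1; }
  if cert_is_server_type "$d/client-lxsym.crt"; then echo "client cert is marked as a server"; return 1; fi
  bundle_is_safe "$d/ca.crt" "$d/client-lxsym.crt" "$d/client-lxsym.key" || { echo "ca.key in client bundle"; return 1; }
  echo "PKI checks passed"
}

# stand-alone run on a temporary directory: generate, check, then pack only the client files
work=$(mktemp -d)
make_test_pki "$work"
if check_pki "$work"; then
  tar czf "$work/userkey.tar.gz" -C "$work" ca.crt client-lxsym.crt client-lxsym.key
  echo "client bundle: $(tar tzf "$work/userkey.tar.gz" | tr '\n' ' ')"
fi
rm -rf "$work"
```

The same functions can be pointed at the real easy-rsa keys directory (check_pki /etc/openvpn/easy-rsa/2.0/keys) before the cp and tar steps above; the nsCertType check is the one that matters most, because a client with ns-cert-type server will refuse a server certificate that was produced with build-key instead of build-key-server.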

5. OpenVPN server configuration file
# cp /data/software/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn.conf
# cat /etc/openvpn.conf
port 1194
proto tcp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/lxsym.crt
key /etc/openvpn/lxsym.key
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /data/logs/openvpn-status.log
log-append /data/logs/openvpn.log
verb 3

Notes on these directives:
proto tcp means the client in section II must use TCP as well; a UDP client never completes the handshake against a TCP server. UDP is the usual choice for a VPN tunnel; use TCP only where UDP is blocked.
duplicate-cn lets several clients connect with the same certificate, which is why a single client-lxsym certificate is generated above. The cost is that one leaked key serves anyone and cannot be revoked without cutting off every user; issue one certificate per user where you can and drop this directive.
client-to-client lets VPN clients reach each other as well as the pushed 192.168.0.0/24 network; leave it out unless that is wanted.
ifconfig-pool-persist ipp.txt is resolved relative to the directory OpenVPN is started from; give it an absolute path (or add a cd /etc/openvpn directive).
The sample file sets both log and log-append on the same file; keep only one (log-append keeps previous runs' output). The /data/logs directory must exist before starting, since the files are opened at startup, before privileges are dropped to nobody.

6. Start OpenVPN

After editing the configuration, start the service; --daemon runs it in the background:
# /usr/local/openvpn/sbin/openvpn --daemon --config /etc/openvpn.conf
[root@lx_web_s1 2.0]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:10888           0.0.0.0:*               LISTEN      2353/ss5
tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN      16659/openvpn
openvpn is listening on TCP 1194 (the ss5 entry is an unrelated SOCKS proxy on the same host). If it is missing, the reason is in /data/logs/openvpn.log; a wrong certificate path or a missing log directory are the usual causes.


II. Windows client installation and configuration
Installation directory: D:\Program Files (x86)\OpenVPN
Download and install the OpenVPN Windows client, then download userkey.tar.gz and extract it into the OpenVPN config directory.
cat client.conf
client
dev tun
proto tcp
remote 192.168.52.199 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client-lxsym.crt
key client-lxsym.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1

Three settings differ from the sample file as originally published and matter: proto must be tcp to match the server's proto tcp, and cert and key must name the client's own files, client-lxsym.crt and client-lxsym.key, not the server's lxsym.crt, which the client does not have and should not have. ns-cert-type server makes the client accept only a certificate issued with build-key-server, so another client's certificate cannot be used to stand up a fake server; keep it. redirect-gateway def1 sends all of the client's traffic through the tunnel, not only the pushed 192.168.0.0/24 route; remove it if only the internal network should go over the VPN.
Make sure the file matches the server configuration, rename client.conf to client.ovpn, then right-click client.ovpn and choose "Start OpenVPN on this config file", or create a desktop shortcut for later connections.
Alternatively start openvpn-gui: a small connection icon appears in the taskbar; double-click it to connect, and when it turns green the connection is up.
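To check the point made above (the client file must match the server's settings) mechanically rather than by eye, here is an added example, not code from the original article: a small shell lint that reads a server configuration and the client configuration shipped with it, reports the directives that must agree (proto, dev, port, comp-lzo, and that the client is not configured with the server's certificate or the CA key), and warns about duplicate-cn, client-to-client and a missing tls-auth. The sample configurations inside it are constructed to mirror the article's server.conf, the client.conf as originally published, and a corrected client.conf; file names and the temporary directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: a small lint that compares an OpenVPN
# server configuration with the client configuration that is shipped alongside it, flags
# the directives that must agree, and points out server directives worth a second look.
# The sample configs are constructed to mirror the article's; file names are assumptions.
set -u

# conf_value FILE DIRECTIVE : print the value of the first DIRECTIVE line (comments ignored)
conf_value() {
  awk -v d="$2" '$1 == d { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# conf_has FILE DIRECTIVE : succeed when DIRECTIVE occurs at least once
conf_has() {
  awk -v d="$2" '$1 == d { f = 1 } END { exit !f }' "$1"
}

# proto_family PROTO : tcp, tcp-server and tcp-client all use TCP; anything else is left as is
proto_family() {
  case "$1" in tcp*) echo tcp ;; *) echo "$1" ;; esac
}

# lint_configs SERVER_CONF CLIENT_CONF : one MISMATCH or WARN line per finding;
# succeeds only when nothing is marked MISMATCH
lint_configs() {
  s=$1; c=$2; bad=0

  # transport and device type must agree, or the handshake never starts
  sproto=$(proto_family "$(conf_value "$s" proto)"); cproto=$(proto_family "$(conf_value "$c" proto)")
  [ "${sproto:-udp}" = "${cproto:-udp}" ] || { echo "MISMATCH proto: server=${sproto:-udp} client=${cproto:-udp}"; bad=1; }
  sdev=$(conf_value "$s" dev); cdev=$(conf_value "$c" dev)
  [ "$sdev" = "$cdev" ] || { echo "MISMATCH dev: server=$sdev client=$cdev"; bad=1; }

  # the server's port (default 1194) must equal the port in the client's "remote HOST PORT"
  sport=$(conf_value "$s" port); cport=$(conf_value "$c" remote | awk '{ print $2 }')
  [ "${sport:-1194}" = "${cport:-1194}" ] || { echo "MISMATCH port: server=${sport:-1194} client=${cport:-1194}"; bad=1; }

  # compression must be enabled on both sides or on neither
  if conf_has "$s" comp-lzo; then slzo=yes; else slzo=no; fi
  if conf_has "$c" comp-lzo; then clzo=yes; else clzo=no; fi
  [ "$slzo" = "$clzo" ] || { echo "MISMATCH comp-lzo: server=$slzo client=$clzo"; bad=1; }

  # the client must present its own certificate, not the server's
  scert=$(conf_value "$s" cert); ccert=$(conf_value "$c" cert)
  if [ -n "$scert" ] && [ -n "$ccert" ] && [ "$(basename "$scert")" = "$(basename "$ccert")" ]; then
    echo "MISMATCH cert: client is configured with the server certificate $(basename "$ccert")"; bad=1
  fi
  # and it must never be handed the CA private key
  case "$(basename "$(conf_value "$c" key)")" in
    ca.key) echo "MISMATCH key: client is configured with the CA private key"; bad=1 ;;
  esac

  # server-side settings that are not wrong but widen the blast radius
  conf_has "$s" duplicate-cn && echo "WARN duplicate-cn: clients share certificates; one leaked key serves anyone and cannot be revoked alone"
  conf_has "$s" client-to-client && echo "WARN client-to-client: connected clients can reach each other, not only the pushed networks"
  conf_has "$s" tls-auth || echo "WARN no tls-auth: control channel is not HMAC-protected; anyone reaching the port can start a TLS handshake"
  return $bad
}

# write_sample_configs DIR : constructed samples mirroring the article's server.conf,
# its client.conf as published, and a corrected client.conf
write_sample_configs() {
  cat > "$1/server.conf" <<'EOF'
port 1194
proto tcp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/lxsym.crt
key /etc/openvpn/lxsym.key
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
duplicate-cn
comp-lzo
EOF
  cat > "$1/client-as-published.conf" <<'EOF'
client
dev tun
proto udp
remote 192.168.52.199 1194
ca ca.crt
cert lxsym.crt
key lxsym.key
ns-cert-type server
comp-lzo
EOF
  sed -e 's/^proto udp/proto tcp/' -e 's/^cert lxsym/cert client-lxsym/' -e 's/^key lxsym/key client-lxsym/' \
    "$1/client-as-published.conf" > "$1/client-fixed.conf"
}

# stand-alone run
work=$(mktemp -d)
write_sample_configs "$work"
for cl in client-as-published client-fixed; do
  echo "== server.conf vs $cl.conf"
  if lint_configs "$work/server.conf" "$work/$cl.conf"; then echo "OK to ship"; else echo "fix before shipping"; fi
done
rm -rf "$work"
```

Run as sh lint.sh: the configuration as originally published yields two MISMATCH lines (proto udp against proto tcp, and the client pointed at the server's lxsym.crt) and the corrected one none, with the same three warnings in both cases. The tls-auth warning refers to a directive this walkthrough does not use; it is worth adding on any server reachable from the Internet, since it stops unauthenticated peers from ever reaching the TLS layer.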
