[Centos] install openvpn server (easy-rsa3)

Source: Internet
Author: User

[Centos] install openvpn server (easy-rsa3)
VPN is widely used in office and fan wall fields. We may use it in small office networks recently. Learn it first.
The vpn server must have a public ip address, which can be used by clients in multiple environments.
Concept
PKI: Public Key Infrastructure CA: core of Certificate Authority pki
Centos6.6 in virtual machine environment
Nic

eth0      Link encap:Ethernet  HWaddr 00:50:56:35:E7:EC            inet addr:192.168.37.129  Bcast:192.168.37.255  Mask:255.255.255.0          inet6 addr: fe80::250:56ff:fe35:e7ec/64 Scope:Link          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1          RX packets:108531 errors:0 dropped:0 overruns:0 frame:0          TX packets:89610 errors:0 dropped:0 overruns:0 carrier:0          collisions:0 txqueuelen:1000           RX bytes:82324349 (78.5 MiB)  TX bytes:10389968 (9.9 MiB)

Objective: To set up the openvpn service and run it properly (iptables is not set here)
Install dependency packages
Yum install-y openssl-devel lzo-devel pam-devel automake pkgconfigyum install openvpn # The openvpn version is 2.3.6 easy-rsa3

Generate Certificate
# Configuration file directories are generally in a similar directory cp/usr/share/doc/openvpn-2.3.6/sample-config-files/server. conf/etc/openvpn/#2.3 needs to download an easy-rsa package independently. This package is used to create ca certificates and server certificates, client certificate wget-c https://github.com/OpenVPN/easy-rsa/archive/master.zipunzip master.zip mv easy-rsa-master easy-rsacp-rf easy-rsa/etc/openvpneasy-rsa operate cd/etc/openvpn/According to github documentation/ easy-rsa/easyrsa3cp vars. example vars # In general, the default configuration can meet your needs, or you can modify it as needed. /easyrsa init-pk I # create an empty pki structure to generate a series of files and directories. /easyrsa build-ca # Remember to create the ca password and cn. /easyrsa gen-req server nopass # create the common name of the server certificate. It is best not to use the same name as the preceding cn. /easyrsa sign server # sign the server certificate. /easyrsa gen-dh # create Diffie-Hellman # The following is the client certificate # first create a working directory cd/home/mkdir client & cd clientcp-R ~ /Easy-rsa /. /# This is the decompressed easy-rsa instead of the easy-rsacd easy-rsa/easyrsa3/cp vars that generates the server certificate. example vars # Start generation. /easyrsa init-pki. /easyrsa gen-req orangleliu # use your own name. You need to create a password and cn name. Remember what you use # The client certificate must interact with the server, that is, sign the contract, this way, the user can use this vpn # Switch to cd/etc/openvpn/easy-rsa/easyrsa3/Under the server certificate directory /. /easyrsa import-req/home/client/easy-rsa/easyrsa3/pki/reqs/orangleliu. req orangleliu # import req. /easyrsa sign client orangleliu # sign the contract and enter the ca password of the server as prompted

See what is generated by/etc/openvpn/easy-rsa/easyrsa3.
[root@localhost easyrsa3]# tree pkipki├── ca.crt├── certs_by_serial│   ├── 01.pem│   └── 02.pem├── dh.pem├── index.txt├── index.txt.attr├── index.txt.attr.old├── index.txt.old├── issued│   ├── orangleliu.crt│   └── server.crt├── private│   ├── ca.key│   └── server.key├── reqs│   ├── orangleliu.req│   └── server.req├── serial└── serial.old


Check the client/home/client/easy-rsa/easyrsa3.
pki├── private│   └── orangleliu.key└── reqs    └── orangleliu.req


Put these files in the corresponding directory of the server certificate (put in a directory of the configuration file for easy configuration and search)
cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /etc/openvpn/cp /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key /etc/openvpn/cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt /etc/openvpn/cp /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem /etc/openvpn/

Client certificate (only centralized to a folder for vpn Users)
mkdir /home/myclientcp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /home/myclient/cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/orangleliu.crt  /home/myclient/cp /home/client/easy-rsa/easyrsa3/pki/private/orangleliu.key /home/myclient/

The most difficult part has passed. The following is the configuration service. Check whether the Configuration Service vim/etc/openvpn/server. conf has the specific meaning of each configuration. The configuration file has a detailed explanation.

local 192.168.37.129port 1194proto udpdev tunca /etc/openvpn/ca.crtcert /etc/openvpn/server.crtkey /etc/openvpn/server.key  # This file should be kept secretdh /etc/openvpn/dh.pemserver 10.8.0.0 255.255.255.0ifconfig-pool-persist ipp.txtpush "redirect-gateway def1 bypass-dhcp"push "dhcp-option DNS 114.114.114.114"comp-lzomax-clients 100keepalive 10 120persist-keypersist-tunstatus openvpn-status.logverb 3


Start the service
[root@localhost easyrsa3]# service openvpn startStarting openvpn:                                          [FAILED]


View startup log Options error: Unrecognized option or missing parameter (s) in server. conf: 35: kcomp-lzo (2.3.6)
The configuration is incorrect .. It should be comp-lzo.
Restart
[root@localhost easyrsa3]# service openvpn startStarting openvpn:                                          [  OK  ]


OK.
Ifconfig view Nic information tun0 Link encap: UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr: 10.8.0.1 P-t-P: 10.8.0.2 Mask: 255.255.255.255 up pointopoint running noarp multicast mtu: 1500 Metric: 1 RX packets: 0 errors: 0 dropped: 0 overruns: 0 frame: 0 TX packets: 0 errors: 0 dropped: 0 overruns: 0 carrier: 0 collisions: 0 txqueuelen: 100 RX bytes: 0 (0.0 B) TX bytes: 0 (0.0 B)

Added 10 CIDR blocks.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.