[Centos] install openvpn server (easy-rsa3), centosopenvpn
VPN is widely used in office and fan wall fields. We may use it in small office networks recently. Learn it first.
The vpn server must have a public ip address, which can be used by clients in multiple environments.
Concept
PKI: Public Key Infrastructure CA: core of Certificate Authority pki
Some simple concepts of https://github.com/OpenVPN/easy-rsa/tree/master/doc here
Centos6.6 in virtual machine environment
Nic
eth0 Link encap:Ethernet HWaddr 00:50:56:35:E7:EC inet addr:192.168.37.129 Bcast:192.168.37.255 Mask:255.255.255.0 inet6 addr: fe80::250:56ff:fe35:e7ec/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:108531 errors:0 dropped:0 overruns:0 frame:0 TX packets:89610 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:82324349 (78.5 MiB) TX bytes:10389968 (9.9 MiB)
Objective: To set up the openvpn service and run it properly (iptables is not set here)
Install dependency packages
Yum install-y openssl-devel lzo-devel pam-devel automake pkgconfigyum install openvpn # The openvpn version is 2.3.6 easy-rsa3
Generate Certificate
# Configuration file directories are generally in a similar directory cp/usr/share/doc/openvpn-2.3.6/sample-config-files/server. conf/etc/openvpn/#2.3 needs to download an easy-rsa package independently. This package is used to create ca certificates and server certificates, client certificate wget-c https://github.com/OpenVPN/easy-rsa/archive/master.zipunzip master.zip mv easy-rsa-master easy-rsacp-rf easy-rsa/etc/openvpneasy-rsa operate cd/etc/openvpn/According to github documentation/ easy-rsa/easyrsa3cp vars. example vars # In general, the default configuration can meet your needs, or you can modify it as needed. /easyrsa init-pk I # create an empty pki structure to generate a series of files and directories. /easyrsa build-ca # Remember to create the ca password and cn. /easyrsa gen-req server nopass # create the common name of the server certificate. It is best not to use the same name as the preceding cn. /easyrsa sign server # sign the server certificate. /easyrsa gen-dh # create Diffie-Hellman # The following is the client certificate # first create a working directory cd/home/mkdir client & cd clientcp-R ~ /Easy-rsa /. /# This is the decompressed easy-rsa instead of the easy-rsacd easy-rsa/easyrsa3/cp vars that generates the server certificate. example vars # Start generation. /easyrsa init-pki. /easyrsa gen-req orangleliu # use your own name. You need to create a password and cn name. Remember what you use # The client certificate must interact with the server, that is, sign the contract, this way, the user can use this vpn # Switch to cd/etc/openvpn/easy-rsa/easyrsa3/Under the server certificate directory /. /easyrsa import-req/home/client/easy-rsa/easyrsa3/pki/reqs/orangleliu. req orangleliu # import req. /easyrsa sign client orangleliu # sign the contract and enter the ca password of the server as prompted
See what is generated by/etc/openvpn/easy-rsa/easyrsa3.
[root@localhost easyrsa3]# tree pkipki├── ca.crt├── certs_by_serial│ ├── 01.pem│ └── 02.pem├── dh.pem├── index.txt├── index.txt.attr├── index.txt.attr.old├── index.txt.old├── issued│ ├── orangleliu.crt│ └── server.crt├── private│ ├── ca.key│ └── server.key├── reqs│ ├── orangleliu.req│ └── server.req├── serial└── serial.old
Check the client/home/client/easy-rsa/easyrsa3.
pki├── private│ └── orangleliu.key└── reqs └── orangleliu.req
Put these files in the corresponding directory of the server certificate (put in a directory of the configuration file for easy configuration and search)
cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /etc/openvpn/cp /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key /etc/openvpn/cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt /etc/openvpn/cp /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem /etc/openvpn/
Client certificate (only centralized to a folder for vpn Users)
mkdir /home/myclientcp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /home/myclient/cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/orangleliu.crt /home/myclient/cp /home/client/easy-rsa/easyrsa3/pki/private/orangleliu.key /home/myclient/
The most difficult part has passed. The following is the configuration service. Check whether the Configuration Service vim/etc/openvpn/server. conf has the specific meaning of each configuration. The configuration file has a detailed explanation.
local 192.168.37.129port 1194proto udpdev tunca /etc/openvpn/ca.crtcert /etc/openvpn/server.crtkey /etc/openvpn/server.key # This file should be kept secretdh /etc/openvpn/dh.pemserver 10.8.0.0 255.255.255.0ifconfig-pool-persist ipp.txtpush "redirect-gateway def1 bypass-dhcp"push "dhcp-option DNS 114.114.114.114"comp-lzomax-clients 100keepalive 10 120persist-keypersist-tunstatus openvpn-status.logverb 3
Start the service
[root@localhost easyrsa3]# service openvpn startStarting openvpn: [FAILED]
View startup log Options error: Unrecognized option or missing parameter (s) in server. conf: 35: kcomp-lzo (2.3.6)
The configuration is incorrect .. It should be comp-lzo.
Restart
[root@localhost easyrsa3]# service openvpn startStarting openvpn: [ OK ]
OK.
Ifconfig view Nic information tun0 Link encap: UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr: 10.8.0.1 P-t-P: 10.8.0.2 Mask: 255.255.255.255 up pointopoint running noarp multicast mtu: 1500 Metric: 1 RX packets: 0 errors: 0 dropped: 0 overruns: 0 frame: 0 TX packets: 0 errors: 0 dropped: 0 overruns: 0 carrier: 0 collisions: 0 txqueuelen: 100 RX bytes: 0 (0.0 B) TX bytes: 0 (0.0 B)
Added 10 CIDR blocks.
Linux using openvpn https://openvpn.net/index.php/access-server/docs/admin-guides/182-how-to-connect-to-access-server-with-linux-clients.html, win7 client driver problem, in linux test vpn service normal.
Reference http://ju.outofmemory.cn/entry/71676http://www.raspberrypi.org/forums/viewtopic.php? P = 535351 & t = 70594
This article from the "orangleliu notebook" blog, reprint please be sure to keep this source http://blog.csdn.net/orangleliu/article/details/43157955
Author orangleliu adopts signature-non-commercial use-share protocol in the same way