Configure OpenVPN on Ubuntu
First, make sure that Ubuntu's apt-get can find the openvpn package:
sudo apt-get update
Install the openvpn package:
sudo apt-get install openvpn
Create an OpenVPN server configuration file. A sample configuration is shipped at the following path:
/usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz
Explanation of the common parameters:
port 1194: the port OpenVPN listens on
proto udp: use the UDP protocol
dev tun: use a routed IP tunnel (dev tap would be an Ethernet bridging tunnel)
ca /etc/openvpn/keys/ca.crt: CA certificate path
cert /etc/openvpn/keys/server.crt: server certificate path
key /etc/openvpn/keys/server.key: server key path
dh /etc/openvpn/keys/dh1024.pem: Diffie-Hellman parameters file
server 192.168.200.0 255.255.255.0: server mode; 192.168.200.1 is kept by the server itself and addresses from 192.168.200.0/24 are assigned to clients
ifconfig-pool-persist /var/log/openvpn/ipp.txt: record the IP address each client obtained, so that a client gets the same IP when it reconnects
push "route 192.168.150.0 255.255.255.0": allow clients to reach a private network behind the server, for example 192.168.150.0/24
client-config-dir ccd: the name of the client-config directory
route 192.168.153.0 255.255.255.0: allow a specific private network, such as 192.168.153.0/24, to access the VPN
keepalive 10 120: ping every 10 seconds; if no response arrives within 120 seconds the client is considered down
comp-lzo: use compression on the VPN connection; server and client must both enable it
user nobody: drop the daemon's privileges, for security
group nobody: drop the daemon's privileges, for security
persist-key: when the VPN restarts after a keepalive timeout, do not re-read the keys; keep the ones already loaded
persist-tun: when the VPN restarts after a keepalive timeout, keep the tun or tap device linked up; otherwise the network connection goes linkdown and then linkup again
status /var/log/openvpn/openvpn-status.log: VPN status log
log-append /var/log/openvpn.log: VPN system log
verb 3: output verbosity level; 3 is normal
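The following script is an added example, not part of the original page: it writes a server.conf made of exactly the parameters explained above and then parses the file back to confirm that every ca/cert/key/dh path it references exists and that the private key is not readable by group or others (a misconfigured key mode is the most common reason a fresh server is less protected than it looks). The key directory, log directory and subnets are the ones assumed by the text.

```shell
#!/bin/sh
# Added example (not from the page). Renders an OpenVPN server.conf from the
# parameters explained above and validates the file paths it references.
# Usage: render_server_conf /etc/openvpn/keys /var/log/openvpn > /etc/openvpn/server.conf
#        check_conf_paths /etc/openvpn/server.conf

# render_server_conf KEYDIR LOGDIR: print the configuration to stdout.
render_server_conf() {
  keydir=$1
  logdir=$2
  cat <<EOF
port 1194
proto udp
dev tun
ca $keydir/ca.crt
cert $keydir/server.crt
key $keydir/server.key
dh $keydir/dh1024.pem
server 192.168.200.0 255.255.255.0
ifconfig-pool-persist $logdir/ipp.txt
push "route 192.168.150.0 255.255.255.0"
client-config-dir ccd
route 192.168.153.0 255.255.255.0
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status $logdir/openvpn-status.log
log-append $logdir/openvpn.log
verb 3
EOF
}

# check_conf_paths CONF: for the ca, cert, key and dh directives, verify the
# referenced file exists; for key, also verify it is readable only by its owner.
# Prints each problem and returns 1 if any was found, 0 otherwise.
check_conf_paths() {
  conf=$1
  rc=0
  for directive in ca cert key dh; do
    path=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
    if [ -z "$path" ] || [ ! -f "$path" ]; then
      echo "$directive: missing file '$path'"
      rc=1
    fi
  done
  keyfile=$(awk '$1 == "key" { print $2; exit }' "$conf")
  # find prints the file only if the group-read or other-read bit is set
  if [ -f "$keyfile" ] && [ -n "$(find "$keyfile" \( -perm -040 -o -perm -004 \))" ]; then
    echo "key: $keyfile is readable by group or others; chmod 600 it"
    rc=1
  fi
  return $rc
}
```

Run check_conf_paths once after copying the certificates into place and once more after any change to the config: it catches a typo in a path before OpenVPN fails to start, and it refuses a server.key that a later step (for example a careless cp) left world-readable.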
Use easy-rsa to create the certificates and keys. The scripts can be found at the following path:
/usr/share/doc/openvpn/examples/easy-rsa
Copy easy-rsa to /etc/openvpn/easy-rsa.
Create the CA
First, edit the environment variables in the vars file under easy-rsa:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SH"
export KEY_CITY="Shanghai"
export KEY_ORG="My Company"
export KEY_EMAIL="admin@mycompany.com.cn"
Then, inside the easy-rsa directory, execute the following commands in order:
source vars
./clean-all
./build-ca
Create the server certificate and key
Execute in easy-rsa:
./build-key-server server
Create the client certificate and key
Execute in easy-rsa:
./build-key client01
Generate the Diffie-Hellman parameters
Execute in easy-rsa:
./build-dh
Copy the following files to /etc/openvpn/keys:
ca.crt
dh1024.pem
server.crt
server.key
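As an added example that is not part of the original page, the whole easy-rsa sequence above (vars, clean-all, build-ca, build-key-server, build-key, build-dh, copy to /etc/openvpn/keys) gathered into one script. It assumes easy-rsa 2.x was copied to /etc/openvpn/easy-rsa as the text says and that its scripts read their settings from the environment after vars is sourced; the vars.local file name and the build argument are conventions of this example, not of easy-rsa. The copy step is where a practitioner should be careful: the server's private key must land with mode 600, and the client only ever receives ca.crt plus its own client01.crt and client01.key.

```shell
#!/bin/sh
# Added example (not from the page): easy-rsa 2.x build and key installation.
# Usage: sh build-pki.sh build      (interactive; easy-rsa prompts for each cert)
# Assumed locations, taken from the text:
EASYRSA_DIR=${EASYRSA_DIR:-/etc/openvpn/easy-rsa}
KEYS_DIR=${KEYS_DIR:-/etc/openvpn/keys}

# write_vars_overrides FILE: the identity values the text puts into vars,
# written to a separate file (this example's convention) so the stock vars
# stays untouched and the values survive an easy-rsa upgrade.
write_vars_overrides() {
  cat > "$1" <<'EOF'
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SH"
export KEY_CITY="Shanghai"
export KEY_ORG="My Company"
export KEY_EMAIL="admin@mycompany.com.cn"
EOF
}

# build_pki: the exact command sequence from the text, run inside easy-rsa.
# clean-all deletes the existing keys directory, so only use this for a new CA.
build_pki() {
  cd "$EASYRSA_DIR" || return 1
  . ./vars
  . ./vars.local
  ./clean-all
  ./build-ca
  ./build-key-server server
  ./build-key client01
  ./build-dh
}

# install_keys SRC DST: copy the four files the server configuration references.
# Certificates and DH parameters are public (644); server.key is owner-only (600).
# The dh file name follows KEY_SIZE in vars (dh1024.pem for 1024), so the glob
# picks up whichever size was built; the dh line in server.conf must match it.
install_keys() {
  src=$1
  dst=$2
  mkdir -p "$dst" && chmod 700 "$dst" || return 1
  for f in ca.crt server.crt; do
    install -m 644 "$src/$f" "$dst/$f" || return 1
  done
  install -m 600 "$src/server.key" "$dst/server.key" || return 1
  for f in "$src"/dh*.pem; do
    install -m 644 "$f" "$dst/" || return 1
  done
}

if [ "${1:-}" = "build" ]; then
  write_vars_overrides "$EASYRSA_DIR/vars.local"
  build_pki && install_keys "$EASYRSA_DIR/keys" "$KEYS_DIR"
fi
```

The build-* scripts prompt for the certificate fields and show the values from vars as defaults, so the script is interactive by design; the client files client01.crt and client01.key stay in easy-rsa/keys and are handed to the client over a separate trusted channel, never copied into the server's keys directory.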
Load the tun kernel module:
sudo modprobe tun
Enable IP forwarding. Note that "sudo echo 1 > /proc/sys/net/ipv4/ip_forward" fails, because the redirection is performed by your unprivileged shell before sudo runs; either let tee do the write under sudo, as below, or run the command in a root shell:
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
Confirm that the nobody group exists; if it does not, create a nobody group. (This had me stuck for half a day.)
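The three host prerequisites above (tun module, IP forwarding, the group named in "group nobody") as an added preflight script that is not part of the original page. Each check is a function that returns 0 when satisfied and takes the file it inspects as an optional parameter so it can be exercised against a copied file; the defaults are the real paths. One fact worth knowing for the "nobody group" step: Debian-based systems, Ubuntu included, ship the group nogroup rather than nobody, which is why OpenVPN refuses to drop privileges and exits until you either create the group or change the config line to "group nogroup".

```shell
#!/bin/sh
# Added example (not from the page): checks the host before starting OpenVPN.
# Usage: preflight && sudo /etc/init.d/openvpn start

# tun_available [DEVICE]: "sudo modprobe tun" creates the character device.
tun_available() {
  [ -c "${1:-/dev/net/tun}" ]
}

# ip_forward_enabled [FILE]: true when the sysctl file contains 1.
ip_forward_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# enable_ip_forward [FILE]: tee runs under sudo, so the write itself is
# privileged (a plain "sudo echo 1 > file" redirects as the calling user).
# This only lasts until reboot; net.ipv4.ip_forward=1 in /etc/sysctl.conf persists it.
enable_ip_forward() {
  echo 1 | sudo tee "${1:-/proc/sys/net/ipv4/ip_forward}" >/dev/null
}

# group_exists NAME [GROUPFILE]: the group from "group nobody" must exist,
# otherwise the daemon cannot drop privileges and fails to start.
group_exists() {
  grep -q "^$1:" "${2:-/etc/group}"
}

# preflight: run every check, print what is missing, return 1 if anything is.
preflight() {
  rc=0
  tun_available || { echo "tun device missing: run sudo modprobe tun"; rc=1; }
  ip_forward_enabled || { echo "ip_forward is off: run enable_ip_forward"; rc=1; }
  group_exists nobody || { echo "group nobody missing: sudo groupadd nobody, or use group nogroup"; rc=1; }
  return $rc
}
```

Running preflight before the start command turns the three silent failure modes of this how-to (no tun device, forwarding off so clients reach the VPN but nothing behind it, and a missing group that stops the daemon) into explicit messages.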
Finally, start the service:
sudo /etc/init.d/openvpn start