Example of using OpenVPN to build a VPN server

Source: Internet
Author: User
Tags: auth openssl centos iptables

Environment: a company intranet with one CentOS 6.6 server (server A) whose network card eth0 has the intranet IP 192.168.8.60. The company's public IP is 116.228.12.88, and the router's DMZ function maps that public address to intranet server A (192.168.8.60).

1. Install OpenVPN on the server. The default CentOS repositories carry no OpenVPN package, so add the rpmforge repository first and then install OpenVPN with yum.
For CentOS 5:

rpm -ivh http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS/rpmforge-release-0.5.2-2.el5.rf.x86_64.rpm

For CentOS 6:

rpm -ivh http://apt.sw.be/redhat/el6/en/x86_64/rpmforge/RPMS/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

Note: check whether the server is 32-bit or 64-bit. My server runs 64-bit CentOS, so the packages above are the 64-bit ones; for a 32-bit system, browse http://apt.sw.be/redhat/el6/en and find the address of the matching version.

2. Generate the certificates OpenVPN needs.

OpenVPN ships with the easy-rsa tool, which makes generating the required certificates straightforward. Copy the tool directory to /etc/openvpn and make its scripts executable:

cp -r /usr/share/doc/openvpn-*/easy-rsa /etc/openvpn
cd /etc/openvpn/easy-rsa/2.0
chmod +x *
Run the following commands to create the certificates (the CA, the server certificate, the client certificate and the Diffie-Hellman parameters):

ln -s openssl-1.0.0.cnf openssl.cnf
. vars
./clean-all
./build-ca
./build-key-server server
./build-key client
./build-dh
3. Create the OpenVPN configuration file server.conf in /etc/openvpn:

port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.1.1.0 255.255.255.0

auth-user-pass-verify /etc/openvpn/auth/checkpsw.sh via-env
script-security 3 system
client-cert-not-required
username-as-common-name

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 114.114.114.114"
log /var/log/openvpn.log
keepalive 10 120
verb 3
client-to-client
comp-lzo
persist-key
persist-tun
The address after server is the VPN's virtual subnet: clients are assigned IPs from this range, so make sure it does not overlap any existing LAN subnet.
The auth-user-pass-verify line and the three lines after it let clients authenticate with a username and password. Pay special attention to script-security 3 system: it must be present, and the trailing system must not be left out. I wasted a lot of time on this.

The contents of the checkpsw.sh script are as follows:

#!/bin/sh
# Called by OpenVPN with "auth-user-pass-verify ... via-env": the daemon
# exports $username and $password; exit 0 accepts the login, exit 1 rejects it.
passfile="/etc/openvpn/auth/psw-file"
log_file="/etc/openvpn/auth/openvpn-password.log"
time_stamp=$(date "+%Y-%m-%d %T")

if [ ! -r "${passfile}" ]; then
  echo "${time_stamp}: Could not open password file \"${passfile}\" for reading." >> "${log_file}"
  exit 1
fi

# Look up the first matching line; lines starting with ';' or '#' are comments.
# The username is handed to awk with -v rather than spliced into the awk
# program text, so a crafted username cannot alter the awk code.
correct_password=$(awk -v user="${username}" '!/^;/ && !/^#/ && $1 == user { print $2; exit }' "${passfile}")

if [ "${correct_password}" = "" ]; then
  echo "${time_stamp}: User does not exist: username=\"${username}\", password=\"${password}\"." >> "${log_file}"
  exit 1
fi

if [ "${password}" = "${correct_password}" ]; then
  echo "${time_stamp}: Successful authentication: username=\"${username}\"." >> "${log_file}"
  exit 0
fi

# Note: the failure entries record the submitted password in clear text.
echo "${time_stamp}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> "${log_file}"
exit 1
Here passfile is the path of the username/password file and log_file is the log it writes to. Note that checkpsw.sh needs execute permission. The passfile format is one entry per line: username, a space, then the password, for example:

netingcn MyPassword

Because the passwords are stored in clear text, keep this file readable by root only.
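As an added example (not the article's script and not OpenVPN's sample), here is a hardened variant of checkpsw.sh that keeps the same OpenVPN contract (username and password arrive via-env, exit 0 accepts, exit 1 rejects) but stores salted SHA-256 hashes in the password file instead of clear-text passwords, hands the username to awk as a variable instead of splicing it into the awk program, and never writes the submitted password to the log. The file name checkpsw-hashed.sh, the three-column psw-file layout (username, salt, hex hash) and the use of coreutils sha256sum are my assumptions.

```shell
#!/bin/sh
# checkpsw-hashed.sh: added example of a hardened checkpsw.sh (not the article's script).
# Same contract as the article's script when run by OpenVPN with
# "auth-user-pass-verify ... via-env": $username and $password arrive in the
# environment, exit 0 accepts the login, exit 1 rejects it.
# Assumptions: POSIX sh, awk and coreutils sha256sum; psw-file lines are
# "username salt hexhash" (a hypothetical layout, not OpenVPN's sample format).

PASSFILE="${PASSFILE:-/etc/openvpn/auth/psw-file}"
LOG_FILE="${LOG_FILE:-/etc/openvpn/auth/openvpn-password.log}"

# hash_password SALT PASSWORD -> hex SHA-256 of "SALT:PASSWORD"
hash_password() {
    printf '%s:%s' "$1" "$2" | sha256sum | awk '{ print $1 }'
}

# make_entry USERNAME PASSWORD [SALT] -> one psw-file line; a random 12-byte
# salt is drawn from /dev/urandom when none is given.
make_entry() {
    salt="${3:-$(head -c 12 /dev/urandom | od -An -tx1 | tr -d ' \n')}"
    printf '%s %s %s\n' "$1" "$salt" "$(hash_password "$salt" "$2")"
}

# verify_password PSWFILE USERNAME PASSWORD -> status 0 on match, 1 otherwise.
# Lines starting with ';' or '#' are comments; the first match wins. The
# username goes to awk via -v, so a value such as  x"||1  is compared literally
# instead of being interpolated into the awk program.
verify_password() {
    pswfile="$1"; user="$2"; pass="$3"
    [ -n "$user" ] || return 1
    [ -r "$pswfile" ] || return 1
    entry=$(awk -v u="$user" '!/^[;#]/ && NF >= 3 && $1 == u { print $2, $3; exit }' "$pswfile")
    [ -n "$entry" ] || return 1
    salt=${entry%% *}
    stored=${entry#* }
    [ "$(hash_password "$salt" "$pass")" = "$stored" ]
}

# Entry point: runs only when the file is invoked under its installed name, so
# it can also be sourced to exercise the functions above.
case "$0" in
    */checkpsw-hashed.sh)
        stamp=$(date '+%Y-%m-%d %T')
        if verify_password "$PASSFILE" "$username" "$password"; then
            echo "$stamp: Successful authentication: username=\"$username\"." >> "$LOG_FILE"
            exit 0
        fi
        # Log the failure, but never the submitted password.
        echo "$stamp: Authentication failed: username=\"$username\"." >> "$LOG_FILE"
        exit 1
        ;;
esac
```

To add a user, run make_entry with the username and password and append the printed line to the psw-file; the file still needs to be readable by root only, since the salts and hashes are what an offline guessing attack would work from. The final string compare is not constant-time; the point of the example is to remove clear-text storage, the awk injection and password logging from the article's script.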
4. Start OpenVPN and set it to start at boot.

Start the service:
/etc/init.d/openvpn start

Enable it at boot:
chkconfig openvpn on

The OpenVPN service logs to /var/log/openvpn.log. If startup fails, check the log; the usual cause is a problem with the generated certificates, which can simply be regenerated.

5. Other server settings.
Disable SELinux (takes effect after a reboot):

sed -i '/^SELINUX=/c\SELINUX=disabled' /etc/selinux/config

Enable IP forwarding:

sed -i '/net.ipv4.ip_forward/s/0/1/g' /etc/sysctl.conf
sysctl -w net.ipv4.ip_forward=1

Enable iptables NAT:

iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j SNAT --to-source

Special note on the --to-source value: some articles say it is the company's public IP, which is not quite accurate. If the server's network card is bound to a public IP, i.e. the machine itself acts as the routing server, then use the public IP. My server is an ordinary machine on the LAN with only a LAN address, so here it is this machine's own IP (192.168.8.60 in the environment above).

Without the iptables rule you can connect to the VPN server but cannot reach the Internet through it. Additional rules that may be required:

iptables -A FORWARD -i tun0 -s 10.1.1.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -d 10.1.1.0/24 -j ACCEPT
iptables -I INPUT -p tcp --dport 1194 -m comment --comment "OpenVPN" -j
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE
The client can be downloaded from https://openvpn.net/index.php/download/community-downloads.html.

Taking the Windows 7 client as an example: after installing it, open the default installation path C:\Program Files\OpenVPN\config and create a client.ovpn file there.
For certificate authentication its contents are as follows:

client
dev tun
proto tcp
remote 116.228.12.88 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
redirect-gateway def1
route-method exe
route-delay 2
Copy the server's ca.crt, client.crt and client.key into the same directory; the remote line takes the company's public IP.

For username/password authentication the file is as follows:

client
dev tun
proto tcp
remote 116.228.208.10 2294
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
;auth-user-pass
auth-user-pass pass.txt
comp-lzo
verb 3
redirect-gateway def1
route-method exe
route-delay 2
Only the server's ca.crt needs to be copied into the directory; also create a pass.txt there containing the username and password, one per line, in this format:

username
password

That completes the configuration. Right-click the client icon and choose Connect; the connection should come up.
