OpenVPN configuration in Linux

Source: Internet
Author: User
Tags openvpn gui

OpenVPN introduction:
 
OpenVPN can run on most common system platforms and is a VPN solution based on SSL/TLS. OpenVPN can implement layer-2 and layer-3 links based on the TAP/TUN virtual device driver, and provides industry-level encryption based on SSL/TLS, and implements all the features of most common VPN solutions. However, there are not many VPN hardware vendors that integrate OpenVPN.


1. Download package # wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gz# wget http://openvpn.net/release/openvpn-2.1_rc22.tar.gz# yum install openssl-devel 2. Unzip and install # tar xvf lzo-2.04.tar.gz # cd lzo-2.04 #. /configure # make & make install # cd .. /# tar xvf openvpn-2.1_rc22.tar.gz # cd openvpn-2.1_rc22 #. /configure # make & make install # cd .. /3. Server Side settings: 1. use easy-rsa to generate server certificate client certificate # cp openvpn-2.1 _ Rc22/easy-rsa/2.0-r/etc/openvpn/# cd/etc/openvpn/2.0/edit the required parameters and call it # vim varsexport D = "'pwd '" export KEY_CONFIG = "$ D/openssl. cnf "export KEY_DIR =" $ D/keys "export KEY_COUNTRY =" CN "export KEY_PROVINCE =" SH "export KEY_CITY =" PD "export KEY_ORG =" zyfmaster "export KEY_EMAIL =" 905407204@qq.com "# source vars # You do not need to set it, directly execute the following command. The following command can be run during the first installation. Do not run the command after adding a client. This command will clear all generated certificate keys. #. /Clean-all generate the server-side ca certificate #. /build-caGenerating a 1024 bit RSA private key ............ ++ .................. ++ writing new private key to 'Ca. key' ----- You are about to be asked to enter information that will be inreceivatedinto your certificate request. what you are about to enter is what is called a Distinguished Name or a DN. there are quite a few fields but you can leave some blankFor some fiel Ds there will be a default value, If you enter '. ', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [SH]: Locality Name (eg, city) [PD]: Organization Name (eg, company) [zyfmaster]: Organizational Unit Name (eg, section) []: zyfmasterCommon Name (eg, your name or your server's hostname) [zyfmaster CA]: serverName []: email Address [905407204@qq.com]: Generate the server key. The server-name is the server name, which can be customized. #. /Build-key-server Generating a 1024 bit RSA private key .......................... ............. ++ ....... ++ writing new private key to 'server. key' ----- You are about to be asked to enter information that will be inreceivatedinto your certificate request. what you are about to enter is what is called a Distinguished Name or a DN. there are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '. ', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [SH]: Locality Name (eg, city) [PD]: Organization Name (eg, company) [zyfmaster]: Organizational Unit Name (eg, section) []: zyfmasterCommon Name (eg, your name or your server's hostname) [server]: serverName []: email Address [905407204 @ q Q.com]: Please enter the following 'extra 'attributesto be sent with your certificate requestA challenge password []: abcd1234An optional company name []: zyfmasterUsing configuration from/etc/openvpn/2.0/openssl. cnfCheck that the request matches the signatureSignature okThe Subject's Distinguished Name is as followscountryName: PRINTABLE: 'cn' stateOrProvinceName: PRINTABLE: 'sh' localityName: PRINTAB LE: 'pd 'organizationname: PRINTABLE: 'zyfmaster' organizationalUnitName: PRINTABLE: 'zyfmaster' commonName: PRINTABLE: 'server' emailAddress: IA5STRING: '1970 @ qq.com 'Certificate is to be certified until Dec 2 04:14:34 905407204 GMT (2022 days) Sign the certificate? [Y/n]: y 1 out of 1 certificate requests certified, commit? [Y/n] yWrite out database with 1 new entriesData Base Updated generate client key #. /build-key client1Generating a 1024 bit RSA private key ............ ++ .................................. ...................... ++ writing new private key to 'client1. key' ----- You are about to be asked to enter information that will be inreceivatedinto your certificate request. what you are about to enter is what is called A Distinguished Name or a DN. there are quite a few fields but you can leave some blankFor some fields there will be a default value, If you enter '. ', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [SH]: Locality Name (eg, city) [PD]: Organization Name (eg, company) [zyfmaster]: Organizational Unit Name (eg, section) []: zyfmasterCommon Name (eg, Your name or your server's hostname) [client1]: client1 # Important: certificates generated by different clients must have different names. name []: Email Address [905407204@qq.com]: Please enter the following 'extra 'attributesto be sent with your certificate requestA challenge password []: abcd1234An optional company name []: zyfmasterUsing configuration from/etc/openvpn/2.0/openssl. cnfCheck that the request matches the signatureSignature okThe Subj Ect's Distinguished Name is as followscountryName: PRINTABLE: 'cn' region: PRINTABLE: 'sh' localityName: PRINTABLE: 'pd 'organizationname: PRINTABLE: 'zyfmaster' organizationalUnitName: PRINTABLE: 'zyfmaster' commonName: PRINTABLE: 'client1' emailAddress: IA5STRING: '2017 @ qq.com 'Certificate is to be certified until Dec 2 04:15:50 905407204 GMT (2022 days) Sign the certificate? [Y/n]: y 1 out of 1 certificate requests certified, commit? [Y/n] yWrite out database with 1 new entriesData Base Updated and so on to create other client keys #. /build-key client2 #. /build-key client3 note that when entering the Common Name (eg, your name or your server's hostname) []: input, each certificate must have a different Name. 5. generate the Diffie Hellman parameter #. /build-dh 6. package and download all files in keys to a local device (you can use winscp, http, ftp, etc ......) # Tar zcvf yskeys.tar.gz keys/* 7. create the server configuration file # mkdir/etc/openvpn/2.0/conf # cp/root/openvpn/openvpn-2.1_rc22/sample-config-files/server. conf/etc/openvpn/2.0/conf/# vim/etc/openvpn/2.0/conf/server. confport 1194 proto udp dev tun ca/etc/openvpn/2.0/keys/ca. crtcert/etc/openvpn/2.0/keys/server. crtkey/etc/openvpn/2.0/keys/server. key # This file shocould be kept secret dh/etc/openvpn/2.0/keys/dh1024.p Em server 10.8.0.0 255.255.255.0push "route 10.8.0.0 255.255.255.0" push "route 0.0.0.0 0.0.0" ifconfig-pool-persist ipp.txt push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 8.8.8.8.8" push ""dhcp-option DNS 8.8.4.4" client-to-client keepalive 10 120 comp-lzo user nobodygroup nobody persist-keypersist-tun status openvpn-status.log log openvpn. logverb 3 4. Enable Server Routing 1. enable route forwarding for CentOS 5 # Vim/etc/sysctl. conf: net. ipv4.ip _ forward = 1 5. Enable sysctl. the conf configuration file takes effect and adds iptables forwarding rules: # sysctl-p # iptables-t nat-a postrouting-o eth0-s 10.8.0.0/24-j MASQUERADE #/etc/init. d/iptables save 6. Start openvpn and add random startup vi/etc/rc. add this line at the end:/usr/local/sbin/openvpn -- config/etc/openvpn/2.0/conf/server. conf & 7. OpenVPN GUI For Windows Client installation process 1. download openvpn-2.1_rc15-install.exe (this version integrates OpenVPN GUI) official: ht Tp: // configure openvpn GUI3. unzip the following certificate files from yskeys.tar.gz packaged in Step 6 to the ca in the OpenVPN GUI installation path OpenVPNconfig folder. crchloroform. keyclient1.crtclient1. csrclient1.key 4. modify client. ovpn install OpenVPN GUI in the path OpenVPNsample-config. copy the ovpn file to your OpenVPN GUI installation path OpenVPNconfig folder and open the client in notepad. ovpn # locate remote my-server-1 1194 and change my-server-1 to your IP address remote. b. c. d (your own VPN address) 5. Double-click client. ovpn can be used to start openvpn, or the VPN can be started through OpenVPN GUI control. view the IP address obtained by the Client: after the connection is successful, go to www.ip138.com to check what the Internet ip address is. If it is the Internet ip address of the CentOS system, the test is successful ~

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.