OpenVPN Construction in Linux
Tags: original, vpn. This article may be reprinted; a reprint must indicate the original source, author information and this statement via hyperlink, otherwise legal liability will be pursued. http://304076020.blog.51cto.com/7503470/1605312
Lab Environment
System: CentOS 6.5
Hostname: openvpn-server
IP: 192.168.1.236
Installation package address: http://down.51cto.com/data/1976343 (free download)
[root@openvpn-server ~]# yum -y install openssl-devel gcc
1. Install lzo
Note: lzo compresses the tunnel traffic to speed up transmission.
[root@vpn-server opt]# tar zxf lzo-2.03.tar.gz
[root@vpn-server opt]# cd lzo-2.03
[root@vpn-server lzo-2.03]# ./configure --prefix=/usr
[root@vpn-server lzo-2.03]# make && make install
2. Install OpenVPN
[root@vpn-server opt]# tar zxf openvpn-2.0.9.tar.gz
[root@vpn-server opt]# cd openvpn-2.0.9
[root@vpn-server openvpn-2.0.9]# ./configure --with-lzo-lib=/usr
[root@vpn-server openvpn-2.0.9]# make && make install
3. OpenVPN Server Configuration
[root@openvpn-server openvpn-2.0.9]# vi /opt/openvpn-2.0.9/easy-rsa/2.0/vars
export KEY_COUNTRY=CN            # country
export KEY_PROVINCE=GD           # province
export KEY_CITY=Shenzhen         # city
export KEY_ORG="Kimvpn"          # organization the CA certificate is issued for
export KEY_EMAIL="kim@163.com"   # e-mail address; any value will do
[root@openvpn-server openvpn-2.0.9]# source /opt/openvpn-2.0.9/easy-rsa/2.0/vars   # make the modified variables take effect
NOTE: If you run ./clean-all, I will be doing a rm -rf on /root/keys
4. OpenVPN Configuration
[root@vpn-server ~]# cd /opt/openvpn-2.0.9/easy-rsa/2.0
[root@openvpn-server 2.0]# ./clean-all     # remove all existing OpenVPN certificate files
[root@openvpn-server 2.0]# ./build-ca      # generate the CA certificate
[root@openvpn-server 2.0]# ls -lsart keys | grep ca
4 -rw------- 1 root 916 Jan 8 12:12 ca.key
4 -rw-r--r-- 1 root 1220 Jan 8 12:12 ca.crt
[root@openvpn-server 2.0]# ./build-dh      # generate the dh1024.pem file
Generate the server certificate and key:
[root@openvpn-server 2.0]# ./build-key-server Kimvpn
Generate a certificate file for each client. This article uses two users, client1 and client2, as an example.
[root@openvpn-server 2.0]# ./build-key client1
[root@openvpn-server 2.0]# ./build-key client2   # same as above
[root@openvpn-server 2.0]# ls -lsart keys
Modify the OpenVPN server configuration file /etc/server.conf:
[root@openvpn-server 2.0]# cp -p /opt/openvpn-2.0.9/sample-config-files/server.conf /etc/server.conf
[root@openvpn-server 2.0]# vi /etc/server.conf   # change the configuration to the following:
proto tcp                            # change "proto udp" to "proto tcp" so the server listens on a TCP port
ca /opt/openvpn-2.0.9/easy-rsa/2.0/keys/ca.crt
cert /opt/openvpn-2.0.9/easy-rsa/2.0/keys/Kimvpn.crt
key /opt/openvpn-2.0.9/easy-rsa/2.0/keys/Kimvpn.key
dh /opt/openvpn-2.0.9/easy-rsa/2.0/keys/dh1024.pem
log /var/log/openvpn.log             # enable logging
server 192.168.2.0 255.255.255.0     # address pool the OpenVPN server hands out to VPN clients; it must not overlap the company's real address range
verb 5
[root@openvpn-server 2.0]# echo "1" > /proc/sys/net/ipv4/ip_forward   # enable IP forwarding so packets can flow between network segments
[root@openvpn-server ~]# /usr/local/sbin/openvpn --config /etc/server.conf &   # start the VPN in the background
[root@openvpn-server ~]# netstat -anpt | grep openvpn
tcp        0      0 0.0.0.0:1194                0.0.0.0:*                   LISTEN      51774/openvpn
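Before starting the daemon it is worth checking that server.conf actually points at readable files, that the server private key is not group- or world-readable, and that a crl-verify line is present (section 7 below shows why that matters). The following audit script is an added example, not part of the original article or of OpenVPN; the key directory and the two configuration files it examines are constructed inside a temporary directory, and the Kimvpn.key it creates is deliberately left mode 644 for the first run to show what the check reports.

```shell
#!/bin/sh
# Added example (not from the original article): audit an OpenVPN server.conf
# the way a reviewer would after the edits above. It checks that the ca/cert/
# key/dh directives point at readable files, that the private key is owner-only,
# and that crl-verify is present, since without it revoked client certificates
# are still accepted.
set -e

# Print the first argument of a directive ("#" and ";" comment lines never match).
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Report findings, one per line, prefixed with "PROBLEM:" or "OK:".
audit_server_conf() {
    conf="$1"
    for d in ca cert key dh; do
        f=$(conf_value "$conf" "$d")
        if [ -z "$f" ]; then
            echo "PROBLEM: no '$d' directive in $conf"
        elif [ ! -r "$f" ]; then
            echo "PROBLEM: $d points at unreadable file $f"
        else
            echo "OK: $d -> $f"
        fi
    done

    key=$(conf_value "$conf" key)
    if [ -n "$key" ] && [ -r "$key" ]; then
        # Columns 5-10 of "ls -l" are the group and other permission bits.
        case "$(ls -l "$key" | cut -c5-10)" in
            ------) echo "OK: $key is owner-only ($(ls -l "$key" | cut -c1-10))" ;;
            *)      echo "PROBLEM: private key $key is group/world accessible ($(ls -l "$key" | cut -c1-10))" ;;
        esac
    fi

    crl=$(conf_value "$conf" crl-verify)
    if [ -z "$crl" ]; then
        echo "PROBLEM: no crl-verify directive; revoked client certificates are still accepted"
    elif [ ! -r "$crl" ]; then
        echo "PROBLEM: crl-verify points at unreadable file $crl"
    else
        echo "OK: crl-verify -> $crl"
    fi
}

# Number of problems found, for use in scripts.
audit_count() {
    audit_server_conf "$1" | grep -c '^PROBLEM' || true
}

# Constructed fixture: a fake key directory and two configs, one as the article
# leaves server.conf after section 4 (no crl-verify) and one after section 7.
DEMO="$(mktemp -d)"
KEYS="$DEMO/keys"
mkdir -p "$KEYS"
for f in ca.crt Kimvpn.crt Kimvpn.key dh1024.pem crl.pem; do
    echo "placeholder" > "$KEYS/$f"
done
chmod 644 "$KEYS/Kimvpn.key"   # deliberately too open for the first run

cat > "$DEMO/before.conf" <<EOF
proto tcp
ca $KEYS/ca.crt
cert $KEYS/Kimvpn.crt
key $KEYS/Kimvpn.key
dh $KEYS/dh1024.pem
log /var/log/openvpn.log
server 192.168.2.0 255.255.255.0
verb 5
EOF
cp "$DEMO/before.conf" "$DEMO/after.conf"
echo "crl-verify $KEYS/crl.pem" >> "$DEMO/after.conf"

echo "== before.conf (as left after section 4) =="
audit_server_conf "$DEMO/before.conf"      # two problems: key mode, no crl-verify
chmod 600 "$KEYS/Kimvpn.key"               # the fix for the key finding
echo "== after.conf (crl-verify added, key locked down) =="
audit_server_conf "$DEMO/after.conf"       # no problems
```

Point the script at the real /etc/server.conf by calling audit_server_conf on it instead of the constructed files; the checks are the same.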
5. Client Configuration
On the Linux side, log on to the OpenVPN server and fetch client.conf from the /opt/openvpn-2.0.9/sample-config-files directory.
Download it to the Windows VPN client machine, place it in the C:\Program Files (x86)\OpenVPN\config directory and rename it client.ovpn. Then download ca.crt, client1.crt and client1.key from the /opt/openvpn-2.0.9/easy-rsa/2.0/keys directory to the Windows VPN client and place them in the same C:\Program Files (x86)\OpenVPN\config directory.
Edit the client.ovpn file in the C:\Program Files (x86)\OpenVPN\config directory:
proto tcp                    # change "proto udp" to "proto tcp"
remote 192.168.1.236 1194
ca ca.crt
cert client1.crt
key client1.key
#comp-lzo                    # comment out comp-lzo
6. Connect the client to the VPN
Click the OpenVPN GUI icon in the lower-right corner of Windows and select Connect.
As you can see, the client has obtained the IP address allocated by vpn-server.
7. Revoke a VPN user
Note: Because the VPN is used in an enterprise, the VPN server creates a certificate file for each VPN client. When a colleague leaves, that user's certificate must be revoked. Taking user client1 as an example:
[root@openvpn-server ~]# cd /opt/openvpn-2.0.9/easy-rsa/2.0/
[root@openvpn-server 2.0]# ./revoke-full client1
Please source the vars script first (i.e. "source ./vars")
Make sure you have edited it to reflect your configuration.
The system prompts you to perform the above operation first:
[root@openvpn-server 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /opt/openvpn-2.0.9/easy-rsa/2.0/keys
Then revoke:
[root@openvpn-server 2.0]# ./revoke-full client1
Note: The error shown above is normal. It is a bug in OpenVPN; the workaround is as follows:
[root@openvpn-server 2.0]# vi /opt/openvpn-2.0.9/easy-rsa/2.0/openssl.cnf
Revoke again:
[root@openvpn-server 2.0]# ./revoke-full client1
"error 23" here means the certificate has been revoked successfully. You will find, however, that this certificate can still log on: revoke-full writes the revoked certificate into crl.pem under keys, but the server does not consult that file unless it is told to, so the revocation is not yet effective. You need to do the following:
[root@openvpn-server 2.0]# vi /etc/server.conf
crl-verify /opt/openvpn-2.0.9/easy-rsa/2.0/keys/crl.pem   # add this line
Restart OpenVPN; the client can no longer log on to the VPN.
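The "revoked but still accepted" gap in section 7 is easy to reproduce outside OpenVPN, and doing so also shows what build-ca, build-key and revoke-full from section 4 do underneath. The script below is an added example, not code from the article or from easy-rsa: it builds a throwaway CA and client certificate with plain openssl commands in a temporary directory (a minimal openssl.cnf stands in for easy-rsa's), revokes the client, and then verifies the certificate twice, once with a chain check alone, which is all a server without crl-verify performs, and once with the CRL consulted. Everything, including the "Demo CA" and "client1" names, is constructed for the demonstration; openssl 1.1 or later is assumed.

```shell
#!/bin/sh
# Added example (not from the original article): reproduce the section-7
# finding with plain openssl. A throwaway CA issues client1, revokes it and
# writes crl.pem; the certificate is then verified as a server without
# crl-verify sees it (chain only) and as one with crl-verify sees it.
# easy-rsa's build-ca / build-key / revoke-full wrap the same openssl calls.
set -e

WORK="$(mktemp -d)"          # scratch directory; everything below is constructed here
CA_DIR="$WORK/ca"
CFG="$WORK/openssl.cnf"

# Minimal stand-in for easy-rsa's openssl.cnf with only the sections needed.
write_config() {
    mkdir -p "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
    echo 01 > "$CA_DIR/crlnumber"
    cat > "$CFG" <<EOF
[ ca ]
default_ca         = demo_ca
[ demo_ca ]
dir                = $CA_DIR
database           = \$dir/index.txt
new_certs_dir      = \$dir/newcerts
certificate        = \$dir/ca.crt
private_key        = \$dir/ca.key
serial             = \$dir/serial
crlnumber          = \$dir/crlnumber
default_md         = sha256
default_days       = 365
default_crl_days   = 30
policy             = demo_policy
x509_extensions    = usr_cert
[ demo_policy ]
commonName         = supplied
[ usr_cert ]
basicConstraints   = CA:FALSE
[ v3_ca ]
basicConstraints   = critical,CA:TRUE
keyUsage           = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName         = Common Name
EOF
}

# build-ca: self-signed CA certificate and key.
build_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -config "$CFG" -extensions v3_ca \
        -subj "/CN=Demo CA" -days 365 \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" >/dev/null 2>&1
}

# build-key: client key and CSR, signed through the CA database so that the
# serial is recorded in index.txt for the later revocation.
build_key() {
    openssl req -new -newkey rsa:2048 -nodes -config "$CFG" -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl ca -batch -notext -config "$CFG" \
        -in "$WORK/$1.csr" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# revoke-full: mark the certificate revoked and regenerate crl.pem.
revoke_full() {
    openssl ca -config "$CFG" -revoke "$WORK/$1.crt" >/dev/null 2>&1
    openssl ca -config "$CFG" -gencrl -out "$CA_DIR/crl.pem" >/dev/null 2>&1
}

# A server without crl-verify: chain validation only. Returns 0 on "OK".
verify_plain() {
    openssl verify -CAfile "$CA_DIR/ca.crt" "$WORK/$1.crt" 2>&1 | grep -q "$1.crt: OK"
}

# A server with crl-verify: chain validation plus a CRL lookup. Returns 0 on "OK".
verify_with_crl() {
    openssl verify -crl_check -CAfile "$CA_DIR/ca.crt" -CRLfile "$CA_DIR/crl.pem" \
        "$WORK/$1.crt" 2>&1 | grep -q "$1.crt: OK"
}

# The X509 error number from the CRL-aware check; 23 is "certificate revoked",
# the same number revoke-full prints when the revocation has worked.
crl_error_code() {
    openssl verify -crl_check -CAfile "$CA_DIR/ca.crt" -CRLfile "$CA_DIR/crl.pem" \
        "$WORK/$1.crt" 2>&1 | sed -n 's/^error \([0-9]*\) at [0-9]* depth lookup.*/\1/p' | head -n 1
}

write_config
build_ca
build_key client1
revoke_full client1

if verify_plain client1; then
    echo "without crl-verify: client1 still validates after revocation"
fi
if verify_with_crl client1; then
    echo "unexpected: CRL check accepted a revoked certificate"
else
    echo "with crl-verify: client1 rejected, error $(crl_error_code client1) (certificate revoked)"
fi
```

The first verification succeeds because the client certificate is still a validly signed, unexpired leaf under the CA; nothing in the chain itself records the revocation. Only the CRL lookup turns it into error 23, which is exactly what the crl-verify line in server.conf makes the OpenVPN server do on every client connection.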
This article is from the "Linux art (Q group: 1991706)" blog. Please be sure to keep this source: http://304076020.blog.51cto.com/7503470/1605312