OpenVPN setup on Linux
Tags: vpn. This is an original article and may be reprinted; when reprinting, link to the original source and keep the author information and this statement, otherwise legal liability may follow. Source: http://304076020.blog.51cto.com/7503470/1605312
Lab environment
System: CentOS 6.5
Hostname: openvpn-server
IP: 192.168.1.236
Installation packages: http://down.51cto.com/data/1976343 (free, no download credits required)
[root@openvpn-server ~]# yum -y install openssl-devel gcc
1. Install LZO
Note: LZO compresses the tunnel traffic to speed up transmission.
[root@vpn-server opt]# tar zxf lzo-2.03.tar.gz
[root@vpn-server opt]# cd lzo-2.03
[root@vpn-server lzo-2.03]# ./configure --prefix=/usr
[root@vpn-server lzo-2.03]# make && make install
2. Install OpenVPN
[root@vpn-server opt]# tar zxf openvpn-2.0.9.tar.gz
[root@vpn-server opt]# cd openvpn-2.0.9
[root@vpn-server openvpn-2.0.9]# ./configure --with-lzo-lib=/usr
[root@vpn-server openvpn-2.0.9]# make && make install
3. OpenVPN server configuration
[root@openvpn-server openvpn-2.0.9]# vi /opt/openvpn-2.0.9/easy-rsa/2.0/vars
export KEY_COUNTRY=CN            # country
export KEY_PROVINCE=GD           # province
export KEY_CITY=Shenzhen         # city
export KEY_ORG="Kimvpn"          # organization name written into the generated CA certificate
export KEY_EMAIL="kim@163.com"   # e-mail address; any value may be used
[root@openvpn-server openvpn-2.0.9]# source /opt/openvpn-2.0.9/easy-rsa/2.0/vars   # make the modified variables take effect
NOTE: when you run ./clean-all, I will be doing a rm -rf on /root/keys
4. OpenVPN configuration
[root@vpn-server ~]# cd /opt/openvpn-2.0.9/easy-rsa/2.0
[root@openvpn-server 2.0]# ./clean-all   # remove all existing OpenVPN certificate files
[root@openvpn-server 2.0]# ./build-ca    # generate the CA certificate
[root@openvpn-server 2.0]# ls -lsart keys | grep ca
4 -rw------- 1 root root  916 Jan  8 12:12 ca.key
4 -rw-r--r-- 1 root root 1220 Jan  8 12:12 ca.crt
[root@openvpn-server 2.0]# ./build-dh    # generate the dh1024.pem file
Generate the certificate and key for the server:
[root@openvpn-server 2.0]# ./build-key-server Kimvpn
Generate a certificate file for each client. This article uses two users, client1 and client2, as an example.
[root@openvpn-server 2.0]# ./build-key client1
[root@openvpn-server 2.0]# ./build-key client2   # same as above
[root@openvpn-server 2.0]# ls -lsart keys
Modify the OpenVPN server configuration file /etc/server.conf:
[root@openvpn-server 2.0]# cp -p /opt/openvpn-2.0.9/sample-config-files/server.conf /etc/server.conf
[root@openvpn-server 2.0]# vi /etc/server.conf   # change the configuration to the following:
proto tcp                          # change proto udp to proto tcp so the server listens on a TCP port
ca /opt/openvpn-2.0.9/easy-rsa/2.0/keys/ca.crt
cert /opt/openvpn-2.0.9/easy-rsa/2.0/keys/Kimvpn.crt
key /opt/openvpn-2.0.9/easy-rsa/2.0/keys/Kimvpn.key
dh /opt/openvpn-2.0.9/easy-rsa/2.0/keys/dh1024.pem
log /var/log/openvpn.log           # enable logging
server 192.168.2.0 255.255.255.0   # address pool the OpenVPN server hands out to VPN clients; it must not overlap the company's real address range
verb 5
[root@openvpn-server 2.0]# echo "1" > /proc/sys/net/ipv4/ip_forward   # enable IP forwarding so packets can flow between network segments
[root@openvpn-server ~]# /usr/local/sbin/openvpn --config /etc/server.conf &   # start the VPN in the background
[root@openvpn-server ~]# netstat -anpt | grep openvpn
tcp        0      0 0.0.0.0:1194                0.0.0.0:*                   LISTEN      51774/openvpn
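As an added check that is not part of the original post, the following POSIX shell script inspects a server.conf like the one above before openvpn is started: every file named by ca, cert, key, dh and crl-verify must exist, the private key must not be readable by group or others, and a crl-verify directive must be present, because without one the server keeps accepting certificates that revoke-full (step 7) has revoked. The crl-verify line and the make_fixture helper (placeholder files in a temporary directory) are assumptions of this example, not part of the post's configuration.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a server.conf
# like the one built in step 4 before starting openvpn. Returns the number
# of problems found (0 = OK). Besides file existence and key permissions,
# it insists on crl-verify: without that directive, certificates revoked
# with revoke-full (step 7) are still accepted by the server.
lookup() {  # lookup DIRECTIVE CONF -> first value, with #/; comments stripped
    sed 's/[#;].*//' "$2" | awk -v d="$1" '$1==d {print $2; exit}'
}
check_openvpn_conf() {
    conf=$1; problems=0
    for d in ca cert key dh crl-verify; do
        f=$(lookup "$d" "$conf")
        if [ -z "$f" ]; then
            echo "missing directive: $d"; problems=$((problems+1))
        elif [ ! -f "$f" ]; then
            echo "missing file for $d: $f"; problems=$((problems+1))
        fi
    done
    key=$(lookup key "$conf")
    # characters 5-10 of 'ls -l' output are the group and other permission bits
    if [ -f "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "private key $key is readable by group/others; expected mode 0600"
        problems=$((problems+1))
    fi
    return "$problems"
}
# Build a throwaway copy of the step-4 layout under DIR with placeholder files
# so the checker can be exercised offline (the PEM contents are constructed).
make_fixture() {
    dir=$1; mkdir -p "$dir/keys"
    for f in ca.crt Kimvpn.crt Kimvpn.key dh1024.pem crl.pem; do
        echo "placeholder" > "$dir/keys/$f"
    done
    chmod 600 "$dir/keys/Kimvpn.key"
    cat > "$dir/server.conf" <<EOF
proto tcp
ca $dir/keys/ca.crt
cert $dir/keys/Kimvpn.crt
key $dir/keys/Kimvpn.key
dh $dir/keys/dh1024.pem
crl-verify $dir/keys/crl.pem
server 192.168.2.0 255.255.255.0
verb 5
EOF
}
```

Run it against the real file with `check_openvpn_conf /etc/server.conf; echo "problems: $?"` once the certificates from step 4 exist.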
5. Client configuration
On the Linux side, log in to the OpenVPN server and fetch client.conf from the /opt/openvpn-2.0.9/sample-config-files directory.
Download the file to the Windows VPN client machine, place it in the C:\Program Files (x86)\OpenVPN\config directory and rename it client.ovpn. Then download ca.crt, client1.crt and client1.key from /opt/openvpn-2.0.9/easy-rsa/2.0/keys on the server to the Windows VPN client and place them in the same C:\Program Files (x86)\OpenVPN\config directory.
Edit the client.ovpn file in the C:\Program Files (x86)\OpenVPN\config directory:
proto tcp                  # change proto udp to proto tcp
remote 192.168.1.236 1194  # address and port of the OpenVPN server
ca ca.crt
cert client1.crt
key client1.key
#comp-lzo                  # comment out comp-lzo
6. Connect the client to the VPN
In the lower-right corner of the Windows taskbar, click the OpenVPN GUI icon and select Connect.
As can be seen, the client has obtained the IP address assigned by vpn-server.
7. Revoke a VPN user
Note: Because the VPN is used within an enterprise, the VPN server issues a certificate file to each VPN client. When a colleague leaves, that user must be revoked. Taking the client1 user as an example:
[root@openvpn-server ~]# cd /opt/openvpn-2.0.9/easy-rsa/2.0/
[root@openvpn-server 2.0]# ./revoke-full client1
Please source the vars script first (i.e. "source ./vars")
Make sure you have edited it to reflect your configuration.
The script asks you to perform the above steps first:
[root@openvpn-server 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /opt/openvpn-2.0.9/easy-rsa/2.0/keys
Then revoke:
[root@openvpn-server 2.0]# ./revoke-full client1
Note: The error shown above is normal; it is a bug in OpenVPN. The solution is as follows:
[root@openvpn-server 2.0]# vi /opt/openvpn-2.0.9/easy-rsa/2.0/o