I. OpenVPN installation environment
Server-side environment
Red Hat, kernel version 2.4.20-31.9, IP address 70.8.7.6
The kernel must support the tun device, and the iptables modules must be loadable.
Check whether the tun module is present:
Code:
root@a [/]# modinfo tun
filename:    /lib/modules/2.4.20-31.9/kernel/drivers/net/tun.o
description:
author:
license:     "GPL"
If there is no modinfo command, just search the kernel module tree for a tun.o file:
Code:
find . -name tun.o
./lib/modules/2.4.20/kernel/drivers/net/tun.o
Check the iptables module: the following file should exist:
/etc/init.d/iptables
OpenSSL: to enable SSL connections, OpenSSL must be installed first. Installing OpenSSL is not covered here; search Google for details. On CentOS it can be installed with yum:
Code:
yum install openssl
yum install openssl-devel
Installed version of OpenVPN: 2.0.5. A newer version now seems to be available; it can be downloaded from http://openvpn.net.
Client-side environment:
Windows XP Pro SP2
OpenVPN GUI for Windows 1.0.3, available from the openvpn.se download page
Note: the OpenVPN GUI for Windows version must be compatible with the version of the OpenVPN server.
For example, if the server runs OpenVPN 2.0.5, the OpenVPN GUI for Windows package to download is openvpn-2.0.5-gui-1.0.3-install.exe.
All historical versions of the OpenVPN GUI: http://openvpn.se/files/install_packages/
II. OpenVPN server-side installation process
http://www.xiaohui.com/dev/server/20070514-install-openvpn.htm
Log in to the host with SecureCRT and change to the root directory. Code:
cd /
Download LZO and extract it to lzo-2.02.
Address: http://www.oberhumer.com/opensource/lzo/download/ Code:
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.02.tar.gz
Download OpenVPN and extract it to openvpn-2.0.5.
Address: http://openvpn.net/download.html Code:
wget http://openvpn.net/release/openvpn-2.0.5.tar.gz
Install LZO. Code:
cd /lzo-2.02
./configure
make
make check
make install
Install OpenVPN
Code:
cd /openvpn-2.0.5
./configure
# or with the directories given explicitly (this is a single command; it is shown on four lines with \ continuations for readability):
# ./configure --with-lzo-headers=/usr/local/include \
#     --with-lzo-lib=/usr/local/lib \
#     --with-ssl-headers=/usr/local/include/openssl \
#     --with-ssl-lib=/usr/local/lib
make
make install
Generate certificates and keys
Initialize the PKI
(If your shell has no export command, use setenv [name] [value] instead.)
Code:
cd /openvpn-2.0.5/easy-rsa
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=GD
export KEY_CITY=SZ
export KEY_ORG="xiaohui.com"
export KEY_EMAIL="your-email [at] xiaohui.com"
Build:
Code:
./clean-all
./build-ca
Generating a 1024 bit RSA private key
................++++++
........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [xiaohui.com]:
Organizational Unit Name (eg, section) []:xiaohui.com
Common Name (eg, your name or your server's hostname) []:server
Email Address [your-email [at] xiaohui.com]:
# Create the server key. Code:
./build-key-server server
Generating a 1024 bit RSA private key
......++++++
....................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [xiaohui.com]:
Organizational Unit Name (eg, section) []:xiaohui.com
Common Name (eg, your name or your server's hostname) []:server
Email Address [your-email [at] xiaohui.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:xiaohui.com
Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'xiaohui.com'
organizationalUnitName:PRINTABLE:'xiaohui.com'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'your-email [at] xiaohui.com'
Certificate is to be certified until Mar 08:15:31 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# Generate the client key
Code:
./build-key client1
Generating a 1024 bit RSA private key
.....++++++
......++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [xiaohui.com]:
Organizational Unit Name (eg, section) []:xiaohui.com
Common Name (eg, your name or your server's hostname) []:client1   # Important: each client's certificate must be generated with a different name.
Email Address [your-email [at] xiaohui.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:xiaohui.com
Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'xiaohui.com'
organizationalUnitName:PRINTABLE:'xiaohui.com'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'your-email [at] xiaohui.com'
Certificate is to be certified until Mar 08:22:00 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate the additional client certificates/keys in turn
Code:
./build-key client2
./build-key client3
Note: when prompted for Common Name (eg, your name or your server's hostname) []:, the name entered for each certificate must be different.
Generate the Diffie-Hellman parameters. Code:
./build-dh
Package all files under keys for download to the local machine
Code:
tar -cf mykeys.tar /openvpn-2.0.5/easy-rsa/keys
cp mykeys.tar /home/xiaohui.comsys/public_html/mykeys.tar
Move mykeys.tar to a web-accessible directory (the absolute path varies from host to host), download it to the local machine from http://www.a.com/mykeys.tar, and then remove it from the server. Code:
rm /home/xiaohui.comsys/public_html/mykeys.tar
You can also use other methods, such as FTP, to get the key files to the local machine.
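The packaging step above archives the whole keys directory, which also holds ca.key (the CA signing key) and server.key, and places it under a web root. A client only needs ca.crt, its own certificate and its own key, so the following added helper (not from the original post; function names are mine, and the demo keys directory holds placeholder files rather than real key material) builds a per-client bundle with exactly those three files and can check an existing archive for a stray CA key.

```shell
#!/bin/sh
# Build a per-client bundle containing only what that client needs:
# ca.crt (to verify the server), <client>.crt and <client>.key.
# ca.key never leaves the CA host; <client>.csr is not needed once signed.
# Usage: bundle_client <keys_dir> <client_name> <output_tar>
bundle_client() {
    keys_dir=$1; name=$2; out=$3
    for f in ca.crt "$name.crt" "$name.key"; do
        if [ ! -f "$keys_dir/$f" ]; then
            echo "missing $keys_dir/$f" >&2
            return 1
        fi
    done
    # -C so the archive holds bare file names, matching the client.ovpn
    # directives (ca ca.crt / cert client1.crt / key client1.key).
    tar -cf "$out" -C "$keys_dir" ca.crt "$name.crt" "$name.key"
}

# Check an existing archive: returns 0 if it carries the CA private key.
bundle_has_ca_key() {
    tar -tf "$1" | grep -qE '(^|/)ca\.key$'
}

# Constructed demo keys directory with the file names easy-rsa produces
# (placeholder contents only; no real key material).
make_demo_keys() {
    dir=$1
    mkdir -p "$dir"
    for f in ca.crt ca.key dh1024.pem server.crt server.key \
             client1.crt client1.csr client1.key client2.crt client2.csr client2.key; do
        echo "placeholder $f" > "$dir/$f"
    done
    chmod 600 "$dir"/*.key
}
```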
Create the server-side configuration file
Create it from the sample file:
Code:
cd $dir/sample-config-files/   # enter the sample-config-files subdirectory under the extracted source directory
cp server.conf /usr/local/etc  # copy the server configuration file to /usr/local/etc
vi /usr/local/etc/server.conf
The contents of the server.conf I created are attached later.
Create the client configuration file
Code:
cd $dir/sample-config-files/   # enter the sample-config-files subdirectory under the extracted source directory
cp client.conf /usr/local/etc  # copy the client configuration file to /usr/local/etc
vi /usr/local/etc/client.conf
The contents of the client.conf I created are attached later.
Start OpenVPN: openvpn [server config file]. Code:
/usr/local/sbin/openvpn --config /usr/local/etc/server.conf
III. OpenVPN GUI for Windows client installation process
Install OpenVPN GUI for Windows, downloaded from http://openvpn.se. The current version is 1.0.3. Note: the OpenVPN GUI version must be compatible with the OpenVPN server version; see the description in section I, installation environment.
Follow the on-screen instructions to install the OpenVPN GUI.
Configuring the OpenVPN GUI
After the installation completes, go to the config directory under the installation folder, download the client.conf file created in step 10 above from the server into this folder, and rename it client.ovpn.
Also extract the following certificate files from the mykeys.tar of step 8 into this folder:
Code:
ca.crt
ca.key
client1.crt
client1.csr
client1.key
Then double-click client.ovpn to start OpenVPN, or start the VPN from the OpenVPN GUI's control menu.
If double-clicking client.ovpn gives no response, right-click the small OpenVPN GUI icon in the taskbar, select Edit Config, paste the contents in and save. Then click Connect in the right-click menu.
If a second machine needs to use the VPN, configure it the same way; just replace client1.crt, client1.csr and client1.key with the corresponding client2.xxx files and update the corresponding key file values in client.ovpn.
IV. OpenVPN configuration sample files
OpenVPN server side: server.conf
Code:
local 70.8.7.6
port 1194
proto udp
dev tun
ca /openvpn-2.0.5/easy-rsa/keys/ca.crt
cert /openvpn-2.0.5/easy-rsa/keys/server.crt
key /openvpn-2.0.5/easy-rsa/keys/server.key  # This file should be kept secret
dh /openvpn-2.0.5/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /openvpn-2.0.5/easy-rsa/keys/openvpn-status.log
verb 4
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 70.88.98.10"  # name server address; how to obtain it is explained below
push "dhcp-option DNS 70.88.99.11"  # name server address; how to obtain it is explained below
Description: some domains are blocked by the GFW; to reach those sites, the server must push DNS to the client. The DNS IPs in the example above (70.88.98.10, 70.88.99.10) can be found in /etc/resolv.conf. Code:
vi /etc/resolv.conf
nameserver 70.88.98.10
nameserver 70.88.99.11
OpenVPN client: client.ovpn
Code:
client
dev tun
proto udp
remote 70.8.7.6 1194
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
V. OpenVPN settings for external network access
After a routed VPN connection has been established successfully, you still need to set up routing so that Internet traffic goes out through the VPN. To add the NAT rule on the Linux host: Code:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 70.8.7.6
/etc/init.d/iptables save
/etc/init.d/iptables restart
The -o eth0 parameter may differ between machines; run ifconfig to see which network interface carries the IP (70.8.7.6).
IP forwarding also needs to be enabled. Do not use echo 1 > /proc/sys/net/ipv4/ip_forward, because that setting is lost after a reboot. First check the current state:
Code:
sysctl -a | grep for
# result:
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.ip_forward = 1
If the value on your host is not 1, change it to 1, for example:
Code:
sysctl -w net.ipv4.ip_forward=1
That is all that is needed.
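One caveat on the step above: sysctl -w, like echo 1 > /proc/sys/net/ipv4/ip_forward, only changes the running kernel; what survives a reboot is the entry in /etc/sysctl.conf, which is applied at boot (and by sysctl -p). The following added helpers (not from the original post; function names are mine, and the file path is a parameter so they can be exercised on a constructed copy of sysctl.conf) record net.ipv4.ip_forward = 1 idempotently and reload it from the real file.

```shell
#!/bin/sh
# Make net.ipv4.ip_forward=1 effective now and persistent across reboots.
# Paths are parameters so the functions can be exercised against copies.

# Print the value of a key from a sysctl.conf-style file ("" if absent).
# The last occurrence wins, as it does when sysctl -p reads the file.
sysctl_conf_get() {
    conf=$1; key=$2
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots are literal in the key
    sed -n "s/^[[:space:]]*$pat[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$conf" | tail -n 1
}

# Set "key = value" in the file: rewrite an existing line, else append one.
sysctl_conf_set() {
    conf=$1; key=$2; value=$3
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')
    [ -f "$conf" ] || : > "$conf"
    if grep -q "^[[:space:]]*$pat[[:space:]]*=" "$conf"; then
        tmp=$(mktemp)
        sed "s|^[[:space:]]*$pat[[:space:]]*=.*|$key = $value|" "$conf" > "$tmp" && cat "$tmp" > "$conf"
        rm -f "$tmp"
    else
        printf '%s = %s\n' "$key" "$value" >> "$conf"
    fi
}

# Persist the setting and, when editing the real /etc/sysctl.conf (root),
# apply it to the running kernel with sysctl -p so both agree.
enable_ip_forward() {
    conf=${1:-/etc/sysctl.conf}
    sysctl_conf_set "$conf" net.ipv4.ip_forward 1
    [ "$conf" = /etc/sysctl.conf ] && sysctl -p "$conf" >/dev/null
    return 0
}
```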
Running a domain name server
If you need to visit a website whose domain name is blocked by the GFW while your OpenVPN server itself is not blocked, you need to run a name server on your host and push its address to the client. A typical standalone host has its own private DNS server.
Code:
rpm -qa | grep bind
/etc/init.d/named start
In addition, make sure the following three lines are present in server.conf:
Code:
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 70.88.98.10"  # name server address
push "dhcp-option DNS 70.88.99.11"  # name server address
After the client has connected successfully, running ipconfig /all in cmd should show output like this:
Code:
Ethernet adapter Local Area Connection 3:
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : TAP-Win32 Adapter V8
        Physical Address. . . . . . . . . : 00-ff-aa-b0-60-2b
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.8.0.6
        Subnet Mask . . . . . . . . . . . : 255.255.255.252
        Default Gateway . . . . . . . . . : 10.8.0.5
        DHCP Server . . . . . . . . . . . : 10.8.0.5
        DNS Servers . . . . . . . . . . . : 10.8.0.1
                                            70.88.98.10
                                            70.88.99.11
        Lease Obtained. . . . . . . . . . : 2006 May 25 5:13:52
        Lease Expires . . . . . . . . . . : 2007 May 25 5:13:52
VI. Start OpenVPN automatically when the server reboots
Run the command:
Code:
vi /etc/rc.local
Then add this line at the end:
Code:
/usr/local/sbin/openvpn --config /usr/local/etc/server.conf > /dev/null 2>&1 &
VII. OpenVPN test
Log in through the VPN and test MSN, QQ, IE and other network applications; you can also try visiting some sites banned by the GFW, provided, of course, that your VPN server is outside the territory.
VIII. Important points to note when using OpenVPN
It is not recommended to log in to PayPal or Google AdSense accounts through the VPN. Doing so may lead to account restrictions or other risks.
X. Additional notes
2011.01.11 supplement: today I upgraded CentOS with yum -y update and found that the OpenVPN connection no longer came up; it kept reporting a user verification error. On checking the server log, I found the following:
Thu Feb 11:13:07 us=3362 222.244.***.**:45771 TLS: Initial packet from 222.244.***.**:45771, sid=eec450eb 8673ceef
Thu Feb 11:13:10 us=798063 222.244.***.**:45771 openvpn_execve: external program may not be called unless '--script-security 2' or higher is enabled. Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier. See --help text or man page for detailed info.
Thu Feb 11:13:10 us=798127 222.244.***.**:45771 TLS Auth Error: user-pass-verify script failed to execute: /usr/bin/php -q /home/xiaohui/openvpn-manager/admin/openvpn-auth.php
Thu Feb 11:13:10 us=798141 222.244.***.**:45771 TLS Auth Error: Auth Username/Password verification failed for peer
On investigation, it turned out that the yum update had also upgraded OpenVPN from 2.0 to 2.1. One of the biggest changes in OpenVPN 2.1 is the added script-security parameter. If you installed by following this tutorial but your OpenVPN version is 2.1 or later, remember to add this line to server.conf:
script-security 3
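The failure above is easy to catch before a restart. The following added lint (not from the original post; function names and the constructed sample configs in the test are mine) reads a server.conf the way OpenVPN does, ignoring comments, and reports the three things this page depends on: an external script such as auth-user-pass-verify configured without script-security 2 or higher, no push "dhcp-option DNS ..." line, and a key file that other users can read.

```shell
#!/bin/sh
# Lint an OpenVPN server.conf for the points raised on this page.
# Prints one line per finding and returns the number of findings.

# Directives only: strip # and ; comments and blank lines, as openvpn does.
conf_directives() {
    sed -e 's/[[:space:]]*[#;].*$//' -e '/^[[:space:]]*$/d' "$1"
}

lint_server_conf() {
    conf=$1; findings=0
    d=$(conf_directives "$conf")

    # 1. OpenVPN 2.1+ refuses to run auth-user-pass-verify (or up/down scripts)
    #    unless script-security is at least 2; the server log then shows
    #    "TLS Auth Error: user-pass-verify script failed to execute".
    if printf '%s\n' "$d" | grep -qE '^(auth-user-pass-verify|up|down)[[:space:]]'; then
        level=$(printf '%s\n' "$d" | awk '$1=="script-security"{print $2}' | tail -n 1)
        if [ -z "$level" ] || [ "$level" -lt 2 ]; then
            echo "script: external script configured but script-security is '${level:-unset}' (need >= 2)"
            findings=$((findings + 1))
        fi
    fi

    # 2. Without a pushed DNS server, clients cannot resolve names through the tunnel.
    if ! printf '%s\n' "$d" | grep -qE '^push[[:space:]]+"dhcp-option DNS '; then
        echo "dns: no push \"dhcp-option DNS ...\" line"
        findings=$((findings + 1))
    fi

    # 3. The server's private key ("should be kept secret") must not be
    #    readable by other users; checked only when the file exists locally.
    keyfile=$(printf '%s\n' "$d" | awk '$1=="key"{print $2}' | tail -n 1)
    if [ -n "$keyfile" ] && [ -f "$keyfile" ] && [ "$(ls -l "$keyfile" | cut -c8-10)" != "---" ]; then
        echo "key: $keyfile is readable by other users"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```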
=======================================
./configure --with-lzo-headers=/usr/local/include/ --with-lzo-lib=/usr/local/lib --with-ssl-headers=/usr/include/openssl/ --with-ssl-lib=/usr/lib/openssl/
http://www.oberhumer.com/opensource/lzo/download/
http://www.oberhumer.com/opensource/lzo/download/lzo-2.05.tar.gz
http://openvpn.net/index.php/open-source/downloads.html
wget http://swupdate.openvpn.org/community/releases/openvpn-2.2.1.tar.gz