Install and configure OpenVPN under Ubuntu 12.04

Source: Internet
Author: User
At first my VPS ran Ubuntu 10.10. On that version I struggled for several days without success. After I upgraded the system online, I installed and configured OpenVPN and it finally worked. When a newer release is available, Ubuntu shows a notice right after you log in; you can then run "do-release-upgrade" in the shell to upgrade to the next release. I am a Linux newbie, so I am keeping a record here. Let's start our OpenVPN journey.

1. Install openvpn

This is easy to install from the package repositories:

# apt-get install openvpn

2. Copy the easy-rsa scripts to /etc/openvpn:

# cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn/

3. Edit the vars file: vim /etc/openvpn/easy-rsa/2.0/vars. Strictly speaking this is optional, but filling it in now saves typing in the following steps. The lines to change are the ones near the end of the file:

export KEY_COUNTRY=""
export KEY_PROVINCE=""
export KEY_CITY=""
export KEY_ORG=""
export KEY_EMAIL=""
export KEY_EMAIL=
export KEY_CN=
export KEY_NAME=
export KEY_OU=
export PKCS11_MODULE_PATH=
export PKCS11_PIN=

Fill in your values between the quotes after each "=". I don't know whether case matters, so to be safe keep the default format. Remember to save after editing.
4. Generate the certificates

# cd /etc/openvpn/easy-rsa/2.0/
# chown -R root:admin .
# chmod g+w .

# source ./vars    (if this step complains that openssl.cnf is missing, rename openssl-1.0.0.cnf to openssl.cnf)

# ./clean-all      (creates the empty keys/ directory, index and serial that the build scripts expect; it deletes any keys already there)

# ./build-ca       (accept the defaults for every prompt)

# ./build-key-server server

# ./build-key client

# ./build-dh

The new certificates and keys are in the /etc/openvpn/easy-rsa/2.0/keys/ directory. Only ca.crt is ever handed out to clients; ca.key is the signing key and stays on this machine.

5. Configure server files

First, copy the sample configuration and then modify it:

# cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/

# cd /etc/openvpn/

# gunzip server.conf.gz

This unpacks a server.conf file; open it and edit it. If you have followed my steps from the beginning, you can copy my configuration directly. Otherwise, adjust the settings to your own situation. My own notes are the comment lines placed directly above the directives they refer to.

# Which local IP address should OpenVPN
# listen on? (optional)
# The address here is the IP of the NIC on your machine.
local xx.xx

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
# The port must match the client configuration.
port 1194

# TCP or UDP server?
;proto tcp
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
#
# The following three lines must point to the correct paths
# (relative to /etc/openvpn, where the server is started from).
ca easy-rsa/2.0/keys/ca.crt
cert easy-rsa/2.0/keys/server.crt
key easy-rsa/2.0/keys/server.key

# Diffie hellman parameters.
# Generate your own:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048-bit keys.
# Note the path.
dh easy-rsa/2.0/keys/dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take the first address of the
# subnet (10.9.0.1 here) for itself, the rest will
# be made available to clients. Each client will be
# able to reach the server on that address. Comment
# this line out if you are ethernet bridging.
# See the man page for more info.
# This is the address range of the virtual network card.
server 10.9.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# DNS lookups to go through the VPN
# (the OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
# Allows several users to share one set of client files at the same time.
duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping has been received
# during a 120 second time period.
keepalive 10 120

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20


6. Configure packet forwarding and NAT

# sysctl -w net.ipv4.ip_forward=1

# iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE

The subnet must be the one given in the server directive (10.9.0.0/24 above) and eth0 must be the interface that carries your public address. Both settings are lost at reboot: put net.ipv4.ip_forward=1 in /etc/sysctl.conf and save the iptables rule (for example with iptables-save) to make them permanent.

7. Run the OpenVPN server

# openvpn /etc/openvpn/server.conf

Because the ca, cert, key and dh paths in server.conf are relative, start it from /etc/openvpn (or pass --cd /etc/openvpn); the Ubuntu init script (service openvpn start) changes into that directory for you.

8. Configure the client

A. Copy the generated ca.crt, client.key and client.crt to the local machine.

B. Edit the client.ovpn file:

# Define a client
client
# Use routed IP mode (tun), consistent with the server
;dev tap
dev tun
# Name of the TAP adapter on Windows; not required on Linux
;dev-node
# Protocol, consistent with the server
;proto tcp
proto udp

# Server address and port. Several remote lines may be given to
# list several servers; they are tried from top to bottom
# (simple load balancing / failover).
# Enter the server IP address and port.
remote xx.xx 1194
# If several servers are listed above, pick one at random.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients do not need to bind
# a specific local port number.
nobind
# Downgrade privileges after initialization so OpenVPN runs as nobody.
# Note: cannot be set on Windows.
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun
# If the client goes through an HTTP proxy, set these.
# A proxy cannot be used with UDP as the VPN protocol.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot of
# duplicate packets. Set this flag to silence
# duplicate packet warnings.
;mute-replay-warnings
# The key point: the CA certificate and the client certificate and key.
# The names must match the files generated in step 4 and copied in step 8A.
ca ca.crt
cert client.crt
key client.key
# If the PAM authentication module is enabled on the server,
# the client must also supply a username and password.
;auth-user-pass
;tls-auth ta.key 1

# Some security measures
# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Use lzo compression, consistent with the server
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
mute 20

C. Copy ca.crt, client.crt, client.key and client.ovpn into the config folder under the OpenVPN GUI installation directory.

9. Start the OpenVPN client.
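Steps 5, 6 and 8 above all depend on the two files agreeing with each other: port, proto, dev, comp-lzo, cipher and tls-auth must match, and the NAT rule in step 6 must use the subnet from the server directive. The following Python script is an added example, not part of the original post or of OpenVPN itself. It parses a config file with the same comment and quoting rules OpenVPN applies (a "#" or ";" that begins a token starts a comment, quoted arguments stay together), reports mismatches between a server.conf and a client.ovpn, flags the two settings this guide leaves in their weaker state (duplicate-cn enabled, ns-cert-type server commented out), and derives the step 6 MASQUERADE rule from the server directive. The sample files inside it are constructed to mirror the guide's values; vpn.example.invalid is a placeholder for the server address.

```python
"""Consistency checks for an OpenVPN server.conf / client.ovpn pair (added example)."""
import ipaddress


def tokenize(line):
    """Split a config line as OpenVPN does: '#' or ';' starts a comment only where a
    new token would begin, and quoted arguments stay together (no backslash escapes)."""
    tokens, cur, quote = [], "", None
    for ch in line:
        if quote:
            if ch == quote:
                quote = None
            else:
                cur += ch
        elif ch in "\"'":
            quote = ch
        elif ch.isspace():
            if cur:
                tokens.append(cur)
                cur = ""
        elif ch in "#;" and not cur:
            break  # a trailing note such as 'port 1194 # match the client' is ignored
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens

def parse_config(text):
    """Map each directive to the list of argument lists it appears with
    (push and remote may repeat); commented-out lines simply disappear."""
    conf = {}
    for raw in text.splitlines():
        toks = tokenize(raw)
        if toks:
            conf.setdefault(toks[0], []).append(toks[1:])
    return conf

def _first(conf, key, default):
    return conf[key][0] if conf.get(key) else default

def _proto(conf):
    # tcp-server / tcp-client / udp4 / udp6 all normalise to plain tcp or udp
    return _first(conf, "proto", ["udp"])[0].split("-")[0].rstrip("46")

def check_pair(server_text, client_text):
    """Return human-readable problems; an empty list means the pair is consistent."""
    s, c = parse_config(server_text), parse_config(client_text)
    problems = []
    port = _first(s, "port", ["1194"])[0]
    for args in c.get("remote", []):
        if len(args) > 1 and args[1] != port:
            problems.append(f"remote {args[0]} uses port {args[1]}, server listens on {port}")
    if _proto(s) != _proto(c):
        problems.append(f"proto mismatch: server {_proto(s)}, client {_proto(c)}")
    sdev, cdev = _first(s, "dev", ["?"])[0][:3], _first(c, "dev", ["?"])[0][:3]
    if sdev != cdev:
        problems.append(f"dev mismatch: server {sdev}, client {cdev}")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo must be enabled on both sides or on neither")
    if "cipher" in s and _first(s, "cipher", []) != _first(c, "cipher", []):
        problems.append("server sets a cipher that the client does not repeat")
    if ("tls-auth" in s) != ("tls-auth" in c):
        problems.append("tls-auth key is configured on one side only")
    if not ({"ns-cert-type", "remote-cert-tls"} & set(c)):
        problems.append("client never checks that it is talking to a server certificate "
                        "(ns-cert-type server / remote-cert-tls server)")
    if "duplicate-cn" in s:
        problems.append("server allows duplicate-cn; recommended only for testing")
    return problems

def nat_rule(server_text, wan_if="eth0"):
    """Derive the step 6 MASQUERADE rule from the 'server' directive, so the
    subnet in iptables cannot drift from the one OpenVPN actually hands out."""
    args = _first(parse_config(server_text), "server", [])
    if len(args) < 2:
        return None
    net = ipaddress.IPv4Network((args[0], args[1]))  # 10.9.0.0 255.255.255.0 -> 10.9.0.0/24
    return f"iptables -t nat -A POSTROUTING -s {net} -o {wan_if} -j MASQUERADE"

# Constructed samples mirroring the guide's values; vpn.example.invalid is a placeholder.
SERVER_CONF = """\
port 1194 # must match the client
proto udp
dev tun
server 10.9.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
duplicate-cn
comp-lzo
"""
CLIENT_OVPN = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
ca ca.crt
cert client.crt
;ns-cert-type server
comp-lzo
"""

if __name__ == "__main__":
    for problem in check_pair(SERVER_CONF, CLIENT_OVPN):
        print("WARN:", problem)
    print(nat_rule(SERVER_CONF))
```

Run it as is and it prints the two warnings for the guide's configuration plus the iptables line; replace the two sample strings with the contents of your own server.conf and client.ovpn to check a real pair. Uncommenting ns-cert-type server on the client (or using remote-cert-tls server on OpenVPN 2.1 and later) and removing duplicate-cn on the server makes the check come back clean.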


Related reading:

Ubuntu OpenVPN client configuration tutorial: http://www.linuxidc.com/Linux/2013-06/86562.htm

Build OpenVPN in Ubuntu 10.04: http://www.linuxidc.com/Linux/2012-11/74790.htm

Ubuntu 13.04 VPN (OpenVPN) configuration, and the problem of a connection not reaching the internal and external networks at the same time: http://www.linuxidc.com/Linux/2013-07/86899.htm

How to build a secure remote network architecture with OpenVPN in Linux: http://www.linuxidc.com/Linux/2013-11/92646.htm
