Initial attempt to build OpenVPN

Source: Internet
Author: User
Tags: server, installation and configuration, vars

OpenVPN Server installation and configuration
1. install lzo
# tar -zxvf lzo-2.03.tar.gz
# cd lzo-2.03
# ./configure --prefix=/usr/local/lzo
# make
# make install
2. install openvpn
# tar -zxvf openvpn-2.0.9.tar.gz
# cd openvpn-2.0.9
# ./configure --prefix=/usr/local/openvpn --with-lzo-headers=/usr/local/lzo/include --with-lzo-lib=/usr/local/lzo/lib --with-ssl-headers=/usr/include/openssl --with-ssl-lib=/usr/lib
# make
# make install
3. Generate certificates and keys
# cd easy-rsa/
# vi vars
The relevant lines of vars:
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=BJ
export KEY_CITY=BJ
export KEY_ORG="OpenVPN-TEST"
export KEY_EMAIL=wjpheart@126.com
KEY_SIZE=1024 was the easy-rsa default of the period; 1024-bit RSA keys and DH parameters are no longer considered adequate, so use 2048 or larger for any new deployment. The KEY_* values are only the defaults offered by the prompts that follow; each can be overridden when a certificate is built.
# chmod a+x vars
[root@localhost easy-rsa]# ./vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /home/weijunping/openvpn-2.0.9/easy-rsa/keys
[root@localhost easy-rsa]# ./clean-all
You must define KEY_DIR
Running ./vars executes the file in a child shell, so its exports disappear when that shell exits and clean-all finds KEY_DIR unset. The intended way is to source it into the current shell (. ./vars or source ./vars); the same effect was obtained here by exporting the variables by hand:
[root@localhost easy-rsa]# export D=`pwd`
[root@localhost easy-rsa]# export KEY_CONFIG=$D/openssl.cnf
[root@localhost easy-rsa]# export KEY_DIR=$D/keys
[root@localhost easy-rsa]# export KEY_SIZE=1024
[root@localhost easy-rsa]# export KEY_COUNTRY=CN
[root@localhost easy-rsa]# export KEY_PROVINCE=BJ
[root@localhost easy-rsa]# export KEY_CITY=BJ
[root@localhost easy-rsa]# export KEY_ORG="OpenVPN-TEST"
[root@localhost easy-rsa]# export KEY_EMAIL=wjpheart@126.com
[root@localhost easy-rsa]# ./clean-all
[root@localhost easy-rsa]# ./build-ca
Generating a 1024 bit RSA private key
...++
...
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [BJ]:BJ
Locality Name (eg, city) [BJ]:BJ
Organization Name (eg, company) [OpenVPN-TEST]:bokee
Organizational Unit Name (eg, section) []:blogchina
Common Name (eg, your name or your server's hostname) []:bokee-inc.com
Email Address [wjpheart@126.com]:
[root@localhost easy-rsa]# ./build-key-server
Generating a 1024 bit RSA private key
...
...
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [BJ]:BJ
Locality Name (eg, city) [BJ]:BJ
Organization Name (eg, company) [OpenVPN-TEST]:bokee
Organizational Unit Name (eg, section) []:blogchina
Common Name (eg, your name or your server's hostname) []:bokee-inc.com
Email Address [wjpheart@126.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:wjpinrain
An optional company name []:bokee
Using configuration from /home/weijunping/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'BJ'
organizationName      :PRINTABLE:'bokee'
organizationalUnitName:PRINTABLE:'blogchina'
commonName            :PRINTABLE:'bokee-inc.com'
emailAddress          :IA5STRING:'wjpheart@126.com'
Certificate is to be certified until Sep 12 03:40:48 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost easy-rsa]#
The challenge password and optional company name are attributes of the certificate request only; OpenVPN does not use them and they can be left blank. Note also that the CA and the server certificate were given the same Common Name (bokee-inc.com) here; give each certificate its own distinct CN, since the CN is how a peer is identified in logs and in any per-client configuration.
[root@localhost easy-rsa]# # Create the Diffie-Hellman parameters
[root@localhost easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
... (progress output omitted) ...
4. create a server configuration file
# mkdir /usr/local/openvpn/etc/
[root@localhost openvpn]# cd /home/weijunping/openvpn-2.0.9/sample-config-files/
[root@localhost sample-config-files]# cp server.conf /usr/local/openvpn/etc/
[root@localhost sample-config-files]# vi /usr/local/openvpn/etc/server.conf
The edited server.conf file contains the following content:
port 1194
proto udp
dev tun
ca /home/weijunping/openvpn-2.0.9/easy-rsa/keys/ca.crt
cert /home/weijunping/openvpn-2.0.9/easy-rsa/keys/server.crt
key /home/weijunping/openvpn-2.0.9/easy-rsa/keys/server.key
dh /home/weijunping/openvpn-2.0.9/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway"
push "dhcp-option DNS 202.106.0.20"   # address of the DNS server handed to clients
client-to-client
keepalive 10 120
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status /home/weijunping/openvpn-2.0.9/easy-rsa/keys/openvpn-status.log
verb 4
Note that the ca, cert, key and dh lines point at the easy-rsa build directory under /home/weijunping. Step 5 copies the same four files to /usr/local/openvpn/etc/keys; once they are there, point these four lines at that directory instead so the running server does not depend on a user's home directory, and keep server.key readable only by root (mode 0600): persist-key lets OpenVPN keep using the key after it has dropped privileges to user nobody. ipp.txt is a relative path and is written in whatever directory OpenVPN is started from.
5. deploy the server key file
# mkdir /usr/local/openvpn/etc/keys
# cd /home/weijunping/openvpn-2.0.9/easy-rsa/keys
# cp ca.crt server.crt server.key dh1024.pem /usr/local/openvpn/etc/keys
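Before starting the server it is worth checking that what landed in the key directory is consistent: that server.crt was signed by the ca.crt clients will be given, that it belongs to server.key, that it carries the nsCertType=server extension build-key-server adds, and that the private key is not readable by other users. The following is an added example and not part of the original article or of easy-rsa. check_server_pki takes the directory from step 5 and assumes the file names used there and an openssl binary on PATH; make_demo_pki is a constructed throwaway CA and server certificate built with plain openssl, included only so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check the files in
# the server key directory before starting OpenVPN. Assumes the names from
# step 5 (ca.crt, server.crt, server.key) and the openssl command-line tool.

# check_server_pki DIR -> prints "ok" and returns 0, or prints the first
# problem found and returns 1.
check_server_pki() {
    dir=$1
    ca="$dir/ca.crt"; crt="$dir/server.crt"; key="$dir/server.key"
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing: $f"; return 1; }
    done
    # 1. server.crt must chain to ca.crt, the CA certificate clients receive.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "server.crt is not signed by ca.crt"; return 1; }
    # 2. server.crt must belong to server.key: compare the RSA moduli.
    m1=$(openssl x509 -noout -modulus -in "$crt")
    m2=$(openssl rsa  -noout -modulus -in "$key" 2>/dev/null)
    [ -n "$m1" ] && [ "$m1" = "$m2" ] \
        || { echo "server.crt and server.key do not match"; return 1; }
    # 3. build-key-server marks the certificate nsCertType=server. A client
    #    that sets "ns-cert-type server" refuses any other certificate as the
    #    server, which stops one client impersonating the server to another.
    openssl x509 -noout -text -in "$crt" | grep -A1 'Netscape Cert Type' \
        | grep -q 'SSL Server' \
        || { echo "server.crt lacks nsCertType=server"; return 1; }
    # 4. the private key must not be readable by group or others.
    [ -z "$(find "$key" \( -perm -004 -o -perm -040 \) -print)" ] \
        || { echo "server.key is readable by group or others"; return 1; }
    echo ok
}

# make_demo_pki DIR -> constructed throwaway CA and server certificate made
# with plain openssl (no easy-rsa), standing in for the easy-rsa output so
# the check above can run offline. Do not use these files for anything else.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/ca.key" -days 1 \
        -subj "/CN=Demo CA" -out "$dir/ca.crt" 2>/dev/null
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"
    openssl req -new -key "$dir/server.key" \
        -subj "/CN=vpn.example.test" -out "$dir/server.csr" 2>/dev/null
    # build-key-server adds this extension; reproduce it here.
    printf 'nsCertType=server\n' > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# Demonstration on the constructed PKI; on the real server run
#   check_server_pki /usr/local/openvpn/etc/keys
demo=$(mktemp -d)
make_demo_pki "$demo"
check_server_pki "$demo"
chmod 644 "$demo/server.key"
check_server_pki "$demo" || echo "(refused, as intended)"
rm -rf "$demo"
```

The nsCertType check is only half of the protection: it matters because a client that puts ns-cert-type server in its configuration will reject any certificate without that extension when it connects, so that another client's certificate, also signed by this CA, cannot be used to pose as the server. Without that client-side line, every certificate from the CA is accepted as a server.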
6. start openvpn server
# /usr/local/openvpn/sbin/openvpn --daemon --config /usr/local/openvpn/etc/server.conf
[root@localhost keys]# netstat -unlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           28763/openvpn
II. OpenVPN client installation and configuration
1. generate a client certificate
[root@localhost ~]# cd /home/weijunping/openvpn-2.0.9/easy-rsa/
[root@localhost easy-rsa]# ./build-key weijunping
Generating a 1024 bit RSA private key
...++
writing new private key to 'weijunping.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [BJ]:BJ
Locality Name (eg, city) [BJ]:BJ
Organization Name (eg, company) [OpenVPN-TEST]:bokee
Organizational Unit Name (eg, section) []:blogchina
Common Name (eg, your name or your server's hostname) []:weijunping
Email Address [wjpheart@126.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:bokee
Using configuration from /home/weijunping/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'BJ'
organizationName      :PRINTABLE:'bokee'
organizationalUnitName:PRINTABLE:'blogchina'
commonName            :PRINTABLE:'weijunping'
emailAddress          :IA5STRING:'wjpheart@126.com'
Certificate is to be certified until Sep 12 03:42:31 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
2. copy the client files to the Windows machine
# cd /home/weijunping/openvpn-2.0.9/easy-rsa/keys
Download ca.crt, weijunping.crt and weijunping.key to the local machine. Do not copy ca.key off the server: the client has no use for the CA signing key, and anyone who obtains it can issue certificates that the server will trust. weijunping.csr is the signing request and is not needed on the client either.
Download the client configuration file client.conf (from sample-config-files) and rename it to client.ovpn.
The content is as follows:
client
dev tun
proto udp
remote 172.16.10.231 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\weijunping.crt"
key "C:\\Program Files\\OpenVPN\\config\\weijunping.key"
comp-lzo
verb 3
Backslashes in the Windows paths must be doubled (or written as forward slashes), because a single backslash is an escape character in the OpenVPN configuration file.
Client software installation method:
Double-click openvpn-2.0.9-gui-1.0.3-install.exe and install it in the default installation path.
Move ca.crt, weijunping.crt, weijunping.key and client.ovpn to the C:\Program Files\OpenVPN\config directory.
Right-click the OpenVPN GUI icon in the system tray and select Connect.
3. OpenVPN Internet access settings
1. enable the routing function
In Linux, enabling IP forwarding takes a single command. The command writes to /proc/sys/net/ipv4/ip_forward; the default value in that file is 0, meaning packets are not forwarded between interfaces, so all that is needed is to change the 0 to 1.
# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@localhost ~]# more /proc/sys/net/ipv4/ip_forward
1
This setting does not survive a reboot. To make it permanent, edit /etc/sysctl.conf and change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1.
2. translate the VPN subnet
After the VPN connection is established, a NAT rule is still needed before clients can reach the Internet through the server, because the 10.8.0.0/24 addresses are not routable beyond it:
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j SNAT --to-source 172.16.10.231
The --to-source address is normally the server's public IP address on the outgoing interface (eth1 here); 172.16.10.231 is used only because this test server sits on an intranet.
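The three steps above (turn forwarding on now, make it persistent, add the SNAT rule) as one repeatable script. This is an added example, not part of the original article: set_ip_forward rewrites a sysctl.conf-style file so that it ends up with exactly one active net.ipv4.ip_forward = 1 line whether the file had the key set to 0, commented out, or absent; add_vpn_snat adds the POSTROUTING rule only if it is not already present, so running the script twice does not stack duplicate rules. It assumes the subnet, interface and address from the article and an iptables that supports -C (1.4.11 and later); the sysctl.conf sample it edits is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): repeatable forwarding and
# NAT setup for the OpenVPN gateway. Assumes the article's values
# (10.8.0.0/24, eth1, 172.16.10.231) and iptables >= 1.4.11 for -C.

# get_ip_forward FILE -> prints the active ip_forward value (empty if none).
get_ip_forward() {
    sed -n -E 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*([0-9]+).*/\1/p' "$1" \
        | tail -n 1
}

# set_ip_forward FILE -> rewrites FILE so it holds exactly one active
# "net.ipv4.ip_forward = 1" line, removing any earlier active or commented
# copy of the key, and prints the resulting value.
set_ip_forward() {
    file=$1
    tmp="$file.tmp.$$"
    # Drop every existing ip_forward line, commented or not...
    grep -v -E '^[[:space:]]*#?[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$file" \
        > "$tmp" 2>/dev/null || :
    # ...then append the one we want, so the last (winning) value is 1.
    printf 'net.ipv4.ip_forward = 1\n' >> "$tmp"
    mv "$tmp" "$file"
    get_ip_forward "$file"
}

# add_vpn_snat SUBNET IFACE PUBLIC_IP -> adds the SNAT rule if it is absent.
# iptables -C fails when the rule does not exist, so -A runs only then.
add_vpn_snat() {
    subnet=$1; iface=$2; pub=$3
    if iptables -t nat -C POSTROUTING -s "$subnet" -o "$iface" -j SNAT --to-source "$pub" 2>/dev/null; then
        echo "SNAT rule for $subnet via $iface already present"
    else
        iptables -t nat -A POSTROUTING -s "$subnet" -o "$iface" -j SNAT --to-source "$pub"
    fi
}

# apply_vpn_gateway: the real steps, to be run as root on the server.
apply_vpn_gateway() {
    echo 1 > /proc/sys/net/ipv4/ip_forward      # takes effect immediately
    set_ip_forward /etc/sysctl.conf >/dev/null   # survives a reboot
    sysctl -p >/dev/null
    add_vpn_snat 10.8.0.0/24 eth1 172.16.10.231
}

# Demonstration on a constructed copy of sysctl.conf, not the real file.
demo=$(mktemp)
printf '# Kernel sysctl configuration\nnet.ipv4.ip_forward = 0\nkernel.sysrq = 0\n' > "$demo"
set_ip_forward "$demo"
cat "$demo"
rm -f "$demo"
```

apply_vpn_gateway is deliberately not called at the end of the script; run it by hand as root once the demonstration output looks right.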


 
Author: "Just do it !"
