OpenVPN is another VPN software package, different from PPTP and L2TP: it is an SSL-based VPN. Using OpenVPN requires client-side software. The system used here is CentOS 6.4.
I. Check the environment required by OpenVPN
OpenVPN requires TUN device support and the nat module of iptables.
1. Check the TUN module:
modinfo tun
The module information is printed; if an error is reported instead, the TUN device is not supported.
2. On an OpenVZ VPS, the administrator needs to enable the TUN/TAP device on the host node. Check it with:
cat /dev/net/tun
If the output is:
cat: /dev/net/tun: File descriptor in bad state
the VPS's TUN/TAP device is available.
If the output is:
cat: /dev/net/tun: No such device
the TUN/TAP device is not configured correctly and you need to contact customer service to activate TUN/TAP.
3. Check whether iptables on the OpenVZ VPS supports nat:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
If the output is:
iptables: Unknown error 4294967295
it indicates that it is supported.
II. Compile and install OpenVPN
1. Install the dependencies
yum install -y openssl-devel lzo-devel pam-devel automake pkgconfig
2. Install OpenVPN
```sh
wget -c http://swupdate.openvpn.org/community/releases/openvpn-2.3.0.tar.gz
tar zxvf openvpn-2.3.0.tar.gz
cd openvpn-2.3.0
./configure
make install
mkdir -p /etc/openvpn
cp -Rf sample /etc/openvpn/
cd ..
```
Download easy-rsa separately to create the CA certificate, the server certificate and the client certificates. The openvpn-2.3.0.tar.gz source does not contain easy-rsa, so it must be downloaded and installed on its own:
```sh
wget -c https://github.com/OpenVPN/easy-rsa/archive/master.zip
unzip master
mv easy-rsa-master easy-rsa
cp -Rf easy-rsa /etc/openvpn
cd /etc/openvpn/easy-rsa/easy-rsa/2.0
```
3. Generate keys and certificates
```sh
vim vars   # near the end of the file, edit these lines
export KEY_COUNTRY="CN"
export KEY_PROVINCE="JN"
export KEY_CITY="DZ"
export KEY_ORG="lvtao"
export KEY_EMAIL="admin@lvtao.net"
export KEY_OU="lvtao"
# :x! saves and exits
ln -s openssl-1.0.0.cnf openssl.cnf
chmod +x vars
source ./vars
./clean-all
./build-ca                  # create the CA certificate
./build-key-server server   # create the server certificate
./build-key client1         # create the client certificate
./build-dh
tar zcvf keys.tar.gz keys/  # package the keys
sz keys.tar.gz              # send the archive to the client machine through the terminal as a backup
```
Description of the files in keys:

| Filename | Needed by | Purpose | Secret |
|---|---|---|---|
| ca.crt | server + all clients | Root CA certificate | NO |
| ca.key | key signing machine only | Root CA key | YES |
| dh{n}.pem | server only | Diffie-Hellman parameters | NO |
| server.crt | server only | Server certificate | NO |
| server.key | server only | Server key | YES |
| client1.crt | client1 only | Client1 certificate | NO |
| client1.key | client1 only | Client1 key | YES |
```sh
cd /etc/openvpn/sample-config-files/
cp server.conf ../../
vi ../../server.conf        # configure server.conf; the individual parameters are not described here
# copy the keys
cd /etc/openvpn/easy-rsa/2.0/keys
cp -Rf ca.crt server.crt server.key dh2048.pem /etc/openvpn/
# edit /etc/sysctl.conf: change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1, save, then apply it
sysctl -p
# set up NAT forwarding; replace 192.168.122.180 with the IP address of your server
iptables -t nat -A POSTROUTING -s 10.8.8.0/24 -j SNAT --to-source 192.168.122.180
/etc/init.d/iptables save
/etc/init.d/iptables restart
```
PS: If iptables save reports the error
iptables: Saving firewall rules to /etc/sysconfig/iptables: /etc/init.d/iptables: line 268: restorecon: command not found
install the package that provides restorecon:
yum install policycoreutils
Start OpenVPN automatically at boot by appending it to rc.local:
echo "/usr/local/sbin/openvpn --config /etc/openvpn/easy-rsa/2.0/conf/server.conf &" >> /etc/rc.local
Start OpenVPN
/usr/local/sbin/openvpn --config /etc/openvpn/easy-rsa/2.0/conf/server.conf > /dev/null 2>&1 &
Login configuration with user name and password
Modify the main configuration file of the openvpn service and add the following lines. With client-cert-not-required, the user name and password alone are used to verify the logon; without it, both the certificate and the user name and password are required!
```sh
tail -3 /etc/openvpn/server.conf
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
client-cert-not-required
username-as-common-name
```
The script that verifies the user's logon; adjust the PASSFILE and LOG_FILE variables to your setup.
```sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi

# OpenVPN exports $username and $password into the environment (via-env).
# Lines starting with ';' or '#' are comments; the username is passed to awk
# with -v so that it is compared as data rather than spliced into the program.
CORRECT_PASSWORD=`awk -v u="${username}" '!/^;/ && !/^#/ && $1==u {print $2; exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

# Note: the two failure lines write the supplied password into the log file in cleartext.
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
```
Prepare the user name and password file. Separate the user name and password with a space, and make sure the user that OpenVPN runs as can read the file.
```sh
vi psw-file
lvtao 954270
```
Configure permissions
```sh
chmod 400 psw-file
chown nobody.nobody psw-file
```
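The checkpsw.sh script and psw-file above keep every password in cleartext and write the supplied password into the log on failure. As an added example (not the original post's script), here is a drop-in variant for auth-user-pass-verify via-env that stores a salted SHA-256 hash per user and never logs the password; the file paths are assumptions taken from the page.

```sh
#!/bin/sh
# Added example, not the script from the original post: a hardened lookup for
# auth-user-pass-verify. PASSFILE holds "username salt sha256(salt:password)"
# instead of the cleartext password, and log lines never contain the password.
# Paths below are assumptions; OpenVPN exports $username and $password when
# the directive is "auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env".
PASSFILE="${PASSFILE:-/etc/openvpn/psw-file}"
LOG_FILE="${LOG_FILE:-/var/log/openvpn-password.log}"

log() { printf '%s: %s\n' "$(date '+%Y-%m-%d %T')" "$1" >> "$LOG_FILE"; }

# hash_password SALT PASSWORD -> hex sha256 of "SALT:PASSWORD"
hash_password() {
    printf '%s:%s' "$1" "$2" | sha256sum | awk '{print $1}'
}

# make_entry USER PASSWORD -> one PASSFILE line with a fresh random salt
make_entry() {
    salt=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s %s %s\n' "$1" "$salt" "$(hash_password "$salt" "$2")"
}

# check_user FILE USER PASSWORD -> status 0 on success, 1 otherwise
check_user() {
    file=$1; user=$2; pass=$3
    [ -r "$file" ] || { log "could not open password file $file"; return 1; }
    # skip ';' and '#' comment lines; the username is passed with -v so it is
    # compared as data and cannot alter the awk program
    entry=$(awk -v u="$user" '!/^;/ && !/^#/ && $1==u {print $2, $3; exit}' "$file")
    [ -n "$entry" ] || { log "user does not exist: username=$user"; return 1; }
    salt=${entry%% *}; stored=${entry#* }
    if [ "$(hash_password "$salt" "$pass")" = "$stored" ]; then
        log "successful authentication: username=$user"; return 0
    fi
    log "incorrect password: username=$user"; return 1
}

# When OpenVPN runs this script, $username is set: perform the check and exit.
if [ -n "${username:-}" ]; then
    check_user "$PASSFILE" "$username" "${password:-}"
    exit $?
fi
```

Generate each psw-file line with `make_entry lvtao 954270 >> /etc/openvpn/psw-file` and keep the chmod 400 / chown nobody from the page. A salted SHA-256 only removes cleartext from the file; where the platform offers a slow password hash, prefer that.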
Modify the client configuration file. Comment out the certificate and key lines:
```sh
;cert lvtao.crt
;key lvtao.key
```
and add the directive that prompts for the user name and password:
```sh
auth-user-pass
```