Install, configure, and use OpenVPN in Linux

Article title: installation, configuration, and use of OpenVPN in Linux. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
　　 Introduction
　　
OpenVPN is an application-layer VPN implementation based on the OpenSSL library. Compared with traditional VPN, it has the advantage of being easy to use.
　　
Here is a brief introduction of the OpenVPN configuration method based on CA and digital certificate authentication, which can be divided into multiple network segments.
　　
Note 1: VNN is similar to OpenVPN.
　　
Note 2: This is meaningful to break through the domestic network blockout and protect communication freedom. it is worth promoting.
　　
　　 Install OpenVPN
　　
　　 Linux installation
　　
First, the Kernel must support the TUN/TAP device. In Kernel 2.6.x, the corresponding Kernel option is "Universal TUN/TAP device driver support ".
　　
After confirming that Kernel supports TUN/TAP, you can download OpenVPN compilation and installation. This step is easy.
　　
　　 Installation in Windows
　　
Download the installation package installation from the http://www.openvpn.se (http://www.openvpn.se/), where the installation package comes with a Client GUI tool for ease of use.
　　
Configure OpenVPN
　　
Configure OpenVPN Server
　　
Only the configurations in Linux are described. Windows is similar. Create/etc/vpn/server. conf with the following content:
　　
Port 1494
Proto udp
Dev tun
Ca. crt
Cert server. crt
Key server. key
Dh dh1024.pem
　　
Server 10.1.0.0 255.255.255.0
　　
Push "route 10.1.0.0 255.255.255.0"
Push "route 10.1.1.0 255.255.255.0"
　　
Client-config-dir/etc/vpn/ccd
Route 10.1.1.0 255.255.255.0
　　
Client-to-client
　　
Keepalive 10 120
　　
User nobody
Group nobody
　　
Persist-key
Persist-tun
　　
Log-append openvpn. log
Verb 3
　　
Among them, ca. crt, server. key, server. crt can be created using the previously attached ca tool, and dh1024.pem can be created using the OpenVPN tool.
　　
This configuration file creates two CIDR blocks: 10.1.0. * and 10.1.1. *. the VPN server assigns an IP address to the Client from these two CIDR blocks. The IP address of the VPN Server is 10.0.0.1.
　　
"Client-config-dir" indicates the VPC configuration file directory of the Client. You can create a configuration file for a specific user in this directory. For example, to specify an IP address (such as 10.1.1.5) for user abc instead of making the VPN Server automatically allocated, you can create an abc file under the/etc/vpn/ccd configuration Directory. the content is as follows:
　　
Ifconfig-push 10.1.1.5 10.1.1.6
　　
The VPN Server automatically assigns the 10.1.1.5 address to the abc user. Note that the last number (5) of the first IP address must be 4 * n + 1.
　　
The problem is, how does the VPN Server know which user is abc? It is determined by the Common Name field in the Client digital certificate. That is to say, if the Common Name of the Client digital certificate is abc during connection negotiation, the VPN Server will find the abc file in the configuration directory.
　　
Configure OpenVPN Client
　　
Create the following Client. ovpn file under the config Directory of the OpenVPN installation directory on the client machine:
　　
Client
Dev tun
Proto udp
Remote vpn_server_ip 1494
　　
Ca. crt
Cryptoapicert "SUBJ: abc"
　　
Nobind
Persist-key
Persist-tun
Verb 2
　　
Modify the remote line and fill in the corresponding VPN Server IP address and port. Ca. crt is the same as ca. crt on the server. the ca. crt must also be placed in the config directory.
　　
The key is cryptoapicert "SUBJ: abc. This line specifies that the client's digital certificate is obtained from the Windows certificate Store. You can view your personal digital certificate on the "Options-> Content-> certificate" page of IE.
　　
SUBJ: abc indicates the certificate whose subject contains abc. The client digital certificate can also be generated using the ca tool that was previously attached. to issue a digital certificate to user abc, you only need to specify the Common Name as abc, and then set the generated abc. send p12 to the abc user and inform the import password. After abc imports the digital certificate, the VPN Client can work.
　　
Start OpenVPN
　　
　　 Server startup
　　
In the/etc/vpn Directory, run:
　　
Openvpn -- daemon -- config server. conf
　　
　　 Start the client
　　
OpenVPN comes with a GUI tool that will be installed in the system tray. Click connect in the menu.
　　
　　 FAQs
　　
Unable to get IP address
　　
It is usually because the DHCP Client service is not started. Start in service management.