Install Openvpn in Ubuntu 14.04
--------------------------- Download and install openvpn -----------------------------------
- Install openvpn and the other packages it needs:
- # apt-get install openvpn libssl-dev openssl
- Install easy-rsa for certificate management:
- # apt-get install easy-rsa
- Note: since Ubuntu 13.x, easy-rsa is a separate package and must be installed separately.
- Copy the easy-rsa directory into the openvpn directory:
- # cp -r /usr/share/easy-rsa/ /etc/openvpn/
- Copy the sample openvpn server configuration into /etc/openvpn and decompress it:
- # cp -r /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
- Decompress (in /etc/openvpn):
- # gzip -d server.conf.gz
- Edit the vars file, which sets the default certificate fields used by easy-rsa:
- # vim /etc/openvpn/easy-rsa/vars
- Before the change:
- # Don't leave any of these fields blank.
- export KEY_COUNTRY="US"
- export KEY_PROVINCE="CA"
- export KEY_CITY="SanFrancisco"
- export KEY_ORG="Fort-Funston"
- export KEY_EMAIL="me@myhost.mydomain"
- export KEY_OU="MyOrganizationalUnit"
- After the change:
- # Don't leave any of these fields blank.
- export KEY_COUNTRY="CN"
- export KEY_PROVINCE="ZZ"
- export KEY_CITY="ZhengZhou"
- export KEY_ORG="ZZ"
- export KEY_EMAIL="me@myhost.mydomain"
- export KEY_OU="Yunhe"
- Create the openssl.cnf symbolic link (in /etc/openvpn/easy-rsa):
- # ln -sv openssl-1.0.0.cnf openssl.cnf
- Without this link, sourcing vars fails with the following error:
- # source easy-rsa/vars
- bash: /etc/openvpn/whichopensslcnf: No such file or directory
- Make vars executable and load it into the current shell:
- # chmod +x vars
- # source /etc/openvpn/easy-rsa/vars
------------------------- Server certificate ------------------------------------------
- Create the CA certificate (run the easy-rsa scripts from /etc/openvpn/easy-rsa):
- First delete all files under /etc/openvpn/keys/*:
- # ./clean-all
- Build the CA:
- # ./build-ca
- Country Name (2 letter code) [CN]:
- State or Province Name (full name) [ZZ]:
- Locality Name (eg, city) [ZhengZhou]:
- Organization Name (eg, company) [ZZ]:
- Organizational Unit Name (eg, section) [Yunhe]:
- Common Name (eg, your name or your server's hostname) [zz ca]:
- Name [EasyRSA]: wkgbc
- Email Address [me@myhost.mydomain]:
- Generate the server certificate:
- # ./build-key-server ligengsheng
- Note: the name argument is arbitrary; use the machine name or domain name, then press Enter to accept the defaults for the remaining prompts.
- The Subject's Distinguished Name is as follows
- countryName :PRINTABLE:'cn'
- stateOrProvinceName :PRINTABLE:'zz'
- localityName :PRINTABLE:'zhengzhou'
- organizationName :PRINTABLE:'zz'
- organizationalUnitName :PRINTABLE:'yunhe'
- commonName :PRINTABLE:'ligengsheng'
- name :PRINTABLE:'wgbc'
- emailAddress :IA5STRING:'me@myhost.mydomain'
- Certificate is to be certified until Aug 9 05:51:30 2024 GMT (3650 days)
- Sign the certificate? [y/n]: y
- 1 out of 1 certificate requests certified, commit? [y/n] y
- Write out database with 1 new entries
- Data Base Updated
- Generate the DH parameter file:
- # ./build-dh
- This generates the Diffie-Hellman parameters used for the openvpn key exchange; generation takes a long time.
------------------------- Client certificate ------------------------------------------
- Generate the client certificate (the client name here is the server hostname plus a numeric suffix):
- # hostname
- ligengsheng
- # ./build-key ligengsheng001
- The Subject's Distinguished Name is as follows
- countryName :PRINTABLE:'cn'
- stateOrProvinceName :PRINTABLE:'zz'
- localityName :PRINTABLE:'zhengzhou'
- organizationName :PRINTABLE:'zz'
- organizationalUnitName :PRINTABLE:'yunhe'
- commonName :PRINTABLE:'ligengsheng001'
- name :PRINTABLE:'easyrsa'
- emailAddress :IA5STRING:'me@myhost.mydomain'
---------------------- Set the Internet access permission ---------------------------------------------
- Enable IP forwarding so that VPN clients can reach the Internet through the server:
- # vim /etc/sysctl.conf
- Find the line net.ipv4.ip_forward = 0
- and change 0 to 1.
- Apply the change:
- # sysctl -p
- Add an iptables NAT rule so that traffic from the VPN subnet is masqueraded out of eth0:
- # iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
- Allow the openvpn port through the firewall (tcp here; use -p udp instead if server.conf uses proto udp, which the sample file does by default):
- # iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
- # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
------------------------ Saving iptables rules on Debian/Ubuntu (not needed on CentOS and similar systems) ------------------------------------
- Note that iptables on Debian/Ubuntu does not save its rules across reboots.
- Use the following interface hooks to save the rules when the NIC goes down and restore them at startup:
- # vim /etc/network/if-post-down.d/iptables
- Add the following content:
- #!/bin/bash
- iptables-save > /etc/iptables.rules
- Grant execution permission:
- # chmod +x /etc/network/if-post-down.d/iptables
- Create the file /etc/network/if-pre-up.d/iptables:
- # vim /etc/network/if-pre-up.d/iptables
- Add the following content:
- #!/bin/bash
- iptables-restore < /etc/iptables.rules
- Grant execution permission:
- # chmod +x /etc/network/if-pre-up.d/iptables
---------------------------- Client installation ---------------------------------------
- Download the Windows openvpn client:
- http://swupdate.openvpn.org/community/releases/openvpn-2.2.2-install.exe
- Copy the downloaded key files (ca.crt and the client's .crt and .key) into the client's config folder.
- Copy the client config from the local sample-config folder into the config folder and change:
- ;remote my-server-1 1194
- ;remote my-server-2 1194
- to:
- remote ligengsheng.chinacloudapp.cn 1194
- ;remote my-server-2 1194
- Change the key file names:
- # File can be used for all clients.
- ca ca.crt
- cert ligengsheng001.crt
- key ligengsheng001.key
- If the server is configured with a ta.key file, remove the comment on the tls-auth line:
- # Then every client must also have the key.
- ;tls-auth ta.key 1
- ------------------ Linux client -----------------------------------------
- # yum install openvpn
- # openvpn --daemon --config client.ovpn
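As an added example (not code from the original post), the shell function below applies the client config edits described above with sed instead of hand editing: it sets the remote host and port, points cert/key at the client's certificate name, and uncomments tls-auth only when the server actually issued a ta.key. The embedded sample client.conf excerpt, the "yes"/"no" ta.key flag and the names in the second call are constructed for the example.

```shell
#!/bin/bash
# Added example, not code from the original post: build a client.ovpn from the
# sample client config by applying the edits described above with sed.

# Constructed excerpt of OpenVPN's sample client.conf, embedded so the script
# runs offline (the real file has more lines; only these are rewritten).
SAMPLE_CLIENT_CONF=';remote my-server-1 1194
;remote my-server-2 1194
ca ca.crt
cert client.crt
key client.key
;tls-auth ta.key 1
verb 3'

# make_client_ovpn SERVER PORT CLIENT_NAME [yes|no]
# Prints the rewritten config. The 4th argument (constructed flag) says whether
# the server was configured with a ta.key; only then is tls-auth uncommented,
# because a client with tls-auth enabled but no ta.key cannot connect.
make_client_ovpn() {
    server="$1"; port="$2"; name="$3"; has_ta="${4:-no}"
    script="s/^;remote my-server-1 .*/remote $server $port/"
    script="$script;s/^cert .*/cert $name.crt/"
    script="$script;s/^key .*/key $name.key/"
    if [ "$has_ta" = yes ]; then
        script="$script;s/^;tls-auth ta.key 1/tls-auth ta.key 1/"
    fi
    printf '%s\n' "$SAMPLE_CLIENT_CONF" | sed -e "$script"
}

# count_active_remotes: number of uncommented 'remote' lines read from stdin.
# A finished client config must have at least one, otherwise openvpn has no
# server to connect to.
count_active_remotes() {
    grep -c '^remote ' || true
}

# Usage with the values from the post (ta.key status "no" is assumed):
make_client_ovpn ligengsheng.chinacloudapp.cn 1194 ligengsheng001 no
```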