Install openvpn in CentOS to enable Intranet access in win7 and go through the firewall
Client: Windows 7 64-bit
OpenVPN server: CentOS 5.8
Internet IP address: x.x
Intranet IP address: 192.168.53.230

First install the software packages:

yum install lzo
yum -y install openvpn easy-rsa
Enable route forwarding on the server:

vim /etc/sysctl.conf
net.ipv4.ip_forward = 1    # Change 0 to 1 to enable route forwarding on the server
sysctl -p
Prepare to create the CA certificate by editing the variable values in the vars file (country, province, city, organization, e-mail address, organizational unit):

cd /usr/share/easy-rsa/2.0/
This is the modified file (comment lines filtered out):

cat vars | grep -E '^[^#]'
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="CN"
export KEY_PROVINCE="GD"
export KEY_CITY="Gangzhou"
export KEY_ORG="MyOrganizationalUnit"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
export KEY_NAME="EasyRSA"
Source the file so that these variables take effect; you will not need to type them in again during the steps that follow.

source vars
Press Enter through the prompts of these commands, and type y where a y/n confirmation is requested.

./clean-all
./build-ca                  # Initialize the certificate authority and create the CA certificate; the prompts are prefilled with the values from vars
./build-key-server server   # Create the server certificate and key
./build-key win7            # Create a client certificate and key
./build-key client          # Create a second client certificate and key
./build-dh                  # Create the Diffie-Hellman parameters, which OpenVPN requires for the key exchange
openvpn --genkey --secret keys/ta.key   # Generate the tls-auth key, an "HMAC firewall" that helps resist malicious traffic such as DoS and UDP port flooding
Create the openvpn configuration directory and copy the generated files into it, then copy the sample server configuration:

mkdir /etc/openvpn/keys
cp keys/{ca.crt,server.{crt,key},dh2048.pem,ta.key} /etc/openvpn/keys/
cp /usr/share/doc/openvpn-2.3.8/sample/sample-config-files/server.conf /etc/openvpn/
The configuration file (comment lines filtered out) is as follows:

grep '^[^#;]' /etc/openvpn/server.conf
port 1194
proto tcp                          # UDP is faster, but tcp is more secure
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key                # This file should be kept secret
dh keys/dh2048.pem
server 10.8.0.0 255.255.255.0      # The VPN subnet must not conflict with an existing IP range
ifconfig-pool-persist ipp.txt      # Keep a table mapping each client to its virtual IP, so a client gets the same address after reconnecting
push "redirect-gateway def1"       # Route all client traffic through the VPN server; enable this if you need to bypass the firewall
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "route 192.168.53.0 255.255.255.0"   # If you only need intranet access, enable this line (192.168.53.0/24 is the server's real intranet) and comment out the two lines above
client-to-client                   # Allow clients to communicate with each other
duplicate-cn                       # Allow several clients to log on with the same CommonName; otherwise comment this out. We recommend a distinct CommonName per client. When enabled, one certificate can be used by multiple clients at once
keepalive 10 120
tls-auth keys/ta.key 0             # This file is secret
comp-lzo                           # LZO compression; must be configured on both the server and the client
persist-key
persist-tun                        # The persist options try to avoid accessing, on restart, resources that may no longer be reachable after the privilege downgrade
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3                             # Log level
*nat
:PREROUTING ACCEPT [133815:106094014]
:POSTROUTING ACCEPT [106420:6438724]
:OUTPUT ACCEPT [106420:6438724]
-A POSTROUTING -s 10.8.0.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Sat Oct 24 21:20:27 2015
# Generated by iptables-save v1.3.5 on Sat Oct 24 21:20:27 2015
*filter
:INPUT DROP [25601:1544411]
:FORWARD ACCEPT [2478:211489]
# Note that this is ACCEPT. Otherwise, domain names cannot be resolved once the vpn connection is up
:OUTPUT ACCEPT [1297534:172358827]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1194 -m comment --comment "openvpn" -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 20/sec --limit-burst 20 -j ACCEPT
# Rate-limit RST packets to help withstand DDoS attacks
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

This is my iptables configuration. If you want to go over the wall, you must make sure that DNS can be resolved. Otherwise, you can only log on to QQ.

/etc/init.d/openvpn start    # Once the server is configured, start openvpn
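The firewall rules above carry three requirements for a working VPN: a MASQUERADE rule in the nat POSTROUTING chain for the VPN subnet, a FORWARD chain that accepts forwarded traffic (the ACCEPT policy noted above), and an INPUT path that lets the OpenVPN listener's port through. The following Python script is an added example, not part of the original post: it parses an iptables-save dump and reports which of those three requirements is missing. The dump embedded in it is constructed to mirror the page's rules with the packet counters zeroed; the function names and the findings text are this example's own.

```python
import ipaddress
import shlex

# Constructed iptables-save dump modelled on the page's rules (counters zeroed);
# it is not the page's own file.
IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/255.255.255.0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1194 -m comment --comment "openvpn" -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
"""


def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [token list, ...]}}."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                      # table header, e.g. *nat
            current = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line.startswith(":"):                    # chain declaration with policy
            chain, policy = line[1:].split()[:2]
            current["policies"][chain] = policy
        elif line.startswith("-A"):                   # rule; shlex keeps quoted comments intact
            current["rules"].append(shlex.split(line))
    return tables


def opt(tokens, flag):
    """Value following a flag in a rule's token list, or None if absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def audit_vpn_firewall(text, vpn_net="10.8.0.0/24", proto="tcp", port="1194"):
    """Check that the dump lets VPN clients in and lets their traffic out."""
    t = parse_iptables_save(text)
    vpn = ipaddress.ip_network(vpn_net)
    findings = []

    # 1. NAT: the VPN subnet needs MASQUERADE (or SNAT) in POSTROUTING to reach the Internet.
    def covers_vpn(rule):
        src = opt(rule, "-s")
        return src is not None and vpn.subnet_of(ipaddress.ip_network(src, strict=False))

    nat_rules = t.get("nat", {}).get("rules", [])
    if not any(opt(r, "-A") == "POSTROUTING" and opt(r, "-j") in ("MASQUERADE", "SNAT")
               and covers_vpn(r) for r in nat_rules):
        findings.append(f"no MASQUERADE/SNAT in nat POSTROUTING for {vpn}")

    filt = t.get("filter", {"policies": {}, "rules": []})

    # 2. FORWARD: tun traffic is forwarded, so the policy or an explicit rule must ACCEPT.
    fwd_ok = filt["policies"].get("FORWARD") == "ACCEPT" or any(
        opt(r, "-A") == "FORWARD" and opt(r, "-j") == "ACCEPT" for r in filt["rules"])
    if not fwd_ok:
        findings.append("FORWARD chain does not accept forwarded traffic")

    # 3. INPUT must accept the listener on proto/port, directly or via a chain INPUT jumps to.
    reach = {"INPUT"} | {opt(r, "-j") for r in filt["rules"]
                         if opt(r, "-A") == "INPUT" and opt(r, "-j")}
    listen_ok = any(opt(r, "-A") in reach and opt(r, "-p") == proto
                    and opt(r, "--dport") == port and opt(r, "-j") == "ACCEPT"
                    for r in filt["rules"])
    if not listen_ok:
        findings.append(f"no INPUT ACCEPT for {proto}/{port}")
    return findings


if __name__ == "__main__":
    for finding in audit_vpn_firewall(IPTABLES_SAVE) or ["firewall rules look complete"]:
        print(finding)
```

On a live host the same check runs over the real dump with `audit_vpn_firewall(open("/etc/sysconfig/iptables").read())`; pass `proto="udp"` if the server is switched to UDP, since the INPUT rule must match the same protocol as `proto` in server.conf.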
Next, configure the client. Copy the sample client configuration and edit it (comment lines filtered out below):

cp /usr/share/doc/openvpn-2.3.8/sample/sample-config-files/client.conf /usr/share/easy-rsa/keys/client.ovpn
grep '^[^#;]' /usr/share/easy-rsa/keys/client.ovpn
dev tun
proto tcp
remote <your openvpn server IP> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert win7.crt
key win7.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3

Bundle the client files and download them with sz:

cd /usr/share/easy-rsa/2.0/keys/
zip conf.zip win7.crt win7.key ca.crt ta.key client.ovpn
sz conf.zip
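Several settings must agree between server.conf above and client.ovpn: dev and proto, the port the client connects to, comp-lzo on both sides, and the tls-auth key direction (0 on the server, 1 on the client). The following Python script is an added example, not part of the original post: it parses both files and lists any mismatch, and additionally checks that the client verifies the server certificate's role (ns-cert-type server, as on this page, or the newer remote-cert-tls server). The embedded configs are constructed to mirror the page's, with a documentation IP address in place of the real server; the function names are this example's own.

```python
# Constructed configs mirroring the page's server.conf and client.ovpn;
# they are not the page's own files and 203.0.113.10 is a placeholder address.
SERVER_CONF = """\
port 1194
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "route 192.168.53.0 255.255.255.0"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth keys/ta.key 0
comp-lzo
persist-key
persist-tun
verb 3
"""

CLIENT_OVPN = """\
dev tun
proto tcp
remote 203.0.113.10 1194
resolv-retry infinite
nobind
ca ca.crt
cert win7.crt
key win7.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
"""


def parse_openvpn(text):
    """Parse an OpenVPN config into {option: [args, ...]}.
    Comment lines (# or ;) and blank lines are dropped; an option such as
    push may appear several times, so every occurrence's args are kept."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def check_pair(server_text, client_text):
    """Return a list of mismatches between a server config and a client config."""
    s, c = parse_openvpn(server_text), parse_openvpn(client_text)
    problems = []

    # dev and proto must be identical on both ends
    for name in ("dev", "proto"):
        if s.get(name, [[None]])[0] != c.get(name, [[None]])[0]:
            problems.append(f"{name} differs: server {s.get(name)} client {c.get(name)}")

    # every remote must point at the port the server listens on (default 1194)
    sport = s.get("port", [["1194"]])[0][0]
    for remote in c.get("remote", []):
        if len(remote) >= 2 and remote[1] != sport:
            problems.append(f"remote port {remote[1]} != server port {sport}")

    # comp-lzo must be configured on both sides or on neither
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo configured on only one side")

    # tls-auth: both sides or neither; key direction 0 on server, 1 on client
    if ("tls-auth" in s) != ("tls-auth" in c):
        problems.append("tls-auth configured on only one side")
    elif "tls-auth" in s:
        sdir = s["tls-auth"][0][1] if len(s["tls-auth"][0]) > 1 else None
        cdir = c["tls-auth"][0][1] if len(c["tls-auth"][0]) > 1 else None
        if (sdir, cdir) != ("0", "1"):
            problems.append(f"tls-auth key direction must be 0/1 (server/client), got {sdir}/{cdir}")

    # the client should verify that the peer certificate is a server certificate
    if "ns-cert-type" not in c and "remote-cert-tls" not in c:
        problems.append("client does not verify the server certificate role (add remote-cert-tls server)")
    return problems


if __name__ == "__main__":
    for problem in check_pair(SERVER_CONF, CLIENT_OVPN) or ["server and client configs agree"]:
        print(problem)
```

Run it against the real files with `check_pair(open("/etc/openvpn/server.conf").read(), open("client.ovpn").read())` before zipping the client bundle; a wrong tls-auth direction or a one-sided comp-lzo shows up here rather than as a silent connection failure in the client log.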
1. Download the client and install it with the default settings (you may need to go over the wall to reach the download):
http://vpntech.googlecode.com/files/openvpn-2.1.1-gui-1.0.3-install-cn-64bit.zip
2. Copy conf.zip from the server to C:\Program Files (x86)\OpenVPN\config on the client and unzip it there.
After installation, run the program as administrator; otherwise the routes cannot be added and the connection fails with an error.
This setting is fine...
Although the latency is a bit high, it is connected. Now you are done.