Centos6, kernel version: 2.6.32-71. el6
The IP address is 192.168.122.180, and the tunnel IP address is 10.8.0.1.
Kernel must support Tun devices and must load iptables
Check whether Tun is installed:
# Modinfo Tun
Filename:/lib/modules/2.6.32-71. el6.i686/kernel/Drivers/NET/TUN. Ko |
The IP address of the win7 host is 192.168.122.29.
2.Currently, openvpn cannot be directly installed using yum. The RPM installation package is available on the official website and can be downloaded directly. This RPM depends on:
In addition, if we compile the source code package, we will also rely on the corresponding development package of the above package:
Fortunately, all dependent packages can be directly obtained and installed through yum.
Here we use the method of directly compiling the source code. After all the dependent packages are installed, decompress the downloaded source code package:
Download the latest source code package from http://openvpn.net/index.php/open-source/downloads.html.
#tar xfz openvpn-[version].tar.gz
Then, go to the top-level directories of the source code and execute the three steps of compilation and installation:
#./configure#make#make install2.2. Windows
Download the latest installation package from http://openvpn.net/index.php/open-source/downloads.html. double-click the installation.
3.Because my environment uses Linux as the server, certificate generation is also completed in Linux.
If openvpn is installed through the RPM package, the easy-RSA directory is usually/Usr/share/doc/packages/openvpn or/usr/share/doc/openvpn-versionIf openvpn is compiled using the source code package, easy-RSA will be under the top-level directory of the source code package.
(Before editing, it is best to copy the entire easy-RSA directory to another place, for example/Etc/openvpnIn this way, if you need to upgrade openvpn later, it will not overwrite the original configuration ).
First copy easy-RSA to/etc/openvpn:
#mkdir –p /etc/openvpn
#cp -R easy-rsa /etc/openvpn
#cd /etc/openvpn/easy-rsa/2.03.1. Ca File
Open it with a familiar editing toolVarsFile, modify the following variables according to the actual situation:
Export key_country = "CN" |
Configure OpenSSL, according to the OpenSSL version installed by the system, copy the corresponding openssl-version.cnf file, the target file name is OpenSSL. CNF, or create a file link:
# rpm -q openssl
openssl-1.0.0-20.el6_2.2.i686
# cp openssl-1.0.0.cnf openssl.cnf
Run the following command:
#. ./vars#./clean-all#./build-ca server
Note that the First Command has two.
Output:
Generating a 1024 bit RSA private key.++++++......................++++++writing new private key to 'ca.key'-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [CN]:State or Province Name (full name) [CA]:Locality Name (eg, city) [HZ]:Organization Name (eg, company) [HZ]:Organizational Unit Name (eg, section) [changeme]:Common Name (eg, your name or your server's hostname) [changeme]:Name [changeme]:Email Address [mail@host.domain]: |
3.2. Generate server key
# ./build-key-server server
The server here is the specified name label. If it is not specified, a prompt is displayed during execution.
Generating a 1024 bit RSA private key.....++++++.................++++++writing new private key to 'server.key'-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [CN]:State or Province Name (full name) [CA]:Locality Name (eg, city) [HZ]:Organization Name (eg, company) [HZ]:Organizational Unit Name (eg, section) [changeme]:Common Name (eg, your name or your server's hostname) [server]:Name [changeme]:Email Address [mail@host.domain]: Please enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:An optional company name []:Using configuration from /etc/easy-rsa/2.0/openssl.cnfCheck that the request matches the signatureSignature okThe Subject's Distinguished Name is as followscountryName :PRINTABLE:'CN'stateOrProvinceName :PRINTABLE:'CA'localityName :PRINTABLE:'HZ'organizationName :PRINTABLE:'HZ'organizationalUnitName:PRINTABLE:'changeme'commonName :PRINTABLE:'server'name :PRINTABLE:'changeme'emailAddress :IA5STRING:'mail@host.domain'Certificate is to be certified until Mar 28 03:05:21 2022 GMT (3650 days)Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entriesData Base Update |
Note that some content in the table box requires interaction. Generally, you can use the default value. You must enter the content marked in red.
3.3. Generate the client key
# ./build-key client1
Client1 indicates the client name. If multiple clients exist, multiple keys must be generated.
Generating a 1024 bit RSA private key...++++++...............++++++writing new private key to 'client1.key'-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [CN]:State or Province Name (full name) [CA]:Locality Name (eg, city) [HZ]:Organization Name (eg, company) [HZ]:Organizational Unit Name (eg, section) [changeme]:Common Name (eg, your name or your server's hostname) [client1]:Name [changeme]:Email Address [mail@host.domain]: Please enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:An optional company name []:Using configuration from /etc/easy-rsa/2.0/openssl.cnfCheck that the request matches the signatureSignature okThe Subject's Distinguished Name is as followscountryName :PRINTABLE:'CN'stateOrProvinceName :PRINTABLE:'CA'localityName :PRINTABLE:'HZ'organizationName :PRINTABLE:'HZ'organizationalUnitName:PRINTABLE:'changeme'commonName :PRINTABLE:'client1'name :PRINTABLE:'changeme'emailAddress :IA5STRING:'mail@host.domain'Certificate is to be certified until Mar 28 03:21:06 2022 GMT (3650 days)Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entriesData Base Updated |
Note that some content in the table box requires interaction. Generally, you can use the default value. You must enter the content marked in red.
3.4. Generate the Diffie Hellman Parameter
This step is required on the server and may take a long time:
#./build-dh3.5. File description
Up to now, we have created a complete key and Certificate file, which is stored in the easy-RSA directory and namedKeys. The following table provides a brief description of these files:
Filename |
Needed |
Purpose |
Secret |
CA. CRT |
SERVER + all clients |
Root CA certificate |
No |
CA. Key |
Key signing machine only |
Root CA key |
Yes |
DH {n}. pem |
Server only |
Diffie Hellman Parameters |
No |
Server. CRT |
Server only |
Server Certificate |
No |
Server. Key |
Server only |
Server key |
Yes |
Client1.crt |
Client1 only |
Client1 Certificate |
No |
Client1.key |
Client1 only |
Client1 key |
Yes |
Finally, you need to download the keys Directory, which is used by some file clients.4.
Openvpn carries a configuration file template. You can edit the required configuration items according to the actual situation. The configuration template is stored in:
L openvpn source code packageSample-config-FilesSubdirectory
L RPM package/Usr/share/doc/packages/openvpnOr/Usr/share/doc/openvpn-versionUnderSample-config-FilesSubdirectory
4.1. Server
Edit/etc/sysctl. conf and change net. ipv4.ip _ forward = 0 to net. ipv4.ip _ forward = 1 to save. Then execute:
#sysctl –p
Add routing rules:
#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 192.168.122.180
Change 192.168.122.180 to the IP address of your VPs.
Use/Etc/init. d/iptables saveSave iptables settings, and then/Etc/init. d/iptables restartRestart.
Copy the keys directory to/etc/openvpn
Copy server. conf in the anti-template to/etc/openvpn and configure it according to your actual situation. The following is my Configuration:
local 192.168.122.180port 1194proto udp dev tun ca /etc/openvpn/keys/ca.crtcert /etc/openvpn/keys/server.crtkey /etc/openvpn/keys/server.key # This file should be kept secretdh /etc/openvpn/keys/dh1024.pemserver 10.8.0.0 255.255.255.0ifconfig-pool-persist ipp.txtpush “dhcp-option DNS 202.101.172.35client-to-clientkeepalive 10 120 comp-lzopersist-keypersist-tunstatus openvpn-status.logverb 4 Start openvpn#openvpn --config /etc/openvpn/server.conf & |
Open the downloaded keys folder and copy the ca. CRT, client1.crt, and client1.key files to the \ config directory under the openvpn installation path. Edit the client1.ovpn configuration file. For more information, see client. conf in the template. The following is my client Configuration
clientdev tun proto udp remote 192.168.122.180 1194resolv-retry infinitenobindpersist-keypersist-tunca ca.crtcert client1.crtkey client1.keyns-cert-type servercomp-lzoverb 3 |
Run openvpn GUI as an administrator in win7 and click Connect. After a while, you can see the successful connection message.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
