= "netops@netops.com"
export KEY_OU="netops"
# Initialize the environment variables
source vars
# Generate the root certificate, root key, server certificate, server key, Diffie-Hellman parameters and ta.key files.
./clean-all
./build-ca
./build-key-server OpenVPN
./build-dh
openvpn --genkey --secret keys/ta.key
The generated Certificate file is under the keys directory of the current directory.
such as winscp.
6. Create a server configuration file. Decompress the source code and copy the standard configuration file into the directory:
mkdir /etc/openvpn/easy-rsa/2.0/conf/
cp /tmp/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/easy-rsa/2.0/conf/
Edit the configuration file:
vim /etc/
mode to listen on the default UDP port 1194. The virtual interface uses the tun0 device. See the configuration example openvpn-2.0.9/sample-config-files/server.conf in the OpenVPN source code directory.)
[root@gw1 ~]# vim /etc/openvpn/gw1_tun0.conf
local 173.74.75.76 // specify the IP address of the lis
signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'cn'
region                :PRINTABLE:'sh'
localityName          :PRINTABLE:'PD'
organizationName      :PRINTABLE:'zyfmaster'
organizationalUnitName:PRINTABLE:'zyfmaster'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'2017@qq.com'
Certificate is to be certified until Dec 2 04:15:50 905407204 GMT (2022 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database
are generated in the keys directory.
./build-dh
# Generate the Diffie-Hellman parameters used for the key exchange. The dh1024.pem file is generated in the keys directory.
./build-key-server xuyou
# Generate the server certificate and key file. You only need to enter y at the last two prompts. xuyou.crt, xuyou.csr and xuyou.key are generated in the keys directory.
Copy the generated server-side CA certificate and key files to /etc/openvpn/
cp ca.crt ca.key xuyou.
xuyou
cp ca.crt ca.key xuyou.crt xuyou.csr xuyou.key /etc/
-tun
status openvpn-status.log
verb 3
-------------- Cut here -----------------
Place the configuration file in the C:\Program Files\OpenVPN\config\ directory. Copy ca.crt, server01.crt, server01.key, ta.key and dh1024.pem from easy-rsa\keys\ to the directory where server01.ovpn is located. Server configuration has ended. You can start the server. Right-click
# cd /etc/openvpn
# vim server.conf (this file does not exist by default)
local 192.168.10.191
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 11.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
persist-key
persist-tun
log openvpn.log
log-append openvpn.log
status openvpn-status.log
verb 3
Start the server
#
,ESTABLISHED -j ACCEPT
-A INPUT -s 10.8.0.0/24 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -d 10.8.0.0/24 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Tue May 5 11:25:43 2015
Taking windows as an example:
Client operation steps:
Download windows client:
Http://openvpn.ustc.ed
sample and then modify it on this basis:
# cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
# cd /etc/openvpn/
# gunzip server.conf.gz
This decompresses server.conf; open the file and edit it. If you have followed my steps from the beginning, you can copy my configuration directly. In thi
will be hosted to ensure that each customer's key identifier is unique.
sudo /etc/openvpn/easy-rsa/2.0/build-key Client
Move the server certificate and key files to the /etc/openvpn directory. Replace server.crt and server.key with the file names that are actually used.
sudo cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /etc/openvpn
sudo cp /etc/
=
export PKCS11_MODULE_PATH=
export PKCS11_PIN=
Enter "=" next to ". I don't know whether case sensitivity is affected. To avoid this, write it in the default format. Remember to save after editing.
4. Generate a certificate
# cd /etc/openvpn/easy-rsa/2.0/
# chown -R root:admin .
# chmod g+w .
# source ./vars // if this step reports that openssl.cnf is missing, rename openssl-1.0.0.cnf to openssl.cnf.
# ./build-ca (accept the default options)
# ./build-key-server
# ./bui
Before installation, run cat /dev/net/tun to check whether tun/tap is enabled.
[root@lx_web_s1 ~]# cat /dev/net/tun
cat: /dev/net/tun: File descriptor in bad state
This output indicates that tun/tap is enabled; you can install OpenVPN and configure the VPN server.
1. Install and prepare
yum -y insta
1. OpenVPN server-side configuration file details
##################################################
# Example of a server-side configuration file for OpenVPN 2.0 for multiple clients
#
# This file is used for multi-client
# OpenVPN also supports stand-alone
# This configuration supports Windows or Linux/BSD systems. Also, on Windows, remember to enclose the pat
OpenVPN-ng: the application-layer tunnel for mobile life, and the openvpn-ng application layer. VPN makes people think that it is always a good thing and a way to escape from supervision. In fact, VPN has become the only synonym for escaping from supervision. You see, no matter what the technology is, IPSec or a web proxy, as long as it encrypts the original information it can all be called VPN, s
network IP, because my server is a machine on a local area network with only a LAN IP, so here it is the IP of this machine.
If you do not add iptables rules, the result is that you can connect to the VPN server but not reach the Internet. Additional rules that may be required are as follows:
iptables -A FORWARD -i tun0 -s 10.1.1.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -d 10.1.1.0/24 -j ACCEPT
iptables -I INPUT -p tcp --dport 1194 -m comment --comment "OpenVPN" -j
iptables -t
easy-rsa3
Generate Certificate
# Configuration file directories are generally laid out like this:
cp /usr/share/doc/openvpn-2.3.6/sample-config-files/server.conf /etc/openvpn/
# OpenVPN 2.3 needs a separately downloaded easy-rsa package. This package is used to create the CA certificate, the server certificate and the client certificate.
wget -c https://github.com/
content of /usr/share/easy-rsa/2.0/keys/ca.crt in this
Copy and paste all the content of /usr/share/easy-rsa/2.0/keys/ta.key. Download client.ovpn from the server and copy it to the config directory of the OpenVPN installation directory. Finally, start the OpenVPN program and connect to the server. The account and password are both test. If you can obtain the IP a