OpenVPN 是首选的 VPN 协议,和 PPTP、L2TP 相比,安全性较高、速度也较快,以下是基于 Debian 的 OpenVPN 安装配置教程。

OpenVPN 的服务端安装配置

1、基础设置

# 安装 OpenVPN
apt-get install openvpn
# 复制生成证书和密钥的脚本到 /etc/openvpn
cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
cd /etc/openvpn/easy-rsa/2.0
# 初始化 PKI
. ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
# 清除旧有证书和密钥
./clean-all
# 生成根证书和密钥
./build-ca
Generating a 2048 bit RSA private key
..................................+++
..+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:CN
State or Province Name (full name) [CA]:ZJ
Locality Name (eg, city) [SanFrancisco]:JX
Organization Name (eg, company) [Fort-Funston]:QTJ
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:QTJ CA
Name []:
Email Address [me@myhost.mydomain]:lypdarling@gmail.com
# 生成服务端证书和密钥
./build-key-server server
Generating a 2048 bit RSA private key
.................................+++
.............................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:CN
State or Province Name (full name) [CA]:ZJ
Locality Name (eg, city) [SanFrancisco]:JX
Organization Name (eg, company) [Fort-Funston]:QTJ
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Name []:
Email Address [me@myhost.mydomain]:lypdarling@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :'CN'
stateOrProvinceName   :'ZJ'
localityName          :'JX'
organizationName      :'QTJ'
commonName            :'server'
emailAddress          :'lypdarling@gmail.com'
Certificate is to be certified until Oct  6 09:26:49 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# 生成客户端证书和密钥
./build-key client1
Generating a 2048 bit RSA private key
....................................................+++
...............................................+++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:CN
State or Province Name (full name) [CA]:ZJ
Locality Name (eg, city) [SanFrancisco]:JX
Organization Name (eg, company) [Fort-Funston]:QTJ
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:
Name []:
Email Address [me@myhost.mydomain]:lypdarling@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :'CN'
stateOrProvinceName   :'ZJ'
localityName          :'JX'
organizationName      :'QTJ'
commonName            :'client1'
emailAddress          :'lypdarling@gmail.com'
Certificate is to be certified until Oct  6 09:27:35 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# 生成 Diffie Hellman 参数
./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
............................................................................+............+...................................................+..........................................................................................+................................................................................................+..............................................................................................................+..............................................................................................................+...................................................................................................................................................................................................................................................................+....................+.......................++*++*

现在,/etc/openvpn/easy-rsa/2.0/keys 目录下应该存在如下文件:

文件名被…依赖描述是否加密
ca.crt服务端和所有客户端根证书
ca.key仅签署密钥的机器根密钥
dh2048.pem仅服务端Diffie Hellman 参数
server.crt仅服务端Server 证书
server.key仅服务端Server 密钥
client1.crt仅客户端Client1 证书
client1.key仅客户端Client1 密钥

2、新建服务端配置文件并进行编辑

vi /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key 
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

3、建立 iptables 规则并设置为开机自动运行

vi /etc/rc.local
# !/bin/sh -e
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to the_ip_address_of_your_vps
exit 0

4、设置相关内核参数

vi /etc/sysctl.conf
net.ipv4.ip_forward=1
# 使改变立刻生效
sysctl -p /etc/sysctl.conf

5、运行 OpenVPN 服务

/etc/init.d/openvpn start
/etc/rc.local &

OpenVPN 的 Windows 客户端安装配置

1、下载安装 OpenVPN,复制服务端 /etc/openvpn/easy-rsa/2.0/keys 目录下的 ca.crt、client1.crt、client1.key 到客户端安装路径下的 config 目录;

OpenVPN 的 Windows 客户端安装配置

2、在客户端安装路径下的 config 目录下新建客户端配置文件 client.ovpn 并进行编辑;

client
dev tun
proto udp
remote the_ip_address_of_your_vps 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3

3、进行连接!