OpenVPN 安装配置教程

/

OpenVPN 是首选的 VPN 协议,和 PPTP、L2TP 相比,安全性较高、速度也较快,以下是基于 Debian 的 OpenVPN 安装配置教程。

OpenVPN 的服务端安装配置

1、基础设置

# 安装 OpenVPN
apt-get install openvpn
# 复制生成证书和密钥的脚本到 /etc/openvpn
cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
cd /etc/openvpn/easy-rsa/2.0
# 初始化 PKI
. ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
# 清除旧有证书和密钥
./clean-all
# 生成根证书和密钥
./build-ca
Generating a 2048 bit RSA private key
..................................+++
..+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:CN
State or Province Name (full name) [CA]:ZJ
Locality Name (eg, city) [SanFrancisco]:JX
Organization Name (eg, company) [Fort-Funston]:QTJ
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:QTJ CA
Name []:
Email Address [me@myhost.mydomain]:lypdarling@gmail.com
# 生成服务端证书和密钥
./build-key-server server
Generating a 2048 bit RSA private key
.................................+++
.............................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:CN
State or Province Name (full name) [CA]:ZJ
Locality Name (eg, city) [SanFrancisco]:JX
Organization Name (eg, company) [Fort-Funston]:QTJ
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Name []:
Email Address [me@myhost.mydomain]:lypdarling@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :'CN'
stateOrProvinceName   :'ZJ'
localityName          :'JX'
organizationName      :'QTJ'
commonName            :'server'
emailAddress          :'lypdarling@gmail.com'
Certificate is to be certified until Oct  6 09:26:49 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# 生成客户端证书和密钥
./build-key client1
Generating a 2048 bit RSA private key
....................................................+++
...............................................+++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:CN
State or Province Name (full name) [CA]:ZJ
Locality Name (eg, city) [SanFrancisco]:JX
Organization Name (eg, company) [Fort-Funston]:QTJ
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:
Name []:
Email Address [me@myhost.mydomain]:lypdarling@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :'CN'
stateOrProvinceName   :'ZJ'
localityName          :'JX'
organizationName      :'QTJ'
commonName            :'client1'
emailAddress          :'lypdarling@gmail.com'
Certificate is to be certified until Oct  6 09:27:35 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# 生成 Diffie Hellman 参数
./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
............................................................................+............+...................................................+..........................................................................................+................................................................................................+..............................................................................................................+..............................................................................................................+...................................................................................................................................................................................................................................................................+....................+.......................++*++*

现在,/etc/openvpn/easy-rsa/2.0/keys 目录下应该存在如下文件:

文件名 被…依赖 描述 是否加密
ca.crt 服务端和所有客户端 根证书
ca.key 仅签署密钥的机器 根密钥
dh2048.pem 仅服务端 Diffie Hellman 参数
server.crt 仅服务端 Server 证书
server.key 仅服务端 Server 密钥
client1.crt 仅客户端 Client1 证书
client1.key 仅客户端 Client1 密钥

2、新建服务端配置文件并进行编辑

vi /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key 
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

3、建立 iptables 规则并设置为开机自动运行

vi /etc/rc.local
# !/bin/sh -e
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to the_ip_address_of_your_vps
exit 0

4、设置相关内核参数

vi /etc/sysctl.conf
net.ipv4.ip_forward=1
# 使改变立刻生效
sysctl -p /etc/sysctl.conf

5、运行 OpenVPN 服务

/etc/init.d/openvpn start
/etc/rc.local &

OpenVPN 的 Windows 客户端安装配置

1、下载安装 OpenVPN,复制服务端 /etc/openvpn/easy-rsa/2.0/keys 目录下的 ca.crt、client1.crt、client1.key 到客户端安装路径下的 config 目录;

OpenVPN 的 Windows 客户端安装配置

2、在客户端安装路径下的 config 目录下新建客户端配置文件 client.ovpn 并进行编辑;

client
dev tun
proto udp
remote the_ip_address_of_your_vps 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3

3、进行连接!

Comments