OpenVPN installation and configuration

Posted by perfychi on 2012-12-06
Source: http://hi.baidu.com/dd_taiyangxue/item/43ea0731c3fbabc72e8ec252

1. OpenVPN installation environment

Server-side environment

Red Hat, kernel version 2.6.18.8-128.el5, IP address 192.168.0.166

The kernel must support the tun device, and the iptables module must be loaded.
Check whether tun is installed:
Code:

[root@sever160 ~]# modinfo tun

If there is no modinfo command, look directly for a tun.o file in the kernel module tree. On this machine the file is actually tun.ko, so if you cannot find tun.o, search for tun.ko instead:
Code:

Check the iptables module: see whether the following file exists:
/etc/init.d/iptables

More versions: http://openvpn.net/release/

Client-side environment: Windows XP PRO SP2

openvpn-2.0.9-install.exe,

which can be downloaded from http://openvpn.net/release/openvpn-2.0.9-install.exe
Note: the version of openvpn-2.0.9-install.exe must match the version of the OpenVPN server.
For example, if the server has openvpn-2.0.9 installed, the OpenVPN GUI for Windows to download is openvpn-2.0.9-install.exe.

All historical versions of OpenVPN GUI: http://openvpn.se/files/install_packages/

2. OpenVPN server installation

Log in to the Linux server with SecureCRT or SSH and change to the directory holding the source tarballs:

Code:

cd /usr/local/src/tarbag

Download LZO and extract it to lzo-2.02.

Download OpenVPN and extract it to openvpn-2.0.9.

Install LZO. Code:

#tar -zxvf lzo-2.03.tar.gz -C ../software

#cd ../software/lzo-2.03
#./configure --prefix=/usr/local/lzo   # set the install prefix
#make                                  # compile
#make check                            # run the build checks
#make install                          # install

Install OpenVPN

#tar -xzvf openvpn-2.0.9.tar.gz -C ../software/

#cd /usr/local/src/software/openvpn-2.0.9
#./configure --with-lzo-headers=/usr/local/lzo/include \
    --with-lzo-lib=/usr/local/lzo/lib \
    --with-ssl-headers=/usr/include/openssl \
    --with-ssl-lib=/usr/lib

# The configure output follows
checking for ifconfig... /sbin/ifconfig
checking for ip... /sbin/ip
checking for route... /sbin/route
checking build system type... i686-pc-linux
checking host system type... i686-pc-linux
checking target system type... i686-pc-linux
checking for a BSD-compatible install... /usr/bin/install -c
..................
# LZO check; if this does not pass, OpenVPN cannot be built
configure: checking for LZO Library and Header files...
checking lzo/lzo1x.h usability... yes
checking lzo/lzo1x.h presence... yes
checking for lzo/lzo1x.h... yes
checking for lzo1x_1_15_compress in -llzo2... yes
# SSL check; if this does not pass, OpenVPN cannot be built
configure: checking for OpenSSL Crypto Library and Header files...
checking openssl/evp.h usability... yes
checking openssl/evp.h presence... yes
checking for openssl/evp.h... yes
checking for EVP_CIPHER_CTX_init in -lcrypto... yes
# OpenSSL must be at least version 0.9.6; if this fails, check your OpenSSL version
configure: checking that OpenSSL Library is at least version 0.9.6...
checking for EVP_CIPHER_CTX_set_key_length... yes
checking openssl/engine.h usability... yes
checking openssl/engine.h presence... yes
checking for openssl/engine.h... yes
checking for ENGINE_load_builtin_engines... yes
checking for ENGINE_register_all_complete... yes
checking for ENGINE_cleanup... yes
configure: checking for OpenSSL SSL Library and Header files...
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
checking for SSL_CTX_new in -lssl... yes
configure: creating ./config.status
config.status: creating Makefile
config.status: creating openvpn.spec
config.status: creating config-win32.h
config.status: creating install-win32/openvpn.nsi
config.status: creating config.h
config.status: executing depfiles commands
#make           # compile; the output is not pasted here
#make install   # final step: install

Generating certificates and keys

Initialize the PKI

Code:

#cd /usr/local/src/software/openvpn-2.0.9/easy-rsa/2.0

#vi vars

Change the following lines:

-------------begin------------------
export EASY_RSA="`pwd`"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_CONFIG=$EASY_RSA/openssl.cnf   # this second assignment overrides the one above
export KEY_DIR=$EASY_RSA/keys

export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=FJ
export KEY_CITY=FZ
export KEY_ORG="netgaming"
export KEY_EMAIL=""

-----------end-------------------

Build:

Code:

#source ./vars

#./clean-all   # deletes the keys directory
#./build-ca    # creates the root certificate

Code:
[root@sever160 2.0]# ./build-ca
Generating a 1024 bit RSA private key
..++++++
...........................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [FJ]:FJ
Locality Name (eg, city) [FZ]:FZ
Organization Name (eg, company) [netgaming]:netgaming
Organizational Unit Name (eg, section) []:766
Common Name (eg, your name or your server's hostname) [netgaming CA]:server
Email Address [support@766.com]:support@766.com

Create the server key. Code:

#./build-key-server server
[root@sever160 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
....................++++++
.............................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [FJ]:FJ
Locality Name (eg, city) [FZ]:FZ
Organization Name (eg, company) [netgaming]:netgaming
Organizational Unit Name (eg, section) []:766
Common Name (eg, your name or your server's hostname) [server]:server
Email Address [support@766.com]:support@766.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:ty12245^Hc1
An optional company name []:766
Using configuration from /usr/local/src/software/openvpn-2.0.9/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'FJ'
localityName :PRINTABLE:'FZ'
organizationName :PRINTABLE:'netgaming'
organizationalUnitName:PRINTABLE:'766'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'support@766.com'
Certificate is to be certified until Sep 1 06:11:47 2019 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generate the client key

Code:

#./build-key client1
[root@sever160 2.0]# ./build-key client1
Generating a 1024 bit RSA private key
...........................................++++++
.......++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [FJ]:FJ
Locality Name (eg, city) [FZ]:FZ
Organization Name (eg, company) [netgaming]:netgaming
Organizational Unit Name (eg, section) []:766
Common Name (eg, your name or your server's hostname) [client1]:client1
Email Address [support@766.com]:support@766.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:ty12245^Hc1
An optional company name []:766
Using configuration from /usr/local/src/software/openvpn-2.0.9/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'FJ'
localityName :PRINTABLE:'FZ'
organizationName :PRINTABLE:'netgaming'
organizationalUnitName:PRINTABLE:'766'
commonName :PRINTABLE:'client1'
emailAddress :IA5STRING:'support@766.com'
Certificate is to be certified until Sep 1 06:19:03 2019 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generate the other client certificates/keys in the same way

Code:

#./build-key client2   # same procedure as for client1
#./build-key client3   # same procedure as for client1

Note: at the Common Name (eg, your name or your server's hostname) []: prompt, every certificate must be given a different name.

Build:

Code:
./build-dh   # this step is important

[root@sever160 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time

...+...........................................+.....+......+.+....................+.....................................................................+.......................+................+..+..................+.+.............................................................+.+..............+........................................................+...+.........................................+.................++*++*++*
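The easy-rsa scripts above (build-ca, build-key-server, build-key) wrap plain openssl commands. The following is an added example, not part of the original post or of easy-rsa, that performs the same three steps directly with the openssl CLI so that what each step produces is visible: a self-signed CA, a server certificate marked with nsCertType=server (the extension that the client's "ns-cert-type server" directive checks), and client certificates that must carry distinct Common Names. It assumes a scratch directory WORK (defaulting to a mktemp directory) and an openssl binary on PATH, and uses 2048-bit keys rather than the post's KEY_SIZE=1024, which the default OpenSSL security level on current distributions rejects. The build-dh step is not repeated here.

```shell
#!/bin/sh
# Added example (not from the original post): what easy-rsa's build-ca,
# build-key-server and build-key do, done directly with the openssl CLI.
# Assumptions: scratch directory $WORK (defaults to a mktemp dir) and an
# openssl binary on PATH. 2048-bit keys instead of the post's 1024.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DAYS=3650          # same certificate lifetime as the post
KEY_SIZE=2048

# Minimal openssl config: req needs a distinguished_name section even when
# -subj supplies the DN, and the CA certificate needs CA:TRUE + keyCertSign.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Same DN fields as the post's vars file; only the CN varies per certificate.
subj() { printf '/C=CN/ST=FJ/L=FZ/O=netgaming/OU=766/CN=%s' "$1"; }

# build-ca: self-signed root. ca.key never leaves this machine.
build_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey "rsa:$KEY_SIZE" -nodes \
    -days "$DAYS" -subj "$(subj 'netgaming CA')" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# build-key-server / build-key: $1 = Common Name, $2 = server|client.
# Server certificates get nsCertType=server, which the client's
# "ns-cert-type server" directive verifies, so a client certificate signed
# by the same CA cannot be used to impersonate the server.
build_key() {
  cn=$1; role=$2
  if [ -e "$WORK/$cn.crt" ]; then
    echo "CN '$cn' already issued: every client needs a distinct Common Name" >&2
    return 1
  fi
  if [ "$role" = server ]; then
    printf 'nsCertType=server\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > "$WORK/$cn.ext"
  else
    printf 'nsCertType=client\nextendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$WORK/$cn.ext"
  fi
  openssl req -new -config "$WORK/req.cnf" -newkey "rsa:$KEY_SIZE" -nodes \
    -subj "$(subj "$cn")" -keyout "$WORK/$cn.key" -out "$WORK/$cn.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$cn.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$DAYS" -extfile "$WORK/$cn.ext" -out "$WORK/$cn.crt" >/dev/null 2>&1
}

# Checks worth running before files are shipped to a client.
verify_cert() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; }
is_server_cert() { openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q 'SSL Server'; }
# The files a client needs; ca.key and the .csr stay on the CA machine.
client_bundle() { printf '%s\n' ca.crt "$1.crt" "$1.key"; }
```

Running build_ca, then build_key server server and build_key client1 client, gives the same ca.crt, server.crt/server.key and client1.crt/client1.key layout as easy-rsa's keys directory; a second build_key client1 is refused, which is the post's "each certificate must have a different name" rule enforced rather than remembered.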

Use the SFTP function of your SSH client to download all files under keys to the local machine, and also copy keys to /usr/local/openvpn/keys.

Create the server configuration file

Create it from the sample file:

Code:

#cd sample-config-files/                 # the sample-config-files subdirectory of the extracted source

#mkdir /usr/local/openvpn/etc            # directory for the openvpn configuration files
#cp server.conf /usr/local/openvpn/etc   # copy the server configuration file to /usr/local/openvpn/etc
#vi /usr/local/openvpn/etc/server.conf

The contents of the server.conf I created are given separately below.

Create the client configuration file

Code:

#cd sample-config-files/           # the sample-config-files subdirectory of the extracted source
#cp client.conf /usr/local/etc     # copy the client configuration file to /usr/local/etc
#vi /usr/local/etc/client.conf

The contents of the client.conf I created are given separately below.

Start OpenVPN:

#cd /usr/local/openvpn/sbin/

#./openvpn --daemon --config /usr/local/openvpn/etc/server.conf

3. OpenVPN for Windows client installation

Install OpenVPN for Windows, downloaded from http://openvpn.se. The current version is 1.0.3. Note: the OpenVPN version must match the version of the OpenVPN server.

Configure OpenVPN GUI

After installation, go to the config directory under the installation folder, download the client.conf created in step 10 above from the server into this folder, and rename it client.ovpn.

At the same time, extract the following certificate files from the mykeys.tar packed in step 8 into this folder:

Code:

ca.crt
ca.key
client1.crt
client1.csr
client1.key

Then double-click client.ovpn to start openvpn, or start the VPN from the OpenVPN GUI controls.

If double-clicking client.ovpn does nothing, right-click the OpenVPN GUI icon in the taskbar, choose edit config, paste the contents in and save, then right-click again and choose connect.

To use the VPN on a second machine, do the same configuration, but replace client1.crt, client1.csr and client1.key with the corresponding client2.xxx files and change the matching key file names in client.ovpn.

4. OpenVPN sample configuration files

OpenVPN server: server.conf

Code:

local 192.168.50.160
port 1194
proto udp
dev tun
ca /usr/local/openvpn/keys/ca.crt
cert /usr/local/openvpn/keys/server.crt
key /usr/local/openvpn/keys/server.key # This file should be kept secret
dh /usr/local/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /usr/local/openvpn/openvpn-status.log
verb 4
push "dhcp-option DNS 218.85.157.99" # name server address; see below for how to find it
push "dhcp-option DNS 218.85.152.99" # name server address; see below for how to find it

The DNS IPs in the example above, 218.85.157.99 and 218.85.152.99, can be found in /etc/resolv.conf:

#vi /etc/resolv.conf
nameserver 218.85.157.99
nameserver 218.85.152.99

OpenVPN client: client.ovpn

Code:

client
dev tun
proto udp
remote 218.66.36.119 1194
persist-key
persist-tun
ca ca.crt
cert client1.crt # replace with the corresponding client2.crt as needed
key client1.key # replace with the corresponding client2.key as needed
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1 # very important; this was the reason the first few attempts failed
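The two sample files above are where most of the problems in the FAQ at the end of the post originate: a client.ovpn without "redirect-gateway def1" (FAQ 1), two machines sharing one client certificate (FAQ 5 and 6), and the ca.key that the Windows section extracts onto the client, which only the CA should hold. The following is an added example, not part of the original post, that checks those points over the configuration files as text. It assumes the files are passed as paths; write_samples writes constructed copies of the post's server.conf and client.ovpn to a directory so the checks can run stand-alone.

```shell
#!/bin/sh
# Added example, not from the original post: lint for the server.conf and
# client.ovpn shown above, covering the mistakes behind FAQ items 1, 5 and 6.
# Assumes configs are passed as file paths; write_samples writes constructed
# copies of the post's files to a directory so the checks run stand-alone.
set -eu

# True if the file contains the directive (first word; comment lines never match).
has_directive() {  # $1 = file, $2 = directive
  awk -v d="$2" '$1 == d { found = 1 } END { exit !found }' "$1"
}
# First argument of a directive, empty if absent ("cert client1.crt" -> client1.crt).
directive_arg() { awk -v d="$2" '$1 == d { print $2; exit }' "$1"; }

# Server: own cert/key, CA cert, DH params and the tunnel subnet are all required.
check_server_conf() {
  for d in local port proto dev ca cert key dh server; do
    has_directive "$1" "$d" || { echo "server: missing '$d'"; return 1; }
  done
  echo "server: ok"
}

# Client. FAQ 1: without "redirect-gateway def1" the client keeps its own default
# route, so only the 10.8.0.0/24 network is reachable through the tunnel.
check_client_conf() {
  for d in client remote ca cert key; do
    has_directive "$1" "$d" || { echo "client: missing '$d'"; return 1; }
  done
  [ "$(directive_arg "$1" redirect-gateway)" = def1 ] ||
    { echo "client: missing 'redirect-gateway def1'"; return 1; }
  echo "client: ok"
}

# FAQ 5 and 6: two machines presenting the same client certificate get the same
# tunnel address and push each other off. Succeeds when two configs collide.
clients_share_cert() { [ "$(directive_arg "$1" cert)" = "$(directive_arg "$2" cert)" ]; }

# The client needs only ca.crt, clientN.crt and clientN.key. A copy of ca.key on
# a client machine lets whoever takes it issue certificates, so refuse the bundle.
check_client_bundle() {  # $@ = file names about to be shipped to the client
  for f in "$@"; do
    case "$f" in ca.key) echo "bundle: ca.key must stay on the CA machine"; return 1;; esac
  done
  echo "bundle: ok"
}

# Constructed samples mirroring the post: a good server.conf, client1 with the
# gateway redirect, client2 with its own cert, and client1 without the redirect.
write_samples() {  # $1 = directory
  cat > "$1/server.conf" <<'EOF'
local 192.168.50.160
port 1194
proto udp
dev tun
ca /usr/local/openvpn/keys/ca.crt
cert /usr/local/openvpn/keys/server.crt
key /usr/local/openvpn/keys/server.key # This file should be kept secret
dh /usr/local/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 218.85.157.99"
EOF
  cat > "$1/client1.ovpn" <<'EOF'
client
dev tun
proto udp
remote 218.66.36.119 1194
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
redirect-gateway def1
EOF
  sed 's/client1/client2/' "$1/client1.ovpn" > "$1/client2.ovpn"
  grep -v '^redirect-gateway' "$1/client1.ovpn" > "$1/client1-nogw.ovpn"
}
```

Run check_server_conf and check_client_conf on the real files before copying them to a client; check_client_bundle takes the list of files about to be packed, which for the post's layout should be ca.crt, client1.crt and client1.key and nothing else.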

5. Configuring Internet access through OpenVPN

Enabling routing: after the VPN connection succeeds, routing still has to be set up before the Internet can be reached through the VPN. On the Linux server, add the route:

(Note: if the openvpn server is not directly connected to the Internet but sits on an ordinary line behind a LAN switch, add a port mapping for port 1194 to 192.168.50.160 on the router.)

Code:

#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.50.160   # egress IP address, the same IP as "local 192.168.50.160" in server.conf
#/etc/init.d/iptables save
#/etc/init.d/iptables restart

The -o eth0 argument may differ between machines; run ifconfig to find out which network interface holds the IP (192.168.50.160).

IP forwarding must also be turned on. Do not use echo 1 > /proc/sys/net/ipv4/ip_forward: that setting is lost after a reboot. Check first:

Code:

#sysctl -a | grep for
#result:
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.ip_forward = 1

If any of the listed (*.forwarding) values on your host is not 1, change it to 1.

Code:

#sysctl -w net.ipv4.conf.tun0.forwarding=1   # key=value with no spaces around "="
#sysctl -w net.ipv4.conf.eth0.forwarding=1
#sysctl -w net.ipv4.conf.lo.forwarding=1
#sysctl -w net.ipv4.conf.default.forwarding=1
#sysctl -w net.ipv4.conf.all.forwarding=1
#sysctl -w net.ipv4.ip_forward=1

(All forwarding values are reset to 0 after a system restart, so add these commands to rc.local.)
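The two checks in this section, forwarding flags and the SNAT source address, are easy to get subtly wrong: sysctl -w needs key=value with no spaces, and the --to-source address must be the "local" address from server.conf (FAQ 8 at the end of the post is exactly that mismatch after the server changed IP). The following is an added example, not part of the original post, that works over the text of "sysctl -a | grep for" output and the iptables rule, so it runs anywhere; the sysctl sample is constructed from the post's output with tun0 forwarding switched off.

```shell
#!/bin/sh
# Added example (not from the original post): routing checks for this section
# done over text. Input is "sysctl -a | grep for" output (a constructed sample
# below, the post's output with tun0 forwarding off) and the post's SNAT rule.
set -eu

# Constructed sample.
SYSCTL_SAMPLE='net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.ip_forward = 1'

# Keys that must be 1 for tunnel traffic to reach the Internet: every
# *.forwarding entry (mc_forwarding is multicast and is left alone) and
# net.ipv4.ip_forward itself. Reads sysctl output on stdin, prints offenders.
forwarding_off() {
  awk -F' *= *' '($1 ~ /\.forwarding$/ || $1 == "net.ipv4.ip_forward") && $2 != 1 { print $1 }'
}

# sysctl -w takes key=value with no spaces: "sysctl -w key = 1" is parsed as
# three separate arguments and sets nothing. One correct command per offender.
fix_commands() { forwarding_off | sed 's/^/sysctl -w /; s/$/=1/'; }

# Persistent alternative to rc.local: the same keys as /etc/sysctl.conf lines,
# which sysctl -p (run at boot) applies.
sysctl_conf_lines() { forwarding_off | sed 's/$/ = 1/'; }

# The SNAT source must be the egress address, i.e. the "local" value in
# server.conf. $1 = local address, $2 = the iptables rule text.
snat_matches_local() {
  src=$(printf '%s\n' "$2" | sed -n 's/.*--to-source \([0-9.]*\).*/\1/p')
  [ -n "$src" ] && [ "$src" = "$1" ]
}
```

On a live server the input comes from the real command: sysctl -a | grep for | fix_commands prints the exact commands to run, and the same pipeline through sysctl_conf_lines gives the lines to append to /etc/sysctl.conf so the setting survives a reboot without rc.local.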

# The following is optional for 766

-----------begin--------------

Enabling a name server

If you need to reach sites whose domain names have been blocked by the GFW but your OpenVPN server itself is not blocked, run a name server on your host and push its DNS to the client. Dedicated hosts generally come with a private DNS server.

Code:

rpm -qa | grep bind
/etc/init.d/named start

In addition, server.conf must contain these three settings:

Code:

push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 218.85.157.99" # name server address
push "dhcp-option DNS 218.85.152.99" # name server address

--------end-------------


After the client connects successfully, run ipconfig /all in cmd; the output should look something like this:

Code:

Ethernet adapter 本地連線 4:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Win32 Adapter V8
Physical Address. . . . . . . . . : 00-FF-2B-EA-C0-89
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.8.0.26
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . : 10.8.0.25
DHCP Server . . . . . . . . . . . : 10.8.0.25
DNS Servers . . . . . . . . . . . : 218.85.157.99
                                    218.85.152.99
Lease Obtained. . . . . . . . . . : 2009年9月4日星期五 9:15:42
Lease Expires . . . . . . . . . . : 2010年9月4日星期六 9:15:42

6. Starting openvpn automatically after the OpenVPN server reboots

Run:

Code:

vi /etc/rc.local

and add this line at the very end:

Code:

# (no leading "#" on this line: in rc.local that would turn it into a comment and nothing would start)
/usr/local/openvpn/sbin/openvpn --daemon --config /usr/local/openvpn/etc/server.conf > /dev/null 2>&1 &

7. Testing OpenVPN

1. After logging in over the VPN, test network applications such as MSN, QQ and IE, and also try visiting some sites blocked by the GFW; this of course requires that your VPN server is not inside the country.

2. Without the VPN connected, open www.ip138.com to see this machine's public IP address; then connect the VPN and open it again, and compare the two addresses.


8. Frequently asked questions

1. The client's local connection has no gateway

Check whether the client.ovpn configuration file contains redirect-gateway def1.

2. The internal IP 192.168.50.160 can be dialled, but 218.66.36.119 cannot

Check whether the client is restricted from reaching external networks.

3. "Certificate invalid" error

Check whether the openvpn server's clock is correct; if it is not, correct the time and regenerate the certificates.

4. How to check whether all traffic goes over the VPN

On Windows, use tracert 218.85.157.99 or pathping 218.85.157.99.

For example:

C:\>tracert 218.85.157.99

Tracing route to FJ-DNS.fz.fj.cn [218.85.157.99]
over a maximum of 30 hops:

1 1 ms <1 ms <1 ms 10.8.0.1
(the first hop is the VPN server's gateway; if it is not, the redirect has failed)
2 1 ms 1 ms 1 ms 192.168.50.254 (gateway of the network the VPN server sits on)
3 2 ms 2 ms 2 ms 218.66.36.254
4 4 ms 1 ms 1 ms 220.160.92.105
5 2 ms 2 ms 2 ms 202.109.204.161
6 2 ms 1 ms 2 ms 218.85.156.90
7 * * * Request timed out.
8 3 ms 3 ms 4 ms FJ-DNS.fz.fj.cn [218.85.157.99]

Trace complete.

On Linux, use traceroute 218.85.157.99 or tracepath 218.85.157.99.

5. Why do I get the same IP address when dialling the VPN client from different computers?

Check whether you are using the same client certificate.

6. Why does one computer dialling in work fine, while two dialling in at the same time do not?

Check whether you are using the same client certificate.

7. Cannot reconnect immediately after disconnecting the VPN?

The connection has not been released yet, which is why it fails; change this machine's IP address and you can reconnect to the VPN.

8. OPENVPN was unused for a while; today I rebuilt the certificates, and once everything was done the connection came up but there was no Internet access

The IP address had been changed from 160 to 222 and the NAT rule had not been updated, so open /etc/sysconfig/iptables and change the NAT forwarding rule from:

-A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.50.160

to:

-A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.50.222

Done.
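FAQ item 4 above decides "is everything going through the tunnel?" by looking at the first hop of a trace. The following is an added example, not part of the original post, that makes that check scriptable: it reads Windows tracert or Linux traceroute output on stdin and compares the first hop with the VPN server's tunnel address, 10.8.0.1 in the post's setup (the "server 10.8.0.0 255.255.255.0" directive). The sample traces are constructed from the post's tracert run; the second one shows what a client without "redirect-gateway def1" produces.

```shell
#!/bin/sh
# Added example (not from the original post): FAQ item 4 as a scripted check.
# Reads tracert (Windows) or traceroute (Linux) output on stdin and verifies
# that the first hop is the VPN server's tunnel address.
set -eu

VPN_GW=10.8.0.1   # server side of the tunnel for "server 10.8.0.0 255.255.255.0"

# Constructed: the first three hops of the post's Windows tracert run.
TRACERT_VIA_VPN='Tracing route to FJ-DNS.fz.fj.cn [218.85.157.99]
over a maximum of 30 hops:

  1     1 ms    <1 ms    <1 ms  10.8.0.1
  2     1 ms     1 ms     1 ms  192.168.50.254
  3     2 ms     2 ms     2 ms  218.66.36.254'

# Constructed: the same trace from a client whose config lacks
# "redirect-gateway def1", so its first hop is the ordinary LAN router.
TRACERT_NO_VPN='Tracing route to FJ-DNS.fz.fj.cn [218.85.157.99]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     3 ms     3 ms     4 ms  100.64.0.1'

# Constructed: Linux traceroute format for the same check.
TRACEROUTE_VIA_VPN='traceroute to 218.85.157.99 (218.85.157.99), 30 hops max, 60 byte packets
 1  10.8.0.1 (10.8.0.1)  1.012 ms  0.998 ms  0.980 ms
 2  192.168.50.254 (192.168.50.254)  1.5 ms  1.4 ms  1.3 ms'

# Address of hop N: the line whose first field is N, and the first field on it
# that is a dotted IPv4 address. Both tracert and traceroute layouts satisfy
# this; a "Request timed out" hop prints nothing.
hop_addr() {  # $1 = hop number; stdin = trace output
  awk -v n="$1" '$1 == n {
    for (i = 2; i <= NF; i++)
      if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit }
  }'
}

# Succeeds when the first hop is the VPN gateway, i.e. the default route goes
# through the tunnel. Anything else means the redirect did not take effect.
traffic_via_vpn() { [ "$(hop_addr 1)" = "$VPN_GW" ]; }
```

On a real client, pipe the live command in: traceroute 218.85.157.99 | traffic_via_vpn && echo "via VPN" (or the tracert output saved to a file on Windows). Hop 2 via hop_addr 2 then gives the LAN gateway of the VPN server's network, as in the post's trace.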

 


From the ITPUB blog, link: http://blog.itpub.net/27042095/viewspace-750643/. If reposting, please credit the source; otherwise legal action may be taken.
