Openvpn安装和配置介绍资料.doc

《Openvpn安装和配置介绍资料.doc》由会员分享，可在线阅读，更多相关《Openvpn安装和配置介绍资料.doc（35页珍藏版）》请在淘文阁 - 分享文档赚钱的网站上搜索。

1、*OpenVPN实现网络互连一、试验网络架构21.服务器信息22.操作系统对tun的支持性23.所需软件及作用3二、LZO软件安装3三、Openvpn安装5四、Openvpn server文件生成61.编辑Vars文件62.创建CA文件7五、创建Openvpn Server所需文件9六、创建client端所需文件10七、设置openvpn server的配置文件12八、Openvpn Server的配置文件server001.conf13九、客户端主机的配置文件client001.ovpn22十、Openvpn server主机上启用openvpn服务25十一、Openvpn Client主机

2、连接Openvpn Server26十二、Client内网主机访问server内网主机261.server主机配置文件下添加ccd文件夹262.Server主机上开启路由转发和NAT263.client主机上开启路由和远程访问264.Client内网主机静态路由添加315.Client访问server多内网段32十三、测试结果32十四、总结34十五、参考文档35OpenVPN实现网络互连一、 试验网络架构1. 服务器信息服务器名称OS版本内网IP地址内网网关外网IP地址Openvpn ServerRedHat AS410.0.17.6010.0.17.1NATOpenvpn ClientWin

3、dows2003192.168.0.82192.168.0.12. 操作系统对tun的支持性 试验中安装的Red Hat AS4内核默认已经支持tun，并且已经安装tun模块。对于一些没安装此模块的，需要重新编译内核支持。内核加载tun模块只是让内核支持隧道，并不是就会出现隧道接口。在没安装此模块的系统上加载tun模块：Linux 2.4 or higher (with integrated TUN/TAP driver):(1) make device node: mknod /dev/net/tun c 10 200(2a) add to /etc/modules.conf: alias

4、char-major-10-200 tun(2b) load driver: modprobe tun(3) enable routing: echo 1 ; /proc/sys/net/ipv4/ip_forward3. 所需软件及作用OpenVPN依赖OpenSSL库，加密用；LZO库，数据压缩用。在我安装的Red Hat AS4系统默认安装了OpenSSL库，没有的可以到www.openssl.org下载。LZO软件是必须的，否则无法安装Openvpn软件，可以到下载。LZO包含几个版本，在测试中我选择是的lzo-2.0.2。以上是辅助软件，Openvpn软件的下载地址为，我选择的是比较

5、稳定的openvpn-2.0.9版。之前在windows下包含2.0.3和2.0.9等多个版本，但是2.0.9版本在windows下安装的时候由于程序问题在生成CA文件的时候会出错，如果是在windows下安装建议选择2.0.3版本。yum install openssl openssl-devel二、 LZO软件安装如果之前有点点Linux系统的知识的话，此步就可跳过。首先解压下载的lzo-2.0.2.tar.gz文件，命令为tar zxvf lzo-2.0.2.tar.gz（至于不知道在哪里敲此命令的，建议看看Linux的基本操作，在桌面上点右键选择“打开终端”，在跳出的框里输入）如下图所

6、示解压完毕后在当前目录下会有一个名为lzo-2.0.2的文件夹，通过cd命令切换到lzo-2.0.2目录下（切换完毕后可以通过pwd命令察看）。具体如下图所示下一步输入./configure命令检查文件（注意前面有个点，而且是要切换到此目录下执行的）。注释：一般的configure都是一个script，执行后可以传入必要参数告知配置项目，最后产生Makefile档案后才可以给make程式读入使用，尽而呼叫相关编译程式。然后输入make命令编译，如下图所示最后通过输入命令make intall来安装lzo至此lzo安装完毕三、 Openvpn安装Openvpn的安装与lzo的安装命令一致，都是.

7、/configure然后make最后make install安装，在此不赘述。在工作中有时候可能一台电脑做为两个或多个client端，因此需要在同一电脑上安装两个或多个openvpn软件。为了保证在运行的时候不冲突，在./configure的时候需要加入prefix参数来指定makefile文件的位置。详情如下：-prefix是最常用的选项，制作出的 Makefile会查看随此选项传递的参数，当一个包在安装时可以彻底的重新安置他的结构独立部分。 举一个例子,当安装一个包,例如说Emacs,下面的命令将会使Emacs Lisp file被安装到/opt/gnu/：$ ./configure -p

8、refix=/opt/gnu./configure -with-lzo-headers=/usr/local/include -with-lzo-lib=/usr/local/lib -with-ssl-headers=/usr/local/include/openssl -with-ssl-lib=/usr/local/lib四、 Openvpn server文件生成首先切换到openvpn安装目录下，例如我是把openvpn安装在/home/coldface/openvpn-2.0.9下，我通过在终端中输入命令cd /home/coldface/openvpn-2.0.9(coldface

9、此文件夹是自己建的，命令为mkdir /home/coldface，在安装过程中自己选择合适的目录)。然后输入cd easy-rsa/命令，切换到easy-ras目录下进行配置。下面的操作都是依据在此目录下进行的。1. 编辑Vars文件Vars文件的作用是是创建环境变量初始化程序，通过输入vi ./vars来进行编辑。（针对不熟悉vi操作的，自己找到此目录下的文件，双击用文本编辑器编辑），然后按下键盘的i键进行修改。主要是修改一些openvpn所在地等信息，如KEY_COUNTRY，KEY_PROVINCE，KEY_CITY，KEY_ORG等。修改完毕后按下ESC键，然后输入:wq保存退出（L

10、inux对命令区分大小写，留意命令的字母）。如下图所示修改完毕后，输入命令. ./vars运行此脚本（注意两个点中间有个空格）然后输入./clean-all继续运行，此命令主要是在easy-ras下生成一个keys文件夹用于存放后续生成的key，crt等文件。2. 创建CA文件输入./build-ca生成CA文件，CA证书用于验证客户端的证书是否合法，因此客户端和服务器端都需要此证书。详细结果为： You are about to be asked to enter information that will be incorporatedinto your certificate reque

11、st.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter ., the field will be left blank.-Country Name (2 letter code) CN:State or Province Name (full name) JS:Loc

12、ality Name (eg, city) Suzhou:Organization Name (eg, company) OpenVPN:Organizational Unit Name (eg, section) :OpenVPNtestCommon Name (eg, your name or your servers hostname) :RootCA(此处名字任意)3.创建加密算法所需文件dh1024.pem输入命令./build-dh五、 创建Openvpn Server所需文件输入命令./build-key-server server001(注意此处后面添加了server001，名

13、字可以任意，但是一定要与下面程序中的Common Name一致)详细信息为：.+.+writing new private key to keysserver01.key-You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you

14、can leave some blankFor some fields there will be a default value,If you enter ., the field will be left blank. Country Name (2 letter code) CN:State or Province Name (full name) JS:Locality Name (eg, city) Suzhou:Organization Name (eg, company) OpenVPN:Organizational Unit Name (eg, section) :penvpn

15、testCommon Name (eg, your name or your servers hostname) :Server001(此处的名字一定要与./build-key-server后输入的名字一致)Please enter the following extra attributesto be sent with your certificate requestA challenge password :An optional company name :Using configuration from fCheck that the request matches the sign

16、atureSignature okCertificate is to be certified until Feb 9 10:01:34 2016 GMT (3650 days)Sign the certificate? y/n:y （选择Y）1 out of 1 certificate requests certified, commit? y/ny（选择Y）Write out database with 1 new entriesData Base Updated六、 创建client端所需文件输入命令./build-key client001（注意此处后面添加了client001，名字可

17、以任意，但是一定要与下面程序中的Common Name一致)详细信息为：Generating a 1024 bit RSA private key.+.+writing new private key to keyselm.key-You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There a

18、re quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter ., the field will be left blank.-Country Name (2 letter code) CN:State or Province Name (full name) JS:Locality Name (eg, city) Suzhou:Organization Name (eg, company) OpenVPN:Organizational U

19、nit Name (eg, section) :openvpntestCommon Name (eg, your name or your servers hostname) :client001(此处的名字一定要与./build-key后输入的名字一致)Please enter the following extra attributesto be sent with your certificate requestA challenge password :An optional company name :Check that the request matches the signat

20、ureSignature okCertificate is to be certified until Feb 9 10:05:53 2016 GMT (3650 days)Sign the certificate? y/n:y （选择Y）1 out of 1 certificate requests certified, commit? y/ny（选择Y）Write out database with 1 new entriesData Base Updated注意Common name，如果有多个客户端连接的时候，Common name不能重复，另外要注意名字不要弄错，在后面配置服务器端内

21、网访问客户端内网的时候需要此名字。此时文件都是保存在keys目录下（/home/coldface/openvpn-2.0.9/easy-ras/keys）在试验中我在/etc下建立一新目录openvpn来存放配置文件（命令为mkdir /etc/openvpn），在上述步骤完毕后，把ca.key，ca.crt，dh-1024.pem，server001.crt，server001.key复制到openvpn目录下（命令为cp ca.key ca.crt dh-1024.pem server001.crt server001.key /etc/openvpn）。七、 设置openvpn serv

22、er的配置文件首先通过cd .(cd后有个空格然后是两个点)，退回到/home/coldface/openvpn-2.0.9目录下，输入cd sample-config-files/切换到sample-config-files文件夹下，把此目录下的server.conf修改名字为server001.conf，然后把server001.conf文件复制到/etc/openvpn目录下（命令为cp server001.conf /etc/openvpn）。在后面会介绍如何配置server001.conf此配置文件。Openvpn client主机上安装软件一直点下一步即可。安装完毕后，只需把Ope

23、nvpn server主机上的ca.crt client001.key client001.crt复制到openvpn的安装目录下的config目录下。例如我安装在默认的C:Program FilesOpenVPN，那么ca.crt client001.key client001.crt client001.ovpn都放置在C:Program FilesOpenVPN下的config目录下面。八、 Openvpn Server的配置文件server001.conf首先回顾下文件的存放位置，安装程序目录是/home/coldface/openvpn-2.0.9，配置文件的存放目录是/etc/op

24、envpn。为了让两端的内网主机间能互访，需要在Openvpn Server上建立一个名字为ccd的目录，在里面建立一个名字为clien001的文件（此名字一定要与生成客户端key时输入的名字一致），这样当client001连接到server001时，程序会检查ccd文件，看是够有一个文件的名字于client001的名字一致，如果有则进程会读该文件里的指令并把这些指令用于该名字的客户端。注意ccd目录是放置在/etc/openvpn下面（具体命令为mkdir /etc/openvpn/ccd和touch /etc/openvpn/ccd/client001）。在client001文件的内容在后

25、面给出。现在来配置server001.conf文件，首先vi /etc/openvpn/server001.conf（用vi编辑），内容如下# Which local IP address should OpenVPN# listen on? (optional);local a.b.c.d# Which TCP/UDP port should OpenVPN listen on?# If you want to run multiple OpenVPN instances# on the same machine, use a different port# number for each

26、one. You will need to# open up this port on your firewall.port 1194# TCP or UDP server?;proto tcpproto udp# dev tun will create a routed IP tunnel,# dev tap will create an ethernet tunnel.# Use dev tap0 if you are ethernet bridging# and have precreated a tap0 virtual interface# and bridged it with y

27、our ethernet interface.# If you want to control access policies# over the VPN, you must create firewall# rules for the the TUN/TAP interface.# On non-Windows systems, you can give# an explicit unit number, such as tun0.# On Windows, use dev-node for this.# On most systems, the VPN will not function#

28、 unless you partially or fully disable# the firewall for the TUN/TAP interface.;dev tapdev tun(使用tap，vpn里面就可以传输广播报文使用tun，vpn里面没有非IP报文了)# Windows needs the TAP-Win32 adapter name# from the Network Connections panel if you# have more than one. On XP SP2 or higher,# you may need to selectively disable

29、the# Windows firewall for the TAP adapter.# Non-Windows systems usually dont need this.;dev-node MyTap# SSL/TLS root certificate (ca), certificate# (cert), and private key (key). Each client# and the server must have their own cert and# key file. The server and all clients will# use the same ca file

30、.# See the easy-rsa directory for a series# of scripts for generating RSA certificates# and private keys. Remember to use# a unique Common Name for the server# and each of the client certificates.# Any X509 key management system can be used.# OpenVPN can also use a PKCS #12 formatted key file# (see

31、pkcs12 directive in man page).ca /etc/openvpn/ca.crtcert /etc/openvpn/server001.crt注意此处的文件名字要与在./build-key-server时输入的名字一致key /etc/openvpn/server001.key 注意此处把文件的存放的绝对路径写上# Diffie hellman parameters.# Generate your own with:# openssl dhparam -out dh1024.pem 1024# Substitute 2048 for 1024 if you are us

32、ing# 2048 bit keys. dh /etc/openvpn /dh1024.pem# Configure server mode and supply a VPN subnet# for OpenVPN to draw client addresses from.# The server will take 10.8.0.1 for itself,# the rest will be made available to clients.# Each client will be able to reach the server# on 10.8.0.1. Comment this

33、line out if you are# ethernet bridging. See the man page for more info.server 172.16.0.0 255.255.255.0（此处是VPN地址池的范围）# Maintain a record of client virtual IP address# associations in this file. If OpenVPN goes down or# is restarted, reconnecting clients can be assigned# the same virtual IP address fr

34、om the pool that was# previously assigned.ifconfig-pool-persist ipp.txt# Configure server mode for ethernet bridging.# You must first use your OSs bridging capability# to bridge the TAP interface with the ethernet# NIC interface. Then you must manually set the# IP/netmask on the bridge interface, he

35、re we# assume 10.8.0.4/255.255.255.0. Finally we# must set aside an IP range in this subnet# (start=10.8.0.50 end=10.8.0.100) to allocate# to connecting clients. Leave this line commented# out unless you are ethernet bridging.;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100# Push routes to

36、 the client to allow it# to reach other private subnets behind# the server. Remember that these# private subnets will also need# to know to route the OpenVPN client# address pool (10.8.0.0/255.255.255.0)# back to the OpenVPN server.;push route 192.168.20.0 255.255.255.0# To assign specific IP addres

37、ses to specific# clients or if a connecting client has a private# subnet behind it that should also have VPN access,# use the subdirectory ccd for client-specific# configuration files (see man page for more info).# EXAMPLE: Suppose the client# having the certificate common name Thelonious# also has

38、a small subnet behind his connecting# machine, such as 192.168.40.128/255.255.255.248.# First, uncomment out these lines:client-config-dir ccd push”route 10.0.6.0 255.255.255.0”(#使vpn clients能访问vpn server内部网段计算机)route 192.168.0.0 255.255.255.0(此命令是让openvpn server访问客户端内网主机)# Then create a file ccd/Th

39、elonious with this line:# iroute 192.168.40.128 255.255.255.248# This will allow Thelonious private subnet to# access the VPN. This example will only work# if you are routing, not bridging, i.e. you are# using dev tun and server directives.# EXAMPLE: Suppose you want to give# Thelonious a fixed VPN

40、IP address of 10.9.0.1.# First uncomment out these lines:;client-config-dir ccd;route 10.9.0.0 255.255.255.252# Then add this line to ccd/Thelonious:# ifconfig-push 10.9.0.1 10.9.0.2# Suppose that you want to enable different# firewall access policies for different groups# of clients. There are two

41、methods:# (1) Run multiple OpenVPN daemons, one for each# group, and firewall the TUN/TAP interface# for each group/daemon appropriately.# (2) (Advanced) Create a script to dynamically# modify the firewall in response to access# from different clients. See man# page for more info on learn-address sc

42、ript.;learn-address ./script# If enabled, this directive will configure# all clients to redirect their default# network gateway through the VPN, causing# all IP traffic such as web browsing and# and DNS lookups to go through the VPN# (The OpenVPN server machine may need to NAT# the TUN/TAP interface

43、 to the internet in# order for this to work properly).# CAVEAT: May break clients network config if# clients local DHCP server packets get routed# through the tunnel. Solution: make sure# clients local DHCP server is reachable via# a more specific route than the default route# of 0.0.0.0/0.0.0.0.;pu

44、sh redirect-gateway# Certain Windows-specific network settings# can be pushed to clients, such as DNS# or WINS server addresses. CAVEAT:# http:/ dhcp-option DNS 10.8.0.1;push dhcp-option WINS 10.8.0.1# Uncomment this directive to allow different# clients to be able to see each other.# By default, cl

45、ients will only see the server.# To force clients to only see the server, you# will also need to appropriately firewall the# servers TUN/TAP interface.client-to-client #使vpn clients相互之间可以访问# Uncomment this directive if multiple clients# might connect with the same certificate/key# files or common na

46、mes. This is recommended# only for testing purposes. For production use,# each client should have its own certificate/key# pair.# IF YOU HAVE NOT GENERATED INDIVIDUAL# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,# EACH HAVING ITS OWN UNIQUE COMMON NAME,# UNCOMMENT THIS LINE OUT.;duplicate-cn# The keepalive directive causes