
Installing OpenVPN on CentOS

 
OpenVPN is a good tool.

Install the EPEL repository
rpm -ivh http://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm

Install
yum install openvpn easy-rsa


Configuration

cd /etc/openvpn
cp -rv /usr/share/easy-rsa/ ./

vi /etc/openvpn/easy-rsa/2.0/vars
source vars  
./clean-all  
./build-ca  
./build-key-server server 
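./build-key client   # produces client.crt / client.key, the file names used below
./build-dh   # generate the dh2048.pem Diffie-Hellman parameters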




#vi /etc/openvpn/easy-rsa/2.0/vars
Edit the following variables
export KEY_COUNTRY="CN"
export KEY_PROVINCE="bj"
export KEY_CITY="bj"
export KEY_ORG="someorg"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"

# Apply the variables
source vars  


#./build-key-server server 

./build-key-server server
Generating a 2048 bit RSA private key
.....+++
......................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [bj]:
Locality Name (eg, city) [bj]:
Organization Name (eg, company) [someorg]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'bj'
localityName          :PRINTABLE:'bj'
organizationName      :PRINTABLE:'someorg'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Mar 27 06:38:24 2026 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


Add the server configuration
cp /usr/share/doc/openvpn-2.3.10/sample/sample-config-files/server.conf  /etc/openvpn

# Change server.conf to the following
port 443 # use port 443 (HTTPS) so that the port is not blocked by firewalls
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key  
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
server 172.16.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
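
An added example (not part of the original post): a shell check that flags hardening gaps in the server.conf above, such as the missing tls-auth and cipher lines and the enabled comp-lzo. The function names and finding labels are hypothetical, and the defaults it assumes are those of OpenVPN 2.3.

```shell
#!/bin/sh
# Added example: flag hardening gaps in an OpenVPN 2.3 server.conf.
# Function names and finding labels are hypothetical, not part of OpenVPN.

# Active directives only: strip comments (# or ;), blank lines, edge whitespace.
# Simplification: a '#' or ';' inside a quoted argument also ends the line.
active_directives() {
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -v '^$'
}

# has NAME: true if an active directive line begins with NAME as a whole word.
has() { printf '%s\n' "$directives" | grep -Eq "^$1([[:space:]]|\$)"; }

finding() { echo "$1"; rc=1; }

# audit_openvpn_conf FILE: print one finding per line, return 1 if any.
audit_openvpn_conf() {
    directives=$(active_directives "$1")
    rc=0
    # Without an HMAC key, unauthenticated hosts can start TLS handshakes.
    has tls-auth || has tls-crypt ||
        finding "NO_TLS_AUTH: control channel has no tls-auth key"
    # OpenVPN 2.3 uses BF-CBC (64-bit block) when no cipher is configured.
    has cipher || finding "DEFAULT_CIPHER: no explicit cipher such as AES-256-CBC"
    has tls-version-min || finding "NO_TLS_VERSION_MIN: old TLS versions accepted"
    # Compressing before encrypting leaks plaintext via packet length (VORACLE).
    if has comp-lzo && ! has 'comp-lzo[[:space:]]+no'; then
        finding "COMPRESSION: comp-lzo is enabled"
    fi
    # Client-to-client traffic is forwarded inside OpenVPN, past host firewall rules.
    if has client-to-client; then
        finding "CLIENT_TO_CLIENT: clients can reach each other unfiltered"
    fi
    return "$rc"
}

# Usage: sh audit.sh /etc/openvpn/server.conf
# With no argument, audit an excerpt of the server.conf from this post.
if [ "$#" -gt 0 ]; then
    audit_openvpn_conf "$1"
else
    tmp=$(mktemp)
    printf '%s\n' 'port 443' 'proto tcp' 'dev tun' 'client-to-client' \
        'keepalive 10 120' 'comp-lzo' 'verb 3' >"$tmp"
    audit_openvpn_conf "$tmp" || true
    rm -f "$tmp"
fi
```

Run against the configuration in this post it reports all five findings; the client's client.ovpn must be changed to match any tls-auth, cipher or compression setting altered on the server.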


Start
/usr/sbin/openvpn  --config /etc/openvpn/server.conf &


Package the three certificate files and download them to the local machine
ca.crt
client.crt
client.key
 zip client.zip ca.crt client.crt client.key


Client configuration file
#client.ovpn
client
dev tun
proto tcp
remote remoteserver 443 # server IP
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
comp-lzo
verb 3


Install the OpenVPN client on the client machine
http://openvpn.ustc.edu.cn/
Installer (32-bit), Windows XP openvpn-install-2.3.10-I001-i686.exe
Installer (64-bit), Windows XP openvpn-install-2.3.10-I001-x86_64.exe
Installer (32-bit), Windows Vista and later openvpn-install-2.3.10-I601-i686.exe
Installer (64-bit), Windows Vista and later openvpn-install-2.3.10-I601-x86_64.exe

Put the certificates and the configuration file in the OpenVPN\config folder
ca.crt
client.crt
client.key
client.ovpn

Then open the VPN connection.