Environment: server CentOS 6.2 64-bit, client Windows 7.

First enable IP forwarding:

sysctl -w net.ipv4.ip_forward=1

Before installing OpenVPN, install gcc gcc-c++ make openssl openssl-devel lzo lzo-devel. Once those packages are in place you can build OpenVPN (openvpn-2.2.2):

# tar zxvf openvpn-2.2.2.tar.gz
# cd openvpn-2.2.2
# ./configure --prefix=/usr/local/openvpn
# make
# make install
# mkdir /etc/openvpn
# cp sample-config-files/server.conf /etc/openvpn
# cp -r easy-rsa/ /usr/local/openvpn/

Next, create the CA:

# cd /usr/local/openvpn/easy-rsa/2.0
# source ./vars

If it complains that openssl.cnf cannot be found, rename openssl-1.0.0.cnf to openssl.cnf:

# mv openssl-1.0.0.cnf openssl.cnf
# ./clean-all

clean-all must only be run the first time; never run it again afterwards, or it will wipe your CA. Use it again only if you actually want to rebuild the CA.

Now build the CA, filling in the information as prompted:

# ./build-ca

Generate the server key and certificate, again filling in the prompts:

# ./build-key-server openvpn

Generate the DH parameters:

# ./build-dh

Copy the generated ca.crt, openvpn.key, openvpn.crt and dh1024.pem into /etc/openvpn:

# cp keys/{ca.crt,openvpn.key,openvpn.crt,dh1024.pem} /etc/openvpn

Edit /etc/openvpn/server.conf (the file copied from sample-config-files above; the bridge script below starts OpenVPN with --cd /etc/openvpn --config server.conf):

port 1194
proto udp
dev tap
ca ca.crt
cert openvpn.crt
key openvpn.key
dh dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge bridge-ip netmask ip-start ip-end
# bridge-ip is the address the bridge will have; ip-start is the first address handed out to VPN clients and ip-end the last.
# If a DHCP server on the LAN hands out the addresses instead, give server-bridge no parameters at all.
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

Creating the bridge: the OpenVPN tarball ships two scripts for creating and tearing down the bridge, bridge-start and bridge-stop, in the sample-scripts directory. In my experience they have a flaw: the script first creates a tap0 device and adds it, together with the eth device, to a bridge, but when OpenVPN starts it creates another tap device of its own, and that one is not in the bridge, so clients cannot get their packets routed. You can add that device to the bridge by hand:

brctl addif br0 tap1
ifconfig tap1 0.0.0.0 promisc up

That works, but it is a bit of a hassle, so I modified the script:

#!/bin/sh
#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth1"
eth_ip="10.1.1.1"
eth_netmask="255.255.255.0"
eth_broadcast="10.1.1.255"

# Start OpenVPN first; with "dev tap" in server.conf it creates the tap
# device itself, and that is the device we add to the bridge below.
/usr/local/openvpn/sbin/openvpn --cd /etc/openvpn --config server.conf --daemon

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

I removed the part that creates the tap device and added the command that starts OpenVPN, so the script simply uses the tap device OpenVPN creates at startup. With that, bridge-start creates the bridge, starts OpenVPN, and adds the eth and tap devices to the bridge.

Next we generate a key for the client, filling in the prompts:

./build-key client1

Client configuration file client1.ovpn:

client
dev tap
proto udp
remote 192.168.1.113 1194
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3

Package client1.crt, client1.key, ca.crt and client1.ovpn and hand them to the user.

Start OpenVPN:

./bridge-start

Stop OpenVPN:

killall openvpn
bridge-stop

Creating a key for every new client means typing in a lot of information each time, which is tedious, so I automated it with a script. I am posting it here in the hope that it gives others a starting point.

expect_cert:

#!/usr/bin/expect
# usage: expect_cert <user> <email>
# Drives build-key through its interactive prompts; the defaults from vars
# are accepted wherever an empty line is sent.
set user [lindex $argv 0]
set email [lindex $argv 1]
spawn /usr/local/openvpn/easy-rsa/2.0/build-key $user
expect "Country Name"
send "CN\n"
expect "State or Province"
send "BeiJing\n"
expect "Locality"
send "BeiJing\n"
expect "Organization Name"
send "Samsun\n"
expect "Unit Name"
send "IT\n"
expect "Common Name"
send "\n"
expect "Name []"
send "\n"
expect "Email"
send "$email\n"
expect "challenge"
send "\n"
expect "company name"
send "\n"
expect "Sign the certificate"
send "y\n"
expect "requests certified"
send "y\n"
interact

create_cert:

#!/bin/bash
# usage: create_cert <user> <email>
if [ -z "$1" ] || [ -z "$2" ]; then
    echo "$(basename "$0") usage: ./$(basename "$0") user email"
    exit 25
fi

cert_path="/usr/local/openvpn/easy-rsa/2.0"
out="/home/openvpn_cert/$1"

source "$cert_path"/vars
# generate the client key and certificate non-interactively
/root/bin/expect_cert "$1" "$2"

mkdir -p "$out"

# write the client configuration file
cat > "$out/$1.ovpn" <<EOF
client
dev tap
proto udp
remote 192.168.1.113 1194
persist-key
persist-tun
ca ca.crt
cert $1.crt
key $1.key
ns-cert-type server
comp-lzo
verb 3
EOF

cp "$cert_path"/keys/{ca.crt,"$1".crt,"$1".key} "$out"

cd /home/openvpn_cert
tar zcf "$1.tar.gz" "$1"/
cp "$1.tar.gz" /var/ftp/pub

Please keep the permanent link when reposting: https://linuxeye.com/configuration/1073.html
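As an added example that is not part of the original post, here is a small POSIX shell check to run over the bundle that create_cert writes to /home/openvpn_cert/<user> before it is handed out; the directory layout and file names follow the post, while the function name verify_bundle and the checks themselves are my own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a client bundle
# laid out as <dir>/<user>/{ca.crt,<user>.crt,<user>.key,<user>.ovpn}.
# Returns 0 when everything checks out, 1 on the first failure (printed).
verify_bundle() {
    dir="$1"; user="$2"
    d="$dir/$user"
    for f in ca.crt "$user.crt" "$user.key" "$user.ovpn"; do
        [ -s "$d/$f" ] || { echo "missing or empty: $d/$f"; return 1; }
    done
    # 1. the client certificate must chain to our own CA, not some other one
    openssl verify -CAfile "$d/ca.crt" "$d/$user.crt" >/dev/null 2>&1 \
        || { echo "$user.crt is not signed by ca.crt"; return 1; }
    # 2. the private key must belong to the certificate (compare RSA moduli)
    cm=$(openssl x509 -noout -modulus -in "$d/$user.crt")
    km=$(openssl rsa  -noout -modulus -in "$d/$user.key")
    [ "$cm" = "$km" ] || { echo "key/cert mismatch for $user"; return 1; }
    # 3. the CN must be the user we think we issued to (catches a renamed
    #    or mixed-up certificate; works for both old "/CN=" and new "CN =")
    cn=$(openssl x509 -noout -subject -in "$d/$user.crt" \
         | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    [ "$cn" = "$user" ] || { echo "CN '$cn' != '$user'"; return 1; }
    # 4. the .ovpn must reference exactly these files, not a stale template
    grep -q "^cert $user.crt\$" "$d/$user.ovpn" \
        && grep -q "^key $user.key\$" "$d/$user.ovpn" \
        || { echo "$user.ovpn does not reference $user.crt/$user.key"; return 1; }
    # 5. the private key must not be readable by "other" on the server
    perms=$(stat -c %a "$d/$user.key" 2>/dev/null || stat -f %Lp "$d/$user.key")
    case "$perms" in
        *[1-7]) echo "$user.key is world-accessible (mode $perms)"; return 1;;
    esac
    echo "bundle for $user OK"
}
```

Run it after create_cert and before the tarball leaves the server; note that /var/ftp/pub is the anonymous FTP tree on a default CentOS vsftpd install, so anything copied there is readable without authentication.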