» 首页 > 服务器维护与开发笔记
http://www.XiaoHui.com 日期: 2007-05-13 13:00
Linux 下 OpenVPN 安装和 Windows OpenVPN GUI 安装笔记
http://www.XiaoHui.com 日期: 2007-05-13 13:00
基于伟大的 GFW 越来越牛B,网站的正常维护如 FTP、pop & smtp 的邮件收发、在 google 查技术资料,都经常被 GFW 强行断开。为了解决这个问题,于是我在自己的国外主机上安装了一个 OpenVPN,当时记录了一下安装的经过。
今天正好又有一个朋友问及 OpenVPN 安装的事情,于是我重新整理一下这篇Linux 下 OpenVPN 安装和 Windows OpenVPN GUI 安装笔记(http://www.xiaohui.com/dev/server/20070514-install-openvpn.htm), 希望对大家有所帮助。
当时在安装 OpenVPN 的时候,得到了 WenZK 的指导帮助。在此表示感谢。
一. OpenVPN 安装环境
-
Server 端的环境
- redhat, kernel版本: 2.4.20-31.9, IP 为 70.8.7.6
- kernel 需要支持 tun 设备, 需要加载 iptables 模块.
检查 tun 是否安装:
代码:root@a [/]# modinfo tun filename: /lib/modules/2.4.20-31.9/kernel/drivers/net/tun.o description:
如果没有 modinfo 命令, 直接找一下, 看看 kernel 里是否有 tun.o 文件:author: license: "GPL"
代码:find -name tun.o ./lib/modules/2.4.20/kernel/drivers/net/tun.o
检查iptables 模块, 查看是否有下列文件:
/etc/init.d/iptables - 安装的 OpenVPN 的版本: 2.0.5. 现在似乎已经有一个更新的版本了. 可在http://openvpn.net 上下载.
- Client 端的环境:
- Windows XP PRO SP2
- OpenVPN GUI For windows 1.0.3 , 可在 openvpn.se 下载
注意: OpenVPN GUI for windows 的版本要和 OpenVPN Server 的版本配套.
例如, 服务器装的是 OpenVPN 2.0.5, 那么下载的 OpenVPN GUI fow windows 应该是: openvpn-2.0.5-gui-1.0.3-install.exe
OpenVPN GUI的所有历史版本: http://openvpn.se/files/install_packages/
二. OpenVPN 服务端安装过程
http://www.xiaohui.com/dev/server/20070514-install-openvpn.htm- 用 SecureCRT 登录到 host, 进入根目录
代码:
cd /
- 下载 LZO,解压到lzo-2.02.
地址: http://www.oberhumer.com/opensource/lzo/download/ 代码:
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.02.tar.gz
- 下载 OpenVPN, 解压到openvpn-2.0.5
地址: http://openvpn.net/download.html 代码:
wget http://openvpn.net/release/openvpn-2.0.5.tar.gz
- 安装 LZO
代码:
cd /lzo-2.02 ./configure make make check make install
- 安装 OpenVPN
代码:
cd /openvpn-2.0.5 ./configure # 或用指定dir: (注:下述命令, 应该在一行写完. 为了方便显示, 这里分成了四行) # ./configure --with-lzo-headers=/usr/local/include # --with-lzo-lib=/usr/local/lib # --with-ssl-headers=/usr/local/include/openssl # --with-ssl-lib=/usr/local/lib make make install
- 生成证书Key
初始化 PKI
(如果没有 export 命令也可以用 setenv [name] [value] 命令)
代码:
cd /openvpn-2.0.5/easy-rsa export D=`pwd` export KEY_CONFIG=$D/openssl.cnf export KEY_DIR=$D/keys export KEY_SIZE=1024 export KEY_COUNTRY=CN export KEY_PROVINCE=GD export KEY_CITY=SZ export KEY_ORG="dvdmaster" export KEY_EMAIL="support@cooldvd.com"
Build:代码:
./clean-all ./build-ca Generating a 1024 bit RSA private key ................++++++ ........++++++ writing new private key to 'ca.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [GD]: Locality Name (eg, city) [SZ]: Organization Name (eg, company) [dvdmaster]: Organizational Unit Name (eg, section) []:dvdmaster Common Name (eg, your name or your server's hostname) []:server Email Address [support@cooldvd.com]:
# 建立 server key 代码: 代码:./build-key-server server Generating a 1024 bit RSA private key ......++++++ ....................++++++ writing new private key to 'server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [GD]: Locality Name (eg, city) [SZ]: Organization Name (eg, company) [dvdmaster]: Organizational Unit Name (eg, section) []:dvdmaster Common Name (eg, your name or your server's hostname) []:server Email Address [support@cooldvd.com]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:abcd1234 An optional company name []:dvdmaster Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'GD' localityName :PRINTABLE:'SZ' organizationName :PRINTABLE:'dvdmaster' organizationalUnitName:PRINTABLE:'dvdmaster' commonName :PRINTABLE:'server' emailAddress :IA5STRING:'support@cooldvd.com' Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
#生成客户端 key
代码:
./build-key client1 Generating a 1024 bit RSA private key .....++++++ ......++++++ writing new private key to 'client1.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [GD]: Locality Name (eg, city) [SZ]: Organization Name (eg, company) [dvdmaster]: Organizational Unit Name (eg, section) []:dvdmaster Common Name (eg, your name or your server's hostname) []:client1 #重要: 每个不同的 client 生成的证书, 名字必须不同. Email Address [support@cooldvd.com]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:abcd1234 An optional company name []:dvdmaster Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'GD' localityName :PRINTABLE:'SZ' organizationName :PRINTABLE:'dvdmaster' organizationalUnitName:PRINTABLE:'dvdmaster' commonName :PRINTABLE:'client1' emailAddress :IA5STRING:'support@cooldvd.com' Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
依次类推生成其他客户端证书/key
代码:
./build-key client2 ./build-key client3
注意在进入 Common Name (eg, your name or your server's hostname) []: 的输入时, 每个证书输入的名字必须不同. - build:
代码:
./build-dh
- 将 keys 下的所有文件打包下载到本地
代码:
tar -cf mykeys.tar /openvpn-2.0.5/easy-rsa/keys cp mykeys.tar /home/dvdmastersys/public_html/mykeys.tar
将 mykeys.tar 移到 web public(绝对路径因人而异) 上, 然后用 http://www.a.com/mykeys.tar 方式将其下载到本地保存, 然后将其从server删除: 代码:rm /home/dvdmastersys/public_html/mykeys.tar
也可以用其他方法把 key file搞到本地,例如 ftp. - 创建服务端配置文件
从样例文件创建:
代码:
cd $dir/sample-config-files/ # 进入源代码解压目录下的sample-config-files子目录 cp server.conf /usr/local/etc # cp服务器配置文件到/usr/local/etc vi /usr/local/etc/server.conf
我建立的server.conf 的内容稍后另附. - 创建客户端配置文件
代码:
cd $dir/sample-config-files/ #进入源代码解压目录下的sample-config-files子目录 cp client.conf /usr/local/etc #cp客户端配置文件到/usr/local/etc vi /usr/local/etc/client.conf
我建立的client.conf 的内容稍后另附. - 启动Openvpn: openvpn [server config file]
代码:
/usr/local/sbin/openvpn --config /usr/local/etc/server.conf
三. OpenVPN GUI For Windows 客户端安装过程
- 安装 OpenVPN GUI For Windows, 到 http://openvpn.se 下载. 目前的版本是 1.0.3. 注意: OpenVPN GUI 的版本要和 OpenVPN Server 的版本配套. 详见第一节一. 安装环境中的说明.
- 依屏幕指示安装openvpn gui.
- 配置 openvpn gui
安装结束后, 进入安装文件夹下的 config 目录, 然后将上面第 10 步建立的 client.conf 文件从 server 上下载到此文件夹, 并更名为 client.ovpn
同时, 将第8 步打包的 mykeys.tar 中的下列证书文件解压到此文件夹:
代码:
ca.crt ca.key client1.crt client1.csr client1.key
然后双击 client.ovpn 即可启动 openvpn, 或者通过 OpenVPN GUI 的控制启动 VPN.如果双击 client.ovpn 没有反应, 则在任务栏点 OpenVPN GUI 的小图标右键, 选择 edit config, 将内容复制过去再保存. 然后再点右键中的 connect即可.
如果需要第二台机器上使用 vpn , 进行同样的配置, 只需要将 client1.crt, client1.csr, client1.key 换成对应的 client2.xxx 即可, 然后将 client.ovpn 中的对应key文件值改掉.
四. OpenVPN 配置样例文件
- OpenVPN 服务端:server.conf
代码:
local 70.8.7.6 port 1194 proto udp dev tun ca /openvpn-2.0.5/easy-rsa/keys/ca.crt cert /openvpn-2.0.5/easy-rsa/keys/server.crt key /openvpn-2.0.5/easy-rsa/keys/server.key # This file should be kept secret dh /openvpn-2.0.5/easy-rsa/keys/dh1024.pem server 10.8.0.0 255.255.255.0 client-to-client keepalive 10 120 comp-lzo persist-key persist-tun status /openvpn-2.0.5/easy-rsa/keys/openvpn-status.log verb 4 push "dhcp-option DNS 10.8.0.1" push "dhcp-option DNS 70.88.98.10" # name server 地址, 如何获取见随后说明 push "dhcp-option DNS 70.88.99.11" # name server 地址, 如何获取见随后说明
说明: 有些 domain 被 GFW 封掉了, 这时, 如果要访问这些网站, 应该将 server 上的 dns push 到 client. 上面示例中的 dns ip: 70.88.98.10, 70.88.99.10, 可以在 /etc/resolv.conf 中找到: 代码:vi /etc/resolv.conf nameserver 70.88.98.10 nameserver 70.88.99.11
- OpenVPN 客户端: client.ovpn
代码:
client dev tun proto udp remote 70.8.7.6 1194 persist-key persist-tun ca ca.crt cert client1.crt key client1.key ns-cert-type server comp-lzo verb 3 redirect-gateway def1
五. OpenVPN 访问外网的设置
- 打开路由
VPN连接成功后, 还需要设置路由, 才能透过VPN访问Internet. 在 linux host 上添加路由:
代码:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 70.8.7.6 /etc/init.d/iptables save /etc/init.d/iptables restart
不同的机器,-o eth0 参数可能不一样,具体可输入 ifconfig 查看,搞清 ip(70.8.7.6)所在的网卡号.同时, 需要将 ip forward 打开. 不要用 echo 1 > /proc/sys/net/ipv4/ip_forward 的方式, 这种方式重启后无效. 先查看一下:
代码:
sysctl -a | grep for #查看结果: net.ipv4.conf.tun0.mc_forwarding = 0 net.ipv4.conf.tun0.forwarding = 1 net.ipv4.conf.eth0.mc_forwarding = 0 net.ipv4.conf.eth0.forwarding = 1 net.ipv4.conf.lo.mc_forwarding = 0 net.ipv4.conf.lo.forwarding = 1 net.ipv4.conf.default.mc_forwarding = 0 net.ipv4.conf.default.forwarding = 1 net.ipv4.conf.all.mc_forwarding = 0 net.ipv4.conf.all.forwarding = 1 net.ipv4.ip_forward = 1
如果你的主机上列数值不是为1, 则要将其改成1, 例如:代码:
sysctl -w net.ipv4.ip_forward=1
依此类推. - 开启域名服务器
如果你需要访问一些已经被GFW封掉了域名的网站, 但你的 OpenVPN 服务器没有被封的话,那么你需要在你的主机上开启 name server, 并将 dns push 给 client。 一般的独立主机, 都带有 private dns server.
代码:
rpm -qa | grep bind /etc/init.d/named start
另外, 必须保证 server.conf 配置中, 有这三个配置:代码:
push "dhcp-option DNS 10.8.0.1" push "dhcp-option DNS 70.88.98.10" # name server 地址 push "dhcp-option DNS 70.88.99.11" # name server 地址
当 client 连接成功后, 在 cmd 下执行 ipconfig /all, 应该有这类似这样的输出:代码:
Ethernet adapter Local Area Connection 3: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : TAP-Win32 Adapter V8 Physical Address. . . . . . . . . : 00-FF-AA-B0-60-2B Dhcp Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes IP Address. . . . . . . . . . . . : 10.8.0.6 Subnet Mask . . . . . . . . . . . : 255.255.255.252 Default Gateway . . . . . . . . . : 10.8.0.5 DHCP Server . . . . . . . . . . . : 10.8.0.5 DNS Servers . . . . . . . . . . . : 10.8.0.1 70.88.98.10 70.88.99.11 Lease Obtained. . . . . . . . . . : 2006年5月25日 5:13:52 Lease Expires . . . . . . . . . . : 2007年5月25日 5:13:52
六. 设置 OpenVPN 服务器 reboot后自动启动 openvpn
执行命令:代码:
vi /etc/rc.local然后在最后面加入此行:
代码:
/usr/local/sbin/openvpn --config /usr/local/etc/server.conf > /dev/null 2>&1 &
七. OpenVPN 测试
你可以用 VPN 登录上去之后, 测试 MSN, QQ, IE 等网络应用, 也可以尝试访问一些被 GFW 禁掉的网站, 当然, 前提是你的 VPN 服务器不在境内.
八. 使用 OpenVPN 的强烈注意事项
不建议用 VPN 登录 paypal 帐户和 google adsense 帐户. 否则有可能导致帐户受限或带来其他风险.相关文章: