However, OpenVPN has one fatal drawback: most mobile devices do not support it, and using it on a computer requires installing a complicated client.
There are many tutorials online, but most either do not suit a VPS or are incomplete, so I am writing down my own installation experience for future reference.
OpenVPN needs TUN support, which most VPS providers leave disabled by default. You can check with this command:
cat /dev/net/tun
If it returns: cat: /dev/net/tun: File descriptor in bad state, TUN is available.
If you want clients to reach the Internet after connecting to OpenVPN, you also need the iptables NAT module. Check it with this command:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
If it returns: iptables: Unknown error 4294967295, NAT is available; otherwise open a ticket and ask the VPS provider to enable it.
You can simply open a ticket with support, tell them you want to use OpenVPN, and ask them to enable tun/tap:
Can you help me enable tun/tap?
I want to run openvpn, need tun/tap support.
Before long, support replied:
This has been added to your container. Have a good day.
With the environment ready, we can start installing OpenVPN. Most online tutorials build it from source, but I find that hard to upgrade and maintain later, so here we install it with yum.
By default the CentOS yum repositories do not carry OpenVPN, so first install EPEL with this command:
rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm
Once that succeeds OpenVPN is available from yum, so just run:
yum -y install openvpn
This is where installing with yum pays off: OpenVPN needs lzo support, for example, and yum checks the system during installation and pulls in any missing components automatically.
Let's find out where it was installed, using the command: locate easy-rsa
It turns out to be here: /usr/share/openvpn/easy-rsa, which should be the same for everyone.
Copy the easy-rsa folder out with this command:
cp -R /usr/share/openvpn/easy-rsa /etc/openvpn/
Then run
cd /etc/openvpn/easy-rsa/2.0
to enter it and generate the certificates OpenVPN needs. Use
vi vars
to edit the environment variables; this requires knowing the vi editor, so look it up if you do not know it.
Change the last few lines to match your situation:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="GD"
export KEY_CITY="GZ"
export KEY_ORG="TELENAMEORG"
export KEY_EMAIL="webmaster@domains.com"
After saving, run:
. vars
./clean-all
Next run
./build-ca server
to create the certificate authority.
Generating a 1024 bit RSA private key
........................++++++
....++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:[Enter]
State or Province Name (full name) [GD]:[Enter]
Locality Name (eg, city) [GZ]:[Enter]
Organization Name (eg, company) [Black-Xstar Net Empire]:[Enter]
Organizational Unit Name (eg, section) []:[Enter]
Common Name (eg, your name or your server's hostname) [Black-Xstar Net Empire CA]:[Enter]
Name []:[Enter]
Email Address [webmaster@black-xstar.com]:[Enter]
After creating the CA, generate the server certificate by entering
./build-key-server server
Generating a 1024 bit RSA private key
...++++++
...............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:[Enter]
State or Province Name (full name) [GD]:[Enter]
Locality Name (eg, city) [GZ]:[Enter]
Organization Name (eg, company) [Black-Xstar Net Empire]:[Enter]
Organizational Unit Name (eg, section) []:[Enter]
Common Name (eg, your name or your server's hostname) [server]:[Enter]
Name []:[Enter]
Email Address [webmaster@black-xstar.com]:[Enter]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[Enter]
An optional company name []:[Enter]
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GD'
localityName :PRINTABLE:'GZ'
organizationName :PRINTABLE:'Black-Xstar Net Empire'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'webmaster@black-xstar.com'
Certificate is to be certified until Nov 18 17:25:15 2019 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
The server certificate is done; now we generate a client certificate. In principle every OpenVPN user gets a separate certificate, so let's generate one to try it out.
Enter the command:
./build-key client1
Here client1 is the client name; the second client would be client2.
Generating a 1024 bit RSA private key
.......++++++
.........++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:[Enter]
State or Province Name (full name) [GD]:[Enter]
Locality Name (eg, city) [GZ]:[Enter]
Organization Name (eg, company) [Black-Xstar Net Empire]:[Enter]
Organizational Unit Name (eg, section) []:[Enter]
Common Name (eg, your name or your server's hostname) [client1]:[Enter]
Name []:[Enter]
Email Address [webmaster@black-xstar.com]:[Enter]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[Enter]
An optional company name []:[Enter]
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GD'
localityName :PRINTABLE:'GZ'
organizationName :PRINTABLE:'Black-Xstar Net Empire'
commonName :PRINTABLE:'client1'
emailAddress :IA5STRING:'webmaster@black-xstar.com'
Certificate is to be certified until Nov 18 17:31:21 2019 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Finally, generate the Diffie-Hellman parameters:
./build-dh
This takes a little while.
Next we configure OpenVPN. My configuration file is only a reference; adjust it to your situation.
First run
cd ../..
to go back up two levels to /etc/openvpn, then run vi server.conf to create a new configuration file and enter the following:
port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
The DNS server addresses can be replaced with your hosting provider's, or you can use OpenDNS as I do.
At this point OpenVPN is configured; next we set up Internet access for clients.
Enter
vi /etc/sysctl.conf
to start editing, find
net.ipv4.ip_forward = 0
and change it to
net.ipv4.ip_forward = 1
Save, then run
sysctl -p
Enter
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 1.2.3.4
to add the NAT rule; be sure to change 1.2.3.4 at the end to your VPS's IP address.
When that is done, use
/etc/init.d/iptables save
to save the iptables settings, then
/etc/init.d/iptables restart
to restart it.
To start OpenVPN at boot, use
vi /etc/rc.local
to edit the file and append at the end:
/usr/sbin/openvpn --config /etc/openvpn/server.conf &
That completes the work on the server. Enter
openvpn --config /etc/openvpn/server.conf &
to start it.
Unlike PPTP, OpenVPN requires a client to be installed. Download the latest Windows Installer from http://www.openvpn.net/index.php/open-source/downloads.html and install it.
Then, from the keys folder copied down from the server, take the three files ca.crt, client1.crt and client1.key and put them in C:\Program Files\OpenVPN\config.
In the same folder create a text file named "client1.ovpn" with the following content:
client
dev tun
proto tcp
# The hostname/IP and port of the server.
# CHANGE THIS TO YOUR VPS IP ADDRESS
remote 208.110.73.134 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
Change 208.110.73.134 to your VPS's IP address.
Find OpenVPN GUI in the Start menu and run it; on Vista and Win7 it must be run as administrator. Click Connect, wait a moment, and... did it connect?!
Once connected, the OpenVPN GUI icon in the system tray turns from red to green.
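Before putting the two files into use, it is worth checking them against each other and against a few hardening baselines. The audit below is an added example, not code from the original post or from the OpenVPN project; it parses abridged, constructed copies of the server.conf and client1.ovpn above (a documentation address, 198.51.100.10, stands in for the VPS IP) and reports client/server mismatches plus the weak points of this particular configuration (1024-bit DH, no tls-auth, daemon left running as root):

```python
import re
import shlex
# Constructed, abridged copies of the server.conf and client1.ovpn shown in the post.
SERVER_CONF = (
    "port 1194\nproto tcp\ndev tun\n"
    "ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt\ncert /etc/openvpn/easy-rsa/2.0/keys/server.crt\n"
    "key /etc/openvpn/easy-rsa/2.0/keys/server.key\ndh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem\n"
    "server 10.8.0.0 255.255.255.0\npush \"redirect-gateway def1\"\n"
    "push \"dhcp-option DNS 208.67.222.222\"\nclient-to-client\nkeepalive 10 120\n"
    "comp-lzo\npersist-key\npersist-tun\nverb 3\n"
)
CLIENT_OVPN = (  # 198.51.100.10 is a documentation address standing in for the VPS IP
    "client\ndev tun\nproto tcp\n# CHANGE THIS TO YOUR VPS IP ADDRESS\nremote 198.51.100.10 1194\n"
    "resolv-retry infinite\nnobind\npersist-key\npersist-tun\n"
    "ca ca.crt\ncert client1.crt\nkey client1.key\ncomp-lzo\nverb 3\n"
)

def parse(text):
    """Map each directive to its argument lists; shlex keeps push "..." whole and drops '#' comments."""
    conf = {}
    for line in text.splitlines():
        # OpenVPN also treats ';' as a comment marker, which shlex does not know about
        words = [] if line.lstrip().startswith(";") else shlex.split(line, comments=True)
        if words:
            conf.setdefault(words[0], []).append(words[1:])
    return conf

def first(conf, directive, default=None):
    """First argument of a directive, or default when it is absent or takes no arguments."""
    return conf[directive][0][0] if conf.get(directive) and conf[directive][0] else default

def audit(server_text, client_text):
    """Return findings: client/server mismatches first, then server-side hardening gaps."""
    s, c, out = parse(server_text), parse(client_text), []
    for d in ("proto", "dev"):  # both ends must agree on transport protocol and device type
        if first(s, d) != first(c, d):
            out.append(f"mismatch: {d} is {first(s, d)!r} on server, {first(c, d)!r} on client")
    remote = c.get("remote", [[""]])[0]  # remote <host> [port]; OpenVPN defaults the port to 1194
    if (remote[1] if len(remote) > 1 else "1194") != first(s, "port", "1194"):
        out.append("mismatch: client remote port differs from server listening port")
    if ("comp-lzo" in s) != ("comp-lzo" in c):  # compression must be enabled on both sides or neither
        out.append("mismatch: comp-lzo set on only one side")
    m = re.search(r"dh(\d+)\.pem$", first(s, "dh", ""))
    if m and int(m.group(1)) < 2048:
        out.append(f"weak: {m.group(1)}-bit DH parameters; generate 2048-bit or larger")
    if "tls-auth" not in s and "tls-crypt" not in s:
        out.append("gap: no tls-auth/tls-crypt, so the TLS control channel accepts packets from anyone")
    if "user" not in s or "group" not in s:
        out.append("gap: daemon keeps root privileges; add 'user nobody' and 'group nobody'")
    return out
```

Run `audit(SERVER_CONF, CLIENT_OVPN)` to see the three findings for the post's configuration; adding `tls-auth`, `user nobody`/`group nobody` and a 2048-bit dh file to server.conf clears them.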