Install OpenVPN on CentOS 5.9

    Required dependency packages

    yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel

    Install the LZO RPM

    cd /usr/src/redhat/SRPMS/
    wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm
    rpmbuild --rebuild lzo-1.08-4.rf.src.rpm 
    rpm -ivh /usr/src/redhat/RPMS/i386/lzo-*.rpm

    Install the RPMForge repository and the OpenVPN RPM

    RPMForge:

    wget http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.5.3-1.el5.rf.i386.rpm
    rpm -ivh rpmforge-release-0.5.3-1.el5.rf.i386.rpm
    yum install openvpn 

    OpenVPN configuration

    Edit /etc/openvpn/easy-rsa/2.0/vars

    export KEY_CONFIG="/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf"
    

    Create the CA

    cd /etc/openvpn/easy-rsa/2.0/
    chmod 0755 *
    mkdir keys/
    source ./vars
    ./clean-all
    
    ./build-ca

    Create the server key

    ./build-key-server myovpn.com
    
    Common Name: myovpn.com

    NOTE:

    myovpn.com is the domain name of the OpenVPN server; if you have not registered one, you can use server instead.

    Besides creating the server certificate, this command also has it signed by the CA.

    Create the DH parameters

    ./build-dh

    Create the OpenVPN configuration file server.conf

    /etc/openvpn/server.conf

    port 1194 #- port
    proto udp #- protocol
    dev tun
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    reneg-sec 0
    ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
    cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
    key /etc/openvpn/easy-rsa/2.0/keys/server.key
    dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
    plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS
    #plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS
    client-cert-not-required
    username-as-common-name
    server 10.0.0.0 255.255.255.0
    push "redirect-gateway def1"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    keepalive 5 30
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3

    TIPs:

    The plugin directive makes connecting clients authenticate with system accounts.

    Start the OpenVPN service

    service openvpn start
    chkconfig openvpn on 

    Client configuration

    Client software download: http://openvpn.net/index.php/downloa...downloads.html
    File name: openvpn-install-2.3.2-I002-x86_64.exe

    Client connection profile WIN-TCP-16833.ovpn:

    client
    dev tun
    proto tcp
    remote 123.123.123.123 1194 # - Your server IP and OpenVPN Port
    resolv-retry infinite
    nobind
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    persist-key
    persist-tun
    ca your_ca.crt
    auth-user-pass
    comp-lzo
    reneg-sec 0
    verb 3

    TIPs:

    remote <OpenVPN server IP>

    ca <name of the CA certificate file>
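    Before rolling out, it is worth checking the server.conf above against this client profile. The following Python script is an added example, not part of this guide: it lints constructed excerpts of the two configs for the udp/tcp proto mismatch, for cert/key paths that do not match the name given to ./build-key-server (which writes keys/NAME.crt and keys/NAME.key), and for the weaker settings the guide uses (client-cert-not-required, reneg-sec 0, comp-lzo, 1024-bit DH). The config strings, the built_name argument and the wording of the findings are the example's own.

```python
# Added example (not from this guide): lint a server.conf / client .ovpn pair.
# The two strings are constructed excerpts of the guide's configs.
import os
import re

SERVER_CONF = """proto udp
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
client-cert-not-required
reneg-sec 0
comp-lzo
"""
CLIENT_OVPN = """client
proto tcp
remote 123.123.123.123 1194  # - Your server IP and OpenVPN Port
auth-user-pass
comp-lzo
reneg-sec 0
"""

def parse(text):
    # Map each directive to its argument list, dropping '#' comments and blanks.
    conf = {}
    for line in text.splitlines():
        words = re.sub(r"#.*", "", line).split()
        if words:
            conf.setdefault(words[0], words[1:])
    return conf

def lint(server_text, client_text, built_name):
    # built_name is the argument given to ./build-key-server (e.g. myovpn.com).
    s, c, out = parse(server_text), parse(client_text), []
    sp, cp = s.get("proto", ["udp"])[0], c.get("proto", ["udp"])[0]
    if sp != cp:  # OpenVPN defaults to udp when proto is absent
        out.append(f"proto mismatch: server {sp}, client {cp}")
    # easy-rsa 2.0 build-key-server NAME writes keys/NAME.crt and keys/NAME.key
    for d, ext in (("cert", "crt"), ("key", "key")):
        if os.path.basename(s[d][0]) != f"{built_name}.{ext}":
            out.append(f"{d} {s[d][0]} but build-key-server wrote {built_name}.{ext}")
    if "client-cert-not-required" in s:
        out.append("client-cert-not-required: clients authenticate by password only")
    if s.get("reneg-sec", ["3600"])[0] == "0":
        out.append("reneg-sec 0: data-channel keys are never renegotiated")
    if "comp-lzo" in s or "comp-lzo" in c:
        out.append("comp-lzo: compressing VPN traffic is discouraged in current guidance")
    m = re.search(r"dh(\d+)", os.path.basename(s["dh"][0]))
    if m and int(m.group(1)) < 2048:
        out.append(f"dh: {m.group(1)}-bit DH parameters are below the 2048-bit baseline")
    return out
```

    Calling lint(SERVER_CONF, CLIENT_OVPN, "myovpn.com") reports seven findings for the guide's configs, starting with the udp/tcp mismatch; passing "server" as built_name instead clears the two cert/key findings.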

    Set up the default gateway route (optional)

    If you want clients to reach the Internet through the OpenVPN server, complete the following settings.

    Edit /etc/sysctl.conf

    net.ipv4.ip_forward = 1
    

    Apply the settings

    sysctl -p 

    Configure NAT

    /sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
    /sbin/iptables-save > /etc/sysconfig/iptables
    
    service iptables stop
    service iptables start
    
    chkconfig iptables on

    Q & A

    Q: Running ./build-ca prints the following message

      Please edit the vars script to reflect your configuration,
      then source it with "source ./vars".
      Next, to start with a fresh PKI configuration and to delete any
      previous certificates and keys, run "./clean-all".
      Finally, you can run this tool (pkitool) to build certificates/keys.

    A: Check whether the /etc/openvpn/easy-rsa/2.0/keys directory exists; if it does not, create it manually.
