yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel
cd /usr/src/redhat/SRPMS/
wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm
rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
rpm -ivh /usr/src/redhat/RPMS/i386/lzo-*.rpm
RPMForge:
wget http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.5.3-1.el5.rf.i386.rpm
rpm -ivh rpmforge-release-0.5.3-1.el5.rf.i386.rpm
yum install openvpn
Edit /etc/openvpn/easy-rsa/2.0/vars
export KEY_CONFIG="/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf"
Create the CA
cd /etc/openvpn/easy-rsa/2.0/
chmod 0755 *
mkdir keys/
source ./vars
./clean-all
./build-ca
Create the server key
./build-key-server myovpn.com
Common Name: myovpn.com
NOTE:
myovpn.com is the OpenVPN server's domain name; if you have not registered one, use server instead.
Besides creating the server certificate, this command also has it signed by the CA.
Create the DH parameters
./build-dh
Create the OpenVPN config file server.conf
/etc/openvpn/server.conf
port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS
client-cert-not-required
username-as-common-name
server 10.0.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
TIPs:
The plugin directive authenticates connecting clients against the system's user accounts (through PAM).
Start the OpenVPN service
service openvpn start
chkconfig openvpn on
Client software download: http://openvpn.net/index.php/downloa...downloads.html
File name: openvpn-install-2.3.2-I002-x86_64.exe
Client connection config file WIN-TCP-16833.ovpn:
client
dev tun
proto udp # - must match the server's proto (udp in server.conf above)
remote 123.123.123.123 1194 # - Your server IP and OpenVPN Port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca your_ca.crt
auth-user-pass
comp-lzo
reneg-sec 0
verb 3
TIPs:
remote <OpenVPN server IP>
ca <CA certificate file name>
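As an added example (not part of the original tutorial), a POSIX shell script that compares a server.conf with a client .ovpn for the directives that must agree on both sides and lists the server settings a reviewer would revisit; both sample files are constructed inline from this tutorial's directives, with the client deliberately set to proto tcp so a mismatch is reported.

```shell
#!/bin/sh
# Added example, not from the original post: compare the tutorial's server.conf
# with the client .ovpn for settings that must agree, and list server settings a
# reviewer should revisit. Files are constructed inline; 'proto tcp' is deliberate.
SERVER_CONF=$(mktemp); CLIENT_CONF=$(mktemp); trap 'rm -f "$SERVER_CONF" "$CLIENT_CONF"' EXIT
cat > "$SERVER_CONF" <<'EOF'
port 1194 #- port
proto udp #- protocol
dev tun
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
client-cert-not-required
comp-lzo
EOF
cat > "$CLIENT_CONF" <<'EOF'
client
dev tun
proto tcp
remote 123.123.123.123 1194 # - Your server IP and OpenVPN Port
comp-lzo
EOF
# value FILE DIRECTIVE [FIELD]: FIELD (default 2) of the first matching line,
# '#' comments stripped; prints nothing when the directive is absent.
value() { sed 's/#.*//' "$1" | awk -v k="$2" -v f="${3:-2}" '$1 == k { print $f; exit }'; }
# has FILE DIRECTIVE: succeeds when the directive is present (flags take no value).
has() { grep -Eq "^$2([[:space:]]|$)" "$1"; }
# mismatches SERVER CLIENT: one line per transport setting that differs; fails if any do.
mismatches() {
    rc=0
    for d in proto dev; do
        s=$(value "$1" "$d"); c=$(value "$2" "$d")
        [ "$s" = "$c" ] || { echo "MISMATCH $d: server='$s' client='$c'"; rc=1; }
    done
    # the client's port is the third field of 'remote', the server's is 'port'
    s=$(value "$1" port); c=$(value "$2" remote 3)
    [ "$s" = "$c" ] || { echo "MISMATCH port: server='$s' client='$c'"; rc=1; }
    # comp-lzo takes no argument, so compare presence rather than a value
    if has "$1" comp-lzo; then has "$2" comp-lzo || { echo "MISMATCH comp-lzo: server only"; rc=1; }
    elif has "$2" comp-lzo; then echo "MISMATCH comp-lzo: client only"; rc=1; fi
    return $rc
}
# weak_settings SERVER: one line per setting to revisit; exit status = number found.
weak_settings() {
    n=0
    has "$1" client-cert-not-required && { echo "client-cert-not-required: password-only auth, no client certificates (deprecated since OpenVPN 2.4)"; n=$((n+1)); }
    case "$(value "$1" dh)" in *dh1024*) echo "dh1024.pem: 1024-bit DH parameters; generate 2048-bit or larger"; n=$((n+1)) ;; esac
    has "$1" tls-auth || has "$1" tls-crypt || { echo "no tls-auth/tls-crypt: control channel is not HMAC-protected"; n=$((n+1)); }
    return $n
}
mismatches "$SERVER_CONF" "$CLIENT_CONF" || :; weak_settings "$SERVER_CONF" || :
```

Point the two variables at real files to check a deployment; the functions only read the files passed to them.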
To let clients reach the Internet through the OpenVPN server, the following settings are required.
Edit /etc/sysctl.conf
net.ipv4.ip_forward = 1
Apply the setting
sysctl -p
Set up NAT
/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
/sbin/iptables-save > /etc/sysconfig/iptables
service iptables stop
service iptables start
chkconfig iptables on
Please edit the vars script to reflect your configuration,
then source it with "source ./vars".
Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run "./clean-all".
Finally, you can run this tool (pkitool) to build certificates/keys.
A: Check whether the /etc/openvpn/easy-rsa/2.0/keys directory exists; if it does not, create it manually.