
Deploying OpenVPN on CentOS 6.5 with username/password login

Server side (routed mode):

I. Network setup

1. Enable IP forwarding on the server

# vi /etc/sysctl.conf

net.ipv4.ip_forward = 1

# sysctl -p

2. Set up NAT:

Note: make sure the VPN address pool can be routed out to the Internet.

# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

3. Time synchronization:

# ntpdate asia.pool.ntp.org


II. Install dependencies

# yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig


III. Install OpenVPN:

# yum install openvpn


Here is my configuration:

[root@localhost /etc/openvpn]$ cat /etc/openvpn/server.conf
local 0.0.0.0
port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa-release-2.x/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa-release-2.x/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa-release-2.x/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa-release-2.x/easy-rsa/2.0/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route 172.31.0.0 255.255.0.0"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
client-cert-not-required #do not require client certificates; authenticate with username/password
username-as-common-name #use the authenticated username as the common name instead of a certificate CN
script-security 3
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env #script that checks the submitted username and password (passed to it via environment variables)


Create the username/password check script

vim checkpsw.sh

#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# With "auth-user-pass-verify <script> via-env" OpenVPN passes the
# submitted credentials in the environment variables $username and
# $password. Exit status 0 accepts the login, 1 rejects it.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
    echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
    exit 1
fi

# Take the second field of the first non-comment line whose first field is the username
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then
    # Note: the submitted password is written to the log file here and on a mismatch below
    echo "${TIME_STAMP}: User does not exist: username=\"${username}\",password=\"${password}\"." >> ${LOG_FILE}
    exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
    echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
    exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\",password=\"${password}\"." >> ${LOG_FILE}
exit 1


IV. Download easy-rsa:

I found easy-rsa-release-2.x.zip online; the other versions sometimes did not work for me.

unzip easy-rsa-release-2.x.zip -d /etc/openvpn

cd /etc/openvpn/easy-rsa-release-2.x
cp easy-rsa ../

cd 2.0/

Edit vars

[root@localhost /etc/openvpn]$ grep -v "^#" easy-rsa-release-2.x/easy-rsa/2.0/vars| grep -v "^$"
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="US"
export KEY_PROVINCE="California"
export KEY_CITY="BJ"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="dachenc@test.com"
export KEY_OU="MyOrganizationalUnit"
export KEY_NAME="EasyRSA"

After saving and exiting, make it executable

chmod +x vars

. ./vars #source the variables into the current shell (running ./vars on its own exports nothing)

./clean-all #remove any old keys (rm -rf on $KEY_DIR)

./build-ca #generate the CA certificate and key (ca.crt, ca.key)

./build-key-server server #generate the server certificate and key (server.crt, server.key) that server.conf references

./build-dh #generate the Diffie-Hellman parameters (dh2048.pem)



You can press Enter through all the prompts when generating the files above.

The generated files are in the /etc/openvpn/easy-rsa-release-2.x/easy-rsa/2.0/keys directory.

Copy ca.crt to your local machine.


chkconfig openvpn on

/etc/init.d/openvpn restart



Client configuration:

https://openvpn.net/index.php/open-source/downloads.html

Download the Windows client from the URL above.

After installing, copy client.ovpn from the sample-config folder into the config folder.

Edit client.ovpn in the config folder:

client
dev tun
proto tcp
remote <public IP address> <public port>
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
#cert user1.crt
#key user1.key
comp-lzo
verb 3
auth-user-pass



Create the password file

vi psw-file

client1 123456


chmod 777 psw-file

chown nobody.nobody psw-file
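The checkpsw.sh script and psw-file above work, but the password file holds passwords in clear text, the script writes the submitted password into its log on every failed attempt, and the username is spliced directly into the awk program. The following is an added example, not part of the original post and not OpenVPN's or Mathias Sundman's code: a drop-in replacement for checkpsw.sh that stores salted SHA-256 hashes, never logs the password, and matches the username as a whole field. The file format (username:salt:hash), the helper names make_entry, hash_password and verify_user, and the defaults for PASSFILE and LOG_FILE are my own assumptions. Salted SHA-256 is used only because it runs with coreutils alone; a slow password hash such as sha512-crypt is preferable where available, and the password file should be mode 600 and owned by the account OpenVPN runs as, not 777.

```shell
#!/bin/sh
# Added example, not from the original post: a hardened replacement for checkpsw.sh.
# OpenVPN runs it for "auth-user-pass-verify <script> via-env" and provides the
# submitted credentials in $username and $password; exit 0 accepts, 1 rejects.
# Assumed password file format, one entry per line (lines starting with '#' are comments):
#   username:salt:sha256hex(salt + password)

PASSFILE="${PASSFILE:-/etc/openvpn/psw-file}"
LOG_FILE="${LOG_FILE:-/var/log/openvpn-password.log}"

log() {
    echo "$(date '+%Y-%m-%d %T'): $*" >> "$LOG_FILE"
}

# hash_password SALT PASSWORD: hex SHA-256 of salt||password on stdout.
hash_password() {
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# make_entry USER PASSWORD: print one password-file line with a fresh 128-bit random salt.
make_entry() {
    salt=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s:%s:%s\n' "$1" "$salt" "$(hash_password "$salt" "$2")"
}

# verify_user USER PASSWORD FILE: return 0 on a matching entry, 1 otherwise.
# The submitted password is never written to the log.
verify_user() {
    user=$1
    pass=$2
    file=$3

    if [ ! -r "$file" ]; then
        log "Could not open password file \"$file\" for reading."
        return 1
    fi

    # An empty name, or one containing the field separator, can never be a valid entry.
    case $user in
        ''|*:*) log "Malformed username rejected."; return 1 ;;
    esac

    # Redirecting into the loop keeps it in the current shell, so 'return' works here.
    while IFS=: read -r u salt stored; do
        case $u in ''|'#'*) continue ;; esac
        [ "$u" = "$user" ] || continue
        if [ "$(hash_password "$salt" "$pass")" = "$stored" ]; then
            log "Successful authentication: username=\"$user\"."
            return 0
        fi
        log "Incorrect password: username=\"$user\"."
        return 1
    done < "$file"

    log "User does not exist: username=\"$user\"."
    return 1
}

# Entry point used by OpenVPN (credentials arrive via-env). Without $username in
# the environment the script only defines its functions, so an administrator can
# source it and add users:  . ./checkpsw.sh; make_entry client1 'S3cret!' >> /etc/openvpn/psw-file
if [ -n "${username:-}" ]; then
    verify_user "$username" "${password:-}" "$PASSFILE"
    exit $?
fi
```

Install it at the path named in server.conf (auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env) with the same script-security 3 setting; the psw-file entries are then hash lines produced by make_entry rather than "client1 123456".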


Reconnect the client and enter the username and password to log in.

Original article: https://www.jb51.cc/centos/376382.html
