This article is translated from: Installing OpenVPN on CentOS 5 and CentOS 6
This tutorial walks you through deploying an OpenVPN server on CentOS.
1. Preparation:
Check whether the tun/tap device is enabled:
cat /dev/net/tun
If it is enabled, the command returns the following:
cat: /dev/net/tun: File descriptor in bad state
Install the required packages:
yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y
Download the LZO source RPM and set up the RPMForge repository:
wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm
Install rpmforge (pick the package that matches your architecture and CentOS version):
# 32bit - CentOS 5:
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.i386.rpm
# 32bit - CentOS 6:
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.i686.rpm
# 64bit - CentOS 5:
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.x86_64.rpm
# 64bit - CentOS 6:
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
Build and install the RPM packages:
# lzo-1.08-4.rf.src.rpm is a source RPM; rebuild it into a binary package before installing it
rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
rpm -Uvh lzo-*.rpm
rpm -Uvh rpmforge-release*
2. Installing and configuring OpenVPN:
Install OpenVPN:
yum install openvpn -y
Copy the easy-rsa directory to /etc/openvpn/ (adjust the openvpn-2.2.2 part of the path to the version yum installed):
cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/
Note that on CentOS 6 one more change is needed:
open /etc/openvpn/easy-rsa/2.0/vars and replace the line
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
with:
export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Create the certificates (the following commands run inside the easy-rsa directory):
cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./vars
./clean-all
Build the CA certificate:
./build-ca
Build the server key and certificate:
./build-key-server server
Generate the Diffie-Hellman parameters:
./build-dh
Create the VPN configuration file /etc/openvpn/server.conf with the following content (note that client-cert-not-required together with the PAM plugin means clients are authenticated by username and password only, without a client certificate):
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3
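The following is an added example, not code from the original tutorial: a small POSIX shell audit of a server.conf that flags the settings the configuration above enables. The directive names are real OpenVPN options; the sample config embedded in the demo is constructed to mirror the one in this guide.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit an OpenVPN
# server.conf for the settings this guide turns on. The directive names are
# real OpenVPN options; the config used in the demo below is constructed.

# audit_openvpn_conf CONF
#   Prints one WARN/INFO line per finding and returns the number of WARN
#   lines (0 = nothing flagged). Comments are stripped first, so the
#   commented-out FreeRADIUS plugin line in the guide's config is ignored.
audit_openvpn_conf() {
    conf="$1"
    warnings=0
    stripped=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$conf")

    # Without ca/cert/key/dh the server cannot complete a TLS handshake.
    for directive in ca cert key dh; do
        if ! printf '%s\n' "$stripped" | grep -q "^[[:space:]]*${directive}[[:space:]]"; then
            echo "WARN: no '$directive' directive"
            warnings=$((warnings + 1))
        fi
    done

    # client-cert-not-required: no client certificate is ever checked, so the
    # PAM username/password from openvpn-auth-pam is the only client
    # authentication; password strength is the whole client-side defence.
    if printf '%s\n' "$stripped" | grep -q '^[[:space:]]*client-cert-not-required'; then
        echo "WARN: client-cert-not-required: PAM password is the only client authentication"
        warnings=$((warnings + 1))
    fi

    # The guide's config points at dh1024.pem; 1024-bit DH parameters are
    # below the 2048 bits that current OpenVPN and easy-rsa defaults use.
    dh_file=$(printf '%s\n' "$stripped" | awk '$1 == "dh" { print $2; exit }')
    case "$dh_file" in
        *dh1024*)
            echo "WARN: 1024-bit DH parameters ($dh_file); regenerate with 2048 bits"
            warnings=$((warnings + 1)) ;;
    esac

    # redirect-gateway routes all client traffic through the tunnel, which
    # only works once ip_forward and the NAT rules of section 3 are in place.
    if printf '%s\n' "$stripped" | grep -q 'redirect-gateway'; then
        echo "INFO: redirect-gateway pushed: ip_forward=1 and a POSTROUTING NAT rule are required"
    fi

    return "$warnings"
}

# Demo on a constructed config that mirrors the one in this guide.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
EOF
if audit_openvpn_conf "$demo_conf"; then
    echo "no warnings"
else
    rc=$?
    echo "$rc warning(s)"
fi
rm -f "$demo_conf"
```

Run it against the real file with `audit_openvpn_conf /etc/openvpn/server.conf`; the exit status is the warning count, so it can gate a deployment script. Comments are removed before matching so that the commented-out radiusplugin line is not mistaken for an active plugin.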
Before starting OpenVPN, make sure SELinux is turned off; otherwise OpenVPN misbehaves, especially when several configurations are used:
echo 0 > /selinux/enforce
This is only a temporary workaround. To disable SELinux permanently, edit /etc/selinux/config and change:
SELINUX=enforcing
to:
SELINUX=disabled
Start OpenVPN:
service openvpn restart
3. IP forwarding and firewall configuration:
Enable IP forwarding: open /etc/sysctl.conf and set the following line:
net.ipv4.ip_forward = 1
After saving, run:
sysctl -p
to apply the setting.
Add the iptables rules:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# OpenVZ iptables rules:
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 123.123.123.123
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 123.123.123.123
where 123.123.123.123 is your server's IP address.
If CSF is also enabled on the server, open the OpenVPN port (1194 by default) in CSF manually and run the following commands:
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source 123.123.123.123
If the OpenVPN server still does not work, undo the configuration above and add the following rules instead:
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
Run service iptables save to persist the rules.
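The firewall steps above come in three variants (plain MASQUERADE, OpenVZ SNAT, and the CSF/tun0 forms), and a REJECT placed before the ACCEPT silently breaks the tunnel. As an added example that is not part of the original tutorial, the following POSIX shell function reads `iptables -S` output and checks that a NAT rule covering the VPN subnet and a FORWARD ACCEPT ahead of any blanket REJECT/DROP are present. The subnet 10.8.0.0/24 is the one this guide uses; the rule listings in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: verify from iptables
# output that the forwarding and NAT rules of this section are in place.
# Usage on the server (as root):
#   { iptables -S FORWARD; iptables -t nat -S POSTROUTING; } | check_vpn_nat 10.8.0.0/24
# The rule listings at the bottom are constructed for the demo.

# check_vpn_nat SUBNET
#   Reads `iptables -S` style rules on stdin. Returns 0 when
#   (a) POSTROUTING has a MASQUERADE or SNAT rule covering SUBNET, either
#       matched on "-s SUBNET" or with no source match at all (the OpenVZ
#       venet0 variant above), and
#   (b) FORWARD accepts traffic from SUBNET or from tun0 before any blanket
#       REJECT/DROP. Rule order matters: a "-j REJECT" ahead of the ACCEPT
#       drops all VPN traffic even though the ACCEPT rule exists.
check_vpn_nat() {
    awk -v subnet="$1" '
        /^-A POSTROUTING/ && (/-j MASQUERADE/ || /-j SNAT/) {
            if (index($0, "-s " subnet) || !index($0, "-s ")) nat = 1
        }
        /^-A FORWARD/ && !decided {
            if ((index($0, "-s " subnet) || /-i tun0/) && /-j ACCEPT/) { fwd = 1; decided = 1 }
            else if (/-j (REJECT|DROP)/ && !/-s / && !/-i /) { decided = 1 }
        }
        END {
            status = (nat && fwd) ? 0 : 1
            if (!nat) print "MISSING: no POSTROUTING MASQUERADE/SNAT rule covering " subnet
            if (!fwd) print "MISSING: no FORWARD ACCEPT for " subnet " or tun0 before a blanket REJECT/DROP"
            if (status == 0) print "OK: forwarding and NAT rules present for " subnet
            exit status
        }'
}

# Demo: a correct rule set, then one where REJECT precedes the ACCEPT.
good_rules='-P FORWARD ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE'
bad_rules='-P FORWARD ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o venet0 -j SNAT --to-source 123.123.123.123'
printf '%s\n' "$good_rules" | check_vpn_nat 10.8.0.0/24 || true
printf '%s\n' "$bad_rules" | check_vpn_nat 10.8.0.0/24 || true
```

The check deliberately accepts a POSTROUTING rule without any `-s` match, because the OpenVZ and CSF variants above SNAT everything leaving the host rather than only the VPN subnet; if you want the stricter reading, drop the `!index($0, "-s ")` clause.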
4. OpenVPN client configuration:
Create a file named server.ovpn with the following content:
dev tun
proto udp
remote 123.123.123.123 1194 # - Your server IP and OpenVPN Port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
reneg-sec 0
verb 3
Download ca.crt from the server's /etc/openvpn/easy-rsa/2.0/keys/ directory and place it in the same directory as server.ovpn, then install an OpenVPN client, load the .ovpn file and connect.
If the client connects successfully but has no internet access, check the server-side firewall configuration and make sure the OpenVPN client program is running as administrator.