2025-04-11 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
Today the editor shares how to build an OpenVPN server on Linux. The content is detailed and the logic is clear; I believe most people do not yet know much about this, so this article is shared for your reference. I hope you gain something from reading it. Let's take a look.
Tools / raw materials
Server side: CentOS6.5
Client: Windows7
Server-side software: epel-release-6-8.noarch.rpm, openvpn, easy-rsa
Client software: openvpn-install-2.3.4
Server-side installation and configuration
1. Disable SELinux
setenforce 0                                                   // disables it temporarily (until reboot)
sed -i '/^SELINUX=/c\SELINUX=disabled' /etc/selinux/config     // takes effect after a reboot
2. Install the EPEL source
wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm    // download the CentOS 6 32-bit EPEL source
rpm -ivh epel-release-6-8.noarch.rpm                                              // install the EPEL source
yum makecache                                                                     // update the local cache
3. Install openvpn
yum -y install openvpn easy-rsa
4. Easy-rsa configuration
mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
5. Create CA certificates and keys
vi /etc/openvpn/easy-rsa/vars    // change your own country, province, city, email address, etc.
The vars file also sets KEY_SIZE, which decides the RSA key length shown in the output below; 1024-bit RSA is no longer considered adequate, so setting KEY_SIZE=2048 before running build-ca is advisable (the output below shows the 1024-bit default).
cd /etc/openvpn/easy-rsa         // the scripts below are run from this directory
source ./vars                    // initialize the certificate authority environment
./clean-all                      // clear the files under the keys directory
./build-ca                       // create the CA certificate
Generating a 1024 bit RSA private key
.+..+
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [HZ]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:
Name [changeme]:
Email Address [mail@host.domain]:
6. Create a certificate and key on the server side
./build-key-server server
Generating a 1024 bit RSA private key
.+.+
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [HZ]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [server]:
Name [changeme]:
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'HZ'
organizationName      :PRINTABLE:'HZ'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Mar 28 03:05:21 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
7. Create a certificate and key for the client
./build-key client1
Generating a 1024 bit RSA private key
...+.+
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [HZ]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [client1]:
Name [changeme]:
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'HZ'
organizationName      :PRINTABLE:'HZ'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'client1'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Mar 28 03:21:06 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
8. Create the Diffie-Hellman key exchange parameters
./build-dh
9. Copy the server certificate, key and related files
cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,dh3048.pem,ca.crt} /etc/openvpn
build-dh names its output after the KEY_SIZE set in vars (dh<KEY_SIZE>.pem), so check the keys directory for the actual file name and use the same name in the dh line of server.conf.
10. Configure the VPN server
cp /usr/share/doc/openvpn-2.3.*/sample/sample-config-files/server.conf /etc/openvpn/    // copy the sample configuration file to /etc/openvpn
Modify the server configuration file:
cat server.conf | grep "^[^#|^;]"    // list the uncommented content
local 10.17.1.20                           # listening address
port 1194                                  # listening port
proto tcp                                  # listening protocol
dev tun                                    # routed tunnel mode
ca ca.crt                                  # CA certificate path
cert server.crt                            # server certificate
key server.key                             # server key; this file should be kept secret
dh dh3048.pem                              # Diffie-Hellman key exchange parameter file
server 10.8.0.0 255.255.255.0              # address pool assigned to clients. Note: it must not be the same as the intranet segment behind the VPN server
ifconfig-pool-persist ipp.txt
push "route 192.168.20.0 255.255.255.0"    # push a route to the intranet segment behind the VPN server
push "dhcp-option DNS 8.8.8.8"             # DNS server assigned to clients
client-to-client                           # allow clients to communicate with each other
keepalive 10 120                           # ping every 10 seconds; if no reply arrives within 120 seconds the peer is considered disconnected
comp-lzo                                   # compress transmitted data
max-clients 100                            # allow at most 100 clients to connect
user nobody                                # run as user nobody
group nobody                               # run as group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
Note that current OpenVPN releases advise against enabling compression (comp-lzo) on the tunnel, because compressing plaintext that carries secrets can leak information about them; if it is kept, the same setting must be present on the client side too.
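The rule in the note on the server line (the client pool must not coincide with the intranet segment behind the server) can be checked mechanically. The following Python script is an added example and not code from the article: it parses the uncommented lines of server.conf the way the grep above lists them, then reports a pool/route overlap, a missing user/group privilege drop, and comp-lzo; the sample configuration is constructed from the values above.

```python
# Added example, not part of the article: lint the server.conf built above.
import ipaddress
import shlex

# Constructed sample: uncommented lines of the article's server.conf.
SAMPLE_CONF = """\
proto tcp                      # listening protocol
;dev tap
server 10.8.0.0 255.255.255.0
push "route 192.168.20.0 255.255.255.0"
comp-lzo
user nobody
group nobody
"""

def parse_conf(text):
    """Return (directive, args) pairs; lines starting with '#' or ';' are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)  # also drops a trailing '# ...'
        if parts:
            entries.append((parts[0], parts[1:]))
    return entries

def net_of(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def lint(text):
    """Return findings as strings; an empty list means every check passed."""
    entries = parse_conf(text)
    names = {d for d, _ in entries}
    pool, routes, findings = None, [], []
    for directive, args in entries:
        if directive == "server" and len(args) >= 2:
            pool = net_of(args[0], args[1])     # client pool; must not overlap pushed intranet
        elif directive == "push" and args and args[0].startswith("route "):
            toks = args[0].split()              # 'route <network> <netmask>'
            if len(toks) >= 3:
                routes.append(net_of(toks[1], toks[2]))
    findings += [f"client pool {pool} overlaps pushed route {r}"
                 for r in routes if pool is not None and pool.overlaps(r)]
    findings += [f"missing '{d}': daemon would keep root privileges"
                 for d in ("user", "group") if d not in names]
    if "comp-lzo" in names:
        findings.append("comp-lzo enabled: compressing tunnelled data is discouraged")
    return findings
```

Run lint() on the real /etc/openvpn/server.conf contents to get the same findings for a live configuration.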
11. Iptables configuration
Clear the existing iptables rules:
iptables -F
iptables -X
Configure NAT for openvpn, so that packets from every tunnel subnet leaving through eth0 are masqueraded:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Add the FORWARD whitelist:
iptables -A FORWARD -i tun+ -j ACCEPT
Enable the system's IP forwarding:
echo "1" > /proc/sys/net/ipv4/ip_forward
service iptables save       // save the iptables configuration
service iptables restart    // restart iptables
Note: iptables -F removes every existing rule, so any host rules you rely on (for example the one allowing SSH) must be re-added before running service iptables save. Writing to /proc/sys/net/ipv4/ip_forward does not survive a reboot; also set net.ipv4.ip_forward = 1 in /etc/sysctl.conf.
12. Start openvpn
service openvpn start
13. Configure the client
Copy the client profile client.ovpn:
cp /usr/share/doc/openvpn-2.3.*/sample/sample-config-files/client.conf /etc/openvpn/client.ovpn
Modify the client profile:
cat client.ovpn | grep "^[^#|^;]"    // list the uncommented content
client
dev tun
proto tcp                       # changed to tcp, matching the server
remote 203.195.xxx.xxx 1194     # public IP of the OpenVPN server and its port
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt                 # client1's certificate
key client.key                  # client1's key
ns-cert-type server
comp-lzo
verb 3
ns-cert-type server makes the client accept only a server certificate issued with the server extension (nsCertType=server), which is why step 6 used build-key-server rather than build-key.
OpenVPN client configuration
1. Copy /etc/openvpn/easy-rsa/keys/{ca.crt,client.crt,client.key} and /etc/openvpn/client.ovpn from the server to the Windows 7 client. Step 7 named the client client1, so the files produced in the keys directory are client1.crt and client1.key; rename them to match the cert and key lines in client.ovpn, or change those lines.
2. Download the OpenVPN client installer
Download address: http://pan.baidu.com/s/1ZsgpS
3. Put the files you just copied into the config directory under the OpenVPN client installation directory (C:\Program Files\OpenVPN\config)
4. Start OpenVPN GUI
Right-click the OpenVPN icon in the system tray (lower right corner) and select "Connect". Under normal circumstances the client connects successfully and is assigned an IP address from the pool.
These are all the contents of the article "how to build an OpenVPN server in Linux". Thank you for reading! I believe you will gain a lot after reading this article. The editor will update different knowledge for you every day. If you want to learn more knowledge, please pay attention to the industry information channel.