Install OpenVPN
1. Create a directory for storing openvpn software and upload the software
[root@odsee ~]# cd /usr/local/
[root@odsee local]# mkdir openvpn
[root@odsee local]# cd openvpn/
Note: The most widely used openvpn versions are lzo-2.0.2 and openvpn-2.0.9, which are also the most stable.
2. Install the lzo compression module
[root@odsee openvpn]# tar zxf lzo-2.06.tar.gz
[root@odsee openvpn]# cd lzo-2.06
[root@odsee lzo-2.06]# ./configure
[root@odsee lzo-2.06]# make
[root@odsee lzo-2.06]# make install
3. Install openvpn software
[root@odsee lzo-2.06]# cd ..
[root@odsee openvpn]# tar zxf openvpn-2.2.2.tar.gz
[root@odsee openvpn]# cd openvpn-2.2.2
Check whether the dependent packages are installed. OpenVPN requires SSL support:
[root@odsee openvpn-2.2.2]# rpm -qa|grep openssl
[root@odsee openvpn-2.2.2]# ./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib
[root@odsee openvpn-2.2.2]# make
[root@odsee openvpn-2.2.2]# make install
4. Configure openvpn server and create CA certificate
[root@odsee openvpn-2.2.2]# cd easy-rsa/2.0/
[root@odsee 2.0]# cp vars vars20151204.bak
[root@odsee 2.0]# vim vars
Modify the end of the file to read as follows:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="JS"
export KEY_CITY="Nanjing"
export KEY_ORG="wisedu"
export KEY_EMAIL="[email protected]"
export [email protected]
export KEY_CN=CN
export KEY_NAME=wisedu
export KEY_OU=wisedu
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
After modifying the vars file, run source vars so that the changes take effect. Then clear all existing certificates and keys:
[root@odsee 2.0]# ./clean-all
Create a new CA certificate:
[root@odsee 2.0]# vim vars
[root@odsee 2.0]# source vars
[root@odsee 2.0]# ./clean-all
[root@odsee 2.0]# ./build-ca
View the generated certificate:
5. Generate server certificate and key file
[root@odsee 2.0]# ./build-key-server server
You can also enter a password here. View the created server certificate:
6. Generate client certificate and key file
Generate the client certificate and key file. To create several client certificates, repeat the following steps, changing only the Common Name.
With this configuration, every VPN client that logs in needs its own certificate, and each certificate can be used by only one client at a time. Next, create a client certificate; here the key name is test, although at work it is usually the person's name. The .crt file is the certificate and the .key file is the private key; the client needs both. Note: build-key generates a certificate and key for a client that dials in without a password. To require a password, create the certificate and key with the build-key-pass script instead; the client must then enter that password when dialing in, and it is the password for the VPN dial-up. Next, use build-key-pass to create another client certificate and key file.
[root@odsee ~]# cd /usr/local/openvpn/openvpn-2.2.2/easy-rsa/2.0
7. Generate VPN key protocol exchange file
Generate the exchange key protocol file used for key exchange during transmission:
[root@odsee 2.0]# ./build-dh
View the generated files:
8. Detailed explanation of the purpose of each server and client certificate file
To prevent malicious attacks (such as DoS and UDP port flooding), generate an "HMAC firewall" key:
[root@odsee 2.0]# openvpn --genkey --secret keys/ta.key
At this point the file generation work is completed.
9. Detailed explanation of important server-side VPN commands
vars script: a script used to create environment variables and set the required variables
clean-all script: clears the generated CA certificate and key files
build-ca script: generate ca certificate (interactive)
build-key-server script: Generate server-side keys (interactive)
build-key script: Generate client key (interactive)
build-key-pass script: Generate a client key file with a password (interactive)
build-dh script: script to generate Diffie-Hellman file (interactive)
pkitool script: generates certificates directly from the vars environment variable settings (non-interactive)
10. Detailed explanation of important configuration parameters of openvpn server
Copy keys and configuration
[root@odsee 2.0]# mkdir /etc/openvpn/
[root@odsee 2.0]# cp -ap keys/ /etc/openvpn/
[root@odsee 2.0]# cd /usr/local/openvpn/openvpn-2.2.2/sample-config-files/
[root@odsee sample-config-files]# cp client.conf server.conf /etc/openvpn/
Modify the server configuration file.
The original configuration file content is as follows:
[root@odsee 2.0]# cd /etc/openvpn/
[root@odsee openvpn]# grep -vE ";|#|^$" server.conf >tmp.log
[root@odsee openvpn]# cat tmp.log >server.conf
The final modified file content is as follows:
local 172.16.4.81
port 52115
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 172.16.4.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 208.67.222.222"
#push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 114.114.114.114"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client
duplicate-cn
log /var/log/openvpn.log
Common configuration instructions (parameter: description):
local 10.0.0.28: the local address (the external network card address) on which openvpn listens.
port 52115: the default listening port is 1194; for security reasons, change it to 52115.
proto udp: the listening protocol. When there are many concurrent connections, TCP is recommended.
dev tun: the VPN server runs in routing mode; either tap or tun can be chosen.
ca ca.crt: the CA certificate. Note that this form assumes the file is in the same directory as server.conf; otherwise it must be referenced by an absolute path.
cert server.crt
key server.key: this file must be kept secret.
dh dh1024.pem
server 10.8.0.0: the address pool that the VPN server dynamically assigns to VPN clients. It generally does not need to be changed, but the segment must not conflict or overlap with any other network segment.
ifconfig-pool-persist ipp.txt
push "route 172.16.1.0 255.255.255.0": the intranet segment where the VPN server is located; if there are several, write several push lines. What this command actually does is create a route to the server's intranet segment on the VPN client, so that the client can communicate with that segment.
client-to-client: allow the dialed-in VPN clients to communicate with each other.
duplicate-cn: allow multiple clients to connect using the same account.
keepalive 10 20: ping every 10 seconds; if no packet is received within 120 seconds, the client is considered disconnected.
comp-lzo: enable compression.
persist-key: when the VPN times out and is restarted, keep the previously loaded private key instead of re-reading it.
persist-tun: when keepalive detects a VPN timeout and the VPN is restarted, keep the tun or tap device open.
status openvpn-status.log: openvpn status log.
log /var/log/openvpn.log: log file.
verb 3: log verbosity level.
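As an added example (not code from the original post or from OpenVPN), the following shell script lints a server.conf like the one above before the daemon is started: it resolves each file directive, checks the private key's mode, and flags two things the table does not mention, that ta.key only takes effect when server.conf has a tls-auth line, and that duplicate-cn lets one certificate serve several clients. It assumes the keys/ directory beside the config as laid out earlier and GNU stat as found on the CentOS host; the demo tree at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight lint for an OpenVPN
# server.conf laid out as above (keys/ beside the config under /etc/openvpn).
# Checks: each file directive resolves to a readable file; the private key is
# owner-only; tls-auth is present (otherwise the generated ta.key is unused);
# duplicate-cn is flagged. Prints one line per finding and returns the count.
lint_openvpn_conf() {
    conf=$1; dir=$(dirname "$conf"); n=0
    for d in ca cert key dh tls-auth; do
        # First uncommented "<directive> <path>" line; comments start with ; or #.
        path=$(awk -v d="$d" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$path" ]; then
            if [ "$d" = tls-auth ]; then
                echo "WARN: no tls-auth line, so keys/ta.key is never used"
            else
                echo "ERR: required directive '$d' missing"
            fi
            n=$((n + 1)); continue
        fi
        # A relative path is resolved against the directory holding the config.
        case $path in /*) ;; *) path=$dir/$path ;; esac
        if [ ! -r "$path" ]; then
            echo "ERR: $d file not readable: $path"; n=$((n + 1))
        elif [ "$d" = key ]; then
            mode=$(stat -c %a "$path")   # GNU stat, as on the CentOS host above
            case $mode in
                *00) ;;                  # 600/400: owner only, as it should be
                *) echo "WARN: $path is mode $mode; chmod 600 it"; n=$((n + 1)) ;;
            esac
        fi
    done
    if awk '$1 == "duplicate-cn" { f = 1 } END { exit !f }' "$conf"; then
        echo "WARN: duplicate-cn lets one client certificate be shared"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed demo tree mirroring the layout from the post (server.key
# deliberately left world-readable, tls-auth deliberately omitted).
demo=$(mktemp -d); mkdir -p "$demo/keys"
for f in ca.crt server.crt server.key dh1024.pem; do : > "$demo/keys/$f"; done
chmod 644 "$demo/keys/server.key"
printf '%s\n' 'port 52115' 'proto tcp' 'dev tun' 'ca keys/ca.crt' \
    'cert keys/server.crt' 'key keys/server.key' 'dh keys/dh1024.pem' \
    'server 10.8.0.0 255.255.255.0' 'duplicate-cn' > "$demo/server.conf"
lint_openvpn_conf "$demo/server.conf" || echo "findings: $?"   # prints 3
rm -rf "$demo"
```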
Configure and debug VPN and run VPN service
1. Remove the firewall restrictions on the VPN server port and allow forwarding for the service, or turn off the firewall first, debug the VPN, and turn the firewall back on afterwards.
[root@odsee ~]# service iptables stop
2. Enable kernel forwarding function
[root@odsee ~]# sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#' /etc/sysctl.conf
[root@odsee ~]# sysctl -p
Note: Both iptables and kernel ip_forward need to be enabled to allow forwarding.
3. Turn off SELinux
[root@odsee ~]# setenforce 0
[root@odsee ~]# vim /etc/sysconfig/selinux
4. Start the VPN service on the server
[root@odsee openvpn]# /usr/local/sbin/openvpn --config /etc/openvpn/server.conf &
[root@odsee openvpn]# netstat -anp|grep vpn
View the logs:
5. Check the virtual network card on the server