What's OpenVPN:
OpenVPN is a full-featured SSL VPN which implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or username/password credentials, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN is not a web application proxy and does not operate through a web browser.
OpenVPN 2.0 expands on the capabilities of OpenVPN 1.x by offering a scalable client/server mode, allowing multiple clients to connect to a single OpenVPN server process over a single TCP or UDP port.
Author: A-Lang (alang[dot]hsu[at]gmail[dot]com)
Our System Environment:
Server>
OS : CentOS Linux V4.4/kernel 2.6.9-34.0.2.EL
Real IP : 192.168.10.10
VPN IP : 10.8.0.1
Client>
OS : Windows XP Home
Real IP : 192.168.0.163(dhcp mode)
VPN IP : 10.8.0.x (server assigned)
Reference Document:
http://www.study-area.org/tips/openvpn.html
==============
For Server
==============
1. Download package files
#wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
#wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm
2. Install package
#rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
#rpm -Uvh /usr/src/redhat/RPMS/i386/lzo-*.rpm
#rpmbuild -tb openvpn-2.0.9.tar.gz
#rpm -Uvh /usr/src/redhat/RPMS/i386/openvpn-2.0.9-1.i386.rpm
Error:
Failed build dependencies:
autoconf is needed by lzo-1.08-4.rf.i386
Answer:
yum install autoconf.noarch
--
Error:
Failed build dependencies:
pam-devel is needed by openvpn-2.0.9-1.i386
Answer:
yum install pam-devel
3. Copy the sample configuration files
#cp -r /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/
#cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/
4. Configure the CA
#cd /etc/openvpn/easy-rsa/
#vi vars
export KEY_COUNTRY=TW
export KEY_PROVINCE=Taiwan
export KEY_CITY=Hsinchu
export KEY_ORG="ALANGVPN"
export KEY_EMAIL="vpn@myvpn.ca.mail"
#. ./vars
#./clean-all
5. Build the root CA
#./build-ca
......++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [TAIWAN]:
Locality Name (eg, city) [HSINCHU]:
Organization Name (eg, company) [ALANGVPN]:
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:VPN
Email Address [vpn@myvpn.ca.mail]:
6. Build the server key and crt
#./build-key-server ovpnsrv1
Generating a 1024 bit RSA private key
.....++++++
........................++++++
writing new private key to 'ovpnsrv1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [TAIWAN]:
Locality Name (eg, city) [HSINCHU]:
Organization Name (eg, company) [ALANGVPN]:
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:VPN
Email Address [vpn@myvpn.ca.mail]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'TW'
stateOrProvinceName :PRINTABLE:'TAIWAN'
localityName :PRINTABLE:'HSINCHU'
organizationName :PRINTABLE:'ALANGVPN'
organizationalUnitName:PRINTABLE:'linux'
commonName :PRINTABLE:'VPN'
emailAddress :IA5STRING:'vpn@myvpn.ca.mail'
Certificate is to be certified until Jun 27 05:21:29 2017 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
7. Build the Diffie Hellman parameters
#./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..........
8. Install the CA file which server request
#cp keys/ca.crt ../
#cp keys/dh1024.pem ../
#cp keys/ovpnsrv1.key ../
#cp keys/ovpnsrv1.crt ../
9. Setting the server configuration for OpenVPN
#cd ../
#vi server.conf
dev tap
;dev tun
ca ca.crt
cert ovpnsrv1.crt
key ovpnsrv1.key # This file should be kept secret
10. Startup the service
#service openvpn restart
#chkconfig openvpn on
==============
For Client
==============
1. Download and install the OpenVPN GUI for Windows
http://openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe
2. Configure the CA
cmd.exe
>cd "c:Program FilesOpenVPNeasy-rsa"
>copy vars.bat.sample vars.bat
edit vars.bat
set KEY_COUNTRY=TW
set KEY_PROVINCE=TAIWAN
set KEY_CITY=HSINCHU
set KEY_ORG=ALANGVPN
set KEY_EMAIL=vpn@myvpn.ca.mail
(PS. Above must be same as the server)
3. Double-Click the file vars.bat or run this batch file with command-line to load the configuration above.
4. Build the client key and csr
>cp openssl.cnf.sample openssl.cnf
>md keys
>build-key alanghome
5. Copy the client csr file to server and then sign up the csr file with command 'sign-req' .
Copy the keys/alanghome.csr of client to the directory /etc/openvpn/easy-rsa/keys of server.
#cd /etc/openvpn/easy-rsa/
#./sign-req alanghome
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'TW'
stateOrProvinceName :PRINTABLE:'TAIWAN'
localityName :PRINTABLE:'HSINCHU'
organizationName :PRINTABLE:'ALANGVPN'
organizationalUnitName:PRINTABLE:'linux'
commonName :PRINTABLE:'alanghome'
emailAddress :IA5STRING:'vpn@myvpn.ca.mail'
Certificate is to be certified until Jun 27 06:40:48 2017 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
6. Return to client, install the CA files (including alanghome.crt and ca.crt)
Copy the crt file(alanghome.crt) that server made and ca.crt of server to the directory Program Files/OpenVPN/config of client.
>cd ../config
>copy ../easy-rsakeysalanghome.key ./
7. Setting the client configuration for OpenVPN
>copy ../sample-config/client.ovpn ./
Right-Click the OpenVPN GUI icon in the bottom right-hand corner, select 'Edit Config'
dev tap
;dev tun
dev-node OpenVPN_Tap
remote 192.168.10.10 1194
ca ca.crt
cert alanghome.crt
key alanghome.key
ns-cert-type server
8. Configure the network interface for OpenVPN
Select "Control Panel" -> "Network Connection" -> "TAP-Win32#(#)"
Right-Click to rename as 'OpenVPN_Tap'
9. Startup the connection of client
In the task-bar, select "OpenVPN GUI" -> right-click "Connect"
Here you should can connect with OpenVPN server thru VPN. However general web browsing will be accomplished with direct connections that bypass the VPN.
If you want to browse web thru VPN , please continue to follow the steps below.
1. Add the following directive to the server configuration file 'server.conf'
push "redirect-gateway def1"
push "dhcp-option DNS 168.95.1.1"
2. Setting NAT routing for VPN client on server (設定NAT)
#vi /etc/openvpn/start-nat.sh
#!/bin/bash
ipt="/sbin/iptables"
# Clean the all rules (清除所有iptables)
$ipt -F
$ipt -X
$ipt -t nat -F
$ipt -t nat -X
# Enable ip_forward
echo "1" > /proc/sys/net/ipv4/ip_forward
# For NAT routing
$ipt -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
$ipt -t nat -L
#cd /etc/openvpn
#./start-nat.sh
See Also:
http://blog.chinaunix.net/u/9284/article.php?frmid=28653
http://openvpn.net/howto.html
http://openvpn.se/index.html
http://bbs.chinaunix.net/viewthread.php?tid=935322&extra=page%3D3
http://bbs.chinaunix.net/viewthread.php?tid=503434&extra=page%3D4
沒有留言:
張貼留言