Because the great GFW keeps getting more formidable, routine site maintenance such as FTP, POP and SMTP mail, and looking up technical material on Google get forcibly cut off by the GFW all the time. To get around this I installed OpenVPN on my overseas host, and wrote down the installation steps at the time.
Today a friend asked me about installing OpenVPN again, so I have reorganised these notes on installing OpenVPN on Linux and the OpenVPN GUI on Windows.
I hope they are useful to others.
When I installed OpenVPN I had the guidance and help of WenZK. My thanks to him.
Check whether the kernel has the tun module:
    root@a [/]# modinfo tun
    filename:    /lib/modules/2.4.20-31.9/kernel/drivers/net/tun.o
    description:
    author:
    license:     "GPL"
If there is no modinfo command, look directly for a tun.o file in the kernel modules:
    find -name tun.o
    ./lib/modules/2.4.20/kernel/drivers/net/tun.o
Check the iptables module, i.e. whether the following files exist:
Install OpenSSL and its development headers:
    yum install openssl
    yum install openssl-devel
http://www.xiaohui.com/dev/server/20070514-install-openvpn.htm
    cd /
LZO download address: http://www.oberhumer.com/opensource/lzo/download/
Code:
    wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.02.tar.gz
    tar xzf lzo-2.02.tar.gz        # unpacks into /lzo-2.02
OpenVPN download address: http://openvpn.net/download.html
Code:
    wget http://openvpn.net/release/openvpn-2.0.5.tar.gz
    tar xzf openvpn-2.0.5.tar.gz   # unpacks into /openvpn-2.0.5
Build and install LZO:
    cd /lzo-2.02
    ./configure
    make
    make check
    make install
Build and install OpenVPN.
Code:
    cd /openvpn-2.0.5
    ./configure
    # or point configure at the LZO and SSL directories explicitly
    # (one command; the backslashes continue it across lines for readability):
    # ./configure --with-lzo-headers=/usr/local/include \
    #             --with-lzo-lib=/usr/local/lib \
    #             --with-ssl-headers=/usr/local/include/openssl \
    #             --with-ssl-lib=/usr/local/lib
    make
    make install
Initialise the PKI
(If there is no export command, use setenv [name] [value] instead.)
Code:
    cd /openvpn-2.0.5/easy-rsa
    export D=`pwd`
    export KEY_CONFIG=$D/openssl.cnf
    export KEY_DIR=$D/keys
    export KEY_SIZE=1024
    export KEY_COUNTRY=CN
    export KEY_PROVINCE=GD
    export KEY_CITY=SZ
    export KEY_ORG="xiaohui.com"
    export KEY_EMAIL="your-email [at] xiaohui.com"
Build the CA:
Code:
    ./clean-all
    ./build-ca
    Generating a 1024 bit RSA private key
    ................++++++
    ........++++++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [GD]:
    Locality Name (eg, city) [SZ]:
    Organization Name (eg, company) [xiaohui.com]:
    Organizational Unit Name (eg, section) []:xiaohui.com
    Common Name (eg, your name or your server's hostname) []:server
    Email Address [your-email [at] xiaohui.com]:
# Build the server key
Code:
    ./build-key-server server
    Generating a 1024 bit RSA private key
    ......++++++
    ....................++++++
    writing new private key to 'server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [GD]:
    Locality Name (eg, city) [SZ]:
    Organization Name (eg, company) [xiaohui.com]:
    Organizational Unit Name (eg, section) []:xiaohui.com
    Common Name (eg, your name or your server's hostname) []:server
    Email Address [your-email [at] xiaohui.com]:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:abcd1234
    An optional company name []:xiaohui.com
    Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'CN'
    stateOrProvinceName   :PRINTABLE:'GD'
    localityName          :PRINTABLE:'SZ'
    organizationName      :PRINTABLE:'xiaohui.com'
    organizationalUnitName:PRINTABLE:'xiaohui.com'
    commonName            :PRINTABLE:'server'
    emailAddress          :IA5STRING:'your-email [at] xiaohui.com'
    Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
# Generate the client key
Code:
    ./build-key client1
    Generating a 1024 bit RSA private key
    .....++++++
    ......++++++
    writing new private key to 'client1.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [GD]:
    Locality Name (eg, city) [SZ]:
    Organization Name (eg, company) [xiaohui.com]:
    Organizational Unit Name (eg, section) []:xiaohui.com
    Common Name (eg, your name or your server's hostname) []:client1   # Important: the certificate generated for each client must have a different name.
    Email Address [your-email [at] xiaohui.com]:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:abcd1234
    An optional company name []:xiaohui.com
    Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'CN'
    stateOrProvinceName   :PRINTABLE:'GD'
    localityName          :PRINTABLE:'SZ'
    organizationName      :PRINTABLE:'xiaohui.com'
    organizationalUnitName:PRINTABLE:'xiaohui.com'
    commonName            :PRINTABLE:'client1'
    emailAddress          :IA5STRING:'your-email [at] xiaohui.com'
    Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
Generate the other client certificates/keys the same way.
Code:
    ./build-key client2
    ./build-key client3
Note: at the Common Name (eg, your name or your server's hostname) []: prompt, each certificate must be given a different name.
Generate the Diffie-Hellman parameters:
    ./build-dh
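Once build-ca, build-key-server, build-key and build-dh have run, it is worth checking the keys directory before handing anything out. The script below is an added example, not part of the original notes: it verifies that every issued certificate chains to ca.crt, that no two issued certificates share a Common Name (the point the note above insists on, since OpenVPN identifies clients by CN), and that private keys are not readable by group or other. It assumes the openssl command-line tool is installed and that the keys live in the easy-rsa keys directory as set by KEY_DIR.

```shell
#!/bin/sh
# Added example (not from the original post): audit an easy-rsa "keys" directory.
# Checks: each issued cert verifies against ca.crt, no two issued certs share a
# Common Name, and every private key is mode 0600. Assumes the openssl CLI.

# Print the Common Name of one certificate file.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed only if the certificate verifies against ca.crt in the keys directory.
verify_cert() {
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# Print each Common Name that occurs on more than one of the given certificates.
duplicate_cns() {
    for f in "$@"; do cert_cn "$f"; done | sort | uniq -d
}

# Succeed only if the file has no group/other permission bits (e.g. mode 0600).
key_perms_ok() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Run every check; return 0 when the directory is clean, 1 otherwise.
audit_keys() {
    dir=$1; rc=0; issued=""
    for crt in "$dir"/*.crt; do
        [ "$crt" = "$dir/ca.crt" ] && continue
        issued="$issued $crt"
        if verify_cert "$dir" "$crt"; then
            echo "ok    $crt (CN=$(cert_cn "$crt"))"
        else
            echo "FAIL  $crt does not chain to ca.crt"; rc=1
        fi
    done
    dups=$(duplicate_cns $issued)
    [ -z "$dups" ] || { echo "FAIL  duplicate Common Name(s): $dups"; rc=1; }
    for key in "$dir"/*.key; do
        key_perms_ok "$key" || { echo "FAIL  $key is readable by group/other"; rc=1; }
    done
    return $rc
}

# Usage: sh audit-keys.sh /openvpn-2.0.5/easy-rsa/keys
if [ $# -gt 0 ]; then audit_keys "$1"; fi
```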
Code:
    tar -cf mykeys.tar /openvpn-2.0.5/easy-rsa/keys
    cp mykeys.tar /home/xiaohui.comsys/public_html/mykeys.tar
Move mykeys.tar into the web public directory (the absolute path differs from host to host), download it to the local machine as http://www.a.com/mykeys.tar and save it, then delete it from the server:
Code:
    rm /home/xiaohui.comsys/public_html/mykeys.tar
You can also get the key files onto the local machine by other means, for example FTP.
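The mykeys.tar above packs the whole keys directory, so it carries ca.key and server.key along with every client's key, and the same archive would go to every client. The script below is an added example rather than the author's own: it packs only ca.crt plus one client's certificate and key into a bundle for that client, refuses to build a bundle when any of the three files is missing, and locks the archive down to mode 0600. It assumes the easy-rsa keys directory layout used above (ca.crt, client1.crt, client1.key, ...).

```shell
#!/bin/sh
# Added example (not from the original post): build a per-client key bundle
# that contains only ca.crt, <client>.crt and <client>.key, so that the CA key,
# the server key and other clients' keys never leave the server.

# bundle_client KEYS_DIR CLIENT_NAME OUT_TAR
# Creates OUT_TAR with exactly three members; returns 1 and creates nothing
# if any of them is missing from KEYS_DIR.
bundle_client() {
    keys=$1; name=$2; out=$3
    for f in ca.crt "$name.crt" "$name.key"; do
        if [ ! -f "$keys/$f" ]; then
            echo "missing $keys/$f" >&2
            return 1
        fi
    done
    # -C makes the member names relative, so the archive does not record
    # the server's directory layout the way "tar -cf mykeys.tar /openvpn-..." does.
    tar -cf "$out" -C "$keys" ca.crt "$name.crt" "$name.key" || return 1
    chmod 600 "$out"
}

# Print the member names of a bundle, one per line, sorted.
bundle_members() {
    tar -tf "$1" | sort
}

# Succeed only if the bundle holds nothing but ca.crt and the client's own pair.
bundle_is_minimal() {
    [ "$(bundle_members "$1" | tr '\n' ' ')" = "ca.crt $2.crt $2.key " ]
}

# Usage: sh bundle-client.sh /openvpn-2.0.5/easy-rsa/keys client1 client1.tar
if [ $# -eq 3 ]; then bundle_client "$1" "$2" "$3"; fi
```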
Create the configuration files from the samples:
Code:
    cd /openvpn-2.0.5/sample-config-files/   # the sample-config-files subdirectory of the unpacked source tree
    cp server.conf /usr/local/etc            # copy the server configuration file to /usr/local/etc
    vi /usr/local/etc/server.conf
The contents of the server.conf I built are attached separately later.
Code:
    cd /openvpn-2.0.5/sample-config-files/   # the sample-config-files subdirectory of the unpacked source tree
    cp client.conf /usr/local/etc            # copy the client configuration file to /usr/local/etc
    vi /usr/local/etc/client.conf
The contents of the client.conf I built are attached separately later.
Start the server:
    /usr/local/sbin/openvpn --config /usr/local/etc/server.conf