共计 8298 个字符,预计需要花费 21 分钟才能阅读完成。
在内网搭建一台服务器实现从外网连接到内网
环境
服务端:CentOS 6.7 32-bit
客户端:Windows XP
服务端配置
# 关闭 SELinux
sed -i ‘/^SELINUX\b/s/=.*/=disabled/’ /etc/selinux/config
setenforce 0
# 安装 EPEL 源(默认 yum 源没有 openvpn 和 easy-rsa 软件包)
rpm -ivh http://mirrors.ustc.edu.cn/Fedora/epel/5/i386/epel-release-5-4.noarch.rpm
# 安装 openvpn 和 easy-rsa 软件包
yum -y install openvpn easy-rsa
# 切换到 /usr/share/easy-rsa/2.0/ 目录
cd /usr/share/easy-rsa/2.0/
# 初始化环境变量
source vars
# 清除所有与证书相关的文件
./clean-all
# 生成 CA 相关文件(一路按回车即可)
./build-ca
# 生成服务端相关文件(一路按回车,直到提示需要输入 y / n 时,输入 y 再按回车,一共两次)
./build-key-server server
# 生成客户端相关文件(一路按回车,直到提示需要输入 y / n 时,输入 y 再按回车,一共两次)
./build-key client
# 生成 dh2048.pem 文件(生成过程时快时慢,在此期间不要去中断它)
./build-dh
# 生成 ta.key 文件(防 DDos 攻击)
openvpn –genkey –secret keys/ta.key
# 在 openvpn 的配置目录下新建一个 key 目录
mkdir /etc/openvpn/keys
# 将 openvpn 配置文件需要用到的文件复制一份到刚创建好的 keys 目录中
cp /usr/share/easy-rsa/2.0/keys/{ca.crt,server.{crt,key},dh2048.pem,ta.key} /etc/openvpn/keys/
# 创建 /etc/openvpn/server.conf 文件,内容如下
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
dh keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push “route 192.168.1.0 255.255.255.0” # 192.168.1.0/24 是我这台 VPN 服务器所在的内网的网段,读者应该根据自身实际情况进行修改
keepalive 10 120
tls-auth keys/ta.key 0 # This file is secret
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
# 开启路由转发功能
sed -i ‘/net.ipv4.ip_forward/s/0/1/’ /etc/sysctl.conf
echo 1 > /proc/sys/net/ipv4/ip_forward
# 配置防火墙
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -F
iptables -t nat -X
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
service iptables save
# 启动 openvpn 服务并将其设置为开机启动
service openvpn start
chkconfig openvpn on
客户端配置
# 创建一份客户端文件(命名为 client.ovpn),内容如下(读者要注意修改下面的服务端公网 IP)
client
dev tun
proto udp
remote 服务端公网 IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
tls-auth [inline] 1
<ca>
将 /usr/share/easy-rsa/2.0/keys/ca.crt 的全部内容复制粘贴于此
</ca>
<cert>
将 /usr/share/easy-rsa/2.0/keys/client.crt 的全部内容复制粘贴于此
</cert>
<key>
将 /usr/share/easy-rsa/2.0/keys/client.key 的全部内容复制粘贴于此
</key>
<tls-auth>
将 /usr/share/easy-rsa/2.0/keys/ta.key 的全部内容复制粘贴于此
</tls-auth>
从服务端下载 client.ovpn,并将其复制到 openvpn 的安装目录的 config 目录下,最后,启动 openvpn 程序,连接服务端,如果能获取到 IP,且能 ping 内网的其他机器就表示配置成功了。
最后给出我的 client.ovpn 的范例文本供读者参考。
client
dev tun
proto udp
remote 192.168.1.88 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
tls-auth [inline] 1
<ca>
—–BEGIN CERTIFICATE—–
MIIFEjCCA/qgAwIBAgIJALomSu6uks0gMA0GCSqGSIb3DQEBCwUAMIG2MQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMG
A1UEChMMRm9ydC1GdW5zdG9uMR0wGwYDVQQLExRNeU9yZ2FuaXphdGlvbmFsVW5p
dDEYMBYGA1UEAxMPRm9ydC1GdW5zdG9uIENBMRAwDgYDVQQpEwdFYXN5UlNBMSEw
HwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wHhcNMTQxMTA2MDg1NTA0
WhcNMjQxMTAzMDg1NTA0WjCBtjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRUw
EwYDVQQHEwxTYW5GcmFuY2lzY28xFTATBgNVBAoTDEZvcnQtRnVuc3RvbjEdMBsG
A1UECxMUTXlPcmdhbml6YXRpb25hbFVuaXQxGDAWBgNVBAMTD0ZvcnQtRnVuc3Rv
biBDQTEQMA4GA1UEKRMHRWFzeVJTQTEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0
Lm15ZG9tYWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArox/60tx
UeGdb/mRGvBK/MH0/egVx1Rv1kDiqXrECJqCM85rMv5h4A3CXFK4jwNDaZz3wybw
9XKpEyPtDfAbWaNaEoZXctEZQzh1Ju8Bhe3laGNmVW+noD+n20sG0E0SAdSmKH7o
BHWGM1xeDNQeKYwQAKuy88WVsH7fFf/wWLyD9p2tTJaxpG88bqNyXeWbEyHyr1g4
3wvmoZs+63hquXuhQSN/dyskYXmhficjY6H/fuTMVGk0to7KmrVeoEEb5ymf1U1W
wPFWErksN+YF8CAueE/vnm1bdJfBAS7Uv/KkDlV0IZ0dHRL5UrVq1k2QW//QsQiX
7YexZCwOjOUuJQIDAQABo4IBHzCCARswHQYDVR0OBBYEFEXeRmSTC9I8kUtgdbzA
Ug06WgYsMIHrBgNVHSMEgeMwgeCAFEXeRmSTC9I8kUtgdbzAUg06WgYsoYG8pIG5
MIG2MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5j
aXNjbzEVMBMGA1UEChMMRm9ydC1GdW5zdG9uMR0wGwYDVQQLExRNeU9yZ2FuaXph
dGlvbmFsVW5pdDEYMBYGA1UEAxMPRm9ydC1GdW5zdG9uIENBMRAwDgYDVQQpEwdF
YXN5UlNBMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW6CCQC6Jkru
rpLNIDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBJox1vNdG8NvwK
43w/2rKAU85efraEYSxcUydTn5kh2RAi4y0MkZWkieypSAZIYSVUWYwU7RYbLJ02
j7H5TMTt2/h8Xr4jxZjYUB+vmMfVF2hI4kIEDZkf5P/6lLxxJE200bKcgp31Jftn
4lK5di/YZF95c8QHPEuqe04DXrUK0MjdQEYtccg4+R4E+Cfcfvy4N8LEChvdvMtI
q2cnS3NE6/+L0g9wzkVvxXbWnlUzVKzNJ5sUp1yU0eqXIh6sS6HhSCJEe1yHhp+L
bR69o/WHObGiMkc3y+WpP9MLWeoePWEfXCEQ2nqE+AGqGLh5VPmDlEEwc+omS2Xo
JZc3cagw
—–END CERTIFICATE—–
</ca>
<cert>
—–BEGIN CERTIFICATE—–
MIIFTzCCBDegAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBtjELMAkGA1UEBhMCVVMx
CzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xFTATBgNVBAoTDEZv
cnQtRnVuc3RvbjEdMBsGA1UECxMUTXlPcmdhbml6YXRpb25hbFVuaXQxGDAWBgNV
BAMTD0ZvcnQtRnVuc3RvbiBDQTEQMA4GA1UEKRMHRWFzeVJTQTEhMB8GCSqGSIb3
DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE0MTEwNjA5MDEyOFoXDTI0MTEw
MzA5MDEyOFowga0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMM
U2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xHTAbBgNVBAsTFE15
T3JnYW5pemF0aW9uYWxVbml0MQ8wDQYDVQQDEwZjbGllbnQxEDAOBgNVBCkTB0Vh
c3lSU0ExITAfBgkqhkiG9w0BCQEWEm1lQG15aG9zdC5teWRvbWFpbjCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAL6VxW3cZuZ7Y4SY0NTQkA3ftIa/yN2D
DCstzZy5XVq+oGOIzU0vD1SkwrwBERhc5FY/yzYK5OZhAM7tdULQ2EsjB2gSu+ol
00NKxwRcppUFQ7xHleTuyaRg4Y4tNxhfJ9XGDyxM/8ivBrtxolgUKcsJxhWSYhPX
78OAKCIMdxMrmVmB7EkLPrr6C5s41u3NPpKA8VOjJ82JOtYM6qj+BxCqgWbHhEzi
GRyzSR00uTHLfgXp8k9nX7aijYQUKWG6VyN3dmuQlH7xtfEIAUAfn7kFkKjidUO3
WROXl79Q05UvF9VORqzwZKmjtD/MR5rgRg7KHlXBHCuuK67vxpZp0ykCAwEAAaOC
AW0wggFpMAkGA1UdEwQCMAAwLQYJYIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVy
YXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUtCoNrhqzLHMbOFJoiOiBq15khs4w
gesGA1UdIwSB4zCB4IAURd5GZJML0jyRS2B1vMBSDTpaBiyhgbykgbkwgbYxCzAJ
BgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMMU2FuRnJhbmNpc2NvMRUw
EwYDVQQKEwxGb3J0LUZ1bnN0b24xHTAbBgNVBAsTFE15T3JnYW5pemF0aW9uYWxV
bml0MRgwFgYDVQQDEw9Gb3J0LUZ1bnN0b24gQ0ExEDAOBgNVBCkTB0Vhc3lSU0Ex
ITAfBgkqhkiG9w0BCQEWEm1lQG15aG9zdC5teWRvbWFpboIJALomSu6uks0gMBMG
A1UdJQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOC
AQEAFCwWGJGDcOYsF2ByIQXSKUhzCdg+73YpxrdNiRuauTctq9sxOcM5K4upf76l
qI2LmXoKCLLVNhjUvNdxTE2g2iHAobPpaDFiLqxtu17GhQIQE57FMFa/0w1YO4LG
rLAd6NEp1Bpi/NRQ8c1KAMmvA/2Uz/0i840hJWooWOyR9v15tssaxhYx8MopURx4
SVIwef2cQrIE96emu0F037SqEwLc5ofTDjJpEQ+JmK3u0YQYIqJyp0fgBvPPJ7zP
Uvsizp5vxhn0F6ULtYpSsMgzQNljltjxmrBwnIUD85etqH/hf9WTxbZIxbyIdRvk
2j2G50sGzLYQ+f9MFnubIe4tKQ==
—–END CERTIFICATE—–
</cert>
<key>
—–BEGIN PRIVATE KEY—–
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC+lcVt3Gbme2OE
mNDU0JAN37SGv8jdgwwrLc2cuV1avqBjiM1NLw9UpMK8AREYXORWP8s2CuTmYQDO
7XVC0NhLIwdoErvqJdNDSscEXKaVBUO8R5Xk7smkYOGOLTcYXyfVxg8sTP/Irwa7
caJYFCnLCcYVkmIT1+/DgCgiDHcTK5lZgexJCz66+gubONbtzT6SgPFToyfNiTrW
DOqo/gcQqoFmx4RM4hkcs0kdNLkxy34F6fJPZ1+2oo2EFClhulcjd3ZrkJR+8bXx
CAFAH5+5BZCo4nVDt1kTl5e/UNOVLxfVTkas8GSpo7Q/zEea4EYOyh5VwRwrriuu
78aWadMpAgMBAAECggEAXPhu4RLdV53lhC+P3+EGBN6WEA3KjNR6wS2M2eFK+xN2
5lc732UPk3j0TgYvMrVN5g0ksm5KD2BOpqMLytZaTPz/hfNtm+Fr163IvAX+dT+m
NViudIlP8FIadeL0t3zjz9LYYAIH3PwUyqe6TEE5ygQwjyFjms6B9dq0uTdfdwe8
EETpINFRSSEtrxNe/Z8R3prkHBZ/cCfP08oDR8sThw+RqbqxUe0re2SKQxiIgBXU
5DuhCuoD6fdvLW/w/ArbligWOxAfuNNR5t0aSbRKDCacIaIrwrI5tZUxLiXHSTaj
CN++wXQsr/Hs4zHGz0Uyt1X8Cu1d3e3GwlHnVc0KAQKBgQDl1Gl10Jg3ULu1FcLS
nAs1RiTtWOcRP0Xl37ozIhjWY5iUB3SpzpD/pYbJgPnqZf6qwwp1CPdMao/oK4yW
9oQVs7IkdsOxiiq0qrtf/DbBImdxxx8LDpmceW6TEYreiVmjI8ddoNWKaFmqIz4G
1K1rXbCplqoMKFUUHl9PbU5hiQKBgQDUSV4mIBdHMwEGpwUgYr/Yqc0LNdt3HvsO
ZzrxKqFCiB1XE7rc05/2Tt0ll8FSNdlPIwfu3YPUzoU1SCMjb1Q9GrvR9H5DNv24
8wd74ThzOF0xiZUOZwj6X6ZxFvfdUe6hI5h/b0dG7pUw+JSkmnpD7BO+YE1MjjN3
nzqQTnecoQKBgQCyJFiyF0NE7PDxxbJC6OzPGFWbGyPPfInDSgzbgXxbAMvNQZIt
5I0Detvk6HHOO8yPs6oxWQfGVXrB7K+GfAGZiLV2ChBZVs0PSJ8AIVCXlwEzcbIg
MerjHESW/ivznea6ywrHCdk69PM7KyHyzXq2E+LRMJUR41k+xOP/fqwYcQKBgQDI
OU7wnLH3+JZOJPgD3L/f5f+8RBb0WqcmpZ0FXFTvAJzTxYsovv2P/kA9Nc4j8SA+
sObJl+rAq+0eHSTvRhDo9S8TTwxL7zEN4UM8x2dL3WygzYhmJi5koBTHc4djGuT8
3Sr3fwh2UY8rujnQqtcI+0B//irKOxE2EVvWQfw1IQKBgQCJgU0Ef+CDR6R2iImL
69xkwp2umQVDPFCJtlJ5Oqg7CRI4HHo2+ujfDq8hl4ihg0Zq6e+iIrBCBOOFlpLn
xrvhxAv79sB/w5Y3zSwTtqwnpUR65ZKi2X4exza0//yY77LAuGNcG5oKTUhTBDMz
FPnZX9Q0zJevs0+UfAeXvThc9g==
—–END PRIVATE KEY—–
</key>
<tls-auth>
—–BEGIN OpenVPN Static key V1—–
a692b93eeb708a615914f791ef42a2fb
4d14e99055aa297e564366ed272c25d7
116cd7a43d5f9d02c84d566406a3a657
84f1e69c23c3d954b1a19dc4d373b8a3
7c717d397c51e947183a628c4f4a7e98
173a65e0ce9806b2b04f1ce0e45ffacb
67bbca2db49cb3b78c573b85fb3d79c4
bbbf61d9147513957ac4668e541db859
c449eaf04b0d0585dc4c102ca010d91a
5ad275b7fb13e95f0a971a88a7550cb4
3485825fb6304b8537ac9cd6af5fda68
4a0d94d47f3a0478e722f20e0043de1c
c18684f5b68e6f19ad5b302cb9ddc1ca
b326c80c4b6bb235dda607a5fa79fbc8
5da586741a428e2ab390827c5145893a
d78f0bef7c86710ec7752d60cb94cada
—–END OpenVPN Static key V1—–
</tls-auth>
本文永久更新链接地址:http://www.linuxidc.com/Linux/2016-05/131226.htm
