Setting up OpenVPN on CentOS

OpenVPN is VPN software that carries traffic through an encrypted tunnel. Below is how to install and configure it on CentOS 6.5:

setenforce 0                                 # put SELinux into permissive mode for this session
yum install -y openssl openssl-devel lzo
rpm -ivh http://mirrors.sohu.com/fedora-epel/6/x86_64/epel-release-6-8.noarch.rpm
cd /etc/yum.repos.d/
cp epel.repo epel.repo.bak
sed -i 's/^mirrorlist=https/mirrorlist=http/' /etc/yum.repos.d/epel.repo
yum install openvpn easy-rsa
cd /usr/share/easy-rsa/2.0/
vim vars                                     # edit the province, city, organisation and related fields
source vars
./clean-all
./build-ca
./build-key-server server
./build-key client1
./build-dh                                   # generates the dh2048.pem Diffie-Hellman parameters
openvpn --genkey --secret keys/ta.key        # generates ta.key, the tls-auth HMAC key that mitigates DoS / UDP flood attacks
mkdir -p /etc/openvpn/keys
cd /etc/openvpn/keys/
cp /usr/share/easy-rsa/2.0/keys/{ca.crt,server.{crt,key},dh2048.pem,ta.key} ./

vim /etc/openvpn/server.conf                 # the init script loads /etc/openvpn/*.conf, so the file belongs here, not in keys/

port 1194
proto tcp
dev tun
# absolute paths, so the config does not depend on the daemon's working directory
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.10.20.0 255.255.255.0"
push "route 10.10.30.0 255.255.255.0"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 5
Enable kernel IP forwarding (the VPN server routes between the tun interface and the LAN):

sed -i '/net.ipv4.ip_forward/s/0/1/' /etc/sysctl.conf
sysctl -p                                    # apply the change now instead of waiting for a reboot

Edit the firewall configuration: vim /etc/sysconfig/iptables

# Generated by iptables-save v1.4.7 on Thu May 28 15:13:30 2015
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o em2 -j MASQUERADE
COMMIT
# Completed on Thu May 28 15:13:30 2015
# Generated by iptables-save v1.4.7 on Thu May 28 15:13:30 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1265:195030]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
-A INPUT -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
# With the two REJECT rules below commented out and the chain policies at ACCEPT,
# INPUT and FORWARD accept any traffic not matched above; re-enable them to keep
# the allow-list behaviour of the stock CentOS ruleset.
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Note: -o em2 in the NAT rule is the network interface on the VPN server's internal (LAN) side.

The client-side client.ovpn configuration is as follows:

client
dev tun
proto tcp
remote internet 1194                         # "internet" stands for the server's public hostname or IP address
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
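As an added example (not part of the original post), a bash function that sanity-checks a server.conf or client.ovpn like the two above before the daemon is started: every certificate and key directive must name an existing file, the tls-auth key-direction must be 0 on the server and 1 on the client, and the private key must not be readable by other users. The function name is mine, and it assumes relative paths resolve against the config's own directory (as the CentOS init script and the Windows GUI do).

```shell
#!/bin/bash
# check_ovpn_conf CONF ROLE   (ROLE is "server" or "client")
# Checks, before OpenVPN is started:
#  - each file directive (ca, cert, key, dh, tls-auth) names an existing file;
#    relative paths are resolved against the config's own directory;
#  - tls-auth key-direction is 0 on the server and 1 on the client; a mismatch
#    makes the HMAC check fail and every handshake packet is silently dropped;
#  - the private key is not group- or world-readable.
# Returns 0 when clean, 1 when any problem was found (problems go to stdout).
check_ovpn_conf() {
    local conf=$1 role=$2 dir rc path directive arg1 arg2 _rest want perms
    dir=$(dirname "$conf")
    rc=0
    while read -r directive arg1 arg2 _rest || [ -n "$directive" ]; do
        case $directive in
            ''|'#'*|';'*) continue ;;                # blank line or comment
            ca|cert|key|dh|tls-auth) ;;              # file-bearing directives
            *) continue ;;
        esac
        path=$arg1
        case $path in /*) ;; *) path="$dir/$path" ;; esac
        if [ ! -f "$path" ]; then
            echo "$directive: file not found: $path"; rc=1
            continue
        fi
        if [ "$directive" = tls-auth ]; then
            want=0; [ "$role" = client ] && want=1
            if [ "$arg2" != "$want" ]; then
                echo "tls-auth: key-direction is '${arg2:-unset}', $role needs $want"; rc=1
            fi
        fi
        if [ "$directive" = key ]; then
            perms=$(ls -ld "$path" | cut -c5-10)     # group+other permission bits
            if [ "$perms" != "------" ]; then
                echo "key: $path is group/world readable (mode bits $perms)"; rc=1
            fi
        fi
    done < "$conf"
    return $rc
}

# Example run against the server config from this page:
# check_ovpn_conf /etc/openvpn/server.conf server && echo "server.conf OK"
```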

Client download links:

OpenVPN 2.3.3 Windows 32-bit installer:
http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.3-I002-i686.exe
OpenVPN 2.3.3 Windows 64-bit installer:
http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.3-I002-x86_64.exe

Copy client.ovpn, ca.crt, client1.crt, client1.key and ta.key from the OpenVPN server into the config folder of the Windows client installation directory (C:\Program Files\OpenVPN\config).
