Thursday, June 20, 2013

VPN with CentOS 6 (source: website server-world.info)

Source: server-world.info


Install OpenVPN to Configure a Virtual Private Network.
This example shows how to configure OpenVPN in an environment like the following (bridge mode). ([172.16.2.1] is actually a private IP address; replace it with your global IP address.)

(1) VPN server
    [172.16.2.1]    - global IP address
    [10.0.0.50]     - eth0 (real IP address)
    [10.0.0.60]     - br0 (newly set up as a bridge)

(2) VPN client (Windows)
    [192.168.0.244] - real IP address
    [10.0.0.??]     - automatically assigned by the VPN server

By the way, it is necessary to configure NAT/port forwarding on your router. The protocol and listening port used by default on the VPN server is UDP/1194. In this example, requests from the Internet to UDP port 1194 need to be forwarded to 10.0.0.60:1194 in the LAN.
[1] Install and Configure OpenVPN
[root@vpn ~]# yum --enablerepo=epel -y install openvpn bridge-utils
# install from EPEL
[root@vpn ~]# cp /usr/share/doc/openvpn-*/sample-config-files/server.conf /etc/openvpn/
[root@vpn ~]# vi /etc/openvpn/server.conf
# line 53: change
dev tap0
# line 78: change like follows
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
# line 87: change
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
# line 96: comment out
#server 10.8.0.0 255.255.255.0
# line 103: comment out
#ifconfig-pool-persist ipp.txt
# line 115: uncomment and change ( [VPN server's IP] [subnet mask] [IP range for clients] )
server-bridge 10.0.0.60 255.255.255.0 10.0.0.200 10.0.0.254
# line 138: add ( [network the VPN server is in] [subnet mask] )
push "route 10.0.0.0 255.255.255.0"
# line 275: change
status /var/log/openvpn-status.log
# line 284: uncomment and change
log /var/log/openvpn.log
log-append /var/log/openvpn.log
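As an added check that is not part of the original server-world.info guide, this POSIX sh function verifies that the server-bridge line from step [1] is consistent: the client pool must sit inside the bridge subnet, must exclude the network and broadcast addresses, and must not contain the bridge address itself (a pool outside the subnet or overlapping the bridge IP gives clients addresses that never work, or clash with the server). The function names ip2int and check_server_bridge are my own.

```shell
#!/bin/sh
# Sanity-check the four server-bridge parameters before starting OpenVPN:
#   server-bridge <bridge IP> <netmask> <pool start> <pool end>

# Convert a dotted-quad IPv4 address to an integer (POSIX sh arithmetic only).
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Usage: check_server_bridge BRIDGE_IP NETMASK POOL_START POOL_END
# Returns 0 when the pool is usable, 1 otherwise (reason printed on stderr).
check_server_bridge() {
    gw=$(ip2int "$1"); mask=$(ip2int "$2")
    start=$(ip2int "$3"); end=$(ip2int "$4")
    net=$(( gw & mask ))
    bcast=$(( net | (4294967295 - mask) ))   # host bits all set

    if [ "$start" -gt "$end" ]; then
        echo "pool start is above pool end" >&2; return 1
    fi
    if [ $(( start & mask )) -ne "$net" ] || [ $(( end & mask )) -ne "$net" ]; then
        echo "pool is not inside the bridge subnet" >&2; return 1
    fi
    if [ "$start" -le "$net" ] || [ "$end" -ge "$bcast" ]; then
        echo "pool includes the network or broadcast address" >&2; return 1
    fi
    if [ "$gw" -ge "$start" ] && [ "$gw" -le "$end" ]; then
        echo "pool contains the bridge address itself" >&2; return 1
    fi
    return 0
}

# The values used in step [1] of this page:
check_server_bridge 10.0.0.60 255.255.255.0 10.0.0.200 10.0.0.254 && echo "server-bridge pool OK"
```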
[2] Create CA certificate and CA key.
[root@vpn ~]# cp -R /usr/share/openvpn/easy-rsa/2.0 /etc/openvpn/easy-rsa
[root@vpn ~]# cd /etc/openvpn/easy-rsa
[root@vpn easy-rsa]# mkdir keys
[root@vpn easy-rsa]# vi vars
# line 64: change to your environment
export KEY_COUNTRY="JP"
export KEY_PROVINCE="Hiroshima"
export KEY_CITY="Hiroshima"
export KEY_ORG="GTS"
export KEY_EMAIL="xxx@server.world"
[root@vpn easy-rsa]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
[root@vpn easy-rsa]# ./clean-all
[root@vpn easy-rsa]# ./build-ca
Generating a 1024 bit RSA private key
.................++++++
......++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:     # Enter
State or Province Name (full name) [Hiroshima]:     # Enter
Locality Name (eg, city) [Hiroshima]:     # Enter
Organization Name (eg, company) [GTS]:     # Enter
Organizational Unit Name (eg, section) []:     # Enter
Common Name (eg, your name or your server's hostname) [GTS CA]:vpn.server.world     # input FQDN
Name []:server-ca     # set
Email Address [xxx@server.world]:     # Enter
[3] ca.crt is created under "/etc/openvpn/easy-rsa/keys"; transfer it to your client PC via FTP, SFTP, or similar.
[4] Create certificate and key for the server.
[root@vpn easy-rsa]# ./build-key-server server
Generating a 1024 bit RSA private key
........++++++
.......++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:     # Enter
State or Province Name (full name) [Hiroshima]:     # Enter
Locality Name (eg, city) [Hiroshima]:     # Enter
Organization Name (eg, company) [GTS]:     # Enter
Organizational Unit Name (eg, section) []:     # Enter
Common Name (eg, your name or your server's hostname) [server]:vpn.server.world     # input FQDN
Name []:server     # set
Email Address [xxx@server.world]:     # Enter
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Hiroshima'
localityName          :PRINTABLE:'Hiroshima'
organizationName      :PRINTABLE:'GTS'
commonName            :PRINTABLE:'vpn.server.world'
name                  :PRINTABLE:'server'
emailAddress          :IA5STRING:'xxx@server.world'
Certificate is to be certified until Jul 12 09:30:07 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries
Data Base Updated
[5] Generate Diffie-Hellman (DH) parameters.
[root@vpn easy-rsa]# ./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
[6] Create certificate and key for the client.
[root@vpn easy-rsa]# ./build-key-pass client
Generating a 1024 bit RSA private key
..................++++++
..................++++++
writing new private key to 'client.key'
Enter PEM pass phrase:     # set pass-phrase
Verifying - Enter PEM pass phrase:     # confirm

-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:     # Enter
State or Province Name (full name) [Hiroshima]:     # Enter
Locality Name (eg, city) [Hiroshima]:     # Enter
Organization Name (eg, company) [GTS]:     # Enter
Organizational Unit Name (eg, section) []:     # Enter
Common Name (eg, your name or your server's hostname) [client]:vpn.server.world     # input FQDN
Name []:client     # set
Email Address [xxx@server.world]:     # Enter
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Hiroshima'
localityName          :PRINTABLE:'Hiroshima'
organizationName      :PRINTABLE:'GTS'
commonName            :PRINTABLE:'vpn.server.world'
name                  :PRINTABLE:'client'
emailAddress          :IA5STRING:'xxx@server.world'
Certificate is to be certified until Jul 12 09:31:14 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries
Data Base Updated
[7] client.crt and client.key are created under "/etc/openvpn/easy-rsa/keys"; transfer them to your client PC via FTP, SFTP, or similar.
[8] Start OpenVPN
[root@vpn ~]# cp /usr/share/doc/openvpn-*/sample-scripts/bridge-start /etc/openvpn/openvpn-startup
[root@vpn ~]# cp /usr/share/doc/openvpn-*/sample-scripts/bridge-stop /etc/openvpn/openvpn-shutdown
[root@vpn ~]# chmod 755 /etc/openvpn/openvpn-startup
[root@vpn ~]# chmod 755 /etc/openvpn/openvpn-shutdown
[root@vpn ~]# vi /etc/openvpn/openvpn-startup
# line 17-20: change
eth="eth0"                     # change if needed
eth_ip="10.0.0.60"             # IP address for the bridge
eth_netmask="255.255.255.0"    # subnet mask
eth_broadcast="10.0.0.255"     # broadcast address
[root@vpn ~]# /etc/rc.d/init.d/openvpn start

Starting openvpn: tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Fri Jul 15 18:33:02 2011 TUN/TAP device tap0 opened
Fri Jul 15 18:33:02 2011 Persist state set to: ON
Bridge firewalling registered
device eth1 entered promiscuous mode
device tap0 entered promiscuous mode
br0: port 2(tap0) entering learning state
br0: port 1(eth1) entering learning state
[ OK ]
[root@vpn ~]# chkconfig openvpn on
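Once the server is running, the status file set in step [1] (status /var/log/openvpn-status.log) is the quickest place to see who is actually connected. The following POSIX sh/awk example is added here and is not from the original guide: it lists connected clients by certificate common name and real address, and reports any common name that is not on an expected list, which is a cheap way to notice a client certificate you did not issue in step [6] being used. The sample status file (default status-version 1 layout), the function names list_clients and unexpected_clients, and the client name laptop2 are all constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of an OpenVPN status file (status-version 1 layout) as
# written to the path configured in server.conf. In tap/bridge mode the
# ROUTING TABLE holds client MAC addresses rather than IPs.
STATUS_SAMPLE='OpenVPN CLIENT LIST
Updated,Fri Jul 15 18:40:02 2011
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client,192.168.0.244:51234,12345,67890,Fri Jul 15 18:35:10 2011
laptop2,203.0.113.7:41000,500,800,Fri Jul 15 18:38:00 2011
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
00:ff:12:34:56:78,client,192.168.0.244:51234,Fri Jul 15 18:39:50 2011
GLOBAL STATS
Max bcast/mcast queue length,0
END'
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$STATUS_SAMPLE" > "$SAMPLE_FILE"

# list_clients FILE: print "common_name real_ip" for every row of the
# CLIENT LIST section only (the port is dropped; IPv4 real addresses assumed).
list_clients() {
    awk -F, '
        /^ROUTING TABLE/ { in_list = 0 }
        in_list && NF >= 5 { split($2, addr, ":"); print $1, addr[1] }
        /^Common Name,Real Address/ { in_list = 1 }
    ' "$1"
}

# unexpected_clients FILE CN...: print "common_name real_ip" for every
# connected client whose certificate CN is not in the given allow list.
# Empty output means all connected clients are known.
unexpected_clients() {
    file=$1; shift
    allowed=" $* "
    list_clients "$file" | while read -r cn ip; do
        case "$allowed" in
            *" $cn "*) ;;
            *) echo "$cn $ip" ;;
        esac
    done
}

echo "connected clients:"
list_clients "$SAMPLE_FILE"
echo "not on the allow list (only 'client' was issued in step [6]):"
unexpected_clients "$SAMPLE_FILE" client
```

On the live server, point both functions at /var/log/openvpn-status.log and pass the common names you issued with build-key-pass.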

2 comments:

  1. A good solution for VPN connections.
     Nice blog.
     top10-bestvpn.com

  2. Thank you for setting up a VPN client example.
     The configuration really works.
     Everything works well.
     10webhostingservice.com