Originally I had installed a PPTP VPN on my VPS in the US. That VPN can be used with the dial-up connection built into Windows, and configuring it is convenient too. When I first set it up it worked well: I could open YouTube and visit some blocked sites. But later my home provider, Gehua Cable, apparently changed some routing configuration, so I could no longer connect to the VPN from home. I couldn't connect from work either. Trying from my wife's family's ADSL line worked normally, and so did China Unicom 3G... Since this is a network problem, I probably can't solve it on my own.

Recently my workplace also started blocking things; Kaixin, VeryCD and the like are all blocked... and the PPTP VPN can't be used any more either... Looks like it's time to think of something else. I tried a proxy and it didn't help, so apparently the restriction isn't based on domain names.

So I started trying OpenVPN.

References:

http://www.throx.net/2008/04/13/openvpn-and-centos-5-installation-and-configuration-guide/

http://www.xiaohui.com/dev/server/20070514-install-openvpn.htm

Update, 14 October 2010

Added the iptables rule change needed on a stock CentOS install so that NAT out to the internet works properly.

Overall plan

Set up an OpenVPN server on a CentOS 5.3 Linux server located in the US, and use the NAT function of iptables to make the OpenVPN server act as the clients' gateway.

Clients install the OpenVPN GUI program to connect to the server.

Server

The server is a VPS located in the US.

OS: CentOS 5.3

OpenVPN is installed as the VPN server software.

OpenVPN server installation

The kernel must support the tun device, and the iptables modules must be loadable.
Check whether tun is available:

  modinfo tun

or, searching for the module file (2.6 kernels such as CentOS 5's name it tun.ko; tun.o was the 2.4 name):

  find /lib/modules -name 'tun.ko*' -print

Install the required packages

  yum install rpm-build
  yum install autoconf.noarch
  yum install zlib-devel
  yum install pam-devel
  yum install openssl-devel

Once the build environment is ready, download the software to install. Two packages are needed: openvpn 2.0.9 and lzo-1.08-4.

  wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
  wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm

Install lzo

  rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
  rpm -Uvh /usr/src/redhat/RPMS/i386/lzo-*.rpm

Install openvpn

  rpmbuild -tb openvpn-2.0.9.tar.gz
  rpm -Uvh /usr/src/redhat/RPMS/i386/openvpn-2.0.9-1.i386.rpm

After installation, copy the configuration files

  cp -r /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/
  cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/

Set up vars, the configuration file used by the CA generation scripts

  vi /etc/openvpn/easy-rsa/vars

After opening vars, find the following at the end of the file

  export KEY_COUNTRY=KG
  export KEY_PROVINCE=NA
  export KEY_CITY=BISHKEK
  export KEY_ORG="OpenVPN-TEST"
  export KEY_EMAIL="me@myhost.mydomain"

Change these to your own information. Their meanings are as follows

  export KEY_COUNTRY=KG                          # country
  export KEY_PROVINCE=NA                         # province / state
  export KEY_CITY=BISHKEK                        # city
  export KEY_ORG="OpenVPN-TEST"                  # organization
  export KEY_EMAIL="me@myhost.mydomain"          # e-mail address

Once that is set, run the following commands

  cd /etc/openvpn/easy-rsa/
  . ./vars
  ./clean-all

Note that in ". ./vars" there is a space between the two dots.

Create the CA certificate

  ./build-ca

After it is generated, ls keys shows the files ca.crt and ca.key.

Create the server key

  ./build-key-server xinlogs

Here xinlogs is the name I gave the key; change it to suit your situation.

Generate the Diffie-Hellman parameters

  ./build-dh

Once all the above files have been generated correctly, copy them to the right directory

  cd /etc/openvpn/easy-rsa/
  cp keys/ca.crt ../
  cp keys/dh1024.pem ../
  cp keys/xinlogs.key ../
  cp keys/xinlogs.crt ../

Generate the client key

  ./build-key client-1

Here client-1 is the file name of the client key. If you need keys for several clients, change the client-1 name and run the command once per client.
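As an added example (not a script from the post, nor from easy-rsa itself), the following POSIX shell script does with plain openssl commands what build-ca, build-key-server and build-key do in the steps above: it creates a CA, then signs one server certificate and one client certificate. It also shows why the server must be signed with build-key-server rather than build-key: the server certificate carries nsCertType=server (and extendedKeyUsage serverAuth), which is what the client's "ns-cert-type server" directive (or "remote-cert-tls server" in later OpenVPN versions) checks, so that a client certificate issued by the same CA cannot be presented as the server. The output directory, the names xinlogs and client-1, the subject fields and the 2048-bit key size are the example's own assumptions; build-dh (the Diffie-Hellman parameters) is not reproduced here.

```sh
#!/bin/sh
# Added example, not from the original post: the easy-rsa steps above
# (build-ca, build-key-server, build-key) expressed as plain openssl
# commands so the certificate markings can be inspected.
set -eu

# A minimal openssl config written next to the keys, so the script does not
# depend on the system openssl.cnf.  [server_ext] is what easy-rsa 2.0's
# build-key-server applies (nsCertType=server, serverAuth); [client_ext]
# is what build-key applies.
write_openssl_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
nsCertType       = server
extendedKeyUsage = serverAuth
keyUsage         = digitalSignature, keyEncipherment
[ client_ext ]
basicConstraints = CA:FALSE
nsCertType       = client
extendedKeyUsage = clientAuth
keyUsage         = digitalSignature
EOF
}

# make_pki DIR SERVER_NAME CLIENT_NAME
# Produces DIR/ca.crt, DIR/SERVER_NAME.{key,crt} and DIR/CLIENT_NAME.{key,crt}.
# The subject fields are constructed placeholders (the KEY_* values in vars).
make_pki() {
    dir=$1; srv=$2; cli=$3
    mkdir -p "$dir"
    write_openssl_cnf "$dir/openssl.cnf"

    # build-ca: self-signed CA certificate and key
    openssl req -x509 -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 3650 \
        -subj "/C=US/O=example-org/CN=example-ca" 2>/dev/null

    # build-key-server and build-key: one CSR per name, signed by the CA
    # with the server or the client extension section
    for pair in "$srv:server_ext" "$cli:client_ext"; do
        name=${pair%%:*}; ext=${pair##*:}
        openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" \
            -subj "/C=US/O=example-org/CN=$name" 2>/dev/null
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 365 -extfile "$dir/openssl.cnf" -extensions "$ext" \
            -out "$dir/$name.crt" 2>/dev/null
    done
}

# chain_ok CA_CRT CRT: succeeds if CRT was issued by CA_CRT, which is all
# that the "ca" directive alone verifies on either peer.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# is_server_cert CRT: succeeds only if CRT carries both server markings,
# i.e. it would pass "ns-cert-type server" and "remote-cert-tls server".
is_server_cert() {
    text=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$text" | grep -q 'SSL Server' &&
        printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'
}

# Stand-alone use: sh pki.sh /tmp/pki
if [ -n "${1:-}" ]; then
    make_pki "$1" xinlogs client-1
    chain_ok "$1/ca.crt" "$1/xinlogs.crt" && is_server_cert "$1/xinlogs.crt" \
        && echo "xinlogs.crt chains to ca.crt and is marked as a server certificate"
    is_server_cert "$1/client-1.crt" || echo "client-1.crt is not marked as a server certificate"
fi
```

Both certificates pass the plain chain check, so a client that only has the ca directive would accept either of them as its peer; only the one signed with the server section passes is_server_cert, which is the distinction the client-side directive relies on.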

Edit the /etc/openvpn/server.conf configuration

  local 204.74.212.217
  # Change the IP after local to the server's address

  dev tap
  ;dev tun
  # The default is dev tun; change it to dev tap. tap is the routable mode and tun is the Ethernet tunnel mode; I'm not too clear on the exact difference myself

  ca ca.crt
  cert xinlogs.crt
  key xinlogs.key
  # Change cert to the generated server certificate file xinlogs.crt
  # Change key to the generated server key file xinlogs.key

  dh dh1024.pem
  # Change dh to the generated dh1024.pem

  server 10.8.0.0 255.255.255.0
  # The server line can basically stay at the default 10.8.0.0 255.255.255.0

  ifconfig-pool-persist ipp.txt
  # The default ipp.txt is fine

  push "route 10.8.0.0 255.255.255.0"
  # Add a route on the client
  push "redirect-gateway"
  # Change the client's default route
  push "dhcp-option DNS 8.8.8.8"
  # Change the client's default DNS
  client-to-client
  # Allow clients connected to the VPN to reach each other
  duplicate-cn
  keepalive 10 120
  comp-lzo
  # Enable LZO compression
  user nobody
  group nobody
  persist-key
  persist-tun
  status /var/log/openvpn-status.log
  log /var/log/openvpn.log
  log-append /var/log/openvpn.log
  verb 3

Starting and stopping openvpn

  service openvpn start
  # start the openvpn service

  service openvpn stop
  # stop the openvpn service

Configure iptables

  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 214.174.212.217
  # 214.174.212.217 at the end of the command above is the server's public address; change it to your own
  service iptables save

Once net.ipv4.ip_forward = 1 has been confirmed, the server side is completely configured.

If you are running a stock CentOS install rather than a VPS image, its default iptables rules get in the way, and you also need to add the following line to /etc/sysconfig/iptables before NAT out to the internet works

  -A RH-Firewall-1-INPUT -i tap+ -j ACCEPT

Checking the forwarding setting:

  grep forward /etc/sysctl.conf
  # Controls IP packet forwarding
  net.ipv4.ip_forward = 1

If the value is not 1, edit /etc/sysctl.conf with vi.
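The forwarding check above, made repeatable, as an added example that is not part of the post. grep for "forward" also matches the comment line "# Controls IP packet forwarding", so the functions below evaluate only active "key = value" lines (the last active one wins, the same way sysctl applies the file in order), and ensure_ip_forward rewrites the file in place without creating a second entry when run again. The file path is passed as an argument so the functions can be exercised on a copy; the kernel's live value is in /proc/sys/net/ipv4/ip_forward and is changed immediately with sysctl -w (or with sysctl -p after editing the file).

```sh
#!/bin/sh
# Added example, not from the original post: read and set
# net.ipv4.ip_forward in a sysctl.conf-style file, ignoring comment lines.
set -eu

KEY=net.ipv4.ip_forward

# read_ip_forward FILE
# Prints the value of the last active "net.ipv4.ip_forward = N" line, or
# nothing if the key is absent or appears only inside comments.
read_ip_forward() {
    awk -F= -v key="$KEY" '
        /^[[:space:]]*[#;]/ { next }                      # comment line
        NF >= 2 {
            k = $1; gsub(/[[:space:]]/, "", k)
            if (k == key) { v = $2; gsub(/[[:space:]]/, "", v); last = v }
        }
        END { if (last != "") print last }
    ' "$1"
}

# ensure_ip_forward FILE
# Sets "net.ipv4.ip_forward = 1": the first active entry is rewritten,
# further active duplicates are dropped, comments are kept unchanged, and
# the line is appended when there was no active entry.  Idempotent.
ensure_ip_forward() {
    f=$1
    [ -f "$f" ] || : > "$f"
    tmp=$(mktemp)
    awk -v key="$KEY" '
        /^[[:space:]]*[#;]/ { print; next }
        {
            k = $0; sub(/=.*/, "", k); gsub(/[[:space:]]/, "", k)
            if (k == key) {
                if (!done) { print key " = 1"; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " = 1" }
    ' "$f" > "$tmp"
    cat "$tmp" > "$f"      # cat rather than mv: keeps the file's owner and mode
    rm -f "$tmp"
}

# apply_ip_forward
# Makes the running kernel pick the setting up now (needs root; not called
# by the self-test below).
apply_ip_forward() {
    sysctl -w net.ipv4.ip_forward=1
}

# Stand-alone use: sh ipforward.sh /etc/sysctl.conf
if [ -n "${1:-}" ]; then
    ensure_ip_forward "$1"
    echo "$1: net.ipv4.ip_forward = $(read_ip_forward "$1")"
fi
```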

Installing the OpenVPN GUI on Win7

Download the installer from http://openvpn.se

Latest stable release: 1.0.3 with OpenVPN 2.0.9 (2006-10-17)

We download http://openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe directly.

Note: after downloading, don't rush to double-click the installer. First right-click it, open Properties, set the compatibility mode to Windows XP SP3 and tick "run as administrator".

Then run the installer.

Client configuration

After installation, copy the three files ca.crt, client-1.crt and client-1.key from the server's /etc/openvpn/easy-rsa/keys/ directory into C:\Program Files\OpenVPN\config

Then copy client.ovpn from C:\Program Files\OpenVPN\sample-config into C:\Program Files\OpenVPN\config.

In Start -> All Programs, find OpenVPN, right-click OpenVPN GUI, open Properties, and likewise set the compatibility mode to Windows XP SP3 and run as administrator.

After that change, run the OpenVPN GUI program.

When it runs correctly, an OpenVPN icon appears in the bottom-right corner of the screen; right-click it and choose Edit Config to edit the client configuration file.

Below is my complete client configuration file

  ##############################################
  # Sample client-side OpenVPN 2.0 config file #
  # for connecting to multi-client server.     #
  #                                            #
  # This configuration can be used by multiple #
  # clients, however each client should have   #
  # its own cert and key files.                #
  #                                            #
  # On Windows, you might want to rename this  #
  # file so it has a .ovpn extension           #
  ##############################################

  # Specify that we are a client and that we
  # will be pulling certain config file directives
  # from the server.
  client

  # Use the same setting as you are using on
  # the server.
  # On most systems, the VPN will not function
  # unless you partially or fully disable
  # the firewall for the TUN/TAP interface.
  dev tap
  ;dev tun

  # Windows needs the TAP-Win32 adapter name
  # from the Network Connections panel
  # if you have more than one. On XP SP2,
  # you may need to disable the firewall
  # for the TAP adapter.
  ;dev-node MyTap

  # Are we connecting to a TCP or
  # UDP server? Use the same setting as
  # on the server.
  ;proto tcp
  proto udp

  # The hostname/IP and port of the server.
  # You can have multiple remote entries
  # to load balance between the servers.
  remote 214.174.212.217 1194
  ;remote my-server-2 1194

  # Choose a random host from the remote
  # list for load-balancing. Otherwise
  # try hosts in the order specified.
  ;remote-random

  # Keep trying indefinitely to resolve the
  # host name of the OpenVPN server. Very useful
  # on machines which are not permanently connected
  # to the internet such as laptops.
  resolv-retry infinite

  # Most clients don't need to bind to
  # a specific local port number.
  nobind

  # Downgrade privileges after initialization (non-Windows only)
  ;user nobody
  ;group nobody

  # Try to preserve some state across restarts.
  persist-key
  persist-tun

  # If you are connecting through an
  # HTTP proxy to reach the actual OpenVPN
  # server, put the proxy server/IP and
  # port number here. See the man page
  # if your proxy server requires
  # authentication.
  ;http-proxy-retry # retry on connection failures
  ;http-proxy [proxy server] [proxy port #]

  # Wireless networks often produce a lot
  # of duplicate packets. Set this flag
  # to silence duplicate packet warnings.
  ;mute-replay-warnings

  # SSL/TLS parms.
  # See the server config file for more
  # description. It's best to use
  # a separate .crt/.key file pair
  # for each client. A single ca
  # file can be used for all clients.
  ca ca.crt
  cert client-1.crt
  key client-1.key

  # Verify server certificate by checking
  # that the certificate has the nsCertType
  # field set to "server". This is an
  # important precaution to protect against
  # a potential attack discussed here:
  # http://openvpn.net/howto.html#mitm
  #
  # To use this feature, you will need to generate
  # your server certificates with the nsCertType
  # field set to "server". The build-key-server
  # script in the easy-rsa folder will do this.
  ;ns-cert-type server

  # If a tls-auth key is used on the server
  # then every client must also have the key.
  ;tls-auth ta.key 1

  # Select a cryptographic cipher.
  # If the cipher option is used on the server
  # then you must also specify it here.
  ;cipher x

  # Enable compression on the VPN link.
  # Don't enable this unless it is also
  # enabled in the server config file.
  comp-lzo

  # Set log file verbosity.
  verb 3

  # Silence repeating messages
  ;mute 20

  route-method exe
  route-delay 2

What actually needs changing is mostly the following

  client
  # Marks this as a client configuration file

  dev tap
  ;dev tun
  # Use the same setting as on the server

  remote 214.174.212.217 1194
  # Change this IP to the server's public IP address

  resolv-retry infinite
  nobind
  persist-key
  persist-tun


  ca ca.crt
  cert client-1.crt
  key client-1.key
  # The three lines above must match the keys you generated

  comp-lzo
  # Enable LZO compression

  # Set log file verbosity.
  verb 3


  route-method exe
  route-delay 2
  # Without these last two lines on Win7 the route changes cannot be applied, so the VPN connects but you cannot get online through the remote server as gateway
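Added example, not part of the post or of OpenVPN: a small linter for the two configuration files shown above, server.conf and the client .ovpn. OpenVPN treats lines beginning with # or ; as comments, so the ";ns-cert-type server" line in the sample client config is inactive, and that is exactly why the connection log further down prints "WARNING: No server certificate verification method has been enabled". The script strips comments and then reports the directives that matter for the tunnel's security: on the client, a missing "ns-cert-type server" / "remote-cert-tls server"; on the server, duplicate-cn, client-to-client, a 1024-bit dh file and a missing user/group privilege drop; on either side, a missing tls-auth and no explicit cipher (OpenVPN 2.0.9 then negotiates BF-CBC, as the log shows). The file names and the wording of the findings are the example's own. For reference on the dev comment in server.conf: tun carries IP packets (the routed mode) and tap carries Ethernet frames (the bridged mode); both work with the server directive.

```sh
#!/bin/sh
# Added example, not from the original post: lint an OpenVPN 2.x server or
# client configuration for settings that weaken the tunnel.
set -eu

# active_directives FILE
# Prints active lines with comments ('#' or ';' to end of line) and
# surrounding whitespace removed.  A '#' inside a quoted argument would be
# treated as a comment too; the configs on this page have none.
active_directives() {
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$' || true
}

# has_directive FILE NAME: succeeds if an active line starts with NAME
has_directive() {
    active_directives "$1" | awk -v d="$2" '$1 == d { found = 1 } END { exit !found }'
}

# directive_arg FILE NAME: prints the first argument of the first active NAME line
directive_arg() {
    active_directives "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# audit_ovpn FILE
# Prints one finding per line and returns the number of findings (0 means
# nothing flagged).  The client checks run when the file has the "client"
# directive, the server checks otherwise.
audit_ovpn() {
    f=$1; n=0
    report() { echo "$f: $1"; n=$((n + 1)); }

    if has_directive "$f" client; then
        # Without one of these the client accepts any certificate signed by
        # the CA as the server, including another client's certificate.
        has_directive "$f" ns-cert-type || has_directive "$f" remote-cert-tls ||
            report "no server certificate check (ns-cert-type server / remote-cert-tls server)"
    else
        has_directive "$f" duplicate-cn &&
            report "duplicate-cn: one certificate may be used by several clients at once, so a copied key is not refused"
        { has_directive "$f" user && has_directive "$f" group; } ||
            report "daemon keeps its start-up privileges (add user nobody / group nobody)"
        case "$(directive_arg "$f" dh)" in
            *1024*) report "dh1024.pem: 1024-bit DH parameters (raise KEY_SIZE in vars before build-dh)" ;;
        esac
        has_directive "$f" client-to-client &&
            report "client-to-client: tunnel peers can reach each other directly"
    fi
    has_directive "$f" tls-auth ||
        report "no tls-auth: control channel accepts unauthenticated packets before the TLS handshake"
    has_directive "$f" cipher ||
        report "no cipher: OpenVPN 2.0.9 falls back to BF-CBC"
    return $n
}

# Stand-alone use: sh ovpn-audit.sh /etc/openvpn/server.conf
if [ -n "${1:-}" ]; then
    rc=0; audit_ovpn "$1" || rc=$?
    echo "$rc finding(s)"
fi
```

Run against the post's server.conf the script reports five findings (duplicate-cn, client-to-client, dh1024.pem, tls-auth, cipher) and against the short client config three (the certificate check, tls-auth, cipher); adding "ns-cert-type server", a "tls-auth ta.key 1" line with a matching key on the server, and an explicit cipher on both sides brings the client to zero.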

Once all of this is configured, right-click the OpenVPN GUI icon in the bottom-right corner of the desktop and choose Connect.

My log after a successful connection is as follows

  Mon Mar 15 13:03:14 2010 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
  Mon Mar 15 13:03:14 2010 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
  Mon Mar 15 13:03:14 2010 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
  Mon Mar 15 13:03:14 2010 LZO compression initialized
  Mon Mar 15 13:03:14 2010 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
  Mon Mar 15 13:03:14 2010 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
  Mon Mar 15 13:03:14 2010 Local Options hash (VER=V4): 'd79ca330'
  Mon Mar 15 13:03:14 2010 Expected Remote Options hash (VER=V4): 'f7df56b8'
  Mon Mar 15 13:03:14 2010 UDPv4 link local: [undef]
  Mon Mar 15 13:03:14 2010 UDPv4 link remote: 204.74.212.217:1194
  Mon Mar 15 13:03:16 2010 TLS: Initial packet from 204.74.212.217:1194, sid=3d4cf00a 84deb309
  Mon Mar 15 13:03:18 2010 VERIFY OK: depth=1, /C=US/ST=Beijing/L=BEIJING/O=xinlogs.com/CN=babodx/emailAddress=babodx@gmail.com
  Mon Mar 15 13:03:18 2010 VERIFY OK: depth=0, /C=US/ST=Beijing/O=xinlogs.com/CN=babodx/emailAddress=babodx@gmail.com
  Mon Mar 15 13:03:20 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
  Mon Mar 15 13:03:20 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
  Mon Mar 15 13:03:20 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
  Mon Mar 15 13:03:20 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
  Mon Mar 15 13:03:20 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
  Mon Mar 15 13:03:20 2010 [babodx] Peer Connection Initiated with 214.174.212.217:1194
  Mon Mar 15 13:03:21 2010 SENT CONTROL [babodx]: 'PUSH_REQUEST' (status=1)
  Mon Mar 15 13:03:21 2010 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,redirect-gateway,dhcp-option DNS 8.8.8.8,route-gateway 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.3 255.255.255.0'
  Mon Mar 15 13:03:21 2010 OPTIONS IMPORT: timers and/or timeouts modified
  Mon Mar 15 13:03:21 2010 OPTIONS IMPORT: --ifconfig/up options modified
  Mon Mar 15 13:03:21 2010 OPTIONS IMPORT: route options modified
  Mon Mar 15 13:03:21 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
  Mon Mar 15 13:03:21 2010 TAP-WIN32 device [本地连接 3] opened: \\.\Global\{A958F4F2-14AF-49E6-9FBF-4FC25B8D8786}.tap
  Mon Mar 15 13:03:21 2010 TAP-Win32 Driver Version 8.4
  Mon Mar 15 13:03:21 2010 TAP-Win32 MTU=1500
  Mon Mar 15 13:03:21 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.3/255.255.255.0 on interface {A958F4F2-14AF-49E6-9FBF-4FC25B8D8786} [DHCP-serv: 10.8.0.0, lease-time: 31536000]
  Mon Mar 15 13:03:21 2010 Successful ARP Flush on interface [29] {A958F4F2-14AF-49E6-9FBF-4FC25B8D8786}
  Mon Mar 15 13:03:23 2010 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
  Mon Mar 15 13:03:23 2010 route ADD 214.174.212.217 MASK 255.255.255.255 192.168.2.1
  操作完成!
  Mon Mar 15 13:03:23 2010 route DELETE 0.0.0.0 MASK 0.0.0.0 192.168.2.1
  操作完成!
  Mon Mar 15 13:03:23 2010 route ADD 0.0.0.0 MASK 0.0.0.0 10.8.0.1
  操作完成!
  Mon Mar 15 13:03:23 2010 route ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.1
  操作完成!
  Mon Mar 15 13:03:23 2010 Initialization Sequence Completed