OpenVPN server and client: installation, configuration and usage
Configuring OpenVPN on Linux
Chapter 1: OpenVPN installation environment
1.1 Server-side environment
1. Red Hat, kernel version 2.4.20-31.9, IP address 70.8.7.6
2. The kernel must support the tun device, and the iptables module must be loadable.
Command to check whether tun is installed:
modinfo tun
3. If there is no modinfo command, search directly to see whether the kernel has a tun.o file:
Command: find -name tun.o
4. Check the iptables module: see whether the following file exists:
/etc/init.d/iptables
1.2 Client-side environment
1. Operating system: WinXP
2. Client software: OpenVPN GUI for Windows 1.0.3, available from openvpn.se
Note: the OpenVPN GUI for Windows version must match the OpenVPN server version.
For example, if the server runs OpenVPN 2.0.5, the OpenVPN GUI for Windows download should be: openvpn-2.0.5-gui-1.0.3-install.exe
Chapter 2: Installing OpenVPN on the server
2.1 Downloading the software
1. Download LZO (/opensource/lzo/download/) and extract it to lzo-2.04
wget /opensource/lzo/download/lzo-2.04.tar.gz
tar zxvf lzo-2.04.tar.gz
2. Download OpenVPN (/) and extract it to openvpn-2.2-beta3
Source download page: /index.php/open-source/downloads.html
wget /community/releases/openvpn-2.2-beta3.tar.gz
tar zxvf openvpn-2.2-beta3.tar.gz
2.2 Installing auxiliary software
1. Install LZO
cd lzo-2.04
./configure
make
make check
make install
2. Install OpenSSL
yum -y install openssl*
2.3 Installing OpenVPN
cd openvpn-2.2-beta3
./configure
# Or point configure at explicit directories (this is one command; the backslashes continue it over two lines):
./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib \
    --with-ssl-headers=/usr/local/include/openssl --with-ssl-lib=/usr/local/lib
make
make install
2.4 Generating the OpenVPN certificates and keys
2.4.1 Initializing the PKI for certificate generation
2.4.1.1 Preparing the certificate generation tools
mkdir /etc/openvpn/
mkdir /etc/openvpn/tools
cp easy-rsa/2.0/* /etc/openvpn/tools/
cd /etc/openvpn/tools/
2.4.1.2 Initializing the PKI
Initialize the PKI (if there is no export command, setenv [name] [value] can be used instead):
. vars
Alternatively, skip the vars file and run the following commands directly:
cd /openvpn-2.0.5/easy-rsa/2.0
export D=`pwd`
export KEY_CONFIG=$D/f
export KEY_DIR=$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=BJ
export KEY_CITY=BJ
export KEY_ORG="TSINGHUA"
export KEY_EMAIL="liu-w@"
export OPENSSL=/usr/bin/openssl
Or:
(1) edit f
(2) source ./vars
(3) ./clean-all
2.4.2 Clearing all certificate files
# Clear all certificate files (the keys directory)
(2) source ./vars
(3) ./clean-all
2.4.3 Creating the certificate authority (CA)
./build-ca
Generating a 1024 bit RSA private key .....................++++++ ...............................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [TSINGHUA]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [TSINGHUA CA]:
Name []:
Email Address [liu-w@]:
2.4.4 Building the server key
./build-key-server server
Generating a 1024 bit RSA private key ............................++++++ ..........................................................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [TSINGHUA]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Name []:
Email Address [liu-w@]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/openvpn/openvpn-2.2-beta3/easy-rsa/2.0/f
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BJ'
organizationName :PRINTABLE:'TSINGHUA'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'liu-w@'
Certificate is to be certified until Nov 17 20:01:55 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
2.4.5 Generating the client keys
2.4.5.1 Setting the environment variables
cd /root/.backup/easy-rsa/2.0
export D=`pwd`
export KEY_CONFIG=$D/f
export KEY_DIR=$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=BJ
export KEY_CITY=BJ
export KEY_ORG="TSINGHUA"
export KEY_EMAIL="liu-w@"
export OPENSSL=/usr/bin/openssl
Or:
(1) edit f
(2) source ./vars
2.4.5.2 Generating the client key
./build-key client1
Generating a 1024 bit RSA private key ................................++++++ ...................................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [TSINGHUA]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:
Name []:
Email Address [liu-w@]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/openvpn/openvpn-2.2-beta3/easy-rsa/2.0/f
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BJ'
organizationName :PRINTABLE:'TSINGHUA'
commonName :PRINTABLE:'client1'
emailAddress :IA5STRING:'liu-w@'
Certificate is to be certified until Nov 17 20:03:37 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
2.4.6 Generating a password-protected client key
./build-key --pass test
Generating a 1024 bit RSA private key
............++++++ ...................................++++++
writing new private key to 'test.key'
Enter PEM pass phrase: XXXXXX
Verifying - Enter PEM pass phrase: XXXXXX
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [TSINGHUA]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [test]:
Name []:
Email Address [liu-w@]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/.backup/easy-rsa/2.0/f
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BJ'
organizationName :PRINTABLE:'TSINGHUA'
commonName :PRINTABLE:'test'
emailAddress :IA5STRING:'liu-w@'
Certificate is to be certified until Nov 18 03:06:44 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
2.4.7 Generating keys for the other clients
./build-key client2
./build-key client3
Note: at the prompt Common Name (eg, your name or your server's hostname) []:, every certificate must be given a different name.
2.4.8 Generating the Diffie-Hellman parameters
export D=`pwd`
export KEY_CONFIG=$D/f
export KEY_DIR=$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=BJ
export KEY_CITY=BJ
export KEY_ORG="TSINGHUA"
export KEY_EMAIL="liu-w@"
export OPENSSL=/usr/bin/openssl
./build-dh
Please source the vars script first (i.e. "source ./vars")
Make sure you have edited it to reflect your configuration.
2.5 Creating the OpenVPN client certificate directory
mkdir client1
mv -f client1* client1
cp ca.key client1
cp ca.crt client1
Note: the client only needs ca.crt to verify the server; ca.key is the CA's private signing key and should stay on the machine that issues certificates.
touch client01.ovpn
vim client01.ovpn
client
dev tap
proto tcp
remote A.B.C.D 1194
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
Chapter 3: Downloading the client certificates
Pack all the files under keys and download them locally:
tar -cf mykeys.tar /openvpn-2.0.5/easy-rsa/keys
cp mykeys.tar /home/dvdmastersys/public_html/mykeys.tar
Move mykeys.tar into the web public directory (the absolute path varies from host to host), download it locally via /mykeys.tar and save it, then delete it from the server:
rm /home/dvdmastersys/public_html/mykeys.tar
Chapter 4: Configuring OpenVPN on the server
4.1 Create the directory /etc/openvpn
mkdir /etc/openvpn
4.2 Copy the server certificates and the configuration file to /etc/openvpn
cd /root/openvpn/openvpn-2.2-beta3/sample-keys
cp dh1024.pem /etc/openvpn/
cd /root/openvpn/openvpn-2.2-beta3/sample-scripts
cp openvpn.init /etc/init.d/openvpn
cd /root/openvpn/openvpn-2.2-beta3/easy-rsa/2.0/keys
cp * /etc/openvpn/
# Enter the sample-config-files subdirectory of the extracted source tree
cd /root/openvpn/openvpn-2.2-beta3/sample-config-files/
cp server.conf /etc/openvpn/server.conf
4.3 Editing the OpenVPN server configuration file
vim /etc/openvpn/server.conf
#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# This config should work on Windows            #
# or Linux/BSD systems.  Remember on            #
# Windows to quote pathnames and use            #
# double backslashes, e.g.:                     #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
local A.B.C.D
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194
# TCP or UDP server?
proto tcp
;proto udp
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap
;dev tun
;tun-ipv6
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key  # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh /etc/openvpn/dh1024.pem
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt
# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
push "route 202.112.50.0 255.255.255.0"
# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).
# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel. Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
push "redirect-gateway"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# /faq.html#dhcpcaveats
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option WINS 10.8.0.1"
push "dhcp-option DNS *.*.*.*"
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nobody
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /etc/openvpn/openvpn-status.log
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log openvpn.log
log-append /var/log/openvpn/openvpn.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
4.4 Starting the OpenVPN service
cd /etc/init.d/
chkconfig openvpn on
service openvpn start
4.5 Creating the client configuration files
4.5.1 Linux client configuration file
# Enter the sample-config-files subdirectory of the extracted source tree
cd $dir/sample-config-files/
cp client.conf /etc/openvpn/client.conf
vim /etc/openvpn/client.conf
client
;dev tun
;tun-ipv6
;proto udp
dev tap
proto tcp
remote A.B.C.D 1194
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
4.5.2 Windows client configuration file
vim client01.ovpn
client
dev tap
proto tcp
remote A.B.C.D 1194
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
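As an added example (not part of the original guide), a small Python checker that reads a server.conf and a client .ovpn like the ones above and reports the mismatches the sample config's comments warn about; the two embedded configs are constructed, shortened copies of the guide's own files.

```python
"""Consistency check between an OpenVPN server config and a client config.

Added example, not part of the original guide: it enforces the pairing
rules the sample server.conf comments state (proto/dev/cipher/comp-lzo
copied to the client, tls-auth direction 0/1, duplicate-cn and root only
for testing) plus the client's "ns-cert-type server" check used above.
"""
import shlex

# Constructed samples, cut down from the guide's server.conf and client01.ovpn.
SERVER_CONF = """
port 1194
proto tcp
;proto udp
dev tap
key /etc/openvpn/server.key  # This file should be kept secret
push "redirect-gateway"
;duplicate-cn
comp-lzo
;user nobody
;group nobody
"""

CLIENT_OVPN = """
client
dev tap
proto tcp
remote A.B.C.D 1194
ns-cert-type server
comp-lzo
"""


def parse_openvpn(text):
    """Map each active directive to a list of its argument lists.

    '#' starts a comment anywhere on a line; a leading ';' is how the
    sample config leaves a directive disabled.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            words = shlex.split(line)
            conf.setdefault(words[0], []).append(words[1:])
    return conf


def first(conf, name):
    """Argument list of the first occurrence of a directive, or None."""
    return conf[name][0] if name in conf else None


def check_pair(server_text, client_text):
    """Return a list of findings; an empty list means the pair is consistent."""
    s, c = parse_openvpn(server_text), parse_openvpn(client_text)
    findings = []
    # Directives that must be identical on both ends of the link.
    for name in ("proto", "dev", "cipher"):
        if first(s, name) != first(c, name):
            findings.append(f"{name} differs: server={first(s, name)} client={first(c, name)}")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        findings.append("comp-lzo enabled on one side only")
    # Each client "remote host [port]" must target the server's listening port.
    port = (first(s, "port") or ["1194"])[0]
    for remote in c.get("remote", []):
        rport = remote[1] if len(remote) > 1 else "1194"
        if rport != port:
            findings.append(f"client remote port {rport} != server port {port}")
    # tls-auth: present on both sides, key direction 0 (server) / 1 (client).
    st, ct = first(s, "tls-auth"), first(c, "tls-auth")
    if (st is None) != (ct is None):
        findings.append("tls-auth configured on one side only")
    elif st is not None and (st[1:2], ct[1:2]) != (["0"], ["1"]):
        findings.append("tls-auth direction must be 0 on the server and 1 on the client")
    # The client should refuse a peer that presents a non-server certificate.
    if first(c, "ns-cert-type") != ["server"]:
        findings.append("client lacks 'ns-cert-type server'")
    # Settings the sample config leaves commented out for a reason.
    if "duplicate-cn" in s:
        findings.append("duplicate-cn set: give each client its own certificate")
    if "user" not in s or "group" not in s:
        findings.append("daemon keeps root after init: uncomment 'user nobody'/'group nobody'")
    return findings
```

Run it on the real /etc/openvpn/server.conf and the .ovpn you hand to a client before distributing the client bundle; on the samples above the only finding is the commented-out user/group privilege drop.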
Chapter 5: Configuring iptables on the server
Configuring iptables on the server for packet forwarding
5.1 Enabling routing
After the VPN connection is established, routing still has to be set up before the Internet can be reached through the VPN. On the Linux host, add the rule:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source A.B.C.D   # A.B.C.D is this host's own IP address
The following is the rule file written into iptables:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j SNAT --to-source A.B.C.D
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -d 127.0.0.1 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
#
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
5.2 Saving the rules
/etc/init.d/iptables save
5.3 Restarting iptables
/etc/init.d/iptables restart
1. Notes
5.4 Enabling IP forwarding
IP forwarding must be enabled. Do not use echo 1 > /proc/sys/net/ipv4/ip_forward: that setting is lost after a reboot. First check the current values:
sysctl -a | grep for
# Output:
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.ip_forward = 1
If the values listed on your host are not 1, change them to 1:
sysctl -w net.ipv4.ip_forward=1
Edit /etc/sysctl.conf:
vim /etc/sysctl.conf
Set net.ipv4.ip_forward to 1:
net.ipv4.ip_forward = 1
Run the following command to apply the change:
sysctl -p /etc/sysctl.conf
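As an added example (not part of the original guide), a Python check that reads iptables-save output and sysctl output like the listings in this chapter and confirms that every piece clients need to reach the Internet through the server is in place; the embedded rule set and sysctl line are constructed from the ones above, and the address 70.8.7.6 used in the test is the server IP given in chapter 1.

```python
"""Check the NAT/forwarding setup that lets VPN clients reach the Internet.

Added example, not part of the original guide. It verifies what this
chapter relies on: ip_forward=1, a POSTROUTING SNAT/MASQUERADE rule for
the VPN subnet, an INPUT accept for the OpenVPN port and a FORWARD accept
for the tunnel interface. It also flags an unreplaced A.B.C.D placeholder
and an unconditional "-i eth0 -j ACCEPT" that shadows the rules after it.
"""
import ipaddress
import shlex

# Constructed sample in iptables-save format, cut down from the chapter's rule file.
IPTABLES_SAVE = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j SNAT --to-source A.B.C.D
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed "sysctl -a" excerpt.
SYSCTL_OUT = "net.ipv4.ip_forward = 1\n"


def parse_iptables_save(text):
    """Return {table: [rule, ...]} where each rule maps option -> argument.

    Assumes every option takes exactly one argument, which holds for all
    the rules in the guide (-A, -s, -o, -i, -p, -m, --dport, --state, -j).
    """
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
            tables[table] = []
        elif line.startswith("-A "):
            toks = shlex.split(line)
            tables[table].append(dict(zip(toks[0::2], toks[1::2])))
    return tables


def check_forwarding(vpn_net, proto, port, dev, iptables_text, sysctl_text, wan="eth0"):
    """Return a list of findings; an empty list means the chapter's setup is complete."""
    net = ipaddress.ip_network(vpn_net.replace(" ", "/"))  # "10.8.0.0 255.255.255.0"
    tables = parse_iptables_save(iptables_text)
    nat, flt = tables.get("nat", []), tables.get("filter", [])
    findings = []
    sysctl = dict(ln.split(" = ", 1) for ln in sysctl_text.splitlines() if " = " in ln)
    if sysctl.get("net.ipv4.ip_forward") != "1":
        findings.append("net.ipv4.ip_forward is not 1 (set it in /etc/sysctl.conf)")
    # Source NAT for the VPN pool on its way out of the WAN interface.
    snat = [r for r in nat if r.get("-A") == "POSTROUTING" and r.get("-o") == wan
            and r.get("-j") in ("SNAT", "MASQUERADE")
            and ipaddress.ip_network(r.get("-s", "0.0.0.0/0")) == net]
    if not snat:
        findings.append(f"no POSTROUTING SNAT/MASQUERADE for {net} out of {wan}")
    for r in snat:
        if r["-j"] == "SNAT":
            try:
                ipaddress.ip_address(r.get("--to-source", ""))
            except ValueError:
                findings.append(f"SNAT --to-source {r.get('--to-source')!r} is not an IP address")
    # The listener and the tunnel interface must be let through.
    if not any(r.get("-A") == "INPUT" and r.get("-p") == proto and r.get("--dport") == port
               and r.get("-j") == "ACCEPT" for r in flt):
        findings.append(f"no INPUT accept for {proto}/{port}")
    if not any(r.get("-A") == "FORWARD" and r.get("-i") == dev + "+"
               and r.get("-j") == "ACCEPT" for r in flt):
        findings.append(f"no FORWARD accept for {dev}+")
    # iptables is first-match: an unconditional WAN accept means the rules after it never run.
    for r in flt:
        if r.get("-A") == "INPUT" and r.get("-i") == wan and r.get("-j") == "ACCEPT" and len(r) == 3:
            findings.append(f"INPUT accepts everything on {wan}; later rules never see that traffic")
    return findings
```

On a live host feed it the output of iptables-save and sysctl -a together with the server, port, proto and dev values from server.conf; on the sample above it reports the A.B.C.D placeholder and the blanket eth0 accept that makes the RH-Firewall-1-INPUT chain unreachable for eth0 traffic.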
5.5 Enabling a name server
1. Starting the name server
If you need to reach sites whose domain names are blocked by the GFW while your OpenVPN server itself is not blocked, start a name server on your host and push its DNS address to the clients.
A typical dedicated host already comes with a private DNS server:
rpm -qa | grep bind
/etc/init.d/named start
2. Notes
Make sure server.conf contains these three settings:
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 70.88.98.10"  # name server address
push "dhcp-option DNS 70.88.99.11"  # name server address
Chapter 6: Installing and configuring the OpenVPN client
6.1 Installing OpenVPN
6.1.1 Downloading the OpenVPN client
/community/releases/openvpn-2.2-beta3-install.exe
6.1.2 Installing the OpenVPN client
Double-click openvpn-2.2-beta3-install.exe and install with the default settings.
6.2 Configuring the OpenVPN client
1. Copy the configuration files (the whole client17 directory) into C:\Program Files\OpenVPN\config
After the installation finishes, open the config directory under the installation folder, download the client.conf file created above from the server into this folder, and rename it client.ovpn.
At the same time, extract the following certificate files from mykeys.tar into this folder:
ca.crt
ca.key
client1.crt
client1.csr
client1.key
Of these, the client configuration only reads ca.crt, client1.crt and client1.key; ca.key (the CA's private key) and client1.csr (the signing request) are not needed on the client.
Chapter 7: Running the OpenVPN client
7.1 Windows
Double-click client.ovpn to start OpenVPN, or start the VPN from the OpenVPN GUI.
If double-clicking client.ovpn does nothing, right-click the OpenVPN GUI tray icon, choose Edit Config, paste the contents in and save, then right-click again and choose Connect.
1. Right-click the "OpenVPN GUI" icon in the taskbar
2. Choose Client17 > Connect
Once the client is connected, running ipconfig /all in cmd should give output similar to this:
Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Win32 Adapter V8
Physical Address. . . . . . . . . : 00-FF-AA-B0-60-2B
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.8.0.6
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . : 10.8.0.5
DHCP Server . . . . . . . . . . . : 10.8.0.5
DNS Servers . . . . . . . . . . . : 10.8.0.1
70.88.98.10
70.88.99.11
Lease Obtained. . . . . . . . . . : 2006年5月25日5:13:52
Lease Expires . . . . . . . . . . : 2007年5月25日5:13:52
7.2 Linux
openvpn --config client7.conf
Chapter 8: OpenVPN certificate management
8.1 Revoking a certificate
8.1.1 Working around a bug
OpenVPN has a bug: if you revoke a certificate directly, an error appears:
Using configuration from f
error on line 282 of config file 'f'
So edit the f file and comment out [pkcs11_section] and everything under it; that resolves it.
cd /root/openvpn/openvpn-2.2-beta3/easy-rsa/2.0
vim f
#[ pkcs11_section ]
#engine_id = pkcs11
#dynamic_path = /usr/lib/engines/engine_pkcs11.so
#MODULE_PATH = $ENV::PKCS11_MODULE_PATH
#PIN = $ENV::PKCS11_PIN
#init = 0
8.1.2 Preparation
cd /root/.backup/easy-rsa/2.0/
export D=`pwd`
export KEY_CONFIG=$D/f
export KEY_DIR=$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=BJ
export KEY_CITY=BJ
export KEY_ORG="TSINGHUA"
export KEY_EMAIL="liu-w@"
export OPENSSL="/usr/bin/openssl"
8.1.3 Revoking the certificate
./revoke-full test
Using configuration from /root/.backup/easy-rsa/2.0/f
Revoking Certificate 25.
Data Base Updated
Using configuration from /root/.backup/easy-rsa/2.0/f
test.crt: /C=CN/ST=BJ/L=BJ/O=TSINGHUA/CN=test/emailAddress=liu-w@ error 23 at 0 depth lookup:certificate revoked
Note the "error 23" in the last line. That is what you want to see, as it indicates that a certificate verification of the revoked certificate failed.
8.1.4 Configuring the OpenVPN service so the revocation takes effect
The revoke-full script will generate a CRL (certificate revocation list) file called crl.pem in the keys subdirectory. The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:
crl-verify crl.pem
Now all connecting clients will have their client certificates verified against the CRL, and any positive match will result in the connection being dropped.