架构：

环境：RHEL4.5

软件包：

lzo-1.08.tar.gz，openssl-0.9.8e.tar.gz，openvpn-2.0.9.tar.gz

openvpn-2.0.9-gui-1.0.3-install.exe 【windowns客户端】

1> 打开forward功能

vi /etc/sysctl.conf:

net.ipv4.ip_forward = 1

2>安装

tar zxvf openssl-0.9.8e.tar.gz

cd openssl/0.9.8e

./config –prefix=/usr/local/openssl

make

make install

cd

tar zxvf lzo-1.08.tar.gz

cd lzo

./configure –prefix=/usr/local/lzo

make

make install

cd ..

tar zxvf openvpn-2.0.9.tar.gz

cd openvpn-2.0.9

./configure --with-lzo-headers=/usr/local/lzo/inlcude --with-lzo-lib=/usr/local/lzo/lib

make

make install

3>生成证书：

cd /root/openvpn-2.0.9/easy-rsa

export D=`pwd`

export KEY_CONFIG=$D/openssl.cnf

export KEY_DIR=$D/keys

export KEY_SIZE=1024

export KEY_COUNTRY=CN

export KEY_PROVINCE=BJ

export KEY_CITY=BJ

export KEY_ORG="buaa"

export KEY_EMAIL=liang3391@126.com

b) ./clean-all

c) ./build-ca

./clean-all

./build-ca

--------------------------------------------------------------------

[root@smart007 easy-rsa]# ./clean-all

[root@smart007 easy-rsa]# ./build-ca

Generating a 1024 bit RSA private key

.....++++++

..........................................++++++

writing new private key to 'ca.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [SH]:

Locality Name (eg, city) [SH]:

Organization Name (eg, company) [BaCai]:

Organizational Unit Name (eg, section) []:SH

Common Name (eg, your name or your server's hostname) []:SH

Email Address [yimu1023@163.com]:

[root@smart007 easy-rsa]# cd keys/

[root@smart007 keys]# ls

ca.crt  ca.key  index.txt  serial

[root@smart007 keys]# cd ..

[root@smart007 easy-rsa]# ls

2.0          build-key-pass    clean-all    ppp          vars

build-ca     build-key-pkcs12  keys         README       Windows

build-dh     build-key-server  list-crl     revoke-crt

build-inter  build-req         make-crl     revoke-full

build-key    build-req-pass    openssl.cnf  sign-req

[root@smart007 easy-rsa]# ./build-key-server SH

Generating a 1024 bit RSA private key

...........................++++++

....++++++

writing new private key to 'SH.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [SH]:

Locality Name (eg, city) [SH]:

Organization Name (eg, company) [BaCai]:

Organizational Unit Name (eg, section) []:SH

Common Name (eg, your name or your server's hostname) []:SH

Email Address [yimu1023@163.com]:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:smartvpp123456

An optional company name []:BaCai

Using configuration from /usr/local/openvpn-2.0.9/easy-rsa/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'CN'

stateOrProvinceName   :PRINTABLE:'SH'

localityName          :PRINTABLE:'SH'

organizationName      :PRINTABLE:'BaCai'

organizationalUnitName:PRINTABLE:'SH'

commonName            :PRINTABLE:'SH'

emailAddress          :IA5STRING:'yimu1023@163.com'

Certificate is to be certified until May  2 03:00:21 2019 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@smart007 easy-rsa]#

--------------------------------------------------------------

4>生成客户端证书

在openvpn中，这种配置方法是每一个登陆的VPN客户端需要有一个证书，每个证书在同一时刻只能供一个客户端连接（如果有两个机器安装相同证书，同时拨服务器，都能拨上，但是只有第一个拨上的才能连通网络）。所以需要建立许多份证书。下面建立三份，名称分别为client1 – client3。

./build-key client1

Generating a 1024 bit RSA private key

.....++++++

......++++++

writing new private key to 'client1.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BJ]:

Locality Name (eg, city) [BJ]:

Organization Name (eg, company) [buaa]:

Organizational Unit Name (eg, section) []:gait

Common Name (eg, your name or your server's hostname) []:client1 #重要: 每个不同的 client 生成的证书, 名字必须不同.

Email Address [support@cooldvd.com]:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:abcd1234

An optional company name []:gait

Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName RINTABLE:'CN'

stateOrProvinceName RINTABLE:'GD'

localityName RINTABLE:'SZ'

organizationName RINTABLE:'dvdmaster'

organizationalUnitNameRINTABLE:'dvdmaster'

commonName RINTABLE:'client1'

emailAddress :IA5STRING:'support@cooldvd.com'

Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

#依次类推生成其他客户端证书/key:

./build-key client2

./build-key client3

注意在进入 Common Name (eg, your name or your server's hostname) []: 的输入时, 每个证书输入的名字必须不同.

g) 执行./build-dh

h) 生成的所有证书在/root/openvpn-2.0.9/easy-rsa/keys下。

i. 其中服务器需要的是ca.crt、server.crt、server.key、dh1024.pem，每个客户端需要的是ca.crt、client1-3.crt、client1-3.key。

7、 配置文件

a) cp /root/openvpn-2.0.9/sample-config-files/server.conf /usr/local/etc/server.conf

b) vi /usr/local/etc/server.conf

i. proto udp改成proto tcp

ii. ca那四行改成

ca /root/openvpn-2.0.9/easy-rsa/keys/ca.crt

cert /root/openvpn-2.0.9/easy-rsa/keys/server.crt

key /root/openvpn-2.0.9/easy-rsa/keys/server.key

dh /root/openvpn-2.0.9/easy-rsa/keys/dh1024.pem

iii. server.conf 配置文件见（参考文件server.conf）

8、 启动服务：

a) 关闭服务器、防火墙上所有对SSH（22）、openvpn（1194）的拦截。

b) echo 1 > /proc/sys/net/ipv4/ip_forward

c) /usr/local/sbin/openvpn --config /usr/local/etc/server.conf

d) 为了实现开机启动，在/etc/rc.local后面添加

/usr/local/sbin/openvpn --config /usr/local/etc/server.conf > /dev/null 2>&1 &

4. 安装客户端

1、 从上下载与openvpn服务器版本一致的Windows客户端“OpenVPN GUI For Windows”

a) 例如, 服务器装的是 OpenVPN 2.09, 那么下载的 OpenVPN GUI fow windows应该是: openvpn-2.0.9-gui-1.0.3-install.exe

2、 执行openvpn-2.0.9-gui-1.0.3-install.exe。一切采用默认设置。

3、 将ca.crt、client1.crt、client1.key复制到C:\Program Files\OpenVPN\config。（不同用户使用不同的证书，每个证书包括.crt和.key两个文件，如client2.crt和client2.key）

4、 在/root/openvpn-2.0.9/sample-config-files/client.conf 的基础上建立客户端配置文件，改名为C:\Program Files\OpenVPN\config\client.ovpn

a) proto udp改成proto tcp

b) remote那行改成

这里填写vpn服务器公网ip 1194（端口号）

c) ca那3行改为

ca ca.crt

cert client1.crt

key client1.key

d) 注释掉comp-lzo

erver.conf 配置文件见（参考文件client.ovpn）

SERVER端设置NAT可以使得VPN客户通过vpn隧道访问Internet，内部网络等