Setting Up OpenVPN on a VPS

My VPS runs CentOS 6.3; all of the steps below are run while logged in to that VPS.

First, check whether the VPS has the tun device enabled:

# cat /dev/net/tun

If the output is cat: /dev/net/tun: File descriptor in bad state, tun is working; otherwise open a ticket with your VPS provider and ask them to enable it.

With the environment ready, we can install OpenVPN. Most tutorials online build it from source, but I find that harder to upgrade and maintain later, so here we install it with yum.

By default the CentOS yum repositories do not carry OpenVPN, so first install EPEL with this command:

# rpm -Uvh http://download.fedora.redhat.com/pub/epel/6/i386/epel-release-6-3.noarch.rpm

Once that succeeds, OpenVPN is available from yum; install it:

# yum install openvpn

Then copy the easy-rsa directory into /etc/openvpn (it is a directory, so cp needs -r):

# cp -r /usr/share/doc/openvpn-2.2.2/easy-rsa /etc/openvpn/

Then enter that directory to generate the certificates OpenVPN needs:

# cd /etc/openvpn/easy-rsa/2.0

Edit the vars file as needed; usually only these lines need changing:

export KEY_COUNTRY="CN" # country
export KEY_PROVINCE="GD" # province
export KEY_CITY="GZ" # city
export KEY_ORG="woodelf" # organization
export KEY_EMAIL="wood_elf@126.com" # e-mail address

After saving, load the file into the current shell so the settings take effect immediately (the file is named vars, without a leading dot):

# source ./vars

Next, create the certificate authority:

# chmod +x build-ca
# ./build-ca server

Generating a 1024 bit RSA private key
........................++++++
....++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:(Enter)
State or Province Name (full name) [JS]:(Enter)
Locality Name (eg, city) [WX]:(Enter)
Organization Name (eg, company) [woodelf]:(Enter)
Organizational Unit Name (eg, section) []:(Enter)
Common Name (eg, your name or your server's hostname) [woodelf]:(Enter)
Name []:(Enter)
Email Address [wood_elf@126.com]:(Enter)

With the CA created, generate the server certificate:

# chmod +x build-key-server
# ./build-key-server server

Generating a 1024 bit RSA private key
...++++++
...............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:(Enter)
State or Province Name (full name) [JS]:(Enter)
Locality Name (eg, city) [WX]:(Enter)
Organization Name (eg, company) [woodelf]:(Enter)
Organizational Unit Name (eg, section) []:(Enter)
Common Name (eg, your name or your server's hostname) [woodelf]:(Enter)
Name []:(Enter)
Email Address [wood_elf@126.com]:(Enter)

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:(Enter)
An optional company name []:(Enter)
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'JS'
localityName          :PRINTABLE:'WX'
organizationName      :PRINTABLE:'woodelf'
commonName            :PRINTABLE:'woodelf'
emailAddress          :IA5STRING:'wood_elf@126.com'
Certificate is to be certified until Nov 18 17:25:15 2019 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

With the server certificate done, we generate the client certificates; in principle every OpenVPN user gets a certificate of their own. I use the client name client1; you can create more as needed:

# chmod +x build-key
# ./build-key client1

Generating a 1024 bit RSA private key
...++++++
...............++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:(Enter)
State or Province Name (full name) [JS]:(Enter)
Locality Name (eg, city) [WX]:(Enter)
Organization Name (eg, company) [woodelf]:(Enter)
Organizational Unit Name (eg, section) []:(Enter)
Common Name (eg, your name or your server's hostname) [woodelf]:(Enter)
Name []:(Enter)
Email Address [wood_elf@126.com]:(Enter)

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:(Enter)
An optional company name []:(Enter)
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'JS'
localityName          :PRINTABLE:'WX'
organizationName      :PRINTABLE:'woodelf'
commonName            :PRINTABLE:'woodelf'
emailAddress          :IA5STRING:'wood_elf@126.com'
Certificate is to be certified until Nov 18 17:25:15 2019 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Finally, generate the Diffie-Hellman parameters:

# chmod +x build-dh
# ./build-dh

Once all of the above is done, download the contents of /etc/openvpn/easy-rsa/2.0/keys to your local machine. Then copy the generated server files into OpenVPN's configuration directory:

# cd keys
# cp ca.crt server.crt server.key dh1024.pem /etc/openvpn/

Now we configure OpenVPN. My configuration file is only a reference; adjust it to your own situation.

First, go back to OpenVPN's configuration root directory:

# cd /etc/openvpn

Then edit server.conf and add the following; the port and the DNS addresses can be changed to suit your needs:

port 53
proto tcp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
comp-lzo
user nobody
group nobody
keepalive 10 120
persist-key
persist-tun
verb 3

At this point OpenVPN on the server is configured. Next, set up the server's operating system to allow packet forwarding.

Edit /etc/sysctl.conf, find net.ipv4.ip_forward = 0, change it to net.ipv4.ip_forward = 1 and save. Then run sysctl -p to apply it.

Add the NAT rule with iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 1.2.3.4, replacing 1.2.3.4 at the end with your VPS's IP address.

When done, save the iptables settings with /etc/init.d/iptables save, then restart them with /etc/init.d/iptables restart.

Add OpenVPN to the services started at boot:

# chkconfig --level 235 openvpn on

That concludes the work to be done on the server.

If your client machine runs Windows, you need to install the OpenVPN client; download the latest Windows Installer here and install it.

Then, in the keys folder you downloaded, find the three files ca.crt, client1.crt and client1.key and place them in C:\Program Files\OpenVPN\config.

In the same folder, create a new text file named "client1.ovpn" with the following content:

client
dev tun
proto tcp
remote 1.2.3.4 53
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3

Remember to replace the IP address and port with those of your own VPS.
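As an added example (not part of the original post), the small Python checker below cross-references the server.conf, the client1.ovpn and the SNAT rule from this walkthrough for the mismatches that most often leave a fresh setup with a tunnel that connects but passes no traffic: port, proto or comp-lzo disagreement, a client missing the ns-cert-type server pin, and a NAT rule that does not match the server subnet or the VPS address. The config strings are constructed from the post's values (1.2.3.4 is the post's placeholder IP), and the function names are my own.

```python
import ipaddress
import shlex

# Constructed sample input: the connectivity-relevant directives from the post's
# server.conf and client1.ovpn, plus its SNAT rule (1.2.3.4 is the post's placeholder IP).
SERVER_CONF = "port 53\nproto tcp\ndev tun\nserver 10.8.0.0 255.255.255.0\ncomp-lzo\n"
CLIENT_OVPN = "client\ndev tun\nproto tcp\nremote 1.2.3.4 53\nns-cert-type server\ncomp-lzo\n"
SNAT_RULE = "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 1.2.3.4"


def parse_conf(text):
    """Map each OpenVPN directive to its list of argument lists (shlex keeps quoted values whole)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):
            parts = shlex.split(line)
            conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def check_setup(server_conf, client_ovpn, snat_rule):
    """Return the mismatches found; an empty list means server, client and NAT rule agree."""
    srv, cli = parse_conf(server_conf), parse_conf(client_ovpn)
    problems = []
    # Server 'port' (default 1194) must equal the port in the client's 'remote <host> [port]'.
    srv_port = srv.get("port", [["1194"]])[0][0]
    host, port = (cli["remote"][0] + ["1194"])[:2]
    if srv_port != port:
        problems.append("port: server listens on %s, client dials %s" % (srv_port, port))
    # Protocol must match; OpenVPN reads a plain 'tcp' as tcp-server / tcp-client respectively.
    s_proto, c_proto = (c.get("proto", [["udp"]])[0][0].split("-")[0] for c in (srv, cli))
    if s_proto != c_proto:
        problems.append("proto: server %s, client %s" % (s_proto, c_proto))
    # 'dev' and 'comp-lzo' must agree on both ends, or the tunnel comes up but carries no traffic.
    for d in ("dev", "comp-lzo"):
        if srv.get(d) != cli.get(d):
            problems.append("%s differs between server and client" % d)
    # The client should pin the server role; that is what build-key-server's nsCertType is for.
    if cli.get("ns-cert-type", [[None]])[0][0] != "server":
        problems.append("client lacks 'ns-cert-type server'")
    # The SNAT rule must cover exactly the VPN subnet and source-NAT to the VPS IP the client dials
    # (assumes the VPS has a single public address, as in the post).
    vpn_net = ipaddress.ip_network("%s/%s" % tuple(srv["server"][0]))
    rule = shlex.split(snat_rule)
    snat_net = ipaddress.ip_network(rule[rule.index("-s") + 1])
    if snat_net != vpn_net:
        problems.append("SNAT source %s does not match VPN subnet %s" % (snat_net, vpn_net))
    if rule[rule.index("--to-source") + 1] != host:
        problems.append("SNAT --to-source is not the address the client connects to")
    return problems
```

Run it against your real files before the first connection attempt; an empty result means the three pieces at least agree with each other.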

That's it. Run the Windows client and connect directly. On Linux you can connect with tools such as NetworkManager.