<p>
  <strong>1.1 OpenVPN introduction</strong>
</p>

<p>
  OpenVPN is an application-layer VPN implementation built on the OpenSSL library. Compared with traditional VPNs, its advantage is that it is simple to set up and use. "VPN" literally means virtual private network: a tunnel that carries data securely between companies or between sites of one company. OpenVPN is a full-featured SSL VPN that works at layer 2 or layer 3 using the industry-standard SSL/TLS protocol. SSL (Secure Sockets Layer) and its successor, Transport Layer Security (TLS), are protocols that provide confidentiality and data integrity for network communication. OpenVPN supports flexible client authentication (certificates, smart cards, username and password) and lets users connect through firewalls to the VPN's virtual interface. It is not a web-proxy-based application and is not accessed through a browser.
</p>

<p>
  <strong>1.2 OpenVPN use cases</strong>
</p>

<p style="margin-left: 52px;">
  a) Remote work: employees connect to the company's servers over the VPN to reach ERP, OA and similar systems, and IT staff connect to the server room over the VPN for system maintenance.
</p>

<p style="margin-left: 52px;">
  b) Connecting headquarters with branch offices, so that each branch has a link to head office.
</p>

<p style="margin-left: 52px;">
  c) Interconnecting several IDC server rooms so that they can reach each other, share data and transfer files.
</p>

<p>
  Note: OpenVPN is suited to providing the connectivity itself; for high-traffic, high-bandwidth workloads a point-to-point leased line is recommended instead.
</p>


<hr />


<p>
  <span style="color: #0070c0; text-decoration: none;"><strong><span style="color: #0070c0; font-size: 24px; text-decoration: none;">2. OpenVPN server installation and configuration</span></strong></span>
</p>

<p>
  <strong>2.1 Lab environment</strong>
</p>

<p>
  The lab environment used to simulate OpenVPN:
</p>

<p>
  Two machines on the internal 192.168.3.0/24 segment simulate the public network. lclient on the left and lanserver on the right sit on different subnets and cannot normally communicate with each other.
</p>


<p>
  <img src="https://clsn.io/wp-content/uploads/2018/03/wKioL1eYUTWxnsbKAAjbc4fW37Y331.png-wh_500x0-wm_3-wmp_4-s_1841022368.png" alt="Lab environment diagram (OpenVPN configuration)" />
</p>

<p>
  In this lab the second interface on vpnclient, eth1, stands in for lclient; its IP address is 10.0.0.17.
</p>

<p>
  <strong>2.2 Base environment and dependency packages</strong>
</p>

<p>
  2.2.1 Enable IP forwarding in the kernel
</p>

<p>
  Enable IP forwarding on vpnserver: edit /etc/sysctl.conf and set net.ipv4.ip_forward to 1.
</p>

<pre class="brush:bash;toolbar:false">net.ipv4.ip_forward = 1</pre>

<p>
  Apply the change with the -p option.
</p>

<pre class="brush:bash;toolbar:false">[root@vpnserver ~]# sysctl -p
net.ipv4.ip_forward = 1</pre>

<p>
  2.2.2 Stop iptables
</p>

<p>
  Until all testing is finished, stop iptables temporarily so that it cannot be the cause of any problem; once everything has been debugged, configure iptables properly.
</p>

<pre class="brush:bash;toolbar:false">[root@vpnserver ~]# /etc/init.d/iptables stop
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]</pre>

<p>
  2.2.3 Install the base dependency packages
</p>

<p>
  Install the openssl-related packages.
</p>

<pre class="brush:bash;toolbar:false">yum install openssl* -y</pre>

<p>
  2.2.4 Update the system time
</p>

<p>
  Synchronise the system clock with ntp.
</p>

<pre class="brush:bash;toolbar:false">ntpdate -u pool.ntp.org</pre>

<p>
  Create a cron job that synchronises the time every 5 minutes.
</p>

<pre class="brush:bash;toolbar:false">echo '#sync system date from ntpserver' >>/var/spool/cron/root
echo '*/5 * * * * /usr/sbin/ntpdate -u pool.ntp.org >/dev/null 2>&1' >>/var/spool/cron/root</pre>

<p>
  Check the resulting crontab.
</p>

<pre class="brush:bash;toolbar:false">[root@vpnserver ~]# crontab -l
#sync system date from ntpserver
*/5 * * * * /usr/sbin/ntpdate -u pool.ntp.org >/dev/null 2>&1</pre>


<p>
  <strong>2.3 Install the lzo package</strong>
</p>

<p>
  Create a directory for the installation packages.
</p>

<pre class="brush:bash;toolbar:false">mkdir -p /server/tools
cd /server/tools/</pre>

<p>
  Upload the packages to the tools directory.
</p>

<pre class="brush:bash;toolbar:false">[root@vpnserver tools]# ll
total 1476
-rw-r--r--. 1 root root 594855 Jul  5 08:33 lzo-2.09.tar.gz
-rw-r--r--. 1 root root 911158 Jul  5 08:33 openvpn-2.2.2.tar.gz</pre>

<p>
  Build and install lzo from source.
</p>

<pre class="brush:bash;toolbar:false">cd /server/tools/
tar xf lzo-2.09.tar.gz
cd lzo-2.09
./configure
make
make install</pre>


<p>
  <span style="font-size: 16px;"><strong>2.4 Install the OpenVPN software</strong></span>
</p>

<p>
  2.4.1 Install from source
</p>

<p>
  Version choice: the newest release at the time of writing is 2.3.1. This guide uses 2.2.2 for the Linux client and server; the Windows client software still uses 2.3.1.
</p>

<p>
  Unpack and install the OpenVPN source package.
</p>

<pre class="brush:bash;toolbar:false">mkdir /application
tar xf openvpn-2.2.2.tar.gz -C /application/
cd /application/openvpn-2.2.2/
./configure --with-lzo-lib=/usr/local/lib --with-lzo-headers=/usr/local/include
make
make install</pre>

<p>
  Check the result of the installation.
</p>

<pre class="brush:bash;toolbar:false">[root@vpnserver openvpn-2.2.2]# which openvpn
/usr/local/sbin/openvpn</pre>

<p>
  Create a symbolic link.
</p>

<pre class="brush:bash;toolbar:false">ln -s /application/openvpn-2.2.2/ /application/openvpn</pre>

<p>
  2.4.2 Generate the CA certificate
</p>

<p>
  Change into the directory where the certificates are made; many of the following steps are run from here.
</p>

<pre class="brush:bash;toolbar:false">cd /application/openvpn-2.2.2/easy-rsa/2.0
[root@vpnserver 2.0]# ll
total 128
-rwxrwxr-x. 1 sunny sunny   119 Nov 25  2011 build-ca           # generate the CA certificate
-rwxrwxr-x. 1 sunny sunny   352 Nov 25  2011 build-dh           # generate the key-exchange (DH) parameter file
-rwxrwxr-x. 1 sunny sunny   188 Nov 25  2011 build-inter
-rwxrwxr-x. 1 sunny sunny   163 Nov 25  2011 build-key          # generate a client key pair without a passphrase
-rwxrwxr-x. 1 sunny sunny   157 Nov 25  2011 build-key-pass     # generate a client key pair protected by a passphrase
-rwxrwxr-x. 1 sunny sunny   249 Nov 25  2011 build-key-pkcs12
-rwxrwxr-x. 1 sunny sunny   268 Nov 25  2011 build-key-server   # generate the server key pair
-rwxrwxr-x. 1 sunny sunny   213 Nov 25  2011 build-req
-rwxrwxr-x. 1 sunny sunny   158 Nov 25  2011 build-req-pass
-rwxrwxr-x. 1 sunny sunny   428 Nov 25  2011 clean-all          # initialise: empties the keys directory
-rwxrwxr-x. 1 sunny sunny  1457 Nov 25  2011 inherit-inter
-rwxrwxr-x. 1 sunny sunny   295 Nov 25  2011 list-crl
-rw-rw-r--. 1 sunny sunny   413 Nov 25  2011 Makefile
-rwxrwxr-x. 1 sunny sunny  7768 Oct 21  2010 openssl-0.9.6.cnf
-rwxrwxr-x. 1 sunny sunny  8325 Nov 25  2011 openssl-0.9.8.cnf
-rwxrwxr-x. 1 sunny sunny  8222 Nov 25  2011 openssl-1.0.0.cnf
-rwxrwxr-x. 1 sunny sunny 12675 Nov 25  2011 pkitool            # the command the certificate scripts call internally
-rw-rw-r--. 1 sunny sunny  9299 Nov 25  2011 README
-rwxrwxr-x. 1 sunny sunny   918 Nov 25  2011 revoke-full        # revoke a certificate
-rwxrwxr-x. 1 sunny sunny   178 Nov 25  2011 sign-req
-rwxrwxr-x. 1 sunny sunny  1841 Nov 25  2011 vars               # predefined certificate fields
-rwxrwxr-x. 1 sunny sunny   714 Nov 25  2011 whichopensslcnf</pre>

<p style="text-indent: 28px;">
  <strong>Edit the predefined certificate fields in vars</strong>
</p>

<p>
  First make a backup of vars.
</p>

<pre class="brush:bash;toolbar:false">cp vars vars.sunny.ori</pre>

<p>
  Edit the last 11 lines so that they read as follows:
</p>

<pre class="brush:bash;toolbar:false">export KEY_COUNTRY="CN"
export KEY_PROVINCE="HB"
export KEY_CITY="WuHan"
export KEY_ORG="sunny"
export KEY_EMAIL="[email protected]"
export KEY_EMAIL=[email protected]
export KEY_CN=sunny
export KEY_NAME=sunny
export KEY_OU=sunny
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234</pre>

<p>
  Note: if you use AD or LDAP, fill these fields in according to your own directory.
</p>

<p>
  Load the vars settings. Whenever you open a new shell to make certificates, vars has to be sourced again.
</p>

<pre class="brush:bash;toolbar:false">[root@vpnserver 2.0]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /application/openvpn-2.2.2/easy-rsa/2.0/keys</pre>

<p>
  The first time, it prompts you to initialise; follow the prompt. Do not run this again during normal use: it empties the keys directory and resets the serial number.
</p>

<pre class="brush:bash;toolbar:false">[root@vpnserver 2.0]# ./clean-all
[root@vpnserver 2.0]# ll keys/
total 4
-rw-r--r--. 1 root root 0 Jul  7 16:57 index.txt
-rw-r--r--. 1 root root 3 Jul  7 16:57 serial</pre>

<p>
  Create the CA certificate. Because every field was predefined in vars, press Enter at each prompt to accept the defaults.
</p>

<pre class="brush:bash;toolbar:false">[root@vpnserver 2.0]# ./build-ca
Generating a 1024 bit RSA private key
...++++++
..........................................++++++
writing new private key to 'ca.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HB]:
Locality Name (eg, city) [WuHan]:
Organization Name (eg, company) [sunny]:
Organizational Unit Name (eg, section) [sunny]:
Common Name (eg, your name or your server's hostname) [sunny]:
Name [sunny]:
Email Address [[email protected]]:</pre>

<p>
  Look at the generated files: ca.crt is the new certificate and ca.key is its private key.
</p>

<pre class="brush:bash;toolbar:false">[root@vpnserver 2.0]# ls -l keys
total 12
-rw-r--r--. 1 root root 1277 Jul  7 16:58 ca.crt       # CA certificate
-rw-------. 1 root root  916 Jul  7 16:58 ca.key       # CA private key
-rw-r--r--. 1 root root    0 Jul  7 16:57 index.txt
-rw-r--r--. 1 root root    3 Jul  7 16:57 serial</pre>


<p>
  2.4.3 Generate the server certificate and key
</p>

<p>
  The server certificate is generated with build-key-server followed by the name of the server certificate; here the name is server.
</p>

<pre class="brush:bash;toolbar:false">[root@vpnserver 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
..................++++++
........................................++++++
writing new private key to 'server.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HB]:
Locality Name (eg, city) [WuHan]:
Organization Name (eg, company) [sunny]:
Organizational Unit Name (eg, section) [sunny]:
Common Name (eg, your name or your server's hostname) [server]:
Name [sunny]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:sunny
Using configuration from /application/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'HB'
localityName          :PRINTABLE:'WuHan'
organizationName      :PRINTABLE:'sunny'
organizationalUnitName:PRINTABLE:'sunny'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'sunny'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Jul  5 09:04:46 2026 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated</pre>

<p>
  The highlighted values are the ones typed by hand; signing the certificate has to be confirmed twice.
</p>

<p style="text-indent: 28px;">
  <strong>Check the generated certificate and key pair</strong>
</p>

<pre class="brush:bash;toolbar:false">[root@vpnserver 2.0]# ll keys/server*
-rw-r--r--. 1 root root 3943 Jul  7 17:04 keys/server.crt    # server certificate
-rw-r--r--. 1 root root  757 Jul  7 17:04 keys/server.csr    # server certificate signing request
-rw-------. 1 root root  916 Jul  7 17:04 keys/server.key    # server private key</pre>


<p>
  2.4.4 Generate client certificates and keys
</p>

<p>
  Client certificates map one-to-one onto client accounts: each account gets its own certificate file.
</p>

<p>
  To generate a key that needs no passphrase, use build-key.
</p>

<p>
  Create a client key named test; this account needs no passphrase.
</p>

<pre class="brush:bash;toolbar:false">[root@vpnserver 2.0]# ./build-key test
Generating a 1024 bit RSA private key
..........................................++++++
..++++++
writing new private key to 'test.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HB]:
Locality Name (eg, city) [WuHan]:
Organization Name (eg, company) [sunny]:
Organizational Unit Name (eg, section) [sunny]:
Common Name (eg, your name or your server's hostname) [test]:
Name [sunny]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:sunny
Using configuration from /application/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'HB'
localityName          :PRINTABLE:'WuHan'
organizationName      :PRINTABLE:'sunny'
organizationalUnitName:PRINTABLE:'sunny'
commonName            :PRINTABLE:'test'
name                  :PRINTABLE:'sunny'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Jul  5 09:13:01 2026 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated</pre>

<p>
  Generate a client key named sunny that requires a passphrase; the passphrase here is 123456. In production this passphrase must be considerably stronger.
</p>

<pre class="brush:bash;toolbar:false">[root@vpnserver 2.0]# ./build-key-pass sunny
Generating a 1024 bit RSA private key
...++++++
..........................................++++++
writing new private key to 'sunny.key'
Enter PEM pass phrase:                   # enter the user's passphrase here
Verifying - Enter PEM pass phrase:       # confirm the passphrase here
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HB]:
Locality Name (eg, city) [WuHan]:
Organization Name (eg, company) [sunny]:
Organizational Unit Name (eg, section) [sunny]:
Common Name (eg, your name or your server's hostname) [sunny]:
Name [sunny]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:sunny
Using configuration from /application/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'HB'
localityName          :PRINTABLE:'WuHan'
organizationName      :PRINTABLE:'sunny'
organizationalUnitName:PRINTABLE:'sunny'
commonName            :PRINTABLE:'sunny'
name                  :PRINTABLE:'sunny'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Jul  5 09:16:29 2026 GMT (3650 days)
Sign the certificate? [y/n]:
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated</pre>

<p>
  View the generated client keys.
</p>

<pre class="brush:bash;toolbar:false">[root@vpnserver 2.0]# ls -l keys/{test,sunny}*
-rw-r--r--. 1 root root 3821 Jul  7 17:16 keys/sunny.crt
-rw-r--r--. 1 root root  757 Jul  7 17:16 keys/sunny.csr
-rw-------. 1 root root 1041 Jul  7 17:16 keys/sunny.key
-rw-r--r--. 1 root root 3816 Jul  7 17:13 keys/test.crt
-rw-r--r--. 1 root root  757 Jul  7 17:13 keys/test.csr
-rw-------. 1 root root  916 Jul  7 17:13 keys/test.key</pre>

<p>
  2.4.5 Generate the key-exchange (DH) parameter file
</p>

<p>
  Generate the DH parameter file with the build-dh command; it needs no arguments.
</p>

<pre class="brush:bash;toolbar:false">[root@vpnserver 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..........................................+............................++++++*
[root@vpnserver 2.0]# ls keys/dh1024.pem
keys/dh1024.pem</pre>

<p>
  2.4.6 Generate the anti-attack key file (ta.key)
</p>

<p>
  Generate the shared key file used to protect the server against attacks.
</p>

<pre class="brush:bash;toolbar:false">[root@vpnserver 2.0]# openvpn --genkey --secret keys/ta.key
[root@vpnserver 2.0]# ll keys/ta.key
-rw-------. 1 root root 636 Jul  7 17:22 keys/ta.key</pre>
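Before the keys directory is copied to /etc/openvpn or to a client, it is worth checking what steps 2.4.2 to 2.4.6 actually produced. The script below is an added example, not part of the article or of easy-rsa: check_keypair, make_demo_pki and the KEY_PASS variable are names chosen here, and the demo builds a throw-away PKI with plain openssl under the article's file names.

```shell
#!/bin/sh
# Added example, not part of the article or of easy-rsa: sanity-check the files
# that 2.4.2-2.4.6 produced in keys/. check_keypair() is a helper name chosen
# here; the file names (ca.crt, server.crt, test.crt, ...) are the article's.

# cert_pub CRT / key_pub KEY: SHA-256 of the public key, so cert and key can be compared
cert_pub() { openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'; }
# KEY_PASS (assumed name) may be exported for a build-key-pass key such as sunny.key
key_pub()  { openssl rsa -in "$1" -pubout -passin "pass:${KEY_PASS:-}" 2>/dev/null \
             | openssl sha256 | awk '{print $NF}'; }

# check_keypair KEYSDIR NAME [server]: prints one line per problem, returns the count
check_keypair() {
    dir=$1; name=$2; role=${3:-client}
    crt=$dir/$name.crt; key=$dir/$name.key; fails=0
    # 1. the certificate must chain to *this* CA, not merely be well-formed
    openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null 2>&1 \
        || { echo "$name: $crt is not signed by $dir/ca.crt"; fails=$((fails + 1)); }
    # 2. the private key must belong to the certificate
    [ "$(cert_pub "$crt")" = "$(key_pub "$key")" ] \
        || { echo "$name: $key does not match $crt"; fails=$((fails + 1)); }
    # 3. private keys must stay owner-only (easy-rsa writes them rw-------)
    case $(ls -ld "$key" | cut -c5-10) in
        ------) ;;
        *) echo "$name: $key is readable by group/other"; fails=$((fails + 1)) ;;
    esac
    # 4. the server certificate must carry nsCertType=server (build-key-server sets it);
    #    a client configured with "ns-cert-type server" rejects a server without it
    if [ "$role" = server ]; then
        openssl x509 -in "$crt" -noout -text | grep -q 'SSL Server' \
            || { echo "$name: $crt lacks nsCertType=server"; fails=$((fails + 1)); }
    fi
    return $fails
}

# make_demo_pki DIR: a constructed throw-away PKI with the article's file names,
# made with plain openssl rather than easy-rsa so that the demo runs anywhere
make_demo_pki() {
    d=$1; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=sunny" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    for n in server test; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
        chmod 600 "$d/$n.key"
    done
    # only the server certificate gets the Netscape server type, as build-key-server does
    echo 'nsCertType=server' > "$d/server.ext"
    openssl x509 -req -days 3650 -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/server.ext" -out "$d/server.crt" 2>/dev/null
    openssl x509 -req -days 3650 -in "$d/test.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/test.crt" 2>/dev/null
}

# demo run on the constructed PKI: the client cert passes as a client but not as a server
demo=$(mktemp -d)
make_demo_pki "$demo"
check_keypair "$demo" server server && echo "server: OK"
check_keypair "$demo" test && echo "test: OK"
check_keypair "$demo" test server || echo "test as server: $? problem(s), as expected"
rm -rf "$demo"
```

Against the real keys/ directory, run it as `check_keypair /etc/openvpn/keys server server` and `check_keypair /etc/openvpn/keys test`.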

<p>
  2.4.7 Edit the server configuration file
</p>

<p>
  Create the configuration directory.
</p>

<pre class="brush:bash;toolbar:false">mkdir /etc/openvpn
cd /etc/openvpn</pre>

<p>
  Copy the keys directory into the configuration directory.
</p>

<pre class="brush:bash;toolbar:false">[root@vpnserver openvpn]# cp -ap /application/openvpn/easy-rsa/2.0/keys .
[root@vpnserver openvpn]# ll
total 4
drwx------. 2 root root 4096 Jul  7 17:22 keys</pre>

<p>
  Copy the sample server configuration file into the /etc/openvpn directory.
</p>

<pre class="brush:bash;toolbar:false">cp /application/openvpn/sample-config-files/server.conf server.bak</pre>

<p>
  Write only the effective directives from server.bak into server.conf.
</p>

<pre class="brush:bash;toolbar:false">grep -Ev "#|;|^$" server.bak >server.conf</pre>

<p>
  Edit server.conf; after the changes the file reads as follows:
</p>

<pre class="brush:bash;toolbar:false">local 192.168.3.201
port 52115
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.18.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
duplicate-cn
client-to-client
verb 3</pre>


<p>
  local: the local IP address to listen on
</p>

<p>
  port: the local listening port; the default is 1194, and for safety it is recommended to change it
</p>

<p>
  proto: the transport protocol; tcp is used here for better stability
</p>

<p>
  dev tun: use a tunnel interface; the other option is tap
</p>

<p>
  ca: path to the CA certificate file
</p>

<p>
  cert: path to the server certificate
</p>

<p>
  key: path to the server private key file
</p>

<p>
  dh: path to the key-exchange (DH) parameter file
</p>

<p>
  server: the address pool handed out to clients, i.e. the IP address a client receives after dialling in successfully
</p>

<p>
  push: routes pushed to clients; usually this is the local subnet on the vpnserver side
</p>

<p>
  ifconfig-pool-persist: records the IP addresses assigned to clients, so that a client gets the same IP address as last time after it reconnects
</p>

<p>
  keepalive 10 120: the client pings the server every 10 seconds to make sure it is still online; the timeout is 120 seconds
</p>

<p>
  comp-lzo: allow compressed transmission
</p>

<p>
  status openvpn-status.log: connection status log
</p>

<p>
  log: connection log file
</p>

<p>
  duplicate-cn: allow the same account to be used by several people at the same time
</p>

<p>
  client-to-client: allow clients to communicate with each other
</p>

<p>
  verb: log verbosity level
</p>

<p>
  ;max-clients 100: maximum number of clients; the default is 100
</p>
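The directives above can be checked mechanically before the server is started. This lint script is an added example, not from the article or from the OpenVPN project: lint_server_conf and make_demo_tree are names chosen here, and the constructed tree mirrors the /etc/openvpn layout and the server.conf of 2.4.7 with the article's file names. It also flags that keys/ta.key from 2.4.6 is generated but never referenced by a tls-auth line in the configuration shown.

```shell
#!/bin/sh
# Added example, not part of the article: lint a server.conf like the one above.
# It resolves the file directives (ca, cert, key, dh, tls-auth) relative to the
# config's directory, checks that key material is owner-only, warns when keys/ta.key
# exists but no tls-auth line uses it, and notes duplicate-cn, which lets one
# certificate be used by any number of clients at the same time.

# conf_arg CONF DIRECTIVE: first argument of DIRECTIVE, empty if absent
conf_arg() { awk -v d="$2" '$1 == d { print $2; exit }' "$1"; }

# lint_server_conf CONF: prints one line per finding, returns the number of findings
lint_server_conf() {
    conf=$1; dir=$(dirname "$conf"); n=0
    for directive in ca cert key dh tls-auth; do
        f=$(conf_arg "$conf" "$directive")
        [ -n "$f" ] || continue
        case $f in /*) ;; *) f=$dir/$f ;; esac   # relative paths taken relative to the config
        if [ ! -r "$f" ]; then
            echo "MISSING  $directive -> $f"; n=$((n + 1))
        elif [ "$directive" = key ] || [ "$directive" = tls-auth ]; then
            # private material must be rw------- as easy-rsa and --genkey produce it
            case $(ls -ld "$f" | cut -c5-10) in
                ------) ;;
                *) echo "PERMS    $f is readable by group/other"; n=$((n + 1)) ;;
            esac
        fi
    done
    # ta.key was generated in 2.4.6 but does nothing unless tls-auth references it
    if [ -f "$dir/keys/ta.key" ] && [ -z "$(conf_arg "$conf" tls-auth)" ]; then
        echo "UNUSED   $dir/keys/ta.key exists but the config has no tls-auth line"; n=$((n + 1))
    fi
    if grep -q '^duplicate-cn' "$conf"; then
        echo "NOTE     duplicate-cn: one leaked certificate serves any number of clients"; n=$((n + 1))
    fi
    return $n
}

# make_demo_tree DIR: constructed look-alike of /etc/openvpn after 2.4.7 (empty key files)
make_demo_tree() {
    mkdir -p "$1/keys"
    for f in ca.crt server.crt server.key dh1024.pem ta.key; do : > "$1/keys/$f"; done
    chmod 600 "$1/keys/server.key" "$1/keys/ta.key"
    cat > "$1/server.conf" <<EOF
local 192.168.3.201
port 52115
proto tcp
dev tun
ca $1/keys/ca.crt
cert $1/keys/server.crt
key $1/keys/server.key
dh $1/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.18.0 255.255.255.0"
duplicate-cn
client-to-client
verb 3
EOF
}

# demo run: the article's configuration yields the UNUSED ta.key and duplicate-cn findings
demo=$(mktemp -d)
make_demo_tree "$demo"
lint_server_conf "$demo/server.conf" || echo "$? finding(s)"
rm -rf "$demo"
```

On the real server, run `lint_server_conf /etc/openvpn/server.conf`; adding `tls-auth /etc/openvpn/keys/ta.key 0` on the server (and `tls-auth ta.key 1` on the client) clears the UNUSED finding.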


<p>
  <strong>2.5 Start the server</strong>
</p>

<p>
  2.5.1 Start the server
</p>

<pre class="brush:bash;toolbar:false">[root@vpnserver openvpn]# /usr/local/sbin/openvpn --config /etc/openvpn/server.conf &
[1] 22510
[root@vpnserver openvpn]# ps -ef|grep openvpn
root      22510  22401  0 09:06 pts/0    00:00:00 /usr/local/sbin/openvpn --config /etc/openvpn/server.conf
root      22521  22401  0 09:06 pts/0    00:00:00 grep openvpn</pre>

<p>
  Troubleshooting, error 1:
</p>

<pre class="brush:bash;toolbar:false">[root@vpnserver openvpn]# less /var/log/openvpn.log
Options error: You must define private key file (--key) or PKCS#12 file (--pkcs12)
Use --help for more information.</pre>

<p>
  The message means that the path to the server's private key is missing from the configuration file or is wrong; check the key line in server.conf.
</p>

<pre class="brush:bash;toolbar:false">key /etc/openvpn/keys/server.key</pre>


<p>
  2.5.2 Start OpenVPN automatically at boot
</p>

<p>
  OpenVPN needs to be added to the boot sequence.
</p>

<p>
  Method 1:
</p>

<p>
  Add the start command to /etc/rc.local.
</p>

<pre class="brush:bash;toolbar:false">echo "/usr/local/sbin/openvpn --config /etc/openvpn/server.conf >/dev/null &" >>/etc/rc.local</pre>

<p>
  Method 2:
</p>

<p>
  Use the init script shipped under sample-scripts.
</p>

<pre class="brush:bash;toolbar:false">cp /application/openvpn/sample-scripts/openvpn.init /etc/init.d/openvpn
chkconfig openvpn on
chkconfig --list openvpn
openvpn         0:off   1:off   2:on    3:on    4:on    5:on    6:off</pre>


<hr />


<p>
  <span style="color: #0070c0;"><strong><span style="font-size: 24px;">3. OpenVPN client installation and configuration</span></strong></span>
</p>

<p>
  <strong>3.1 Windows client installation and configuration</strong>
</p>

<p>
  3.1.1 Check the operating system version
</p>

<p>
  Client installers are provided for several operating system versions; pick the one that matches yours. For Windows 8 and Windows 10 use the Windows 7 client. Right-click My Computer and choose Properties to see the operating system version.
</p>

<p>
  3.1.2 Install the Windows client software
</p>

<p>
  Windows 10 can use the Windows 7 client. The example here is 64-bit Windows 7, so open the windows-win7-64-bit folder.
</p>

<p>
  Double-click &ldquo;openvpn-install-2.3.11-I601-x86_64(win7).exe&rdquo;.
</p>

<p>
  Click &ldquo;Next&rdquo;.
</p>

<p>
  Click &ldquo;I Agree&rdquo;.
</p>

<p>
  Leave everything unchanged and click Next.
</p>

<p>
  Choose the installation path; the default is fine. On 64-bit systems it is &ldquo;C:\Program Files\OpenVPN&rdquo;; on other systems the path differs slightly.
</p>

<p>
  Click Install. If you are asked whether to trust the publisher, tick &ldquo;Always trust software from &hellip;&rdquo; and click Install.
</p>

<p>
  Click Next to continue.
</p>

<p>
  Click Finish to complete the installation.
</p>

<p>
  3.1.3 Windows client software configuration
</p>

<p>
  3.1.4 Copy the certificate files
</p>

<p>
  Go to the config folder under the OpenVPN installation directory (mine is &ldquo;C:\Program Files\OpenVPN\config&rdquo;), create a test directory, and copy the certificate files ca.crt, test.crt and test.key from /etc/openvpn/keys on the OpenVPN server into it.
</p>

<p>
  In the test directory create a file test.ovpn, using /application/openvpn/sample-config-files/client.conf as the template. test.ovpn contains:
</p>

<pre class="brush:bash;toolbar:false">client
dev tun
proto tcp
remote 192.168.3.201 52115
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert test.crt
key test.key
ns-cert-type server
comp-lzo
verb 3</pre>

<p>
  3.1.5<span style="font: 9px/normal 'Times New Roman';">&nbsp;&nbsp; </span>Connection test
</p>

<p>
  After installation an icon appears on the desktop. Double-click it and a small padlock icon appears in the bottom-right tray. Right-click that icon, select the test account and click Connect. If no password is required it connects directly; otherwise it prompts for the password.
</p>

<p style="text-indent: 0px;">
  After dialing in successfully, a notification pops up at the bottom right,
</p>

<p style="text-indent: 0px;">
  and the icon, previously grey, turns green, indicating that the connection is up.
</p>

<p>
  3.1.6<span style="font: 9px/normal 'Times New Roman';">&nbsp;&nbsp; </span>Connectivity test
</p>

<p>
  At this point the VPN server's internal interface 192.168.18.201 responds to ping, but lanserver at 192.168.18.203 does not.
</p>

<pre class="brush:bash;toolbar:false">C:\Users\Administrator>ping 192.168.18.201

正在 Ping 192.168.18.201 具有 32 字节的数据:
来自 192.168.18.201 的回复: 字节=32 时间&lt;1ms TTL=64
来自 192.168.18.201 的回复: 字节=32 时间=1ms TTL=64

C:\Users\Administrator>ping 192.168.18.203

正在 Ping 192.168.18.203 具有 32 字节的数据:
请求超时。
请求超时。</pre>


<p style="text-indent: 0px;">
  Check the routing table on lanserver:
</p>

<pre class="brush:bash;toolbar:false">[root@lanserver ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.18.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
0.0.0.0         192.168.18.2    0.0.0.0         UG    0      0        0 eth0</pre>

<p>
  Ping 192.168.18.203 from the Windows client and capture the packets on lanserver:
</p>

<pre class="brush:bash;toolbar:false">[root@lanserver ~]# tcpdump icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:47:48.676249 IP 10.8.0.6 > 192.168.18.203: ICMP echo request, id 1, seq 17288, length 40
18:47:48.676288 IP 192.168.18.203 > 10.8.0.6: ICMP echo reply, id 1, seq 17288, length 40</pre>

<p>
  The requests arrive, but the replies never make it back to the client: lanserver has a default route, but it points to a gateway other than vpnserver, so the reply to 10.8.0.6 is handed to a router that knows nothing about the tunnel. The fixes are as follows:
</p>

<p>
  Method 1: point lanserver's default gateway at vpnserver.
</p>

<pre class="brush:bash;toolbar:false">[root@lanserver ~]# route del default gw 192.168.18.2
[root@lanserver ~]# route add default gw 192.168.18.201
[root@lanserver ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.18.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
0.0.0.0         192.168.18.201  0.0.0.0         UG    0      0        0 eth0</pre>

<p>
  Once the route is in place, the Windows client and lanserver can reach each other immediately.
</p>

<p>
  Method 2: add a dedicated route to 10.8.0.0/24.
</p>

<p>
  First delete the default route; as soon as it is gone, the client loses connectivity to lanserver again.
</p>

<pre class="brush:bash;toolbar:false">route del default gw 192.168.18.201</pre>

<p>
  Add a route to the 10.8.0.0/24 network:
</p>

<pre class="brush:bash;toolbar:false">route add -net 10.8.0.0/24 gw 192.168.18.201</pre>

<p>
  Method 3: leave the gateway where it is and add a NAT rule on vpnserver that rewrites every source address in 10.8.0.0/24 to 192.168.18.201. Add the following iptables rule:
</p>

<pre class="brush:bash;toolbar:false">iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE</pre>


<p>
  The command above can equivalently be replaced with:
</p>

<pre class="brush:bash;toolbar:false">iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.18.201</pre>


<p>
  Now ping from the Windows client, whose real address is 10.8.0.6: the capture on lanserver shows 192.168.18.201 as the source address.
</p>

<pre class="brush:bash;toolbar:false">[root@lanserver ~]# tcpdump -i eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:21:52.889132 IP 192.168.18.201 > 192.168.18.203: ICMP echo request, id 1, seq 18615, length 40
19:21:52.889154 IP 192.168.18.203 > 192.168.18.201: ICMP echo reply, id 1, seq 18615, length 40
19:21:53.904123 IP 192.168.18.201 > 192.168.18.203: ICMP echo request, id 1, seq 18616, length 40
19:21:53.904144 IP 192.168.18.203 > 192.168.18.201: ICMP echo reply, id 1, seq 18616, length 40</pre>

<p style="text-indent: 32px;">
  <strong><span style="font-family: '宋体'; font-size: 16px;">Summary:</span></strong>
</p>

<p>
  Method 1 is the simplest to implement: just point lanserver's gateway at vpnserver. Where the gateway is a router, add a route to the remote 10.8.0.0/24 on the router instead. The drawback is the extra hop through the router.
</p>

<p>
  Method 2 requires adding the route on every lanserver, which is more work to roll out.
</p>

<p>
  Method 3 improves on method 2 in that no per-machine routing is needed; its drawback is that the client's original source IP is no longer visible on the LAN side.
</p>
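<p>
  The diagnosis above comes down to one question: which route on lanserver will the reply to 10.8.0.6 take, and is its next hop vpnserver? The following is an added example (not code from the original article) that parses the <code>route -n</code> output shown above and answers that question with a longest-prefix lookup. The three routing tables are constructed to match the article's lanserver before the fix, after method 1, and after method 2; the hostnames and addresses are the article's. It goes slightly beyond the article in one respect: the method 2 table keeps the original default route, which shows that the dedicated /24 route wins anyway because it is more specific.
</p>

```python
"""Added example: decide from `route -n` output whether lanserver's replies to
VPN clients are sent to vpnserver (constructed samples, not real captures)."""
import ipaddress

VPNSERVER_LAN_IP = "192.168.18.201"   # vpnserver's internal interface (from the article)

# Constructed: lanserver before the fix (default gateway is 192.168.18.2, not vpnserver)
ROUTE_N_BEFORE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.18.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
0.0.0.0         192.168.18.2    0.0.0.0         UG    0      0        0 eth0
"""

# Constructed: after method 1 (default gateway moved to vpnserver)
ROUTE_N_METHOD1 = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.18.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.18.201  0.0.0.0         UG    0      0        0 eth0
"""

# Constructed: after method 2, with the original default route deliberately kept
ROUTE_N_METHOD2 = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.0        192.168.18.201  255.255.255.0   UG    0      0        0 eth0
192.168.18.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.18.2    0.0.0.0         UG    0      0        0 eth0
"""


def parse_route_n(text):
    """Return [(network, gateway, iface), ...] from `route -n` output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # data rows start with a dotted-quad destination; the two header rows do not
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue
        dest, gw, mask, iface = parts[0], parts[1], parts[2], parts[7]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst, or None."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def reply_path_ok(route_text, client_ip, vpnserver_ip=VPNSERVER_LAN_IP):
    """True if the reply to client_ip leaves lanserver with vpnserver as next hop.
    A gateway of 0.0.0.0 means 'directly connected', which cannot reach 10.8.0.x."""
    route = lookup(parse_route_n(route_text), client_ip)
    return route is not None and route[1] == vpnserver_ip


def diagnose(route_text, client_ip="10.8.0.6"):
    """Human-readable verdict for the article's scenario (client 10.8.0.6)."""
    route = lookup(parse_route_n(route_text), client_ip)
    if route is None:
        return f"BROKEN: no route for {client_ip}"
    net, gw, iface = route
    status = "OK" if reply_path_ok(route_text, client_ip) else "BROKEN"
    return f"{status}: reply to {client_ip} matches {net} via {gw} on {iface}"


if __name__ == "__main__":
    for name, table in (("before", ROUTE_N_BEFORE), ("method 1", ROUTE_N_METHOD1),
                        ("method 2", ROUTE_N_METHOD2)):
        print(f"{name:9} {diagnose(table)}")
```

<p>
  Method 3 is not covered by this check on purpose: with SNAT the reply is addressed to 192.168.18.201 itself, so lanserver's routing table is no longer the deciding factor.
</p>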

<p>
  <strong>3.2<span style="font: 9px/normal 'Times New Roman';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span>Linux client installation and configuration</strong>
</p>

<p>
  3.2.1<span style="font: 9px/normal 'Times New Roman';">&nbsp;&nbsp; </span>Install the Linux client software
</p>

<p>
  Installing the Linux client is the same as installing the server: install lzo first, then build openvpn 2.2.2 from source. For the exact steps see <a href="#%E5%AE%89%E8%A3%85openvpn%E8%BD%AF%E4%BB%B6">the server source installation, section 2.4.1</a>.
</p>

<p>
  3.2.2<span style="font: 9px/normal 'Times New Roman';">&nbsp;&nbsp; </span>Edit the client configuration file
</p>

<p>
  Create the configuration directory /etc/openvpn:
</p>

<pre class="brush:bash;toolbar:false">mkdir /etc/openvpn
cd /etc/openvpn</pre>

<p>
  Upload ca.crt, test.crt, test.key and client.conf:
</p>

<pre class="brush:bash;toolbar:false">[root@vpnclient openvpn]# ls
ca.crt  client.conf  test.crt  test.key</pre>

<p>
  client.conf has the same content as test.ovpn on the Windows client:
</p>

<pre class="brush:bash;toolbar:false">[root@vpnclient openvpn]# cat client.conf
client
dev tun
proto tcp
remote 192.168.3.201 52115
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert test.crt
key test.key
ns-cert-type server
comp-lzo
verb 3</pre>

<p>
  3.2.3<span style="font: 9px/normal 'Times New Roman';">&nbsp;&nbsp; </span>Dial in to the VPN remotely
</p>

<p>
  Start the client the same way as the server; to start it at boot, add the command to /etc/rc.local.
</p>

<pre class="brush:bash;toolbar:false">[root@vpnclient openvpn]# /usr/local/sbin/openvpn --config /etc/openvpn/client.conf &
[1] 16347
[root@vpnclient openvpn]# Thu Jul  7 19:49:00 2016 OpenVPN 2.2.2 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Jul  7 2016
Thu Jul  7 19:49:00 2016 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
... (lines omitted)
Thu Jul  7 19:49:03 2016 ROUTE default_gateway=192.168.3.251
Thu Jul  7 19:49:04 2016 TUN/TAP device tun0 opened
Thu Jul  7 19:49:04 2016 TUN/TAP TX queue length set to 100
Thu Jul  7 19:49:04 2016 /sbin/ifconfig tun0 10.8.0.10 pointopoint 10.8.0.9 mtu 1500
Thu Jul  7 19:49:04 2016 /sbin/route add -net 192.168.18.0 netmask 255.255.255.0 gw 10.8.0.9
Thu Jul  7 19:49:04 2016 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.9
Thu Jul  7 19:49:04 2016 Initialization Sequence Completed</pre>

<p>
  After dialing in successfully, a new interface tun0 appears:
</p>

<pre class="brush:bash;toolbar:false">[root@vpnclient openvpn]# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.10  P-t-P:10.8.0.9  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)</pre>

<p>
  For a user with password authentication, sunny for example, upload sunny.crt, sunny.key and sunny.ovpn to /etc/openvpn. sunny.ovpn contains:
</p>

<pre class="brush:bash;toolbar:false">client
dev tun
proto tcp
remote 192.168.3.204 52115
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert sunny.crt
key sunny.key
ns-cert-type server
comp-lzo
verb 3
script-security 3</pre>


<p>
  Create the password file pass.txt under /etc/openvpn:
</p>

<pre class="brush:bash;toolbar:false">123456</pre>

<p>
  For safety, set the permissions of pass.txt to 400:
</p>

<pre class="brush:bash;toolbar:false">chmod 400 /etc/openvpn/pass.txt</pre>

<p>
  Start the client:
</p>

<pre class="brush:bash;toolbar:false">openvpn --config /etc/openvpn/sunny.ovpn --askpass /etc/openvpn/pass.txt &</pre>


<p>
  To start it at boot:
</p>

<pre class="brush:bash;toolbar:false">echo 'openvpn --config /etc/openvpn/sunny.ovpn --askpass /etc/openvpn/pass.txt >/dev/null &' >>/etc/rc.local</pre>

<p>
  3.2.4<span style="font: 9px/normal 'Times New Roman';">&nbsp;&nbsp; </span>Check the route changes and connectivity
</p>

<p>
  Test that 192.168.18.203 is reachable; after stopping the openvpn service (pkill openvpn) it is unreachable again. The Linux client is configured successfully.
</p>

<p>
  <a href="#%E8%BF%9E%E9%80%9A%E6%80%A7%E6%B5%8B%E8%AF%95">Connectivity problems are handled the same way as on the Windows client; see 3.1.6</a>
</p>


<hr />


<p>
  <span style="color: #0070c0;"><strong><span style="font-size: 24px;">4.<span style="line-height: normal; font-family: 'Times New Roman'; font-style: normal; font-variant: normal; font-weight: normal;">&nbsp;&nbsp;&nbsp; </span>OpenVPN high-availability solutions</span></strong></span>
</p>

<p>
  <strong>4.1<span style="font: 9px/normal 'Times New Roman';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span>Proxy access through OpenVPN</strong>
</p>

<p>
  4.1.1<span style="font: 9px/normal 'Times New Roman';">&nbsp;&nbsp; </span>Requirements analysis for the firewall-bypass (full-tunnel) solution
</p>

<p>
  This works like a web proxy: once the client's traffic goes through the proxy, its source address becomes vpnserver's public IP, and all of the client's Internet traffic passes through vpnserver, as if the remote vpnserver itself were requesting the web pages. In the normal mode described earlier, only traffic to specific remote internal servers went through vpnserver; all other Internet access still used the client's local network. If this vpnserver is located abroad, foreign websites can be reached through it. Do not use this method for illegal purposes; you bear the consequences yourself.
</p>

<p>
  The logic is shown in the figure below:
</p>

<p>
  <a href="https://clsn.io/wp-content/uploads/2018/03/wKioL1eYSv_SR_28AAEQIOFvqZE761.png-wh_500x0-wm_3-wmp_4-s_3462300254.png" target="_blank" class="fancybox" data-fancybox-group="button"><img style="float: none;" title="openvpn代理访问(翻墙)逻辑图.png" data-original="https://clsn.io/wp-content/uploads/2018/03/wKioL1eYSv_SR_28AAEQIOFvqZE761.png-wh_500x0-wm_3-wmp_4-s_3462300254.png" src="/wp-content/themes/clsn-003/img/blank.gif" alt="OpenVPN proxy access (full-tunnel) logic diagram" /></a>
</p>

<p>
  4.1.2<span style="font: 9px/normal 'Times New Roman';">&nbsp;&nbsp; </span>Proxy access configuration
</p>

<p>
  Compared with the normal configuration, add the following to server.conf:
</p>

<pre class="brush:bash;toolbar:false">push "redirect-gateway def1 bypass-dhcp bypass-dns"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"</pre>

<p>
  Enable IP forwarding:
</p>

<pre class="brush:bash;toolbar:false">sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#g' /etc/sysctl.conf
sysctl -p</pre>

<p>
  Enable NAT in the firewall:
</p>

<pre class="brush:bash;toolbar:false">iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE</pre>

<p>
  Open the firewall port:
</p>

<pre class="brush:bash;toolbar:false">iptables -A INPUT -p udp -m state --state NEW -m udp --dport 52115 -j ACCEPT</pre>
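<p>
  A full-tunnel server only works when four independently edited pieces agree: the <code>push "redirect-gateway ..."</code> line, <code>net.ipv4.ip_forward</code>, the POSTROUTING NAT for the subnet that <code>server</code> hands out, and an INPUT rule for the protocol and port the daemon actually listens on. The following is an added example (not code from the original article) that cross-checks those pieces from text in the formats shown above. The server.conf fragment is constructed: the article shows only the push lines, so <code>port 52115</code> and <code>proto tcp</code> are taken from the client files earlier on the page. Run against the article's two iptables rules as written, it flags that the INPUT rule admits UDP while the clients connect over TCP.
</p>

```python
"""Added example: consistency check for a redirect-gateway OpenVPN server.
All inputs are constructed text; nothing here talks to the kernel or iptables."""
import re

# Constructed server.conf fragment (article shows only the three push lines)
SERVER_CONF = """\
local 192.168.3.201
port 52115
proto tcp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp bypass-dns"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
"""

# The article's two firewall rules, as typed
IPTABLES_RULES = [
    "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE",
    "iptables -A INPUT -p udp -m state --state NEW -m udp --dport 52115 -j ACCEPT",
]

# Same rules with the INPUT protocol matching `proto tcp`
IPTABLES_RULES_FIXED = [
    "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE",
    "iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 52115 -j ACCEPT",
]


def mask_to_prefix(mask):
    """'255.255.255.0' -> 24 (count of set bits in the dotted mask)."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def parse_server_conf(text):
    """Collect the options the check needs; `;` and `#` start comments."""
    conf = {"proto": "udp", "port": "1194", "push": []}   # OpenVPN's defaults
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        if key == "server":
            net, mask = rest.split()
            conf["server"] = f"{net}/{mask_to_prefix(mask)}"
        elif key == "push":
            conf["push"].append(rest.strip().strip('"'))
        else:
            conf[key] = rest.strip()
    return conf


def check_full_tunnel(conf_text, rules, ip_forward):
    """Return a list of findings; an empty list means the pieces are consistent."""
    conf = parse_server_conf(conf_text)
    findings = []
    if not any(p.startswith("redirect-gateway") for p in conf["push"]):
        findings.append("server.conf does not push redirect-gateway: clients keep their local default route")
    if ip_forward != 1:
        findings.append("net.ipv4.ip_forward is not 1: the kernel will not forward traffic from tun0")
    # the INPUT rule must admit the protocol and port the daemon listens on
    input_rules = [m for m in (re.search(r"-A INPUT .*-p (\w+) .*--dport (\d+) .*-j ACCEPT", r)
                               for r in rules) if m]
    for_port = [m for m in input_rules if m.group(2) == conf["port"]]
    if not for_port:
        findings.append(f"no INPUT ACCEPT rule for port {conf['port']}")
    elif not any(m.group(1) == conf["proto"] for m in for_port):
        findings.append(f"INPUT rule opens {for_port[0].group(1)}/{conf['port']} "
                        f"but server.conf says proto {conf['proto']}")
    # the NAT rule must cover the subnet that `server` hands out to clients
    nat_subnets = [m.group(1) for m in (re.search(r"-t nat -A POSTROUTING -s (\S+) .*-j (MASQUERADE|SNAT)", r)
                                        for r in rules) if m]
    if conf.get("server") not in nat_subnets:
        findings.append(f"no POSTROUTING MASQUERADE/SNAT rule for {conf.get('server')}")
    return findings


if __name__ == "__main__":
    for label, rules in (("as written", IPTABLES_RULES), ("fixed", IPTABLES_RULES_FIXED)):
        print(label, check_full_tunnel(SERVER_CONF, rules, ip_forward=1) or ["ok"])
```

<p>
  On a live host the <code>ip_forward</code> argument would come from <code>/proc/sys/net/ipv4/ip_forward</code> and the rule list from <code>iptables-save</code>; both are kept as parameters here so the check runs offline.
</p>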

<p>
  <strong>4.2<span style="font: 9px/normal 'Times New Roman';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span>Dialing into different servers with the same account</strong>
</p>

<p>
  4.2.1<span style="font: 9px/normal 'Times New Roman';">&nbsp;&nbsp; </span>How it works
</p>

<p>
  <a href="https://clsn.io/wp-content/uploads/2018/03/wKioL1eYSv6C4vmZAADZQidMKzg408.png-wh_500x0-wm_3-wmp_4-s_1237740911.png" target="_blank" class="fancybox" data-fancybox-group="button"><img style="float: none;" title="openvpn单账号轮巡逻辑图.png" data-original="https://clsn.io/wp-content/uploads/2018/03/wKioL1eYSv6C4vmZAADZQidMKzg408.png-wh_500x0-wm_3-wmp_4-s_1237740911.png" src="/wp-content/themes/clsn-003/img/blank.gif" alt="OpenVPN single-account failover logic diagram" /></a>
</p>

<p>
  Set up two vpnservers; the second one also needs net.ipv4.ip_forward enabled. After building and installing from source, none of the certificate creation steps are needed: copy the /etc/openvpn/keys directory from vpnserver1 to vpnserver2, so that the two vpnservers are identical apart from the address clients connect to. On the client side only a new configuration file (client.conf/test2.ovpn) has to be generated.
</p>

<p>
  4.2.2<span style="font: 9px/normal 'Times New Roman';">&nbsp;&nbsp; </span>Same account, different vpnservers
</p>

<p>
  On vpnserver1, pack up the certificate directory:
</p>

<pre class="brush:bash;toolbar:false">[root@vpnserver openvpn]# cd /tmp
[root@vpnserver tmp]# tar zcvf openvpn.tar.gz /etc/openvpn/
[root@vpnserver tmp]# scp openvpn.tar.gz 192.168.3.204:/tmp</pre>

<p>
  Unpack it on vpnserver2:
</p>

<pre class="brush:bash;toolbar:false">[root@vpnserver2 tmp]# tar xf openvpn.tar.gz -C /
[root@vpnserver2 tmp]# ls /etc/openvpn/
ipp.txt  keys  openvpn-status.log  server.bak  server.conf</pre>

<p>
  Edit server.conf on vpnserver2:
</p>

<pre class="brush:bash;toolbar:false">local 192.168.3.204
server 10.8.1.0 255.255.255.0</pre>


<p>
  Start vpnserver2:
</p>

<pre class="brush:bash;toolbar:false">/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &</pre>

<p>
  Add it to the boot startup:
</p>

<pre class="brush:bash;toolbar:false">echo "/usr/local/sbin/openvpn --config /etc/openvpn/server.conf >/dev/null &" >>/etc/rc.local</pre>

<p>
  On the client, add a second configuration file; apart from the server IP address it is identical to the first.
</p>

<p>
  If one vpnserver goes down, the connection has to be disconnected by hand and re-dialed to the other vpnserver.
</p>

<p>
  Advantages: no additional single point of failure; simple configuration.
</p>

<p>
  Disadvantages: switching between dial-in servers is manual.
</p>

<p>
  <strong>4.3<span style="font: 9px/normal 'Times New Roman';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span>OpenVPN load balancing</strong>
</p>

<p>
  4.3.1<span style="font: 9px/normal 'Times New Roman';">&nbsp;&nbsp; </span>Diagram
</p>

<p>
  <a href="https://clsn.io/wp-content/uploads/2018/03/wKioL1eYSv6C4vmZAADZQidMKzg408.png-wh_500x0-wm_3-wmp_4-s_1237740911.png" target="_blank" class="fancybox" data-fancybox-group="button"><img style="float: none;" title="openvpn单账号轮巡逻辑图.png" data-original="https://clsn.io/wp-content/uploads/2018/03/wKioL1eYSv6C4vmZAADZQidMKzg408.png-wh_500x0-wm_3-wmp_4-s_1237740911.png" src="/wp-content/themes/clsn-003/img/blank.gif" alt="OpenVPN single-account round-robin logic diagram" /></a>
</p>

<p>
  4.3.2<span style="font: 9px/normal 'Times New Roman';">&nbsp;&nbsp; </span>Load-balancing implementation
</p>

<p>
  Configure each server to hand out a different client address range:
</p>

<pre class="brush:bash;toolbar:false">server1
    server 10.8.0.0 255.255.255.0
server2
    server 10.8.1.0 255.255.255.0
server3
    server 10.8.2.0 255.255.255.0</pre>

<p>
  On vpnserver2 add one of the following rules for address translation.
</p>

<p>
  Method 1:
</p>

<pre class="brush:bash;toolbar:false">iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE</pre>


<p>
  Method 2:
</p>

<pre class="brush:bash;toolbar:false">iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j SNAT --to-source 192.168.18.204</pre>


<p style="margin-left: 14px;">
  Client configuration file changes:
</p>

<pre class="brush:bash;toolbar:false">remote 192.168.3.201 52115
remote 192.168.3.204 52115
remote-random
resolv-retry 20</pre>

<p>
  This way only one configuration file is needed; when one vpnserver goes down, the client automatically connects to the other vpnserver after 20 seconds.
</p>


<hr />


<p>
  <span style="color: #0070c0;"><strong><span style="font-size: 24px;">5.<span style="line-height: normal; font-family: 'Times New Roman'; font-style: normal; font-variant: normal; font-weight: normal;">&nbsp;&nbsp;&nbsp; </span>OpenVPN unified identity authentication solutions</span></strong></span>
</p>

<p>
  5.1<span style="font: 9px/normal 'Times New Roman';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span>Types of OpenVPN unified authentication
</p>

<p style="margin-left: 52px;">
  1)<span style="font: 9px/normal 'Times New Roman';">&nbsp; </span>Authentication with a local certificate and key
</p>

<p style="margin-left: 52px;">
  2)<span style="font: 9px/normal 'Times New Roman';">&nbsp; </span>Local file authentication
</p>

<p style="text-indent: 0px; margin-left: 52px;">
  Create a local username/password file and verify against it with a script
</p>

<p style="margin-left: 52px;">
  3)<span style="font: 9px/normal 'Times New Roman';">&nbsp; </span>Database authentication
</p>

<p style="text-indent: 0px; margin-left: 52px;">
  Method 1: a script or PHP program reads the credentials from a MySQL database instead of a local file
</p>

<p style="text-indent: 0px; margin-left: 52px;">
  Method 2: the pam_mysql module
</p>

<p style="margin-left: 52px;">
  4)<span style="font: 9px/normal 'Times New Roman';">&nbsp; </span>LDAP unified user authentication
</p>

<p>
  Method 1: openvpn-auth-ldap
</p>

<p>
  Method 2: following the file-authentication approach, query LDAP from the script; this can also be combined with a comparison against a local file
</p>

<p style="margin-left: 52px;">
  5)<span style="font: 9px/normal 'Times New Roman';">&nbsp; </span>RADIUS (Remote Authentication Dial In User Service) authentication, used mainly for authentication, authorization and accounting
</p>

<p style="margin-left: 52px;">
  6)<span style="font: 9px/normal 'Times New Roman';">&nbsp; </span>Microsoft Active Directory authentication (can be integrated with LDAP)
</p>

<p style="margin-left: 52px;">
  7)<span style="font: 9px/normal 'Times New Roman';">&nbsp; </span>Authentication combined with hardware tokens such as USB security keys (U盾)
</p>

<p>
  5.2<span style="font: 9px/normal 'Times New Roman';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span>OpenVPN local authentication
</p>

<p>
  5.2.1<span style="font: 9px/normal 'Times New Roman';">&nbsp;&nbsp; </span>Server configuration
</p>

<p>
  Add the following to /etc/openvpn/server.conf:
</p>

<pre class="brush:bash;toolbar:false">#auth password added by sunny
script-security 3
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
client-cert-not-required
username-as-common-name</pre>

<p>
  Notes:
</p>

<p>
  script-security 3&nbsp; <span style="color: #0033cc;">enable script execution at level 3 (level 3 additionally allows the user's password to be passed to the script through environment variables, which via-env relies on)</span>
</p>

<p>
  auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env&nbsp; <span style="color: #0033cc;">verify users against the local file with a script</span>
</p>

<p>
  client-cert-not-required&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="color: #0033cc;">do not verify the client certificate; comment this line out to require both a certificate and a password</span>
</p>

<p>
  username-as-common-name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="color: #0033cc;">use the username supplied by the client as the Common Name</span>
</p>

<p style="text-indent: 0px; margin-left: 28px;">
  Create the script checkpsw.sh under /etc/openvpn:
</p>

<pre class="brush:bash;toolbar:false">#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman &lt;[email protected]&gt;
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

# OpenVPN exports the submitted credentials as $username and $password (via-env)
if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi

# first field is the user name, second field the password; ';' and '#' start comments
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1</pre>

<p>
  Make it executable:
</p>

<pre class="brush:bash;toolbar:false">chmod u+x checkpsw.sh</pre>

<p>
  Create the password file /etc/openvpn/psw-file, one entry per line with the username first and the password after it, separated by spaces or a tab:
</p>

<pre class="brush:bash;toolbar:false">client01        111111
client02        123456</pre>

<p>
  Restrict the permissions of the password file:
</p>

<pre class="brush:bash;toolbar:false">chmod 400 psw-file</pre>

<p>
  Restart openvpn:
</p>

<pre class="brush:bash;toolbar:false">pkill openvpn
ps -ef|grep openvpn
/etc/init.d/openvpn start
ps -ef|grep openvpn</pre>
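<p>
  Two properties of the checkpsw.sh setup above are worth knowing before it leaves a lab: psw-file holds every password in clear text, and the script writes the submitted password into openvpn-password.log whenever a login fails (a mistyped password for a valid user ends up in the log). The following is an added example, not code from the article or from OpenVPN, of a verify script that keeps the same contract (auth-user-pass-verify ... via-env: <code>username</code> and <code>password</code> arrive in the environment, exit 0 accepts, exit 1 rejects) but stores salted PBKDF2 hashes and logs only the outcome and the user name. The three-field file format, the iteration count and the file paths are this example's own choices; <code>make_entry</code> produces the line to put into the password file for a new user.
</p>

```python
#!/usr/bin/env python3
"""Added example: OpenVPN auth-user-pass-verify script (via-env mode) that
checks salted PBKDF2-SHA256 hashes instead of clear-text passwords.
Password file format (assumed here): one "user hexsalt hexhash" per line."""
import hashlib
import hmac
import os
import secrets
import sys
import time

PASSFILE = "/etc/openvpn/psw-file"            # path assumed for this example
LOG_FILE = "/var/log/openvpn-password.log"
ITERATIONS = 200_000                          # PBKDF2 work factor chosen here


def hash_password(password, salt=None):
    """Return (hexsalt, hexhash); a fresh random salt is drawn when none is given."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex(), digest.hex()


def make_entry(username, password):
    """Line to append to PASSFILE for a new user."""
    hexsalt, hexhash = hash_password(password)
    return f"{username} {hexsalt} {hexhash}"


def verify(username, password, passfile_text):
    """True only if username exists and the hash matches (constant-time compare).
    Comment lines (';' or '#') and malformed lines are ignored, like checkpsw.sh."""
    for line in passfile_text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] != username:
            continue
        hexsalt, stored = parts[1], parts[2]
        _, computed = hash_password(password, bytes.fromhex(hexsalt))
        return hmac.compare_digest(computed, stored)
    return False


def log(msg):
    """Append a timestamped line; logging problems must not turn into accepts."""
    try:
        with open(LOG_FILE, "a") as f:
            f.write(f"{time.strftime('%Y-%m-%d %H:%M:%S')}: {msg}\n")
    except OSError:
        pass


def main():
    # OpenVPN (script-security 3, via-env) exports the credentials like this
    username = os.environ.get("username", "")
    password = os.environ.get("password", "")
    try:
        with open(PASSFILE) as f:
            text = f.read()
    except OSError:
        log(f"could not read {PASSFILE}")
        return 1
    ok = verify(username, password, text)
    # the outcome and the user name are logged; the password never is
    log(f"{'accepted' if ok else 'rejected'} username={username!r}")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

<p>
  Point <code>auth-user-pass-verify</code> at this file instead of checkpsw.sh, keep <code>via-env</code> and <code>script-security 3</code>, and keep the password file at mode 400 as in the article: the hashes slow an offline guess but do not replace file permissions.
</p>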

<p>
  5.2.2<span style="font: 9px/normal 'Times New Roman';">&nbsp;&nbsp; </span>Client configuration
</p>

<p>
  5.2.2.1<span style="font: 9px/normal 'Times New Roman';">&nbsp;</span>Windows client configuration
</p>

<p>
  Edit the test user's client configuration file test-192.168.3.201.ovpn and add the new entries (the cert and key lines are commented out with <code>;</code> and <code>auth-user-pass</code> is added). The modified configuration is as follows:
</p>

<pre class="brush:bash;toolbar:false">client
dev tun
proto tcp
remote 192.168.3.201 52115
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
;cert test.crt
;key test.key
ns-cert-type server
comp-lzo
verb 3
auth-user-pass</pre>


<p>
  5.2.2.2<span style="font: 9px/normal 'Times New Roman';">&nbsp;</span>Linux client configuration
</p>

<p>
  The relevant lines of the Linux client configuration file are as follows:
</p>

<pre class="brush:bash;toolbar:false">;cert test.crt
;key test.key
auth-user-pass /etc/openvpn/psw-file</pre>


<p>
  Create the password file /etc/openvpn/psw-file: the first line is the username, the second line the password.
</p>

<pre class="brush:bash;toolbar:false">client02
123456</pre>

<p>
  Set its permissions to 400:
</p>

<pre class="brush:bash;toolbar:false">chmod 400 /etc/openvpn/psw-file</pre>

<p>
  Add it to the boot startup:
</p>

<pre class="brush:bash;toolbar:false">echo "/usr/local/sbin/openvpn --config /etc/openvpn/client.conf >/dev/null &" >>/etc/rc.local</pre>

<p>
  Reading the password from a file requires that OpenVPN was built with the --enable-password-save option, i.e.:
</p>

<pre class="brush:bash;toolbar:false">./configure --enable-password-save --with-lzo-lib=/usr/local/lib --with-lzo-headers=/usr/local/include</pre>

<p>
  Otherwise the following error is reported:
</p>

<pre class="brush:bash;toolbar:false">'Auth' password cannot be read from a file</pre>

<p>
  5.2.3<span style="font: 9px/normal 'Times New Roman';">&nbsp;&nbsp; </span>Connection test
</p>

<p>
  Dial in from the Windows client; a username/password prompt appears. Enter client01 / 111111.
</p>

<p>
  On the Linux client, simply start the service.
</p>


 http://blog.51cto.com/francis198/1830639