最近需要在一个网络比较严格的环境中搭建vpn，只有8090这个端口可以用，而且只能使用tcp协议。pptp安装和使用都很简单，具体详见之前我写的这篇文章《Ubuntu服务器中搭建PPTP VPN》，https://zhangnq.com/1287.html。不过这次如果再使用pptp估计会折腾很久，所以最后我选择了openvpn。

服务端（非bridge模式）

1、安装openvpn

apt-get install openvpn bridge-utils

2、生成证书文件

a.复制文件
mkdir /etc/openvpn/easy-rsa/
cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
b.编辑/etc/openvpn/easy-rsa/vars
vi /etc/openvpn/easy-rsa/vars
根据实际情况修改如下配置内容，也可以随便设。
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL=me@myhost.mydomain
c.安装CA和创建服务器证书
cd /etc/openvpn/easy-rsa/
chown -R root:admin .  ## make this directory writable by the system administrators
chmod g+w . ## make this directory writable by the system administrators
source ./vars ## execute your new vars file
./clean-all  ## Setup the easy-rsa directory (Deletes all keys)
./build-dh  ## takes a while consider backgrounding
./pkitool --initca ## creates ca cert and key
./pkitool --server server ## creates a server cert and key
## If you get this error:
##    "The correct version should have a comment that says: easy-rsa version 2.x"
## Try This:
##     sudo ln -s openssl-1.0.0.cnf openssl.cnf
## Refer to: https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/998918
cd keys
openvpn --genkey --secret ta.key  ## Build a TLS key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../
查看需要的证书是否都在/etc/openvpn/目录中。

3、编辑server配置文件

vi /etc/openvpn/server.conf
可以按照下面内容进行修改，各个配置信息详见说明或官方文档。配置模板也可以从这里（/usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz）复制，然后修改。
;local a.b.c.d
port 8090
proto tcp
;proto udp
;dev tap
dev tun
;dev-node MyTap
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
;server 10.8.0.0 255.255.255.0
server 172.30.178.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway def1"
push "dhcp-option DNS 114.114.114.114"
;push "dhcp-option DNS 208.67.220.220"
client-to-client
duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
comp-lzo
max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
;log         openvpn.log
log-append  openvpn.log
verb 3
;mute 20

如果报这个错误WARN: could not open database for 4096 bits.，运行以下命令即可。
touch /usr/share/openssl-blacklist/blacklist.RSA-4096

4、服务器相关配置

设置IP转发
iptables -t nat -A POSTROUTING -s 172.30.178.0/24 -o br0 -j MASQUERADE
命令中网段和网卡信息需要根据实际情况修改。
修改/etc/sysctl.conf的内容
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
重新载入/etc/sysctl.conf使其生效，sysctl –p 。
端口转发
如果openvpn是安装在kvm虚拟机中且网络是nat类型，需要设置下端口转发，具体命令如下所示。
iptables -D FORWARD 5 -t filter
iptables -D FORWARD 4 -t filter
iptables -t nat -A PREROUTING -p tcp --dport 8090 -j DNAT --to-destination 192.168.122.100:8090
iptables -t nat -A POSTROUTING -p tcp --dport 8090 -d 192.168.122.100 -j SNAT --to 192.168.122.1
重启openvpn，/etc/init.d/openvpn restart 。

客户端

1、生成客户端证书和密钥

cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
source ./vars             ## execute the vars file
./pkitool client          ## create a cert and key named "client"
## Note: if you get a 'TXT_DB error number 2' error you may need to specify
## a unique KEY_CN, for example: KEY_CN=client ./pkitool client

2、客户端配置文件Client.ovpn参考设置如下所示

client
;dev tap
dev tun
;dev-node MyTap
proto tcp
;proto udp
remote xxx.xxx.xxx.xxx 8090
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
;user nobody
;group nogroup
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
;mute 20

3、生成客户端的配置文件

把下面几个文件打包，放入客户端安装目录中的config目录中。
client.ovpn
ca.crt
client.crt
client.key
ta.key

参考网址：
1、https://help.ubuntu.com/community/OpenVPN
2、http://wuliyasutai.blog.51cto.com/1544421/1348521

1. 还没有Trackbacks