一、安裝準(zhǔn)備

yum -y install openssl-devel opensslyum -y install gcc gcc-c++

二、OpenVPN服務(wù)端安裝過(guò)程

1.lzo下載與安裝

cd /apps  #安裝目錄wget ftp://www.wudonghang.com/soft/openvpn-2.1_rc15.tar.gz #下載lzotar zxvf lzo-2.04.tar.gz  #解壓cd lzo-2.04./configure ; make ; make install  #編譯與安裝 

2.openvpn下載與安裝

cd /appswget http://openvpn.net/release/openvpn-2.1_rc15.tar.gztar zxvf openvpn-2.1_rc15.tar.gzcd openvpn-2.1_rc15./configure ; make ; make install

3.服務(wù)器端設(shè)置

cp -r /apps/openvpn-2.1_rc15/ /etc/openvpn #用easy-rsa生成服務(wù)器證書(shū)客戶端證書(shū) 

4.初始化參數(shù)

將解壓目錄的easy-rsa目錄復(fù)制到 /etc/openvpn下

cd /etc/openvpn/easy-rsa/2.0./varssource vars 

5.生成CA證書(shū)

./clean-all./build-ca 

6.建立server key(一直回車）

./build-key-server server

7.生成diffie hellman參數(shù)

./build-dh 

8.復(fù)制ca證書(shū)，服務(wù)端證書(shū)到OpenVPN配置目錄

復(fù)制代碼 代碼如下:
cp keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/

9.生成client key

./build-key client1 #與server key 設(shè)置一致

如要生成多個(gè)vpn賬戶，則與client1一樣生成其他客戶端證書(shū)如

./build-key client2./build-key client3

10.生成客戶端配置文件client1.ovpn

vi /etc/openvpn/easy-rsa/2.0/keys/client1.ovpn

clientremote 192.168.80.129 1194dev tun #說(shuō)明連接方式是點(diǎn)對(duì)點(diǎn)的連接，如要以以太網(wǎng)的方式則可以將tun修改為tapproto tcpresolv-retry infinitenobindpersist-keypersist-tunca ca.crtcert client1.crtkey client1.keyns-cert-type servercomp-lzoroute-delay 2route-method exeverb 3

11.打包客戶端配置文件證書(shū)等

tar czf keys.tgz ca.crt ca.key client1.crt client1.csr client1.key client1.ovpnmv keys.tgz /root 

12.創(chuàng)建并編輯服務(wù)器端配置文件server.conf

port 1194proto tcpdev tun #說(shuō)明連接方式是點(diǎn)對(duì)點(diǎn)的連接，如要以以太網(wǎng)的方式則可以將tun修改為tapca /etc/openvpn/easy-rsa/2.0/keys/ca.crtcert /etc/openvpn/easy-rsa/2.0/keys/server.crtkey /etc/openvpn/easy-rsa/2.0/keys/server.keydh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pemserver 10.8.0.0 255.255.255.0ifconfig-pool-persist ipp.txtpush "redirect-gateway"push "route 172.18.2.0 255.255.255.0" #路由轉(zhuǎn)發(fā)到內(nèi)網(wǎng)網(wǎng)段push "dhcp-option DNS 172.18.2.1"push "dhcp-option DNS 8.8.8.8"keepalive 10 120comp-lzopersist-keypersist-tunclient-to-client #如果不加則各個(gè)客戶端之間將無(wú)法連接 

13.對(duì)防火墻的相關(guān)設(shè)置

echo 1 > /proc/sys/net/ipv4/ip_forwardiptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADEiptables-save > /etc/sysconfig/iptablessed -i 's/eth0/venet0/g' /etc/sysconfig/iptables # dirty vz fix for iptables-saveecho "net.ipv4.ip_forward=1" >> /etc/sysctl.conf