
Deploying an OpenVPN Server on CentOS 6

31 August 2019 - LINUX


References:
https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-6
http://www.unixmen.com/setup-openvpn-server-client-centos-6-5/
http://docs.ucloud.cn/software/vpn/OpenVPN4CentOS.html

Background:
Recently the GFW started blocking VPN traffic, and the PPTP/L2TP VPN previously set up on the VPS has become unstable at times.
So I decided to also set up an OpenVPN server on the VPS as a fallback.

Environment:
OS: CentOS 6.4 x86_64 Minimal

  1. Install the EPEL repository
    # yum install http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

  2. Install the required dependency packages
    # yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig

  3. Install OpenVPN
    # yum install openvpn

  4. Download easy-rsa 2.x
    # wget https://github.com/OpenVPN/easy-rsa/archive/release/2.x.zip
    # unzip 2.x.zip
    # cd easy-rsa-release-2.x
    # cp -rf easy-rsa /etc/openvpn/

  5. Configure the easy-rsa vars file
    # cd /etc/openvpn/easy-rsa/2.0/
    # ln -s openssl-1.0.0.cnf openssl.cnf
    # chmod +x vars

Change the following settings in the vars file:
# vim vars

...
# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024
...
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="JP"
export KEY_PROVINCE="JP"
export KEY_CITY="Tokyo"
export KEY_ORG="heylinux.com"
export KEY_EMAIL="[email protected]"
export KEY_OU="MyOrganizationalUnit"
...

Source the vars file so its environment variables take effect:
# source ./vars

NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys

  6. Generate the required certificate files
    Remove any old certificates:
    # ./clean-all

Generate the server-side CA certificate. Because defaults were set in the vars file, you can simply press Enter at each interactive prompt:
# ./build-ca

Generating a 1024 bit RSA private key
..............................++++++
.....................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [JP]:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [heylinux.com]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [heylinux.com CA]:
Name [EasyRSA]:
Email Address [[email protected]]:

Generate the server certificate. Again press Enter through the prompts, and answer y at the two final [y/n] prompts:
# ./build-key-server heylinux.com

Generating a 1024 bit RSA private key
............++++++
................++++++
writing new private key to 'heylinux.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [JP]:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [heylinux.com]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [heylinux.com]:
Name [EasyRSA]:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'JP'
localityName          :PRINTABLE:'Tokyo'
organizationName      :PRINTABLE:'heylinux.com'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'heylinux.com'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Jan 26 09:49:38 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generate the DH parameters file:
# ./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
................................+.............++*++*++*

Generate the TLS auth key:
# cd keys
# openvpn --genkey --secret ta.key
# cd ..

Generate the client certificates, for example for two users, eric and rainbow:
# ./build-key eric

Generating a 1024 bit RSA private key
.++++++
..........................................................................++++++
writing new private key to 'eric.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [JP]:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [heylinux.com]:nginxs.com
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [eric]:
Name [EasyRSA]:
Email Address [[email protected]]:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'JP'
localityName          :PRINTABLE:'Tokyo'
organizationName      :PRINTABLE:'nginxs.com'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'eric'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Jan 26 09:52:03 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

# ./build-key rainbow

Generating a 1024 bit RSA private key
......................++++++
......................++++++
writing new private key to 'rainbow.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [JP]:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [heylinux.com]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [rainbow]:
Name [EasyRSA]:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'JP'
localityName          :PRINTABLE:'Tokyo'
organizationName      :PRINTABLE:'heylinux.com'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'rainbow'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Jan 26 09:52:49 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
  7. Write the server configuration file:
    # vim /etc/openvpn/server.conf

    port 1194
    proto udp
    dev tun
    ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
    cert /etc/openvpn/easy-rsa/2.0/keys/heylinux.com.crt
    key /etc/openvpn/easy-rsa/2.0/keys/heylinux.com.key
    dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
    # ta.key generated above; direction 0 on the server, 1 on the client
    tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
    server 10.192.170.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 172.31.0.2"
    push "dhcp-option DOMAIN-SEARCH ap-northeast-1.compute.internal"
    push "dhcp-option DOMAIN-SEARCH ec2.drawbrid.ge"
    client-to-client
    keepalive 10 120
    comp-lzo
    user nobody
    group nobody
    persist-key
    persist-tun
    status /var/log/openvpn/openvpn-status.log
    log /var/log/openvpn/openvpn.log
    log-append /var/log/openvpn/openvpn.log
    verb 3

Notes on the configuration above:
UDP is used rather than TCP; it performs better over a poor network;
the exact paths of the ca, cert, key and dh files are specified;
the virtual IP range 10.192.170.0 is assigned to VPN clients;
ipp.txt is enabled as the client-to-virtual-IP mapping table, so that a reconnecting client gets the same IP again;
the redirect-gateway push is enabled, so that after connecting, clients send all of their traffic through the server by default;
the dhcp-option push is enabled, so that the EC2 default DNS settings are pushed to clients and their resolver configuration (such as /etc/resolv.conf on MacOS) is set up automatically;
client-to-client is enabled, so that clients can talk to each other directly;
nobody is used as the user and group to drop OpenVPN's runtime privileges;
TLS authentication (tls-auth with ta.key) is enabled;
lzo compression is enabled;
separate log files are specified;

Create the log directory:
# mkdir -p /var/log/openvpn
# chown openvpn:openvpn /var/log/openvpn

  8. Start the OpenVPN service
    # /etc/init.d/openvpn start
    # chkconfig openvpn on

  9. Configure the server: enable NAT forwarding and open the relevant ports
    # vim /etc/sysctl.conf

    ...
    net.ipv4.ip_forward = 1
    ...

# sysctl -p

# iptables -t nat -A POSTROUTING -s 10.192.170.0/24 -o eth0 -j MASQUERADE

# iptables -A INPUT -p udp --dport 1194 -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# /etc/init.d/iptables save
# /etc/init.d/iptables restart
# chkconfig iptables on
Note: if you are using a cloud host such as EC2, skip the port-filtering steps above and configure them in the Security Group instead.

  10. Configure the OpenVPN client
    Copy the certificates generated on the server into one place, e.g. for the user rainbow:
    # mkdir -p /home/rainbow/tmp/openvpn_heylinux
    # cd /home/rainbow/tmp/openvpn_heylinux
    # cp -rpa /etc/openvpn/easy-rsa/2.0/keys/ta.key .
    # cp -rpa /etc/openvpn/easy-rsa/2.0/keys/ca.crt .
    # cp -rpa /etc/openvpn/easy-rsa/2.0/keys/rainbow.crt .
    # cp -rpa /etc/openvpn/easy-rsa/2.0/keys/rainbow.key .

Create the ovpn configuration file for the user rainbow:
# vim rainbow.ovpn

client
dev tun
proto udp
remote 54.238.131.140 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert rainbow.crt
key rainbow.key
remote-cert-tls server
tls-auth ta.key 1
comp-lzo
verb 3

Pack the certificate files and the ovpn configuration together:
# cd /home/rainbow/tmp
# tar cf openvpn_heylinux.tar openvpn_heylinux

Download the resulting openvpn_heylinux.tar to your local machine;

On Windows, download and install the OpenVPN client:
Download: http://openvpn.net/index.php/download.html
Then put the certificate files and rainbow.ovpn into the C:/Program Files/OpenVPN/config directory, double-click the OpenVPN icon on the desktop and choose the connection you want;

On MacOS, download and install Tunnelblick:
Download: https://code.google.com/p/tunnelblick/
Then unpack openvpn_heylinux.tar and rename the directory to heylinux.com.tblk;
locate heylinux.com.tblk in Finder and double-click it;
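As an added example (not from the original post), the loose files copied above can instead be bundled into a single .ovpn with inline ca/cert/key/tls-auth blocks, which is easier to hand to a user than a tar; it assumes the easy-rsa keys directory layout used above and a POSIX sh with awk.

```shell
#!/bin/sh
# Build a single-file client profile from the easy-rsa keys directory.
# OpenVPN 2.x reads <ca>...</ca>, <cert>, <key> and <tls-auth> inline
# blocks; "key-direction 1" replaces the trailing "1" of "tls-auth ta.key 1".
# Assumed layout: KEYDIR/ca.crt, KEYDIR/USER.crt, KEYDIR/USER.key, KEYDIR/ta.key

# inline_block TAG FILE: wrap the key material of FILE in <TAG>...</TAG>,
# keeping only from the first "-----BEGIN" line onward (drops the textual
# certificate dump that build-key prepends to .crt files and the comment
# header of ta.key).
inline_block() {
    echo "<$1>"
    awk '/^-----BEGIN/{p=1} p' "$2"
    echo "</$1>"
}

# make_profile KEYDIR USER SERVER_ADDR  -> writes the profile to stdout,
# returns 1 (writing nothing) if any of the four input files is missing
make_profile() {
    keydir="$1"; user="$2"; server="$3"
    for f in ca.crt "$user.crt" "$user.key" ta.key; do
        [ -r "$keydir/$f" ] || { echo "missing $keydir/$f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
key-direction 1
comp-lzo
verb 3
EOF
    inline_block ca "$keydir/ca.crt"
    inline_block cert "$keydir/$user.crt"
    inline_block key "$keydir/$user.key"
    inline_block tls-auth "$keydir/ta.key"
}

# Usage: make_profile /etc/openvpn/easy-rsa/2.0/keys rainbow 54.238.131.140 > rainbow.ovpn
```

The user's private key is embedded in the profile, so hand it over on a channel you trust and delete the staging copy afterwards.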

  11. Below are screenshots taken after a successful connection on MacOS:
    [Screenshots 1-4 not available in this copy]


I. Concepts


 

1. What a VPN is

  A VPN (virtual private network) is a technology for building a dedicated data communication network on top of a public network, relying on an ISP or other NSP. In a VPN, the link between any two points is not the end-to-end physical link a traditional private network requires; it is composed dynamically from public network resources. It can be understood as a point-to-point leased-line capability emulated on a public data network by means of private tunneling, offering the same functions as a dedicated network. "Virtual" means that no actual remote physical line has to be laid; the public Internet is borrowed instead.

2. What a VPN does

  A VPN lets a company's remote users (on business trips or at home), its branch offices, business partners and suppliers build a trusted, secure connection, or a LAN-style connection, to the company's own network, ensuring encrypted data transmission and access to business systems. For operations engineers, it can also join different server rooms into one LAN so that the related traffic can be managed.

3. Common open-source VPN products

  PPTP VPN

  Its biggest advantage is that no separate VPN client software needs to be installed on Windows clients; Windows supports PPTP VPN dial-up out of the box. It is a point-to-point application, well suited to remote company users dialing in to the office; its drawback is that many residential networks and network devices do not support PPTP, so it cannot be reached from them. OpenVPN has quite a few advantages over PPTP VPN, the most obvious being NAT traversal: in a NAT environment, OpenVPN only needs a single port mapping on the router, with no other routing support, whereas not all routers can be configured for NAT traversal, only higher-end ones offer it. Second, OpenVPN uses certificates to encrypt transmitted data, so its security is also better than PPTP VPN, but it is much more complex to configure than PPTP VPN. Moreover, an OpenVPN client only needs a double-click to connect to the server, which subjectively feels less secure; the following therefore describes user/password authentication with OpenVPN, where revoking a user account only requires deleting that record from the password file, which is very convenient.

  SSL VPN (OpenVPN)

  PPTP is mainly designed for users who are frequently on the road or working from home, whereas OpenVPN not only covers PPTP's scenarios but also suits uninterrupted on-demand VPN links between a company's headquarters and its remote sites, for example ERP, OA and instant-messaging tools used across a head office and its branches. Drawback: client software must be installed separately.

  IPSEC VPN

  Also suited to uninterrupted on-demand VPN links between a company's remote sites or between several IDC server rooms, and simpler and more convenient to configure and use. The open-source IPSEC VPN product is openswan.

4. About OpenVPN

  OpenVPN is an application-layer VPN implementation based on the OpenSSL library. Compared with traditional VPNs, its advantage is that it is simple and easy to use.

  OpenVPN allows the endpoints forming the VPN to authenticate with pre-shared keys, digital certificates, or a username/password. It makes heavy use of the SSLv3/TLSv1 protocol library from OpenSSL. OpenVPN runs on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, Mac OS X and Windows 2000/XP/Vista and includes many security features. It is not a web-based VPN product, and it is not compatible with IPsec or other VPN packages.

  Since OpenVPN 2.0, username/password authentication has been available; it can omit client certificates, but a server certificate is still required for encryption. All OpenVPN traffic goes through a single IP port; UDP is the default and recommended transport, and TCP is also supported. OpenVPN connections can pass through most proxy servers and work well behind NAT. The server can "push" certain network configuration to clients, including IP addresses and routes. OpenVPN offers two kinds of virtual network interface through the generic Tun/Tap driver: a layer-3 IP tunnel, or a virtual layer-2 Ethernet, the latter able to carry any kind of layer-2 Ethernet frame. Transmitted data can be compressed with the LZO algorithm. When choosing the protocol, look at the network between the two ends of the encrypted tunnel: with high latency or heavy packet loss, choose TCP as the underlying protocol, because UDP is connectionless and has no retransmission mechanism, so retransmission is left to the protocol carried inside the tunnel, which is very inefficient.

 

II. Installing OpenVPN


 

  1. Environment

[Image 5: environment description, not available in this copy]

  2. Preparation

    # Disable selinux
    setenforce 0
    sed -i '/^SELINUX=/c\SELINUX=disabled' /etc/selinux/config

    # Install openssl and lzo; lzo compresses tunnel traffic to speed up transfers
    yum -y install openssl openssl-devel
    yum -y install lzo

    # Enable IP forwarding and apply it without a reboot
    echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
    sysctl -p

  3. Install from the yum repository

    wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-10.noarch.rpm
    rpm -Uvh epel-release-7-10.noarch.rpm
    yum install openvpn -y
    yum install easy-rsa # install easy-rsa to generate the keys

  4. Generate the keys

First set up the environment variables (the vars file after editing, comments stripped):

# cp -R /usr/share/easy-rsa/ /etc/openvpn
# cat /etc/openvpn/easy-rsa/2.0/vars  | grep -v "^#"
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SH"
export KEY_CITY="SH"
export KEY_ORG="TY"
export KEY_EMAIL="lalala@test.com"
export KEY_OU="shop"
export KEY_NAME="EasyRSA"
export KEY_CN="server"  


Generate the keys:

# Initialise the environment variables
cd /etc/openvpn/easy-rsa/2.0/
source vars

# Remove all certificate-related files under the keys directory
# The certificates and keys generated in the following steps land in /etc/openvpn/easy-rsa/2.0/keys
./clean-all

# Generate the root certificate ca.crt and root key ca.key (just press Enter through the prompts)
./build-ca

# Generate the server certificate and key (press Enter through the prompts; when asked y/n, type y and Enter, twice in total)
./build-key-server server

# Every VPN client that logs in needs a certificate, and each certificate can serve only one connected client at a time; two are created below
# Generate the client certificates and keys (press Enter through the prompts; when asked y/n, type y and Enter, twice in total)
./build-key client1
./build-key client2

# Create the Diffie-Hellman parameters, producing dh2048.pem (this is slow; do not interrupt it)
./build-dh

# Generate the ta.key file (HMAC protection of the port against DoS, UDP floods and similar attacks)
openvpn --genkey --secret keys/ta.key

# Copy the certificate files into the OpenVPN configuration directory
cd /etc/openvpn/easy-rsa/2.0/keys
cp dh2048.pem ca.crt server.crt server.key ta.key /etc/openvpn/server
cp /usr/share/doc/openvpn-2.4.3/sample/sample-config-files/server.conf /etc/openvpn/server/
  5. Example server-side configuration; for a directive-by-directive explanation of server.conf see the companion article: OpenVPN Server configuration explained

    # cat /etc/openvpn/server/server.conf

    local 10.2.2.37
    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key # This file should be kept secret
    dh dh2048.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp" # after connecting, clients use the server's Internet connection
    push "dhcp-option DNS 223.5.5.5" # tested: a DNS server must be pushed to clients and masquerade enabled on the firewall before clients can reach the Internet through the server
    client-to-client
    duplicate-cn
    keepalive 10 120
    cipher AES-256-CBC
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    log-append openvpn.log
    verb 3
    explicit-exit-notify 1
    script-security 3

    auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env # use password authentication
    client-cert-not-required
    username-as-common-name

  6. Firewall configuration

    First make sure firewalld is running
    systemctl status firewalld.service

    Check which services are already allowed through:
    # firewall-cmd --list-services
    dhcpv6-client http https ssh

    dhcpv6-client, http, https and ssh are already present; next add openvpn:
    # firewall-cmd --add-service openvpn
    success
    # firewall-cmd --permanent --add-service openvpn
    success

    Finally add masquerade; testing showed that clients can only reach the Internet through the server once this is enabled:
    # firewall-cmd --add-masquerade
    success
    # firewall-cmd --permanent --add-masquerade
    success

    The following command confirms that masquerade was added successfully:
    # firewall-cmd --query-masquerade
    yes

  7. Start the service; to start it automatically at boot, add the following command to /etc/rc.d/rc.local and make rc.local executable

openvpn --config /etc/openvpn/server/server.conf >> /dev/null 2>&1 &

 

III. Setting up password login in detail


 

  1. Modify the server-side configuration:

    # vim /etc/openvpn/server/server.conf
    Append the following lines at the end of the configuration file
    script-security 3 system # allow the password to be passed to the script through environment variables
    auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env # verify the username/password pair with this script
    client-cert-not-required # do not require client certificates; use the password pair instead
    username-as-common-name # use the authenticated username instead of the certificate common name

 

  2. Create the checkpsw.sh script under /etc/openvpn/:

# cat /etc/openvpn/checkpsw.sh

#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi

CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

# Note: on failure this script writes the submitted password to the log in
# clear text; drop ${password} from the two messages below if that is unwanted.
if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1

 

  3. Create the psw-file (in /etc/openvpn, the path PASSFILE in checkpsw.sh points to):

    # cd /etc/openvpn
    # echo "shenzhen password%1" > psw-file # create account/password entries; several lines are allowed, one pair per line
    # chmod 400 psw-file # restrict the file permissions; I ran this as root

 

  4. Restart the service:

    # ps -ef | grep openvpn|grep -v grep| awk '{print $2}' |xargs kill
    # openvpn --config /etc/openvpn/server/server.conf >> /dev/null 2>&1 &
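As an added example (not the original checkpsw.sh and not from the page's author), the script below keeps the same via-env contract used in steps 1 to 4 but stores salted hashes instead of clear-text passwords, never logs the submitted password, and passes the username to awk with -v rather than splicing it into the awk program. It assumes only coreutils (sha256sum, date) and awk; a slow password hash such as "openssl passwd -6" is preferable where the openssl binary is available.

```shell
#!/bin/sh
# Hardened variant of checkpsw.sh. OpenVPN ("auth-user-pass-verify ... via-env")
# sets $username and $password; exit 0 accepts the login, non-zero rejects it.
# psw-file format here: user:salt:sha256hex(salt:password), one account per line,
# lines starting with ; or # are comments (as in the original format).

PASSFILE="${PASSFILE:-/etc/openvpn/psw-file}"
LOG_FILE="${LOG_FILE:-/var/log/openvpn/openvpn-password.log}"

log() { echo "$(date '+%Y-%m-%d %T'): $*" >> "$LOG_FILE"; }

# digest SALT PASSWORD -> hex SHA-256 of "SALT:PASSWORD" (plain SHA-256 is a
# stand-in for a slow KDF so that this runs with coreutils alone)
digest() { printf '%s:%s' "$1" "$2" | sha256sum | cut -d' ' -f1; }

# make_entry USER SALT PASSWORD -> one psw-file line (run once per account)
make_entry() { printf '%s:%s:%s\n' "$1" "$2" "$(digest "$2" "$3")"; }

# check_user USER PASSWORD PASSFILE -> 0 if accepted, 1 otherwise
check_user() {
    user="$1"; pass="$2"; file="$3"
    [ -r "$file" ] || { log "cannot read password file $file"; return 1; }
    # only characters that can appear in a username field are accepted
    case "$user" in
        ""|*[!A-Za-z0-9._@-]*) log "rejected malformed username"; return 1 ;;
    esac
    line=$(awk -F: -v u="$user" '!/^[;#]/ && $1 == u { print; exit }' "$file")
    [ -n "$line" ] || { log "unknown user: $user"; return 1; }
    salt=${line#*:}; salt=${salt%%:*}
    stored=${line##*:}
    if [ "$(digest "$salt" "$pass")" = "$stored" ]; then
        log "accepted: $user"
        return 0
    fi
    log "rejected: $user"
    return 1
}

# Entry point when OpenVPN invokes the script (via-env sets $username).
if [ -n "${username:-}" ]; then
    check_user "$username" "${password:-}" "$PASSFILE"
    exit $?
fi
```

To add the account from step 3 with this format, run `make_entry shenzhen s4lt 'password%1' >> /etc/openvpn/psw-file` with a fresh random salt per account.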

 

 

IV. Client configuration


 

  The OpenVPN site is currently blocked, so you have to get around the block to download the latest client from the official site. After downloading, take the certificate files packaged on the server, extract them into the config directory under the client's installation directory, and create the client configuration file client.ovpn:

  For a directive-by-directive explanation of the client configuration see the companion article: OpenVPN client configuration file explained

client
dev tun
proto udp
remote 139.219.193.3 1194
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
;cert client.crt
;key client.key
comp-lzo
verb 3
auth-user-pass             # the client logs in with a username and password
reneg-sec 360000

  

  Open the client and log in with the username and password.
For login problems, consult /etc/openvpn/server/openvpn.log on the server

 

[Image 6: client login screenshot, not available in this copy]

References:

https://openvpn.net/index.php/open-source/documentation.html

http://qiyishi.blog.51cto.com/5731577/1575758

http://blog.csdn.net/skykingf/article/details/50611061
