OpenVPN

OpenVPN is a software package for building encrypted virtual private network tunnels, originally written by James Yonan.

A VPN built with OpenVPN can authenticate peers with public keys, digital certificates, or a username/password.

It relies heavily on the SSLv3/TLSv1 protocol implementation of the OpenSSL cryptographic library.

OpenVPN currently runs on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, Mac OS X, Windows 2000/XP/Vista/Windows 7 and Android, and includes many security features. It is not a web-based VPN, and it is not compatible with IPsec or other VPN packages.

1. Server

1.1. An easier way: OpenVPN Access Server

Refer to http://openvpn.net/index.php/access-server/docs/quick-start-guide.html

1.1.1. Server Info

OpenVPN Access Server consists of three major components:

Free for 2 connections

1.1.2. Installation

Software Packages: http://openvpn.net/index.php/access-server/download-openvpn-as-sw.html

# wget http://swupdate.openvpn.org/as/openvpn-as-2.0.3-Ubuntu12.i386.deb
# dpkg -i openvpn-as-2.0.3-Ubuntu12.i386.deb
The Access Server has been successfully installed in /usr/local/openvpn_as
Configuration log file has been written to /usr/local/openvpn_as/init.log
Please enter "passwd openvpn" to set the initial
administrative password, then login as "openvpn" to continue
configuration here: https://www.greatwall.com:943/admin
To reconfigure manually, use the /usr/local/openvpn_as/bin/ovpn-init tool.
# passwd openvpn
# service openvpnas start

The admin web interface is where the service settings are configured and users are managed.

Users then log in to the Access Server client web interface with their own account, download the .ovpn profile generated for them, and import it into their client to complete the connection setup.

1.2. Installing and configuring OpenVPN Server manually

Refer to http://openvpn.net/index.php/open-source/documentation/install.html

Dependencies:

Install on Ubuntu:

# apt-get install openvpn
# cd /usr/share/openvpn/

Certificate generation and packaging script:

# Fetch the legacy easy-rsa 2.0 scripts and work from a private copy
wget https://github.com/OpenVPN/easy-rsa-old/archive/master.zip -O easy-rsa.zip
unzip easy-rsa.zip
cp -r easy-rsa-old-master/easy-rsa/2.0/ easy-rsa
cd easy-rsa
source ./vars       # loads KEY_DIR (./keys) and the default KEY_* values
./clean-all         # wipes ./keys; never run this against an existing CA
VPN_NAME="li3huo"
SVRNAME=$VPN_NAME"-server"
CLINAME=$VPN_NAME"-client"
PORT="8080"
SERVERIP="li3huo.com"

# Certificate subject fields; these override the defaults loaded from ./vars
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="BJ"
export KEY_ORG="WhatEver"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_CN=$VPN_NAME
export KEY_OU=$VPN_NAME

export KEY_NAME=$SVRNAME

./build-ca          # CA key and certificate: keys/ca.key (keep this offline) and keys/ca.crt
./build-dh          # DH parameters; the size follows KEY_SIZE in ./vars (the dh1024.pem copied below implies the 1024-bit default)

./build-key-server $SVRNAME              # server certificate with the server extensions set
openvpn --genkey --secret keys/ta.key    # shared tls-auth key: HMAC on the control channel
export KEY_NAME=$CLINAME
./build-key $CLINAME                     # one client certificate; repeat with a new name for each client

Edit the configs:

cd keys             # easy-rsa wrote the CA, certificates and ta.key here
wget https://github.com/OpenVPN/openvpn/raw/master/sample/sample-config-files/{server.conf,client.conf}
vi server.conf      # optional manual review; the sed edits below make the required changes

#server
# Pick a random 10.x.y.0/24 for the tunnel so it is unlikely to collide with a client's LAN
VPNSUBNET="10"."$((RANDOM%255))"."$((RANDOM%255))".0

# Sets port, subnet and key files, then uncomments tls-auth, redirect-gateway,
# the dhcp-option DNS pushes and duplicate-cn. duplicate-cn lets several clients
# connect with the same certificate; leave it commented when each client gets
# its own certificate as above, so a single leaked client key can be revoked.
sed "s/^port.\+/port $PORT/;
s/^server.\+/server $VPNSUBNET 255.255.255.0/;
s/^cert.\+/cert $SVRNAME.crt/;
s/^key.\+/key $SVRNAME.key/;
s/^;\(tls-auth.\+$\)/\1/;
s/^;\(push \"redirect-gateway.\+\)/\1/;
s/^;\(push \"dhcp-option.\+\)/\1/;
s/^;\(duplicate-cn\)/\1/" -i server.conf

mkdir $SVRNAME
cp server.conf dh1024.pem ta.key ca.crt $SVRNAME.crt $SVRNAME.key $SVRNAME
tar cvfz ../../$SVRNAME.tar.gz $SVRNAME      # lands in /usr/share/openvpn


#client
# Points the client at the server and enables tls-auth (key direction 1 on the client side)
sed "s/^remote.\+/remote $SERVERIP $PORT/;
s/^cert.\+/cert $CLINAME.crt/;
s/^key.\+/key $CLINAME.key/;
s/^;\(tls-auth.\+$\)/\1/" -i client.conf

mkdir $CLINAME
cp client.conf ta.key ca.crt $CLINAME.crt $CLINAME.key $CLINAME
tar cfz ../../$CLINAME.tar.gz $CLINAME       # contains the client private key and ta.key: hand it over on a trusted channel only
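As an added example (not from the original page or the OpenVPN project), a small POSIX shell audit of the server.conf the sed script above produces: it checks that tls-auth really was uncommented, flags the 1024-bit DH file and duplicate-cn, and sanity-checks the randomly generated 10.x.y.0 subnet. The sample config it writes is constructed here to mirror the script's output.

```shell
#!/bin/sh
# Added audit helper, not part of the original page or of OpenVPN/easy-rsa.
# audit_server_conf FILE prints one line per finding and returns the number
# of findings (0 = nothing to fix). It checks the lines the sed script edits.
audit_server_conf() {
    conf="$1"; n=0
    # tls-auth must be uncommented, with key direction 0 on the server side
    grep -Eq '^tls-auth[[:space:]]+ta\.key[[:space:]]+0' "$conf" \
        || { echo "tls-auth ta.key 0 is not enabled"; n=$((n+1)); }
    # easy-rsa 2.0's default KEY_SIZE yields dh1024.pem; 1024-bit DH is weak
    grep -Eq '^dh[[:space:]]+dh1024\.pem' "$conf" \
        && { echo "dh1024.pem: rebuild with KEY_SIZE=2048 before deploying"; n=$((n+1)); }
    # duplicate-cn lets every client share one certificate; one leaked key
    # then cannot be revoked without cutting off all clients at once
    grep -Eq '^duplicate-cn' "$conf" \
        && { echo "duplicate-cn is enabled; issue one certificate per client"; n=$((n+1)); }
    # sanity-check the 10.x.y.0 subnet produced from $RANDOM
    subnet=$(awk '$1=="server"{print $2; exit}' "$conf")
    case "$subnet" in
        10.*.*.0)
            o2=${subnet#10.}; o2=${o2%%.*}
            o3=${subnet#10.*.}; o3=${o3%%.*}
            [ "$o2" -le 255 ] 2>/dev/null && [ "$o3" -le 255 ] 2>/dev/null \
                || { echo "server subnet $subnet has an octet above 255"; n=$((n+1)); } ;;
        *)  echo "server subnet '$subnet' is not of the form 10.x.y.0"; n=$((n+1)) ;;
    esac
    return "$n"
}

# Writes a constructed server.conf shaped like the sed output above (sample
# data, not a real deployment). $2 = dh file name, $3 = extra line or "".
write_sample_conf() {
    {
        printf '%s\n' "port 8080" "proto udp" "dev tun" "ca ca.crt" \
            "cert li3huo-server.crt" "key li3huo-server.key" "dh $2" \
            "server 10.173.42.0 255.255.255.0" "tls-auth ta.key 0"
        if [ -n "$3" ]; then printf '%s\n' "$3"; fi
    } > "$1"
}

# Demo: audit a config that mirrors the page's script (expects 2 findings)
demo=$(mktemp); write_sample_conf "$demo" dh1024.pem duplicate-cn
n=0; audit_server_conf "$demo" || n=$?
echo "findings: $n"; rm -f "$demo"
```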

1.3. Error Fix

1.3.1. IP Packet with unknown IP version=15 seen

Refer to http://www.toofishes.net/blog/openvpn-and-aoe-interaction/

# The aoe (ATA over Ethernet) kernel module listens on every interface, including tun; restrict it to lo
echo 'lo' > /sys/module/aoe/parameters/aoe_iflist

2. Client

2.1. Mac OS X

https://tunnelblick.net/

Tunnelblick is a free, open source graphic user interface for OpenVPN on OS X. It provides easy control of OpenVPN client and/or server connections.

2.2. iOS

https://itunes.apple.com/app/openvpn-connect/id590379981

This app is designed for both iPhone and iPad.

3. Reference


CategoryTool

MainWiki: OpenVPN (last edited 2013-10-29 19:29:47 by twotwo)