lizongbo at 618119.com: work, life, Android, front-end, Linode, Ubuntu, nginx, java, apache, tomcat, Resin, mina, Hessian, XMPP, RPC

October 27, 2010

Building and installing OpenVPN 2.1.3 from source on Ubuntu Server 10.04

Filed under: Linux — lizongbo @ 22:13

The Linux box is a VPS bought from linode.com.
1. Download the source of the OpenVPN stable release 2.1.3:
root@618119.com:/usr/local/app# wget http://openvpn.net/release/openvpn-2.1.3.tar.gz
Source:
http://openvpn.net/index.php/open-source/downloads.html
2. Unpack the source:
root@618119.com:/usr/local/app# tar -zxvf openvpn-2.1.3.tar.gz
3. Run configure before building:
root@618119.com:/usr/local/app/openvpn-2.1.3# ./configure --prefix=/usr/local/app/openvpn
The system reports:
LZO library available from http://www.oberhumer.com/opensource/lzo/
configure: error: Or try ./configure --disable-lzo
4. Install the liblzo2-dev library
root@618119.com:/usr/local/app/openvpn-2.1.3# apt-get install liblzo2-dev
Since nginx had been built against the OpenSSL source tree, the latest OpenSSL source is used for this build as well:
(for downloading the openssl source see: http://618119.com/archives/2010/10/22/174.html)
5. Run configure again:
root@618119.com:/usr/local/app/openvpn-2.1.3# ./configure --prefix=/usr/local/app/openvpn --with-ssl-lib=/usr/local/app/openssl-1.0.0a --with-ssl-headers=/usr/local/app/openssl-1.0.0a/include
6. Build and install
root@618119.com:/usr/local/app/openvpn-2.1.3# make
root@618119.com:/usr/local/app/openvpn-2.1.3# make install
7. Prepare the root certificate details:
root@618119.com:/usr/local/app/openvpn-2.1.3# cd easy-rsa/2.0/
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# vi ./vars
The entries to edit are:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="Guangdong"
export KEY_CITY="Shenzhen"
export KEY_ORG="*.618119.com"
export KEY_EMAIL="lizongbo@gmail.com"

8. Start generating the root certificate:
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/app/openvpn-2.1.3/easy-rsa/2.0/keys
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# ./clean-all
Please source the vars script first (i.e. "source ./vars")
Make sure you have edited it to reflect your configuration.
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/app/openvpn-2.1.3/easy-rsa/2.0/keys
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# ./clean-all

root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# ./build-ca
Generating a 1024 bit RSA private key
.....++++++
....................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Guangdong]:
Locality Name (eg, city) [Shenzhen]:
Organization Name (eg, company) [*.618119.com]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [*.618119.com CA]:
Name []:
Email Address [lizongbo@gmail.com]:

9. Generate the OpenVPN server certificate:
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# ./build-key-server openvpn.618119.com
Generating a 1024 bit RSA private key
..............++++++
..............................................++++++
writing new private key to 'openvpn.618119.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Guangdong]:
Locality Name (eg, city) [Shenzhen]:
Organization Name (eg, company) [*.618119.com]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [openvpn.618119.com]:
Name []:
Email Address [lizongbo@gmail.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:618119.com
An optional company name []:
Using configuration from /usr/local/app/openvpn-2.1.3/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Guangdong'
localityName          :PRINTABLE:'Shenzhen'
organizationName      :T61STRING:'*.618119.com'
commonName            :PRINTABLE:'openvpn.618119.com'
emailAddress          :IA5STRING:'lizongbo@gmail.com'
Certificate is to be certified until Oct 21 05:49:51 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
10. Generate the OpenVPN client certificate:

root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# ./build-key vpnclient.618119.com
Generating a 1024 bit RSA private key
................................++++++
...............++++++
writing new private key to 'vpnclient.618119.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Guangdong]:
Locality Name (eg, city) [Shenzhen]:
Organization Name (eg, company) [*.618119.com]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [vpnclient.618119.com]:
Name []:
Email Address [lizongbo@gmail.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:618119.com
An optional company name []:
Using configuration from /usr/local/app/openvpn-2.1.3/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Guangdong'
localityName          :PRINTABLE:'Shenzhen'
organizationName      :T61STRING:'*.618119.com'
commonName            :PRINTABLE:'vpnclient.618119.com'
emailAddress          :IA5STRING:'lizongbo@gmail.com'
Certificate is to be certified until Oct 21 05:53:31 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
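Each "Write out database with 1 new entries" line above means the openssl `ca` command behind build-key-server and build-key appended a record to easy-rsa's keys/index.txt. That file is the inventory of every certificate the CA has ever signed, so it is the place to check which certificates can still log in to the VPN. The following is an added example, not code from the blog or from easy-rsa: it parses the index.txt record format and reports the active, expired and revoked serials, plus any subject name that holds more than one valid certificate (a client cert re-issued without revoking its predecessor). The records and the audit date are constructed for the demo and use example.test names rather than the author's.

```python
"""Audit the openssl 'ca' database (easy-rsa/2.0/keys/index.txt) that build-key and
build-key-server append to. Added example, not code from the blog or from easy-rsa."""
from datetime import datetime, timezone

# Constructed sample index.txt. openssl 'ca' writes one tab-separated record per certificate:
#   status (V=valid, R=revoked, E=expired)  expiry  revocation-date[,reason] (empty unless R)
#   serial  filename (easy-rsa leaves 'unknown')  subject DN
SAMPLE_INDEX = (
    "V\t201021054951Z\t\t01\tunknown\t/C=CN/ST=Guangdong/L=Shenzhen/O=example/CN=openvpn.example.test\n"
    "V\t201021055331Z\t\t02\tunknown\t/C=CN/ST=Guangdong/L=Shenzhen/O=example/CN=vpnclient.example.test\n"
    "R\t201021060000Z\t110115120000Z,keyCompromise\t03\tunknown\t/C=CN/O=example/CN=laptop.example.test\n"
    "V\t201021060500Z\t\t04\tunknown\t/C=CN/O=example/CN=laptop.example.test\n"
    "V\t101001000000Z\t\t05\tunknown\t/C=CN/O=example/CN=old.example.test\n"
    "V\t201021061000Z\t\t06\tunknown\t/C=CN/O=example/CN=laptop.example.test\n"
)
# Audit date for the demo: the walkthrough's own week (constructed)
AS_OF = datetime(2010, 11, 1, tzinfo=timezone.utc)


def _utc(stamp):
    """openssl stores these timestamps as UTCTime: YYMMDDHHMMSSZ."""
    return datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text):
    """Return one dict per record: status, serial, cn, expires, revoked (datetime or None), reason."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revocation, serial, _filename, subject = line.split("\t")
        rev_date, _, reason = revocation.partition(",")
        dn = dict(part.split("=", 1) for part in subject.strip("/").split("/"))
        records.append({
            "status": status, "serial": serial, "cn": dn.get("CN"),
            "expires": _utc(expiry),
            "revoked": _utc(rev_date) if rev_date else None,
            "reason": reason or None,
        })
    return records


def audit(records, now):
    """Summarise which serials can still authenticate at time 'now'.
    'duplicate_cn' lists subjects with more than one unexpired, unrevoked certificate."""
    active = [r for r in records if r["status"] == "V" and r["expires"] > now]
    by_cn = {}
    for r in active:
        by_cn.setdefault(r["cn"], []).append(r["serial"])
    return {
        "active": [r["serial"] for r in active],
        "expired": [r["serial"] for r in records if r["status"] != "R" and r["expires"] <= now],
        "revoked": [r["serial"] for r in records if r["status"] == "R"],
        "duplicate_cn": {cn: serials for cn, serials in by_cn.items() if len(serials) > 1},
    }


if __name__ == "__main__":
    for key, value in audit(parse_index(SAMPLE_INDEX), AS_OF).items():
        print(f"{key}: {value}")
```

Point it at the real file with `audit(parse_index(open("keys/index.txt").read()), datetime.now(timezone.utc))`. Note that revoking a certificate with easy-rsa's revoke-full only flips the record to R here and writes keys/crl.pem; the running server keeps accepting that certificate until server.conf carries a `crl-verify` directive pointing at the CRL, which the server.conf below does not.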

11. Generate the dh (Diffie-Hellman) file:
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# ./build-dh

12. Create the config and log directories:
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# mkdir /usr/local/app/openvpn/conf
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# mkdir /usr/local/app/openvpn/conf/keys
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# mkdir /usr/local/app/openvpn/log
13. Copy the generated key files to /usr/local/app/openvpn/conf
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# cp /usr/local/app/openvpn-2.1.3/easy-rsa/2.0/keys/* /usr/local/app/openvpn/conf/keys
14. Copy the server config from the sample files.
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# cp /usr/local/app/openvpn-2.1.3/sample-config-files/server.conf   /usr/local/app/openvpn/conf/

15. Edit the config file /usr/local/app/openvpn/conf/server.conf with vi; the entries below are the ones changed from their defaults or uncommented
port 11194 # the default port 1194 was changed to 11194

proto tcp  # UDP connections turned out to be unstable in use and the cause could not be found, so TCP was tried instead
;proto udp

ca /usr/local/app/openvpn/conf/keys/ca.crt
cert /usr/local/app/openvpn/conf/keys/server.crt
key /usr/local/app/openvpn/conf/keys/server.key
dh /usr/local/app/openvpn/conf/keys/dh1024.pem

ifconfig-pool-persist /usr/local/app/openvpn/conf/ipp.txt

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

user nobody
group nobody # the existing nogroup group can be used instead; with nobody, the group must first be added with groupadd

status /usr/local/app/openvpn/log/openvpn-status.log
log         /usr/local/app/openvpn/log/openvpn.log
log-append  /usr/local/app/openvpn/log/openvpn-append.log

verb 5

15. Start OpenVPN with the config file:
root@618119.com:/etc/openvpn# /usr/local/app/openvpn/sbin/openvpn --config /usr/local/app/openvpn/conf/server.conf
After starting it, the OpenVPN process was not running.
root@618119.com:/usr/local/app/openvpn/log# tail *.log
The log shows the following error:
Sun Oct 24 07:10:38 2010 us=152299 failed to find GID for group nobody
Sun Oct 24 07:10:38 2010 us=152331 Exiting
16. Run the following command:
root@618119.com:/usr/local/app/openvpn/log# groupadd nobody

17. Start openvpn again; this time it starts successfully.
root@618119.com:/etc/openvpn# /usr/local/app/openvpn/sbin/openvpn --config /usr/local/app/openvpn/conf/server.conf

18. Set up packet forwarding on the Ubuntu Linux server:

root@618119.com:~# sudo sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
root@618119.com:~# sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

19. Configure the OpenVPN client on Ubuntu Linux:
client.conf is as follows:
client
remote *.*.*.* 11194 # specify the port: 11194.
ca /usr/local/appr/openvpn/conf/keys/ca.crt
cert /usr/local/appr/openvpn/conf/keys/vpnclient.618119.com.crt
key /usr/local/appr/openvpn/conf/keys/vpnclient.618119.com.key
reneg-sec 0
comp-lzo yes
dev tun
proto tcp # protocol changed from udp to tcp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user openvpn
group openvpn

20. Connect from the network connection.
Once openvpn is connected, http://www.youtube.com/ and http://twitter.com/ both load normally in the local browser.

Sun Oct 24 10:56:38 2010 us=259482 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
A connection error; it may be a network issue, so try connecting a few more times.

21. To use OpenVPN on Windows, first download the Windows client:
http://openvpn.net/release/openvpn-2.1.3-install.exe
After installation, on the local machine

22. Prepare the certificates and other files locally, then the client config file is C:\Program Files\OpenVPN\bin\client.ovpn
----------------------------------------------------------
client
remote *.*.*.* 11194
ca I:\\temp\\keys\\ca.crt
cert I:\\temp\\keys\\vpnclient.618119.com.crt
key I:\\temp\\keys\\vpnclient.618119.com.key
reneg-sec 0
comp-lzo yes
dev tun
proto udp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user openvpn
group openvpn

----------------------------------------------------------

23. Run the program from a DOS window to connect:

C:\Program Files\OpenVPN\bin>openvpn client.ovpn
Wed Oct 27 22:11:02 2010 NOTE: --user option is not implemented on Windows
Wed Oct 27 22:11:02 2010 NOTE: --group option is not implemented on Windows
Wed Oct 27 22:11:02 2010 OpenVPN 2.1.3 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Aug 20 2010
Wed Oct 27 22:11:02 2010 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Oct 27 22:11:02 2010 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Oct 27 22:11:02 2010 LZO compression initialized
Wed Oct 27 22:11:02 2010 UDPv4 link local: [undef]
Wed Oct 27 22:11:02 2010 UDPv4 link remote: *.*.*.*:11194
Wed Oct 27 22:11:30 2010 [_.618119.com] Peer Connection Initiated with 173.255.196.174:11194
Wed Oct 27 22:11:37 2010 TAP-WIN32 device [本地连接 2] opened: \\.\Global\{FF3AEA0C-A0ED-4068-882D-4C98D2CB50A9}.tap
Wed Oct 27 22:11:37 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.10/255.255.255.252 on interface {FF3AEA0C-A0ED-4068-882D-4C98D2CB50A9} [DHCP-serv: 10.8.0.9, lease-time: 31536000]
Wed Oct 27 22:11:37 2010 Successful ARP Flush on interface [131077] {FF3AEA0C-A0ED-4068-882D-4C98D2CB50A9}
Wed Oct 27 22:11:42 2010 Initialization Sequence Completed
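The "No server certificate verification method has been enabled" warning in the log above means the client will accept any certificate signed by the CA as the server, including the client certificate built in step 10; the fix is `ns-cert-type server` (or `remote-cert-tls server`) in the client config, which the certificate that build-key-server produced in step 9 satisfies. Two other things a preflight check would have caught before starting the daemon: the server.conf in step 15 points at server.crt and server.key while build-key-server wrote openvpn.618119.com.crt and .key in step 9, and the `group nobody` failure in step 16. The following is an added example, not the blog's or the OpenVPN project's code: a small linter for configs in the style used on this page that applies those checks. The two sample configs, the set of key files assumed to be present and the group lookup that only knows `nogroup` are constructed for the demo.

```python
"""Lint OpenVPN 2.1-style configs for the problems hit in the walkthrough above.
Added example, not the blog's or the OpenVPN project's code; the sample configs
and the set of 'present' key files are constructed for the demo."""
import grp
import re

FILE_DIRECTIVES = ("ca", "cert", "key", "dh", "tls-auth")
INLINE_COMMENT = re.compile(r"\s+[#;].*$")


def parse(text):
    """Return [(directive, [args]), ...]; '#'/';' lines and trailing ' # ...' comments are dropped."""
    entries = []
    for raw in text.splitlines():
        line = INLINE_COMMENT.sub("", raw.strip())
        if line and line[0] not in "#;":
            tokens = [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', line)]
            entries.append((tokens[0], tokens[1:]))
    return entries


def host_group_exists(name):
    """True if the group resolves on this host; grp.getgrnam raises KeyError otherwise."""
    try:
        grp.getgrnam(name)
        return True
    except KeyError:
        return False


def lint(text, role, file_exists, group_exists=host_group_exists):
    """Return [(code, message), ...] for one config. role is 'server' or 'client';
    file_exists(path) -> bool lets the caller decide how paths are resolved."""
    opts = {}
    for name, args in parse(text):
        opts.setdefault(name, []).append(args)
    findings = []
    # every referenced file must exist: catches a cert/key name that differs from what easy-rsa wrote
    for directive in FILE_DIRECTIVES:
        for args in opts.get(directive, []):
            if not (args and file_exists(args[0])):
                findings.append(("missing-file", f"{directive} {' '.join(args)}: no such file"))
    # tls-auth puts an HMAC on the control channel, so unauthenticated packets never reach the TLS code
    if "tls-auth" not in opts:
        findings.append(("no-tls-auth", "no tls-auth directive"))
    # without a server-role check, any certificate the CA signed (another client's, say) passes as the
    # server; this is what the 'No server certificate verification method has been enabled' warning means
    if role == "client" and "ns-cert-type" not in opts and "remote-cert-tls" not in opts:
        findings.append(("no-server-cert-check", "add 'ns-cert-type server' (or 'remote-cert-tls server')"))
    # the group must resolve on the host, or openvpn exits with 'failed to find GID for group ...'
    for args in opts.get("group", []):
        if args and not group_exists(args[0]):
            findings.append(("unknown-group", f"group {args[0]} does not exist on this host"))
    return findings


# Constructed sample configs mirroring the layout used above (not the real files)
SERVER_CONF = """\
port 11194            # non-default port, as in the walkthrough
proto tcp
ca keys/ca.crt
cert keys/server.crt  # but build-key-server names its output after the CN given on the command line
key keys/server.key
dh keys/dh1024.pem
user nobody
group nobody
"""
CLIENT_CONF = """\
client
remote vpn.example.invalid 11194
proto tcp
ca keys/ca.crt
cert keys/vpnclient.example.crt
key keys/vpnclient.example.key
"""
# What easy-rsa would have left in keys/ after build-ca, build-key-server and build-key (constructed)
PRESENT = {"keys/ca.crt", "keys/openvpn.example.crt", "keys/openvpn.example.key", "keys/dh1024.pem",
           "keys/vpnclient.example.crt", "keys/vpnclient.example.key"}


def demo():
    """Lint both constructed configs; the server run simulates an Ubuntu host where the
    'nobody' group is absent (the distribution ships 'nogroup' instead)."""
    return {
        "server": lint(SERVER_CONF, "server", lambda p: p in PRESENT, group_exists=lambda g: g == "nogroup"),
        "client": lint(CLIENT_CONF, "client", lambda p: p in PRESENT),
    }


if __name__ == "__main__":
    for section, findings in demo().items():
        for code, message in findings:
            print(f"[{section}] {code}: {message}")
```

Run it as-is to see the findings for the constructed configs; against the real files, change into the config directory and pass `os.path.isfile` as `file_exists` so the paths in the directives are resolved the way openvpn resolves them.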

Related reference articles:
1. OpenVPN official documentation:
http://openvpn.net/index.php/open-source/documentation/howto.html#install
2. Installing OpenVPN Server on Ubuntu Server:
http://www.douhua.im/2010/01/06/ubuntu-server-install-openvpn-server/
3. Installing and configuring OpenVPN:
http://pityonline.info/?p=1054
4. Installing openvpn on Ubuntu:
http://space.itpub.net/7201003/viewspace-312657
5. Error message: UDPv4 [ECONNREFUSED]: Connection refused (code=111)
http://readthefuckingmanual.net/error/383/
6. http://www.imped.net/oss/misc/openvpn-2.0-howto-edit.html
7. http://blog.darkices.com/archive/openvpn-server-side-dns-hijacking-to-solve-the-problem-of-pollution-dns.html
8. http://omobox.com/memo/tunnelier-instead-of-myentunnel.html
9. http://blog.darkices.com/archive/build-ssh-proxy-on-vps.html#comment-275

Commands to check whether tun is enabled:
dmesg|grep tun
or: ls -l /dev/net/tun

Reference: http://www.hostloc.com/thread-6106-5-589.html
