Official website download: http://swupdate.openvpn.org/community/releases/
Source installation
Install server under CentOS
yum install -y lzo-devel openssl-devel pam-devel
wget http://swupdate.openvpn.org/community/releases/openvpn-2.3.10.tar.xz
xz -d openvpn-2.3.10.tar.xz
tar xvf openvpn-2.3.10.tar
cd openvpn-2.3.10
./configure
make
# the build produces the executable src/openvpn/openvpn
The tarball is fetched over plain HTTP, so verify the release's GPG signature (the .asc file published next to the tarball on the releases page) before building, and check the releases page for a newer version than 2.3.10.
Create CA certificate, server certificate, client certificate
Certificate creation tool: https://github.com/OpenVPN/easy-rsa
Cloning over https did not work in this setup, so easy-rsa is fetched over SSH instead (this needs a GitHub account with a registered SSH key; otherwise git clone https://github.com/OpenVPN/easy-rsa.git is equivalent).
# fetch the source
git clone git@github.com:OpenVPN/easy-rsa.git
cd easy-rsa
cp -R easyrsa3 server
################### server certificates #################
cd server
cp vars.example vars # the defaults are usually sufficient; edit as needed
./easyrsa init-pki # create an empty PKI tree (the pki/ directory and its files)
./easyrsa build-ca # create the CA; remember the CA key passphrase and the CN you enter
./easyrsa gen-req server nopass # create the server key and request; its Common Name should differ from the CA's CN
./easyrsa sign server server # sign the server request (sign is the short form of sign-req)
./easyrsa gen-dh # create the Diffie-Hellman parameters
cd ../
cp -R easyrsa3 client
################### client certificates #################
cd client
./easyrsa init-pki
./easyrsa gen-req client # any name can be used instead of client; you are asked for a key passphrase and a CN. The passphrase is needed whenever OpenVPN connects to the server; append nopass to leave the key unencrypted
# the client's request must now be signed by the server-side CA; only then can this user use the VPN
# switch to the server PKI directory
cd ../server
./easyrsa import-req ../client/pki/reqs/client.req client # import the request
./easyrsa sign client client # sign the client request; enter the CA passphrase when prompted
Files required by the server: ca.crt, server.crt, server.key, dh.pem (in easy-rsa's layout: server/pki/ca.crt, server/pki/issued/server.crt, server/pki/private/server.key, server/pki/dh.pem)
Files required by the client: ca.crt, client.crt, client.key (server/pki/ca.crt, server/pki/issued/client.crt and client/pki/private/client.key; the private key is only ever copied to that client)
For the detailed procedure, see Reference 2.
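The whole certificate procedure above, as an added shell example that is not part of the original page and not easy-rsa's or OpenVPN's own code: it runs the same easy-rsa 3 steps in batch mode, gathers the files each side needs, and pre-flight-checks a bundle with openssl before it is copied to /etc/openvpn (a certificate that does not chain to ca.crt, or a key that belongs to a different certificate, is the usual reason a fresh setup fails with a TLS error). It assumes the ./server and ./client copies of easyrsa3 made above, the EASYRSA_BATCH and EASYRSA_REQ_CN variables of easy-rsa 3, and an openssl binary on the host; the bundle directory name and the CN values are placeholders.

```shell
#!/bin/sh
# Added example (not from the page, easy-rsa or OpenVPN): runs the page's easy-rsa 3
# procedure in batch mode, collects the files each side needs, and pre-flight-checks
# a bundle with openssl before it is copied to /etc/openvpn.
# Assumes the ./server and ./client copies of easyrsa3 created above and that
# EASYRSA_BATCH / EASYRSA_REQ_CN are honoured (easy-rsa 3 variables).
set -eu

# Same steps as the page. Batch mode removes easy-rsa's confirmation and CN prompts;
# the only prompts left are the CA passphrase (build-ca, each sign-req) and the
# client key passphrase. The server CN must differ from the CA CN.
build_pki() {
    ca_cn=$1
    server_cn=$2
    (cd server &&
     EASYRSA_BATCH=1 ./easyrsa init-pki &&
     EASYRSA_BATCH=1 EASYRSA_REQ_CN="$ca_cn" ./easyrsa build-ca &&
     EASYRSA_BATCH=1 EASYRSA_REQ_CN="$server_cn" ./easyrsa gen-req server nopass &&
     EASYRSA_BATCH=1 ./easyrsa sign-req server server &&
     ./easyrsa gen-dh)
    (cd client &&
     EASYRSA_BATCH=1 ./easyrsa init-pki &&
     EASYRSA_BATCH=1 EASYRSA_REQ_CN=client ./easyrsa gen-req client)
    (cd server &&
     ./easyrsa import-req ../client/pki/reqs/client.req client &&
     EASYRSA_BATCH=1 ./easyrsa sign-req client client)
}

# Copy what each side needs out of easy-rsa's pki/ layout; private keys get mode 600.
collect() {
    out=$1
    mkdir -p "$out/server" "$out/client"
    cp server/pki/ca.crt server/pki/issued/server.crt server/pki/private/server.key server/pki/dh.pem "$out/server/"
    cp server/pki/ca.crt server/pki/issued/client.crt "$out/client/"
    cp client/pki/private/client.key "$out/client/"
    chmod 600 "$out/server/server.key" "$out/client/client.key"
}

# Check one bundle directory (ca.crt, NAME.crt, NAME.key): the certificate must chain
# to ca.crt, the key must be the one the certificate was issued for, and a server
# certificate must carry the serverAuth EKU that clients check with remote-cert-tls.
# The optional third argument is an openssl -passin source for an encrypted key
# (e.g. stdin or file:PATH); the default "pass:" only works for unencrypted keys.
verify_bundle() {
    dir=$1
    name=$2
    passin=${3:-pass:}
    if ! openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1; then
        echo "$name.crt is not signed by $dir/ca.crt" >&2
        return 1
    fi
    cert_pub=$(openssl x509 -in "$dir/$name.crt" -noout -pubkey)
    if ! key_pub=$(openssl pkey -in "$dir/$name.key" -pubout -passin "$passin" 2>/dev/null); then
        echo "cannot read $name.key (encrypted keys need a -passin source)" >&2
        return 1
    fi
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "$name.key does not belong to $name.crt" >&2
        return 1
    fi
    if [ "$name" = server ] && ! openssl x509 -in "$dir/$name.crt" -noout -text |
            grep -q 'TLS Web Server Authentication'; then
        echo "server.crt lacks the serverAuth extended key usage" >&2
        return 1
    fi
    return 0
}

case "${1:-}" in
    build)  build_pki "${2:-OpenVPN-CA}" "${3:-vpn-server}" && collect bundle &&
            verify_bundle bundle/server server ;;
    verify) verify_bundle "$2" "$3" "${4:-pass:}" ;;
esac
```

Usage: ./pki.sh build creates the PKI and the bundle/ directory and checks the server side; ./pki.sh verify bundle/client client stdin checks the client side, reading the client key passphrase from standard input. The public-key comparison is used instead of the RSA modulus trick so the same check works for EC keys.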
OpenVPN configuration file
Refer to the configuration file in the source code: openvpn-2.3.10/sample/sample-config-files/server.conf
Server configuration server.conf
local 192.227.161.xx # replace with your own VPS IP
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
verb 3
Compared with the sample file, this configuration leaves out tls-auth ta.key 0 (the sample enables it; packets without the HMAC are dropped before they reach the TLS stack) and the user nobody / group nobody lines (the sample recommends them on non-Windows hosts so the daemon drops root once the tunnel is up). Keep both. comp-lzo enables compression, which current OpenVPN releases advise against.
Client configuration client.conf
client
dev tun
proto udp
remote 192.227.161.xx 1194 # change this to your own VPS IP
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt # the certificates generated above go here
cert qingliu.crt # the client certificate issued above (the walkthrough named it client.crt/client.key; use the name you actually signed)
key qingliu.key
comp-lzo
verb 3
Add remote-cert-tls server as well: the client then refuses a peer whose certificate lacks the serverAuth extended key usage that sign-req server sets, so another client's certificate cannot be used to impersonate the server.
Routing Policy Settings
sysctl
Setting: allow packet forwarding with sysctl -w net.ipv4.ip_forward=1
sysctl reads and writes the kernel parameters under /proc/sys. It can set or query networking behaviour such as IP forwarding, IP fragment handling and source-route checking; parameters placed in /etc/sysctl.conf are applied automatically at boot or on demand with sysctl -p. The "/" separators of the /proc/sys path are written as "." in the parameter name, so net.ipv4.ip_forward is /proc/sys/net/ipv4/ip_forward.
Common parameters:
-w  Change the value of the given parameter (runtime only)
-a  Display all parameters
-p  Load parameters from the given file (default /etc/sysctl.conf)
sysctl <variable> with no option prints the variable's current value.
Ways to enable forwarding:
1. Write net.ipv4.ip_forward = 1 to /etc/sysctl.conf and run sysctl -p
2. sysctl -w net.ipv4.ip_forward=1
3. echo "1" > /proc/sys/net/ipv4/ip_forward
Method 1 is permanent. Methods 2 and 3 take effect immediately, but the setting is lost after a reboot, and also after service network restart, which re-applies /etc/sysctl.conf.
Common kernel parameter variables:
# Enables packet forwarding
net.ipv4.ip_forward = 1
# Disable ping requests
net.ipv4.icmp_echo_ignore_all = 1
iptables
Settings:
- Open port 1194 for the protocol the server listens on, and NAT the VPN pool. server.conf says proto udp, so the INPUT rule must match udp (a tcp rule would never match the listener), and the NAT source must be the pool from the server directive, 10.8.0.0 255.255.255.0 = 10.8.0.0/24:
iptables -I INPUT -p udp -m udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
CentOS's stock ruleset ends the FORWARD chain with a REJECT rule, so traffic between tun0 and eth0 also needs ACCEPT rules in FORWARD; otherwise clients connect but get no further.
- Save settings:
service iptables save
iptables is a user-space tool for writing rules; it is not the firewall itself. The rules are loaded into netfilter, the framework in the kernel that hooks the points of the TCP/IP stack every packet passes through, and netfilter applying them is what implements the firewall.
Common commands:
iptables -vnL   List the rules with counters. Rules are matched top to bottom and the first match wins, so order matters.
iptables -S (--list-rules)   Print the rules in iptables command syntax, convenient for copying and adapting existing rules.
Rules saved with service iptables save go to /etc/sysconfig/iptables.
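Deriving the rules from server.conf removes the two mistakes that are easy to make by hand (opening the wrong protocol, NATing the wrong subnet), and the same parser can review the server configuration given earlier on this page. The following is an added shell example, not code from the original page or from OpenVPN; it assumes the WAN interface name is passed on the command line (eth0 as in the page), that the pool is the one handed out by the server directive, and it prints the iptables commands rather than applying them so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the page or from OpenVPN): derives the iptables rules from
# server.conf so protocol, port and NAT subnet cannot drift from what the daemon uses,
# and flags settings in server.conf that a reviewer would reject.
# Assumes the WAN interface is given on the command line (eth0 in the page) and that
# the VPN pool is the one handed out by the "server" directive.
set -eu

# Print the arguments of the first occurrence of a directive, ignoring comment lines.
conf_get() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# True if the directive appears at the start of a non-comment line.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# Dotted netmask -> prefix length (255.255.255.0 -> 24, 255.255.240.0 -> 20).
mask2cidr() {
    bits=0
    for o in $(printf '%s' "$1" | tr . ' '); do
        while [ "$o" -gt 0 ]; do
            bits=$((bits + (o & 1)))
            o=$((o >> 1))
        done
    done
    echo "$bits"
}

# iptables commands matching server.conf: the listener is opened on the protocol from
# "proto" (OpenVPN defaults to udp), FORWARD gets explicit ACCEPTs because CentOS's
# stock ruleset ends that chain with a REJECT, and the NAT source is exactly the pool
# from "server" (so a /24 pool is never NATed as /20).
firewall_rules() {
    conf=$1
    wan=$2
    proto=$(conf_get "$conf" proto); proto=${proto:-udp}
    proto=${proto%-server}; proto=${proto%-client}; proto=${proto%6}   # tcp-server, udp6 -> tcp, udp
    port=$(conf_get "$conf" port); port=${port:-1194}
    set -- $(conf_get "$conf" server)
    [ $# -eq 2 ] || { echo "no usable 'server NET MASK' directive in $conf" >&2; return 1; }
    pool="$1/$(mask2cidr "$2")"
    echo "iptables -I INPUT -p $proto --dport $port -j ACCEPT"
    echo "iptables -I FORWARD -i tun+ -s $pool -j ACCEPT"
    echo "iptables -I FORWARD -o tun+ -d $pool -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $pool -o $wan -j MASQUERADE"
}

# Flag weak settings in server.conf; returns 1 if anything was flagged.
lint_server_conf() {
    conf=$1
    bad=0
    if has_directive "$conf" comp-lzo || has_directive "$conf" compress; then
        echo "WARN: compression enabled; compressing traffic before encryption is a known plaintext-recovery risk, remove comp-lzo"
        bad=1
    fi
    if ! has_directive "$conf" tls-auth && ! has_directive "$conf" tls-crypt; then
        echo "WARN: no tls-auth/tls-crypt; every packet reaching the port is fed to the TLS stack unauthenticated"
        bad=1
    fi
    if ! has_directive "$conf" user || ! has_directive "$conf" group; then
        echo "WARN: no user/group; the daemon keeps running as root after the tunnel is up"
        bad=1
    fi
    if ! has_directive "$conf" cipher; then
        echo "WARN: no cipher line; OpenVPN 2.3 then defaults to BF-CBC"
        bad=1
    fi
    [ "$bad" -eq 0 ]
}

case "${1:-}" in
    rules) firewall_rules "$2" "${3:-eth0}" ;;
    lint)  lint_server_conf "$2" ;;
esac
```

Usage: ./fw.sh rules /etc/openvpn/server.conf eth0 prints the four rules to review and then pipe into sh; ./fw.sh lint /etc/openvpn/server.conf exits non-zero for the server.conf shown on this page (comp-lzo present, no tls-auth, no user/group, no cipher) and zero once those lines are fixed.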
run
Put the openvpn executable, the certificates and the configuration file in one directory (server.conf above expects the certificates under /etc/openvpn/) and start the daemon with ./openvpn --config server.conf --daemon. It must start as root to create the tun device; with user nobody / group nobody in server.conf it drops those privileges afterwards.
Windows server
Download the Windows build of OpenVPN; the installer's file-name suffix indicates which Windows version it targets. After installation, place the configuration under OpenVPN\config in the installation directory (a subfolder is fine). Then configure the server and enable sharing of the local network adapter, otherwise clients that connect successfully still cannot reach the external network. Allow UDP 1194 through the Windows firewall with an inbound rule rather than disabling the firewall, and confirm the prompt when starting the OpenVPN server.
window client
Download the installer and double-click to install. Save the configuration file and certificates to C:\Program Files\OpenVPN\config; the configuration file must have the .ovpn extension. Then start the client.
Traffic obfuscation configuration
refer to:
Other similar proxy tools
- https://wiki.archlinux.org/index.php/Shadowsocks_(简体中文) (Simplified Chinese)
- https://github.com/yinghuocho/firefly-proxy