OpenVPN builds an encrypted tunnel between the Linode host and the client; the client then reaches the Internet through NAT on the Linode host, which hides the client's own IP address and gets around blocking.
Before installing OpenVPN on Gentoo, update the system first, then install OpenVPN; make sure the examples USE flag is selected so the sample config files are installed:
emerge -uDN -av world
emerge -av openvpn
Certificates
OpenVPN ships with the easy-rsa tool, which makes it easy to create the root CA certificate and the server and client keys; it is installed under /usr/share/openvpn/easy-rsa. Edit the vars file first to set the default values. The same file also sets KEY_SIZE=1024 by default, which is why the output below shows 1024-bit RSA keys; 1024-bit RSA is too short for new deployments, so raise KEY_SIZE to 2048 before running the scripts.
linode easy-rsa # vi vars
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SH"
export KEY_CITY="Shanghai"
export KEY_ORG="LiaoJL"
export KEY_EMAIL="liaojl@liaojl.com"
Source the variables and clear out any existing certificates and keys (clean-all wipes the whole keys directory, so only run it on a fresh setup):
. vars
./clean-all
Create the root certificate
linode easy-rsa # ./build-ca
Generating a 1024 bit RSA private key
............++++++
......++++++
writing new private key to 'ca.key'
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) [LiaoJL]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [LiaoJL CA]:
Name []:
Email Address [liaojl@liaojl.com]:
Create the server certificate
linode easy-rsa # ./build-key-server server
Generating a 1024 bit RSA private key
..........................++++++
..............................................++++++
writing new private key to 'server.key'
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) [LiaoJL]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Name []:
Email Address [liaojl@liaojl.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SH'
localityName          :PRINTABLE:'Shanghai'
organizationName      :PRINTABLE:'LiaoJL'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'liaojl@liaojl.com'
Certificate is to be certified until Apr  8 08:54:47 2021 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Create the client certificate
linode easy-rsa # ./build-key i9000
Generating a 1024 bit RSA private key
.........................++++++
..............................++++++
writing new private key to 'i9000.key'
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) [LiaoJL]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [i9000]:
Name []:
Email Address [liaojl@liaojl.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SH'
localityName          :PRINTABLE:'Shanghai'
organizationName      :PRINTABLE:'LiaoJL'
commonName            :PRINTABLE:'i9000'
emailAddress          :IA5STRING:'liaojl@liaojl.com'
Certificate is to be certified until Apr  8 08:55:44 2021 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Copy the certificate and key files to /etc/openvpn.
cp -R keys /etc/openvpn
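The easy-rsa scripts above are thin wrappers around openssl. The following script is an added example, not part of the original post and not easy-rsa's own code: it reproduces the same three steps (build-ca, build-key-server, build-key) with plain openssl calls, uses 2048-bit keys instead of the 1024-bit default shown in the output above, and then runs the two checks worth doing before anything is copied into /etc/openvpn: that each certificate chains to this CA, and that the server certificate really carries the server role (the marker a client's remote-cert-tls/ns-cert-type check relies on). The subject values are the ones from the vars file above; the working directory, the pki.cnf file and the function names are this example's own. build_dh is included for completeness but is not called from build_pki because dhparam generation is slow.

```shell
#!/bin/sh
# Added example: the easy-rsa steps (build-ca, build-key-server, build-key)
# done with plain openssl and 2048-bit keys, plus the checks to run before
# copying the files to /etc/openvpn.
# Assumed: openssl in PATH; subject values from the vars file in the post;
# directory, config file and function names are this example's own.
set -eu

SUBJ_BASE="/C=CN/ST=SH/L=Shanghai/O=LiaoJL"
DAYS=3650

# Minimal openssl config. [server] and [client] carry the same role markers
# easy-rsa's build-key-server / build-key set; they are what let one side
# refuse a peer that presents a certificate of the wrong role.
write_cnf() {
    cat > "$1/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca
[ dn ]
[ ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ client ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# ./build-ca: self-signed root certificate and its private key.
build_ca() {
    openssl req -new -x509 -config "$1/pki.cnf" -newkey rsa:2048 -nodes \
        -sha256 -days "$DAYS" -subj "$SUBJ_BASE/CN=LiaoJL CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    chmod 600 "$1/ca.key"
}

# ./build-key-server NAME (ext=server) or ./build-key NAME (ext=client):
# generate a key and CSR, then sign the CSR with the CA.
build_cert() {
    dir=$1; name=$2; ext=$3
    openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "$SUBJ_BASE/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -sha256 -days "$DAYS" -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/pki.cnf" -extensions "$ext" \
        -out "$dir/$name.crt" 2>/dev/null
    chmod 600 "$dir/$name.key"
}

# ./build-dh: Diffie-Hellman parameters for the `dh` line of the server
# config. Slow, so it is not called from build_pki; run it separately.
build_dh() {
    openssl dhparam -out "$1/dh2048.pem" 2048 2>/dev/null
}

# The whole PKI the post builds: one CA, the server, the i9000 client.
build_pki() {
    mkdir -p "$1"; chmod 700 "$1"
    write_cnf "$1"
    build_ca "$1"
    build_cert "$1" server server
    build_cert "$1" i9000 client
}

# Check 1: the certificate chains to our CA (exit status 0 on success).
verify_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# Check 2: the role baked into the certificate, taken from its
# extendedKeyUsage line: a server certificate reports
# "TLSWebServerAuthentication", a client one "TLSWebClientAuthentication".
cert_role() {
    openssl x509 -in "$1/$2.crt" -noout -text 2>/dev/null \
        | grep -A1 'Extended Key Usage' | tail -n 1 | tr -d ' '
}

# Usage: sh build-pki.sh /root/openvpn-pki
if [ $# -ge 1 ]; then
    build_pki "$1"
    verify_cert "$1" server && verify_cert "$1" i9000 && echo "PKI OK in $1"
fi
```

The script keeps the same file names as easy-rsa (ca.crt, server.crt/key, i9000.crt/key), so the rest of the post applies unchanged; only the dh file becomes dh2048.pem.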
OpenVPN configuration file
Copy the four certificate and key files ca.crt, server.crt, server.key and dh1024.pem from the keys directory into /etc/openvpn. Note that dh1024.pem is not produced by the steps above: generate it with ./build-dh in the easy-rsa directory first (its size follows KEY_SIZE, so with KEY_SIZE=2048 the file is dh2048.pem and the dh line below changes accordingly). Then copy server.conf.bz2 from /usr/share/doc/openvpn-2.1.4/examples/sample-config-files, uncompress it, rename it to openvpn.conf, and configure it as follows:
port 11994
proto udp
dev tun
# SSL/TLS
ca ca.crt
cert server.crt
key server.key
# Diffie hellman parameters
dh dh1024.pem
# VPN subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
The default port is changed to 11994; a high port is less likely to be blocked by a firewall. Keep server.key readable by root only (mode 600): anyone who reads it can impersonate the server to every client.
Firewall configuration
After a client dials in, only the link between the client and the Linode host exists. To actually hide the client's IP or get past blocking, the Linode host has to NAT the clients' traffic with iptables. Two things are needed: IP forwarding must be enabled in the kernel (net.ipv4.ip_forward=1 via sysctl, and persisted in /etc/sysctl.conf so it survives a reboot), and the rules below must be loaded. The FORWARD rules only let the VPN subnet originate new connections and let replies come back, and reject everything else; the MASQUERADE rule rewrites the source address to the host's public address on eth0.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
DNS
If you want the clients to use the Linode host (10.8.0.1) as their DNS server, install the dnsmasq package and push the DNS record from the OpenVPN configuration file:
push "dhcp-option DNS 10.8.0.1"
Start the dnsmasq service on the Linode host and add it to the default runlevel:
/etc/init.d/dnsmasq start
rc-update add dnsmasq default
Alternatively, use Google's public DNS servers directly; an external resolver is recommended over running dnsmasq. If you do run dnsmasq, restrict it to the tunnel address with listen-address=10.8.0.1 so it does not become an open resolver on the host's public interface:
push "dhcp-option DNS 8.8.8.8"
Client configuration
Download the OpenVPN Community Project client, then copy ca.crt, i9000.crt and i9000.key into the config subfolder of the OpenVPN installation directory. Edit the client.ovpn configuration file:
client
dev tun
proto udp
remote linode.liaojl.com 11994
ca ca.crt
cert i9000.crt
key i9000.key
comp-lzo
verb 3
Double-click client.ovpn, or connect to the VPN server through the OpenVPN GUI. Note that comp-lzo has to match on both sides: it must also be present in the server's openvpn.conf, otherwise the two ends disagree about the framing of tunnel packets and no traffic gets through.