Linux: configuring an OpenVPN server and client (tutorial)

August 30, 2013

OpenVPN installation tutorial: http://www.myzhenai.com/thread-15394-1-2.html http://www.myzhenai.com.cn/post/871.html
OpenVPN local (client) configuration: http://www.myzhenai.com.cn/post/767.html http://www.myzhenai.com/thread-15104-1-2.html
Earlier I had only managed to configure a PPTP server and client, because configuring OpenVPN always produced one error or another. Now, after all this time, looking back at those problems I seem to understand them, so I set about configuring the OpenVPN server and client again and connected successfully. If the client connects to the server but cannot get online, try adjusting the server time.
For the server installation see the links above; for the Linux client installation see the links above as well. I demonstrate with the GNOME desktop environment; if you use KDE or another desktop, search for the corresponding tutorial.

[RucLinux@localhost ~]$ su root
密码:
[root@localhost RucLinux]# ssh -p 1380 208.114.11.12
root@208.114.11.12's password: 
Last login: Fri Aug 23 15:27:23 2013 from 112.66.70.164
[root@server ~]# yum update
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.arcticnetwork.ca
 * extras: centos.arcticnetwork.ca
 * updates: centos.mirror.iweb.ca
base                                                     | 1.1 kB     00:00     
extras                                                   | 2.1 kB     00:00     
updates                                                  | 1.9 kB     00:00     
Setting up Update Process
No Packages marked for Update
[root@server ~]# yum install lzo*
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.arcticnetwork.ca
 * extras: centos.mirror.rafal.ca
 * updates: www.cubiculestudio.com
Setting up Install Process
Nothing to do
[root@server ~]# yum install Lzo*
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.arcticnetwork.ca
 * extras: centos.mirror.rafal.ca
 * updates: www.cubiculestudio.com
Setting up Install Process
No package Lzo* available.
  * Maybe you meant: lzop, lzo-devel, lzo
Nothing to do
[root@server ~]# yum install lzo lzo-devel
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.arcticnetwork.ca
 * extras: centos.arcticnetwork.ca
 * updates: www.cubiculestudio.com
Setting up Install Process
Nothing to do
[root@server ~]# rpm -qa lzo
lzo-2.02-2.el5.1
[root@server ~]# rpm -ql lzo
/usr/lib/liblzo2.so.2
/usr/lib/liblzo2.so.2.0.0
/usr/share/doc/lzo-2.02
/usr/share/doc/lzo-2.02/AUTHORS
/usr/share/doc/lzo-2.02/COPYING
/usr/share/doc/lzo-2.02/NEWS
/usr/share/doc/lzo-2.02/THANKS
[root@server ~]# rpm -ql lrzsz
/usr/bin/rb
/usr/bin/rx
/usr/bin/rz
/usr/bin/sb
/usr/bin/sx
/usr/bin/sz
/usr/share/locale/de/LC_MESSAGES/lrzsz.mo
/usr/share/man/man1/rz.1.gz
/usr/share/man/man1/sz.1.gz
[root@server ~]# rpm -qa lrzsz
lrzsz-0.12.20-22.1
[root@server ~]# rpm -qa openvpn
openvpn-2.2.2-1.el5
[root@server ~]# ls /etc/openvpn/
ca.crt           client-amao.key   dh1024.pem   openvpn-status.log  server.key
ca.key           client-jiayu.crt  easy-rsa     server.conf
client-amao.crt  client-jiayu.csr  ipp.txt      server.crt
client-amao.csr  client-jiayu.key  openvpn.log  server.csr
[root@server ~]# rm -rf /etc/openvpn/*
[root@server ~]# ls /etc/openvpn/
[root@server ~]# rpm -ql openvpn
/etc/openvpn
/etc/rc.d/init.d/openvpn
/usr/lib/openvpn
/usr/lib/openvpn/plugin
/usr/lib/openvpn/plugin/lib
/usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so
/usr/lib/openvpn/plugin/lib/openvpn-down-root.so
/usr/sbin/openvpn
/usr/share/doc/openvpn-2.2.2
/usr/share/doc/openvpn-2.2.2/AUTHORS
/usr/share/doc/openvpn-2.2.2/COPYING
/usr/share/doc/openvpn-2.2.2/COPYRIGHT.GPL
/usr/share/doc/openvpn-2.2.2/INSTALL
/usr/share/doc/openvpn-2.2.2/PORTS
/usr/share/doc/openvpn-2.2.2/README
/usr/share/doc/openvpn-2.2.2/auth-pam.txt
/usr/share/doc/openvpn-2.2.2/contrib
/usr/share/doc/openvpn-2.2.2/contrib/OCSP_check
/usr/share/doc/openvpn-2.2.2/contrib/OCSP_check/OCSP_check.sh
/usr/share/doc/openvpn-2.2.2/contrib/README
/usr/share/doc/openvpn-2.2.2/contrib/multilevel-init.patch
/usr/share/doc/openvpn-2.2.2/contrib/openvpn-fwmarkroute-1.00
/usr/share/doc/openvpn-2.2.2/contrib/openvpn-fwmarkroute-1.00/README
/usr/share/doc/openvpn-2.2.2/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down
/usr/share/doc/openvpn-2.2.2/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up
/usr/share/doc/openvpn-2.2.2/contrib/pull-resolv-conf
/usr/share/doc/openvpn-2.2.2/contrib/pull-resolv-conf/client.down
/usr/share/doc/openvpn-2.2.2/contrib/pull-resolv-conf/client.up
/usr/share/doc/openvpn-2.2.2/down-root.txt
/usr/share/doc/openvpn-2.2.2/sample-config-files
/usr/share/doc/openvpn-2.2.2/sample-config-files/README
/usr/share/doc/openvpn-2.2.2/sample-config-files/client.conf
/usr/share/doc/openvpn-2.2.2/sample-config-files/firewall.sh
/usr/share/doc/openvpn-2.2.2/sample-config-files/home.up
/usr/share/doc/openvpn-2.2.2/sample-config-files/loopback-client
/usr/share/doc/openvpn-2.2.2/sample-config-files/loopback-server
/usr/share/doc/openvpn-2.2.2/sample-config-files/office.up
/usr/share/doc/openvpn-2.2.2/sample-config-files/openvpn-shutdown.sh
/usr/share/doc/openvpn-2.2.2/sample-config-files/openvpn-startup.sh
/usr/share/doc/openvpn-2.2.2/sample-config-files/roadwarrior-client.conf
/usr/share/doc/openvpn-2.2.2/sample-config-files/roadwarrior-server.conf
/usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf
/usr/share/doc/openvpn-2.2.2/sample-config-files/static-home.conf
/usr/share/doc/openvpn-2.2.2/sample-config-files/static-office.conf
/usr/share/doc/openvpn-2.2.2/sample-config-files/tls-home.conf
/usr/share/doc/openvpn-2.2.2/sample-config-files/tls-office.conf
/usr/share/doc/openvpn-2.2.2/sample-config-files/xinetd-client-config
/usr/share/doc/openvpn-2.2.2/sample-config-files/xinetd-server-config
/usr/share/doc/openvpn-2.2.2/sample-keys
/usr/share/doc/openvpn-2.2.2/sample-keys/README
/usr/share/doc/openvpn-2.2.2/sample-keys/ca.crt
/usr/share/doc/openvpn-2.2.2/sample-keys/ca.key
/usr/share/doc/openvpn-2.2.2/sample-keys/client.crt
/usr/share/doc/openvpn-2.2.2/sample-keys/client.key
/usr/share/doc/openvpn-2.2.2/sample-keys/dh1024.pem
/usr/share/doc/openvpn-2.2.2/sample-keys/pass.crt
/usr/share/doc/openvpn-2.2.2/sample-keys/pass.key
/usr/share/doc/openvpn-2.2.2/sample-keys/pkcs12.p12
/usr/share/doc/openvpn-2.2.2/sample-keys/server.crt
/usr/share/doc/openvpn-2.2.2/sample-keys/server.key
/usr/share/doc/openvpn-2.2.2/sample-keys/ta.key
/usr/share/doc/openvpn-2.2.2/sample-scripts
/usr/share/doc/openvpn-2.2.2/sample-scripts/auth-pam.pl
/usr/share/doc/openvpn-2.2.2/sample-scripts/bridge-start
/usr/share/doc/openvpn-2.2.2/sample-scripts/bridge-stop
/usr/share/doc/openvpn-2.2.2/sample-scripts/openvpn.init
/usr/share/doc/openvpn-2.2.2/sample-scripts/openvpn.init.orig
/usr/share/doc/openvpn-2.2.2/sample-scripts/ucn.pl
/usr/share/doc/openvpn-2.2.2/sample-scripts/verify-cn
/usr/share/man/man8/openvpn.8.gz
/usr/share/openvpn
/usr/share/openvpn/easy-rsa
/usr/share/openvpn/easy-rsa/1.0
/usr/share/openvpn/easy-rsa/1.0/README
/usr/share/openvpn/easy-rsa/1.0/build-ca
/usr/share/openvpn/easy-rsa/1.0/build-dh
/usr/share/openvpn/easy-rsa/1.0/build-inter
/usr/share/openvpn/easy-rsa/1.0/build-key
/usr/share/openvpn/easy-rsa/1.0/build-key-pass
/usr/share/openvpn/easy-rsa/1.0/build-key-pkcs12
/usr/share/openvpn/easy-rsa/1.0/build-key-server
/usr/share/openvpn/easy-rsa/1.0/build-req
/usr/share/openvpn/easy-rsa/1.0/build-req-pass
/usr/share/openvpn/easy-rsa/1.0/clean-all
/usr/share/openvpn/easy-rsa/1.0/list-crl
/usr/share/openvpn/easy-rsa/1.0/make-crl
/usr/share/openvpn/easy-rsa/1.0/openssl.cnf
/usr/share/openvpn/easy-rsa/1.0/revoke-crt
/usr/share/openvpn/easy-rsa/1.0/revoke-full
/usr/share/openvpn/easy-rsa/1.0/sign-req
/usr/share/openvpn/easy-rsa/1.0/vars
/usr/share/openvpn/easy-rsa/2.0
/usr/share/openvpn/easy-rsa/2.0/Makefile
/usr/share/openvpn/easy-rsa/2.0/README
/usr/share/openvpn/easy-rsa/2.0/build-ca
/usr/share/openvpn/easy-rsa/2.0/build-dh
/usr/share/openvpn/easy-rsa/2.0/build-inter
/usr/share/openvpn/easy-rsa/2.0/build-key
/usr/share/openvpn/easy-rsa/2.0/build-key-pass
/usr/share/openvpn/easy-rsa/2.0/build-key-pkcs12
/usr/share/openvpn/easy-rsa/2.0/build-key-server
/usr/share/openvpn/easy-rsa/2.0/build-req
/usr/share/openvpn/easy-rsa/2.0/build-req-pass
/usr/share/openvpn/easy-rsa/2.0/clean-all
/usr/share/openvpn/easy-rsa/2.0/inherit-inter
/usr/share/openvpn/easy-rsa/2.0/list-crl
/usr/share/openvpn/easy-rsa/2.0/openssl-0.9.6.cnf
/usr/share/openvpn/easy-rsa/2.0/openssl-0.9.8.cnf
/usr/share/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
/usr/share/openvpn/easy-rsa/2.0/pkitool
/usr/share/openvpn/easy-rsa/2.0/revoke-full
/usr/share/openvpn/easy-rsa/2.0/sign-req
/usr/share/openvpn/easy-rsa/2.0/vars
/usr/share/openvpn/easy-rsa/2.0/whichopensslcnf
/var/run/openvpn
[root@server ~]# cp -R /usr/share/openvpn/easy-rsa/ /etc/openvpn
[root@server ~]# cd /etc/openvpn/easy-rsa/2.0/
[root@server 2.0]# ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
[root@server 2.0]# . ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
[root@server 2.0]# ./clean-all
[root@server 2.0]# ./build-ca
Generating a 1024 bit RSA private key
.....................................++++++
.......++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HN]:
Locality Name (eg, city) [HAIKOU]:
Organization Name (eg, company) [Openvpn]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:
Name [changeme]:
Email Address [server@foxmail.com]:
[root@server 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
............++++++
........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HN]:
Locality Name (eg, city) [HAIKOU]:
Organization Name (eg, company) [Openvpn]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [server]:
Name [changeme]:
Email Address [server@foxmail.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:        
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-0.9.8.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'HN'
localityName          :PRINTABLE:'HAIKOU'
organizationName      :PRINTABLE:'Openvpn'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'server@foxmail.com'
Certificate is to be certified until Aug 27 19:21:21 2023 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@server 2.0]# ./build-key client-name
Generating a 1024 bit RSA private key
.......................++++++
..++++++
writing new private key to 'client-name.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HN]:
Locality Name (eg, city) [HAIKOU]:
Organization Name (eg, company) [Openvpn]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [client-name]:
Name [changeme]:
Email Address [server@foxmail.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-0.9.8.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'HN'
localityName          :PRINTABLE:'HAIKOU'
organizationName      :PRINTABLE:'Openvpn'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'client-name'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'server@foxmail.com'
Certificate is to be certified until Aug 27 19:22:34 2023 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@server 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..+.....................................................................................................................+....+...........+.....................................+...+..................+..........+...................................+....+................................................+..................................+.........+................................................................................................................................................................................................................................+.....................+.............................................................................................................................+..............+..............................................................................+...............................+...............................+.............................................................................................................+..............+...+.+............+.............................................+..............................+...................................................................+.................+......................+..............................................+.........................+....+............................................................................................+...................................+..............+...........................................................+......................................................+.....................+.........................................................................+.+............................................+.......................................................................+.........+.............................................................................................................+.........+....................................+...............+.........+.................................................
.............................+...+.....................................+........................................+.................................................+..................+........................+.....................................................+..................................+........+...................................................................................................................+...+..+........................................................+.....................................................+.+............................................................................................+.....................+..........+...........................+.............................................................+........+...............................................................................................................................................+.............+.........................+..............................+................................................+....................+..................................................+...........+..........................................................................................+............................................................................................+................+......................+...................................................................................................................................+.....................................+..........+....................................................+...++*++*++*
[root@server 2.0]# cd keys
[root@server keys]# ls
01.pem  client-name.crt  index.txt           serial      server.key
02.pem  client-name.csr  index.txt.attr      serial.old
ca.crt  client-name.key  index.txt.attr.old  server.crt
ca.key  dh1024.pem       index.txt.old       server.csr
[root@server keys]# cp ca.crt ca.key dh1024.pem server.csr server.key server.crt /etc/openvpn/
[root@server keys]# ls /etc/openvpn/
ca.crt  dh1024.pem  server.conf  server.csr
ca.key  easy-rsa    server.crt   server.key
[root@server keys]# ls /etc/sysconfig/
authconfig  init             modules          rawdevices     sendmail
cbq         iptables         named            readonly-root  snmpd.options
console     iptables-config  netconsole       rhn            snmptrapd.options
crond       iptables.save    network          run-parts      syslog
httpd       lm_sensors       networking       samba          udev-stw
i18n        mkinitrd         network-scripts  saslauthd
[root@server keys]# cd ..
[root@server 2.0]# cd ..
[root@server easy-rsa]# cd ..
[root@server openvpn]# cd ..
[root@server etc]# cd ..
[root@server /]# vi /etc/sysconfig/iptables
[root@server /]# /etc/init.d/iptables save
将当前规则保存到 /etc/sysconfig/iptables:                 [确定]
[root@server /]# vi /etc/sysconfig/iptables
[root@server /]# vi /etc/sysconfig/iptables
[root@server /]# vi /etc/rc.local
[root@server /]# openvpn --config /etc/openvpn/server.conf &
[1] 29718
[root@server /]# service iptables restart
清除防火墙规则:                                           [确定]
把 chains 设置为 ACCEPT 策略:nat mangle filter            [确定]
正在卸载 Iiptables 模块:                                  [确定]
应用 iptables 防火墙规则:                                 [确定]
[1]+  Exit 1                  openvpn --config /etc/openvpn/server.conf
[root@server /]# service pptpd restart
Shutting down pptpd:                                       [确定]
Starting pptpd:                                            [确定]
Warning: a pptpd restart does not terminate existing 
connections, so new connections may be assigned the same IP 
address and cause unexpected results.  Use restart-kill to 
destroy existing connections during a restart.
[root@server /]# service openvpn restart
正在关闭openvpn:                                          [确定]
正在启动 openvpn:                                         [确定]
[root@server /]# ls /etc/openvpn/
ca.crt  dh1024.pem  ipp.txt      openvpn-status.log  server.crt  server.key
ca.key  easy-rsa    openvpn.log  server.conf         server.csr
[root@server /]# date
2013年 08月 30日 星期五 00:31:53 MSD
[root@server /]# yum install rtc
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.arcticnetwork.ca
 * extras: centos.arcticnetwork.ca
 * updates: centos.mirror.iweb.ca
base                                                     | 1.1 kB     00:00     
extras                                                   | 2.1 kB     00:00     
updates                                                  | 1.9 kB     00:00     
Setting up Install Process
No package rtc available.
Nothing to do
[root@server /]# date
2013年 08月 30日 星期五 00:37:38 MSD
[root@server /]# rm -rf /etc/localtime
[root@server /]# date
2013年 08月 29日 星期四 20:39:16 UTC
[root@server /]# rm -rf /etc/localtime
[root@server /]# ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
[root@server /]# date
2013年 08月 30日 星期五 04:40:23 CST
[root@server /]# exit
logout

Connection to 208.114.11.12 closed.
[root@localhost RucLinux]# 

Original content, please indicate the source:
同福客栈论坛 | 海南仙岛海南乡情论坛 | JiaYu Blog
Welcome to reprint. Please indicate the source http://www.myzhenai.com.cn/post/1276.html

1 comment

  • 海南胡说, January 25, 2017 at 6:52 AM

    Jan 25 06:24:11 localhost nm-openvpn[9451]: Authenticate/Decrypt packet error: cipher final failed
    Jan 25 06:24:21 localhost nm-openvpn[9451]: Authenticate/Decrypt packet error: cipher final failed
    Jan 25 06:24:31 localhost nm-openvpn[9451]: Authenticate/Decrypt packet error: cipher final failed
    Jan 25 06:24:41 localhost nm-openvpn[9451]: Authenticate/Decrypt packet error: cipher final failed
    Jan 25 06:24:51 localhost nm-openvpn[9451]: Authenticate/Decrypt packet error: cipher final failed
    Jan 25 06:25:02 localhost nm-openvpn[9451]: Authenticate/Decrypt packet error: cipher final failed
    Jan 25 06:25:12 localhost nm-openvpn[9451]: Authenticate/Decrypt packet error: cipher final failed
    Jan 25 06:25:20 localhost nm-openvpn[9451]: /sbin/ip addr del dev tun0 local 10.8.0.6 peer 10.8.0.5
    Jan 25 06:25:20 localhost NetworkManager[9375]: [1485296720.808686] [nm-system.c:1399] check_one_route(): (tun0): error -12 returned from rtnl_route_del(): Netlink Error (errno = No such process)

    If this happens to you, you probably have a mismatch in the configuration between server and client on the “cipher”-option. (E.g.: cipher AES-128-CB / cipher AES-256-CB) This is not a problem of DD-WRT or OpenVPN but just a config issue which can happen if you follow some of those guidelines strictly without knowing what the config options mean.

    If you see the errors above, check whether `cipher AES-256-CBC` is enabled in the /etc/openvpn/server.conf on your server. If it is, the same cipher must also be enabled in the local client configuration.
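The cipher mismatch described in the comment, and the server configuration step earlier on the page (the `openvpn --config /etc/openvpn/server.conf` run and `service openvpn restart`), both hinge on a handful of directives that have to agree on the two ends of the tunnel. The script below is an added example and is not code from the original post or from the OpenVPN project: a POSIX shell checker that extracts those directives from a server.conf and a client.conf and reports the ones that disagree. The sample configs it writes are constructed for the example (the file names, `vpn.example.com`, and the OpenVPN 2.2-style directive set are assumptions; the 10.8.0.0/24 subnet is the one visible in the comment's log); `client-bad.conf` reproduces the AES-128 vs AES-256 mismatch from the comment and additionally drops `comp-lzo`, a mismatch that also shows up as "connected but no traffic".

```shell
#!/bin/sh
# Added example (not from the original post): check that the directives which
# must agree between an OpenVPN server.conf and client.conf actually do, before
# chasing "cipher final failed" or "connected but no traffic" symptoms.
# All file names and sample configs below are constructed for this example.

# ovpn_directive FILE NAME
# Prints the first NAME line of FILE with comments stripped and whitespace
# collapsed (e.g. "cipher AES-256-CBC"); prints nothing if NAME is absent.
ovpn_directive() {
    sed -e 's/[#;].*$//' "$1" |
        awk -v name="$2" '$1 == name { $1 = $1; print; exit }'
}

# Directives that must read the same on both peers, or be absent on both.
PEER_DIRECTIVES="dev proto cipher auth comp-lzo"

# ovpn_compare SERVER_CONF CLIENT_CONF
# Prints one MISMATCH line per disagreeing directive; returns 0 when everything
# agrees, 1 otherwise. tls-auth is checked for presence only, because its key
# direction (0 on the server, 1 on the client) is supposed to differ.
ovpn_compare() {
    rc=0
    for directive in $PEER_DIRECTIVES; do
        s=$(ovpn_directive "$1" "$directive")
        c=$(ovpn_directive "$2" "$directive")
        if [ "$s" != "$c" ]; then
            printf 'MISMATCH %s: server=[%s] client=[%s]\n' \
                "$directive" "${s:-absent}" "${c:-absent}"
            rc=1
        fi
    done
    s=$(ovpn_directive "$1" tls-auth)
    c=$(ovpn_directive "$2" tls-auth)
    if { [ -n "$s" ] && [ -z "$c" ]; } || { [ -z "$s" ] && [ -n "$c" ]; }; then
        printf 'MISMATCH tls-auth: only one side uses a static HMAC key\n'
        rc=1
    fi
    return $rc
}

# write_samples DIR: constructed server and client configs in the style of
# OpenVPN 2.2 (the version on the page). client-bad.conf reproduces the
# mismatch from the comment (AES-128 vs AES-256) and also drops comp-lzo.
write_samples() {
    cat >"$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
keepalive 10 120
tls-auth ta.key 0        # server side uses direction 0
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
EOF
    cat >"$1/client-good.conf" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194   ; placeholder server address
resolv-retry infinite
nobind
ca ca.crt
cert client-name.crt
key client-name.key
ns-cert-type server
tls-auth ta.key 1        # client side uses direction 1
cipher AES-256-CBC
comp-lzo
verb 3
EOF
    # Same as client-good.conf, but with the wrong cipher and without comp-lzo.
    sed -e 's/^cipher .*/cipher AES-128-CBC/' -e '/^comp-lzo/d' \
        "$1/client-good.conf" >"$1/client-bad.conf"
}

main() {
    dir=$(mktemp -d)
    write_samples "$dir"
    echo "== server.conf vs client-good.conf"
    ovpn_compare "$dir/server.conf" "$dir/client-good.conf" && echo "OK: peer directives agree"
    echo "== server.conf vs client-bad.conf"
    ovpn_compare "$dir/server.conf" "$dir/client-bad.conf" || echo "FAIL: fix these before debugging anything else"
    rm -rf "$dir"
}
main
```

Against real files, call `ovpn_compare /etc/openvpn/server.conf client.conf`; a non-zero exit means at least one directive disagrees. `auth` is on the list even though neither sample sets it: a differing HMAC digest produces the same class of "Authenticate/Decrypt packet error" as a differing cipher, and a directive that is absent on both sides is correctly treated as agreeing, since both peers then fall back to the same default.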
