A few months ago I bought a VPS on ramhost.us, the cheapest one: 80 MB of RAM with 128 MB of burst memory. I wanted to play 泡泡战士 (BubbleFighter) on the Korean server, which needs a VPN, so I wanted to set up a VPN on the ramhost VPS. But ramhost's VPS is OpenVZ-based, so OpenVPN is the only option, and that is how this post came about.

My system is centos-5-i386-kloxo-hostinabox. First check whether the VPS has tun enabled with cat /dev/net/tun: if it returns cat: /dev/net/tun: File descriptor in bad state, tun is enabled; if not, ask support to enable it.

Likewise, run iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE to check whether the iptables nat module is supported: a response of iptables: Unknown error 4294967295 means it is working; otherwise, keep pestering support.
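As an added example that is not part of the original post, here is a small POSIX shell script that wraps the two checks above and classifies their output by the rules the post gives. It assumes an OpenVZ container whose outside interface is venet0; the function names and the `run` argument are my own.

```shell
#!/bin/sh
# Added example, not from the original post: wrap the two OpenVZ preflight
# checks and classify their output using the rules stated in the post.
# Assumes an OpenVZ container whose outside interface is venet0.

# On a container with tun enabled, `cat /dev/net/tun` fails with
# "File descriptor in bad state"; any other result means tun is not usable.
tun_enabled_from_output() {
    case "$1" in
        *"File descriptor in bad state"*) return 0 ;;
        *) return 1 ;;
    esac
}

# The post's NAT probe is expected to fail with "Unknown error 4294967295"
# on a container where the nat module is available.
nat_usable_from_output() {
    case "$1" in
        *"Unknown error 4294967295"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live checks: capture stderr too, since both probes report via error text.
check_tun() {
    out=$(cat /dev/net/tun 2>&1 || true)
    tun_enabled_from_output "$out"
}

check_nat() {
    # The probe rule is the one from the post. If it is ever accepted it stays
    # in the nat table, so delete it again afterwards to keep the table clean.
    out=$(iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE 2>&1 || true)
    iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE 2>/dev/null || true
    nat_usable_from_output "$out"
}

# Run both checks, print a verdict for each and return non-zero if either fails.
preflight() {
    rc=0
    if check_tun; then echo "tun: enabled"; else echo "tun: NOT enabled, ask support"; rc=1; fi
    if check_nat; then echo "nat: available"; else echo "nat: NOT available, ask support"; rc=1; fi
    return $rc
}

# The live checks only run when invoked as: sh preflight.sh run
case "${1:-}" in run) preflight ;; esac
```

Run it as root on the container with `sh preflight.sh run`; a non-zero exit code means at least one of the two prerequisites is missing.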

OK, with the preparation done, we can start building.

First install EPEL: rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm

Then pull OpenVPN down with yum: yum -y install openvpn

After installation it lives in /usr/share/openvpn/easy-rsa. Copy the easy-rsa folder out to make later work easier: cp -R /usr/share/openvpn/easy-rsa /etc/openvpn/ , then enter the directory with cd /etc/openvpn/easy-rsa/2.0 and create a certificate.

Edit the environment with vi vars; go all the way to the bottom and change the last few lines to suit your situation:

export KEY_COUNTRY="CN"
export KEY_PROVINCE="GD"
export KEY_CITY="FS"
export KEY_ORG="jzhone"
export KEY_EMAIL="jzhoen [at] gmail.com"

Save, then run . vars to make it take effect.

Next, ./build-ca server creates the certificate authority.

Generating a 1024 bit RSA private key
........................++++++
....++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: <Enter>
State or Province Name (full name) [GD]: <Enter>
Locality Name (eg, city) [FS]: <Enter>
Organization Name (eg, company) [jzhone]: <Enter>
Organizational Unit Name (eg, section) []: <Enter>
Common Name (eg, your name or your server's hostname) []: <Enter>
Name []: <Enter>
Email Address [jzhone@gmail.com]: <Enter>

Then generate the server certificate: ./build-key-server server

Generating a 1024 bit RSA private key
...++++++
...............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: <Enter>
State or Province Name (full name) [GD]: <Enter>
Locality Name (eg, city) [FS]: <Enter>
Organization Name (eg, company) [jzhone]: <Enter>
Organizational Unit Name (eg, section) []: <Enter>
Common Name (eg, your name or your server's hostname) [server]: <Enter>
Name []: <Enter>
Email Address [jzhone@gmail.com]: <Enter>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <Enter>
An optional company name []: <Enter>
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName            PRINTABLE:'CN'
stateOrProvinceName    PRINTABLE:'GD'
localityName           PRINTABLE:'FS'
organizationName       PRINTABLE:'jzhone'
commonName             PRINTABLE:'server'
emailAddress           :IA5STRING:'jzhone@gmail.com'
Certificate is to be certified until Nov 18 17:25:15 2019 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Next, generate the client certificates. Each client gets its own certificate, generated with ./build-key client1; for the second client use client2, and so on.

Generating a 1024 bit RSA private key
.....++++++
.........++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: <Enter>
State or Province Name (full name) [GD]: <Enter>
Locality Name (eg, city) [FS]: <Enter>
Organization Name (eg, company) [jzhone]: <Enter>
Organizational Unit Name (eg, section) []: <Enter>
Common Name (eg, your name or your server's hostname) [client1]: <Enter>
Name []: <Enter>
Email Address [jzhone@gmail.com]: <Enter>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <Enter>
An optional company name []: <Enter>
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName            PRINTABLE:'CN'
stateOrProvinceName    PRINTABLE:'GD'
localityName           PRINTABLE:'FS'
organizationName       PRINTABLE:'jzhone'
commonName             PRINTABLE:'client1'
emailAddress           :IA5STRING:'jzhone@gmail.com'
Certificate is to be certified until Nov 18 17:31:21 2019 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Then generate the Diffie-Hellman parameters: ./build-dh. When it finishes, download everything in /etc/openvpn/easy-rsa/2.0/keys to your local machine. At first I didn't know how to download them, so I copied them into the folder of my FTP account, set the file permissions, and could then download them.

Next, configure OpenVPN. First cd /etc/openvpn/easy-rsa/ , then create a new configuration file with vi server.conf with the following content:

port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3

Then vi /etc/sysctl.conf, find net.ipv4.ip_forward = 0 and change it to net.ipv4.ip_forward = 1; save and run sysctl -p.

Next add the rule iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 1.2.3.4, replacing 1.2.3.4 with your VPS's IP address.

Then save with /etc/init.d/iptables save and restart with /etc/init.d/iptables restart.

Edit /etc/rc.local with vi and append /usr/sbin/openvpn --config /etc/openvpn/easy-rsa/server.conf & at the end so that OpenVPN starts at boot. Finally run openvpn --config /etc/openvpn/easy-rsa/server.conf & and the server side is done.

Then download and install OpenVPN GUI, copy ca.crt, client1.crt and client1.key from the keys folder you downloaded into C:\Program Files\OpenVPN\config, and create a new file named client1.ovpn with the following content:

client
dev tun
proto tcp
remote 1.2.3.4 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3

Again replace 1.2.3.4 with your VPS's IP address. On Vista, Server 2008 or Windows 7 you need to set OpenVPN GUI to Windows XP SP3 compatibility mode and run it as administrator. If it still doesn't work, add the following two lines to the end of the client1.ovpn file above:

route-method exe

route-delay

Then double-click the tray icon and it should connect.
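As an added example that is not part of the original post, here is a POSIX shell script that writes the server.conf and client .ovpn from this post from a few parameters and sanity-checks them before you start openvpn: the client must use the same proto and port the server listens on, every file the server config references must exist, and the server private key must not be readable by other users. The KEYDIR default matches the post's paths; the IP 203.0.113.10 used in the usage line is a placeholder, and the function names are mine, not OpenVPN's.

```shell
#!/bin/sh
# Added example, not from the original post: render the two configs from the
# post and check them for the mistakes that most often break a first connection.
# Assumes the easy-rsa key directory from the post unless KEYDIR is overridden.

KEYDIR="${KEYDIR:-/etc/openvpn/easy-rsa/2.0/keys}"

# Write the server configuration from the post. $1=output file $2=port $3=proto
render_server_conf() {
    cat > "$1" <<EOF
port $2
proto $3
dev tun
ca $KEYDIR/ca.crt
cert $KEYDIR/server.crt
key $KEYDIR/server.key
dh $KEYDIR/dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
EOF
}

# Write the client configuration from the post.
# $1=output file $2=client name $3=server ip $4=port $5=proto
render_client_conf() {
    cat > "$1" <<EOF
client
dev tun
proto $5
remote $3 $4
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert $2.crt
key $2.key
ns-cert-type server
comp-lzo
verb 3
EOF
}

# Read the value of a one-argument directive ("port", "proto", "key", ...).
conf_get() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# The client must dial the proto and port the server actually listens on.
# $1=server.conf $2=client.ovpn
client_matches_server() {
    sproto=$(conf_get "$1" proto); sport=$(conf_get "$1" port)
    cproto=$(conf_get "$2" proto)
    cport=$(awk '$1 == "remote" { print $3; exit }' "$2")
    [ "$sproto" = "$cproto" ] && [ "$sport" = "$cport" ]
}

# Every file the server config references must exist, and the private key must
# not be group- or world-readable (octal mode ending in 00). $1=server.conf
check_server_files() {
    rc=0
    for d in ca cert key dh; do
        f=$(conf_get "$1" "$d")
        if [ ! -f "$f" ]; then echo "missing $d file: $f" >&2; rc=1; fi
    done
    keyfile=$(conf_get "$1" key)
    if [ -f "$keyfile" ]; then
        mode=$(stat -c %a "$keyfile" 2>/dev/null || stat -f %Lp "$keyfile")
        case "$mode" in
            *00) ;;
            *) echo "key $keyfile is readable by others (mode $mode); chmod 600 it" >&2; rc=1 ;;
        esac
    fi
    return $rc
}

# Usage: sh render-openvpn.sh <vps-ip>   (e.g. 203.0.113.10, a placeholder)
# Writes /etc/openvpn/easy-rsa/server.conf and ./client1.ovpn as in the post.
if [ "$#" -ge 1 ]; then
    render_server_conf /etc/openvpn/easy-rsa/server.conf 1194 tcp
    render_client_conf ./client1.ovpn client1 "$1" 1194 tcp
    check_server_files /etc/openvpn/easy-rsa/server.conf
    client_matches_server /etc/openvpn/easy-rsa/server.conf ./client1.ovpn && echo "configs consistent"
fi
```

The key-permission check is the one item worth adding to the post's procedure: easy-rsa writes server.key into the keys directory, and if that directory was made FTP-readable to get the client files off the box (as the post describes), the server's private key goes with them unless its mode is tightened first.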