2010年9月1日 星期三

openvpn server installation

#apt-get update
#apt-get upgrade
update the package index and upgrade the installed packages

#apt-get install openvpn
install openvpn package

#cd /etc/openvpn
#mkdir /etc/openvpn/easy-rsa/
#cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
copy the easy-rsa sample files into /etc/openvpn/easy-rsa/

#edit /etc/openvpn/easy-rsa/vars
set the variables that are used when generating the certificates and keys
export KEY_COUNTRY="TW"
export KEY_PROVINCE="TW"
export KEY_CITY="TAIPEI"
export KEY_ORG="Cloud Service"
export KEY_EMAIL="tommy@csp.com"


#cd /etc/openvpn/easy-rsa/2.0
#source ./vars
#./clean-all
#./build-ca
#./build-key-server server
#./build-key client1
#./build-dh
create the CA, the server certificate, the client1 key and the DH parameters

#cd .../../
#mkdir cert
#cd cert
#mv ca.crt ca.key server.crt server.key dh1024.pem /etc/openvpn/cert/
move the files the server needs (note: ca.key is the CA signing key; server.conf below does not reference it, so it only has to stay on the machine that signs future client certificates, and it must be kept secret)

#cd ..
#vim server.conf
modify server.conf and add the content below to it (server.key is marked secret in the config itself: keep it, and ca.key, readable by root only)
=====================================================================
port 1195
proto udp
dev tun0

ca /etc/openvpn/cert/ca.crt
cert /etc/openvpn/cert/server.crt
key /etc/openvpn/cert/server.key # This file should be kept secret
dh /etc/openvpn/cert/dh1024.pem
;tls-auth /etc/openvpn/cert/ta.key 0 # This file is secret

server 172.16.0.192 255.255.255.192
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.0.0.0"
push "route 192.168.0.0 255.255.0.0"
push "dhcp-option DNS x.x.x.x"
push "dhcp-option DNS x.x.x.x"
push "dhcp-option WINS x.x.x.x"
push "dhcp-option WINS x.x.x.x"
push "dhcp-option DOMAIN csp.com.tw"

keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log

#vim /etc/network/interfaces
add the WAN IP that VPN clients connect to
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 172.16.0.10
netmask 255.255.255.0
up /etc/network/route up
down /etc/network/route down

auto eth1
iface eth1 inet static
address 210.200.200.200
netmask 255.255.255.128
gateway 210.200.200.1

#vim /etc/network/route
add the route hook script that the eth0 up/down lines above call
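#!/bin/sh
# /etc/network/route: called by the "up"/"down" hook lines of eth0 in
# /etc/network/interfaces with a single argument, "up" or "down".
# Adds or removes the routes that send internal traffic via the eth0
# gateway 172.16.0.1.
#
# Arguments: $1 - "up" or "down"
# Returns:   status of the last route(8) call; 1 on an unknown argument

# Fixed PATH so the hook does not depend on the caller's environment.
PATH=/sbin:/bin:/usr/bin:/usr/sbin

# Quoted so an empty or unexpected argument falls through to the default arm
# instead of producing a syntax error.
case "$1" in
  up)
    route add 172.16.0.0 netmask 255.255.0.0 gw 172.16.0.1
    route add 10.0.0.0 netmask 255.0.0.0 gw 172.16.0.1
    ;;
  down)
    # The netmask here used to be written "255.255.0.0." (trailing dot),
    # which route rejects, so the 172.16.0.0/16 route was never removed.
    route del 172.16.0.0 netmask 255.255.0.0 gw 172.16.0.1
    route del 10.0.0.0 netmask 255.0.0.0 gw 172.16.0.1
    ;;
  *)
    printf 'usage: %s up|down\n' "$0" >&2
    exit 1
    ;;
esac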

#vim /etc/sysctl.conf
uncomment the line below to enable IP forwarding
#net.ipv4.ip_forward=1 -> net.ipv4.ip_forward=1

#masquerade (NAT) traffic from the VPN client subnet 172.16.0.192/26 out of eth0
iptables -t nat -A POSTROUTING -s 172.16.0.192/26 -o eth0 -j MASQUERADE

#/etc/init.d/openvpn start
start openvpn service
