Found 5 articles matching "openvpn"

2018-11-03
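OpenVPN Configuration Templates (Part 2): Point-to-Point Mode

Early versions of OpenVPN actually had only point-to-point mode, meaning a single client and a single server; the official documentation calls this office mode. The one-to-many server mode only appeared in later versions. In point-to-point mode the client and server verify each other's identity with a static key or a TLS key, and certificates are not used. This post collects the configuration templates for point-to-point mode.

The command to generate the static key is:

```sh
openvpn --genkey --secret /etc/openvpn/static.key
```

Server configuration (using a static key)

```
# Transport protocol; also marks this end as the server
proto tcp-server
# Use a tun/tap device; the default is tun
dev tun
# Port
port 1194
# Local IP is 10.8.0.1, the peer (client) IP is 10.8.0.2
ifconfig 10.8.0.1 10.8.0.2
# Script to run once the connection is up (e.g. to add routes); not used by default
;up /etc/openvpn/office.up
# Path to the static key
secret /etc/openvpn/static.key
# Cipher
cipher AES-128-CBC
# Use LZO compression
comp-lzo adaptive
# Tell the client to use LZO compression
push "comp-lzo adaptive"
# On reconnect, do not re-read the key and do not close the tun device
persist-tun
persist-key
# Log verbosity
verb 4
# Ping the peer every 10 seconds to check that it is online; disconnect after 60 seconds without a reply
keepalive 10 60
# Run OpenVPN as the openvpn user and group for better security
user openvpn
group openvpn
# Log file path
log /var/log/openvpn.log
log-append /var/log/openvpn.log
```

Client configuration

```
# Protocol
proto tcp-client
dev tun
port 1194
# Server IP address
remote x.x.x.x
# Reconnect automatically after the connection to the server is interrupted
resolv-retry infinite
nobind
# The client's local IP is 10.8.0.2, the server IP is 10.8.0.1
ifconfig 10.8.0.2 10.8.0.1
# Location of the static key
secret /etc/openvpn/static.key
cipher AES-128-CBC
comp-lzo adaptive
persist-tun
persist-key
verb 3
keepalive 10 60
```
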
2018-11-01
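OpenVPN Configuration Templates (Part 1): Server Mode

For operations work I often use OpenVPN to interconnect the internal networks of different data centers, but there are many options and I keep forgetting them, so I took some time to collect configuration templates for the different working modes.

Server mode is a single server serving multiple clients. The typical scenario is travelling employees dialing into the company intranet from mobile devices and laptops.

The server-side template, using username/password authentication, is as follows:

```
# Transport protocol: TCP or UDP; UDP is better suited to environments with high packet loss
proto tcp
# Port number
port 1194
# Use a tun or tap device
dev tun
# Subnet topology with a /24 netmask; at most 255 clients
topology subnet
# VPN subnet; the default is 10.8.0.0/24
server 10.8.0.0 255.255.255.0
# Authentication (HMAC) algorithm
auth SHA256
# Cipher
cipher AES-256-CBC
# Use LZO compression
comp-lzo adaptive
# Tell clients that the traffic will use LZO compression
push "comp-lzo adaptive"
# Global routing option: tells clients to send all traffic through the VPN tunnel; usually not used
push "redirect-gateway def1 bypass-dhcp"
# Push DNS settings (same for the next line)
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
# Path to the server CA certificate
ca /etc/openvpn/cert/ca.crt
# Path to the Diffie-Hellman parameters
dh /etc/openvpn/cert/dh1024.pem
# Path to the server certificate
cert /etc/openvpn/cert/server.crt
# Path to the server private key
key /etc/openvpn/cert/server.key
# Add an extra signature on top of the SSL/TLS handshake packets for better security
tls-auth /etc/openvpn/cert/ta.key
# On reconnect, do not re-read the key and do not close the tun device
persist-key
persist-tun
# If installed via yum, OpenVPN can be configured to run as the openvpn user and group for better security
user openvpn
group openvpn
# Script that verifies the OpenVPN username and password
auth-user-pass-verify /etc/openvpn/openvpn3config/checkpsw.sh via-env
# Use the username supplied by the client as the common name
username-as-common-name
# Do not require a client certificate
client-cert-not-required
# Script security level 3; otherwise username/password authentication does not work
script-security 3
# Per-client configuration files; can be used to assign client IPs
client-config-dir /etc/openvpn/ccd
# Log file
log /var/log/openvpn.log
log-append /var/log/openvpn.log
# Limit the number of clients to 255
max-clients 255
# Let clients talk to each other directly instead of routing through the gateway
client-to-client
# Ping the peer every 10 seconds to check that it is online; disconnect after 60 seconds without a reply. Suitable for clients behind NAT
keepalive 10 60
nice 3
# Log verbosity
verb 4
mute 10
```

The client template is as follows:

```
# Declare this end as a client
client
# tun/tap device; must match the server
dev tun
# Transport protocol; must match the server
proto tcp
# Address and port of the remote server; the address can be a domain name or an IP address
remote <IP or domain name> <port number>
# Reconnect automatically after the connection to the server is interrupted
resolv-retry infinite
# Do not bind to a specific local address or port
nobind
# The options below are explained in the server template
persist-key
persist-tun
auth SHA256
cipher AES-256-CBC
comp-lzo adaptive
nice 0
verb 3
mute 10
# Credentials file (username and password), so they do not have to be typed again
auth-user-pass pass.txt
# Path to the CA certificate; the certificate can also be pasted inline using <ca></ca>
ca <path to the CA certificate>
# The key must be the same as the server's
tls-auth ta.key
```
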
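The server template hands login checks to `auth-user-pass-verify ... checkpsw.sh via-env` but does not show the script. The following is an added example, not the author's checkpsw.sh: a verifier that keeps salted SHA-256 digests rather than plaintext passwords (chosen because it needs only coreutils). The password-file path, its `user:salt:digest` format and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the blog's checkpsw.sh. Intended use:
#   auth-user-pass-verify /path/to/this-script via-env
# With via-env OpenVPN exports the submitted credentials as $username and
# $password; exit status 0 accepts the login, any other status rejects it.
# Assumed file format, one account per line: user:salt:sha256hex(salt+password)
PASSFILE="${PASSFILE:-/etc/openvpn/psw-file}"   # hypothetical path

hash_password() {   # $1 = salt, $2 = password -> hex digest on stdout
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

make_entry() {      # $1 = username, $2 = password -> one line for PASSFILE
    me_salt=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s:%s:%s\n' "$1" "$me_salt" "$(hash_password "$me_salt" "$2")"
}

check_credentials() {   # $1 = username, $2 = password, $3 = password file
    # Fail closed on empty input or an unreadable file
    [ -n "$1" ] && [ -n "$2" ] && [ -r "$3" ] || return 1
    # Allow-list the name: with username-as-common-name it becomes the
    # common name and therefore the client-config-dir file name
    case "$1" in *[!A-Za-z0-9._-]*) return 1 ;; esac
    # Exact string match on field 1; the "" stops awk comparing "7" and
    # "7.0" as numbers
    cc_entry=$(awk -F: -v u="$1" '($1 "") == (u "") { print $2 ":" $3; exit }' "$3")
    [ -n "$cc_entry" ] || return 1
    cc_salt=${cc_entry%%:*}
    cc_want=${cc_entry#*:}
    [ -n "$cc_want" ] && [ "$(hash_password "$cc_salt" "$2")" = "$cc_want" ]
}

# Act as the verifier only when OpenVPN has exported $username; otherwise
# this file just defines the functions above.
if [ -n "${username+x}" ]; then
    check_credentials "$username" "${password:-}" "$PASSFILE"
    exit $?
fi
```

With `via-file` instead of `via-env`, OpenVPN writes the username and password to a temporary file passed as the script's argument, and `script-security 2` is sufficient.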
2018-06-11
Notes on Cross-Compiling OpenVPN

Overview

To raise the QoS level by running a VPN tunnel from my home broadband connection to the IDC data center, I decided to port OpenVPN to the MIPS-based OpenWrt router at the network edge. The router has no compiler of its own, so the OpenVPN source has to be cross-compiled into a binary that can run on the router's (MIPS) platform.

Build environment and notes

OpenSSL and LZO must be compiled before OpenVPN, and the whole process should be run as root.

Build host: CentOS 6.9 x86_64 (VMware)
Target host: OpenWrt, Barrier Breaker 14.07, MIPS architecture (QCA9533)

Download the toolchain and set up the install directories

```sh
mkdir -p /usr/local/openwrt/openssl
mkdir -p /usr/local/openwrt/lzo
mkdir -p /usr/local/openwrt/openvpn
cd /usr/local/openwrt && wget http://archive.openwrt.org/barrier_breaker/14.07/atheros/generic/OpenWrt-Toolchain-atheros-for-mips_mips32-gcc-4.8-linaro_uClibc-0.9.33.2.tar.bz2
tar -xvf OpenWrt-Toolchain-atheros-for-mips_mips32-gcc-4.8-linaro_uClibc-0.9.33.2.tar.bz2
mv OpenWrt-Toolchain-atheros-for-mips_mips32-gcc-4.8-linaro_uClibc-0.9.33.2/toolchain-mips_mips32_gcc-4.8-linaro_uClibc-0.9.33.2 ./toolchain
```

Compile OpenSSL

```sh
cd /usr/local/openwrt && wget https://www.openssl.org/source/openssl-1.0.2o.tar.gz
tar -zxvf openssl-1.0.2o.tar.gz
cd openssl-1.0.2o && ./config --prefix=/usr/local/openwrt/openssl no-asm shared
```

Make sure the Makefile contains the following lines, and remove every -m64 option:

```
CC=/usr/local/openwrt/toolchain/bin/mips-openwrt-linux-gcc
AR=/usr/local/openwrt/toolchain/bin/mips-openwrt-linux-ar
RANLIB=/usr/local/openwrt/toolchain/bin/mips-openwrt-linux-ranlib
```

The same changes made quickly with sed:

```sh
# '#' is used as the sed delimiter because the replacement paths contain '/'
sed -i 's#CC= gcc#CC=/usr/local/openwrt/toolchain/bin/mips-openwrt-linux-gcc#' Makefile
sed -i 's#AR= ar#AR=/usr/local/openwrt/toolchain/bin/mips-openwrt-linux-ar#' Makefile
sed -i 's#RANLIB=/usr/bin/ranlib#RANLIB= /usr/local/openwrt/toolchain/bin/mips-openwrt-linux-ranlib#' Makefile
sed -i 's/-m64//g' Makefile
make -j4 && make install
```

Installation is now complete; OpenSSL is installed under /usr/local/openwrt/openssl.

Compile LZO

```sh
cd /usr/local/openwrt && wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.10.tar.gz
tar -zxvf lzo-2.10.tar.gz && cd lzo-2.10
./configure CC=/usr/local/openwrt/toolchain/bin/mips-openwrt-linux-gcc --host=mips-linux --prefix=/usr/local/openwrt/lzo
make && make install
```

Compile OpenVPN

```sh
cd /usr/local/openwrt && wget http://swupdate.openvpn.org/community/releases/openvpn-2.3.1.tar.gz
tar -zxvf openvpn-2.3.1.tar.gz && cd openvpn-2.3.1
./configure \
CC=/usr/local/openwrt/toolchain/bin/mips-openwrt-linux-gcc \
--host=mips-linux \
--prefix=/usr/local/openwrt/openvpn/ \
LZO_CFLAGS="-I/usr/local/openwrt/lzo/include" \
LZO_LIBS="-L/usr/local/openwrt/lzo/lib -llzo2" \
OPENSSL_CRYPTO_CFLAGS="-I/usr/local/openwrt/openssl/include" \
OPENSSL_SSL_CFLAGS="-I/usr/local/openwrt/openssl/include" \
OPENSSL_SSL_LIBS="-L/usr/local/openwrt/openssl/lib -lssl" \
OPENSSL_CRYPTO_LIBS="-L/usr/local/openwrt/openssl/lib -lcrypto" \
--disable-plugin-auth-pam \
--with-ssl-lib=/usr/local/openwrt/openssl/lib
export C_INCLUDE_PATH=/usr/local/openwrt/openssl/include
make -j4 && make install
```

Upload the program to the OpenWrt router

The build is now complete. The output directories are:

```
/usr/local/openwrt/lzo
/usr/local/openwrt/openssl
/usr/local/openwrt/openvpn
```

Use SCP to upload /usr/local/openwrt/openvpn/sbin/openvpn and /usr/local/openwrt/openssl/lib/libcrypto.so.1.0.0 to the router's /sbin and /lib directories, then give /sbin/openvpn execute permission:

```sh
chmod +x /sbin/openvpn
```

2017-11-10
OpenVPN Server Init Script

This script is the official one and is located at /etc/init.d/openvpn.

Please note: this article is for learning and exchange only, and the software is intended solely for operations needs; do not use it for illegal activities.

```sh
#!/bin/sh -e

### BEGIN INIT INFO
# Provides:          OpenVPN
# Required-Start:    $network $remote_fs $syslog
# Required-Stop:     $network $remote_fs $syslog
# Should-Start:      network-manager
# Should-Stop:       network-manager
# X-Start-Before:    $x-display-manager gdm kdm xdm wdm ldm sdm nodm
# X-Interactive:     true
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: openvpn VPN service
# Description: This script will start OpenVPN tunnels as specified
#              in /etc/default/openvpn and /etc/openvpn/*.conf
### END INIT INFO

# Original version by Robert Leslie
# <rob@mars.org>, edited by iwj and cs
# Modified for openvpn by Alberto Gonzalez Iniesta <agi@inittab.org>
# Modified for restarting / starting / stopping single tunnels by Richard Mueller <mueller@teamix.net>

. /lib/lsb/init-functions

test $DEBIAN_SCRIPT_DEBUG && set -v -x

DAEMON=/usr/sbin/openvpn
DESC="virtual private network daemon"
CONFIG_DIR=/etc/openvpn
test -x $DAEMON || exit 0
test -d $CONFIG_DIR || exit 0

# Source defaults file; edit that file to configure this script.
AUTOSTART="all"
STATUSREFRESH=10
OMIT_SENDSIGS=0
if test -e /etc/default/openvpn ; then
  . /etc/default/openvpn
fi

start_vpn () {
    if grep -q '^[ ]*daemon' $CONFIG_DIR/$NAME.conf ; then
      # daemon already given in config file
      DAEMONARG=
    else
      # need to daemonize
      DAEMONARG="--daemon ovpn-$NAME"
    fi

    if grep -q '^[ ]*status ' $CONFIG_DIR/$NAME.conf ; then
      # status file already given in config file
      STATUSARG=""
    elif test $STATUSREFRESH -eq 0 ; then
      # default status file disabled in /etc/default/openvpn
      STATUSARG=""
    else
      # prepare default status file
      STATUSARG="--status /run/openvpn/$NAME.status $STATUSREFRESH"
    fi

    # tun using the "subnet" topology confuses the routing code that wrongly
    # emits ICMP redirects for client to client communications
    SAVED_DEFAULT_SEND_REDIRECTS=0
    if grep -q '^[[:space:]]*dev[[:space:]]*tun' $CONFIG_DIR/$NAME.conf && \
       grep -q '^[[:space:]]*topology[[:space:]]*subnet' $CONFIG_DIR/$NAME.conf ; then
        # When using "client-to-client", OpenVPN routes the traffic itself without
        # involving the TUN/TAP interface so no ICMP redirects are sent
        if ! grep -q '^[[:space:]]*client-to-client' $CONFIG_DIR/$NAME.conf ; then
            sysctl -w net.ipv4.conf.all.send_redirects=0 > /dev/null

            # Save the default value for send_redirects before disabling it
            # to make sure the tun device is created with send_redirects disabled
            SAVED_DEFAULT_SEND_REDIRECTS=$(sysctl -n net.ipv4.conf.default.send_redirects)

            if [ "$SAVED_DEFAULT_SEND_REDIRECTS" -ne 0 ]; then
              sysctl -w net.ipv4.conf.default.send_redirects=0 > /dev/null
            fi
        fi
    fi

    log_progress_msg "$NAME"
    STATUS=0

    start-stop-daemon --start --quiet --oknodo \
        --pidfile /run/openvpn/$NAME.pid \
        --exec $DAEMON -- $OPTARGS --writepid /run/openvpn/$NAME.pid \
        $DAEMONARG $STATUSARG --cd $CONFIG_DIR \
        --config $CONFIG_DIR/$NAME.conf || STATUS=1

    [ "$OMIT_SENDSIGS" -ne 1 ] || ln -s /run/openvpn/$NAME.pid /run/sendsigs.omit.d/openvpn.$NAME.pid

    # Set the back the original default value of send_redirects if it was changed
    if [ "$SAVED_DEFAULT_SEND_REDIRECTS" -ne 0 ]; then
      sysctl -w net.ipv4.conf.default.send_redirects=$SAVED_DEFAULT_SEND_REDIRECTS > /dev/null
    fi
}

stop_vpn () {
  start-stop-daemon --stop --quiet --oknodo \
      --pidfile $PIDFILE --exec $DAEMON --retry 5
  if [ "$?" -eq 0 ]; then
    rm -f $PIDFILE
    [ "$OMIT_SENDSIGS" -ne 1 ] || rm -f /run/sendsigs.omit.d/openvpn.$NAME.pid
    rm -f /run/openvpn/$NAME.status 2> /dev/null
  fi
}

case "$1" in
start)
  log_daemon_msg "Starting $DESC"

  # first create /run directory so it's present even
  # when no VPN are autostarted by this script, but later
  # by systemd openvpn@.service
  mkdir -p /run/openvpn

  # autostart VPNs
  if test -z "$2" ; then
    # check if automatic startup is disabled by AUTOSTART=none
    if test "x$AUTOSTART" = "xnone" -o -z "$AUTOSTART" ; then
      log_warning_msg " Autostart disabled."
      exit 0
    fi
    if test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall" ; then
      # all VPNs shall be started automatically
      for CONFIG in `cd $CONFIG_DIR; ls *.conf 2> /dev/null`; do
        NAME=${CONFIG%%.conf}
        start_vpn
      done
    else
      # start only specified VPNs
      for NAME in $AUTOSTART ; do
        if test -e $CONFIG_DIR/$NAME.conf ; then
          start_vpn
        else
          log_failure_msg "No such VPN: $NAME"
          STATUS=1
        fi
      done
    fi
  #start VPNs from command line
  else
    while shift ; do
      [ -z "$1" ] && break
      if test -e $CONFIG_DIR/$1.conf ; then
        NAME=$1
        start_vpn
      else
        log_failure_msg " No such VPN: $1"
        STATUS=1
      fi
    done
  fi
  log_end_msg ${STATUS:-0}
  ;;
stop)
  log_daemon_msg "Stopping $DESC"

  if test -z "$2" ; then
    for PIDFILE in `ls /run/openvpn/*.pid 2> /dev/null`; do
      NAME=`echo $PIDFILE | cut -c14-`
      NAME=${NAME%%.pid}
      stop_vpn
      log_progress_msg "$NAME"
    done
  else
    while shift ; do
      [ -z "$1" ] && break
      if test -e /run/openvpn/$1.pid ; then
        PIDFILE=`ls /run/openvpn/$1.pid 2> /dev/null`
        NAME=`echo $PIDFILE | cut -c14-`
        NAME=${NAME%%.pid}
        stop_vpn
        log_progress_msg "$NAME"
      else
        log_failure_msg " (failure: No such VPN is running: $1)"
      fi
    done
  fi
  log_end_msg 0
  ;;
# Only 'reload' running VPNs. New ones will only start with 'start' or 'restart'.
reload|force-reload)
  log_daemon_msg "Reloading $DESC"
  for PIDFILE in `ls /run/openvpn/*.pid 2> /dev/null`; do
    NAME=`echo $PIDFILE | cut -c14-`
    NAME=${NAME%%.pid}
    # If openvpn if running under a different user than root we'll need to restart
    if egrep '^[[:blank:]]*user[[:blank:]]' $CONFIG_DIR/$NAME.conf > /dev/null 2>&1 ; then
      stop_vpn
      start_vpn
      log_progress_msg "(restarted)"
    else
      kill -HUP `cat $PIDFILE` || true
      log_progress_msg "$NAME"
    fi
  done
  log_end_msg 0
  ;;

# Only 'soft-restart' running VPNs. New ones will only start with 'start' or 'restart'.
soft-restart)
  log_daemon_msg "$DESC sending SIGUSR1"
  for PIDFILE in `ls /run/openvpn/*.pid 2> /dev/null`; do
    NAME=`echo $PIDFILE | cut -c14-`
    NAME=${NAME%%.pid}
    kill -USR1 `cat $PIDFILE` || true
    log_progress_msg "$NAME"
  done
  log_end_msg 0
  ;;

restart)
  shift
  $0 stop ${@}
  $0 start ${@}
  ;;
cond-restart)
  log_daemon_msg "Restarting $DESC."
  for PIDFILE in `ls /run/openvpn/*.pid 2> /dev/null`; do
    NAME=`echo $PIDFILE | cut -c14-`
    NAME=${NAME%%.pid}
    stop_vpn
    start_vpn
  done
  log_end_msg 0
  ;;
status)
  GLOBAL_STATUS=0
  if test -z "$2" ; then
    # We want status for all defined VPNs.
    # Returns success if all autostarted VPNs are defined and running
    if test "x$AUTOSTART" = "xnone" ; then
      # Consider it a failure if AUTOSTART=none
      log_warning_msg "No VPN autostarted"
      GLOBAL_STATUS=1
    else
      if ! test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall" ; then
        # Consider it a failure if one of the autostarted VPN is not defined
        for VPN in $AUTOSTART ; do
          if ! test -f $CONFIG_DIR/$VPN.conf ; then
            log_warning_msg "VPN '$VPN' is in AUTOSTART but is not defined"
            GLOBAL_STATUS=1
          fi
        done
      fi
    fi
    for CONFIG in `cd $CONFIG_DIR; ls *.conf 2> /dev/null`; do
      NAME=${CONFIG%%.conf}
      # Is it an autostarted VPN ?
      if test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall" ; then
        AUTOVPN=1
      else
        if test "x$AUTOSTART" = "xnone" ; then
          AUTOVPN=0
        else
          AUTOVPN=0
          for VPN in $AUTOSTART; do
            if test "x$VPN" = "x$NAME" ; then
              AUTOVPN=1
            fi
          done
        fi
      fi
      if test "x$AUTOVPN" = "x1" ; then
        # If it is autostarted, then it contributes to global status
        status_of_proc -p /run/openvpn/${NAME}.pid openvpn "VPN '${NAME}'" || GLOBAL_STATUS=1
      else
        status_of_proc -p /run/openvpn/${NAME}.pid openvpn "VPN '${NAME}' (non autostarted)" || true
      fi
    done
  else
    # We just want status for specified VPNs.
    # Returns success if all specified VPNs are defined and running
    while shift ; do
      [ -z "$1" ] && break
      NAME=$1
      if test -e $CONFIG_DIR/$NAME.conf ; then
        # Config exists
        status_of_proc -p /run/openvpn/${NAME}.pid openvpn "VPN '${NAME}'" || GLOBAL_STATUS=1
      else
        # Config does not exist
        log_warning_msg "VPN '$NAME': missing $CONFIG_DIR/$NAME.conf file !"
        GLOBAL_STATUS=1
      fi
    done
  fi
  exit $GLOBAL_STATUS
  ;;
*)
  echo "Usage: $0 {start|stop|reload|restart|force-reload|cond-restart|soft-restart|status}" >&2
  exit 1
  ;;
esac

exit 0

# vim:set ai sts=2 sw=2 tw=0:
```

2017-09-27
Compiling and Installing OpenVPN 2.1.4 on CentOS

Install the dependencies

```sh
yum install openssl openssl-devel gcc wget -y
```

Download the OpenVPN 2.1.4 source package and LZO 2.05

```sh
wget http://downloads.openwrt.org.cn/sources/openvpn-2.1.4.tar.gz
wget http://downloads.openwrt.org.cn/sources/lzo-2.05.tar.gz
tar -zxvf openvpn-2.1.4.tar.gz && tar -zxvf lzo-2.05.tar.gz
cd lzo-2.05/
```

Compile and install LZO 2.05 first

```sh
./configure
make && make install
```

Compile and install OpenVPN 2.1.4

```sh
cd ../openvpn-2.1.4/
./configure
make && make install
```

Generate certificates with easyrsa 2.0

```sh
cd easyrsa2.0/
vi vars
```

Fill in the last six lines, e.g.:

```sh
export KEY_SIZE=2048
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="LosAngeles"
export KEY_ORG="Lonelyboy Networks"
export KEY_EMAIL="lonelyboyzavier@gmail.com"
```

After saving:

```sh
chmod +x vars
source ./vars
# Clear the contents of the keys directory
./clean-all
# Generate the 2048-bit RSA server CA certificate
./build-ca
# Generate the server certificate
./build-key-server openvpnserver
# Generate a client certificate (choose your own name)
./build-key clientname
# Generate the dh2048.pem file
./build-dh
```

A client connection needs three files: ca.crt, client.crt and client.key. Copy them to the client.

```sh
mkdir /etc/openvpn && cd /etc/openvpn
touch server.conf
mkdir cert
```

(Copy ca.crt, dh2048.pem, openvpnserver.crt and openvpnserver.key into the cert folder.)

Reference server-side configuration, server.conf:

```
# Protocol (choose your own)
proto
# Port number
port XXX
# On a VPS, using tun requires support from the host node
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
# Custom routes for the IP ranges that should go through the VPN
push "route 172.31.9.0 255.255.255.0"
auth SHA256
cipher AES-256-CBC
comp-lzo adaptive
push "comp-lzo adaptive"
# Forward all traffic through the server; not enabled by default
push "redirect-gateway def1 bypass-dhcp"
# Advertise DNS servers to clients; can be customized
push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 8.8.8.8"
# Certificate file paths
ca /etc/openvpn/cert/ca.crt
dh /etc/openvpn/cert/dh2048.pem
cert /etc/openvpn/cert/openvpnserver.crt
key /etc/openvpn/cert/openvpnserver.key
persist-key
persist-tun
user nobody
# OpenVPN log; verb is the log level, default 3
log /var/log/openvpn.log
log-append /var/log/openvpn.log
max-clients 10
client-to-client
keepalive 10 60
nice 3
verb 4
mute 10
```

Configure forwarding with iptables

```sh
iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE
vi /etc/sysctl.conf
```

Set the following in /etc/sysctl.conf:

```
net.ipv4.ip_forward=1
```

Command to start OpenVPN

```sh
openvpn --config /etc/openvpn/server.conf
```

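As an added example (not from the original posts), the shell function below audits a config for directives used in the templates on this page that later OpenVPN releases deprecate or that weaken the tunnel. The function names, the sample config and the wording of the findings are this example's own; the `dh` check goes by file name only.

```shell
# Added example: audit an OpenVPN config for settings that appear in the
# templates on this page. Output format: line:directive:note
sample_conf() {   # constructed sample, assembled from directives used above
    cat <<'EOF'
proto tcp
dh /etc/openvpn/cert/dh1024.pem
comp-lzo adaptive
push "comp-lzo adaptive"
;secret /etc/openvpn/static.key
client-cert-not-required
script-security 3
user nobody
verb 4
EOF
}

audit_ovpn_conf() {   # reads the config files given as arguments, or stdin
    awk '
    function flag(msg) { printf "%d:%s:%s\n", NR, $1, msg }
    /^[ \t]*([#;]|$)/ { next }        # skip comments and blank lines
    $1 == "secret" { flag("static key mode has no forward secrecy") }
    $1 == "comp-lzo" || $1 == "compress" {
        flag("compression can leak plaintext (VORACLE)") }
    $1 == "push" && $2 ~ /comp-lzo|compress/ {
        flag("pushes compression to every client") }
    $1 == "client-cert-not-required" {
        flag("no client certificate is checked; deprecated in 2.4") }
    $1 == "script-security" && $2 + 0 >= 3 {
        flag("level 3 passes passwords to scripts via the environment") }
    $1 == "dh" && $2 ~ /1024/ {
        flag("file name suggests 1024-bit DH parameters") }
    $1 == "user"  { user = NR }
    $1 == "group" { group = NR }
    END { if (user && !group)
              printf "%d:user:no group directive, the process keeps its original group\n", user }
    ' "$@"
}

sample_conf | audit_ovpn_conf
```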