OpenVPN Howto

A simple OpenVPN setup guide, kept here as a backup.

First, OpenVPN should be version 2.1 or newer; Ubuntu 10.10 and Debian 6 both qualify. You also need tun support.

cd /etc/openvpn
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 ./easyrsa

cd easyrsa

vim vars
# edit the fields at the end of the file so the scripts don't prompt for them later

source ./vars

./clean-all
./build-ca
./build-key-server server # naming the server "server" is fine
./build-dh

./build-key client1 # client1 is the user's name

./revoke-full client1 # revoke the user client1

You need to hand ca.crt, client1.crt and client1.key to the user.

Server configuration changes

cd /etc/openvpn
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz ./
gunzip server.conf.gz

vim server.conf

Change the following items

# port
port 1194

# tcp or udp
proto udp

# mtu, 1300 is recommended
tun-mtu 1300

# point to the directory generated above
ca easyrsa/keys/ca.crt
cert easyrsa/keys/server.crt
key easyrsa/keys/server.key

dh easyrsa/keys/dh1024.pem

# IP range; remember it, it is needed for the NAT setup below
server 10.8.0.0 255.255.255.0

# uncomment; pushes this as the default gateway to clients
push "redirect-gateway def1 bypass-dhcp"

The client configuration is almost identical to the above, except for server and push.
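As an added example (not part of the original notes), a shell function that derives a client config from the server.conf above: it keeps the shared settings, drops the server-only lines, swaps in the client's own cert/key, and flips the tls-auth key direction. It assumes the client files sit in easyrsa/keys/ like the server's and that the server address is passed as an argument.

```shell
#!/bin/sh
# Build a client config from server.conf.
# Usage: gen_client_conf server.conf client1 198.51.100.7 > client1.conf
gen_client_conf() {
    conf="$1"; name="$2"; remote="$3"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    port=$(awk '$1=="port"{print $2; exit}' "$conf")
    proto=$(awk '$1=="proto"{print $2; exit}' "$conf")
    echo "client"
    echo "remote ${remote} ${port:-1194} ${proto:-udp}"
    echo "nobind"
    # Only accept a server certificate issued for server use, so a stolen
    # client cert cannot impersonate the server.
    echo "remote-cert-tls server"
    awk -v n="$name" '
        /^[[:space:]]*$/ || /^[[:space:]]*[#;]/ { next }   # blanks, comments
        $1=="port" || $1=="proto" { next }                 # folded into remote
        $1=="server" || $1=="push" || $1=="dh" { next }    # server-only
        $1=="ifconfig-pool-persist" || $1=="status" { next }
        $1=="client-to-client" || $1=="max-clients" { next }
        $1=="cert" { print "cert easyrsa/keys/" n ".crt"; next }
        $1=="key"  { print "key easyrsa/keys/" n ".key"; next }
        $1=="tls-auth" { print "tls-auth " $2 " 1"; next } # client uses direction 1
        { print }                                          # shared settings
    ' "$conf"
}

if [ "$#" -ge 3 ]; then gen_client_conf "$@"; fi
```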

NAT

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to ${服务器ip}