OpenVPN Example

OpenVPN sample documentation

1. Server deployment

  1. Install the software package

      sudo apt-get install openvpn
  2. Generate certificates

      # run as root from the easy-rsa 2.0 directory
      cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn/
      cd /etc/openvpn/easy-rsa/2.0/
      . ./vars                      # load KEY_DIR, KEY_SIZE etc.; clean-all refuses to run without it
      ./clean-all
      ./build-ca                    # fill in the information as prompted; creates the root certificate
      ./build-key-server server     # fill in the information as prompted; creates the server key
      ./build-key shanghai          # client key for Shanghai
      ./build-key shenzhen          # client key for Shenzhen
      ./build-key other             # spare client key
      ./build-dh                    # generate DH parameters, written to keys/dh<KEY_SIZE>.pem (set KEY_SIZE=2048 in vars to get dh2048.pem)
      openvpn --genkey --secret keys/ta.key    # generate the tls-auth key next to the other key material
      cd keys
      cp server.crt server.key dh2048.pem ca.crt ta.key /etc/openvpn/

     The purpose of creating different keys is to tell the connecting sites apart and assign each a fixed IP. Note that the Common Name (eg, your name or your server's hostname) must differ between clients and must also differ from the server key's name; otherwise generation fails.
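The Common Name rule above can be checked before the next build-key runs. easy-rsa 2.0 drives "openssl ca", which records every certificate it issues in keys/index.txt as tab-separated fields (status V/R/E, expiry, revocation date, serial, file name, subject DN), and the CN is also the file name that client-config-dir ccd looks up for a connecting client. The following shell function is an added example, not part of the original tutorial; the function name and the sample index it builds are my own constructions, and on a real CA you would point it at /etc/openvpn/easy-rsa/2.0/keys/index.txt.

```bash
# Added example (not from the original page): list issued certificates and flag
# Common Names that occur more than once among the valid (V) entries, which is
# the condition that makes a further build-key for that name fail.

# Print "serial<TAB>status<TAB>CN" per entry; exit 0 if every valid CN is unique, 1 otherwise.
check_index_cns() {
    # $1 = path to an OpenSSL CA index.txt
    awk -F'\t' '
        {
            cn = "(no CN)"
            if (match($6, "CN=[^/]*")) cn = substr($6, RSTART + 3, RLENGTH - 3)
            printf "%s\t%s\t%s\n", $4, $1, cn
            if ($1 == "V") seen[cn]++      # only valid entries conflict with a new request
        }
        END {
            dup = 0
            for (c in seen) if (seen[c] > 1) { print "DUPLICATE CN among valid certs: " c; dup = 1 }
            exit dup
        }' "$1"
}

# Constructed demo index: the server plus the three client identities from the tutorial.
demo_index=$(mktemp)
printf 'V\t341231235959Z\t\t01\tunknown\t/C=CN/O=Example/CN=server\n'   >  "$demo_index"
printf 'V\t341231235959Z\t\t02\tunknown\t/C=CN/O=Example/CN=shanghai\n' >> "$demo_index"
printf 'V\t341231235959Z\t\t03\tunknown\t/C=CN/O=Example/CN=shenzhen\n' >> "$demo_index"
printf 'V\t341231235959Z\t\t04\tunknown\t/C=CN/O=Example/CN=other\n'    >> "$demo_index"
check_index_cns "$demo_index" && echo "all valid CNs are unique"
rm -f "$demo_index"
```

A revoked (R) entry is deliberately ignored, so re-issuing a key for a site after revoking the old one does not trigger the warning.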
  3. Service configuration

      # /etc/openvpn/server.conf (create it with vi)
      port 1195                        # must match the port in the client's "remote" line
      dev tap
      ca ca.crt
      cert server.crt
      key server.key                   # This file should be kept secret
      dh dh2048.pem
      ifconfig-pool-persist ipp.txt
      push "route"
      client-config-dir ccd
      keepalive 10 120
      tls-auth ta.key 0                # key direction 0 on the server; clients use 1
      user nobody
      group nogroup                    # Debian/Ubuntu group name; on RHEL-family systems use "group nobody"
      status openvpn-status.log
      verb 3

      # /etc/openvpn/ipp.txt (create it with vi): assign client IPs
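The security of the configuration above rests on a few directives: tls-auth with key direction 0, dropping privileges with user and group, and a private key the config itself says must be kept secret. As an added example that is not part of the original tutorial, the following POSIX shell audit reads a server.conf, checks those directives and verifies that the referenced key and tls-auth files are readable only by their owner. The function names, the directory layout it expects (server.conf and the key files in one directory) and the sample config it generates for the demo are my own assumptions.

```bash
# Added example (not from the original page): audit an OpenVPN server.conf for the
# hardening directives used in the tutorial and for the permissions of its secrets.

# Print the argument(s) of a directive (first occurrence, inline "#" comment stripped).
conf_get() {
    # $1 = config file, $2 = directive name
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); sub(/[ \t]*#.*$/, ""); print; exit }' "$1"
}

# Return 0 when every check passes, 1 otherwise; findings are printed one per line.
audit_openvpn_conf() {
    dir="$1"
    conf="$dir/server.conf"
    rc=0

    # tls-auth must be present with key direction 0 on the server side (clients use 1).
    ta=$(conf_get "$conf" tls-auth)
    case "$ta" in
        *" 0") ;;
        "")    echo "MISSING: tls-auth (control channel is not HMAC-protected)"; rc=1 ;;
        *)     echo "BAD: tls-auth direction must be 0 on the server, got: $ta"; rc=1 ;;
    esac

    # The daemon should drop root after startup.
    [ -n "$(conf_get "$conf" user)" ]  || { echo "MISSING: user (daemon keeps running as root)"; rc=1; }
    [ -n "$(conf_get "$conf" group)" ] || { echo "MISSING: group (daemon keeps the root group)"; rc=1; }

    # Private material must exist and be readable only by its owner.
    for directive in key tls-auth; do
        f=$(conf_get "$conf" "$directive")
        f=${f%% *}                          # drop the key-direction argument of tls-auth
        [ -z "$f" ] && continue
        case "$f" in /*) path=$f ;; *) path="$dir/$f" ;; esac
        if [ ! -f "$path" ]; then
            echo "MISSING FILE: $directive -> $path"; rc=1
        else
            mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
            case "$mode" in
                600|400) ;;
                *) echo "PERMS: $path is mode $mode, expected 600"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# Constructed demo: a config with the tutorial's directives and a deliberately
# world-readable ta.key, so the audit reports one finding.
demo_dir=$(mktemp -d)
cat > "$demo_dir/server.conf" <<'EOF'
port 1195
dev tap
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
tls-auth ta.key 0
user nobody
group nogroup
verb 3
EOF
touch "$demo_dir/server.key" "$demo_dir/ta.key"
chmod 600 "$demo_dir/server.key"
chmod 644 "$demo_dir/ta.key"
audit_openvpn_conf "$demo_dir" || echo "audit found problems"
rm -rf "$demo_dir"
```

Run it against /etc/openvpn after copying the key material there; it flags the file permissions that "cp" from the easy-rsa keys directory does not set for you.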
  4. Gateway configuration: when starting the server, also turn on IP forwarding and make this machine the gateway to the office network

     Create the startup script with vi /etc/openvpn/ and give it this content:

      #!/bin/sh
      /usr/sbin/openvpn --daemon --config /etc/openvpn/server.conf
      sleep 5
      echo 1 > /proc/sys/net/ipv4/ip_forward
      ip ro add via dev tap0 src
      ip ro add via dev tap0 src
      # Setting src matters: without it, other machines in the IDC can ping the OA network but the gateway machine itself cannot
  5. Start the service

  6. Start the service after booting

      echo "/etc/openvpn/" >> /etc/rc.local

  7. Configure a static route on every IDC server so that the office network IP segment points at the gateway we created

      /sbin/ip ro add via
      /sbin/ip ro add via

2. Client deployment

  1. Install the software package

      apt-get install openvpn

  2. Upload the client key files generated on the server (ca.crt, shanghai.crt, shanghai.key, ta.key) to the client's /etc/openvpn/conf/ directory

  3. Create the client configuration file

      # /etc/openvpn/conf/client.ovpn
      remote 1194                      # the port must match the server's "port" directive
      dev tap
      resolv-retry infinite
      ca /etc/openvpn/conf/ca.crt
      cert /etc/openvpn/conf/shanghai.crt
      key /etc/openvpn/conf/shanghai.key
      ns-cert-type server              # deprecated since OpenVPN 2.4 and removed in 2.5; use "remote-cert-tls server" there
      verb 3
      tls-auth /etc/openvpn/conf/ta.key 1    # key direction 1 on the client
  4. Start the client

      /usr/sbin/openvpn /etc/openvpn/conf/client.ovpn &

     Check the output to confirm that the client connected to the server normally and obtained an IP. You can also run ifconfig to check that a tap device exists.

  5. Gateway settings

      # The IDC has a gateway that forwards packets to the OA network; the office network also needs a gateway that forwards packets to the IDC.
      # Once the connection succeeds, the client machine can reach IDC devices. We also make it a gateway so that other devices in the office network can reach the IDC through it.
      echo 1 > /proc/sys/net/ipv4/ip_forward
      ip ro add via dev tap0
      # Configure a static route on the office network router pointing the IDC network segment at
      # Test: the two networks can now reach each other.
  6. Create startup script

      #!/bin/sh
      /usr/sbin/openvpn /etc/openvpn/conf/client.ovpn &
      sleep 5
      echo 1 > /proc/sys/net/ipv4/ip_forward
      ip ro add via dev tap0
Lastmod: Friday, April 12, 2024
