0.0 Prerequisites:
lzo-2.06
openssl-0.9.8
openvpn-2.2.2
1 Certificate generation
mkdir -p /etc/openvpn
cp -R easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
1.1 CA file
vi vars
export KEY_COUNTRY="CH"
export KEY_PROVINCE="LN"
export KEY_CITY="Dalian"
export KEY_ORG="DTT"
export KEY_EMAIL="liu-wp@dalian-it.com"
./vars
source ./vars
./clean-all
## Generate the CA file
./build-ca server
1.2 server key
./build-key-server server
If the following error appears:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-0.9.8.cnf
unable to load CA private key
generate a new openssl.cnf from the one that matches your OpenSSL version:
cp openssl-0.9.8.cnf openssl.cnf
1.3 client key
./build-key htit
A challenge password []: ## a certificate password can be set here
1.4 Generate Diffie-Hellman parameters
./build-dh
Filename      Needed By                 Purpose                    Secret
ca.crt        server + all clients      Root CA certificate        NO
ca.key        key signing machine only  Root CA key                YES
dh{n}.pem     server only               Diffie Hellman parameters  NO
server.crt    server only               Server Certificate         NO
server.key    server only               Server Key                 YES
client1.crt   client1 only              Client1 Certificate        NO
client1.key   client1 only              Client1 Key                YES
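The script below is an added check, not part of these notes or of easy-rsa: it verifies a generated keys directory against the table above before the files are copied to the server (server.crt chains to ca.crt, server.crt carries the nsCertType=server extension that the client's ns-cert-type line later insists on, and every *.key is readable by its owner only), and separately flags a ca.key left on the VPN server. It assumes openssl on PATH and the file names from the table; the make_demo_pki function builds a throwaway CA and server certificate as constructed test data so the script can be run without a real easy-rsa tree.

```shell
#!/bin/sh
# Added example, not part of the original notes: sanity checks on an easy-rsa
# keys/ directory before it is copied to the OpenVPN server.
# Assumptions: openssl is on PATH; the directory holds ca.crt, server.crt and
# the *.key files in the layout the table above describes.

check_pki() {
    dir="$1"
    # (1) server.crt must chain to the CA that build-ca produced
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 \
        || { echo "server.crt does not verify against ca.crt"; return 1; }
    # (2) client.ovpn uses 'ns-cert-type server', so the server certificate
    #     must carry the Netscape "SSL Server" cert type (build-key-server sets it)
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "SSL Server" \
        || { echo "server.crt lacks nsCertType=server; clients will refuse it"; return 1; }
    # (3) every private key must be readable by its owner only (columns 5-10 of ls -l)
    for k in "$dir"/*.key; do
        [ -e "$k" ] || continue
        perm=$(ls -l "$k" | cut -c5-10)
        [ "$perm" = "------" ] || { echo "$k is group/world readable ($perm)"; return 1; }
    done
    return 0
}

no_ca_key_on_server() {
    # ca.key only signs new certificates; per the table it stays on the signing machine
    if [ -e "$1/ca.key" ]; then
        echo "$1/ca.key is present: move it off the VPN server"
        return 1
    fi
    return 0
}

make_demo_pki() {
    # Builds a throwaway CA and server certificate in "$1" (constructed test data,
    # the same shape as what build-ca / build-key-server produce).
    d="$1"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-ca" \
        -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null
    printf 'basicConstraints=CA:TRUE\n' > "$d/ca_ext.cnf"
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 1 \
        -extfile "$d/ca_ext.cnf" -out "$d/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    printf 'nsCertType=server\n' > "$d/srv_ext.cnf"
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/srv_ext.cnf" -out "$d/server.crt" 2>/dev/null
    chmod 600 "$d"/*.key
}

# Usage: check a real keys directory given as the first argument, otherwise
# demonstrate on a throwaway PKI in a temporary directory.
if [ -n "$1" ]; then
    check_pki "$1" && no_ca_key_on_server "$1" && echo "PKI checks passed for $1"
else
    demo=$(mktemp -d)
    make_demo_pki "$demo"
    check_pki "$demo" && echo "demo PKI passes check_pki"
    rm -rf "$demo"
fi
```

Run it as `sh check_pki.sh /etc/openvpn/easy-rsa/2.0/keys` on the signing machine and again as `sh check_pki.sh /etc/openvpn` on the server, where the second function should find no ca.key. The challenge password that build-key prompts for is an attribute of the certificate request and does not encrypt the client key; easy-rsa's ./build-key-pass is the script that produces a passphrase-protected client key.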
1.5 Configuration files
The sample-config-files subdirectory holds sample configuration files
1.5.1 Server configuration
Copy the keys directory to /etc/openvpn, and copy server.conf to /etc/openvpn
cp -R keys /etc/openvpn/
server.conf
port 1194
proto udp
dev tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.2.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.2.0 255.255.255.0"
push "dhcp-option DNS 192.168.5.200"
push "dhcp-option DNS 192.168.5.201"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
script-security 3  ## must be added on OpenVPN 2.1 and later
1.5.2 Client configuration
Copy the three files ca.crt, client1.crt and client1.key from the keys directory into the \config directory under the OpenVPN installation path
Create client.ovpn
client
dev tun
proto udp
remote 192.168.4.96 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert lwp.crt
key lwp.key
ns-cert-type server
comp-lzo
verb 4
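OpenVPN 2.2 does not negotiate transport options between the two ends, so the server.conf and client.ovpn above have to agree by hand. The following script is an added check, not part of these notes or of OpenVPN: it reads both files, compares dev, proto, port and comp-lzo, and confirms the client carries ns-cert-type server (or the later remote-cert-tls server), the line that stops any other certificate signed by the same CA, including another client's, from being accepted as the server. It assumes plain "option value" lines as in the two files above; the config_field and has_option helpers are the assumed parsing layer.

```shell
#!/bin/sh
# Added example, not part of the original notes: cross-check client.ovpn
# against server.conf for the options that must agree and for the client-side
# certificate-type check.
# Assumptions: plain "option value ..." lines as in the two files above.

config_field() {
    # config_field FILE OPTION N -> Nth word of the first line whose first word is OPTION
    awk -v k="$2" -v n="$3" '$1==k {print $n; exit}' "$1"
}

has_option() {
    # has_option FILE OPTION -> 0 if some line starts with OPTION
    awk -v k="$2" '$1==k {f=1} END {exit !f}' "$1"
}

client_server_consistent() {
    srv="$1"; cli="$2"; bad=0
    # dev and proto must be identical on both ends
    [ "$(config_field "$srv" dev 2)" = "$(config_field "$cli" dev 2)" ] \
        || { echo "dev differs"; bad=1; }
    [ "$(config_field "$srv" proto 2)" = "$(config_field "$cli" proto 2)" ] \
        || { echo "proto differs"; bad=1; }
    # "remote HOST PORT" must point at the server's "port"; both default to 1194
    sport=$(config_field "$srv" port 2); sport=${sport:-1194}
    cport=$(config_field "$cli" remote 3); cport=${cport:-1194}
    [ "$sport" = "$cport" ] \
        || { echo "client remote port $cport differs from server port $sport"; bad=1; }
    # the server config above does not push comp-lzo, so both sides must set it explicitly
    if has_option "$srv" comp-lzo; then
        has_option "$cli" comp-lzo || { echo "comp-lzo on server only"; bad=1; }
    elif has_option "$cli" comp-lzo; then
        echo "comp-lzo on client only"; bad=1
    fi
    # without this the client accepts any certificate signed by the CA as the server,
    # so a client certificate could be used to impersonate the server
    { [ "$(config_field "$cli" ns-cert-type 2)" = server ] \
        || [ "$(config_field "$cli" remote-cert-tls 2)" = server ]; } \
        || { echo "client lacks 'ns-cert-type server' (or 'remote-cert-tls server')"; bad=1; }
    return $bad
}

# Usage: client_server_consistent /etc/openvpn/server.conf client.ovpn
```

The function prints one line per mismatch and returns non-zero if any was found, so it can gate a deployment script; run it once per client profile.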
1.5.3 Run as a service
cp sample-scripts/openvpn.init /etc/rc.d/init.d/openvpn
chkconfig --add openvpn
mkdir -p /etc/openvpn
## put the .conf (or .sh) files in /etc/openvpn; the init script starts one OpenVPN instance per .conf found there
1.5.4 Fixed VPN IP addresses and access to a client's private subnet
mkdir /etc/openvpn/ccd
## add to server.conf:
# EXAMPLE: Suppose the client name
# having the certificate common name "htit2"
# also has a small subnet 192.168.40.128/255.255.255.248.
client-config-dir ccd
route 192.168.40.128 255.255.255.248
vi /etc/openvpn/ccd/htit2
## ifconfig-push local remote: assigns the client the VPN IP address 10.8.2.9
## (with dev tun the two addresses must be the usable pair of one /30 inside the server subnet, here 10.8.2.9/10.8.2.10)
ifconfig-push 10.8.2.9 10.8.2.10
iroute 192.168.40.128 255.255.255.248
** The private subnet is the same in both places, but it must be specified in both configuration files (route in server.conf, iroute in the ccd file)
Edit /etc/sysctl.conf, find net.ipv4.ip_forward = 0, change it to net.ipv4.ip_forward = 1 and save.
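The ccd mechanism fails quietly when an entry is wrong: a client still connects but gets the pool address instead of its fixed one, or its subnet is unreachable because only one of route/iroute was set. The script below is an added check, not part of these notes or of OpenVPN, that validates every file under the ccd directory against server.conf before a restart. It assumes dev tun with the default net30 topology, in which every ifconfig-push pair must be the two usable addresses of one /30 inside the server subnet, and that each iroute needs a matching route line in server.conf as the note above says; the helper names (ip2int, in_subnet, net30_pair_ok, ccd_ifconfig_ok, ccd_routes_ok) are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original notes: validate client-config-dir
# entries against server.conf before restarting OpenVPN.
# Assumptions: "dev tun" with the default net30 topology, so every
# "ifconfig-push LOCAL REMOTE" must be the two usable addresses of one /30 inside
# the "server" subnet; every "iroute NET MASK" in a ccd file needs a matching
# "route NET MASK" in server.conf.

ip2int() {
    # dotted quad -> integer, POSIX sh arithmetic only
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

in_subnet() {
    # in_subnet IP NETWORK NETMASK -> 0 if IP lies inside NETWORK/NETMASK
    i=$(ip2int "$1"); n=$(ip2int "$2"); m=$(ip2int "$3")
    [ $(( i & m )) -eq $(( n & m )) ]
}

net30_pair_ok() {
    # net30_pair_ok LOCAL REMOTE -> 0 if both are the usable pair of one /30
    # (last octets 1/2, 5/6, 9/10, ...); .0 and .3 of each /30 are unusable
    p=$(ip2int "$1"); q=$(ip2int "$2")
    [ $(( p / 4 )) -eq $(( q / 4 )) ] || return 1
    [ $(( p % 4 + q % 4 )) -eq 3 ] || return 1
    [ $(( p % 4 )) -ne 0 ] && [ $(( p % 4 )) -ne 3 ]
}

ccd_ifconfig_ok() {
    # ccd_ifconfig_ok CCD_DIR SERVER_NET SERVER_MASK
    ccd="$1"; snet="$2"; smask="$3"; rc=0
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        grep -E '^[[:space:]]*ifconfig-push[[:space:]]' "$f" | while read -r _ lcl rmt _; do
            in_subnet "$lcl" "$snet" "$smask" && net30_pair_ok "$lcl" "$rmt" \
                || { echo "$f: ifconfig-push $lcl $rmt is not a valid net30 pair in $snet"; exit 1; }
        done || rc=1
    done
    return $rc
}

ccd_routes_ok() {
    # ccd_routes_ok SERVER_CONF CCD_DIR
    conf="$1"; ccd="$2"; rc=0
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        grep -E '^[[:space:]]*iroute[[:space:]]' "$f" | while read -r _ inet imask _; do
            # iroute tells OpenVPN which client owns the subnet; the kernel route
            # into the tun interface still comes from "route" in server.conf
            awk -v n="$inet" -v m="$imask" '$1=="route" && $2==n && $3==m {ok=1} END {exit !ok}' "$conf" \
                || { echo "$f: iroute $inet $imask has no matching route in $conf"; exit 1; }
        done || rc=1
    done
    return $rc
}

# Usage on the layout from these notes:
#   ccd_ifconfig_ok /etc/openvpn/ccd 10.8.2.0 255.255.255.0
#   ccd_routes_ok /etc/openvpn/server.conf /etc/openvpn/ccd
```

Both functions print the offending file and directive and return non-zero, so they can run from the same deployment step that edits the ccd files. After changing net.ipv4.ip_forward in /etc/sysctl.conf, sysctl -p applies the new value without a reboot.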
1.5.5 Installing the Linux client
Same as the server installation; copy all the required files to /etc/openvpn.
References:

http://blog.chinaunix.net/uid-16974460-id-3293329.html

http://www.xiaohui.com/dev/server/20070514-install-openvpn.htm