I. Preparation
yum -y install openssl openssl-devel   # OpenSSL headers are needed to build OpenVPN
yum -y install gcc gcc-c++
II. OpenVPN server installation
1. Download and install lzo
cd /apps                            # install directory
# Fetch the LZO source here as lzo-2.04.tar.gz. The URL on the original page,
# ftp://www.wudonghang.com/soft/openvpn-2.1_rc15.tar.gz, is the OpenVPN tarball,
# not LZO, so the tar command below would not find lzo-2.04.tar.gz.
# (If your repositories carry lzo-devel, "yum -y install lzo lzo-devel" replaces this step.)
tar zxvf lzo-2.04.tar.gz            # unpack
cd lzo-2.04
./configure ; make ; make install   # build and install
2. Download and install openvpn
cd /apps
wget http://openvpn.net/release/openvpn-2.1_rc15.tar.gz
# Plain HTTP download: verify the tarball against the checksum/signature the OpenVPN project publishes before building it.
tar zxvf openvpn-2.1_rc15.tar.gz
cd openvpn-2.1_rc15
./configure ; make ; make install
3. Server-side setup
mkdir -p /etc/openvpn
cp -r /apps/openvpn-2.1_rc15/easy-rsa /etc/openvpn/   # easy-rsa generates the server and client certificates; the rest of the source tree is not needed there
4. Initialize parameters
With the easy-rsa directory from the unpacked source copied to /etc/openvpn (step 3), edit vars and load it into the shell:
cd /etc/openvpn/easy-rsa/2.0
vi vars        # set KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL; raise KEY_SIZE from the default 1024 to 2048
source vars    # export them for the build-* scripts (running "./vars" as a command, as the original did, exports nothing)
5. Generate the CA certificate
./clean-all    # wipes everything in keys/; run it only once, when starting a fresh CA
./build-ca     # interactive; the CA private key is written to keys/ca.key and never leaves this directory
6. Build the server key (press Enter through the prompts)
./build-key-server server   # Common Name "server"; answer y to sign and commit. build-key-server sets nsCertType=server, which the client's ns-cert-type check relies on
7. Generate Diffie-Hellman parameters
./build-dh   # slow; writes keys/dh<KEY_SIZE>.pem, i.e. dh1024.pem with the default vars, dh2048.pem if KEY_SIZE=2048. A 1024-bit group is too weak to deploy today
8. Copy the CA certificate and the server certificate to the OpenVPN configuration directory
cp keys/{ca.crt,server.crt,server.key,dh1024.pem} /etc/openvpn/   # dh2048.pem if KEY_SIZE=2048
chmod 600 /etc/openvpn/server.key
The original also copied ca.key here. The server never uses it, and whoever holds it can issue certificates the server trusts, so leave it in keys/ (or move it off the VPN host altogether).
9. Generate client keys
./build-key client1   # same answers as for the server key, except the Common Name, which must be unique per client ("client1")
To create several VPN accounts, generate further client certificates in the same way as client1, e.g.:
./build-key client2
./build-key client3
10. Generate the client configuration file client1.ovpn
vi /etc/openvpn/easy-rsa/2.0/keys/client1.ovpn
client
remote 192.168.80.129 1194
dev tun                 # point-to-point tunnel; use tap (on both ends) for a bridged, Ethernet-style link
proto tcp               # must match the server's proto
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt               # paths are relative to the directory the client loads the .ovpn from
cert client1.crt
key client1.key
ns-cert-type server     # accept only a server certificate built with build-key-server; stops another client's certificate from impersonating the server
comp-lzo
route-delay 2
route-method exe        # Windows-only directive; remove it for Linux or macOS clients
verb 3
11. Package the client configuration file and certificates
cd /etc/openvpn/easy-rsa/2.0/keys
tar czf keys.tgz ca.crt client1.crt client1.key client1.ovpn
mv keys.tgz /root
The original bundle also included ca.key and client1.csr. The CSR is useless to the client, and ca.key must never be handed out: anyone who receives it can mint client certificates your server will accept. Deliver keys.tgz to the user over an authenticated channel (scp, not e-mail).
12. Create and edit the server configuration file server.conf (e.g. /etc/openvpn/server.conf)
port 1194
proto tcp                               # TCP as on the original page; the client must use the same proto
dev tun                                 # point-to-point tunnel; use tap (on both ends) for a bridged, Ethernet-style link
ca /etc/openvpn/ca.crt                  # the copies made in step 8 (the originals stay in easy-rsa/2.0/keys)
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem              # dh2048.pem if KEY_SIZE=2048
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"            # send all client traffic through the VPN; def1 overrides the client's default route without deleting it
push "route 172.18.2.0 255.255.255.0"   # route to the internal subnet
push "dhcp-option DNS 172.18.2.1"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
persist-key
persist-tun
client-to-client                        # without this, clients cannot reach each other
As written, the daemon keeps root for its whole lifetime; adding "user nobody" and "group nobody" drops privileges after the tunnel is up, and persist-key/persist-tun (already present) are what make that work across restarts.
13. Firewall settings
echo 1 > /proc/sys/net/ipv4/ip_forward                                   # enable forwarding immediately
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE   # NAT the VPN subnet out of the public interface (venet0 on OpenVZ; eth0 on most other hosts)
iptables-save > /etc/sysconfig/iptables
sed -i 's/eth0/venet0/g' /etc/sysconfig/iptables   # dirty vz fix for iptables-save; skip on non-OpenVZ hosts
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf    # persist forwarding across reboots
If the INPUT chain filters by default, also allow 1194/tcp, or clients will never complete the handshake.
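Before starting the daemon and shipping keys.tgz, it is worth checking the artefacts from steps 8 to 13 for exactly the mistakes a walkthrough like this tends to produce. The script below is an added example, not code from the original page or from the OpenVPN project: it audits a server.conf (DH group size, redirect-gateway without def1, missing user/group, unreadable or over-permissive key files) and a client bundle directory (ca.key or .csr files that should not be there, .ovpn references to files not in the bundle). The sample tree it builds uses empty placeholder files and relative paths, which are assumptions made for the demonstration; point the two audit functions at your real /etc/openvpn/server.conf and keys directory instead.

```shell
#!/bin/sh
# Pre-flight audit for the OpenVPN setup above (added example, not code from
# the original page). It checks a server.conf and a client bundle directory
# for the mistakes the walkthrough makes: 1024-bit DH, redirect-gateway
# without def1, no privilege drop, group/world-readable server key, and
# ca.key shipped to clients. File names and layout are assumptions.

# One finding per line for a server.conf; always returns 0 so it composes
# with `set -e`. Relative paths in the config are resolved against its dir.
audit_server_conf() {
    conf="$1"
    dir=$(dirname "$conf")

    # easy-rsa 2.0 defaults to KEY_SIZE=1024, which is what produces dh1024.pem.
    grep -Eq '^[[:space:]]*dh[[:space:]]+.*dh1024\.pem' "$conf" &&
        echo "DH1024: 1024-bit DH group; set KEY_SIZE=2048 in vars and rerun ./build-dh"

    # Without def1 the client's real default route is replaced outright;
    # def1 overrides it with two /1 routes and leaves the original for cleanup.
    grep -Eq '^[[:space:]]*push[[:space:]]+"redirect-gateway"[[:space:]]*$' "$conf" &&
        echo "REDIRECT: push \"redirect-gateway\" without def1"

    # The daemon keeps root for its whole lifetime unless told to drop it.
    grep -Eq '^[[:space:]]*user[[:space:]]+' "$conf" || echo "PRIV: no 'user' directive (add 'user nobody')"
    grep -Eq '^[[:space:]]*group[[:space:]]+' "$conf" || echo "PRIV: no 'group' directive (add 'group nobody')"

    # Every credential the config names must exist, and the private key must
    # not be readable by group or other (columns 5-10 of ls -l are "------").
    for directive in ca cert key dh; do
        f=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$f" ]; then echo "MISSING: no '$directive' directive"; continue; fi
        case "$f" in /*) ;; *) f="$dir/$f" ;; esac
        if [ ! -f "$f" ]; then
            echo "MISSING: $directive file $f does not exist"
        elif [ "$directive" = key ] && [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            echo "PERM: $f is readable by group/other; chmod 600 it"
        fi
    done
    return 0
}

# One finding per line for a directory about to be tarred up for a client.
audit_client_bundle() {
    bundle="$1"
    # ca.key signs certificates: whoever holds it can mint clients the server trusts.
    [ -e "$bundle/ca.key" ] && echo "CAKEY: ca.key in client bundle; it must stay on the CA host"
    # A .csr is useless to the client; its presence means keys/ was copied wholesale.
    for csr in "$bundle"/*.csr; do
        [ -e "$csr" ] && echo "CSR: $(basename "$csr") in bundle; not needed by the client"
    done
    # Each .ovpn may only reference files that are actually in the bundle.
    for ovpn in "$bundle"/*.ovpn; do
        [ -e "$ovpn" ] || continue
        for ref in $(awk '$1 == "ca" || $1 == "cert" || $1 == "key" { print $2 }' "$ovpn"); do
            [ -e "$bundle/$ref" ] || echo "MISSING: $(basename "$ovpn") references $ref, not in bundle"
        done
    done
    return 0
}

# Constructed sample tree in a temp dir (not real keys, just empty files):
# server.conf and bundle/ as on this page, plus a hardened fixed/server.conf.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/keys" "$d/fixed/keys" "$d/bundle"
    for f in ca.crt ca.key server.crt server.key dh1024.pem; do : > "$d/keys/$f"; done
    for f in ca.crt server.crt server.key dh2048.pem; do : > "$d/fixed/keys/$f"; done
    chmod 644 "$d/keys/server.key"          # deliberately too open
    chmod 600 "$d/fixed/keys/server.key"
    cat > "$d/server.conf" <<'EOF'
port 1194
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway"
keepalive 10 120
comp-lzo
EOF
    sed -e 's/dh1024/dh2048/' -e 's/"redirect-gateway"/"redirect-gateway def1"/' \
        "$d/server.conf" > "$d/fixed/server.conf"
    printf 'user nobody\ngroup nobody\n' >> "$d/fixed/server.conf"
    for f in ca.crt ca.key client1.crt client1.csr client1.key; do : > "$d/bundle/$f"; done
    printf 'client\nremote 192.168.80.129 1194\nca ca.crt\ncert client1.crt\nkey client1.key\n' > "$d/bundle/client1.ovpn"
    echo "$d"
}

sample=$(make_sample_tree)
echo "== server.conf as on this page =="; audit_server_conf "$sample/server.conf"
echo "== client bundle as on this page =="; audit_client_bundle "$sample/bundle"
echo "== hardened server.conf (expect no findings) =="; audit_server_conf "$sample/fixed/server.conf"
rm -rf "$sample"
```

Run it as-is to see the findings for the page's own configuration and none for the hardened copy, then call audit_server_conf /etc/openvpn/server.conf and audit_client_bundle against the directory you tar up. Once both are clean, start the daemon with openvpn --config /etc/openvpn/server.conf --daemon (the page never shows this step; OpenVPN reads no default config file) and confirm tun0 exists and the log shows "Initialization Sequence Completed" before handing keys.tgz to the user.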