OpenVPN IPv6 安装方法
openvpn2.3更新,主要是修复和改进。把32位和64位Windows版本分开了,新的openvpn-gui支持繁体中文,不过貌似状态显示中中文乱码,以前的版本是不存在此问题的,还有虚拟网卡和OpenVPN程序分开两个文件夹了,不是很爽啊。
另外貌似openvpn官方网站被攻击了,又恰逢其旗下VPN服务privatetunnel的IP全部被封,是不是一伙人干的。
========
openvpn 2.3安装ipv6
Execute the following command to initial the environment
[root@lixxx-xx ~]# yum update
[root@lixxx-xx ~]# yum install gcc
[root@lixxx-xx ~]# yum install gcc-c++
[root@lixxx-xx ~]# yum install make
[root@lixxx-xx ~]# yum install dnsmasq
[root@lixxx-xx openvpn]# yum install openssl-devel
[root@lixxx-xx ~]# mkdir openvpn
[root@lixxx-xx ~]# cd openvpn
Then Download the OpenVPN 2.3 from the website
http://openvpn.net/index.php/download.html
1
[root@lixxx-xx openvpn]# wget http://xxxx.org/openvpn-2.3-alpha1.tar.gz
Then Download the LZO lib from the website
http://www.oberhumer.com/opensource/lzo/
1
[root@lixxx-xx openvpn]# wget http://xxxx.com/lzo-2.06.tar.gz
Setup the LZO library
[root@lixxx-xx openvpn]# tar -zxsf lzo-2.06.tar.gz
[root@lixxx-xx openvpn]# cd lzo-2.06
[root@lixxx-xx lzo-2.06]# ./configure
[root@lixxx-xx lzo-2.06]# make
[root@lixxx-xx lzo-2.06]# make install
Setup the OpenVPN 2.3
[root@lixxx-xx openvpn]# tar -zxsf openvpn-2.3-alpha1.tar.gz
[root@lixxx-xx openvpn]# cd openvpn-2.3-alpha1/
[root@lixxx-xx openvpn-2.3-alpha1]# ./configure
[root@lixxx-xx openvpn-2.3-alpha1]# make
[root@lixxx-xx openvpn-2.3-alpha1]# make install
Prepare the OpenVPN Server
1
2
3
4
[root@lixxx-xx openvpn-2.3-alpha1]# mkdir /etc/openvpn
[root@lixxx-xx openvpn-2.3-alpha1]# cp -r easy-rsa/ /etc/openvpn
[root@lixxx-xx openvpn-2.3-alpha1]# cp sample-config-files/server.conf /etc/openvpn/
[root@lixxx-xx openvpn-2.3-alpha1]# cd /etc/openvpn/easy-rsa/2.0/
Edit the variables
1
[root@lixxx-xx 2.0]# vim vars
//Edit the following values in the file vars in your favorite
export KEY_COUNTRY=”US”
export KEY_PROVINCE=”CA”
export KEY_CITY=”SanFrancisco”
export KEY_ORG=”Fort-Funston”
export KEY_EMAIL=”me@myhost.mydomain”
export KEY_EMAIL=mail@host.domain
Produce Keys
[root@lixxx-xx 2.0]# . /etc/openvpn/easy-rsa/2.0/vars
[root@lixxx-xx 2.0]# . /etc/openvpn/easy-rsa/2.0/clean-all
[root@lixxx-xx 2.0]# . /etc/openvpn/easy-rsa/2.0/build-ca
[root@lixxx-xx 2.0]# . /etc/openvpn/easy-rsa/2.0/build-key-server server
[root@lixxx-xx 2.0]# . /etc/openvpn/easy-rsa/2.0/build-dh
If it doen’t work, excute the command
1
cp openssl-1.0.0.cnf openssl.cnf
Then re-execute those command above.
Next, build clients’ keys
1
[root@lixxx-xx 2.0]# . /etc/openvpn/easy-rsa/2.0/build-key client1
//Relocate the following files to your client machine, by using tools such as pscp/scp
* ca.crt
* client1.crt
* client1.key
eg.
[root@lixxx-xx 2.0]# mkdir ~/client1
[root@lixxx-xx 2.0]# cd keys
[root@lixxx-xx keys]# cp ca.crt client1.crt client1.key ~/client1
[root@lixxx-xx keys]# cd ~
[root@lixxx-xx ~]# cd openvpn/openvpn-2.3-alpha1/sample-config-files/
[root@lixxx-xx sample-config-files]# cp client.conf ~/client1
[root@lixxx-xx ~]# zip -9 -r client1.zip ./client1
//On your Windows Machine, execute the following command (first put pscp.exe in the location)
D:\linode>pscp root@xxx.xxx.xxx.xxx:client1.zip client1.zip
Relocate the following files to make server work properly
* ca.crt
* ca.key
* dh1024.pem
* server.crt
* server.key
1
2
[root@lixxx-xx ~]# cd /etc/openvpn/easy-rsa/2.0/keys
[root@lixxx-xx keys]# cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn
Install the OpenVPN service
[root@lixxx-xx ~]# cd ~/openvpn/openvpn-2.3-alpha1/
[root@lixxx-xx openvpn-2.3-alpha1]# cp sample-scripts/openvpn.init /etc/init.d/openvpn
[root@lixxx-xx openvpn-2.3-alpha1]# chkconfig –add openvpn
[root@lixxx-xx openvpn-2.3-alpha1]# chkconfig –level 345 openvpn on
Configure the server
1
[root@lixxx-xx ~]# vim /etc/openvpn/server.conf
//Add the following two lines in the file
push “redirect-gateway def1″
push “dhcp-option DNS 10.8.0.1″
//Save and Quit
[root@lixxx-xx ~]# vim /etc/sysctl.conf
//Edit the value in the file,
net.ipv4.ip_forward = 1
//Save and Quit
[root@lixxx-xx ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@lixxx-xx ~]# iptables -A FORWARD -m state –state RELATED,ESTABLISHED -j ACCEPT
[root@lixxx-xx ~]# iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
[root@lixxx-xx ~]# iptables -A FORWARD -j REJECT
[root@lixxx-xx ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
[root@lixxx-xx ~]# vim /etc/rc.local
//Edit the file to make it like this
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don’t
# want to do the full Sys V style init stuff.
iptables -A FORWARD -m state –state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
/etc/init.d/dnsmasq restart
/etc/init.d/openvpn restart
touch /var/lock/subsys/local
//Save and Quit
1
[root@lixxx-xx ~]# vim /etc/dnsmasq.conf
//Add following content
listen-address=127.0.0.1,10.8.0.1
bind-interfaces
//Save and Quit
Start Service
1
2
3
[root@lixxx-xx ~]# /etc/init.d/openvpn start
[root@lixxx-xx ~]# /etc/init.d/dnsmasq restart
[root@lixxx-xx ~]# chkconfig dnsmasq on
Edit the client1.conf in the zip file which you downloaded form the server
//Add following two line
route-method exe
route-delay 2
//Edit the following lines to match your own environment
remote xxx.xxx.xxx.xxx 1194
ca ca.crt
cert client1.crt
key client1.key
That’s all. If you want to configure IPv6 OpenVPN, just do those editing
1. Editing the /etc/openvpn/server.conf, change the proto udp to proto udp6
2. Execute the command
service openvpn restart
3. Edit the client1.conf, change the server’s IPv4 address to IPv6 address, then change the proto udp to proto udp6
/etc/openvpn/easy-rsa/2.0/
来源:http://www.cyups.com/?p=370
========
OpenVPN IPv6 安装方法
本方法只做参考,最新的openvpn 2.30方法有所改变。
OpenVPN是一个用于创建VPN加 密通道的软件包,最早由James Yonan编写。大量使用了OpenSSL加密库中的SSLv3/TLSv1协议函数库。目前OpenVPN能在Solaris、Linux、 OpenBSD、FreeBSD、NetBSD、Mac OS X与Windows 2000/XP/Vista上运行,並包含了许多安全性的功能。
服务端
1.安装基础编译工具和OpenSSL
|
1
2
|
CentOS: yum install gcc gcc-c++ kernel-devel openssl-develUbuntu: apt-get install build-essential libssl-dev |
2. 下载LZO和OpenVPN以及IPv6 Patch并编译安装
|
1
2
3
4
5
6
7
8
9
|
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gzwget http://openvpn.net/release/openvpn-2.1.1.tar.gzwget https://github.com/downloads/jjo/openvpn-ipv6/openvpn-2.1.1-ipv6-0.4.11.patch.gz –no-check-certificategunzip -d openvpn-2.1.1-ipv6-0.4.11.patch.gztar zxvf *.tar.gzpatch –p0 < openvpn-2.1.1-ipv6-0.4.11.patchcd lzo-2.04 && ./configure && make && make installcd ../openvpn-2.1.1 && ./configure && make && make installcd .. && cp -r ./openvpn-2.1.1/easy-rsa/ -r /etc/openvpn #拷贝配置文件到/etc/openvpn |
Tips:
如果patch文件这样生成
diff –uN from-file to-file > to-file.patch则
patch –p0 < to-file.patch如果patch文件这样生成
diff –uNr from-docu to-docu >to-docu.patch则
patch –p1 < to-docu.patch
3.生成证书
初始化PKI
|
01
02
03
04
05
06
07
08
09
10
11
|
cd /etc/openvpn/2.0/export D=`pwd`export KEY_CONFIG=$D/openssl.cnfexport KEY_DIR=$D/keysexport KEY_SIZE=1024export KEY_COUNTRY=USexport KEY_PROVINCE=CAexport KEY_CITY=SanFranciscoexport KEY_ORG="logicmd" #引号要用英文半角符号export KEY_EMAIL="i[at]logicmd.net" #引号要用英文半角符号. vars |
4.创建证书颁发机构(CA)
|
1
2
|
./clean-all #这行命令是清空Keys文件夹下的所有文件./build-ca |
接下来的信息你可以自己填写
5. 建立server key
|
1
|
./build-key-server server |
接下来的信息你可以自己填写
6. 生成client key
|
1
|
./build-key client1 # client1 可以自定义 这个是客户的名字 |
接下来的信息你可以自己填写
7.以此类推建立其他客户端 key
当然你也可以不用,也可以在使用中在添加,不过比较麻烦,文章后会有教程
|
1
2
|
./build-key client2./build-key client3 |
注意在进入 Common Name (eg, your name or your server’s hostname) []: 的输入时, 每个证书输入的名字必须不同.
8. 生成Diffie Hellman参数 (这个很重要)
|
1
|
./build-dh |
(如果这里发生错误,请尝试:openssl dhparam -out ./keys/dh1024.pem 1024)
9. 将 keys 下的client.key/crt和ca.crt打包下载到本地(可以通过winscp,http,ftp等等……)
|
1
2
|
#排除掉ca.key和server.keyfind ./ -name "*.crt" -or -name "*.key" -not -name "server.key" -not -name "ca.key" | xargs tar czvf yourkeys.tar.gz |
10.创建服务端配置文件
|
1
2
|
mkdir /etc/openvpn/2.0/confcp /root/openvpn-2.1.1/sample-config-files/server.conf /etc/openvpn/2.0/conf/server.conf |
11.用你最喜欢的编辑器编辑配置文件
(但是不建议记事本/notepad.exe),这里直接放出ipv4和ipv6的OpenVPN的配置文件
|
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
local YOUR.SERVER.IPV4.ADDRESSport 8888proto udpdev tunca /etc/openvpn/2.0/keys/ca.crtcert /etc/openvpn/2.0/keys/server.crtkey /etc/openvpn/2.0/keys/server.key # This file should be kept secretdh /etc/openvpn/2.0/keys/dh1024.pemserver 10.8.0.0 255.255.255.0ifconfig-pool-persist /var/log/openvpn/ipp-udp.txtpush "redirect-gateway def1 bypass-dhcp"push "dhcp-option DNS 10.8.0.1"push "dhcp-option DNS 8.8.8.8"push "dhcp-option DNS 8.8.4.4"keepalive 10 120cipher AES-128-CBC # AEScomp-lzo;max-clients 100user nobodygroup nobodypersist-keypersist-tunstatus openvpn-status-udp.loglog /var/log/openvpn/openvpn-udp.log;log-append openvpn.logverb 3 |
|
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
local YOUR.SERVER.IPV6.ADDRESSport 9999proto udp6dev tunca /etc/openvpn/2.0/keys/ca.crtcert /etc/openvpn/2.0/keys/server.crtkey /etc/openvpn/2.0/keys/server.key # This file should be kept secretdh /etc/openvpn/2.0/keys/dh1024.pemserver 10.8.1.0 255.255.255.0ifconfig-pool-persist /var/log/ipp-udp6.txtpush "redirect-gateway def1 bypass-dhcp"push "dhcp-option DNS 10.8.1.1"push "dhcp-option DNS 8.8.8.8"push "dhcp-option DNS 8.8.4.4"keepalive 10 120cipher AES-128-CBC # AEScomp-lzo;max-clients 100user nobodygroup nobodypersist-keypersist-tunstatus /var/log/openvpn-status-udp6.loglog /var/log/openvpn/openvpn-udp6.log;log-append openvpn.logverb 3 |
12.OpenVPN 访问外网的设置(如果不设置,你连上后只能在你和VPS之间建立VPN)
如果你跟偶一样很多类型VPN,很多NAT的话直接
|
1
|
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE |
如果你想精细控制不同NAT地址转发情况的话,可以分别设置
|
1
2
3
4
|
#OpenVPN IPv4iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE#OpenVPN IPv6iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE |
(如果你运行上面的出现 iptables: Unknown error 4294967295 这样的错误,可以尝试下面的)
/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -j SNAT –to-source [你的IP地址]
对于OpenVZ的VPS讲eth0换成venet0即可
继续输入
|
1
2
|
service iptables saveservice iptables restart |
修改包转发设置
|
1
|
sysctl -w net.ipv4.ip_forward=1 |
13. 设置 OpenVPN 服务器 reboot后自动启动 openvpn
|
1
2
3
4
5
6
|
vim /etc/rc.local#添加以下内容/usr/local/sbin/openvpn --config /etc/openvpn/2.0/conf/server-udp.conf &/usr/local/sbin/openvpn --config /etc/openvpn/2.0/conf/server-udp6.conf &sysctl -w net.ipv4.ip_forward=1iptables --table nat --append POSTROUTING --jump MASQUERADE |
虽说是前面save了iptables到系统文件,但是根据我的经验,VPS down掉重启后,还是需要重新设置iptables。
14.最后启动 OpenVPN
|
1
2
3
4
5
6
|
/usr/local/sbin/openvpn --config /etc/openvpn/2.0/conf/server-udp.conf &/usr/local/sbin/openvpn --config /etc/openvpn/2.0/conf/server-udp6.conf &#如要看到日志可以如此观看tail -f /var/log/openvpn/openvpn-udp.log#或者tail -f /var/log/openvpn/openvpn-udp6.log |
15.添加一个小脚本,用于继续添加客户端的KEY
|
01
02
03
04
05
06
07
08
09
10
11
12
13
|
#!/bin/bashcd /etc/openvpn/2.0/export D=`pwd`export KEY_CONFIG=$D/openssl.cnfexport KEY_DIR=$D/keysexport KEY_SIZE=1024export KEY_ORG="logicmd"export KEY_EMAIL="i[at]logicmd.net"export KEY_COUNTRY=USexport KEY_PROVINCE=CAexport KEY_CITY=SanFrancisco./vars./build-key |
客户端
1.分发配置文件给用户
将配置文件vpn.ovpn,证书 ca.crt client.crt client.key分发给用户。
|
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
|
clientdev tunproto udpremote YOUR.SERVERS.IPV4.DOMAINNAME 8888resolv-retry infinitenobind#个人感觉客户端不必,降权后不利于路由表管理;user nobody;group nobodypersist-keypersist-tunca ca.crtcert logicmd.crtkey logicmd.keyns-cert-type servercipher AES-128-CBC # AEScomp-lzoverb 2mute 20script-security 2# Here comes the route table.max-routes 1500 |
接下来按照 给VPN添加路由表 添加路由表即可。
2.客户端的安装
具体详见VPN配置手册
- Windows用户需要下载官网安装包 对于需要使用VPN Over IPv6的童鞋下载IPv6 Patched的openvpn.exe 替换掉X:\Program Files\OpenVPN\bin相应文件。
- Linux用户则应该按照本文开始服务器端的安装方法同样在客户端安装OpenVPN。Linux中OpenVPN的配置文件证书位置似乎不支持相对路径。
FAQ
1.Windows路由表速度过慢
删掉以下
|
1
2
|
route-method exeroute-delay 2 |
2.满屏幕的路由信息看着烦.opvn改成
|
1
2
|
verb 2mute 20 |
通过这个配置后,无论是ipv4还是ipv6都只能访问ipv4站点。
如何能够访问ipv6站点
openvpn官方网站被攻击,有三种可能:
1.某党派出的黑客
2.伊朗派出的黑客
3.以上二者联手
建议博主:搞个移动硬盘,把网站所有的文章,评论做个备份,这样网站如果被黑的话,整个数据被删除,网站也能很快的恢复。不建议只备份在网络硬盘上,面对国家派遣的黑客,网络硬盘也有攻破的危险。
感谢支持,我都是把数据库备份到gmail里,呵呵