References for this article:
Raspberry Pi • View topic – [How to] Dynamic DNS and Openvpn server
chen: Steps for installing OpenVPN on the Raspberry Pi
Building a VPN server with a Raspberry Pi – TakoBear
Install OpenVPN
# apt-get install openvpn
Create the easy-rsa directory
# mkdir /etc/openvpn/easy-rsa/
Copy the sample configuration files into /etc/openvpn/easy-rsa
# cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Change KEY_SIZE from 1024 to 2048 to make the certificates harder to break
# sed -i 's/KEY_SIZE=1024/KEY_SIZE=2048/' /etc/openvpn/easy-rsa/vars
Edit the default certificate fields
# sed -i 's/KEY_COUNTRY="US"/KEY_COUNTRY="TW"/' /etc/openvpn/easy-rsa/vars
# sed -i 's/KEY_PROVINCE="CA"/KEY_PROVINCE="Taiwan"/' /etc/openvpn/easy-rsa/vars
# sed -i 's/KEY_CITY="SanFrancisco"/KEY_CITY="E-Land"/' /etc/openvpn/easy-rsa/vars
# sed -i 's/KEY_ORG="Fort-Funston"/KEY_ORG="Home"/' /etc/openvpn/easy-rsa/vars
Change to the easy-rsa directory
# cd /etc/openvpn/easy-rsa
Start building the certificates
# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
Remove any old certificates
# ./clean-all
Build the required certificates and keys
# ./build-ca
# ./build-key-server bananapi
# ./build-dh
# ./build-key banana
Move tls.key into the keys directory
# mv ./tls.key ./keys/
Change to the /etc/openvpn/easy-rsa/keys directory
# cd /etc/openvpn/easy-rsa/keys
Copy the server-side files to /etc/openvpn
# cp ca.crt ca.key dh2048.pem bananapi.crt bananapi.key /etc/openvpn
Create a directory for the files the client needs
# mkdir $HOME/openvpn-client-files
Copy the client-side files
# cp ca.crt banana.crt banana.key $HOME/openvpn-client-files
Rename the CA certificate
# mv $HOME/openvpn-client-files/ca.crt $HOME/openvpn-client-files/capi.crt
Change the file permissions
# chmod +r $HOME/openvpn-client-files/banana.key
Create the /etc/openvpn/server.conf configuration file
# vim /etc/openvpn/server.conf
port 34567
proto tcp
dev tun
;; key file settings
dh /etc/openvpn/dh2048.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/bananapi.crt
key /etc/openvpn/bananapi.key
;; subnet used by the VPN
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
;; allow clients to reach each other
;client-to-client
push "redirect-gateway def1"
;; DNS settings
push "dhcp-option DNS 168.95.1.1"
push "dhcp-option DNS 140.111.66.1"
keepalive 5 30
;; maximum number of clients
max-clients 12
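As an added check that is not part of the original post or the referenced articles, the Python script below parses the directive format used by server.conf above (a directive disabled with a single ";" is distinguished from a ";;" comment) and reports what a reviewer would notice in this guide: tls.key was moved into keys/ but no tls-auth directive uses it, and comp-lzo is active. The sample config is constructed from the directives shown above.

```python
import shlex

# Constructed sample: the active directives of this guide's server.conf.
SAMPLE_CONF = """\
port 34567
;; key file settings
dh /etc/openvpn/dh2048.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/bananapi.crt
key /etc/openvpn/bananapi.key
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
;client-to-client
push "redirect-gateway def1"
push "dhcp-option DNS 168.95.1.1"
max-clients 12
"""

def parse_conf(text):
    """Return (active, disabled): active maps directive -> list of argument
    lists (push may repeat); disabled is the set of directives switched off
    with a single leading ';' or '#'. Lines starting with ';;' or '##' are
    free-form comments and are skipped."""
    active, disabled = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";;", "##")):
            continue
        commented = line[0] in ";#"
        parts = shlex.split(line[1:] if commented else line)  # honours quotes
        if not parts:
            continue
        if commented:
            disabled.add(parts[0])
        else:
            active.setdefault(parts[0], []).append(parts[1:])
    return active, disabled

def audit(text):
    """Return reviewer findings for the settings this guide uses."""
    active, _ = parse_conf(text)
    findings = [f"missing {d}" for d in ("ca", "cert", "key", "dh", "cipher")
                if d not in active]
    if "tls-auth" not in active and "tls-crypt" not in active:
        findings.append("tls.key is generated but never used: add tls-auth")
    if "comp-lzo" in active:
        findings.append("comp-lzo: compression is deprecated by upstream OpenVPN")
    return findings
```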
Firewall settings. If a firewall is already in place, merge these rules into the existing ones.
# vim /etc/firewall.vpn
#!/bin/bash
# Enable ip_forward
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t filter -F
iptables -t nat -F
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s "10.8.0.0/24" -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s "10.8.0.0/24" -j MASQUERADE
Change the file permissions
# chmod 700 /etc/firewall.vpn
Run it at boot
Add sh /etc/firewall.vpn to /etc/rc.local just before the final exit 0 line
# sed -i '/^exit 0/ish /etc/firewall.vpn' /etc/rc.local
Test whether OpenVPN starts correctly
# /etc/init.d/openvpn start
[ ok ] Starting virtual private network daemon: server.
# netstat -antp | grep 34567
tcp 0 0 0.0.0.0:34567 0.0.0.0:* LISTEN 3617/openvpn
tun0 interface information
# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)