OpenVPN can build a VPN tunnel over any single port.
The Linux kernel needs TUN/TAP support:
Network device support > Universal TUN/TAP device driver support
Preparing the files
wget http://openvpn.net/release/openvpn-2.0.8.tar.gz
Installation
tar zxf openvpn-2.0.8.tar.gz
cd openvpn-2.0.8
./configure && make install
cd easy-rsa/2.0
Edit vars to set the variables
. vars (source vars)
./build-ca (generate the CA certificate, keys/ca.*)
./build-key-server server (generate the server key, keys/server.*)
./build-dh (generate the DH parameters, keys/dh1024.pem)
./build-key client1 (generate the client1 key, keys/client1.*)
openvpn --genkey --secret keys/ta.key (generate the tls-auth key)
mkdir /usr/local/etc/openvpn
cp -a keys /usr/local/etc/openvpn
Server-side configuration
Edit /usr/local/etc/openvpn/server.conf
dev tun
port 443
proto tcp # use tcp, could pass by proxy server
server 192.168.2.0 255.255.255.0
push "redirect-gateway" ; automatically sets the client's default gateway to go out through the VPN server
push "dhcp-option DNS 168.95.192.1"
push "dhcp-option DNS 168.95.192.2"
client-to-client
ifconfig-pool-persist ipp.txt ; this file is generated by the server automatically
keepalive 10 120
tls-server
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key
dh /usr/local/etc/openvpn/keys/dh1024.pem
comp-lzo
persist-tun
persist-key
status openvpn-status.log
verb 3
Client-side configuration
client
dev tun
dev-node OpenVPN ; this name must match the connection name of the TAP-Win32 virtual ethernet adapter, which defaults to "Local Area Connection n"; press F2 to rename it to OpenVPN
proto tcp
remote 218.187.1.1 443 ; 218.187.1.1 is the server IP
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
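The server and client configurations above omit two things the key-generation step already prepared for: the ta.key produced by openvpn --genkey is never referenced (tls-auth), and the client never insists that the certificate it talks to is a server certificate (ns-cert-type server, the OpenVPN 2.0 directive that easy-rsa's build-key-server sets the matching extension for). The following audit script is an added example, not part of the original tutorial or of OpenVPN; it parses the plain-text directive format of both configs and reports such gaps. The sample configs embedded in it are constructed from the directives on this page, and the checks reflect the OpenVPN 2.0 documentation rather than anything the page itself states.

```python
"""Audit OpenVPN 2.0-style server and client configs for hardening gaps.

Added example for this page, not code from the tutorial or from OpenVPN.
The sample configs below are constructed from the page's own directives.
"""
import shlex

# Constructed sample: a subset of the page's server.conf, comments kept.
SERVER_CONF = """\
dev tun
port 443
proto tcp # use tcp, could pass by proxy server
server 192.168.2.0 255.255.255.0
push "redirect-gateway" ; route all client traffic through the VPN
client-to-client
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key
dh /usr/local/etc/openvpn/keys/dh1024.pem
persist-tun
persist-key
"""

# Constructed sample: a subset of the page's client config.
CLIENT_CONF = """\
client
dev tun
proto tcp
remote 218.187.1.1 443 ; server IP from the page
ca ca.crt
cert client1.crt
key client1.key
"""


def strip_comment(line):
    """Cut the line at the first '#' or ';' that sits outside quotes."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in ('"', "'"):
            quote = ch
        elif ch in "#;":
            return line[:i]
    return line


def parse_config(text):
    """Map each directive to a list of argument lists (directives may repeat)."""
    directives = {}
    for raw in text.splitlines():
        parts = shlex.split(strip_comment(raw))
        if parts:
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def audit_server(conf):
    """Return (severity, message) findings for a parsed server config."""
    findings = []
    if "tls-auth" not in conf:
        findings.append(("high", "no 'tls-auth' line: the ta.key from "
                         "'openvpn --genkey --secret' is never used, so TLS "
                         "handshake packets are not HMAC-authenticated"))
    if "user" not in conf or "group" not in conf:
        findings.append(("medium", "no 'user'/'group' directive: the daemon "
                         "keeps root after start-up (persist-key and "
                         "persist-tun are what make a privilege drop safe)"))
    if "client-to-client" in conf:
        findings.append(("info", "'client-to-client' lets clients reach each "
                         "other through the server; remove it if unneeded"))
    if conf.get("proto", [["udp"]])[0][:1] == ["tcp"]:
        findings.append(("info", "'proto tcp' passes proxies but stacks TCP "
                         "retransmits on TCP; prefer udp where possible"))
    for needed in ("ca", "cert", "key", "dh"):
        if needed not in conf:
            findings.append(("high", f"missing required '{needed}' directive"))
    return findings


def audit_client(conf):
    """Return (severity, message) findings for a parsed client config."""
    findings = []
    # 'ns-cert-type server' is the OpenVPN 2.0 directive; easy-rsa's
    # build-key-server sets the nsCertType=server extension it checks.
    # 'remote-cert-tls server' is the OpenVPN 2.1+ successor.
    if "ns-cert-type" not in conf and "remote-cert-tls" not in conf:
        findings.append(("high", "no 'ns-cert-type server': any certificate "
                         "issued by the CA is accepted as the server's"))
    if "tls-auth" not in conf:
        findings.append(("high", "no 'tls-auth ta.key 1' matching the server"))
    if "remote" not in conf:
        findings.append(("high", "no 'remote' directive"))
    return findings


if __name__ == "__main__":
    for name, text, audit in (("server", SERVER_CONF, audit_server),
                              ("client", CLIENT_CONF, audit_client)):
        for severity, message in audit(parse_config(text)):
            print(f"[{name}] {severity}: {message}")
```

Run it against a real file by reading the file into parse_config instead of the constructed samples. The comment stripping honours quotes so that a pushed option such as "dhcp-option DNS 168.95.192.1" survives intact, which is the main way a naive split on '#' or ';' goes wrong.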