以前帮朋友摸索过如何通过浏览器配置VPN的参数并激活. 后来不了了之, 就把安装记下来吧. 估计帮别人翻墙有用.

Installation

Use default Ubuntu packages

sudo apt install openvpn easy-rsa

Configuration Setup

setup server

• vi /etc/default/openvpn, add

   AUTOSTART="openvpn"
  

• cd /etc/openvpn/

   cp -r /usr/share/doc/openvpn/examples/easy-rsa/ .
  

• vi easy-rsa/2.0/vars

   export D=/etc/openvpn/easy-rsa/2.0
   export KEY_COUNTRY="US"
   export KEY_PROVINCE="DE"
   export KEY_CITY="Newark"
   export KEY_ORG="IT"
   export KEY_EMAIL="c2.programmer@domain.com"
  

• cd /etc/openvpn/easy-rsa/2.0
• . ./vars
• ./clean-all
• ./build-ca
• ./build-key-server server ( a challenge password: 25b8c7de)
• ./build-key client1 You can repeat this step if you want to have more clients, just replace the parameter with client2, client3, etc.
• Now let’s create Diffie Hellman parameters: `./build-dh

• scp the following files to client1

   scp ca.crt client1.crt client1.key situ@client1_host
  

• then move these files to /etc/openvpn on the client.

config server

• vi /etc/openvpn/openvpn.conf

   dev tun
   proto tcp
   port 1194
  
   ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
   cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
   key /etc/openvpn/easy-rsa/2.0/keys/server.key
   dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
  
   user nobody
   group nogroup
   server 10.8.0.0 255.255.255.0
  
   persist-key
   persist-tun
  
   #status openvpn-status.log
   #verb 3
   client-to-client
  
   push "redirect-gateway def1"
  
   #log-append /var/log/openvpn
   comp-lzo
  

setup client

• vi /etc/openvpn/openvpn.conf

   dev tun0
   client
   proto tcp
   # e.g. 192.168.1.1
   remote ${remote_vpn_server} 1194
   resolv-retry infinite
   nobind
   user nobody
   group nogroup
  
   # Try to preserve some state across restarts.
   persist-key
   persist-tun
   ca ca.crt
   cert client1.crt
   key client1.key
   comp-lzo
  
   # Set log file verbosity.
   verb 3
  

configuration on both side

• configure IP forwarding and IPTables for doing NAT on the server:

   echo 1 > /proc/sys/net/ipv4/ip_forward
  
   sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
  

You can verify the rule was written correctly with:

    sudo iptables -L -t nat

If you have a firewall you should make sure your VPN traffic can be routed.

If you made a mistake and want to remove all rules from IPTables:

    sudo iptables -F -t nat

• Now restart OpenVPN in both client and server and you should be set. Running ‘'’ifconfig’’’ and ‘'’route -n’’’ you should see a new interface, tun0, in both PC’s. Confirm you can connect with a ping to your new tun0 interfaces, for example:

   ping 10.8.0.1
  

start a client from command line

sudo: cd /etc/openvpn; sudo openvpn  --config /etc/openvpn/openvpn.conf; cd - 
Gnome: gksu -u root 'cd /etc/openvpn; openvpn --config /etc/openvpn/client.conf'
KDE: kdesu [-u root] -c 'cd /etc/openvpn; openvpn  --config /etc/openvpn/openvpn.conf; cd -'

DD-WRT router setup

https://www.dd-wrt.com/wiki/index.php/OpenVPN

verb 5 script-security 2 route 192.168.1.1 255.255.255.0 dhcp-option DNS 192.168.1.1 server 192.168.66.0 255.255.255.0

dev tun0 proto udp keepalive 10 120 dh /tmp/openvpn/dh.pem ca /tmp/openvpn/ca.crt cert /tmp/openvpn/cert.pem key /tmp/openvpn/key.pem