openvpn介绍http://openvpn.sourceforge.net/ ,不多说了.
openvpn可工作于两种模式：
一种是IP遂道路由模式,主要应用于点对点
一种是基于以太网的遂道桥模式, 应用于点对多点,有多个分支机构
本文介绍的配置实例是第一种
拓扑图:
局域网1: OFFICE主机装redhat9.0 两块网卡
eth1接公网 61.131.58.x ,
eth0接 内网192.168.1.56
vpn 10.1.0.1
A主机 192.168.1.222
局域网2:
HOME主机装redhat9.0两块网卡
eth0 接公网 218.85.158.244
eth1 接内网 192.168.0.235
vpn 10.1.0.2
B主机 192.168.0.45

环境:redhat9.0+lzo+openssl+openvpn
openssl用来进行加密，lzo用来进行数据压缩
下载地址 http://prdownloads.sourceforge.net/openvpn/openvpn-2.0_beta7.tar.gz
http://www.oberhumer.com/opensource/lzo/download/lzo-1.08.tar.gz

先检查openssl是否已安装
rpm –qa | grep openssl
没有请先装openssl, openssl如何安装就不介绍了
我将openvpn-2.0.beta7.tar.gz和lzo-1.08.tar.gz下载到/home
#cd /home
#tar zxvf lzo-1.08.tar.gz
#cd lzo-1.08.
#./comfigure
#make
#make install
#tar zxvf openvpn-2.0_beta7.tar.gz
#cd openvpn-2.0_beta7
#./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib
#make
#make install
#mkdir /etc/openvpn
#cd /etc/openvpn
#openvpn --genkey --secret static.key
将static.key从office主机复制到home主机的/etc/openvpn目录中
office#scp static.key root@218.85.158.244:/etc/openvpn
office#cd /home/openvpn-2.0_beta7/sample-config-files
office#cp static-office.conf /etc/openvpn
office#cp firewall.sh /etc/openvpn
office#cp openvpn-startup.sh /etc/openvpn
office#cp office.up /etc/openvpn
修改static-office.conf ,firewall.sh ,openvpn-startup.sh,office.up
我们先来看office主机的这几个配置文件
static-office.conf配置如下:
dev tun0
remote 218.85.158.244 #为对端的公网ip
ifconfig 10.1.0.1 10.1.0.2 #为本端和对端的vpn ip地址
secret /etc/openvpn/static.key #密钥
port 5000
comp-lzo
ping 15
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
verb 3

office主机的firewall.sh脚本如下:
#!/bin/bash
PRIVATE=192.168.1.0/24
LOOP=127.0.0.1

iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F

iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -i eth1 -s $LOOP -j DROP
iptables -A FORWARD -i eth1 -s $LOOP -j DROP
iptables -A INPUT -i eth1 -d $LOOP -j DROP
iptables -A FORWARD -i eth1 -d $LOOP -j DROP

iptables -A FORWARD -p tcp --sport 137:139 -o eth1 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o eth1 -j DROP
iptables -A OUTPUT -p tcp --sport 137:139 -o eth1 -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o eth1 -j DROP

iptables -A FORWARD -s ! $PRIVATE -i eth0 -j DROP


iptables -A INPUT -s $LOOP -j ACCEPT
iptables -A INPUT -d $LOOP -j ACCEPT

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT

iptables -A INPUT -p udp --dport 5000 -j ACCEPT #openvpn默认使用udp 5000端口

iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT #这两句很重要
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT

iptables -A INPUT -i eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -j ACCEPT

iptables -A OUTPUT -m state --state NEW -o eth1 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -s $PRIVATE -o eth1 -j MASQUERADE

office.up脚本配置如下:
#!/bin/bash
route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.1.0.2 #此处是对端的vpn ip地址
openvpn-startup.sh脚本配置如下:
#!/bin/bash
dir=/etc/openvpn
$dir/firewall.sh
modprobe tun
echo 1 > /proc/sys/net/ipv4/ip_forward
openvpn --config /etc/openvpn/static-office.conf


home主机的4个配置文件
static-home.conf如下
dev tun0
remote 61.131.58.194
ifconfig 10.1.0.2 10.1.0.1
secret /etc/openvpn/static.key
port 5000
comp-lzo
ping 15
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
verb 3

firewall.sh如下
#!/bin/bash
PRIVATE=192.168.0.0/24
LOOP=127.0.0.1
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F

iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -i eth0 -s $LOOP -j DROP
iptables -A FORWARD -i eth0 -s $LOOP -j DROP
iptables -A INPUT -i eth0 -d $LOOP -j DROP
iptables -A FORWARD -i eth0 -d $LOOP -j DROP

iptables -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP

iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP

iptables -A INPUT -s $LOOP -j ACCEPT
iptables -A INPUT -d $LOOP -j ACCEPT

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT

iptables -A INPUT -p udp --dport 5000 -j ACCEPT

iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT

iptables -A INPUT -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT

iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE

home.up脚本如下:
#!/bin/bash
route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.1.0.1
openvpn-startup.sh脚本如下:
#!/bin/bash
dir=/etc/openvpn
$dir/firewall.sh
modprobe tun
echo 1 > /proc/sys/net/ipv4/ip_forward
openvpn --config /etc/openvpn/static-home.conf
最后需要注意的是在office和home主机的/etc/modules.conf都要加上一行:
alias char-major-10-200 tun
在office主机上
office#cd /etc/openvpn
office#./openvpn-startup.sh
office#./office.up
在home主机上
home#cd /etc/openvpn
home#./openvpn-startup.sh
home#./home.up
A主机的default gateway设为192.168.1.56
B主机的default gateway设为192.168.0.235
在A主机上ping 192.168.0.45
在home主机上用tcpdump监听
home#tcpdump -i tun0
应该有echo request和echo reply
不行的话，在home#ping 10.1.0.1看两个vpn网关是否通
http://openvpn.sourceforge.net/ 上还有howto，faq,examples可参考
欢迎与我交流,
QQ：35907960
Mail:yanypunix@yahoo.com.cn