#cd /root
#wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz
#tar zxvf  lzo-2.03.tar.gz
#cd lzo-2.03
#./configure && make && make install

再安裝 openvpn 2.1.1 (lzo 必須要先安裝，不然下面的安裝會出錯)
#cd /root
#wget http://openvpn.net/release/openvpn-2.1.1.tar.gz
#tar zxvf openvpn-2.1.1.tar.gz
#cd openvpn-2.1.1
#./configure && make && make install

# cd /root

# cp -rv openvpn-2.1.1/easy-rsa ./

(如果是用 tar 方式安裝，則 easy-rsa 會在 openvpn-2.1.1 的資料夾裡。)

# cd  ~/easy-rsa

# vi vars

export KEY_COUNTRY="TW"

export KEY_PROVINCE="Taiwan"

export KEY_CITY="Taipei"

export KEY_ORG="TomatoVPN"

export KEY_EMAIL="y...@email.com"

# source ./vars

# ./clean-all

# ./build-ca
(以下為問答交談的畫面，請注意輸入，因為不能使用刪除鍵。)

Country Name (2 letter code) [TW]:

State or Province Name (full name) [Taiwan]:

Locality Name (eg, city) [Taipei]:

Organization Name (eg, company) [TomatoVPN]:

Organizational Unit Name (eg, section) []:Home

Common Name (eg, your name or your server’s hostname) [TomatoVPN CA]:

Name []:Home

Email Address [y...@email.com]:

—–[建立 vpn server 的相關 key 組]—————————————————————

# ./build-key-server vpnsrv

……

Country Name (2 letter code) [TW]:

State or Province Name (full name) [Taiwan]:

Locality Name (eg, city) [Taipei]:

Organization Name (eg, company) [TomatoVPN]:

Organizational Unit Name (eg, section) []:Home

Common Name (eg, your name or your server’s hostname) [vpnsrv]:

Name []:Home

Email Address [y...@email.com]:

…….. (以下兩個都按 Enter 跳過。)

A challenge password []:

An optional company name []:

……..
(以下兩個都回答 y 即可)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

——[dh1024]————————————————————

# ./build-dh

—–[以下為  VPN SERVER 填寫到 tomatovpn 對應的欄位---------------------------------------------

Certificate Authority -> 開啟 ca.crt 並全選->複製 -> 貼上

Server Certificate -> 開啟 vpnsrv.crt 並全選->複製 -> 貼上

Server Key -> 開啟 vpnsrv.key 並全選->複製 -> 貼上

Diffie Hellman parameters ->開啟 dh1024.pem 並全選->複製 -> 貼上

================================================================

[Client-Part]

# cd /tmp

# cp -rv easy-key client

( If you want to copy second client key.) -> 非必要步驟

(# cp -rv easy-key client1) -> 非必要步驟

# cd client

# source ./vars

# ./build-key vpnclient1

Generating a 1024 bit RSA private key

………………………………………………………………………………………………………………………++++++

…………++++++

writing new private key to ‘vpnclient1.key’

—–

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.’, the field will be left blank.

—–

Country Name (2 letter code) [TW]:

State or Province Name (full name) [Taiwan]:

Locality Name (eg, city) [Taipei]:

Organization Name (eg, company) [TomatoVPN]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server’s hostname) [vpnclient1]:

Name []:

Email Address [y...@email.com]:

Please enter the following ‘extra’ attributes

to be sent with your certificate request

(以下兩個可以按 Enter 跳過)

A challenge password []:

An optional company name []:

Using configuration from /tmp/client/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject’s Distinguished Name is as follows

countryName :’TW’

stateOrProvinceName : ‘Taiwan’

localityName : ‘Taipei’

organizationName :PRINTABLE:’TomatoVPN’

commonName :PRINTABLE:’vpnclient1′

emailAddress :IA5STRING:’y...@email.com’

Certificate is to be certified until Jul 19 11:17:27 2019 GMT (3650 days)

(以下兩項也是都回答 y 即可)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

—[到這裡為止，該做的 KEY 都做完了。]—————————————————

(接下來要 sign vpnclient1 的 key 了)

# cp keys/vpnclient1.csr ../easy-rsa/keys/

# cp keys/vpnclient1.key ../easy-rsa/keys/

# cd ../easy-rsa

# source ./vars

# ./sign-req vpnclient1

Using configuration from /tmp/easy-rsa/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject’s Distinguished Name is as follows

countryName :PRINTABLE:’TW’

stateOrProvinceName :PRINTABLE:’Taiwan’

localityName :PRINTABLE:’Taipei’

organizationName :PRINTABLE:’TomatoVPN’

commonName :PRINTABLE:’vpnclient1′

emailAddress :IA5STRING:’y...@email.com’

Certificate is to be certified until Jul 19 11:20:48 2019 GMT (3650 days)

(以下兩個回答 y 即可)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

======================================================================

ca ca.crt
cert vpnclient1.crt
key vpnclient1.key

以上3個為 vpnclient 的 KEY。

======================================================================

此版更新後，原 sshd 的部份，會多出 remote port。

如果用 ap 做 gateway 的話，請勾選 remote port 並指定 port number。

如果不是用 ap 做 gateway 的話，請不要勾選 remote port。謝謝。

官網: http://tomatovpn.keithmoyer.com/2009/08/125vpn34-release.html

至於新增什麼功能，請看下面:

• Upgraded to OpenVPN 2.1rc19
• AES speed improvements (Thanks fyellin!)
• More "Accept DNS configuration" options (strict/exclusive)
• Add (dynamic) HOWTO links to GUI for key generation
• TLS renegotiation time setting
• WINS options pushed/accepted along with other DNS options
• Option to not push server LAN route to clients
• Option to leave comp-lzo directive out of confi altogether (now "Disable", "None" is equivalent to the old "Disable")
• Non-VPN changes (also sent to Jon for inclusion in Tomato)
  • Multiple MAC addresses can share an IP for Static DHCP
  • EditDNS added to Dynamic DNS providers
• Various code cleanups/improvements

1. 請到 openvpn.net 或 openvpn.se 下載，最新 2.1 的版本來安裝。
1.1 : http://openvpn.net/index.php/open-source/downloads.html ,
Direct Link: http://openvpn.net/release/openvpn-2.1_rc18-install.exe
2. 根據官方HowTo的說明安裝Server部分
a. 產生各種key，利用/usr/share/doc/openvpn/examples/easy-rsa/2.0/的script & bat.

b.init-conifg.bat / init-conifg
c. 修改vars
export KEY_COUNTRY="TW"
export KEY_PROVINCE="Taoyuan"
export KEY_CITY="PingChenCity"
export KEY_ORG="CompanyName"
export KEY_EMAIL="m...@email.box"
2. 執行參數設定
../vars
vars.bat
3. 清除已有 Key
./clean-all
clean-all.bat
4. 產生RootCA憑證
./build-ca
build-ca.bat
Common Name 填 OpenVPN-CA 其他都預設就好
5. 產生Server用憑證
./build-key-server server
build-key-server.bat server
Common Name 填 server ；其他是非題就選y
2. 偷懶法產生Client憑證
./build-key client1 ,  common name : client1
./build-key client2,  common name: client2
./build-key client3,  common name: client3
依此類推
3. 產生Diffie Hellman parameters
./build-dh
build-dh.bat
4. 把ca.crt、ca.key、server.crt、server.key、dh1024.pem放到 /etc/openvpn
5. 修改/usr/share/doc/openvpn/examples/sample-config-files/server.conf
後放在 /etc/server.conf
1. proto tcp
2. push "redirect-gateway"
3. user nobody
4. group nogroup
6. 把ca.crt、client1.crt、client1.key放到 第一台Client的設定檔目錄
(例如:Windows 就是在C:\Program Files\OpenVPN\config)
(Linux則在/etc/openvpn)
7. 在client1機器上一樣把client.conf(或client.ovpn@windows)的sample檔案拿來改
(其他client自行類推)
1. proto tcp
2. remote [VPN主機位置] 1194 (443,1863)
3. cert client1.crt
key client1.key
3. 加上NAT的設定
1. 啟動 ip forward
修改 /etc/network/options
ip_forward=yes
2. 設定iptable 的NAT 對應->參考資料
/sbin/iptables -t nat -A POSTROUTING -d ! 10.8.0.0/255.255.255.0 -j MASQUERADE
3. 儲存iptable設定
mkdir /var/lib/iptables/
/etc/init.d/iptables save active
4. 完成啦！
=====================================================================
VPN Server -
Certificate Authority – ca.crt of content from BEGIN to END.
Server Certificate – server.crt of content from BEGIN to END.
Server Key – server.key of content from BEGIN to END.
Diffie Hellman parameters – dh1024.pem of content from BEGIN to END.
Then click Save to Save above keys & Certificate of content.

=====================================================================
vpn.bat of content as below:
@echo off
rem —————————————————–
set ONET=10.0.0.0
set OMASK=255.0.0.0
set OGW=10.1.2.254

set VNET=192.168.1.0
set VMASK=255.255.255.0
set VGW=192.168.1.254
set VIP=192.168.1.100

route -f
route add %ONET% mask %OMASK% %OGW%
route add %VNET% mask %VMASK% %VIP%
route add 123.126.1.0 mask %VMASK% 10.1.2.3
route add 0.0.0.0 mask 0.0.0.0 %VGW%
route print
pause

rem ipconfig /flushdns
rem ipconfig /registerdns
:END

rem  10.1.2.3 <–> 123.126.1.2 <–> 192.168.1.100
rem —————————————————–
=====================================================================
Proxy Setting:
1. 在 .ovpn 或 .conf 裡加入，如下列:
ntlm auth: (for ISA 200X)

http-proxy proxy.Server 80 proxy.txt ntlm

proxy.Server : 你的公司內部的 porxy server 的ip 或 wins name。
80 : proxy port number
proxy.txt : 這個檔案必須跟 .ovpn/.conf 放在同一個資料夾，格式: 第一行:  cpalm\usr999000 ，第二行: 密碼
ntlm : auth 的方式有 none (免認證)，basic ( ID/PW) ， ntlm (isa server 綁定 domain 的認證方式)。

basic auth: (for Squid proxy server )

http-proxy proxy.Server 3128 proxy.txt basic
=====================================================================
===tomato VPN Web GUI setting===
=====================================================================
1.Goto [Administration] > [Scripts]  Copy below into text-box then save.

—Copy Begin—
到 Administration -> Scheduler -> Custom1 -> 在 command 填入下列幾行:
service vpnserver1 start
sleep 5
service vpnserver2 start
—Copy End—

2.Goto [VPN Tunneling] > [Server] > [Server 1]
Basic:
Start with Router : Checked (打勾)
Interface Type: TAP
Protocol: TCP
Port: 443
Firewall : Automatic
Authorization Mode: Static Key
Then click [Save] to save above settings.
Advanced:
Respond to DNS: Checked (打勾)
Encryption cipher : Use Default
Compression : Disabled
Custom Configuration: Leave Blank
Then click [Save] to save above settings.
Keys:
Static Key generate command as below and open key.txt then copy content to keys of textbox.
"C:\Program Files\OpenVPN\bin\openvpn.exe" –pause-exit –verb 3 –genkey –secret "C:\Program Files\OpenVPN\config\key.txt"
Then click [Save] to save above settings.
3. Click [Start Now] to active VPN server 1.