解决方法：

# ln -s /usr/local/lib/sasl2 /usr/lib/sasl2

问题二：
Jan 15 20:24:43 localhost postfix/smtpd[3048]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory

原因:系统已经安装sasl-cyrus 删除掉，然后编译重装

useradd -M -o -r -d /www/mysql -s /bin/bash -c "MySQL Server" -u 27 mysql

./configure --prefix=/usr/local/mysql5 --sysconfdir=/etc --enable-assembler --with-mysqld-ldflags=-all-static --localstatedir=/www/mysql --with-big-tables --with-low-memory --with-extra-charsets=all --enable-thread-safe-client

make

make install

cp support-files/my-large.cnf /etc/my.cnf (针对512M的,不同的内存有不同的配置文件)

cp support-files/mysql.server /etc/rc.d/init.d/mysqld5

chmod 755 /etc/rc.d/init.d/mysqld

chkconfig --add mysqld

/usr/local/mysql5/bin/mysql_install_db --user=mysql

vi /etc/ld.so.conf

增加
/usr/local/mysql5/lib/mysql/

保存ldconfig

修改 /etc/profile

export PATH=$PATH:/usr/local/mysql5/bin

设置密码

mysqladmin -u root password 'password'

2:iconv

wget http://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.11.tar.gz

./configure --prefix=/usr
make
make install

ldconfig

3:gd

wget http://www.libgd.org/releases/gd-2.0.35.tar.gz
./configure
make
make install

4:t1lib

./configure

make without_doc
make install

5:freetds

wget ftp://ftp.ibiblio.org/pub/Linux/ALPHA/freetds/stable/freetds-stable.tgz

tar zvxf freetds-stable.tgz
cd freetds-0.64
./configure --prefix=/usr/local/freetds --with-tdsver=8.0 --enable-msdblib
make
make install

6:libxm2

wget ftp://xmlsoft.org/libxml2/libxml2-sources-2.6.29.tar.gz

./configure
make
make install

7:php

./configure --prefix=/usr/local/php5 --enable-exif --with-iconv=/usr --with-xml=/usr/local --with-curl=/usr --with-gdbm --with-gettext --enable-track-vars --with-calendar=shared --enable-magic-quotes --enable-trans-sid --enable-wddx --enable-ftp --enable-inline-optimization --with-gd=/usr/local --with-zlib --enable-gd-native-tt --with-t1lib=/usr/local --with-jpeg-dir=/usr --with-zlib-dir=/usr --with-ttf --with-freetype-dir=/usr --with-gd --with-png-dir=/usr --with-jpeg-dir=/usr --with-mysql=/usr/local/mysql5 --enable-force-cgi-redirect --with-apxs2=/usr/local/apache2/bin/apxs --with-mssql=/usr/local/freetds --with-pdo-mysql=/usr/local/mysql5

修改httpd.conf

AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

修改默认首页 index.php

cp php.ini-dist /usr/local/php5/lib/php.ini

修改php.ini文件
register_globals = On

Server:

* Red Hat Enterprise Linux (Server including virtualization):
2515dd4e215225dd

+ Red Hat Enterprise Linux Virtualization Platform:
49af89414d147589

Client:

* Red Hat Enterprise Linux Desktop:
660266e267419c67

+ Red Hat Enterprise Linux Desktop + Workstation Option:
da3122afdb7edd23

+ Red Hat Enterprise Linux Desktop + Workstation + DualOS Option
(Virtualization):
7fcc43557e9bbc42

+ Red Hat Enterprise Linux Desktop + DualOS Option (Virtualization):
fed67649ff918c77

测试过，可行！

或者
./configure --prefix=/usr/local/named --enable-threads --with-openssl=/usr/local/openssl

make
make install

--enable-threads 开启多线程支持

groupadd bind
useradd -g bind -d /usr/local/named -s /sbin/nologin bind

cd /usr/local/named

mkdir etc

sbin/rndc-confgen > etc/rndc.conf

cd etc

tail -10 rndc.conf | head -9 | sed s/#\ //g > named.conf

mkdir /usr/local/named/var

chmod 777 /usr/local/named/var

cd /usr/local/named/var

vi localhost.zone

$TTL 86400
$ORIGIN localhost.
@ 1D IN SOA @ root (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
1D IN NS @
1D IN A 127.0.0.1

建立named.local文件
vi named.local

$TTL 86400
@ IN SOA localhost. root.localhost. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS localhost.

1 IN PTR localhost.

dig命令直接生成named.root文件

dig > named.root

vi common.zone
内容如下

zone "." IN {
type hint;
file "named.root";
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

vi /usr/local/named/etc/named.conf
主要内容如下

options {
directory "/usr/local/named/var";
pid-file "named.pid";
version "I am bind";
listen-on {x.x.x.x;};
};

controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};

include "common.zone";

chown -R bind:bind /usr/local/named

启动服务测试一下
/usr/local/named/sbin/named -c /usr/local/named/etc/named.conf -u bind &

查看状态

/usr/local/named/sbin/rndc status

为了方便建立启动脚本：

vi /etc/rc.d/init.d/named

#!/bin/bash
# named a network name service.
# chkconfig: 545 35 75
# description: a name server

if [ `id -u` -ne 0 ]
then
echo "ERROR:For bind to port 53,must run as root."
exit 1
fi
case "$1" in
start)
if [ -x /usr/local/named/sbin/named ]; then
/usr/local/named/sbin/named -c /usr/local/named/etc/named.conf -u bind && echo . && echo 'BIND9 server started'
fi
;;
stop)
kill `cat /usr/local/named/var/named.pid` && echo . && echo 'BIND9 server stopped'
;;
restart)
echo .
echo "Restart BIND9 server"
$0 stop
sleep 10
$0 start
;;
reload)
/usr/local/named/sbin/rndc reload
;;
status)
/usr/local/named/sbin/rndc status
;;
*)
echo "$0 start | stop | restart |reload |status"
;;
esac

chmod 755 /etc/rc.d/init.d/named

***********************************************************************
***********************************************************************

加入log配置

mkdir /usr/local/named/log

vi /usr/local/named/var/log.conf

logging {
channel warning
{ file "/usr/local/named/log/dns_warnings" versions 3 size 100m;
severity warning;
print-category yes;
print-severity yes;
print-time yes;
};
channel general_dns
{ file "/usr/local/named/log/dns_logs" versions 3 size 100m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category default { warning; };
category queries { general_dns; };
};

chown -R bind:bind /usr/local/named

说明：
1：print-time是设定在日志中是否需要写入时间，print-severity是设定在日志中是否需要写入消息级别，print-category是设定在日志中是否需要写入日志类别。
2：severity是指定记录消息的级别。在bind中主要有以下几个级别（按照严重性递减的顺序）：

critical
error
warning
notice
info
debug [ level ]
dynamic

定义了某个级别后，系统会记录包括该级别以及比该级别更严重的级别的所有消息。比如定义级别为error，则会记录critical和error两个级别的信息。一般情况下，我们记录到info级别就可以了。

然后在/usr/local/named/etc/named.conf 加入下列语句

include "log.conf";

/usr/local/named/sbin/rndc reconfig

默认是不启用日志的，你可以通过

/usr/local/named/sbin/rndc status

看到：
query logging is OFF

所以我们用以下命令启用log日志

/usr/local/named/sbin/rndc querylog

27-Dec-2006 23:02:57.118 general: error: dns_master_load: localhost.zone:2: unexpected end of line
27-Dec-2006 23:02:57.118 general: error: dns_master_load: localhost.zone:1: unexpected end of input
27-Dec-2006 23:02:57.118 general: error: zone localhost/IN: loading master file localhost.zone: unexpected end of input

解决办法：

localhost.zone配置文件里TTL前加上$

解决办法：

将Bind得tar包解压后,在其/lib/isc/unix/socket.c里面找到需要修改的代码:
首先找到这个 (在1297行附近):

#if defined(USE_CMSG) || defined(SO_BSDCOMPAT)
int on = 1;

改成:
#if defined(USE_CMSG)
int on = 1;

************************************************************
#ifdef SO_BSDCOMPAT
if (setsockopt(sock->fd, SOL_SOCKET, SO_BSDCOMPAT,
(void *)&on, sizeof on) < 0) {
isc__strerror(errno, strbuf, sizeof(strbuf));
UNEXPECTED_ERROR(__FILE__, __LINE__,
"setsockopt(%d, SO_BSDCOMPAT) %s: %s",
sock->fd,
isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
ISC_MSG_FAILED, "failed"),
strbuf);

/* Press on... /*
}
#endif

买不到就先看在线版的吧，希望是同一本

Perl 语言编程

作者:Larry Wall, Tom Christiansen, and Jon Orwant 译者:何伟平

Expanding the scope of the VPN to include additional machines on either the client or server subnet.

Including multiple machines on the server side when using a routed VPN (dev tun)

一旦VPN以一种客户端和服务端点对点的方式运作，那么就应该扩大范围，客户端不止能访问服务器，而且应该能访问服务器所在的网络的其他机器。

针对这个目的，我们举个例子，假设服务器的内网端使用的是10.66.0.0/24的网段，在OpenVPN服务器配置文件配置的server参数即VPN虚拟IP地址池用的是10.8.0.0/24网段。

首先，VPN客户端通过VPN能访问到10.66.0.0/24 子网，只只要在服务器端的配置文件配置以下参数就能简单做到：

push "route 10.66.0.0 255.255.255.0"

下一步，我们要把服务器端局域内网的网关设置为从VPN客户端10.8.0.0/24网段到OpenVPN服务器的路由（假如OpenVPN服务器和局域网网关不是同一台机器，这个设置就很有必要）。

下一步，我们要为从VPN客户端10.8.0.0/24网段到OpenVPN服务器所在的局域网的网关设置一个路由（假如OpenVPN服务器和局域网网关不是同一台机器，这个设置就很有必要）。

确认你应在在OpenVPN服务器上打开IP 和 TUN/TAP 的转发功能。

Including multiple machines on the server side when using a bridged VPN (dev tap)

使用以太网桥 的好处就是你可以方便，免费的获得它，而无需其他额外的配置。

Including multiple machines on the client side when using a routed VPN (dev tun)

一般典型的远程访问情况是，客户端都是以单机使用VPN。但是如果客户端是本地局域网的网关（如总公司）你希望每台在这个局域网的机器都能通过路由使用VPN。

举个例子，我们假设这个客户端的局域网使用的是192.168.4.0/24的子网，并且那个VPN客户端有一个通用名为client2的证书，我们的目的就是设置一个VPN通道，让客户端局域网内的所有机器能跟OpenVPN服务器局域网端的所有机器相互联系。
安装之前，有一些必须遵守的基本前提：

1:客户端局域网的子网(在我们这个例子中是192.168.4.0/24)不能通过在同一网段的服务器或者其他客户端站点的途径加入到VPN。任何一个子网想加入VPN的通道路由必须是唯一的。
2:客户端必须拥有一个唯一的通用名称在其证书中（我们这个例子叫“client2”），而且duplicate-cn 这个参数不能在OpenVPN服务器的配置文件里被启用。

首先，我们必须确信客户端的IP 和 TUN/TAP转发功能是打开的。

然后，我们将处理服务器端的配置文件进行一个必要的修改配置，假如服务器配置文件没有提到客户端配置文件的目录，那么添加如下一行。

client-config-dir ccd

上述指令表示，在一个运行的OpenVPN服务器上的默认目录下预先建立一个叫ccd的目录。 在Linux下默认目录是/etc/openvpn 而在Windows下，则是\Program Files\OpenVPN\config当一个新的客户端连接OpenVPN服务器的时候，服务器进程会针对客户端证书中的匹配通用名称来检查这个目录，如果找到与之匹配的文件，就会对这个客户端进行额外配置的处理。

下一步，我们要建立一个名叫 client2 的文件在ccd 目录下，在这个文件里有如下的控制语句：

iroute 192.168.4.0 255.255.255.0

这样，OpenVPN服务器就把192.168.4.0/24 网段的路由添加给client2

下一步，在服务器端的主配置文件上添加如下语句(不是ccd/client2 这个文件):

route 192.168.4.0 255.255.255.0

你可能会问？为什么要有 route 和 iroute 这多余重复的设置？ 理由是在iroute 控制从OpenVPN服务器到远程客户端的路由的时候，route控制着从内核到OpenVPN服务器（通过TUN接口）。两者都很重要。

下一步，问问你自己是否允许client2的网段（192.168.4.0/24）和OpenVPN服务器的其他客户之间有网络流量交换，如果是的话，那就在服务器的配置文件中添加如下语句：

client-to-client

push "route 192.168.4.0 255.255.255.0"

这将让OpenVPN服务器为client2客户网段跟其他连接的客户端进行广播通知。

最后一步，这一步经常会忘记，那就是为服务器局域网的网关添加一个直接从192.168.4.0/24到OpenVPN的路由（你可能不需要这一步，假如本身OpenVPN服务器就是这个服务器端局域网的网关）。假如你忘了这一步的设置，当尝试从192.168.4.8机器ping一个在服务器局域网内的机器（非OpenVPN自己ping自己），会输出一个不能到达机器的提示。 但是我们不能不知道如果路由一个ping的回复，因为我们根本不知道怎么到达192.168.4.0/24。 通常的经验做法是，在整个局域网路线通过VPN通道的时候（VPN服务器不是这个局域网的网关机器）之前，我们得保证所有VPN客户端网段到服务器端局域网网关的路由路径。

同样，如果客户端机器运行OpenVPN，而且也不是它本身局域网的网关，那么也得为那台提供其他机器可以通过VPN访问客户端所在局域网途径的机器设置一个从客户端机器到局域网网关的路由。

Including multiple machines on the client side when using a bridged VPN (dev tap)

这个需要更加复杂的设置（实际上可能并不复杂，但要去解释阐述会很复杂）：

1:你必须把客户端的TAP虚拟网络接口和客户端本地网卡进行桥接。
2:你必须手动为客户端的TAP虚拟网络接口设置IP/掩码。
3:你必须设置客户端的机器使用网桥所在网段的IP地址和掩码，可能会 查询OpenVPN服务器这边的DHCP服务。

具体文章看这里：WAP包月配合VPN上网原理简介

嘿嘿，是粤语的，幸亏以前经常看粤语片，还能马马虎虎听懂

有兴趣的朋友也可以去以下网站下载

openvpn的应用视频一

openvpn的应用视频二

相关pdf文档

Configuring OpenVPN to run automatically on system startup

The lack of standards in this area means that most OSes have a different way of configuring daemons/services for autostart on boot. The best way to have this functionality configured by default is to install OpenVPN as a package, such as via RPM on Linux or using the Windows installer.

Linux
If you install OpenVPN via an RPM package on Linux, the installer will set up an initscript. When executed, the initscript will scan for .conf configuration files in /etc/openvpn, and if found, will start up a separate OpenVPN daemon for each file.

Windows
The Windows installer will set up a Service Wrapper, but leave it turned off by default. To activate it, go to Control Panel / Administrative Tools / Services, select the OpenVPN service, right-click on properties, and set the Startup Type to Automatic. This will configure the service for automatic start on the next reboot.

When started, the OpenVPN Service Wrapper will scan the \Program Files\OpenVPN\config folder for .ovpn configuration files, starting a separate OpenVPN process on each file.

--------------------------------------------------------------------------------

Controlling a running OpenVPN process

Running on Linux/BSD/Unix

OpenVPN accepts several signals:

SIGUSR1 -- Conditional restart, designed to restart without root privileges
SIGHUP -- Hard restart
SIGUSR2 -- Output connection statistics to log file or syslog
SIGTERM, SIGINT -- Exit

Use the writepid directive to write the OpenVPN daemon's PID to a file, so that you know where to send the signal (if you are starting openvpn with an initscript, the script may already be passing a --writepid directive on the openvpn command line).

Running on Windows as a GUI
See the OpenVPN GUI page.

Running in a Windows command prompt window

On Windows, you can start OpenVPN by right clicking on an OpenVPN configuration file (.ovpn file) and selecting "Start OpenVPN on this config file".

Once running in this fashion, several keyboard commands are available:

F1 -- Conditional restart (doesn't close/reopen TAP adapter)
F2 -- Show connection statistics
F3 -- Hard restart
F4 -- Exit

Running as a Windows Service
When OpenVPN is started as a service on Windows, the only way to control it is:

Via the service control manager (Control Panel / Administrative Tools / Services) which gives start/stop control.
Via the management interface (see below).

Modifying a live server configuration

While most configuration changes require you to restart the server, there are two directives in particular which refer to files which can be dynamically updated on-the-fly, and which will take immediate effect on the server without needing to restart the server process.

client-config-dir -- This directive sets a client configuration directory, which the OpenVPN server will scan on every incoming connection, searching for a client-specific configuration file (see the the manual page for more information). Files in this directory can be updated on-the-fly, without restarting the server. Note that changes in this directory will only take effect for new connections, not existing connections. If you would like a client-specific configuration file change to take immediate effect on a currently connected client (or one which has disconnected, but where the server has not timed-out its instance object), kill the client instance object by using the management interface (described below). This will cause the client to reconnect and use the new client-config-dir file.

crl-verify -- This directive names a Certificate Revocation List file, described below in the Revoking Certificates section. The CRL file can be modified on the fly, and changes will take effect immediately for new connections, or existing connections which are renegotiating their SSL/TLS channel (occurs once per hour by default). If you would like to kill a currently connected client whose certificate has just been added to the CRL, use the management interface (described below).

Status File

The default server.conf file has a line

status openvpn-status.log

which will output a list of current client connections to the file openvpn-status.log once per minute.

Using the management interface

The OpenVPN management interface allows a great deal of control over a running OpenVPN process. You can use the management interface directly, by telneting to the management interface port, or indirectly by using an OpenVPN GUI which itself connects to the management interface.

To enable the management interface on either an OpenVPN server or client, add this to the configuration file:

management localhost 7505

This tells OpenVPN to listen on TCP port 7505 for management interface clients (port 7505 is an arbitrary choice -- you can use any free port).

Once OpenVPN is running, you can connect to the management interface using a telnet client. For example:

ai:~ # telnet localhost 7505
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
help
Management Interface for OpenVPN 2.0_rc14 i686-suse-linux [SSL] [LZO] [EPOLL] built on Feb 15 2005
Commands:
echo [on|off] [N|all] : Like log, but only show messages in echo buffer.
exit|quit : Close management session.
help : Print this message.
hold [on|off|release] : Set/show hold flag to on/off state, or
release current hold and start tunnel.
kill cn : Kill the client instance(s) having common name cn.
kill IP:port : Kill the client instance connecting from IP:port.
log [on|off] [N|all] : Turn on/off realtime log display
+ show last N lines or 'all' for entire history.
mute [n] : Set log mute level to n, or show level if n is absent.
net : (Windows only) Show network info and routing table.
password type p : Enter password p for a queried OpenVPN password.
signal s : Send signal s to daemon,
s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.
state [on|off] [N|all] : Like log, but show state history.
status [n] : Show current daemon status info using format #n.
test n : Produce n lines of output for testing/debugging.
username type u : Enter username u for a queried OpenVPN username.
verb [n] : Set log verbosity level to n, or show if n is absent.
version : Show current version number.
END
exit
Connection closed by foreign host.
ai:~ #For more information, see the OpenVPN Management Interface Documentation.

配置OpenVPN在系统启动的时自动启动

因为没有这方面的标准，所以每个系统在启动的时候都有不同的启动进程/服务的方式，最好的办法就是安装专门为OpenVPN制作的各种安装包，比如在linux下的RPM包或者在windows下的安装包.

Linux
如果你在linux下使用RPM包安装OPenVPN，那么安装后会自动产生一个启动脚本，当脚本执行的时候，会自动在/etc/openvpn目录下寻找后缀为.conf的配置文件，如果找到配置文件，会自动启动相应配置文件的OpenVPN进程.

Windows
Windows下安装后，会产生一个服务，默认这个服务是关闭的，为了启动激活它，可以在控制面板/管理工具/服务, 选择OpenVPN服务。右键单击属性，设置为启动的时候自动运行。设置完以后下次系统重启，就会同时自动启动OpenVPN服务。

当启动OpenVPN服务的时候，会搜索\Program Files\OpenVPN\config目录下后缀为.ovpn的配置文件，并启动对应的OpenVPN进程。

控制运行中的OpenVPN进程

运行在Linux/BSD/Unix

OpenVPN接受下面几个信号:

SIGUSR1 – 有条件的重启，非root用户重启OpenVPN进程
SIGHUP – 重启
SIGUSR2 – 输出连接状态到log文件或者系统log
SIGTERM, SIGINT – 退出

在配置文件中使用writepid参数指定OpenVPN的pid文件， 好让你发送信号给这个pid文件（如果你用启动脚本启动OpenVPN，已经在OpenVPN的命令行里其通过了writepid参数)。

在windows下运行图形界面

具体请看 OpenVPN GUI page.

运行在windows下的命令提示窗口

在Windows下，你可以通过右键单击一个OpenVPN的配置文件（.opvn文件）然后选择"Start OpenVPN on this config file"启动OpenVPN.

这种方式一运行，这几个键盘命令能接受：

F1 – 有条件的重启(不关闭/重启TAP适配器)
F2 – 显示连接状态
F3 – 重启
F4 – 退出

做为Windows的服务启动

当OpenVPN做为windows的服务启动时，只有下列方法可以控制它：

通过服务控制管理器 (控制面板/管理工具/服务)来控制启动和停止。
通过管理界面 (看下面).

修改正在运行的服务器的配置文件

大多数情况修改配置文件，都要重启服务才能生效，这里有2个比较特殊的参数，可以进行动态更新操作，并且立即生效而不用重启OpenVPN服务进程。

client-config-dir – 这个参数设置客户端配置文件的目录，OpenVPN服务器会检查相关进来的连接请求，然后在目录寻找相对应客户端的配置文件 (看指南页面 获取更多信息)。不用重启服务，在这个目录里的文件就能动态更新 。注意新的修改只对新的连接才生效，不对已经存在的连接不起作用。如果里希望指定的客户端配置文件立即生效与当前的连接 (或者连接已经断，但服务器的实例目标也还没过期), 可以通过管理接口杀掉客户端的实例物体(下面描述). 那么就可以用client-config-dir新的配置文件，重新连接客户端.

crl-verify – 这个参数的意思是证书废除名单文件，详细的描述在下面Revoking Certificates 这一节. CRL文件可以时实修改，并且立即生效，或者对那些已经连接的客户端重新协商SSL/TSL通道（默认每隔1小时）. 如果你想干掉那些正在连接，但其对应证书被追加到CTL的用户，可以通过管理接口进行操作 (下面详细介绍).

状态文件

默认服务端配置文件server.conf有下列一行

status openvpn-status.log

那个参数的作用是将每分钟输出一个现有用户连接列表到openvpn-status.log文件。

使用管理接口

OpenVPN管理接口 是一个很好的控制运行中的OpenVPN进程的方法。你可以使用管理接口通过telnet命令直接连接到管理接口的端口，或者直接使用 OpenVPN GUI 连接管理接口

如果要在OpenVPN服务端或者客户端启用管理接口， 你得在配置文件中添加以下这行：

management localhost 7505

这就告诉OpenVPN监听通过客户端通过管理接口访问TCP的7505端口 (7505端口是一个任意选择的端口，你可以选择任何一个没被使用的端口)。

一旦OpenVPN启动，我们可以用telnet客户端程序连接上管理接口，比如下面的例子：

ai:~ # telnet localhost 7505
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
help
Management Interface for OpenVPN 2.0_rc14 i686-suse-linux [SSL] [LZO] [EPOLL] built on Feb 15 2005
Commands:
echo [on|off] [N|all] : Like log, but only show messages in echo buffer.
exit|quit : Close management session.
help : Print this message.
hold [on|off|release] : Set/show hold flag to on/off state, or
release current hold and start tunnel.
kill cn : 杀掉通用名为cn的客户端。
kill IP:port : 杀掉来自指定ip和端口的客户端。
log [on|off] [N|all] : 打开/关闭时实的日志显示
+ 显示最后N条或者'所有' 历史日志.
mute [n] : Set log mute level to n, or show level if n is absent.
net : (只在windows下有效) 显示网络信息和路由表。
password type p : Enter password p for a queried OpenVPN password.
signal s : 发送信号给进程,
s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.
state [on|off] [N|all] : 跟log一样,但是静态显示。
status [n] : 显示现在进程的状态信息。
test n : Produce n lines of output for testing/debugging.
username type u : Enter username u for a queried OpenVPN username.
verb [n] : Set log verbosity level to n, or show if n is absent.
version : 显示当前版本号.
END
exit
Connection closed by foreign host.
ai:~ #

更多信息，察看OpenVPN管理接口文档

Starting up the VPN and testing for initial connectivity

Starting the server

First, make sure the OpenVPN server will be accessible from the internet. That means:

opening up UDP port 1194 on the firewall (or whatever TCP/UDP port you've configured), or
setting up a port forward rule to forward UDP port 1194 from the firewall/gateway to the machine running the OpenVPN server.
Next, make sure that the TUN/TAP interface is not firewalled.

To simplify troubleshooting, it's best to initially start the OpenVPN server from the command line (or right-click on the .ovpn file on Windows), rather than start it as a daemon or service:

openvpn [server config file]

A normal server startup should look like this (output will vary across platforms):

Sun Feb 6 20:46:38 2005 OpenVPN 2.0_rc12 i686-suse-linux [SSL] [LZO] [EPOLL] built on Feb 5 2005
Sun Feb 6 20:46:38 2005 Diffie-Hellman initialized with 1024 bit key
Sun Feb 6 20:46:38 2005 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Feb 6 20:46:38 2005 TUN/TAP device tun1 opened
Sun Feb 6 20:46:38 2005 /sbin/ifconfig tun1 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Sun Feb 6 20:46:38 2005 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Sun Feb 6 20:46:38 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:23 ET:0 EL:0 AF:3/1 ]
Sun Feb 6 20:46:38 2005 UDPv4 link local (bound): [undef]:1194
Sun Feb 6 20:46:38 2005 UDPv4 link remote: [undef]
Sun Feb 6 20:46:38 2005 MULTI: multi_init called, r=256 v=256
Sun Feb 6 20:46:38 2005 IFCONFIG POOL: base=10.8.0.4 size=62
Sun Feb 6 20:46:38 2005 IFCONFIG POOL LIST
Sun Feb 6 20:46:38 2005 Initialization Sequence Completed

Starting the client
As in the server configuration, it's best to initially start the OpenVPN server from the command line (or on Windows, by right-clicking on the client.ovpn file), rather than start it as a daemon or service:

openvpn [client config file]

A normal client startup on Windows will look similar to the server output above, and should end with the Initialization Sequence Completed message.

Now, try a ping across the VPN from the client. If you are using routing (i.e. dev tun in the server config file), try:

ping 10.8.0.1

If you are using bridging (i.e. dev tap in the server config file), try to ping the IP address of a machine on the server's ethernet subnet.

If the ping succeeds, congratulations! You now have a functioning VPN.

Troubleshooting

If the ping failed or the OpenVPN client initialization failed to complete, here is a checklist of common symptoms and their solutions:

You get the error message: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). This error indicates that the client was unable to establish a network connection with the server.

Solutions:

Make sure the client is using the correct hostname/IP address and port number which will allow it to reach the OpenVPN server.
If the OpenVPN server machine is a single-NIC box inside a protected LAN, make sure you are using a correct port forward rule on the server's gateway firewall. For example, suppose your OpenVPN box is at 192.168.4.4 inside the firewall, listening for client connections on UDP port 1194. The NAT gateway servicing the 192.168.4.x subnet should have a port forward rule that says forward UDP port 1194 from my public IP address to 192.168.4.4.
Open up the server's firewall to allow incoming connections to UDP port 1194 (or whatever TCP/UDP port you have configured in the server config file).

You get the error message: Initialization Sequence Completed with errors -- This error can occur on Windows if (a) You don't have the DHCP client service running, or (b) You are using certain third-party personal firewalls on XP SP2.

Solution: Start the DHCP client server and make sure that you are using a personal firewall which is known to work correctly on XP SP2.

You get the Initialization Sequence Completed message but the ping test fails -- This usually indicates that a firewall on either server or client is blocking VPN network traffic by filtering on the TUN/TAP interface.

Solution: Disable the client firewall (if one exists) from filtering the TUN/TAP interface on the client. For example on Windows XP SP2, you can do this by going to Windows Security Center -> Windows Firewall -> Advanced and unchecking the box which corresponds to the TAP-Win32 adapter (disabling the client firewall from filtering the TUN/TAP adapter is generally reasonable from a security perspective, as you are essentially telling the firewall not to block authenticated VPN traffic). Also make sure that the TUN/TAP interface on the server is not being filtered by a firewall (having said that, note that selective firewalling of the TUN/TAP interface on the server side can confer certain security benefits. See the access policies section below).

The connection stalls on startup when using a proto udp configuration, the server log file shows this line:

TLS: Initial packet from x.x.x.x:x, sid=xxxxxxxx xxxxxxxxhowever the client log does not show an equivalent line.

Solution: You have a one-way connection from client to server. The server to client direction is blocked by a firewall, usually on the client side. The firewall can either be (a) a personal software firewall running on the client, or (b) the NAT router gateway for the client. Modify the firewall to allow returning UDP packets from the server to reach the client.

See the FAQ for additional troubleshooting information.

启动VPN服务并初始化测试

启动服务器

首先.得确认OpenVPN能通过internet被访问,意思是:

1.在防火墙上已经打开UDP端口(或者无论是UDP还是TCP都已经被配置打开),
2.或者防火墙上已经设置了一个专门的端口forward指向OpenVPN服务器的UDP1194端口.

下一步, 确信你的TUN/TAP没被防火墙禁止.

为了简单调试，启动OpenVPN的最好的办法是用命令方式（或者右肩单击server.ovpn文件启动），这样就作为一个服务启动了:

openvpn [server config file]

正常服务启动，我们会看到如下信息:

Sun Feb 6 20:46:38 2005 OpenVPN 2.0_rc12 i686-suse-linux [SSL] [LZO] [EPOLL] built on Feb 5 2005
Sun Feb 6 20:46:38 2005 Diffie-Hellman initialized with 1024 bit key
Sun Feb 6 20:46:38 2005 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Feb 6 20:46:38 2005 TUN/TAP device tun1 opened
Sun Feb 6 20:46:38 2005 /sbin/ifconfig tun1 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Sun Feb 6 20:46:38 2005 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Sun Feb 6 20:46:38 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:23 ET:0 EL:0 AF:3/1 ]
Sun Feb 6 20:46:38 2005 UDPv4 link local (bound): [undef]:1194
Sun Feb 6 20:46:38 2005 UDPv4 link remote: [undef]
Sun Feb 6 20:46:38 2005 MULTI: multi_init called, r=256 v=256
Sun Feb 6 20:46:38 2005 IFCONFIG POOL: base=10.8.0.4 size=62
Sun Feb 6 20:46:38 2005 IFCONFIG POOL LIST
Sun Feb 6 20:46:38 2005 Initialization Sequence Completed

启动客户端

跟服务器端得配置一样，启动客户端最好的方式是命令方式（或者在windows下右键单击client.ovpn文件启动）:

openvpn [client config file]

客户端正常启动，应该能看到跟服务器类似的信息，最后以显示“Initialization Sequence Completed”结束.

现在，我们可以通过VPN尝试ping命令，假如你使用路由模式（也就是说在服务器的配置文件中使用“dev tun”），运行下列命令:

ping 10.8.0.1

如果你使用以太网桥模式（也就是说在服务器配置文件中配置使用“dev tap”）, 你可以尝试ping服务器所在局域网的ip地址.

如果ping显示正常，恭喜你，你已经拥有一个正常功能的VPN.

排错

如果遇到OpenVPN初始化失败，或者ping失败，下面有一些共同的问题症状和解决办法:

1.你得到如下错误信息: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). 这个错误指出客户端不能跟服务器建立网络链接.

解决办法：

a.请确认客户端访问的服务器的机器名/IP和端口是正确的.
b.如果你的OpenVPN服务器是单网卡，并处在受保护的局域网中，请确认你你的网关防火墙使用了正确的端口转发规则。比如：你的OpenVPN机器的地址是192.168.4.4，但处在防火墙保护下，时刻监听着UDP协议1194的连接请求，那么负责维护192.168.4.x子网的网关就会有一个端口转发策略，即所有访问UDP协议1194端口的请求都被转发到192.168.4.4 。
c.打开服务器的防火墙允许UDP协议1194端口连接进来，（或者不管是TCP还是UDP协议在服务器的配置文件中配置了）。

2.你得到如下错误信息: Initialization Sequence Completed with errors – 这个错误可能发生在windows下（a）你没有启用DHCP客户端服务（b）你的XP SP2使用了某个第三方的个人防火墙。

解决办法: 启动DHCP客户端服务或者你确认你的XP SP2正确使用了个人防火墙.

3.你虽然获得了Initialization Sequence Completed 的信息，但ping测试还是失败了，那就通常是在服务器或者客户端的防火墙阻止过滤了在TUN/TAP设备结构上的网络流量。

解决办法: 关闭客户端的防火墙，如果防火墙过滤了TUN/TAP设备端口的流量。比如在Windows XP SP2系统，你可以到Windows 安全中心 -> Windows 防火墙 -> 高级 然后不要选择TAP-Win32 adapter设备 (即禁止TUN/TAP设备使用防火墙过滤 ，实质上就是告诉防火墙不要阻止VPN认证信息)。 同样在服务器端也要确认TUN/TAP设备不实用防火墙过滤 (也就是说在TUN/TAP接口上选择过滤是有一定的安全保障的. 具体请看下面一节的访问策略).

4.当以udp协议的配置文件启动的时候连接停止，服务器的日志文件显示如下一行信息：

TLS: Initial packet from x.x.x.x:x, sid=xxxxxxxx xxxxxxxx

不管怎么样，这信息只在服务器端显示，在客户端是不会显示相同的信息。

解决办法: 你只拥有单向连接从客户端到服务器，从服务器到客户端的连接被防火墙挡住， 通常在客户端这边，防火墙（a）可能是个运行在客户端的个人防火墙软件（b）或者服务客户端的NAT路由 网关被设置为从服务器端访问客户端的UDP协议包被阻挡返回。

查看FAQ能得到更多故障解决的信息.

$streamPath = "./test.flv";
$newName = "myConvertedPic.jpg";
$imgW = 320;
$imgH = 240;
$imgQuality = 80;
$resultPath = "http://www.meinserver.de/snapit/".$newName.".jpg";
exec ("flv2jpg.exe", $streamPath, $newName, $imgW, $imgH, $imgQuality);