一、安装openvpn
1.更新软件包
yum -y update
2.安装epel扩展源
yum -y install epel-release
3.安装openvpn和easy-rsa
yum -y install openvpn easy-rsa
4.复制easy-rsa文件
cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa/
\rm 3 3.0
cd 3.0.6/
find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars
# 10年证书
vim vars
set_var EASYRSA_CERT_EXPIRE 3650
二、生成CA证书
1.创建一个新的 PKI 和 CA
./easyrsa init-pki
2.创建新的CA,不使用密码
./easyrsa build-ca nopass
3.生成的信息
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
......................+++
................................................+++
writing new private key to '/etc/openvpn/easy-rsa/3.0.6/pki/private/ca.key.pClvaQ1GLD'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: 回车
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/3.0.6/pki/ca.crt
三、创建服务端证书
1.创建服务端证书
./easyrsa gen-req server nopass
2.生成的信息
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...........................+++
..............................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/3.0.6/pki/private/server.key.wy7Q0fuG6A'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]: 回车
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3.0.6/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/3.0.6/pki/private/server.key
3.签约服务端证书
./easyrsa sign server server
4.生成的信息
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Apr 7 14:54:08 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/3.0.8/pki/issued/server.crt
5.创建 Diffie-Hellman
./easyrsa gen-dh
6.生成的信息,时间较长
............................................................
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3.0.6/pki/dh.pem
7.整理Server证书到/etc/openvpn/server目录
cd /etc/openvpn/server
cp /etc/openvpn/easy-rsa/3.0.8/pki/dh.pem .
cp /etc/openvpn/easy-rsa/3.0.8/pki/ca.crt .
cp /etc/openvpn/easy-rsa/3.0.8/pki/issued/server.crt .
cp /etc/openvpn/easy-rsa/3.0.8/pki/private/server.key .
四、创建客户端证书
1.复制用于生成客户证书的文件
cp -r /usr/share/easy-rsa/ /etc/openvpn/client # 首次创建客户端使用
cd /etc/openvpn/client/easy-rsa/
\rm 3 3.0 # 首次创建客户端使用
cd 3.0.8/
find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars # 首次创建客户端使用
2.创建一个新的 PKI,第一次建用户的时候需要,以后都不需要再执行
./easyrsa init-pki
3.生成客户端证书
./easyrsa gen-req tab_ding nopass
当然你也可以生成有密码的客户证书
4.生成的信息
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
....................................................+++
............+++
writing new private key to '/etc/openvpn/client/easy-rsa/3.0.6/pki/private/client.key.FkrLzXH9Bm'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [tab_ding]: 回车
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/easy-rsa/3.0.8/pki/reqs/tab_ding.req
key: /etc/openvpn/client/easy-rsa/3.0.8/pki/private/tab_ding.key
5.签约客户端证书
cd /etc/openvpn/easy-rsa/3.0.8/
./easyrsa import-req /etc/openvpn/client/easy-rsa/3.0.6/pki/reqs/tab_ding.req tab_ding
./easyrsa sign client tab_ding
yes
签约密码123456
6.整理用于客户端证书到/etc/openvpn/client目录
cd /etc/openvpn/client
cp /etc/openvpn/easy-rsa/3.0.8/pki/ca.crt . # 首次创建客户端才执行
cp /etc/openvpn/easy-rsa/3.0.8/pki/issued/tab_ding.crt .
cp /etc/openvpn/client/easy-rsa/3.0.8/pki/private/tab_ding.key .
7.创建客户端IP分配目录和私有配置
mkdir /etc/openvpn/ccd # 首次创建客户端才执行
vim /etc/openvpn/ccd/tab_ding
# 添加以下内容
ifconfig-push 10.60.0.9 10.60.0.10
push "route 172.21.100.0 255.255.255.0"
8.客户端配置文件,以tab_ding.ovpn为例
client
remote 172.21.100.98 1194
proto tcp
dev tun
comp-lzo
ca ca.crt
cert tab_ding.crt
key tab_ding.key
route-delay 2
route-method exe
verb 3
9.客户端要用到的文件如下
ca.crt
tab_ding.crt
tab_ding.key
tab_ding.ovpn
五、服务器配置及启动
1.新建配置文件
touch /etc/openvpn/server.conf
2.填写以下内容
port 1194
proto tcp-server
dev tun
server 10.60.0.0 255.255.255.0
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
client-config-dir /etc/openvpn/ccd
persist-key
keepalive 10 60
reneg-sec 0
comp-lzo
tun-mtu 1468
tun-mtu-extra 32
mssfix 1400
push persist-key
;push persist-tun
;push redirect-gateway def1
push dhcp-option DNS 172.21.100.11
;push dhcp-option DNS 8.8.8.8
;push dhcp-option DNS 8.8.4.4
status openvpn-status.log
log openvpn.log
verb 3
3.系统配置和iptables转发
# 打开文件
vim /etc/sysctl.conf
# 添加内容
net.ipv4.ip_forward = 1
# 执行
sysctl -p
# iptables
iptables -t nat -A POSTROUTING -s 10.60.0.0/24 -o eth0 -j MASQUERADE
4.openvpn服务启动
systemctl start openvpn@server
六、附客户端IP分配表
ifconfig-push 10.60.0.1 10.60.0.2
ifconfig-push 10.60.0.5 10.60.0.6
ifconfig-push 10.60.0.9 10.60.0.10
ifconfig-push 10.60.0.13 10.60.0.14
......
openvpn只支持255.255.255.252 的子网,而且252的子网只有两个IP,一个分配给客户端,一个留给服务器用.
七、删除Openvpn账号
1.执行
cd /etc/openvpn/easy-rsa/3.0.8/
./easyrsa revoke someone
./easyrsa gen-crl
其中gen-crl会生成一份吊销证书的名单,放在/etc/openvpn/easy-rsa/3.0.6/pki/crl.pem文件里
2.在server.conf文件中增加此项
crl-verify /etc/openvpn/easy-rsa/3.0.8/pki/crl.pem
特别说明:吊销的证书不会立刻被删除文件,所以要再次创建相同的证书则要删除crt文件,通常放在pki/issued文件夹下。
八、网关模式配置
1. iptables
# 如果你的网关是使用iptable,并且iptable默认情况下阻止该服务,那么请使用以下配置使openvpn正常运行。 首先,让我们在openvpn端口上进行tcp连接。 如果您使用的是udp或其他端口号,请相应地更改此行。
iptables -A INPUT -i enp3s0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
# 允许TUN接口连接到OpenVPN服务器
iptables -A INPUT -i tun+ -j ACCEPT
# 允许通过其他接口转发TUN接口连接
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o enp3s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp3s0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
# NAT VPN客户端流量到Internet。 运行“ ifconfig”命令时,根据您的tun0结果信息更改IP地址掩码。
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp3s0 -j MASQUERADE
# 如果您的默认iptables OUTPUT的值不是ACCEPT的话,则还需要以下行:
iptables -A OUTPUT -o tun+ -j ACCEPT
# 最后记得保存iptables的防火墙配置
2. 服务器配置
# OpenVPN Port, Protocol and the Tun
port 1194
proto tcp
dev tun
# OpenVPN Server Certificate - CA, server key and certificate
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
#DH and CRL key
dh /etc/openvpn/server/dh.pem
#client-config-dir /etc/openvpn/ccd
# Network Configuration - Internal network
# Redirect all Connection through OpenVPN Server
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
# Using the DNS from https://dns.watch
push "dhcp-option DNS 8.8.8.8"
#Enable multiple client to connect with same Certificate key
duplicate-cn
# TLS Security
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
# Other Configuration
keepalive 20 60
persist-key
persist-tun
comp-lzo yes
daemon
user nobody
group nobody
# OpenVPN Log
log-append /var/log/openvpn.log
verb 3
3.客户端配置
client
dev tun
proto tcp
remote 115.239.233.26 1194
ca ca.crt
cert tab_ding.crt
key tab_ding.key
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lzo
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3