Prepare a network yum repository in advance and make sure the server can reach the Internet.
Stop the firewall and disable SELinux.
Notes:
This simulates a connection inside an internal network.
VPN server: 192.168.0.110/24
The client can be any other IP in the same subnet.
To simulate a company setup, configure port mapping (forwarding) on the router or firewall, and in the client configuration file use the router's or firewall's external address and port as the connection target.
1. Download easy-rsa
cd /usr/local/src/
wget -c https://github.com/OpenVPN/easy-rsa/archive/master.zip
unzip master.zip
2. Configure and generate the certificates
mkdir /etc/openvpn
cp -arp /usr/local/src/easy-rsa-master/easyrsa3 /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa/
cat > vars << EOF
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Sichuang"
set_var EASYRSA_REQ_CITY "Chengdu"
set_var EASYRSA_REQ_ORG "XXX.CN"
set_var EASYRSA_REQ_EMAIL "xxxx@ss.cn"
set_var EASYRSA_REQ_OU "xx.CN CD"
EOF
3.1 Initialize the PKI
sh easyrsa init-pki
3.2 Generate the CA certificate
sh easyrsa build-ca # You are asked to enter the CA's own PEM passphrase twice (it is needed later to sign the server and client certificates) and a Common Name; set the Common Name to anything unique
3.3 Generate the DH parameters file
sh easyrsa gen-dh
3.4 Generate the server certificate
sh easyrsa build-server-full server nopass # Without nopass you would be asked for the server's own PEM passphrase twice; you are also asked for the CA's PEM passphrase (nopass removes the server key passphrase, which would otherwise also be required every time the server starts)
3.5 Generate the client certificate
sh easyrsa build-client-full client # You are asked to enter the client's own PEM passphrase twice, then the CA's PEM passphrase
4. Download openvpn-2.3.9.tar.gz
cd /usr/local/src
wget https://swupdate.openvpn.org/community/releases/openvpn-2.3.9.tar.gz
5. Prepare the build environment and the required packages
yum groupinstall -y "Development tools"
yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig net-tools
6. Configure, compile and install openvpn
tar -xf openvpn-2.3.9.tar.gz
cd openvpn-2.3.9
./configure && make && make install
First use find to confirm that openvpn was installed successfully
[root@localhost openvpn-2.3.9]# find / -name 'openvpn'
/etc/selinux/targeted/active/modules/100/openvpn
/usr/local/lib/openvpn
/usr/local/sbin/openvpn
/usr/local/share/doc/openvpn
/usr/local/src/openvpn-2.3.9/src/openvpn
/usr/local/src/openvpn-2.3.9/src/openvpn/openvpn
7. Copy the sample openvpn server configuration
cp /usr/local/src/openvpn-2.3.9/sample/sample-config-files/server.conf /etc/openvpn/
cp /usr/local/src/openvpn-2.3.9/sample/sample-config-files/openvpn-shutdown.sh /etc/openvpn/
8. Configure openvpn
cd /etc/openvpn
mv server.conf server.conf.bak
cat > server.conf << EOF
port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/pki/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0" # set the pushed route to the subnet that applies in your environment
keepalive 10 120
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
EOF
mkdir -p /var/log/openvpn
touch /var/log/openvpn/openvpn.log
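Before starting the server it is worth checking that every file server.conf points at really exists and that the private key is not readable by other users. The following POSIX sh function is an added example and is not part of the original tutorial; the function name check_openvpn_conf is an assumption. It resolves paths the way "openvpn --cd DIR" does (absolute paths as-is, relative paths under DIR), so it also catches a crl-verify line whose crl.pem was never copied into place.

```shell
# Added example (not from the original tutorial): verify that every file a
# server.conf refers to exists and that the private key is not readable by
# group/others. Paths are resolved like "openvpn --cd DIR": absolute paths
# as-is, relative paths under DIR.
# Usage: check_openvpn_conf /etc/openvpn/server.conf /etc/openvpn

check_openvpn_conf() {
    conf="$1"
    base="${2:-$(dirname "$conf")}"
    rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }

    # Directives whose argument is a file the server must open at start-up
    # (crl-verify is read again on every client connect).
    for directive in ca cert key dh crl-verify; do
        # strip comments, find the first line starting with the directive, print its argument
        path=$(sed 's/#.*//' "$conf" | awk -v d="$directive" '$1 == d { print $2; exit }')
        [ -z "$path" ] && continue
        case "$path" in
            /*) file="$path" ;;
            *)  file="$base/$path" ;;
        esac
        if [ ! -f "$file" ]; then
            echo "MISSING: $directive -> $file"
            rc=1
        elif [ "$directive" = key ] && [ -n "$(find "$file" -perm /077)" ]; then
            echo "PERMS: $file is readable by group/others; run: chmod 600 $file"
            rc=1
        fi
    done
    return $rc
}
```

Run it as check_openvpn_conf /etc/openvpn/server.conf /etc/openvpn right after writing the configuration; a non-zero exit means at least one MISSING or PERMS line was printed.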
9. Enable IP forwarding
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
10. Add one firewall (NAT) rule
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE # replace eth1 with the interface that faces the 192.168.0.0/24 network
iptables -L -n -t nat
11. Start openvpn
/usr/local/sbin/openvpn --cd /etc/openvpn --daemon --config server.conf
Check the process: ps -ef | grep openvpn
Check the log
[root@localhost openvpn]# tail -f /var/log/openvpn/openvpn.log
Sun Jan 23 23:13:29 2022 GID set to nobody
Sun Jan 23 23:13:29 2022 UID set to nobody
Sun Jan 23 23:13:29 2022 Listening for incoming TCP connection on [undef]
Sun Jan 23 23:13:29 2022 TCPv4_SERVER link local (bound): [undef]
Sun Jan 23 23:13:29 2022 TCPv4_SERVER link remote: [undef]
Sun Jan 23 23:13:29 2022 MULTI: multi_init called, r=256 v=256
Sun Jan 23 23:13:29 2022 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Sun Jan 23 23:13:29 2022 IFCONFIG POOL LIST
Sun Jan 23 23:13:29 2022 MULTI: TCP INIT maxclients=100 maxevents=104
Sun Jan 23 23:13:29 2022 Initialization Sequence Completed
12. openvpn client configuration
Download the openvpn client software
macOS version
Tunnelblick_3.5.5_build_4270.4461.dmg
Windows version
openvpn-install-2.3.10-I601-x86_64.exe
13.1 Install the openvpn client
13.2 Add the configuration file client.ovpn with the following content
client
dev tun
proto tcp
remote 192.168.0.110 1194 # IP address or domain name; if there is a firewall in front, the VPN server must be mapped to a port on the firewall
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
#redirect-gateway def1 # when enabled, the client's Internet (web) traffic is routed through the VPN server
comp-lzo
verb 3
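Instead of handing the user four separate files (client.ovpn plus ca.crt, client.crt and client.key), the three PEM files can be embedded in client.ovpn as inline <ca>, <cert> and <key> blocks, which OpenVPN accepts in place of the ca, cert and key path directives. The POSIX sh function below is an added example, not part of the original tutorial; the function name make_client_ovpn is an assumption, and the directives it emits are the ones from the client.ovpn above. It keeps only the "-----BEGIN" to "-----END" part of each file, so the human-readable certificate dump that easy-rsa prepends to issued certificates is not shipped to the client.

```shell
# Added example (not from the original tutorial): build one client.ovpn that
# embeds ca.crt, client.crt and client.key as inline <ca>/<cert>/<key> blocks.
# Usage: make_client_ovpn SERVER PORT CA_FILE CERT_FILE KEY_FILE > client.ovpn

make_client_ovpn() {
    server="$1"; port="$2"; ca="$3"; cert="$4"; key="$5"
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    # Same directives as the client.ovpn in the text, minus the three file paths
    cat <<EOF
client
dev tun
proto tcp
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
EOF
    # Inline blocks: copy only the PEM body of each file (all BEGIN..END
    # sections, so a certificate chain is carried over intact)
    for pair in "ca:$ca" "cert:$cert" "key:$key"; do
        tag=${pair%%:*}
        file=${pair#*:}
        echo "<$tag>"
        sed -n '/^-----BEGIN /,/^-----END /p' "$file"
        echo "</$tag>"
    done
}
```

On the server this would be run as make_client_ovpn 192.168.0.110 1194 pki/ca.crt pki/issued/client.crt pki/private/client.key > client.ovpn from /etc/openvpn/easy-rsa; the resulting single file is then the only thing copied into the client's config directory (steps 14.1 and 14.2 otherwise stay the same). The key file is still passphrase-protected, so the client prompts for the PEM passphrase as before.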
14.1 Copy ca.crt, username.crt and username.key (downloaded from the server) together with client.ovpn into the config directory under the OpenVPN installation directory
14.2 Start OpenVPN and enter the client's PEM passphrase; if the OpenVPN icon turns green, the connection succeeded!
15 Revoke a certificate
Back on the server
cd /etc/openvpn/easy-rsa
./easyrsa revoke test # "test" is the name that was given to build-client-full; in this tutorial the client certificate was created as "client"
./easyrsa gen-crl
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/
echo crl-verify crl.pem >>/etc/openvpn/server.conf # only add this line the first time you revoke a certificate; do not add it to the configuration file again afterwards
chmod o+r /etc/openvpn/crl.pem # after every revocation the new crl.pem must be given this permission again, because the server drops to user nobody and must still be able to read it
/usr/local/sbin/openvpn --cd /etc/openvpn --daemon --config server.conf
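The steps after gen-crl (copy crl.pem, add crl-verify once, fix the permission) are easy to get wrong on the second and later revocations: adding the directive twice or forgetting the chmod leaves the server unable to load the CRL. The POSIX sh function below is an added example, not part of the original tutorial; the function name install_crl is an assumption. It is safe to run after every gen-crl because it only appends crl-verify if the configuration does not already contain it, and it verifies the end state before telling you to restart.

```shell
# Added example (not from the original tutorial): repeatable version of the
# post-revocation steps. Copies the fresh CRL next to server.conf, makes it
# readable by the unprivileged user the server runs as ("user nobody"), and
# adds "crl-verify crl.pem" only if it is not already present.
# Usage: install_crl /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/server.conf

install_crl() {
    src="$1"
    conf="$2"
    dest="$(dirname "$conf")/crl.pem"
    [ -f "$src" ] || { echo "no CRL at $src; run: ./easyrsa gen-crl" >&2; return 1; }
    [ -f "$conf" ] || { echo "no config at $conf" >&2; return 1; }
    cp "$src" "$dest"
    # the server re-reads crl.pem as "nobody" on every client connect, so it
    # must be world-readable (same effect as the chmod o+r in the text)
    chmod 644 "$dest"
    # Add the directive once; commented-out lines are ignored when looking for it
    if ! sed 's/#.*//' "$conf" | grep -q '^[[:space:]]*crl-verify[[:space:]]'; then
        echo "crl-verify crl.pem" >> "$conf"
    fi
    # Sanity checks: exactly one active crl-verify line, CRL readable by others
    n=$(sed 's/#.*//' "$conf" | grep -c '^[[:space:]]*crl-verify[[:space:]]' || true)
    [ "$n" -eq 1 ] || { echo "expected one crl-verify line in $conf, found $n" >&2; return 1; }
    [ -n "$(find "$dest" -perm -004)" ] || { echo "$dest is not world-readable" >&2; return 1; }
    echo "CRL installed to $dest; restart the server to load it"
}
```

Run install_crl /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/server.conf after each ./easyrsa gen-crl, then restart the server as in the last line above.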