openvpn基本环境安装
# Base packages on a yum-based (CentOS/RHEL-style) host. EPEL is enabled
# first because the openvpn and easy-rsa packages installed below come from it.
$ yum install -y epel-release
$ yum update -y
# Libraries OpenVPN needs at build/run time: TLS (openssl), LZO compression, PAM.
$ yum install -y openssl lzo pam openssl-devel lzo-devel pam-devel
# easy-rsa is the CA / certificate tooling used in the next section.
$ yum install -y easy-rsa
$ yum install -y openvpn
设置日志目录
# Log directory. server.conf later writes server.log and status.log here and
# runs the daemon as user/group openvpn, so that account must own the directory.
mkdir -p /var/log/openvpn/
chown openvpn:openvpn /var/log/openvpn
服务器证书生成
# Copy the easy-rsa 3 tree under /etc/openvpn/server so the PKI lives with the
# server files. The version directory depends on the installed package; check
# `ls /usr/share/easy-rsa/` if 3.0.8 is not present.
cp -rf /usr/share/easy-rsa/3.0.8 /etc/openvpn/server/easy-rsa
cd /etc/openvpn/server/easy-rsa
# Create the empty pki/ layout (pki/private, pki/issued, pki/reqs, index.txt ...).
./easyrsa init-pki
# Build the CA. "nopass" leaves the CA private key (pki/private/ca.key)
# unencrypted: whoever can read it can mint trusted client certificates, so
# keep this directory root-only, or drop "nopass" and set a passphrase.
./easyrsa build-ca nopass
# Key + request + signed certificate for the server, named "server"
# (pki/private/server.key, pki/issued/server.crt).
./easyrsa build-server-full server nopass
# Diffie-Hellman parameters (pki/dh.pem); this step is slow.
./easyrsa gen-dh
# Static tls-auth key, written as ta.key in the current directory and copied
# to the certs directory in the next section. Every client receives a copy.
openvpn --genkey --secret ta.key
证书放置统一目录
# Gather everything server.conf references into one directory. `cp -a`
# preserves the modes easy-rsa set; server.key is the server's private key
# and should stay readable by root only.
$ mkdir -p /etc/openvpn/server/certs
$ cp -a pki/ca.crt /etc/openvpn/server/certs
$ cp -a pki/private/server.key /etc/openvpn/server/certs
$ cp -a pki/issued/server.crt /etc/openvpn/server/certs
$ cp -a pki/dh.pem /etc/openvpn/server/certs
$ cp -a ta.key /etc/openvpn/server/certs
服务器openvpn基本配置
vim /etc/openvpn/server.conf
# /etc/openvpn/server.conf - OpenVPN server configuration used by this guide.
# The certificate/key paths point at the certs directory populated above.
port 1194 # listening port
proto udp # transport protocol; udp is faster, so it is used here
dev tun
ca /etc/openvpn/server/certs/ca.crt # CA root certificate
cert /etc/openvpn/server/certs/server.crt # OpenVPN server certificate
key /etc/openvpn/server/certs/server.key # OpenVPN server private key; this file should be kept secret
dh /etc/openvpn/server/certs/dh.pem # Diffie-Hellman parameters file
tls-auth /etc/openvpn/server/certs/ta.key 0 # tls-auth key; the key-direction argument 0 may be omitted. If it is given, the client
# must use the matching value 1; if it is omitted here, the client's tls-auth line omits the direction as well.
server 10.8.0.0 255.255.255.0 # VPN virtual subnet; must not overlap the LAN. OpenVPN's default is 10.8.0.0/24
keepalive 10 120
# NOTE(review): compression on a VPN link is generally discouraged (it can let
# an attacker who controls part of the plaintext infer secrets); consider
# removing comp-lzo here and in the client template.
comp-lzo
persist-key
persist-tun
user openvpn # drop to this unprivileged account after startup; the openvpn package creates it
group openvpn
log /var/log/openvpn/server.log # log file location
log-append /var/log/openvpn/server.log # same file as "log"; presumably only one of the two is needed - verify which mode is wanted
status /var/log/openvpn/status.log
verb 3
# explicit-exit-notify is only meaningful with proto udp (as configured above).
explicit-exit-notify 1
# NOTE(review): no cipher / auth / tls-version-min lines, so the daemon's
# defaults apply; pin them explicitly if a known cipher suite is required.
启动openvpn
# Start the server in the background with the config above: it listens on
# udp/1194, drops to user/group openvpn after initialisation, and logs to
# /var/log/openvpn/server.log. Nothing here registers it with the init
# system, so it has to be started again after a reboot.
openvpn --daemon --config /etc/openvpn/server.conf
客户端证书生成模板
vim /etc/openvpn/client/sample.ovpn
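# /etc/openvpn/client/sample.ovpn - client profile template.
# open_user.sh copies this file per user and rewrites "cert admin.crt" /
# "key admin.key" with the user's own name.
#
# Comments use '#' — "//" is not comment syntax in OpenVPN config files; text
# after "//" would be parsed as extra option arguments.
client
proto udp
dev tun
# Server public IP (x.x.x.x is a placeholder) and port.
remote x.x.x.x 1194
# Ignore routes pushed by the server; only the routes listed below use the tunnel.
route-nopull
route 10.8.0.0 255.255.255.0 vpn_gateway
route 172.16.0.0 255.255.255.192 vpn_gateway
ca ca.crt
cert admin.crt
key admin.key
# key-direction 1 pairs with the server's "tls-auth ... 0".
tls-auth ta.key 1
# Require the server certificate to carry the server EKU, so another client's
# certificate cannot be used to impersonate the server.
remote-cert-tls server
persist-tun
persist-key
# Must match the server setting.
comp-lzo
verb 3
mute-replay-warnings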
客户端证书生成脚本
vim /etc/openvpn/client/open_user.sh
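#!/bin/sh
# open_user.sh - issue an OpenVPN client certificate and bundle it with a
# ready-to-use .ovpn profile.
#
# Usage: sh ./open_user.sh NAME...   (run as root from /etc/openvpn/client)
#
# For each NAME this script:
#   1. removes a previously issued set for NAME so the name can be re-issued,
#   2. runs `easyrsa build-client-full NAME nopass`,
#   3. copies ca.crt, NAME.crt, NAME.key, ta.key and a NAME.ovpn derived from
#      sample.ovpn into $OVPN_USER_KEYS_DIR/NAME and zips that directory.
#
# Requires: an initialised easy-rsa PKI under $EASY_RSA_DIR, sample.ovpn in
# /etc/openvpn/client, ta.key in /etc/openvpn/server/certs, and `zip`.
set -eu
# Everything written here is private key material: create files owner-only.
umask 077

OVPN_USER_KEYS_DIR=/etc/openvpn/client/keys
EASY_RSA_DIR=/etc/openvpn/server/easy-rsa/
PKI_DIR=$EASY_RSA_DIR/pki
CLIENT_TEMPLATE=/etc/openvpn/client/sample.ovpn
TA_KEY=/etc/openvpn/server/certs/ta.key

# Print a message to stderr and abort.
die() {
  printf 'open_user.sh: %s\n' "$*" >&2
  exit 1
}

# Validate a client name before it is used in paths and sed expressions.
# Rejected: empty, leading '.' or '-' (".." would escape the keys directory
# and be passed to rm -rf; "-x" would be taken as an option), any character
# outside [A-Za-z0-9_.-], and the names of the server/CA certificates.
check_name() {
  case "$1" in
    '' | .* | -* | *[!A-Za-z0-9_.-]*)
      die "invalid client name '$1'" ;;
    server | ca)
      die "'$1' is reserved for the server/CA certificate" ;;
  esac
}

# Remove the previous issuance for $1 so easyrsa can sign the name again.
remove_old_issuance() {
  name=$1
  rm -rf -- "${OVPN_USER_KEYS_DIR:?}/$name"
  # Stale request, certificate and key from the earlier run.
  rm -f -- "$PKI_DIR/reqs/$name.req" \
           "$PKI_DIR/issued/$name.crt" \
           "$PKI_DIR/private/$name.key"
  # Drop only the index entry whose subject is exactly /CN=<name> (easy-rsa's
  # default cn_only subject). The original unanchored pattern also deleted
  # entries for any other CN that merely contained the name. '.' is escaped
  # so it is not a regex wildcard; '|' is the sed address delimiter and cannot
  # occur in a validated name.
  escaped=$(printf '%s' "$name" | sed 's/[.]/\\./g')
  sed -i '\|/CN='"$escaped"'$|d' "$PKI_DIR/index.txt"
}

# Issue the certificate for $1 and build its bundle.
issue_client() {
  name=$1
  out_dir=$OVPN_USER_KEYS_DIR/$name

  if [ -d "$out_dir" ]; then
    remove_old_issuance "$name"
  fi

  # easyrsa is invoked as ./easyrsa, so it must run from its own directory.
  cd "$EASY_RSA_DIR"
  ./easyrsa build-client-full "$name" nopass

  mkdir -p "$out_dir"
  cp -- "$PKI_DIR/ca.crt"            "$out_dir/"        # CA root certificate
  cp -- "$PKI_DIR/issued/$name.crt"  "$out_dir/"        # client certificate
  cp -- "$PKI_DIR/private/$name.key" "$out_dir/"        # client private key
  cp -- "$TA_KEY"                    "$out_dir/ta.key"  # tls-auth key (shared by all clients)
  # Derive the profile. Only the "cert admin.crt" / "key admin.key" lines are
  # renamed; the original replaced every "admin" in the template, which would
  # also corrupt e.g. a hostname containing that word.
  sed -e 's|^cert admin\.crt$|cert '"$name"'.crt|' \
      -e 's|^key admin\.key$|key '"$name"'.key|' \
      "$CLIENT_TEMPLATE" > "$out_dir/$name.ovpn"

  # The zip holds an unencrypted private key: hand it over on a trusted
  # channel and delete it once the client has imported it.
  cd "$OVPN_USER_KEYS_DIR"
  zip -r "$name.zip" "$name"
}

main() {
  [ "$#" -ge 1 ] || die "usage: sh ./open_user.sh NAME..."
  command -v zip >/dev/null 2>&1 || die "zip is not installed"
  # Validate every name up front so a bad argument does not abort half-way
  # through a batch.
  for name in "$@"; do
    check_name "$name"
  done
  for name in "$@"; do
    issue_client "$name"
  done
}

main "$@"
exit 0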
生成客户端证书
# Issue a bundle for each client name given ("xxx" is a placeholder). The
# script path is relative, so run this from /etc/openvpn/client, as root,
# since it writes under /etc/openvpn. Output: keys/<name>/ and keys/<name>.zip.
sh ./open_user.sh xxx
注意事项:
1、路由相关
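# NAT traffic from the VPN subnet (10.8.0.0/24, the "server" line in
# server.conf) out through the host, then list the nat table to confirm the
# rule is present. The rule is not persistent across reboots: re-add it, or
# save it with the distribution's iptables-save/iptables-restore mechanism.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
iptables -vnL -t nat
# 打开路由转发: enable IPv4 forwarding permanently by adding the line shown
# below to /etc/sysctl.conf, then reload the settings. ("//" is not a shell
# comment, and the sysctl line is file content, not a command.)
vim /etc/sysctl.conf
#   net.ipv4.ip_forward = 1
sysctl -p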
2、服务配置中的监听端口记得放开
end