参考链接
https://www.fandenggui.com/post/centos7-install-openvpn.html#5-L50
https://openvpn.net/community-downloads/
https://my.oschina.net/u/3585265/blog/2221466
https://juejin.im/post/5b5985b1f265da0f875938d2
软件版本
- Centos - 7.x
- easy-rsa - 3.0.3
- OpenVPN - 2.4.6
安装
建议安装启用epel源,采用yum的方式安装openvpn。
# Install OpenVPN and easy-rsa from the EPEL repository rather than from source.
yum -y install epel-release
yum -y update
# Libraries the package depends on (TLS, LZO compression, PAM plugin) and their headers.
yum -y install openssl lzo pam openssl-devel lzo-devel pam-devel
yum -y install easy-rsa
yum -y install openvpn
确定私网
默认:172.20.0.0/17
配置证书
我们通过yum方式安装的 easy-rsa 版本是3.x,直接从安装路径copy一份工具出来。这里用默认的 easy-rsa 3.x 来配置生成证书密钥。
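# Build the PKI with the easy-rsa 3 copy shipped by the package.
# The packaged path carries the easy-rsa version (3.0.3 on this page), so it
# needs adjusting if a different version is installed.
easyrsa_src=/usr/share/easy-rsa/3.0.3
easyrsa_dir=/etc/openvpn/server/easy-rsa
# Note: if $easyrsa_dir already exists, cp places the copy inside it.
cp -rf -- "$easyrsa_src" "$easyrsa_dir"
# Abort if the directory is missing; otherwise ta.key below would be written
# into whatever the current directory happens to be.
cd -- "$easyrsa_dir" || exit 1
./easyrsa init-pki
# `nopass` leaves the CA private key unencrypted on the VPN server itself.
# The CA key signs every client certificate, so it is the most valuable key
# here: prefer a passphrase (omit nopass) or keep the CA on an offline machine.
./easyrsa build-ca nopass
./easyrsa build-server-full server nopass
# Client private keys are generated on the server (pki/private/clientN.key).
# Deliver them to each client over an authenticated channel and do not leave
# copies on the server afterwards.
./easyrsa build-client-full client1 nopass
./easyrsa build-client-full client2 nopass
./easyrsa gen-dh
# tls-auth HMAC key (OpenVPN 2.4 syntax); one secret shared by the server and
# all clients. Written into $easyrsa_dir, the path server.conf references.
openvpn --genkey --secret ta.key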
配置Server端
创建使用的目录
# Directories referenced by the server configuration below.
log_dir=/var/log/openvpn
user_dir=/etc/openvpn/server/user
mkdir -p -- "$log_dir" "$user_dir"
# The daemon writes server.log and status.log here.
# NOTE(review): $user_dir will hold the username/password file; its own mode
# is left at the umask default here, only the file itself is restricted later.
chown openvpn:openvpn -- "$log_dir"
创建Server配置文件
# OpenVPN server configuration (/etc/openvpn/server/server.conf).
# Listens on TCP 1994. The firewalld `openvpn` service only covers the default
# 1194/udp, so this port has to be opened explicitly in the firewall.
port 1994
proto tcp-server
# Enable the management interface
# management-client-auth
# (the path below is /etc/openvpn/user/, while this page creates
#  /etc/openvpn/server/user — align them before enabling the interface)
# management localhost 7505 /etc/openvpn/user/management-file
dev tun # TUN/TAP virtual network device
# Privilege drop after startup is disabled while these stay commented out, so
# the daemon keeps running as root. (The original lines spelled the account
# "nobaby"; the system account is `nobody`.)
# user nobody
# group nobody
ca /etc/openvpn/server/easy-rsa/pki/ca.crt
cert /etc/openvpn/server/easy-rsa/pki/issued/server.crt
key /etc/openvpn/server/easy-rsa/pki/private/server.key
dh /etc/openvpn/server/easy-rsa/pki/dh.pem
# HMAC on the TLS control channel; ta.key is a secret shared by every client
# (key direction 0 here, 1 in client.ovpn).
tls-auth /etc/openvpn/server/easy-rsa/ta.key 0
# NOTE(review): no `crl-verify` is configured, so a client certificate revoked
# with easy-rsa keeps working until a CRL is generated and referenced here.
## Using System user auth.
# plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
## Using Script Plugins
# auth-user-pass-verify /etc/openvpn/server/user/checkpsw.sh via-env
# script-security 3
# While the plugin / auth-user-pass-verify lines above stay commented out, the
# server performs no username/password check and the psw-file created later on
# this page is not consulted. `via-env` hands the password to the script through
# environment variables, which the OpenVPN manual warns may be readable by other
# local processes; `via-file` is the documented alternative.
# client-cert-not-required # Deprecated option
# No mode argument given; in 2.4 this resolves to `require` (confirm against the
# manual for the installed version), i.e. every client must present a
# certificate signed by ca.crt.
verify-client-cert
# username-as-common-name
## Connecting clients to be able to reach each other over the VPN.
# Lets any VPN client reach any other; leave off unless clients need it.
client-to-client
## Allow multiple clients with the same common name to concurrently connect.
# One certificate can then be used by many sessions at once, so a copied
# client key grants access without displacing the legitimate user. Prefer one
# certificate per device and leave this off.
duplicate-cn
# client-config-dir /etc/openvpn/server/ccd
# ifconfig-pool-persist ipp.txt
# NOTE(review): the address pool is 172.21.0.0/24, while the page's 确定私网
# section, the pushed route and the firewalld NAT rule use 172.20.0.0/17.
# Confirm the intended subnet; the NAT rule as written would not match these
# client addresses.
server 172.21.0.0 255.255.255.0
push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 114.114.115.115"
# Route the private network (172.20.0.0/17) through the tunnel.
push "route 172.20.0.0 255.255.128.0"
# comp-lzo - DEPRECATED This option will be removed in a future OpenVPN release. Use the newer --compress instead.
# NOTE(review): compressing traffic inside the TLS tunnel enables
# compression-oracle attacks (VORACLE); upstream recommends leaving compression
# off. If removed here it must also be removed from client.ovpn.
compress lzo
# Data-channel cipher. With 2.4's cipher negotiation enabled by default, 2.4
# clients typically negotiate AES-256-GCM and this is the fallback for older
# clients — confirm with the `verb 3` log lines at connect time.
cipher AES-256-CBC
# ncp-ciphers "AES-256-GCM:AES-128-GCM"
## In UDP client mode or point-to-point mode, send server/peer an exit notification if tunnel is restarted or OpenVPN process is exited.
# (UDP only; not applicable to proto tcp-server)
# explicit-exit-notify 1
keepalive 10 120
persist-key
persist-tun
verb 3
# Both `log` and `log-append` name the same file; `log` truncates it on start
# while `log-append` keeps history. Keep only one of the two so the behaviour
# is unambiguous.
log /var/log/openvpn/server.log
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log
注意!!! 这里创建完配置文件后,需要做个配置文件的软链接,因为当前版本的 openvpn systemd 启动文件中读取的是.service.conf配置。
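# The page's note says the systemd unit reads ".service.conf"; keep the symlink
# the author relies on, but stop if the directory is missing so the link is not
# created in the current directory instead.
cd /etc/openvpn/server/ || exit 1
ln -sf server.conf .service.conf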
创建用户密码文件
格式是用户 密码以空格分割即可
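# Create the username/password file: one "user password" pair per line.
# Written under umask 077 so the file is never world-readable, even for the
# moment before chmod runs, and without `tee` so the password is not echoed to
# the terminal (and into any session log). The quoted delimiter keeps `$` and
# backslashes in passwords literal. "mytest mytestpass" is the page's sample
# credential — replace it. This file is only consulted once
# auth-user-pass-verify is enabled in server.conf.
(
  umask 077
  cat > /etc/openvpn/server/user/psw-file <<'EOF'
mytest mytestpass
EOF
)
chmod 600 /etc/openvpn/server/user/psw-file
chown openvpn:openvpn /etc/openvpn/server/user/psw-file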
防火墙配置
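# Firewall (firewalld). The server on this page listens on 1994/tcp, not the
# OpenVPN default, and the firewalld `openvpn` service definition only opens
# 1194/udp — so the custom port must be opened explicitly or clients cannot
# connect. Keep the VPN subnet and WAN interface in sync with server.conf.
vpn_net=172.20.0.0/17
wan_if=eth0
firewall-cmd --permanent --add-masquerade
# Only opens 1194/udp, which nothing on this page listens on; left disabled
# so no unused port is exposed.
# firewall-cmd --permanent --add-service=openvpn
firewall-cmd --permanent --add-port=1994/tcp
# NOTE(review): server.conf above assigns clients from 172.21.0.0/24, while this
# rule (and the page's 确定私网 section) uses 172.20.0.0/17, so traffic from VPN
# clients will not match it. Confirm the intended subnet and align both files.
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s "$vpn_net" -o "$wan_if" -j MASQUERADE
firewall-cmd --reload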
启动服务
# List the systemd unit templates shipped by the openvpn package.
rpm -ql openvpn | grep -F -- service
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/lib/systemd/system/openvpn@.service
(原文这三行被页面的邮箱混淆处理破坏,unit 文件名按 openvpn 2.4 软件包还原)
# Start the server in the foreground (server.conf has no `daemon` directive),
# so this command holds the terminal until OpenVPN exits; run the tail below
# from a second shell.
server_conf=/etc/openvpn/server/server.conf
openvpn --config "$server_conf"
# Follow the file named by `log` / `log-append` in server.conf for errors.
tail -f -- /var/log/openvpn/server.log
配置客户端(win10)
- 下载openvpn https://openvpn.net/community-downloads/
- 从server上将生成的ca.crt、client1.crt、client1.key、ta.key文件下载到客户端,客户端配置内容C:\Program Files\OpenVPN\config\client.ovpn
配置client.ovpn
# client.ovpn — OpenVPN client profile for the server configured above
# (Windows: C:\Program Files\OpenVPN\config\client.ovpn).
client
proto tcp-client
dev tun
# Prompt for username/password. Only meaningful once the server enables
# user/password verification (commented out in the server.conf on this page).
auth-user-pass
remote 210.14.159.141 1994
# ca.crt and ta.key come from the server; client1.key is this client's private
# key and must be protected like a password.
ca ca.crt
cert client1.crt
key client1.key
# Key direction 1 pairs with the server's `tls-auth ... 0`.
tls-auth ta.key 1
# Require the server certificate to carry the server key usage/EKU, so another
# client certificate issued by the same CA cannot impersonate the server.
remote-cert-tls server
# Do not keep the username/password cached in memory after use.
auth-nocache
persist-tun
persist-key
# Must match the server's `compress lzo`; see the compression caveat there.
compress lzo
verb 4
mute 10
Linux OpenVPN 客户端连接配置
准备配置文件及证书文件
因为我们之前有安装过 OpenVPN 服务端,具体过程参见 OpenVPN 安装配置,在这里我们直接用它提供的配置文件即可。
注意: 我们之前安装的 OpenVPN 服务端集成了 LDAP 统一认证,所以我们不再需要服务端分配给客户端的证书及密钥,只需要配置文件及相应的 key 即可,还有就是我们需要新建账号密码文件 passwd 。
配置文件修改完成后, /etc/openvpn 目录结构如下所示:
[root@ns1 ~]# tree /etc/openvpn/
/etc/openvpn/
├── client
│ ├── ca.crt # 服务端提供
│ └── ta.key # 服务端提供
├── client.ovpn # 客户端配置文件
├── passwd # 账号密码文件,需要新建,第一行账号,第二行是密码
└── server
2 directories, 4 files
连接测试
配置完成后,我们用命令行相关命令进行测试,具体命令如下:
# Connect as a client in the background; see the parameter notes below.
# /etc/openvpn/passwd holds the credentials (line 1 user, line 2 password), so
# it should be readable only by the account running openvpn.
opts=(
  --daemon
  --cd /etc/openvpn
  --config client.ovpn
  --auth-user-pass /etc/openvpn/passwd
  --log-append /var/log/openvpn.log
)
openvpn "${opts[@]}"
命令参数说明:
--daemon # 后台运行
--cd # 配置文件目录路径
--config # 配置文件名称
--auth-user-pass # 指定账号密码文件
--log-append # 日志文件
- -end- -