安装软件包:
[root@localhost ~]# yum -y install openvpn easy-rsa
复制easy-rsa 文件:
[root@localhost ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa
[root@localhost ~]# cd /etc/openvpn/easy-rsa/
[root@localhost easy-rsa]# cd 3.0.3/
[root@localhost 3.0.3]# find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars
创建PKI和CA:
[root@localhost 3.0.3]# pwd
/etc/openvpn/easy-rsa/3.0.3
[root@localhost 3.0.3]# ./easyrsa init-pki #创建空的pki
[root@localhost 3.0.3]# ./easyrsa build-ca nopass #创建新的CA,不使用密码(nopass 会把 CA 私钥明文保存在磁盘上;如需用口令保护 CA 私钥,去掉 nopass)
创建服务端证书:
[root@localhost 3.0.3]# ./easyrsa gen-req server nopass
签约服务端证书:
[root@localhost 3.0.3]# ./easyrsa sign server server #签发服务端证书,生成 pki/issued/server.crt
创建 Diffie-Hellman:
[root@localhost 3.0.3]# ./easyrsa gen-dh
创建客户端证书:
复制文件:
[root@localhost ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/client/easy-rsa
[root@localhost ~]# cd /etc/openvpn/client/easy-rsa/
[root@localhost easy-rsa]# cd 3.0.3/
[root@localhost 3.0.3]# find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars
生成证书:
[root@localhost 3.0.3]# pwd
/etc/openvpn/client/easy-rsa/3.0.3
[root@localhost 3.0.3]# ./easyrsa init-pki #创建新的pki
[root@localhost 3.0.3]# ./easyrsa gen-req yaoxu nopass
签约客户端证书:
[root@localhost 3.0.3]# cd /etc/openvpn/easy-rsa/3.0.3/
[root@localhost 3.0.3]# pwd
/etc/openvpn/easy-rsa/3.0.3
[root@localhost 3.0.3]# ./easyrsa import-req /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/yaoxu.req yaoxu #导入客户端请求
[root@localhost 3.0.3]# ./easyrsa sign-req client yaoxu #签发客户端证书,生成 pki/issued/yaoxu.crt(下面整理证书时要复制的就是这个文件)
整理证书:
服务端:
[root@localhost ~]# mkdir /etc/openvpn/certs
[root@localhost ~]# cd /etc/openvpn/certs/
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem .
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt .
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt .
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/private/server.key .
客户端证书:
[root@localhost certs]# mkdir /etc/openvpn/client/yaoxu/
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt /etc/openvpn/client/yaoxu/
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/yaoxu.crt /etc/openvpn/client/yaoxu/
[root@localhost certs]# cp /etc/openvpn/client/easy-rsa/3.0.3/pki/private/yaoxu.key /etc/openvpn/client/yaoxu/
[root@localhost certs]# ll /etc/openvpn/client/yaoxu/
服务端配置文件示例:配置文件说明:https://github.com/OpenVPN/openvpn/blob/master/sample/sample-config-files/server.conf
[root@localhost ~]# vim /etc/openvpn/server/first.conf
local 服务端监听的本机IP # local 后面填 IP 地址(不是网卡名);不写则监听所有地址
port 1194 # vpn 端口
proto tcp # 可以使用 udp,速度更快
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
ifconfig-pool-persist /etc/openvpn/ipp.txt
server 17.166.221.0 255.255.255.0 # server 虚拟地址池(应选用未被占用的私有网段,并与下面防火墙 MASQUERADE 规则中 -s 的网段保持一致)
push "route 192.168.1.0 255.255.255.0" # Push操作,适用于在客户端连接上vpn,给客户端路由表添加路由;
push "redirect-gateway def1 bypass-dhcp" # 设置所有的流量走vpn
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 223.6.6.6"
client-to-client
keepalive 20 120
comp-lzo # 压缩在新版 OpenVPN 中已弃用,且可能削弱加密流量的保密性;如无必要建议不启用,客户端配置需与服务端一致
#duplicate-cn
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 1
mute 20
客户端配置文件client.ovpn:
client #这个不能改
proto tcp #要与server.conf一致
dev tun #要与server.conf一致
remote 主机外网IP 12306 #端口要与 server.conf 的 port 一致(本例 server.conf 用的是 1194;若经 NAT 端口映射,则填映射后的外网端口)
ca ca.crt
cert yaoxu.crt
key yaoxu.key #对应所下载的证书
resolv-retry infinite
nobind
mute-replay-warnings
keepalive 20 120
comp-lzo
#user openvpn
#group openvpn
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
mute 20
配置转发(firewalld):注意包转发,此处较为关键;请确认配置正确;并保证防火墙打开;(下面的 firewall-cmd --direct --passthrough ... 转发命令是运行时规则,没有 --permanent,重启后会失效,服务中断时需要重新配置;其中 -s 后的网段要与 server.conf 中 server 指令的虚拟地址池一致)
firewall-cmd --add-service=openvpn
firewall-cmd --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1 # 保存后执行:sysctl -p
# 设置firewall规则:IP/网段根据自己的情况确定(--add-source 的网段应与 server 指令的虚拟地址池一致,并带上掩码,如 /24)
systemctl start firewalld.service
firewall-cmd --state
firewall-cmd --zone=public --list-all
firewall-cmd --add-service=openvpn --permanent
firewall-cmd --add-port=1194/udp --permanent # 端口/协议要与 server.conf 的 port 和 proto 一致(本例 proto 为 tcp,则应放行 1194/tcp)
firewall-cmd --add-port=22/tcp --permanent
firewall-cmd --add-source=10.10.1.0 --permanent
firewall-cmd --query-source=10.10.1.0 --permanent
firewall-cmd --add-masquerade --permanent
firewall-cmd --query-masquerade --permanent
firewall-cmd --reload
开启 openvpn 服务:
systemctl enable openvpn-server@first.service
systemctl start openvpn-server@first.service
配置客户端:
可以使用 openvpn 命令行
图形界面:
macos:Tunnelblick openvpn 命令行
linux: openvpn
openvpn [--daemon] --cd /etc/openvpn --config client.ovpn [--log-append /var/log/openvpn.log] # 方括号内为可选参数
windows: openvpn.exe : http://www.fyluo.com/m/?post=198
参考链接:
https://fedoraproject.org/wiki/Openvpn 官方文档,较为优秀;
https://www.cnblogs.com/olinux/p/5159530.html
https://blog.rj-bai.com/post/78.html#menu_index_14
https://blog.rj-bai.com/post/132.html#menu_index_11
https://blog.rj-bai.com/post/136.html 较为优秀
https://www.cnblogs.com/37yan/p/7171457.html
https://www.cnblogs.com/EasonJim/p/8449495.html
https://github.com/OpenVPN/openvpn/blob/master/sample/sample-config-files/server.conf 较为优秀
https://blog.cryse.org/article/centos7-openvpn
https://www.cnblogs.com/xiaoyou2018/p/9522172.html firewall-cmd 配置规则有帮助
https://wangchujiang.com/linux-command/c/firewall-cmd.html
https://www.cnblogs.com/luobiao320/p/7190918.html
https://www.cnblogs.com/EasonJim/p/8349519.html (macos 用户建议阅读)