Installation

It is recommended to enable the EPEL repository and install OpenVPN with yum.

  yum install -y epel-release
  yum update -y
  yum install -y openssl lzo pam openssl-devel lzo-devel pam-devel
  yum install -y easy-rsa
  yum install -y openvpn

Choose a private subnet

This is the VPN tunnel subnet between server and clients; it only needs to avoid overlapping with the networks already present in the environment.
Default: 10.8.0.0/16

Configure certificates and keys

The easy-rsa installed via yum is version 3.x; copy the tool out of its installation path and use this default easy-rsa 3.x to generate the certificates and keys.
The version obtained here is 3.0.8.

  cp -rf /usr/share/easy-rsa/3.0.8 /etc/openvpn/server/easy-rsa
  cd /etc/openvpn/server/easy-rsa
  # initialise the PKI and create the CA
  ./easyrsa init-pki
  ./easyrsa build-ca nopass
  # server certificate
  ./easyrsa build-server-full server nopass
  # client certificates
  ./easyrsa build-client-full client1 nopass
  ./easyrsa build-client-full client2 nopass
  # Diffie-Hellman parameters (written to pki/dh.pem)
  ./easyrsa gen-dh
  # tls-auth shared key (written to the current directory)
  openvpn --genkey --secret ta.key

Create the directories used

  # log directory
  mkdir -p /var/log/openvpn/
  # user management directory
  mkdir -p /etc/openvpn/server/user
  # set ownership
  chown openvpn:openvpn /var/log/openvpn

Create the server configuration file

Edit /etc/openvpn/server/server.conf and write the following content:

  #################################################
  # This file is for the server side             #
  # of a many-clients <-> one-server             #
  # OpenVPN configuration.                       #
  #                                              #
  # Comments are preceded with '#' or ';'        #
  #################################################
  port 1194
  proto tcp-server
  ## Enable the management interface
  # management-client-auth
  # management localhost 7505 /etc/openvpn/user/management-file
  dev tun # TUN/TAP virtual network device
  user openvpn
  group openvpn
  ca /etc/openvpn/server/easy-rsa/pki/ca.crt
  cert /etc/openvpn/server/easy-rsa/pki/issued/server.crt
  key /etc/openvpn/server/easy-rsa/pki/private/server.key
  dh /etc/openvpn/server/easy-rsa/pki/dh.pem
  tls-auth /etc/openvpn/server/easy-rsa/ta.key 0
  ## Using system user auth.
  # plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
  ## Using script plugins
  auth-user-pass-verify /etc/openvpn/server/user/checkpsw.sh via-env
  script-security 3
  # client-cert-not-required # Deprecated option
  verify-client-cert # with no argument this means "require"; "none" would skip the client certificate check
  username-as-common-name
  ## Connecting clients to be able to reach each other over the VPN.
  client-to-client
  ## Allow multiple clients with the same common name to concurrently connect.
  duplicate-cn
  # client-config-dir /etc/openvpn/server/ccd
  # ifconfig-pool-persist ipp.txt
  server 10.8.0.0 255.255.255.0 # 10.8.0.0 is chosen freely; it must not overlap the server's internal subnet
  push "dhcp-option DNS 114.114.114.114"
  push "dhcp-option DNS 1.1.1.1"
  push "route 172.17.0.0 255.255.255.0" # 172.17.0.0 is the server's internal subnet
  # comp-lzo - DEPRECATED This option will be removed in a future OpenVPN release. Use the newer --compress instead.
  compress lzo
  # cipher AES-256-CBC
  ncp-ciphers "AES-256-GCM:AES-128-GCM"
  ## In UDP client mode or point-to-point mode, send server/peer an exit notification if tunnel is restarted or OpenVPN process is exited.
  # explicit-exit-notify 1
  keepalive 10 120
  persist-key
  persist-tun
  verb 3
  log /var/log/openvpn/server.log
  log-append /var/log/openvpn/server.log
  status /var/log/openvpn/status.log

Note: after creating the configuration file, a symlink to it must be created, because with the way the openvpn systemd unit of the current version is started below, it reads the .service.conf configuration.

  cd /etc/openvpn/server/
  ln -sf server.conf .service.conf

Create the user password file

The format is one username and password per line, separated by a space; for additional accounts, continue on new lines.

  tee /etc/openvpn/server/user/psw-file << EOF
  mytest mytestpass
  EOF
  chmod 600 /etc/openvpn/server/user/psw-file
  chown openvpn:openvpn /etc/openvpn/server/user/psw-file
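As an added example (not part of the original post), the following shell helpers maintain the psw-file in the format described above: one whitespace-separated "username password" pair per line, with lines starting with '#' or ';' treated as comments, exactly as checkpsw.sh below reads it. The function names, the temporary demo directory and the demo entries are constructed for this example; the real file is /etc/openvpn/server/user/psw-file.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the plain-text
# psw-file that checkpsw.sh reads (one "username password" pair per line;
# lines starting with '#' or ';' are comments, as in checkpsw.sh).

# add_vpn_user PASSFILE USERNAME PASSWORD
# Appends one entry. Rejects empty values and values containing whitespace
# (the file is whitespace-separated, so such an entry would be misread),
# and rejects a username that is already present. Returns 0 on success,
# 1 on rejection. Ownership (chown openvpn:openvpn) is left to the caller,
# since it needs root.
add_vpn_user() {
    passfile=$1; user=$2; pass=$3
    for v in "$user" "$pass"; do
        case "$v" in
            ""|*[[:space:]]*)
                echo "username and password must be non-empty and contain no whitespace" >&2
                return 1 ;;
        esac
    done
    if [ -f "$passfile" ] && awk -v u="$user" \
        '!/^[;#]/ && $1 == u { found = 1 } END { exit !found }' "$passfile"; then
        echo "user '$user' already exists in $passfile" >&2
        return 1
    fi
    printf '%s %s\n' "$user" "$pass" >> "$passfile"
    chmod 600 "$passfile"   # same mode the post sets: not world-readable
}

# list_vpn_users PASSFILE
# Prints the usernames, skipping comments and malformed lines.
list_vpn_users() {
    awk '!/^[;#]/ && NF >= 2 { print $1 }' "$1"
}

# Demo against a constructed temporary file (the real file lives at
# /etc/openvpn/server/user/psw-file).
demo_dir=$(mktemp -d)
add_vpn_user "$demo_dir/psw-file" mytest mytestpass
list_vpn_users "$demo_dir/psw-file"
```

The whitespace check matters because checkpsw.sh takes the first field as the username and the second as the password; an entry with a space inside either value would silently authenticate a different string than the one the administrator intended.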

Create the password check script

Edit /etc/openvpn/server/user/checkpsw.sh with the following content; after saving, make it executable.

  #!/bin/sh
  ###########################################################
  # checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
  #
  # This script will authenticate OpenVPN users against
  # a plain text file. The passfile should simply contain
  # one row per user with the username first followed by
  # one or more space(s) or tab(s) and then the password.
  #
  # OpenVPN runs it through "auth-user-pass-verify ... via-env":
  # the submitted credentials arrive in the environment variables
  # $username and $password, and the exit status (0 = accept,
  # 1 = reject) decides the login.
  PASSFILE="/etc/openvpn/server/user/psw-file"
  LOG_FILE="/var/log/openvpn/password.log"
  TIME_STAMP=$(date "+%Y-%m-%d %T")
  ###########################################################
  if [ ! -r "${PASSFILE}" ]; then
      echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
      exit 1
  fi
  # Look up the password for the submitted username; the name is passed
  # to awk as a variable so that quotes in it cannot alter the program.
  CORRECT_PASSWORD=$(awk -v u="${username}" '!/^;/ && !/^#/ && $1 == u { print $2; exit }' "${PASSFILE}")
  if [ "${CORRECT_PASSWORD}" = "" ]; then
      # NOTE: the failure branches write the submitted password to the log in clear text
      echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> "${LOG_FILE}"
      exit 1
  fi
  if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
      echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
      exit 0
  fi
  echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> "${LOG_FILE}"
  exit 1

Network configuration

Make sure the firewall is running and add the following configuration; otherwise only the machine running the VPN is reachable, not the other machines on its internal network.

  # Only needed on CentOS 6 and below; CentOS 7 enables this by default
  vim /etc/sysctl.conf
  net.ipv4.ip_forward = 1   # line to add to the file
  sysctl -p                 # apply immediately

  firewall-cmd --permanent --add-masquerade
  firewall-cmd --permanent --add-service=openvpn
  # or add a custom port
  # firewall-cmd --permanent --add-port=1194/tcp
  firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
  firewall-cmd --reload

Or use the following command:

  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Start the service

  # find the service unit names
  rpm -ql openvpn | grep service
  /usr/lib/systemd/system/openvpn-client@.service
  /usr/lib/systemd/system/openvpn-server@.service
  /usr/lib/systemd/system/openvpn@.service
  # start (the instance name after "@" is used as the config file name,
  # <instance>.conf, which is why the .service.conf symlink was created above)
  systemctl start openvpn-server@.service.service
  # or
  openvpn /etc/openvpn/server/server.conf &

Configure the client

Download the generated ca.crt, client1.crt, client1.key and ta.key files from the server to the client; the client configuration C:\Program Files\OpenVPN\config\245.ovpn is as follows:

  #
  client
  proto tcp-client
  dev tun
  auth-user-pass
  remote yourserver.domain 1194
  ca ca.crt
  cert client1.crt
  key client1.key
  tls-auth ta.key 1
  remote-cert-tls server
  auth-nocache
  persist-tun
  persist-key
  comp-lzo
  verb 4
  mute 10

Remember the password
1. In the OpenVPN installation directory, find the vpnserver.ovpn file in the \OpenVPN\config folder.
2. Add auth-user-pass pass.txt as the last line of the file and save.
3. Create a pass.txt file in the same directory.
4. Enter the username and password into the file, each on its own line.

Alternatively, the crt and key contents can be embedded directly inside the 245.ovpn file instead of being referenced as separate files.
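As an added example (not from the original post), the following shell script builds such a self-contained profile from the four files copied from the server: the option lines mirror the 245.ovpn above, and the certificate and key material is carried in OpenVPN's inline `<ca>`, `<cert>`, `<key>` and `<tls-auth>` blocks, with the "1" from `tls-auth ta.key 1` expressed as `key-direction 1`. The function names, the temporary directory and the placeholder PEM contents in the demo are constructed for this example and are not real key material.

```shell
#!/bin/sh
# Added example, not from the original post: build one self-contained .ovpn
# that carries ca.crt, client1.crt, client1.key and ta.key inline instead of
# referencing them as separate files. OpenVPN reads such material from
# <ca>, <cert>, <key> and <tls-auth> blocks; the "1" that followed ta.key
# in the file-based "tls-auth ta.key 1" line becomes "key-direction 1".

# emit_block TAG FILE: print FILE wrapped in <TAG>...</TAG>, making sure the
# closing tag starts on its own line even if FILE lacks a final newline.
emit_block() {
    printf '<%s>\n' "$1"
    cat "$2"
    if [ -n "$(tail -c 1 "$2")" ]; then echo; fi
    printf '</%s>\n' "$1"
}

# build_inline_ovpn SERVER_HOST CA_FILE CERT_FILE KEY_FILE TA_FILE
# Writes the profile to stdout; returns 1 if any input file is unreadable.
# The option lines mirror the 245.ovpn from the post.
build_inline_ovpn() {
    host=$1; ca=$2; cert=$3; key=$4; ta=$5
    for f in "$ca" "$cert" "$key" "$ta"; do
        if [ ! -r "$f" ]; then
            echo "cannot read $f" >&2
            return 1
        fi
    done
    cat <<EOF
client
proto tcp-client
dev tun
auth-user-pass
remote $host 1194
remote-cert-tls server
key-direction 1
auth-nocache
persist-tun
persist-key
comp-lzo
verb 4
mute 10
EOF
    emit_block ca "$ca"
    emit_block cert "$cert"
    emit_block key "$key"
    emit_block tls-auth "$ta"
}

# Demo with constructed placeholder files (not real key material); on the
# real client the inputs are the four files copied from the server.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$demo/ca.crt"
cp "$demo/ca.crt" "$demo/client1.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' '-----END PRIVATE KEY-----' > "$demo/client1.key"
printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' 'PLACEHOLDER' '-----END OpenVPN Static key V1-----' > "$demo/ta.key"
build_inline_ovpn yourserver.domain "$demo/ca.crt" "$demo/client1.crt" "$demo/client1.key" "$demo/ta.key" > "$demo/245.ovpn"
cat "$demo/245.ovpn"
```

A single file is easier to hand to a user, but it now contains the client's private key, so it should be copied over a trusted channel and given the same restrictive permissions the separate key file would have had.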

Result

(The original post shows screenshots of the connected client here.)