The following RPM packages and resources are needed:
net-tools-2.0-0.25.20131004git.el7.x86_64.rpm
openvpn-2.4.8-1.el7.x86_64.rpm
pkcs11-helper-1.11-3.el7.x86_64.rpm
https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz

Install OpenVPN and related tools

  1. yum localinstall openvpn-2.4.8-1.el7.x86_64.rpm pkcs11-helper-1.11-3.el7.x86_64.rpm
  2. yum localinstall net-tools-2.0-0.25.20131004git.el7.x86_64.rpm

Server certificate generation

To simplify certificate generation, the easy-rsa toolkit is used.

  1. Create a working directory for the files used during certificate generation:

```bash
mkdir /etc/openvpn/easy-rsa
```

  2. Prepare the certificate-generation files (extract the tarball and copy its contents into the working directory):

```bash
tar xzf EasyRSA-3.0.8.tgz && cp -r EasyRSA-3.0.8/* /etc/openvpn/easy-rsa/
```

  3. Prepare the CSR settings used when generating certificates. `EASYRSA_REQ_COUNTRY` must be a two-letter ISO 3166 code (`CN`); a three-letter value such as `CHN` fails OpenSSL's `countryName` length check when the request is built.

```bash
cat <<EOF > /etc/openvpn/easy-rsa/vars
# Organisation details; adjust to suit
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "ANHUI"
set_var EASYRSA_REQ_CITY "HEFEI"
set_var EASYRSA_REQ_ORG "YSF"
set_var EASYRSA_REQ_EMAIL "ysf@ysf.com"
set_var EASYRSA_REQ_OU "ysf"
# Certificate validity (days)
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 3650
EOF
```
  4. Generate the CA certificate and key:

```bash
[root@root easy-rsa]# cd /etc/openvpn/easy-rsa/
[root@root easy-rsa]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
[root@root easy-rsa]# ./easyrsa build-ca

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

Enter New CA Key Passphrase:      # choose a passphrase; it is asked for every time a certificate is signed below (the author used 888888)
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus
...........................+++
........+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Common Name (eg: your user, host, or server name) [Easy-RSA CA]:   # press Enter to accept the default CN, Easy-RSA CA

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt
```

Whoever holds `pki/private/ca.key` together with this passphrase can issue certificates that the VPN server will accept, so use a strong passphrase rather than the trivial one shown, and keep the easy-rsa directory away from users who only need to run the VPN service.

  5. Generate the server key and certificate request (`nopass` leaves the server key unencrypted so the service can start unattended):

```bash
[root@root easy-rsa]# ./easyrsa gen-req server nopass

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
..................+++
........+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.VWbGpsGSpM'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Common Name (eg: your user, host, or server name) [server]:   # press Enter to accept the default CN, server

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key
```

  6. Sign the server request with the `CA`. The subcommand is `sign-req <type> <name>` (the same one used for the client below); the type `server` is what puts the serverAuth extended key usage into the certificate, which the clients' `remote-cert-tls server` later checks:

```bash
[root@root easy-rsa]# ./easyrsa sign-req server server
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes    # type yes to confirm
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:   # the CA passphrase set in step 4
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Apr 2 04:27:27 2030 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt
```
  7. Generate the Diffie-Hellman parameters (this is a parameter file, not a certificate; the server.conf `dh` directive points at it):

```bash
[root@root easy-rsa]# ./easyrsa gen-dh

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.........................................

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem
```

  8. Generate the tls-auth key. It is a shared HMAC key that lets the server drop unauthenticated control-channel packets before any TLS processing, so every client needs a copy too:

```bash
openvpn --genkey --secret /etc/openvpn/ta.key
```
  9. Put the server certificates and keys together under /etc/openvpn/ so they are easy to manage and reference. `openvpn@server.service` runs with /etc/openvpn as its working directory, which is why server.conf below can use bare file names:

```bash
[root@root openvpn]# cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/
[root@root openvpn]# cp /etc/openvpn/easy-rsa/pki/private/server.key /etc/openvpn/
[root@root openvpn]# cp /etc/openvpn/easy-rsa/pki/issued/server.crt /etc/openvpn/
[root@root openvpn]# cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/
[root@root openvpn]# ls -l
total 36
-rw------- 1 root root    1172 Apr  4 12:52 ca.crt
drwxr-x--- 2 root openvpn 4096 Nov  1 20:11 client
-rw------- 1 root root     424 Apr  4 12:52 dh.pem
drwxr-xr-x 4 root root    4096 Apr  4 12:27 easy-rsa
drwxr-x--- 2 root openvpn 4096 Nov  1 20:11 server
-rw------- 1 root root    4547 Apr  4 12:52 server.crt
-rw------- 1 root root    1704 Apr  4 12:52 server.key
-rw------- 1 root root     636 Apr  4 12:50 ta.key
```

Client certificate generation

Generate the key and request. `nopass` leaves test.key unencrypted, which is convenient for an unattended client but means anyone who copies the file can connect; for a person's laptop, omit it so the key is passphrase-protected:

```bash
[root@root easy-rsa]# ./easyrsa gen-req test nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
..................+++
..........+++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-13661.rmfNmd/tmp.mJ9AJb'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Common Name (eg: your user, host, or server name) [test]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/test.req
key: /etc/openvpn/easy-rsa/pki/private/test.key
```

Note the path `/etc/openvpn/easy-rsa/pki/private/test.key`; it is needed below.<br />**Sign**

```bash
# sign the request
[root@root easy-rsa]# ./easyrsa sign-req client test
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 3650 days:
subject=
commonName = test
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-13784.sXpDIp/tmp.XXJ1dH
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'test'
Certificate is to be certified until May 11 09:23:36 2030 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/test.crt
```

The certificate file /etc/openvpn/easy-rsa/pki/issued/test.crt is also needed below.
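Every `sign-req` above ends with "Write out database with 1 new entries": easy-rsa appends a row to `pki/index.txt`, the OpenSSL CA database, and that file is the authoritative record of which certificates this CA has issued. The script below is added here as an example and is not part of the original post or of easy-rsa. It parses that database and reports which certificates the CA still vouches for and which expire soon. The rows are constructed to mirror the server and test certificates signed above plus a revoked and an expired entry; the serial numbers are made up. Revoking a client later is `./easyrsa revoke <name>` followed by `./easyrsa gen-crl`, and the server only honours the revocation if server.conf has `crl-verify` pointing at the resulting `pki/crl.pem`.

```python
"""Report the state of every certificate issued by the easy-rsa CA by parsing the
OpenSSL CA database that 'easyrsa sign-req' updates (pki/index.txt)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample of /etc/openvpn/easy-rsa/pki/index.txt. The first two rows
# mirror the server and test certificates signed above; the revoked and the
# short-lived rows are added to exercise the other states. Serials are made up.
SAMPLE_INDEX = (
    "V\t300402042727Z\t\t8F1C2A0B6D4E5F70A1B2C3D4E5F60718\tunknown\t/CN=server\n"
    "V\t300511092336Z\t\t3C4D5E6F708192A3B4C5D6E7F8091A2B\tunknown\t/CN=test\n"
    "R\t300601120000Z\t210115083000Z,keyCompromise\t0A1B2C3D4E5F60718293A4B5C6D7E8F9\tunknown\t/CN=laptop-old\n"
    "V\t210420000000Z\t\t11223344556677889900AABBCCDDEEFF\tunknown\t/CN=contractor\n"
)


@dataclass(frozen=True)
class CertRecord:
    status: str                   # V valid, R revoked, E expired (as written by openssl ca)
    not_after: datetime
    revoked_at: Optional[datetime]
    reason: Optional[str]         # CRL reason code, if one was given at revocation
    serial: str
    common_name: str


def parse_utctime(value: str) -> datetime:
    """index.txt stores ASN.1 UTCTime (YYMMDDHHMMSSZ); two-digit years below 50 mean 20YY."""
    if len(value) != 13 or not value.endswith("Z"):
        raise ValueError(f"bad UTCTime: {value!r}")
    yy = int(value[0:2])
    year = 2000 + yy if yy < 50 else 1900 + yy
    return datetime(year, int(value[2:4]), int(value[4:6]), int(value[6:8]),
                    int(value[8:10]), int(value[10:12]), tzinfo=timezone.utc)


def parse_index(text: str) -> List[CertRecord]:
    """Fields are tab-separated: status, expiry, revocation[,reason], serial, file, subject."""
    records: List[CertRecord] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        status, expiry, revocation, serial, _filename, subject = fields
        revoked_at = reason = None
        if revocation:
            stamp, _, reason = revocation.partition(",")
            revoked_at, reason = parse_utctime(stamp), (reason or None)
        cn = next((p[3:] for p in subject.split("/") if p.startswith("CN=")), "")
        records.append(CertRecord(status, parse_utctime(expiry), revoked_at, reason, serial, cn))
    return records


def effective_state(rec: CertRecord, now: datetime) -> str:
    """'openssl ca' only flips V to E when 'updatedb' is run, so check expiry ourselves."""
    if rec.status == "R" or rec.revoked_at is not None:
        return "revoked"
    if rec.not_after <= now:
        return "expired"
    return "valid"


def accepted_common_names(records: List[CertRecord], now: datetime) -> List[str]:
    """CNs the server should still accept: valid and not revoked. Revocation only
    takes effect on the OpenVPN server if server.conf has 'crl-verify crl.pem'
    pointing at a CRL regenerated with 'easyrsa gen-crl' after each revoke."""
    return sorted(r.common_name for r in records if effective_state(r, now) == "valid")


def expiring_within(records: List[CertRecord], now: datetime, days: int) -> List[str]:
    """Valid certificates that expire within the given number of days."""
    limit = now + timedelta(days=days)
    return sorted(r.common_name for r in records
                  if effective_state(r, now) == "valid" and r.not_after <= limit)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for rec in parse_index(SAMPLE_INDEX):
        extra = f" revoked {rec.revoked_at:%Y-%m-%d} ({rec.reason})" if rec.revoked_at else ""
        print(f"{effective_state(rec, now):8} {rec.common_name:12} expires {rec.not_after:%Y-%m-%d}{extra}")
```

Run it against the real file with `parse_index(open("/etc/openvpn/easy-rsa/pki/index.txt").read())`. Because `openssl ca` never rewrites a `V` row to `E` on its own, the expiry check in `effective_state` is what tells you a client has silently fallen off; the `reason` field is only present when `easyrsa revoke` was given one.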

Configuration

Main configuration file: /etc/openvpn/server.conf

```bash
[root@root ~]# cat > /etc/openvpn/server.conf <<EOF
local 0.0.0.0
port 1194
proto udp
dev tun
#user openvpn
#group openvpn
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# client address pool
server 192.168.255.0 255.255.255.0
# internal network pushed to clients
push "route 172.16.0.0 255.240.0.0"
ifconfig-pool-persist ipp.txt
# keepalive: ping every 10 s, treat the peer as down after 120 s without a reply
keepalive 10 120
# key direction is 0 on the server, 1 on the client
tls-auth ta.key 0
cipher AES-256-CBC
# compress tunnelled data
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
```

A few points about this file worth knowing before it goes into production:

  1. With `user openvpn` and `group openvpn` commented out the daemon keeps running as root. `persist-key` and `persist-tun` are already set, which is what makes dropping privileges safe across restarts, so the two lines can simply be uncommented.
  2. `comp-lzo` compresses plaintext before it is encrypted; when an attacker can inject known data into the tunnel this leaks secrets (the VORACLE class of attacks). Leave compression off on both sides unless there is a measured need for it.
  3. `cipher AES-256-CBC` is only the fallback for peers without cipher negotiation; two 2.4 peers negotiate AES-256-GCM from the default `ncp-ciphers` list regardless. Setting `cipher AES-256-GCM` removes the CBC fallback.
  4. Nothing here checks revocation, so a client certificate stays usable until it expires even after `./easyrsa revoke`. Add `crl-verify crl.pem` and copy `pki/crl.pem` next to ca.crt after every `./easyrsa gen-crl`.
  5. `local 0.0.0.0` listens on every interface; narrow it to the public address if the host has more than one.


Open the port

server.conf uses `proto udp`, so only the UDP rule is needed; a matching TCP rule would open a port nothing listens on.

  1. firewall-cmd --zone=public --add-port=1194/udp --permanent
  2. firewall-cmd --reload

Start the service

  1. systemctl start openvpn@server
  2. systemctl enable openvpn@server

Enable kernel IP forwarding

The first command takes effect immediately (`conf/all/forwarding` is the same knob as `ip_forward`); the second makes it survive a reboot.

  1. echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
  2. echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf

Forwarding only moves packets from the tunnel onto the internal network. For replies to come back, hosts in 172.16.0.0/12 need a route to 192.168.255.0/24 via this server, or the server must masquerade the VPN subnet (`firewall-cmd --zone=public --add-masquerade --permanent`, then reload).

Client configuration file

Create the client configuration file /etc/openvpn/client/test.conf:

```bash
client
dev tun
proto udp
remote XX.XX.XX.XX 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
# CA certificate
ca ca.crt
# client certificate
cert test.crt
# client private key
key test.key
# tls-auth key
tla-auth placeholder removed
```

Start the client service

  1. systemctl start openvpn-client@test.service
  2. systemctl enable openvpn-client@test.service

References:
Basic installation:
https://blog.dianduidian.com/post/openvpn-server%E6%90%AD%E5%BB%BA%E5%B9%B6%E4%BD%BF%E7%94%A8%E5%AE%A2%E6%88%B7%E7%AB%AF%E8%AF%81%E4%B9%A6%E8%AE%A4%E8%AF%81/

Further tuning:
https://luanlengli.github.io/2019/11/25/CentOS7%E9%83%A8%E7%BD%B2OpenVPN%E5%AE%9E%E7%8E%B0%E5%86%85%E7%BD%91%E4%BA%92%E9%80%9A.html