I. Introduction
Example environment for this article:
- Operating system: CentOS Linux release 7
II. Installing OpenVPN
- Enable the EPEL repository, then install OpenVPN and easy-rsa (two separate commands):
yum install -y epel-release
yum install -y openvpn easy-rsa
III. Configuration
1. Generate the OpenVPN keys and certificates
Copy the easy-rsa 3 scripts into the server directory and build the PKI. The version directory (3.0.8 here) depends on the installed easy-rsa package; check /usr/share/easy-rsa/ first.
cp -rf /usr/share/easy-rsa/3.0.8 /etc/openvpn/server/easy-rsa
cd /etc/openvpn/server/easy-rsa
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa build-server-full server nopass
./easyrsa build-client-full client1 nopass
./easyrsa build-client-full client2 nopass
./easyrsa gen-dh
openvpn --genkey --secret ta.key
`nopass` leaves the CA key and every issued key unencrypted on disk. The CA key is what signs every client certificate, so outside a lab keep it off the VPN server (or drop `nopass` from `build-ca` so it is passphrase-protected). `build-server-full` issues the server certificate with the TLS Web Server Authentication extended key usage, which is what the client's `remote-cert-tls server` directive later checks; do not issue the server certificate with `build-client-full`.
2. Certificate locations
# ta.key
/etc/openvpn/server/easy-rsa/
# ca.crt
/etc/openvpn/server/easy-rsa/pki
# client1.crt
/etc/openvpn/server/easy-rsa/pki/issued
# client1.key
/etc/openvpn/server/easy-rsa/pki/private
3. Edit the OpenVPN server configuration file
Open server.conf:
vim /etc/openvpn/server/server.conf
and paste the following:
#################################################
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration. #
# #
# Comments are preceded with '#' or ';' #
#################################################
port 1194
proto tcp-server # UDP is the usual choice; tcp-server matches the client's tcp-client below
## Enable the management interface
# management-client-auth
# management localhost 7505 /etc/openvpn/user/management-file
dev tun # TUN/TAP virtual network device
user openvpn
group openvpn
ca /etc/openvpn/server/easy-rsa/pki/ca.crt
cert /etc/openvpn/server/easy-rsa/pki/issued/server.crt
key /etc/openvpn/server/easy-rsa/pki/private/server.key
dh /etc/openvpn/server/easy-rsa/pki/dh.pem
tls-auth /etc/openvpn/server/easy-rsa/ta.key 0
## System user authentication via PAM. Leave commented unless a username/password check is wanted in addition to the certificate.
# plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
# client-cert-not-required # deprecated; replaced by verify-client-cert
verify-client-cert require
## Let connected clients reach each other over the VPN. Omit this if clients should only see the server and the pushed routes.
client-to-client
## Allow several clients with the same common name to connect at once.
## With this, one certificate can be shared, so a single client can no longer be revoked on its own; prefer one certificate per client (client1, client2 above).
duplicate-cn
# client-config-dir /etc/openvpn/server/ccd
# ifconfig-pool-persist ipp.txt
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 1.1.1.1"
push "route 10.93.0.0 255.255.255.0"
# comp-lzo is deprecated and will be removed in a future OpenVPN release; the newer --compress replaces it.
# Compression of traffic an attacker can partly control leaks plaintext (VORACLE), so outside a lab remove this line on both server and client.
compress lzo
# Fallback cipher for clients that do not negotiate. Without it OpenVPN 2.4 falls back to BF-CBC, a 64-bit block cipher (SWEET32); uncomment to avoid that.
# cipher AES-256-CBC
ncp-ciphers "AES-256-GCM:AES-128-GCM"
## In UDP client mode or point-to-point mode, send server/peer an exit notification if tunnel is restarted or OpenVPN process is exited.
# explicit-exit-notify 1
keepalive 10 120
persist-key
persist-tun
verb 3
# log-append keeps the log across restarts; log (which truncates the file on every start) is not needed as well.
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log
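The server.conf above works, but several of its lines are the ones a security review flags. The following linter is an added example for this article, not part of the page or of OpenVPN; it parses a config the way OpenVPN does (a `#` or `;` at the start of a token begins a comment, quoted arguments are unquoted) and reports the weak settings. Both configs embedded in it are constructed: the first is the article's server.conf reduced to the relevant directives, the second is a hardened variant with the same layout (the `crl-verify` path and `proto udp` in it are assumptions, not from the page).

```python
"""Lint an OpenVPN server.conf for the settings a security reviewer would flag."""
import re
import shlex

# Constructed sample: the server.conf from this article, minus pushes and logging.
SAMPLE_SERVER_CONF = """\
port 1194
proto tcp-server
dev tun # TUN/TAP virtual network device
user openvpn
group openvpn
ca /etc/openvpn/server/easy-rsa/pki/ca.crt
cert /etc/openvpn/server/easy-rsa/pki/issued/server.crt
key /etc/openvpn/server/easy-rsa/pki/private/server.key
dh /etc/openvpn/server/easy-rsa/pki/dh.pem
tls-auth /etc/openvpn/server/easy-rsa/ta.key 0
verify-client-cert
client-to-client
duplicate-cn
server 10.8.0.0 255.255.255.0
compress lzo
# cipher AES-256-CBC
ncp-ciphers "AES-256-GCM:AES-128-GCM"
"""

# Constructed hardened variant (assumed crl path): the flagged settings corrected.
HARDENED_SERVER_CONF = """\
port 1194
proto udp
dev tun
user openvpn
group openvpn
ca /etc/openvpn/server/easy-rsa/pki/ca.crt
cert /etc/openvpn/server/easy-rsa/pki/issued/server.crt
key /etc/openvpn/server/easy-rsa/pki/private/server.key
dh /etc/openvpn/server/easy-rsa/pki/dh.pem
crl-verify /etc/openvpn/server/easy-rsa/pki/crl.pem
tls-auth /etc/openvpn/server/easy-rsa/ta.key 0
tls-version-min 1.2
verify-client-cert require
server 10.8.0.0 255.255.255.0
cipher AES-256-GCM
ncp-ciphers "AES-256-GCM:AES-128-GCM"
"""


def parse_conf(text):
    """Return (directive, args) pairs. A '#' or ';' at the start of a token begins
    a comment, as in OpenVPN's own parser; quoted arguments are unquoted."""
    directives = []
    for raw in text.splitlines():
        line = re.split(r"(?:^|\s)[#;]", raw, maxsplit=1)[0].strip()
        if line:
            parts = shlex.split(line)
            directives.append((parts[0], parts[1:]))
    return directives


def lint_server_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_conf(text)
    names = {d for d, _ in conf}
    args = {d: a for d, a in conf}  # last occurrence wins, as OpenVPN does
    findings = []
    if names & {"compress", "comp-lzo"}:
        findings.append("compression: plaintext can be recovered by VORACLE-style attacks; remove compress/comp-lzo on both ends")
    if "duplicate-cn" in names:
        findings.append("duplicate-cn: a shared certificate cannot be revoked for one user without cutting off the others")
    if "client-to-client" in names:
        findings.append("client-to-client: every client can reach every other client through the tunnel")
    if "crl-verify" not in names:
        findings.append("crl-verify missing: revoked client certificates are still accepted")
    if "tls-version-min" not in names:
        findings.append("tls-version-min missing: control channel still accepts TLS 1.0/1.1")
    if "cipher" not in names:
        findings.append("cipher missing: non-NCP clients fall back to OpenVPN 2.4's default BF-CBC (64-bit blocks, SWEET32)")
    if not names & {"tls-auth", "tls-crypt"}:
        findings.append("tls-auth/tls-crypt missing: control channel accepts unauthenticated packets")
    if not {"user", "group"} <= names:
        findings.append("user/group missing: the daemon keeps root after startup")
    # A bare 'verify-client-cert' (no argument) means 'require', as does omitting it.
    if (args.get("verify-client-cert") or ["require"])[0] != "require":
        findings.append("verify-client-cert is not 'require': clients may connect without a certificate")
    return findings


if __name__ == "__main__":
    for finding in lint_server_conf(SAMPLE_SERVER_CONF):
        print("-", finding)
    print("hardened:", lint_server_conf(HARDENED_SERVER_CONF))
```

Run against the article's config it reports six findings (compression, duplicate-cn, client-to-client, and the missing crl-verify, tls-version-min and cipher lines); against the hardened variant it reports none. `crl-verify` only helps if a CRL is actually generated and refreshed (`./easyrsa revoke <name>` followed by `./easyrsa gen-crl` in the easy-rsa directory), which is the step that makes per-client certificates worth more than `duplicate-cn`.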
IV. Start the OpenVPN server
cd /etc/openvpn/server ; openvpn --config /etc/openvpn/server/server.conf --daemon
Make sure /var/log/openvpn exists and is writable by the openvpn user before starting, since the status file is rewritten after privileges are dropped. The EPEL package also ships a systemd unit that reads /etc/openvpn/server/<name>.conf, so `systemctl enable --now openvpn-server@server` is the equivalent for a service that survives reboots.
V. Firewall configuration
- Enable kernel IP forwarding
sysctl -w net.ipv4.ip_forward=1
This setting does not survive a reboot; also put `net.ipv4.ip_forward = 1` in a file under /etc/sysctl.d/.
- Configure NAT (on CentOS 7 firewalld manages the iptables rules)
firewall-cmd --permanent --add-masquerade
firewall-cmd --permanent --add-port=1194/tcp
firewall-cmd --reload
VI. Client setup
Copy the ca.crt, client1.crt, client1.key and ta.key files generated on the server to the client. client1.key is the client's private key and ta.key is shared by everyone on the VPN, so transfer them over an authenticated channel (scp, for example), never over plain e-mail or HTTP. The client configuration, C:\Program Files\OpenVPN\config\client.ovpn, is as follows:
client
proto tcp-client
dev tun
remote <server IP> 1194 # replace <server IP> with the server's address
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
remote-cert-tls server # reject a peer whose certificate lacks the server extended key usage, i.e. another client's cert
auth-nocache
persist-tun
persist-key
compress lzo # must match the server; remove on both sides if compression is dropped there
verb 4
mute 10
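Distributing four separate files per client is error-prone; OpenVPN accepts the same material inline in the .ovpn as `<ca>`, `<cert>`, `<key>` and `<tls-auth>` blocks, with `key-direction 1` standing in for the `1` in `tls-auth ta.key 1`. The following builder is an added example for this article, not part of the page or of OpenVPN. The PEM strings in it are constructed placeholders for the files easyrsa wrote on the server, and 203.0.113.10 is a TEST-NET-3 address standing in for the real server IP; the helper names are this example's own.

```python
"""Build a single-file OpenVPN client profile (client.ovpn) with inline credentials."""
import textwrap

# Constructed placeholders standing in for the PEM files easyrsa wrote on the server
# (pki/ca.crt, pki/issued/client1.crt, pki/private/client1.key) and ta.key.
# In real use read those files; the base64 bodies here are not valid keys.
CA_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...ca...\n-----END CERTIFICATE-----\n"
CLIENT_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...client1...\n-----END CERTIFICATE-----\n"
CLIENT_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMIIE...client1...\n-----END PRIVATE KEY-----\n"
TA_KEY = "-----BEGIN OpenVPN Static key V1-----\n0123456789abcdef\n-----END OpenVPN Static key V1-----\n"

# What each inline tag must contain; "PRIVATE KEY" also matches "RSA PRIVATE KEY".
PEM_MARKERS = {"ca": "CERTIFICATE", "cert": "CERTIFICATE",
               "key": "PRIVATE KEY", "tls-auth": "OpenVPN Static key V1"}


def check_pem(tag, data):
    """Return the PEM text normalised to one trailing newline, or raise ValueError
    if it is not the kind of block the tag expects. This catches a CA cert pasted
    as the key, or ta.key pasted as the CA, before the profile is shipped."""
    marker = PEM_MARKERS[tag]
    lines = data.strip().splitlines()
    if (len(lines) < 3 or not lines[0].startswith("-----BEGIN") or marker not in lines[0]
            or not lines[-1].startswith("-----END") or marker not in lines[-1]):
        raise ValueError("%s: expected a %s PEM block" % (tag, marker))
    return "\n".join(lines) + "\n"


def pem_ok(tag, data):
    """Boolean form of check_pem for callers that only want a yes/no answer."""
    try:
        check_pem(tag, data)
        return True
    except ValueError:
        return False


def build_client_profile(server_ip, ca, cert, key, ta, port=1194, proto="tcp-client"):
    """Return client.ovpn text mirroring the article's client config, with ca/cert/key
    and ta.key carried inline. 'key-direction 1' replaces 'tls-auth ta.key 1': the
    inline <tls-auth> block has no filename to attach the direction to."""
    head = textwrap.dedent("""\
        client
        proto {proto}
        dev tun
        remote {server_ip} {port}
        remote-cert-tls server
        key-direction 1
        auth-nocache
        persist-tun
        persist-key
        # compress lzo must match the server; remove on both sides if dropped there
        compress lzo
        verb 4
        mute 10
        """).format(proto=proto, server_ip=server_ip, port=port)
    inline = ""
    for tag, data in (("ca", ca), ("cert", cert), ("key", key), ("tls-auth", ta)):
        inline += "<%s>\n%s</%s>\n" % (tag, check_pem(tag, data), tag)
    return head + inline


def example_profile():
    """Profile for the constructed credentials above and a TEST-NET-3 server address."""
    return build_client_profile("203.0.113.10", CA_PEM, CLIENT_CERT_PEM, CLIENT_KEY_PEM, TA_KEY)


if __name__ == "__main__":
    print(example_profile())
```

Generate one profile per client (client1, client2) from that client's own certificate and key, and treat the resulting .ovpn as a secret: it now carries the private key and ta.key in clear text, which is why `auth-nocache` and a per-client certificate matter more, not less, with inline profiles.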