I. Introduction

Environment used for the examples in this article

  1. Operating system: CentOS Linux release 7

II. Installing OpenVPN

  1. Enable the EPEL repository, then install OpenVPN and easy-rsa (the CA tooling used below)
    yum install epel-release
    yum install -y openvpn easy-rsa
    

III. Configuration

1. Generate the OpenVPN keys and certificates
# The version directory depends on the installed easy-rsa package (3.0.8 at the time of writing); check "ls /usr/share/easy-rsa" first.
cp -rf /usr/share/easy-rsa/3.0.8 /etc/openvpn/server/easy-rsa
cd /etc/openvpn/server/easy-rsa
./easyrsa init-pki
# "nopass" leaves the CA private key (pki/private/ca.key) unencrypted. Acceptable for a lab;
# for anything else set a passphrase and keep the CA off the VPN server, since whoever holds
# ca.key can mint client certificates that this server will accept.
./easyrsa build-ca nopass
# The server certificate gets the TLS server EKU that "remote-cert-tls server" checks on the client.
./easyrsa build-server-full server nopass
# One certificate per client device, so a single lost laptop can be revoked on its own.
./easyrsa build-client-full client1 nopass
./easyrsa build-client-full client2 nopass
./easyrsa gen-dh
# Shared HMAC key for tls-auth (OpenVPN 2.5 and later spell this "openvpn --genkey secret ta.key").
openvpn --genkey --secret ta.key
2. Where the files end up
# ta.key
/etc/openvpn/server/easy-rsa/
# ca.crt (dh.pem is here too)
/etc/openvpn/server/easy-rsa/pki
# client1.crt (server.crt is here too)
/etc/openvpn/server/easy-rsa/pki/issued
# client1.key (server.key and ca.key are here too; keep this directory readable by root only)
/etc/openvpn/server/easy-rsa/pki/private
3. Edit the OpenVPN server configuration file

Open the server.conf file

vim /etc/openvpn/server/server.conf

Paste in the following content

#################################################
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################
port 1194
# TCP gets through restrictive networks more easily but stacks TCP on TCP;
# prefer "proto udp" (with "proto udp" on the client as well) where you can.
proto tcp-server
## Enable the management interface
# management-client-auth
# management localhost 7505 /etc/openvpn/user/management-file
dev tun     # TUN/TAP virtual network device
# Drop root privileges once initialisation is done (persist-key/persist-tun
# below let the process survive restarts after it can no longer re-read keys).
user openvpn
group openvpn
ca /etc/openvpn/server/easy-rsa/pki/ca.crt
cert /etc/openvpn/server/easy-rsa/pki/issued/server.crt
key /etc/openvpn/server/easy-rsa/pki/private/server.key
dh /etc/openvpn/server/easy-rsa/pki/dh.pem
# Key direction 0 here and 1 on every client; the same number on both sides breaks the handshake.
tls-auth /etc/openvpn/server/easy-rsa/ta.key 0
## System user authentication (PAM) on top of certificates.
# plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login

# client-cert-not-required is deprecated; its replacement would be "verify-client-cert none".
# We want the opposite: every client must present a certificate issued by our CA
# ("require" is the default, stated explicitly here so the intent is visible).
verify-client-cert require
## Let connected clients reach each other over the VPN.
client-to-client
## Allow several concurrent connections with the same certificate CN.
## Convenient for testing, but it removes per-device accountability and lets a leaked
## client certificate be used from many places at once; issue one cert per device instead.
duplicate-cn
# client-config-dir /etc/openvpn/server/ccd
# ifconfig-pool-persist ipp.txt
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 1.1.1.1"
# Route to the LAN behind the server; adjust to your network.
push "route 10.93.0.0 255.255.255.0"
# comp-lzo is DEPRECATED and will be removed in a future OpenVPN release; "compress" replaces it.
# Compression must be configured identically on both sides. Compressing VPN traffic is a
# known plaintext-recovery oracle (VORACLE); production setups leave it out on both ends.
compress lzo
# cipher AES-256-CBC
# Data-channel cipher negotiation (renamed data-ciphers in OpenVPN 2.5; ncp-ciphers still works).
ncp-ciphers "AES-256-GCM:AES-128-GCM"
## Only valid with proto udp: tell the peer when the tunnel is restarted or the process exits.
# explicit-exit-notify 1
keepalive 10 120
persist-key
persist-tun
verb 3
# "log" truncates the file at every start, "log-append" keeps history; use one, not both.
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log
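The server file above and the client.ovpn in section VI have to agree on three things (transport, tls-auth key direction, compression) or the tunnel authenticates but never passes traffic, and several of the server settings are ones a security review would flag. The following script is added here as an example; it is not from the article, OpenVPN or easy-rsa. It lints a server.conf/client.ovpn pair for those mismatches and prints FAIL/WARN lines; the check list, the message wording and the function names are this example's own, it only reads the files, and the sample configs in the usage below are constructed.

```shell
#!/bin/sh
# check_ovpn_pair.sh -- example added to this article; not part of OpenVPN or easy-rsa.
# Reads a server.conf and the client .ovpn meant to talk to it and prints
#   FAIL: <mismatch that stops the tunnel from passing traffic>
#   WARN: <setting a security review would raise>
# Function and message names are this example's own. Nothing is modified.
#   usage: sh check_ovpn_pair.sh /etc/openvpn/server/server.conf client1.ovpn

# Value of the first uncommented DIRECTIVE in FILE, inline comment stripped ("" if absent).
ovpn_get() {
    grep -E "^[[:space:]]*$2([[:space:]]|\$)" "$1" 2>/dev/null | head -n 1 \
        | sed -E "s/^[[:space:]]*$2[[:space:]]*//; s/[[:space:]]*[#;].*//"
}

# Succeeds if DIRECTIVE appears uncommented in FILE.
ovpn_has() {
    grep -qE "^[[:space:]]*$2([[:space:]]|\$)" "$1" 2>/dev/null
}

# tls-auth key direction: trailing 0/1 on the tls-auth line, else a separate key-direction line.
key_direction() {
    kd=$(ovpn_get "$1" tls-auth | awk '{print $NF}')
    case "$kd" in
        0|1) ;;
        *) kd=$(ovpn_get "$1" key-direction) ;;
    esac
    printf '%s' "$kd"
}

# check_pair SERVER.conf CLIENT.ovpn
check_pair() {
    srv=$1; cli=$2

    # 1. Transport: tcp-server pairs with tcp-client (or plain tcp), udp with udp.
    sproto=$(ovpn_get "$srv" proto | sed 's/-server$//'); sproto=${sproto:-udp}
    cproto=$(ovpn_get "$cli" proto | sed 's/-client$//'); cproto=${cproto:-udp}
    [ "$sproto" = "$cproto" ] || echo "FAIL: proto mismatch (server=$sproto client=$cproto)"

    # 2. tls-auth: server direction 0, client 1. The same value on both sides means each
    #    side HMACs with the key the other one does not expect, so no packet is accepted.
    if ovpn_has "$srv" tls-auth || ovpn_has "$cli" tls-auth; then
        sdir=$(key_direction "$srv"); cdir=$(key_direction "$cli")
        [ "$sdir" = 0 ] && [ "$cdir" = 1 ] \
            || echo "FAIL: tls-auth key direction must be 0 on the server and 1 on the client (got $sdir/$cdir)"
    fi

    # 3. Compression framing must be enabled on both sides or on neither.
    scomp=0; ccomp=0
    if ovpn_has "$srv" compress || ovpn_has "$srv" comp-lzo; then scomp=1; fi
    if ovpn_has "$cli" compress || ovpn_has "$cli" comp-lzo; then ccomp=1; fi
    [ "$scomp" = "$ccomp" ] || echo "FAIL: compression on one side only (server=$scomp client=$ccomp)"
    [ "$scomp" = 1 ] && echo "WARN: compression is enabled; compressed VPN traffic is a plaintext-recovery oracle (VORACLE), remove it on both sides"

    # 4. Without remote-cert-tls server, any certificate from the same CA (another client's) passes as the server.
    [ "$(ovpn_get "$cli" remote-cert-tls)" = server ] \
        || echo "WARN: client lacks 'remote-cert-tls server'; a stolen client certificate could impersonate the server"

    # 5. Server-side settings a review would raise.
    ovpn_has "$srv" user  || echo "WARN: no 'user' directive; openvpn keeps running as root"
    ovpn_has "$srv" group || echo "WARN: no 'group' directive"
    ovpn_has "$srv" duplicate-cn && echo "WARN: duplicate-cn lets one leaked client certificate be used from many places at once"
    ovpn_has "$srv" tls-version-min || echo "WARN: no tls-version-min; OpenVPN 2.4 still accepts TLS 1.0 (set 'tls-version-min 1.2')"
    ovpn_has "$srv" crl-verify || echo "WARN: no crl-verify; a certificate revoked with 'easyrsa revoke' is still accepted"
    return 0
}

if [ $# -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

Run against the article's own pair it reports no FAIL but four WARN lines (compression, duplicate-cn, tls-version-min, crl-verify); flip the client's tls-auth direction to 0 or its proto to udp and the corresponding FAIL appears, which is exactly the class of mistake that otherwise shows up only as a silent "connected, no traffic" tunnel.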

IV. Starting the OpenVPN server

cd /etc/openvpn/server  ; openvpn  --config /etc/openvpn/server/server.conf --daemon

The cd matters: relative paths in server.conf (ipp.txt, a ccd directory) resolve against the working directory. Starting by hand like this is fine for testing; for a service that comes back after a reboot use the openvpn-server@.service template unit that the EPEL package installs, which runs /etc/openvpn/server/<instance>.conf from that same directory.

V. Firewall configuration

  1. Enable IP forwarding in the kernel (sysctl -w takes effect immediately but is lost at reboot; put the same setting in a file under /etc/sysctl.d/ to make it persistent)

    sysctl -w net.ipv4.ip_forward=1
    
  2. Configure NAT with firewalld (which manages the iptables rules on CentOS 7): masquerade VPN client traffic leaving the server and open the listening port. The port and protocol must match server.conf, here 1194/tcp; opening 1194/udp for a tcp-server config is a common silent failure.

    firewall-cmd --permanent --add-masquerade
    firewall-cmd --permanent --add-port=1194/tcp
    firewall-cmd --reload
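Sections IV and V as one script that survives a reboot and keeps the firewall in step with the configuration. This is an added example, not from the article or from the OpenVPN, firewalld or CentOS projects: it assumes CentOS 7 with the EPEL openvpn package (whose openvpn-server@.service unit runs /etc/openvpn/server/<name>.conf) and firewalld, and the function names, the sysctl.d file name and the trusted-zone step for tun0 are this example's choices. The port/protocol parser is the part that runs without root; the configs in the usage below are constructed.

```shell
#!/bin/sh
# enable_vpn_gateway.sh -- example added to this article; not part of OpenVPN, firewalld or CentOS.
# Does sections IV and V in a form that survives a reboot, and derives the firewall
# port from server.conf so the opened port cannot drift from what OpenVPN listens on
# (opening 1194/udp for a "proto tcp-server" config is a common silent failure).
# Assumes CentOS 7 with the EPEL openvpn package (its openvpn-server@.service unit
# runs /etc/openvpn/server/<name>.conf) and firewalld; function names are this example's own.
#   usage (as root): sh enable_vpn_gateway.sh /etc/openvpn/server/server.conf

# "PORT/PROTO" from the first uncommented port/proto directives; OpenVPN's defaults are 1194/udp.
# "tcp-server", "tcp6", "udp4" all reduce to the transport name firewalld wants.
firewall_port_for_conf() {
    port=$(sed -nE 's/^[[:space:]]*port[[:space:]]+([0-9]+).*/\1/p' "$1" | head -n 1)
    proto=$(sed -nE 's/^[[:space:]]*proto[[:space:]]+([a-z]+).*/\1/p' "$1" | head -n 1)
    printf '%s/%s' "${port:-1194}" "${proto:-udp}"
}

# sysctl -w is lost at reboot; a sysctl.d drop-in is re-applied at every boot.
enable_forwarding() {
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-openvpn-forward.conf
    sysctl -p /etc/sysctl.d/99-openvpn-forward.conf
}

# Open exactly the port server.conf uses, masquerade client traffic leaving the server,
# and put the tunnel interface in the trusted zone so tun0 <-> LAN forwarding is
# accepted whatever the default zone is.
configure_firewall() {
    firewall-cmd --permanent --add-port="$(firewall_port_for_conf "$1")"
    firewall-cmd --permanent --add-masquerade
    firewall-cmd --permanent --zone=trusted --add-interface=tun0
    firewall-cmd --reload
}

# Start through the package's template unit (instance = config name without .conf)
# instead of a bare "openvpn --daemon", then confirm the listener is really there.
start_server() {
    name=$(basename "$1" .conf)
    spec=$(firewall_port_for_conf "$1"); port=${spec%/*}; proto=${spec#*/}
    mkdir -p /var/log/openvpn               # server.conf writes its log and status file here
    systemctl enable --now "openvpn-server@$name"
    sleep 1
    ss -lntup | grep -E "^$proto[[:space:]].*:$port[[:space:]]" >/dev/null \
        || { echo "openvpn is not listening on $spec; see /var/log/openvpn/$name.log" >&2; return 1; }
}

if [ $# -eq 1 ]; then
    enable_forwarding
    configure_firewall "$1"
    start_server "$1"
fi
```

If the final check fails, the usual causes are a path in server.conf that the openvpn user cannot read after the privilege drop, or a port already held by another process; both are visible in the log file the message points at.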
    

VI. Client setup

Copy the generated ca.crt, client1.crt, client1.key and ta.key from the server to the client over a secure channel (scp or similar; client1.key and ta.key are secrets, and each device should get its own clientN certificate rather than a copy of client1). The client configuration, C:\Program Files\OpenVPN\config\client.ovpn, is:

client
# Must match the server's "proto tcp-server".
proto tcp-client
dev tun
remote SERVER_IP 1194   # replace SERVER_IP with the server's public IP address or DNS name
ca ca.crt
cert client1.crt
key client1.key
# Key direction 1 on the client; the server uses 0.
tls-auth ta.key 1
# Only accept a server certificate carrying the TLS server EKU (as built by "easyrsa build-server-full"),
# so another client's certificate from the same CA cannot impersonate the server.
remote-cert-tls server
# Do not cache a username/password in memory (relevant if PAM auth is enabled on the server).
auth-nocache
persist-tun
persist-key
# Must match the server; drop it on both sides if compression is removed there.
compress lzo
verb 4
mute 10
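Instead of copying four separate files (the locations listed in section III.2) and referencing them by path, the usual practice is to hand the client a single profile with the certificates and keys inline. The script below is an added example and not an OpenVPN or easy-rsa tool: it builds such a profile from the article's easy-rsa layout, using OpenVPN's inline <ca>/<cert>/<key>/<tls-auth> blocks and key-direction 1 in place of "tls-auth ta.key 1". The function names are this example's own, nobind is added on top of the article's client settings, and the fake PEM files in the usage below are constructed.

```shell
#!/bin/sh
# make_client_profile.sh -- example added to this article; not an OpenVPN or easy-rsa tool.
# Bundles the four files the article says to copy (ca.crt, clientN.crt, clientN.key,
# ta.key) into one self-contained clientN.ovpn using OpenVPN's inline <ca>/<cert>/
# <key>/<tls-auth> blocks, so a single file leaves the server and nothing has to be
# referenced by path on the client. Defaults assume the article's layout under
# /etc/openvpn/server/easy-rsa; function names are this example's own.
#   usage: umask 077; sh make_client_profile.sh client1 vpn.example.com > client1.ovpn
#   The output contains the client's private key: create it with a restrictive umask
#   and move it to the client over scp or similar, never over plain HTTP or e-mail.

# Print only the PEM block of a certificate file; easy-rsa's issued/*.crt files carry a
# human-readable dump above the PEM that OpenVPN tolerates but does not need.
pem_only() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

# make_client_profile NAME HOST [EASYRSA_DIR] -> profile on stdout; returns 1 if a file is missing
make_client_profile() {
    name=$1; host=$2; pki=${3:-/etc/openvpn/server/easy-rsa}
    for f in "$pki/pki/ca.crt" "$pki/pki/issued/$name.crt" \
             "$pki/pki/private/$name.key" "$pki/ta.key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    cat <<EOF
client
proto tcp-client
dev tun
remote $host 1194
nobind
# Pin the server role: only a certificate with the TLS server EKU is accepted as the server.
remote-cert-tls server
auth-nocache
persist-tun
persist-key
# Matches the article's server.conf; delete it on both sides if compression is dropped there.
compress lzo
verb 4
mute 10
# With the key inline, key-direction carries the "1" that "tls-auth ta.key 1" used to.
key-direction 1
<ca>
$(pem_only "$pki/pki/ca.crt")
</ca>
<cert>
$(pem_only "$pki/pki/issued/$name.crt")
</cert>
<key>
$(cat "$pki/pki/private/$name.key")
</key>
<tls-auth>
$(cat "$pki/ta.key")
</tls-auth>
EOF
}

if [ $# -ge 2 ]; then
    make_client_profile "$@"
fi
```

On the Windows client the resulting file goes into C:\Program Files\OpenVPN\config\ on its own; the per-device name (client1, client2, ...) is what you later hand to "easyrsa revoke" if that device is lost.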