一、安装
# Install OpenVPN itself and easy-rsa, the PKI tooling used below to create
# the CA, the server/client certificates and the DH parameters.
yum install openvpn
# easy-rsa: certificate tooling (CA, cert signing, gen-dh)
yum install easy-rsa
二、配置
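# Build the OpenVPN PKI with easy-rsa (CA, server/client certs, DH params)
# and generate the tls-auth key. build-ca and both sign steps are
# interactive: build-ca asks you to set a CA passphrase, each sign step
# asks for "yes" and that passphrase. Every cd is guarded so a failed
# directory change cannot make the following steps run somewhere else.
mkdir /opt/easy-rsa
cd /opt/easy-rsa/ || exit 1
# Copy the easy-rsa tree (path is version-specific; adjust to the installed release)
cp -a /usr/share/easy-rsa/3.0.8/* .
# Optional: edit vars to change the certificate defaults
cp /usr/share/doc/easy-rsa/vars.example vars
# Initialize: creates ./pki in the current directory
./easyrsa init-pki
# Create the CA root certificate; prompts for a passphrase that is needed
# again when signing (the CA key signs the server and client certs below)
./easyrsa build-ca
# Server certificate request + private key; nopass = key file not encrypted
./easyrsa gen-req server nopass
# Sign the server request; prompts for "yes" and the CA passphrase
./easyrsa sign server server
# Diffie-Hellman parameters (dh.pem) used for key exchange
./easyrsa gen-dh
# Client certificate request + private key; nopass = key file not encrypted
./easyrsa gen-req client nopass
# Sign the client request; prompts for "yes" and the CA passphrase
./easyrsa sign client client
# Generate the tls-auth key in the server config directory; like the
# private keys under pki/private, ta.key must be kept secret
cd /etc/openvpn/server/ || exit 1
openvpn --genkey --secret ta.key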
1.服务端:
示例配置文件位置
/usr/share/doc/openvpn/sample/sample-config-files
复制配置文件到etc目录
cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server/server.conf
配置文件修改
# 端口 默认 1194
port 1194
# ca证书 配置上面生成的完整路径
ca /opt/easy-rsa/pki/ca.crt
# 服务端公钥位置
cert /opt/easy-rsa/pki/issued/server.crt
# 服务端私钥位置
key /opt/easy-rsa/pki/private/server.key # This file should be kept secret
# Diffie-Hellman参数文件 配置上面生成的完整路径
dh /opt/easy-rsa/pki/dh.pem
# ta.key在/etc/openvpn/server/目录下可以如下配置,否则需要写完整路径
tls-auth ta.key 0 # This file is secret
# 日志文件
log /var/log/openvpn.log
# 代理所有网络
push "redirect-gateway def1 bypass-dhcp"
# DNS解析服务器
push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 8.8.8.8"
# 配置账号密码登录客户端需要ca证书(可选)
script-security 3
auth-user-pass-verify /etc/openvpn/server/auth_check.sh via-env
username-as-common-name
# 不验证客户端证书
# verify-client-cert none
# auth_check.sh (据说openvpn官网提供,可根据实际情况修改; via-env 模式下脚本从环境变量 username/password 读取客户端提交的凭据)
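#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# Invoked by OpenVPN via "auth-user-pass-verify ... via-env":
# the client-supplied credentials arrive in the environment
# variables username and password. Exit status 0 accepts the
# login, any other status rejects it. Passfile lines starting
# with ';' or '#' are ignored.
#
# Both variables are attacker-controlled input: the password is
# never written to the log, and the username is handed to awk
# through ENVIRON instead of being spliced into the awk program
# (the original quoting allowed awk code injection).
###########################################################
PASSFILE="/etc/openvpn/server/password"
LOG_FILE="/etc/openvpn/server/openvpn-password.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")
###########################################################
if [ ! -r "${PASSFILE}" ]; then
  printf '%s\n' "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >>"${LOG_FILE}"
  exit 1
fi

# An empty username can only match empty passfile lines; reject it up front.
if [ -z "${username}" ]; then
  printf '%s\n' "${TIME_STAMP}: User does not exist: username=\"\"." >>"${LOG_FILE}"
  exit 1
fi

# Concatenating "" forces a string comparison, so numeric-looking
# usernames ("0123" vs "123") are not compared as numbers.
CORRECT_PASSWORD=$(awk '!/^;/ && !/^#/ && ($1 "") == (ENVIRON["username"] "") { print $2; exit }' "${PASSFILE}")

if [ -z "${CORRECT_PASSWORD}" ]; then
  printf '%s\n' "${TIME_STAMP}: User does not exist: username=\"${username}\"." >>"${LOG_FILE}"
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  printf '%s\n' "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >>"${LOG_FILE}"
  exit 0
fi

# Log the failed attempt without the submitted password.
printf '%s\n' "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >>"${LOG_FILE}"
exit 1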
2.客户端:
示例配置文件位置
/usr/share/doc/openvpn/sample/sample-config-files
客户端示例配置文件 client.conf (下面是linux端配置修改位置)
cp /usr/share/doc/openvpn/sample/sample-config-files/client.conf /etc/openvpn/client/client.conf
# 下面三个文件需从服务器的 pki 目录下载: ca.crt 在 pki/ 下, client.crt 在 pki/issued/ 下, client.key(私钥) 在 pki/private/ 下
ca ca.crt
cert client.crt
key client.key
# 需服务器下载,ta.key位置/etc/openvpn/server/
tls-auth ta.key 1
# 开启账号密码登录,服务端需要配置验证脚本及开启验证
auth-user-pass
三、启动
服务端:
systemctl start openvpn-server@server
离线安装
一、下载
项目地址:https://github.com/OpenVPN/openvpn
本次安装版本openvpn-2.6.11.tar.gz
二、安装
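# Build and install OpenVPN from the source tarball (offline install).
# Check the tarball's checksum/signature against the release page before
# extracting it; the cd is guarded so a failed extraction does not leave
# configure/make running in the wrong directory.
tar -zxf openvpn-2.6.11.tar.gz
cd openvpn-2.6.11/ || exit 1
./configure
make
# Installs under /usr/local (binary: /usr/local/sbin/openvpn)
make install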
三、配置
配置如上
四、启动
服务端:
/usr/local/sbin/openvpn --cd /etc/openvpn/server/ --daemon --config server.conf
备注:
1.错误:configure: error: libnl-genl-3.0 package not found or too old. Is the development package and pkg-config (/usr/bin/pkg-config) installed? Must be version 3.4.0 or newer for DCO
解决:
yum install libnl3-devel
2.错误:configure: error: libcap-ng package not found. Is the development package and pkg-config (/usr/bin/pkg-config) installed?
解决:
yum install libcap-ng-devel
3.错误:checking additionally if OpenSSL is available and version >= 1.0.2... configure: error: OpenSSL version too old
解决:
yum install openssl-devel
4.错误:configure: error: No compatible LZ4 compression library found. Consider --disable-lz4
解决:
yum install lz4-devel lz4
5.错误:configure: error: lzo enabled but missing
解决:
yum install lzo-devel lzo
6.错误:configure: error: libpam required but missing
解决:
yum install pam-devel
7.错误:configure: error: no acceptable C compiler found in $PATH
解决:
yum install gcc
更换yum源
先备份 /etc/yum.repos.d/ 下的 CentOS-Base.repo, 然后下载aliyun的 (建议优先使用 https 地址下载, 并确认新 repo 文件中 gpgcheck=1)
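# Replace the CentOS base repo with Aliyun's mirror file. Both paths are
# absolute so the step works from any working directory (the original mv
# silently depended on the cwd being /etc/yum.repos.d).
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
# The repo file is fetched over plain http; prefer the mirror's https URL
# and check that the downloaded file keeps gpgcheck enabled.
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
yum clean all
yum makecache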
安装EPEL仓库
yum install epel-release