centos安装配置OPEN*PN

安装程序

yum install -y epel-release && yum -y update && yum install -y easy-rsa openvpn 

生成证书密钥

创建PKI

mkdir /etc/openvpn/easy-rsa
cp -r /usr/share/easy-rsa/3.0.8/* /etc/openvpn/easy-rsa/
cd /etc/openvpn/easy-rsa/
./easyrsa init-pki

生成CA证书

 ./easyrsa build-ca

生成过程中需要创建CA密码，密码要记住。
输出：

[root@izwz9idz1lgutvrfidg8inz easy-rsa]#  ./easyrsa build-ca
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Enter New CA Key Passphrase:                      	设置CA密码，下面有用
Re-Enter New CA Key Passphrase:                   	确认密码
Generating RSA private key, 2048 bit long modulus
...........................+++
..+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:openvpnCA    随便输入证书名
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt

为服务器生成证书密钥

server 为证书名称，可以自由替换
nopass 是免密码，避免启动openvpn服务需要输入证书密码

./easyrsa build-server-full  server nopass

输出：

[root@izwz9idz1lgutvrfidg8inz easy-rsa]# ./easyrsa build-server-full  server nopass
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
.................................................+++
.............+++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-14878.omWrcN/tmp.bsrEu4'
-----
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-14878.omWrcN/tmp.VTOMKj
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:      输入刚刚创建CA证书时设置的密码
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Sep 13 15:11:37 2024 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

为客户端生成证书密钥

根据需要的客户端证书数量创建证书，client1为证书名，可自由替换

# 创建名为client1的证书密钥
./easyrsa build-client-full  client1 
#不想客户端需要输入密码可以使用下面命令，建议使用密码
# ./easyrsa build-client-full  client1 nopass

输出：

[root@izwz9idz1lgutvrfidg8inz easy-rsa]# ./easyrsa build-client-full  client1
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
....................+++
........+++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-15014.QOzFN6/tmp.uQz8Xk'
Enter PEM pass phrase:                                      为客户端证书设置密码
Verifying - Enter PEM pass phrase:							确认密码
-----
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-15014.QOzFN6/tmp.YgmEO6
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:  输入刚刚创建CA证书时设置的密码
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client1'
Certificate is to be certified until Sep 13 15:21:24 2024 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

生成Diffie hellman 参数

./easyrsa gen-dh

生成TLS认证密钥

openvpn --genkey --secret ta.key

编辑openvpn服务器配置文件

1.复制配置示例文件

cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf /etc/openvpn/server/server.conf

2.编辑配置文件

vim /etc/openvpn/server/server.conf

我使用的配置：

port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key  
dh /etc/openvpn/easy-rsa/pki/dh.pem
topology subnet
tls-auth  /etc/openvpn/easy-rsa/ta.key 0 
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 223.6.6.6"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.log
verb 3

部分配置解释：

# 监听那个IP
;local a.b.c.d

# 监听那个端口
port 1194

# 监听TCP协议还是udp协议?
proto tcp
;proto udp

# "dev tun"路由
# "dev tap" 桥接模式
;dev tap
dev tun

# 刚刚创建的ca证书的位置
ca /etc/openvpn/easy-rsa/pki/ca.crt
# 刚刚创建的服务器证书的位置
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
#刚刚创建的服务器证书密钥的位置
key /etc/openvpn/easy-rsa/pki/private/server.key  

# 刚刚生成的Diffie hellman 参数文件位置
dh /etc/openvpn/easy-rsa/pki/dh.pem

#客户端连接的服务器网络拓扑方式
#参考链接：https://community.openvpn.net/openvpn/wiki/Topology
;topology subnet

# VPN使用子网，
server 10.8.0.0 255.255.255.0

# 记录客户端使用的虚拟IP地址文件，重启可重新分配给客户端
ifconfig-pool-persist ipp.txt


#设置客户端那些ip段走openvpn通道
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

# 设置客户端所有流量都通过openvpn
push "redirect-gateway def1 bypass-dhcp"

# 配置客户端dns
;push "dhcp-option DNS 223.5.5.5"
;push "dhcp-option DNS 223.6.6.6"

#取消注释则客户端可以互相访问
;client-to-client

#取消注释则一个证书可以多个客户端使用
;duplicate-cn

# 每10秒Ping一次，如果在120秒的时间内没有收到Ping，则假设对端已经掉线
keepalive 10 120

# tls密钥 
tls-auth  /etc/openvpn/easy-rsa/ta.key 0 # This file is secret

# 加密方式，客户端配置需相同
cipher AES-256-CBC


#最大客户端数量
;max-clients 100

#减少openvpn系统权限
user nobody
group nobody

# 重启不重新读取或配置密钥、tun.
persist-key
persist-tun

#状态日志
status openvpn-status.log

# 日志，log每次重启截断，log-append追加
;log         openvpn.log
;log-append  openvpn.log

#日志等级
verb 3

设置NAT及防火墙

禁用防火墙

systemctl stop firewalld
systemctl disable firewalld

关闭selinux

setenforce 0

开启ipv4转发

echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p

安装iptables

yum install iptables-services

设置网卡nat

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE

启动openvpn

设置并启动openvpn

systemctl enable openvpn-server@server
systemctl start openvpn-server@server.service

检查状态

netstat -tlunp  
systemctl status openvpn-server@server

准备客户端文件

复制证书密钥到一个文件夹下

mkdir /etc/openvpn/client/client1
cp /etc/openvpn/easy-rsa/pki/ca.crt  /etc/openvpn/client/client1/
cp /etc/openvpn/easy-rsa/pki/issued/client1.crt /etc/openvpn/client/client1/
cp /etc/openvpn/easy-rsa/pki/private/client1.key  /etc/openvpn/client/client1/
cp /etc/openvpn/easy-rsa/ta.key /etc/openvpn/client/client1/

编辑客户端配置文件

#windows、macOS
vim /etc/openvpn/client/client1/client1.ovpn
#linux
vim /etc/openvpn/client/client1/client1.conf

client
dev tun
proto tcp
remote 111.111.111.111 1194   #修改111.111.111.111为服务器ip地址；1194为openvpn端口
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
verb 3

windos客户端使用

1.下载安装OpenVPN GUI :

• CSDN下载:
  https://download.csdn.net/download/hantaozi/85614329

• 官方下载地址:
  https://openvpn.net/community-downloads/

• 官方github地址:
  https://github.com/OpenVPN/openvpn-gui
  

2.将刚刚服务器上准备的客户端文件夹【/etc/openvpn/client/client1/】复制到客户端【C:\Program Files\OpenVPN\config】目录下面。
3.打开OpenVPN

4.输入client1证书生成时设置的密码即可连接成功

常见问题

连接成功但流量不走openvpn

检查服务器配置文件是否设置了那些流量经过openvpn

 #设置客户端那些ip段走openvpn通道
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

# 设置客户端所有流量都通过openvpn
push "redirect-gateway def1 bypass-dhcp"

TCP: connect to [AF_INET]111.111.111.111:1194 failed: Unknown error

检查端口是否可以访问

telnet 111.111.111.111 1194

检查防火墙设置，可能被iptables阻拦了

#清空iptables规则
iptables -F
#设置nat规则
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE