1.安装依赖包
[root@les-net01 ~]# yum -y install epel-release
[root@les-net01 ~]# yum -y install openvpn unzip wget lrzsz
2.下载openvpn并解压
[root@les-net01 ~]# mkdir -p /home/download/openvpn
[root@les-net01 ~]# cd /home/download/openvpn/
[root@les-net01 openvpn]# wget https://github.com/OpenVPN/easy-rsa/archive/v3.0.6.zip
[root@les-net01 openvpn]# unzip v3.0.6.zip
[root@les-net01 openvpn]# ls
[root@les-net01 openvpn]# mv easy-rsa-3.0.6/ easy-rsa
3.创建目录和配置变量
[root@les-net01 openvpn]# mkdir -p /etc/openvpn
[root@les-net01 openvpn]# cp -a easy-rsa/ /etc/openvpn/
[root@les-net01 openvpn]# cd /etc/openvpn/easy-rsa/easyrsa3/
[root@les-net01 easyrsa3]# cp vars.example vars
[root@les-net01 easyrsa3]# vim vars
[root@les-net01 easyrsa3]# cat vars | grep set_var | grep -vE '#set_var|# '
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "JiangSu"
set_var EASYRSA_REQ_CITY "NanJing"
set_var EASYRSA_REQ_ORG "abc"
set_var EASYRSA_REQ_EMAIL "xxxx@qq.com"
set_var EASYRSA_REQ_OU "abc tech"
4.初始化根证书
[root@les-net01 easyrsa3]# ./easyrsa init-pki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/easyrsa3/pki
[root@les-net01 easyrsa3]# ./easyrsa build-ca
Enter New CA Key Passphrase: xxxx
Re-Enter New CA Key Passphrase: xxxx
............................
............................
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: xxxx
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
5.创建服务端证书
[root@les-net01 easyrsa3]# ./easyrsa gen-req server nopass
........................
writing new private key to '/etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key.EOhxZmUucy'
........................
Common Name (eg: your user, host, or server name) [server]:xxxx
........................
req: /etc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key
[root@les-net01 easyrsa3]# ./easyrsa sign server server
........................
Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt
[root@les-net01 easyrsa3]# ./easyrsa gen-dh
........................
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem
6.整理key相关文件
[root@les-net01 easyrsa3]# mkdir /etc/openvpn/ca
[root@les-net01 easyrsa3]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /etc/openvpn/ca/
[root@les-net01 easyrsa3]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key /etc/openvpn/ca/
[root@les-net01 easyrsa3]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt /etc/openvpn/ca/
[root@les-net01 easyrsa3]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem /etc/openvpn/ca/
[root@les-net01 easyrsa3]# ls /etc/openvpn/ca/
ca.crt dh.pem server.crt server.key
7.Server配置文件
[root@les-net01 easyrsa3]# mkdir /etc/openvpn/config
[root@les-net01 easyrsa3]# cd /etc/openvpn/config/
[root@les-net01 config]# rpm -ql openvpn |grep server.conf
/usr/share/doc/openvpn-2.4.7/sample/sample-config-files/roadwarrior-server.conf
/usr/share/doc/openvpn-2.4.7/sample/sample-config-files/server.conf
/usr/share/doc/openvpn-2.4.7/sample/sample-config-files/xinetd-server-config
[root@les-net01 config]# cp /usr/share/doc/openvpn-2.4.7/sample/sample-config-files/server.conf .
[root@les-net01 config]# grep '^[^#|;]' /etc/openvpn/config/server.conf >> server1.conf
[root@les-net01 config]# mv server.conf server.conf.bak
[root@les-net01 config]# mv server1.conf server.conf
[root@les-net01 config]# cat server.conf
8.server.conf配置说明(根据项目酌情修改)
#监听地址
local 0.0.0.0
# openvpn监听的端口(默认1194)
port 1194
# 采用TCP/UDP协议(默认udp)
proto udp
# 创建openvpn的通信隧道类型(默认tun)
# "dev tun"将会创建一个路由IP隧道,
# "dev tap"将会创建一个以太网隧道。
dev tun
# 设置SSL/TLS根证书(ca)、证书(cert)和私钥(key)。
ca /etc/openvpn/ca/ca.crt
cert /etc/openvpn/ca/server.crt
key /etc/openvpn/ca/server.key # 这个文件应该保密
# 指定迪菲·赫尔曼参数
dh /etc/openvpn/ca/dh.pem
# 设置服务器端模式,并提供一个VPN子网,以便于从中为客户端分配IP地址
server 10.8.0.0 255.255.255.0
push "route 192.168.3.0 255.255.255.0"
# 指定DNS
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 114.114.114.114"
# 客户端之间互相通信
client-to-client
# 传输数据压缩(注意:comp-lzo 在 OpenVPN 2.4 中已被弃用,隧道内启用压缩存在 VORACLE 一类的侧信道风险,非必要建议删除本行)
comp-lzo
# 最多允许 20 客户端连接
max-clients 20
# 用户和用户组
user openvpn
group openvpn
# 指定用于记录客户端和虚拟IP地址的关联关系的文件
ifconfig-pool-persist ipp.txt
# 保活检测:每10秒发送一次ping,120秒内无响应则判定连接断开并重启隧道
keepalive 10 120
# 用户名密码验证
#script-security 3
#auth-user-pass-verify /etc/openvpn/sh/checkpsw.sh via-env
#username-as-common-name
#verify-client-cert none
# 选择一种加密算法
cipher AES-256-CBC
# 持久化选项可以尽量避免访问那些在重启之后由于用户权限降低而无法访问的某些资源
persist-key
persist-tun
# 输出一个简短的状态文件,用于显示当前的连接状态,该文件每分钟都会清空并重写一次
status /var/log/openvpn/openvpn-status.log
# 默认情况下,日志消息将写入syslog中
# "log"方式在每次启动时都会清空之前的日志文件
log /var/log/openvpn/openvpn.log
# 为日志设置适当的详细级别(0~9)。级别越高,输出的信息越详细
verb 3
# 服务端重启或退出时显式通知客户端,以便客户端自动重新连接(仅在 proto udp 下生效)。
explicit-exit-notify 1
9.启动程序(注意:下面的 chown -R openvpn.openvpn /etc/openvpn/* 会把 easy-rsa/easyrsa3/pki/private/ca.key 也交给 openvpn 运行用户;建议只对 /etc/openvpn/ca 和 /etc/openvpn/config 授权,CA 私钥单独保管)
[root@les-net01 config]# mkdir /var/log/openvpn
[root@les-net01 config]# chown -R openvpn.openvpn /var/log/openvpn/
[root@les-net01 config]# chown -R openvpn.openvpn /etc/openvpn/*
[root@les-net01 config]# nohup openvpn /etc/openvpn/config/server.conf &
[1] 2163
10.创建客户端证书(本文在服务器上代替客户端生成私钥;更稳妥的做法是在客户端本机执行 gen-req,只把 .req 文件交给服务器签名,私钥不离开客户端)
[root@les-net01 download]# cd /home/download/
[root@les-net01 download]# mkdir /home/download/client
[root@les-net01 download]# ls
client openvpn
[root@les-net01 download]# cp -a openvpn/easy-rsa/ client/
[root@les-net01 download]# cd client/easy-rsa/easyrsa3/
[root@les-net01 easyrsa3]# ./easyrsa init-pki
.........................
Your newly created PKI dir is: /home/download/client/easy-rsa/easyrsa3/pki
[root@les-net01 easyrsa3]# ./easyrsa gen-req xxxx
.........................
Common Name (eg: your user, host, or server name) [xxxx]:
.........................
req: /home/download/client/easy-rsa/easyrsa3/pki/reqs/xxxx.req
key: /home/download/client/easy-rsa/easyrsa3/pki/private/xxxx.key
11.导入客户端证书
[root@les-net01 easyrsa3]# cd /etc/openvpn/easy-rsa/easyrsa3/
[root@les-net01 easyrsa3]# ./easyrsa import-req /home/download/client/easy-rsa/easyrsa3/pki/reqs/xxxx.req xxxx
.........................
You may now use this name to perform signing operations on this request.
[root@les-net01 easyrsa3]# ./easyrsa sign client xxxx
.........................
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/easyrsa3/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:
.........................
Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/xxxx.crt
12.整理客户端文件
[root@les-net01 easyrsa3]# mkdir /etc/openvpn/client/xxxx
[root@les-net01 easyrsa3]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /etc/openvpn/client/xxxx/
[root@les-net01 easyrsa3]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/xxxx.crt /etc/openvpn/client/xxxx/
[root@les-net01 easyrsa3]# cp /home/download/client/easy-rsa/easyrsa3/pki/private/xxxx.key /etc/openvpn/client/xxxx/
13.Client静态Ip设置
13.1 创建客户端
[root@les-net01 ~]# cd /home/download/client/easy-rsa/easyrsa3/
[root@les-net01 ~]# ./easyrsa gen-req xf
[root@les-net01 ~]# cd /etc/openvpn/easy-rsa/easyrsa3/
[root@les-net01 ~]# ./easyrsa import-req /home/download/client/easy-rsa/easyrsa3/pki/reqs/xf.req xf
[root@les-net01 ~]# ./easyrsa sign client xf
[root@les-net01 ~]# mkdir /etc/openvpn/client/xf
[root@les-net01 ~]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /etc/openvpn/client/xf/
[root@les-net01 ~]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/xf.crt /etc/openvpn/client/xf/
[root@les-net01 ~]# cp /home/download/client/easy-rsa/easyrsa3/pki/private/xf.key /etc/openvpn/client/xf/
13.2 配置IP
[root@les-net01 ~]# cd /etc/openvpn/config/
[root@les-net01 config]# vim server.conf
增加一行
client-config-dir /etc/openvpn/config
[root@les-net01 config]# vim /etc/openvpn/config/xf
设置客户端和服务端IP(成对;该文件名 xf 必须与客户端证书的 Common Name 一致,否则不会生效)
ifconfig-push 10.8.0.26 10.8.0.25
13.3 重启服务端(建议先用 kill -TERM 正常结束进程,kill -9 会跳过 openvpn 的清理动作)
[root@les-net01 config]# ps -ef | grep openvpn
[root@les-net01 config]# kill -9 2433
[root@les-net01 config]# nohup openvpn /etc/openvpn/config/server.conf &
14.其他问题
14.1 Windows 客户端无法连接服务器及其他客户端
检查OpenVPN的IP地址分配是否正确、客户端自身防火墙是否放行(或关闭)、以及系统是否禁用了ping响应