!!!仅限交流学习!!!
HostName | IP | OS |
---|---|---|
vpnserver | 192.168.163.252 | CentOS7-2009 |
配置阿里云 yum源 && Epel源
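# Point yum at the Aliyun mirrors for CentOS-Base and EPEL. Both URLs are
# HTTPS, so the repo definitions arrive over an authenticated channel; package
# integrity itself still rests on yum's GPG check, so leave gpgcheck=1 in the
# fetched .repo files as-is.
# `-f` makes curl fail on an HTTP error instead of silently writing the error
# page into /etc/yum.repos.d/ as a "repo file" (the original had no -f).
curl -fsSL -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo || exit 1
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo || exit 1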
关闭selinux（不建议：CentOS 7 的 targeted 策略自带 openvpn 模块，按本文的标准 /etc/openvpn 布局保持 enforcing 即可正常运行；见下方说明）
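# Do not disable SELinux on the VPN gateway. CentOS 7's targeted policy ships
# an openvpn module, so the standard /etc/openvpn layout used in this guide
# runs with SELinux enforcing; turning it off removes a mandatory
# access-control layer from an internet-facing host for no benefit.
# Confirm the mode instead of editing /etc/selinux/config (no reboot needed):
getenforce                              # expect: Enforcing
grep '^SELINUX=' /etc/selinux/config    # expect: SELINUX=enforcing
# If OpenVPN is later denied something (non-standard port or path), read the
# denial and fix the label/port type rather than disabling SELinux:
#   ausearch -m AVC -c openvpn -ts recent
#   semanage port -a -t openvpn_port_t -p udp <port>   # only for a non-1194 port
#   (semanage is in the policycoreutils-python package)
# If you really must relax it, prefer permissive (denials are logged, not
# blocked) over disabled; switching between enforcing and permissive does not
# require a reboot:
#   setenforce 0
#   sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config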
安装 Easy-RSA && openvpn
# Install OpenVPN and Easy-RSA 3 from the EPEL repo configured above. The
# packages are GPG-signed; keep gpgcheck on (do not add --nogpgcheck).
yum install -y openvpn easy-rsa
配置EASY-RSA
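# Keep a private working copy of Easy-RSA 3 next to the OpenVPN config.
# The original had a stray `cp -rvf /usr/share/easy-rsa/3` with no
# destination, which only produces an error; dropped.
mkdir -p /etc/openvpn/easy-rsa
# pki/private/ (including the CA key) will live under this tree, so keep the
# whole directory root-only.
chmod 700 /etc/openvpn/easy-rsa
cp -rvf /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa/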
创建相关密钥
初始化PKI目录
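cd /etc/openvpn/easy-rsa/ || exit 1
# Initialise the PKI directory (pki/).
./easyrsa init-pki
# CA key: do NOT use `nopass` here. The CA private key signs every server and
# client certificate; an unencrypted copy on the internet-facing VPN host means
# anyone who can read pki/private/ca.key can mint valid client certificates.
# Let easyrsa prompt for a passphrase, and ideally run the CA on a separate
# offline machine and only bring CSRs to it.
./easyrsa build-ca
# Server key: no passphrase, otherwise openvpn cannot start unattended.
./easyrsa gen-req vpnserver nopass
# Sign the server request with the server x509 type (serverAuth EKU).
./easyrsa sign-req server vpnserver
# Client key: `nopass` keeps the walkthrough simple, but this key will be
# copied around; a passphrase-protected key, or generating the key on the
# client and only signing its CSR here, is the safer option.
./easyrsa gen-req vpnclient nopass
# Sign the client request with the client x509 type (clientAuth EKU), which
# is what `remote-cert-tls client` on the server checks for.
./easyrsa sign-req client vpnclient
# Diffie-Hellman parameters: server side only, slow to generate, not secret.
./easyrsa gen-dh
# tls-auth key: a shared HMAC secret for the control channel; the same file
# must be present on server and every client, so treat it like a private key.
openvpn --genkey --secret /etc/openvpn/easy-rsa/ta.key
# Initial (empty) CRL. Re-run gen-crl and redeploy crl.pem after every
# `./easyrsa revoke`, and before the CRL's validity period ends: OpenVPN treats
# an expired CRL as a verification failure, locking out all clients.
./easyrsa gen-crl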
拷贝生成的证书和server端密钥到/etc/openvpn/server
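# Server side: CA cert, server cert/key, tls-auth key, DH params, CRL.
# Private material is installed with an explicit 0600 mode instead of relying
# on whatever mode the source file happened to have.
mkdir -p ../server ../client
cp -prfv pki/ca.crt ../server/
cp -prfv pki/issued/vpnserver.crt ../server/
install -m 0600 pki/private/vpnserver.key ../server/vpnserver.key
install -m 0600 ta.key ../server/ta.key
cp -prfv pki/dh.pem ../server/
cp -prfv pki/crl.pem ../server/
# Client side: only the files a client config references. dh.pem and crl.pem
# belong to server-only options (dh, crl-verify) and were dropped from the
# client bundle; a copied CRL would also go stale the moment a certificate is
# revoked.
cp -prfv pki/ca.crt ../client/
cp -prfv pki/issued/vpnclient.crt ../client/
install -m 0600 pki/private/vpnclient.key ../client/vpnclient.key
install -m 0600 ta.key ../client/ta.key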
编写openVPN Server端配置文件
复制模板到主配置目录中
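# Start from the packaged sample. The doc directory name carries the package
# version, so glob it instead of hard-coding 2.4.12 (the original breaks on
# any other package build).
cp -rfvp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/server/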
编辑配置文件 /etc/openvpn/server/server.conf [[server Profile explained]]。注意：本文没有列出启动服务的步骤——使用 EPEL 的 openvpn 2.4 软件包时，对应的 unit 为 `systemctl enable --now openvpn-server@server`，它以 /etc/openvpn/server 为工作目录读取 server.conf，因此下面的相对路径才能生效。
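# /etc/openvpn/server/server.conf. With the EPEL 2.4 unit (openvpn-server@server)
# the working directory is /etc/openvpn/server, which is where the relative
# file names below are resolved.
port 1194
proto udp
dev tun
ca ca.crt
cert vpnserver.crt
key vpnserver.key # This file should be kept secret
dh dh.pem
# CRL checking. Regenerate (easyrsa gen-crl) and copy crl.pem here after every
# revoke, and before it expires: an expired CRL fails verification for every
# client, not just revoked ones.
crl-verify crl.pem
# Only accept peers whose certificate carries the client EKU (what
# `easyrsa sign-req client` issues). Prevents a leaked server certificate from
# being reused as a client identity.
remote-cert-tls client
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 8.8.8.8"
# duplicate-cn lets any number of clients share the single vpnclient cert.
# Convenient for a lab, but revocation then becomes all-or-nothing and there
# is no per-user audit trail; issue one cert per client and remove this line
# for real use.
duplicate-cn
keepalive 10 120
# HMAC-signs control-channel packets with the shared ta.key (key-direction 0
# here, 1 on clients). tls-crypt ta.key (2.4+) additionally encrypts the
# control channel; if you adopt it, change server and clients together.
tls-auth ta.key 0 # This file is secret
# Data-channel cipher used when negotiation is unavailable; 2.4 peers will by
# default negotiate an AES-GCM cipher (NCP) regardless of this value.
cipher AES-256-CBC
# Compression disabled. Compressing before encryption leaks plaintext-dependent
# packet sizes (VORACLE-style attacks) for very little bandwidth gain. Any
# client config that sets `compress` itself must drop it as well.
#compress lz4-v2
#push "compress lz4-v2"
# Refuse TLS < 1.2 on the control channel; every 2.4 client supports this.
tls-version-min 1.2
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
explicit-exit-notify 1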
开启转发
修改内核参数（sysctl，并非内核模块）
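# Enable IPv4 forwarding so tunnel traffic can leave via the LAN interface.
# A drop-in under /etc/sysctl.d is idempotent (re-running the guide no longer
# appends duplicate lines to /etc/sysctl.conf), and `sysctl --system` applies
# it immediately instead of waiting for the next reboot.
printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-openvpn-forward.conf
sysctl --system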
配置防火墙（firewalld）：下面的命令并不是关闭防火墙，而是放行 openvpn 服务端口、把 tun0 加入区域并为 VPN 网段做 NAT；不要 stop/disable firewalld。
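# firewalld: open udp/1194, put the tunnel interface in the default zone, and
# NAT the VPN subnet out through the default-route interface. The original
# hard-coded `ens32`; derive the interface instead so the NAT rule is not
# silently wrong on a host with a different NIC name.
wan_if=$(ip -4 route show default | awk '{print $5; exit}')
[ -n "$wan_if" ] || { echo "no default-route interface found" >&2; exit 1; }
firewall-cmd --permanent --add-service=openvpn
firewall-cmd --permanent --add-interface=tun0
# Zone-wide masquerade is broader than the /24-scoped rule below; the direct
# rule alone is the tighter of the two if you want to keep only one.
firewall-cmd --permanent --add-masquerade
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o "$wan_if" -j MASQUERADE
firewall-cmd --reload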
CLIENT
打包 client 目录（其中包含 vpnclient.key 与 ta.key 两个私密文件，传输和存放时按私钥对待）
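# Bundle the client material. The tarball contains vpnclient.key and ta.key,
# so create it with a restrictive umask, under /root rather than the current
# directory, and with an explicit -C so the result does not depend on where
# the shell happens to be (the original assumed cwd = /etc/openvpn).
umask 077
tar -C /etc/openvpn -zcvf /root/client.tar.gz client/
# lrzsz provides sz (ZMODEM) to pull the file down the existing SSH session;
# scp/sftp to the client is the more usual choice and avoids the extra package.
yum install -y lrzsz
sz /root/client.tar.gz
# Once the bundle is on the client, remove the server-side copies of the
# client's secrets; the server itself never uses them:
#   rm -f /root/client.tar.gz /etc/openvpn/client/vpnclient.key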
openvpn for win
https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.12-I601-Win10.exe （只从 openvpn.net 官方站点下载，安装前核对官方发布的签名/哈希值，不要使用第三方镜像或搜索结果中的安装包）
解压包内容到客户机配置文件夹（安装位置下的 config 文件夹）。注意：本文没有给出客户端配置文件，config 目录中还需要一个 .ovpn 文件，引用解压出的 ca.crt、vpnclient.crt、vpnclient.key、ta.key（tls-auth 的 key-direction 为 1），并与服务端的 proto/port 一致；否则托盘中不会出现可连接的配置。
然后在任务托盘中右键连接。