VPN Service Deployment

！！！仅限交流学习！！！

HostName	IP	OS
vpnserver	192.168.163.252	CentOS7-2009

配置阿里云 yum源 && Epel源

curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo

关闭selinux

[root@vpnserver ~]# cat /etc/selinux/config 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 
[root@vpnserver ~]# reboot

安装 Easy-RSA && openvpn

yum -y install openvpn easy-rsa

配置EASY-RSA

mkdir /etc/openvpn/easy-rsa
cp -rvf /usr/share/easy-rsa/3
cp -rvf /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa/

创建相关密钥

初始化PKI目录

cd /etc/openvpn/easy-rsa/
./easyrsa init-pki
./easyrsa build-ca nopass

创建服务器密钥

./easyrsa gen-req vpnserver nopass

CA证书签署vpnserver密钥

./easyrsa sign-req server vpnserver

创建客户端密钥

./easyrsa gen-req vpnclient nopass

CA证书签署vpnclient密钥

./easyrsa sign-req client vpnclient 

创建DH密钥

./easyrsa gen-dh

创建TLS认证密钥

openvpn --genkey --secret /etc/openvpn/easy-rsa/ta.key

创建CRL密钥

./easyrsa  gen-crl

拷贝生成的证书和server端密钥到/etc/openvpn/server

cp -prfv pki/ca.crt ../server/
cp -prfv pki/issued/vpnserver.crt ../server/
cp -prfv pki/private/vpnserver.key ../server/
cp ta.key ../server/ -prfv

拷贝生成的证书和client端密钥到/etc/openvpn/client

cp -rfvp pki/ca.crt ../client/
cp -rfvp pki/issued/vpnclient.crt ../client/
cp -rvfp pki/private/vpnclient.key ../client/
cp ta.key ../client/

拷贝 dh.pem && crl.pem 到/etc/openvpn/client

cp pki/dh.pem ../client/ -rfvp
cp pki/crl.pem ../client/ -rfvp 

拷贝 dh.pem && crl.pem 到/etc/openvpn/server

cp pki/dh.pem ../server/ -rfvp
cp pki/crl.pem ../server/ -rfvp 

编写openVPN Server端配置文件

复制模板到主配置目录中

 cp -rfvp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf  /etc/openvpn/server/

编辑配置文件 [[server Profile explained]]

port 1194
proto udp
dev tun
ca ca.crt
cert vpnserver.crt
key vpnserver.key  # This file should be kept secret
dh dh.pem
crl-verify crl.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 8.8.8.8"
duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.log
verb 3
explicit-exit-notify 1

开启转发

修改内核模块

 echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf

关闭防火墙

firewall-cmd --permanent --add-service=openvpn
firewall-cmd --permanent --add-interface=tun0
firewall-cmd --permanent --add-masquerade
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s  10.8.0.0/24 -o ens32 -j MASQUERADE
firewall-cmd --reload

CLINET

打包clinet目录

tar -zcvf client.tar.gz ./client/

安装lrzsz

yum install lrzsz -y

下载clinet.tar.gz到客户机

sz ./client.tar.gz 

openvpn for win

https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.12-I601-Win10.exe

解压包内容到客户机配置文件夹

安装位置下的config文件夹

直接在任务托盘中右键链接

到这里就成功了