OpenVPN 配置及使用

• 安装
• 使用
• 参考资料

OpenVPN 配置及使用, 实习时整理的文档

安装

1. EPEL(Extra Packages for Enterprise Linux)

   • 安装 EPEL

        sudo yum install epel-release
     

   • 若extras源未启用,则

        sudo yum --enablerepo=extras install epel-release
     

   • 检查EPEL源是否安装成功

        sudo yum repolist
     

2. 安装 openvpn

    sudo yum install openvpn
   

3. 安装 easy-rsa

    sudo yum install easy-rsa
   

4. 配置 easy-rsa

   • 复制 easy-rsa 到openvpn安装目录

       cp -R /usr/share/easy-rsa/{$rsa_dir}/ /etc/openvpn/easy-rsa/
       #本次安装使用了3.0.3
     

   • 配置证书密钥

       cd /etc/openvpn/easy-rsa/
     
       ./easyrsa init-pki
       ./easyrsa build-ca nopass
       ./easyrsa build-server-full server nopass
       ./easyrsa build-client-full client1 nopass
       ./easyrsa build-client-full client2 nopass
       ./easyrsa gen-dh
     
       openvpn --genkey --secret ta.key
     

5. 配置 openvpn

   • 创建所需目录

       #log
       mkdir -p /etc/openvpn/log/
       #user
       mkdir -p /etc/openvpn/server/user
       #ccd
       mkdir -p /etc/openvpn/server/ccd
     

   • 复制所需文件

       cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/server/
       cp /etc/openvpn/easy-rsa/pki/issued/server.crt /etc/openvpn/server/
       cp /etc/openvpn/easy-rsa/pki/private/server.key /etc/openvpn/server/
       cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/server/
       cp /etc/openvpn/easy-rsa/pki/ta.key /etc/openvpn/server/
     

   • 创建Server配置文件 server/server.conf

       #################################################
       # This file is for the server side              #
       # of a many-clients <-> one-server              #
       # OpenVPN configuration.                        #
       #                                               #
       # Comments are preceded with '#' or ';'         #
       #################################################
       port 11904
       proto udp
       ## Enable the management interface
       # management-client-auth
       # management localhost 7505 /etc/openvpn/user/management-file
       dev tun     # TUN/TAP virtual network device
       user nobody
       group nobody
       max-clients 20
       ca /etc/openvpn/server/ca.crt
       cert /etc/openvpn/server/server.crt
       key /etc/openvpn/server/server.key
       dh /etc/openvpn/server/dh.pem
       ## Using System user auth.
       # plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
       ## Using Script Plugins
       #auth-user-pass-verify /etc/openvpn/server/user/checkpsw.sh via-env
       auth-user-pass-verify /etc/openvpn/server/user/auth.sh via-env
       script-security 3
       auth SHA512
       tls-auth /etc/openvpn/server/ta.key 0
       topology subnet
       # client-cert-not-required  # Deprecated option
       verify-client-cert
       username-as-common-name
       ## Connecting clients to be able to reach each other over the VPN.
       client-to-client
       ## Allow multiple clients with the same common name to concurrently connect.
       duplicate-cn
       # client-config-dir /etc/openvpn/server/ccd
       client-config-dir /etc/openvpn/server/ccd
       ifconfig-pool-persist /etc/openvpn/server/ipp.txt
       push "redirect-gatway def1 bypass-dhcp"
       ;server 10.8.1.0 255.255.255.0
       server 10.8.0.0 255.255.255.0
       push "dhcp-option DNS 8.8.8.8"
       #push "dhcp-option DNS 114.114.114.114"
       #push "dhcp-option DNS 1.1.1.1"
       push "route 10.93.0.0 255.255.255.0"
       ;route 10.8.1.0 255.255.255.0
       # comp-lzo - DEPRECATED This option will be removed in a future OpenVPN release. Use the newer --compress instead.
       compress lzo
       cipher AES-256-CBC
       ncp-ciphers "AES-256-GCM:AES-128-GCM"
       ## In UDP client mode or point-to-point mode, send server/peer an exit notification if tunnel is restarted or OpenVPN process is exited.
       # explicit-exit-notify 1
       keepalive 5 20
       persist-key
       persist-tun
       verb 3
       log /etc/openvpn/log/server.log
       log-append /etc/openvpn/log/server.log
       status /etc/openvpn/log/status.log
       crl-verify server/crl.pem
     

   • 配置文件软连接

       cd /etc/openvpn/server/
       ln -sf server.conf .service.conf
     

   • 创建用户密码文件

       tee /etc/openvpn/server/user/psw-file << EOF
       mytest mytestpass
       EOF
       chmod 600 /etc/openvpn/server/user/psw-file
       chown openvpn:openvpn /etc/openvpn/server/user/psw-file
     

   • 防火墙配置

       firewall-cmd --permanent --add-masquerade
       firewall-cmd --permanent --add-service=openvpn
       # 或者添加自定义端口
       # firewall-cmd --permanent  --add-port=1194/tcp
       firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
       firewall-cmd --reload
     

   • 启动服务

       # 查看service名
       rpm -ql openvpn |grep service
       /usr/lib/systemd/system/openvpn-client@.service
       /usr/lib/systemd/system/openvpn-server@.service
       /usr/lib/systemd/system/openvpn@.service
       # 启动
       systemctl start openvpn-server@.service.service
     

   • 配置客户端 从server上将生成的ca.crt、client1.crt、client1.key、ta.key文件下载到客户端，客户端配置内容C:\Program Files\OpenVPN\config\client.ovpn如下：

       client
       proto tcp-client
       dev tun
       auth-user-pass
       remote yourserver.domain 1194
       ca ca.crt
       cert client1.crt
       key client1.key
       tls-auth ta.key 1
       remote-cert-tls server
       auth-nocache
       persist-tun
       persist-key
       compress lzo
       verb 4
       mute 10
     

使用

略

参考资料

1. Install and Configure OpenVPN Server on RHEL / CentOS 8
2. 完整CentOS搭建OpenVPN服务环境图文教程
3. CentOS 配置 EPEL 软件源最新软件
4. Centos7.x 安装Openvpn详解