openvpn基本环境安装
# Enable the EPEL repository, bring the system up to date, then install OpenVPN,
# easy-rsa and the libraries they use.
# NOTE(review): openvpn and easy-rsa are presumably pulled from EPEL here; confirm
# that package signature checking stays enabled for that repository.
$ yum install -y epel-release
$ yum update -y
# NOTE(review): the -devel packages are build-time headers. Nothing on this page
# compiles OpenVPN from source, so they look unnecessary on a production VPN host.
$ yum install -y openssl lzo pam openssl-devel lzo-devel pam-devel
$ yum install -y easy-rsa
$ yum install -y openvpn
设置日志目录
# Create the log directory and give it to the openvpn account, which is the
# user/group the server configuration on this page runs the daemon as.
# NOTE(review): the directory keeps its default mode; the log and status files
# written here record connecting clients, so consider restricting it (e.g. chmod 750).
mkdir -p /var/log/openvpn/
chown openvpn:openvpn /var/log/openvpn
服务器证书生成
# Copy the packaged easy-rsa 3.0.8 scripts into a working directory under
# /etc/openvpn/server and work from there.
cp -rf /usr/share/easy-rsa/3.0.8 /etc/openvpn/server/easy-rsa
cd /etc/openvpn/server/easy-rsa
# Create an empty PKI directory (./pki).
./easyrsa init-pki
# Build the CA.
# NOTE(review): "nopass" leaves the CA private key unencrypted under pki/private/
# on the VPN server itself, so anyone who can read it can issue certificates the
# server will accept. Consider a passphrase or keeping the CA on a separate host.
./easyrsa build-ca nopass
# Create the server key pair and sign it with the CA; "nopass" leaves the server
# key unencrypted so the daemon can start without a prompt.
./easyrsa build-server-full server nopass
# Generate the Diffie-Hellman parameters (copied later as pki/dh.pem).
./easyrsa gen-dh
# Generate the static key that the tls-auth directive uses on server and clients.
openvpn --genkey --secret ta.key
证书放置统一目录
# Gather the files that server.conf references into one directory.
# cp -a preserves each file's mode and ownership.
$ mkdir -p /etc/openvpn/server/certs
$ cp -a pki/ca.crt /etc/openvpn/server/certs
# server.key (and ta.key below) are secrets.
# NOTE(review): verify after copying that they are readable by root only.
$ cp -a pki/private/server.key /etc/openvpn/server/certs
$ cp -a pki/issued/server.crt /etc/openvpn/server/certs
$ cp -a pki/dh.pem /etc/openvpn/server/certs
$ cp -a ta.key /etc/openvpn/server/certs
服务器openvpn基本配置
vim /etc/openvpn/server.conf
# OpenVPN server configuration (/etc/openvpn/server.conf).
# NOTE(review): no cipher, auth or tls-version-min directive is set, so the
# data-channel and TLS settings fall back to the defaults of the installed
# OpenVPN build. Confirm those defaults meet your policy.
# NOTE(review): no crl-verify directive is set, so a revoked client certificate
# would still be accepted until it expires.
port 1194 # listening port
proto udp # transport protocol; the author chose UDP because it is faster
dev tun
ca /etc/openvpn/server/certs/ca.crt # CA root certificate
cert /etc/openvpn/server/certs/server.crt # server certificate
key /etc/openvpn/server/certs/server.key # server private key; This file should be kept secret
dh /etc/openvpn/server/certs/dh.pem # Diffie-Hellman parameters file
tls-auth /etc/openvpn/server/certs/ta.key 0 # static HMAC key for the TLS control channel; direction 0 here pairs with
# direction 1 on the client. Clients need the same ta.key either way; if the direction is left out it must be left out on both sides.
server 10.8.0.0 255.255.255.0 # subnet of the VPN tunnel interface; must not overlap the internal network. 10.8.0.0/24 is the OpenVPN default.
keepalive 10 120
# NOTE(review): compression inside a VPN tunnel can leak information about the
# plaintext (VORACLE-style attacks), and comp-lzo is deprecated in newer OpenVPN
# releases. The client template on this page sets it too, so change both together.
comp-lzo
persist-key
persist-tun
# user/group make the daemon drop root privileges after initialization.
user openvpn # account the daemon runs as; per the author it is created when the openvpn package is installed
group openvpn
# NOTE(review): log and log-append name the same file. log truncates the file
# on start while log-append appends; keep only the one you intend.
log /var/log/openvpn/server.log # log file location
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log
verb 3
explicit-exit-notify 1
启动openvpn
openvpn --daemon --config /etc/openvpn/server.conf
客户端证书生成模板
vim /etc/openvpn/client/sample.ovpn
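# Client profile template. open_user.sh copies it for each user and rewrites
# the certificate and key file names below to that user's name.
# Comments must start with '#' (or ';'): OpenVPN does not treat '//' as a
# comment and would parse the text after it as extra arguments.
client
proto udp
dev tun
remote x.x.x.x 1194 # public IP address and port of the server
route-nopull # do not install routes pushed by the server; only the route lines below use the tunnel
route 10.8.0.0 255.255.255.0 vpn_gateway
route 172.16.0.0 255.255.255.192 vpn_gateway
ca ca.crt
cert admin.crt
key admin.key
tls-auth ta.key 1 # direction 1 pairs with direction 0 in server.conf
remote-cert-tls server # only accept a peer whose certificate is marked as a server certificate
persist-tun
persist-key
# NOTE(review): compression inside a VPN tunnel can leak information about the
# plaintext, and comp-lzo is deprecated in newer OpenVPN releases. server.conf on
# this page sets it too, so change both together.
comp-lzo
verb 3
mute-replay-warnings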
客户端证书生成脚本
vim /etc/openvpn/client/open_user.sh
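# Issue a client certificate for every user name given on the command line and
# bundle the client files (CA cert, client cert/key, profile, ta.key) into
# <user>.zip under OVPN_USER_KEYS_DIR.
# Usage: sh ./open_user.sh USER [USER...]
# Written for POSIX sh because the page runs it with `sh`.
set -e
# Client private keys are copied and zipped below; keep new files owner-only.
umask 077

OVPN_USER_KEYS_DIR=/etc/openvpn/client/keys
EASY_RSA_VERSION=3
EASY_RSA_DIR=/etc/openvpn/server/easy-rsa/
PKI_DIR=$EASY_RSA_DIR/pki

for user in "$@"
do
  # The name is used in file paths, in rm -rf and as a sed replacement, so only
  # plain certificate names are accepted: no empty value, no path components,
  # no leading dash, no characters that are special to sed or the shell.
  case "$user" in
    '' | . | .. | -* | *[!A-Za-z0-9._-]*)
      printf 'invalid user name: %s\n' "$user" >&2
      exit 1
      ;;
  esac

  if [ -d "$OVPN_USER_KEYS_DIR/$user" ]; then
    # NOTE(review): this forgets the previous certificate without revoking it,
    # so the old certificate stays valid for anyone who kept a copy. Prefer
    # revoking it with easy-rsa and having the server check a CRL (server.conf
    # on this page sets no crl-verify).
    # NOTE(review): the old files under pki/issued and pki/private are left in
    # place, as in the original; easy-rsa may refuse to build over them. Confirm.
    rm -rf -- "${OVPN_USER_KEYS_DIR:?}/${user:?}"
    rm -f -- "$PKI_DIR/reqs/$user.req"
    # Drop only the index.txt entries whose subject has exactly CN=<user>.
    # A fixed-string comparison is used so that one user's name can never
    # match (and delete) another user's entry.
    index_tmp=$(mktemp "$PKI_DIR/index.txt.XXXXXX")
    awk -F '\t' -v cn="/CN=$user/" 'index($NF "/", cn) == 0' \
      "$PKI_DIR/index.txt" > "$index_tmp" || { rm -f -- "$index_tmp"; exit 1; }
    # Write back through the existing file so its owner and mode are kept.
    cat "$index_tmp" > "$PKI_DIR/index.txt"
    rm -f -- "$index_tmp"
  fi

  cd "$EASY_RSA_DIR"
  # Generate the client key pair and certificate. "nopass" leaves the private
  # key unencrypted, so the resulting zip must be handed over on a protected
  # channel.
  ./easyrsa build-client-full "$user" nopass

  # Collect everything the client needs in one directory.
  mkdir -p -- "$OVPN_USER_KEYS_DIR/$user"
  cp -- "$PKI_DIR/ca.crt" "$OVPN_USER_KEYS_DIR/$user/"                # CA root certificate
  cp -- "$PKI_DIR/issued/$user.crt" "$OVPN_USER_KEYS_DIR/$user/"      # client certificate
  cp -- "$PKI_DIR/private/$user.key" "$OVPN_USER_KEYS_DIR/$user/"     # client private key
  cp -- /etc/openvpn/client/sample.ovpn "$OVPN_USER_KEYS_DIR/$user/$user.ovpn" # client profile
  # Safe only because $user was validated above (no '/', '&' or '\').
  sed -i 's/admin/'"$user"'/g' "$OVPN_USER_KEYS_DIR/$user/$user.ovpn"
  cp -- /etc/openvpn/server/certs/ta.key "$OVPN_USER_KEYS_DIR/$user/ta.key" # tls-auth key

  cd "$OVPN_USER_KEYS_DIR"
  zip -r "$user.zip" "$user"
done
exit 0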
生成客户端证书
sh ./open_user.sh xxx
注意事项:
1、路由相关
# Source-NAT traffic coming from the VPN subnet so that replies from internal
# hosts are routed back through this server.
# NOTE(review): the rule applies on every outbound interface and is not kept
# across reboots. Consider limiting it with -o <interface>, persisting it, and
# checking that the FORWARD chain only allows the destinations VPN clients
# should reach.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
# List the nat table to confirm the rule is present.
iptables -vnL -t nat
vim /etc/sysctl.conf  # 打开路由转发:在文件中加入下一行,然后执行 sysctl -p 使其生效
net.ipv4.ip_forward = 1
sysctl -p
2、记得在防火墙(或云安全组)中放行服务配置里的监听端口(本文为 UDP 1194)
end