安装
[root@instance-azku10wv ~]# yum install epel-release
[root@instance-azku10wv ~]# yum install openvpn
配置
把服务器端必要文件放到 /etc/openvpn/ 目录下（CA 证书、服务端证书、服务端密钥）
就是上一篇文章中最后创建的ca.crt, server.crt, server.key
[root@instance-azku10wv easyrsa3]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /etc/openvpn/
[root@instance-azku10wv easyrsa3]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key /etc/openvpn/
[root@instance-azku10wv easyrsa3]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt /etc/openvpn/
[root@instance-azku10wv easyrsa3]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem /etc/openvpn/
编写认证脚本
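#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
# Lines starting with ';' or '#' in the passfile are ignored.
#
# OpenVPN runs it from "auth-user-pass-verify ... via-env":
# the credentials supplied by the client arrive in the
# environment variables $username and $password. Exit
# status 0 accepts the login, anything else rejects it.
# Both files below hold or receive sensitive data; keep
# them readable by root (the user OpenVPN starts as) only.
PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/etc/openvpn/openvpn-password.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")
###########################################################

# Append one time-stamped line to LOG_FILE.
# The candidate password is deliberately never logged: the
# log is plain text, and a mistyped password is frequently a
# valid password for another account.
log_msg() {
  printf '%s: %s\n' "${TIME_STAMP}" "$1" >> "${LOG_FILE}"
}

if [ ! -r "${PASSFILE}" ]; then
  log_msg "Could not open password file \"${PASSFILE}\" for reading."
  exit 1
fi

# Look up the stored password for $username. The name reaches
# awk through its environment instead of being spliced into the
# program text: $username is chosen by the (unauthenticated)
# client, and an embedded quote in it would otherwise let the
# client inject arbitrary awk code into this script.
CORRECT_PASSWORD=$(
  username="${username-}" awk '
    !/^;/ && !/^#/ && $1 == ENVIRON["username"] { print $2; exit }
  ' "${PASSFILE}"
)

# Unknown user, or a passfile line with no password field.
if [ -z "${CORRECT_PASSWORD}" ]; then
  log_msg "User does not exist: username=\"${username-}\"."
  exit 1
fi

if [ "${password-}" = "${CORRECT_PASSWORD}" ]; then
  log_msg "Successful authentication: username=\"${username-}\"."
  exit 0
fi

log_msg "Incorrect password: username=\"${username-}\"."
exit 1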
上面认证脚本保存到/etc/openvpn/checkpsw.sh中
配置脚本执行权限
chmod 755 /etc/openvpn/checkpsw.sh
配置用户密码文件
username1 password1
username2 password2
保存到 /etc/openvpn/psw-file 中
修改openvpn的server.conf
# OpenVPN server configuration (server.conf). Text after '#' is a comment.
local 0.0.0.0 # listen address (all interfaces)
port 1194 # listen port
proto udp # transport protocol
dev tun # routed (layer-3) tunnel mode
ca /etc/openvpn/ca.crt # CA certificate
cert /etc/openvpn/server.crt # server certificate
key /etc/openvpn/server.key # This file should be kept secret: server private key
dh /etc/openvpn/dh.pem # Diffie-Hellman parameters for the key exchange
server 10.8.0.0 255.255.255.0 # address pool handed to clients; must not overlap the server's LAN
# NOTE(review): relative path, presumably resolved against the daemon's working
# directory; an absolute path avoids surprises when the start-up command changes.
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp" # make the VPN the client's default gateway
push "dhcp-option DNS 8.8.8.8" # DNS server pushed to clients
client-to-client # let clients reach each other through the server
keepalive 10 120 # ping every 10 s; peer treated as down after 120 s without a reply
# NOTE(review): compression of tunnelled traffic is deprecated in current OpenVPN
# and enables the VORACLE class of attacks on tunnelled plaintext; remove this
# line unless the clients depend on it.
comp-lzo # compress tunnelled data
max-clients 100 # at most 100 concurrent clients
user openvpn # drop privileges to this user after initialisation
group openvpn # and to this group
persist-key # keep key material across SIGUSR1 restarts (needed once privileges are dropped)
persist-tun # keep the tun device open across restarts, for the same reason
status /var/log/openvpn/openvpn-status.log # current client list, rewritten periodically
log /var/log/openvpn/openvpn.log # daemon log; truncated on each start (log-append keeps it)
verb 3 # log verbosity
# Level 3 allows the password to be passed to scripts through the environment,
# which the OpenVPN manual marks as potentially unsafe; 'via-file' on the next
# directive together with script-security 2 is the safer combination.
script-security 3
# Username/password checking is delegated to this script; with via-env the
# credentials arrive as $username/$password. The script reads a plaintext
# password file, so keep that file and the script's log readable by root only.
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
username-as-common-name # use the verified username as the client's common name (e.g. for ccd lookups)
# No client certificate is requested or checked: client authentication rests
# entirely on the password script above (TLS still authenticates the server).
verify-client-cert none
server端重启openvpn服务
openvpn --daemon --config /etc/openvpn/server.conf
验证
执行ifconfig, 会看到多一个虚拟网络接口