linux安装Openvpn详解

软件版本

Centos - 7.x

easy-rsa - 3.0.3

OpenVPN - 2.4.6

安装

建议安装启用epel源，采用yum的方式安装openvpn。

yum install -y epel-release

yum update -y

yum install -y openssl lzo pamopenssl-devel lzo-devel pam-devel

yum install -y easy-rsa

yum install -y openvpn

使用路由还是桥接？

建议使用路由，除非你有一些需要桥接的特定场景，例如:

VPN需要能够处理非ip协议，如IPX

通过VPN运行应用程序，该VPN依赖于网络广播(如局域网游戏)

希望允许跨VPN浏览Windows文件共享，而无需设置Samba或WINS服务器

确定私有子网

Server 与 Client 的VPN通道子网，不要与已有环境的网络冲突即可。

默认：10.8.0.0/16

配置证书密钥

我们通过yum方式安装的easy-rsa 版本是3.x，直接从安装路径copy一份工具出来。这里用默认的 easy-rsa 3.x 来配置生成证书密钥。

cp -rf /usr/share/easy-rsa/3.0.3/etc/openvpn/server/easy-rsa

cd /etc/openvpn/server/easy-rsa

./easyrsa init-pki

./easyrsa build-ca nopass

./easyrsa build-server-full server nopass

./easyrsa build-client-full client1 nopass

./easyrsa build-client-full client2 nopass

./easyrsa gen-dh

openvpn --genkey --secret ta.key

bash

补充：easy-rsa 2.x 执行方式（下载地址）

. ./vars

./clean-all

./build-ca

./build-key-server server

./build-key client1

./build-key client2

./build-dh

openvpn --genkey --secret ta.key

配置 Server 端

创建使用的目录

# 日志存放目录

mkdir -p /var/log/openvpn/

# 用户管理目录

mkdir -p /etc/openvpn/server/user

# 配置权限

chown openvpn:openvpn /var/log/openvpn

bash

创建Server配置文件

编辑/etc/openvpn/server/server.conf文件，并写入以下内容：

#################################################

# This file is for the server side              #

# of a many-clients <->one-server              #

# OpenVPN configuration.                        #

#                                              #

# Comments are preceded with '#' or';'         #

#################################################

port 1194

proto tcp-server

## Enable the management interface

# management-client-auth

# management localhost 7505/etc/openvpn/user/management-file

dev tun    # TUN/TAP virtual network device

user openvpn

group openvpn

ca /etc/openvpn/server/easy-rsa/pki/ca.crt

cert/etc/openvpn/server/easy-rsa/pki/issued/server.crt

key /etc/openvpn/server/easy-rsa/pki/private/server.key

dh /etc/openvpn/server/easy-rsa/pki/dh.pem

tls-auth/etc/openvpn/server/easy-rsa/ta.key 0

## Using System user auth.

# plugin/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login

## Using Script Plugins

auth-user-pass-verify/etc/openvpn/server/user/checkpsw.sh via-env

script-security 3

# client-cert-not-required  # Deprecated option

verify-client-cert

username-as-common-name

## Connecting clients to be able to reacheach other over the VPN.

client-to-client

## Allow multiple clients with the samecommon name to concurrently connect.

duplicate-cn

# client-config-dir /etc/openvpn/server/ccd

# ifconfig-pool-persist ipp.txt

server 10.8.0.0 255.255.255.0

push "dhcp-option DNS114.114.114.114"

push "dhcp-option DNS 1.1.1.1"

push "route 10.93.0.0255.255.255.0"

# comp-lzo - DEPRECATED This option will beremoved in a future OpenVPN release. Use the newer --compress instead.

compress lzo

# cipher AES-256-CBC

ncp-ciphers"AES-256-GCM:AES-128-GCM"

## In UDP client mode or point-to-pointmode, send server/peer an exit notification if tunnel is restarted or OpenVPNprocess is exited.

# explicit-exit-notify 1

keepalive 10 120

persist-key

persist-tun

verb 3

log /var/log/openvpn/server.log

log-append /var/log/openvpn/server.log

status /var/log/openvpn/status.log

bash

注意！！！ 这里创建完配置文件后，需要做个配置文件的软连接，因为当前版本的openvpn systemd 启动文件中读取的是.service.conf配置。

cd /etc/openvpn/server/

ln -sf server.conf .service.conf

创建用户密码文件

格式是用户 密码以空格分割即可

tee /etc/openvpn/server/user/psw-file<< EOF

mytest mytestpass

EOF

chmod 600 /etc/openvpn/server/user/psw-file

chown openvpn:openvpn/etc/openvpn/server/user/psw-file

创建密码检查脚本

#!/bin/sh

###########################################################

# checkpsw.sh (C) 2004 Mathias Sundman

#

# This script will authenticate OpenVPNusers against

# a plain text file. The passfile shouldsimply contain

# one row per user with the username firstfollowed by

# one or more space(s) or tab(s) and thenthe password.

PASSFILE="/etc/openvpn/server/user/psw-file"

LOG_FILE="/var/log/openvpn/password.log"

TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then

 echo "${TIME_STAMP}: Could not open password file\"${PASSFILE}\" for reading." >>  ${LOG_FILE}

 exit 1

fi

CORRECT_PASSWORD=`awk'!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}'${PASSFILE}`

if [ "${CORRECT_PASSWORD}" ="" ]; then

 echo "${TIME_STAMP}: User does not exist:username=\"${username}\", password=

\"${password}\"." >>${LOG_FILE}

 exit 1

fi

if [ "${password}" ="${CORRECT_PASSWORD}" ]; then

 echo "${TIME_STAMP}: Successful authentication:username=\"${username}\"." >> ${LOG_FILE}

 exit 0

fi

echo "${TIME_STAMP}: Incorrectpassword: username=\"${username}\", password=

\"${password}\"." >>${LOG_FILE}

exit 1

bash

防火墙配置

firewall-cmd --permanent --add-masquerade

firewall-cmd --permanent--add-service=openvpn

# 或者添加自定义端口

# firewall-cmd --permanent  --add-port=1194/tcp

firewall-cmd --permanent --direct--passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

firewall-cmd --reload

bash

启动服务

# 查看service名

rpm -ql openvpn |grep service

/usr/lib/systemd/system/openvpn-client@.service

/usr/lib/systemd/system/openvpn-server@.service

/usr/lib/systemd/system/openvpn@.service

# 启动

systemctl startopenvpn-server@.service.service

bash

配置客户端

从server上将生成的ca.crt、client1.crt、client1.key、ta.key文件下载到客户端，客户端配置内容C:\Program

Files\OpenVPN\config\client.ovpn如下：

#

client

proto tcp-client

dev tun

auth-user-pass

remote yourserver.domain 1194

ca ca.crt

cert client1.crt

key client1.key

tls-auth ta.key 1

remote-cert-tls server

auth-nocache

persist-tun

persist-key

compress lzo

verb 4

mute 10

转自嘉为教育-rhce认证_rhce培训_linux培训_linux认证_linux考证