OpenVPN
Damoncai 10/25/2022 wogua, OpenVPN
# 第一章 服务端搭建
# 1.1 安装依赖
yum install -y gcc-c++ openssl openssl-devel net-tools lzo lzo-devel pam pam-devel
1
# 1.2 安装OpenVPN
下载
- 打开OpenVPN官网下载地址:https://openvpn.net/community-downloads/
- 下载
openvpn-2.5.3.tar.gz - 下载完成上传到服务器
或者
wget https://swupdate.openvpn.org/community/releases/openvpn-2.5.3.tar.gz
1
解压、编译、安装
# 解压
tar -zxf openvpn-2.5.3.tar.gz
# 进入该目录
cd openvpn-2.5.3/
# 配置
./configure --prefix=/usr/local/openvpn/
# 编译
make
# 安装
make install
1
2
3
4
5
6
7
8
9
10
2
3
4
5
6
7
8
9
10
添加环境变量
vim /etc/profile
PATH添加:/usr/local/openvpn/sbin,例如:
export PATH=$PATH:/usr/local/openvpn/sbin
1
2
3
2
3
立即生效
source /etc/profile
1
查看是否成功
openvpn --version
1
# 1.3 生成证书
下载
easy-rsa工具
- 打开GitHub地址https://github.com/OpenVPN/easy-rsa/releases
- 下载最新版easy-rsa的tgz包
- 下载完成上传服务器,或者使用wget直接下载
或者
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
1
解压
# 解压
tar -zxf EasyRSA-3.0.8.tgz
# 进入该目录
cd EasyRSA-3.0.8/
1
2
3
4
2
3
4
生成服务端与客户端证书
初始化
./easyrsa init-pki生成根证书
./easyrsa build-ca nopass1nopass表示不加密- 提示输入通用名,可以输入
服务器IP或者域名或者不输入,然后直接回车 - 此时看到提示
ca文件在/root/EasyRSA-3.0.8/pki/ca.crt
服务端:
创建服务端证书
./easyrsa gen-req server nopass1server即创建后的证书文件名,可自定义nopass表示不加密- 提示输入通用名,直接回车
给服务端证书做签名
./easyrsa sign server server1- 第一个
server代表签为服务端 - 第二个
server为服务端证书文件名 - 提示一些确认信息,输入
yes并回车
- 第一个
客户端:(如果需要多个客户端,每个客户端都需要一个唯一的证书。重复以下两步:client端文件名不相同即可,例如:client1 client2)
创建客户端证书
./easyrsa gen-req client nopass1nopass表示不加密client即创建后的文件名,可自定义- 提示输入通用名,直接回车
给客户端证书做签名
./easyrsa sign client client1- 第一个
client代表签为客户端 - 第二个
client为客户端证书文件名 - 提示一些确认信息,输入
yes并回车
- 第一个
# 1.4 配置服务端
拷贝证书
复制服务端秘钥至安装目录
# PS:当前命令还在上文的 /root/EasyRSA-3.0.8 目录下
cp -p pki/ca.crt pki/private/server.key pki/issued/server.crt /usr/local/openvpn/
1
2
2
复制服务端配置文件至安装目录
# 退出当前文件夹并进入openvpn源码文件夹
cd ../openvpn-2.5.3/
# 复制配置文件示例
cp ./sample/sample-config-files/server.conf /usr/local/openvpn/
1
2
3
4
2
3
4
生成其他文件
进入到安装目录
cd /usr/local/openvpn/
1
生成pem文件
openssl dhparam -out dh2048.pem 2048
1
生成key文件
openvpn --genkey tls-auth ta.key
1
# 1.5 修改配置文件
编辑配置文件
vim server.conf
1
修改如下配置
# 监听端口:默认1194,可自定义修改
port 1194
# # ca证书路径
ca /usr/local/openvpn/ca.crt
# # 服务器证书
cert /usr/local/openvpn/server.crt
# # 服务器秘钥
key /usr/local/openvpn/server.key
# 秘钥交换协议:注意名称
dh /usr/local/openvpn/dh2048.pem
# # 给客服端分配的地址池:不能和服务器内网ip一个网段
server 10.8.0.0 255.255.255.0
# # IP配置文件
ifconfig-pool-persist /usr/local/openvpn/ipp.txt
# # 开启DHCP
push "route 10.0.4.0 255.255.255.0"
# # DHCP分配dns
#push "dhcp-option DNS 114.114.114.114"
#push "dhcp-option DNS 223.5.5.5"
# # 没有这个key,注释掉
;tls-auth ta.key 0 # This file is secret
# # 传输数据压缩
comp-lzo
# # 状态文件
status /usr/local/openvpn/openvpn-status.log
# # 日志文件
log /usr/local/openvpn/openvpn.log
# client-config-dir /usr/local/openvpn/ccd
;dev tap
dev tun
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
保存退出
启动firewalld防火墙
systemctl start firewalld.service
开放openvpn的监听端口以及协议
firewall-cmd --add-port=1194/tcp --permanent
firewall-cmd --add-masquerade --permanent
firewall-cmd --complete-reload
1
2
3
4
5
6
2
3
4
5
6
# 1.6 编辑开机自启文件
vim /etc/init.d/openvpn
#!/bin/bash
#
# chkconfig: 2345 98 10
# description:openvpn service
#
/usr/local/openvpn/sbin/openvpn --connect-retry 5 30 --daemon --config /usr/local/openvpn/server.conf
1
2
3
4
5
6
2
3
4
5
6
授予执行权限 chmod 755 /etc/init.d/openvpn
添加服务 chkconfig --add openvpn
服务端至此结束
# 1.7 启动进程
openvpn --daemon --config /usr/local/openvpn/server.conf
1
# 第二章 Linux客户端配置
# 2.1 安装依赖
yum install -y gcc-c++ openssl glibc-headers openssl-devel net-tools lzo lzo-devel pam pam-devel
1
# 2.2 安装OpenVPN
下载
- 打开OpenVPN官网下载地址:https://openvpn.net/community-downloads/
- 下载
openvpn-2.5.3.tar.gz - 下载完成上传到服务器
或者
wget https://swupdate.openvpn.org/community/releases/openvpn-2.5.3.tar.gz
1
解压、编译、安装
# 解压
tar -zxf openvpn-2.5.3.tar.gz
# 进入该目录
cd openvpn-2.5.3/
# 配置
./configure --prefix=/usr/local/openvpn/
# 编译
make
# 安装
make install
1
2
3
4
5
6
7
8
9
10
2
3
4
5
6
7
8
9
10
添加环境变量
vim /etc/profile
PATH添加:/usr/local/openvpn/sbin,例如:
export PATH=$PATH:/usr/local/openvpn/sbin
1
2
3
2
3
立即生效
source /etc/profile
1
查看是否成功
openvpn --version
1
# 2.3 上传客户端配置文件
用ftp导出easyrsa3文件夹下的客户端证书文件
- pki/ca.crt
- pki/private/client.key
- pki/issued/client.crt
发到客户端服务器文件夹下/usr/local/openvpn/
# 2.4 创建client.conf
客户端服务器文件夹下/usr/local/openvpn/,创建client.conf
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote xx.xx.xx.xx 1194
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca /usr/local/openvpn/ca.crt
cert /usr/local/openvpn/client.crt
key /usr/local/openvpn/client.key
# Verify server certificate by checking that the
# certicate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
remote-cert-tls server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
需要修改
- 远端服务器地址和端口
- 证书路径
# 2.5 启动
vim /etc/init.d/openvpn
#!/bin/bash
#
# chkconfig: 2345 98 10
# description:openvpn client
#
/usr/local/openvpn/sbin/openvpn --daemon --config /usr/local/openvpn/client.conf --log-append /usr/local/openvpn/openvpn.log
1
2
3
4
5
6
2
3
4
5
6
启动
/usr/local/openvpn/sbin/openvpn --daemon --config /usr/local/openvpn/client.conf --log-append /usr/local/openvpn/openvpn.log
1
# 第三章 Windows客户端配置
用ftp导出easyrsa3文件夹下的客户端证书文件
pki/ca.crt pki/private/client.key pki/issued/client.crt
下载Windows客户端并安装
打开https://openvpn.net/community-downloads/ 点击WINDOWS INSTALLER (NSIS)后面的下载链接进行下载 下载完成后安装
安装完成后,复制一份 C:\Program Files\OpenVPN\sample-config\client.ovpn 到 C:\Program Files\OpenVPN\config 路径下,并将导出的证书文件也存放在改路径下
编辑client.ovpn文件
需要修改
- 远端服务器地址和端口
保存并退出 双击桌面上的OpenVPN GUI 再右下角右击新出来的一个小电脑图片并选择连接
看到小图标变绿色就行
客户端至此完成
自动连接: 快捷方式右击,地址添加 --connect client.ovpn
# 第四章 静态IP
服务端配置
创建存放客户端静态IP文件夹
/usr/local/openvpn/ccd1在服务端配置文件夹路径
vim /usr/local/openvpn/server.conf # 添加 client-config-dir /usr/local/openvpn/ccd1
2
3
4cdd文件夹中的文件为对应客户端所使用的
登录名称vim /usr/local/openvpn/ccd/client-edge-service # 添加 ifconfig-push 10.8.0.2 10.8.0.31
2
3
4以上设置可配置使用
mac帐号登录的客户端ip地扯为10.8.0.2
注意事项
ifconfig-push 后面是紧跟着两个连续的成组IP地扯,以第一个为客户端的IP地扯。
可能有人会想为什么要制定两个IP,这是因为openvpn只支持255.255.255.252 的子网,而且252的子网只有两个IP,一个分配给客户端,一个留给服务器用。