OpenVPN详细搭建

OpenVPN服务搭建

2019年01月10日
Server IP:10.0.40.50/24
系统版本:CentOS Linux release 7.5.1804

参考文档

https://openvpn.net/
https://blog.rj-bai.com/post/136.html
https://blog.rj-bai.com/post/132.html
https://www.cnblogs.com/ebay/p/7444008.html
https://www.cnblogs.com/olinux/p/5159530.html
https://www.cnblogs.com/LuckWJL/p/9776433.html
https://www.cnblogs.com/xiaoyou2018/p/9522172.html
https://www.cnblogs.com/kl876435928/p/7155354.html
https://blog.csdn.net/weixin_42250094/article/details/80384863

1. 更改YUM源

更改为阿里云yum源

# mkdir /etc/yum.repos.d/bak
# mv /etc/yum.repos.d/* /etc/yum.repos.d/bak
# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
# yum clean all
# yum makecache
# yum repolist

2. 软件安装

安装 openvpn、easy-rsa

# yum install -y openvpn
# yum install -y easy-rsa
# yum install -y iptables-services

已安装:
  openvpn.x86_64 0:2.4.6-1.el7
  easy-rsa.noarch 0:3.0.3-1.el7
  iptables-services.x86_64 0:1.4.21-28.el7

作为依赖被安装:
  pkcs11-helper.x86_64 0:1.11-3.el7

作为依赖被升级:
  iptables.x86_64 0:1.4.21-28.el7

3. 复制所需文件

复制easy-rsa程序、openvpn server/client配置文件、其他所需文件至/etc/openvpn/目录,这样更便于管理

# cp -R /usr/share/easy-rsa/   /etc/openvpn/
# rm -f /etc/openvpn/easy-rsa/3
# rm -f /etc/openvpn/easy-rsa/3.0
# cp /usr/share/doc/openvpn-2.4.6/sample/sample-config-files/server.conf  /etc/openvpn/server/vpnserver.conf
# cp /usr/share/doc/openvpn-2.4.6/sample/sample-config-files/client.conf  /etc/openvpn/client/client.conf
# cp /usr/share/doc/openvpn-2.4.6/sample/sample-config-files/client.conf  /etc/openvpn/client/client.ovpn
# cp /usr/share/doc/easy-rsa-3.0.3/vars.example  /etc/openvpn/easy-rsa/3.0.3/vars

# tree /etc/openvpn
/etc/openvpn
├── client
│   ├── client.conf
│   └── client.ovpn
├── easy-rsa
│   └── 3.0.3
│       ├── easyrsa
│       ├── openssl-1.0.cnf
│       ├── vars
│       └── x509-types
│           ├── ca
│           ├── client
│           ├── COMMON
│           ├── san
│           └── server
└── server
    └── vpnserver.conf

5 directories, 11 files

4. 生成 openvpn 必备文件

# cd /etc/openvpn/easy-rsa/3.0.3/
# ./easyrsa init-pki
# ./easyrsa build-ca nopass
# ./easyrsa gen-dh
# openvpn --genkey --secret /etc/openvpn/server/ta.key

说明:

注意:build-ca 使用 nopass 会生成未加密的 CA 私钥(pki/private/ca.key),持有该文件即可签发新的客户端证书,应严格限制其读取权限。

# ./easyrsa help

# ./easyrsa help init-pki
    Removes & re-initializes the PKI dir for a clean PKI

# ./easyrsa help build-ca
    Creates a new CA
    cmd-opts is an optional set of command options from this list:
        nopass  - do not encrypt the CA key (default is encrypted)
        subca   - create a sub-CA keypair and request (default is a root CA)

# ./easyrsa help gen-dh
    Generates DH (Diffie-Hellman) parameters

# openvpn --help
    Generate a random key (only for non-TLS static key encryption mode):
    --genkey        : Generate a random key to be used as a shared secret,for use with the --secret option.
    --secret file   : Write key to file.

5. 生成 server/client 端的证书和密钥

# ./easyrsa build-server-full vpnserver nopass
# ./easyrsa build-client-full user01 nopass

说明:

# ./easyrsa help build-server-full

  build-client-full <filename_base> [ cmd-opts ]
  build-server-full <filename_base> [ cmd-opts ]
        Generate a keypair and sign locally for a client or server
        This mode uses the <filename_base> as the X509 CN.

        cmd-opts is an optional set of command options from this list:
            nopass  - do not encrypt the private key (default is encrypted)

6. 整理所需文件

# tree /etc/openvpn/
/etc/openvpn/
├── client
│   ├── client.conf
│   └── client.ovpn
├── easy-rsa
│   └── 3.0.3
│       ├── easyrsa
│       ├── openssl-1.0.cnf
│       ├── pki
│       │   ├── ca.crt  *
│       │   ├── certs_by_serial
│       │   │   ├── 5A0AF77CCAEE737ABA728B08E6E61A73.pem
│       │   │   └── E01EA2166C843FAD7E922BF9BE2587AF.pem
│       │   ├── dh.pem  *
│       │   ├── index.txt
│       │   ├── index.txt.attr
│       │   ├── index.txt.attr.old
│       │   ├── index.txt.old
│       │   ├── issued
│       │   │   ├── user01.crt  *
│       │   │   └── vpnserver.crt  *
│       │   ├── private
│       │   │   ├── ca.key  *
│       │   │   ├── user01.key  *
│       │   │   └── vpnserver.key  *
│       │   ├── reqs
│       │   │   ├── user01.req  *
│       │   │   └── vpnserver.req  *
│       │   ├── serial
│       │   └── serial.old
│       ├── vars
│       └── x509-types
│           ├── ca
│           ├── client
│           ├── COMMON
│           ├── san
│           └── server
└── server
    ├── ta.key  *
    └── vpnserver.conf

10 directories, 29 files

------------------------------------------------------------------

# cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt /etc/openvpn/server/
# cp /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem /etc/openvpn/server/
# cp /etc/openvpn/easy-rsa/3.0.3/pki/reqs/vpnserver.req /etc/openvpn/server/
# cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/vpnserver.crt /etc/openvpn/server/
# cp /etc/openvpn/easy-rsa/3.0.3/pki/private/vpnserver.key /etc/openvpn/server/

# mkdir /etc/openvpn/client/user01/
# cp /etc/openvpn/server/ta.key /etc/openvpn/client/user01/
# cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt /etc/openvpn/client/user01/
# cp /etc/openvpn/easy-rsa/3.0.3/pki/reqs/user01.req /etc/openvpn/client/user01/
# cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/user01.crt /etc/openvpn/client/user01/
# cp /etc/openvpn/easy-rsa/3.0.3/pki/private/user01.key /etc/openvpn/client/user01/

------------------------------------------------------------------

# tree /etc/openvpn/server/
/etc/openvpn/server/
├── ca.crt
├── dh.pem
├── ta.key
├── vpnserver.conf
├── vpnserver.crt
├── vpnserver.key
└── vpnserver.req

------------------------------------------------------------------

# tree /etc/openvpn/client/
/etc/openvpn/client/
├── client.conf
├── client.ovpn
└── user01
    ├── ca.crt
    ├── ta.key
    ├── user01.crt
    ├── user01.key
    └── user01.req

7. 修改配置文件

Server端配置文件为:/etc/openvpn/server/vpnserver.conf

# mv /etc/openvpn/server/vpnserver.conf /etc/openvpn/server/vpnserver.conf.bak
# vi /etc/openvpn/server/vpnserver.conf
-----------------------------------------------------------------------------
local 10.0.40.50
port 1194
proto udp
dev tun

ca /etc/openvpn/server/ca.crt
dh /etc/openvpn/server/dh.pem
key /etc/openvpn/server/vpnserver.key
cert /etc/openvpn/server/vpnserver.crt

tls-auth /etc/openvpn/server/ta.key 0
ifconfig-pool-persist /etc/openvpn/ipp.txt
log-append /var/log/openvpn.log
status /var/log/openvpn-status.log

server 10.5.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 202.106.0.20"
push "dhcp-option DNS 202.107.46.151"
push "dhcp-option DNS 114.114.114.114"
push "redirect-gateway def1 bypass-dhcp"
;push "route 10.0.0.0 255.255.0.0"
;push "route 10.5.0.0 255.255.0.0"
;push "route 10.7.0.0 255.255.0.0"
;push "route 10.8.0.0 255.255.0.0"
;push "route 10.9.0.0 255.255.0.0"

keepalive 20 120
cipher AES-256-CBC
comp-lzo
max-clients 50

persist-key
persist-tun
verb 3
-----------------------------------------------------------------------------

配置文件说明:

可参考 /etc/openvpn/server/vpnserver.conf.bak 文件

# grep -v "^#" /etc/openvpn/server/vpnserver.conf.bak | grep -v "^$"

;local a.b.c.d  -------------------------------------------#指定监听的本机IP(因为有些计算机具备多个IP地址),该命令是可选的,默认监听所有IP地址
port 1194  ------------------------------------------------#指定监听的端口号
;proto tcp  -----------------------------------------------#指定采用的传输协议,可以选择tcp或udp
proto udp
;dev tap  -------------------------------------------------#指定创建的通信隧道类型,可选tun或tap
dev tun                                                      tap俗称网桥模式,tun俗称路由模式,tap在二层,tun在三层
                                                             tap往往结合路由表进行设定下一跳,而tun则往往要和iptables集合紧密来实现下一跳。
;dev-node MyTap  ------------------------------------------#如果网络连接面板中有多个TAP-Win32适配器,需要指定适配器名称,非windows系统通常不需要
ca ca.crt  ------------------------------------------------#指定CA证书的文件路径 —— CA:根证书  SSL/TLS root certificate
cert server.crt  ------------------------------------------#指定服务器端的证书文件路径
key server.key  # This file should be kept secret  --------#指定服务器端的私钥文件路径 —— private key
                                                             每个client和server有独立的certificate/key,server和client使用相同的CA文件
dh dh2048.pem  --------------------------------------------#指定迪菲赫尔曼参数的文件路径
;topology subnet  -----------------------------------------#启用subnet模式,默认使用net30模式。
                                                             由于TAP-Win32驱动程序的TUN仿真模式的限制,
                                                             OpenVPN为每个客户端分配一个/ 30个子网,以提供与Windows客户端的兼容性。
server 10.8.0.0 255.255.255.0  ----------------------------#指定给VPN使用的网段,若是网卡桥接(双网卡),则不需要
ifconfig-pool-persist ipp.txt  ----------------------------#client被分配IP地址记录在ipp.txt,下次连接使用文件中保存的IP
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 #为以太网桥接配置服务器模式。需要先使用系统的桥接功能,将TAP接口桥接到以太网接口
;server-bridge                                               然后手动配置桥接接口的IP/netmask:10.8.0.4/255.255.255.0
                                                             最后设置预留IP范围以分配给client(start=10.8.0.50 end=10.8.0.100)
                                                             除非是以太网桥接模式,否则把这行注释掉
;push "route 192.168.10.0 255.255.255.0"  -----------------#向client推送路由,允许client到达服务器后面的其他私有子网
;push "route 192.168.20.0 255.255.255.0"                     可以push所有内网网段或者使用 push "redirect-gateway def1 bypass-dhcp" 代替
;client-config-dir ccd  -----------------------------------#附加注释(1)
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script  ----------------------------------#创建一个脚本来动态修改防火墙,以响应来自不同客户机的访问
;push "redirect-gateway def1 bypass-dhcp"  ----------------#启用会重定向所有client的默认网络通信都通过VPN,server需要启用NAT或者桥接TUN/TAP网卡
;push "dhcp-option DNS 208.67.222.222"  -------------------#特定于windows的网络设置,可以推送DNS地址到客户端
;push "dhcp-option DNS 208.67.220.220"
;client-to-client  ----------------------------------------#允许客户端与客户端相连接,默认情况下客户端只能与服务器相连接
;duplicate-cn  --------------------------------------------#允许多个客户端使用相同的certificate/key或common name连接server
                                                             建议每个客户端使用独立的certificate/key
keepalive 10 120  -----------------------------------------#每10秒ping一次,120秒未收到回复,视为对端关闭
tls-auth ta.key 0 # This file is secret  ------------------#提供额外的安全性,通过SSL/TLS,创建“HMAC防火墙”,帮助阻止DoS攻击和UDP端口泛滥
                                                             服务器端的第二个参数值为0,客户端的为1
cipher AES-256-CBC  ---------------------------------------#指定加密方式,需要与客户端一致
;compress lz4-v2  -----------------------------------------#开启VPN连接压缩,推送压缩选项到客户端(适用于 v2.4+ 版本)
;push "compress lz4-v2"
;comp-lzo  ------------------------------------------------#与旧客户端兼容的压缩,使用 comp-lzo;如果服务器端开启,客户端也必须开启
;max-clients 100  -----------------------------------------#允许的最大客户端并发连接数
;user nobody  ---------------------------------------------#运行程序的user和group。目的是:在初始化之后降低OpenVPN守护进程的特权。
;group nobody                                                可以在非windows系统上启用
persist-key  ----------------------------------------------#persist选项可以尽量避免访问在重启时由于用户权限降低而无法访问某些资源
persist-tun
status openvpn-status.log  --------------------------------#连接状态日志文件显示当前连接,每分钟重写
;log         openvpn.log  ---------------------------------#将log信息记录在文件,每次覆盖。log-append是将log信息追加到文件
;log-append  openvpn.log                                     log和log-append不能同时启用
verb 3  ---------------------------------------------------#指定日志文件的记录详细级别,可选0-9,等级越高日志内容越详细
                                                             0 is silent, except for fatal errors:除了致命错误不记录
                                                             4 is reasonable for general usage:一般使用较为合理
                                                             5 and 6 can help to debug connection problems:可以帮助调试连接问题
                                                             9 is extremely verbose:非常详细的
;mute 20  -------------------------------------------------#日志最多记录20条同一类别的连续消息
explicit-exit-notify 1  -----------------------------------#当服务器重新启动时通知客户端,以便它能够自动重新连接

-----------------------------------------------------------------------------------------------------------

(1) 要将特定的IP地址分配给特定的客户端,或者如果连接的客户端背后有一个私有子网,该子网也应该具有VPN访问权限,
    对于特定于客户机的配置文件,使用子目录“ccd”

    示例:假设客户端具有证书公用名“BitZ”,在他的连接机器后面也有一个小的子网:192.168.40.128/255.255.255.248
    首先,取消注释这些行:
    ;client-config-dir ccd
    ;route 192.168.40.128 255.255.255.248
    然后创建一个 ccd/BitZ 文件,with this line:
    iroute 192.168.40.128 255.255.255.248
    这将允许 BitZ 的私有子网访问VPN。
    这个示例只在路由而不是桥接的情况下才有效,例如,您正在使用“dev tun”和“server”指令

    假设您想给 BitZ 一个固定的VPN IP地址:10.9.0.1
    首先,取消注释这些行:
    ;client-config-dir ccd
    ;route 10.9.0.0 255.255.255.252
    然后将这一行添加到 ccd/BitZ 文件:
    ifconfig-push 10.9.0.1 10.9.0.2

(2) push "redirect-gateway def1 bypass-dhcp" 和 push "route 10.0.0.0 255.255.0.0" 两种方式选一种即可实现互通:前者将客户端的全部流量经 VPN 转发,后者仅向客户端推送内网网段的路由

8. 开启路由转发

根据配置文件可知:
Server地址为10.0.40.50
client获取到的IP为10.5.0.0/24网段
要想实现Client与Server所在内网互通,需要Server开启路由转发、并将Client地址NAT为Server的内网地址

# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
# sysctl -p

9. 配置NAT

Linux的NAT是通过netfilter实现的,iptables和firewalld则是netfilter的管理工具
这里使用iptables来实现NAT功能

(1) 安装 iptables 服务

# yum install -y iptables iptables-services

(2) iptables放行openvpn流量

注意:下面将 OUTPUT 默认策略设为 DROP 且仅放行源为 10.0.40.50 的 ESTABLISHED 流量,服务器自身发起的新连接(如 yum)会被拦截;如需保留,请在设置默认策略前补充相应放行规则。

# iptables -t filter -A OUTPUT -s 10.0.40.50 -m state --state ESTABLISHED -j ACCEPT
# iptables -t filter -A INPUT -d 10.0.40.50 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -t filter -A INPUT -d 10.0.40.50 -p tcp --dport 22 -m state --state NEW -j ACCEPT
# iptables -t filter -A INPUT -d 10.0.40.50 -p udp --dport 1194 -m state --state NEW -j ACCEPT
# iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -i tun0 -m state --state NEW -j ACCEPT
# iptables -t filter -P INPUT DROP
# iptables -t filter -P OUTPUT DROP
# iptables -t filter -P FORWARD DROP

(3) iptables实现NAT

# iptables -t nat -A POSTROUTING -s 10.5.0.0/24 -o ens32 -j MASQUERADE

(4) iptables配置保存

# service iptables save
# systemctl enable iptables

10. 开启openvpn服务

# systemctl start openvpn-server@vpnserver
# systemctl enable openvpn-server@vpnserver
服务启动方式参照文档 /usr/share/doc/openvpn-2.4.6/README.systemd

# more /usr/share/doc/openvpn-2.4.6/README.systemd 
-----------------------------------------------------------------------------
    Say your server configuration is /etc/openvpn/server/tun0.conf, 
    you start this VPN service like this:
        # systemctl start openvpn-server@tun0

    A client configuration file in /etc/openvpn/client/corpvpn.conf 
    is started like this:
        # systemctl start openvpn-client@corpvpn
-----------------------------------------------------------------------------

11. 配置客户端

客户端需要的文件为 /etc/openvpn/client/user01/ 下的文件(ca.crt、ta.key、user01.crt、user01.key;user01.req 仅为签发时的请求文件,客户端不需要),以及客户端的配置文件。其中 user01.key 和 ta.key 为私密文件,应通过安全渠道分发。

(1) 配置客户端配置文件

Client端的配置文件,Windows和Mac是.ovpn格式的文件,Linux是.conf格式的文件。注意:下面的示例未包含 remote-cert-tls server,其作用见后文配置文件说明,建议加上。

vi /etc/openvpn/client/user01/user01.ovpn
-----------------------------------------------------------------------------
client
dev tun
proto udp
remote 10.0.40.50 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert user01.crt
key user01.key
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
-----------------------------------------------------------------------------

配置文件说明:

可参考 /etc/openvpn/client/client.conf 文件:

# grep -v "^#" /etc/openvpn/client/client.conf | grep -v "^$"

client  ----------------------------------#指定为客户端模式,并从服务器获取某些配置文件指令
;dev tap  --------------------------------#tap/tun模式,和server端保持一致
dev tun
;dev-node MyTap  -------------------------#windows下 如果网络连接面板中有多个TAP-Win32适配器,需要指定适配器名称
;proto tcp  ------------------------------#使用TCP/UDP协议,和server端保持一致
proto udp
remote my-server-1 1194  -----------------#server端的 hostname/IP 和端口号,可以有多条
;remote my-server-2 1194
;remote-random  --------------------------#为实现负载和冗余,从列表中随机选择一个主机连接,否则按照指定顺序尝试连接
resolv-retry infinite  -------------------#不断的解析server的域名(如果remote后面是hostname)
nobind  ----------------------------------#不绑定到指定端口
;user nobody  ----------------------------#运行程序的user和group,降低初始化后特权(非windows系统适用)
;group nobody
persist-key  -----------------------------#尝试在重新启动时维持原有状态。
persist-tun
;http-proxy-retry  -----------------------#连接失败后重连(http-proxy下)
;http-proxy [proxy server] [proxy port #] #附加注释(1)
;mute-replay-warnings  -------------------#无线网络经常产生大量重复的数据包,设置此标志以使重复数据包警告静默
ca ca.crt  -------------------------------#指定ca文件
cert client.crt  -------------------------#指定client的证书文件
key client.key  --------------------------#指定client的私钥文件
remote-cert-tls server  ------------------#通过检查证书是否具有正确的密钥用法集来验证服务器证书,这是一个重要的预防措施,以防止潜在的攻击
tls-auth ta.key 1  -----------------------#若server端启用,则client端启用
cipher AES-256-CBC  ----------------------#指定加密方式,和server端保持一致
comp-lzo  --------------------------------#启用压缩,和server端保持一致
verb 3  ----------------------------------#设置日志详细等级(0-9)
;mute 20  --------------------------------#最大重复消息条数

-----------------------------------------------------------------------------------------------------------

(1) 若使用http代理连接vpn,代理地址和端口写在下面
    若代理需要身份验证,使用
    http-proxy [proxy server] [proxy port #] [authfile] [auth-method]
    authfile是一个两行文件,username、password各占一行
    auth-method可以省略

(2) 下载客户端所需文件

cd /etc/openvpn/client/user01
tar -cvf user01.tar *
sz user01.tar

12. 验证

安装OpenVPN软件

OpenVPN 下载:https://openvpn.net/community-downloads/

将客户端所需文件解压至指定目录:

文件解压至 C:\Program Files (x86)\OpenVPN\config\ 下
目录结构如下:
------------------------------------------------------------
C:\>dir "C:\Program Files (x86)\OpenVPN\config\user01"
 驱动器 C 中的卷没有标签。
 卷的序列号是 B423-C4B8

 C:\Program Files (x86)\OpenVPN\config\user01 的目录

2019/01/11  19:42    <DIR>          .
2019/01/11  19:42    <DIR>          ..
2019/01/10  19:24             1,172 ca.crt
2019/01/11  11:37               636 ta.key
2019/01/10  19:24             4,432 user01.crt
2019/01/10  19:24             1,704 user01.key
2019/01/11  15:17               200 user01.ovpn
2019/01/10  19:24               887 user01.req
               6 个文件          9,031 字节
               2 个目录 41,563,455,488 可用字节
------------------------------------------------------------

安装、配置完成后,需要以管理员身份打开程序。
连接成功后便可在局域网外部访问Server端局域网资源。

MAC电脑,推荐使用 Viscosity
安装完成后双击 user01.ovpn 文件即可完成配置。

将内网 VPN Server 的地址(UDP 1194)映射到外网后,把 client 配置文件中 remote 的地址改为映射后的外网地址。


13. 注销用户(吊销证书)

# cd /etc/openvpn/easy-rsa/3.0.3
# ./easyrsa revoke user01
# ./easyrsa gen-crl

说明:

# ./easyrsa help revoke

Note: using Easy-RSA configuration from: ./vars

  revoke <filename_base>
      Revoke a certificate specified by the filename_base
----------------------------------------------------------
# ./easyrsa help gen-crl

Note: using Easy-RSA configuration from: ./vars

  gen-crl
      Generate a CRL

执行上述命令后用户证书不会被删除,只是更新了crl.pem文件
查看所有用户证书信息使用:

# find /etc/openvpn/ -type f -name "index.txt" | xargs cat
V       290107111118Z           E01EA2166C843FAD7E922BF9BE2587AF        unknown /CN=vpnserver
R       290107111134Z   190115093548Z   5A0AF77CCAEE737ABA728B08E6E61A73        unknown /CN=user01
V       290110134443Z           109BFE9E188C59791EAB659EE0F0DC7A        unknown /CN=Haoduoyou
R       290112094349Z   190115095035Z   AC685398CAB2352184FD5252E5891E8F        unknown /CN=user02

V 表示有效(Valid),R 表示已吊销(Revoked)

现在 user01 的证书仍可以连接到服务器,需要告知服务端 crl.pem 的位置

# vim /etc/openvpn/server/vpnserver.conf

crl-verify /etc/openvpn/easy-rsa/3.0.3/pki/crl.pem

# systemctl restart openvpn-server@vpnserver

14. 命令粘贴

注意:下面的 server 端 port 与 client 端 remote 使用 8888,而第 9 节及下方 iptables 规则放行的是 udp 1194(INPUT 默认策略为 DROP),两处端口需保持一致。

mkdir /etc/yum.repos.d/bak
mv /etc/yum.repos.d/* /etc/yum.repos.d/bak
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

yum install -y openvpn easy-rsa

cp -R /usr/share/easy-rsa/   /etc/openvpn/
rm -f /etc/openvpn/easy-rsa/3
rm -f /etc/openvpn/easy-rsa/3.0
cp /usr/share/doc/openvpn-2.4.6/sample/sample-config-files/server.conf  /etc/openvpn/server/vpnserver.conf
cp /usr/share/doc/openvpn-2.4.6/sample/sample-config-files/client.conf  /etc/openvpn/client/client.conf
cp /usr/share/doc/openvpn-2.4.6/sample/sample-config-files/client.conf  /etc/openvpn/client/client.ovpn
cp /usr/share/doc/easy-rsa-3.0.3/vars.example  /etc/openvpn/easy-rsa/3.0.3/vars

cd /etc/openvpn/easy-rsa/3.0.3/
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-dh
openvpn --genkey --secret /etc/openvpn/server/ta.key

./easyrsa build-server-full vpnserver nopass
./easyrsa build-client-full user01 nopass

cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt /etc/openvpn/server/
cp /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem /etc/openvpn/server/
cp /etc/openvpn/easy-rsa/3.0.3/pki/reqs/vpnserver.req /etc/openvpn/server/
cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/vpnserver.crt /etc/openvpn/server/
cp /etc/openvpn/easy-rsa/3.0.3/pki/private/vpnserver.key /etc/openvpn/server/

mkdir /etc/openvpn/client/user01/
cp /etc/openvpn/server/ta.key /etc/openvpn/client/user01/
cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt /etc/openvpn/client/user01/
cp /etc/openvpn/easy-rsa/3.0.3/pki/reqs/user01.req /etc/openvpn/client/user01/
cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/user01.crt /etc/openvpn/client/user01/
cp /etc/openvpn/easy-rsa/3.0.3/pki/private/user01.key /etc/openvpn/client/user01/

mv /etc/openvpn/server/vpnserver.conf /etc/openvpn/server/vpnserver.conf.bak
vi /etc/openvpn/server/vpnserver.conf
************************************************************************************************************
local 10.0.40.50
port 8888
proto udp
dev tun

ca /etc/openvpn/server/ca.crt
dh /etc/openvpn/server/dh.pem
key /etc/openvpn/server/vpnserver.key
cert /etc/openvpn/server/vpnserver.crt

tls-auth /etc/openvpn/server/ta.key 0
ifconfig-pool-persist /etc/openvpn/ipp.txt
log-append /var/log/openvpn.log
status /var/log/openvpn-status.log

server 10.5.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 202.106.0.20"
push "dhcp-option DNS 202.107.46.151"
push "dhcp-option DNS 114.114.114.114"
push "redirect-gateway def1 bypass-dhcp"
;push "route 10.0.0.0 255.255.0.0"
;push "route 10.5.0.0 255.255.0.0"
;push "route 10.7.0.0 255.255.0.0"
;push "route 10.8.0.0 255.255.0.0"
;push "route 10.9.0.0 255.255.0.0"

keepalive 20 120
cipher AES-256-CBC
comp-lzo
max-clients 50

persist-key
persist-tun
verb 3
************************************************************************************************************

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p

yum install -y iptables-services
iptables -t filter -A OUTPUT -s 10.0.40.50 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -d 10.0.40.50 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -d 10.0.40.50 -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -t filter -A INPUT -d 10.0.40.50 -p udp --dport 1194 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i tun0 -m state --state NEW -j ACCEPT
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t nat -A POSTROUTING -s 10.5.0.0/24 -o ens32 -j MASQUERADE

service iptables save
systemctl enable iptables
systemctl start openvpn-server@vpnserver
systemctl enable openvpn-server@vpnserver

vi /etc/openvpn/client/user01/user01.ovpn
************************************************************************************************************
client
dev tun
proto udp
remote 10.0.40.50 8888
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert user01.crt
key user01.key
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
************************************************************************************************************

cd /etc/openvpn/client/user01
tar -cvf user01.tar *
yum install -y lrzsz
sz user01.tar

cd /etc/openvpn/easy-rsa/3.0.3
./easyrsa revoke user01
./easyrsa gen-crl
vim /etc/openvpn/server/vpnserver.conf

crl-verify /etc/openvpn/easy-rsa/3.0.3/pki/crl.pem

systemctl restart openvpn-server@vpnserver

转载自www.cnblogs.com/haoduoyou/p/10275755.html