1. Client-server routing mode
Uses tun, OpenSSL and lzo compression; certificates are generated with Easy-RSA; SELinux is disabled and the clock is synchronized.

# 1 Install
yum install openvpn easy-rsa -y

# 2 Configuration files
cp /usr/share/doc/openvpn-2.4.7/sample/sample-config-files/server.conf /etc/openvpn/
cp -r /usr/share/easy-rsa/ /etc/openvpn/
cp /usr/share/doc/easy-rsa-3.0.3/vars.example /etc/openvpn/easy-rsa/3.0.3/vars
cd /etc/openvpn/easy-rsa/3.0.3/

Directory structure:
├── easyrsa
├── openssl-1.0.cnf
├── vars
└── x509-types
    ├── ca
    ├── client
    ├── COMMON
    ├── san
    └── server

# 3 Create the PKI and the CA (issuing authority), working in /etc/openvpn/easy-rsa/3.0.3/
./easyrsa init-pki   # initializes the PKI and creates the empty directories reqs and private

# 4 Create the CA
./easyrsa build-ca nopass   # press Enter at the prompts
ll /etc/openvpn/easy-rsa/3.0.3/pki/private/ca.key

# 5 Create the server private key and certificate request
./easyrsa gen-req server nopass   # generates the server key and the certificate request file
ll /etc/openvpn/easy-rsa/3.0.3/pki/private/server.key
ll /etc/openvpn/easy-rsa/3.0.3/pki/reqs/server.req

# 6 Issue the server certificate
./easyrsa sign-req server server
ls /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt

# 7 Create the Diffie-Hellman parameters; both sides use them to negotiate the "symmetric encryption" key for the subsequent data transfer
./easyrsa gen-dh
ll /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem

# 8 Client certificate
cp -r /usr/share/easy-rsa/ /etc/openvpn/client/
cp /usr/share/doc/easy-rsa-3.0.3/vars.example /etc/openvpn/client/easy-rsa/vars
cd /etc/openvpn/client/easy-rsa/3.0.3
./easyrsa init-pki   # generates the pki directory
cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt .
Client certificate generation (in /etc/openvpn/client/easy-rsa/3.0.3):
./easyrsa gen-req zhangshijie nopass   # omit nopass to protect the key with a passphrase
req: /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/zhangshijie.req
key: /etc/openvpn/client/easy-rsa/3.0.3/pki/private/zhangshijie.key

Issue the client certificate: go to the CA directory
cd /etc/openvpn/easy-rsa/3.0.3/
Import the client request file (Easy-RSA takes the request path first, then the short name)
./easyrsa import-req /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/zhangshijie.req zhangshijie
./easyrsa sign-req client zhangshijie
This generates /etc/openvpn/easy-rsa/3.0.3/pki/issued/zhangshijie.crt

# Collect the certificates: server-side certificate and key directory
mkdir /etc/openvpn/certs
cd /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt .
cp /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem .
cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt .
cp /etc/openvpn/easy-rsa/3.0.3/pki/private/server.key .
├── ca.crt
├── dh.pem
├── server.crt
└── server.key

Client public key and private key
mkdir /etc/openvpn/client/zhangshijie/
cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt /etc/openvpn/client/zhangshijie/
cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/zhangshijie.crt /etc/openvpn/client/zhangshijie/
cp /etc/openvpn/client/easy-rsa/3.0.3/pki/private/zhangshijie.key /etc/openvpn/client/zhangshijie/

# Server-side configuration file
grep -v "#" /etc/openvpn/server.conf | grep -v "^$"
local 172.20.134.25   # IP address this machine listens on
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
server 192.168.36.0 255.255.255.0   # address pool handed out to VPN clients
push "route 10.20.0.0 255.255.0.0"   # internal network segment, pushed as a route to the clients
keepalive 10 120
cipher AES-256-CBC
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20

# Start OpenVPN
systemctl start openvpn@server
ss -tnl   # check that the port is listening
systemctl stop firewalld
systemctl disable firewalld
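The NAT rule in the iptables step that follows has to be written for the same subnet that the server directive hands out (192.168.36.0 255.255.255.0 here). A POSTROUTING rule for a different pool leaves client traffic un-NATed on the way into the internal network, and the replies then have no route back. The script below is an added example, not part of the original post: it derives the POSTROUTING rule from server.conf and flags a rule whose source does not match. The server.conf it writes to a temp file is constructed from the directives listed above, and the function names (mask_to_prefix, vpn_subnet_from_conf, nat_rule_for_conf, nat_rule_matches_conf) are my own.

```shell
#!/bin/sh
# Added example (not from the original post): derive the NAT source subnet for
# POSTROUTING from the "server" directive in server.conf, so the iptables rule
# cannot drift away from the address pool OpenVPN actually hands out.

# Convert a dotted-decimal netmask to a prefix length (255.255.255.0 -> 24).
mask_to_prefix() {
    echo "$1" | awk -F. '{
        bits = 0
        for (i = 1; i <= 4; i++) {
            n = $i + 0
            if (n < 0 || n > 255) { exit 1 }
            while (n > 0) { bits += n % 2; n = int(n / 2) }
        }
        print bits
    }'
}

# Print "network/prefix" taken from the first "server" line of a server.conf.
vpn_subnet_from_conf() {
    conf="$1"
    set -- $(awk '$1 == "server" { print $2, $3; exit }' "$conf")
    [ -n "$1" ] && [ -n "$2" ] || { echo "no server directive in $conf" >&2; return 1; }
    echo "$1/$(mask_to_prefix "$2")"
}

# Print the POSTROUTING rule that belongs to that subnet.
nat_rule_for_conf() {
    subnet=$(vpn_subnet_from_conf "$1") || return 1
    echo "iptables -t nat -A POSTROUTING -s $subnet -j MASQUERADE"
}

# Succeed only if an existing rule's source equals the configured client pool.
nat_rule_matches_conf() {
    rule_src="$1"
    [ "$rule_src" = "$(vpn_subnet_from_conf "$2")" ]
}

# Constructed sample server.conf mirroring the directives shown in the post.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
local 172.20.134.25
port 1194
proto tcp
dev tun
server 192.168.36.0 255.255.255.0
push "route 10.20.0.0 255.255.0.0"
EOF

# Rule that should be installed for this server.conf.
nat_rule_for_conf "$SAMPLE_CONF"

# A rule written for the usual 10.8.0.0/16 template pool does not match this pool.
nat_rule_matches_conf 10.8.0.0/16 "$SAMPLE_CONF" && echo "match" || echo "drift: 10.8.0.0/16 is not the server subnet"
```

Run it against the real /etc/openvpn/server.conf (pass the path to nat_rule_for_conf) before issuing the iptables command, and compare the printed source with what `iptables -t nat -vnL POSTROUTING` already shows.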
# iptables service
yum install iptables-services -y
systemctl enable iptables.service
systemctl start iptables.service

# Flush all existing rules
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z

# Enable routing (IP forwarding)
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p

# iptables rules
iptables -t nat -A POSTROUTING -s 192.168.36.0/24 -j MASQUERADE   # source is the client pool configured by the server directive (192.168.36.0 255.255.255.0)
iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
service iptables save
iptables -vnL
mkdir /var/log/openvpn
chown nobody.nobody /var/log/openvpn

# Client configuration file
cd /etc/openvpn/client/zhangshijie
grep -Ev "^(#|$|;)" /usr/share/doc/openvpn-2.4.7/sample/sample-config-files/client.conf
client
dev tun
proto udp
remote my-server-1-ip 1194   # fill in the server IP
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client-name.crt
key client-name.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3

When adapting this sample for the user, point ca, cert and key at the copied files and set proto to match the server (tcp above). The sample's "tls-auth ta.key 1" line refers to a shared HMAC key that this setup never generated and that the server.conf does not configure; remove that line (or configure tls-auth on both sides), otherwise the client cannot connect.

tree /etc/openvpn/client/zhangshijie/
/etc/openvpn/client/zhangshijie/
├── ca.crt
├── client.ovpn
├── zhangshijie.crt
└── zhangshijie.key

Client software: after installing it, run it with administrator rights. In Device Manager, check that the newly added TAP adapter and its driver are working, and pay attention to the version number. Copy the user's certificate, private key and configuration file into the client's config directory and start the program. Test: in cmd, run route -n, then ping a server on the internal network.

Common errors:

# Error 1: CreateFile failed on TAP device. All TAP-Win32 adapters on this system are currently in use.
Solution: in Device Manager, open the TAP device's properties and check whether the network card driver is normal. Uninstall the software, reboot the machine and download the appropriate version of the software: https://build.openvpn.net/downloads/releases/latest/openvpn-install-latest-winxp-x86_64.exe

# Error 2: Route addition fallback to route.exe. ERROR: Windows route add command failed [adaptive]: returned error code 1
Solution: this is caused by not installing and starting OpenVPN GUI with administrator privileges. On Vista / Win7 / Win2003 / Win2008 and similar systems the OpenVPN process does not have the permissions needed to modify the system routing table. Reinstall OpenVPN with administrator privileges and start OpenVPN GUI with administrator privileges (right-click, run as administrator); on some systems it also has to be opened in Vista-or-later compatibility mode.

# Error 3: There are no TAP-Win32 adapters on this system. You should be able to create a TAP-Win32 adapter by going to Start -> All Programs -> OpenVPN -> Add a new TAP-Win32 virtual ethernet adapter.
On Vista / Win7 / Win10, run it with administrator privileges.

Note: I first thought a route back to the vpn-server had to be added on the internal-network hosts before the client could reach them, and after adding it the test worked. After a reboot the route was gone and the client could still reach the internal network, so the route is not needed: the traffic leaves through the server's internal-network card, and its source address is also an internal-network address.
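Instead of shipping ca.crt, zhangshijie.crt, zhangshijie.key and a separate client.ovpn to the Windows client's config directory, the three PEM files can be inlined into a single profile, which also removes the chance of the client picking up a stale copy of one of them. The script below is an added example, not part of the original post: build_client_ovpn reads the per-user directory created above, emits the sample client.conf directives adapted to the server.conf (proto tcp, cipher AES-256-CBC, remote-cert-tls server, and no tls-auth line because the server has none), and refuses to run if any of the three files is missing or empty. The placeholder PEM bodies in the demo at the bottom are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): assemble one client.ovpn with the
# CA, client certificate and key inlined, from /etc/openvpn/client/<user>/.

# build_client_ovpn <user_dir> <user> <server_ip> <port> <proto>  > client.ovpn
build_client_ovpn() {
    dir="$1"; user="$2"; server_ip="$3"; port="$4"; proto="$5"
    # Refuse to emit a profile that would be missing one of its three PEM blocks.
    for f in "$dir/ca.crt" "$dir/$user.crt" "$dir/$user.key"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    # Directives match the server.conf in the post: tun, AES-256-CBC, no tls-auth,
    # so the sample's "tls-auth ta.key 1" line is deliberately left out.
    printf '%s\n' \
        "client" \
        "dev tun" \
        "proto $proto" \
        "remote $server_ip $port" \
        "resolv-retry infinite" \
        "nobind" \
        "persist-key" \
        "persist-tun" \
        "remote-cert-tls server" \
        "cipher AES-256-CBC" \
        "verb 3"
    # Inline blocks replace the "ca ca.crt" / "cert ..." / "key ..." file references.
    for tag in ca cert key; do
        case $tag in
            ca)   src="$dir/ca.crt" ;;
            cert) src="$dir/$user.crt" ;;
            key)  src="$dir/$user.key" ;;
        esac
        printf '<%s>\n' "$tag"
        cat "$src"
        printf '</%s>\n' "$tag"
    done
}

# Count the opening and closing inline-block tags in a generated profile (6 when complete).
count_inline_blocks() {
    grep -c -E '^</?(ca|cert|key)>$' "$1"
}

# Constructed demo: placeholder PEM bodies stand in for the real files.
DEMO_DIR=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'DEMO-CA' '-----END CERTIFICATE-----' > "$DEMO_DIR/ca.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'DEMO-CLIENT' '-----END CERTIFICATE-----' > "$DEMO_DIR/zhangshijie.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'DEMO-KEY' '-----END PRIVATE KEY-----' > "$DEMO_DIR/zhangshijie.key"
build_client_ovpn "$DEMO_DIR" zhangshijie 172.20.134.25 1194 tcp > "$DEMO_DIR/client.ovpn"
cat "$DEMO_DIR/client.ovpn"
```

On the server, `build_client_ovpn /etc/openvpn/client/zhangshijie zhangshijie 172.20.134.25 1194 tcp > zhangshijie.ovpn` produces the single file to hand to the user; the private key is inside it, so transfer it over a protected channel and delete local copies once the client is set up.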
2. OpenVPN server bridge mode
3. OpenVPN server routing mode + password authentication + MySQL
Various modes
To be continued...