***This document uses OpenVPN in routed mode***

### System and roles

|Role|System and version|
|:---:|:---:|
|Server|CentOS 8|
|Client|Windows 10|

### Software and versions

|Software|Version|
|:---:|:---:|
|openvpn|2.4.10|
|easy-rsa|3.0.8|

## Install required packages

```bash
yum install -y epel-release
yum update -y
yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel
```

## Install openvpn and easy-rsa

```bash
yum install -y openvpn easy-rsa
```

## Choose the private subnet

*The VPN subnet used for server-client tunnel traffic; it must not overlap with any existing network.*

Default: 10.8.0.0/16

## Generate certificates and keys

*The easy-rsa 3.x procedure is as follows*

```bash
cp -rf /usr/share/easy-rsa/3.0.8 /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
## Initialise the PKI directory
./easyrsa init-pki
## Build the CA certificate and key without a passphrase; a CN must be entered
./easyrsa build-ca nopass
## Build the server certificate and key
./easyrsa build-server-full server nopass
## Build the client certificates and keys
./easyrsa build-client-full client1 nopass
./easyrsa build-client-full client2 nopass
## Generate dh.pem (may take several minutes)
./easyrsa gen-dh
## Generate ta.key (the tls-auth HMAC key)
openvpn --genkey --secret ta.key
```

*The easy-rsa 2.x procedure is as follows*

```bash
. ./vars
./clean-all
./build-ca
./build-key-server server
./build-key client1
./build-key client2
./build-dh
openvpn --genkey --secret ta.key
```

## Configure the server

### Create the required directories

```bash
# Log directory
mkdir -p /var/log/openvpn/
# User management directory
mkdir -p /etc/openvpn/server/user
# Set ownership
chown openvpn:openvpn /var/log/openvpn
```

### Create the server configuration file

*Edit /etc/openvpn/server/server.conf*

```bash
#################################################
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################
port 30003
proto tcp-server
## Enable the management interface
# management-client-auth
# management localhost 7505 /etc/openvpn/user/management-file
dev tun                 # TUN/TAP virtual network device
user openvpn
group openvpn
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
tls-auth /etc/openvpn/easy-rsa/ta.key 0
## Using system user auth.
# plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
## Using a script plugin
auth-user-pass-verify /etc/openvpn/server/user/checkpsw.sh via-env
script-security 3       # level 3 is required for via-env
# client-cert-not-required      # Deprecated option
verify-client-cert require      # replaces client-cert-not-required; clients still present a certificate
username-as-common-name
## Allow connecting clients to reach each other over the VPN.
client-to-client
## Allow multiple clients with the same common name to connect concurrently.
duplicate-cn
# client-config-dir /etc/openvpn/server/ccd
# ifconfig-pool-persist ipp.txt
server 10.8.8.0 255.255.255.0
push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 1.1.1.1"
push "route 172.19.0.0 255.255.0.0"
ifconfig-pool-persist ipp.txt
# comp-lzo - DEPRECATED This option will be removed in a future OpenVPN release. Use the newer --compress instead.
compress lzo
push "compress lzo"
# cipher AES-256-CBC
ncp-ciphers "AES-256-GCM:AES-128-GCM"
## In UDP client mode or point-to-point mode, send server/peer an exit notification if tunnel is restarted or OpenVPN process is exited.
# explicit-exit-notify 1
keepalive 10 120
persist-key
persist-tun
verb 3
log /var/log/openvpn/server.log
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log
```

### Create the symlink

***The openvpn-server@ systemd unit reads %i.conf from /etc/openvpn/server; with the instance name used below (`openvpn-server@.service`) the file it reads is .service.conf***

```bash
cd /etc/openvpn/server
ln -sf server.conf .service.conf
```

The checkpsw.sh file referenced above (***the password-checking script***) has the following content:

*/etc/openvpn/server/user/checkpsw.sh*

```bash
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# OpenVPN runs it through "auth-user-pass-verify ... via-env", so the
# submitted credentials arrive in the environment variables $username
# and $password. Exit status 0 accepts the login, 1 rejects it.

PASSFILE="/etc/openvpn/server/user/psw-file"
LOG_FILE="/var/log/openvpn/password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
  exit 1
fi

# Look up the user's password; lines starting with ';' or '#' are comments.
# The username is handed to awk as a variable instead of being spliced into
# the program text, so quotes in a submitted username cannot alter the awk program.
CORRECT_PASSWORD=`awk -v u="${username}" '!/^;/&&!/^#/&&$1==u{print $2;exit}' "${PASSFILE}"`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
  exit 0
fi

# The submitted password is deliberately not written to the log.
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
exit 1
```

The user password file must be created:

*/etc/openvpn/server/user/psw-file*

```bash
# Format:
# username password
opm probe.cc
```

Set permissions on psw-file

```bash
chmod 600 /etc/openvpn/server/user/psw-file
chown openvpn:openvpn /etc/openvpn/server/user/psw-file
```

The ipp.txt file (*in the same directory as server.conf*) has the following content:

```bash
# Format:
# username,ip
opm,10.8.8.8
```

### Firewall configuration

```bash
firewall-cmd --permanent --add-masquerade
firewall-cmd --permanent --add-service=openvpn
# Or open the custom port set in server.conf (the openvpn service entry only covers the default port 1194)
# firewall-cmd --permanent --add-port=30003/tcp
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.8.0/24 -o eth0 -j MASQUERADE
firewall-cmd --reload
```

### Start the service

```bash
# Find the service name
rpm -ql openvpn | grep service
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/lib/systemd/system/openvpn@.service
# Start
systemctl start openvpn-server@.service.service
```

## Install and configure the client

### Install openvpn

*Omitted*

## Configure the client

***Download ca.crt, client1.crt, client1.key and ta.key to the client's configuration directory***

*The client configuration file client.ovpn has the following content*

```bash
client                  # act as a client and pull the server-pushed options
proto tcp-client
dev tun
auth-user-pass
# Replace publicIP below with the OpenVPN server's IP address or domain name; the port is the one configured on the server
remote publicIP 30003
# The certificates and key can simply be placed in the same directory as client.ovpn
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
remote-cert-tls server
auth-nocache
persist-tun
persist-key
compress lzo
verb 4
mute 10
```

## Other

The client configuration file and log file paths are set as follows
1. Right-click the ![avatar](./images/logo.png) icon in the bottom-right corner of the desktop and choose "Options..." from the pop-up menu, as shown below

![avatar](./images/options.png)

2. In the "OpenVPN - Settings" window, click "Advanced" and choose the configuration file folder and the log file folder, as shown below

![avatar](./images/set.png)
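The checkpsw.sh script in the server section compares the submitted password against a plaintext psw-file. As an added example (not the page's script and not an OpenVPN project file), the following Python hook does the same job for `auth-user-pass-verify ... via-env`, but stores salted PBKDF2 hashes instead of cleartext passwords, compares them in constant time, spends the same work on unknown users as on known ones, and never writes the submitted password to the log. The hashed-file format, the path `/etc/openvpn/server/user/psw-hashed`, the `make_entry` helper and the admin command-line usage are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Hashed-password hook for "auth-user-pass-verify <this file> via-env".

Added example, not the page's checkpsw.sh. OpenVPN exports the submitted
credentials as the environment variables "username" and "password" and
treats exit status 0 as "accept", anything else as "reject".

Assumed (hypothetical) file format, one user per line, '#'/';' comments allowed:
    username:pbkdf2_sha256:<iterations>:<salt hex>:<hash hex>
"""
import hashlib
import hmac
import os
import secrets
import sys
from datetime import datetime

ITERATIONS = 600_000                                  # PBKDF2-HMAC-SHA256 work factor
HASH_FILE = "/etc/openvpn/server/user/psw-hashed"     # assumed path, not from the page
LOG_FILE = "/var/log/openvpn/password.log"            # same log the page's script uses
DUMMY_SALT = b"\x00" * 16


def make_entry(username, password, iterations=ITERATIONS, salt=None):
    """Return one file line for a user (run once when adding the user)."""
    if not username or ":" in username:
        raise ValueError("username must be non-empty and must not contain ':'")
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{username}:pbkdf2_sha256:{iterations}:{salt.hex()}:{digest.hex()}"


def verify(username, password, lines):
    """True only if the user exists and the password matches its stored hash.

    hmac.compare_digest keeps the comparison constant-time, and an unknown
    user still pays one PBKDF2 evaluation, so "no such user" and "wrong
    password" cannot be told apart by response time.
    """
    record = None
    for line in lines:
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split(":")
        if len(parts) == 5 and parts[0] == username and parts[1] == "pbkdf2_sha256":
            record = parts
            break
    if record is None:
        hashlib.pbkdf2_hmac("sha256", password.encode(), DUMMY_SALT, ITERATIONS)
        return False
    iterations = int(record[2])
    salt, expected = bytes.fromhex(record[3]), bytes.fromhex(record[4])
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(actual, expected)


def log(message):
    """Append a timestamped line; the password itself is never logged."""
    stamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    with open(LOG_FILE, "a") as fh:
        fh.write(f"{stamp}: {message}\n")


def main():
    username = os.environ.get("username", "")
    password = os.environ.get("password", "")
    try:
        with open(HASH_FILE) as fh:
            ok = verify(username, password, fh)
    except OSError as exc:
        log(f"could not read {HASH_FILE}: {exc}")
        return 1
    log(f"{'accepted' if ok else 'rejected'} login for username={username!r}")
    return 0 if ok else 1


if __name__ == "__main__":
    if len(sys.argv) == 3:      # hypothetical admin use: ./hook.py <user> <password> prints a file line
        print(make_entry(sys.argv[1], sys.argv[2]))
    else:
        sys.exit(main())
```

Point `auth-user-pass-verify` at this file (it must be executable and readable by the `openvpn` user) and give the hashed file the same `chmod 600` / `chown openvpn:openvpn` treatment the page applies to psw-file; the hash file is still sensitive, only far less so than cleartext passwords.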
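server.conf writes a status file (`status /var/log/openvpn/status.log`) and enables `duplicate-cn`, so one set of credentials can be connected from several places at the same time and ipp.txt cannot pin every session to its address. As an added example, not from the page or the OpenVPN project, the reader below parses the default version-1 status layout, counts live sessions per common name and lists pool addresses that fall outside the `server 10.8.8.0 255.255.255.0` range; the embedded status text is constructed sample data.

```python
"""Reader for the version-1 status file written by "status /var/log/openvpn/status.log".

Added example, not from the page or the OpenVPN project. The sample text below
is constructed in the default status-version 1 layout; "opm" appears twice
because server.conf enables duplicate-cn.
"""
import ipaddress
from collections import Counter

SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Mon Mar  1 10:15:02 2021
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
opm,203.0.113.10:51234,12345,67890,Mon Mar  1 09:58:41 2021
opm,198.51.100.7:40022,2231,9901,Mon Mar  1 10:12:07 2021
client2,203.0.113.44:33001,51200,40960,Mon Mar  1 08:30:00 2021
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.8.8,opm,203.0.113.10:51234,Mon Mar  1 10:15:00 2021
10.8.8.6,opm,198.51.100.7:40022,Mon Mar  1 10:14:58 2021
10.8.8.10,client2,203.0.113.44:33001,Mon Mar  1 10:14:30 2021
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

SECTION_MARKERS = ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS", "END")


def parse_status(text):
    """Split the file into its client list and routing table."""
    clients, routes, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_MARKERS:
            section = line
            continue
        if not line or line.startswith("Updated,"):
            continue
        fields = line.split(",")
        if section == "OpenVPN CLIENT LIST" and len(fields) == 5 and fields[0] != "Common Name":
            cn, real, rx, tx, since = fields
            clients.append({"cn": cn, "real_address": real, "bytes_received": int(rx),
                            "bytes_sent": int(tx), "connected_since": since})
        elif section == "ROUTING TABLE" and len(fields) == 4 and fields[0] != "Virtual Address":
            vaddr, cn, real, last = fields
            routes.append({"virtual_address": vaddr, "cn": cn, "real_address": real, "last_ref": last})
    return {"clients": clients, "routes": routes}


def concurrent_sessions(status):
    """Common names with more than one live session (only possible with duplicate-cn)."""
    counts = Counter(c["cn"] for c in status["clients"])
    return {cn: n for cn, n in counts.items() if n > 1}


def addresses_outside_pool(status, pool):
    """Routing-table entries whose virtual address is not inside the server pool."""
    net = ipaddress.ip_network(pool)
    outside = []
    for r in status["routes"]:
        try:
            addr = ipaddress.ip_address(r["virtual_address"])
        except ValueError:
            continue    # tap MAC addresses and iroute subnets are not single addresses
        if addr not in net:
            outside.append((r["cn"], r["virtual_address"]))
    return outside


def report(text, pool="10.8.8.0/24"):
    """Human-readable summary; the pool default matches "server 10.8.8.0 255.255.255.0"."""
    status = parse_status(text)
    lines = [f"{len(status['clients'])} live session(s)"]
    for cn, n in sorted(concurrent_sessions(status).items()):
        reals = [c["real_address"] for c in status["clients"] if c["cn"] == cn]
        lines.append(f"{cn}: {n} concurrent sessions from {', '.join(reals)}")
    for cn, addr in addresses_outside_pool(status, pool):
        lines.append(f"{cn}: virtual address {addr} outside {pool}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_STATUS))
```

Run it from cron or a log shipper against the real file; a user whose sessions come from two distant real addresses at once is the typical sign of a shared or stolen password when `duplicate-cn` is on.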
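Added example, not the page's or the OpenVPN project's code: a small linter for the directives used in server.conf and client.ovpn above, flagging the settings a reviewer would question (`duplicate-cn`, `script-security 3`, `compress lzo`, a missing `tls-auth`, `verify-client-cert none` or its deprecated alias, and a client file without `remote-cert-tls server` or `auth-nocache`). The two embedded config texts are constructed from the page's settings; `WEAK_CLIENT` is invented to show what the checks report.

```python
"""Linter for the OpenVPN 2.4 directives used on this page (added example)."""
import shlex

SERVER_CONF = """\
port 30003
proto tcp-server
dev tun   # TUN/TAP virtual network device
tls-auth /etc/openvpn/easy-rsa/ta.key 0
auth-user-pass-verify /etc/openvpn/server/user/checkpsw.sh via-env
script-security 3
# client-cert-not-required   # Deprecated option
verify-client-cert require
username-as-common-name
duplicate-cn
server 10.8.8.0 255.255.255.0
push "dhcp-option DNS 1.1.1.1"
compress lzo
push "compress lzo"
ncp-ciphers "AES-256-GCM:AES-128-GCM"
"""

CLIENT_OVPN = """\
client
proto tcp-client
auth-user-pass
remote publicIP 30003
tls-auth ta.key 1
remote-cert-tls server
auth-nocache
compress lzo
"""

WEAK_CLIENT = """\
client
auth-user-pass creds.txt   ; password kept on disk
remote publicIP 30003
comp-lzo
"""


def parse_config(text):
    """[(directive, [args])] with blank lines and '#'/';' comments removed; quoted args stay whole."""
    parsed = []
    for raw in text.splitlines():
        lexer = shlex.shlex(raw, posix=True)
        lexer.commenters = "#;"     # OpenVPN accepts either comment character
        lexer.whitespace_split = True
        lexer.escape = ""           # keep backslashes literal (Windows paths)
        tokens = list(lexer)
        if tokens:
            parsed.append((tokens[0], tokens[1:]))
    return parsed


def lint(text, role):
    """Return [(severity, directive, advice)] for a 'server' or 'client' config."""
    cfg = parse_config(text)
    names = {d for d, _ in cfg}
    args = dict(cfg)                # last occurrence of a directive wins
    out = []
    if "client-cert-not-required" in names:
        out.append(("high", "client-cert-not-required", "deprecated alias of `verify-client-cert none`: password-only authentication"))
    if args.get("verify-client-cert", ["require"])[:1] == ["none"]:
        out.append(("high", "verify-client-cert", "clients need no certificate; the password hook is the only barrier"))
    if "compress" in names or "comp-lzo" in names:
        d = "compress" if "compress" in names else "comp-lzo"
        out.append(("medium", d, "compressing TLS-protected traffic enables VORACLE-style plaintext recovery; remove it and the matching push"))
    if not ({"tls-auth", "tls-crypt"} & names):
        out.append(("medium", "tls-auth", "no HMAC firewall: add tls-auth or tls-crypt so unauthenticated handshakes are dropped"))
    if role == "server":
        if "duplicate-cn" in names:
            out.append(("low", "duplicate-cn", "one credential can be used from several machines at once; watch the status file for multiple sessions per CN"))
        level = args.get("script-security", ["1"])[0]
        if level.isdigit() and int(level) >= 3:
            out.append(("low", "script-security", "level 3 hands passwords to every script via the environment; `via-file` only needs level 2"))
    else:
        if "remote-cert-tls" not in names:
            out.append(("high", "remote-cert-tls", "without `remote-cert-tls server` any CA-issued certificate, including another client's, can impersonate the server"))
        if "auth-user-pass" in names and "auth-nocache" not in names:
            out.append(("low", "auth-nocache", "credentials stay cached in process memory across reconnects"))
        if args.get("auth-user-pass"):
            out.append(("medium", "auth-user-pass", "a credentials file keeps the password in plaintext on disk"))
    return out


if __name__ == "__main__":
    for name, text, role in (("server.conf", SERVER_CONF, "server"), ("client.ovpn", CLIENT_OVPN, "client"), ("weak client", WEAK_CLIENT, "client")):
        print(f"== {name}")
        for sev, directive, advice in lint(text, role):
            print(f"[{sev}] {directive}: {advice}")
```

The page's own server.conf and client.ovpn produce only the `compress`, `duplicate-cn` and `script-security` notes; dropping `compress lzo` and its `push "compress lzo"` on both sides is the one change that needs no other trade-off, while `duplicate-cn` and `script-security 3` are choices the page makes deliberately and should be monitored rather than removed blindly.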