1. 制作证书:
    1. 安装:
      yum -y install easy-rsa
    2. 创建文件夹:
      mkdir server
      mkdir client
    3. 拷贝文件:
      \cp -a /usr/share/easy-rsa/3.*/*  /path/to/server
      \cp -a /usr/share/easy-rsa/3.*/*  /path/to/client
    4. 进入server目录:
      cd server
    5. 初始化:
      ./easyrsa init-pki
    6. 创建根证书(需输入密码):
      ./easyrsa build-ca
    7. 创建server端证书:
      ./easyrsa gen-req server nopass
    8. 给server端证书签名:
      ./easyrsa sign server server
    9. 创建dh:
      ./easyrsa gen-dh
    10. 进入client目录:
      cd client
    11. 初始化:
      ./easyrsa init-pki
    12. 创建client端证书:
      ./easyrsa gen-req client nopass
    13. 回到server目录:
      cd server
    14. 导入client端证书:
      ./easyrsa import-req /path/to/client/pki/reqs/client.req client
    15. 给client端证书签名:
      ./easyrsa sign client client
    16. 所需文件:
      # server端
      server/pki/ca.crt
      server/pki/private/server.key
      server/pki/issued/server.crt
      server/pki/dh.pem
      # client端
      server/pki/ca.crt
      server/pki/issued/client.crt
      client/pki/private/client.key
  2. 服务端:
    1. 安装:
      yum -y install openvpn
    2. 创建文件夹:
      mkdir /etc/openvpn/{server,client}
    3. 复制证书文件:
      cp  /path/to/ca.crt  /etc/openvpn/server/ca.crt
      cp  /path/to/server.crt  /etc/openvpn/server/server.crt
      cp  /path/to/server.key  /etc/openvpn/server/server.key
      cp  /path/to/dh.pem  /etc/openvpn/server/dh.pem
    4. 进入openvpn目录:
      cd /etc/openvpn
    5. 修改配置文件:
      vim server.conf
      port  1337
      proto  udp
      dev  tun
      ca  /etc/openvpn/server/ca.crt
      cert  /etc/openvpn/server/server.crt
      key  /etc/openvpn/server/server.key
      dh  /etc/openvpn/server/dh.pem
      server 100.100.100.0  255.255.255.0
      push  "redirect-gateway def1"
      push  "dhcp-option DNS 8.8.8.8"
      push  "dhcp-option DNS 114.114.114.114"
      push  "dhcp-option DNS 8.8.4.4"
      duplicate-cn
      keepalive  10  30
      comp-lzo
      persist-key
      client-to-client
      persist-tun
      daemon
      log-append   /var/log/openvpn/openvpn.log
      verb  3
      script-security  3
      auth-user-pass-verify  /etc/openvpn/checkpwd.sh via-env
      username-as-common-name
    6. 创建日志文件:
      mkdir  -p  /var/log/openvpn
      touch  /var/log/openvpn/openvpn.log
      touch  /var/log/openvpn/passwd.log
    7. 创建密码验证脚本:
      vim checkpwd.sh
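      #!/bin/sh
      # checkpwd.sh - OpenVPN auth-user-pass-verify hook.
      #
      # server.conf runs this as "auth-user-pass-verify /etc/openvpn/checkpwd.sh via-env",
      # so the credentials typed by the connecting client arrive in the environment
      # variables "username" and "password". Both are untrusted input.
      #
      # Exit status: 0 = credentials accepted, 1 = rejected (unknown user, wrong
      # password, or unreadable password file). Every decision is appended to
      # LOG_FILE; the submitted password is deliberately never written there.
      PASSFILE="/etc/openvpn/passwd"          # plaintext "user password" lines; ';' or '#' starts a comment line
      LOG_FILE="/var/log/openvpn/passwd.log"
      # NOTE(review): PASSFILE holds plaintext passwords - keep it readable by the
      # OpenVPN user only (e.g. mode 600).

      # log_msg MESSAGE - append one timestamped line to LOG_FILE.
      # MESSAGE is passed as a printf argument, never as the format string.
      log_msg() {
        printf '%s: %s\n' "$(date "+%Y-%m-%d %T")" "$1" >> "$LOG_FILE"
      }

      # lookup_password USER FILE - print the password stored for USER in FILE,
      # or nothing when USER is absent. The name reaches awk through ENVIRON
      # instead of being spliced into the program text, so a username containing
      # quotes or awk syntax cannot change what the program does.
      lookup_password() {
        u="$1" awk '!/^;/ && !/^#/ && $1 == ENVIRON["u"] { print $2; exit }' "$2"
      }

      # main - authenticate $username/$password against PASSFILE.
      # Returns 0 on success, 1 on any failure (the script's exit status).
      main() {
        if [ ! -r "$PASSFILE" ]; then
          log_msg "Could not open password file \"$PASSFILE\" for reading."
          return 1
        fi
        # An empty name would match blank lines in PASSFILE; reject it up front.
        if [ -z "${username}" ]; then
          log_msg "Empty username rejected."
          return 1
        fi
        correct_password=$(lookup_password "${username}" "$PASSFILE")
        if [ -z "$correct_password" ]; then
          log_msg "User does not exist: username=\"${username}\"."
          return 1
        fi
        if [ "${password}" = "$correct_password" ]; then
          log_msg "Successful authentication: username=\"${username}\"."
          return 0
        fi
        log_msg "Incorrect password: username=\"${username}\"."
        return 1
      }

      main "$@"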
    8. 修改密码验证文件的权限:
      chmod +x checkpwd.sh
    9. 创建用户名、密码文件:
      vim passwd
      test_user test_pass
    10. 启动:
      systemctl start openvpn@server
  3. 客户端:
    1. 安装openvpn:
      yum -y install openvpn
    2. 从server端拷贝文件:
      scp root@x.x.x.x:/path/to/{ca.crt,client.crt,client.key} /etc/openvpn/
    3. 创建配置文件:
      vim /etc/openvpn/client.ovpn
      client
      dev tun
      proto udp
      remote  x.x.x.x  1337
      resolv-retry infinite
      nobind
      persist-key
      persist-tun
      auth-user-pass
      mute-replay-warnings
      remote-cert-tls  server
      comp-lzo
      ca  /etc/openvpn/ca.crt
      cert  /etc/openvpn/client.crt
      key  /etc/openvpn/client.key
    4. 进入目录:
      cd /etc/openvpn/
    5. 连接(需输入用户名和密码):
      openvpn client.ovpn
文档更新时间: 2020-08-08 20:40   作者:lee