The core goal of setting up OpenVPN is to provide a secure, reliable and flexible network connectivity solution. Whether the need is remote work, data encryption, branch interconnection or privacy protection, OpenVPN handles it well.
#Note: on the CentOS family, OpenVPN lives in the EPEL repository
[root@centos7 ~]# yum list openvpn
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Available Packages
openvpn.x86_64 2.4.12-1.el7 epel
#easy-rsa is used to issue certificates and client private keys
[root@centos7 ~]# yum list easy-rsa
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Available Packages
easy-rsa.noarch 3.0.8-1.el7 epel
[root@centos7 ~]# yum install openvpn easy-rsa -y
Prepare the configuration files
#prepare the certificate-issuing files
[root@centos7 ~]# cp -r /usr/share/easy-rsa/3/ /etc/openvpn/easy-rsa
#prepare the variables file used when issuing certificates
[root@centos7 ~]# cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa/vars
#it is recommended to adjust the validity of the certificates issued to the CA and the OpenVPN server; they can be lengthened
[root@centos7 ~]# vim /etc/openvpn/easy-rsa/vars
#the CA certificate is valid for 10 years by default; it can be extended, e.g. to 36500 days
set_var EASYRSA_CA_EXPIRE 36500
#the server certificate defaults to 825 days; it can be extended, e.g. to 3650 days
set_var EASYRSA_CERT_EXPIRE 3650
Prepare the certificate files
Initialize the PKI and the CA environment
Help for the easyrsa script
[root@centos7 ~]# cd /etc/openvpn/easy-rsa
[root@centos7 easy-rsa]# file ./easyrsa
./easyrsa: POSIX shell script, ASCII text executable
[root@centos7 easy-rsa]# ./easyrsa
Initialize the PKI: generate the PKI directories and files
#initialize the data; this creates the pki directory and related files under the current directory
[root@centos7 easy-rsa]# ./easyrsa init-pki
[root@centos7 easy-rsa]# tree .
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│ ├── openssl-easyrsa.cnf
│ ├── private
│ ├── reqs
│ └── safessl-easyrsa.cnf
├── vars
└── x509-types
    ├── ca
    ├── client
    ├── code-signing
    ├── COMMON
    ├── email
    ├── kdc
    ├── server
    └── serverClient
4 directories, 13 files
Create the CA certificate environment
[root@centos7 easy-rsa]# ./easyrsa build-ca nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating RSA private key, 2048 bit long modulus
.............+++
.............+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: #press Enter to accept the default
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt #the generated self-signed certificate file
[root@centos7 easy-rsa]# tree pki/
pki/
├── ca.crt #the generated self-signed certificate file
├── certs_by_serial
├── index.txt
├── index.txt.attr
├── issued
├── openssl-easyrsa.cnf
├── private
│ └── ca.key #the generated private key file
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
└── serial
12 directories, 7 files
[root@centos7 easy-rsa]# cat pki/serial
01
[root@centos7 easy-rsa]# ll pki/index.txt
-rw------- 1 root root 0 Jun 12 15:29 pki/index.txt
[root@centos7 easy-rsa]# ll pki/ca.crt pki/private/ca.key
-rw------- 1 root root 1176 Jun 12 15:29 pki/ca.crt
-rw------- 1 root root 1675 Jun 12 15:29 pki/private/ca.key
Prepare the server certificate environment
Create the server certificate request
#create the server certificate request; server is the file prefix
[root@centos7 easy-rsa]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
.......................+++
....+++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-16489.WSDofF/tmp.5LLtbt'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]: #accept the default Common Name, just press Enter
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req #generated request file
key: /etc/openvpn/easy-rsa/pki/private/server.key #generated private key file
[root@centos7 easy-rsa]# tree pki
pki
├── ca.crt
├── certs_by_serial
├── index.txt
├── index.txt.attr
├── issued
├── openssl-easyrsa.cnf
├── private
│ ├── ca.key
│ └── server.key #generated private key file
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
│ └── server.req #generated request file
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
└── serial
Issue the server certificate
View the usage of the certificate signing command
[root@centos7 easy-rsa]# ./easyrsa help sign
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
sign-req <type> <filename_base>
Sign a certificate request of the defined type. <type> must be a known
type such as 'client', 'server', 'serverClient', or 'ca' (or a user-added type.)
This request file must exist in the reqs/ dir and have a .req file
extension. See import-req below for importing reqs from other sources.
Issue the server certificate
#sign the server.req request above as a server-type certificate
[root@centos7 ~]# cd /etc/openvpn/easy-rsa
#the first server is the certificate type, the second server is the request file prefix
[root@centos7 easy-rsa]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days: #the validity configured in the vars file
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes #type yes and press Enter
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-16762.j8ywoY/tmp.8CmNvZ
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Jun 9 07:53:02 2033 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt #generated server certificate file
Verify the result
[root@centos7 easy-rsa]# tree pki
pki
├── ca.crt
├── certs_by_serial
│ └── A0EA62CAFA8C5DD41382D00A8FE243EF.pem #generated server certificate file
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│ └── server.crt #generated server certificate file
├── openssl-easyrsa.cnf
├── private
│ ├── ca.key
│ └── server.key
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
│ └── server.req
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old
12 directories, 14 files
[root@centos7 easy-rsa]# diff pki/certs_by_serial/A0EA62CAFA8C5DD41382D00A8FE243EF.pem pki/issued/server.crt
[root@centos7 easy-rsa]#
#inspect the certificate-related files
[root@centos7 easy-rsa]# cat pki/serial
A0EA62CAFA8C5DD41382D00A8FE243F0
[root@centos7 easy-rsa]# cat pki/index.txt
V 330609075302Z A0EA62CAFA8C5DD41382D00A8FE243EF unknown /CN=server
[root@centos7 easy-rsa]# cat pki/serial.old
a0ea62cafa8c5dd41382d00a8fe243ef
Create the Diffie-Hellman parameters
#method 1
[root@centos7 easy-rsa]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
[root@centos7 easy-rsa]# ll pki/dh.pem
-rw------- 1 root root 424 Jun 12 16:00 pki/dh.pem
#method 2
[root@centos8 ~]#openssl dhparam -out /etc/openvpn/dh2048.pem 2048
[root@centos8 ~]#ll /etc/openvpn/dh2048.pem
-rw-r--r-- 1 root root 424 Aug 3 20:50 /etc/openvpn/dh2048.pem
Prepare the client certificate environment
Change the client certificate validity
[root@centos7 ~]# cd /etc/openvpn/easy-rsa/
#it is recommended to shorten the validity of client certificates, e.g. to 90 days
[root@centos7 easy-rsa]# vim /etc/openvpn/easy-rsa/vars
set_var EASYRSA_CERT_EXPIRE 90
Create the client certificate request
#generate the certificate request for the client user
[root@centos7 easy-rsa]# ./easyrsa gen-req liwenjie nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
.................................................+++
.................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-18611.QIJ8ff/tmp.jaDmqQ'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [liwenjie]: #accept the default, just press Enter
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/liwenjie.req #certificate request file
key: /etc/openvpn/easy-rsa/pki/private/liwenjie.key #private key file
#two new files are generated
[root@centos7 easy-rsa]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│ ├── ca.crt
│ ├── certs_by_serial
│ │ └── A0EA62CAFA8C5DD41382D00A8FE243EF.pem
│ ├── dh.pem
│ ├── index.txt
│ ├── index.txt.attr
│ ├── index.txt.attr.old
│ ├── index.txt.old
│ ├── issued
│ │ └── server.crt
│ ├── openssl-easyrsa.cnf
│ ├── private
│ │ ├── ca.key
│ │ ├── liwenjie.key #private key file
│ │ └── server.key
│ ├── renewed
│ │ ├── certs_by_serial
│ │ ├── private_by_serial
│ │ └── reqs_by_serial
│ ├── reqs
│ │ ├── liwenjie.req #certificate request file
│ │ └── server.req
│ ├── revoked
│ │ ├── certs_by_serial
│ │ ├── private_by_serial
│ │ └── reqs_by_serial
│ ├── safessl-easyrsa.cnf
│ ├── serial
│ └── serial.old
├── vars
└── x509-types
    ├── ca
    ├── client
    ├── code-signing
    ├── COMMON
    ├── email
    ├── kdc
    ├── server
    └── serverClient
Issue the client certificate
#issue the client certificate
[root@centos7 easy-rsa]# ./easyrsa sign client liwenjie
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 90 days:
subject=
commonName = liwenjie
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes #type yes and press Enter
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-18773.At0CPR/tmp.SgSda6
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'liwenjie'
Certificate is to be certified until Sep 10 08:31:17 2023 GMT (90 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/liwenjie.crt #certificate file
[root@centos7 easy-rsa]# tree pki
pki
├── ca.crt
├── certs_by_serial
│ ├── A0EA62CAFA8C5DD41382D00A8FE243EF.pem
│ └── CA185979930BF8C3C98CD56CCFDD1D84.pem
├── dh.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│ ├── liwenjie.crt #generated client certificate
│ └── server.crt
├── openssl-easyrsa.cnf
├── private
│ ├── ca.key
│ ├── liwenjie.key
│ └── server.key
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
│ ├── liwenjie.req
│ └── server.req
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old
12 directories, 19 files
[root@centos7 easy-rsa]# cat pki/index.txt
V 330609075302Z A0EA62CAFA8C5DD41382D00A8FE243EF unknown /CN=server
V 230910083117Z CA185979930BF8C3C98CD56CCFDD1D84 unknown /CN=liwenjie
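The index.txt listing above is the CA database easy-rsa maintains. The following added example (not from the original article) parses it and reports certificates that are revoked, expired or, like the 90-day client certificate issued here, about to expire. It assumes the real file is tab-separated (the listing shows the tabs collapsed to spaces) and adds one constructed revoked entry with a placeholder serial.

```python
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple, Optional, Tuple

class Entry(NamedTuple):
    status: str               # V = valid, R = revoked, E = expired (as OpenSSL writes them)
    expires: datetime
    revoked: Optional[datetime]
    serial: str
    cn: str

def parse_time(value: str) -> datetime:
    # easy-rsa/OpenSSL store UTCTime in index.txt: YYMMDDHHMMSSZ
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_index(text: str) -> List[Entry]:
    """Six tab-separated fields per line: status, expiry, revocation date
    (empty unless revoked), serial, certificate filename, subject DN."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt line: {line!r}")
        status, exp, rev, serial, _fname, dn = fields
        cn = next((p[3:] for p in dn.split("/") if p.startswith("CN=")), dn)
        entries.append(Entry(status, parse_time(exp), parse_time(rev) if rev else None,
                             serial.upper(), cn))
    return entries

def audit(text: str, now_utctime: str, warn_days: int = 30) -> Dict[str, Tuple[str, int]]:
    """Map each CN to (state, days until expiry); state is revoked, expired,
    expiring (within warn_days) or ok. now_utctime uses the same YYMMDDHHMMSSZ form."""
    now = parse_time(now_utctime)
    report = {}
    for e in parse_index(text):
        days_left = (e.expires - now).days
        if e.status == "R":
            state = "revoked"
        elif days_left < 0:
            state = "expired"
        elif days_left <= warn_days:
            state = "expiring"
        else:
            state = "ok"
        report[e.cn] = (state, days_left)
    return report

# Constructed sample: the two entries from the article's index.txt (tabs restored)
# plus one revoked entry with a placeholder serial that is not from the article.
SAMPLE_INDEX = (
    "V\t330609075302Z\t\tA0EA62CAFA8C5DD41382D00A8FE243EF\tunknown\t/CN=server\n"
    "V\t230910083117Z\t\tCA185979930BF8C3C98CD56CCFDD1D84\tunknown\t/CN=liwenjie\n"
    "R\t240101000000Z\t230815120000Z\t00000000000000000000000000000001\tunknown\t/CN=olduser\n"
)

if __name__ == "__main__":
    for cn, (state, days) in audit(SAMPLE_INDEX, "230820000000Z").items():
        print(f"{cn:10} {state:9} {days:5d} days left")
```

Run it against /etc/openvpn/easy-rsa/pki/index.txt from cron to catch client certificates before their 90 days run out.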
[root@centos7 easy-rsa]# ll pki/issued/
total 16
-rw------- 1 root root 4438 Jun 12 16:31 liwenjie.crt
-rw------- 1 root root 4552 Jun 12 15:53 server.crt
[root@centos7 easy-rsa]# ll pki/certs_by_serial/
total 16
-rw------- 1 root root 4552 Jun 12 15:53 A0EA62CAFA8C5DD41382D00A8FE243EF.pem
-rw------- 1 root root 4438 Jun 12 16:31 CA185979930BF8C3C98CD56CCFDD1D84.pem
Client certificate batch issuance script
If many client certificates need to be issued, the script below can issue them one user at a time without interactive prompts.
#!/bin/bash
# Issue one client certificate per run: generate the request with the default CN, then sign it as a client certificate
read -p "Enter the user's name in pinyin (e.g. liwenjie): " NAME
[ -n "${NAME}" ] || { echo "name is required"; exit 1; }
cd /etc/openvpn/easy-rsa/ || exit 1
# the empty line accepts the default Common Name (the name entered above)
./easyrsa gen-req "${NAME}" nopass <<EOF

EOF
# 'yes' confirms the request details
./easyrsa sign client "${NAME}" <<EOF
yes
EOF
Copy the CA and server certificate files to the server's directory
[root@centos7 ~]# cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/easy-rsa/pki/issued/server.crt /etc/openvpn/easy-rsa/pki/private/server.key /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/server
[root@centos7 ~]# ll /etc/openvpn/server
total 20
-rw------- 1 root root 1176 Jun 12 16:53 ca.crt
-rw------- 1 root root 424 Jun 12 16:53 dh.pem
-rw------- 1 root root 4552 Jun 12 16:53 server.crt
-rw------- 1 root root 1704 Jun 12 16:53 server.key
Copy the client private key and certificate files to the corresponding directory on the server
[root@centos7 ~]# mkdir /etc/openvpn/client/liwenjie/
[root@centos7 ~]# find /etc/openvpn/easy-rsa -name "liwenjie.key" -o -name "liwenjie.crt" -o -name ca.crt
[root@centos7 ~]# find /etc/openvpn/easy-rsa \( -name "liwenjie.key" -o -name "liwenjie.crt" -o -name ca.crt \) -exec cp {} /etc/openvpn/client/liwenjie \;
[root@centos7 ~]# ll /etc/openvpn/client/liwenjie/
total 16
-rw------- 1 root root 1176 Jun 12 16:59 ca.crt
-rw------- 1 root root 4438 Jun 12 16:59 liwenjie.crt
-rw------- 1 root root 1704 Jun 12 16:59 liwenjie.key
Configure the OpenVPN server and start the service
Server configuration file explained
[root@centos7 ~]# cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf /etc/openvpn/
#in the server configuration file server.conf, lines starting with # or ; are comments
[root@centos7 ~]# grep -Ev "^#|^$" /etc/openvpn/server.conf
;local a.b.c.d #IP to listen on; by default all local IPs
port 1194 #port
;proto tcp #protocol; TCP is recommended for production
proto udp #default protocol udp
;dev tap #create an Ethernet tunnel device; tap passes Ethernet frames through the OpenVPN tunnel and can carry non-IP protocols such as IPX and AppleTalk. tap behaves like an Ethernet device and handles layer-2 packets such as Ethernet frames.
dev tun #create an IP routing tunnel; tun is recommended for production and for use over the Internet. A tun device is mostly used for IP-based communication: it emulates a network-layer device and handles layer-3 packets such as IP datagrams.
;dev-node MyTap #TAP-Win32 device driver; not needed on non-Windows systems
ca ca.crt #CA certificate file
cert server.crt #server certificate file
key server.key #server private key file
dh dh2048.pem #DH parameter file
;topology subnet
server 10.8.0.0 255.255.255.0 #subnet from which connected clients are assigned IPs; by default the server takes the first IP of this subnet as the clients' gateway. Make sure it does not overlap with the internal network
ifconfig-pool-persist ipp.txt #file recording client-to-virtual-IP assignments
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 #bridge mode; not needed, leave commented
;server-bridge
;push "route 192.168.10.0 255.255.255.0" #static route pushed to clients for the subnet behind the server; the gateway is the server address 10.8.0.1
;push "route 192.168.10.100 255.255.255.255" #a 255.255.255.255 mask restricts clients to a single internal host, e.g. a jumpserver
;push "route 192.168.20.0 255.255.255.0" #push routes to clients so they can reach other private networks behind the server
;client-config-dir ccd #add routes for specific clients; these routes are for subnets behind the client, not the server. No need to set
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script #external script, e.g. to create per-group iptables rules; no need to configure
;push "redirect-gateway def1 bypass-dhcp" #when enabled, all client traffic is forwarded through the VPN server, so production usually does not need this
;push "dhcp-option DNS 208.67.222.222" #push DNS server addresses; no need to configure
;push "dhcp-option DNS 208.67.220.220"
;client-to-client #allow clients to talk to each other directly; insecure, generally not needed in production
;duplicate-cn #multiple users sharing one certificate; typically for test environments. In production one certificate per user is recommended; leave off
keepalive 10 120 #liveness check interval and timeout: ping every 10 seconds, consider the peer down after 120 seconds without a reply
tls-auth ta.key 0 # This file is secret #hardening against DoS and similar attacks; the server and every client need this key file. The second parameter is 0 on the server and 1 on the client
cipher AES-256-CBC #encryption algorithm
;compress lz4-v2 #enable the new compression algorithm of OpenVPN 2.4.x
;push "compress lz4-v2" #push the new compression algorithm to clients; do not use together with comp-lzo below
;comp-lzo #compression setting for compatibility with old clients; requires clients to enable compression. Newer versions such as OpenVPN 2.4.x do not need it
;max-clients 100 #maximum number of clients
;user nobody #user the openvpn service runs as
;group nobody #group the openvpn service runs as
persist-key #by default the key files are re-read on restart; with this option the keys read the first time are kept. Not needed in production
persist-tun #Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts; not needed in production
status openvpn-status.log #server status file, updated every minute
;log openvpn.log #first logging method, with the log path; log truncates the file every time openvpn starts, not recommended
;log-append openvpn.log #second logging method, with the log path; after a restart new entries are appended to the existing log. Recommended for production
verb 3 #log level 0-9; the higher, the more verbose. 0 is silent except for fatal errors, 4 is reasonable for normal use, 5 and 6 help debug connection problems, 9 is extremely verbose
;mute 20 #log only the first 20 messages of the same category
explicit-exit-notify 1 #after the server restarts, tell clients to reconnect automatically. Only usable in udp mode; tcp mode reconnects without it, and enabling it with tcp prevents the openvpn service from starting, so it must be off when using tcp
script-security 3 # allow custom scripts
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env #path to the custom script
username-as-common-name #enable username/password authentication
client-cert-not-required #username/password only, no certificate; without this line both certificate and username/password are required
Modify the server configuration file
[root@centos7 ~]# vim /etc/openvpn/server.conf
port 1194
proto tcp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "route 172.30.0.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
user openvpn
group openvpn
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20
#enable IP forwarding
[root@centos7 ~]# echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf
[root@centos7 ~]# sysctl -p
[root@centos7 ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j MASQUERADE
Prepare the server log directory
#on CentOS 7 the package installs the openvpn user and group automatically
[root@centos7 ~]# getent passwd openvpn
openvpn:x:993:991:OpenVPN:/etc/openvpn:/sbin/nologin
[root@centos7 ~]# mkdir /var/log/openvpn
[root@centos7 ~]# chown openvpn.openvpn /var/log/openvpn
[root@centos7 ~]# ll -d /var/log/openvpn
drwxr-xr-x 2 openvpn openvpn 4096 Jun 12 21:44 /var/log/openvpn
Start the OpenVPN service
Prepare the service file for OpenVPN
[root@centos7 ~]# cat /usr/lib/systemd/system/openvpn@.service
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target
[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf
[Install]
WantedBy=multi-user.target
[root@centos7 ~]# systemctl daemon-reload
[root@centos7 ~]# systemctl enable --now openvpn@server
[root@centos7 ~]# ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:9000 *:*
LISTEN 0 32 *:1194 *:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 128 [::]:3306 [::]:*
LISTEN 0 70 [::]:33060 [::]:*
[root@centos7 ~]# systemctl status openvpn@server
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2023-06-12 22:03:13 CST; 2min 1s ago
Main PID: 3140 (openvpn)
Status: "Initialization Sequence Completed"
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─3140 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf
Jun 12 22:03:13 centos7 systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
Jun 12 22:03:13 centos7 systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
Generate the client user's configuration file
#generate the client file; the suffix must be .ovpn
[root@centos7 ~]# grep '^[[:alpha:]].*' /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/client.conf > /etc/openvpn/client/liwenjie/client.ovpn
#edit the configuration file as follows
[root@centos7 ~]# vim /etc/openvpn/client/liwenjie/client.ovpn
client
dev tun
proto tcp
remote www.xiaopohai.icu 1194 #in production, the FQDN or public IP of the OpenVPN server
resolv-retry infinite
nobind
#persist-key
#persist-tun
ca ca.crt
cert liwenjie.crt #remember to change this
key liwenjie.key #remember to change this
remote-cert-tls server
#tls-auth ta.key 1
cipher AES-256-CBC
verb 3 #this value must not be set arbitrarily, otherwise communication fails
compress lz4-v2 #used on OpenVPN 2.4.x and must match the server side; if unspecified, comp-lzo compression is used by default
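As an added example (not part of the original article), the following script cross-checks an exported client .ovpn against server.conf for the settings the text says must agree: proto, dev, cipher, compress, the port, the tls-auth key direction (0 on the server, 1 on the client), and remote-cert-tls server. The inline sample configs are abridged copies of the two files above; www.xiaopohai.icu is the page's own hostname.

```python
import shlex
from typing import List, Optional

def parse_conf(text: str) -> List[List[str]]:
    """[directive, args...] per line; '#'/';' lines and inline '#' are comments."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            tokens = shlex.split(line, comments=True)   # keeps push "..." as one arg
            if tokens:
                out.append(tokens)
    return out

def first(conf: List[List[str]], name: str) -> Optional[List[str]]:
    return next((t[1:] for t in conf if t[0] == name), None)

def check_pair(server_text: str, client_text: str) -> List[str]:
    srv, cli = parse_conf(server_text), parse_conf(client_text)
    findings = []
    # Transport, device type, cipher and compression must match on both ends.
    for key in ("proto", "dev", "cipher", "compress"):
        s, c = first(srv, key), first(cli, key)
        if s != c:
            findings.append(f"{key} mismatch: server={s} client={c}")
    # The client's remote port must be the server's listening port (default 1194).
    s_port = (first(srv, "port") or ["1194"])[0]
    remote = first(cli, "remote") or []
    c_port = remote[1] if len(remote) > 1 else "1194"
    if s_port != c_port:
        findings.append(f"port mismatch: server={s_port} client={c_port}")
    # tls-auth on both sides or neither; key direction 0 on the server, 1 on the client.
    s_ta, c_ta = first(srv, "tls-auth"), first(cli, "tls-auth")
    if (s_ta is None) != (c_ta is None):
        findings.append("tls-auth mismatch: configured on only one side")
    elif s_ta is None:
        findings.append("warning: tls-auth not enabled on either side")
    elif len(s_ta) > 1 and len(c_ta) > 1 and (s_ta[1], c_ta[1]) != ("0", "1"):
        findings.append("tls-auth key direction must be 0 on server and 1 on client")
    # remote-cert-tls server makes the client require a cert signed with type 'server'.
    if first(cli, "remote-cert-tls") != ["server"]:
        findings.append("warning: client lacks 'remote-cert-tls server'")
    return findings

# Abridged copies of the article's server.conf and client.ovpn (one inline comment kept on purpose).
SERVER_CONF = ("port 1194\nproto tcp\ndev tun\ncipher AES-256-CBC\n"
               'compress lz4-v2\npush "compress lz4-v2"\n')
CLIENT_OVPN = ("dev tun\nproto tcp\nremote www.xiaopohai.icu 1194 #server FQDN or public IP\n"
               "remote-cert-tls server\n#tls-auth ta.key 1\ncipher AES-256-CBC\ncompress lz4-v2\n")

if __name__ == "__main__":
    print("\n".join(check_pair(SERVER_CONF, CLIENT_OVPN)) or "no findings")
```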
[root@centos7 ~]# cd /etc/openvpn/client/liwenjie
[root@centos7 liwenjie]# tar cf liwenjie.tar ./
Configure and deploy the OpenVPN client on Windows
Official client download:
https://openvpn.net/community-downloads/
Place the client certificate files generated above into the default install directory of the Windows client, C:\Program Files\OpenVPN\config