Preparation
- Install the build dependencies
yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig gcc gcc-c++
- Download the OpenVPN source package (Source archive file) from the official site and upload it to the server
Compile and install OpenVPN
tar -zxvf openvpn-2.3.10.tar.gz && cd openvpn-2.3.10
./configure --prefix=/usr/local/openvpn
make && make install
Problems you may run into:
- configure: error: libnl-genl-3.0 package not found or too old. Is the development package and pkg-config (/usr/bin/pkg-config) installed? Must be version 3.4.0 or newer for DCO
Fix: install the libnl-genl-3 development package
yum install libnl3-devel
- configure: error: libcap-ng package not found. Is the development package and pkg-config (/usr/bin/pkg-config) installed?
Fix: install libcap-ng-devel
yum install libcap-ng-devel
- configure: error: No compatible LZ4 compression library found. Consider --disable-lz4
Fix: install lz4-devel and lz4
yum install lz4-devel lz4
- configure: error: lzo enabled but missing
Fix: install lzo-devel and lzo
yum install lzo-devel lzo
- configure: error: libpam required but missing
Fix: install pam-devel
yum install pam-devel
- Missing python-docutils - skipping man page generation (openvpn.8)
Missing python-docutils - skipping man page generation (openvpn-examples.5)
Fix: install python3-docutils
yum install python3-docutils
Once configure completes without errors, run the build and install again:
./configure --prefix=/usr/local/openvpn
make && make install
Generate the server certificates
- Create the /etc/openvpn directory
mkdir -p /etc/openvpn
- Install the latest easy-rsa from the OpenVPN project
cd ~
wget -c https://github.com/OpenVPN/easy-rsa/archive/master.zip
unzip master.zip
mv easy-rsa-master easy-rsa
mkdir /etc/openvpn/easy-rsa
cp -r ~/easy-rsa/easyrsa3/* /etc/openvpn/easy-rsa/
- Prepare the CSR settings used when generating certificates: vim /etc/openvpn/easy-rsa/vars
# Organisation details, customise to suit
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "me@example.net"
set_var EASYRSA_REQ_OU "My Organizational Unit"
# Certificate validity in days
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 3650
- Generate the CA certificate. Run the following:
cd /etc/openvpn/easy-rsa/
./easyrsa init-pki
Using Easy-RSA 'vars' configuration:
* /etc/openvpn/easy-rsa/vars
Notice
------
'init-pki' complete; you may now create a CA or requests.
Your newly created PKI dir is:
* /etc/openvpn/easy-rsa/pki
Using Easy-RSA configuration:
* /etc/openvpn/easy-rsa/vars
Then run:
./easyrsa build-ca
Enter New CA Key Passphrase: ## enter the CA passphrase; it is needed later when signing
Confirm New CA Key Passphrase: ## enter the CA passphrase again
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: ## enter a description, or press Enter to accept the default
Notice
------
CA creation complete. Your new CA certificate is at:
* /etc/openvpn/easy-rsa/pki/ca.crt
- Generate the server certificate request
./easyrsa gen-req server nopass
Common Name (eg: your user, host, or server name) [server]: ## enter a description, or press Enter to accept the default
Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /etc/openvpn/easy-rsa/pki/reqs/server.req
* key: /etc/openvpn/easy-rsa/pki/private/server.key
- Sign the server certificate with the CA
./easyrsa sign-req server server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: ## type yes
Using configuration from /etc/openvpn/easy-rsa/pki/3b9bcc35/temp.1.1
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key: ## enter the CA passphrase set earlier
Notice
------
Certificate created at:
* /etc/openvpn/easy-rsa/pki/issued/server.crt
- Generate the DH parameters
./easyrsa gen-dh
Notice
------
DH parameters of size 2048 created at:
* /etc/openvpn/easy-rsa/pki/dh.pem
- Generate the ta (tls-auth) key
/usr/local/openvpn/sbin/openvpn --genkey --secret /etc/openvpn/ta.key
- Collect the server certificates and keys under /etc/openvpn/ so they are easy to manage and reference from the configuration.
cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/
cp /etc/openvpn/easy-rsa/pki/private/server.key /etc/openvpn/
cp /etc/openvpn/easy-rsa/pki/issued/server.crt /etc/openvpn/
cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/
At this point /etc/openvpn/ should contain ca.crt, server.key, server.crt, dh.pem and ta.key.
Generate the client certificate
- Generate the certificate request
./easyrsa gen-req cso nopass
(cso can be replaced with any name you like)
Common Name (eg: your user, host, or server name) [cso]: ## enter a description, or press Enter to accept the default
Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /etc/openvpn/easy-rsa/pki/reqs/cso.req
* key: /etc/openvpn/easy-rsa/pki/private/cso.key
- Sign it
./easyrsa sign-req client cso
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: ## type yes
Using configuration from /etc/openvpn/easy-rsa/pki/fe58e697/temp.1.1
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key: ## enter the CA passphrase set earlier
Notice
------
Certificate created at:
* /etc/openvpn/easy-rsa/pki/issued/cso.crt
- Collect the client certificate and keys under ~/openvpn-client so they are easy to manage and hand out.
mkdir -p ~/openvpn-client
cp /etc/openvpn/easy-rsa/pki/ca.crt ~/openvpn-client
cp /etc/openvpn/easy-rsa/pki/private/cso.key ~/openvpn-client
cp /etc/openvpn/easy-rsa/pki/issued/cso.crt ~/openvpn-client
cp /etc/openvpn/ta.key ~/openvpn-client
At this point ~/openvpn-client should contain ta.key, ca.crt, cs.ovpn (written in the client step below), cso.crt and cso.key.
Start the OpenVPN server:
- Edit the server configuration file
vim /etc/openvpn/server.conf
local 0.0.0.0
port 3074
proto udp
dev tap-udp
dev-type tap
user root
#group nobody
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# client address pool
server 10.251.0.0 255.255.0.0
# allow clients to reach each other
client-to-client
duplicate-cn
max-clients 99999
max-routes-per-client 999
# push routes so the networks behind both gateways can reach each other
push "route 10.250.0.0 255.255.0.0"
# never renegotiate keys
reneg-sec 0
keepalive 10 360
# retransmit interval, default 2
tls-timeout 1
tun-mtu 1500
# not supported with TCP
fragment 1356
mssfix 1356
# 0 on the server, 1 on the client
tls-auth ta.key 0
cipher AES-256-CBC
# compress transmitted data
comp-lzo
comp-noadapt
persist-key
persist-tun
# status log
status openvpn-status.log
# log verbosity
verb 3
- Start the OpenVPN server (the certificate paths in server.conf are relative, so run it from /etc/openvpn)
cd /etc/openvpn && /usr/local/openvpn/sbin/openvpn --config /etc/openvpn/server.conf
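Before exposing the server it is worth reviewing the configuration above: it keeps root privileges with group commented out, allows many clients on one certificate (duplicate-cn), never rekeys (reneg-sec 0), compresses the tunnel (comp-lzo), pins a CBC cipher and checks no revocation list. The script below is an added example, not part of the original article or of the OpenVPN project: it flags those settings in a server.conf and carries a hardened sample that passes clean (user nobody and group nobody, crl-verify with the CRL from ./easyrsa gen-crl, tls-version-min 1.2, data-ciphers with AES-256-GCM, no compression, default rekeying). The directive names are real OpenVPN options; both sample files are constructed here.

```shell
#!/bin/sh
# Added example, not part of the original article: a lint pass that flags the
# settings in a server.conf a reviewer would question before exposing the
# service, shown beside a hardened configuration that passes clean. Directive
# names are real OpenVPN options; both sample files are constructed here.

# has DIRECTIVE: true when an uncommented line in $conf starts with DIRECTIVE,
# optionally followed by arguments. A commented line such as "#group nobody"
# does not count as the directive being set.
has() {
    grep -Eq "^[[:space:]]*$1([[:space:]].*)?\$" "$conf"
}

# lint_openvpn_conf FILE: print one "WARN: ..." line per finding, always exit 0.
lint_openvpn_conf() {
    conf="$1"
    if has "user root" || ! has "user"; then
        echo "WARN: daemon keeps root privileges after start-up; set 'user nobody'"
    fi
    has "group" || echo "WARN: no 'group' directive; set 'group nobody'"
    has "duplicate-cn" && echo "WARN: duplicate-cn lets many clients share one certificate, so revoking one cuts off all"
    has "reneg-sec 0" && echo "WARN: reneg-sec 0 disables data-channel rekeying"
    if has "comp-lzo" || has "compress"; then
        echo "WARN: tunnel compression is deprecated and exposes plaintext structure"
    fi
    if grep -Eq "^[[:space:]]*cipher[[:space:]]+.*-CBC" "$conf" && ! has "data-ciphers"; then
        echo "WARN: CBC cipher with no data-ciphers list; prefer AES-256-GCM"
    fi
    has "tls-version-min" || echo "WARN: no tls-version-min; add 'tls-version-min 1.2'"
    has "crl-verify" || echo "WARN: no crl-verify; revoked client certificates keep working"
    return 0
}

# write_weak_conf: constructed file in the shape of the article's server.conf
# (not the article's file itself); prints the path of the temp file it wrote.
write_weak_conf() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
port 3074
proto udp
dev tap
user root
#group nobody
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.251.0.0 255.255.0.0
client-to-client
duplicate-cn
reneg-sec 0
tls-auth ta.key 0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
verb 3
EOF
    echo "$tmp"
}

# write_hardened_conf: the same service with each finding addressed.
write_hardened_conf() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
port 3074
proto udp
dev tap
user nobody
group nobody
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# revocation list produced by ./easyrsa gen-crl
crl-verify crl.pem
server 10.251.0.0 255.255.0.0
client-to-client
# one certificate per client (no duplicate-cn), default rekeying, no compression
tls-auth ta.key 0
tls-version-min 1.2
# AEAD ciphers negotiated with the client instead of a fixed CBC cipher
data-ciphers AES-256-GCM:AES-128-GCM
cipher AES-256-GCM
persist-key
persist-tun
verb 3
EOF
    echo "$tmp"
}

# Demo on the constructed samples; on a real host: lint_openvpn_conf /etc/openvpn/server.conf
weak=$(write_weak_conf); hardened=$(write_hardened_conf)
echo "weak:";     lint_openvpn_conf "$weak"
echo "hardened:"; lint_openvpn_conf "$hardened"
rm -f "$weak" "$hardened"
```

The lint only looks at uncommented directives, so a line such as "#group nobody" counts as the directive being absent, which is exactly the case in the article's file. Run it against /etc/openvpn/server.conf before the first start and again after any edit.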
Test the client connection
- Edit the client configuration file
vim ~/openvpn-client/cs.ovpn
client
proto udp
dev tap-udp
dev-type tap
# change this to the server's public IP
remote 1.1.1.1 3074
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tun-mtu 1500
# not supported with TCP
fragment 1356
mssfix 1356
comp-noadapt
comp-lzo
# CA certificate
ca ca.crt
# client certificate
cert cso.crt
# client key
key cso.key
# ta key
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
Pack the files in the openvpn-client folder, download them, place them in the OpenVPN client's config folder, and start the OpenVPN client to test the connection.
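Handing out a folder of five files is easy to get wrong (a client that loses ta.key, or that picks up another user's cso.key). OpenVPN clients also accept a single self-contained .ovpn profile with the CA certificate, client certificate, client key and tls-auth key inline, which is simpler to distribute and to revoke per user. The script below is an added example, not from the article or the OpenVPN project: it assumes the file names used above (cs.ovpn, ca.crt, cso.crt, cso.key, ta.key) in ~/openvpn-client, refuses to build if any of them is missing, and uses constructed placeholder PEM contents in its demo. Since the result contains a private key, deliver it to the user over a protected channel, not by plain e-mail.

```shell
#!/bin/sh
# Added example, not part of the original article: build a single inline .ovpn
# profile from the files the article collects in ~/openvpn-client, so the
# client receives one file instead of a folder. It assumes the base profile
# is named cs.ovpn and references ca.crt, cso.crt, cso.key and ta.key by
# name, as in the article. The PEM contents in the demo are constructed
# placeholders, not real certificates or keys.

# build_inline_profile DIR OUT: copy DIR/cs.ovpn to OUT, dropping the four
# file-reference directives and appending their contents as inline blocks.
# Returns 1 (and writes nothing) if any expected file is missing.
build_inline_profile() {
    dir="$1"; out="$2"
    for f in cs.ovpn ca.crt cso.crt cso.key ta.key; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing $dir/$f" >&2
            return 1
        fi
    done
    # keep every directive except the "ca", "cert", "key" and "tls-auth" file references
    grep -Ev '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$dir/cs.ovpn" > "$out" || true
    # once ta.key is inline, the client-side direction (1) is carried by key-direction
    echo "key-direction 1" >> "$out"
    for pair in ca:ca.crt cert:cso.crt key:cso.key tls-auth:ta.key; do
        tag=${pair%%:*}
        file=${pair#*:}
        {
            echo "<$tag>"
            cat "$dir/$file"
            echo "</$tag>"
        } >> "$out"
    done
    return 0
}

# make_sample_client_dir: constructed stand-in for ~/openvpn-client; prints its path.
make_sample_client_dir() {
    d=$(mktemp -d)
    cat > "$d/cs.ovpn" <<'EOF'
client
proto udp
dev tap
remote 1.1.1.1 3074
resolv-retry infinite
nobind
remote-cert-tls server
ca ca.crt
cert cso.crt
key cso.key
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
EOF
    # placeholder PEM bodies, constructed for the demo only
    for f in ca.crt cso.crt; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$d/$f"
    done
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' '-----END PRIVATE KEY-----' > "$d/cso.key"
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' 'PLACEHOLDER' '-----END OpenVPN Static key V1-----' > "$d/ta.key"
    echo "$d"
}

# Demo; on the real host: build_inline_profile ~/openvpn-client ~/cso.ovpn
d=$(make_sample_client_dir)
build_inline_profile "$d" "$d/cso.ovpn" && cat "$d/cso.ovpn"
rm -rf "$d"
```

The resulting cso.ovpn keeps every other directive from cs.ovpn (remote, remote-cert-tls server, cipher and so on) and can be dropped into the client's config folder on its own; the missing-file check means a half-copied ~/openvpn-client produces an error rather than a profile that fails at connect time.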