linux下openvpn2.3.4服务器部署

admin

二、部署openvpn    本次部署openvpn服务器，因为使用了最新的openvpn2.3.4，而这个包里面没有包含最重要的证书制作部分：easy-rsa    openvpn官网也给出明确说明：Starting with openvpn-2.3_alpha2 easy-rsa is no longer part of the OpenVPN source or binary packages    所以，我们需要事先下载好easyrsa，可以到GitHub上进行下载，配置过程将在下面第3步进行，本次部署使用了easy-rsa3，与easy-rsa2.0的操作完全不同，网上其它关于easy-rsa2.0的教程不适合本次部署    在部署openvpn之前，最好用ntpdate同步一下服务器的时间，否则生成证书的时间也不准确，会造成那个什么centificate error等的错误！
, Y# N. o& G$ }) q; n; I: L9 R1、安装lzo
    lzo是致力于解压速度的一种数据压缩算法123[root@vpn ~]# tar xf lzo-2.08.tar.gz[root@vpn ~]# cd lzo-2.08[root@vpn lzo-2.08]# ./configure && make && make install2、安装openvpn1234567[root@vpn ~]# tar xf openvpn-2.3.4.tar.gz[root@vpn ~]# cd openvpn-2.3.4[root@vpn openvpn-2.3.4]# ./configure --with-lzo-headers=/usr/local/include/ --with-lzo-lib=/usr/local/lib[root@vpn openvpn-2.3.4]# make && make install[root@vpn openvpn-2.3.4]# [root@vpn openvpn-2.3.4]# which openvpn/usr/local/sbin/openvpn      #看到这里，说明安装openvpn成功3、配置easyrsa服务端    openvpn-2.3.4软件包不包含证书（ca证书，服务端证书，客户端证书）制作工具，所以还需要单独下载easy-rsa，最新的为easy-rsa3    Starting with openvpn-2.3_alpha2 easy-rsa is no longer part of the OpenVPN source or binary packages（来源openvpn官网）123456789101112[root@vpn ~]# unzip easy-rsa-master.zip [root@vpn ~]# mv easy-rsa-master easy-rsa[root@vpn ~]# cp -R easy-rsa/ openvpn-2.3.4/[root@vpn ~]# cd openvpn-2.3.4/easy-rsa/easyrsa3/[root@vpn easyrsa3]# cp vars.example vars[root@vpn easyrsa3]# vim varsset_var EASYRSA_REQ_COUNTRY "CN"set_var EASYRSA_REQ_PROVINCE "Beijing"set_var EASYRSA_REQ_CITY "Beijing"set_var EASYRSA_REQ_ORG "nmshuishui Certificate"set_var EASYRSA_REQ_EMAIL "353025240@qq.com"set_var EASYRSA_REQ_OU "My OpenVPN"4、创建服务端证书及key（1）初始化123456789[root@vpn easyrsa3]# lseasyrsa  openssl-1.0.cnf  vars  vars.example  x509-types[root@vpn easyrsa3]# [root@vpn easyrsa3]# ./easyrsa init-pki Note: using Easy-RSA configuration from: ./vars init-pki complete; you may now create a CA or requests.Your newly created PKI dir is: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki（2）创建根证书12345678910111213141516171819202122[root@vpn easyrsa3]# ./easyrsa build-ca Note: using Easy-RSA configuration from: ./varsGenerating a 2048 bit RSA private key.............................................+++........+++writing new private key to '/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key'Enter PEM pass phrase:                      #输入密码，此密码用途证书签名Verifying - Enter PEM pass phrase:          #确认密码-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Common Name (eg: your user, host, or server name) [Easy-RSA CA]:nmshuishui  #输入一个Common Name CA creation complete and you may now import and sign cert requests.Your new CA certificate file for publishing is at:/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt（3）创建服务器端证书1234567891011121314151617181920[root@vpn easyrsa3]# ./easyrsa gen-req server nopass Note: using Easy-RSA configuration from: ./varsGenerating a 2048 bit RSA private key................................+++......+++writing new private key to '/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key'-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Common Name (eg: your user, host, or server name) [server]:nmshuishui-BJ  #该Common Name一定不要与创建根证书时的                                                                          #Common Name一样，这是血与泪的教训  Keypair and certificate request completed. Your files are:req: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/server.reqkey: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key（4）签约服务器端证书123456789101112131415161718192021222324252627282930[root@vpn easyrsa3]# ./easyrsa sign server server Note: using Easy-RSA configuration from: ./vars  You are about to sign the following certificate.Please check over the details shown below for accuracy. Note that this requesthas not been cryptographically verified. Please be sure it came from a trustedsource or that you have verified the request checksum with the sender. Request subject, to be signed as a server certificate for 3650 days: subject=    commonName                = nmshuishui  Type the word 'yes' to continue, or any other input to abort.  Confirm request details: yes        #输入yes继续Using configuration from /root/openvpn-2.3.4/easy-rsa/easyrsa3/openssl-1.0.cnfEnter pass phrase for /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key:    #输入刚才创建根证书时的密码Check that the request matches the signatureSignature okThe Subject's Distinguished Name is as followscommonName            :PRINTABLE:'nmshuishui'Certificate is to be certified until Aug 21 14:18:49 2024 GMT (3650 days) Write out database with 1 new entriesData Base Updated Certificate created at: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt（5）创建Diffie-Hellman，确保key穿越不安全网络的命令：12345678[root@vpn easyrsa3]# ./easyrsa gen-dh Note: using Easy-RSA configuration from: ./varsGenerating DH parameters, 2048 bit long safe prime, generator 2This is going to take a long time...................................................................................................................................................................................................................+..........................................................................................................................+..................................................+.....................................................+..................................................................................................................................+............+............................................................................................................+...+............+...............+..............................................+.........................+..................................+.................+............................................................+..................................+........................................................................................................................................+................................................................+.......................................+...................................................................................................................................................++*++* DH parameters of size 2048 created at /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem5、创建客户端证书（1）在根目录下建立client目录123[root@vpn easyrsa3]# cd[root@vpn ~]# mkdir client[root@vpn ~]# cp -R easy-rsa/ client/（2）初始化123456789[root@vpn ~]# cd client/easy-rsa/easyrsa3/[root@vpn easyrsa3]# lseasyrsa  openssl-1.0.cnf  vars  vars.example  x509-types[root@vpn easyrsa3]# ./easyrsa init-pki Note: using Easy-RSA configuration from: ./vars init-pki complete; you may now create a CA or requests.Your newly created PKI dir is: /root/client/easy-rsa/easyrsa3/pki（3）创建客户端key及生成证书12345678910111213141516171819202122[root@vpn easyrsa3]# ./easyrsa gen-req nmshuishui Note: using Easy-RSA configuration from: ./varsGenerating a 2048 bit RSA private key....................................................+++.................................................................................................................................................................................+++writing new private key to '/root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key'Enter PEM pass phrase:            #输入密码Verifying - Enter PEM pass phrase:-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Common Name (eg: your user, host, or server name) [nmshuishui]:nmshuishui   #输入nmshuishui                      Keypair and certificate request completed. Your files are:req: /root/client/easy-rsa/easyrsa3/pki/reqs/nmshuishui.reqkey: /root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key（4）将得到的nmshuishui.req导入并签约证书12345678910111213141516171819202122232425262728293031323334353637383940[root@vpn ~]# cd openvpn-2.3.4/easy-rsa/easyrsa3/[root@vpn easyrsa3]#   #导入req[root@vpn easyrsa3]# ./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/nmshuishui.req nmshuishui Note: using Easy-RSA configuration from: ./vars The request has been successfully imported with a short name of: nmshuishuiYou may now use this name to perform signing operations on this request. [root@vpn easyrsa3]#     #签约证书[root@vpn easyrsa3]# ./easyrsa sign client nmshuishui Note: using Easy-RSA configuration from: ./vars  You are about to sign the following certificate.Please check over the details shown below for accuracy. Note that this requesthas not been cryptographically verified. Please be sure it came from a trustedsource or that you have verified the request checksum with the sender. Request subject, to be signed as a client certificate for 3650 days: subject=    commonName                = nmshuishui  Type the word 'yes' to continue, or any other input to abort.  Confirm request details: yes       #输入yesUsing configuration from /root/openvpn-2.3.4/easy-rsa/easyrsa3/openssl-1.0.cnfEnter pass phrase for /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key:    #输入创建根证书时的密码Check that the request matches the signatureSignature okThe Subject's Distinguished Name is as followscommonName            :PRINTABLE:'nmshuishui'Certificate is to be certified until Aug 21 12:49:40 2024 GMT (3650 days) Write out database with 1 new entriesData Base Updated Certificate created at: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/nmshuishui.crt   #签约成功（5）服务端及客户端生成的文件
. O. T1 S+ M' }2 |- Y服务端：（/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki）文件夹12345678/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/server.req/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/qingliu.req/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/qingliu.crt/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem客户端：（/root/client/easy-rsa）12/root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key/root/client/easy-rsa/easyrsa3/pki/reqs/nmshuishui.key   #这个文件被我们导入到了服务端文件，所以那里也有（6）拷贝服务器密钥及证书等到openvpn目录1234[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt openvpn-2.3.4/[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key openvpn-2.3.4/[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt openvpn-2.3.4/[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem openvpn-2.3.4/（7）拷贝客户端密钥及证书等到client目录123[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt /root/client [root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/nmshuishui.crt /root/client[root@vpn ~]# cp /root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key /root/client（8）为服务端编写配置文件当安装好openvpn时候，它会提供一个server配置的文件例子1/root/openvpn-2.3.4/sample/sample-config-files/server.conf将此例子拷贝openvpn目录，然后配置123456789101112131415161718192021[root@vpn ~]# cp openvpn-2.3.4/sample/sample-config-files/server.conf openvpn-2.3.4/[root@vpn ~]# vim openvpn-2.3.4/server.conflocal 192.168.1.104    #（自己vps IP）port 1194proto udpdev tunca /root/openvpn-2.3.4/ca.crtcert /root/openvpn-2.3.4/server.crtkey /root/openvpn-2.3.4/server.key # This file should be kept secretdh /root/openvpn-2.3.4/dh.pemserver 10.8.0.0 255.255.255.0ifconfig-pool-persist ipp.txtpush "redirect-gateway def1 bypass-dhcp"push "dhcp-option DNS 8.8.8.8"keepalive 10 120comp-lzomax-clients 100persist-keypersist-tunstatus openvpn-status.logverb 3（9）开启系统转发功能12345[root@vpn ~]# vim /etc/sysctl.confnet.ipv4.ip_forward = 0  改成 net.ipv4.ip_forward = 1[root@vpn ~]# sysctl -p[root@vpn ~]# sysctl -a | grep net.ipv4.ip_forwardnet.ipv4.ip_forward = 1（10）封装出去的数据包（eth0是你的vps外网的网卡）：1/sbin/iptables -t nat -I POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE三、下载openvpn客户端，并进行配置1、将客户端密钥及证书等拷出到windows备用123[root@vpn ~]# cd client/[root@vpn client]# lsca.crt  easy-rsa  nmshuishui.crt  nmshuishui.key    #带后缀的这三个2、安装openvpn-gui工具
（1）将D:\Program Files (x86)\OpenVPN\sample-config\client.ovpn复制到D:\Program Files (x86)\OpenVPN\config（2）将从linux中拷贝出来的三个密钥及证书放到D:\Program Files (x86)\OpenVPN\config下（3）编辑D:\Program Files (x86)\OpenVPN\config\client.ovpn，修改为12345678910111213clientdev tunproto udpremote 192.168.1.104 1194resolv-retry infinitenobindpersist-keypersist-tunca ca.crt //这里需要证书cert nmshuishui.crtkey nmshuishui.keycomp-lzoverb 3

admin

   1.2 准备 OpenVPN 安装目录

        因为此文件是使用源码安装,所以选择的程序安装目录为: /usr/local/openvpn 目录, 配置文件目录为/etc/openvpn 目录
& z5 {1 D; o/ ~4 t
9 O6 `& w- H6 o% u        程序目录: /usr/local/openvpn
; S, h3 V0 q) g% m( ]) t) e. ^' l
3 u" M  i2 T% [# X& H) c        配置目录: /etc/openvpn
- X2 W3 D- f+ N9 K4 X1 x2 e. w- C
, e  s% N% u- a/ V. G2. 开始安装 OpenVPN
( D. }' q; N1 K
  g; X# p. r4 ]3 f   2.1 编译 OpenVPN

" j' Z+ N9 ?% s, s. Y& Y        [root@client ~]#cd /home/src/openvpn
! m- S% @2 V/ d- Z
. K5 a/ `+ m1 n1 ~        [root@client openvpn]#tar zxvf lzo-2.03.tar.gz
4 J8 k& v, j. o5 [5 C
2 D4 S- _- M6 h# C( j        [root@client openvpn]#cd lzo-2.03
3 q: B# b6 O; Y2 h1 ~8 C
) C+ {6 ~+ R* W8 P& L% u        [root@client lzo-2.03]#./configure && make && make install

' {. x, h+ r& N3 f, J5 h9 c" H        编辑/etc/ld.so.conf

        [root@client lzo-2.03]#cat >> /etc/ld.so.conf << EOF

( T9 k0 q: t; _/ G! ], x4 c          /lib

          /lib64

5 x! a- x: J$ m          /usr/lib

          /usr/lib64

          /usr/local/lib
8 [. q! C' R6 G. z1 n; F
+ u$ V! T" t' L  J( Z% }+ {/ m          /usr/local/lib64
6 J" n/ S0 [% n, V
' g5 `" e: S  o% Z* a6 f- X/ ~          EOF

5 |/ a0 \9 d3 b9 Q4 d( y' g        编辑完后运行
3 D2 P+ A4 G2 Y2 g# e3 E
/ d0 u$ b3 ^+ W2 O; H4 Z! q        [root@client lzo-2.03]#ldconfig

        使动态连接库文件生效,接下来编译 openvpn

* O- j& _, F8 M# r) D; B8 }' X        [root@client openvpn]# tar zxvf openvpn-2.0.9.tar.gz
( M+ B! W  k, ~  b
        [root@client openvpn]# cd openvpn-2.0.9

        [root@client openvpn-2.0.9]# ./configure –prefix=/usr/local/openvpn && make && make install

        [root@client openvpn-2.0.9]#tree /usr/local/openvpn
* V! n* {1 k' K4 y
        应该有以下输出
6 k6 k" @! U- O6 e2 E. h9 Q
        [root@client ~]# tree /usr/local/openvpn/

        /usr/local/openvpn/
+ }' }8 l' t7 l  a& c) U# [. _* Z
) j2 `& X" m: Z/ w        |-- man
1 L: h1 Z4 J3 s# B/ a8 F
) \' W0 r, e8 @4 d9 {        | `-- man8
+ o: [. s* x* x( r
        |      `-- openvpn.8

        `-- sbin
- ]* K1 j- ~2 ^) N2 r
6 @+ i; b: ~6 U% w& U% k        |-- key

        `-- openvpn
; C) M* Y( h" R; P  q/ H) L
- T! b& N  w+ K5 G+ [7 S+ z1 y        3 directories, 3 files

3. 配置的 OpenVPN Server
! D8 z* E: |' W' H) p
   3.1 建立配置环境
) G/ {& Q8 f4 \( y
       [root@client ~]# mkdir -p /etc/openvpn
. |+ d, W" U; A' m, N
9 y" H5 x0 \1 k( w7 h5 O       [root@client ~]# cp -R /home/src/openvpn/openvpn-2.0.9/easy-rsa /etc/openvpn

       [root@client ~]# cd /etc/openvpn/easy-rsa/2.0/
  z  B% L! m  x  Z  z7 j7 @, T
       此目录下以许多程序及脚本, 以下为使用到的程序及脚本说明

       vars                  脚本, 是用来创建环境变量,设置所需要要的变量的脚本
! q( }; _9 h3 A$ a
       clean-all             脚本,是创建生成 ca 证书及密钥文件所需要的文件及目录
& G  e; h: S; D; i! Y9 A
    build-ca           脚本, 生成 ca 证书(交互)

    build-dh           脚本, 生成 Diffie-Hellman 文件(交互)
9 ]& f- \- _, l3 a) n  u4 T
    build-key-server   脚本, 生成服务器端密钥(交互)

% E! O; M* l* Z7 t$ b. c    build-key          脚本, 生成客户端密钥(交互)
8 t) ]" r- G& Y+ n+ @
9 g7 @* K# g% P$ Q    pkitool            脚本, 直接使用 vars 的环境变量设置, 直接生成证书(非交互)

/ o! f# G+ q, m, K  F3.2 生成 CA 证书及密钥[注意字符输入不要出错]
2 v  l! d1 ?  M2 h% o( X
  Q( M! E6 d: ^# D/ a    [root@client 2.0]# . ../vars
$ E9 v' Y- q( }$ I. D
    [root@client 2.0]# chmod +rwx *
- b5 B* R7 j  U  _
    初始化 keys 目录,创建生成 ca 证书及密钥文件所需要的文件和目录
1 c& q$ `1 A' R& I5 o8 v; l9 X( c
" @2 e1 D6 H& l, M0 U( H/ o    [root@client 2.0]# ./clean-all
$ \9 Q: @' k! S* _
   编辑 vars 文件,生成环境变量, vars 里的参数根据自己需要改变.

  {) d0 q( c8 A& U   export KEY_SIZE=1024                     #生成密钥的位数

2 K  I, o3 K" W, n   export KEY_COUNTRY=CN                    #定义所在的国家编码, 2 个字符

   export KEY_PROVINCE=BeiJing              #定义所在的省份

   export KEY_CITY=BeiJing                  #定义所在的城市

, p& ~( |5 j# J, q$ V   export KEY_ORG=”VPN Test org”            #定义所在的组织

; K- ^" O# H$ v; L4 Z; L% S   export KEY_OU=”VPN COM”                  #定义所在的单位

   export KEY_EMAIL=”china.client@gmail.com” #定义你的邮件地址
# W( A/ l$ Z& O$ Q- W4 b1 a8 a
    修改好 vars 文件后就可以开始生成 ca 证书及密钥文件了!

    [root@client 2.0]# source ./vars
1 }5 p/ y+ P8 k5 ]& k; {
: M8 j- B# {7 C" x2 ~    生成 Root Ca 证书, 用于签发 Server 和 Client 证书
: z! g( \6 Q) }7 ~1 z: k' p
' }/ b! j  [$ s# x4 S0 g- p# Z3 o    [root@client 2.0]#./build-ca
# i( t. W5 _) D
4 s8 J7 E0 U* E2 ]    [root@client 2.0]# ls keys
- r9 v! [, D4 j! X2 I, |
    可以看到已经生成了 ca.crt ca.key 文件
' e" a. p+ ~7 e1 W
    生成 Diffie-Hellman 文件

    [root@client 2.0]#./build_dh
! y  U  p. \4 `0 a! M6 l
* Y' ?+ |. _9 j+ w$ f    [root@client 2.0]#ls -l keys/dh2048.pem

    可以看到生成了 2048 位的 Diffie-Hellman 文件
: J! L0 P3 _3 Q& i+ r; k0 m
    生成服务器使用的 VPN server Ca 证书

* J: p1 v  e: A7 o) ~; B& R    [root@client 2.0]#./build-key-server server

    server 是你为 CA 证书起的一个名字, 以 server 名字为例,生成的服务器使用的 CA 证书文件为: server.crt server.key
4 X; D! @: ?, A/ L
    将生成的 CA 证书及密钥拷贝到/etc/openvpn 下
' M; z$ {0 ]  O
    [root@client 2.0]#cp keys/{ca.crt,ca.key,server.crt, server.key, dh2048.pem} /etc/openvpn/

3.3 生成客户端 CA 证书及密钥

    生成客户端 CA 证书及密钥使用:build-key 程序即可

    [root@client 2.0]#./build-key client
; V3 p7 d4 c' N: k
    将在 keys 目录下生成 client.crt client.csr client.key 三个客户端证书
2 w; B1 b: B4 Y, `+ j) M) z3 i
    将 ca.crt ca.key client.crt client.csr client.key 五个文件打包,以备客户端 vpn 使用
1 w( E; Q$ ~5 I. }" A! y- `0 z
1 E  s7 u3 G4 D& W: w1 ?1 M    [root@client2.0]#tar zcvf client.vpn.key.tar.gz keys/{ca.crt,ca.key,client.crt,client.csr,client.key}

3.4 生成 openvpn 配置文件
) v1 J' ?1 t7 [3 e* U0 `9 G: }. o
' J# O' F5 w3 D( N/ o) T: T    创建 openvpn 配置文件最好的方法是先看 openvpn 的样例文件,在源码目录下的 sample-config-files 下,本例为
. g/ V1 h! J' E5 w2 R( X
    /home/src/openvpn/openvpn-2.0.9/sample-config-files
5 f6 j' x1 p1 x0 D! V
    服务器端配置文件名: server.conf

    客户端配置文件名为: client.conf
+ P& k4 J2 S% \2 [( z# i; u
    可以根据需要修改.
0 `1 ]6 @8 y% ]; Z, ]9 F; ~
    本例的配置文件 为:/etc/openvpn/openvpn.conf
- d$ W/ {8 L3 v, u7 B7 t7 d/ ^
     #########################################################################

7 y: _! ~- ~6 b2 O: G5 b. X$ U     port 1723 #openvpn 默认端口为 1194
9 [% p1 L' F/ E/ t- C
# a0 G- |  Z. x2 g1 Z) x     proto tcp
. b+ E* P# M- K8 D' `
       dev tun
1 p2 K2 |/ ]# S% U  N
4 r3 O4 C- t8 |4 G, ?       #########################################################################

       # ca 证书及服务器证书以所在的文件目录为准,本例是放在了/etc/openvpn 目录下,与配置文件相同目录
0 V7 U( q- A$ w% @1 i6 T# V! R
       #########################################################################

9 q/ {+ S% n2 `& m  Y       ca ca.crt

       cert server.crt

       key server.key

       dh dh2048.pem

       server 172.16.0.0 255.255.0.0
, Q% V. J0 T0 Z9 \2 {
       push "dhcp-option DNS 202.106.0.20"
$ U5 z+ B/ X' _7 F  o
: U6 J' t1 u7 D       push "dhcp-option DNS 168.210.2.2"
1 P; K3 Q+ W! C5 i2 e6 A
       push "route 172.16.0.0 255.255.0.0"

# n6 [. z- O/ }/ Q       ifconfig-pool-persist ipp.txt

' _0 g5 q/ B! M- p0 o       keepalive 10 120
7 N2 r% @9 \$ L3 Q; U- D
+ I+ x) P" t. ~- J- }       comp-lzo

       user nobody

       group nobody

% r; Y% g0 B* S/ f       persist-key

# L% ~/ z8 o7 }2 ]( \* T( \       persist-tun
3 Z& t5 I) F5 E0 e
) m7 [4 U! ^( h% ?- e- Z, I/ c6 r0 U       status /var/log/openvpn-status.log
, D* J/ I, k4 u6 v% h' j
0 A3 Y8 Q9 ?/ p/ {/ @       verb 3

       #Client 之间可以相互访问
- G/ H2 c1 j6 c9 }! O$ L( T, ~
       client-to-client

       #允许一个用户多次访问
+ E5 B" I* W6 ^/ a; O$ s
! C. m: \3 g3 V5 z5 J       duplicate-cn
. g% s* q/ {. |# `- ]* H
       log /var/log/openvpn.log

6 K, e  |0 f2 `' }) E6 n+ i: L8 Y       log-append /var/log/openvpn.log
- L. T& y" t4 ^5 x6 n/ y* {
7 T" b3 d4 c/ b( g$ ]3 ]1 W       #########################################################################
- \" D' G8 V2 G$ F
6 K8 E0 y2 H' ?* \) A( I* D  3.5 创建 openvpn 的启动脚本
* A/ n1 h" ]( o3 S  Y
      openvpn 的启动脚本在源码目录: sample-scripts 目录下
: t" E+ F/ r, o: E
7 w6 E  a7 U) c9 r5 W      文件名为: openvpn.init
/ U" \- r8 a8 C, L
      将 openvpn.ini 拷贝到/etc/init.d 下,并重新命名为 openvpn

& g; j4 ~  ?2 x$ V* o7 u& Z      [root@client ~]#cp -f /home/src/openvpn/openvpn-2.0.9/sample-scripts/openvpn.init /etc/init.d/openvpn

+ b. l3 o' s- w! K      因为是用源码编译安装并指定了目录,所以需要修改/etc/init.d/openvpn 的 69 行

- |5 D* Q( v5 t0 S; g- Y       openvpn_locations="/usr/sbin/openvpn /usr/local/sbin/openvpn"

, H! S- v$ C6 ~/ R1 Z* f      修改为:

        openvpn_locations="/usr/local/openvpn/sbin/openvpn /usr/sbin/openvpn /usr/local/sbin/openvpn"

  3.6 将 openvpn 添加到系统自启动
9 n8 d3 L/ \- B4 n7 `
      [root@client ~]# chkconfig –add openvpn
, t8 p+ f" I, R# a/ Y" q
  3.7 启动/停止 openvpn 服务
# }/ h7 X0 e( a7 Y5 I; ^
& N, i- _* ]% ~; h         启动 openvpn 服务
. I$ `, H. o+ b( P4 t3 V
         [root@client ~]#service openvpn start

         停止 openvpn 服务
  B  z2 S+ X7 a  T( m
         [root@client ~]#service openvpn stop

admin

安装 LZO 代码:
cd /lzo-2.02
' x! h* a6 o7 G5 m./configure
make
make check
8 H* I9 l9 q1 i0 ?- \. d* Dmake install
安装 OpenVPN
代码:

( @$ h% B$ T- v( _! U" bcd /openvpn-2.0.5
6 ?+ O; P! Y+ t7 J/ j./configure
# 或用指定dir: (注:下述命令, 应该在一行写完. 为了方便显示, 这里分成了四行)
# ./configure --with-lzo-headers=/usr/local/include
#  --with-lzo-lib=/usr/local/lib
#  --with-ssl-headers=/usr/local/include/openssl
  W- y- ~+ i/ ~& E. d#  --with-ssl-lib=/usr/local/lib
6 F$ X: j* O4 ^0 ~  [* lmake
make install
" G6 n# @& C# N; F, a生成证书Key
初始化 PKI

2 `$ p! x. l6 K' J" }) t(如果没有 export 命令也可以用 setenv [name] [value] 命令)
9 U: w( v$ G+ e
  A7 G$ G+ `3 c9 t' J0 m代码:

  |6 V- E0 u' N/ Vcd /openvpn-2.0.5/easy-rsa
export D=`pwd`
! ^/ S2 W, x7 D' y8 V0 rexport KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
export KEY_SIZE=1024
5 m7 f  }7 _, e# R& P% qexport KEY_COUNTRY=CN
export KEY_PROVINCE=GD
export KEY_CITY=SZ
# G( h/ r% t9 P( d0 l( @- f8 m3 \5 mexport KEY_ORG="xiaohui.com"
export KEY_EMAIL="your-email [at] xiaohui.com"
7 N0 x4 ~& m+ C( ~$ W! j- RBuild:
代码:
! w5 j* O4 c6 p& w: a( X( G3 C
, _" O/ {2 Z& n8 Y+ ?9 {5 @' [./clean-all
' t7 D0 y  P7 y& i4 x: T- a2 q./build-ca

Generating a 1024 bit RSA private key
................++++++
........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
0 m; K9 {2 Y) c" k" ?6 ]5 U/ UWhat you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
8 f: t2 h3 p& ?* B0 c6 ~- t) FFor some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
0 {: c& Y6 d8 q6 {6 o# e5 rCountry Name (2 letter code) [CN]:
( e% q2 _  ?! A, W5 g6 eState or Province Name (full name) [GD]:
& k. k" U: @3 L4 ^7 mLocality Name (eg, city) [SZ]:
Organization Name (eg, company) [xiaohui.com]:
Organizational Unit Name (eg, section) []:xiaohui.com
Common Name (eg, your name or your server's hostname) []:server
Email Address [your-email [at] xiaohui.com]:
# 建立 server key 代码: 代码:
./build-key-server server

Generating a 1024 bit RSA private key
......++++++
....................++++++
5 \2 i  X! o: E7 ~writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
6 k5 i/ ]/ ?2 BThere are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
+ l: K$ k7 s# f0 A5 e: t* nCountry Name (2 letter code) [CN]:
! `- Y+ B, V/ A% Z. Y9 E& B$ ?State or Province Name (full name) [GD]:
; x1 j. L0 \* {7 l7 f# j* mLocality Name (eg, city) [SZ]:
Organization Name (eg, company) [xiaohui.com]:
# {- l  }1 [" g& E% a& N% zOrganizational Unit Name (eg, section) []:xiaohui.com
0 @$ f5 o/ t0 E% j; \6 kCommon Name (eg, your name or your server's hostname) []:server
Email Address [your-email [at] xiaohui.com]:

" h/ F6 r6 p, v. ~Please enter the following 'extra' attributes
to be sent with your certificate request
1 @4 |, E) B) Y6 v# N7 ]A challenge password []:abcd1234
' ?. ~+ Y  v% w* nAn optional company name []:xiaohui.com
Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
6 I4 q, `( C. y% z9 X2 ZSignature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
4 f2 `$ c# B, v" h2 ~: pstateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
+ v. J2 o8 f$ Z( ]: }1 PorganizationName      :PRINTABLE:'xiaohui.com'
organizationalUnitName:PRINTABLE:'xiaohui.com'
commonName            :PRINTABLE:'server'
0 l  m' H# |. f; D7 XemailAddress          :IA5STRING:'your-email [at] xiaohui.com'
4 r0 g( t- I2 p8 h" |; s, B% ?6 QCertificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)
Sign the certificate? [y/n]:y


" q; f9 v* \5 X& S% b' N6 X1 out of 1 certificate requests certified, commit? [y/n]y
8 A. F! k% {% e1 [! [Write out database with 1 new entries
- ]% e. }. c8 e) ~4 n( t4 bData Base Updated
2 t! y8 u: S. A+ U& o2 r1 l; V  U#生成客户端 key
) {3 a, [' u9 d2 i4 i
! L7 h* H! H$ d& y  i代码:

./build-key client1
Generating a 1024 bit RSA private key
.....++++++
4 _+ F0 X8 H2 G......++++++
writing new private key to 'client1.key'
-----
& E* h# `- e( b6 a4 aYou are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
& b) z/ B/ @" I  N; k5 J" aThere are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
9 H0 I  r+ Z: V1 i0 I8 z- ?7 f; `1 {Organization Name (eg, company) [xiaohui.com]:
Organizational Unit Name (eg, section) []:xiaohui.com
Common Name (eg, your name or your server's hostname) []:client1    #重要: 每个不同的 client 生成的证书, 名字必须不同.
Email Address [your-email [at] xiaohui.com]:
6 W: l" ~" {+ M
* E- }- k6 g8 P, Z1 G" d; APlease enter the following 'extra' attributes
) G2 q; u/ N1 o* b9 E0 V) |& f% _to be sent with your certificate request
* c2 W1 _6 }# L9 B/ s" ^1 ^- y4 HA challenge password []:abcd1234
4 h$ A- m& x4 W) q; YAn optional company name []:xiaohui.com
Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
2 l4 M2 k2 ?7 I! ^4 j: jThe Subject's Distinguished Name is as follows
$ }2 {/ q  v5 T0 ccountryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
3 G* F6 \6 P9 D9 a; V9 clocalityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'xiaohui.com'
organizationalUnitName:PRINTABLE:'xiaohui.com'
& d4 l6 _4 ]! X3 AcommonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'your-email [at] xiaohui.com'
) g8 e! c+ G% f# s- s& p3 d$ S" tCertificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
5 v9 t: p0 R3 t, {Sign the certificate? [y/n]:y
( ]4 i+ U0 p$ b/ h
2 B3 Y) h  C6 ]$ g  g
+ j( t* \8 b/ w4 `0 ~8 ~1 i1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
依次类推生成其他客户端证书/key
, W" x# f4 a! O6 J1 ]: U" ?, _
代码:
% H$ E1 @" z# ~% h/ u/ e
: k1 V) `6 v% M8 j' i. ~./build-key client2
./build-key client3
# Z# _+ Q/ F% R注意在进入 Common Name (eg, your name or your server's hostname) []: 的输入时, 每个证书输入的名字必须不同.
生成 Diffie Hellman 参数 。代码:
' z+ I7 d" f$ r4 ~# h) t./build-dh
8 g% P$ `) K( L将 keys 下的所有文件打包下载到本地
代码:

5 x$ j5 p) ~0 s7 Utar -cf mykeys.tar /openvpn-2.0.5/easy-rsa/keys
1 ]# ?4 `4 j- y+ \* Ncp mykeys.tar /home/xiaohui.comsys/public_html/mykeys.tar
将 mykeys.tar 移到 web public(绝对路径因人而异) 上, 然后用 http://www.a.com/mykeys.tar 方式将其下载到本地保存, 然后将其从server删除: 代码:
rm /home/xiaohui.comsys/public_html/mykeys.tar
也可以用其他方法把 key file搞到本地，例如 ftp.
$ _$ `- l: m7 _2 [8 K1 J0 ]创建服务端配置文件
从样例文件创建:
( N0 l3 n/ g  q# m
5 h/ i7 L) O) |代码:
2 E' v- m. @' I/ V
! }9 n9 K. S$ P' N1 o# f9 l( V+ \cd $dir/sample-config-files/ # 进入源代码解压目录下的sample-config-files子目录
cp server.conf /usr/local/etc  # cp服务器配置文件到/usr/local/etc
vi /usr/local/etc/server.conf
5 H+ x9 m6 X* a* f6 ?$ Q我建立的server.conf 的内容稍后另附.
. s- H1 u' q) y, E创建客户端配置文件
代码:
! r- G( s$ a( F- C1 D
4 K* m) |: u, N" o) \3 Xcd $dir/sample-config-files/  #进入源代码解压目录下的sample-config-files子目录
+ o5 k$ j+ b9 O- s2 k3 h" Gcp client.conf /usr/local/etc  #cp客户端配置文件到/usr/local/etc
. B8 ?1 v5 x, E4 qvi /usr/local/etc/client.conf
& I' E; y8 d5 P3 g我建立的client.conf 的内容稍后另附.
' m2 q1 C4 L/ @  @! {启动Openvpn: openvpn [server config file] 代码:
/usr/local/sbin/openvpn --config /usr/local/etc/server.conf
" ?" u& {+ G( q* U' I; L( i* t8 o0 [- \

admin

二、部署openvpn
/ k8 k! [2 X- t) D; K9 n! i: I
    本次部署openvpn服务器，因为使用了最新的openvpn2.3.4，而这个包里面没有包含最重要的证书制作部分：easy-rsa
' d/ q4 o. s: D( {& o, t% x$ R% M
    openvpn官网也给出明确说明：Starting with openvpn-2.3_alpha2 easy-rsa is no longer part of the OpenVPN source or binary packages

    所以，我们需要事先下载好easyrsa，可以到GitHub上进行下载，配置过程将在下面第3步进行，本次部署使用了easy-rsa3，与easy-rsa2.0的操作完全不同，网上其它关于easy-rsa2.0的教程不适合本次部署

    在部署openvpn之前，最好用ntpdate同步一下服务器的时间，否则生成证书的时间也不准确，会造成那个什么centificate error等的错误！
7 B- ^; J& _3 e2 K" {# b0 Q2 a
1、安装lzo
) Q+ p0 N1 Z: m. R3 B0 u
& g! Y& Y5 b" E. c" p3 k    lzo是致力于解压速度的一种数据压缩算法
. y) ~$ P, q* w+ n

3 X* `, y8 H+ J% t[root@vpn ~]# tar xf lzo-2.08.tar.gz
[root@vpn ~]# cd lzo-2.08
& ?. m$ V- @2 o* e4 A[root@vpn lzo-2.08]# ./configure && make && make install
2、安装openvpn

/ ?) ~6 {$ Y" S' L: h
[root@vpn ~]# tar xf openvpn-2.3.4.tar.gz
6 H) V3 S8 B( s# U1 G[root@vpn ~]# cd openvpn-2.3.4
. u' T5 I& W; I/ ~3 `4 [) a* V[root@vpn openvpn-2.3.4]# ./configure --with-lzo-headers=/usr/local/include/ --with-lzo-lib=/usr/local/lib
: g" ^7 O% g/ O! a4 n[root@vpn openvpn-2.3.4]# make && make install
1 V. q1 R3 I" {6 L; H[root@vpn openvpn-2.3.4]#
[root@vpn openvpn-2.3.4]# which openvpn
/usr/local/sbin/openvpn      #看到这里，说明安装openvpn成功
3、配置easyrsa服务端
) _/ Y) S6 B, G6 ^
    openvpn-2.3.4软件包不包含证书（ca证书，服务端证书，客户端证书）制作工具，所以还需要单独下载easy-rsa，最新的为easy-rsa3

% R" A# l5 S$ M" F' B; z  @( e+ e    Starting with openvpn-2.3_alpha2 easy-rsa is no longer part of the OpenVPN source or binary packages（来源openvpn官网）


* B3 m% c. x' V1 O! ?0 r, c: w[root@vpn ~]# unzip easy-rsa-master.zip
[root@vpn ~]# mv easy-rsa-master easy-rsa
5 v' e" h# P3 n, F[root@vpn ~]# cp -R easy-rsa/ openvpn-2.3.4/
[root@vpn ~]# cd openvpn-2.3.4/easy-rsa/easyrsa3/
[root@vpn easyrsa3]# cp vars.example vars
! `6 @  z6 S0 q[root@vpn easyrsa3]# vim vars
1 k6 o! Z. u1 nset_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Beijing"
set_var EASYRSA_REQ_CITY "Beijing"
, R% p6 K, k8 D, T: ^) I8 s: Vset_var EASYRSA_REQ_ORG "nmshuishui Certificate"
set_var EASYRSA_REQ_EMAIL "353025240@qq.com"
set_var EASYRSA_REQ_OU "My OpenVPN"
4、创建服务端证书及key
) s# i: k4 {# Y; R
（1）初始化

8 Y( M; d( X3 J* _
[root@vpn easyrsa3]# ls
easyrsa  openssl-1.0.cnf  vars  vars.example  x509-types
[root@vpn easyrsa3]#
[root@vpn easyrsa3]# ./easyrsa init-pki
; P; S, v' U/ N6 M+ \  B4 L
Note: using Easy-RSA configuration from: ./vars
5 c+ r3 ]4 H5 e4 X% a8 A! O
init-pki complete; you may now create a CA or requests.
! O, W& A! g! C% nYour newly created PKI dir is: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki
9 ^" w6 D4 g  o" ^9 j8 V1 d3 f（2）创建根证书



[root@vpn easyrsa3]# ./easyrsa build-ca
! k* U1 p& {0 E: d+ G+ Z4 H
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
/ u$ _; z: P, u0 A7 w2 m5 r% g5 z.............................................+++
........+++
writing new private key to '/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key'
, J, u2 e/ j. N* N2 b; n- SEnter PEM pass phrase:                      #输入密码，此密码用途证书签名
* K) Q' s9 u' y! x( G) j* Y8 CVerifying - Enter PEM pass phrase:          #确认密码
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
+ P4 d  }; r' ?) u5 v0 oThere are quite a few fields but you can leave some blank
% h1 B( P  m( j% U( [For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:nmshuishui  #输入一个Common Name

CA creation complete and you may now import and sign cert requests.
. B* O3 R! F; D; d3 a. E2 ]Your new CA certificate file for publishing is at:
# O% [' f" K- s* o. Q7 Q/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt
（3）创建服务器端证书

% R7 j7 U2 e3 f5 q6 d% P
[root@vpn easyrsa3]# ./easyrsa gen-req server nopass

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
................................+++
) F* i% g1 \  i......+++
writing new private key to '/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key'
3 ?9 g9 a6 U* j& g! r  V8 w-----
You are about to be asked to enter information that will be incorporated
  G/ R+ t$ F6 N9 ~0 R/ I, Ainto your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
/ \; F6 O" B9 _4 U* _$ v, \-----
Common Name (eg: your user, host, or server name) [server]:nmshuishui-BJ  #该Common Name一定不要与创建根证书时的
                                                                          #Common Name一样，这是血与泪的教训  
, v4 `# F/ i! U3 h6 Z9 J- HKeypair and certificate request completed. Your files are:
3 U) Y& K  r- r5 Ereq: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/server.req
, H8 e8 u9 n1 x# C& L3 ~key: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key
（4）签约服务器端证书
6 m  ^9 g$ }0 Y

- p2 e' h! {5 H  o
: W) P/ c" _0 u2 }& k/ W[root@vpn easyrsa3]# ./easyrsa sign server server
0 E% N& B# |  S! Z8 j+ D& O
7 j9 s; D+ b4 b& V' iNote: using Easy-RSA configuration from: ./vars


, o0 i  C1 ?2 ~1 ]You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
9 V- f2 p0 Z( A  f$ Xhas not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
( U2 i& e7 ], a* t! [
Request subject, to be signed as a server certificate for 3650 days:
& P6 _' `) B# P. U: A. H  C% S
subject=
# v9 \8 W2 ?( V# r) ?2 G    commonName                = nmshuishui
" P8 l' \6 F% l7 O8 }

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes        #输入yes继续
9 J1 ]' {. j0 a" ?" O+ P. R* OUsing configuration from /root/openvpn-2.3.4/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key:    #输入刚才创建根证书时的密码
# B" I* p8 \: C- yCheck that the request matches the signature
! _  V% O4 p5 q# A# o  ~- q5 ^Signature ok
The Subject's Distinguished Name is as follows
; w1 f3 L- f, CcommonName            :PRINTABLE:'nmshuishui'
9 ]8 D; s% _  G2 @3 b2 ^Certificate is to be certified until Aug 21 14:18:49 2024 GMT (3650 days)
) m6 f5 J$ O0 V2 v% O  @! X
Write out database with 1 new entries
Data Base Updated

4 N& b0 {9 K4 U: M; z% _! fCertificate created at: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt
（5）创建Diffie-Hellman，确保key穿越不安全网络的命令：
0 I2 }0 t& q' o3 Y

! a9 Y. w0 N; ?
1 o2 ]9 d. o; v) h: L[root@vpn easyrsa3]# ./easyrsa gen-dh

Note: using Easy-RSA configuration from: ./vars
6 _. l5 O! @1 jGenerating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...................................................................................................................................................................................................................+..........................................................................................................................+..................................................+.....................................................+..................................................................................................................................+............+............................................................................................................+...+............+...............+..............................................+.........................+..................................+.................+............................................................+..................................+........................................................................................................................................+................................................................+.......................................+...................................................................................................................................................++*++*
. @/ }. \  S0 ?6 Q- P8 ~
: ?  d! r. N& ^6 t  I8 `) @DH parameters of size 2048 created at /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem
5、创建客户端证书
5 f4 H$ m- S% x6 `
（1）在根目录下建立client目录
+ @- g) }6 _% r1 |% v
4 S1 A% f+ C% `+ ]0 e5 g  S
[root@vpn easyrsa3]# cd
[root@vpn ~]# mkdir client
[root@vpn ~]# cp -R easy-rsa/ client/
* \9 H3 {0 o5 A7 ~7 F# q+ U' k. L6 g（2）初始化
! V) A/ u8 u" N+ X5 q6 c. A
$ y( C4 S+ R1 \9 [5 R
4 @6 U, D5 V- z$ _5 Y  D( C2 x6 }[root@vpn ~]# cd client/easy-rsa/easyrsa3/
[root@vpn easyrsa3]# ls
easyrsa  openssl-1.0.cnf  vars  vars.example  x509-types
[root@vpn easyrsa3]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars

1 }* s/ u% n; u! c9 Jinit-pki complete; you may now create a CA or requests.
# _3 j+ K- ~. E  w& bYour newly created PKI dir is: /root/client/easy-rsa/easyrsa3/pki
（3）创建客户端key及生成证书
8 j! m% M. T, t2 ~9 Y' V+ A
) d% Z* R" ]4 h

/ g/ ^' }# d* W6 P[root@vpn easyrsa3]# ./easyrsa gen-req nmshuishui
4 G2 k, N2 j( y# A
4 N0 y) f, D8 j: G0 w6 x& BNote: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
5 y, p$ z7 s8 q. E....................................................+++
' i0 t! Z3 F! b  G/ h7 j0 j+ o/ z.................................................................................................................................................................................+++
* }0 _0 D" ]* V6 c" mwriting new private key to '/root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key'
Enter PEM pass phrase:            #输入密码
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
: u5 S  A. u+ linto your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
$ z" m9 m% \- l, }5 F( H* jFor some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
2 @8 K+ t4 b: m" X. \Common Name (eg: your user, host, or server name) [nmshuishui]:nmshuishui   #输入nmshuishui                     

, e4 N& Y7 r! X3 @/ E' t! iKeypair and certificate request completed. Your files are:
" A* S5 h& ?) O( L) A* @! Yreq: /root/client/easy-rsa/easyrsa3/pki/reqs/nmshuishui.req
" L! n4 ?$ H: `( |. L- X+ Xkey: /root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key
- }" ]( c: c( p2 A; }* ^（4）将得到的nmshuishui.req导入并签约证书


% p, v7 }/ e6 u[root@vpn ~]# cd openvpn-2.3.4/easy-rsa/easyrsa3/
  @$ e6 \3 w' w$ p$ x& n8 w) o  W[root@vpn easyrsa3]#   #导入req
) M' p- z9 ^1 P8 u2 P; P[root@vpn easyrsa3]# ./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/nmshuishui.req nmshuishui
( C) B2 R- i/ P; |+ o! @
# L3 o: P" U' @  e% fNote: using Easy-RSA configuration from: ./vars
: F+ H" q$ A5 |6 i7 M
The request has been successfully imported with a short name of: nmshuishui
You may now use this name to perform signing operations on this request.
3 }) F# G3 P, C+ @* Z8 Y
2 v/ D( p) T+ `[root@vpn easyrsa3]#     #签约证书
[root@vpn easyrsa3]# ./easyrsa sign client nmshuishui
9 h4 W0 g" T- {
# B  V$ N( ^( ~% |Note: using Easy-RSA configuration from: ./vars

  }1 u& V. |+ h! E3 |$ z- \$ d
9 W5 L& Y/ T( |3 }  @You are about to sign the following certificate.
8 K+ u8 B5 _/ H3 MPlease check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
+ g" a/ o8 E5 l/ P3 p, ]- v5 I# X; Wsource or that you have verified the request checksum with the sender.
0 h7 Q9 n9 a6 ]! u% |: P
5 F4 r8 k: t8 D% r% ERequest subject, to be signed as a client certificate for 3650 days:

- r* y9 {" `) R2 y- |6 {( J9 c7 Hsubject=
    commonName                = nmshuishui
% H2 F7 ?6 |* J: ?9 c6 I8 ~8 m4 @

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes       #输入yes
Using configuration from /root/openvpn-2.3.4/easy-rsa/easyrsa3/openssl-1.0.cnf
  `) X/ W8 y4 r. ?8 dEnter pass phrase for /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key:    #输入创建根证书时的密码
Check that the request matches the signature
1 J% m/ k: e: X3 @) C7 @Signature ok
: i' c5 N; l. P' HThe Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'nmshuishui'
Certificate is to be certified until Aug 21 12:49:40 2024 GMT (3650 days)
7 \2 d% L) `: k
( C, m* c  \- R) HWrite out database with 1 new entries
Data Base Updated

Certificate created at: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/nmshuishui.crt   #签约成功
+ E  C8 T4 K& k; ]（5）服务端及客户端生成的文件

3 _% `. k" a: ]: ]8 }1 v, l服务端：（/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki）文件夹
  X' D9 g9 N( i) _9 m: x3 J

$ Y, C# ]/ n( a4 M/ x; L/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt
' k3 Z; R, J! t3 C- Q, s( L$ r; x0 @5 _/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/server.req
& P0 y! P1 D9 p1 N; w/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/qingliu.req
% f( |+ H  w2 C  h- a3 M: U/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key
9 W' {7 U. T, w4 n4 Q% s/ X0 @/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key
6 m! m5 E; p2 i" b/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/qingliu.crt
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem
客户端：（/root/client/easy-rsa）
0 M9 u* o5 o% x0 S

/root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key
/root/client/easy-rsa/easyrsa3/pki/reqs/nmshuishui.key   #这个文件被我们导入到了服务端文件，所以那里也有
（6）拷贝服务器密钥及证书等到openvpn目录
- x+ `* ~6 E* {& {# l

( ?# ]8 e% F3 m9 |[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt openvpn-2.3.4/
[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key openvpn-2.3.4/
' G$ |6 g7 B1 {# W5 u8 m$ W: ][root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt openvpn-2.3.4/
2 T1 Q0 ~# }* M' c) Q7 ~[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem openvpn-2.3.4/
( S$ F* ?- W" ^, s* I（7）拷贝客户端密钥及证书等到client目录


- h/ u6 S" S3 E2 v4 |9 e[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt /root/client
+ \% R0 v  ?# d& D) v; e% f0 [[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/nmshuishui.crt /root/client
' G2 S7 W; i7 I0 n[root@vpn ~]# cp /root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key /root/client
  [1 y$ q8 l1 \" D0 J4 T（8）为服务端编写配置文件

  d2 R( K. }+ u1 z+ u当安装好openvpn时候，它会提供一个server配置的文件例子
! D) x9 O$ h  Q9 a3 k! B4 |
1
6 a" S) C! i" Q$ I& f: q6 w0 F/root/openvpn-2.3.4/sample/sample-config-files/server.conf
4 |0 u" J" [* ?' R* c4 Y# V将此例子拷贝openvpn目录，然后配置
) G  S! z6 M8 x7 Y# Q

) f( r  O" q/ i2 M& B+ s  ~9 P[root@vpn ~]# cp openvpn-2.3.4/sample/sample-config-files/server.conf openvpn-2.3.4/
[root@vpn ~]# vim openvpn-2.3.4/server.conf
! k5 o% M0 ]# y" D. Ylocal 192.168.1.104    #（自己vps IP）
5 V! p: J7 O+ i$ ^: J2 h& x  Gport 1194
- f# [5 ?, n  k) }proto udp
dev tun
* O' S( P& f( E- Fca /root/openvpn-2.3.4/ca.crt
% v: g; ?1 g1 P* Vcert /root/openvpn-2.3.4/server.crt
key /root/openvpn-2.3.4/server.key # This file should be kept secret
1 O5 b5 F+ [7 O  A, b& fdh /root/openvpn-2.3.4/dh.pem
: P4 `" Q' q2 b/ c/ jserver 10.8.0.0 255.255.255.0
, [1 I) q7 s2 j5 w9 eifconfig-pool-persist ipp.txt
+ S) t4 @& l5 K/ w* @push "redirect-gateway def1 bypass-dhcp"
3 M% h* A5 Q# M0 ?$ ^% {$ a) npush "dhcp-option DNS 8.8.8.8"
9 A4 ]: [+ p" q! N2 d; Tkeepalive 10 120
& k( V$ p: K9 Bcomp-lzo
max-clients 100
persist-key
) o) c% o6 ?% kpersist-tun
status openvpn-status.log
8 V3 Q- y# @( b# zverb 3
( l6 c: W, o3 n; U（9）开启系统转发功能

7 e4 t) F' Q4 |
[root@vpn ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 0  改成 net.ipv4.ip_forward = 1
[root@vpn ~]# sysctl -p
[root@vpn ~]# sysctl -a | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1
( X9 l' j' R0 e$ x2 r8 w! l! A（10）封装出去的数据包（eth0是你的vps外网的网卡）：
) V6 B9 v7 Y) w' d+ h7 L
# C! B2 S+ r6 q, Q: C1 A, H
' [& m0 y6 L3 m: f7 D) z# s/sbin/iptables -t nat -I POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE

admin

下载openvpn客户端，并进行配置
4 [. x( G7 }* x. X" X
% ]7 w/ i! S6 G/ |3 R( s  \1、将客户端密钥及证书等拷出到windows备用
, H# Z' O& S6 ~
4 c& {; \. i& F+ p1 Y
[root@vpn ~]# cd client/
[root@vpn client]# ls
  F% {. Y0 y/ g% A& e  `3 Yca.crt  easy-rsa  nmshuishui.crt  nmshuishui.key    #带后缀的这三个

2、安装openvpn-gui工具
  l6 C3 ^) T6 i) O$ [9 y
（1）将D:\Program Files (x86)\OpenVPN\sample-config\client.ovpn复制到D:\Program Files (x86)\OpenVPN\config

（2）将从linux中拷贝出来的三个密钥及证书放到D:\Program Files (x86)\OpenVPN\config下