1. Check the current OS release and kernel version
[root@openvpn ~]# uname -r
2.6.32-696.el6.x86_64
[root@openvpn ~]# cat /etc/redhat-release
CentOS release 6.9 (Final)
2. Install the dependency packages (openvpn and easy-rsa come from the EPEL repository on CentOS 6)
yum -y install openssl openssl-devel lzo openvpn easy-rsa
3. Create /etc/openvpn/
mkdir /etc/openvpn -p
4. Copy the whole easy-rsa 2.0 tree into /etc/openvpn/
cp -pr /usr/share/easy-rsa/2.0/* /etc/openvpn/
5. vim vars #adjust the values to your own needs
export KEY_COUNTRY="US" #country; change it to China
export KEY_PROVINCE="CA" #province
export KEY_CITY="SanFrancisco" #city
export KEY_ORG="Fort-Funston" #organization
export KEY_EMAIL="me@myhost.mydomain" #your e-mail address
export KEY_OU="MyOrganizationalUnit" #organizational unit
5. source vars
[root@openvpn openvpn]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/keys
6. Run ./clean-all as the note above instructs
[root@openvpn openvpn]# ./clean-all
7. Generate the CA certificate
[root@openvpn openvpn]# ./build-ca #just press Enter through every prompt
Generating a 2048 bit RSA private key
.....................................+++
...................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BeiJing]:
Organization Name (eg, company) [BeiJing]:
Organizational Unit Name (eg, section) [yunwei]:
Common Name (eg, your name or your server's hostname) [BeiJing CA]:
Name [EasyRSA]:
7. Generate the server certificate and key
[root@openvpn openvpn]# ./build-key-server server
Generating a 2048 bit RSA private key
......................................................+++
............+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BeiJing]:
Organization Name (eg, company) [BeiJing]:
Organizational Unit Name (eg, section) [yunwei]:
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyRSA]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BeiJing'
organizationName :PRINTABLE:'BeiJing'
organizationalUnitName:PRINTABLE:'yunwei'
commonName :PRINTABLE:'server'
name :PRINTABLE:'EasyRSA'
Certificate is to be certified until Aug 28 09:05:01 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
8. Generate the Diffie-Hellman parameters, which let the key exchange run safely over an untrusted network
[root@openvpn openvpn]# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
9. Generate the client certificate and key
[root@openvpn openvpn]# ./build-key client #press Enter through the prompts and answer y twice
10. Edit the server configuration file
[root@openvpn openvpn]# vim server.conf
local 10.0.0.5 #local IP address to listen on
port 19923 #port the service listens on; change it if you like
proto tcp #use TCP
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
ifconfig-pool-persist /etc/openvpn/ipp.txt
server 172.16.0.0 255.255.255.0
push "route 172.16.1.0 255.255.255.0" #the internal LAN subnet pushed to clients
client-to-client
keepalive 20 120
comp-lzo
user root #the daemon keeps running as root here; OpenVPN can drop to an unprivileged account with user nobody / group nobody instead
group root
persist-key
persist-tun
status openvpn-status1.log
log-append openvpn1.log
verb 1
mute 20
11. Enable IP forwarding
[root@openvpn openvpn]# sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#g' /etc/sysctl.conf
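The sed above only rewrites the literal line "net.ipv4.ip_forward = 0"; if the line is missing or spaced differently (for example "net.ipv4.ip_forward=0") it silently changes nothing, and editing the file does not touch the running kernel until "sysctl -p" or a reboot. The following POSIX shell functions are an added example, not part of the original tutorial; the function names are this example's own, and they take the sysctl file as an argument so they can be tried on a scratch copy before /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example (not from the original tutorial): enable IPv4 forwarding in a
# sysctl file in a way that is safe to re-run and reports what it did.
set -u

# enable_ip_forward FILE -> rewrites FILE so it contains exactly one
# "net.ipv4.ip_forward = 1" line; prints "changed" or "unchanged".
enable_ip_forward() {
    f="$1"
    tmp="$f.tmp.$$"
    # Drop every uncommented ip_forward assignment, whatever its spacing,
    # then append the canonical setting once at the end.
    grep -v '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$f" > "$tmp" || true
    printf 'net.ipv4.ip_forward = 1\n' >> "$tmp"
    if [ "$(cat "$f")" = "$(cat "$tmp")" ]; then
        rm -f "$tmp"
        echo unchanged
    else
        mv "$tmp" "$f"
        echo changed
    fi
}

# ip_forward_enabled FILE -> exit 0 if the file's effective setting is 1.
ip_forward_enabled() {
    # The last uncommented assignment wins, as it does when sysctl loads the file.
    last=$(sed -n 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$1" | tail -n 1)
    [ "$last" = "1" ]
}

# apply_sysctl FILE -> load the file into the running kernel, which the
# tutorial's step omits; only possible as root.
apply_sysctl() {
    if [ "$(id -u)" -eq 0 ] && command -v sysctl >/dev/null 2>&1; then
        sysctl -p "$1"
    else
        echo "not root: run 'sysctl -p $1' to apply the setting" >&2
        return 1
    fi
}

# usage on the real system:
#   enable_ip_forward /etc/sysctl.conf && apply_sysctl /etc/sysctl.conf
```

Check the live value afterwards with "cat /proc/sys/net/ipv4/ip_forward"; it should read 1 once the file has been applied.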
12. Generate the client key
[root@openvpn openvpn]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/keys
[root@openvpn openvpn]# ./build-key xx #generate a client key named xx
13. Start the openvpn service.
[root@openvpn openvpn]# /etc/init.d/openvpn start
Starting openvpn: [ OK ]
14. Download the OpenVPN 2.3.6 client on the Windows side.
15. Upload the CA certificate and every xx file under keys/ from the Linux server into the config directory of the Windows OpenVPN installation.
[root@openvpn openvpn]# sz -y keys/ca.* keys/xx.*
16. Edit the client configuration file
client
proto tcp
dev tun
remote 10.0.0.5 19923
ca ca.crt
cert fuhua.crt #the client certificate from build-key; the name must match the one used in step 12 (xx above)
key fuhua.key #the matching client private key
resolv-retry infinite
nobind
mute-replay-warnings
keepalive 20 120
comp-lzo
user root
group root
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
mute 20
#Note: this file must have the .ovpn extension.
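Before starting either side it is worth checking that the files the configuration points at are the right ones: the server.conf in step 10 and the client .ovpn in step 16 each name a ca, cert and key, and a wrong copy (the CA of another PKI, a client key that does not belong to the certificate next to it, or a file named differently from the build-key name in step 12) only shows up as a TLS handshake failure later. The POSIX shell script below is an added example, not part of the original tutorial or of OpenVPN or easy-rsa: it reads the three directives from a config file, resolves relative paths against the config's directory, verifies the certificate against the CA and compares the RSA modulus of the key with that of the certificate. The function names and the throwaway test PKI built by make_test_pki are this example's own assumptions; openssl must be installed.

```shell
#!/bin/sh
# Added example (not from the original tutorial): pre-flight check for the
# ca/cert/key files referenced by an OpenVPN server.conf or client .ovpn.
set -u

# conf_value CONFIG DIRECTIVE -> print the argument of a single-word directive
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# resolve_path CONFIG PATH -> absolute path, relative ones taken from the
# config's own directory (OpenVPN behaves that way for --config/--cd)
resolve_path() {
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$(dirname "$1")" "$2" ;;
    esac
}

# check_config CONFIG -> exit 0 when every check passes, 1 otherwise
check_config() {
    conf="$1"; rc=0
    for d in ca cert key; do
        v=$(conf_value "$conf" "$d")
        if [ -z "$v" ]; then
            echo "FAIL: '$d' directive missing in $conf"; rc=1; continue
        fi
        p=$(resolve_path "$conf" "$v")
        if [ ! -r "$p" ]; then
            echo "FAIL: $d file not found: $p"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1
    ca=$(resolve_path "$conf" "$(conf_value "$conf" ca)")
    crt=$(resolve_path "$conf" "$(conf_value "$conf" cert)")
    key=$(resolve_path "$conf" "$(conf_value "$conf" key)")
    # 1. the certificate must chain to the CA this config trusts
    if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "ok: $crt is signed by $ca"
    else
        echo "FAIL: $crt does not verify against $ca"; rc=1
    fi
    # 2. the private key must belong to the certificate (same RSA modulus)
    crt_mod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    if [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]; then
        echo "ok: $key matches $crt"
    else
        echo "FAIL: $key does not match $crt"; rc=1
    fi
    # 3. warn when the certificate expires within 30 days (2592000 s)
    if openssl x509 -noout -checkend 2592000 -in "$crt" >/dev/null 2>&1; then
        echo "ok: $crt is valid for at least 30 more days"
    else
        echo "WARN: $crt expires within 30 days"
    fi
    return "$rc"
}

# make_test_pki DIR -> constructed test input only: a throwaway CA, a client
# certificate signed by it, an unrelated key, and two small .ovpn files.
# The tutorial's real files come from easy-rsa, not from this function.
make_test_pki() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client" \
        -keyout "$d/client.key" -out "$d/client.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$d/client.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/client.crt" >/dev/null 2>&1
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1
    printf 'client\nremote 10.0.0.5 19923\nca ca.crt\ncert client.crt\nkey client.key\n' > "$d/client.ovpn"
    printf 'client\nca ca.crt\ncert client.crt\nkey other.key\n' > "$d/bad.ovpn"
}

# usage on the real system:
#   check_config /etc/openvpn/server.conf
#   check_config /path/to/client.ovpn
```

Run it against server.conf on the server and against the .ovpn in the Windows config directory (from a shell that has openssl); a "FAIL" line tells you which file to recopy before you look at the OpenVPN log.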
17. Connect to the server
#An excerpt of the log showing that the connection has been established.
Wed Aug 30 18:37:14 2017 C:\WINDOWS\system32\route.exe ADD 172.16.0.0 MASK 255.255.255.0 172.16.0.9
Wed Aug 30 18:37:14 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=35 and dwForwardType=4
Wed Aug 30 18:37:14 2017 Route addition via IPAPI succeeded [adaptive]
Wed Aug 30 18:37:14 2017 Initialization Sequence Completed
Wed Aug 30 18:37:14 2017 MANAGEMENT: >STATE:1504089434,CONNECTED,SUCCESS,172.16.0.10,10.0.0.5