1. Check the current OS release and kernel version

[root@openvpn ~]# uname -r

2.6.32-696.el6.x86_64

[root@openvpn ~]# cat /etc/redhat-release

CentOS release 6.9 (Final)

2. Install the dependencies

yum -y install openssl openssl-devel lzo openvpn easy-rsa   # "openvpneasy-rsa" in the original is a typo for the two packages openvpn and easy-rsa

On CentOS 6 the openvpn and easy-rsa packages come from EPEL, so the EPEL repository (epel-release) must be enabled before this yum call will resolve them.

3. Create /etc/openvpn/

mkdir /etc/openvpn -p

4. Copy the easy-rsa 2.0 scripts into /etc/openvpn/ (vars and the build-* scripts are meant to be run from that directory)

cp -pr /usr/share/easy-rsa/2.0/* /etc/openvpn/

5. vim vars   # adjust to your environment; these values become the DN defaults offered by the build-* prompts, and KEY_SIZE / KEY_EXPIRE in the same file give the 2048-bit keys and 3650-day validity seen below

export KEY_COUNTRY="US" # country; set to CN for China

export KEY_PROVINCE="CA" # province

export KEY_CITY="SanFrancisco" # city

export KEY_ORG="Fort-Funston" # organization

export KEY_EMAIL="me@myhost.mydomain" # your e-mail address

export KEY_OU="MyOrganizationalUnit" # organizational unit

6. source vars   # exports the variables into the current shell; repeat this in every new shell before running any build-* script

[root@openvpn openvpn]# source vars

NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/keys

7. Run ./clean-all as the note suggests (this wipes /etc/openvpn/keys, so only do it once, before the first build-ca)

[root@openvpn openvpn]# ./clean-all

8. Generate the CA certificate

[root@openvpn openvpn]# ./build-ca   # press Enter at every prompt to accept the defaults taken from vars; keys/ca.key is the key that signs every other certificate, so protect it and never copy it to a client

Generating a 2048 bit RSA private key

.....................................+++

...................................................+++

writing new private key to 'ca.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BJ]:

Locality Name (eg, city) [BeiJing]:

Organization Name (eg, company) [BeiJing]:

Organizational Unit Name (eg, section) [yunwei]:

Common Name (eg, your name or your server's hostname) [BeiJing CA]:

Name [EasyRSA]:

9. Generate the server certificate and key (build-key-server, not build-key: it signs with the [server] profile, which sets extendedKeyUsage=serverAuth and lets clients tell a server cert from a client cert)

[root@openvpn openvpn]# ./build-key-server server

Generating a 2048 bit RSA private key

......................................................+++

............+++

writing new private key to 'server.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BJ]:

Locality Name (eg, city) [BeiJing]:

Organization Name (eg, company) [BeiJing]:

Organizational Unit Name (eg, section) [yunwei]:

Common Name (eg, your name or your server's hostname) [server]:

Name [EasyRSA]:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/openvpn/openssl-1.0.0.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'CN'

stateOrProvinceName   :PRINTABLE:'BJ'

localityName          :PRINTABLE:'BeiJing'

organizationName      :PRINTABLE:'BeiJing'

organizationalUnitName:PRINTABLE:'yunwei'

commonName            :PRINTABLE:'server'

name                  :PRINTABLE:'EasyRSA'

Certificate is to be certified until Aug 28 09:05:01 2027 GMT (3650 days)

Sign the certificate? [y/n]:y



1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

10. Generate the Diffie-Hellman parameters (the ephemeral key exchange that lets server and client agree on session keys over the untrusted network; writes keys/dh2048.pem because KEY_SIZE=2048)

[root@openvpn openvpn]# ./build-dh

Generating DH parameters, 2048 bit long safe prime, generator 2

This is going to take a long time

11. Generate a client certificate and key

[root@openvpn openvpn]# ./build-key client   # press Enter at every prompt, then answer y twice (sign, commit)
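As an added example (not part of the original tutorial and not easy-rsa's own code), the following script redoes what build-ca, build-key-server and build-key produce with plain openssl, so the one property that separates a server certificate from a client certificate is visible: the server cert carries extendedKeyUsage=serverAuth, the client cert clientAuth, and openssl verify -purpose sslserver (the same check OpenVPN's remote-cert-tls server performs at connect time) rejects the client cert. The names demo-ca, server and client1 and the temporary directory are assumptions; the extension lines mirror the [server] and [usr_cert] sections of the openssl cnf easy-rsa 2 uses.

```shell
#!/bin/sh
# Added example, not the tutorial's or easy-rsa's code: CA, server and client
# certificates built with plain openssl to show why build-key-server (EKU
# serverAuth) differs from build-key (EKU clientAuth).
# Assumptions: names demo-ca/server/client1, a temporary working directory.
set -e

# make_pki DIR: self-signed CA, server cert (serverAuth), client cert (clientAuth)
make_pki() {
    d=$1
    mkdir -p "$d"
    # extension profiles: ca.ext for the root, the others mirror easy-rsa's [server] / [usr_cert]
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > "$d/server.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$d/client1.ext"
    # CA (what build-ca does); ca.key never leaves this directory
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=demo-ca' \
        -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 3650 \
        -extfile "$d/ca.ext" -out "$d/ca.crt" 2>/dev/null
    # leaf certs signed by the CA (build-key-server for server, build-key for client1)
    for name in server client1; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
        openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
            -CAcreateserial -days 3650 -extfile "$d/$name.ext" -out "$d/$name.crt" 2>/dev/null
    done
}

# verify_purpose CERT CAFILE PURPOSE: succeeds only if CERT chains to CAFILE *and*
# its EKU/keyUsage allow PURPOSE (sslserver = what 'remote-cert-tls server' demands)
verify_purpose() {
    openssl verify -CAfile "$2" -purpose "$3" "$1" >/dev/null 2>&1
}

# cert_eku CERT: prints the Extended Key Usage line of the certificate
cert_eku() {
    openssl x509 -in "$1" -noout -text | sed -n '/Extended Key Usage/{n;s/^[[:space:]]*//;p;}'
}

main() {
    d=$(mktemp -d)
    make_pki "$d"
    for c in server client1; do
        if verify_purpose "$d/$c.crt" "$d/ca.crt" sslserver; then ok=yes; else ok=no; fi
        echo "$c.crt  EKU: $(cert_eku "$d/$c.crt")  accepted as server: $ok"
    done
    rm -rf "$d"
}
main
```

Both leaf certificates chain to the same CA, so a client that only checks the chain (the tutorial's client config does exactly that) would accept client1.crt as the server; only the EKU check tells them apart, which is why a server cert must be made with build-key-server and the client must carry remote-cert-tls server.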

12. Edit the server configuration file

[root@openvpn openvpn]# vim server.conf

local 10.0.0.5  # local IP address to listen on

port 19923     # listening port; change as needed

proto tcp        # TCP; OpenVPN's default is UDP, which performs better (TCP inside TCP stalls on loss), so pick TCP only where UDP is blocked

dev tun           

 

ca /etc/openvpn/keys/ca.crt   

cert /etc/openvpn/keys/server.crt

key /etc/openvpn/keys/server.key

dh /etc/openvpn/keys/dh2048.pem

 

ifconfig-pool-persist /etc/openvpn/ipp.txt     

 

server 172.16.0.0 255.255.255.0     

push "route 172.16.1.0 255.255.255.0" # push a route for the internal LAN subnet to every client

client-to-client                      

 

keepalive 20 120 

comp-lzo           

 

user nobody    # drop root after startup; the original used "user root", which keeps the daemon fully privileged for its whole lifetime

group nobody   # persist-key / persist-tun below let the unprivileged daemon survive tunnel restarts without re-reading keys or reopening tun

 

persist-key

persist-tun        

status openvpn-status1.log   

log-append openvpn1.log    

verb 1      

mute 20


13. Enable IP forwarding

[root@openvpn openvpn]# sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#g' /etc/sysctl.conf

[root@openvpn openvpn]# sysctl -p   # apply it now; the sed alone only changes the value used at the next boot

Forwarding alone is not enough for clients to reach 172.16.1.0/24: hosts on that LAN need a return route for 172.16.0.0/24 via the VPN server, or the server must masquerade VPN traffic leaving towards the LAN (an iptables MASQUERADE rule in the nat POSTROUTING chain for source 172.16.0.0/24).

14. Generate a client key

[root@openvpn openvpn]# source vars

NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/keys

[root@openvpn openvpn]# ./build-key xx   # generates a client certificate and key named xx; run one build-key per client and never hand the same cert to two clients (the server rejects duplicate CNs unless duplicate-cn is set)

15. Start the openvpn service (the CentOS 6 init script starts every *.conf it finds in /etc/openvpn).

[root@openvpn openvpn]# /etc/init.d/openvpn start

Starting openvpn:                                          [  OK  ]

16. On Windows, download the OpenVPN 2.3.6 client.

17. Copy the CA certificate and the xx client certificate and key from the Linux server into the config directory of the Windows OpenVPN installation.

[root@openvpn openvpn]# sz -y keys/ca.crt keys/xx.crt keys/xx.key   # not keys/ca.*: that glob would also send ca.key, the CA's private key, which must never leave the CA host

18. Edit the client configuration file

client

proto tcp

dev tun

remote 10.0.0.5 19923

ca ca.crt

cert fuhua.crt   # must be the client cert produced by ./build-key (xx.crt if you ran ./build-key xx)

key fuhua.key    # and its private key (xx.key)

remote-cert-tls server   # added: reject a peer whose certificate lacks the serverAuth EKU; without it any client cert signed by this CA can impersonate the server

resolv-retry infinite

nobind

mute-replay-warnings

keepalive 20 120

comp-lzo

user root   # the user/group directives are not implemented on Windows and are ignored there; on a Linux client use nobody, as on the server

group root

persist-key

persist-tun

status openvpn-status.log

log-append openvpn.log

verb 3

mute 20

# Note: the file must have the .ovpn extension (for example client.ovpn) or the Windows client will not list it.
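The server.conf and client configuration above leave several weaknesses: the daemon keeps root, there is no tls-auth so any host can reach the TLS stack unauthenticated, comp-lzo compresses TLS-protected traffic, no cipher is set (OpenVPN 2.3 then uses BF-CBC), and the client never checks the server certificate's EKU. As an added example, not part of the original tutorial, the script below is a small lint for OpenVPN 2.3 config files that flags those settings, together with a hardened server/client pair that passes it. It assumes ta.key is generated with "openvpn --genkey --secret /etc/openvpn/keys/ta.key" and copied to the client, and it picks AES-256-CBC because 2.3 has no cipher negotiation and both ends must agree; the weak sample is a constructed copy of the relevant lines of the tutorial's server.conf.

```shell
#!/bin/sh
# Added example, not from the original tutorial: lint OpenVPN 2.3 config files
# for the weak settings discussed above, and a hardened server/client pair.
# Assumptions: ta.key from "openvpn --genkey --secret"; cipher AES-256-CBC.

# lint_ovpn FILE ROLE   (ROLE = server | client)
# Prints one finding per line; the return value is the number of findings.
lint_ovpn() {
    f=$1; role=$2; n=0
    if grep -Eq '^[[:space:]]*user[[:space:]]+root' "$f"; then
        echo "$f: keeps root after init; use 'user nobody' / 'group nobody' (persist-key + persist-tun make the drop work)"
        n=$((n + 1))
    fi
    if ! grep -Eq '^[[:space:]]*tls-auth[[:space:]]' "$f"; then
        echo "$f: no tls-auth; any host can talk to the TLS stack before authenticating"
        n=$((n + 1))
    fi
    if grep -Eq '^[[:space:]]*comp-lzo' "$f"; then
        echo "$f: comp-lzo compresses TLS-protected traffic and leaks plaintext (VORACLE); drop it on both ends"
        n=$((n + 1))
    fi
    if ! grep -Eq '^[[:space:]]*cipher[[:space:]]' "$f"; then
        echo "$f: no cipher set; OpenVPN 2.3 falls back to BF-CBC (64-bit blocks); set the same AES cipher on both ends"
        n=$((n + 1))
    fi
    if [ "$role" = client ] && ! grep -Eq '^[[:space:]]*(remote-cert-tls|ns-cert-type)[[:space:]]+server' "$f"; then
        echo "$f: client never checks the server cert's EKU, so any client cert can impersonate the server; add 'remote-cert-tls server'"
        n=$((n + 1))
    fi
    return $n
}

# write_weak_server_conf FILE: constructed copy of the relevant lines of the tutorial's server.conf
write_weak_server_conf() {
    cat > "$1" <<'EOF'
port 19923
proto tcp
dev tun
server 172.16.0.0 255.255.255.0
comp-lzo
user root
group root
EOF
}

# write_hardened_confs DIR: server.conf and client.ovpn that pass lint_ovpn
write_hardened_confs() {
    cat > "$1/server.conf" <<'EOF'
local 10.0.0.5
port 19923
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
tls-auth /etc/openvpn/keys/ta.key 0
cipher AES-256-CBC
server 172.16.0.0 255.255.255.0
push "route 172.16.1.0 255.255.255.0"
keepalive 20 120
user nobody
group nobody
persist-key
persist-tun
verb 3
EOF
    cat > "$1/client.ovpn" <<'EOF'
client
proto tcp
dev tun
remote 10.0.0.5 19923
ca ca.crt
cert xx.crt
key xx.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
EOF
}

# Demo: lint the weak file, then the hardened pair.
d=$(mktemp -d)
write_weak_server_conf "$d/weak.conf"
write_hardened_confs "$d"
for spec in "$d/weak.conf server" "$d/server.conf server" "$d/client.ovpn client"; do
    set -- $spec
    if lint_ovpn "$1" "$2"; then echo "$1: clean"; else echo "$1: $? finding(s)"; fi
done
rm -rf "$d"
```

client-to-client is left out of the hardened server config on purpose: it lets every VPN client talk to every other one, which a road-warrior setup rarely needs.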

19. Connect to the server

# Excerpt from the client log showing that the connection came up.

Wed Aug 30 18:37:14 2017 C:\WINDOWS\system32\route.exe ADD 172.16.0.0 MASK 255.255.255.0 172.16.0.9

Wed Aug 30 18:37:14 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=35 and dwForwardType=4

Wed Aug 30 18:37:14 2017 Route addition via IPAPI succeeded [adaptive]

Wed Aug 30 18:37:14 2017 Initialization Sequence Completed

Wed Aug 30 18:37:14 2017 MANAGEMENT: >STATE:1504089434,CONNECTED,SUCCESS,172.16.0.10,10.0.0.5