Client-side LAN: 192.168.1.0/24
The VPN server hands out addresses from 192.168.18.0/24; the server-side internal network is 192.168.9.0/24. Neither may be the same as the client's internal network.
yum install openvpn easy-rsa -y
cd /usr/share/easy-rsa/2.0
vim vars
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SH"
export KEY_CITY="ShangHai"
export KEY_ORG="Company"
export KEY_EMAIL="[email protected]"
export KEY_OU="MyOrganization"
./clean-all
source vars
./build-ca
Country Name (2 letter code) [CN]: ----> just press Enter
State or Province Name (full name) [SH]: ----> just press Enter
Locality Name (eg, city) [ShangHai]: ----> just press Enter
Organization Name (eg, company) [Company]: ----> just press Enter
Organizational Unit Name (eg, section) [MyOrganization]: ----> just press Enter
Common Name (eg, your name or your server's hostname) [Company CA]: ----> just press Enter
Name [EasyRSA]: ----> just press Enter
Email Address [[email protected]]: ----> just press Enter
./build-key-server dachuiServer
Country Name (2 letter code) [CN]: ----> just press Enter
State or Province Name (full name) [SH]: ----> just press Enter
Locality Name (eg, city) [ShangHai]: ----> just press Enter
Organization Name (eg, company) [Company]: ----> just press Enter
Organizational Unit Name (eg, section) [MyOrganization]: ----> just press Enter
Common Name (eg, your name or your server's hostname) [aliyunServer]: ----> just press Enter
Name [EasyRSA]: ----> just press Enter
Email Address [[email protected]]: ----> just press Enter
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SH'
localityName :PRINTABLE:'ShangHai'
organizationName :PRINTABLE:'Company'
organizationalUnitName:PRINTABLE:'MyOrganization'
commonName :PRINTABLE:'aliyunServer'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Nov 29 07:31:54 2024 GMT (3650 days)
Sign the certificate? [y/n]:y ----> choose y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
./build-key dachuiClient
Country Name (2 letter code) [CN]: ----> just press Enter
State or Province Name (full name) [SH]: ----> just press Enter
Locality Name (eg, city) [ShangHai]: ----> just press Enter
Organization Name (eg, company) [Company]: ----> just press Enter
Organizational Unit Name (eg, section) [MyOrganization]: ----> just press Enter
Common Name (eg, your name or your server's hostname) [aliyunClient]: ----> just press Enter
Name [EasyRSA]: ----> just press Enter
Email Address [[email protected]]: ----> just press Enter
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SH'
localityName :PRINTABLE:'ShangHai'
organizationName :PRINTABLE:'Company'
organizationalUnitName:PRINTABLE:'MyOrganization'
commonName :PRINTABLE:'aliyunClient'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Nov 29 07:35:56 2024 GMT (3650 days)
Sign the certificate? [y/n]:y ----> choose y
./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
cd keys && openvpn --genkey --secret ta.key
cp dh2048.pem dachuiServer.crt dachuiServer.key ca.crt ta.key /etc/openvpn/
cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn/
cat /etc/openvpn/server.conf
local 116.213.204.14
port 11956
proto tcp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/dachuiServer.crt
key /etc/openvpn/dachuiServer.key # This file should be kept secret
dh /etc/openvpn/dh2048.pem
server 192.168.18.0 255.255.255.0 # address pool handed out to VPN clients
ifconfig-pool-persist ipp.txt
push "route 192.168.9.0 255.255.255.0" # route to the server-side internal network
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/ta.key
cipher AES-256-CBC
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 4
Enable forwarding: add net.ipv4.ip_forward = 1 to /etc/sysctl.conf, then apply it with sysctl -p
iptables -t nat -A POSTROUTING -s 192.168.18.0/24 -o eth0 -j MASQUERADE
(masquerades traffic arriving from tun0 so it can be forwarded out of eth0 into 192.168.9.0/24)
/etc/init.d/openvpn start
Client
Copy ca.crt dachuiClient.crt dachuiClient.key ta.key from the server to the client (over a secure channel; the client key and ta.key are secrets)
dachui.ovpn
# Declare this as a client
client
# Use routed IP (tun) mode, the same as the server
;dev tap
dev tun
# Name of the TAP adapter to use on Windows; not needed on Linux
;dev-node MyTap
# Protocol to use; must match the server
;proto tcp
proto tcp
# Server address and port; several servers can be listed, one per line,
# for load balancing (tried from top to bottom)
# Must match the server's "local" address and "port" directives (the server.conf above listens on port 11956)
remote 121.40.135.148 1194
;remote my-server-2 1194
# If several servers are listed above, have the client pick one at random
;remote-random
# Keep retrying to resolve the server hostname
resolv-retry infinite
# Most clients do not need to bind to
# a specific local port number.
nobind
# Also run OpenVPN as nobody (hardening)
# Note: not supported on Windows
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# If the client connects through an HTTP proxy, configure it here
# A proxy requires TCP; UDP cannot be used as the VPN transport
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks produce many duplicate packets; silence the warnings
;mute-replay-warnings
# Important: the CA and the client's own certificate and key
ca ca.crt
cert dachuiClient.crt
key dachuiClient.key
# If the server enables the PAM authentication module, the client must enable this too
;auth-user-pass
;ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Use LZO compression; must match the server
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
Copy ca.crt dachuiClient.crt dachuiClient.key ta.key and dachui.ovpn into the C:\Program Files\OpenVPN\config\ directory
Start the client
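As an added consistency check (not part of the original notes), this Python script parses constructed excerpts of the server.conf and dachui.ovpn above and reports the mismatches the comments warn about: proto, dev, comp-lzo and cipher must match on both sides, tls-auth must be present on both, the client should verify the peer holds a server certificate (ns-cert-type or remote-cert-tls), and the VPN pool, the pushed internal route and the client LAN must not overlap. The client LAN 192.168.1.0/24 is the one from the top of the notes.

```python
import ipaddress  # the config excerpts below are constructed from the notes above
from itertools import combinations

SERVER_CONF = """\
proto tcp
server 192.168.18.0 255.255.255.0
push "route 192.168.9.0 255.255.255.0"
tls-auth /etc/openvpn/ta.key
cipher AES-256-CBC
comp-lzo
"""
CLIENT_CONF = """\
client
proto tcp
remote 121.40.135.148 1194
;ns-cert-type server
tls-auth ta.key
comp-lzo
"""

def parse(conf):
    # Map each active directive to its argument lists; '#' and ';' start comments.
    opts = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            parts = line.replace('"', "").split()
            opts.setdefault(parts[0], []).append(parts[1:])
    return opts

def check_pair(server_conf, client_conf, client_lan):
    # Returns a list of findings; an empty list means server and client agree.
    s, c = parse(server_conf), parse(client_conf)
    findings = []
    for d in ("proto", "dev", "comp-lzo", "cipher"):  # must match on both sides
        if s.get(d) != c.get(d):
            findings.append(f"{d} differs: server={s.get(d)} client={c.get(d)}")
    if ("tls-auth" in s) != ("tls-auth" in c):
        findings.append("tls-auth must be configured on both sides")
    if "ns-cert-type" not in c and "remote-cert-tls" not in c:
        findings.append("client does not check that the peer cert is a server cert")
    # Address plan: VPN pool, pushed internal route and client LAN must not overlap.
    nets = {"vpn pool": ipaddress.ip_network("/".join(s["server"][0][:2])),
            "client LAN": ipaddress.ip_network(client_lan)}
    for args in s.get("push", []):
        if args[0] == "route":
            nets["pushed route"] = ipaddress.ip_network("/".join(args[1:3]))
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            findings.append(f"{a} {na} overlaps {b} {nb}")
    return findings
```

Run against the excerpts it flags the two gaps present in the notes: the client does not repeat the server's cipher line, and ns-cert-type server is still commented out.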