Client LAN: 192.168.1.0/24
Address pool the VPN server hands out to clients: 192.168.18.0/24. Server-side LAN: 192.168.9.0/24. Neither the pool nor the server LAN may overlap the client's own LAN, otherwise the route pushed by the server collides with the client's local route and traffic never enters the tunnel.

yum install openvpn easy-rsa -y

cd /usr/share/easy-rsa/2.0
vim vars
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SH"
export KEY_CITY="ShangHai"
export KEY_ORG="Company"
export KEY_EMAIL="[email protected]"
export KEY_OU="MyOrganization"

./clean-all
source vars
./build-ca
Country Name (2 letter code) [CN]:  ----> press Enter to accept the default from vars
State or Province Name (full name) [SH]:  ----> press Enter
Locality Name (eg, city) [ShangHai]:  ----> press Enter
Organization Name (eg, company) [Company]:  ----> press Enter
Organizational Unit Name (eg, section) [MyOrganization]:  ----> press Enter
Common Name (eg, your name or your server's hostname) [Company CA]:  ----> press Enter
Name [EasyRSA]:  ----> press Enter
Email Address [[email protected]]:  ----> press Enter

./build-key-server dachuiServer
Country Name (2 letter code) [CN]:  ----> press Enter
State or Province Name (full name) [SH]:  ----> press Enter
Locality Name (eg, city) [ShangHai]:  ----> press Enter
Organization Name (eg, company) [Company]:  ----> press Enter
Organizational Unit Name (eg, section) [MyOrganization]:  ----> press Enter
Common Name (eg, your name or your server's hostname) [dachuiServer]:  ----> press Enter (the default is the name given to build-key-server)
Name [EasyRSA]:  ----> press Enter
Email Address [[email protected]]:  ----> press Enter


Please enter the following 'extra' attributes 
to be sent with your certificate request 
A challenge password []: 
An optional company name []: 
Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf 
Check that the request matches the signature 
Signature ok 
The Subject's Distinguished Name is as follows 
countryName           :PRINTABLE:'CN' 
stateOrProvinceName   :PRINTABLE:'SH' 
localityName          :PRINTABLE:'ShangHai' 
organizationName      :PRINTABLE:'Company' 
organizationalUnitName:PRINTABLE:'MyOrganization' 
commonName            :PRINTABLE:'dachuiServer' 
name                  :PRINTABLE:'EasyRSA' 
emailAddress          :IA5STRING:'[email protected]' 
Certificate is to be certified until Nov 29 07:31:54 2024 GMT (3650 days) 
Sign the certificate? [y/n]:y  ----> answer y 
1 out of 1 certificate requests certified, commit? [y/n]y 
Write out database with 1 new entries 


./build-key dachuiClient
Country Name (2 letter code) [CN]:  ----> press Enter
State or Province Name (full name) [SH]:  ----> press Enter
Locality Name (eg, city) [ShangHai]:  ----> press Enter
Organization Name (eg, company) [Company]:  ----> press Enter
Organizational Unit Name (eg, section) [MyOrganization]:  ----> press Enter
Common Name (eg, your name or your server's hostname) [dachuiClient]:  ----> press Enter (the default is the name given to build-key; use one distinct name per user so certificates can be revoked individually)
Name [EasyRSA]:  ----> press Enter
Email Address [[email protected]]:  ----> press Enter


Please enter the following 'extra' attributes 
to be sent with your certificate request 
A challenge password []: 
An optional company name []: 
Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf 
Check that the request matches the signature 
Signature ok 
The Subject's Distinguished Name is as follows 
countryName           :PRINTABLE:'CN' 
stateOrProvinceName   :PRINTABLE:'SH' 
localityName          :PRINTABLE:'ShangHai' 
organizationName      :PRINTABLE:'Company' 
organizationalUnitName:PRINTABLE:'MyOrganization' 
commonName            :PRINTABLE:'dachuiClient' 
name                  :PRINTABLE:'EasyRSA' 
emailAddress          :IA5STRING:'[email protected]' 
Certificate is to be certified until Nov 29 07:35:56 2024 GMT (3650 days) 
Sign the certificate? [y/n]:y ----> answer y  


./build-dh  
Generating DH parameters, 2048 bit long safe prime, generator 2 
This is going to take a long time  

cd keys && openvpn --genkey --secret ta.key
cp dh2048.pem dachuiServer.crt dachuiServer.key ca.crt ta.key /etc/openvpn/
cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn/
cat /etc/openvpn/server.conf
local 116.213.204.14
port 11956
proto tcp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/dachuiServer.crt
key /etc/openvpn/dachuiServer.key  # This file should be kept secret
dh /etc/openvpn/dh2048.pem
server 192.168.18.0 255.255.255.0   # address pool handed out to VPN clients
ifconfig-pool-persist ipp.txt
push "route 192.168.9.0 255.255.255.0"   # send the server-side LAN through the tunnel
client-to-client   # clients can reach each other through the server; drop this if they only need the LAN
duplicate-cn   # lets several clients share one certificate; this defeats per-client revocation, so prefer one certificate per user
keepalive 10 120
tls-auth /etc/openvpn/ta.key   # no key direction given, so the client must omit it as well (or use 0 here and 1 on the client)
cipher AES-256-CBC   # OpenVPN 2.3 does not negotiate ciphers: the client must set the same value
comp-lzo   # must match the client; compression also exposes tunnelled traffic to compression-oracle attacks (VORACLE), so leave it off unless needed
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log   # log and log-append are mutually exclusive; log-append keeps history across restarts
verb 4

Enable IP forwarding: add net.ipv4.ip_forward = 1 to /etc/sysctl.conf, then run sysctl -p
iptables -t nat -A POSTROUTING -s 192.168.18.0/24 -o eth0 -j MASQUERADE   # NAT traffic from the VPN pool (tun0) out of eth0 into 192.168.9.0/24
Also allow inbound TCP 11956 in the host firewall and persist the NAT rule, otherwise it is lost at the next reboot.
/etc/init.d/openvpn start
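The status file configured above is the one place where the effect of duplicate-cn becomes visible: with it enabled, several machines can present the same certificate and the server accepts all of them without a single warning in openvpn.log. The following Python script is an added example (not part of the original page) that parses a status dump in the status-version 1 layout OpenVPN writes by default and reports every Common Name connected from more than one real address, and maps tunnel addresses back to the client that holds them. The dump below is constructed for the example: the Common Name is the page's dachuiClient, the public addresses come from documentation ranges and the timestamps are made up.

```python
"""Parse the OpenVPN status file written by `status /var/log/openvpn-status.log`
(status-version 1, the default) and report certificates in use from more than one
client at once, which `duplicate-cn` allows without any log entry.
Added example; the status dump below is constructed, not taken from a real server."""
from collections import defaultdict

SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Mon Dec  1 10:15:32 2014
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
dachuiClient,203.0.113.10:52134,3416,3634,Mon Dec  1 10:02:09 2014
dachuiClient,198.51.100.7:61002,1204,998,Mon Dec  1 10:14:55 2014
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.18.6,dachuiClient,203.0.113.10:52134,Mon Dec  1 10:15:30 2014
192.168.18.10,dachuiClient,198.51.100.7:61002,Mon Dec  1 10:15:31 2014
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def parse_status(text):
    """Return (clients, routes): one dict per row of CLIENT LIST and ROUTING TABLE."""
    clients, routes = [], []
    section = header = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "OpenVPN CLIENT LIST":
            section, header = clients, None
        elif line == "ROUTING TABLE":
            section, header = routes, None
        elif line in ("GLOBAL STATS", "END"):
            section = None
        elif section is None or line.startswith("Updated,"):
            continue                      # global stats or the timestamp line: nothing to keep
        else:
            fields = line.split(",")
            if header is None:
                header = fields           # first row of each section names its columns
            else:
                section.append(dict(zip(header, fields)))
    return clients, routes


def sessions_by_cn(clients):
    """Map each Common Name to the real (public) addresses currently using it."""
    by_cn = defaultdict(list)
    for row in clients:
        by_cn[row["Common Name"]].append(row["Real Address"])
    return dict(by_cn)


def shared_certificates(clients):
    """Common Names connected from more than one real address at the same time."""
    return {cn: addrs for cn, addrs in sessions_by_cn(clients).items() if len(addrs) > 1}


def tunnel_owners(routes):
    """Map each tunnel address to (Common Name, real address) from the ROUTING TABLE,
    so a 192.168.18.x seen in server-LAN logs can be tied back to a client."""
    return {r["Virtual Address"]: (r["Common Name"], r["Real Address"]) for r in routes}


if __name__ == "__main__":
    clients, routes = parse_status(SAMPLE_STATUS)
    for cn, addrs in shared_certificates(clients).items():
        print(f"{cn} is in use from {len(addrs)} addresses: {', '.join(addrs)}")
    for vip, (cn, real) in tunnel_owners(routes).items():
        print(f"{vip} -> {cn} @ {real}")
```

Run it against the real file with `parse_status(open("/var/log/openvpn-status.log").read())`; a non-empty result from shared_certificates is either a user on two devices or a leaked client key, and with duplicate-cn in place this file is the only evidence you will get.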

Client
Copy ca.crt, dachuiClient.crt, dachuiClient.key and ta.key from the server to the client over a trusted channel; dachuiClient.key is that client's private key and ta.key is shared by every peer, so neither should travel over plain e-mail or a shared folder.

dachui.ovpn (the client configuration file)
# This side is a client 
client 
# Routed IP tunnel; must match the server's dev 
;dev tap 
dev tun 
# Windows only: name of the TAP adapter to use; not needed on Linux 
;dev-node MyTap 
# Protocol; must match the server's proto 
;proto udp 
proto tcp 
# Server address and port; must match the server's local address and port above. 
# Several remote lines may be given; they are tried from top to bottom. 
remote 116.213.204.14 11956 
;remote my-server-2 1194 
# With several remotes, pick one at random 
;remote-random 
# Keep retrying to resolve the server hostname 
resolv-retry infinite 
# Most clients do not need to bind to 
# a specific local port number. 
nobind 
# Drop privileges after start-up (not supported on Windows) 
;user nobody 
;group nobody 
# Try to preserve some state across restarts. 
persist-key 
persist-tun 
# Set these if the client goes out through an HTTP proxy; 
# a proxy requires proto tcp, not udp 
;http-proxy-retry # retry on connection failures 
;http-proxy [proxy server] [proxy port #] 
# Wireless networks often produce many duplicate packets; 
# set this to silence the duplicate-packet warnings 
;mute-replay-warnings 
# The CA and this client's own certificate and key 
ca ca.crt 
cert dachuiClient.crt 
key dachuiClient.key 
# Only needed if the server also requires a username/password (e.g. a PAM plugin) 
;auth-user-pass 
# Require the peer's certificate to carry the server role that build-key-server adds. 
# Without this, anyone holding a valid client certificate could impersonate the server. 
# remote-cert-tls replaces the older ns-cert-type server. 
remote-cert-tls server 
# If a tls-auth key is used on the server 
# then every client must also have the key. 
tls-auth ta.key 
# Select a cryptographic cipher. 
# If the cipher option is used on the server 
# then you must also specify it here. 
cipher AES-256-CBC 
# LZO compression; must match the server 
comp-lzo 
# Set log file verbosity. 
verb 3 
# Silence repeating messages 
;mute 20  
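Most of the ways a setup like this fails come from the client not mirroring the server (cipher set only on the server, a remote pointing at a different address or port, comp-lzo or tls-auth on one side only) or from the client never checking that the peer's certificate was issued as a server certificate. The following Python checker is an added example, not part of the original page: it parses a server.conf and a client .ovpn (skipping comments, trailing inline comments and `<ca>...</ca>` inline blocks) and reports mismatches and weak options. The embedded configs are constructed for the example: a trimmed copy of the server.conf above, a client with the common mistakes (wrong remote, cipher unset, server role unchecked), and the same client corrected.

```python
"""Cross-check an OpenVPN 2.3-era server.conf against a client .ovpn: settings that
must mirror each other (proto, dev, port, cipher, comp-lzo, tls-auth) and options
that weaken the tunnel. Added example; the embedded configs are constructed."""
import re
import shlex

SERVER_CONF = """\
local 116.213.204.14
port 11956
proto tcp
dev tun
push "route 192.168.9.0 255.255.255.0"
duplicate-cn
tls-auth /etc/openvpn/ta.key
cipher AES-256-CBC
comp-lzo
log /var/log/openvpn.log
log-append /var/log/openvpn.log
"""

# Client with the usual mistakes: wrong remote, cipher left unset, server role unchecked.
CLIENT_WEAK = """\
client
dev tun
proto tcp
remote 121.40.135.148 1194
key dachuiClient.key  # This file should be kept secret
;ns-cert-type server
tls-auth ta.key
;cipher x
comp-lzo
"""

# Same client with the server's settings mirrored and the server cert role checked.
CLIENT_FIXED = (CLIENT_WEAK
                .replace("remote 121.40.135.148 1194", "remote 116.213.204.14 11956")
                .replace(";ns-cert-type server", "remote-cert-tls server")
                .replace(";cipher x", "cipher AES-256-CBC"))


def parse_ovpn(text):
    """Map directive -> list of argument lists; skips comments and <inline> file blocks."""
    conf, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                                        # inside <ca> ... </ca> etc.
            inline = None if line == f"</{inline}>" else inline
            continue
        if not line or line[0] in "#;":
            continue
        tag = re.fullmatch(r"<([\w-]+)>", line)
        if tag:
            inline = tag.group(1)
            continue
        line = re.split(r"\s[#;]", line, maxsplit=1)[0]   # strip trailing comment
        tokens = shlex.split(line)                        # keeps push "route ..." whole
        conf.setdefault(tokens[0], []).append(tokens[1:])
    return conf


def first(conf, name, default=None):
    return conf[name][0] if name in conf else default


def lint(server_text, client_text):
    """Return (level, key, message) findings; an 'error' stops the tunnel coming up."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    out, err, warn = [], "error", "warn"
    proto = lambda k: first(k, "proto", ["udp"])[0].split("-")[0]   # tcp-server -> tcp
    dev = lambda k: re.sub(r"\d+$", "", first(k, "dev", ["?"])[0])  # tun0 -> tun
    for key, fn in (("proto", proto), ("dev", dev)):
        if fn(s) != fn(c):
            out.append((err, key, f"server {fn(s)} vs client {fn(c)}"))
    sport = first(s, "port", ["1194"])[0]
    for rem in c.get("remote", []):
        port = rem[1] if len(rem) > 1 else first(c, "port", ["1194"])[0]
        if port != sport:
            out.append((err, "port", f"client uses {port}, server listens on {sport}"))
        if "local" in s and rem[0] != s["local"][0][0]:
            out.append((warn, "remote", f"remote {rem[0]} is not the server's local address"))
    if "cipher" in s and first(c, "cipher") != first(s, "cipher"):
        out.append((err, "cipher", "2.3 does not negotiate ciphers; client must repeat the server's"))
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        out.append((err, "comp-lzo", "compression must be on at both ends or neither"))
    elif "comp-lzo" in s:
        out.append((warn, "comp-lzo", "compression exposes tunnelled traffic to oracle attacks (VORACLE)"))
    if ("tls-auth" in s) != ("tls-auth" in c):
        out.append((err, "tls-auth", "ta.key must be used at both ends or neither"))
    elif "tls-auth" in s:
        sd, cd = first(s, "tls-auth")[1:2], first(c, "tls-auth")[1:2]   # optional 0/1 direction
        if bool(sd) != bool(cd) or (sd and sd == cd):
            out.append((err, "tls-auth", "key direction must be omitted on both sides or be 0 and 1"))
    if not any(k in c for k in ("remote-cert-tls", "ns-cert-type", "verify-x509-name")):
        out.append((warn, "server-auth", "client never checks the server cert role; any client cert can pose as the server"))
    if "duplicate-cn" in s:
        out.append((warn, "duplicate-cn", "shared certificates defeat per-client revocation"))
    if "log" in s and "log-append" in s:
        out.append((warn, "log", "log and log-append are mutually exclusive; keep one"))
    return out


if __name__ == "__main__":
    print(*lint(SERVER_CONF, CLIENT_WEAK), sep="\n")
```

Run lint() on the real files before handing the .ovpn to a user; the weak client produces two errors (port, cipher) that would stop the tunnel coming up at all, while the corrected client leaves only the server-side warnings about duplicate-cn, compression and the duplicated log directive.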

Copy ca.crt, dachuiClient.crt, dachuiClient.key, ta.key and dachui.ovpn into C:\Program Files\OpenVPN\config\ on the Windows client.

Start the client and connect; once up, it should hold an address from 192.168.18.0/24 and a route to 192.168.9.0/24 via the tunnel.
