OpenVPN setup:

Base environment:

Server: CentOS 7.6

Client: Windows 10

1. Install OpenVPN

yum -y install openvpn easy-rsa

2. After installation, check the openvpn and easy-rsa versions

openvpn --version

For easy-rsa the original shows the output only as a screenshot; rpm -q easy-rsa reports the installed package version.

3. Configure easy-rsa

In this step we configure easy-rsa 3 by creating a new 'vars' file. The 'vars' file holds the Easy-RSA 3 settings.

Go to the '/etc/openvpn/' directory and copy the 'easy-rsa' scripts and the sample configuration files.

cd /etc/openvpn/

cp -r /usr/share/easy-rsa/ /etc/openvpn/

cp /usr/share/doc/openvpn-2.4.9/sample/sample-config-files/server.conf /etc/openvpn/

cp /usr/share/doc/openvpn-2.4.9/sample/sample-windows/sample.ovpn /etc/openvpn/client

cp -r /usr/share/doc/easy-rsa-3.0.7/vars.example /etc/openvpn/easy-rsa/3.0/vars

cd /etc/openvpn/easy-rsa/3.0

4. cd into /etc/openvpn/easy-rsa/3.0 and edit the vars file (the edited file is shown only as a screenshot in the original)

Note: on some versions the vars file already exists and can simply be opened.

5. Make vars executable

chmod +x vars

6. Build the OpenVPN keys

In this step we build the OpenVPN keys based on the easy-rsa 3 'vars' file we created: the CA key, the server and client keys, the DH parameters and the CRL PEM file.

We build all of them with the 'easyrsa' command-line tool. Go to the '/etc/openvpn/easy-rsa/3.0' directory.

Initialize the PKI and build the CA

Before building any keys we need to initialize the PKI directory and build the CA key. Do both with the commands below.

cd /etc/openvpn/easy-rsa/3.0

./easyrsa init-pki

./easyrsa build-ca

Server key
Now we build the server key, which will be named 'openvpn'.

Build the server key 'openvpn' with the following command:

./easyrsa gen-req openvpn nopass

nopass = option that disables the passphrase on the 'openvpn' key.

Then sign the 'openvpn' request with our CA certificate. The original shows this step only as a screenshot: the request is signed with easyrsa's sign-req subcommand using the 'server' certificate type, so that the certificate is marked as a server certificate.

You will be asked for the 'CA' passphrase; enter it and press Enter. The certificate file 'openvpn.crt' is placed under the 'pki/issued/' directory.

The server certificate that was created is at /etc/openvpn/easy-rsa/3.0.6/pki/issued/openvpn.crt

Verify the certificate file with the OpenSSL command and make sure there are no errors. The output below means the previous steps were done correctly:

[root@iZ2z 3.0]# openssl verify -CAfile pki/ca.crt pki/issued/openvpn.crt

pki/issued/openvpn.crt: OK

All server certificate keys have been created.

· The server private key is at 'pki/private/openvpn.key'.

· The server certificate is at 'pki/issued/openvpn.crt'.

Create the client key

Now we build the key for the client. We generate a new client key named 'client'.

[root@iZ2ze6x316 3.0]# ./easyrsa gen-req client nopass

Sign the 'client' request with our CA certificate, as shown below (the request name must match the one given to gen-req):

[root@iZ2ze6x316nfpp92hoq36xZ 3.0]# ./easyrsa sign-req client client

Type 'yes' to confirm the client certificate request, then enter the CA passphrase.

A client certificate named 'client' has been generated; verify it with the openssl command.

[root@iZ2ze6x3 3.0]# openssl verify -CAfile pki/ca.crt pki/issued/client.crt

pki/issued/client.crt: OK
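The two openssl verify checks above confirm only that a certificate chains to pki/ca.crt; they say nothing about whether easy-rsa signed it as a server or as a client certificate (sign-req server and sign-req client set extendedKeyUsage to serverAuth and clientAuth respectively), and that type is what the client option remote-cert-tls server relies on to distinguish the real server from any other certificate the same CA issued. The script below is an added example, not part of the original post or of easy-rsa: it builds a throwaway CA, a server certificate named openvpn and a client certificate named client with plain openssl (mirroring what build-ca, gen-req and sign-req produce), and provides a verify_cert helper that checks both the chain and the certificate type. The directory layout, the subject names and the one-day validity are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post or easy-rsa): a throwaway PKI built with
# plain openssl, mirroring what easy-rsa's build-ca / gen-req / sign-req produce, plus a
# verify_cert helper that checks the chain AND the certificate type (server vs client).
# Directory layout, subject names and the one-day validity are assumptions of this example.

# write_ext FILE TYPE(ca|server|client): X.509v3 extensions for the certificate type.
# easy-rsa's "sign-req server" / "sign-req client" set the same extendedKeyUsage values.
write_ext() {
  case "$2" in
    ca)     printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' ;;
    server) printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' ;;
    client) printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' ;;
    *)      return 2 ;;
  esac > "$1"
}

# make_demo_pki DIR: CA + server cert "openvpn" + client cert "client", all without a
# passphrase (the equivalent of easy-rsa's "nopass"); private keys end up mode 0600.
make_demo_pki() {
  dir="$1"
  mkdir -p "$dir" && chmod 700 "$dir"
  write_ext "$dir/ca.ext" ca
  write_ext "$dir/server.ext" server
  write_ext "$dir/client.ext" client
  # CA key and self-signed CA certificate (easy-rsa: init-pki + build-ca)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.req" \
    -subj "/CN=Demo CA" 2>/dev/null
  openssl x509 -req -in "$dir/ca.req" -signkey "$dir/ca.key" -days 1 \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
  # One request per end entity (gen-req NAME nopass), then signing with the CA using
  # the extensions of the requested type (sign-req TYPE NAME)
  for entry in openvpn:server client:client; do
    cn="${entry%%:*}"; ctype="${entry##*:}"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$cn.key" -out "$dir/$cn.req" \
      -subj "/CN=$cn" 2>/dev/null
    openssl x509 -req -in "$dir/$cn.req" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -days 1 -extfile "$dir/$ctype.ext" -out "$dir/$cn.crt" 2>/dev/null
  done
  chmod 600 "$dir"/*.key
}

# verify_cert CA CERT TYPE: succeeds only if CERT chains to CA AND carries the EKU of
# TYPE. The second half is the check behind the client option "remote-cert-tls server".
verify_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  case "$3" in
    server) eku="TLS Web Server Authentication" ;;
    client) eku="TLS Web Client Authentication" ;;
    *)      return 2 ;;
  esac
  openssl x509 -in "$2" -noout -text | grep -q "$eku"
}

# Stand-alone demo: sh this_file.sh demo
demo() {
  d="$(mktemp -d)"
  make_demo_pki "$d"
  verify_cert "$d/ca.crt" "$d/openvpn.crt" server && echo "openvpn.crt: OK as server certificate"
  verify_cert "$d/ca.crt" "$d/client.crt" client && echo "client.crt: OK as client certificate"
  verify_cert "$d/ca.crt" "$d/client.crt" server || echo "client.crt: rejected as server certificate"
  rm -rf "$d"
}
case "${1:-}" in demo) demo ;; esac
```

Against the real easy-rsa tree the helper is used as verify_cert pki/ca.crt pki/issued/openvpn.crt server and verify_cert pki/ca.crt pki/issued/client.crt client; a client certificate checked as server fails even though openssl verify alone reports OK for it.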

7. Generate the Diffie-Hellman parameters (run the command in the /etc/openvpn/easy-rsa/3.0 directory):

[root@iZ2ze6x3 3.0]# ./easyrsa gen-dh

8. Copy the server and client certificates to their destinations

[root@iZ2ze6x316 openvpn]# cp easy-rsa/3.0/pki/ca.crt /etc/openvpn/server/

[root@iZ2ze6x31 server]# cp ../easy-rsa/3.0/pki/issued/openvpn.crt ./

[root@iZ2ze6x316 server]# cp ../easy-rsa/3.0/pki/private/openvpn.key ./

[root@iZ2ze6x316nf server]# cp ../easy-rsa/3.0/pki/dh.pem ./

[root@iZ2ze6x316n 3.0]# cp pki/ca.crt /etc/openvpn/client/

[root@iZ2ze6x31 3.0]# cp pki/issued/client.crt /etc/openvpn/client/

[root@iZ2ze6x31Z 3.0]# cp pki/private/client.key /etc/openvpn/client/

9. Edit server.conf and client.ovpn (the original shows the edits only as screenshots; the resulting files are listed in the appendix)

10. Enable IP forwarding in the kernel: set net.ipv4.ip_forward = 1 in /etc/sysctl.conf (shown only as a screenshot in the original).

After saving, run sysctl -p

11. Adjust the firewall rules:

systemctl start firewalld.service

firewall-cmd --state

firewall-cmd --zone=public --list-all

firewall-cmd --add-service=openvpn --permanent

firewall-cmd --add-port=1194/udp --permanent

firewall-cmd --add-port=22/tcp --permanent

firewall-cmd --add-source=10.8.0.0/24 --permanent

firewall-cmd --query-source=10.8.0.0/24 --permanent

firewall-cmd --add-masquerade --permanent

firewall-cmd --query-masquerade --permanent

firewall-cmd --reload

CentOS 6 firewall rules (iptables): shown only as a screenshot in the original.

12. Start the service: systemctl start openvpn@server

13. Certificates needed by the client: ca.crt, client.crt and client.key (the files copied to /etc/openvpn/client in step 8) together with the client.ovpn profile; the original shows this only as a screenshot.

14. Pack the client certificates and download them to the client machine; empty the existing config directory, unpack the certificates into config, and leave all other directories untouched.
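Step 14 ships three separate files next to the profile. OpenVPN, the Windows GUI client included, also accepts the CA certificate, the client certificate and the key inline in the .ovpn file between <ca>, <cert> and <key> tags, so a single file can be handed to the client and nothing else needs to land in the config directory. The shell function below is an added example, not from the original post or the OpenVPN project; every path is an argument, and the demo input it creates (a profile modelled on the appendix plus placeholder PEM files) is constructed, not real key material.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenVPN project): merge the three
# files shipped to the client in step 14 into the .ovpn profile using OpenVPN's inline
# <ca>/<cert>/<key> blocks. All paths are arguments; the demo input is constructed.

# bundle_profile BASE_OVPN CA_FILE CERT_FILE KEY_FILE -> single profile on stdout
bundle_profile() {
  for f in "$1" "$2" "$3" "$4"; do
    [ -r "$f" ] || { echo "bundle_profile: cannot read $f" >&2; return 1; }
  done
  # Copy the profile minus its file-based ca/cert/key directives (active or ';'-commented);
  # the inline blocks appended below take their place.
  grep -Ev '^[[:space:]]*;?[[:space:]]*(ca|cert|key)[[:space:]]' "$1"
  for pair in "ca=$2" "cert=$3" "key=$4"; do
    tag="${pair%%=*}"; file="${pair#*=}"
    printf '<%s>\n' "$tag"
    awk '1' "$file"          # awk terminates the last line even if the PEM lacks a newline
    printf '</%s>\n' "$tag"
  done
}

# make_demo_input DIR: constructed profile and placeholder PEM files (not real certificates)
make_demo_input() {
  mkdir -p "$1"
  printf '%s\n' 'client' 'remote 8.1.17.6' 'port 1199' 'proto udp' 'dev tun' \
    'ca ca.crt' 'cert client.crt' 'key client.key' ';secret key.txt' 'verb 3' > "$1/client.ovpn"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'DEMO-CA' '-----END CERTIFICATE-----' > "$1/ca.crt"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'DEMO-CLIENT' '-----END CERTIFICATE-----' > "$1/client.crt"
  # deliberately written without a trailing newline to exercise the awk handling above
  printf '%s\n%s\n%s' '-----BEGIN PRIVATE KEY-----' 'DEMO-KEY' '-----END PRIVATE KEY-----' > "$1/client.key"
}

# Stand-alone demo: sh this_file.sh demo
case "${1:-}" in
  demo) t="$(mktemp -d)"; make_demo_input "$t"
        bundle_profile "$t/client.ovpn" "$t/ca.crt" "$t/client.crt" "$t/client.key"
        rm -rf "$t" ;;
esac
```

On the server this is bundle_profile /etc/openvpn/client/client.ovpn /etc/openvpn/client/ca.crt /etc/openvpn/client/client.crt /etc/openvpn/client/client.key > client-inline.ovpn; the output still contains the private key, so it is handled with the same care as client.key itself.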

Appendix:

[root@open-vpn openvpn]# grep -Ev "^#|^$" server.conf 
;local a.b.c.d
;local 8.1.17.6
;local 0.0.0.0
port 1199
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key  # This file should be kept secret
dh /etc/openvpn/dh.pem
;topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;push "route 172.16.1.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
push "route 172.16.2.20 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 119.29.29.29"
;client-to-client
duplicate-cn
keepalive 10 120
cipher AES-256-CBC
;compress lz4-v2
;push "compress lz4-v2"
comp-lzo
max-clients 100
user openvpn
group openvpn
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
;log-append  openvpn.log
verb 3
;mute 20
;explicit-exit-notify 1
crl-verify  /etc/openvpn/easy-rsa/3.0.8/pki/crl.pem

client.ovpn:

# Edit this file, and save to a .ovpn extension
# so that OpenVPN will activate it when run
# as a service.
client
# Change 'myremote' to be your remote host,
# or comment out to enter a listening
# server mode.
remote 8.1.17.6

# Uncomment this line to use a different
# port number than the default of 1194.
port 1199

# Choose one of three protocols supported by
# OpenVPN.  If left commented out, defaults
# to udp.
; proto [tcp-server | tcp-client | udp]
proto udp
# You must specify one of two possible network
# protocols, 'dev tap' or 'dev tun' to be used
# on both sides of the connection.  'tap' creates
# a VPN using the ethernet protocol while 'tun'
# uses the IP protocol.  You must use 'tap'
# if you are ethernet bridging or want to route
# broadcasts.  'tun' is somewhat more efficient
# but requires configuration of client software
# to not depend on broadcasts.  Some platforms
# such as Solaris, OpenBSD, and Mac OS X only
# support 'tun' interfaces, so if you are
# connecting to such a platform, you must also
# use a 'tun' interface on the Windows side.

# Enable 'dev tap' or 'dev tun' but not both!
;dev tap
dev tun
# This is a 'dev tap' ifconfig that creates
# a virtual ethernet subnet.
# 10.3.0.1 is the local VPN IP address
# and 255.255.255.0 is the VPN subnet.
# Only define this option for 'dev tap'.
;ifconfig 10.3.0.1 255.255.255.0

# This is a 'dev tun' ifconfig that creates
# a point-to-point IP link.
# 10.3.0.1 is the local VPN IP address and
# 10.3.0.2 is the remote VPN IP address. 
# Only define this option for 'dev tun'.
# Make sure to include the "tun-mtu" option
# on the remote machine, but swap the order
# of the ifconfig addresses.
;tun-mtu 1500
;ifconfig 10.3.0.1 10.3.0.2

# If you have fragmentation issues or misconfigured
# routers in the path which block Path MTU discovery,
# lower the TCP MSS and internally fragment non-TCP
# protocols.
;fragment 1300
;mssfix

# If you have set up more than one TAP-Win32 adapter
# on your system, you must refer to it by name.
;dev-node my-tap

# You can generate a static OpenVPN key
# by selecting the Generate Key option
# in the start menu.
#
# You can also generate key.txt manually
# with the following command:
#   openvpn --genkey --secret key.txt
#
# key must match on both ends of the connection,
# so you should generate it on one machine and
# copy it to the other over a secure medium.
# Place key.txt in the same directory as this
# config file.
;secret key.txt
ca ca.crt
cert client.crt
key client.key
# Uncomment this section for a more reliable
# detection when a system loses its connection.
# For example, dial-ups or laptops that travel
# to other locations.
#
# If this section is enabled and "myremote"
# above is a dynamic DNS name (i.e. dyndns.org),
# OpenVPN will dynamically "follow" the IP
# address of "myremote" if it changes.
; ping-restart 60
; ping-timer-rem
; persist-tun
; persist-key
resolv-retry infinite
#tls-auth ta.key 1
keepalive 10 120
persist-key
persist-tun
# keep-alive ping
;ping 10
cipher AES-256-CBC
# enable LZO compression
comp-lzo
nobind
# moderate verbosity
verb 3
;mute 10
status client-status.log
;log-append client.log
route-method exe
route-delay 2
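A few points a reviewer would raise on the two listings above. The server.conf references /etc/openvpn/ca.crt, server.crt, server.key and dh.pem, while step 8 copied the files to /etc/openvpn/server/ under the names openvpn.crt and openvpn.key, and crl-verify points at a crl.pem that the walkthrough never generates (easy-rsa creates it with ./easyrsa gen-crl). The server keeps comp-lzo (compression over the tunnel is discouraged since VORACLE), duplicate-cn (one certificate shared by several clients, which defeats per-device revocation through the CRL) and has no tls-auth/tls-crypt, and the client profile has no remote-cert-tls server, so it does not check that the certificate presented by the server is a server-type certificate. The shell script below is an added example, not from the original post or the OpenVPN project: a small lint that flags each of these on a copy of the files. The sample configurations it writes are constructed from the listings above (only the relevant directives), the ROOT prefix for the file checks is an assumption of the example, and the 'hardened' sample is this example's suggested correction, not the author's file.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenVPN project): a lint for the
# server.conf / client.ovpn listed above. ROOT is a prefix for the file-existence
# checks (assumption of this example) so it can run against copies anywhere.

# directive FILE NAME: argument of the first active NAME line ('#' and ';' comments removed).
directive() {
  sed 's/[#;].*//' "$1" | awk -v n="$2" '$1 == n { print $2; exit }'
}

# has_directive FILE NAME: true if NAME appears uncommented.
has_directive() {
  sed 's/[#;].*//' "$1" | awk -v n="$2" '$1 == n { f = 1 } END { exit !f }'
}

# lint_server_conf FILE [ROOT]: one finding per line; exit status 0 only when clean.
lint_server_conf() {
  conf="$1"; root="${2:-}"; n=0
  for d in ca cert key dh crl-verify tls-auth tls-crypt; do
    p="$(directive "$conf" "$d")"
    if [ -n "$p" ] && [ ! -e "$root/$p" ]; then
      echo "$d: referenced file not found: $p"; n=$((n + 1))
    fi
  done
  if has_directive "$conf" comp-lzo || has_directive "$conf" compress; then
    echo "compression is on: discouraged over the tunnel (VORACLE); drop comp-lzo/compress"; n=$((n + 1))
  fi
  if has_directive "$conf" duplicate-cn; then
    echo "duplicate-cn: a shared certificate cannot be revoked per device via crl-verify"; n=$((n + 1))
  fi
  if ! has_directive "$conf" tls-auth && ! has_directive "$conf" tls-crypt; then
    echo "no tls-auth/tls-crypt: control channel accepts handshakes from any sender; add tls-crypt"; n=$((n + 1))
  fi
  c="$(directive "$conf" cipher)"
  case "$c" in
    *-CBC) echo "cipher $c: prefer an AEAD cipher such as AES-256-GCM"; n=$((n + 1)) ;;
  esac
  [ "$n" -eq 0 ]
}

# lint_client_conf FILE: the client-side counterparts.
lint_client_conf() {
  conf="$1"; n=0
  has_directive "$conf" remote-cert-tls || { echo "no 'remote-cert-tls server': server certificate type is not checked"; n=$((n + 1)); }
  if has_directive "$conf" comp-lzo || has_directive "$conf" compress; then
    echo "compression is on (same issue as on the server)"; n=$((n + 1))
  fi
  if ! has_directive "$conf" tls-auth && ! has_directive "$conf" tls-crypt; then
    echo "no tls-auth/tls-crypt: must match the server's setting"; n=$((n + 1))
  fi
  [ "$n" -eq 0 ]
}

# Constructed samples: the relevant directives of the listings above, plus a hardened
# server variant (this example's suggestion, not the author's file).
write_sample_server_conf() {
  cat > "$1" <<'EOF'
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key  # This file should be kept secret
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
duplicate-cn
cipher AES-256-CBC
comp-lzo
crl-verify  /etc/openvpn/easy-rsa/3.0.8/pki/crl.pem
EOF
}
write_hardened_server_conf() {
  cat > "$1" <<'EOF'
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
tls-crypt /etc/openvpn/ta.key
server 10.8.0.0 255.255.255.0
cipher AES-256-GCM
crl-verify /etc/openvpn/easy-rsa/3.0.8/pki/crl.pem
EOF
}
write_sample_client_conf() {
  cat > "$1" <<'EOF'
client
remote 8.1.17.6
ca ca.crt
cert client.crt
key client.key
#tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
EOF
}
```

On the server itself the calls are lint_server_conf /etc/openvpn/server.conf and lint_client_conf /etc/openvpn/client/client.ovpn (with an empty ROOT the file checks use the real paths). The sample server.conf yields nine findings with no files in place and four once the referenced files exist; the hardened variant yields none, and the sample client profile yields three.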