RHEL/Alma Linux/Rocky Linux/CentOS/Debian/Ubuntu Linux FreeBSD 服务器教程 | Windows Server 2003/2008/2012/2016/2019/2022服务器教程

OpenVPN 是一个开源的虚拟私人网络（VPN）实现软件，它可以用来建立安全的点对点或站点到站点连接。通过使用 OpenVPN，用户可以在不安全的网络上建立加密连接，确保数据传输的安全性和隐私性。

操作系统：CentOS-7.x

一、准备篇

1、关闭selinux

#执行以下命令

setenforce 0

sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config

2、防火墙设置

关闭firewall

systemctl stop firewalld.service #停止firewall

systemctl disable firewalld.service #禁止firewall开机启动

systemctl mask firewalld

systemctl stop firewalld

yum -y remove firewalld

安装iptables防火墙，开启tcp 1194端口

yum -y install iptables-services #安装

vi /etc/sysconfig/iptables

# sample configuration for iptables service

# you can edit this manually or use system-config-firewall

# please do not ask us to add additional ports/services to this default configuration

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

COMMIT

:wq! #保存退出

systemctl enable iptables.service #设置防火墙开机启动

systemctl restart iptables.service #启动防火墙使配置生效

3、设置系统时间

rm -rf /etc/localtime #先删除默认的时区设置

ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime #替换亚洲/上海作为默认时区

vi /etc/sysconfig/clock #添加时区

Zone=Asia/Shanghai

:wq! #保存退出

timedatectl set-local-rtc 0

hwclock --systohc -u #系统时钟和硬件时钟同步，当前系统时区不为 UTC，是CST时间，所有要加-u参数

date #显示系统时间

date -s "2024-03-13 15:24:00" #修改时间

watch -n 1 date #显示实时时间

yum install ntp

ntpdate ntp.aliyun.com #同步时间服务器

echo -e "0 0 * * * /usr/sbin/ntpdate ntp.aliyun.com &>/dev/null" >> /var/spool/cron/root #添加计划任务

systemctl restart crond.service #重启服务

4、开启内核转发

vi /etc/sysctl.conf

net.ipv4.ip_forward = 1

sysctl -p #立即生效

5、系统参数优化

vi /etc/security/limits.conf #在最后一行添加以下代码

* soft nproc unlimited

* hard nproc unlimited

* soft nofile 1000000

* hard nofile 1000000

:wq! #保存退出

vi /etc/sysctl.conf #在最后一行添加以下代码

fs.file-max = 65535000

fs.nr_open = 65535000

kernel.pid_max=655350

vm.swappiness = 0

:wq! #保存退出

/sbin/sysctl -p

ulimit -a #查看

ulimit -n 1000000 #设置

6、安装依赖包

yum install openssl-devel lzo-devel pam-devel gcc

7、安装包下载

https://www.rpmfind.net/linux/epel/7/x86_64/Packages/o/openvpn-2.4.12-1.el7.x86_64.rpm #openvpn安装包

https://www.rpmfind.net/linux/epel/7/x86_64/Packages/p/pkcs11-helper-1.11-3.el7.x86_64.rpm #安装openvpn需要的依赖包

https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz #用来制作证书的工具

上传安装包到/data/soft目录

二、安装篇

1、安装openvpn

cd /data/soft

rpm -ivh pkcs11-helper-1.11-3.el7.x86_64.rpm

yum localinstall openvpn-2.4.12-1.el7.x86_64.rpm

yum list installed openvpn

注：安装完成后，会自动创建用户openvpn、用户组openvpn

2、制作证书

cd /data/soft

tar xfz EasyRSA-3.0.8.tgz -C /etc/openvpn/

mv /etc/openvpn/EasyRSA-3.0.8 /etc/openvpn/EasyRSA

chown -R root:root /etc/openvpn/EasyRSA -R

chmod 755 /etc/openvpn/EasyRSA -R

cp /etc/openvpn/EasyRSA/vars.example /etc/openvpn/EasyRSA/vars

vi /etc/openvpn/EasyRSA/vars #修改下面的信息，也可以不改，不影响使用

set_var EASYRSA_REQ_COUNTRY "CN"

set_var EASYRSA_REQ_PROVINCE "ShannXi"

set_var EASYRSA_REQ_CITY "Xian"

set_var EASYRSA_REQ_ORG "Ltd."

set_var EASYRSA_REQ_EMAIL "xx@xx.com"

set_var EASYRSA_REQ_OU "OpenVPN"

:wq! #保存退出

cd /etc/openvpn/EasyRSA

./easyrsa init-pki #初始化，在当前目录创建pki目录

./easyrsa --batch build-ca nopass #创建CA证书，不需要密码

./easyrsa gen-dh #生成dh密钥

./easyrsa build-server-full server nopass #签名请求，生成服务器证书，不需要密码

./easyrsa build-client-full client1 nopass #生成了一个名为"client1"的客户端证书，不需要密码

./easyrsa build-client-full client2 nopass #生成了一个名为"client2"的客户端证书，不需要密码

EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl #生成证书吊销列表（CRL），有效期为 3650 天，可以不设置，证书长期有效

openvpn --genkey --secret /etc/openvpn/ta.key #生成tls密钥，用密钥取代密码输入

#拷贝证书

cd /etc/openvpn/EasyRSA/pki

cp ca.crt /etc/openvpn

cp private/ca.key /etc/openvpn

cp dh.pem /etc/openvpn

cp issued/server.crt /etc/openvpn

cp private/server.key /etc/openvpn

cp crl.pem /etc/openvpn

3、创建openvpn服务端配置文件

rpm -ql openvpn |grep server.conf #查看当前版本

cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf /etc/openvpn/

mv /etc/openvpn/server.conf /etc/openvpn/server.conf.bak

vi /etc/openvpn/server.conf #添加配置

port 1194 #端口

proto tcp #指定采用的传输协议，可以选择tcp或udp

dev tun #指定创建的通信隧道类型，可选tun或tap，一般设置为tun

sndbuf 0 #设置为0自动调整数据包发送缓冲区大小

rcvbuf 0 #设置为0自动调整数据包接收缓冲区大小

ca ca.crt #指定证书颁发机构（CA）的证书文件

cert server.crt #指定服务器的证书文件

key server.key #指定服务器的私钥文件

dh dh.pem #指定Diffie-Hellman参数文件

auth SHA512 #指定使用SHA512算法进行身份验证

tls-auth ta.key 0 #指定TLS密钥文件

topology subnet #指定虚拟网络拓扑结构为子网模式

server 10.8.0.0 255.255.255.0 #自定义虚拟网段，网段不能冲突

ifconfig-pool-persist ipp.txt #指定IP地址租约持久化文件

push "route 10.189.189.0 255.255.255.0" #vpn服务器所在的内网段，向客户端推送这条路由信息

push "redirect-gateway def1 bypass-dhcp" #重定向所有流量通过VPN，如果只访问内网，外网流量不通过vpn请注释掉此行

push "dhcp-option DNS 223.5.5.5" #dns服务器地址，必须和客户端设置相同，如果只访问内网，外网流量不通过vpn请注释掉此行

push "dhcp-option DNS 223.6.6.6" #dns服务器地址，必须和客户端设置相同，如果只访问内网，外网流量不通过vpn请注释掉此行

keepalive 10 120 #保持活动连接的时间和频率

cipher AES-256-CBC #加密算法为AES-256-CBC，必须和客户端设置相同

comp-lzo #启用数据压缩，必须和客户端设置相同

user openvpn #指定OpenVPN进程的运行用户

group openvpn #指定OpenVPN进程的运行组

persist-key #持久化密钥

persist-tun #持久化通道

status openvpn-status.log #指定状态日志文件

verb 3 #指定日志详细级别，必须和客户端设置相同

crl-verify crl.pem #指定证书吊销列表文件

client-to-client #允许客户端之间通信

max-clients 1000 #设置最大客户端连接数为1000

duplicate-cn #允许相同公共名称的客户端连接，一个账号可以多人同时登录

auth-user-pass-verify /etc/openvpn/server/user/checkpsw.sh via-env #指定验证用户名和密码的脚本

script-security 3 #指定脚本安全级别，必须和客户端设置相同

username-as-common-name #使用用户名作为公共名称

:wq! #保存退出

mkdir -p /etc/openvpn/server/user/ #创建目录

vi /etc/openvpn/server/user/checkpsw.sh #创建密码检查脚本

#!/bin/sh

###########################################################

# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>

#

# This script will authenticate OpenVPN users against

# a plain text file. The passfile should simply contain

# one row per user with the username first followed by

# one or more space(s) or tab(s) and then the password.

PASSFILE="/etc/openvpn/server/user/psw-file"

LOG_FILE="/var/log/openvpn/password.log"

TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then

echo "${TIME_STAMP}: Could not open password file "${PASSFILE}" for reading." >> ${LOG_FILE}

exit 1

fi

CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then

echo "${TIME_STAMP}: User does not exist: username="${username}", password=

"${password}"." >> ${LOG_FILE}

exit 1

fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then

echo "${TIME_STAMP}: Successful authentication: username="${username}"." >> ${LOG_FILE}

exit 0

fi

echo "${TIME_STAMP}: Incorrect password: username="${username}", password=

"${password}"." >> ${LOG_FILE}

exit 1

:wq! #保存退出

chmod 700 /etc/openvpn/server/user/checkpsw.sh

chown openvpn:openvpn /etc/openvpn/server/user/checkpsw.sh

vi /etc/openvpn/server/user/psw-file #创建账号密码，前面是账号，后面是密码

client1 123456

client2 123456

:wq! #保存退出

#设置权限

chmod 600 /etc/openvpn/server/user/psw-file

chown openvpn:openvpn /etc/openvpn/server/user/psw-file

# 查看service名

rpm -ql openvpn |grep service

systemctl restart openvpn@server #重启服务

systemctl enable openvpn@server #开机启动

4、拷贝客户端证书

从server上将生成的ca.crt、ta.key、client1.crt、client1.key、client2.crt、client2.key、文件下载到客户端

cp /etc/openvpn/ca.crt /etc/openvpn/client

cp /etc/openvpn/ta.key /etc/openvpn/client

cp /etc/openvpn/EasyRSA/pki/issued/client1.crt /etc/openvpn/client

cp /etc/openvpn/EasyRSA/pki/issued/client2.crt /etc/openvpn/client

cp /etc/openvpn/EasyRSA/pki/private/client1.key /etc/openvpn/client

cp /etc/openvpn/EasyRSA/pki/private/client2.key /etc/openvpn/client

5、编辑，把证书合并到一个文件里面

<ca>

ca.crt里面的内容

</ca>

<cert>

client1.crt里面的内容

</cert>

<key>

client1.key里面的内容

</key>

<tls-auth>

ta.key里面的内容

</tls-auth>

cd /etc/openvpn/client

vi /etc/openvpn/client/client1.ovpn #编辑，把证书合并到这个文件

client #指定配置文件为客户端配置

dev tun #指定使用TUN设备作为通信隧道类型

auth-user-pass #指定要求用户通过用户名和密码进行身份验证

proto tcp #指定使用TCP协议传输数据

sndbuf 0 #和服务端配置一样

rcvbuf 0 #和服务端配置一样

remote 10.189.189.197 1194 #指定连接服务器的IP地址和端口号

resolv-retry infinite #在连接失败时无限重试

nobind #不绑定到特定本地地址和端口

persist-key #和服务端配置一样

persist-tun #和服务端配置一样

remote-cert-tls server #开启证书登录

push "dhcp-option DNS 223.5.5.5" #和服务端配置一样，向客户端推送DNS服务器地址，如果只访问内网，外网流量不通过vpn请注释掉此行

push "dhcp-option DNS 223.5.6.6" #和服务端配置一样，向客户端推送DNS服务器地址，如果只访问内网，外网流量不通过vpn请注释掉此行

auth SHA512 #和服务端配置一样

cipher AES-256-CBC #和服务端配置一样

comp-lzo #和服务端配置一样

setenv opt block-outside-dns #阻止客户端使用除VPN外的DNS，科学上网有用，只访问内网需要注释掉此行

key-direction 1

verb 3

<ca>

-----BEGIN CERTIFICATE-----

MIIDKzCCAhOgAwIBAgIJAKqUKgImWthIMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV

BAMMCENoYW5nZU1lMB4XDTI0MDMyNjA4MjkwNVoXDTM0MDMyNDA4MjkwNVowEzER

MA8GA1UEAwwIQ2hhbmdlTWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB

AQDMWdwtgtLkAHsRSg13rHMdrXbEyYMIGX+45XJcV4uByqEYEQetjDVyFjPh5Lqh

3W6+vqUUreZK3LXvLr+P+STznFKlIy6wKAlpZnSCh6QxziDHE6Fkg68T/sjDC4ar

/aEEujYjAXUAqZmjksZq4L+wR3pGyJg6SslaxP9vrfEnQ1fhll//LQbaEDLYdywh

/Ay+lJkVLP5Yv5n/XIDtBF/+eDT92aMGKQWHVGth1+zSIOnnkGs9qO2RJTLESpu4

K/HKCPZkSbnwYx8JiiGj6Mcs1Li7WlFt1jQ782iYq41xgnyJi7vCW9XGAY4ZiDjQ

7DVuU1Xjvij2+bfOZjquEGX1AgMBAAGjgYEwfzAdBgNVHQ4EFgQUSQ4+53IfKl9e

kaisR1vgfmeQd6YwQwYDVR0jBDwwOoAUSQ4+53IfKl9ekaisR1vgfmeQd6ahF6QV

MBMxETAPBgNVBAMMCENoYW5nZU1lggkAqpQqAiZa2EgwDAYDVR0TBAUwAwEB/zAL

BgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAEuNnIeQbCTLfLYVyfeD9lKG

JK0mer/TKsnoo5iEnXbER+HnLfQbKh3vYiD22lSJwwkZiRj/Qzy14fspRUYtM21H

Kv32LzvJLiemccGAl3uh01OMXLlNLhL/jwUNxGOe7xG63khb/gnpb0C1cte+l1/F

3VfzgrtlTyxVwPiXOO0H9JBIEeQ7YmI6w5Qk9TCVZsFo78rUQ6fGtK5Oc8g493Xu

AuBuogSfKFK+87vWL5etEF0xeGo5KRz2oGp0/0IcTvafZ/+llsgzIQU+wbIaw/CK

P5o3cXsEup+ZPN85be3lF+sb6N8Jem7a138C4e7joJIz0Fo4uHCnsZ5Vnj43Ffc=

-----END CERTIFICATE-----

</ca>

<cert>

Certificate:

Data:

Version: 3 (0x2)

Serial Number:

9a:d9:7b:d8:5f:11:ae:b2:a8:39:00:16:a8:2c:4d:49

Signature Algorithm: sha256WithRSAEncryption

Issuer: CN=ChangeMe

Validity

Not Before: Mar 26 08:30:31 2024 GMT

Not After : Jun 29 08:30:31 2026 GMT

Subject: CN=client1

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (2048 bit)

Modulus:

00:e8:d7:63:55:5a:83:14:4f:03:0f:21:80:d3:cd:

4e:45:68:73:91:9b:7b:96:b3:33:53:ec:24:ae:90:

a6:61:60:0f:4b:50:d0:39:47:b9:9e:0f:be:c1:5b:

06:5e:6e:fd:9d:d0:71:31:ae:5f:97:06:d3:51:c6:

61:3d:d6:ec:14:10:80:92:cd:8f:0a:75:f2:97:dc:

0f:fb:8c:6c:37:16:d9:a0:79:3e:93:3f:5e:4e:40:

1c:a8:7b:77:9f:be:34:23:9b:e5:18:67:36:4c:1e:

8e:4a:17:6c:76:21:0c:ce:6a:46:cc:3d:dd:79:ae:

a5:64:43:66:20:ee:69:00:e5:bf:2a:3b:ac:a6:e1:

f3:58:5a:2d:fb:c7:4d:dd:bc:56:65:c5:bd:6a:74:

11:47:16:1f:0f:fd:7d:ad:50:ec:30:70:eb:93:d5:

25:81:f7:ab:70:cb:41:83:ca:76:f8:40:07:e8:e0:

a2:a5:57:d4:a3:25:35:85:44:f0:81:e0:d6:2a:1f:

1c:b5:f5:11:7f:6f:ef:ab:87:89:d2:82:a6:c9:6e:

16:4f:11:aa:89:71:8d:42:73:75:55:34:2b:b2:93:

d3:de:91:ff:03:83:f8:af:f5:b3:5f:7f:36:09:f6:

08:d8:6c:4c:36:0f:e6:90:8c:db:fd:15:2b:55:6c:

e4:27

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

X509v3 Subject Key Identifier:

79:0E:78:BF:94:BA:5E:4E:DB:66:53:37:78:54:DD:93:2F:CE:22:8C

X509v3 Authority Key Identifier:

keyid:49:0E:3E:E7:72:1F:2A:5F:5E:91:A8:AC:47:5B:E0:7E:67:90:77:A6

DirName:/CN=ChangeMe

serial:AA:94:2A:02:26:5A:D8:48

X509v3 Extended Key Usage:

TLS Web Client Authentication

X509v3 Key Usage:

Digital Signature

Signature Algorithm: sha256WithRSAEncryption

b0:b5:d6:fc:6f:07:29:f3:d3:e6:d4:77:77:d6:e3:79:8b:88:

c2:22:c6:2b:00:9a:c2:ef:39:bc:5e:0e:65:82:da:16:79:d3:

40:38:9d:51:88:2d:8d:e5:dc:33:f1:fb:dc:b2:03:d3:a0:9d:

57:22:79:73:fe:13:2a:4d:f8:b5:0f:56:a8:38:64:5e:6e:90:

88:64:29:fa:9c:54:1c:02:73:4a:10:69:f2:1d:8c:90:de:2e:

9c:88:b8:8c:ce:88:a3:54:38:23:19:63:e8:4e:14:ab:56:b0:

3c:e8:71:a1:88:a1:06:3b:d1:b0:56:56:43:cc:5c:b1:88:73:

32:a6:7c:77:04:35:19:68:75:b7:90:7f:65:f9:3e:93:5a:ad:

4e:38:b1:14:5b:50:07:08:37:25:f8:d7:ac:06:83:1a:b3:ea:

5b:c4:26:15:10:11:cf:be:75:52:1d:b7:35:06:98:fc:5b:dd:

53:4f:5a:de:e0:4a:91:81:85:a8:bf:fe:3a:11:42:b4:58:5f:

84:96:5b:3e:af:55:d5:e9:08:6a:9d:7f:25:f8:70:1f:7b:56:

ce:52:2a:07:37:c8:55:d8:b5:a9:c4:46:7a:fe:50:69:ff:37:

5e:f9:19:4c:eb:ce:90:9e:d4:ea:9d:52:36:26:22:6f:ca:f4:

c4:d1:51:ce

-----BEGIN CERTIFICATE-----

MIIDRTCCAi2gAwIBAgIRAJrZe9hfEa6yqDkAFqgsTUkwDQYJKoZIhvcNAQELBQAw

EzERMA8GA1UEAwwIQ2hhbmdlTWUwHhcNMjQwMzI2MDgzMDMxWhcNMjYwNjI5MDgz

MDMxWjASMRAwDgYDVQQDDAdjbGllbnQxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A

MIIBCgKCAQEA6NdjVVqDFE8DDyGA081ORWhzkZt7lrMzU+wkrpCmYWAPS1DQOUe5

ng++wVsGXm79ndBxMa5flwbTUcZhPdbsFBCAks2PCnXyl9wP+4xsNxbZoHk+kz9e

TkAcqHt3n740I5vlGGc2TB6OShdsdiEMzmpGzD3dea6lZENmIO5pAOW/KjuspuHz

WFot+8dN3bxWZcW9anQRRxYfD/19rVDsMHDrk9UlgfercMtBg8p2+EAH6OCipVfU

oyU1hUTwgeDWKh8ctfURf2/vq4eJ0oKmyW4WTxGqiXGNQnN1VTQrspPT3pH/A4P4

r/WzX382CfYI2GxMNg/mkIzb/RUrVWzkJwIDAQABo4GUMIGRMAkGA1UdEwQCMAAw

HQYDVR0OBBYEFHkOeL+Uul5O22ZTN3hU3ZMvziKMMEMGA1UdIwQ8MDqAFEkOPudy

HypfXpGorEdb4H5nkHemoRekFTATMREwDwYDVQQDDAhDaGFuZ2VNZYIJAKqUKgIm

WthIMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0B

AQsFAAOCAQEAsLXW/G8HKfPT5tR3d9bjeYuIwiLGKwCawu85vF4OZYLaFnnTQDid

UYgtjeXcM/H73LID06CdVyJ5c/4TKk34tQ9WqDhkXm6QiGQp+pxUHAJzShBp8h2M

kN4unIi4jM6Io1Q4Ixlj6E4Uq1awPOhxoYihBjvRsFZWQ8xcsYhzMqZ8dwQ1GWh1

t5B/Zfk+k1qtTjixFFtQBwg3JfjXrAaDGrPqW8QmFRARz751Uh23NQaY/FvdU09a

3uBKkYGFqL/+OhFCtFhfhJZbPq9V1ekIap1/JfhwH3tWzlIqBzfIVdi1qcRGev5Q

af83XvkZTOvOkJ7U6p1SNiYib8r0xNFRzg==

-----END CERTIFICATE-----

</cert>

<key>

-----BEGIN PRIVATE KEY-----

MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDo12NVWoMUTwMP

IYDTzU5FaHORm3uWszNT7CSukKZhYA9LUNA5R7meD77BWwZebv2d0HExrl+XBtNR

xmE91uwUEICSzY8KdfKX3A/7jGw3FtmgeT6TP15OQByoe3efvjQjm+UYZzZMHo5K

F2x2IQzOakbMPd15rqVkQ2Yg7mkA5b8qO6ym4fNYWi37x03dvFZlxb1qdBFHFh8P

/X2tUOwwcOuT1SWB96twy0GDynb4QAfo4KKlV9SjJTWFRPCB4NYqHxy19RF/b++r

h4nSgqbJbhZPEaqJcY1Cc3VVNCuyk9Pekf8Dg/iv9bNffzYJ9gjYbEw2D+aQjNv9

FStVbOQnAgMBAAECggEAcoZ2smXZsWSHoaqd/g+unw8YQRdT+7Ta2z18cWxumdiw

zR/Lu1DfKLKf5eUKxeobzsLW2lPlapiN2lwUOmF7LwdK5mo7IC8RisZQCi9wjswr

cPYR5EU38o8wSWKpXSYl6Rnl3lHt8BTbcfABhj0NWn4ForIPPKm9agqIskvx0+E9

Ae4TzkFEAJCM7V1vWA2UX4+Wnj7+6oMd8qMEN+1PwtM+IUahTPFJQOc8PAW8tJi9

5h673xbwc+YpnDRU232KQGbto2eH6+eKVIJg50jis86aioLbAle/8272e9iSP1RP

Y8GTqH4czCpgFgs2JSDghUvj0Z1S9Snkd3xiICpRcQKBgQD9yiAYrQKMe7Wxm1J4

TeWBQsZkQPRebCvihj9T/2n4qVISpPZuO7Iuvhj7KNj2733zdiMnO39gw95NtfAn

qLKoavWFHw2BKnIA20Fw5pqnZjSSS2AlBoOQuQOb2iK/BoHt0mlIF2Mlb8Yuefzb

RoEZupdIRQz3Q9ptj+dGD3NL2QKBgQDq3o3wt2Jl0qfLKrZQ0BaFfQ5voWOz9Hqe

15RZ3KaOABSGCKJ7TWX9p0vTehEoZzBm2B5c2OtZea6gsnrC3JuoIuqdQ996ASXg

rU8VhGduDKReQj80cvwSmvcCdhicaQ25OWEUzu+6OWr+CyJu9uUUzm2M4DSrQF1h

AIW92LOv/wKBgG5Iql/utr/TdmZCp7jNqODd4pZoP4jUmtFqIxTeVe+PrLGba9cF

K+3x/6sM2hOciPAGM0p2KWkkVHMSj9S8Ez7qk9yQXO73QekrXimwnB4IZOn5xULx

rLR0IaRVS2oVatqs58FDIHuBMe66Ze3nmmxS0DDAiNzeaInZ0dd5GVIpAoGBAJHr

lYohlUuntkH+lmjc77EdwjNOtNAgK3K2g1/VO9FrcVTY1oH+00flgbGw3Coa+jJb

QXnz9zyO4hTK7oRUZYzvrI3qllSJlAvkAQdgTJZN2m0JgZVHfx7cEm0ADEhY6ILU

iGFSNBSiCbwuFMWWNTtZCS0GOxLOmXVjyrPph7HnAoGBAIF3udcuSAQusciA2ASy

MSBRMkJMVIxANWDgvMdOdTGWRbXA/IlKwyLDFXgZoQK/YGiLmWUaz50cy8hAJBL7

TOlL8arJzruVgnrjqhj3WDBZvogx05k3J85PRQ8dDad9BMCPWmFn+I5jGWv8rgVB

NpRp9zvWjwELAiOqQpUPfZa5

-----END PRIVATE KEY-----

</key>

<tls-auth>

#

# 2048 bit OpenVPN static key

#

-----BEGIN OpenVPN Static key V1-----

d2db59c6690bb3f05ce331fc66464f9f

5382329a16b515ebe402ae1458a97673

c160507123c76373f7be093b200ab838

9309113dafa8db1d1b1b80d9f7e355d9

25a2cecaa533d74d80951a0ecf50a334

15cb9d7fe1d3c828f20e2694e46982ae

49e32e889a401ad733b10bbfbffcaa13

d39ea0e0a324bde71064e3e5e83ed3a8

d7e5921528d4b0c75db07ee2ca271009

68b6343bcc5303446320a48dd1c2cc12

1937f4c2cbb180cf261caebb20447840

be1f9591ade5ced4056958150b6e107b

a7d14fe439576b9c270ce165c1b8346f

e31b66d96c5225e052ac75cc3e62c43d

ab4ac08a0807d3c2afc426bdd1325070

bc21d96dee5123ea5a2bf7f982570c16

-----END OpenVPN Static key V1-----

</tls-auth>

:wq! #保存退出

6、设置iptables防火墙转发规则，否则登录之后无法访问网络

iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT

iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 10.189.189.197

iptables-save > /etc/sysconfig/iptables #保存规则

systemctl restart iptables.service #启动防火墙使配置生效

cat /etc/sysconfig/iptables #防火墙配置文件

# Generated by iptables-save v1.4.21 on Tue Mar 19 15:57:47 2024

*nat

REROUTING ACCEPT [12975:2079674]

:INPUT ACCEPT [134:8032]

:OUTPUT ACCEPT [166:12426]

OSTROUTING ACCEPT [167:12486]

-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 10.189.189.197

COMMIT

# Completed on Tue Mar 19 15:57:47 2024

# Generated by iptables-save v1.4.21 on Tue Mar 19 15:57:47 2024

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [108908:56620509]

-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

-A FORWARD -s 10.8.0.0/24 -j ACCEPT

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

COMMIT

# Completed on Tue Mar 19 15:57:47 2024

7、设置目录权限

chown openvpn:openvpn /etc/openvpn/ -R #设置权限，重要，否则客户端登录不上去

systemctl restart openvpn@server #重启服务

三、测试篇

下载/etc/openvpn/client/client1.ovpn到本地客户端

Windows客户端

C:\Program Files\OpenVPN\config

放到这个目录

安装openvpn客户端

客户端下载地址：：https://www.techspot.com/downloads/5182-openvpn.html

安装完成之后打开客户端导入配置文件：client1.ovpn

输入用户名密码进行连接

直接输入内网地址即可访问办公室服务器

特别说明:

要实现只让特定流量通过 VPN 连接，而其他流量绕过 VPN 直接连接到互联网。

服务端配置文件只设置这个一个push，其他的push删掉

push "route 10.189.189.0 255.255.255.0" #vpn服务器所在的内网段，向客户端推送这条路由信息

客户端配置文件，删掉下面的这个参数

;setenv opt block-outside-dns #阻止客户端使用除VPN外的DNS,科学上网有用，只访问内网需要注释掉此行

至此，Linux系统安装部署Open-VPN服务器完成。