OpenVPN 部署 (CentOS 7)
@关闭防火墙
#systemctl stop firewalld
#systemctl disable firewalld
#setenforce 0
#sed -i s/SELINUX=enforcing/SELINUX=disabled/g /etc/selinux/config
@修改yum源
#wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
#yum clean all
#yum makecache
#yum install -y wget telnet vim
@安装epel源
#yum install epel-release
@安装openvpn server
#安装openvpn
# Install the OpenVPN daemon and the easy-rsa PKI tooling (both from EPEL,
# which was added in the previous step); -y answers the yum prompt.
yum install -y openvpn easy-rsa
@创建服务端证书
#复制easy-rsa文件
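# Build the server-side PKI with the easy-rsa 3.0.3 copy the package ships.
# Written to be run as a script: '|| exit 1' stops at the first failed step
# instead of carrying on with a half-built PKI.
#
# Copy the easy-rsa tree under /etc/openvpn so the PKI lives next to the
# server config. 'src/.' copies the contents into an existing directory, so
# re-running does not nest a second easy-rsa/ (plain 'cp -r dir/ dst' does
# when dst already exists).
mkdir -p /etc/openvpn/easy-rsa/3.0.3 || exit 1
cp -r /usr/share/easy-rsa/3.0.3/. /etc/openvpn/easy-rsa/3.0.3/ || exit 1
cd /etc/openvpn/easy-rsa/3.0.3/ || exit 1
# vars.example is part of the tree just copied, so there is no need to
# search the whole filesystem for it. Copy (not move) so the template stays.
cp -- vars.example vars || exit 1
# Generate the CA. 'nopass' leaves the CA private key unencrypted on the
# VPN host itself; outside a lab, give it a passphrase or keep the CA on a
# separate, offline machine.
./easyrsa init-pki || exit 1
./easyrsa build-ca nopass || exit 1
# Server key and request; 'nopass' is needed here so the service can start
# unattended. Signing with the 'server' type marks the certificate for
# server use, which clients can then enforce with 'remote-cert-tls server'.
./easyrsa gen-req server nopass || exit 1
./easyrsa sign-req server server || exit 1
# Diffie-Hellman parameters referenced by 'dh' in server.conf.
./easyrsa gen-dh || exit 1
# Collect the files server.conf references and keep the key root-only.
cd /etc/openvpn || exit 1
cp -- easy-rsa/3.0.3/pki/dh.pem . || exit 1
cp -- easy-rsa/3.0.3/pki/ca.crt . || exit 1
cp -- easy-rsa/3.0.3/pki/issued/server.crt . || exit 1
cp -- easy-rsa/3.0.3/pki/private/server.key . || exit 1
chmod 600 -- server.key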
@创建客户端证书
#复制文件
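# Build the client's key pair in a separate easy-rsa copy and have the CA in
# the server PKI sign the request.
#
# The original 'cp -r /usr/share/easy-rsa/ /etc/openvpn/client' only yields
# /etc/openvpn/client/easy-rsa/3.0.3 when /etc/openvpn/client already
# exists; create the target explicitly so the path is the same either way.
mkdir -p /etc/openvpn/client/easy-rsa/3.0.3 || exit 1
cp -r /usr/share/easy-rsa/3.0.3/. /etc/openvpn/client/easy-rsa/3.0.3/ || exit 1
cd /etc/openvpn/client/easy-rsa/3.0.3/ || exit 1
# vars.example is inside the copied tree; no filesystem-wide search needed.
cp -- vars.example vars || exit 1
# Client key and request. 'nopass' stores the key unencrypted; it will end
# up on the Windows client, so treat client.key as a secret when copying.
./easyrsa init-pki || exit 1
./easyrsa gen-req client nopass || exit 1
# Import the request into the server PKI and sign it with the 'client'
# type, so the server can enforce 'remote-cert-tls client' if desired.
cd /etc/openvpn/easy-rsa/3.0.3/ || exit 1
./easyrsa import-req /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/client.req client || exit 1
./easyrsa sign-req client client || exit 1
# Collect the three files client.ovpn references next to it.
cd /etc/openvpn/client || exit 1
cp -- /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt . || exit 1
cp -- /etc/openvpn/easy-rsa/3.0.3/pki/issued/client.crt . || exit 1
cp -- /etc/openvpn/client/easy-rsa/3.0.3/pki/private/client.key . || exit 1
chmod 600 -- client.key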
@服务器配置文件
#vi /etc/openvpn/server.conf
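# /etc/openvpn/server.conf — loaded by 'systemctl start openvpn@server'.
port 1194
proto udp
dev tun
# PKI material copied from easy-rsa/3.0.3/pki in the certificate steps.
# NOTE(review): no 'tls-auth'/'tls-crypt' key and no explicit 'cipher'/'auth'
# are set; adding them requires the matching setting in client.ovpn, so they
# are left out here rather than changed on one side only.
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
# Only accept peers whose certificate was issued with the easy-rsa 'client'
# type (what 'easyrsa sign client ...' produces), so a certificate issued
# for a server cannot be presented as a client identity.
remote-cert-tls client
ifconfig-pool-persist /etc/openvpn/ipp.txt
server 10.8.0.0 255.255.255.0
# 'server' already pushes a route for the VPN subnet; this push is redundant
# but harmless.
push "route 10.8.0.0 255.255.255.0"
# Send all client traffic through the tunnel. Needs ip_forward=1 and the
# MASQUERADE rule from the firewall section to actually work.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 8.8.8.8"
client-to-client
keepalive 20 120
# NOTE(review): compressing tunnel traffic lets an attacker who can inject
# data into a client's stream recover plaintext (VORACLE). Prefer removing
# comp-lzo here and in client.ovpn together; both ends must agree.
comp-lzo
# Drop privileges after start; persist-key/persist-tun let the daemon
# restart (e.g. on SIGUSR1) without re-reading the key or re-opening the
# tun device as root.
user openvpn
group openvpn
persist-key
persist-tun
# Relative paths resolve against the unit's working directory.
status openvpn-status.log
log-append openvpn.log
verb 1
mute 20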
@客户端配置文件
#vi /etc/openvpn/client/client.ovpn
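# client.ovpn — copy it together with ca.crt, client.crt and client.key
# into the OpenVPN GUI config directory on the Windows client.
client
# Replace 服务器IP with the server's public IP address or host name.
remote 服务器IP 1194
proto udp
dev tun
# Must match the server. See server.conf for the compression caveat.
comp-lzo
ca ca.crt
cert client.crt
key client.key
# Reject a peer whose certificate was not issued with the easy-rsa 'server'
# type (what 'easyrsa sign server ...' produces). Without this, any other
# client certificate signed by the same CA could pose as the server.
remote-cert-tls server
# route-delay / route-method are documented as Windows-specific options;
# the client in this guide is the Windows GUI.
route-delay 2
route-method exe
# Set locally as well as pushed by the server.
redirect-gateway def1
dhcp-option DNS 8.8.8.8
dhcp-option DNS 8.8.4.4
dhcp-option DNS 4.2.2.1
dhcp-option DNS 4.2.2.2
verb 3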
@启动OpenVPN和端口转发
#启动OpenVPN
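# Start the server: unit openvpn@server reads /etc/openvpn/server.conf.
# Enable it too so it returns after a reboot without an rc.local hook.
systemctl start openvpn@server || exit 1
systemctl enable openvpn@server
# Use the classic iptables service (firewalld was disabled at the top).
yum -y install iptables iptables-services || exit 1
systemctl enable iptables.service
systemctl restart iptables.service || exit 1
# Open the OpenVPN port. This is the rule the original step added by hand to
# /etc/sysconfig/iptables; inserting (-I) places it ahead of any catch-all
# REJECT rule the loaded ruleset ends with.
iptables -I INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
# Do NOT 'iptables -F' here: flushing discards the whole loaded ruleset
# (including its REJECT rules) and, with the stock ACCEPT policies, leaves
# every port on the host open. Allow forwarding for the VPN subnet
# explicitly instead, then NAT it out.
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -d 10.8.0.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
# Persist the rules into /etc/sysconfig/iptables (provided by
# iptables-services) so they survive a reboot.
service iptables save
# Enable IPv4 forwarding persistently: rewrite the key if present, append it
# if not, then reload /etc/sysctl.conf.
sed -i 's/^net\.ipv4\.ip_forward *=.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
grep -q '^net\.ipv4\.ip_forward' /etc/sysctl.conf \
  || printf 'net.ipv4.ip_forward = 1\n' >> /etc/sysctl.conf
sysctl -p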
@开机启动
#chmod +x /etc/rc.d/rc.local
#vi /etc/rc.d/rc.local
# OpenVPN
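# OpenVPN boot hook for /etc/rc.d/rc.local. It runs on every boot, so each
# rule is checked (-C) before it is added to avoid accumulating duplicates.
systemctl restart openvpn@server
systemctl restart iptables.service
# Never 'iptables -F' here: it discards the whole saved ruleset and leaves
# the host unfiltered. Allow VPN-subnet forwarding explicitly instead.
iptables -C FORWARD -s 10.8.0.0/24 -j ACCEPT 2>/dev/null \
  || iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -C FORWARD -d 10.8.0.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null \
  || iptables -I FORWARD -d 10.8.0.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -j MASQUERADE 2>/dev/null \
  || iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
# Re-apply /etc/sysctl.conf (net.ipv4.ip_forward = 1).
sysctl -p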
@windows客户端
#下载OpenVPN Gui(官网下载)安装。
#拷贝上面 4 个文件(ca.crt、client.crt、client.key、client.ovpn)到 C:\Users\User\OpenVPN\config目录下面。
#打开OpenVPN Gui,右击连接即可。