Installing OpenVPN on Fedora 28/29 with easy-rsa 3
Install the packages (on Fedora, yum is an alias for dnf):
[root@localhost ~]# yum -y install openvpn easy-rsa
Copy the easy-rsa files into /etc/openvpn (the packaged vars.example lives outside the easy-rsa tree, hence the find; edit vars afterwards if you want to change the default key size or the organisation fields):
[root@localhost ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa
[root@localhost ~]# cd /etc/openvpn/easy-rsa/
[root@localhost easy-rsa]# cd 3.0.3/
[root@localhost 3.0.3]# find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars
Create the PKI and the CA:
[root@localhost 3.0.3]# pwd
/etc/openvpn/easy-rsa/3.0.3
[root@localhost 3.0.3]# ./easyrsa init-pki          # create an empty PKI
[root@localhost 3.0.3]# ./easyrsa build-ca nopass   # create a new CA; nopass leaves the CA key unencrypted
The CA key (pki/private/ca.key) can sign further client certificates, so it is the most sensitive file produced here: leave out nopass if you want it passphrase-protected, and never copy it into the server's runtime directory.
Create the server certificate request:
[root@localhost 3.0.3]# ./easyrsa gen-req server nopass
Sign the server certificate (the first argument is the certificate type, the second the request name; sign is an accepted alias for sign-req):
[root@localhost 3.0.3]# ./easyrsa sign-req server server
The server type puts extendedKeyUsage serverAuth into the certificate, which is what remote-cert-tls server on the client side checks.
Create the Diffie-Hellman parameters (this takes a few minutes):
[root@localhost 3.0.3]# ./easyrsa gen-dh
Create the client certificate:
Copy the files (the client gets its own easy-rsa tree, so its private key is generated outside the CA's PKI and only the request is handed to the CA):
[root@localhost ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/client/easy-rsa
[root@localhost ~]# cd /etc/openvpn/client/easy-rsa/
[root@localhost easy-rsa]# cd 3.0.3/
[root@localhost 3.0.3]# find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars
Generate the request:
[root@localhost 3.0.3]# pwd
/etc/openvpn/client/easy-rsa/3.0.3
[root@localhost 3.0.3]# ./easyrsa init-pki          # a new, separate PKI
[root@localhost 3.0.3]# ./easyrsa gen-req yaoxu nopass
Sign the client certificate (back in the CA's easy-rsa tree):
[root@localhost 3.0.3]# cd /etc/openvpn/easy-rsa/3.0.3/
[root@localhost 3.0.3]# pwd
/etc/openvpn/easy-rsa/3.0.3
[root@localhost 3.0.3]# ./easyrsa import-req /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/yaoxu.req yaoxu
[root@localhost 3.0.3]# ./easyrsa sign-req client yaoxu
import-req only copies the request into the CA's PKI; it is the sign-req step that produces pki/issued/yaoxu.crt, which is copied below. The client type gives the certificate extendedKeyUsage clientAuth, so a client configured with remote-cert-tls server will refuse it if it is ever used to pose as the server.
Collect the certificates:
Server side:
[root@localhost ~]# mkdir /etc/openvpn/certs
[root@localhost ~]# cd /etc/openvpn/certs/
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem .
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt .
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt .
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/private/server.key .
Only these four files are needed at runtime; the CA private key stays in the easy-rsa tree. server.key should be readable by root only: OpenVPN reads it at startup before dropping privileges to the openvpn user.
Client certificate:
[root@localhost certs]# mkdir /etc/openvpn/client/yaoxu/
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt /etc/openvpn/client/yaoxu/
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/yaoxu.crt /etc/openvpn/client/yaoxu/
[root@localhost certs]# cp /etc/openvpn/client/easy-rsa/3.0.3/pki/private/yaoxu.key /etc/openvpn/client/yaoxu/
[root@localhost certs]# ll /etc/openvpn/client/yaoxu/
These three files go to the client; yaoxu.key is the client's identity and must be delivered over a trusted channel, not in the clear.
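The bundles can be checked before they are shipped. The script below is an added example, not part of the original post or of easy-rsa: for a given ca.crt, certificate and key it verifies that the certificate chains to the CA, has not expired, carries the extendedKeyUsage that matches its role (easy-rsa's sign-req server sets serverAuth, sign-req client sets clientAuth) and belongs to the private key next to it. It assumes openssl is on PATH. Because the PKI above is not available offline, make_demo_pki builds a throwaway CA with plain openssl as a constructed stand-in for the easy-rsa output; run the script with no arguments for that demo, or with four arguments to check a real bundle.

```shell
#!/bin/sh
# Added example, not part of the original post or of easy-rsa: check an OpenVPN
# certificate bundle (ca.crt, NAME.crt, NAME.key) the way the server or a client
# will use it. Assumes openssl is on PATH and that the bundle came from easy-rsa 3,
# whose "sign-req server" sets extendedKeyUsage serverAuth and "sign-req client"
# sets clientAuth.

# check_openvpn_bundle CA CERT KEY server|client -> 0 if usable, 1 otherwise
check_openvpn_bundle() {
    ca=$1 crt=$2 key=$3 role=$4
    case "$role" in
        server) want='TLS Web Server Authentication' ;;
        client) want='TLS Web Client Authentication' ;;
        *) echo "usage: check_openvpn_bundle CA CERT KEY server|client" >&2; return 2 ;;
    esac
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; return 1; }
    done
    # 1. the certificate chains to this CA ("<path>: OK" on success, any openssl version)
    openssl verify -CAfile "$ca" "$crt" 2>&1 | grep -q ': OK$' \
        || { echo "FAIL: $crt does not verify against $ca" >&2; return 1; }
    # 2. it has not expired
    openssl x509 -noout -checkend 0 -in "$crt" >/dev/null \
        || { echo "FAIL: $crt has expired" >&2; return 1; }
    # 3. extendedKeyUsage matches the role; "remote-cert-tls server" on the client
    #    relies on this to tell the real server apart from another client's cert
    eku=$(openssl x509 -noout -text -in "$crt" \
          | awk '/Extended Key Usage/ { getline; sub(/^ +/, ""); print; exit }')
    case "$eku" in
        *"$want"*) ;;
        *) echo "FAIL: $crt EKU is '$eku', expected '$want'" >&2; return 1 ;;
    esac
    # 4. the private key belongs to the certificate (compare the SPKI public keys)
    [ "$(openssl x509 -noout -pubkey -in "$crt")" = "$(openssl pkey -pubout -in "$key" 2>/dev/null)" ] \
        || { echo "FAIL: $key is not the private key for $crt" >&2; return 1; }
    # 5. a world-readable key is worth a warning but does not fail the check
    [ -z "$(find "$key" -perm -004 2>/dev/null)" ] \
        || echo "WARN: $key is world-readable; chmod 600 $key" >&2
    echo "OK: $crt ($role) chains to $ca, EKU '$want', key matches"
}

# make_demo_pki DIR: constructed stand-in for the easy-rsa output, built with plain
# openssl: a throwaway CA, a server cert (serverAuth) and a client cert (clientAuth).
make_demo_pki() {
    dir=$1
    cat > "$dir/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Demo OpenVPN CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$dir/demo.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    issue_demo_cert "$dir" server serverAuth && issue_demo_cert "$dir" yaoxu clientAuth
}

# issue_demo_cert DIR NAME EKU: request plus signature, what gen-req and sign-req do
issue_demo_cert() {
    dir=$1 name=$2 eku=$3
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/demo.cnf" -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.req" 2>/dev/null || return 1
    printf 'extendedKeyUsage = %s\nkeyUsage = digitalSignature\n' "$eku" > "$dir/$name.ext"
    openssl x509 -req -days 1 -in "$dir/$name.req" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

run_demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { echo "demo PKI generation failed" >&2; rm -rf "$d"; return 1; }
    check_openvpn_bundle "$d/ca.crt" "$d/server.crt" "$d/server.key" server
    check_openvpn_bundle "$d/ca.crt" "$d/yaoxu.crt" "$d/yaoxu.key" client
    # same CA, wrong EKU: a client cert must not pass in the server role
    if check_openvpn_bundle "$d/ca.crt" "$d/yaoxu.crt" "$d/yaoxu.key" server 2>/dev/null; then
        echo "BUG: client certificate accepted in the server role"
    else
        echo "expected: client certificate rejected in the server role"
    fi
    rm -rf "$d"
}

# No arguments: run the demo. With arguments: check a real bundle, e.g.
#   sh check_bundle.sh /etc/openvpn/certs/ca.crt /etc/openvpn/certs/server.crt /etc/openvpn/certs/server.key server
if [ $# -eq 0 ]; then run_demo; else check_openvpn_bundle "$@"; fi
```

Run it once against /etc/openvpn/certs with the server role and once against /etc/openvpn/client/yaoxu with the client role; a certificate that passes in both roles, or a key that matches no certificate, means the wrong file was copied.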
Example server configuration (the annotated sample file explains every directive: https://github.com/OpenVPN/openvpn/blob/master/sample/sample-config-files/server.conf):
[root@localhost ~]# vim /etc/openvpn/server/first.conf
local <IP address of the interface the VPN listens on>   # optional; without it OpenVPN listens on all addresses
port 1194                                # VPN port
proto tcp                                # udp is faster; whichever you pick must match the client config and the firewall rule
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
ifconfig-pool-persist /etc/openvpn/ipp.txt
server 10.8.0.0 255.255.255.0            # virtual address pool: must be RFC 1918 private space and the same subnet the MASQUERADE rule below uses
push "route 192.168.1.0 255.255.255.0"   # pushed to the client on connect: adds a route to the LAN behind the server
push "redirect-gateway def1 bypass-dhcp" # send all client traffic through the VPN
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 223.6.6.6"
client-to-client
keepalive 20 120
comp-lzo                                 # see the note below
#duplicate-cn                            # leave commented out: sharing one certificate between clients defeats per-client revocation
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 1
mute 20
Two caveats for a production server. Compression (comp-lzo) is deprecated since OpenVPN 2.4 and lets an attacker who can inject data into the tunnel recover secrets from compressed packet sizes (VORACLE); it is safer to drop the line on both sides. The sample also has no tls-auth or tls-crypt key, which is the usual way to make the server drop packets from unauthenticated peers before the TLS handshake.
Client configuration file client.ovpn:
client                            # do not change
proto tcp                         # must match server.conf
dev tun                           # must match server.conf
remote <server public IP> 1194    # the port server.conf listens on, unless a NAT in front of the server maps a different external port
ca ca.crt
cert yaoxu.crt
key yaoxu.key                     # the certificate and key issued for this client
resolv-retry infinite
nobind
mute-replay-warnings
keepalive 20 120
comp-lzo                          # only if the server has it as well
#user openvpn
#group openvpn
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
mute 20
Add remote-cert-tls server to the client config: it makes the client require extendedKeyUsage serverAuth in the server's certificate, so another client certificate issued by the same CA cannot be used to impersonate the server.
Configure forwarding (firewalld). Packet forwarding is the critical part of this setup: check the configuration carefully and make sure the firewall is running. (The passthrough rule below is applied at runtime only; if the VPN stops working after a reboot, it is most likely because this rule disappeared. Add --permanent to it or re-run it after every boot.)
firewall-cmd --add-service=openvpn
firewall-cmd --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
The -s subnet has to be the address pool given to the server directive in server.conf and -o the internet-facing interface; otherwise client traffic leaves unmasqueraded and the replies never come back.
Enable IP forwarding in the kernel:
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
# after saving, apply it with: sysctl -p
# firewall rules; adjust the addresses to your own setup
systemctl start firewalld.service
firewall-cmd --state
firewall-cmd --zone=public --list-all
firewall-cmd --add-service=openvpn --permanent       # this service definition opens 1194/udp only
firewall-cmd --add-port=1194/tcp --permanent         # with proto tcp in server.conf the TCP port must be opened explicitly (1194/udp for proto udp)
firewall-cmd --add-port=22/tcp --permanent
firewall-cmd --add-source=10.8.0.0/24 --permanent    # the VPN pool; a bare address without a prefix length would add a single host
firewall-cmd --query-source=10.8.0.0/24 --permanent
firewall-cmd --add-masquerade --permanent
firewall-cmd --query-masquerade --permanent
firewall-cmd --reload
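The server config, the client config and the NAT rule have to agree with each other: the client's remote port and proto with server.conf, and the MASQUERADE source with the server pool. The script below is an added example, not from the original post or from the OpenVPN project. It reads a server.conf and a client .ovpn with a small awk parser, reports those mismatches together with the options a reviewer would flag (comp-lzo, duplicate-cn, a missing remote-cert-tls), and prints the firewalld commands that match the server config. It assumes the NAT source CIDR and the internet-facing interface (eth0 above) are supplied by the caller; the configs written by write_demo_configs are constructed for the demo, and 203.0.113.10 is a placeholder server address.

```shell
#!/bin/sh
# Added example, not part of the original post or of OpenVPN: cross-check server.conf,
# the client .ovpn and the firewalld NAT rule for the mismatches that silently break
# this setup (port/proto, "server" pool vs. MASQUERADE source, a non-private pool) and
# flag the options a reviewer questions (comp-lzo, duplicate-cn, no remote-cert-tls).
# Assumes the NAT source CIDR and the internet-facing interface are passed in by the
# caller; the configs written by write_demo_configs are constructed for the demo.

# conf_get FILE KEY -> arguments of the first active KEY line ("" if absent)
conf_get() {
    awk -v k="$2" '
        /^[ \t]*[#;]/ { next }                         # comment line
        { sub(/[ \t]+[#;].*$/, "") }                    # trailing comment
        $1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}
# conf_has FILE KEY -> 0 if an active (uncommented) KEY line exists
conf_has() {
    awk -v k="$2" '/^[ \t]*[#;]/ { next } $1 == k { f = 1; exit } END { exit !f }' "$1"
}
# norm_proto tcp-server|udp4|... -> tcp|udp, so the two sides can be compared
norm_proto() { p=${1%%-*}; p=${p%[46]}; echo "$p"; }
# mask_to_prefix 255.255.255.0 -> 24 (assumes a contiguous mask)
mask_to_prefix() {
    echo "$1" | awk -F. '{ n = 0
        for (i = 1; i <= 4; i++) { x = $i; while (x) { n += x % 2; x = int(x / 2) } }
        print n }'
}
# pool_cidr SERVER_CONF -> the "server" directive as CIDR, e.g. 10.8.0.0/24
pool_cidr() {
    set -- $(conf_get "$1" server)
    [ -n "$2" ] && echo "$1/$(mask_to_prefix "$2")"
}

# check_vpn_config SERVER_CONF CLIENT_OVPN NAT_SOURCE_CIDR -> 0 if nothing to report
check_vpn_config() {
    srv=$1 cli=$2 nat=$3 rc=0
    sport=$(conf_get "$srv" port); sport=${sport:-1194}
    sproto=$(norm_proto "$(conf_get "$srv" proto)"); sproto=${sproto:-udp}
    set -- $(conf_get "$cli" remote)                   # remote HOST [PORT [PROTO]]
    cport=${2:-1194}
    cproto=$3; [ -n "$cproto" ] || cproto=$(conf_get "$cli" proto)
    cproto=$(norm_proto "$cproto"); cproto=${cproto:-udp}
    [ "$sport" = "$cport" ] || { echo "MISMATCH: server listens on $sport, client connects to $cport"; rc=1; }
    [ "$sproto" = "$cproto" ] || { echo "MISMATCH: server proto $sproto, client proto $cproto"; rc=1; }
    pool=$(pool_cidr "$srv")
    [ "$pool" = "$nat" ] || { echo "MISMATCH: server pool $pool, NAT rule masquerades $nat"; rc=1; }
    case "$pool" in                                     # a public pool hides those real hosts from clients
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
        *) echo "ERROR: pool $pool is not RFC 1918 private space"; rc=1 ;;
    esac
    conf_has "$srv" comp-lzo && { echo "WARN: comp-lzo: compression leaks plaintext (VORACLE); drop it on both sides"; rc=1; }
    conf_has "$srv" duplicate-cn && { echo "WARN: duplicate-cn lets one client certificate be shared"; rc=1; }
    conf_has "$cli" remote-cert-tls || { echo "WARN: client lacks 'remote-cert-tls server': any client cert could pose as the server"; rc=1; }
    return $rc
}

# firewall_cmds SERVER_CONF WAN_IF -> firewalld commands matching server.conf; --permanent
# is what a runtime-only passthrough rule lacks, hence the loss after a reboot
firewall_cmds() {
    port=$(conf_get "$1" port); port=${port:-1194}
    proto=$(norm_proto "$(conf_get "$1" proto)"); proto=${proto:-udp}
    printf 'firewall-cmd --permanent --add-port=%s/%s\n' "$port" "$proto"
    printf 'firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' \
        "$(pool_cidr "$1")" "$2"
    echo 'firewall-cmd --reload'
}

# write_demo_configs DIR: constructed configs. "bad" has the classic mistakes: a public
# pool that differs from the NAT source (17.166.221.0/24 vs 10.8.0.0/24), a client port
# that differs from the server's (12306 vs 1194) and comp-lzo; "good" is the corrected
# pair. 203.0.113.10 is a placeholder server address.
write_demo_configs() {
    printf 'port 1194\nproto tcp\ndev tun\nserver 17.166.221.0 255.255.255.0 # pool\ncomp-lzo\n#duplicate-cn\n' > "$1/bad.conf"
    printf 'client\nproto tcp\ndev tun\nremote 203.0.113.10 12306\nca ca.crt\ncert yaoxu.crt\nkey yaoxu.key\n' > "$1/bad.ovpn"
    printf 'port 1194\nproto tcp\ndev tun\nserver 10.8.0.0 255.255.255.0\n' > "$1/good.conf"
    printf 'client\nproto tcp\ndev tun\nremote 203.0.113.10 1194\nremote-cert-tls server\n' > "$1/good.ovpn"
}

if [ $# -eq 0 ]; then                                   # no arguments: run the demo
    d=$(mktemp -d)
    write_demo_configs "$d"
    echo "== mismatched configs =="; check_vpn_config "$d/bad.conf" "$d/bad.ovpn" 10.8.0.0/24
    echo "== corrected configs =="; check_vpn_config "$d/good.conf" "$d/good.ovpn" 10.8.0.0/24 && echo "consistent"
    firewall_cmds "$d/good.conf" eth0
    rm -rf "$d"
else                                                    # check_vpn.sh SERVER_CONF CLIENT_OVPN NAT_CIDR [WAN_IF]
    check_vpn_config "$1" "$2" "$3" && firewall_cmds "$1" "${4:-eth0}"
fi
```

On the server, run it as check_vpn.sh /etc/openvpn/server/first.conf client.ovpn 10.8.0.0/24 eth0 before enabling the service; the printed firewall-cmd lines are the permanent equivalents of the runtime rule above.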
Start the openvpn service (the instance name after @ is the config file name in /etc/openvpn/server/ without .conf):
systemctl enable openvpn-server@first.service
systemctl start openvpn-server@first.service
Configure the client:
The openvpn command line works everywhere.
Graphical clients:
macOS: Tunnelblick, or the openvpn command line
Linux: openvpn (the bracketed options are optional)
openvpn [--daemon] --cd /etc/openvpn --config client.ovpn [--log-append /var/log/openvpn.log]
Windows: openvpn.exe (see http://www.fyluo.com/m/?post=198)
References:
https://fedoraproject.org/wiki/Openvpn (official documentation, quite good)
https://www.cnblogs.com/olinux/p/5159530.html
https://blog.rj-bai.com/post/78.html#menu_index_14
https://blog.rj-bai.com/post/132.html#menu_index_11
https://blog.rj-bai.com/post/136.html (quite good)
https://www.cnblogs.com/37yan/p/7171457.html
https://www.cnblogs.com/EasonJim/p/8449495.html
https://github.com/OpenVPN/openvpn/blob/master/sample/sample-config-files/server.conf (quite good)
https://blog.cryse.org/article/centos7-openvpn
https://www.cnblogs.com/xiaoyou2018/p/9522172.html (helpful for the firewall-cmd rules)
https://wangchujiang.com/linux-command/c/firewall-cmd.html
https://www.cnblogs.com/luobiao320/p/7190918.html
https://www.cnblogs.com/EasonJim/p/8349519.html (recommended for macOS users)