阿里云 CentOS 7.7 x64 安装 OpenVPN,并配置 IP 转发和 NAT 伪装

原文:

https://blog.csdn.net/liuyunshengsir/article/details/100634293

开启IP转发

永久生效

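# Persist IPv4 forwarding across reboots.  Append the line only when this exact
# entry is absent, so re-running the guide does not stack duplicate entries
# (a later "= 1" line still wins over an earlier "= 0" in the same file).
grep -qxF 'net.ipv4.ip_forward = 1' /etc/sysctl.d/99-sysctl.conf 2>/dev/null \
  || echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/99-sysctl.conf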

立即生效

# Apply forwarding to the running kernel right away; the sysctl.d entry above
# is only read at boot (or by "sysctl --system").
sysctl -w net.ipv4.ip_forward=1

# Stop firewalld: the iptables-services package installed below takes over
# host firewalling, and the two must not manage the ruleset at the same time.
# NOTE(review): between this step and "systemctl start iptables.service" the
# host runs with no firewall service at all; keep that window short on a
# publicly reachable cloud instance.

systemctl stop firewalld

# Keep firewalld from starting again at boot.

systemctl disable firewalld

# Show firewalld's state (expected output once stopped: "not running").

firewall-cmd --state

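# Check whether an iptables unit is already present (harmless if it is not).
service iptables status
# Install the iptables userspace tools and the iptables-services unit in one
# yum transaction (the original ran two separate installs with inconsistent
# flag order).
yum install -y iptables iptables-services
# Register the service so it starts at boot — the systemd equivalent of the
# old "chkconfig iptables on".
systemctl enable iptables.service
# Start it now; iptables.service restores the rule set kept in
# /etc/sysconfig/iptables.
systemctl start iptables.service
# Confirm the unit is active.
systemctl status iptables.service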

清空防火墙规则

# Empty the saved rule file.  NOTE(review): this only clears the file on disk;
# the rules already loaded into the kernel by "systemctl start iptables.service"
# are untouched, and "service iptables save" below rewrites this file from
# those running rules anyway — so on its own this line changes nothing that
# persists.  Confirm that is the intended effect.
>/etc/sysconfig/iptables

添加规则

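# Allow traffic arriving from the VPN tunnel to be forwarded on (server.conf
# uses "dev tun", so the interface is typically tun0).
iptables -A FORWARD -i tun0 -j ACCEPT
# Let reply packets for connections opened from the tunnel come back in.  The
# original only matched the tun0 -> out direction, so replies depended on
# whatever FORWARD policy the loaded rule set happens to have.
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# NAT the VPN subnet — must match "server 172.16.77.0 255.255.255.0" in
# server.conf — to eth0's address on the way out.
iptables -t nat -A POSTROUTING -s 172.16.77.0/24 -o eth0 -j MASQUERADE
# Accept OpenVPN (proto tcp, port 1194 in server.conf) and SSH.
# NOTE(review): -A appends after any rules already loaded; if the loaded set
# ends in a REJECT/DROP, these two rules never match.  Check with
# "iptables -L INPUT -n --line-numbers" and use -I instead if that is the case.
iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT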

保存防火墙规则

# Write the rules currently loaded in the kernel to /etc/sysconfig/iptables so
# iptables.service restores them on the next boot.
service iptables save
# Reload the unit from the saved file.  On CentOS 7 the "service" wrapper
# forwards this to systemctl, so call it directly for consistency with the
# enable/start/status lines above.
systemctl restart iptables.service

配置镜像源

# Enable the EPEL repository; the base CentOS 7 repos do not carry openvpn or
# easy-rsa.
yum install -y epel-release

安装

# Install the OpenVPN daemon and the easy-rsa PKI helper.  The later steps
# hard-code easy-rsa 3.0.6 paths; adjust them if yum pulls a different build.
yum install openvpn easy-rsa -y

查看版本号

# Confirm the install and note the version (it determines which cipher and
# tls options are available in the configs below).
openvpn --version

生成证书

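# Copy the easy-rsa tree into /etc/openvpn so the PKI lives next to the
# OpenVPN configuration.
cp -R /usr/share/easy-rsa/ /etc/openvpn/
# Seed the vars file from the packaged example.  This is a single regular
# file, so plain cp is enough (the original used cp -r).  The "3.0.6" path
# components are tied to the installed easy-rsa release; look under
# /usr/share/doc/easy-rsa-*/ if this copy fails.
cp -- /usr/share/doc/easy-rsa-3.0.6/vars.example /etc/openvpn/easy-rsa/3.0.6/vars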

生成pki

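# Start from an empty PKI.  This deletes any existing CA, keys and issued
# certificates under pki/, so each step is gated on the previous one: the
# original ran rm -rf and init-pki even when the cd had failed.  The "${var:?}"
# guard refuses to expand an empty path into "rm -rf".
easyrsa_dir=/etc/openvpn/easy-rsa/3.0.6
cd "$easyrsa_dir" \
  && rm -rf -- "${easyrsa_dir:?}/pki" \
  && "$easyrsa_dir/easyrsa" init-pki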

创建CA

创建时输入eduserver

# Create the CA key and self-signed certificate.  "nopass" leaves the CA
# private key (pki/private/ca.key) unencrypted on this VPN server.
# NOTE(review): anyone who can read that file can issue client certificates
# the server trusts; prefer running build-ca without "nopass" (or keeping the
# CA on a separate machine) and copying only ca.crt to the server.
/etc/openvpn/easy-rsa/3.0.6/easyrsa build-ca nopass

CA 只能创建一次,如果需要重新创建需要删除pki重来一次

创建服务端证书

# Generate the server key pair and signing request (common name "eduserver").
# "nopass" leaves the key unencrypted, which the daemon needs to start unattended.
/etc/openvpn/easy-rsa/3.0.6/easyrsa gen-req eduserver nopass

签约服务端证书

# Sign the request with the *server* certificate type; this is what lets a
# client with "remote-cert-tls server" tell the server apart from other
# certificates issued by the same CA.  Answer "yes" at the prompt.
/etc/openvpn/easy-rsa/3.0.6/easyrsa sign server eduserver

创建Diffie-Hellman

# Generate Diffie-Hellman parameters (pki/dh.pem, referenced by the "dh" line
# in server.conf).  This can take several minutes.
/etc/openvpn/easy-rsa/3.0.6/easyrsa gen-dh

修改配置文件允许多次重复生成

# Edit the CA database attributes; the text below changes unique_subject to
# "no" so a certificate can be re-issued for a subject that already exists.
# NOTE(review): this also means two clients can hold valid certificates with
# the same CN; if that is not wanted, revoke the old one instead
# (easyrsa revoke / gen-crl plus "crl-verify" in server.conf).
vim /etc/openvpn/easy-rsa/3.0.6/pki/index.txt.attr

修改demoCA下 index.txt.attr

将unique_subject = yes改为unique_subject = no

生成客户端证书->test01

# Generate the client key pair and signing request for "test01".  "nopass"
# leaves test01.key unencrypted; it will be copied to the client machine.
/etc/openvpn/easy-rsa/3.0.6/easyrsa gen-req test01 nopass

注册客户端

提示输入yes

# Sign test01's request with the *client* certificate type; answer "yes".
/etc/openvpn/easy-rsa/3.0.6/easyrsa sign client test01

修改服务端配置文件

# Create the server configuration; the contents follow.
vim /etc/openvpn/server.conf

# OpenVPN server configuration (/etc/openvpn/server.conf).
# NOTE(review): nothing here drops root privileges ("user nobody" /
# "group nobody"), and there is no "tls-auth"/"tls-crypt" key and no
# "crl-verify" file.  The CA on this page signs both server and client
# certificates, so revoking a lost client key needs a CRL to take effect.
# Address this host listens on.  Clients connect to a different, public
# address (see test01.ovpn), so this is presumably the cloud-side private IP
# that the public one is mapped to — confirm.
local 10.100.0.152
# Port and protocol; must match the INPUT rule (tcp/1194) added earlier.
port 1194
proto tcp
# Routed (layer-3) tunnel; the FORWARD/MASQUERADE rules refer to tun0.
dev tun
# CA and server credentials from the easy-rsa PKI built above.
ca /etc/openvpn/easy-rsa/3.0.6/pki/ca.crt
cert /etc/openvpn/easy-rsa/3.0.6/pki/issued/eduserver.crt
# This file should be kept secret
key /etc/openvpn/easy-rsa/3.0.6/pki/private/eduserver.key
# DH parameters from "easyrsa gen-dh".
dh /etc/openvpn/easy-rsa/3.0.6/pki/dh.pem
# One /24 shared by all clients; each gets an address from 172.16.77.0/24,
# which is the source range in the POSTROUTING MASQUERADE rule.
topology subnet
server 172.16.77.0 255.255.255.0
# Remember client -> address assignments across restarts.
ifconfig-pool-persist ipp.txt

# Routes pushed to clients: RFC 1918 192.168/16 and 10/8 plus the 100.64/10
# shared-address range; client traffic for these goes through the tunnel.
push "route 192.168.0.0 255.255.0.0"
push "route 10.0.0.0 255.0.0.0"
push "route 100.64.0.0 255.192.0.0"
# Ping the peer every 10 s; consider it gone after 120 s of silence.
keepalive 10 120
# Data-channel cipher; test01.ovpn sets the same value.
# NOTE(review): an AEAD cipher such as AES-256-GCM is preferable where both
# ends support it — check the version printed by "openvpn --version".
cipher AES-256-CBC
# LZO compression.  NOTE(review): compressing data before encrypting it can
# leak information about the plaintext; leave it off unless bandwidth demands it.
comp-lzo
# Maximum number of simultaneously connected clients.
max-clients 200
# Keep key material and the tun device across SIGUSR1 restarts.
persist-key
persist-tun
# Status and log files; relative paths, no --cd is set here.
status openvpn-status.log
log-append openvpn.log
# Log verbosity and suppression of repeated messages.
verb 3
mute 20
# Allow several simultaneous connections with the same certificate CN
# (goes together with the unique_subject = no change in index.txt.attr).
# NOTE(review): this removes per-client accountability; prefer one certificate
# per client and leave it off.
duplicate-cn

修改客户端配置文件test01.ovpn

# Write the client profile (used on the Windows client together with the
# three certificate files listed further down).
vim test01.ovpn

# OpenVPN client profile for test01.
client
dev tun
proto tcp
#server1
# Public address and port of the server; proto/port match server.conf.
remote 116.62.103.51 1194
# Must match the "cipher" line in server.conf.
cipher AES-256-CBC
# Keep retrying name resolution of the remote indefinitely.
resolv-retry infinite
# Do not bind to a fixed local port.
nobind
persist-key
persist-tun
# Credentials shipped alongside this profile (copied from pki/ca.crt,
# pki/issued/test01.crt and pki/private/test01.key); paths are relative to
# the client's config directory.
# NOTE(review): there is no "remote-cert-tls server" line.  The same CA signs
# the client certificates, so without it any holder of a valid client cert
# could pose as the server; add it so only a server-type certificate is accepted.
ca ca.crt
cert test01.crt
key test01.key
comp-lzo
verb 3

客户端证书文件包括如下:

/etc/openvpn/easy-rsa/3.0.6/pki/ca.crt
/etc/openvpn/easy-rsa/3.0.6/pki/private/test01.key
/etc/openvpn/easy-rsa/3.0.6/pki/issued/test01.crt

再加上test01.ovpn,一共四个文件,都放到安装完openvpn程序以后的配置路径C:\Program Files\OpenVPN\config

openvpn做成服务

# Write the unit file; contents follow.  NOTE(review): /usr/lib/systemd/system
# is the package-owned tree; /etc/systemd/system is the usual place for
# locally written units.  The EPEL openvpn package may already ship a
# template unit — check "systemctl list-unit-files 'openvpn*'" first.
vim /usr/lib/systemd/system/openvpn.service

# systemd unit for the OpenVPN server defined in /etc/openvpn/server.conf.
[Unit]
Description=openvpn service
# Start after the network is up.  network-online.target only fires when a
# network manager signals readiness — confirm on this image.
After=network-online.target
Wants=network-online.target

[Service]
# openvpn forks because of --daemon; no PIDFile= is given, so systemd
# presumably has to guess the main PID that $MAINPID refers to.
Type=forking
# NOTE(review): runs as root for its whole lifetime; server.conf sets no
# "user"/"group" to drop privileges after startup.
User=root
Group=root
ExecStart=/usr/sbin/openvpn --daemon --config /etc/openvpn/server.conf
# NOTE(review): SIGKILL skips OpenVPN's orderly shutdown.  Dropping this line
# lets systemd use its default stop behaviour (SIGTERM first, SIGKILL only
# after the timeout), which is usually preferable.
ExecStop=/bin/kill -9 $MAINPID
Restart=on-failure
# Give the service its own /tmp.
PrivateTmp=true

[Install]
WantedBy=multi-user.target

服务自启动

# Pick up the new unit file, enable it at boot, start it and show the result.
# The explicit ".service" suffix matches the iptables lines earlier on the
# page; systemctl assumes it anyway.
systemctl daemon-reload
systemctl enable openvpn.service
systemctl start openvpn.service
systemctl status openvpn.service


转载自www.cnblogs.com/itfat/p/12297073.html