Operating system version: CentOS 7.9
Scenario:
Start two CentOS 7.9 machines on a local hypervisor. The OpenVPN server gets two NICs: VMnet8 represents its public address and VMnet1 its internal address. The second machine is attached only to VMnet1 and represents a business server on the LAN.
1. Operating system tuning
# Disable SELinux
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
setenforce 0
# Stop and disable the firewall
systemctl stop firewalld && systemctl disable firewalld
# Enable IP forwarding (immediately, and persistently via /etc/sysctl.conf)
sysctl -w net.ipv4.ip_forward=1
cat >> /etc/sysctl.conf <<EOF && sysctl -p
net.ipv4.ip_forward=1
EOF
2. Configure the EPEL repository
# Install the EPEL repository
yum install -y epel-release
# Clear the yum cache
yum clean all
# Rebuild the yum metadata cache
yum makecache
3. Install openvpn and easy-rsa
yum -y install openvpn easy-rsa
4. Generate certificates
cd /usr/share/easy-rsa/3
1. Initialize the directory
./easyrsa init-pki # initialize the pki certificate directory
2. Build the CA
./easyrsa build-ca nopass
3. Build the OpenVPN server certificate
./easyrsa build-server-full server nopass # "server" is the server certificate name; any other name works
4. Build the OpenVPN client certificate
./easyrsa build-client-full client nopass # "client" is the client certificate name; any other name works
5. Generate the Diffie-Hellman key-exchange parameters (this step takes a long time)
./easyrsa gen-dh
6. Generate the tls-auth key
cd pki && openvpn --genkey --secret ta.key
5. Copy the certificates
Put all certificates under /etc/openvpn/pki for easier management later:
mkdir -p /etc/openvpn/pki
cp -arf /usr/share/easy-rsa/3/pki/ca.crt /etc/openvpn/pki
cp -arf /usr/share/easy-rsa/3/pki/dh.pem /etc/openvpn/pki
cp -arf /usr/share/easy-rsa/3/pki/ta.key /etc/openvpn/pki
cp -arf /usr/share/easy-rsa/3/pki/issued/server.crt /etc/openvpn/pki
cp -arf /usr/share/easy-rsa/3/pki/private/server.key /etc/openvpn/pki
5. Configure the server
Edit the /etc/openvpn/server.conf file and write the following content. Remember that the VPN virtual address pool must never conflict with the LAN subnet:
dev tun
proto udp
port 1194
keepalive 10 120
max-clients 20
# best to use absolute paths for the certificate files
ca "/etc/openvpn/pki/ca.crt"
cert "/etc/openvpn/pki/server.crt"
key "/etc/openvpn/pki/server.key"
dh "/etc/openvpn/pki/dh.pem"
tls-auth "/etc/openvpn/pki/ta.key" 0
reneg-sec 0
remote-cert-tls client
tls-version-min 1.2
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
# virtual address pool for openvpn clients; must not conflict with the LAN subnet
server 172.31.100.0 255.255.255.0
topology subnet
ifconfig-pool-persist ipp.txt
client-config-dir client
persist-key
persist-tun
comp-lzo
# routes pushed from the server to clients
push "route 172.31.100.0 255.255.255.0"
push "route 136.142.53.0 255.255.255.0"
log-append /var/log/openvpn.log
verb 3
6. Start the service
systemctl enable openvpn@server --now
7. Configure iptables rules
The source address below is the client IP pool from the configuration above:
iptables -t nat -A POSTROUTING -s 172.31.100.0/24 -d 172.31.100.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.31.100.0/24 -d 136.142.53.0/24 -j MASQUERADE
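Step 5 warns that the client pool must not collide with the LAN subnet, and step 7 builds its NAT rules from that same pool. The following Python script, added here and not part of the original post, ties the two together: it parses a server.conf in the format shown above, treats every pushed route as a LAN segment, reports any that overlap the pool, and emits the corresponding MASQUERADE rules. The sample configuration embedded in it is constructed from the values in this guide.

```python
import ipaddress
import shlex

# Constructed sample in the format of the server.conf above (not read from disk).
SERVER_CONF = """\
dev tun
proto udp
port 1194
# virtual address pool for openvpn clients
server 172.31.100.0 255.255.255.0
topology subnet
push "route 172.31.100.0 255.255.255.0"
push "route 136.142.53.0 255.255.255.0"
verb 3
"""

def parse_conf(text):
    """Return (pool, routes): the 'server' network and every pushed 'route' network."""
    pool, routes = None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and blank lines
        if not line or line.startswith(";"):
            continue
        parts = shlex.split(line)  # keeps the quoted push "route ..." argument together
        if parts[0] == "server" and len(parts) >= 3:
            # strict=True: OpenVPN expects the pool given as a proper network address
            pool = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=True)
        elif parts[0] == "push" and len(parts) >= 2:
            inner = parts[1].split()
            if len(inner) >= 3 and inner[0] == "route":
                routes.append(ipaddress.ip_network(f"{inner[1]}/{inner[2]}", strict=False))
    return pool, routes

def overlapping_lan_routes(pool, routes):
    """Pushed routes that collide with the client pool (the pool's own route is expected)."""
    return [r for r in routes if r != pool and r.overlaps(pool)]

def masquerade_rules(pool, routes):
    """The step-7 POSTROUTING MASQUERADE rules, one per pushed destination network."""
    return [f"iptables -t nat -A POSTROUTING -s {pool} -d {r} -j MASQUERADE" for r in routes]

if __name__ == "__main__":
    pool, routes = parse_conf(SERVER_CONF)
    bad = overlapping_lan_routes(pool, routes)
    print("pool:", pool, "overlapping routes:", [str(r) for r in bad])
    print("\n".join(masquerade_rules(pool, routes)))
```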
8. Client configuration
Place the client certificate, the CA certificate, the tls-auth key and the client configuration file generated on the server into the config directory of the OpenVPN client installation (on my machine, C:\Program Files\OpenVPN\config). The client configuration file's extension must be *.ovpn:
tls-client
pull
client
dev tun
proto udp
remote 192.168.192.129 1194
# reconnect automatically
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
remote-cert-tls server
ns-cert-type server
key-direction 1
cipher AES-256-CBC
tls-version-min 1.2
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
After the installation succeeds, adjust the file paths in the client configuration and the connection will come up.
Copyright © 2003-2013 www.wpsshop.cn. All rights reserved.