记录在Centos8上安装OpenVPN的经历，以及无法解决的问题_yum -y install easy-rsa

最近突然觉得买的云服务器没啥用，都在那里闲着。想着搞点事情，不要浪费资源。然后，就想部署个vpn试试看。可惜最后遇到了一个暂时无法解决的问题。在此写篇文章记录下，如果有人看到的话有什么好的解决办法可以一起探讨下。

环境：

Linux： OpenCloudOS 8.6（Centos8）

所需软件

openvpn（服务器端）： yum -y install openvpn
easy-rsa（证书生成管理）： yum -y install easy-rsa
iptables-service（流量转发）： yum -y install iptables-service

步骤

服务器端

1. 生成证书

复制一份easy-rsa到/etc/openvpn目录下

cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa

复制easy-rsa配置文件到/etc/openvpn/easy-rsa/3.0.8目录下,并重命名为vars

cp -r /usr/share/doc/easy-rsa/vars.example /etc/openvpn/easy-rsa/3.0.8/vars

初始化证书
如果以前的证书不要了,要从头开始创建证书就要从这一步开始

cd /etc/openvpn/easy-rsa/3.0.8
./easyrsa init-pki

创建根证书,会提示设置密码,此处我用nopass参数选择不要密码,

./easyrsa build-ca nopass

创建server端证书和私钥文件

./easyrsa gen-req server nopass

给server端证书签名,提示confirm request details:时,输入yes

./easyrsa sign server server

创建dh文件,秘钥交换算法

./easyrsa gen-dh

创建tls认证秘钥

openvpn --genkey --secret ta.key

拷贝证书文件到openvpn目录下:

mkdir /etc/openvpn/certs
cp ./pki/ca.crt /etc/openvpn/certs/
cp ./pki/dh.pem /etc/openvpn/certs/
cp ./pki/issued/server.crt /etc/openvpn/certs
cp ./pki/private/server.key /etc/openvpn/certs
cp ta.key /etc/openvpn/certs

创建server配置文件

拷贝配置文件模板

cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/

修改配置文件

cd /etc/openvpn
vim server.conf

#监听本机ip地址(这里填本机地址,云服务器上填的是内网地址不是公网地址，切记)
local 0.0.0.0

#监控本机端口号
port 1194

#指定采用的传输协议，可以选择tcp或udp
proto tcp

#指定创建的通信隧道类型，可选tun或tap,window服务器必须是tap
dev tun

#指定CA证书的文件路径
ca /etc/openvpn/certs/ca.crt

#指定服务器端的证书文件路径
cert /etc/openvpn/certs/server.crt

#指定服务器端的私钥文件路径
key /etc/openvpn/certs/server.key

#指定迪菲赫尔曼参数的文件路径
dh /etc/openvpn/certs/dh.pem

#指定虚拟局域网占用的IP地址段和子网掩码，不能和服务器eth0同网段
server 10.8.0.0 255.255.255.0

#服务器自动给客户端分配IP后，客户端下次连接时，仍然采用上次的IP地址(第一次 分配的IP保存在ipp.txt中，下一次分配其中保存的IP)。
ifconfig-pool-persist ipp.txt

#自动推送客户端上的网关及DHCP,此项开启了流量转发,有这项才能使用服务器代理上 网
push "redirect-gateway def1 bypass-dhcp"

#OpenVPN的DHCP功能为客户端提供指定的 DNS、WINS 等
push "dhcp-option DNS 114.114.114.114"

#允许客户端与客户端相连接，默认情况下客户端只能与服务器相连接
client-to-client

#允许同一个客户端证书多次登录,看需配置
#duplicate-cn

#每10秒ping一次，连接超时时间设为120秒
keepalive 10 120

#开启TLS-auth，使用ta.key防御攻击。服务器端的第二个参数值为0，客户端的为1。
tls-auth /etc/openvpn/certs/ta.key 0

#加密认证算法,2.4之前是AES-256-CBC
cipher AES-256-GCM

#使用lzo压缩的通讯,服务端和客户端都必须配置
comp-lzo

#最大连接用户
max-clients 100

#定义运行的用户和组,openvpn用户是安装的时候系统自动创建的
user openvpn
group openvpn

#重启时仍保留一些状态
persist-key
persist-tun

#输出短日志,每分钟刷新一次,以显示当前的客户端
status /var/log/openvpn-status.log

#日志保存路径
log /etc/openvpn/log/openvpn.log
log-append /etc/openvpn/log/openvpn.log

#指定日志文件的记录详细级别，可选0-9，等级越高日志内容越详细
verb 4

#相同信息的数量，如果连续出现 20 条相同的信息，将不记录到日志中
mute 20

下面这项只能udp连接开启
#explicit-exit-notify 1

#设置tls最低版本为1.3,连接的客户端如果是2.4以下则配置为1.0
tls-version-min 1.3
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83

配置系统转发,需要代理上网的必须配置

允许转发

echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf

配置立即生效

sysctl -p

关闭firewall

systemctl stop firewalld
systemctl disable firewalld

启动iptables

systemctl enable iptables
systemctl start iptables

配置iptables转发流量,代理主要以iptables转发实现

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

允许tcp/udp 1194通过防火墙

iptables -I INPUT -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT

保存规则并重启

service iptables save
systemctl restart iptables

创建启动的服务脚本文件

vim /lib/systemd/system/openvpn@.service

[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target

[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf

[Install]
WantedBy=multi-user.target
1
2
3
4
5
6
7
8
9
10
11

设置openvpn开机启动

systemctl enable openvpn@server

启动

systemctl start openvpn@server

查看状态

systemctl status openvpn@server
日志地址
/etc/openvpn/log/openvpn.log

客户端

服务器上操作

进入证书管理目录

cd /etc/openvpn/easy-rsa/3.0.8

生成客户端1的证书,客户端2依次类推

./easyrsa gen-req client1 nopass

注册客户端1的证书,要输入yes

./easyrsa sign client client1

将证书拷贝到一个目录存着

cp ./pki/issued/client1.crt /etc/openvpn/client
cp ./pki/private/client1.key /etc/openvpn/client

本地操作

下载地址： https://openvpn.net/community-downloads/

1.将client1.crt client1.key ta.key ca.crt四个文件下载到本地客户端目录的config

2.拷贝客户端sample-config目录下的client.ovpn文件到config目录下

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto tcp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
#remote my-server-1 1194
remote 124.222.29.42 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert client1.crt
key client1.key

# Verify server certificate by checking that the
# certificate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
#   digitalSignature, keyEncipherment
# and the extendedKeyUsage to
#   serverAuth
# EasyRSA can do this for you.
remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the data-ciphers option in the manpage
#cipher AES-256-CBC
cipher AES-256-GCM

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

#不保存密码
auth-nocache

# Silence repeating messages
mute 20
#使客户端中所有流量经过VPN,所有网络连接都使用vpn
redirect-gateway def1
tls-version-min 1.3
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134

3.打开openvpn

遇到问题

1、当openvpn打开的时候，WiFi会断掉
解决： 暗影精灵9无法找到解决的按钮，有同学遇到这种问题可以参考，
VPN连接成功后， 无线网络适配器会自动断开
I need to make Windows 7 STOP disabling the wifi adapter when the wired LAN is connected

目前我打算换个vpn试下，准备试下 l2tp vpn

本文参考链接：
centos8安装配置openvpn实现服务器代理上网
在Linux系统上搭建内网VPN
CentOS搭建OpenVPN
OpenVpnCentos8部署