安装 openvpn 与 easy-rsa 软件包(后面用到的 /usr/share/easy-rsa 目录由 easy-rsa 包提供)

root@Server:~# apt-get install openvpn easy-rsa

//开启系统路由转发(服务端 push redirect-gateway 后客户端全部流量经 VPN 转发;仅开转发还不够,还需在服务端加 NAT 规则,例如 iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o <外网接口> -j MASQUERADE,否则客户端无法访问外网)
root@Server:~# vim /etc/sysctl.conf
net.ipv4.ip_forward=1
root@Server:~# sysctl -p
net.ipv4.ip_forward = 1

配置easy-rsa

//为vpn创建ca、服务器证书、客户端证书
//进入easy-rsa目录,复制vars样例文件,修改证书信息(注意:下面直接在软件包目录 /usr/share/easy-rsa 下建立 PKI,包升级时可能被覆盖;正式环境建议用 make-cadir ~/openvpn-ca 在独立目录建立,并尽量不要把 ca.key 长期留在 VPN 服务器上)

root@Server:~# cd /usr/share/easy-rsa/
root@Server:/usr/share/easy-rsa# ls
easyrsa  openssl-easyrsa.cnf  vars.example  x509-types
root@Server:/usr/share/easy-rsa# cp vars.example vars
root@Server:/usr/share/easy-rsa# vim vars
set_var EASYRSA_REQ_COUNTRY     "CN"
set_var EASYRSA_REQ_PROVINCE    "ZJ"
set_var EASYRSA_REQ_CITY        "Hangzhou"
set_var EASYRSA_REQ_ORG         "Chinaskills"
set_var EASYRSA_REQ_EMAIL       "test@Chinaskills.com"
set_var EASYRSA_REQ_OU          "Test OpenVPN"

//pki目录初始化

root@Server:/usr/share/easy-rsa# ./easyrsa init-pki

//创建CA根证书,输入两次pem密码,输入通用名

root@Server:/usr/share/easy-rsa# ./easyrsa build-ca
Enter New CA Key Passphrase:密码
Re-Enter New CA Key Passphrase:密码
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:CA for test OpenVPN

//为vpn服务端创建证书请求并自动生成私钥;nopass 表示服务端私钥不加密(服务开机自启时无法交互输入密码,因此需要这样),所以必须靠文件权限保护 server.key

root@Server:/usr/share/easy-rsa# ./easyrsa gen-req server nopass
Common Name (eg: your user, host, or server name) [server]:Server-OpenVPN

//CA签发服务端证书,输入yes,输入CA的pem密码即可

root@Server:/usr/share/easy-rsa# ./easyrsa sign server server
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Enter pass phrase for /usr/share/easy-rsa/pki/private/ca.key:密码

//生成 Diffie-Hellman 参数(默认 2048 位,需等待片刻)

root@Server:/usr/share/easy-rsa# ./easyrsa gen-dh

创建客户端证书

//新建一个目录作为客户端的 PKI,将主目录的 easyrsa 及配置文件复制进去(注意:这里为了方便在服务器上替客户端生成私钥;正规做法是客户端自己生成私钥,只把 .req 交给 CA 签发。既然私钥在服务器上生成,传输时必须走加密通道(下文用 sftp),传完后应删除服务器上的副本)

root@Server:/usr/share/easy-rsa# mkdir forclient
root@Server:/usr/share/easy-rsa# cp easyrsa openssl-easyrsa.cnf forclient/
root@Server:/usr/share/easy-rsa# cd forclient/

//执行pki初始化

root@Server:/usr/share/easy-rsa/forclient# ./easyrsa init-pki

//创建客户端密钥及证书,输入自定密码及通用名称

root@Server:/usr/share/easy-rsa/forclient# ./easyrsa gen-req client
Enter PEM pass phrase:密码
Verifying - Enter PEM pass phrase:密码
Common Name (eg: your user, host, or server name) [client]:OpenVPN for Client

//切换至原目录,执行证书导入到CA

root@Server:/usr/share/easy-rsa/forclient# cd ..
root@Server:/usr/share/easy-rsa# ./easyrsa import-req forclient/pki/reqs/client.req client

//签发客户端证书,输入 yes 确认,再输入 CA 私钥密码(最后一个参数须与上一步 import-req 时指定的名称 client 一致)

root@Server:/usr/share/easy-rsa# ./easyrsa sign client client
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Enter pass phrase for /usr/share/easy-rsa/pki/private/ca.key:密码

//确认目录中已有下列证书/密钥文件(tree 输出已省略无关文件)

root@Server:/usr/share/easy-rsa# tree
.
├── forclient     //存放客户端文件夹(只列出相关文件)
│   └── pki
│       ├── private
│       │   └── client.key //客户端私钥
│       └── reqs
│           └── client.req //客户端证书签名请求(CSR),不是证书
├── pki           //CA的pki文件夹
│   ├── ca.crt  //CA根证书
│   ├── dh.pem //DH文件
│   ├── issued
│   │   ├── client.crt //客户端证书(由 CA 根据导入的 client.req 签发)
│   │   └── server.crt //服务端证书
│   └── private
│       ├── ca.key    //CA的私钥,最敏感的文件,勿复制到 /CA 或客户端
│       └── server.key  //服务端私钥

//将所有需要用的证书私钥文件复制整理到指定文件夹下(可不做,但后续配置中注意文件路径)。只复制 ca.crt,绝不复制 ca.key;复制后要收紧私钥文件权限,见下面 chmod
//服务端文件

root@Server:/usr/share/easy-rsa# mkdir -p /CA/server /CA/client
root@Server:/usr/share/easy-rsa# cp pki/ca.crt /CA/server/
root@Server:/usr/share/easy-rsa# cp pki/issued/server.crt /CA/server/
root@Server:/usr/share/easy-rsa# cp pki/private/server.key /CA/server/
root@Server:/usr/share/easy-rsa# cp pki/dh.pem /CA/server/

//客户端文件

root@Server:/usr/share/easy-rsa# cp forclient/pki/private/client.key /CA/client/
root@Server:/usr/share/easy-rsa# cp pki/issued/client.crt /CA/client/
root@Server:/usr/share/easy-rsa# cp pki/ca.crt /CA/client/
root@Server:/usr/share/easy-rsa# chmod 700 /CA/server /CA/client
root@Server:/usr/share/easy-rsa# chmod 600 /CA/server/server.key /CA/client/client.key
root@Server:/usr/share/easy-rsa# cd /CA
root@Server:/CA# tree
.      //具体文件如下,不可缺少
├── client
│   ├── ca.crt
│   ├── client.crt
│   └── client.key
└── server
    ├── ca.crt
    ├── dh.pem
    ├── server.crt
    └── server.key
2 directories, 7 files

服务端配置

//找到配置文件模板,gunzip解压复制到配置文件目录下

root@Server:/CA# cd /usr/share/doc/openvpn/examples/sample-config-files/
root@Server:/usr/share/doc/openvpn/examples/sample-config-files# zcat server.conf.gz > /etc/openvpn/server.conf

//编辑服务端server.conf配置文件

root@Server:/etc/openvpn# vim server.conf
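# Bind address: must be the address the client's `remote` line points at
# (the client section of this guide connects to 10.10.100.10); drop `local`
# to listen on all interfaces.
local 192.168.10.3
port 1194
proto tcp
dev tun
ca /CA/server/ca.crt
cert /CA/server/server.crt
key /CA/server/server.key
dh /CA/server/dh.pem
# Only accept peers whose certificate was issued with the easy-rsa "client"
# type (`easyrsa sign client ...`); a server certificate from the same CA is
# then rejected as a client.
remote-cert-tls client
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
# Routing all client traffic through the VPN needs ip_forward=1 plus a NAT
# rule on the server, otherwise clients lose Internet access.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
keepalive 10 120
# NOTE(review): compression is deprecated and weakens the tunnel against
# VORACLE-style attacks. It must match the client config, so remove it from
# BOTH sides at the same time when you can.
comp-lzo
max-clients 100
# Drop root privileges once the tunnel is up; persist-key/persist-tun keep
# restarts working after the drop.
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
# NOTE(review): the sample server.conf ships with `tls-auth ta.key 0` enabled
# and it is not shown in this listing. Either generate the key
# (`openvpn --genkey --secret /CA/server/ta.key`) and deploy it to the client
# too, or comment the line out -- a missing ta.key prevents the service from
# starting.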

注释掉模板最后一行(通常是 explicit-exit-notify 1):该选项仅支持 proto udp,本例使用 tcp,不注释会导致服务启动失败

客户端配置

//安装openvpn软件,通过 sftp(加密通道)从 CA 服务器获取 /CA/client 下的三个文件(参考上面的 client 树状图)。client.key 是私钥:传完后在客户端限制其权限,并删除服务器上 /CA/client/client.key 的副本

root@Client:~# apt-get install openvpn
root@Client:~# mkdir /CA && cd /CA
root@Client:/CA# sftp root@10.10.100.10
root@10.10.100.10's password:
Connected to root@10.10.100.10.
sftp> cd /CA/client/
sftp> ls
ca.crt       client.crt   client.key
sftp> get *
sftp> quit
root@Client:/CA# chmod 600 /CA/client.key

//复制client客户端配置模板,编辑

root@Client:/usr/share/doc/openvpn/examples/sample-config-files# cp client.conf /etc/openvpn/
root@Client:/etc/openvpn# vim client.conf
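client
dev tun
proto tcp
# Address/port the server listens on. The server section binds
# `local 192.168.10.3` but is reached here at 10.10.100.10 -- make sure this
# is really the address the server listens on.
remote 10.10.100.10 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /CA/ca.crt
cert /CA/client.crt
# Private key: keep it mode 0600 and remove the copy left on the CA server.
key /CA/client.key
# Require the peer certificate to carry the "server" type (easy-rsa
# `sign server`). Without this any certificate issued by the same CA --
# e.g. another client's -- can impersonate the server and intercept the tunnel.
remote-cert-tls server
# NOTE(review): must match the server; compression is deprecated (VORACLE),
# remove it from both sides at the same time when you can.
comp-lzo
verb 3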

启动连接OpenVPN

//服务端启动openvpn服务

root@Server:/etc/openvpn# systemctl restart openvpn@server.service
#客户端在前台启动连接以便观察日志。本例客户端私钥带密码,启动时会交互提示输入,因此不能简单在命令后加 & 放到后台;正式使用请改用 systemctl start openvpn@client(见下文,需要 nopass 的私钥或用 askpass 指定密码文件)
root@Client:/etc/openvpn# openvpn --config client.conf
。。。。。
Enter Private Key Password: ****  //输入私钥密码
。。。。。
Sun Oct 18 04:51:43 2020 Initialization Sequence Completed //安装连接完成

//连接成功后,出现tun0接口

root@Client:~# ifconfig
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.6  netmask 255.255.255.255  destination 10.8.0.5
        inet6 fe80::7613:f6cd:57a6:d056  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 1  bytes 48 (48.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 74  bytes 5286 (5.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

某国赛题目中:

VPN客户拨号使用命令systemctl start openvpn@SERVER03;
这里@是指/etc/openvpn下面对应的conf文件名
当然停止和注销服务就是

sudo systemctl stop openvpn@client.service
sudo systemctl disable openvpn@client.service

查看服务状态是

sudo systemctl status openvpn@client.service

即客户端配置文件须命名为 /etc/openvpn/SERVER03.conf(@ 后面是配置文件名,与证书的 Common Name 无关);由于 systemd 启动时无法交互输入私钥密码,创建客户端证书时要加 nopass 参数(./easyrsa gen-req client nopass),或在配置中用 askpass 指定密码文件,并用文件权限保护该私钥