Fedora 28/29 安装 ( Open V P N ) 结合 easy-rsa3

安装软件包:

[root@localhost ~]# yum -y install openvpn easy-rsa

复制easy-rsa 文件:

[root@localhost ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa
[root@localhost ~]# cd /etc/openvpn/easy-rsa/
[root@localhost easy-rsa]# cd 3.0.3/
[root@localhost 3.0.3]# find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars

创建PKI和CA:

[root@localhost 3.0.3]# pwd
/etc/openvpn/easy-rsa/3.0.3
[root@localhost 3.0.3]# ./easyrsa init-pki  #创建空的pki
[root@localhost 3.0.3]# ./easyrsa build-ca nopass #创建新的CA,不使用密码

创建服务端证书:

[root@localhost 3.0.3]# ./easyrsa gen-req server nopass

签约服务端证书:

[root@localhost 3.0.3]# ./easyrsa sign server server

创建 Diffie-Hellman:

[root@localhost 3.0.3]# ./easyrsa gen-dh

创建客户端证书:

复制文件:

[root@localhost ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/client/easy-rsa
[root@localhost ~]# cd /etc/openvpn/client/easy-rsa/
[root@localhost easy-rsa]# cd 3.0.3/
[root@localhost 3.0.3]# find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars

生成证书:

[root@localhost 3.0.3]# pwd
/etc/openvpn/client/easy-rsa/3.0.3
[root@localhost 3.0.3]# ./easyrsa init-pki #创建新的pki
[root@localhost 3.0.3]# ./easyrsa gen-req yaoxu nopass

签约客户端证书:

[root@localhost 3.0.3]# cd /etc/openvpn/easy-rsa/3.0.3/
[root@localhost 3.0.3]# pwd
/etc/openvpn/easy-rsa/3.0.3
[root@localhost 3.0.3]# ./easyrsa import-req /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/yaoxu.req yaoxu

整理证书:

服务端:

[root@localhost ~]# mkdir /etc/openvpn/certs
[root@localhost ~]# cd /etc/openvpn/certs/  
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem .        
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt .
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt .
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/private/server.key .

客户端证书:

[root@localhost certs]# mkdir /etc/openvpn/client/yaoxu/
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt /etc/openvpn/client/yaoxu/
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/yaoxu.crt /etc/openvpn/client/yaoxu/
[root@localhost certs]# cp /etc/openvpn/client/easy-rsa/3.0.3/pki/private/yaoxu.key /etc/openvpn/client/yaoxu/
[root@localhost certs]# ll /etc/openvpn/client/yaoxu/

服务端配置文件示例:配置文件说明:https://github.com/OpenVPN/openvpn/blob/master/sample/sample-config-files/server.conf

[root@localhost ~]# vim /etc/openvpn/server/first.conf
local vpn使用的网卡
port 1194  # vpn 端口
proto tcp # 可以使用 udp,速度更快
dev tun

ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem

ifconfig-pool-persist /etc/openvpn/ipp.txt

server 17.166.221.0 255.255.255.0 # server 虚拟地址池
push "route 192.168.1.0 255.255.255.0" # Push操作,适用于在客户端连接上vpn,给客户端路由表添加路由;
push "redirect-gateway def1 bypass-dhcp" # 设置所有的流量走vpn
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 223.6.6.6"
client-to-client
   
keepalive 20 120
comp-lzo
#duplicate-cn

user openvpn
group openvpn

persist-key                               
persist-tun
status openvpn-status.log    
log-append  openvpn.log     
verb 1
mute 20

客户端配置文件client.ovpn:

client   #这个不能改
proto tcp  #要与server.conf一致
dev tun    #要与server.conf一致
remote 主机外网IP 12306

ca ca.crt   
cert yaoxu.crt
key yaoxu.key      #对应所下载的证书

resolv-retry infinite
nobind
mute-replay-warnings

keepalive 20 120
comp-lzo
#user openvpn
#group openvpn

persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
mute 20

配置转发(firewalld):注意包转发,此处较为关键;请确认配置正确;并保证防火墙打开; (此条转发命令需要注意,后期如果重启后服务中断,很可能因为此命令重启后失效,需要重新配置)

firewall-cmd --add-service=openvpn
firewall-cmd --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1 # 保存后执行:sysctl -p
# 设置firewall规则 IP 根据自己的情况确定
systemctl start firewalld.service
firewall-cmd --statefirewall-cmd --zone=public --list-all
firewall-cmd --add-service=openvpn --permanent
firewall-cmd --add-port=1194/udp --permanent
firewall-cmd --add-port=22/tcp --permanent
firewall-cmd --add-source=10.10.1.0 --permanent
firewall-cmd --query-source=10.10.1.0 --permanent
firewall-cmd --add-masquerade --permanent
firewall-cmd --query-masquerade --permanent
firewall-cmd --reload 

开启 openvpn 服务:

systemctl enable openvpn-server@first.service
systemctl start openvpn-server@first.service

配置客户端:

可以使用 openvpn 命令行

图形界面:

macos:Tunnelblick openvpn 命令行

linux: openvpn 

openvpn (--daemon) --cd /etc/openvpn --config client.ovpn (--log-append /var/log/openvpn.log)

windows: openvpn.exehttp://www.fyluo.com/m/?post=198

保持更新,转载请注明出处;如果对您有帮助,请点击右下角推荐给予支持吧!非常感谢!

参考链接:

https://fedoraproject.org/wiki/Openvpn 官方文档,较为优秀;

https://www.cnblogs.com/olinux/p/5159530.html

https://blog.rj-bai.com/post/78.html#menu_index_14

https://blog.rj-bai.com/post/132.html#menu_index_11

https://blog.rj-bai.com/post/136.html 较为优秀

https://www.cnblogs.com/37yan/p/7171457.html

https://www.cnblogs.com/EasonJim/p/8449495.html 

https://github.com/OpenVPN/openvpn/blob/master/sample/sample-config-files/server.conf 较为优秀

https://blog.cryse.org/article/centos7-openvpn 

https://www.cnblogs.com/xiaoyou2018/p/9522172.html firewall-cmd 配置规则有帮助

https://wangchujiang.com/linux-command/c/firewall-cmd.html

https://www.cnblogs.com/luobiao320/p/7190918.html

https://www.cnblogs.com/EasonJim/p/8349519.html (macos 用户建议阅读)

posted @ 2020-03-27 14:15  yaowenxu  阅读(838)  评论(0编辑  收藏  举报