上一篇文章为window的openvpn连接方式

本次为linux的openvpn连接方式，其实都差不多只要在服务器把证书弄好就可以了

直接上操作，简化操作步骤，服务端的操作全为脚本

实验环境

首先需要配置好epel源，我是使用的是阿里云的epel源

<code>wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo

然后安装对应软件包，并执行相关配置操作

#! /bin/bash

yum clean all

yum makecache

#然后安装openvpn和制作证书工具

yum -y install openvpn

yum -y install easy-rsa

yum -y install expect

# 准备相关配置文件

echo "生成服务器配置文件"

cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf /etc/openvpn/

echo "准备证书签发相关文件"

cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-server

echo "准备签发证书相关变量的配置文件"

cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa-server/3/vars

echo "初始化服务端PKI生成PKI相关目录和文件"

cd /etc/openvpn/easy-rsa-server/3

./easyrsa init-pki

echo "创建CA证书"

# ./easyrsa build-ca nopass

expect <<EOF

spawn ./easyrsa build-ca nopass

expect {

"Easy-RSA" {send "\n"}

}

expect eof

EOF

cat pki/serial

echo "生成服务端证书"

# ./easyrsa gen-req server nopass

expect <<EOF

spawn ./easyrsa gen-req server nopass

expect {

"server" {send "\n"}

}

expect eof

EOF

echo "签发服务端证书"

# ./easyrsa sign server server

expect <<EOF

spawn ./easyrsa sign server server

expect {

"*details:" {send "yes\n"}

}

expect eof

EOF

echo "创建 Diffie-Hellman 密钥"

./easyrsa gen-dh

cat > /etc/openvpn/server.conf <<EOF

port 1194

proto tcp

dev tun

ca /etc/openvpn/certs/ca.crt

cert /etc/openvpn/certs/server.crt

key /etc/openvpn/certs/server.key # This file should be kept secret

dh /etc/openvpn/certs/dh.pem

server 10.8.0.0 255.255.255.0

push "route 192.168.122.0 255.255.255.0"

keepalive 10 120

cipher AES-256-CBC

compress lz4-v2

push "compress lz4-v2"

max-clients 2048

user openvpn

group openvpn

status /var/log/openvpn/openvpn-status.log

log-append /var/log/openvpn/openvpn.log

verb 3

mute 20

EOF

echo "添加防火墙"

echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf

sysctl -p

yum install iptables-services -y

systemctl disable --now firewalld

systemctl start iptables

iptables -F

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE

iptables -vnL -t nat

mkdir -p /var/log/openvpn

mkdir -p /etc/openvpn/certs

cp /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt /etc/openvpn/certs/

cp /etc/openvpn/easy-rsa-server/3/pki/private/server.key /etc/openvpn/certs/

cp /etc/openvpn/easy-rsa-server/3/pki/ca.crt /etc/openvpn/certs/

cp /etc/openvpn/easy-rsa-server/3/pki/dh.pem /etc/openvpn/certs/

echo "重启OpenVpn"

systemctl daemon-reload

systemctl enable --now openvpn@server

systemctl restart openvpn@server

服务端配置客户端的对应设置

#! /bin/bash

read -p "请输入用户的姓名拼音(如:${NAME}): " NAME

read -p "请输入VPN服务端的公网IP(如:${IP}): " IP

echo "客户端证书环境"

cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-client

cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa-client/3/varsa

cd /etc/openvpn/easy-rsa-client/3

echo "初始化pki证书目录"

# ./easyrsa init-pki

expect << EOF

spawn ./easyrsa init-pki

expect {

"removal" {send "yes\n"}

}

expect eof

EOF

echo "生成客户端证书"

# ./easyrsa gen-req ${NAME} nopass

expect << EOF

spawn ./easyrsa gen-req ${NAME} nopass

expect {

"${NAME}" {send "\n"}

}

expect eof

EOF

echo "将客户端证书同步到服务端"

cd /etc/openvpn/easy-rsa-server/3

./easyrsa import-req /etc/openvpn/easy-rsa-client/3/pki/reqs/${NAME}.req ${NAME}

echo "查看客户端证书"

ll pki/reqs/${NAME}.req /etc/openvpn/easy-rsa-client/3/pki/reqs/${NAME}.req

echo "签发客户端证书,请输入：yes"

# ./easyrsa sign client ${NAME}

expect << EOF

spawn ./easyrsa sign client ${NAME}

expect {

"*details" {send "yes\n"}

}

expect eof

EOF

echo "查看证书"

cat pki/index.txt

ll pki/certs_by_serial/

cat pki/issued/${NAME}.crt

echo "创建客户端配置文件"

mkdir -p /etc/openvpn/client/${NAME}

cd /etc/openvpn/client/${NAME}

cat > /etc/openvpn/client/${NAME}/client.conf <<EOF

client

dev tun

proto tcp

remote ${IP} 1194

resolv-retry infinite

nobind

ca ca.crt

cert ${NAME}.crt

key ${NAME}.key

remote-cert-tls server

cipher AES-256-CBC

verb 3

compress lz4-v2

EOF

cp /etc/openvpn/easy-rsa-client/3/pki/private/${NAME}.key .

cp /etc/openvpn/easy-rsa-server/3/pki/issued/${NAME}.crt .

cp /etc/openvpn/easy-rsa-server/3/pki/ca.crt .

echo "打包用户证书"

tar -czvf ${NAME}.tar.gz ./

#重启OpenVpn

systemctl daemon-reload

systemctl enable --now openvpn@server

systemctl restart openvpn@server

然后到客户端的配置，客户端的配置就比较简单了，步骤很少，就不用脚本了，给大家操作了解一下

epel源也是需要的

wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo

然后下载openvpn

yum install openvpn -y

将服务端打包好的认证文件拷贝过来，这里大家对应自己的ip来修改

scp 192.168.121.160:/etc/openvpn/client/yiyezhiqiu/yiyezhiqiu.tar.gz /etc/openvpn/

解压认证包文件

tar -xf /etc/openvpn/yiyezhiqiu.tar.gz -C /etc/openvpn/

然后就可以启动openven了

systemctl start openvpn@client

systemctl enable openvpn@client

查看启动日志一切正常

检测连接情况，ping没问题，ssh连接也可以

这样openvpn连接就可以了