Ran into a problem:
If, when you start it, it tells you the config file already exists, even after changing directories and so on, you can just rename the ovpn config file and start with that one. The cause is unknown. Anyway, it worked.
Original post:
https://blog.csdn.net/liuyunshengsir/article/details/100634293
Enable IP forwarding
Permanent (survives a reboot):
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/99-sysctl.conf
Effective immediately:
sysctl -w net.ipv4.ip_forward=1
# first check whether iptables is installed
service iptables status
# install iptables
yum install -y iptables
# install iptables-services (CentOS 7 ships firewalld by default; stop and disable firewalld first if it is running, otherwise the two will fight over the rule set)
yum -y install iptables-services
# register the iptables service, equivalent to the old chkconfig iptables on
systemctl enable iptables.service
# start the service (this loads the default rule set from /etc/sysconfig/iptables)
systemctl start iptables.service
# check its status
systemctl status iptables.service
Clear the firewall rules
https://www.cnblogs.com/itfat/p/12297309.html
# This empties the saved rule file only. The rules loaded by the start command above, including the default REJECT rules in INPUT and FORWARD, stay in the kernel until the service is restarted; restart it right here before appending, otherwise the ACCEPT rules below land after the REJECT rule and never match
>/etc/sysconfig/iptables
Add rules
# eth0 is assumed to be the interface carrying the default route; on CentOS 7 it is often named ens192 or similar, so check before copying. 172.16.77.0/24 is the subnet from the server line in server.conf
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.16.77.0/24 -o eth0 -j MASQUERADE
# tcp because server.conf uses proto tcp; change to udp if the protocol changes. If the FORWARD policy is ever set to DROP, reply traffic going back into tun0 needs its own ACCEPT rule as well
iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Save the firewall rules
service iptables save
service iptables restart
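The same gateway rules as one iptables-restore file, as an added example that is not part of the original post. iptables-restore replaces each table's contents atomically, so the ordering problem with the default REJECT rules cannot occur, and the egress interface is read from the default route instead of being assumed to be eth0. The subnet, port and protocol are taken from the server.conf on this page; the function names and the "apply" argument are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: build the gateway's iptables rules
# as one iptables-restore file instead of appending to whatever is loaded.
# Assumes 172.16.77.0/24 and 1194/tcp from server.conf; the egress interface
# is detected from the default route rather than hard-coded as eth0.
set -u

# default_iface: read `ip route` output on stdin, print the interface of the
# default route (prints nothing if there is none).
default_iface() {
    awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# gen_vpn_rules VPN_SUBNET EGRESS_IFACE VPN_PORT VPN_PROTO
# Prints an iptables-restore file. Differences from the ad-hoc rules above:
#  - FORWARD policy is DROP, so only tunnel<->egress traffic is forwarded
#  - return traffic into tun0 is allowed explicitly via conntrack state
#  - INPUT policy is DROP with loopback, established flows, ICMP, SSH, the
#    VPN port and the tunnel itself allowed (what the original INPUT rules
#    were meant to achieve; with an ACCEPT policy they did nothing)
gen_vpn_rules() {
    subnet=$1; egress=$2; port=$3; proto=$4
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p $proto --dport $port -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -o $egress -s $subnet -j ACCEPT
-A FORWARD -i $egress -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $subnet -o $egress -j MASQUERADE
COMMIT
EOF
}

# apply_vpn_rules: root only. Writes the file iptables-services loads at boot,
# enables forwarding, and loads the rules now.
apply_vpn_rules() {
    egress=$(ip route | default_iface)
    [ -n "$egress" ] || { echo "no default route found" >&2; return 1; }
    gen_vpn_rules 172.16.77.0/24 "$egress" 1194 tcp > /etc/sysconfig/iptables
    sysctl -w net.ipv4.ip_forward=1
    iptables-restore < /etc/sysconfig/iptables
}

# Run with "apply" to install; without arguments it only defines the functions.
if [ "${1:-}" = "apply" ]; then
    apply_vpn_rules
fi
```

Review the generated file (`gen_vpn_rules 172.16.77.0/24 ens192 1194 tcp`) before applying on a remote box; the INPUT policy is DROP, so the SSH rule is what keeps you logged in.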
Configure the package repository
yum install -y epel-release
Install
yum install openvpn easy-rsa -y
Check the version
openvpn --version
Generate certificates
# the 3.0.6 in these paths is the easy-rsa version EPEL shipped at the time; adjust it to the version actually installed under /usr/share/easy-rsa/
cp -R /usr/share/easy-rsa/ /etc/openvpn/
cp -r /usr/share/doc/easy-rsa-3.0.6/vars.example /etc/openvpn/easy-rsa/3.0.6/vars
Generate the PKI
cd /etc/openvpn/easy-rsa/3.0.6
rm -rf /etc/openvpn/easy-rsa/3.0.6/pki
/etc/openvpn/easy-rsa/3.0.6/easyrsa init-pki
Create the CA
# enter eduserver when prompted for the Common Name
# nopass leaves pki/private/ca.key unencrypted; anyone who can read it can issue client certificates, so keep it root-only (or keep the CA off the VPN host altogether)
/etc/openvpn/easy-rsa/3.0.6/easyrsa build-ca nopass
The CA is created only once; to recreate it, delete pki and start over (every certificate it issued then has to be reissued too)
Create the server certificate request
/etc/openvpn/easy-rsa/3.0.6/easyrsa gen-req eduserver nopass
Sign the server certificate
/etc/openvpn/easy-rsa/3.0.6/easyrsa sign server eduserver
Type yes at the confirmation prompt
Create the Diffie-Hellman parameters
/etc/openvpn/easy-rsa/3.0.6/easyrsa gen-dh
Allow the same subject to be issued more than once
vim /etc/openvpn/easy-rsa/3.0.6/pki/index.txt.attr
# this is the index.txt.attr of the CA database (the "demoCA" directory in OpenSSL's defaults is the pki directory here); the file exists once the first certificate has been signed
change unique_subject = yes to unique_subject = no
# with unique_subject = no, an older certificate with the same name stays valid alongside the new one; revoke the old one if it is being replaced
Generate the client certificate -> test01
/etc/openvpn/easy-rsa/3.0.6/easyrsa gen-req test01 nopass
Sign the client certificate (type yes when prompted)
/etc/openvpn/easy-rsa/3.0.6/easyrsa sign client test01
Edit the server config file
vim /etc/openvpn/server.conf
# local: the address OpenVPN binds to (this host's own IP, not the public address clients connect to)
local 10.100.0.152
port 1194
# TCP gets through restrictive networks but performs worse than UDP; the client's proto must match
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/3.0.6/pki/ca.crt
cert /etc/openvpn/easy-rsa/3.0.6/pki/issued/eduserver.crt
# This file should be kept secret (root-only, mode 0600)
key /etc/openvpn/easy-rsa/3.0.6/pki/private/eduserver.key
dh /etc/openvpn/easy-rsa/3.0.6/pki/dh.pem
topology subnet
# VPN subnet; must match the -s subnet in the MASQUERADE rule above
server 172.16.77.0 255.255.255.0
# ifconfig-pool-persist ipp.txt
# routes pushed to clients: the internal networks they should reach through the tunnel
push "route 192.168.0.0 255.255.0.0"
push "route 10.0.0.0 255.0.0.0"
push "route 100.64.0.0 255.192.0.0"
keepalive 10 120
# must match the client; note that two OpenVPN 2.4+ peers negotiate AES-256-GCM instead of this value unless ncp-disable is set
cipher AES-256-CBC
# comp-lzo is deprecated and compressing encrypted traffic is discouraged by the OpenVPN project; if you drop it, drop it from the client profile too, or clients will not connect
comp-lzo
# maximum number of connected clients
max-clients 200
persist-key
persist-tun
# relative paths resolve against the daemon's working directory, which depends on how the service is started; absolute paths are safer
status openvpn-status.log
log-append openvpn.log
verb 3
mute 20
# duplicate-cn lets several clients share one certificate, which removes per-user accountability and makes revocation all-or-nothing; prefer one certificate per client and leave this out
duplicate-cn
Edit the client config file test01.ovpn
vim test01.ovpn
client
dev tun
# must match server.conf
proto tcp
# server 1
remote 116.62.103.51 1194
cipher AES-256-CBC
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert test01.crt
key test01.key
# must match server.conf: present on both sides or on neither
comp-lzo
verb 3
# only accept a peer whose certificate was issued with "sign server" above; without this, any client certificate from the same CA could impersonate the server
remote-cert-tls server
auth-nocache
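A consistency check for the server.conf and test01.ovpn above, as an added example that is not part of the original post. Settings that must agree between the two files (proto, cipher, port, comp-lzo) are the usual cause of "connected but no traffic" or of a connection that never comes up, and a client missing `remote-cert-tls server` silently accepts any certificate from the CA as the server. The function names and the sample configs in the test are this example's own; it reads whatever two files it is given.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check an OpenVPN server
# config against a client profile for the directives that must agree, and for
# the client-side check that guards against a rogue server. Usage:
#   ./vpn-check.sh /etc/openvpn/server.conf test01.ovpn
# (script name is this example's own)
set -u

# conf_get FILE DIRECTIVE: print the value of the first uncommented DIRECTIVE
# line ("" if absent). Comment lines start with "#" as their first word, so
# they never match a directive name.
conf_get() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# conf_has FILE DIRECTIVE: return 0 if the directive is present
conf_has() {
    awk -v k="$2" '$1 == k { found = 1 } END { exit !found }' "$1"
}

# check_pair SERVER_CONF CLIENT_OVPN: print one line per problem found,
# return 1 if there was at least one, 0 if the pair is consistent.
check_pair() {
    srv=$1; cli=$2; bad=0
    # single-valued directives that must be identical on both sides
    for d in proto cipher; do
        s=$(conf_get "$srv" "$d"); c=$(conf_get "$cli" "$d")
        if [ "$s" != "$c" ]; then
            echo "$d differs: server='$s' client='$c'"; bad=1
        fi
    done
    # the server says "port N", the client says "remote HOST N"
    sport=$(conf_get "$srv" port)
    cport=$(conf_get "$cli" remote | awk '{ print $2 }')
    if [ "$sport" != "$cport" ]; then
        echo "port differs: server='$sport' client='$cport'"; bad=1
    fi
    # compression must be enabled on both sides or on neither
    if conf_has "$srv" comp-lzo; then sc=1; else sc=0; fi
    if conf_has "$cli" comp-lzo; then cc=1; else cc=0; fi
    if [ "$sc" != "$cc" ]; then
        echo "comp-lzo set on one side only"; bad=1
    fi
    # the client must insist on a server-type certificate, otherwise any
    # client certificate from the same CA can pose as the server
    if [ "$(conf_get "$cli" remote-cert-tls)" != "server" ]; then
        echo "client lacks 'remote-cert-tls server'"; bad=1
    fi
    return $bad
}

if [ $# -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

A clean run prints nothing and exits 0, so it can sit in whatever step hands the profile to a user.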
The client needs the following files:
# lrzsz provides rz/sz for pulling files through the SSH session; test01.key is a private key and must only ever travel over an encrypted channel like this one
yum install -y lrzsz
/etc/openvpn/easy-rsa/3.0.6/pki/ca.crt
/etc/openvpn/easy-rsa/3.0.6/pki/private/test01.key
/etc/openvpn/easy-rsa/3.0.6/pki/issued/test01.crt
Together with test01.ovpn that is four files; put all of them in the config directory of the installed OpenVPN client, C:\Program Files\OpenVPN\config
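The certificate steps above run without prompts, a check on the issued certificates, and a builder that folds the four client files into one profile, as an added example that is not part of the original post. It assumes easy-rsa 3.0.x at the same path, the names eduserver and test01, and the remote 116.62.103.51:1194 from the profile above; EASYRSA_BATCH and EASYRSA_REQ_CN are easy-rsa 3's own batch-mode variables, while the function names, the "build"/"profile" arguments and the script name are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: the easy-rsa steps above in batch
# mode, a certificate check before anything is shipped to a client, and a
# single-file .ovpn builder. Assumes easy-rsa 3.0.x under EASYRSA_DIR and the
# names used on this page (eduserver, test01, 116.62.103.51:1194).
set -u
EASYRSA_DIR=${EASYRSA_DIR:-/etc/openvpn/easy-rsa/3.0.6}

# build_pki: init-pki / build-ca / gen-req+sign / gen-dh without prompts.
# EASYRSA_BATCH=1 answers the "yes" confirmations, EASYRSA_REQ_CN supplies the
# Common Name typed by hand above, and build-*-full does gen-req and sign in
# one step. nopass is kept from the original: ca.key is unencrypted.
build_pki() {
    cd "$EASYRSA_DIR" || return 1
    rm -rf pki
    ./easyrsa init-pki
    EASYRSA_BATCH=1 EASYRSA_REQ_CN=eduserver ./easyrsa build-ca nopass
    EASYRSA_BATCH=1 ./easyrsa build-server-full eduserver nopass
    EASYRSA_BATCH=1 ./easyrsa build-client-full test01 nopass
    ./easyrsa gen-dh
}

# verify_cert PKI NAME PURPOSE: check NAME.crt chains to ca.crt and carries the
# key usage the peer will insist on. PURPOSE is sslserver for the server cert
# (what the client's "remote-cert-tls server" checks) or sslclient.
verify_cert() {
    openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/issued/$2.crt"
}

# pem_only FILE: print just the PEM block. easy-rsa's .crt files start with a
# human-readable dump that OpenVPN tolerates in a file but that has no place
# inside an inline profile.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# make_inline_ovpn REMOTE PORT CA CERT KEY: print a single-file profile
# equivalent to test01.ovpn plus the three separate files. The directives
# mirror the original profile; cipher and comp-lzo must still match server.conf.
make_inline_ovpn() {
    remote=$1; port=$2; ca=$3; cert=$4; key=$5
    cat <<EOF
client
dev tun
proto tcp
remote $remote $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
auth-nocache
verb 3
<ca>
$(pem_only "$ca")
</ca>
<cert>
$(pem_only "$cert")
</cert>
<key>
$(pem_only "$key")
</key>
EOF
}

# Usage (script name is this example's own):
#   ./vpn-pki.sh build                 as root, once
#   ./vpn-pki.sh profile > test01.ovpn  one file to hand to the client
pki="$EASYRSA_DIR/pki"
case "${1:-}" in
    build)
        build_pki \
            && verify_cert "$pki" eduserver sslserver \
            && verify_cert "$pki" test01 sslclient ;;
    profile)
        make_inline_ovpn 116.62.103.51 1194 \
            "$pki/ca.crt" "$pki/issued/test01.crt" "$pki/private/test01.key" ;;
esac
```

The inline profile contains the private key, so it gets the same handling as test01.key on its own: encrypted transfer, one per user, and revocation of the certificate if the file is lost.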
Run openvpn as a service
# The EPEL package already ships an openvpn@.service template: systemctl enable --now openvpn@server runs /etc/openvpn/server.conf with no custom unit at all. If you do write your own, put it in /etc/systemd/system; /usr/lib/systemd/system belongs to packages and is overwritten on update
vim /etc/systemd/system/openvpn.service
[Unit]
Description=openvpn service
After=network-online.target
Wants=network-online.target
[Service]
# run in the foreground (no --daemon) so systemd tracks the real PID instead of guessing it after a fork
Type=simple
User=root
Group=root
# the relative status/log paths in server.conf resolve here
WorkingDirectory=/etc/openvpn
ExecStart=/usr/sbin/openvpn --config /etc/openvpn/server.conf
# no ExecStop: systemd sends SIGTERM by default, which lets openvpn tear down the tun device and routes; kill -9 skips that cleanup
Restart=on-failure
PrivateTmp=true
[Install]
WantedBy=multi-user.target
Start at boot
systemctl daemon-reload
systemctl enable openvpn
systemctl start openvpn
systemctl status openvpn