Setting up OpenVPN on CentOS 7

Add the EPEL repository

yum install epel-release
yum clean all # optional
yum update # optional
yum makecache # optional

Install openvpn, easy-rsa and iptables

yum -y install openvpn easy-rsa iptables-services

Configure easy-rsa

In this step you generate the certificates:

  • CA certificate
  • server certificate and key
  • Diffie-Hellman parameters
  • client certificate and key

cp -r /usr/share/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.*/
vim vars

Make sure the following parameters in vars are correct

export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_NAME="EasyRSA"

Generate the server and client certificates and keys

source ./vars
./clean-all
# generate the CA certificate
# for the Name [EasyRSA] prompt enter ca
./build-ca
# generate the server key and certificate
# leave challenge password and optional company name blank
# for the Name [EasyRSA] prompt enter server
# answer y to both y/n prompts
./build-key-server server
./build-dh
# generate the client key and certificate
# leave challenge password and optional company name blank
# for the Name [EasyRSA] prompt enter client
# answer y to both y/n prompts
./build-key client
cd /etc/openvpn/easy-rsa/2.0/
cp -r keys/ /etc/openvpn/

Configure the OpenVPN server

You can copy a config file from /usr/share/doc/openvpn-*.*.*/sample/sample-config-files (where *.*.* is the OpenVPN version), or create your own; here I create my own.

cd /etc/openvpn/
vim server.conf

Paste the following into it

#change with your port
port 1337

#You can use udp or tcp
proto udp

# "dev tun" will create a routed IP tunnel.
dev tun

#Certificate Configuration

#ca certificate
ca /etc/openvpn/keys/ca.crt

#Server Certificate
cert /etc/openvpn/keys/server.crt

#Server key; keep this secret
key /etc/openvpn/keys/server.key

#dh file name follows KEY_SIZE in vars (2048 above); check the name in /etc/openvpn/keys/
dh /etc/openvpn/keys/dh2048.pem

#Subnet from which connected clients get their tunnel IP
server 192.168.200.0 255.255.255.0

#this line will redirect all traffic through our OpenVPN
push "redirect-gateway def1"

#Provide DNS servers to the client, you can use Google DNS
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

#Allow multiple clients to connect with the same certificate
duplicate-cn

keepalive 20 60
comp-lzo
persist-key
persist-tun
daemon

#enable log
log-append /var/log/myvpn/openvpn.log

#Log Level
verb 3

Save it, then create the log file

mkdir -p /var/log/myvpn/
touch /var/log/myvpn/openvpn.log

Configure routing and iptables

Enable and start iptables:

systemctl enable iptables
systemctl start iptables

In /etc/sysconfig/iptables, add one line to the nat table, where x.x.x.x is this server's own IP:

-A POSTROUTING -s 192.168.200.0/24 -j SNAT --to-source x.x.x.x

If that file does not exist yet, run service iptables save first.

Allow IP forwarding by adding the following line to /etc/sysctl.conf:

net.ipv4.ip_forward = 1

Then apply it and restart iptables:

sysctl -p
systemctl restart iptables

Start the OpenVPN server service

systemctl start openvpn@server

Configure & start the OpenVPN client

Client configuration file

Create a text file client.ovpn under /etc/openvpn/ and add the following to it

client
dev tun
proto udp

#Server IP and Port
remote x.x.x.x 1337

resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
mute-replay-warnings
ns-cert-type server
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>

Into <ca>, <cert> and <key> paste the contents of ca.crt, client.crt and client.key respectively (everything between the BEGIN and END lines). You can also point to the files by path instead; the exact directives can be found on Google.

Linux

Install OpenVPN for your distribution, copy client.ovpn to /etc/openvpn/client.ovpn, then run it with openvpn /etc/openvpn/client.ovpn; after a short wait you will see a message that the connection succeeded.

Android

On Android install the app called OpenVPN Connect, import the client.ovpn file, and you can connect.

Configure username/password login

Configure the server

Add the following to the end of server.conf

script-security 3 system
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
;client-cert-not-required
username-as-common-name

Configure the password-check script

Create /etc/openvpn/checkpsw.sh with the following code

#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# OpenVPN calls it with "via-env", so the client's credentials
# arrive in the environment variables $username and $password.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/etc/openvpn/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
  exit 1
fi

# Hand the username to awk with -v instead of splicing it into the program
# text, so a username containing quotes cannot change the awk code.
CORRECT_PASSWORD=`awk -v u="${username}" '!/^;/&&!/^#/&&$1==u{print $2;exit}' "${PASSFILE}"`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  # Log the outcome only; the submitted password is never written to the log.
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
exit 1

Configure passwords in /etc/openvpn/psw-file

One account per line: username, a space, then the password, stored in plaintext.
For example, test 123123 creates an account test with the password 123123.
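The plaintext psw-file above works, but anyone who can read it has every VPN password. As an added example (not part of the original post), here is a drop-in replacement for checkpsw.sh in Python: OpenVPN runs whatever script auth-user-pass-verify names, and with via-env it supplies the credentials in the $username and $password environment variables, so the same server.conf line can point at this script instead. It assumes a psw-file rewritten as user:iterations:salt_hex:hash_hex lines (a format chosen here), readable only by root, with the script made executable.

```python
#!/usr/bin/env python3
# Hashed-password verifier for OpenVPN auth-user-pass-verify (via-env mode).
import hashlib
import hmac
import os
import sys

PASSFILE = "/etc/openvpn/psw-file"              # same path the page uses
LOG_FILE = "/etc/openvpn/openvpn-password.log"  # same log path as checkpsw.sh
ITERATIONS = 200_000                            # PBKDF2 work factor for new entries


def make_entry(username, password, iterations=ITERATIONS):
    """Return one psw-file line: user:iterations:salt_hex:hash_hex (format assumed here)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{username}:{iterations}:{salt.hex()}:{digest.hex()}"


def verify(username, password, lines):
    """True only if username has an entry and password matches its salted hash."""
    for line in lines:
        line = line.strip()
        if not line or line[0] in "#;":      # comment lines, like the original awk filter
            continue
        parts = line.split(":")
        if len(parts) != 4 or parts[0] != username:
            continue
        _, iters, salt_hex, hash_hex = parts
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iters))
        # constant-time comparison: timing must not reveal how much of the hash matched
        return hmac.compare_digest(digest.hex(), hash_hex)
    return False


def main():
    # via-env: OpenVPN exports the client's credentials as $username / $password
    username = os.environ.get("username", "")
    password = os.environ.get("password", "")
    try:
        with open(PASSFILE) as fh:
            ok = verify(username, password, fh)
    except OSError:
        ok = False
    with open(LOG_FILE, "a") as log:        # outcome only, never the password
        log.write(f"user={username!r} result={'ok' if ok else 'rejected'}\n")
    return 0 if ok else 1                   # the exit status is what OpenVPN checks


if __name__ == "__main__":
    sys.exit(main())
```

To add an account, call make_entry(user, password) from a root Python shell and append the returned line to the psw-file; the plaintext password is never stored.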

Configure the client

Add the following lines to client.ovpn

verb 3
auth-nocache
reneg-sec 0

Then on Linux run openvpn /etc/openvpn/client.ovpn and you will be prompted for the username and password to log in.
On Android/iOS there is an OpenVPN app; import client.ovpn, enter the username and password, and it is ready to use.