The new OpenVPN release no longer bundles the most important piece, the certificate tooling easy-rsa, so download easy-rsa in advance (it is available on GitHub); its configuration is covered in step 3 below. This deployment uses easy-rsa 3, whose workflow is completely different from easy-rsa 2.0, so the easy-rsa 2.0 tutorials found elsewhere online do not apply here.
Before deploying OpenVPN, sync the server clock with ntpdate; otherwise the timestamps on the generated certificates will be wrong and you will run into "certificate error" style failures.
1. Install lzo
lzo is a data compression algorithm that focuses on decompression speed.
[root@vpn ~]# wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.09.tar.gz
[root@vpn ~]# tar xf lzo-2.09.tar.gz
[root@vpn ~]# cd lzo-2.09
[root@vpn lzo-2.09]# ./configure && make && make install
2. Install OpenVPN
[root@vpn ~]# yum install -y openssl-devel
[root@vpn ~]# wget https://swupdate.openvpn.org/community/releases/openvpn-2.3.11.tar.gz
[root@vpn ~]# tar zxvf openvpn-2.3.11.tar.gz
[root@vpn ~]# cd openvpn-2.3.11
[root@vpn openvpn-2.3.11]# ./configure --with-lzo-headers=/usr/local/include/ --with-lzo-lib=/usr/local/lib
[root@vpn openvpn-2.3.11]# make && make install
[root@vpn openvpn-2.3.11]# which openvpn
/usr/local/sbin/openvpn # seeing this path means OpenVPN was installed successfully
3. Configure easy-rsa on the server
The openvpn-2.3.11 tarball does not ship the tools for creating certificates (the CA certificate, the server certificate and the client certificates), so easy-rsa has to be downloaded separately; the latest version is easy-rsa 3.
[root@vpn ~]# wget https://github.com/OpenVPN/easy-rsa/archive/master.zip
[root@vpn ~]# unzip master.zip
[root@vpn ~]# mv easy-rsa-master easy-rsa
[root@vpn ~]# cp -R easy-rsa/ /usr/local/share/doc/openvpn/
[root@vpn ~]# cd /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/
[root@vpn easyrsa3]# cp vars.example vars
[root@vpn easyrsa3]# vim vars
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Beijing"
set_var EASYRSA_REQ_CITY "Beijing"
set_var EASYRSA_REQ_ORG "qiangshCertificate"
set_var EASYRSA_REQ_EMAIL "503579266@qq.com"
set_var EASYRSA_REQ_OU "My OpenVPN"
4. Create the server certificate and key
(1) Initialise the PKI
[root@vpn easyrsa3]# ls
easyrsa openssl-1.0.cnf vars vars.example x509-types
[root@vpn easyrsa3]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki
(2) Create the root (CA) certificate
[root@vpn easyrsa3]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
..+++
..........................+++
writing new private key to '/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key.GiibbqFhXm'
Enter PEM pass phrase: # enter a passphrase; it is needed every time the CA signs a certificate
Verifying - Enter PEM pass phrase: # enter the passphrase again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:qiangsh # enter a Common Name
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
(3) Create the server certificate request
[root@vpn easyrsa3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.......................................+++
......................................+++
writing new private key to '/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/server.key.MIGrh2B6S8'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:qiangsh-BJ # this Common Name must NOT be the same as the one used for the root certificate!!!
Keypair and certificate request completed. Your files are:
req: /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
key: /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/server.key
(4) Sign the server certificate
[root@vpn easyrsa3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
commonName = qiangsh-BJ
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes # type yes to continue
Using configuration from /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key: # enter the passphrase set when the root certificate was created
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'qiangsh-BJ'
Certificate is to be certified until Jun 6 07:19:45 2026 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt
(5) Create the Diffie-Hellman parameters, which protect the key exchange when it crosses an untrusted network:
[root@vpn easyrsa3]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
DH parameters of size 2048 created at /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/dh.pem
5. Create the client certificate
(1) Create a client directory under root's home directory
[root@vpn easyrsa3]# cd
[root@vpn ~]# mkdir client
[root@vpn ~]# cp -R /mnt/easy-rsa/ client/
(Adjust the source path to wherever you unpacked the easy-rsa archive in step 3.)
(2) Initialise the client PKI
[root@vpn ~]# cd client/easy-rsa/easyrsa3/
[root@vpn easyrsa3]# ls
easyrsa openssl-1.0.cnf vars vars.example x509-types
[root@vpn easyrsa3]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /root/client/easy-rsa/easyrsa3/pki
(3) Create the client key and certificate request
[root@vpn easyrsa3]# ./easyrsa gen-req qiangsh
Generating a 2048 bit RSA private key
.......................+++
........................................................+++
writing new private key to '/root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key.LD7Wk6hmQq'
Enter PEM pass phrase: # enter a passphrase for the client key
Verifying - Enter PEM pass phrase: # enter it again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [qiangsh]:qiangsh # enter qiangsh
Keypair and certificate request completed. Your files are:
req: /root/client/easy-rsa/easyrsa3/pki/reqs/qiangsh.req
key: /root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key
(4) Import the resulting qiangsh.req on the server side and sign the certificate
[root@vpn ~]# cd /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/
[root@vpn easyrsa3]# # import the request
[root@vpn easyrsa3]# ./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/qiangsh.req qiangsh
Note: using Easy-RSA configuration from: ./vars
The request has been successfully imported with a short name of: qiangsh
You may now use this name to perform signing operations on this request.

[root@vpn easyrsa3]# # sign the certificate
[root@vpn easyrsa3]# ./easyrsa sign client qiangsh
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 3650 days:
subject=
commonName = qiangsh
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes # type yes
Using configuration from /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key: # enter the passphrase set when the root certificate was created
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'qiangsh'
Certificate is to be certified until Jun 6 07:50:02 2026 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/qiangsh.crt # signed successfully
(5) Files produced on the server and client sides
Server side: the /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ directory
/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/reqs/qiangsh.req
/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key
/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/server.key
/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt
/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/qiangsh.crt
/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/dh.pem
Client side: /root/client/easy-rsa
/root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key
/root/client/easy-rsa/easyrsa3/pki/reqs/qiangsh.req # this file was imported on the server side, so a copy exists there too
Only the request (qiangsh.req) had to be handed to the CA; the client's private key qiangsh.key never leaves the client directory.
(6) Copy the server key, certificates and DH parameters into the openvpn directory
[root@vpn ~]# cp /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /usr/local/share/doc/openvpn/
[root@vpn ~]# cp /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/server.key /usr/local/share/doc/openvpn/
[root@vpn ~]# cp /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt /usr/local/share/doc/openvpn/
[root@vpn ~]# cp /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/dh.pem /usr/local/share/doc/openvpn/
(7) Copy the client key and certificates into the client directory
[root@vpn ~]# cp /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /root/client/
[root@vpn ~]# cp /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/qiangsh.crt /root/client/
[root@vpn ~]# cp /root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key /root/client/
(8) Write the server configuration file
When OpenVPN is installed it provides an example server configuration. Copy that example into the openvpn directory and then edit it:
[root@vpn ~]# cp /mnt/openvpn-2.3.11/sample/sample-config-files/server.conf /usr/local/share/doc/openvpn/
(Adjust the source path to wherever you unpacked the openvpn-2.3.11 tarball in step 2.)
[root@vpn ~]# vim /usr/local/share/doc/openvpn/server.conf
local 192.168.1.100 # your own VPS IP
port 1194
proto udp
dev tun
ca /usr/local/share/doc/openvpn/ca.crt
cert /usr/local/share/doc/openvpn/server.crt
key /usr/local/share/doc/openvpn/server.key # This file should be kept secret
dh /usr/local/share/doc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
verb 3
(9) Enable IP forwarding in the kernel
[root@vpn ~]# vim /etc/sysctl.conf
change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1
[root@vpn ~]# sysctl -p
[root@vpn ~]# sysctl -a | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1
(10) NAT (masquerade) the packets leaving the VPN subnet (eth0 is the VPS's public-facing interface):
/sbin/iptables -t nat -I POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE
III. Download the OpenVPN client and configure it
1. Copy the client key and certificates out to Windows
[root@vpn ~]# cd client/
[root@vpn client]# ls
ca.crt easy-rsa qiangsh.crt qiangsh.key # the three files with extensions are the ones to copy
2. Install the openvpn-gui tool
(1) Copy C:\Program Files\OpenVPN\sample-config\client.ovpn to C:\Program Files\OpenVPN\config
(2) Put the three key and certificate files copied out of Linux into the OpenVPN config directory (D:\Program Files (x86)\OpenVPN\config in this deployment); they must sit in the same directory as client.ovpn, because the config below refers to them by bare file name
(3) Edit C:\Program Files\OpenVPN\config\client.ovpn so that it reads:
client
dev tun
proto udp
remote 192.168.1.100 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt # the CA certificate is required here
cert qiangsh.crt
key qiangsh.key
comp-lzo
verb 3
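The server.conf and client.ovpn above work, but they leave out a few settings a reviewer would ask for. The script below is an added example, not code from the original post: it parses OpenVPN config text and flags a missing tls-auth/tls-crypt, a missing remote-cert-tls server on the client (without it any certificate signed by this CA, including another client's, is accepted as the server, which is the real fix for the "Common Name must differ" worry above), an unspecified cipher, comp-lzo, and a server.key that is readable by other users. The embedded configs are constructed from the ones shown in the post.

```python
# Added example, not code from the original post: lint an OpenVPN 2.3-era
# server.conf / client.ovpn for the weak spots a reviewer would flag.
import os, stat

def parse_ovpn(text):
    """Map each directive to its argument lists; '#' and ';' start comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives

def check_key_file(path):
    """Finding if the private key is missing or readable by group/others, else None."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except OSError:
        return "key file missing: %s" % path
    return "key file %s is mode %o, should be 0600" % (path, mode) if mode & 0o077 else None

def lint_ovpn(text, check_files=False):
    """Return the findings for one config as a list (empty means nothing flagged)."""
    d, findings = parse_ovpn(text), []
    is_client = "client" in d
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append("no tls-auth/tls-crypt: the control channel accepts packets from anyone")
    if is_client and "remote-cert-tls" not in d and "ns-cert-type" not in d:
        findings.append("no 'remote-cert-tls server': any CA-signed cert, even another client's, passes as the server")
    if "cipher" not in d:
        findings.append("no 'cipher': OpenVPN 2.3 defaults to BF-CBC, a 64-bit block cipher")
    if "comp-lzo" in d:
        findings.append("comp-lzo: compressing attacker-influenced traffic leaks plaintext (VORACLE)")
    if check_files and "key" in d:
        findings += filter(None, [check_key_file(d["key"][0][0])])
    return findings

# Constructed from the post's configs, trimmed to the lines that matter here.
SERVER_CONF = ("port 1194\nproto udp\ndev tun\nca /usr/local/share/doc/openvpn/ca.crt\n"
               "cert /usr/local/share/doc/openvpn/server.crt\ndh /usr/local/share/doc/openvpn/dh.pem\n"
               "key /usr/local/share/doc/openvpn/server.key # This file should be kept secret\ncomp-lzo\n")
CLIENT_OVPN = ("client\ndev tun\nproto udp\nremote 192.168.1.100 1194\nnobind\n"
               "ca ca.crt\ncert qiangsh.crt\nkey qiangsh.key\ncomp-lzo\nverb 3\n")

if __name__ == "__main__":
    for name, conf in (("server.conf", SERVER_CONF), ("client.ovpn", CLIENT_OVPN)):
        print(name, *lint_ovpn(conf, check_files=True), sep="\n  - ")
```

Run it on the real files with check_files=True after step (6) to also catch a server.key left world-readable by cp.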
IV. Start the service and test
1. Start the OpenVPN service on the VPN server
[root@vpn ~]# /usr/local/sbin/openvpn --config /usr/local/share/doc/openvpn/server.conf &

[root@vpn ~]# echo "/usr/local/sbin/openvpn --config /usr/local/share/doc/openvpn/server.conf &" >> /etc/rc.local # start at boot
2. In openvpn-gui, right-click the tray icon, choose Connect and enter the key passphrase to connect
3. Check the VPN status