Mainly based on these two articles:
http://phpcampus.com/2014/08/set-up-openvpn-server-on-linode-vps-centos7/
http://phpcampus.com/2014/09/set-up-openvpn-over-stunnel/
Check the CentOS version
# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)
or
# cat /etc/*release*
CentOS Linux release 7.1.1503 (Core)
Derived from Red Hat Enterprise Linux 7.1 (Source)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
CentOS Linux release 7.1.1503 (Core)
CentOS Linux release 7.1.1503 (Core)
cpe:/o:centos:centos:7
On CentOS, yum is a very convenient package-installation tool.
Check whether OpenVPN is already installed
# yum info openvpn
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.linode.com
* epel: mirror.sfo12.us.leaseweb.net
* extras: mirrors.linode.com
* updates: mirrors.linode.com
Installed Packages
Name : openvpn
Arch : x86_64
Version : 2.3.6
Release : 1.el7
Size : 992 k
Repo : installed
From repo : epel
Summary : A full-featured SSL VPN solution
URL : http://openvpn.net/
License : GPLv2
Description : OpenVPN is a robust and highly flexible tunneling application that uses all
: of the encryption, authentication, and certification features of the
: OpenSSL library to securely tunnel IP networks over a single UDP or TCP
: port. It can use the Marcus Franz Xaver Johannes Oberhumer's LZO library
: for compression.
If it is not installed yet, use the following command
# yum install openvpn
easy-rsa needs to be installed separately.
Check whether easy-rsa is installed
# yum info easy-rsa
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.linode.com
* epel: mirror.sfo12.us.leaseweb.net
* extras: mirrors.linode.com
* updates: mirrors.linode.com
Installed Packages
Name : easy-rsa
Arch : noarch
Version : 2.2.2
Release : 1.el7
Size : 73 k
Repo : installed
From repo : epel
Summary : Simple shell based CA utility
URL : https://github.com/OpenVPN/easy-rsa
License : GPLv2
Description : This is a small RSA key management package, based on the openssl
: command line tool, that can be found in the easy-rsa subdirectory
: of the OpenVPN distribution. While this tool is primary concerned
: with key management for the SSL VPN application space, it can also
: be used for building web certificates.
If it is not installed, use the following command
# yum install easy-rsa
Look at the directory
# ls /usr/share/easy-rsa/2.0
First copy the tools used to generate the certificates
# cp -R /usr/share/easy-rsa/2.0 /etc/openvpn/easy-rsa
Enter the directory
# cd /etc/openvpn/easy-rsa
Edit vars to adjust the environment variables (modifying them is optional)
# vi vars
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="Beijing"
export KEY_ORG="FUCKGFW"
export KEY_EMAIL="fuckgfw@myhost.mydomain"
export KEY_OU="AlwaysFuckGFW"
Make the environment variables take effect
# source ./vars
Create the keys folder in the current directory (clean-all also wipes any keys already in it)
# ./clean-all
Create the self-signed certificate authority
# ./build-ca server
Generate the server certificate
# ./build-key-server server
Generate the client certificate
# ./build-key client
The directory where the certificates are kept
# ls keys/
Generate the Diffie-Hellman parameters
# ./build-dh
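Before moving on to server.conf it is worth checking what easy-rsa actually produced: that server.crt and client.crt chain to ca.crt, that the server certificate carries the serverAuth extended key usage which build-key-server adds (clients configured with remote-cert-tls server refuse a server certificate without it), and that the private keys are readable by their owner only. The script below is an added example, not code from the articles referenced above; it assumes the file names produced by the steps above (ca.crt, ca.key, server.crt, server.key, client.crt, client.key) and that openssl is on the PATH.

```shell
#!/bin/sh
# Added example (not from the referenced articles): sanity-check the
# easy-rsa 2.x keys/ directory built above before the server goes live.
# Assumes the file names produced above (ca.crt, ca.key, server.crt,
# server.key, client.crt, client.key) and that openssl is on the PATH.

# verify_server_cert KEYS_DIR NAME
# 0 if NAME.crt chains to ca.crt AND carries the serverAuth extended key
# usage that build-key-server adds; clients configured with
# 'remote-cert-tls server' refuse a server cert without it, so a cert
# made with plain build-key fails this check.
verify_server_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/$2.crt" -noout -text 2>/dev/null \
        | grep -q 'TLS Web Server Authentication'
}

# verify_client_cert KEYS_DIR NAME: 0 if NAME.crt chains to ca.crt
verify_client_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# key_perms_ok KEYS_DIR NAME
# 0 if NAME.key is readable by its owner only (group/other bits clear),
# which is what easy-rsa sets; anything wider exposes the private key.
key_perms_ok() {
    [ -f "$1/$2.key" ] || return 1
    [ "$(ls -l "$1/$2.key" | cut -c5-10)" = "------" ]
}

# report LABEL CMD ARGS...: run one check, print its result, record failure
report() {
    label=$1; shift
    if "$@"; then echo "ok   $label"; else echo "FAIL $label"; rc=1; fi
}

# check_keys_dir KEYS_DIR: run every check; 0 only if all of them passed
check_keys_dir() {
    rc=0
    report "server.crt chains to ca.crt and has serverAuth EKU" verify_server_cert "$1" server
    report "client.crt chains to ca.crt" verify_client_cert "$1" client
    report "ca.key is owner-readable only" key_perms_ok "$1" ca
    report "server.key is owner-readable only" key_perms_ok "$1" server
    return $rc
}

# Usage: sh check-keys.sh /etc/openvpn/easy-rsa/keys
if [ "$#" -ge 1 ]; then check_keys_dir "$1"; fi
```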
Go to the directory
# cd /etc/openvpn
If there is no server.conf file, you need to create one
# ls server.conf
or copy one
# cp /usr/share/doc/openvpn-2.3.6/sample/sample-config-files/server.conf /etc/openvpn/
Server-side configuration file
# vi server.conf
Copy the firewalld service definition for OpenVPN
# cp /lib/firewalld/services/openvpn.xml /etc/firewalld/services/openvpn.xml
Edit the firewalld service definition
# vi /etc/firewalld/services/openvpn.xml
Start the firewall
# systemctl start firewalld
Check the firewall status
# systemctl status firewalld
Make the firewall start at boot
# systemctl enable firewalld
Allow OpenVPN through the firewall
# firewall-cmd --add-service=openvpn --permanent
Confirm that TCP port 8443 is open
# iptables -n -L
If it is not
# firewall-cmd --reload
Confirm again that TCP port 8443 is open
# iptables -n -L
Enable MASQUERADE in the firewall
# firewall-cmd --add-masquerade --permanent
Reload
# firewall-cmd --reload
Enable packet forwarding (net.ipv4.ip_forward = 1)
# vi /etc/sysctl.conf
# sysctl -p
Copy the openssl config file
# cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
Enable OpenVPN at boot
# systemctl -f enable openvpn@server.service
Start OpenVPN
# systemctl start openvpn@server.service
Check its status
# systemctl status openvpn@server.service