Installing OpenVPN on Fedora 28/29 with easy-rsa 3
<p>Install the packages:</p>
<div class="cnblogs_code">
<pre># yum -y install openvpn easy-rsa</pre>
</div>
<p>Copy the easy-rsa files:</p>
<div class="cnblogs_code">
<pre># cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa
# cd /etc/openvpn/easy-rsa/
# cd 3.0.3/
# cp vars.example vars   # vars.example ships next to the easyrsa script and was copied along with it</pre>
</div>
<p>Create the PKI and the CA:</p>
<div class="cnblogs_code">
<pre># pwd
/etc/openvpn/easy-rsa/3.0.3
# ./easyrsa init-pki          # create an empty PKI
# ./easyrsa build-ca nopass   # create a new CA without a passphrase</pre>
</div>
<p>Create the server key and certificate request:</p>
<div class="cnblogs_code">
<pre># ./easyrsa gen-req server nopass</pre>
</div>
<p>Sign the server certificate:</p>
<div class="cnblogs_code">
<pre># ./easyrsa sign server server</pre>
</div>
<p>Generate the Diffie-Hellman parameters:</p>
<div class="cnblogs_code">
<pre># ./easyrsa gen-dh</pre>
</div>
<p>Create the client certificate:</p>
<p>Copy the files (a separate PKI is used here so the client key is generated on the client side):</p>
<div class="cnblogs_code">
<pre># cp -r /usr/share/easy-rsa/ /etc/openvpn/client/easy-rsa
# cd /etc/openvpn/client/easy-rsa/
# cd 3.0.3/
# cp vars.example vars   # vars.example ships next to the easyrsa script and was copied along with it</pre>
</div>
<p>Generate the client key and certificate request:</p>
<div class="cnblogs_code">
<pre># pwd
/etc/openvpn/client/easy-rsa/3.0.3
# ./easyrsa init-pki          # create a new PKI
# ./easyrsa gen-req yaoxu nopass</pre>
</div>
<p>Sign the client certificate (import the request into the CA's PKI, then sign it):</p>
<div class="cnblogs_code">
<pre># cd /etc/openvpn/easy-rsa/3.0.3/
# pwd
/etc/openvpn/easy-rsa/3.0.3
# ./easyrsa import-req /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/yaoxu.req yaoxu
# ./easyrsa sign-req client yaoxu   # signs the imported request with the CA; produces pki/issued/yaoxu.crt</pre>
</div>
<p>Organize the certificates:</p>
<p>Server side:</p>
<div class="cnblogs_code">
<pre># mkdir /etc/openvpn/certs
# cd /etc/openvpn/certs/
# cp /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem .
# cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt .
# cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt .
# cp /etc/openvpn/easy-rsa/3.0.3/pki/private/server.key .</pre>
</div>
<p>Client certificate (the private key comes from the client-side PKI, the CA and the signed certificate from the server-side PKI):</p>
<div class="cnblogs_code">
<pre># mkdir /etc/openvpn/client/yaoxu/
# cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt /etc/openvpn/client/yaoxu/
# cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/yaoxu.crt /etc/openvpn/client/yaoxu/
# cp /etc/openvpn/client/easy-rsa/3.0.3/pki/private/yaoxu.key /etc/openvpn/client/yaoxu/
# ls -l /etc/openvpn/client/yaoxu/</pre>
</div>
<p>Example server configuration file. Directive reference: https://github.com/OpenVPN/openvpn/blob/master/sample/sample-config-files/server.conf</p>
<div class="cnblogs_code">
<pre># vim /etc/openvpn/server/first.conf
local LISTEN_IP            # IP address of the interface the VPN listens on
port 1194                  # VPN port
proto tcp                  # udp also works and is faster
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
ifconfig-pool-persist /etc/openvpn/ipp.txt
server 17.166.221.0 255.255.255.0          # virtual address pool handed out to clients
push "route 192.168.1.0 255.255.255.0"     # pushed to the client on connect: adds this route to its routing table
push "redirect-gateway def1 bypass-dhcp"   # send all client traffic through the VPN
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 223.6.6.6"
client-to-client
keepalive 20 120
comp-lzo
#duplicate-cn
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 1
mute 20</pre>
</div>
<p>Client configuration file client.ovpn:</p>
<div class="cnblogs_code">
<pre>client                     # do not change this
proto tcp                  # must match server.conf
dev tun                    # must match server.conf
remote SERVER_PUBLIC_IP 12306   # public IP of the server and the port it is reachable on (server.conf above listens on 1194)
ca ca.crt
cert yaoxu.crt
key yaoxu.key              # the certificate and key issued for this client
resolv-retry infinite
nobind
mute-replay-warnings
keepalive 20 120
comp-lzo
#user openvpn
#group openvpn
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
mute 20</pre>
</div>
<p>Configure forwarding (firewalld): packet forwarding is <strong><span style="color: rgba(255, 0, 0, 1)">the critical part here</span></strong>; make sure it is configured correctly and that the firewall is running. (<strong><span style="color: rgba(255, 0, 0, 1)">Watch this forwarding rule: if the service stops working after a reboot, it is very likely that this rule was lost on reboot and has to be applied again</span></strong>)</p>
<div class="cnblogs_code">
<pre>firewall-cmd --add-service=openvpn
firewall-cmd --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE</pre>
</div>
<div class="cnblogs_code">
<pre>vim /etc/sysctl.conf
net.ipv4.ip_forward = 1   # after saving, apply it with: sysctl -p</pre>
</div>
<div class="cnblogs_code">
<pre># firewall rules; adjust the addresses to your own setup
systemctl start firewalld.service
firewall-cmd --state
firewall-cmd --zone=public --list-all
firewall-cmd --add-service=openvpn --permanent
firewall-cmd --add-port=1194/udp --permanent
firewall-cmd --add-port=22/tcp --permanent
firewall-cmd --add-source=10.10.1.0 --permanent
firewall-cmd --query-source=10.10.1.0 --permanent
firewall-cmd --add-masquerade --permanent
firewall-cmd --query-masquerade --permanent
firewall-cmd --reload</pre>
</div>
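<p>Added example, not part of the original post: a POSIX shell check that the server config, the client profile and the firewalld NAT rule agree on proto, dev, port and the client pool subnet, which is where a setup like the one above most often goes wrong. The sample files, the 203.0.113.10 address and the temporary directory are constructed; fed the values from this post (server port 1194, client remote port 12306, MASQUERADE subnet 10.8.0.0/24 against pool 17.166.221.0/24) it reports two mismatches.</p>

```shell
#!/bin/sh
# Added example, not from the original post: cross-check server.conf, the client
# profile and the NAT subnet (proto, dev, port, pool). Sample files are constructed.

conf_value() {  # conf_value FILE DIRECTIVE -> first argument, comments stripped
    sed 's/#.*//' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

mask_to_prefix() {  # mask_to_prefix 255.255.255.0 -> 24 (counts the set bits)
    prefix=0
    for octet in $(printf '%s' "$1" | tr . ' '); do
        while [ "$octet" -gt 0 ]; do
            prefix=$((prefix + (octet & 1)))
            octet=$((octet >> 1))
        done
    done
    echo "$prefix"
}

vpn_subnet() {  # vpn_subnet SERVER_CONF -> client pool as CIDR, e.g. 17.166.221.0/24
    set -- $(sed 's/#.*//' "$1" | awk '$1 == "server" { print $2, $3; exit }')
    echo "$1/$(mask_to_prefix "$2")"
}

# check_consistency SERVER_CONF CLIENT_OVPN NAT_SUBNET
# Prints the number of mismatches found; details go to stderr.
check_consistency() {
    errors=0
    for d in proto dev; do
        s=$(conf_value "$1" "$d"); c=$(conf_value "$2" "$d")
        [ "$s" = "$c" ] || { echo "$d mismatch: server=$s client=$c" >&2; errors=$((errors + 1)); }
    done
    sport=$(conf_value "$1" port)
    cport=$(sed 's/#.*//' "$2" | awk '$1 == "remote" { print $3; exit }')
    [ "$sport" = "$cport" ] || { echo "port mismatch: server=$sport client=$cport" >&2; errors=$((errors + 1)); }
    pool=$(vpn_subnet "$1")
    [ "$pool" = "$3" ] || { echo "NAT subnet $3 is not the server pool $pool" >&2; errors=$((errors + 1)); }
    echo "$errors"
}

# Constructed samples mirroring the post: server listens on 1194, the client
# profile says 12306, and the MASQUERADE rule covers 10.8.0.0/24.
WORK=$(mktemp -d)
printf 'port 1194# vpn port\nproto tcp\ndev tun\nserver 17.166.221.0 255.255.255.0\n' > "$WORK/server.conf"
printf 'client\nproto tcp\ndev tun\nremote 203.0.113.10 12306\n' > "$WORK/client.ovpn"
printf 'client\nproto tcp\ndev tun\nremote 203.0.113.10 1194\n' > "$WORK/client-ok.ovpn"
check_consistency "$WORK/server.conf" "$WORK/client.ovpn" 10.8.0.0/24        # prints 2
check_consistency "$WORK/server.conf" "$WORK/client-ok.ovpn" 17.166.221.0/24  # prints 0
```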
<p>Enable and start the openvpn service:</p>
<div class="cnblogs_code">
<pre>systemctl enable openvpn-server@first.service
systemctl start openvpn-server@first.service</pre>
</div>
<p>Configure the client:</p>
<p>The openvpn command line can be used directly.</p>
<p>Graphical clients:</p>
<p>macOS: Tunnelblick, or the openvpn command line</p>
<p>Linux: openvpn (options in brackets are optional)</p>
<div class="cnblogs_code">
<pre>openvpn [--daemon] --cd /etc/openvpn --config client.ovpn [--log-append /var/log/openvpn.log]</pre>
</div>
<p>Windows: openvpn.exe: http://www.fyluo.com/m/?post=198</p>
<p>References:</p>
<p>https://fedoraproject.org/wiki/Openvpn (official documentation, quite good)</p>
<p>https://www.cnblogs.com/olinux/p/5159530.html</p>
<p>https://blog.rj-bai.com/post/78.html#menu_index_14</p>
<p>https://blog.rj-bai.com/post/132.html#menu_index_11</p>
<p>https://blog.rj-bai.com/post/136.html (quite good)</p>
<p>https://www.cnblogs.com/37yan/p/7171457.html</p>
<p>https://www.cnblogs.com/EasonJim/p/8449495.html</p>
<p>https://github.com/OpenVPN/openvpn/blob/master/sample/sample-config-files/server.conf (quite good)</p>
<p>https://blog.cryse.org/article/centos7-openvpn</p>
<p>https://www.cnblogs.com/xiaoyou2018/p/9522172.html (helpful for firewall-cmd rules)</p>
<p>https://wangchujiang.com/linux-command/c/firewall-cmd.html</p>
<p>https://www.cnblogs.com/luobiao320/p/7190918.html</p>
<p>https://www.cnblogs.com/EasonJim/p/8349519.html (recommended for macOS users)</p>
</div>
<div id="MySignature" role="contentinfo">
https://github.com/yaowenxu<br><br>
Source: https://www.cnblogs.com/xuyaowen/p/linux-openvpn.html