服务器配置：

cat /etc/sysctl.d/99-net.conf
二层的网桥在转发包时也会被iptables的FORWARD规则所过滤
net.bridge.bridge-nf-call-arptables=1
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
关闭严格校验数据包的反向路径，默认值1
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0
设置 conntrack 的上限
net.netfilter.nf_conntrack_max=1048576
端口最大的监听队列的长度
net.core.somaxconn=21644
打开ipv4数据包转发
net.ipv4.ip_forward=1
TCP FastOpen 0:关闭 ; 1:作为客户端时使用 ; 2:作为服务器端时使用 ; 3:无论作为客户端还是服务器端都使用
net.ipv4.tcp_fastopen=3
修改limits参数：
cat /etc/security/limits.d/99-centos.conf

• • nproc 1048576
• • nofile 1048576

安装：

安装epel源：
yum -y install epel-*

更新软件：
yum makecache
yum update -y

安装openvpn及easy-rsa：
yum -y install openvpn easy-rsa

服务端证书配置：

拷贝easy-rsa的文件到/etc/openvpn下
cp -r /usr/share/easy-rsa/3.0.8 /etc/openvpn/easy-rsa
cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa/vars

修改/etc/openvpn/easy-rsa/vars配置：

set_var EASYRSA_REQ_COUNTRY “CN”
set_var EASYRSA_REQ_PROVINCE “Zhe Jiang”
set_var EASYRSA_REQ_CITY “Hang Zhou”
set_var EASYRSA_REQ_ORG “test”
set_var EASYRSA_REQ_EMAIL “xx@test.com”
set_var EASYRSA_REQ_OU “openvpn”
set_var EASYRSA_KEY_SIZE 4096
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 365000
set_var EASYRSA_CERT_EXPIRE 3650
set_var EASYRSA_CERT_RENEW 180
set_var EASYRSA_CRL_DAYS 60

初始化PKI和CA

切换目录：
cd /etc/openvpn/easy-rsa

创建PKI
./easyrsa init-pki

创建CA
./easyrsa build-ca nopass

创建服务器证书
方式一：
./easyrsa build-server-full openvpn-server nopass #自动签发公钥和私钥

    方式二：
        ./easyrsa gen-req openvpn-server nopass    # 创建服务器密钥
        ./easyrsa sign-req server openvpn-server    # 用CA证书签署密钥
1
2
3

创建客户端证书
方式一：
./easyrsa build-server-full openvpn-client nopass

   方式二：
     ./easyrsa gen-req openvpn-client nopass    # 创建服务器密钥
        ./easyrsa sign-req client openvpn-client    # 用CA证书签署密钥
1
2
3

创建DH证书
./easyrsa gen-dh # 根据在顶部创建的vars配置文件生成密钥

创建ta.key
openvpn --genkey --secret /etc/openvpn/easy-rsa/ta.key

生成CRL密钥：
./easyrsa gen-crl
拷贝证书

mkdir -p /etc/openvpn/pki
cp /etc/openvpn/easy-rsa/pki/ca.crt
/etc/openvpn/easy-rsa/pki/dh.pem
/etc/openvpn/easy-rsa/pki/issued/openvpn-server.crt
/etc/openvpn/easy-rsa/pki/private/openvpn-server.key
/etc/openvpn/pki/
ln -sv /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/pki/crl.pem
chown -R root:openvpn /etc/openvpn/pki

#复制ca证书，ta.key和server端证书及密钥到/etc/openvpn/server文件夹里
cp -p /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/server/
cp -p /etc/openvpn/easy-rsa/pki/issued/openvpn-server.crt /etc/openvpn/server/
cp -p /etc/openvpn/easy-rsa/pki/private/openvpn-server.key /etc/openvpn/server/
cp -p /etc/openvpn/easy-rsa/ta.key /etc/openvpn/server/

#复制ca证书，ta.key和client端证书及密钥到/etc/openvpn/client文件夹里

cp -p /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/client/
cp -p /etc/openvpn/easy-rsa/pki/issued/openvpn-client.crt /etc/openvpn/client/
cp -p /etc/openvpn/easy-rsa/pki/private/openvpn-client.key /etc/openvpn/client/
cp -p /etc/openvpn/easy-rsa/ta.key /etc/openvpn/client/

#复制dh.pem , crl.pem到/etc/openvpn/client文件夹里
cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/server/
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/server/
cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/client/
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/client/

4、OpenVPN服务端配置
文件创建

创建日志目录：
mkdir -p /var/log/openvpn
chown -R openvpn:openvpn /var/log/openvpn

创建客户端配置目录
mkdir -p /etc/openvpn/client/{config,user}
chown -R root:openvpn /etc/openvpn/client/{config,user}

cp -p /usr/share/doc/openvpn-2.4.11/sample/sample-config-files/server.conf /etc/openvpn/server/
配置server.conf

port 1194
# 通信协议
proto udp
# TUN模式还是TAP模式
dev tun
# 证书
ca         /etc/openvpn/pki/ca.crt
cert       /etc/openvpn/pki/openvpn-server.crt
key        /etc/openvpn/pki/openvpn-server.key
dh         /etc/openvpn/pki/dh.pem
crl-verify /etc/openvpn/pki/crl.pem
# 禁用OpenVPN自定义缓冲区大小，由操作系统控制
sndbuf 0
rcvbuf 0
# TLS rules “client” | “server”
#remote-cert-tls  "client"
# TLS认证
tls-auth /etc/openvpn/pki/ta.key 0
# TLS最小版本
#tls-version-min "1.2"
# 重新协商数据交换的key，默认3600
#reneg-sec 3600
# 在此文件中维护客户端与虚拟IP地址之间的关联记录
# 如果OpenVPN重启，重新连接的客户端可以被分配到先前分配的虚拟IP地址
ifconfig-pool-persist /etc/openvpn/ipp.txt
# 配置client配置文件
client-config-dir /etc/openvpn/client/config
# 该网段为 open VPN 虚拟网卡网段，不要和内网网段冲突即可。
server 10.10.0.0 255.255.0.0
# 配置网桥模式，需要在OpenVPN服务添加启动关闭脚本，将tap设备桥接到物理网口
# 假定内网地址为192.168.0.0/24，内网网关是192.168.0.1
# 分配192.168.0.200-250给VPN使用
#server-bridge 192.168.0.1 255.255.255.0 192.168.0.200 192.168.0.250
# 给客户端推送自定义路由
#push "route 10.10.0.0 255.255.0.0"
# 所有客户端的默认网关都将重定向到VPN
#push "redirect-gateway def1 bypass-dhcp"  
# 向客户端推送DNS配置
push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 8.8.8.8"
# 允许客户端之间互相访问
client-to-client
# 限制最大客户端数量
max-clients 100
# 客户端连接时运行脚本
#client-connect ovpns.script
# 客户端断开连接时运行脚本
#client-disconnect ovpns.script
# 保持连接时间
keepalive 20 120
# 开启vpn压缩
comp-lzo
# 允许多人使用同一个证书连接VPN，不建议使用，注释状态
duplicate-cn
# 运行用户
user openvpn
#运行组
group openvpn
# 持久化选项可以尽量避免访问那些在重启之后由于用户权限降低而无法访问的某些资源
persist-key
persist-tun

cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"

# 显示当前的连接状态
status      /var/log/openvpn/openvpn-status.log
# 日志路径，不指定文件路径时输出到控制台
# log代表每次启动时清空日志文件
# log        /var/log/openvpn/openvpn.log
# log-append代表追加写入到日志文件
log-append  /var/log/openvpn/openvpn.log
# 日志级别
verb 6
# 忽略过多的重复信息，相同类别的信息只有前20条会输出到日志文件中
mute 20
explicit-exit-notify 1

#文件进行用户认证
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
verify-client-cert none
username-as-common-name
script-security 3
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84

systemctl enable openvpn-server@server 开启服务

本地客户端配置文件

client
dev tun
proto udp
remote 47.108.232.1 1194          #公网地址
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-auth ta.key 1
auth-user-pass
remote-cert-tls server
cipher AES-256-CBC
verb 6 
route-nopull
route-metric 800
route 10.158.254.0 255.255.254.0 vpn_gateway     #只转发该网段的流量到vpn其余的走本地
max-routes 1000

-----BEGIN CERTIFICATE-----
MIIDHjCCAgagAwIBAgIJAO4RGdLmB/glMA0GCSqGSIb3DQEBCwUAMA8xDTALBgNV
BAMMBHNheG8wHhcNMjIwNjIwMDgwMDM4WhcNMzIwNjE3MDgwMDM4WjAPMQ0wCwYD
VQQDDARzYXhvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu52r1c/z
uZVbBZeg/vTeeL+jbCDBr/8NAiOR9u4i9vHjYgPSybeJFyrRaDvxE99N/hm3D3sj
JQkxmzqY5yx2fmthJr51Gg02K3SxR+NN+CtysMajkbX5crBA8yJVWMXqH/3oLVVr
rnUidUhqkuNiFjXBOU9zk3Par0br/wNy1sCsX0sDUlsLBr3JQaXY4McbkhW22uKR
ZniOvgApi3TFYKExNgO8syYFOIom6sKFk+NgVy6NTGx7tV1h5POOiyx5E7asysHS
BmiNIKSKT8JJgGbJH3NJNaBGp3i9/sl8juCgk8H6KlwhKnrHFIz6mPpoadJ8ZvbG
c6nQnQ4CnPRYLwIDAQABo30wezAdBgNVHQ4EFgQUNyZF9ZhZFAB2HyIn31ldRcf5
yYQwPwYDVR0jBDgwNoAUNyZF9ZhZFAB2HyIn31ldRcf5yYShE6QRMA8xDTALBgNV
BAMMBHNheG+CCQDuERnS5gf4JTAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjAN
BgkqhkiG9w0BAQsFAAOCAQEAYvZ+aVIXGi8PjtBIdl5cymC3aV76nkTfgaTjqsnX
VZ+5435MSxWwyAovn16iW8psHc9AL63EOaPu/xWw66bQBAAp0/GlxGzHzBmeH1hy
2g7jHYPpcq30AuADwzKk0O/lzYeq7yPdrkdyYffYZxumXNYCfndnQBAOCzcZvCuP
XCwTcV2hVtzrf873fWHULwbmYfzEzbqryvxka9N+R5izihvH/YB9AbSXheJbXwwN
aCgc8ip114N8/lvL+iIdfQryHOgStIoO3aniJPal8J+yseWVBY1CD4UdV5/+5DGQ
BX6vncyb2wzUY8WQfFL6ISOIKz7DioWSS7KLN32diXaztA==
-----END CERTIFICATE-----


#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
17e85bbb44fac0aa352bf377d5e74c6e
acba43b4845fe2e4d6bb408a3ff234dc
2bbb5a4fbe3da10a7f73dc996193d179
41dddc4d393b243ac531d531b98ad333
be3ff286a3f926b55c9f19b1206d73d6
a3c5af13033c0f14632c904aca47cbfd
af69ca63f47ef044e59a3c9636651c5b
4289f0744502c6efb67c9b28b0712895
e02c4492c04afd23e1a3b82a693d3858
02ac75a7e0e9d7bdc9959743c3a60863
26a0de2d374123bb2b9d55eeb07b1763
e88caf717d4648f475fa6af5370c28f4
180445af56e09ee01d9e64c67f2baf4a
76932254bf0da76ded98ecbe1ef0cff3
c48d236b50dc03461d924ec3cb29e27c
3087a2c3486a163020ec52502666a2e0
-----END OpenVPN Static key V1-----

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62

云上还得配置一条路由表将vpn虚拟网段路由到openvpn服务器

#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman 
#
# This script will authenticate Open××× users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.

PASSFILE="/etc/openvpn/server/psw-file"
LOG_FILE="/var/log/openvpn/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
        echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
        exit 1
fi

CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then
        echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
        exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
        echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
        exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

这是用户密码检测脚本