
Installing OpenVPN on CentOS 7

OpenVPN download:

https://github.com/OpenVPN/openvpn/releases

EasyRSA download:

https://github.com/OpenVPN/easy-rsa/releases

Install the build dependencies:

yum install gcc gcc-c++ libstdc++-devel autoconf automake libtool pam-devel

Clone the OpenVPN source code:

git clone https://github.com/OpenVPN/openvpn.git

Configure:

./configure --prefix=/usr/local/OpenVPN --disable-lzo

Compile and install:

make && make install

Create a symbolic link:

ln -s /usr/local/OpenVPN/sbin/openvpn /usr/sbin/openvpn

Clone the easy-rsa source code:

git clone https://github.com/OpenVPN/easy-rsa.git

Change into the easyrsa3 directory of easy-rsa and copy the configuration template:

cp vars.example vars

Edit the corresponding lines of the configuration:

set_var EASYRSA_REQ_COUNTRY     "CN"
set_var EASYRSA_REQ_PROVINCE    "HUBEI"
set_var EASYRSA_REQ_CITY        "WUHAN"
set_var EASYRSA_REQ_ORG         "JOYCODE"
set_var EASYRSA_REQ_EMAIL       "maxwoods@qq.com"
set_var EASYRSA_REQ_OU          "Max Woods' OpenVPN"

Initialize the PKI:

./easyrsa init-pki

Generate the root CA certificate:

./easyrsa build-ca

Generate the server certificate request:

./easyrsa gen-req server nopass

Sign the server certificate:

./easyrsa sign server server

Create the Diffie-Hellman parameters:

./easyrsa gen-dh

Create the client certificate request:

./easyrsa gen-req Ops

Import the client certificate request:

./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/Ops.req Ops

Sign the client certificate:

./easyrsa sign client Ops

Generate a client certificate in a single step:

This step prompts you for the CA password and for the passphrase of the client's private key.

./easyrsa build-client-full joycode

Revoke a certificate:

./easyrsa revoke joycode
./easyrsa gen-crl

In pki/index.txt the revoked certificate is marked with "R", and an updated pki/crl.pem is generated.

Edit the OpenVPN server configuration:

vi /etc/openvpn/server/server.conf

Add the following line:

crl-verify crl.pem

Put crl.pem in the same directory as server.conf, adjust its permissions, and then restart the service.

chmod 777 crl.pem

Example server.conf:
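As an added example (not from the original post, and not an Easy-RSA or OpenVPN tool): a small POSIX shell script that reads an Easy-RSA pki/index.txt to list the certificates marked "R", and checks that a server.conf contains a crl-verify line naming a file that is actually present and readable next to it, which is all OpenVPN needs in order to load the CRL. The index.txt entries and the server.conf are constructed samples written to temporary files; the column layout of index.txt (status, expiry, revocation date, serial, file name, subject DN, tab-separated) is the one Easy-RSA's OpenSSL database uses, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post or from Easy-RSA/OpenVPN.
# Lists revoked certificates in an Easy-RSA pki/index.txt and checks that a
# server.conf names a crl-verify file that is present next to it.
#
# index.txt is tab-separated: status (V valid / R revoked / E expired),
# expiry (YYMMDDHHMMSSZ), revocation date (empty unless revoked), serial,
# file name (usually "unknown"), subject DN.

# Constructed sample index.txt: two valid certificates and one revoked one.
SAMPLE_INDEX="$(mktemp)"
printf 'V\t340101000000Z\t\t01\tunknown\t/CN=server\n'               >  "$SAMPLE_INDEX"
printf 'V\t340101000000Z\t\t02\tunknown\t/CN=Ops\n'                  >> "$SAMPLE_INDEX"
printf 'R\t340101000000Z\t240223080000Z\t03\tunknown\t/CN=joycode\n' >> "$SAMPLE_INDEX"

# revoked_cns FILE: print the CN of every entry whose status column is "R",
# one per line (these are the certificates OpenVPN rejects once crl.pem has
# been regenerated with ./easyrsa gen-crl and loaded via crl-verify).
revoked_cns() {
    awk -F'\t' '$1 == "R" { dn = $6; sub(/^.*\/CN=/, "", dn); print dn }' "$1"
}

# valid_count FILE: number of entries still marked "V".
valid_count() {
    awk -F'\t' '$1 == "V" { n++ } END { print n + 0 }' "$1"
}

# crl_check SERVER_CONF: prints "ok" if the config contains a crl-verify line
# and the file it names is readable (a relative name is resolved against the
# config's own directory, which is where the post puts crl.pem); otherwise
# prints "no-crl-verify" or "crl-missing" and returns 1.
crl_check() {
    conf="$1"
    dir="$(dirname "$conf")"
    crl="$(awk '$1 == "crl-verify" { print $2; exit }' "$conf")"
    if [ -z "$crl" ]; then
        echo "no-crl-verify"
        return 1
    fi
    case "$crl" in
        /*) path="$crl" ;;
        *)  path="$dir/$crl" ;;
    esac
    if [ ! -r "$path" ]; then
        echo "crl-missing"
        return 1
    fi
    echo "ok"
}

# Constructed sample server directory: a minimal server.conf plus a
# placeholder crl.pem (real content would come from ./easyrsa gen-crl).
SAMPLE_DIR="$(mktemp -d)"
printf 'port 1194\nproto tcp\ncrl-verify crl.pem\n' > "$SAMPLE_DIR/server.conf"
printf -- '-----BEGIN X509 CRL-----\nplaceholder\n-----END X509 CRL-----\n' > "$SAMPLE_DIR/crl.pem"

# Stand-alone run: prints "joycode", "2", "ok".
revoked_cns "$SAMPLE_INDEX"
valid_count "$SAMPLE_INDEX"
crl_check "$SAMPLE_DIR/server.conf"
```

Running crl_check against the real /etc/openvpn/server/server.conf after the restart tells you whether the CRL step above was actually picked up; "crl-missing" means the revocation has no effect yet, because the daemon loads the CRL from the path it is given and does not look inside the Easy-RSA pki directory.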

port 1194
proto tcp
dev tun
ca /usr/local/openvpn/ssl/ca.crt
cert /usr/local/openvpn/ssl/server.crt
key /usr/local/openvpn/ssl/server.key
dh /usr/local/openvpn/ssl/dh.pem
server 10.8.0.0 255.255.255.0
duplicate-cn # allow several clients to connect at the same time with one client certificate
#ifconfig-pool-persist ipp.txt
#keepalive 10 120
tls-auth /usr/local/openvpn/ssl/ta.key 0 # This file is secret
#push "route 192.168.1.200 255.255.255.0"
#cipher AES-256-CBC
#persist-key
#persist-tun
#status openvpn-status.log
#verb 3
#explicit-exit-notify 1

Example .ovpn client configuration:

client
proto tcp
dev tun
remote 8.138.82.236 1194
ca ca.crt
cert maxwoods.crt
key maxwoods.key
tls-auth ta.key 1
nobind
persist-key
#cipher AES-256-CBC
ns-cert-type server
verb 3
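A second added example, not part of the original post: a shell check that a server.conf and a client .ovpn like the two above agree on the settings that must match before a client can connect at all: proto, the port in the client's remote line against the server's port, and the tls-auth key direction (0 on the server, 1 on the client, as in the post's configs; with the wrong direction the tls-auth HMAC never verifies and the handshake never starts). The two sample configs are constructed here with vpn.example.invalid as a placeholder host, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check a server.conf and a
# client .ovpn for the settings that must agree before a client can connect.
#
# Checked: "proto" is the same on both sides, the port in the client's
# "remote host port" line equals the server's "port", and the tls-auth key
# direction is 0 on the server and 1 on the client.

# cfg_value FILE DIRECTIVE: first argument of DIRECTIVE, or "" if absent.
cfg_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# remote_port FILE: the port in the client's "remote host port" line.
remote_port() {
    awk '$1 == "remote" { print $3; exit }' "$1"
}

# tls_auth_dir FILE: last argument of the tls-auth line after stripping any
# trailing "# comment", i.e. the key direction (0 or 1), or "" if absent.
tls_auth_dir() {
    awk '$1 == "tls-auth" { sub(/#.*/, ""); print $NF; exit }' "$1"
}

# check_pair SERVER_CONF CLIENT_OVPN: prints "ok", or "mismatch:" followed by
# the names of the checks that failed (and returns 1).
check_pair() {
    srv="$1"; cli="$2"; problems=""
    [ "$(cfg_value "$srv" proto)" = "$(cfg_value "$cli" proto)" ] \
        || problems="$problems proto"
    [ "$(cfg_value "$srv" port)" = "$(remote_port "$cli")" ] \
        || problems="$problems port"
    { [ "$(tls_auth_dir "$srv")" = "0" ] && [ "$(tls_auth_dir "$cli")" = "1" ]; } \
        || problems="$problems tls-auth-direction"
    if [ -z "$problems" ]; then
        echo "ok"
    else
        echo "mismatch:$problems"
        return 1
    fi
}

# Constructed sample configs (vpn.example.invalid is a placeholder host).
WORK="$(mktemp -d)"
cat > "$WORK/server.conf" <<'EOF'
port 1194
proto tcp
dev tun
tls-auth ta.key 0 # This file is secret
EOF
cat > "$WORK/good.ovpn" <<'EOF'
client
proto tcp
remote vpn.example.invalid 1194
tls-auth ta.key 1
EOF
cat > "$WORK/bad.ovpn" <<'EOF'
client
proto udp
remote vpn.example.invalid 1194
tls-auth ta.key 0
EOF

# Stand-alone run: prints "ok", then "mismatch: proto tls-auth-direction".
check_pair "$WORK/server.conf" "$WORK/good.ovpn"
check_pair "$WORK/server.conf" "$WORK/bad.ovpn" || true
```

Run it against the real server.conf and the .ovpn you hand out before starting the daemon; a "mismatch" line points at the exact directive to fix, which is quicker than reading the failed-handshake messages in the server log.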

Start the server:

./sbin/openvpn --config server.conf --daemon

References:

Last edited on 2024/2/23 by joycode

If I do not descend into hell, who will?
