環境： openserver服務器： 操作系統：CentOS Linux release 7.4 (Core) 外網IP：103.45.10.148/255.255.255.192 內網IP： 10.45.10.148/255.255.255.192 內網服務器： slave01： 操作系統：CentOS Linux release 7.4 (Core) 內網IP： 10.45.10.151/255.255.255.192 slave02: 操作系統：CentOS Linux release 7.4 (Core) 內網IP： 10.45.29.216/255.255.255.192 第一部分：安裝openvpn服務器 1、配置yum源 ~~~ [root@openvpn ~]# cd /etc/yum.repos.d/ [root@openvpn yum.repos.d]# ll total 8 -rw-r--r-- 1 root root 1624 Oct 25 14:14 CentOS-Base.repo -rw-r--r-- 1 root root 927 Mar 8 12:00 epel.repo (這里配置了yum源，就不需要配置咯） ~~~ 2、配置時間同步  如果不同步，配置如下 ~~~ [root@openvpn ~]# ntpdate time1.aliyun.com 14 Mar 20:18:15 ntpdate[27719]: adjust time server 203.107.6.88 offset 0.301728 sec [root@manager ~]# crontab -e #sync data */2 * * * * /usr/sbin/ntpdate time1.aliyun.com &>/dev/null 2>&1 ~~~ 3、安裝依賴關系及下載openvpn2.3.16軟件 * 安裝依賴包 [root@openvpn ~]# yum -y install openssh-server lzo openssl openssl-devel pam-devel lzo-devel * 下載相應軟件包 ~~~ [root@openvpn ~]# cd /opt/tools/ [root@openvpn tools]# wget http://soft.51yuki.cn/openvpn-2.3.16.tar.gz [root@openvpn tools]# wget http://soft.51yuki.cn/EasyRSA-2.2.2.tgz ~~~ * 編譯安裝openvpn2.3.16 ~~~ [root@openvpn tools]# tar xf openvpn-2.3.16.tar.gz [root@openvpn tools]# cd openvpn-2.3.16/ [root@openvpn openvpn-2.3.16]# ./configure --prefix=/usr/local/openvpn && make && make install 進入/usr/local/openvpn，然后新建2個目錄server和client [root@openvpn openvpn]# pwd /usr/local/openvpn [root@openvpn openvpn]# mkdir server [root@openvpn openvpn]# mkdir client [root@openvpn server]# ln -sv /usr/local/openvpn/sbin/openvpn /usr/sbin/openvpn ‘/usr/sbin/openvpn’ -> ‘/usr/local/openvpn/sbin/openvpn’ ~~~ * 通過EasyRSA中的各腳本生成證書 ~~~ 1）解壓EasyRSA-2.2.2.tgz，并把解壓后的目錄拷貝到/usr/local/openvpn [root@openvpn openvpn]# cd /opt/tools/ [root@openvpn tools]# tar xf EasyRSA-2.2.2.tgz [root@openvpn tools]# cp -rf EasyRSA-2.2.2 /usr/local/openvpn/ [root@openvpn tools]# cd /usr/local/openvpn/EasyRSA-2.2.2/ [root@openvpn EasyRSA-2.2.2]# 2)編輯vars文件（以后生成證書的時候，就會讀取這個文件） [root@openvpn EasyRSA-2.2.2]# cp vars{,.ori} [root@openvpn EasyRSA-2.2.2]# vim vars export KEY_COUNTRY="CN" export KEY_PROVINCE="SH" export KEY_CITY="shanghai" export KEY_ORG="Pet" export KEY_EMAIL="xhh_198605@163.com" export KEY_OU="Ops" [root@openvpn EasyRSA-2.2.2]# source vars NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/openvpn/EasyRSA-2.2.2/keys [root@openvpn EasyRSA-2.2.2]# ./clean-all 3）生成ca證書 [root@openvpn EasyRSA-2.2.2]# ./build-ca Generating a 2048 bit RSA private key ................+++ .....................................+++ writing new private key to 'ca.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [SH]: Locality Name (eg, city) [shanghai]: Organization Name (eg, company) [Pet]: Organizational Unit Name (eg, section) [Ops]: Common Name (eg, your name or your server's hostname) [Pet CA]: Name [EasyRSA]: Email Address [xhh_198605@163.com]: 4）生成交換密鑰 [root@openvpn EasyRSA-2.2.2]# ./build-dh Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time 5）生成服務器端證書 [root@openvpn EasyRSA-2.2.2]# ./build-key-server server Generating a 2048 bit RSA private key .........................................................+++ ...................................................................................................................................+++ writing new private key to 'server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [SH]: Locality Name (eg, city) [shanghai]: Organization Name (eg, company) [Pet]: Organizational Unit Name (eg, section) [Ops]: Common Name (eg, your name or your server's hostname) [server]: Name [EasyRSA]: Email Address [xhh_198605@163.com]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /usr/local/openvpn/EasyRSA-2.2.2/openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'SH' localityName :PRINTABLE:'shanghai' organizationName :PRINTABLE:'Pet' organizationalUnitName:PRINTABLE:'Ops' commonName :PRINTABLE:'server' name :PRINTABLE:'EasyRSA' emailAddress :IA5STRING:'xhh_198605@163.com' Certificate is to be certified until Mar 12 05:40:43 2028 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated 6）生成客戶端證書（一般這個有很多，一般根據員工的名字來命名證書，例如如下） [root@openvpn EasyRSA-2.2.2]# ./build-key-pass louis （louis表示員工的命名） Generating a 2048 bit RSA private key ..........................................+++ ...............................................................................................................................+++ writing new private key to 'louis.key' Enter PEM pass phrase: 輸入密碼 Verifying - Enter PEM pass phrase: 輸入密碼 （這個密碼是客戶端撥vpn的時候，需要輸入這個密碼） ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [SH]: Locality Name (eg, city) [shanghai]: Organization Name (eg, company) [Pet]: Organizational Unit Name (eg, section) [Ops]: Common Name (eg, your name or your server's hostname) [louis]: Name [EasyRSA]: Email Address [xhh_198605@163.com]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /usr/local/openvpn/EasyRSA-2.2.2/openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'SH' localityName :PRINTABLE:'shanghai' organizationName :PRINTABLE:'Pet' organizationalUnitName:PRINTABLE:'Ops' commonName :PRINTABLE:'louis' name :PRINTABLE:'EasyRSA' emailAddress :IA5STRING:'xhh_198605@163.com' Certificate is to be certified until Mar 12 05:42:22 2028 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated 查看生成了哪些證書 [root@openvpn EasyRSA-2.2.2]# ll keys/ total 84 -rw-r--r-- 1 root root 5372 Mar 15 13:40 01.pem -rw-r--r-- 1 root root 5250 Mar 15 13:42 02.pem -rw-r--r-- 1 root root 1659 Mar 15 13:36 ca.crt -rw------- 1 root root 1704 Mar 15 13:36 ca.key -rw-r--r-- 1 root root 424 Mar 15 13:38 dh2048.pem -rw-r--r-- 1 root root 237 Mar 15 13:42 index.txt -rw-r--r-- 1 root root 21 Mar 15 13:42 index.txt.attr -rw-r--r-- 1 root root 21 Mar 15 13:40 index.txt.attr.old -rw-r--r-- 1 root root 119 Mar 15 13:40 index.txt.old -rw-r--r-- 1 root root 5250 Mar 15 13:42 louis.crt -rw-r--r-- 1 root root 1058 Mar 15 13:42 louis.csr -rw------- 1 root root 1834 Mar 15 13:42 louis.key -rw-r--r-- 1 root root 3 Mar 15 13:42 serial -rw-r--r-- 1 root root 3 Mar 15 13:40 serial.old -rw-r--r-- 1 root root 5372 Mar 15 13:40 server.crt -rw-r--r-- 1 root root 1058 Mar 15 13:40 server.csr -rw------- 1 root root 1704 Mar 15 13:40 server.key ~~~ * 在openvpn服務器上配置server端 ~~~ [root@openvpn server]# openvpn --genkey --secret ta.key [root@openvpn server]# pwd /usr/local/openvpn/server [root@openvpn server]# cp ../EasyRSA-2.2.2/keys/{ca.crt,ca.key,server.crt,server.key,dh2048.pem} . [root@openvpn server]# ll total 24 -rw-r--r-- 1 root root 1659 Mar 15 13:45 ca.crt -rw------- 1 root root 1704 Mar 15 13:45 ca.key -rw-r--r-- 1 root root 424 Mar 15 13:45 dh2048.pem -rw-r--r-- 1 root root 5372 Mar 15 13:45 server.crt -rw------- 1 root root 1704 Mar 15 13:45 server.key [root@openvpn server]# cp /opt/tools/openvpn-2.3.16/sample/sample-config-files/server.conf . [root@openvpn server]# ll total 36 -rw-r--r-- 1 root root 1659 Mar 15 13:45 ca.crt -rw------- 1 root root 1704 Mar 15 13:45 ca.key -rw-r--r-- 1 root root 424 Mar 15 13:45 dh2048.pem -rw-r--r-- 1 root root 10784 Mar 15 13:45 server.conf -rw-r--r-- 1 root root 5372 Mar 15 13:45 server.crt -rw------- 1 root root 1704 Mar 15 13:45 server.key -rw------- 1 root root 636 Mar 15 13:50 ta.key * 編輯server.conf [root@openvpn server]# grep -vE "^$|^#|^;" server.conf local 103.45.10.148 port 52115 proto tcp dev tun ca /usr/local/openvpn/server/ca.crt cert /usr/local/openvpn/server/server.crt key /usr/local/openvpn/server/server.key # This file should be kept secret dh /usr/local/openvpn/server/dh2048.pem server 172.25.200.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "route 10.45.10.128 255.255.255.192" client-to-client duplicate-cn keepalive 10 120 tls-auth ta.key 0 # This file is secret cipher AES-256-CBC comp-lzo persist-key persist-tun status openvpn-status.log log /var/log/openvpn verb 3 ~~~ * 在openvpn服務器上配置client端 ~~~ [root@openvpn client]# cp ../EasyRSA-2.2.2/keys/{ca.crt,louis.crt,louis.key} . [root@openvpn client]# cp ../server/ta.key . [root@openvpn client]# cp /opt/tools/openvpn-2.3.16/sample/sample-config-files/client.conf . [root@openvpn client]# ll total 24 -rw-r--r-- 1 root root 1659 Mar 15 13:52 ca.crt -rw-r--r-- 1 root root 3586 Mar 15 13:53 client.conf -rw-r--r-- 1 root root 5250 Mar 15 13:52 louis.crt -rw------- 1 root root 1834 Mar 15 13:52 louis.key -rw------- 1 root root 636 Mar 15 13:53 ta.key (以后每增加一個客戶端，就把客戶端的公鑰和私鑰拷貝到這個目錄，然后把client.conf,ca.crt,ta.key以及對應用戶的公鑰和私鑰，一并發送給對象的用戶，該用戶就可以在相應的設備上登錄咯，下面會介紹） * 配置client.conf [root@openvpn client]# grep -vE "^$|^#|^;" client.conf client dev tun proto tcp remote 103.45.10.148 52115 resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert louis.crt key louis.key remote-cert-tls server tls-auth ta.key 1 cipher AES-256-CBC comp-lzo verb 3 ~~~ * 拷貝軟件自帶的服務腳本到/etc/init.d/目錄下 ~~~ [root@openvpn client]# cp /opt/tools/openvpn-2.3.16/distro/rpm/openvpn.init.d.rhel /etc/init.d/openvpn [root@openvpn client]# chmod 700 /etc/init.d/openvpn [root@openvpn client]# chkconfig --add openvpn [root@openvpn client]# chkconfig openvpn on [root@openvpn client]# sed -i "s@work=/etc/openvpn@work=/usr/local/openvpn/server@g" /etc/init.d/openvpn [root@openvpn client]# systemctl daemon-reload [root@openvpn client]# service openvpn start Starting openvpn (via systemctl): [ OK ] [root@openvpn client]# ss -tunlp|grep 52115 tcp LISTEN 0 1 103.45.10.148:52115 *:* users:(("openvpn",pid=12335,fd=5)) ~~~ * 在openvpn服務器上配置防火墻 ~~~ [root@openvpn ~]# setenforce 0 setenforce: SELinux is disabled 開通端口轉發 [root@openvpn ~]# vim /etc/sysctl.conf [root@openvpn ~]# sysctl -p net.ipv4.ip_forward = 1 [root@openvpn client]# systemctl stop firewalld [root@openvpn client]# systemctl disable firewalld [root@openvpn client]# yum -y install iptables-* 放行52115端口 [root@openvpn ~]# iptables -I INPUT -p tcp --dport 52115 -j ACCEPT [root@openvpn ~]# iptables -I INPUT -p udp --dport 52115 -j ACCEPT [root@openvpn ~]# service iptables save iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ] [root@openvpn ~]# service iptables restart Redirecting to /bin/systemctl restart iptables.service ~~~ 第二部分：客戶端配置 1）windows系統 然后通過xftp把服務器上的客戶端的幾個文件拷貝到本地電腦  2）安裝openvpn gui軟件 http://soft.51yuki.cn/openvpn-install-2.3.14-I601-x86_64.exe 3）比如默認安裝在C:\Program Files\OpenVPN這個目錄，如果這個目錄下沒有config，那么就新建一個config目錄，然后相關文件（ca.crt,client.conf,louis.crt,louis.key,ta.key）拷貝到config目錄下，并且把client.conf重命名為client.ovpn）  4）以管理員身份打開openvpn gui軟件，然后點擊connect  （這里彈出框，就是輸入剛剛./build-key-pass生成客戶端證書時輸入的密碼）  2）linux系統（以centos7.3為例） 第一步：先在openvpn服務器上生成一張客戶端證書 ~~~ [root@openvpn EasyRSA-2.2.2]# ./build-key node1.51yuki.cn [root@openvpn EasyRSA-2.2.2]# cp keys/node1.51yuki.cn.crt keys/node1.51yuki.cn.key ../client/ [root@openvpn EasyRSA-2.2.2]# cd ../client/ [root@openvpn client]# ll total 36 -rw-r--r-- 1 root root 1659 Mar 15 13:52 ca.crt -rw-r--r-- 1 root root 3549 Mar 15 13:56 client.conf -rw-r--r-- 1 root root 5250 Mar 15 13:52 louis.crt -rw------- 1 root root 1834 Mar 15 13:52 louis.key -rw-r--r-- 1 root root 5276 Mar 15 14:20 node1.51yuki.cn.crt -rw------- 1 root root 1704 Mar 15 14:20 node1.51yuki.cn.key -rw------- 1 root root 636 Mar 15 13:53 ta.key [root@openvpn client]# cp client.conf node1.51yuki.cn.conf [root@openvpn client]# vim node1.51yuki.cn.conf [root@openvpn client]# mv node1.51yuki.cn.conf node1.conf [root@openvpn client]# ll total 40 -rw-r--r-- 1 root root 1659 Mar 15 13:52 ca.crt -rw-r--r-- 1 root root 3549 Mar 15 13:56 client.conf -rw-r--r-- 1 root root 5250 Mar 15 13:52 louis.crt -rw------- 1 root root 1834 Mar 15 13:52 louis.key -rw-r--r-- 1 root root 5276 Mar 15 14:20 node1.51yuki.cn.crt -rw------- 1 root root 1704 Mar 15 14:20 node1.51yuki.cn.key -rw-r--r-- 1 root root 3569 Mar 15 14:21 node1.conf -rw------- 1 root root 636 Mar 15 13:53 ta.key ~~~ linux客戶端上操作 * 安裝openvpn軟件（yum安裝即可） [root@node1 ~]# yum -y install openvpn [root@node1 client]# ll total 24 -rw-r--r--. 1 root root 1659 Mar 15 14:23 ca.crt -rw-r--r--. 1 root root 5276 Mar 15 14:23 node1.51yuki.cn.crt -rw-r--r--. 1 root root 1704 Mar 15 14:23 node1.51yuki.cn.key -rw-r--r--. 1 root root 3569 Mar 15 14:23 node1.conf -rw-r--r--. 1 root root 636 Mar 15 14:23 ta.key [root@node1 client]# pwd /etc/openvpn/client * 啟動服務 [root@node1 system]# systemctl start openvpn-client@node1 （這里的node1，就是你上面配置文件.conf,我這里是node1.conf，所以啟動就是） ~~~ [root@node1 system]# ifconfig tun0 tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500 inet 172.25.200.10 netmask 255.255.255.255 destination 172.25.200.9 unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ~~~ * 然后測試是否可以ping通tun0和openvpn內網IP ~~~ [root@node1 system]# ping 172.25.200.1 PING 172.25.200.1 (172.25.200.1) 56(84) bytes of data. 64 bytes from 172.25.200.1: icmp_seq=1 ttl=64 time=27.8 ms 64 bytes from 172.25.200.1: icmp_seq=2 ttl=64 time=27.7 ms 64 bytes from 172.25.200.1: icmp_seq=3 ttl=64 time=27.0 ms 64 bytes from 172.25.200.1: icmp_seq=4 ttl=64 time=27.4 ms 64 bytes from 172.25.200.1: icmp_seq=5 ttl=64 time=27.5 ms 64 bytes from 172.25.200.1: icmp_seq=6 ttl=64 time=36.2 ms ^C --- 172.25.200.1 ping statistics --- 6 packets transmitted, 6 received, 0% packet loss, time 5008ms rtt min/avg/max/mdev = 27.052/28.987/36.235/3.252 ms [root@node1 system]# ping 10.45.10.148 PING 10.45.10.148 (10.45.10.148) 56(84) bytes of data. 64 bytes from 10.45.10.148: icmp_seq=1 ttl=64 time=26.9 ms 64 bytes from 10.45.10.148: icmp_seq=2 ttl=64 time=27.4 ms 64 bytes from 10.45.10.148: icmp_seq=3 ttl=64 time=27.6 ms 64 bytes from 10.45.10.148: icmp_seq=4 ttl=64 time=28.0 ms 64 bytes from 10.45.10.148: icmp_seq=5 ttl=64 time=27.5 ms ^C --- 10.45.10.148 ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 4003ms rtt min/avg/max/mdev = 26.978/27.545/28.096/0.356 ms [root@node1 system]# scp /etc/hosts root@10.45.10.148:/tmp The authenticity of host '10.45.10.148 (10.45.10.148)' can't be established. ECDSA key fingerprint is SHA256:2LDr2C1IMRfrRTj8d0Djs6JMZdGWmw4hSFqvAObRHYc. ECDSA key fingerprint is MD5:d1:6e:12:94:b7:bd:91:30:1a:ee:ea:a9:0d:1f:c7:f0. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '10.45.10.148' (ECDSA) to the list of known hosts. root@10.45.10.148's password: Permission denied, please try again. root@10.45.10.148's password: hosts 100% 158 5.5KB/s 00:00 [root@node1 system]# （通過以上操作，發現從撥通vpn的客戶端上，可以ping通vpn服務器tun0接口和內網口ip，并且可以拷貝文件到openvpn服務器上） ~~~ 第三部分：測試從撥通vpn的電腦上，訪問slave01和slave02電腦上內網ip ~~~ C:\Users\Administrator>ping 10.45.10.151 正在 Ping 10.45.10.151 具有 32 字節的數據: 請求超時。 請求超時。 ~~~ 第一種方法： [root@slave02 ~]# route add -net 172.25.200.0/24 gw 10.45.10.148 [root@slave02 ~]# echo "route add -net 172.25.200.0/24 gw 10.45.10.148" >> /etc/rc.local 然后測試 ~~~ C:\Users\Administrator>ping 10.45.10.151 正在 Ping 10.45.10.151 具有 32 字節的數據: 來自 10.45.10.151 的回復: 字節=32 時間=28ms TTL=63 來自 10.45.10.151 的回復: 字節=32 時間=28ms TTL=63 來自 10.45.10.151 的回復: 字節=32 時間=28ms TTL=63 來自 10.45.10.151 的回復: 字節=32 時間=28ms TTL=63 在linux客戶端上操作 [root@node1 system]# ssh root@10.45.10.151 The authenticity of host '10.45.10.151 (10.45.10.151)' can't be established. ECDSA key fingerprint is SHA256:2LDr2C1IMRfrRTj8d0Djs6JMZdGWmw4hSFqvAObRHYc. ECDSA key fingerprint is MD5:d1:6e:12:94:b7:bd:91:30:1a:ee:ea:a9:0d:1f:c7:f0. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '10.45.10.151' (ECDSA) to the list of known hosts. root@10.45.10.151's password: Permission denied, please try again. root@10.45.10.151's password: Last failed login: Thu Mar 15 14:37:34 CST 2018 from 172.25.200.10 on ssh:notty There was 1 failed login attempt since the last successful login. Last login: Thu Mar 15 14:33:55 2018 from 180.169.194.190 [root@slave02 ~]# ~~~ 第二種方法：配置NAT地址轉換（在openvpn上操作） ~~~ [root@openvpn ~]# iptables -t nat -A POSTROUTING -s 172.25.200.0/24 -o eth1 -j SNAT --to-s [root@openvpn ~]# iptables -t nat -I POSTROUTING -s 172.25.200.0/24 -o eth1 -j MASQUERADE ~~~