Because the new OpenVPN release no longer bundles the most important piece, the certificate tooling easy-rsa, you need to download easy-rsa beforehand (it is available on GitHub); it is set up in step 3 below. This deployment uses easy-rsa 3, whose commands are completely different from easy-rsa 2.0, so the easy-rsa 2.0 tutorials found elsewhere do not apply here.
Before deploying OpenVPN, synchronize the server clock with ntpdate. Otherwise the validity dates written into the generated certificates will be wrong and you will run into certificate errors.
1. Install lzo
lzo is a data compression algorithm that focuses on decompression speed.
[root@vpn ~]# wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.09.tar.gz
[root@vpn ~]# tar xf lzo-2.09.tar.gz
[root@vpn ~]# cd lzo-2.09
[root@vpn lzo-2.09]# ./configure && make && make install

2. Install openvpn
[root@vpn ~]# yum install -y openssl-devel
[root@vpn ~]# wget https://swupdate.openvpn.org/community/releases/openvpn-2.3.11.tar.gz
[root@vpn ~]# tar zxvf openvpn-2.3.11.tar.gz
[root@vpn ~]# cd openvpn-2.3.11
[root@vpn openvpn-2.3.11]# ./configure --with-lzo-headers=/usr/local/include/ --with-lzo-lib=/usr/local/lib
[root@vpn openvpn-2.3.11]# make && make install
[root@vpn openvpn-2.3.11]# which openvpn
/usr/local/sbin/openvpn    # seeing this means OpenVPN was installed successfully

3. Configure easy-rsa on the server
The openvpn-2.3.11 package does not include the tools for producing certificates (the CA certificate, the server certificate and the client certificates), so easy-rsa has to be downloaded separately; the latest version is easy-rsa 3.
[root@vpn ~]# wget https://github.com/OpenVPN/easy-rsa/archive/master.zip
[root@vpn ~]# unzip master.zip
[root@vpn ~]# mv easy-rsa-master easy-rsa
[root@vpn ~]# cp -R easy-rsa/ /usr/local/share/doc/openvpn/
[root@vpn ~]# cd /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/
[root@vpn easyrsa3]# cp vars.example vars
[root@vpn easyrsa3]# vim vars
set_var EASYRSA_REQ_COUNTRY  "CN"
set_var EASYRSA_REQ_PROVINCE "Beijing"
set_var EASYRSA_REQ_CITY     "Beijing"
set_var EASYRSA_REQ_ORG      "qiangshCertificate"
set_var EASYRSA_REQ_EMAIL    "[email protected]"
set_var EASYRSA_REQ_OU       "MyOpenVPN"

4. Create the server certificate and key
(1) Initialize the PKI
[root@vpn easyrsa3]# ls
easyrsa  openssl-1.0.cnf  vars  vars.example  x509-types
[root@vpn easyrsa3]#
[root@vpn easyrsa3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki

(2) Create the root (CA) certificate
[root@vpn easyrsa3]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
..+++
..........................+++
writing new private key to '/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key.GiibbqFhXm'
Enter PEM pass phrase:    # enter a passphrase; it is used when signing certificates
Verifying - Enter PEM pass phrase:    # enter the passphrase again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:qiangsh    # enter a Common Name
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
(3) Create the server certificate
[root@vpn easyrsa3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.......................................+++
......................................+++
writing new private key to '/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/server.key.MIGrh2B6S8'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:qiangsh-BJ    # this Common Name must NOT be the same as the one used for the root certificate!!!
Keypair and certificate request completed. Your files are:
req: /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
key: /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/server.key
(4) Sign the server certificate
[root@vpn easyrsa3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
commonName = qiangsh-BJ
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes    # type yes to continue
Using configuration from /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:    # enter the passphrase chosen when the root certificate was created
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'qiangsh-BJ'
Certificate is to be certified until Jun 6 07:19:45 2026 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt
(5) Create the Diffie-Hellman parameters, which let the key exchange cross an untrusted network safely:
[root@vpn easyrsa3]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..........................................................................+...........................+.............................................................+...........................+.................................................................................................................................................................................................................................................+...............................................................................................................................+..+.................................................................+..........................................................................................+..............+...............................................................................................................................................................................+........................................................................................+...............................................................................+................................................+..........++*++*
DH parameters of size 2048 created at /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/dh.pem

5. Create the client certificate
(1) Create a client directory in root's home directory
[root@vpn easyrsa3]# cd
[root@vpn ~]# mkdir client
[root@vpn ~]# cp -R /mnt/easy-rsa/ client/

(2) Initialize the client PKI
[root@vpn ~]# cd client/easy-rsa/easyrsa3/
[root@vpn easyrsa3]# ls
easyrsa  openssl-1.0.cnf  vars  vars.example  x509-types
[root@vpn easyrsa3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /root/client/easy-rsa/easyrsa3/pki

(3) Create the client key and certificate request
[root@vpn easyrsa3]# ./easyrsa gen-req qiangsh
Generating a 2048 bit RSA private key
.......................+++
........................................................+++
writing new private key to '/root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key.LD7Wk6hmQq'
Enter PEM pass phrase:    # enter a passphrase
Verifying - Enter PEM pass phrase:    # enter the passphrase again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [qiangsh]:qiangsh    # enter qiangsh
Keypair and certificate request completed. Your files are:
req: /root/client/easy-rsa/easyrsa3/pki/reqs/qiangsh.req
key: /root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key

(4) Import the resulting qiangsh.req and sign the certificate
[root@vpn ~]# cd /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/
[root@vpn easyrsa3]# # import the request
[root@vpn easyrsa3]# ./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/qiangsh.req qiangsh
Note: using Easy-RSA configuration from: ./vars
The request has been successfully imported with a short name of: qiangsh
You may now use this name to perform signing operations on this request.
[root@vpn easyrsa3]# # sign the certificate
[root@vpn easyrsa3]# ./easyrsa sign client qiangsh
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 3650 days:
subject=
commonName = qiangsh
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes    # type yes
Using configuration from /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:    # enter the passphrase chosen when the root certificate was created
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'qiangsh'
Certificate is to be certified until Jun 6 07:50:02 2026 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/qiangsh.crt    # signed successfully

(5) Files generated on the server side and the client side
Server side: the /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ directory
/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/reqs/qiangsh.req
/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key
/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/server.key
/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt
/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/qiangsh.crt
/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/dh.pem

Client side: the /root/client/easy-rsa directory
/root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key
/root/client/easy-rsa/easyrsa3/pki/reqs/qiangsh.req    # we imported this file into the server-side PKI, so it exists there as well

(6) Copy the server key, certificates and DH parameters into the OpenVPN directory
[root@vpn ~]# cp /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /usr/local/share/doc/openvpn/
[root@vpn ~]# cp /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/server.key /usr/local/share/doc/openvpn/
[root@vpn ~]# cp /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt /usr/local/share/doc/openvpn/
[root@vpn ~]# cp /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/dh.pem /usr/local/share/doc/openvpn/

(7) Copy the client key and certificates into the client directory
[root@vpn ~]# cp /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /root/client/
[root@vpn ~]# cp /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/qiangsh.crt /root/client/
[root@vpn ~]# cp /root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key /root/client/

(8) Write the server configuration file
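Before editing server.conf it is worth checking what easy-rsa actually produced. The script below is an added example and is not part of the original post: using plain openssl, it verifies that server.crt chains to ca.crt and is valid as a TLS server certificate, that server.key is the private key for server.crt, that the CA and the server do not share a subject (the warning given at gen-req above), and that the key file is not group- or world-readable. The paths at the bottom are the tutorial's; the demo PKI the script builds first is constructed here, and its names (demo-ca, demo-server) are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks on the easy-rsa output
# before it is copied into the OpenVPN directory. Needs only openssl(1) and
# coreutils. The demo PKI built by make_demo_pki is constructed here so the
# script runs without the tutorial's files; demo-ca/demo-server are placeholders.

# check_pki CA_CRT SERVER_CRT SERVER_KEY
# Prints one line per failed check and returns 0 only when all checks pass.
# The key is expected to be unencrypted, as produced by "gen-req server nopass".
check_pki() {
  ca="$1"; crt="$2"; key="$3"; rc=0

  # 1. The certificate must chain to this CA and be valid as a TLS server cert
  #    ("sign server" gives it extendedKeyUsage = serverAuth).
  if ! openssl verify -CAfile "$ca" -purpose sslserver "$crt" >/dev/null 2>&1; then
    echo "FAIL: $crt does not verify against $ca as a server certificate"; rc=1
  fi

  # 2. The private key must belong to the certificate: compare SHA-256 digests
  #    of the DER-encoded public keys rather than eyeballing moduli.
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] ||
    { echo "FAIL: $key is not the private key for $crt"; rc=1; }

  # 3. CA and server must not share a subject, as the tutorial warns at gen-req.
  ca_subj=$(openssl x509 -in "$ca" -noout -subject 2>/dev/null)
  crt_subj=$(openssl x509 -in "$crt" -noout -subject 2>/dev/null)
  [ -n "$ca_subj" ] && [ "$ca_subj" != "$crt_subj" ] ||
    { echo "FAIL: CA and server share the subject '$ca_subj'"; rc=1; }

  # 4. The key file must not be readable by group or others.
  mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key" 2>/dev/null)
  case "$mode" in
    600|400) ;;
    *) echo "FAIL: $key has mode '$mode'; it should be 600"; rc=1 ;;
  esac
  return $rc
}

# make_demo_pki DIR: throwaway CA, server key and server certificate made with
# plain openssl, mirroring build-ca / "gen-req server nopass" / "sign server".
make_demo_pki() {
  d="$1"; mkdir -p "$d"
  # Minimal openssl config so the CA gets CA:TRUE regardless of the system openssl.cnf.
  printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_ca\n[dn]\ncommonName = Common Name\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' > "$d/ca.cnf"
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=demo-ca" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=demo-server" -keyout "$d/server.key" -out "$d/server.req" 2>/dev/null
  # Server extensions, as easy-rsa's x509-types/server would add them.
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\nextendedKeyUsage = serverAuth\n' > "$d/server.ext"
  openssl x509 -req -in "$d/server.req" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -days 3650 -extfile "$d/server.ext" -out "$d/server.crt" 2>/dev/null
  chmod 600 "$d/ca.key" "$d/server.key"
}

# Stand-alone run: check the constructed PKI, then the tutorial's real one if present.
demo=$(mktemp -d)
make_demo_pki "$demo"
check_pki "$demo/ca.crt" "$demo/server.crt" "$demo/server.key" && echo "demo PKI: all checks passed"
rm -rf "$demo"
PKI=/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki
if [ -f "$PKI/ca.crt" ]; then
  check_pki "$PKI/ca.crt" "$PKI/issued/server.crt" "$PKI/private/server.key" && echo "tutorial PKI: all checks passed"
fi
```

Run it on the server as root before step (8); any FAIL line means the files in /usr/local/share/doc/openvpn/ would not work or would expose the key, and it is cheaper to regenerate now than to debug TLS handshake errors in the OpenVPN log later.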
When OpenVPN is installed it provides an example server configuration file.
Copy this example into the OpenVPN directory, then edit it.
[root@vpn ~]# cp /mnt/openvpn-2.3.11/sample/sample-config-files/server.conf /usr/local/share/doc/openvpn/
[root@vpn ~]# vim /usr/local/share/doc/openvpn/server.conf
local 192.168.1.100    # your own VPS IP
port 1194
proto udp
dev tun
ca /usr/local/share/doc/openvpn/ca.crt
cert /usr/local/share/doc/openvpn/server.crt
key /usr/local/share/doc/openvpn/server.key    # This file should be kept secret
dh /usr/local/share/doc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
verb 3

(9) Enable IP forwarding in the kernel
[root@vpn ~]# vim /etc/sysctl.conf
change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1
[root@vpn ~]# sysctl -p
[root@vpn ~]# sysctl -a | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1

(10) NAT the packets leaving the tunnel (eth0 is the external network interface of your VPS):
/sbin/iptables -t nat -I POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE

III. Download and configure the OpenVPN client
1. Copy the client key and certificates out to Windows for later use
[root@vpn ~]# cd client/
[root@vpn client]# ls
ca.crt  easy-rsa  nmshuishui.crt  nmshuishui.key    # the three files with extensions
2. Install the openvpn-gui tool
(1) Copy C:\Program Files\OpenVPN\sample-config\client.ovpn to C:\Program Files\OpenVPN\config
(2) Put the three key and certificate files copied out of Linux into D:\Program Files (x86)\OpenVPN\config
(3) Edit C:\Program Files\OpenVPN\config\client.ovpn as follows:
client
dev tun
proto udp
remote 192.168.1.100 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt    # the CA certificate is needed here
cert qiangsh.crt
key qiangsh.key
comp-lzo
verb 3

IV. Start the service and test
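Before starting the service, it is worth comparing the two configuration files written above (server.conf in step (8) and client.ovpn) against the hardening OpenVPN 2.3 already supports. The script below is an added example and is not part of the original post: it lints a config for an explicit cipher and auth, tls-version-min, tls-auth (or tls-crypt), privilege dropping with user/group and a CRL on the server side, remote-cert-tls on the client side, and warns about comp-lzo. The sample files it writes are constructed from the tutorial's server.conf and client.ovpn, trimmed to the lines that matter here, plus a hardened server.conf for comparison; ta.key and crl.pem in the hardened file are assumed to have been generated with openvpn --genkey --secret and ./easyrsa gen-crl.

```shell
#!/bin/sh
# Added example (not from the original post): a small lint for OpenVPN 2.3-era
# configs that reports hardening directives the tutorial's server.conf and
# client.ovpn leave out. Directive names are real OpenVPN options; the sample
# configs written by write_samples are constructed from the tutorial's text.

# has_directive FILE NAME: true if NAME starts a config line (CRLF tolerated).
has_directive() {
  tr -d '\r' < "$1" | grep -Eq '^[[:space:]]*'"$2"'([[:space:]]|$)'
}

# lint_ovpn_conf FILE ROLE(server|client): prints one finding per line,
# returns 0 only when nothing is missing.
lint_ovpn_conf() {
  file="$1"; role="$2"; findings=0
  need() {
    has_directive "$file" "$1" || { echo "MISSING $1: $2"; findings=$((findings + 1)); }
  }
  need cipher "2.3 defaults to BF-CBC (64-bit blocks); set cipher AES-256-CBC on both ends"
  need auth "data-channel HMAC defaults to SHA1; set auth SHA256 on both ends"
  need tls-version-min "set tls-version-min 1.2 so the control channel cannot fall back to older TLS"
  has_directive "$file" tls-auth || has_directive "$file" tls-crypt ||
    { echo "MISSING tls-auth: HMAC on the control channel (openvpn --genkey --secret ta.key)"; findings=$((findings + 1)); }
  if has_directive "$file" comp-lzo && ! has_directive "$file" 'comp-lzo[[:space:]]+no'; then
    echo "WARN comp-lzo: compressing tunnelled traffic enables VORACLE-style attacks; drop it"
    findings=$((findings + 1))
  fi
  case "$role" in
    server)
      need user "run as an unprivileged user after startup (user nobody)"
      need group "run as an unprivileged group after startup (group nobody)"
      need crl-verify "without a CRL a revoked client certificate keeps working (./easyrsa gen-crl)"
      ;;
    client)
      need remote-cert-tls "remote-cert-tls server rejects a peer that presents a client certificate as the server"
      ;;
  esac
  [ "$findings" -eq 0 ]
}

# write_samples DIR: constructed copies of the tutorial's two configs (trimmed)
# plus a hardened server.conf that passes the lint.
write_samples() {
  cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca /usr/local/share/doc/openvpn/ca.crt
cert /usr/local/share/doc/openvpn/server.crt
key /usr/local/share/doc/openvpn/server.key
dh /usr/local/share/doc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
EOF
  cat > "$1/client.ovpn" <<'EOF'
client
dev tun
proto udp
remote 192.168.1.100 1194
ca ca.crt
cert qiangsh.crt
key qiangsh.key
comp-lzo
verb 3
EOF
  cat > "$1/server-hardened.conf" <<'EOF'
port 1194
proto udp
dev tun
ca /usr/local/share/doc/openvpn/ca.crt
cert /usr/local/share/doc/openvpn/server.crt
key /usr/local/share/doc/openvpn/server.key
dh /usr/local/share/doc/openvpn/dh.pem
tls-auth /usr/local/share/doc/openvpn/ta.key 0
crl-verify /usr/local/share/doc/openvpn/crl.pem
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2
server 10.8.0.0 255.255.255.0
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
verb 3
EOF
}

# Stand-alone run: lint the three constructed files.
demo=$(mktemp -d)
write_samples "$demo"
for f in server.conf:server client.ovpn:client server-hardened.conf:server; do
  echo "== ${f%%:*} (${f##*:})"
  lint_ovpn_conf "$demo/${f%%:*}" "${f##*:}" && echo "no findings"
done
rm -rf "$demo"
```

Point it at the real files with lint_ovpn_conf /usr/local/share/doc/openvpn/server.conf server. Whatever is added on the server must be mirrored on the client: cipher, auth and tls-version-min go into client.ovpn as well, and the client gets tls-auth ta.key 1 (or key-direction 1) plus remote-cert-tls server.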
1. Start the openvpn service on the VPN server
[root@vpn ~]# /usr/local/sbin/openvpn --config /usr/local/share/doc/openvpn/server.conf &
[root@vpn ~]# echo "/usr/local/sbin/openvpn --config /usr/local/share/doc/openvpn/server.conf &" >> /etc/rc.local    # start at boot
2. In openvpn-gui, right-click, choose Connect and enter the password to connect
3. Check the VPN status