Environment:
openvpn server:
OS: CentOS Linux release 7.4 (Core)
External IP: 103.45.10.148/255.255.255.192
Internal IP: 10.45.10.148/255.255.255.192
Internal servers:
slave01:
OS: CentOS Linux release 7.4 (Core)
Internal IP: 10.45.10.151/255.255.255.192
slave02:
OS: CentOS Linux release 7.4 (Core)
Internal IP: 10.45.29.216/255.255.255.192
(Note that slave01 shares the VPN server's internal subnet, 10.45.10.128/26, while slave02 sits in a different one, 10.45.29.192/26; this matters for the routes in Part 3.)
Part 1: Install the OpenVPN server
1、Configure the yum repositories
~~~
[root@openvpn ~]# cd /etc/yum.repos.d/
[root@openvpn yum.repos.d]# ll
total 8
-rw-r--r-- 1 root root 1624 Oct 25 14:14 CentOS-Base.repo
-rw-r--r-- 1 root root 927 Mar 8 12:00 epel.repo
(The yum repositories are already configured here, so nothing further is needed.)
~~~
2、Configure time synchronisation
![](https://box.kancloud.cn/497aaa28f9b2e6f43181b47f2100834a_929x239.png)
If the clock is not in sync, configure it as follows. Do this before generating any certificates: the validity period of every certificate is stamped from this clock, and a client whose clock is far off will fail the TLS handshake.
~~~
[root@openvpn ~]# ntpdate time1.aliyun.com
14 Mar 20:18:15 ntpdate[27719]: adjust time server 203.107.6.88 offset 0.301728 sec
[root@manager ~]# crontab -e
#sync time
*/2 * * * * /usr/sbin/ntpdate time1.aliyun.com >/dev/null 2>&1
~~~
3、Install the dependencies and download OpenVPN 2.3.16
* Install the dependency packages
~~~
[root@openvpn ~]# yum -y install openssh-server lzo openssl openssl-devel pam-devel lzo-devel
~~~
* Download the packages
~~~
[root@openvpn ~]# cd /opt/tools/
[root@openvpn tools]# wget http://soft.51yuki.cn/openvpn-2.3.16.tar.gz
[root@openvpn tools]# wget http://soft.51yuki.cn/EasyRSA-2.2.2.tgz
~~~
* Build and install OpenVPN 2.3.16
~~~
[root@openvpn tools]# tar xf openvpn-2.3.16.tar.gz
[root@openvpn tools]# cd openvpn-2.3.16/
[root@openvpn openvpn-2.3.16]# ./configure --prefix=/usr/local/openvpn && make && make install
Change into /usr/local/openvpn and create two directories, server and client:
[root@openvpn openvpn]# pwd
/usr/local/openvpn
[root@openvpn openvpn]# mkdir server
[root@openvpn openvpn]# mkdir client
[root@openvpn server]# ln -sv /usr/local/openvpn/sbin/openvpn /usr/sbin/openvpn
‘/usr/sbin/openvpn’ -> ‘/usr/local/openvpn/sbin/openvpn’
~~~
* Generate the certificates with the EasyRSA scripts
~~~
1) Unpack EasyRSA-2.2.2.tgz and copy the unpacked directory into /usr/local/openvpn
[root@openvpn openvpn]# cd /opt/tools/
[root@openvpn tools]# tar xf EasyRSA-2.2.2.tgz
[root@openvpn tools]# cp -rf EasyRSA-2.2.2 /usr/local/openvpn/
[root@openvpn tools]# cd /usr/local/openvpn/EasyRSA-2.2.2/
[root@openvpn EasyRSA-2.2.2]#
2) Edit the vars file (every certificate generated later reads its defaults from this file)
[root@openvpn EasyRSA-2.2.2]# cp vars{,.ori}
[root@openvpn EasyRSA-2.2.2]# vim vars
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SH"
export KEY_CITY="shanghai"
export KEY_ORG="Pet"
export KEY_EMAIL="xhh_198605@163.com"
export KEY_OU="Ops"
[root@openvpn EasyRSA-2.2.2]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/openvpn/EasyRSA-2.2.2/keys
[root@openvpn EasyRSA-2.2.2]# ./clean-all
3) Generate the CA certificate (the ca.key created here signs every server and client certificate; it is the most sensitive file in this setup)
[root@openvpn EasyRSA-2.2.2]# ./build-ca
Generating a 2048 bit RSA private key
................+++
.....................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [shanghai]:
Organization Name (eg, company) [Pet]:
Organizational Unit Name (eg, section) [Ops]:
Common Name (eg, your name or your server's hostname) [Pet CA]:
Name [EasyRSA]:
Email Address [xhh_198605@163.com]:
4) Generate the Diffie-Hellman parameters (dh2048.pem, used for the TLS key exchange; these are public parameters, not a key)
[root@openvpn EasyRSA-2.2.2]# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
5) Generate the server certificate (build-key-server, unlike build-key, marks the certificate as a server certificate, which is what the clients' remote-cert-tls server directive checks)
[root@openvpn EasyRSA-2.2.2]# ./build-key-server server
Generating a 2048 bit RSA private key
.........................................................+++
...................................................................................................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [shanghai]:
Organization Name (eg, company) [Pet]:
Organizational Unit Name (eg, section) [Ops]:
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyRSA]:
Email Address [xhh_198605@163.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/openvpn/EasyRSA-2.2.2/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SH'
localityName :PRINTABLE:'shanghai'
organizationName :PRINTABLE:'Pet'
organizationalUnitName:PRINTABLE:'Ops'
commonName :PRINTABLE:'server'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'xhh_198605@163.com'
Certificate is to be certified until Mar 12 05:40:43 2028 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
6) Generate the client certificates (there are usually many of these; name each one after the employee it is issued to, for example:)
[root@openvpn EasyRSA-2.2.2]# ./build-key-pass louis    # louis is the employee's name
Generating a 2048 bit RSA private key
..........................................+++
...............................................................................................................................+++
writing new private key to 'louis.key'
Enter PEM pass phrase: <enter a passphrase>
Verifying - Enter PEM pass phrase: <enter it again>
(The client has to enter this passphrase every time it dials the VPN; it encrypts the private key file, so a copied louis.key is useless without it. build-key, used for the Linux host later on, creates a key without a passphrase.)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [shanghai]:
Organization Name (eg, company) [Pet]:
Organizational Unit Name (eg, section) [Ops]:
Common Name (eg, your name or your server's hostname) [louis]:
Name [EasyRSA]:
Email Address [xhh_198605@163.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/openvpn/EasyRSA-2.2.2/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SH'
localityName :PRINTABLE:'shanghai'
organizationName :PRINTABLE:'Pet'
organizationalUnitName:PRINTABLE:'Ops'
commonName :PRINTABLE:'louis'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'xhh_198605@163.com'
Certificate is to be certified until Mar 12 05:42:22 2028 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Check which files were generated (ca.key and the *.key files are mode 600; keep them that way wherever they are copied):
[root@openvpn EasyRSA-2.2.2]# ll keys/
total 84
-rw-r--r-- 1 root root 5372 Mar 15 13:40 01.pem
-rw-r--r-- 1 root root 5250 Mar 15 13:42 02.pem
-rw-r--r-- 1 root root 1659 Mar 15 13:36 ca.crt
-rw------- 1 root root 1704 Mar 15 13:36 ca.key
-rw-r--r-- 1 root root 424 Mar 15 13:38 dh2048.pem
-rw-r--r-- 1 root root 237 Mar 15 13:42 index.txt
-rw-r--r-- 1 root root 21 Mar 15 13:42 index.txt.attr
-rw-r--r-- 1 root root 21 Mar 15 13:40 index.txt.attr.old
-rw-r--r-- 1 root root 119 Mar 15 13:40 index.txt.old
-rw-r--r-- 1 root root 5250 Mar 15 13:42 louis.crt
-rw-r--r-- 1 root root 1058 Mar 15 13:42 louis.csr
-rw------- 1 root root 1834 Mar 15 13:42 louis.key
-rw-r--r-- 1 root root 3 Mar 15 13:42 serial
-rw-r--r-- 1 root root 3 Mar 15 13:40 serial.old
-rw-r--r-- 1 root root 5372 Mar 15 13:40 server.crt
-rw-r--r-- 1 root root 1058 Mar 15 13:40 server.csr
-rw------- 1 root root 1704 Mar 15 13:40 server.key
~~~
* Configure the server side on the openvpn server
~~~
[root@openvpn server]# openvpn --genkey --secret ta.key
[root@openvpn server]# pwd
/usr/local/openvpn/server
[root@openvpn server]# cp ../EasyRSA-2.2.2/keys/{ca.crt,ca.key,server.crt,server.key,dh2048.pem} .
[root@openvpn server]# ll
total 24
-rw-r--r-- 1 root root 1659 Mar 15 13:45 ca.crt
-rw------- 1 root root 1704 Mar 15 13:45 ca.key
-rw-r--r-- 1 root root 424 Mar 15 13:45 dh2048.pem
-rw-r--r-- 1 root root 5372 Mar 15 13:45 server.crt
-rw------- 1 root root 1704 Mar 15 13:45 server.key
[root@openvpn server]# cp /opt/tools/openvpn-2.3.16/sample/sample-config-files/server.conf .
[root@openvpn server]# ll
total 36
-rw-r--r-- 1 root root 1659 Mar 15 13:45 ca.crt
-rw------- 1 root root 1704 Mar 15 13:45 ca.key
-rw-r--r-- 1 root root 424 Mar 15 13:45 dh2048.pem
-rw-r--r-- 1 root root 10784 Mar 15 13:45 server.conf
-rw-r--r-- 1 root root 5372 Mar 15 13:45 server.crt
-rw------- 1 root root 1704 Mar 15 13:45 server.key
-rw------- 1 root root 636 Mar 15 13:50 ta.key
* Edit server.conf
(server.conf does not reference ca.key: the VPN server needs only ca.crt, server.crt, server.key, dh2048.pem and ta.key. Leave the CA private key in the EasyRSA keys directory, ideally on a machine that is not exposed to the internet, rather than in this directory.)
[root@openvpn server]# grep -vE "^$|^#|^;" server.conf
local 103.45.10.148
port 52115
proto tcp
dev tun
ca /usr/local/openvpn/server/ca.crt
cert /usr/local/openvpn/server/server.crt
key /usr/local/openvpn/server/server.key # This file should be kept secret
dh /usr/local/openvpn/server/dh2048.pem
server 172.25.200.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.45.10.128 255.255.255.192"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn
verb 3
~~~
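To make the review of the server.conf above repeatable, here is an added example in POSIX shell; it is not part of the original page and not OpenVPN's own tooling. It scans a server.conf for the directives a security review would flag (in this config duplicate-cn, client-to-client and comp-lzo) plus the hardening it lacks (user/group, crl-verify, tls-version-min, auth), and prints a hardened copy. The CRL path /usr/local/openvpn/server/crl.pem is an assumption: the CRL is produced by EasyRSA's revoke-full script and must exist before OpenVPN will start with crl-verify. The page's configuration is embedded as the sample input.

```shell
#!/bin/sh
# Added example, not from the page or from OpenVPN: audit a server.conf for the settings
# a security review would flag, and emit a hardened copy.

# has_directive FILE NAME: true when NAME is an active (uncommented) directive in FILE.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# audit_server_conf FILE: one finding per line on stdout; prints nothing for a clean file.
audit_server_conf() {
    f=$1
    # directives that are present and weaken the deployment
    if has_directive "$f" duplicate-cn; then
        echo "duplicate-cn: one certificate can be shared by several people, so per-employee attribution and revocation are lost"
    fi
    if has_directive "$f" client-to-client; then
        echo "client-to-client: VPN clients can talk to each other, not only to the pushed LAN routes"
    fi
    if has_directive "$f" comp-lzo; then
        echo "comp-lzo: compressing plaintext before encryption can leak information about it (VORACLE); remove unless required"
    fi
    # hardening that is absent
    if ! has_directive "$f" user || ! has_directive "$f" group; then
        echo "user/group: the daemon keeps root after start-up; add 'user nobody' and 'group nobody'"
    fi
    if ! has_directive "$f" crl-verify; then
        echo "crl-verify: without a CRL a revoked employee certificate is still accepted"
    fi
    if ! has_directive "$f" tls-version-min; then
        echo "tls-version-min: older TLS versions remain negotiable; add 'tls-version-min 1.2'"
    fi
    if ! has_directive "$f" auth; then
        echo "auth: the HMAC defaults to SHA1; add 'auth SHA256' (must match on the clients)"
    fi
}

# count_findings FILE: number of findings as a plain integer.
count_findings() {
    audit_server_conf "$1" | grep -c . || true
}

# harden_server_conf FILE: the same config with the weak directives dropped and the
# missing ones appended. The crl.pem path is an assumption; create the CRL with
# EasyRSA's revoke-full before starting the server with this file.
harden_server_conf() {
    grep -Ev '^[[:space:]]*(duplicate-cn|client-to-client|comp-lzo)([[:space:]]|$)' "$1" || true
    cat <<'EOF'
user nobody
group nobody
crl-verify /usr/local/openvpn/server/crl.pem
tls-version-min 1.2
auth SHA256
EOF
}

# write_page_conf PATH: the server.conf from this page, embedded as sample input.
write_page_conf() {
    cat > "$1" <<'EOF'
local 103.45.10.148
port 52115
proto tcp
dev tun
ca /usr/local/openvpn/server/ca.crt
cert /usr/local/openvpn/server/server.crt
key /usr/local/openvpn/server/server.key # This file should be kept secret
dh /usr/local/openvpn/server/dh2048.pem
server 172.25.200.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.45.10.128 255.255.255.192"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn
verb 3
EOF
}

# Demo: audit the page's config, then the hardened copy.
tmp=$(mktemp -d)
write_page_conf "$tmp/server.conf"
audit_server_conf "$tmp/server.conf"
harden_server_conf "$tmp/server.conf" > "$tmp/server.hardened.conf"
echo "findings before: $(count_findings "$tmp/server.conf"), after: $(count_findings "$tmp/server.hardened.conf")"
rm -rf "$tmp"
```

Run it against the real file with `audit_server_conf /usr/local/openvpn/server/server.conf`. Dropping comp-lzo and adding auth SHA256 changes what the clients must send, so the client configs have to be updated at the same time, and user/group nobody only works because persist-key and persist-tun are already set.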
* Prepare the client files on the openvpn server
~~~
[root@openvpn client]# cp ../EasyRSA-2.2.2/keys/{ca.crt,louis.crt,louis.key} .
[root@openvpn client]# cp ../server/ta.key .
[root@openvpn client]# cp /opt/tools/openvpn-2.3.16/sample/sample-config-files/client.conf .
[root@openvpn client]# ll
total 24
-rw-r--r-- 1 root root 1659 Mar 15 13:52 ca.crt
-rw-r--r-- 1 root root 3586 Mar 15 13:53 client.conf
-rw-r--r-- 1 root root 5250 Mar 15 13:52 louis.crt
-rw------- 1 root root 1834 Mar 15 13:52 louis.key
-rw------- 1 root root 636 Mar 15 13:53 ta.key
(For every additional client, copy that client's certificate and private key into this directory, then send client.conf, ca.crt, ta.key and the user's own certificate and key to that user, who can then connect from their own device; the steps are shown below. Send the private key and ta.key only over an authenticated, encrypted channel: ta.key is the same for the server and every client, so one leaked copy removes the tls-auth protection for all of them.)
* Configure client.conf
[root@openvpn client]# grep -vE "^$|^#|^;" client.conf
client
dev tun
proto tcp
remote 103.45.10.148 52115
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert louis.crt
key louis.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
~~~
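Handing out five separate files per user, as described above, is error-prone; OpenVPN also accepts the certificate material inline in the profile. The following added example (not part of the original page and not an OpenVPN script) bundles one client's material into a single .ovpn with inline ca, cert, key and tls-auth blocks, using the same directives as the client.conf above, and writes it with mode 600. The remote address and port are the page's; the PEM bodies written by make_demo_material are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the page or from OpenVPN: bundle one client's material into a
# single .ovpn with inline <ca>, <cert>, <key> and <tls-auth> blocks.

# pem_block TAG FILE: print FILE's PEM section wrapped in <TAG>...</TAG>. EasyRSA .crt
# files carry a text dump before the PEM; only the BEGIN..END lines are kept.
pem_block() {
    printf '<%s>\n' "$1"
    sed -n '/^-----BEGIN/,/^-----END/p' "$2"
    printf '</%s>\n' "$1"
}

# make_ovpn NAME SRCDIR REMOTE PORT: print the unified profile on stdout.
# Fails (status 1) if any of the four input files is missing or unreadable.
make_ovpn() {
    name=$1; src=$2; remote=$3; port=$4
    for f in ca.crt "$name.crt" "$name.key" ta.key; do
        [ -r "$src/$f" ] || { echo "make_ovpn: missing $src/$f" >&2; return 1; }
    done
    # same directives as the page's client.conf; "key-direction 1" replaces "tls-auth ta.key 1"
    cat <<EOF
client
dev tun
proto tcp
remote $remote $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
key-direction 1
verb 3
EOF
    pem_block ca "$src/ca.crt"
    pem_block cert "$src/$name.crt"
    pem_block key "$src/$name.key"
    pem_block tls-auth "$src/ta.key"
}

# write_ovpn NAME SRCDIR REMOTE PORT OUT: write the profile with mode 600, since it now
# contains the private key and ta.key; leaves no file behind on failure.
write_ovpn() {
    ( umask 077; make_ovpn "$1" "$2" "$3" "$4" > "$5" ) || { rm -f "$5"; return 1; }
}

# make_demo_material DIR: constructed stand-ins for the files EasyRSA produced above.
make_demo_material() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CA' '-----END CERTIFICATE-----' > "$1/ca.crt"
    printf '%s\n' 'Certificate:' '    Data:' '        Subject: CN=louis' \
        '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-LOUIS' '-----END CERTIFICATE-----' > "$1/louis.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'CONSTRUCTED-KEY' '-----END RSA PRIVATE KEY-----' > "$1/louis.key"
    printf '%s\n' '# 2048 bit OpenVPN static key' '-----BEGIN OpenVPN Static key V1-----' \
        'CONSTRUCTED-TA' '-----END OpenVPN Static key V1-----' > "$1/ta.key"
}

# Demo: build louis.ovpn from the placeholders and show the result.
tmp=$(mktemp -d)
make_demo_material "$tmp"
write_ovpn louis "$tmp" 103.45.10.148 52115 "$tmp/louis.ovpn"
cat "$tmp/louis.ovpn"
ls -l "$tmp/louis.ovpn"
rm -rf "$tmp"
```

On the server the real call is `write_ovpn louis /usr/local/openvpn/client 103.45.10.148 52115 /usr/local/openvpn/client/louis.ovpn`; the resulting file goes straight into the Windows config directory or /etc/openvpn/client without renaming anything. Because the passphrase set by build-key-pass is inside the encrypted key block, the bundled file still prompts for it on connect.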
* Copy the service script bundled with the source into /etc/init.d/
~~~
[root@openvpn client]# cp /opt/tools/openvpn-2.3.16/distro/rpm/openvpn.init.d.rhel /etc/init.d/openvpn
[root@openvpn client]# chmod 700 /etc/init.d/openvpn
[root@openvpn client]# chkconfig --add openvpn
[root@openvpn client]# chkconfig openvpn on
[root@openvpn client]# sed -i "s@work=/etc/openvpn@work=/usr/local/openvpn/server@g" /etc/init.d/openvpn
[root@openvpn client]# systemctl daemon-reload
[root@openvpn client]# service openvpn start
Starting openvpn (via systemctl): [ OK ]
[root@openvpn client]# ss -tunlp|grep 52115
tcp LISTEN 0 1 103.45.10.148:52115 *:* users:(("openvpn",pid=12335,fd=5))
~~~
* Configure the firewall on the openvpn server
~~~
[root@openvpn ~]# setenforce 0
setenforce: SELinux is disabled
Enable IP forwarding
[root@openvpn ~]# vim /etc/sysctl.conf     (add the line net.ipv4.ip_forward = 1)
[root@openvpn ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@openvpn client]# systemctl stop firewalld
[root@openvpn client]# systemctl disable firewalld
[root@openvpn client]# yum -y install iptables-services
Allow port 52115 (the server runs proto tcp, so the UDP rule is not needed; it is harmless but opens nothing useful). Check the FORWARD chain as well: the stock /etc/sysconfig/iptables ends it with a REJECT, and in that case traffic between tun0 and the internal interface must be accepted there or the tests in Part 3 will fail.
[root@openvpn ~]# iptables -I INPUT -p tcp --dport 52115 -j ACCEPT
[root@openvpn ~]# iptables -I INPUT -p udp --dport 52115 -j ACCEPT
[root@openvpn ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@openvpn ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
~~~
Part 2: Client configuration
1) Windows
Step 1: copy the client files from the server to the local PC, for example with xftp
![](https://box.kancloud.cn/094e8f68a815f0c8f26aaead5d824e7b_1128x427.png)
Step 2: install the OpenVPN GUI
http://soft.51yuki.cn/openvpn-install-2.3.14-I601-x86_64.exe
(This is a mirror of the installer; when in doubt, take it from the official OpenVPN download page and check the installer's digital signature before running it.)
Step 3: with the default install location C:\Program Files\OpenVPN, create a config directory there if it does not exist, copy the client files (ca.crt, client.conf, louis.crt, louis.key, ta.key) into it, and rename client.conf to client.ovpn
![](https://box.kancloud.cn/2bcc7cd8f8c52e28769b3cf4ee9469ac_715x362.png)
Step 4: run the OpenVPN GUI as administrator and click Connect
![](https://box.kancloud.cn/b52341f3555a0be31153d7fcfb79f00b_310x301.png)
![](https://box.kancloud.cn/3791eceae60dd4f836d50466ced1183a_590x380.png)(The prompt that appears asks for the passphrase entered when ./build-key-pass generated the client certificate.)
![](https://box.kancloud.cn/d06310c26d31875044df249c32a9cee5_324x178.png)
2) Linux (CentOS 7.3 as the example)
Step 1: first generate a client certificate on the openvpn server
~~~
[root@openvpn EasyRSA-2.2.2]# ./build-key node1.51yuki.cn    # build-key: no passphrase, so the service can start unattended
[root@openvpn EasyRSA-2.2.2]# cp keys/node1.51yuki.cn.crt keys/node1.51yuki.cn.key ../client/
[root@openvpn EasyRSA-2.2.2]# cd ../client/
[root@openvpn client]# ll
total 36
-rw-r--r-- 1 root root 1659 Mar 15 13:52 ca.crt
-rw-r--r-- 1 root root 3549 Mar 15 13:56 client.conf
-rw-r--r-- 1 root root 5250 Mar 15 13:52 louis.crt
-rw------- 1 root root 1834 Mar 15 13:52 louis.key
-rw-r--r-- 1 root root 5276 Mar 15 14:20 node1.51yuki.cn.crt
-rw------- 1 root root 1704 Mar 15 14:20 node1.51yuki.cn.key
-rw------- 1 root root 636 Mar 15 13:53 ta.key
[root@openvpn client]# cp client.conf node1.51yuki.cn.conf
[root@openvpn client]# vim node1.51yuki.cn.conf    (change the cert and key lines to node1.51yuki.cn.crt and node1.51yuki.cn.key)
[root@openvpn client]# mv node1.51yuki.cn.conf node1.conf
[root@openvpn client]# ll
total 40
-rw-r--r-- 1 root root 1659 Mar 15 13:52 ca.crt
-rw-r--r-- 1 root root 3549 Mar 15 13:56 client.conf
-rw-r--r-- 1 root root 5250 Mar 15 13:52 louis.crt
-rw------- 1 root root 1834 Mar 15 13:52 louis.key
-rw-r--r-- 1 root root 5276 Mar 15 14:20 node1.51yuki.cn.crt
-rw------- 1 root root 1704 Mar 15 14:20 node1.51yuki.cn.key
-rw-r--r-- 1 root root 3569 Mar 15 14:21 node1.conf
-rw------- 1 root root 636 Mar 15 13:53 ta.key
~~~
Step 2: on the Linux client
* Install OpenVPN (the yum package comes from EPEL; on CentOS 7 it is 2.4.x, which also ships the openvpn-client@ unit used below)
~~~
[root@node1 ~]# yum -y install openvpn
[root@node1 client]# ll
total 24
-rw-r--r--. 1 root root 1659 Mar 15 14:23 ca.crt
-rw-r--r--. 1 root root 5276 Mar 15 14:23 node1.51yuki.cn.crt
-rw-r--r--. 1 root root 1704 Mar 15 14:23 node1.51yuki.cn.key
-rw-r--r--. 1 root root 3569 Mar 15 14:23 node1.conf
-rw-r--r--. 1 root root 636 Mar 15 14:23 ta.key
[root@node1 client]# pwd
/etc/openvpn/client
~~~
(The copy left node1.51yuki.cn.key and ta.key world-readable; restore mode 600 on both before starting the service.)
* Start the service
~~~
[root@node1 system]# systemctl start openvpn-client@node1
~~~
(The instance name node1 is the basename of the .conf file in /etc/openvpn/client; mine is node1.conf, so the unit is openvpn-client@node1.)
~~~
[root@node1 system]# ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 172.25.200.10 netmask 255.255.255.255 destination 172.25.200.9
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
~~~
* Then test whether tun0 on the server and the openvpn server's internal IP can be reached
~~~
[root@node1 system]# ping 172.25.200.1
PING 172.25.200.1 (172.25.200.1) 56(84) bytes of data.
64 bytes from 172.25.200.1: icmp_seq=1 ttl=64 time=27.8 ms
64 bytes from 172.25.200.1: icmp_seq=2 ttl=64 time=27.7 ms
64 bytes from 172.25.200.1: icmp_seq=3 ttl=64 time=27.0 ms
64 bytes from 172.25.200.1: icmp_seq=4 ttl=64 time=27.4 ms
64 bytes from 172.25.200.1: icmp_seq=5 ttl=64 time=27.5 ms
64 bytes from 172.25.200.1: icmp_seq=6 ttl=64 time=36.2 ms
^C
--- 172.25.200.1 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5008ms
rtt min/avg/max/mdev = 27.052/28.987/36.235/3.252 ms
[root@node1 system]# ping 10.45.10.148
PING 10.45.10.148 (10.45.10.148) 56(84) bytes of data.
64 bytes from 10.45.10.148: icmp_seq=1 ttl=64 time=26.9 ms
64 bytes from 10.45.10.148: icmp_seq=2 ttl=64 time=27.4 ms
64 bytes from 10.45.10.148: icmp_seq=3 ttl=64 time=27.6 ms
64 bytes from 10.45.10.148: icmp_seq=4 ttl=64 time=28.0 ms
64 bytes from 10.45.10.148: icmp_seq=5 ttl=64 time=27.5 ms
^C
--- 10.45.10.148 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4003ms
rtt min/avg/max/mdev = 26.978/27.545/28.096/0.356 ms
[root@node1 system]# scp /etc/hosts root@10.45.10.148:/tmp
The authenticity of host '10.45.10.148 (10.45.10.148)' can't be established.
ECDSA key fingerprint is SHA256:2LDr2C1IMRfrRTj8d0Djs6JMZdGWmw4hSFqvAObRHYc.
ECDSA key fingerprint is MD5:d1:6e:12:94:b7:bd:91:30:1a:ee:ea:a9:0d:1f:c7:f0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.45.10.148' (ECDSA) to the list of known hosts.
root@10.45.10.148's password:
Permission denied, please try again.
root@10.45.10.148's password:
hosts 100% 158 5.5KB/s 00:00
[root@node1 system]#
(These tests show that, from a client with the VPN up, both the VPN server's tun0 address and its internal IP answer ping, and files can be copied to the openvpn server.)
~~~
Part 3: From a PC with the VPN up, reach the internal IPs of slave01 and slave02
~~~
C:\Users\Administrator>ping 10.45.10.151
Pinging 10.45.10.151 with 32 bytes of data:
Request timed out.
Request timed out.
~~~
The requests do reach slave01 (the route for 10.45.10.128/26 was pushed to the client), but slave01 has no route back to 172.25.200.0/24 and sends its replies to its default gateway, so they never return. Either give the internal server a return route, or hide the VPN subnet behind the openvpn server's internal address.
Method 1: add a return route on the internal server
[root@slave02 ~]# route add -net 172.25.200.0/24 gw 10.45.10.148
[root@slave02 ~]# echo "route add -net 172.25.200.0/24 gw 10.45.10.148" >> /etc/rc.local
(This only works on a host that shares the 10.45.10.128/26 subnet with the openvpn server, such as slave01 at 10.45.10.151. On slave02, 10.45.29.216/26, the gateway 10.45.10.148 is not directly reachable and Linux rejects the route, so slave02 needs method 2 or a route on its own subnet's gateway. On CentOS 7, /etc/rc.d/rc.local is only executed at boot if it is marked executable.)
Then test
~~~
C:\Users\Administrator>ping 10.45.10.151
Pinging 10.45.10.151 with 32 bytes of data:
Reply from 10.45.10.151: bytes=32 time=28ms TTL=63
Reply from 10.45.10.151: bytes=32 time=28ms TTL=63
Reply from 10.45.10.151: bytes=32 time=28ms TTL=63
Reply from 10.45.10.151: bytes=32 time=28ms TTL=63
On the Linux client
[root@node1 system]# ssh root@10.45.10.151
The authenticity of host '10.45.10.151 (10.45.10.151)' can't be established.
ECDSA key fingerprint is SHA256:2LDr2C1IMRfrRTj8d0Djs6JMZdGWmw4hSFqvAObRHYc.
ECDSA key fingerprint is MD5:d1:6e:12:94:b7:bd:91:30:1a:ee:ea:a9:0d:1f:c7:f0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.45.10.151' (ECDSA) to the list of known hosts.
root@10.45.10.151's password:
Permission denied, please try again.
root@10.45.10.151's password:
Last failed login: Thu Mar 15 14:37:34 CST 2018 from 172.25.200.10 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Thu Mar 15 14:33:55 2018 from 180.169.194.190
[root@slave02 ~]#
~~~
Method 2: configure NAT (source address translation) on the openvpn server, so that packets from the VPN subnet leave eth1 with the server's internal address and the internal servers need no extra route. The trade-off is that every VPN client then appears to slave01/slave02 as 10.45.10.148, so their logs no longer show which client connected; method 1 keeps the 172.25.200.x source addresses (see the "from 172.25.200.10" in the failed-login line above).
~~~
[root@openvpn ~]# iptables -t nat -A POSTROUTING -s 172.25.200.0/24 -o eth1 -j SNAT --to-s
[root@openvpn ~]# iptables -t nat -I POSTROUTING -s 172.25.200.0/24 -o eth1 -j MASQUERADE
~~~
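The failure at the start of Part 3 and the difference between slave01 and slave02 come down to subnet arithmetic. The following added example (not part of the original page) in POSIX shell computes, from the addresses above, which network a host is in, whether a return route via 10.45.10.148 is even possible on it, and which push "route" lines the server needs so that clients can reach both internal servers; it generalises to any list of host/prefix pairs. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the page: the IPv4 subnet arithmetic behind Part 3.
# Addresses are the page's; the function names are this example's own.

# ip2int A.B.C.D -> unsigned 32-bit integer
ip2int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip N -> A.B.C.D
int2ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# mask_of PREFIXLEN -> netmask as an integer (26 -> 0xFFFFFFC0)
mask_of() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# network_of IP PREFIXLEN -> network address, e.g. 10.45.10.151 26 -> 10.45.10.128
network_of() {
    int2ip $(( $(ip2int "$1") & $(mask_of "$2") ))
}

# same_subnet IP1 IP2 PREFIXLEN: true when both addresses are in the same network
same_subnet() {
    [ "$(network_of "$1" "$3")" = "$(network_of "$2" "$3")" ]
}

# push_routes CIDR...: the push "route" lines the server needs so that clients can
# reach every listed host, one line per distinct network, in first-seen order.
push_routes() {
    seen=" "
    for cidr in "$@"; do
        ip=${cidr%/*}
        p=${cidr#*/}
        net=$(network_of "$ip" "$p")
        case $seen in *" $net/$p "*) continue ;; esac
        seen="$seen$net/$p "
        printf 'push "route %s %s"\n' "$net" "$(int2ip "$(mask_of "$p")")"
    done
}

# return_route HOST PREFIXLEN GATEWAY VPNNET: method 1 needs the gateway to be on-link
# for HOST; print the route command if it is, otherwise explain on stderr and fail.
return_route() {
    if same_subnet "$1" "$3" "$2"; then
        echo "route add -net $4 gw $3"
    else
        echo "$3 is not on $(network_of "$1" "$2")/$2, so $1 cannot route via it: use NAT on the VPN server (method 2) or a route on that subnet's gateway" >&2
        return 1
    fi
}

# Demo with the page's hosts: server 10.45.10.148/26, slave01 10.45.10.151/26, slave02 10.45.29.216/26.
echo "routes the server should push:"
push_routes 10.45.10.148/26 10.45.10.151/26 10.45.29.216/26
echo "return route on slave01:"
return_route 10.45.10.151 26 10.45.10.148 172.25.200.0/24
echo "return route on slave02:"
return_route 10.45.29.216 26 10.45.10.148 172.25.200.0/24 || true
```

The push_routes output shows that the server.conf above only covers slave01's network; a second `push "route 10.45.29.192 255.255.255.192"` is needed before a client can even send packets towards slave02, and because 10.45.10.148 is not on-link for slave02, those packets can only come back via the NAT rule of method 2.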