OpenVPN Installation and Configuration

The environment is simulated with Hyper-V virtual machines, configured as follows:

[Image: 20240507163511]

| Role | OS version | Network connection | IP | Host type |
|---|---|---|---|---|
| Client | Windows 11 | LAN | 192.168.23.220 | physical machine |
| OpenVPN server | Rocky 9 | LAN (bridged network) | 192.168.23.40 | Hyper-V VM |
| OpenVPN server (second NIC) | Rocky 9 | internal network | 192.168.200.10 | Hyper-V VM |
| Internal server 1 | Ubuntu 22.04 | internal network | 192.168.200.20 | Hyper-V VM |
| Internal server 2 | Windows Server 2019 | internal network | 192.168.200.30 | Hyper-V VM |

Check and install the software packages

  • openvpn: the OpenVPN server
  • easy-rsa: certificate management tool
[root@rocky9 ~]# yum list openvpn easy-rsa
Last metadata expiration check: 0:01:03 ago on Mon 29 Apr 2024 04:56:08 PM CST.
Available Packages
easy-rsa.noarch 3.1.6-1.el9 epel
openvpn.x86_64 2.5.9-2.el9 epel

[root@rocky9 ~]# yum install -y openvpn easy-rsa

Prepare the certificate generation environment

[root@rocky9 ~]# rpm -ql easy-rsa
/usr/share/doc/easy-rsa
/usr/share/doc/easy-rsa/COPYING.md
/usr/share/doc/easy-rsa/ChangeLog
/usr/share/doc/easy-rsa/README.md
/usr/share/doc/easy-rsa/README.quickstart.md
/usr/share/doc/easy-rsa/vars.example
/usr/share/easy-rsa
/usr/share/easy-rsa/3
/usr/share/easy-rsa/3.0
/usr/share/easy-rsa/3.1.6
/usr/share/easy-rsa/3.1.6/easyrsa
/usr/share/easy-rsa/3.1.6/openssl-easyrsa.cnf
/usr/share/easy-rsa/3.1.6/x509-types
/usr/share/easy-rsa/3.1.6/x509-types/COMMON
/usr/share/easy-rsa/3.1.6/x509-types/ca
/usr/share/easy-rsa/3.1.6/x509-types/client
/usr/share/easy-rsa/3.1.6/x509-types/code-signing
/usr/share/easy-rsa/3.1.6/x509-types/email
/usr/share/easy-rsa/3.1.6/x509-types/kdc
/usr/share/easy-rsa/3.1.6/x509-types/server
/usr/share/easy-rsa/3.1.6/x509-types/serverClient
/usr/share/licenses/easy-rsa
/usr/share/licenses/easy-rsa/COPYING.md
/usr/share/licenses/easy-rsa/gpl-2.0.txt

[root@rocky9 ~]# ll /usr/share/easy-rsa/
total 0
lrwxrwxrwx 1 root root 5 Aug 24 2023 3 -> 3.1.6
lrwxrwxrwx 1 root root 5 Aug 24 2023 3.0 -> 3.1.6
drwxr-xr-x 3 root root 66 Apr 29 17:00 3.1.6
## Prepare the certificate generation directory
[root@rocky9 3]# mkdir /etc/openvpn/easy-rsa-server

## Prepare the certificate-issuing files
[root@rocky9 3]# cp -r /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa-server

## Prepare the variables file used when issuing certificates
[root@rocky9 3]# cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn/easy-rsa-server/vars

## Adjust the validity period of the CA certificate and the OpenVPN server certificate; it can be lengthened as appropriate
[root@rocky9 3]# vim /etc/openvpn/easy-rsa-server/vars
## The default subject fields for issued certificates can be changed (optional)
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "HuBei"
set_var EASYRSA_REQ_CITY "YC"
set_var EASYRSA_REQ_ORG "xcjyc.top"
set_var EASYRSA_REQ_EMAIL "mail@xcjyc.top"
set_var EASYRSA_REQ_OU "My Website Unit"
## The CA certificate validity defaults to 3650 days; it can be extended
set_var EASYRSA_CA_EXPIRE 36500
## Server certificates default to 825 days; this can be extended
set_var EASYRSA_CERT_EXPIRE 18250

## Create the OpenVPN server configuration file from the sample
[root@rocky9 3]# cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/

## The resulting directory structure
[root@rocky9 ~]# tree /etc/openvpn/
/etc/openvpn/
├── client
├── easy-rsa-server
│   ├── easyrsa
│   ├── openssl-easyrsa.cnf
│   ├── vars
│   └── x509-types
│       ├── COMMON
│       ├── ca
│       ├── client
│       ├── code-signing
│       ├── email
│       ├── kdc
│       ├── server
│       └── serverClient
├── server
└── server.conf

4 directories, 12 files

Initialize the PKI environment

## Change into the prepared easyrsa directory
[root@rocky9 ~]# cd /etc/openvpn/easy-rsa-server/

## easyrsa script help
[root@rocky9 easy-rsa-server]# ./easyrsa

Easy-RSA 3 usage and overview

USAGE: easyrsa [global-options] COMMAND [command-options]

To get detailed usage and help for a command, use:
./easyrsa help COMMAND

For a list of global-options, use:
./easyrsa help options

A list of commands is shown below:
init-pki [ cmd-opts ]
build-ca [ cmd-opts ]
gen-dh
gen-req <file_name_base> [ cmd-opts ]
sign-req <type> <file_name_base> [ cmd-opts ]
build-client-full <file_name_base> [ cmd-opts ]
build-server-full <file_name_base> [ cmd-opts ]
build-serverClient-full <file_name_base> [ cmd-opts ]
inline <file_name_base>
revoke <file_name_base> [ cmd-opts ]
renew <file_name_base>
revoke-renewed <file_name_base> [ cmd-opts ]
rewind-renew <certificate_serial_number>
rebuild <file_name_base> [ cmd-opts ]
gen-crl
update-db
make-safe-ssl
show-req <file_name_base> [ cmd-opts ]
show-cert <file_name_base> [ cmd-opts ]
show-ca [ cmd-opts ]
show-crl
show-expire <file_name_base> (Optional)
show-revoke <file_name_base> (Optional)
show-renew <file_name_base> (Optional)
verify-cert <file_name_base>
import-req <request_file_path> <short_name_base>
export-p1 <file_name_base> [ cmd-opts ]
export-p7 <file_name_base> [ cmd-opts ]
export-p8 <file_name_base> [ cmd-opts ]
export-p12 <file_name_base> [ cmd-opts ]
set-pass <file_name_base> [ cmd-opts ]
upgrade <type>

DIRECTORY STATUS (commands would take effect on these locations)
EASYRSA: /etc/openvpn/easy-rsa-server
PKI: /etc/openvpn/easy-rsa-server/pki
vars-file: /etc/openvpn/easy-rsa-server/vars
x509-types: /etc/openvpn/easy-rsa-server/x509-types
CA status: CA has not been built

IMPORTANT:
The preferred location for 'vars' is within the PKI folder.
To silence this message move your 'vars' file to your PKI
or declare your 'vars' file with option: --vars=<FILE>

## Initialize the PKI; this creates the pki directory and its related files under the current directory
[root@rocky9 easy-rsa-server]# ./easyrsa init-pki

Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* /etc/openvpn/easy-rsa-server/pki

Using Easy-RSA configuration:
* /etc/openvpn/easy-rsa-server/vars

IMPORTANT:
The preferred location for 'vars' is within the PKI folder.
To silence this message move your 'vars' file to your PKI
or declare your 'vars' file with option: --vars=<FILE>

## The generated PKI
[root@rocky9 easy-rsa-server]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│   ├── inline
│   ├── openssl-easyrsa.cnf
│   ├── private
│   ├── reqs
│   └── vars.example
├── vars
└── x509-types
    ├── COMMON
    ├── ca
    ├── client
    ├── code-signing
    ├── email
    ├── kdc
    ├── server
    └── serverClient

5 directories, 13 files

Create the CA

## Create the CA. If you do not want a passphrase on the CA key, add the "nopass" argument, e.g.: [root@rocky9 easy-rsa-server]# ./easyrsa build-ca nopass

[root@rocky9 easy-rsa-server]# ./easyrsa build-ca
Using Easy-RSA 'vars' configuration:
* /etc/openvpn/easy-rsa-server/vars

IMPORTANT:
The preferred location for 'vars' is within the PKI folder.
To silence this message move your 'vars' file to your PKI
or declare your 'vars' file with option: --vars=<FILE>

Using SSL:
* openssl OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)

## (set the CA key passphrase here)
Enter New CA Key Passphrase:

Confirm New CA Key Passphrase:
....+.+..............+.+...+..+....+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...........+.+..............+...+................+..+...+.+.........+......+.....+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+.....+......+.......+...+.....+.+........+......+....+...........+.+...+..+................+...+......+.....+.........................+......+..+................+..+.........+............................+...+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.+.+.....+.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.........+...+..+.+.........+..+....+..+....+...+......+...........+....+......+......+..+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+...+...+...+.......+...+.....+...................+..+...+......+.+...........+....+......+...+...........+...+.+..............+...+.......+........+...............+.......+...............+.....+......+....+..+....+...........+.+..+.+............+........+.+...+..+................+............+..+......+...+.+........+.+......+..........................+....+...+.....+.......+...+..+.+...+...........+.+.........+...+..+................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
## (press Enter here to accept the default value)
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

Notice
------
CA creation complete. Your new CA certificate is at:
* /etc/openvpn/easy-rsa-server/pki/ca.crt

## Inspect the CA files that were created
### Self-signed CA certificate: ./pki/ca.crt
### Private key: ./pki/private/ca.key
### Certificate index: ./pki/index.txt
[root@rocky9 easy-rsa-server]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│   ├── ca.crt
│   ├── certs_by_serial
│   ├── index.txt
│   ├── index.txt.attr
│   ├── inline
│   ├── issued
│   ├── openssl-easyrsa.cnf
│   ├── private
│   │   └── ca.key
│   ├── reqs
│   ├── revoked
│   │   ├── certs_by_serial
│   │   ├── private_by_serial
│   │   └── reqs_by_serial
│   ├── serial
│   └── vars.example
├── vars
└── x509-types
    ├── COMMON
    ├── ca
    ├── client
    ├── code-signing
    ├── email
    ├── kdc
    ├── server
    └── serverClient

11 directories, 18 files

Create the server certificate

## Create the server certificate request; "nopass" means the key file is not encrypted, and "server" is the file-name prefix.

[root@rocky9 easy-rsa-server]# ./easyrsa gen-req server nopass
Using Easy-RSA 'vars' configuration:
* /etc/openvpn/easy-rsa-server/vars

IMPORTANT:
The preferred location for 'vars' is within the PKI folder.
To silence this message move your 'vars' file to your PKI
or declare your 'vars' file with option: --vars=<FILE>

Using SSL:
* openssl OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
......+.+......+........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+....+...+......+....................+.+.....+.+........+.+...+...............+..+.+........+....+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+.+...+..+........................+......+..........+.....+....+..............+....+.....+...+....+...+...+........+......+......+.......+...+............+..+....+.....+......+.+.........+.....+...+...+.......+.....+.+...............+......+.....+.+.........+...+..+.+........+.+.....+......+.........+.............+..+...+...+..........+........+.+...+.....+.+...........+.+...+..............+......+.....................+.+..+...+....+........+..................+....+.....+....+......+........+.......+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.....+......+...+.+......+.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+..............+.............+.....+....+.....+.+.....+...+.......+..+.+......+.........+.....+.........+.............+...+..............+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+...+..+......+...+....+..+.+............+.....+.+...............+..+.......+...+..+.+..+...+...............+.......+....................+..........+...............+..............+....+......+......+...+..+............+.......+.....+....+...........+......+....+..............+............+....+...+..+......+...+.......+..+.......+...+.....+............+...+...+....+.....+..........+.........+............+..+..........+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:
## Press Enter to confirm
Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /etc/openvpn/easy-rsa-server/pki/reqs/server.req
* key: /etc/openvpn/easy-rsa-server/pki/private/server.key
## Issue the server certificate; the first "server" is the certificate type, the second is the file-name prefix

[root@rocky9 easy-rsa-server]# ./easyrsa sign server server
Using Easy-RSA 'vars' configuration:
* /etc/openvpn/easy-rsa-server/vars

IMPORTANT:
The preferred location for 'vars' is within the PKI folder.
To silence this message move your 'vars' file to your PKI
or declare your 'vars' file with option: --vars=<FILE>

Using SSL:
* openssl OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
You are about to sign the following certificate:
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate
for '18250' days:

subject=
commonName = server

Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
## Type yes to confirm
Using configuration from /etc/openvpn/easy-rsa-server/pki/openssl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa-server/pki/private/ca.key:
## Enter the CA passphrase set earlier
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Apr 18 05:24:37 2074 GMT (18250 days)

Write out database with 1 new entries
Data Base Updated

Notice
------
Certificate created at:
* /etc/openvpn/easy-rsa-server/pki/issued/server.crt
[root@rocky9 easy-rsa-server]# tree pki
pki
├── ca.crt
├── certs_by_serial
│   └── ACF621E40DAD89940B729F78FAEA3824.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── inline
├── issued
│   └── server.crt
├── openssl-easyrsa.cnf
├── private
│   ├── ca.key
│   └── server.key
├── reqs
│   └── server.req
├── revoked
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── serial
├── serial.old
└── vars.example

9 directories, 14 files

Generate the Diffie-Hellman parameters

[root@rocky9 easy-rsa-server]# ./easyrsa gen-dh
Using Easy-RSA 'vars' configuration:
* /etc/openvpn/easy-rsa-server/vars

IMPORTANT:
The preferred location for 'vars' is within the PKI folder.
To silence this message move your 'vars' file to your PKI
or declare your 'vars' file with option: --vars=<FILE>

Using SSL:
* openssl OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
Generating DH parameters, 2048 bit long safe prime
......................................................+..................................+...........................................................................................................................+...............................................................................................................................................................................+....................................................................................+........................+.............+..................................+.......+......+.........................................................................................................................................................................+.............................+........................................+.......................................................+..........................................................................................................................................................+.............................................+......................................................................................................................................................................+........................................................................................................................................................................................................................+...........................................................................................................................................................................................................................+.........................+......................+....................................................................+..........................................................................................................+.............................................................................................................
.........................................................+...........................................................................................................................................................................................................................................................................................................................................................+....+............................................................................................................................................+.................................................................................+..........+.....................................................................................................................................................................................................................+............++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*
DH parameters appear to be ok.

Notice
------

DH parameters of size 2048 created at:
* /etc/openvpn/easy-rsa-server/pki/dh.pem

Create the client certificate and private key

## Change the validity period used for client certificates

[root@rocky9 easy-rsa-server]# vim vars
set_var EASYRSA_CERT_EXPIRE 180
## Create the client certificate request
[root@rocky9 easy-rsa-server]# ./easyrsa gen-req xcjyc nopass
Using Easy-RSA 'vars' configuration:
* /etc/openvpn/easy-rsa-server/vars

IMPORTANT:
The preferred location for 'vars' is within the PKI folder.
To silence this message move your 'vars' file to your PKI
or declare your 'vars' file with option: --vars=<FILE>

Using SSL:
* openssl OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
.+.........+..+.......+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+........+...+.+.....+.+...+...........+....+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+..................+...+....+...+...+..+..........+..+.......+.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
..+.+...+...+..+...+.............+..............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+.....+.......+.....+.......+..+....+.....+....+..+...+.+...........+.........+.+......+........................+......+...+..+...+.+...+.....+.......+......+.....+...+......+..........+...+......+..+....+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..............+...+............+....+...+........+.............+.........+......+...........+...+..........+...+..+.......+...........+.........+...+...+....+...+.....+......+.+...........+....+.........+......+........+......+.......+..+..........+...+.....+.........+.+.....+............+.+.....+....+...+...+......+...+......+......+........+............+.+..+................+..+...+.......+............+.....+................+......+...+...+..+.+......+.....+....+..+.......+..+......+.......+...+...+.....+.......+...+..+......................+.....+...+...+......+..........+...........+...+.......+..+.......+.........+.........+.....+............+...................+.............................+.+..+....+.....+.+..+.......+...+..+.+.....+..............................+...+.......+.....+...+.+...+...+...+...........+...+.+...........+..........+...+...+.....+.........+...+.......+........+.+...............+......+.....+..........+...............+......+..+...+...+....+...+............+......+...............+..+...+....+...+.....+.......+..+...+......+.......+..............+................+.....+..........+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [xcjyc]:

Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /etc/openvpn/easy-rsa-server/pki/reqs/xcjyc.req
* key: /etc/openvpn/easy-rsa-server/pki/private/xcjyc.key
## Issue the client certificate
[root@rocky9 easy-rsa-server]# ./easyrsa sign client xcjyc
Using Easy-RSA 'vars' configuration:
* /etc/openvpn/easy-rsa-server/vars

IMPORTANT:
The preferred location for 'vars' is within the PKI folder.
To silence this message move your 'vars' file to your PKI
or declare your 'vars' file with option: --vars=<FILE>

Using SSL:
* openssl OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
You are about to sign the following certificate:
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate
for '180' days:

subject=
commonName = xcjyc

Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
## Type yes to confirm
Using configuration from /etc/openvpn/easy-rsa-server/pki/openssl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa-server/pki/private/ca.key:
## Enter the CA passphrase
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'xcjyc'
Certificate is to be certified until Oct 27 05:43:16 2024 GMT (180 days)

Write out database with 1 new entries
Data Base Updated

Notice
------
Certificate created at:
* /etc/openvpn/easy-rsa-server/pki/issued/xcjyc.crt
## View the generated file tree
[root@rocky9 easy-rsa-server]# tree
.
├── easyrsa ## management command
├── openssl-easyrsa.cnf
├── pki
│   ├── ca.crt ## CA root certificate, needed by both the server and the clients
│   ├── certs_by_serial
│   │   ├── 05C5204F013F6E6EF029F21E2D9ABFE6.pem
│   │   └── ACF621E40DAD89940B729F78FAEA3824.pem
│   ├── dh.pem ## Diffie-Hellman parameters, needed by the server
│   ├── index.txt ## certificate index file
│   ├── index.txt.attr
│   ├── index.txt.attr.old
│   ├── index.txt.old
│   ├── inline
│   ├── issued
│   │   ├── server.crt ## server certificate
│   │   └── xcjyc.crt ## client certificate
│   ├── openssl-easyrsa.cnf
│   ├── private
│   │   ├── ca.key
│   │   ├── server.key ## server private key
│   │   └── xcjyc.key ## client private key
│   ├── reqs
│   │   ├── server.req
│   │   └── xcjyc.req
│   ├── revoked
│   │   ├── certs_by_serial
│   │   ├── private_by_serial
│   │   └── reqs_by_serial
│   ├── serial
│   ├── serial.old
│   └── vars.example
├── vars
└── x509-types
    ├── COMMON
    ├── ca
    ├── client
    ├── code-signing
    ├── email
    ├── kdc
    ├── server
    └── serverClient

11 directories, 30 files
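Before these files are copied into /etc/openvpn it is worth confirming that each certificate actually chains to ca.crt and that the server and client certificates carry the Extended Key Usage that `sign server` and `sign client` assign: the client's `remote-cert-tls server` directive rejects a server that presents a certificate without the serverAuth EKU, and a certificate signed with the wrong type is the usual cause of that error. The following POSIX shell script is an added example, not code from this post or from the Easy-RSA project. It assumes `openssl` is on the PATH; `make_demo_pki` builds a throwaway CA plus one server and one client certificate with plain openssl (constructed test data, not easyrsa output) so the checks can be exercised offline, and `check_easyrsa_pki` walks a real pki directory such as the one built above.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the certificates
# Easy-RSA produced before they are copied into /etc/openvpn.
#   cert_role_ok CERT CA ROLE  -> 0 if CERT verifies against CA and its
#                                  Extended Key Usage matches ROLE (server|client)
#   cert_valid_for DAYS CERT   -> 0 if CERT is still valid DAYS days from now
#   check_easyrsa_pki PKIDIR   -> one line per issued cert, returns problem count
#   make_demo_pki DIR          -> throwaway CA/server/client certs (constructed)
set -eu

cert_role_ok() {
    cert=$1; ca=$2; role=$3
    # 1) the certificate must chain to the CA that OpenVPN is told to trust
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    # 2) the EKU must match what easyrsa's x509-types/server|client assign;
    #    the client's "remote-cert-tls server" line depends on serverAuth
    case "$role" in
        server) want='TLS Web Server Authentication' ;;
        client) want='TLS Web Client Authentication' ;;
        *) echo "unknown role: $role" >&2; return 2 ;;
    esac
    openssl x509 -in "$cert" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' | grep -q "$want"
}

cert_valid_for() {
    # -checkend exits non-zero if the certificate expires within N seconds
    openssl x509 -in "$2" -noout -checkend "$(( $1 * 86400 ))" >/dev/null
}

check_easyrsa_pki() {
    # server.crt must be a server cert; every other issued cert is expected to
    # be a client cert. Anything expiring within 30 days is reported as well.
    pki=$1; bad=0
    for crt in "$pki"/issued/*.crt; do
        name=$(basename "$crt" .crt)
        role=client
        [ "$name" = server ] && role=server
        if cert_role_ok "$crt" "$pki/ca.crt" "$role" && cert_valid_for 30 "$crt"; then
            echo "OK   $name ($role cert, chains to ca.crt, >30 days left)"
        else
            echo "FAIL $name (expected a $role cert chained to ca.crt, valid >30 days)"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

make_demo_pki() {
    dir=$1
    mkdir -p "$dir/issued" "$dir/private"
    # throwaway self-signed CA (constructed, 90 days)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 90 -subj '/CN=Demo-CA' \
        -keyout "$dir/private/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    # one server cert and one client cert with the same EKUs easyrsa assigns
    for pair in 'server:serverAuth' 'xcjyc:clientAuth'; do
        name=${pair%%:*}; eku=${pair##*:}
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$dir/private/$name.key" -out "$dir/$name.req" >/dev/null 2>&1
        printf 'extendedKeyUsage=%s\nkeyUsage=digitalSignature,keyEncipherment\n' "$eku" \
            > "$dir/$name.ext"
        openssl x509 -req -in "$dir/$name.req" -CA "$dir/ca.crt" -CAkey "$dir/private/ca.key" \
            -CAcreateserial -days 60 -sha256 -extfile "$dir/$name.ext" \
            -out "$dir/issued/$name.crt" >/dev/null 2>&1
    done
}

# Usage against the PKI built above (hypothetical invocation):
#   . ./check-pki.sh; check_easyrsa_pki /etc/openvpn/easy-rsa-server/pki
```

The check is deliberately read-only: it never touches the CA key, so it can be run from a monitoring job to catch client certificates that are about to expire (the 180-day client validity set above makes that a recurring event).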

Copy the CA and server certificates into the OpenVPN directory

==This step can be skipped by pointing the OpenVPN configuration file at the files' existing locations==

[root@rocky9 easy-rsa-server]# mkdir /etc/openvpn/server/certs
[root@rocky9 easy-rsa-server]# cp ./pki/ca.crt ./pki/issued/server.crt ./pki/private/server.key ./pki/dh.pem /etc/openvpn/server/certs

[root@rocky9 easy-rsa-server]# ll /etc/openvpn/server/certs/
total 20
-rw------- 1 root root 1204 Apr 30 13:58 ca.crt
-rw------- 1 root root 424 Apr 30 13:58 dh.pem
-rw------- 1 root root 4613 Apr 30 13:58 server.crt
-rw------- 1 root root 1704 Apr 30 13:58 server.key

Copy the client certificate into the OpenVPN directory for central management

[root@rocky9 easy-rsa-server]# mkdir /etc/openvpn/client/xcjyc
[root@rocky9 easy-rsa-server]# cp ./pki/ca.crt ./pki/issued/xcjyc.crt ./pki/private/xcjyc.key /etc/openvpn/client/xcjyc
[root@rocky9 easy-rsa-server]# ll /etc/openvpn/client/xcjyc
total 16
-rw------- 1 root root 1204 Apr 30 14:03 ca.crt
-rw------- 1 root root 4488 Apr 30 14:03 xcjyc.crt
-rw------- 1 root root 1704 Apr 30 14:03 xcjyc.key

Prepare the OpenVPN configuration file

Server configuration template: /usr/share/doc/openvpn/sample/sample-config-files/server.conf

## Meaning of the main configuration directives
port 1194 #port
proto udp #protocol
dev tun #routed tunnel mode
ca /opt/easy-rsa/pki/ca.crt #location of the CA certificate
cert /opt/easy-rsa/pki/issued/server.crt #location of the server certificate
key /opt/easy-rsa/pki/private/server.key #location of the server private key
dh /opt/easy-rsa/pki/dh.pem #Diffie-Hellman parameters
server 10.8.0.0 255.255.255.0 #address pool handed out to clients
push "route 172.16.1.0 255.255.255.0" #internal subnet the clients are allowed to reach
ifconfig-pool-persist ipp.txt #address-pool persistence file, so a client gets the same IP address on later connections
keepalive 10 120 #liveness check: ping every 10 seconds; no reply within 120 seconds means the link is down
max-clients 100 #allow at most 100 client connections
status openvpn-status.log #status file recording OpenVPN's current state
log /var/log/openvpn.log #OpenVPN log file location
verb 3 #log verbosity level
client-to-client #allow clients to talk to each other
persist-key #do not re-read key files when the VPN restarts after a keepalive timeout
persist-tun #keep the tun device up across a keepalive restart, instead of taking it down and back up
duplicate-cn #allow several clients to connect with the same certificate and key
comp-lzo #enable LZO data compression
## Prepare the configuration file
[root@rocky9 ~]# cd /etc/openvpn/
[root@rocky9 openvpn]# vim server.conf

[root@rocky9 openvpn]# grep '^[a-z,A-Z].*' server.conf
port 1194
proto tcp
dev tun
ca /etc/openvpn/server/certs/ca.crt
cert /etc/openvpn/server/certs/server.crt
key /etc/openvpn/server/certs/server.key
dh /etc/openvpn/server/certs/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.200.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
user openvpn
group openvpn
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20
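Before the server is exposed it is worth rereading this file with a few settings in mind: the startup log later in this post warns that compression "has been used in the past to break encryption", and the sample server.conf recommends a tls-auth key as an HMAC layer that drops unauthenticated packets before the TLS handshake. The following POSIX shell script is an added example, not code from this post or from the OpenVPN project. It greps a server.conf for those settings plus `user`/`group`, `duplicate-cn` and `client-to-client`; `write_sample_confs` writes two constructed files, one mirroring the directives above and one with compression removed and a tls-crypt key added (the ta.key path and the `openvpn --genkey secret ta.key` command are assumptions about how that key would be produced; the same key must also be shipped to the client as `tls-crypt ta.key`).

```shell
#!/bin/sh
# Added example (not from the original post): audit a server.conf for settings
# worth a second look before the server is exposed.
#   audit_openvpn_conf FILE   -> prints one "FINDING: ..." line per issue
#   finding_count FILE        -> prints the number of findings (0 = clean)
#   write_sample_confs DIR    -> writes two constructed configs for a dry run
set -eu

audit_openvpn_conf() {
    conf=$1
    # 1. data-channel compression: "comp-lzo" (unless "comp-lzo no") or
    #    "compress lzo|lz4|lz4-v2"; a bare "compress" is framing only
    if grep -Eq '^[[:space:]]*comp-lzo([[:space:]]+(yes|adaptive))?[[:space:]]*$|^[[:space:]]*compress[[:space:]]+(lzo|lz4|lz4-v2)[[:space:]]*$' "$conf"; then
        echo "FINDING: compression enabled; remove comp-lzo/compress (and any push \"compress ...\") unless it is really needed"
    fi
    # 2. no extra HMAC layer on the control channel
    if ! grep -Eq '^[[:space:]]*(tls-auth|tls-crypt|tls-crypt-v2)[[:space:]]' "$conf"; then
        echo "FINDING: no tls-auth/tls-crypt key; the sample config recommends one so unauthenticated packets are dropped before the TLS handshake"
    fi
    # 3. daemon keeps root privileges after initialisation
    if ! grep -Eq '^[[:space:]]*user[[:space:]]' "$conf" || ! grep -Eq '^[[:space:]]*group[[:space:]]' "$conf"; then
        echo "FINDING: no user/group directive; the daemon would keep running as root"
    fi
    # 4. one certificate shared by many clients defeats per-client revocation
    if grep -Eq '^[[:space:]]*duplicate-cn' "$conf"; then
        echo "FINDING: duplicate-cn lets several clients share one certificate; issue one certificate per client instead"
    fi
    # 5. clients may talk to each other through the server
    if grep -Eq '^[[:space:]]*client-to-client' "$conf"; then
        echo "FINDING: client-to-client enabled; VPN clients can reach each other, which remote-access setups usually do not want"
    fi
}

finding_count() {
    # grep -c exits 1 when the count is 0, hence "|| true" under set -e
    audit_openvpn_conf "$1" | grep -c '^FINDING:' || true
}

write_sample_confs() {
    dir=$1
    # constructed sample mirroring the directives of the server.conf above
    cat > "$dir/as-configured.conf" <<'EOF'
port 1194
proto tcp
dev tun
ca /etc/openvpn/server/certs/ca.crt
cert /etc/openvpn/server/certs/server.crt
key /etc/openvpn/server/certs/server.key
dh /etc/openvpn/server/certs/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.200.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
user openvpn
group openvpn
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20
EOF
    # the same file with compression removed and a tls-crypt key added
    # (assumed path; the key would be made with: openvpn --genkey secret ta.key)
    grep -Ev '^(compress|push "compress)' "$dir/as-configured.conf" > "$dir/hardened.conf"
    echo 'tls-crypt /etc/openvpn/server/certs/ta.key' >> "$dir/hardened.conf"
}

# Usage (hypothetical invocation): audit_openvpn_conf /etc/openvpn/server.conf
```

Run against the file above, the script reports two findings: compression is on, and there is no tls-auth/tls-crypt key. The `user`/`group` lines already drop privileges, so nothing is reported for them.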
## Prepare the log directory
[root@rocky9 easy-rsa-server]# mkdir /var/log/openvpn
[root@rocky9 easy-rsa-server]# chown openvpn.openvpn /var/log/openvpn

[root@rocky9 openvpn]# ll /var/log/openvpn -d
drwxr-xr-x 2 openvpn openvpn 6 Apr 30 14:23 /var/log/openvpn

Prepare the systemd unit file and start the service

## The package does not ship /usr/lib/systemd/system/openvpn@.service; you can create it yourself using the CentOS 7 unit file as a reference
[root@rocky9 openvpn]# rpm -ql openvpn | grep systemd
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/share/doc/openvpn/README.systemd

## Note the special file name (openvpn@.service)
[root@rocky9 ~]# cat /usr/lib/systemd/system/openvpn@.service
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target

[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf

[Install]
WantedBy=multi-user.target

## Start the service; note the service name (openvpn@server)
[root@rocky9 ~]# systemctl enable --now openvpn@server
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn@server.service → /usr/lib/systemd/system/openvpn@.service.

## Check the service status and port 1194
[root@rocky9 ~]# systemctl status openvpn@server
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; preset: disabled)
Active: active (running) since Tue 2024-04-30 15:28:49 CST; 3min 4s ago
Main PID: 3331 (openvpn)
Status: "Initialization Sequence Completed"
Tasks: 1 (limit: 24718)
Memory: 1.5M
CPU: 12ms
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─3331 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf

Apr 30 15:28:49 rocky9 systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
Apr 30 15:28:49 rocky9 openvpn[3331]: 2024-04-30 15:28:49 WARNING: Compression for receiving enabled. Compression has been used in the past to bre>
Apr 30 15:28:49 rocky9 systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.

[root@rocky9 ~]# ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:111 0.0.0.0:*
LISTEN 0 32 0.0.0.0:1194 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 [::]:111 [::]:*

Prepare the client configuration file

Client configuration template: /usr/share/doc/openvpn/sample/sample-config-files/client.conf

[root@rocky9 ~]# grep '^[[:alpha:]].*' /usr/share/doc/openvpn/sample/sample-config-files/client.conf > /etc/openvpn/client/xcjyc/client.ovpn

[root@rocky9 ~]# vim /etc/openvpn/client/xcjyc/client.ovpn
## Edit the settings so they match the server

[root@rocky9 ~]# cat /etc/openvpn/client/xcjyc/client.ovpn
client
dev tun
proto tcp
remote 192.168.23.40 1194
resolv-retry infinite
nobind
##persist-key
##persist-tun
ca ca.crt
cert xcjyc.crt
key xcjyc.key
remote-cert-tls server
##tls-auth ta.key 1
cipher AES-256-CBC
verb 3
compress lz4-v2

## Package the configuration files for the client
[root@rocky9 ~]# cd /etc/openvpn/client/xcjyc/
[root@rocky9 xcjyc]# zip /root/openvpn-xcjyc.zip *
adding: ca.crt (deflated 26%)
adding: client.ovpn (deflated 27%)
adding: xcjyc.crt (deflated 46%)
adding: xcjyc.key (deflated 23%)

[root@rocky9 xcjyc]# sz /root/openvpn-xcjyc.zip
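Instead of shipping four files in a zip, the CA certificate, client certificate and key can be embedded in the .ovpn itself, which is what the pki/inline directory and easyrsa's `inline` command exist for. The following POSIX shell function is an added example, not code from this post or from Easy-RSA. It assumes `openssl` is available; it first checks that the certificate's public key really belongs to the private key (a mismatched pair is a common cause of a failed TLS handshake), re-emits only the PEM block of each certificate so the human-readable dump easyrsa prepends to issued .crt files is left out, and writes the bundle with mode 0600 because it contains the private key.

```shell
#!/bin/sh
# Added example (not from the original post): build a single inline .ovpn from
# the base client config plus ca.crt, <name>.crt and <name>.key.
#   cert_matches_key CERT KEY             -> 0 if the public keys agree
#   make_inline_ovpn BASE CA CERT KEY OUT -> writes OUT (mode 0600); 1 on mismatch
set -eu

cert_matches_key() {
    # compare the SubjectPublicKeyInfo in the cert with the one derived from
    # the private key; works for RSA and EC keys alike
    pub_cert=$(openssl x509 -in "$1" -noout -pubkey)
    pub_key=$(openssl pkey -in "$2" -pubout)
    [ "$pub_cert" = "$pub_key" ]
}

make_inline_ovpn() {
    base=$1; ca=$2; cert=$3; key=$4; out=$5
    if ! cert_matches_key "$cert" "$key"; then
        echo "refusing to bundle: $cert does not match $key" >&2
        return 1
    fi
    (
        umask 077   # the bundle contains the private key: owner-only
        {
            # drop the file-based ca/cert/key lines; everything else is kept
            grep -Ev '^[[:space:]]*(ca|cert|key)[[:space:]]' "$base" || true
            printf '<ca>\n';   openssl x509 -in "$ca";   printf '</ca>\n'
            # "openssl x509 -in" prints only the PEM block, not the text dump
            # that easyrsa prepends to issued certificates
            printf '<cert>\n'; openssl x509 -in "$cert"; printf '</cert>\n'
            printf '<key>\n';  cat "$key";               printf '</key>\n'
        } > "$out"
    )
}

# Usage for the files prepared above (hypothetical invocation):
#   make_inline_ovpn client.ovpn ca.crt xcjyc.crt xcjyc.key xcjyc-inline.ovpn
```

The resulting single file can be dropped into the client's config directory; since it now carries the private key, it should be transferred the same way the zip was, not mailed around.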

Install the client and test the connection

Copy the packaged configuration files to C:\Program Files\OpenVPN\config and extract them there

[Image: openvpn-client]

[Image: openvpn-client-conn]

Enable access to the hosts on the internal network behind the OpenVPN server

## Enable IP forwarding on the server
[root@rocky9 ~]# echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf
[root@rocky9 ~]# sysctl -p
net.ipv4.ip_forward = 1


## Configure a return route so the internal servers can reply to remote clients

### Method 1: add a route on the internal hosts (run on each internal server, pointing at the OpenVPN server's internal address)
[root@rocky9 ~]# route add -net 10.8.0.0/24 gw 192.168.200.10

### Method 2: add the route on the network device (router)

### Method 3: add a firewall NAT rule on the OpenVPN server so the client addresses are translated
[root@rocky9 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

##### iptables option 1: MASQUERADE
[root@rocky9 ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j MASQUERADE
[root@rocky9 ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 10.8.0.0/24 !10.8.0.0/24

##### iptables option 2: SNAT to the server's internal address
[root@rocky9 ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 192.168.200.10
[root@rocky9 ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 10.8.0.0/24 !10.8.0.0/24 to:192.168.200.10

Test connecting to the internal servers

Ubuntu 22.04: 192.168.200.20

[Screenshot: 20240506093133]

[Screenshot: 20240506100128]

Windows Server: 192.168.200.30

[Screenshot: 20240506100556]

[Screenshot: 20240506100950]

[Screenshot: 20240506101243]

Source packages:

https://github.com/OpenVPN/openvpn/releases/download/v2.6.10/openvpn-2.6.10.tar.gz

https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.7/EasyRSA-3.1.7.tgz


OpenVPN Installation and Configuration
https://www.xcjyc.top/2024/04/29/OpenVPN安装与配置/
Author
XCJYC
Published on
29 April 2024
License