1 Install OpenVPN

Install OpenVPN using YUM:

$ yum install -y epel-release
$ yum update -y
$ yum install -y openssl lzo pam openssl-devel lzo-devel pam-devel
$ yum install -y easy-rsa
$ yum install -y openvpn

2 Configure the OpenVPN server

2.1 Creating a Directory for Configuration

  1. Create a directory for storing logs: mkdir -p /var/log/openvpn/
  2. Create a user management directory: mkdir -p /etc/openvpn/server/user
  3. Configure directory permissions: chown openvpn:openvpn /var/log/openvpn

2.2 Generating a Certificate

The easy-rsa version installed through yum is 3.x. You can copy the tool directly from its installation directory into the OpenVPN server directory (the rest of this guide uses /etc/openvpn/server/easy-rsa):

$ cp -rf /usr/share/easy-rsa/3.0.8 /etc/openvpn/server/easy-rsa

2.2.1 Creating a Certificate for the Server

  1. Switch to the /etc/openvpn/server/easy-rsa directory
  2. Run ./easyrsa init-pki to initialize; this creates a pki directory in the current directory for the intermediate files and the resulting certificates
  3. Run ./easyrsa build-ca nopass to create the CA certificate
  4. Generate the server-side certificate: ./easyrsa build-server-full server nopass
  5. Create the Diffie-Hellman parameters: ./easyrsa gen-dh, so that the key exchange can traverse an insecure network
  6. Collect the server-side certificate files:

$ mkdir -p /etc/openvpn/server
$ cp -a pki/ca.crt /etc/openvpn/server/
$ cp -a pki/private/server.key /etc/openvpn/server
$ cp -a pki/issued/server.crt /etc/openvpn/server
$ cp -a pki/dh.pem /etc/openvpn/server
$ cp -a ta.key /etc/openvpn/server

2.2.2 Creating a Certificate for a Client

  1. Generate a password-free client certificate: ./easyrsa build-client-full client nopass
  2. Generate a client certificate with a password: ./easyrsa build-client-full jiaoxn; you will be prompted to enter the password, so remember it, because it is needed when connecting to the OpenVPN server. You can repeat this step to create certificates for multiple users

Then create ta.key

To improve OpenVPN security, create ta.key with openvpn --genkey --secret ta.key (run it in the easy-rsa directory, since step 6 of 2.2.1 copies ta.key from there). The key adds an HMAC signature to every TLS handshake packet, so packets without a valid signature are dropped before any handshake work is done.

2.3 Editing a Configuration File

  1. Copy the sample server.conf to /etc/openvpn/server as the starting configuration file: cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/server

  2. Run vi /etc/openvpn/server/server.conf to edit the configuration file

    • Change line 25 to: local 0.0.0.0
    • Uncomment line 35 and change it to: proto tcp
    • Comment out line 36: ;proto udp
    • Modify line 78, set the ca.crt path: ca /etc/openvpn/server/ca.crt
    • Modify line 79, set the server.crt path: cert /etc/openvpn/server/server.crt
    • Modify line 80, set the server.key path: key /etc/openvpn/server/server.key
    • Modify line 85, set the dh path: dh /etc/openvpn/server/dh.pem
    • Modify line 141: push "route 10.10.10.0 255.255.255.0"
    • Modify line 244: tls-auth /etc/openvpn/server/ta.key 0
    • Uncomment line 257: compress lz4-v2
    • Uncomment line 258: push "compress lz4-v2"
    • Uncomment lines 274 and 275
    • Uncomment line 296 and change the log file path: log /var/log/openvpn.log
    • Comment out line 315
    • Keep the defaults for the other settings
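Before starting the service it is worth checking that the edits above actually landed as intended (in particular that server.crt and server.key use the cert and key directives rather than a second and third ca line, and that the pushed compression matches the server's own). The script below is an added example, not part of the original tutorial; it assumes only POSIX sh with grep, sed and head, and defaults to the /etc/openvpn/server/server.conf path used in this guide.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a sanity check for the
# server.conf edits listed in section 2.3, run before starting the service.
# Assumes only POSIX sh with grep, sed and head. The config path defaults to
# /etc/openvpn/server/server.conf (the location used in this tutorial).

# Print the arguments of the first active (uncommented) occurrence of a
# directive. OpenVPN treats lines starting with ';' or '#' as comments.
ovpn_get() {  # usage: ovpn_get <conf> <directive>
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\(.*\)$/\1/p" "$1" | head -n 1
}

# Count active occurrences of a directive (prints 0 when absent).
ovpn_count() {  # usage: ovpn_count <conf> <directive>
    grep -cE "^[[:space:]]*$2([[:space:]]|$)" "$1" || true
}

# Return 0 when the config matches the tutorial's settings, 1 otherwise,
# printing one line per problem found.
ovpn_check_server_conf() {  # usage: ovpn_check_server_conf [conf]
    conf=${1:-/etc/openvpn/server/server.conf}
    rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }

    # Lines 35/36: exactly one active proto line, and it must be tcp.
    if [ "$(ovpn_count "$conf" proto)" != 1 ] || [ "$(ovpn_get "$conf" proto)" != tcp ]; then
        echo "proto: expected exactly one active 'proto tcp' line"; rc=1
    fi

    # Lines 78-85 and 296: ca, cert, key, dh and log must each appear once.
    # A common slip is writing 'ca' in front of all three certificate files.
    for d in ca cert key dh log; do
        if [ "$(ovpn_count "$conf" "$d")" != 1 ]; then
            echo "$d: expected exactly one active '$d' line"; rc=1
        fi
    done

    # ca.crt, server.crt and server.key must be three different files.
    ca=$(ovpn_get "$conf" ca); cert=$(ovpn_get "$conf" cert); key=$(ovpn_get "$conf" key)
    if [ -n "$ca" ] && [ -n "$cert" ] && [ -n "$key" ]; then
        if [ "$ca" = "$cert" ] || [ "$ca" = "$key" ] || [ "$cert" = "$key" ]; then
            echo "ca/cert/key: must point to three different files"; rc=1
        fi
    fi

    # Line 244: tls-auth on the server side uses key direction 0.
    case "$(ovpn_get "$conf" tls-auth)" in
        *" 0") ;;
        *) echo "tls-auth: expected 'tls-auth <path to ta.key> 0'"; rc=1 ;;
    esac

    # Lines 257/258: the compression pushed to clients must match the
    # server's own 'compress' setting.
    comp=$(ovpn_get "$conf" compress)
    pushed=$(grep -E '^[[:space:]]*push[[:space:]]+"compress' "$conf" \
             | sed 's/.*"compress[[:space:]]*\([^"]*\)".*/\1/' | head -n 1)
    if [ -z "$comp" ] || [ "$comp" != "$pushed" ]; then
        echo "compress: 'compress $comp' and push \"compress $pushed\" disagree"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "$conf: OK"
    return "$rc"
}

# Usage: ovpn_check_server_conf /etc/openvpn/server/server.conf
```

Run it after saving the file; a non-zero exit with one message per problem is easier to act on than the error OpenVPN itself prints on the first bad directive it meets.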

3 Start OpenVPN and configure startup

  1. Edit the service file with vi /usr/lib/systemd/system/openvpn-server\@.service and change the value of ExecStart to: ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config server.conf
  2. Copy the service file under a new name: cp /usr/lib/systemd/system/openvpn-server\@.service /usr/lib/systemd/system/openvpn-service.service
  3. Start OpenVPN: systemctl start openvpn-service
  4. Configure OpenVPN to start at boot: systemctl enable openvpn-service

4 Configuring the Firewall

Configure the firewall and enable port 1194:

$ firewall-cmd --permanent --add-masquerade
$ firewall-cmd --permanent --add-service=openvpn
$ firewall-cmd --permanent --add-port=1194/tcp
$ firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
$ firewall-cmd --reload

5 Windows client Configuration

  1. Copy the ta.key file from /etc/openvpn/server/easy-rsa
  2. Copy the client .key file from /etc/openvpn/server/easy-rsa/pki/private, for example jiaoxn.key
  3. Copy the client .crt file from /etc/openvpn/server/easy-rsa/pki/issued, for example jiaoxn.crt
  4. Copy the ca.crt file from /etc/openvpn/server/easy-rsa/pki
  5. After installing the OpenVPN client on Windows, open the configuration folder (default: C:\Program Files\OpenVPN\config), create a folder (for example: client) and copy the previous 4 files into the new folder
  6. In the folder created in step 5, create client.ovpn (the file name is the same as the folder name) with the following content, replacing jiaoxn.crt and jiaoxn.key with the corresponding file names:

client
dev tun
proto tcp
remote 192.168.1.70 1194
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
ca ca.crt
cert jiaoxn.crt
key jiaoxn.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
compress lz4-v2
verb 3
;mute 20

  7. Right-click the OpenVPN icon, select the newly configured folder name, click Connect and enter the password, which is the user name followed by "@123", for example jiaoxn@123
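Instead of copying four separate files per user, the same profile can be generated on the server as a single .ovpn with the CA certificate, client certificate, client key and ta.key embedded inline (OpenVPN's <ca>, <cert>, <key> and <tls-auth> sections). The script below is an added example, not part of the original tutorial; it assumes POSIX sh, takes the easy-rsa directory and server address as parameters, and reproduces the directives of the client.ovpn above. When ta.key is inline, the trailing 1 of tls-auth ta.key 1 becomes a separate key-direction 1 line.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: build a single-file
# client profile by inlining ca.crt, <name>.crt, <name>.key and ta.key,
# so only one .ovpn file has to be copied to the Windows client instead of
# the four files in section 5. Assumes POSIX sh; the easy-rsa directory and
# server address are parameters (the usage line shows the tutorial's values).

# Emit one inline section, e.g. <ca> ... </ca>, making sure the closing tag
# lands on its own line even if the file lacks a trailing newline.
ovpn_inline() {  # usage: ovpn_inline <tag> <file>
    printf '<%s>\n' "$1"
    cat "$2"
    if [ -n "$(tail -c 1 "$2")" ]; then echo; fi
    printf '</%s>\n' "$1"
}

# Write <name>.ovpn in the current directory and print its file name.
# Returns 1 (writing nothing) if any of the four input files is missing.
ovpn_build_client() {  # usage: ovpn_build_client <name> <easy-rsa dir> <server> [port]
    name=$1; rsa=$2; server=$3; port=${4:-1194}
    ca="$rsa/pki/ca.crt"; crt="$rsa/pki/issued/$name.crt"
    key="$rsa/pki/private/$name.key"; ta="$rsa/ta.key"
    for f in "$ca" "$crt" "$key" "$ta"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    out="$name.ovpn"
    {
        # Same directives as the tutorial's client.ovpn, minus the file
        # references; 'key-direction 1' replaces the trailing 1 of
        # 'tls-auth ta.key 1' when the key is inline.
        cat <<EOF
client
dev tun
proto tcp
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
compress lz4-v2
verb 3
EOF
        ovpn_inline ca "$ca"
        ovpn_inline cert "$crt"
        ovpn_inline key "$key"
        ovpn_inline tls-auth "$ta"
    } > "$out"
    echo "$out"
}

# Usage: ovpn_build_client jiaoxn /etc/openvpn/server/easy-rsa 192.168.1.70
```

The generated file contains the user's private key, so transfer it over a channel you trust and delete the server-side copy once it has been handed over; if the certificate was created with a password (section 2.2.2), the client still prompts for it on connect.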