
基于easy-rsa3搭建openvpn服务

openvpn服务器安装

# Install the server packages; epel-release is added first, presumably because
# openvpn/easy-rsa come from the EPEL repository.
yum install epel-release
# NOTE(review): the trailing "makecache" is passed here as a package name; it was
# probably meant as a separate `yum makecache` step — confirm.
yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig makecache
yum install -y openvpn easy-rsa
# Locate the easy-rsa installation directory (transcript: command, then its output).
[root@localhost openvpn]# whereis easy-rsa
easy-rsa: /usr/share/easy-rsa
# Copy the easy-rsa tree under the openvpn directory.
mkdir -p /etc/openvpn/easy-rsa
# NOTE: the version directory (3.0.8 here) may differ on your system.
cd /usr/share/easy-rsa/3.0.8
cp -r *  /etc/openvpn/easy-rsa

openvpn服务端配置

# Enter the easy-rsa working directory.
cd /etc/openvpn/easy-rsa
# Copy the easy-rsa variables template into the current directory and rename it to vars.
# NOTE(review): this searches the whole filesystem and copies every match; with more
# than one vars.example present the result is unpredictable. The tree was just copied
# here, so `cp vars.example vars` from this directory may be enough — confirm.
find / -type f -name "vars.example"|xargs cp -t . && mv vars.example vars
[root@localhost easy-rsa]# ll
total 100
-rwxr-xr-x. 1 root root 76946 Mar 18 16:26 easyrsa
-rw-r--r--. 1 root root  4616 Mar 18 16:26 openssl-easyrsa.cnf
-rw-r--r--. 1 root root  8888 Mar 19  2022 vars
drwxr-xr-x. 2 root root   122 Mar 18 16:26 x509-types
# Edit the main fields in ./vars as needed. These lines are the contents of the vars
# file (certificate subject defaults), not shell commands to run.
set_var EASYRSA_REQ_COUNTRY     "CN"
set_var EASYRSA_REQ_PROVINCE    "Jiangsu"
set_var EASYRSA_REQ_CITY        "Nanjing"
set_var EASYRSA_REQ_ORG         "Deri"
set_var EASYRSA_REQ_EMAIL       "wuzhiyong@deri.energy"
set_var EASYRSA_REQ_OU          "deri.org.cn"
# Create an empty PKI (output goes under pki/, see the cp lines at the end).
./easyrsa init-pki
# Build a new CA without a passphrase; accept the prompts with Enter.
# NOTE(review): `nopass` leaves the CA private key (presumably under pki/private/,
# alongside server.key below) unencrypted on this host; whoever can read it can issue
# client certificates. Protect that key, or keep the CA off the VPN server, for
# anything beyond a lab setup.
./easyrsa build-ca nopass
# Create the server key and certificate request (no passphrase on the server key).
./easyrsa gen-req server nopass
# Sign the server request with type "server"; type "yes" when prompted.
./easyrsa sign server server
# Generate the Diffie-Hellman parameters (dh.pem).
./easyrsa gen-dh
# Generate the certificate revocation list.
./easyrsa gen-crl
# Generate the tls-auth shared key (ta.key).
# NOTE(review): init-pki writes under pki/, but this writes to keys/ — openvpn does not
# create that directory, so confirm keys/ exists or write to pki/ta.key instead.
openvpn --genkey --secret keys/ta.key
# Copy everything the server needs into /etc/openvpn/server.
cp keys/ta.key ../server/
cp pki/ca.crt ../server/
cp pki/dh.pem ../server/
cp pki/issued/server.crt ../server/
cp pki/private/server.key ../server/

创建服务器配置

[root@ecs-a017-0002 chuanda]# cat server.conf 
# OpenVPN server configuration. Lines starting with ';' are disabled alternatives.
port 20016
;proto tcp
proto udp
dev tun
;dev tap
# PKI material copied into /etc/openvpn/server by the easy-rsa steps above.
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
# HMAC on the TLS control channel; the server uses key direction 0, so every client
# profile must use key-direction 1.
tls-auth /etc/openvpn/server/ta.key 0
dh /etc/openvpn/server/dh.pem
log /etc/openvpn/openvpn.log
# Left commented out, so two clients presenting the same certificate CN cannot be
# connected at the same time.
#duplicate-cn
# NOTE(review): this pushes the same 10.1.0.0/24 that the "server" line below hands
# out; clients normally get a route to the pool subnet from that directive already, so
# this push looks redundant — it was probably meant to be a LAN behind the server.
# Confirm the intended subnet.
push "route 10.1.0.0 255.255.255.0"
server 10.1.0.0 255.255.255.0
# Static client addresses can be pinned in ipp.txt, one per line, e.g. client1,11.1.0.100
# NOTE(review): that example address is outside the 10.1.0.0/24 pool above — confirm.
ifconfig-pool-persist /etc/openvpn/ipp.txt
keepalive 10 120
# NOTE(review): this pins a legacy CBC cipher. On OpenVPN 2.4+ the data cipher is
# negotiated (AES-256-GCM by default) and `cipher` is deprecated in 2.5 in favour of
# `data-ciphers`; confirm the installed version before relying on this line.
cipher AES-256-CBC
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
# NOTE(review): gen-crl is run above but no `crl-verify` directive references the CRL
# here, so a revoked client certificate would still be accepted.

创建openvpn启停脚本,start.sh

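#!/bin/bash
# start.sh — launch the OpenVPN server in the background unless an instance
# using the same configuration file is already running.
#
# The original checked for "openvpn /etc/openvpn/server.conf" but launched
# /etc/openvpn/chuanda/server.conf, so the check never matched and every run
# started another daemon. Both now use the same path.
set -u

readonly OVPN_CONF=/etc/openvpn/chuanda/server.conf

# pgrep -f matches the full command line (and excludes itself), replacing the
# ps | grep | grep -v grep | wc -l chain.
if ! pgrep -f -- "openvpn ${OVPN_CONF}" >/dev/null 2>&1; then
  openvpn "${OVPN_CONF}" &
fi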

stop.sh

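#!/bin/bash
# stop.sh — stop the OpenVPN server instance launched by start.sh.
#
# Matches the command line start.sh actually launches (the original pattern
# used /etc/openvpn/server.conf and so never matched). SIGTERM is sent first
# so openvpn can close the tun device, remove its routes and flush the status
# log; SIGKILL is only a fallback.
set -u

readonly OVPN_CONF=/etc/openvpn/chuanda/server.conf
readonly PATTERN="openvpn ${OVPN_CONF}"

# pkill returns non-zero when nothing matched: nothing to stop.
pkill -TERM -f -- "${PATTERN}" || exit 0

# Give the daemon a few seconds to exit cleanly before forcing it.
for _ in 1 2 3 4 5; do
  pgrep -f -- "${PATTERN}" >/dev/null 2>&1 || exit 0
  sleep 1
done
pkill -KILL -f -- "${PATTERN}"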

创建客户端证书

# 生成客户端证书
./easyrsa build-client-full client_name nopass

创建openvpn客户端文件

# OpenVPN client profile. The <key>/<cert>/<ca>/<tls-auth> blocks hold PEM material
# inline; the "<!-- ... -->" lines inside them are placeholders to replace, not
# OpenVPN syntax.
client
nobind
dev tun
# Require the server certificate to carry the server role; satisfied because the
# server request was signed with type "server" above.
remote-cert-tls server
# Replace the two placeholders with the server's public IP and its port (20016 in
# server.conf); the transport must match "proto udp" there.
remote 服务器IP 端口 udp
# Client private key from build-client-full (by analogy with server.key, presumably
# pki/private/client_name.key).
<key>
<!-- 客户端私钥 -->
</key>
# Client certificate (presumably pki/issued/client_name.crt).
<cert>
<!-- 客户端证书 -->
</cert>
# CA certificate (pki/ca.crt).
<ca>
<!-- ca.crt -->
</ca>
# Must be 1 on the client because server.conf uses "tls-auth ... 0".
key-direction 1
# Contents of ta.key.
<tls-auth>
<!-- ta.key -->
</tls-auth>

遇到的问题

A: VERIFY ERROR: depth=1, error=certificate is not yet valid
or error 9 at 1 depth lookup:certificate is not yet valid
B: VERIFY ERROR: depth=0, error=certificate signature failure
C: error 7 at 0 depth lookup:certificate signature failure

解决办法: 这些错误主要是由于服务器时区/时间设置不正确, 客户端时间比服务器时间早, 导致证书在客户端看来"尚未生效"; 校正服务器与客户端的系统时间和时区后重试.