Using OpenVPN on CentOS 7.x

References:
CentOS 7 install OpenVPN @ 回憶……! (痞客邦 PIXNET)
Installing an OpenVPN Server on CentOS 7 – Linux 技術手札

1. Install the EPEL repository
# yum install epel-release

2. Install the OpenVPN package
# yum install openvpn

3. Install Easy-RSA, which is used below to generate the keys and certificates
# yum install easy-rsa

4. Copy the sample server.conf into the OpenVPN configuration directory
# cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn

5. Back up the configuration file before editing it
# cp /etc/openvpn/server.conf /etc/openvpn/server.conf.$(date +%F)

6. Edit /etc/openvpn/server.conf. With comments and blank lines stripped, the directives active in this setup are:
# egrep -v "^#|^$|^;" /etc/openvpn/server.conf
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 168.95.1.1"
push "dhcp-option DNS 8.8.8.8"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
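Two of the directives above deserve a second look before the file goes into production. `duplicate-cn` lets any number of clients connect with the same certificate, so a leaked client key cannot be tied to one user and revoking it cuts off everyone who shares it. `comp-lzo` turns on compression, which the OpenVPN project now advises against because compressed tunnelled traffic leaks plaintext (the VORACLE disclosure). `proto tcp` gets through restrictive networks but stacks TCP retransmission on top of tunnelled TCP; the sample file defaults to udp for that reason. The script below is an added example, not part of the original post: it reduces a server.conf to its active directives (the same view the `egrep` above gives, plus trailing comments removed) and audits it against a short checklist that is this example's own policy, not an OpenVPN rule. The two sample files are constructed from the listing above; `weak` is that listing as-is, `hardened` the same file without `client-to-client`, `duplicate-cn` and `comp-lzo`.

```sh
#!/bin/sh
# Added example, not part of the original post: a small audit of an OpenVPN
# server.conf for the directives used in step 6. The checklist is this
# example's own policy, not an OpenVPN rule set; the files are temporary.

# Active directives only: drop whole-line and trailing "#"/";" comments and
# blank lines (the view "egrep -v '^#|^$|^;'" gives, plus trailing comments
# such as "key server.key  # This file should be kept secret").
ovpn_active() {
    sed -e 's/[[:space:]]*[#;].*$//' -e '/^[[:space:]]*$/d' "$1"
}

# ovpn_has CONF DIRECTIVE [VALUE]: succeed if the directive is active
# (and, when VALUE is given, carries that first argument).
ovpn_has() {
    ovpn_active "$1" | awk -v d="$2" -v v="${3:-}" \
        '$1 == d && (v == "" || $2 == v) { found = 1 } END { exit found ? 0 : 1 }'
}

# ovpn_audit CONF: print FAIL/WARN lines for risky or missing settings.
ovpn_audit() {
    if ! ovpn_has "$1" tls-auth && ! ovpn_has "$1" tls-crypt; then
        echo "FAIL: no tls-auth/tls-crypt, the control channel is not HMAC-protected"
    fi
    if ovpn_has "$1" duplicate-cn; then
        echo "FAIL: duplicate-cn lets several clients share one certificate"
    fi
    if ovpn_has "$1" comp-lzo; then
        echo "FAIL: comp-lzo enables compression, which OpenVPN now advises against"
    fi
    if ! ovpn_has "$1" user || ! ovpn_has "$1" group; then
        echo "FAIL: daemon keeps root privileges (no user/group directive)"
    fi
    if ovpn_has "$1" client-to-client; then
        echo "WARN: client-to-client lets VPN clients talk to each other directly"
    fi
    if ovpn_has "$1" proto tcp; then
        echo "WARN: proto tcp stacks TCP retransmission on tunnelled TCP; udp is the default"
    fi
    return 0
}

# ovpn_fail_count CONF: number of FAIL findings (0 = checklist passed).
ovpn_fail_count() {
    ovpn_audit "$1" | awk '/^FAIL/ { c++ } END { print c + 0 }'
}

# write_sample_conf weak|hardened PATH: constructed samples. "weak" is the
# active directive list from step 6; "hardened" is the same file without
# client-to-client, duplicate-cn and comp-lzo.
write_sample_conf() {
    cat >"$2" <<'EOF'
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 168.95.1.1"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
    if [ "$1" = weak ]; then
        printf '%s\n' client-to-client duplicate-cn comp-lzo >>"$2"
    fi
}

# Stand-alone run: audit both constructed samples.
main() {
    tmp=$(mktemp -d)
    for mode in weak hardened; do
        write_sample_conf "$mode" "$tmp/$mode.conf"
        echo "== $mode.conf: $(ovpn_fail_count "$tmp/$mode.conf") FAIL finding(s)"
        ovpn_audit "$tmp/$mode.conf"
    done
    rm -rf "$tmp"
}
main
```

Run it against the real file with `ovpn_audit /etc/openvpn/server.conf` after sourcing the script; the weak sample reports two FAIL findings (duplicate-cn, comp-lzo) and the hardened one none. If several people really must share one profile, issue one certificate per person instead and keep `duplicate-cn` off, so that a lost laptop can be revoked on its own.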

7. Create the directory in which Easy-RSA will generate the keys
# mkdir -p /etc/openvpn/easy-rsa/keys

8. Copy the Easy-RSA sample files into the Easy-RSA configuration directory
# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa

9. Adjust the variables in /etc/openvpn/easy-rsa/vars as needed
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"

# X509 Subject Field
export KEY_NAME="EasyRSA"

10. Build the CA, the server certificate, the DH parameters and a client certificate:
# cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
# cd /etc/openvpn/easy-rsa
# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys

# ./clean-all
# ./build-ca
# ./build-key-server server

# ./build-dh
# cd /etc/openvpn/easy-rsa/keys
# cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
# cd /etc/openvpn/easy-rsa
# ./build-key client

11. Generate ta.key, the shared HMAC key used by tls-auth (clients need the same file, with direction 1)
# cd /etc/openvpn/
# openvpn --genkey --secret ta.key

12. Install the iptables-services package and replace firewalld with iptables
# yum install iptables-services -y
# systemctl mask firewalld
# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
# systemctl stop firewalld
# systemctl start iptables
# iptables --flush

13. Firewall rules
Allow forwarding of traffic whose source is in 10.8.0.0/24 and masquerade (NAT) it out through ppp0 (the uplink interface on this host; substitute your own)
# iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -j ACCEPT
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ppp0 -j MASQUERADE
# iptables-save > /etc/sysconfig/iptables
# systemctl restart iptables

14. Enable IP forwarding in /etc/sysctl.conf (load the change with sysctl -p; otherwise it only takes effect after a reboot)
# vim /etc/sysctl.conf
-----------------------------------------
......
net.ipv4.ip_forward = 1
......
-----------------------------------------
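The two rules in step 13 only work because the `iptables --flush` in step 12 left every chain with its default ACCEPT policy: nothing filters traffic to the gateway itself, and replies to the VPN clients are forwarded without any state tracking. The script below is an added example, not part of the original post: it generates a complete, stateful replacement in iptables-restore format, puts the guide's own two-rule set beside it for comparison, and checks both offline without root or the iptables binary. tun0, ppp0, 10.8.0.0/24 and 1194/tcp are taken from the guide; the SSH rule on port 22 is an assumption, added so that loading a DROP policy does not lock you out.

```sh
#!/bin/sh
# Added example, not part of the original post: generate a complete, stateful
# iptables ruleset for the OpenVPN gateway in iptables-restore format, so the
# host no longer depends on the ACCEPT policies left behind by "iptables --flush".
# Interface names (tun0, ppp0), subnet and port follow the guide; the SSH rule
# on port 22 is an assumption so that a DROP policy does not lock you out.

# ovpn_ruleset SUBNET TUN_IF WAN_IF PORT PROTO: ruleset on stdout.
ovpn_ruleset() {
    subnet=$1 tun=$2 wan=$3 port=$4 proto=$5
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $wan -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $tun -o $wan -s $subnet -j ACCEPT
-A FORWARD -i $wan -o $tun -d $subnet -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $subnet -o $wan -j MASQUERADE
COMMIT
EOF
}

# legacy_ruleset: roughly what iptables-save writes after step 12's flush plus
# the two rules from step 13 (constructed here for comparison): every policy
# ACCEPT, no state tracking, nothing protecting the gateway itself.
legacy_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 10.8.0.0/24 -i tun0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o ppp0 -j MASQUERADE
COMMIT
EOF
}

# ovpn_ruleset_check SUBNET: read a ruleset on stdin and succeed only if both
# filter policies are DROP, return traffic to SUBNET is allowed, NAT is present
# and both tables are COMMITted. Offline: needs neither root nor iptables.
ovpn_ruleset_check() {
    awk -v subnet="$1" '
        /^\*/                                 { tables++ }
        /^COMMIT$/                            { commits++ }
        /^:INPUT DROP/                        { input_drop = 1 }
        /^:FORWARD DROP/                      { fwd_drop = 1 }
        /^-A FORWARD / && index($0, "-d " subnet) && /ESTABLISHED,RELATED/ { ret = 1 }
        /^-A POSTROUTING / && /MASQUERADE/    { nat = 1 }
        END { exit (tables == 2 && commits == 2 && input_drop && fwd_drop && ret && nat) ? 0 : 1 }
    '
}

# rule_count: number of -A rules in a ruleset read from stdin.
rule_count() {
    awk '/^-A / { c++ } END { print c + 0 }'
}

# Stand-alone run: print the hardened ruleset and run both sets through the check.
main() {
    ovpn_ruleset 10.8.0.0/24 tun0 ppp0 1194 tcp
    if ovpn_ruleset 10.8.0.0/24 tun0 ppp0 1194 tcp | ovpn_ruleset_check 10.8.0.0/24; then
        echo "# hardened ruleset: OK"
    fi
    if ! legacy_ruleset | ovpn_ruleset_check 10.8.0.0/24; then
        echo "# two-rule set from steps 12-13: fails (ACCEPT policies, no return-path filtering)"
    fi
}
main
```

Write the generated output to /etc/sysconfig/iptables and run `systemctl restart iptables` exactly as step 13 does, then load the forwarding setting from step 14 with `sysctl -p`. Do the first load from a console session rather than over SSH: with INPUT set to DROP, a forgotten management rule locks you out.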

15. Start the OpenVPN service and enable it at boot
# systemctl start openvpn@server.service
# systemctl enable openvpn@server.service
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /usr/lib/systemd/system/openvpn@.service.

16. Check the OpenVPN service status
# systemctl status openvpn@server.service
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2016-08-14 15:13:07 CST; 9s ago
  Process: 2294 ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf (code=exited, status=0/SUCCESS)
 Main PID: 2295 (openvpn)
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─2295 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --cd /etc/openvpn/ --config server.conf

17. Confirm that OpenVPN is listening on 1194/tcp (0.0.0.0 means on every interface)
# netstat -antulp | grep :1194
tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN      1039/openvpn