Reference:
How To Set Up an OpenVPN Server on Ubuntu 16.04 | DigitalOcean
1. Install OpenVPN
# apt-get install openvpn easy-rsa
2. Create the Certificate Authority
# mkdir -p /etc/openvpn/easy-rsa/keys
# cp -r /usr/share/easy-rsa /etc/openvpn
# cd /etc/openvpn/easy-rsa
Adjust the variables in /etc/openvpn/easy-rsa/vars to suit your environment
# vim /etc/openvpn/easy-rsa/vars
export KEY_COUNTRY="TW"
export KEY_PROVINCE="Taiwan"
export KEY_CITY="Yilan"
export KEY_ORG="School"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
# X509 Subject Field
export KEY_NAME="EasyRSA"
# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
# ./clean-all
# ./build-ca
3. Generate the server certificate, key, and encryption files
# ./build-key-server server
Certificate is to be certified until Dec 21 10:24:53 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
This step takes a little longer
# ./build-dh
# openvpn --genkey --secret keys/ta.key
4. Generate the client certificate and key pair
# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
# ./build-key client
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
Certificate is to be certified until Dec 21 12:15:42 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
If the client key should be protected by a password:
# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
# ./build-pass client
5. Copy the certificates and keys to the /etc/openvpn/keys directory
# cd /etc/openvpn/easy-rsa/keys
# mkdir /etc/openvpn/keys
# cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn/keys
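As an added check (example script, not part of the original post), the files easy-rsa produced can be verified before OpenVPN starts using them: that server.crt was really issued by ca.crt, that it carries the server purpose that ./build-key-server (and not ./build-key) sets, that server.key belongs to it, that ta.key and dh2048.pem exist, and that no private key is readable by other users. It assumes the file names from step 5, the openssl command line tool, and GNU stat; the directory is given as an argument.

```shell
#!/bin/sh
# Added example: sanity-check the easy-rsa output before OpenVPN uses it.
# Assumptions: the file names from step 5 (ca.crt, server.crt, server.key,
# ta.key, dh2048.pem), the openssl CLI, and GNU stat (Linux).

# verify_chain CA_CRT CRT: succeeds if CRT was issued by CA_CRT and is inside its validity period.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# is_server_cert CRT: succeeds if CRT may be used as a TLS *server* certificate.
# ./build-key-server sets extendedKeyUsage=serverAuth; ./build-key (client certs)
# does not, and a client configured with "remote-cert-tls server" rejects such a cert.
is_server_cert() {
    openssl x509 -in "$1" -noout -purpose 2>/dev/null | grep -q '^SSL server : Yes'
}

# key_matches_cert KEY CRT: succeeds if KEY is the private half of the public key in CRT.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# check_key_perms DIR: prints every *.key in DIR readable by group or others;
# returns the number of such files (private keys should be mode 0600 or 0400).
check_key_perms() {
    loose=0
    for f in "$1"/*.key; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        case "$mode" in
            600|400) ;;
            *) echo "    $f is mode $mode"; loose=$((loose + 1)) ;;
        esac
    done
    return "$loose"
}

# run CMD ARGS...: runs one check, prints OK/FAIL with the check's name, counts failures.
run() {
    if "$@"; then echo "OK   $1"; else echo "FAIL $1"; fails=$((fails + 1)); fi
}

# check_keys_dir DIR: runs every check against DIR and returns the number of failures.
check_keys_dir() {
    fails=0
    run verify_chain "$1/ca.crt" "$1/server.crt"
    run is_server_cert "$1/server.crt"
    run key_matches_cert "$1/server.key" "$1/server.crt"
    run test -s "$1/ta.key"       # tls-auth HMAC key from openvpn --genkey
    run test -s "$1/dh2048.pem"   # DH parameters from ./build-dh
    run check_key_perms "$1"
    return "$fails"
}

# usage: sh check_keys.sh /etc/openvpn/keys   (or the easy-rsa keys directory)
if [ "$#" -eq 1 ]; then
    check_keys_dir "$1"
fi
```

The server-purpose check is the one most worth keeping: a certificate signed with ./build-key instead of ./build-key-server still verifies against the CA, but clients using remote-cert-tls server will refuse to connect to it.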
6. Configure OpenVPN
Edit the /etc/openvpn/server.conf configuration file
# gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | tee /etc/openvpn/server.conf
# cp /etc/openvpn/server.conf /etc/openvpn/server.conf.$(date +%F)
Edit the settings
# sed -i 's/;tls-auth/tls-auth/' /etc/openvpn/server.conf
# sed -i '/tls-auth/ akey-direction 0' /etc/openvpn/server.conf
# sed -i 's/;cipher AES/cipher AES/' /etc/openvpn/server.conf
# sed -i '/^cipher/ aauth SHA256' /etc/openvpn/server.conf
User and group that OpenVPN runs as
# sed -i 's/^;user/user/' /etc/openvpn/server.conf
# sed -i 's/^;group/group/' /etc/openvpn/server.conf
Make the VPN gateway the clients' default gateway
# sed -i 's/^;push "redirect/push "redirect/' /etc/openvpn/server.conf
DNS settings
# sed -i 's/^;push "dhcp-option DNS 208.67.222.222"/push "dhcp-option DNS 168.95.1.1"/' /etc/openvpn/server.conf
# sed -i 's/^;push "dhcp-option DNS 208.67.220.220"/push "dhcp-option DNS 8.8.8.8"/' /etc/openvpn/server.conf
Change the default UDP to TCP
# sed -i 's/^;proto tcp/proto tcp/' /etc/openvpn/server.conf
# sed -i 's/^proto udp/;proto udp/' /etc/openvpn/server.conf
Change the crt / key file locations
# sed -i 's|ca ca.crt|ca /etc/openvpn/keys/ca.crt|' /etc/openvpn/server.conf
# sed -i 's|cert server.crt|cert /etc/openvpn/keys/server.crt|' /etc/openvpn/server.conf
# sed -i 's|key server.key|key /etc/openvpn/keys/server.key|' /etc/openvpn/server.conf
# sed -i 's|dh dh2048.pem|dh /etc/openvpn/keys/dh2048.pem|' /etc/openvpn/server.conf
# sed -i 's|tls-auth ta.key 0|tls-auth /etc/openvpn/keys/ta.key 0|' /etc/openvpn/server.conf
When using certificate authentication, allow all clients to log in with the same key
# sed -i 's/^;duplicate-cn/duplicate-cn/' /etc/openvpn/server.conf
Allow clients to connect to each other
# sed -i 's/^;client-to-client/client-to-client/' /etc/openvpn/server.conf
Change the log file locations
# sed -i 's|status openvpn-status.log|status /var/log/openvpn/openvpn-status.log|' /etc/openvpn/server.conf
# sed -i 's|;log openvpn.log|log /var/log/openvpn/openvpn.log|' /etc/openvpn/server.conf
# sed -i 's|;log-append openvpn.log|log-append /var/log/openvpn/openvpn.log|' /etc/openvpn/server.conf
Route this subnet through the VPN gateway
# sed -i '/^;push "route 192.168.10/ ipush "route 10.8.0.0 255.255.255.0"' /etc/openvpn/server.conf
Or, with a sed script file:
# cat script-file
s/;tls-auth/tls-auth/
/tls-auth/ akey-direction 0
s/;cipher AES/cipher AES/
/^cipher/ aauth SHA256
s/^;user/user/
s/^;group/group/
s/^;push "redirect/push "redirect/
s/^;push "dhcp-option DNS 208.67.222.222"/push "dhcp-option DNS 168.95.1.1"/
s/^;push "dhcp-option DNS 208.67.220.220"/push "dhcp-option DNS 8.8.8.8"/
s/^;proto tcp/proto tcp/
s/^proto udp/;proto udp/
s|ca ca.crt|ca /etc/openvpn/keys/ca.crt|
s|cert server.crt|cert /etc/openvpn/keys/server.crt|
s|key server.key|key /etc/openvpn/keys/server.key|
s|dh dh2048.pem|dh /etc/openvpn/keys/dh2048.pem|
s|tls-auth ta.key 0|tls-auth /etc/openvpn/keys/ta.key 0|
s/^;duplicate-cn/duplicate-cn/
s/^;client-to-client/client-to-client/
s|status openvpn-status.log|status /var/log/openvpn/openvpn-status.log|
s|;log openvpn.log|log /var/log/openvpn/openvpn.log|
s|;log-append openvpn.log|log-append /var/log/openvpn/openvpn.log|
/^;push "route 192.168.10/ ipush "route 10.8.0.0 255.255.255.0"
# sed -i -f script-file /etc/openvpn/server.conf
Create the directory for the log files
# mkdir /var/log/openvpn
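Because each sed expression above silently does nothing when its pattern is not found (for example if a newer sample server.conf has changed a line), it is worth confirming the result. The script below is an added example, not part of the original post: it checks that the edited /etc/openvpn/server.conf contains the directives the edits are meant to set, and that no active proto udp line was left beside proto tcp. The list of expected directives mirrors this page's edits; with no argument it runs against a constructed sample that is embedded in the script.

```shell
#!/bin/sh
# Added example: confirm that the sed edits above really landed in server.conf.
# Assumptions: the file paths used on this page; the list of expected
# directives below is taken from those edits, not from OpenVPN itself.

# check_directive FILE REGEX: succeeds if FILE has an active (uncommented)
# line starting with REGEX. Lines beginning with ';' or '#' do not match.
check_directive() {
    grep -Eq "^[[:space:]]*$2" "$1"
}

# check_server_conf FILE: prints OK/MISSING per expected directive, flags an
# active "proto udp" left beside "proto tcp", and returns the number of problems.
check_server_conf() {
    missing=0
    for want in \
        'proto tcp' \
        'ca /etc/openvpn/keys/ca.crt' \
        'cert /etc/openvpn/keys/server.crt' \
        'key /etc/openvpn/keys/server.key' \
        'dh /etc/openvpn/keys/dh2048.pem' \
        'tls-auth /etc/openvpn/keys/ta.key 0' \
        'key-direction 0' \
        'cipher AES' \
        'auth SHA256' \
        'user nobody' \
        'group nogroup'
    do
        if check_directive "$1" "$want"; then
            echo "OK      $want"
        else
            echo "MISSING $want"
            missing=$((missing + 1))
        fi
    done
    if check_directive "$1" 'proto udp'; then
        echo "CONFLICT proto udp is still active alongside proto tcp"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# write_sample_conf FILE: writes a constructed excerpt of server.conf as it
# should look after the edits above (sample data so this runs offline).
write_sample_conf() {
    cat > "$1" <<'EOF'
port 1194
;proto udp
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
tls-auth /etc/openvpn/keys/ta.key 0 # This file is secret
key-direction 0
cipher AES-128-CBC   # AES
auth SHA256
user nobody
group nogroup
EOF
}

# usage: sh check_conf.sh /etc/openvpn/server.conf
# With no argument the constructed sample above is checked instead.
if [ "$#" -eq 1 ]; then
    check_server_conf "$1"
else
    sample=$(mktemp)
    write_sample_conf "$sample"
    check_server_conf "$sample"
    rm -f "$sample"
fi
```

Run it after step 6 (and again after any later hand edit); a non-zero exit status means at least one directive is missing or conflicting, and the printed lines say which.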
7. Configure network forwarding
# sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
# sysctl -p
8. Firewall settings (iptables)
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# iptables -A FORWARD -i tun0 -j ACCEPT
# iptables -A FORWARD -o tun0 -j ACCEPT
9. Start the OpenVPN service at boot
# systemctl enable openvpn@server.service
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /lib/systemd/system/openvpn@.service.
10. Start the service and check that it came up normally
# systemctl start openvpn@server.service
# systemctl status openvpn@server.service | head -3
● openvpn@server.service - OpenVPN connection to server
Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor preset: enabled)
Active: active (running) since 五 2016-12-23 21:35:43 CST; 15h ago
# netstat -antpl | grep :1194
tcp 0 0 0.0.0.0:1194 0.0.0.0:* LISTEN 3146/openvpn