
OPEN VPN 实验及脚本实现

OpenVPN 部署

准备OpenVPN环境

#配置yum源（注意：下面各仓库均为 gpgcheck=0，即安装时不校验软件包签名）
[root@OPEN-VPN yum.repos.d]#vim base.repo 
[BaseOS]
name=BaseOS
baseurl=https://mirrors.aliyun.com/rockylinux/$releasever/BaseOS/x86_64/os/
        http://mirrors.163.com/rocky/$releasever/BaseOS/x86_64/os/
        https://mirrors.nju.edu.cn/rocky/$releasever/BaseOS/x86_64/os/
        https://mirrors.sjtug.sjtu.edu.cn/rocky/$releasever/BaseOS/x86_64/os/
"base.repo" 48L, 2062C                                                                   1,1           Top
[BaseOS]
name=BaseOS
baseurl=https://mirrors.aliyun.com/rockylinux/$releasever/BaseOS/x86_64/os/
        http://mirrors.163.com/rocky/$releasever/BaseOS/x86_64/os/
        https://mirrors.nju.edu.cn/rocky/$releasever/BaseOS/x86_64/os/
        https://mirrors.sjtug.sjtu.edu.cn/rocky/$releasever/BaseOS/x86_64/os/
        http://mirrors.sdu.edu.cn/rocky/$releasever/BaseOS/x86_64/os/
gpgcheck=0

[AppStream]
name=AppStream
baseurl=https://mirrors.aliyun.com/rockylinux/$releasever/AppStream/x86_64/os/
        http://mirrors.163.com/rocky/$releasever/AppStream/x86_64/os/
        https://mirrors.nju.edu.cn/rocky/$releasever/AppStream/x86_64/os/
        https://mirrors.sjtug.sjtu.edu.cn/rocky/$releasever/AppStream/x86_64/os/
        http://mirrors.sdu.edu.cn/rocky/$releasever/AppStream/x86_64/os/
gpgcheck=0

[extras]
name=extras
baseurl=https://mirrors.aliyun.com/rockylinux/$releasever/extras/$basearch/os
        http://mirrors.163.com/rocky/$releasever/extras/$basearch/os
        https://mirrors.nju.edu.cn/rocky/$releasever/extras/$basearch/os
        https://mirrors.sjtug.sjtu.edu.cn/rocky/$releasever/extras/$basearch/os
        http://mirrors.sdu.edu.cn/rocky/$releasever/extras/$basearch/os

gpgcheck=0
enabled=1

[PowerTools]
name=CentOS-$releasever - PowerTools
baseurl=https://mirrors.aliyun.com/rockylinux/$releasever/PowerTools/$basearch/os/
        http://mirrors.163.com/rocky/$releasever/PowerTools/$basearch/os/
        http://mirrors.sdu.edu.cn/rocky/$releasever/PowerTools/$basearch/os/
        https://mirrors.sjtug.sjtu.edu.cn/rocky/$releasever/PowerTools/$basearch/os/
        http://mirrors.sdu.edu.cn/rocky/$releasever/PowerTools/$basearch/os/
gpgcheck=0
enabled=0


[epel]
name=EPEL
baseurl=https://mirror.tuna.tsinghua.edu.cn/epel/$releasever/Everything/$basearch
        https://mirrors.cloud.tencent.com/epel/$releasever/Everything/$basearch
        https://mirrors.huaweicloud.com/epel/$releasever/Everything/$basearch
        https://mirrors.aliyun.com/epel/$releasever/Everything/$basearch
gpgcheck=0
enabled=1



#查看版本
[root@OPEN-VPN ~]#yum list openvpn
Last metadata expiration check: 0:03:06 ago on Fri 19 Aug 2022 07:40:19 PM CST.
Available Packages
openvpn.x86_64                                                         2.4.12-1.el8                                                          epel

[root@OPEN-VPN ~]#yum list easy-rsa
Last metadata expiration check: 0:02:49 ago on Fri 19 Aug 2022 07:40:19 PM CST.
Available Packages
easy-rsa.noarch                                                         3.0.8-1.el8          

安装OpenVPN和证书管理工具easy-rsa

#查看版本
[root@OPEN-VPN ~]#yum list openvpn
Last metadata expiration check: 0:03:06 ago on Fri 19 Aug 2022 07:40:19 PM CST.
Available Packages
openvpn.x86_64                                                         2.4.12-1.el8                                                          epel

[root@OPEN-VPN ~]#yum list easy-rsa
Last metadata expiration check: 0:02:49 ago on Fri 19 Aug 2022 07:40:19 PM CST.
Available Packages
easy-rsa.noarch                                                         3.0.8-1.el8                                                          epel

#安装openvpn和easy-rsa
[root@OPEN-VPN ~]#yum -y install openvpn
Last metadata expiration check: 0:05:32 ago on Fri 19 Aug 2022 07:40:19 PM CST.
Dependencies resolved.
===========================================================================================================
 Package                      Architecture          Version                      Repository           Size
===========================================================================================================
Installing:
 openvpn                      x86_64                2.4.12-1.el8                 epel                545 k
Installing dependencies:
 pkcs11-helper                x86_64                1.22-7.el8                   epel                 64 k

Transaction Summary
===========================================================================================================
Install  2 Packages

Total download size: 609 k
Installed size: 1.4 M
Downloading Packages:
(1/2): pkcs11-helper-1.22-7.el8.x86_64.rpm                                                                        12 kB/s |  64 kB     00:05    
(2/2): openvpn-2.4.12-1.el8.x86_64.rpm                                                                            85 kB/s | 545 kB     00:06    
-------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                             94 kB/s | 609 kB     00:06     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                         1/1 
  Installing       : pkcs11-helper-1.22-7.el8.x86_64                                                                                         1/2 
  Running scriptlet: openvpn-2.4.12-1.el8.x86_64                                                                                             2/2 
  Installing       : openvpn-2.4.12-1.el8.x86_64                                                                                             2/2 
  Running scriptlet: openvpn-2.4.12-1.el8.x86_64                                                                                             2/2 
  Verifying        : openvpn-2.4.12-1.el8.x86_64                                                                                             1/2 
  Verifying        : pkcs11-helper-1.22-7.el8.x86_64                                                                                         2/2 

Installed:
  openvpn-2.4.12-1.el8.x86_64                                           pkcs11-helper-1.22-7.el8.x86_64                                          

Complete!

[root@OPEN-VPN ~]#yum -y install easy-rsa
Last metadata expiration check: 0:06:01 ago on Fri 19 Aug 2022 07:40:19 PM CST.
Dependencies resolved.
=================================================================================================================================================
 Package                            Architecture                     Version                                Repository                      Size
=================================================================================================================================================
Installing:
 easy-rsa                           noarch                           3.0.8-1.el8                            epel                            47 k

Transaction Summary
=================================================================================================================================================
Install  1 Package

Total download size: 47 k
Installed size: 120 k
Downloading Packages:
easy-rsa-3.0.8-1.el8.noarch.rpm                                                                                   11 kB/s |  47 kB     00:04    
-------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                             11 kB/s |  47 kB     00:04     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                         1/1 
  Installing       : easy-rsa-3.0.8-1.el8.noarch                                                                                             1/1 
  Verifying        : easy-rsa-3.0.8-1.el8.noarch                                                                                             1/1 

Installed:
  easy-rsa-3.0.8-1.el8.noarch                                                                                                                    

Complete!

查看包中的文件

[root@OPEN-VPN yum.repos.d]#rpm -qi openvpn easy-rsa
Name        : openvpn
Version     : 2.4.12
Release     : 1.el8
Architecture: x86_64
Install Date: Fri 19 Aug 2022 07:45:59 PM CST
Group       : Unspecified
Size        : 1310067
License     : GPLv2
Signature   : RSA/SHA256, Fri 18 Mar 2022 05:21:34 AM CST, Key ID 21ea45ab2f86d6a1
Source RPM  : openvpn-2.4.12-1.el8.src.rpm
Build Date  : Fri 18 Mar 2022 03:01:23 AM CST
Build Host  : buildvm-x86-26.iad2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : https://community.openvpn.net/
Bug URL     : https://bugz.fedoraproject.org/openvpn
Summary     : A full-featured SSL VPN solution
Description :
OpenVPN is a robust and highly flexible tunneling application that uses all
of the encryption, authentication, and certification features of the
OpenSSL library to securely tunnel IP networks over a single UDP or TCP
port.  It can use the Marcus Franz Xaver Johannes Oberhumers LZO library
for compression.
Name        : easy-rsa
Version     : 3.0.8
Release     : 1.el8
Architecture: noarch
Install Date: Fri 19 Aug 2022 07:46:25 PM CST
Group       : Unspecified
Size        : 122756
License     : GPLv2
Signature   : RSA/SHA256, Thu 10 Sep 2020 09:23:22 PM CST, Key ID 21ea45ab2f86d6a1
Source RPM  : easy-rsa-3.0.8-1.el8.src.rpm
Build Date  : Thu 10 Sep 2020 09:20:42 PM CST
Build Host  : buildvm-s390x-23.s390.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : https://github.com/OpenVPN/easy-rsa
Bug URL     : https://bugz.fedoraproject.org/easy-rsa
Summary     : Simple shell based CA utility
Description :
This is a small RSA key management package, based on the openssl
command line tool, that can be found in the easy-rsa subdirectory
of the OpenVPN distribution. While this tool is primary concerned
with key management for the SSL VPN application space, it can also
be used for building web certificates.

[root@OPEN-VPN yum.repos.d]#rpm -ql openvpn
/etc/openvpn
/etc/openvpn/client
/etc/openvpn/server
/run/openvpn-client
/run/openvpn-server
/usr/lib/.build-id
/usr/lib/.build-id/66
/usr/lib/.build-id/66/bd0dab2368dc0d844282225cb7f20f1db4bd9b
/usr/lib/.build-id/9e
/usr/lib/.build-id/9e/360159708bfe37bf6bbae0fa9facffbd2556dc
/usr/lib/.build-id/ca
/usr/lib/.build-id/ca/29127991f2fbcd366ca4d99df93d6d333eebcd
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/lib/tmpfiles.d/openvpn.conf
/usr/lib64/openvpn
/usr/lib64/openvpn/plugins
/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
/usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so
/usr/sbin/openvpn
/usr/share/doc/openvpn
/usr/share/doc/openvpn/AUTHORS
/usr/share/doc/openvpn/COPYING
/usr/share/doc/openvpn/COPYRIGHT.GPL
/usr/share/doc/openvpn/ChangeLog
/usr/share/doc/openvpn/Changes.rst
/usr/share/doc/openvpn/README
/usr/share/doc/openvpn/README.auth-pam
/usr/share/doc/openvpn/README.down-root
/usr/share/doc/openvpn/README.systemd
/usr/share/doc/openvpn/contrib
/usr/share/doc/openvpn/contrib/OCSP_check
/usr/share/doc/openvpn/contrib/OCSP_check/OCSP_check.sh
/usr/share/doc/openvpn/contrib/README
/usr/share/doc/openvpn/contrib/openvpn-fwmarkroute-1.00
/usr/share/doc/openvpn/contrib/openvpn-fwmarkroute-1.00/README
/usr/share/doc/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down
/usr/share/doc/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up
/usr/share/doc/openvpn/contrib/pull-resolv-conf
/usr/share/doc/openvpn/contrib/pull-resolv-conf/client.down
/usr/share/doc/openvpn/contrib/pull-resolv-conf/client.up
/usr/share/doc/openvpn/management-notes.txt
/usr/share/doc/openvpn/sample
/usr/share/doc/openvpn/sample/sample-config-files
/usr/share/doc/openvpn/sample/sample-config-files/README
/usr/share/doc/openvpn/sample/sample-config-files/client.conf
/usr/share/doc/openvpn/sample/sample-config-files/firewall.sh
/usr/share/doc/openvpn/sample/sample-config-files/home.up
/usr/share/doc/openvpn/sample/sample-config-files/loopback-client
/usr/share/doc/openvpn/sample/sample-config-files/loopback-server
/usr/share/doc/openvpn/sample/sample-config-files/office.up
/usr/share/doc/openvpn/sample/sample-config-files/openvpn-shutdown.sh
/usr/share/doc/openvpn/sample/sample-config-files/openvpn-startup.sh
/usr/share/doc/openvpn/sample/sample-config-files/roadwarrior-client.conf
/usr/share/doc/openvpn/sample/sample-config-files/roadwarrior-server.conf
/usr/share/doc/openvpn/sample/sample-config-files/server.conf
/usr/share/doc/openvpn/sample/sample-config-files/static-home.conf
/usr/share/doc/openvpn/sample/sample-config-files/static-office.conf
/usr/share/doc/openvpn/sample/sample-config-files/tls-home.conf
/usr/share/doc/openvpn/sample/sample-config-files/tls-office.conf
/usr/share/doc/openvpn/sample/sample-config-files/xinetd-client-config
/usr/share/doc/openvpn/sample/sample-config-files/xinetd-server-config
/usr/share/doc/openvpn/sample/sample-scripts
/usr/share/doc/openvpn/sample/sample-scripts/auth-pam.pl
/usr/share/doc/openvpn/sample/sample-scripts/bridge-start
/usr/share/doc/openvpn/sample/sample-scripts/bridge-stop
/usr/share/doc/openvpn/sample/sample-scripts/ucn.pl
/usr/share/doc/openvpn/sample/sample-scripts/verify-cn
/usr/share/doc/openvpn/sample/sample-windows
/usr/share/doc/openvpn/sample/sample-windows/sample.ovpn
/usr/share/man/man8/openvpn.8.gz
/var/lib/openvpn

[root@OPEN-VPN yum.repos.d]#rpm -ql  easy-rsa 
/usr/share/doc/easy-rsa
/usr/share/doc/easy-rsa/COPYING.md
/usr/share/doc/easy-rsa/ChangeLog
/usr/share/doc/easy-rsa/README.md
/usr/share/doc/easy-rsa/README.quickstart.md
/usr/share/doc/easy-rsa/vars.example
/usr/share/easy-rsa
/usr/share/easy-rsa/3
/usr/share/easy-rsa/3.0
/usr/share/easy-rsa/3.0.8
/usr/share/easy-rsa/3.0.8/easyrsa
/usr/share/easy-rsa/3.0.8/openssl-easyrsa.cnf
/usr/share/easy-rsa/3.0.8/x509-types
/usr/share/easy-rsa/3.0.8/x509-types/COMMON
/usr/share/easy-rsa/3.0.8/x509-types/ca
/usr/share/easy-rsa/3.0.8/x509-types/client
/usr/share/easy-rsa/3.0.8/x509-types/code-signing
/usr/share/easy-rsa/3.0.8/x509-types/email
/usr/share/easy-rsa/3.0.8/x509-types/kdc
/usr/share/easy-rsa/3.0.8/x509-types/server
/usr/share/easy-rsa/3.0.8/x509-types/serverClient
/usr/share/licenses/easy-rsa
/usr/share/licenses/easy-rsa/gpl-2.0.txt

准备相关配置文件

#准备证书相关文件
[root@OPEN-VPN yum.repos.d]#cp -r /usr/share/easy-rsa/3/ /etc/openvpn/easy-rsa
[root@OPEN-VPN yum.repos.d]#tree /etc/openvpn/easy-rsa/
/etc/openvpn/easy-rsa/
├── easyrsa
├── openssl-easyrsa.cnf
└── x509-types
    ├── ca
    ├── client
    ├── code-signing
    ├── COMMON
    ├── email
    ├── kdc
    ├── server
    └── serverClient
1 directory, 10 files

#准备颁发证书相关变量的配置文件
[root@OPEN-VPN yum.repos.d]#cp /usr/share/doc/easy-rsa/vars.example  /etc/openvpn/easy-rsa/vars
[root@OPEN-VPN yum.repos.d]#tree /etc/openvpn/easy-rsa/
/etc/openvpn/easy-rsa/
├── easyrsa
├── openssl-easyrsa.cnf
├── vars
└── x509-types
    ├── ca
    ├── client
    ├── code-signing
    ├── COMMON
    ├── email
    ├── kdc
    ├── server
    └── serverClient

1 directory, 11 files

#设置CA和OpenVPN服务器的证书有效期，可适当加长（有效期越长，私钥泄露后的风险窗口也越长）
[root@OPEN-VPN yum.repos.d]#vim /etc/openvpn/easy-rsa/vars 
#set_var EASYRSA_CA_EXPIRE  3650 CA证书有效期默认3650天,现设置为36500天
set_var EASYRSA_CA_EXPIRE   36500

#set_var EASYRSA_CERT_EXPIRE    825  服务器证书有效期默认为825天,设置为36500天
set_var EASYRSA_CERT_EXPIRE 36500

[root@OPEN-VPN yum.repos.d]#tree /etc/openvpn/
/etc/openvpn/
├── client
├── easy-rsa
│   ├── easyrsa
│   ├── openssl-easyrsa.cnf
│   ├── vars
│   └── x509-types
│       ├── ca
│       ├── client
│       ├── code-signing
│       ├── COMMON
│       ├── email
│       ├── kdc
│       ├── server
│       └── serverClient
└── server

准备证书相关文件

初始化PKI和CA颁发机构环境

#证书脚本的使用帮助
[root@OPEN-VPN easy-rsa]#cd /etc/openvpn/easy-rsa/
[root@OPEN-VPN easy-rsa]#./easyrsa 

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars

Easy-RSA 3 usage and overview

USAGE: easyrsa [options] COMMAND [command-options]

A list of commands is shown below. To get detailed usage and help for a
command, run:
  ./easyrsa help COMMAND

For a listing of options that can be supplied before the command, use:
  ./easyrsa help options

Here is the list of commands available with a short syntax reminder. Use the
'help' command above to get full usage details.

  init-pki
  build-ca [ cmd-opts ]
  gen-dh
  gen-req <filename_base> [ cmd-opts ]
  sign-req <type> <filename_base>
  build-client-full <filename_base> [ cmd-opts ]
  build-server-full <filename_base> [ cmd-opts ]
  revoke <filename_base> [cmd-opts]
  renew <filename_base> [cmd-opts]
  build-serverClient-full <filename_base> [ cmd-opts ]
  gen-crl
  update-db
  show-req <filename_base> [ cmd-opts ]
  show-cert <filename_base> [ cmd-opts ]
  show-ca [ cmd-opts ]
  import-req <request_file_path> <short_basename>
  export-p7 <filename_base> [ cmd-opts ]
  export-p8 <filename_base> [ cmd-opts ]
  export-p12 <filename_base> [ cmd-opts ]
  set-rsa-pass <filename_base> [ cmd-opts ]
  set-ec-pass <filename_base> [ cmd-opts ]
  upgrade <type>

DIRECTORY STATUS (commands would take effect on these locations)
  EASYRSA: /etc/openvpn/easy-rsa
      PKI: /etc/openvpn/easy-rsa/pki

#初始化PKI生成PKI相关目录和文件
[root@OPEN-VPN easy-rsa]#./easyrsa init-pki

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki

[root@OPEN-VPN easy-rsa]#tree /etc/openvpn/
/etc/openvpn/
├── client
├── easy-rsa
│   ├── easyrsa
│   ├── openssl-easyrsa.cnf
│   ├── pki
│   │   ├── openssl-easyrsa.cnf
│   │   ├── private
│   │   ├── reqs
│   │   └── safessl-easyrsa.cnf
│   ├── vars
│   └── x509-types
│       ├── ca
│       ├── client
│       ├── code-signing
│       ├── COMMON
│       ├── email
│       ├── kdc
│       ├── server
│       └── serverClient
└── server

7 directories, 13 files

创建 CA 机构证书环境

[root@OPEN-VPN easy-rsa]#./easyrsa build-ca nopass

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k  FIPS 25 Mar 2021
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................................+++++
.....................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:Open-CA   #输入CA证书的通用名(CN)，此处为 Open-CA

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt


[root@OPEN-VPN easy-rsa]#tree pki
pki
├── ca.crt                    #ca证书
├── certs_by_serial
├── index.txt
├── index.txt.attr
├── issued
├── openssl-easyrsa.cnf
├── private
│   └── ca.key                 #CA私钥（build-ca 使用了 nopass，该文件未加密，需严格限制访问权限）
├── renewed
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── reqs
├── revoked
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── safessl-easyrsa.cnf
└── serial

12 directories, 7 files

#查看生成CA相关的文件
[root@OPEN-VPN easy-rsa]#cat pki/serial 
01
[root@OPEN-VPN easy-rsa]#ll pki/index.txt
-rw------- 1 root root 0 Aug 19 20:14 pki/index.txt
[root@OPEN-VPN easy-rsa]#cat pki/serial 
01
[root@OPEN-VPN easy-rsa]#ll pki/ca.crt  pki/private/ca.key 
-rw------- 1 root root 1188 Aug 19 20:15 pki/ca.crt
-rw------- 1 root root 1675 Aug 19 20:14 pki/private/ca.key

#查看生成的自签名证书
[root@OPEN-VPN easy-rsa]#cat pki/ca.crt 
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

[root@OPEN-VPN easy-rsa]#openssl x509 -in pki/ca.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            31:d1:68:c5:e2:59:ad:4b:58:4d:00:d7:58:7a:d0:7a:56:16:54:18
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Open-CA
        Validity
            Not Before: Aug 19 12:15:11 2022 GMT
            Not After : Jul 26 12:15:11 2122 GMT
        Subject: CN = Open-CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:e1:1f:34:32:c8:d9:a6:fd:39:0f:29:62:a2:91:
                    e7:f9:61:4f:e7:24:81:64:5b:29:1b:b4:35:ae:c1:
                    10:41:25:78:4c:fd:18:64:e3:30:20:60:58:e3:fc:
                    4c:8c:34:40:d3:5c:a7:01:3d:a7:e6:0e:33:2a:88:
                    86:c9:39:50:0a:63:f0:cb:9b:22:18:ed:57:1e:6e:
                    8a:cb:af:07:6b:79:74:58:82:64:21:aa:25:e6:48:
                    35:4a:89:04:61:d1:22:09:07:17:f3:97:4c:fc:ce:
                    c2:4f:4f:f1:ea:24:33:d4:19:c0:c9:07:67:59:02:
                    11:73:3f:91:6e:cb:11:1f:e3:65:9e:37:21:3e:f4:
                    ac:9e:fd:44:f2:fb:cd:9e:1f:d9:fe:23:3e:c7:99:
                    dd:48:0b:0d:2c:e1:22:55:db:72:a2:1e:26:77:e8:
                    4d:87:56:ab:80:88:78:3e:3a:10:f7:d0:09:55:34:
                    53:c0:50:69:c5:ca:f8:0f:72:00:0c:95:46:96:5d:
                    4d:74:7d:7f:15:d3:af:33:b5:80:7b:fd:40:c4:e2:
                    d0:ab:b6:f8:5c:39:60:b5:e0:24:e9:ce:51:47:a4:
                    45:b3:b7:23:74:96:39:e2:38:88:f6:2a:48:87:69:
                    76:70:2e:cc:84:3a:47:33:37:ba:55:5c:95:7f:a1:
                    c3:89
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                98:EF:10:A7:C4:95:4B:E3:68:EC:B6:8D:F3:BA:5E:90:7E:FC:76:83
            X509v3 Authority Key Identifier: 
                keyid:98:EF:10:A7:C4:95:4B:E3:68:EC:B6:8D:F3:BA:5E:90:7E:FC:76:83
                DirName:/CN=Open-CA
                serial:31:D1:68:C5:E2:59:AD:4B:58:4D:00:D7:58:7A:D0:7A:56:16:54:18

            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         b8:6d:85:56:80:41:89:a7:84:bc:59:5f:1c:d0:45:cb:ea:fe:
         ee:f0:76:54:30:bd:ef:27:58:d5:e7:4a:1c:85:8f:3a:09:0a:
         14:86:45:69:4e:e6:5f:48:d5:02:0e:64:0d:62:fb:af:45:f4:
         5f:2d:0d:3c:11:a5:6b:f4:40:0e:b1:a7:c6:55:bc:3c:47:26:
         ec:df:d3:07:27:68:2c:6b:8b:57:cf:31:b0:eb:23:82:05:83:
         c1:b5:b9:b5:8b:4a:30:9c:70:92:f6:f7:c5:22:58:c0:7f:b6:
         d6:7e:d8:d2:cb:81:01:f3:aa:f8:ed:eb:4f:05:8d:f9:88:32:
         a5:fe:ad:44:05:22:e5:24:be:b5:0e:e3:b5:96:c0:07:8e:69:
         e8:67:b2:fd:ab:ca:1d:99:5c:e1:79:92:2a:e0:c6:72:21:42:
         85:d3:48:48:db:97:e0:dc:99:9c:c4:ae:80:21:92:67:ac:e6:
         bb:98:31:fe:fc:37:58:88:db:45:79:f0:97:68:4b:ce:e3:fe:
         58:5a:34:50:d5:76:36:dd:2b:e4:d0:c0:6c:82:5c:71:7d:81:
         57:69:f5:22:1b:f0:d6:a2:06:50:f3:b0:0a:7c:46:1c:b0:c0:
         b4:e4:0f:7d:d4:9a:35:d7:92:a9:b3:52:1c:52:cf:8d:17:c9:
         4f:6a:1f:99

准备服务端证书环境

#创建服务端证书申请
[root@OPEN-VPN easy-rsa]#./easyrsa gen-req server nopass

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k  FIPS 25 Mar 2021
Generating a RSA private key
.............+++++
..................................................................................................................................................+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-2676.Q3r6LY/tmp.OL1u7X'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:OpenVPN

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key

[root@OPEN-VPN easy-rsa]#tree pki/
pki/
├── ca.crt
├── certs_by_serial
├── index.txt
├── index.txt.attr
├── issued
├── openssl-easyrsa.cnf
├── private
│   ├── ca.key
│   ├── server.key     #服务端私钥（gen-req 使用了 nopass，未加密）
├── renewed
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── reqs
│   └── server.req      #服务端证书申请文件(CSR)
├── revoked
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── safessl-easyrsa.cnf
└── serial

12 directories, 9 files

#颁发服务端证书
[root@OPEN-VPN easy-rsa]#./easyrsa sign server server

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k  FIPS 25 Mar 2021


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 36500 days:

subject=
    commonName                = OpenVPN


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-2758.W5coEX/tmp.KdpHqF
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'OpenVPN'
Certificate is to be certified until Jul 26 12:26:27 2122 GMT (36500 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt

[root@OPEN-VPN easy-rsa]#tree pki
pki
├── ca.crt
├── certs_by_serial
│   └── A8DDBD8D92EBA8975E0B51FAEF80AEB8.pem #Openvpn服务器证书
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│   └── server.crt       #Openvpn服务器证书
├── openssl-easyrsa.cnf
├── private
│   ├── ca.key
│   └── server.key
├── renewed
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── reqs
│   └── server.req
├── revoked
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old

12 directories, 14 files

[root@OPEN-VPN easy-rsa]#cat pki/issued/server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a8:dd:bd:8d:92:eb:a8:97:5e:0b:51:fa:ef:80:ae:b8
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Open-CA
        Validity
            Not Before: Aug 19 12:26:27 2022 GMT
            Not After : Jul 26 12:26:27 2122 GMT
        Subject: CN=OpenVPN
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:9f:49:70:c3:ff:a8:e8:9d:be:ed:bc:08:b5:2c:
                    93:31:7c:65:2e:a5:a3:03:5f:41:37:8a:1c:10:27:
                    6d:b8:aa:dc:4e:a5:4b:cd:59:fe:70:36:8b:59:20:
                    e6:40:6d:b7:e1:2d:34:09:b5:55:23:b8:0b:cd:7a:
                    89:c6:73:1c:05:00:b4:a2:dd:75:1d:ee:9e:f4:fa:
                    bd:bd:5b:9c:43:7b:35:4c:e2:f9:f5:b7:79:ae:59:
                    7b:31:1e:71:a7:ef:4a:db:2d:c5:9e:15:91:04:d2:
                    58:86:4b:cf:bf:27:90:c3:19:ce:bf:3d:4c:17:af:
                    00:13:f1:1c:56:20:92:ee:df:76:5e:ec:97:30:98:
                    99:2f:5b:1e:53:39:48:21:be:40:4a:f4:a6:58:a6:
                    ef:cc:c0:c1:99:0f:46:49:44:df:df:52:85:6d:f7:
                    04:01:86:e1:27:6c:c0:f2:47:a6:26:40:88:26:b0:
                    1e:db:ec:6b:38:32:6b:33:59:24:62:87:2a:21:66:
                    63:e1:74:ce:2f:50:24:8b:27:2b:2c:21:8d:76:c0:
                    42:6e:a4:f6:1f:d4:c6:41:b6:2c:80:45:01:c7:86:
                    20:11:cc:4f:86:67:65:8e:ca:42:d2:1d:ea:c5:eb:
                    23:ea:09:df:6e:8a:e9:b3:66:ac:fc:ff:f1:5a:78:
                    77:41
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                B3:6C:AF:C8:3D:44:42:A8:B1:7B:2F:75:78:E3:02:9C:4B:E7:4C:7E
            X509v3 Authority Key Identifier: 
                keyid:98:EF:10:A7:C4:95:4B:E3:68:EC:B6:8D:F3:BA:5E:90:7E:FC:76:83
                DirName:/CN=Open-CA
                serial:31:D1:68:C5:E2:59:AD:4B:58:4D:00:D7:58:7A:D0:7A:56:16:54:18

            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:OpenVPN
    Signature Algorithm: sha256WithRSAEncryption
         82:69:37:35:ca:3a:38:47:ce:e1:e9:b3:48:17:b8:ba:a3:22:
         66:97:54:7c:cd:1f:35:bb:ce:81:35:35:70:6c:de:05:37:4a:
         16:ec:57:7d:e8:b7:81:bc:75:f8:e5:6b:20:32:dd:87:22:f4:
         8f:68:44:f3:86:ed:b4:ff:46:1d:c1:ed:b5:03:49:17:cf:27:
         0d:f2:a6:a2:9c:aa:5f:29:09:6f:0c:46:86:77:37:01:cc:1b:
         b8:67:c5:02:a6:b2:66:be:88:52:e5:ba:34:2b:63:12:87:2e:
         9a:52:4b:05:28:97:08:59:a4:78:16:0d:24:20:1d:d9:3d:42:
         d1:52:21:4d:ee:1f:28:6f:01:91:79:53:4d:de:66:95:86:60:
         63:f6:c2:e9:d3:69:61:32:a3:2c:c9:10:e1:9b:b0:95:be:36:
         40:c9:67:b4:89:f7:c2:43:5f:a9:24:70:38:9c:71:46:ef:ff:
         eb:ee:d4:8e:27:c4:55:b8:03:46:fe:e8:25:a3:94:68:ff:f5:
         4f:5d:5a:72:71:01:01:84:92:8c:06:bd:85:de:56:ad:dc:95:
         3c:69:0d:53:ac:e7:83:3e:fe:07:4a:95:bf:e0:c2:0d:e3:9e:
         9d:76:44:2c:f2:59:2c:70:07:44:ea:a3:84:8d:3b:08:27:c2:
         83:ae:e6:fe
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

[root@OPEN-VPN easy-rsa]#cat pki/serial
A8DDBD8D92EBA8975E0B51FAEF80AEB9
[root@OPEN-VPN easy-rsa]#cat pki/index.txt
V	21220726122627Z		A8DDBD8D92EBA8975E0B51FAEF80AEB8	unknown	/CN=OpenVPN
[root@OPEN-VPN easy-rsa]#cat pki/serial.old 
a8ddbd8d92eba8975e0b51faef80aeb8

生成 Diffie-Hellman 参数

#生成 Diffie-Hellman 参数（gen-dh 生成的是 DH 参数文件 dh.pem，而非密钥）
[root@OPEN-VPN easy-rsa]#./easyrsa gen-dh

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k  FIPS 25 Mar 2021
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
............................................................................................................................+.......................................................+........................................................................................................................................................................................+...........................+...........................................................+................................... .......+......................+..............................................................................................+......................................................................................................................................................................................................................................................................................................................................+.............................................................................................................................................................................................................................+..............+................................................................+..+...............................................................+..........+........................++*++*++*++*

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem

#查看生成的文件
[root@OPEN-VPN easy-rsa]# ll pki/dh.pem 
-rw------- 1 root root 424 Aug 19 20:31 pki/dh.pem
[root@OPEN-VPN easy-rsa]#cat pki/dh.pem 
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA8wCXPyhcgLE/7Q+RX1NsHZlnZNtOUYFVCGgfGYukETo60KjlXLc/
EgSRTXIaF7KNo1mtm6JYMR2N0yau1OF8anSHbfqyhci/uUvVnpiqC6xKsJDXQzW4
sbaS+uaaVjaVdSrSyk0RzhV5N8Z4f5byo66sPpT4/p3RhUaoZ8+qrJsf+2yb7D/N
Yrd98SNzuQJ8WLESUXIF3rbBXYyDDIJ75RGHgOu4T66t00jLHqDHTzrAtw08zNQA
zofa9y+eK1FJd71wb3IE9GZ79KlGGsDeOYFUhespe8HTFxALsm0zlMNcXm14UQh2
p5++8Yv96pqSYAARbBzLcG7a3C12X5RJqwIBAg==
-----END DH PARAMETERS-----





准备客户端证书环境

#客户端证书有效时间设置
[root@OPEN-VPN easy-rsa]#vim /etc/openvpn/easy-rsa/vars 
set_var EASYRSA_CERT_EXPIRE 100
#注意：此处修改的是之前为服务器端证书设置的有效期，此后签发的证书都将使用该值

#创建客户端证书申请
[root@OPEN-VPN easy-rsa]#./easyrsa gen-req shuhong nopass

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k  FIPS 25 Mar 2021
Generating a RSA private key
..................................+++++
..............+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-2953.gKUfYX/tmp.EZeleA'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [shuhong]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/shuhong.req
key: /etc/openvpn/easy-rsa/pki/private/shuhong.key

[root@OPEN-VPN easy-rsa]#tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│   ├── ca.crt
│   ├── certs_by_serial
│   │   └── A8DDBD8D92EBA8975E0B51FAEF80AEB8.pem
│   ├── dh.pem
│   ├── index.txt
│   ├── index.txt.attr
│   ├── index.txt.attr.old
│   ├── index.txt.old
│   ├── issued
│   │   └── server.crt
│   ├── openssl-easyrsa.cnf
│   ├── private
│   │   ├── ca.key
│   │   ├── server.key
│   │   └── shuhong.key     #密钥文件
│   ├── renewed
│   │   ├── certs_by_serial
│   │   ├── private_by_serial
│   │   └── reqs_by_serial
│   ├── reqs
│   │   ├── server.req
│   │   └── shuhong.req     #申请文件
│   ├── revoked
│   │   ├── certs_by_serial
│   │   ├── private_by_serial
│   │   └── reqs_by_serial
│   ├── safessl-easyrsa.cnf
│   ├── serial
│   └── serial.old
├── vars
└── x509-types
    ├── ca
    ├── client
    ├── code-signing
    ├── COMMON
    ├── email
    ├── kdc
    ├── server
    └── serverClient

14 directories, 28 files

#颁发客户端证书
[root@OPEN-VPN easy-rsa]#./easyrsa sign client shuhong

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k  FIPS 25 Mar 2021


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 100 days:

subject=
    commonName                = shuhong


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-3020.QXbOnw/tmp.VzgvZy
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'shuhong'
Certificate is to be certified until Nov 27 12:39:37 2022 GMT (100 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/shuhong.crt


[root@OPEN-VPN easy-rsa]#tree pki
pki
├── ca.crt
├── certs_by_serial
│   ├── 116207B3A862F7D08C3CE1B78AC5482D.pem
│   └── A8DDBD8D92EBA8975E0B51FAEF80AEB8.pem
├── dh.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│   ├── server.crt
│   └── shuhong.crt   #证书文件
├── openssl-easyrsa.cnf
├── private
│   ├── ca.key
│   ├── server.key
│   └── shuhong.key
├── renewed
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── reqs
│   ├── server.req
│   └── shuhong.req
├── revoked
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old

12 directories, 19 files

[root@OPEN-VPN easy-rsa]#cat pki/issued/shuhong.crt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            11:62:07:b3:a8:62:f7:d0:8c:3c:e1:b7:8a:c5:48:2d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Open-CA
        Validity
            Not Before: Aug 19 12:39:37 2022 GMT
            Not After : Nov 27 12:39:37 2022 GMT
        Subject: CN=shuhong
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b6:9e:3c:1e:f2:1f:32:1e:d8:6d:12:30:d2:e7:
                    80:82:dc:8d:5f:7d:d6:63:f3:04:fe:4b:f4:e9:6a:
                    27:f1:b7:d6:c8:5e:51:56:a9:68:1b:a3:98:ba:5d:
                    8a:30:3e:0b:4b:c7:1d:bf:f7:d4:ad:45:4e:aa:55:
                    39:7f:06:82:bf:04:af:64:80:19:47:31:80:e9:3e:
                    5a:f8:5c:af:71:2d:8e:ad:e7:e4:4e:12:18:b1:e4:
                    fd:a9:4a:0e:4d:34:83:ee:89:bf:cd:da:6d:df:b6:
                    8a:d6:9b:03:71:0a:fd:56:77:ec:58:24:61:86:8c:
                    ca:fe:83:f7:ee:54:34:74:4a:3f:79:e2:bd:32:3c:
                    d8:b7:bd:5b:07:a0:18:97:cb:7d:5d:5e:91:f7:5b:
                    95:d1:fc:e6:2b:06:86:2a:34:ee:ca:e8:69:e0:55:
                    3a:a0:41:d0:3f:8f:7e:83:61:0d:49:1e:3d:75:37:
                    b1:b2:aa:63:0c:3d:07:4a:31:81:2a:b7:b4:1a:39:
                    72:34:5e:91:7a:7d:b1:94:cb:40:66:a8:7f:18:03:
                    57:73:bd:03:93:8c:52:41:c2:aa:a5:06:79:04:d0:
                    bb:ff:5c:7f:fd:75:50:73:96:33:09:b0:32:53:8b:
                    79:b3:81:6d:55:69:9a:94:3c:87:11:7c:20:10:21:
                    df:67
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                B1:3D:6A:E0:3B:C1:BD:4C:28:B1:4E:E2:89:A5:CF:13:33:D1:92:93
            X509v3 Authority Key Identifier: 
                keyid:98:EF:10:A7:C4:95:4B:E3:68:EC:B6:8D:F3:BA:5E:90:7E:FC:76:83
                DirName:/CN=Open-CA
                serial:31:D1:68:C5:E2:59:AD:4B:58:4D:00:D7:58:7A:D0:7A:56:16:54:18

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Key Usage: 
                Digital Signature
    Signature Algorithm: sha256WithRSAEncryption
         a7:c3:f0:0e:e1:e6:fe:6a:59:7e:d5:3a:3e:0d:89:1f:71:cb:
         8f:cb:2b:91:fd:08:1c:16:b8:63:75:89:87:f5:87:83:6e:10:
         b0:a8:87:41:5d:e0:9e:01:18:2f:c4:2f:21:9a:ad:63:4d:43:
         9e:3a:c3:2d:40:74:08:84:4d:5a:b0:a0:31:1c:94:48:e1:44:
         1e:8e:36:b7:23:2e:f8:bf:75:89:2b:f8:02:ec:39:b4:ef:38:
         81:46:38:3d:64:b7:b8:d1:2b:8a:e5:b4:02:77:d1:19:f8:3d:
         e5:ec:f3:e8:3c:6c:1d:02:79:fc:a8:a7:95:cf:a2:72:29:13:
         be:d7:82:a2:6c:10:d2:f9:65:34:1d:60:26:be:2a:d0:5f:85:
         05:70:47:fa:31:c2:4d:b0:1f:8f:e3:e1:82:42:90:02:b1:44:
         3a:dc:19:aa:28:ff:a2:ae:2c:11:8c:b9:56:2c:21:5a:7f:4c:
         22:df:38:70:9e:71:a7:26:6a:9e:4d:48:6a:a8:1a:ed:46:fb:
         f2:fa:4b:ec:78:44:d6:e6:e7:3d:40:22:93:68:ff:ce:6c:48:
         25:90:3d:cb:fc:8d:57:03:60:60:59:c5:b2:10:00:87:d8:61:
         13:9c:83:c6:77:df:1c:2e:b1:b2:fb:46:ba:a7:b0:50:23:c0:
         41:b6:37:66
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

将CA和服务器证书相关文件复制到服务器相应的目录

[root@OPEN-VPN easy-rsa]#cp /etc/openvpn/easy-rsa/pki/ca.crt  /etc/openvpn/server/
[root@OPEN-VPN easy-rsa]#cp /etc/openvpn/easy-rsa/pki/issued/server.crt  /etc/openvpn/server/
[root@OPEN-VPN easy-rsa]#cp /etc/openvpn/easy-rsa/pki/private/server.key  /etc/openvpn/server/
[root@OPEN-VPN easy-rsa]#cp /etc/openvpn/easy-rsa/pki/dh.pem  /etc/openvpn/server/
[root@OPEN-VPN easy-rsa]#ll /etc/openvpn/server/
total 20
-rw------- 1 root root 1188 Aug 19 20:43 ca.crt
-rw------- 1 root root  424 Aug 19 20:44 dh.pem
-rw------- 1 root root 4598 Aug 19 20:43 server.crt
-rw------- 1 root root 1704 Aug 19 20:44 server.key

将客户端私钥与证书相关文件复制到服务器相关的目录

[root@OPEN-VPN easy-rsa]#find /etc/openvpn/easy-rsa/ -name "shuhong.key" -o -name "shuhong.crt" -o -name ca.crt
/etc/openvpn/easy-rsa/pki/private/shuhong.key
/etc/openvpn/easy-rsa/pki/issued/shuhong.crt
/etc/openvpn/easy-rsa/pki/ca.crt

[root@OPEN-VPN easy-rsa]#find /etc/openvpn/easy-rsa \( -name "shuhong.key" -o -name "shuhong.crt" -o -name ca.crt \) -exec cp {} /etc/openvpn/client/shuhong/ \;

[root@OPEN-VPN easy-rsa]#ll /etc/openvpn/client/shuhong/
total 16
-rw------- 1 root root 1188 Aug 19 20:49 ca.crt
-rw------- 1 root root 4473 Aug 19 20:49 shuhong.crt
-rw------- 1 root root 1704 Aug 19 20:49 shuhong.key

配置 OpenVPN 服务器并启动服务

服务器端配置文件说明

[root@OPEN-VPN easy-rsa]#cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf  /etc/openvpn/
[root@OPEN-VPN easy-rsa]#grep -Ev "^#|^$" /etc/openvpn/server.conf
;local a.b.c.d
port 1194
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
;topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;client-to-client
;duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
;compress lz4-v2
;push "compress lz4-v2"
;comp-lzo
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status openvpn-status.log
;log         openvpn.log
;log-append  openvpn.log
verb 3
;mute 20
explicit-exit-notify 1

修改服务器端配置文件

[root@OPEN-VPN easy-rsa]#vim /etc/openvpn/server.conf 
port 1194
proto tcp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key # This file should be kept secret
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
user openvpn
group openvpn
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20

准备服务器日志相关目录

[root@OPEN-VPN easy-rsa]#getent passwd openvpn
openvpn:x:994:991:OpenVPN:/etc/openvpn:/sbin/nologin
[root@OPEN-VPN easy-rsa]#mkdir /var/log/openvpn
[root@OPEN-VPN easy-rsa]#chown openvpn:openvpn /var/log/openvpn
[root@OPEN-VPN easy-rsa]#ll -d /var/log/openvpn/
drwxr-xr-x 2 openvpn openvpn 6 Aug 19 20:56 /var/log/openvpn/

启动 OpenVPN 服务

#准备 OpenVPN 服务的service文件
#centos8缺失文件,需要从centos7拷贝过来
[root@OPEN-VPN easy-rsa]#rpm -ql openvpn |grep systemd
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/share/doc/openvpn/README.systemd

[root@OPEN-VPN easy-rsa]# ll /usr/lib/systemd/system/ |grep openvpn
-rw-r--r--  1 root root  702 Mar 18 02:59 openvpn-client@.service
-rw-r--r--  1 root root  914 Mar 18 02:59 openvpn-server@.service
-rw-r--r--  1 root root  244 Aug 19 21:17 openvpn@.service   #拷贝此文件过来

[root@OPEN-VPN easy-rsa]# cat /usr/lib/systemd/system/openvpn@.service 
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target

[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf

[Install]
WantedBy=multi-user.target

[root@OPEN-VPN easy-rsa]#systemctl daemon-reload 
[root@OPEN-VPN easy-rsa]#systemctl enable --now openvpn@server
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn@server.service → /usr/lib/systemd/system/openvpn@.service.

#查看服务状态
[root@OPEN-VPN easy-rsa]#systemctl status openvpn@server.service 
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2022-08-19 21:22:45 CST; 1min 25s ago
 Main PID: 3538 (openvpn)
   Status: "Initialization Sequence Completed"
    Tasks: 1 (limit: 11175)
   Memory: 1.2M
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─3538 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf

Aug 19 21:22:45 OPEN-VPN.com systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
Aug 19 21:22:45 OPEN-VPN.com systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.

[root@OPEN-VPN easy-rsa]#ss -ntlp
State      Recv-Q      Send-Q           Local Address:Port           Peer Address:Port     Process                                
LISTEN     0           100                  127.0.0.1:25                  0.0.0.0:*         users:(("master",pid=1522,fd=16))     
LISTEN     0           32                     0.0.0.0:1194                0.0.0.0:*         users:(("openvpn",pid=3538,fd=8))     
LISTEN     0           128                    0.0.0.0:22                  0.0.0.0:*         users:(("sshd",pid=1049,fd=4))        
LISTEN     0           100                      [::1]:25                     [::]:*         users:(("master",pid=1522,fd=17))     
LISTEN     0           128                       [::]:22                     [::]:*         users:(("sshd",pid=1049,fd=6))        

[root@OPEN-VPN easy-rsa]#cat /var/log/openvpn/openvpn.log 
Fri Aug 19 21:22:45 2022 OpenVPN 2.4.12 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 17 2022
Fri Aug 19 21:22:45 2022 library versions: OpenSSL 1.1.1k  FIPS 25 Mar 2021, LZO 2.08
Fri Aug 19 21:22:45 2022 WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail
Fri Aug 19 21:22:45 2022 WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail
Fri Aug 19 21:22:45 2022 Diffie-Hellman initialized with 2048 bit key
Fri Aug 19 21:22:45 2022 ROUTE_GATEWAY 10.0.0.2/255.255.255.0 IFACE=eth0 HWADDR=00:0c:29:51:16:b6
Fri Aug 19 21:22:45 2022 TUN/TAP device tun0 opened
Fri Aug 19 21:22:45 2022 TUN/TAP TX queue length set to 100
Fri Aug 19 21:22:45 2022 /sbin/ip link set dev tun0 up mtu 1500
Fri Aug 19 21:22:45 2022 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Fri Aug 19 21:22:45 2022 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Fri Aug 19 21:22:45 2022 Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Aug 19 21:22:45 2022 Socket Buffers: R=[87380->87380] S=[16384->16384]
Fri Aug 19 21:22:45 2022 Listening for incoming TCP connection on [AF_INET][undef]:1194
Fri Aug 19 21:22:45 2022 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Fri Aug 19 21:22:45 2022 TCPv4_SERVER link remote: [AF_UNSPEC]
Fri Aug 19 21:22:45 2022 GID set to openvpn
Fri Aug 19 21:22:45 2022 UID set to openvpn
Fri Aug 19 21:22:45 2022 MULTI: multi_init called, r=256 v=256
Fri Aug 19 21:22:45 2022 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Fri Aug 19 21:22:45 2022 MULTI: TCP INIT maxclients=2048 maxevents=2052
Fri Aug 19 21:22:45 2022 Initialization Sequence Completed

[root@OPEN-VPN easy-rsa]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:51:16:b6 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.154/24 brd 10.0.0.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe51:16b6/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:51:16:c0 brd ff:ff:ff:ff:ff:ff
    inet 172.25.254.128/24 brd 172.25.254.255 scope global dynamic noprefixroute eth1
       valid_lft 1546sec preferred_lft 1546sec
    inet6 fe80::1dc0:cf48:556f:afd6/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none 
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::8036:20a0:df8f:4eab/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

[root@OPEN-VPN easy-rsa]#route -n 
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.2        0.0.0.0         UG    100    0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     100    0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
172.25.254.0    0.0.0.0         255.255.255.0   U     101    0        0 eth1

开启openvpn服务器的路由转发功能及配置iptables

[root@OPEN-VPN shuhong]#vim /etc/sysctl.conf 
net.ipv4.ip_forward = 1
[root@OPEN-VPN shuhong]#sysctl -p
net.ipv4.ip_forward = 1

[root@OPEN-VPN shuhong]#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 10.0.0.154

准备 OpenVPN 客户端配置文件

生成客户端用户的配置文件

[root@OPEN-VPN easy-rsa]#grep '^[[:alpha:]].*' /usr/share/doc/openvpn/sample/sample-config-files/client.conf > /etc/openvpn/client/shuhong/client.ovpn

[root@OPEN-VPN /]#vim etc/openvpn/client/shuhong/client.ovpn 
client
dev tun
proto tcp
remote 172.25.254.128 1194
resolv-retry infinite
nobind
#persist-key
#persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
#tls-auth ta.key 1
cipher AES-256-CBC
verb 3
compress lz4-v2

实现 OpenVPN 客户端

Windows 安装 OpenVPN 客户端

官方客户端下载地址:
https://openvpn.net/community-downloads/

Windows 客户端配置准备

[root@OPEN-VPN /]#cd /etc/openvpn/client/shuhong/
[root@OPEN-VPN shuhong]#ll
total 28
-rw------- 1 root root 1188 Aug 19 20:49 ca.crt
-rw------- 1 root root 4473 Aug 19 20:49 client.crt
-rw------- 1 root root 1704 Aug 19 20:49 client.key
-rw-r--r-- 1 root root  233 Aug 19 21:33 client.ovpn
-rw-r--r-- 1 root root 5629 Aug 19 21:39 shuhong.zip
[root@OPEN-VPN shuhong]#zip shuhong.zip /etc/openvpn/client/shuhong/* 
[root@OPEN-VPN shuhong]#sz shuhong.zip 

将客户端文件放入windows的openvpn的config文件夹中

测试连接

打开windows的openvpn

使用cmd命令及访问web服务测试

Openvpn管理

启动安全增强功能

[root@OPEN-VPN ~]#openvpn --genkey --secret /etc/openvpn/server/ta.key
[root@OPEN-VPN ~]#cat /etc/openvpn/server/ta.key 
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
58aa52d580d44f0f33af5550e2363625
d1ce12d8b82a561f8326a924642c7118
32af0a1271a62ab31588b053609e0ef1
aae88540dec0d131cd2713f4c92e49bc
777a032a30ec0456447c6f762784b3f3
7478fcd69c0b3e728a4fad7cc185fcb1
9b673bbd8abc960587b7f761a9682eba
bc03eb736dffbb06c1398607abaf8460
9e4c7e9874c1b74ce95d186b466963fd
0a69db81086bc518886aeb1f8ce010f4
cef7242118cb901098f6773c9eb64e50
76b2b6fe12d4899a0693f0a78fd9dd25
9230616abf7ac11747c3fad7d262357f
e102176e165a470983191142aa703e02
324cb469710c9dfb7a721826b42e3586
e196c311d2c3b9a8655c5172576236aa
-----END OpenVPN Static key V1-----

[root@OPEN-VPN ~]#cp /etc/openvpn/server/ta.key /etc/openvpn/client/shuhong/ta.key
[root@OPEN-VPN ~]#ll /etc/openvpn/client/shuhong/
total 32
-rw------- 1 root root 1188 Aug 19 20:49 ca.crt
-rw------- 1 root root 4473 Aug 19 20:49 client.crt
-rw------- 1 root root 1704 Aug 19 20:49 client.key
-rw-r--r-- 1 root root  233 Aug 19 21:33 client.ovpn
-rw-r--r-- 1 root root 5629 Aug 19 21:39 shuhong.zip
-rw------- 1 root root  636 Aug 20 08:42 ta.key

[root@OPEN-VPN ~]#vim  /etc/openvpn/client/shuhong/client.ovpn 
tls-auth ta.key 1

[root@OPEN-VPN ~]#vim  /etc/openvpn/server.conf
tls-auth /etc/openvpn/server/ta.key 0 

[root@OPEN-VPN ~]#systemctl restart openvpn@server.service 

[root@OPEN-VPN ~]#systemctl status openvpn@server.service 
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2022-08-20 08:45:24 CST; 47s ago
 Main PID: 4571 (openvpn)
   Status: "Initialization Sequence Completed"
    Tasks: 1 (limit: 11175)
   Memory: 1.1M
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─4571 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf

Aug 20 08:45:24 OPEN-VPN.com systemd[1]: openvpn@server.service: Succeeded.
Aug 20 08:45:24 OPEN-VPN.com systemd[1]: Stopped OpenVPN Robust And Highly Flexible Tunneling Application On server.
Aug 20 08:45:24 OPEN-VPN.com systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
Aug 20 08:45:24 OPEN-VPN.com systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.

[root@OPEN-VPN shuhong]#ll
total 24
-rw------- 1 root root 1188 Aug 19 20:49 ca.crt
-rw------- 1 root root 4473 Aug 19 20:49 client.crt
-rw------- 1 root root 1704 Aug 19 20:49 client.key
-rw-r--r-- 1 root root  233 Aug 20 08:44 client.ovpn
-rw------- 1 root root  636 Aug 20 08:42 ta.key
[root@OPEN-VPN shuhong]#
[root@OPEN-VPN shuhong]#zip shuhong.zip *
  adding: ca.crt (deflated 27%)
  adding: client.crt (deflated 45%)
  adding: client.key (deflated 23%)
  adding: client.ovpn (deflated 28%)
  adding: ta.key (deflated 39%)
[root@OPEN-VPN shuhong]#ll
total 32
-rw------- 1 root root 1188 Aug 19 20:49 ca.crt
-rw------- 1 root root 4473 Aug 19 20:49 client.crt
-rw------- 1 root root 1704 Aug 19 20:49 client.key
-rw-r--r-- 1 root root  233 Aug 20 08:44 client.ovpn
-rw-r--r-- 1 root root 5938 Aug 20 08:47 shuhong.zip
-rw------- 1 root root  636 Aug 20 08:42 ta.key
[root@OPEN-VPN shuhong]#sz shuhong.zip 

[root@OPEN-VPN shuhong]#tail -f /var/log/openvpn/*
==> /var/log/openvpn/openvpn.log <==
Sat Aug 20 08:49:12 2022 172.25.254.1:52935 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Sat Aug 20 08:49:12 2022 172.25.254.1:52935 [shuhong] Peer Connection Initiated with [AF_INET]172.25.254.1:52935
Sat Aug 20 08:49:12 2022 shuhong/172.25.254.1:52935 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Sat Aug 20 08:49:12 2022 shuhong/172.25.254.1:52935 MULTI: Learn: 10.8.0.6 -> shuhong/172.25.254.1:52935
Sat Aug 20 08:49:12 2022 shuhong/172.25.254.1:52935 MULTI: primary virtual IP for shuhong/172.25.254.1:52935: 10.8.0.6
Sat Aug 20 08:49:13 2022 shuhong/172.25.254.1:52935 PUSH: Received control message: 'PUSH_REQUEST'
Sat Aug 20 08:49:13 2022 shuhong/172.25.254.1:52935 SENT CONTROL [shuhong]: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,compress lz4-v2,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Sat Aug 20 08:49:13 2022 shuhong/172.25.254.1:52935 Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Aug 20 08:49:13 2022 shuhong/172.25.254.1:52935 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Aug 20 08:49:13 2022 shuhong/172.25.254.1:52935 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

==> /var/log/openvpn/openvpn-status.log <==
OpenVPN CLIENT LIST
Updated,Sat Aug 20 08:53:27 2022
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
shuhong,172.25.254.1:52935,16604,4553,Sat Aug 20 08:49:12 2022
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,shuhong,172.25.254.1:52935,Sat Aug 20 08:49:12 2022
GLOBAL STATS
Max bcast/mcast queue length,1
END

设置客户端的私钥密码增强安全性

#新建一个账户wing,并且设置证书密码,提高证书及登录VPN的安全性
[root@OPEN-VPN easy-rsa]#pwd
/etc/openvpn/easy-rsa

[root@OPEN-VPN easy-rsa]#./easyrsa gen-req wing 

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k  FIPS 25 Mar 2021
Generating a RSA private key
...........+++++
.......................................+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-4682.ncTvFz/tmp.qiKy83'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [wing]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/wing.req
key: /etc/openvpn/easy-rsa/pki/private/wing.key

[root@OPEN-VPN easy-rsa]#./easyrsa sign client wing

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k  FIPS 25 Mar 2021


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 100 days:

subject=
    commonName                = wing


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-4711.Law9Ho/tmp.YmJlmu
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'wing'
Certificate is to be certified until Nov 28 00:58:28 2022 GMT (100 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/wing.crt


[root@OPEN-VPN easy-rsa]#cp pki/issued/wing.crt  /etc/openvpn/client/wing/
[root@OPEN-VPN easy-rsa]#cp pki/private/wing.key  /etc/openvpn/client/wing/
[root@OPEN-VPN easy-rsa]#cp /etc/openvpn/server/{ca.crt,ta.key} /etc/openvpn/client/wing/
[root@OPEN-VPN easy-rsa]#cp /etc/openvpn/client/shuhong/client.ovpn /etc/openvpn/client/wing/
[root@OPEN-VPN easy-rsa]#ll /etc/openvpn/client/wing/
total 24
-rw------- 1 root root 1188 Aug 20 09:03 ca.crt
-rw-r--r-- 1 root root  233 Aug 20 09:04 client.ovpn
-rw------- 1 root root  636 Aug 20 09:03 ta.key
-rw------- 1 root root 4470 Aug 20 09:02 wing.crt
-rw------- 1 root root 1854 Aug 20 09:02 wing.key

[root@OPEN-VPN easy-rsa]#cd  /etc/openvpn/client/wing/
[root@OPEN-VPN wing]#mv wing.crt client.crt
[root@OPEN-VPN wing]#mv wing.key client.key
[root@OPEN-VPN wing]#ll
total 24
-rw------- 1 root root 1188 Aug 20 09:03 ca.crt
-rw------- 1 root root 4470 Aug 20 09:02 client.crt
-rw------- 1 root root 1854 Aug 20 09:02 client.key
-rw-r--r-- 1 root root  233 Aug 20 09:04 client.ovpn
-rw------- 1 root root  636 Aug 20 09:03 ta.key


[root@OPEN-VPN wing]#zip wing.zip *
  adding: ca.crt (deflated 27%)
  adding: client.crt (deflated 45%)
  adding: client.key (deflated 24%)
  adding: client.ovpn (deflated 28%)
  adding: ta.key (deflated 39%)
[root@OPEN-VPN wing]#ll
total 32
-rw------- 1 root root 1188 Aug 20 09:03 ca.crt
-rw------- 1 root root 4470 Aug 20 09:02 client.crt
-rw------- 1 root root 1854 Aug 20 09:02 client.key
-rw-r--r-- 1 root root  233 Aug 20 09:04 client.ovpn
-rw------- 1 root root  636 Aug 20 09:03 ta.key
-rw-r--r-- 1 root root 6045 Aug 20 09:07 wing.zip
[root@OPEN-VPN wing]#sz wing.zip 

账户证书管理

#证书手动注销
#查看当前证书的状态，第一列为 V 表示证书有效，为 R 表示证书已被吊销
[root@OPEN-VPN wing]#cat /etc/openvpn/easy-rsa/pki/index.txt
V	21220726122627Z		A8DDBD8D92EBA8975E0B51FAEF80AEB8	unknown	/CN=OpenVPN
V	221127123937Z		116207B3A862F7D08C3CE1B78AC5482D	unknown	/CN=shuhong
V	221128005828Z		8BAB14A8BA75754630460E45A543ACB7	unknown	/CN=wing

#吊销指定的用户的证书
[root@OPEN-VPN wing]#cd /etc/openvpn/easy-rsa/
[root@OPEN-VPN easy-rsa]#./easyrsa revoke wing

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k  FIPS 25 Mar 2021


Please confirm you wish to revoke the certificate with the following subject:

subject=
    commonName                = wing


Type the word 'yes' to continue, or any other input to abort.
  Continue with revocation: yes
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-4998.iPNltG/tmp.evGxMm
Revoking Certificate 8BAB14A8BA75754630460E45A543ACB7.
Data Base Updated

IMPORTANT!!!

Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.

[root@OPEN-VPN easy-rsa]#cat /etc/openvpn/easy-rsa/pki/index.txt
V	21220726122627Z		A8DDBD8D92EBA8975E0B51FAEF80AEB8	unknown	/CN=OpenVPN
V	221127123937Z		116207B3A862F7D08C3CE1B78AC5482D	unknown	/CN=shuhong
R	221128005828Z	220820011319Z	8BAB14A8BA75754630460E45A543ACB7	unknown	/CN=wing


#生成证书吊销列表
#每次吊销证书后都需要更新证书吊销列表文件,并且需要重启OpenVPN服务

[root@OPEN-VPN easy-rsa]#./easyrsa gen-crl

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k  FIPS 25 Mar 2021
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-5044.xlCh5R/tmp.ar9LFJ

An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem

#将吊销列表文件发布
#第一次吊销证书时需要编辑配置文件以引用吊销列表文件，后续吊销无需再执行此步
[root@OPEN-VPN easy-rsa]#vim /etc/openvpn/server.conf 
crl-verify /etc/openvpn/easy-rsa/pki/crl.pem
[root@OPEN-VPN easy-rsa]#systemctl restart openvpn@server.service 

实现用户密码认证

#修改服务端配置
[root@OPEN-VPN easy-rsa]#vim /etc/openvpn/server.conf
# 添加三行,实现服务端支持密码认证方式
script-security 3 # 允许使用自定义脚本
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env #指定自定义脚本路径
username-as-common-name #开启用户密码验证

#创建自定义脚本
#官方脚本下载:http://openvpn.se/files/other/checkpsw.sh

[root@OPEN-VPN openvpn]#ll
total 8
-rw-r--r-- 1 root root    1191 Feb  8  2022 checkpsw.sh
drwxr-x--- 4 root openvpn   33 Aug 20 08:59 client
drwxr-xr-x 4 root root      89 Aug 19 21:35 easy-rsa
drwxr-x--- 2 root openvpn   84 Aug 20 08:41 server
-rw-r--r-- 1 root root     664 Aug 20 09:22 server.conf
[root@OPEN-VPN openvpn]#vim checkpsw.sh 
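#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# Invoked by OpenVPN through "auth-user-pass-verify ... via-env":
# the submitted credentials arrive in the environment variables
# "username" and "password". Exit status 0 accepts the login,
# 1 rejects it. Every decision is appended to LOG_FILE.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn-password.log"
# $(...) rather than backticks: the listing above had lost its
# backticks, which left TIME_STAMP holding the literal word "date".
TIME_STAMP=$(date "+%Y-%m-%d %T")

###########################################################

# Append one timestamped line to the log. The submitted password is
# deliberately never written here: a log file is not a place for
# secrets, and a mistyped password is often a valid one elsewhere.
log() {
  printf '%s: %s\n' "${TIME_STAMP}" "$1" >> "${LOG_FILE}"
}

if [ ! -r "${PASSFILE}" ]; then
  log "Could not open password file \"${PASSFILE}\" for reading."
  exit 1
fi

# Pass the username into awk with -v instead of splicing it into the
# program text; a username containing quotes would otherwise alter the
# awk program itself. Rows starting with ';' or '#' are comments and
# the first matching row wins.
CORRECT_PASSWORD=$(awk -v user="${username}" \
  '!/^;/ && !/^#/ && $1 == user { print $2; exit }' "${PASSFILE}")

if [ -z "${CORRECT_PASSWORD}" ]; then
  log "User does not exist: username=\"${username}\"."
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  log "Successful authentication: username=\"${username}\"."
  exit 0
fi

log "Incorrect password: username=\"${username}\"."
exit 1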
[root@OPEN-VPN openvpn]#chmod +x checkpsw.sh 

[root@OPEN-VPN openvpn]#cat > /etc/openvpn/psw-file << EOF
> shuhong 123456
> wing 654321
> EOF
[root@OPEN-VPN openvpn]#ll
total 12
-rwxr-xr-x 1 root root    1191 Feb  8  2022 checkpsw.sh
drwxr-x--- 4 root openvpn   33 Aug 20 08:59 client
drwxr-xr-x 4 root root      89 Aug 19 21:35 easy-rsa
-rw-r--r-- 1 root root      27 Aug 20 09:24 psw-file
drwxr-x--- 2 root openvpn   84 Aug 20 08:41 server
-rw-r--r-- 1 root root     664 Aug 20 09:22 server.conf
[root@OPEN-VPN openvpn]#systemctl restart openvpn@server.service 

#修改客户端配置
[root@OPEN-VPN openvpn]#vim /etc/openvpn/client/shuhong/client.ovpn 
#加下面一行,可以支持用户密码认证
auth-user-pass
[root@OPEN-VPN shuhong]#zip shuhong.zip *
  adding: ca.crt (deflated 27%)
  adding: client.crt (deflated 45%)
  adding: client.key (deflated 23%)
  adding: client.ovpn (deflated 28%)
  adding: ta.key (deflated 39%)
[root@OPEN-VPN shuhong]#ll
total 32
-rw------- 1 root root 1188 Aug 19 20:49 ca.crt
-rw------- 1 root root 4473 Aug 19 20:49 client.crt
-rw------- 1 root root 1704 Aug 19 20:49 client.key
-rw-r--r-- 1 root root  248 Aug 20 09:26 client.ovpn
-rw-r--r-- 1 root root 5949 Aug 20 09:27 shuhong.zip
-rw------- 1 root root  636 Aug 20 08:42 ta.key