一、为什么要搭建VPN随着企业规模的发展，越来越多的远程办公需求将会产生，为支持远程办公，解决远程连接本地测试环境问题，可以使用开源软件搭建VPN解决，毕竟硬件的VPN不便宜，OpenVPN是个不错的选择，同时支持windows和mac OS 。
二、安装OpenVPN我使用的服务器操作系统是centos7.8，直接用yum安装 。
yum install -y epel-releaseyum install -y openvpn easy-rsa安装完检查下版本，我的是OpenVPN 2.4.9
[root@test-vpn01 ~]# openvpn --versionOpenVPN 2.4.9 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020library versions: OpenSSL 1.0.2k-fips26 Jan 2017, LZO 2.06Originally developed by James YonanCopyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>三、制作证书cd /etc/openvpn && cp -r /usr/share/easy-rsa /etc/openvpn/cd /etc/openvpn/easy-rsa/3/ 创建vars文件，直接copy以下内容并添加可执行权限chmod +x vars
set_var EASYRSA"$PWD"set_var EASYRSA_PKI"$EASYRSA/pki"set_var EASYRSA_DN"cn_only"set_var EASYRSA_REQ_COUNTRY"ID"set_var EASYRSA_REQ_PROVINCE"Jakarta"set_var EASYRSA_REQ_CITY"Jakarta"set_var EASYRSA_REQ_ORG"hakase-labs CERTIFICATE AUTHORITY"set_var EASYRSA_REQ_EMAIL"openvpn@hakase-labs.io"set_var EASYRSA_REQ_OU"HAKASE-LABS EASY CA"set_var EASYRSA_KEY_SIZE2048set_var EASYRSA_ALGOrsaset_var EASYRSA_CA_EXPIRE7500set_var EASYRSA_CERT_EXPIRE365set_var EASYRSA_NS_SUPPORT"no"set_var EASYRSA_NS_COMMENT"HAKASE-LABS CERTIFICATE AUTHORITY"set_var EASYRSA_EXT_DIR"$EASYRSA/x509-types"set_var EASYRSA_SSL_CONF"$EASYRSA/openssl-1.0.cnf"set_var EASYRSA_DIGEST"sha256"接着执行
./easyrsa init-pkiNote: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/varsinit-pki complete; you may now create a CA or requests.Your newly created PKI dir is: /etc/openvpn/easy-rsa/3/pki./easyrsa build-ca......Enter New CA Key Passphrase:#输密码Re-Enter New CA Key Passphrase:#输密码WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnfGenerating RSA private key, 2048 bit long modulus................................................+++...............................................................+++e is 65537 (0x10001)WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnfYou are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Common Name (eg: your user, host, or server name) [Easy-RSA CA]:CA creation complete and you may now import and sign cert requests.Your new CA certificate file for publishing is at:/etc/openvpn/easy-rsa/3/pki/ca.crt./easyrsa gen-req hakase-server nopass......Generating a 2048 bit RSA private key.................................................................+++................................+++writing new private key to '/etc/openvpn/easy-rsa/3/pki/easy-rsa-2911.3BE9Ih/tmp.Z1YEhj'-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Common Name (eg: your user, host, or server name) [hakase-server]:Keypair and certificate request completed. Your files are:req: /etc/openvpn/easy-rsa/3/pki/reqs/hakase-server.reqkey: /etc/openvpn/easy-rsa/3/pki/private/hakase-server.key./easyrsa sign-req server hakase-server......You are about to sign the following certificate.Please check over the details shown below for accuracy. Note that this requesthas not been cryptographically verified. Please be sure it came from a trustedsource or that you have verified the request checksum with the sender.Request subject, to be signed as a server certificate for 365 days:subject=commonName= hakase-serverType the word 'yes' to continue, or any other input to abort.Confirm request details: yesWARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnfUnable to load config info from /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnfWARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnfWARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnfUsing configuration from /etc/openvpn/easy-rsa/3/pki/easy-rsa-3202.ARaxKb/tmp.WGDm1yEnter pass phrase for /etc/openvpn/easy-rsa/3/pki/private/ca.key: #输入上面步骤的密码Check that the request matches the signatureSignature okThe Subject's Distinguished Name is as followscommonName:ASN.1 12:'hakase-server'Certificate is to be certified until Sep 30 09:54:49 2021 GMT (365 days)Write out database with 1 new entriesData Base UpdatedCertificate created at: /etc/openvpn/easy-rsa/3/pki/issued/hakase-server.crt