OpenVPN Setup and Deployment (Part 2)

```
openssl verify -CAfile pki/ca.crt pki/issued/hakase-server.crt
pki/issued/hakase-server.crt: OK
```

Create the client key
```
./easyrsa gen-req client_01 nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
Generating a 2048 bit RSA private key
...........+++
..........................+++
writing new private key to '/etc/openvpn/easy-rsa/3/pki/easy-rsa-3386.pQq0xv/tmp.tHpyYU'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client_01]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3/pki/reqs/client_01.req
key: /etc/openvpn/easy-rsa/3/pki/private/client_01.key
```

Sign the client request with the CA:

```
./easyrsa sign-req client client_01
......
Request subject, to be signed as a client certificate for 365 days:

subject=
    commonName                = client_01

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
Using configuration from /etc/openvpn/easy-rsa/3/pki/easy-rsa-3446.iYLNHV/tmp.baYmMM
Enter pass phrase for /etc/openvpn/easy-rsa/3/pki/private/ca.key:   # enter the CA key password set in the earlier step
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client_01'
Certificate is to be certified until Sep 30 09:57:27 2021 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3/pki/issued/client_01.crt
```

Verify the client certificate against the CA, then generate the DH parameters:

```
openssl verify -CAfile pki/ca.crt pki/issued/client_01.crt
pki/issued/client_01.crt: OK

./easyrsa gen-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.........................................................+............+.............................................+.......................+...................................+...........+.+.................+................................++*++*
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3/pki/dh.pem
```

Copy the server key and certificate
```
cp pki/ca.crt /etc/openvpn/server/
cp pki/issued/hakase-server.crt /etc/openvpn/server/
cp pki/private/hakase-server.key /etc/openvpn/server/
cp pki/dh.pem /etc/openvpn/server/
```

Copy the client_01 key and certificate
```
cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client_01.crt /etc/openvpn/client/
cp pki/private/client_01.key /etc/openvpn/client/
```

4. OpenVPN configuration

Add the server configuration file
```
cd /etc/openvpn/ && vi service.conf

# OpenVPN Port, Protocol and the Tun
port 1194
proto udp
dev tun

# OpenVPN Server Certificate - CA, server key and certificate
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/hakase-server.crt
key /etc/openvpn/server/hakase-server.key

# DH and CRL key
dh /etc/openvpn/server/dh.pem
# Note: this guide skips the revoked-certificate (CRL) check
#crl-verify /etc/openvpn/server/crl.pem

# Network Configuration - Internal network
# Redirect all Connection through OpenVPN Server
# Internal subnet assigned to clients
server 192.168.200.128 255.255.255.128
push "redirect-gateway def1"

# DNS servers pushed to clients (AliDNS and 114DNS)
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 114.114.114.114"

# Enable multiple clients to connect with the same certificate/key
duplicate-cn

# TLS Security
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache

# Other Configuration
keepalive 20 60
persist-key
persist-tun
comp-lzo yes
daemon
user nobody
group nobody

# OpenVPN Log (option names are case-sensitive: log-append, not log-Append)
log-append openvpn.log
status openvpn-status.log
verb 3
```

Add the client configuration file
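Several settings in this server config deserve a second look before it goes live (the commented-out crl-verify, duplicate-cn, compression, no tls-auth/tls-crypt, and the easy-to-miss case typo in option names). The following is an added example, not code from the original post: a small linter that parses an OpenVPN config the way the daemon tokenizes it and reports those findings, run over a constructed sample taken from the config above.

```python
"""Audit an OpenVPN server config for weak or risky settings (added example)."""
import re

# Directives this linter knows; anything else is reported as unrecognized.
KNOWN = {"port", "proto", "dev", "ca", "cert", "key", "dh", "crl-verify",
         "server", "push", "duplicate-cn", "cipher", "tls-version-min",
         "tls-cipher", "auth", "auth-nocache", "keepalive", "persist-key",
         "persist-tun", "comp-lzo", "compress", "daemon", "user", "group",
         "log-append", "status", "verb", "tls-auth", "tls-crypt"}

def parse(text):
    """Return [(directive, [args])], dropping '#'/';' comments and blank lines."""
    out = []
    for line in text.splitlines():
        line = re.split(r"[#;]", line, 1)[0].strip()
        if line:
            directive, *args = re.findall(r'"[^"]*"|\S+', line)  # keep quoted push args whole
            out.append((directive, args))
    return out

def audit(text):
    """Return a list of human-readable findings; empty list means nothing flagged."""
    cfg = parse(text)
    names = {d for d, _ in cfg}
    findings = []
    for d, _ in cfg:
        if d not in KNOWN:  # OpenVPN option names are case-sensitive
            hint = " (case?)" if d.lower() in KNOWN else ""
            findings.append(f"unrecognized option '{d}'{hint}")
    if "crl-verify" not in names:
        findings.append("no crl-verify: revoked client certs stay valid")
    if "duplicate-cn" in names:
        findings.append("duplicate-cn: one leaked cert can serve many clients")
    if not names & {"tls-auth", "tls-crypt"}:
        findings.append("no tls-auth/tls-crypt: control channel unauthenticated before TLS")
    for d, a in cfg:
        if (d == "comp-lzo" and a != ["no"]) or \
           (d == "compress" and a and a[0] not in ("stub", "stub-v2")):
            findings.append(f"{d}: compression enabled (VORACLE-style risk)")
    return findings

# Constructed sample, condensed from the server config above.
SAMPLE = """port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
dh /etc/openvpn/server/dh.pem
#crl-verify /etc/openvpn/server/crl.pem
server 192.168.200.128 255.255.255.128
push "redirect-gateway def1"
duplicate-cn
cipher AES-256-CBC
comp-lzo yes
log-Append openvpn.log
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("-", f)
```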
```
cd /etc/openvpn/client && vi client_01.ovpn

client
dev tun
proto udp
# Your company's public (egress) IP
remote 113.xx.xx.xx 1194
ca ca.crt
cert client_01.crt
key client_01.key
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lzo
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
```

Add the routing and forwarding configuration
```
# Either firewalld or iptables will do; I'm using iptables here
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -o eth0 -j MASQUERADE
```

