image.png

一、服务端配置

环境

云服务器
#Linux系统版本
[root@open***-server open***]# cat /etc/redhat-release 
CentOS Linux release 7.7.1908 (Core)
#查看内网IP信息
[root@open***-server open***]#  ifconfig eth0|awk 'NR==2{print $2}'
172.16.1.90
#查看公网IP信息
[root@open***-server open***]# curl ifconfig.me
59.110.215.165
#配置yum源于eple源
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

①easy-rsa3生成证书

#添加防火墙的内核参数
echo 'net.ipv4.ip_forward=1 ' >>/etc/sysctl.conf && sysctl -p

#下载需要的安装包
yum install gcc gcc-c++ easy-rsa -y open*** openssl

#将easy-rsa复制到open***目录下
mkdir -p /etc/open***/easy-rsa
\cp -a /usr/share/easy-rsa/3/* /etc/open***/easy-rsa/
chown -R root:root /etc/open***/easy-rsa/
cd /etc/open***/easy-rsa/

[root@lcx01 easy-rsa]# ll ./
total 76
-rwxr-xr-x 1 root root 48730 Feb  2  2019 easyrsa
-rw-r--r-- 1 root root  4651 Feb  2  2019 openssl-easyrsa.cnf
drwx------ 4 root root  4096 Jan  2 18:24 pki
drwxr-xr-x 2 root root  4096 Jan  2 18:14 x509-types

#将vars.example复制一份到open***目录下，命名为vars
cp -a /usr/share/doc/easy-rsa-3.0.6/vars.example ./vars

#修改如下参数
egrep -v '^#|^$' vars 
set_var EASYRSA_REQ_COUNTRY "CH"
set_var EASYRSA_REQ_PROVINCE    "BJ"
set_var EASYRSA_REQ_CITY    "BJ"
set_var EASYRSA_REQ_ORG "ZXZN"
set_var EASYRSA_REQ_EMAIL   "245684979@qq.com"
set_var EASYRSA_REQ_OU      "ZXZN"
set_var EASYRSA_KEY_SIZE    2048
set_var EASYRSA_CA_EXPIRE      3650 #默认有效10年
set_var EASYRSA_NS_SUPPORT  "yes"   #如果client的配置文件中使用了ns-cert-type server则要打开此选项

1. 生成服务端证书

初始化目录

初始化，会在当前目录创建PKI目录，用于存储一些中间变量及最终生成的证书

[root@lcx01 easy-rsa]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars

WARNING!!!

You are about to remove the EASYRSA_PKI at: /etc/open***/easy-rsa/pki
and initialize a fresh PKI here.

Type the word 'yes' to continue, or any other input to abort.
  Confirm removal: yes  

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/open***/easy-rsa/pki

创建CA证书

创建根证书，首先会提示设置密码，用于ca对之后生成的server和client证书签名时使用，然后会提示设置Country Name

[root@lcx01 easy-rsa]# ./easyrsa build-ca

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

Enter New CA Key Passphrase: #输入CA密钥密码
Re-Enter New CA Key Passphrase: #再次输入CA密钥密码
Generating RSA private key, 2048 bit long modulus
...............+++
.........+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:***server #证书名称 

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/open***/easy-rsa/pki/ca.crt

创建服务端证书

创建server端证书和private.key，使用“nopass”参数不加密，服务器通常在没有密码输入的情况下启动。

[root@lcx01 easy-rsa]# ./easyrsa gen-req ***server nopass
Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
...+++
.....+++
writing new private key to '/etc/open***/easy-rsa/pki/private/***server.key.XaqajZ9e3R'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [***server]:

Keypair and certificate request completed. Your files are:
req: /etc/open***/easy-rsa/pki/reqs/***server.req
key: /etc/open***/easy-rsa/pki/private/***server.key

签约服务端证书

给server端证书做签名，首先是对一些信息的确认，可以输入yes，然后输入build-ca时设置的那个密码

[root@lcx01 easy-rsa]# ./easyrsa sign server ***server

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 1080 days:

subject=
    commonName                = ***server

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes  #yes确认
Using configuration from /etc/open***/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/open***/easy-rsa/pki/private/ca.key:     #输入CA证书的密码
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'***server'
Certificate is to be certified until Dec 17 10:49:15 2022 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/open***/easy-rsa/pki/issued/***server.crt

创建迪菲・赫尔曼密钥

生成传输进行秘钥交换时用到的交换秘钥协议文件，确保共享KEY安全穿越不安全网络的方法

时间会有点长，耐心等待

[root@lcx01 easy-rsa]# ./easyrsa gen-dh

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...+........................................................+.........................................................
......+................................................................................................................
.........................................................................................................................
.......................................+...............................................................................
................+......................................................................................................
.........................................................................................................................
...+......................................................................++*++*

DH parameters of size 2048 created at /etc/open***/easy-rsa/pki/dh.pem

2. 创建客户端证书

在easy-rsa目录下新建client目录，将easy-rsa的原生目录拷贝到此下

mkdir /etc/open***/easy-rsa/client
cd /etc/open***/easy-rsa/client
cp -a /usr/share/easy-rsa/3/* /etc/open***/easy-rsa/client/

初始化目录

会在当前目录创建PKI目录，用于存储一些中间变量及最终生成的证书

[root@lcx01 client]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars

WARNING!!!

You are about to remove the EASYRSA_PKI at: /etc/open***/easy-rsa/client/pki
and initialize a fresh PKI here.

Type the word 'yes' to continue, or any other input to abort.
  Confirm removal: yes

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/open***/easy-rsa/client/pki

创建客户端证书

客户端证书和private key, 这里的client01是客户端的主机名

[root@lcx01 client]# ./easyrsa gen-req client01
Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
................................+++
....+++
writing new private key to '/etc/open***/easy-rsa/client/pki/private/client01.key.D7Td4Lia5M'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client01]:

Keypair and certificate request completed. Your files are:
req: /etc/open***/easy-rsa/client/pki/reqs/client01.req
key: /etc/open***/easy-rsa/client/pki/private/client01.key

导入客户端证书

回到生成服务端证书时的easyrsa目录，导入client端证书，准备签名

[root@lcx01 client]# cd ..
[root@lcx01 easy-rsa]# ./easyrsa import-req ./client/pki/reqs/client01.req client01
Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

The request has been successfully imported with a short name of: client01
You may now use this name to perform signing operations on this request.

[root@lcx01 easy-rsa]# ll /etc/open***/easy-rsa/pki/reqs/
total 8
-rw------- 1 root root 891 Jan  2 19:16 client01.req
-rw------- 1 root root 891 Jan  2 18:46 ***server.req

签约客户端证书

给客户端端证书做签名，首先是对一些信息的确认，可以输入yes，然后输入build-ca时设置的那个密码

[root@lcx01 easy-rsa]# ./easyrsa sign client client01
Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 1080 days:

subject=
    commonName                = client01

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes  #确认yes
Using configuration from /etc/open***/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/open***/easy-rsa/pki/private/ca.key:     #输入CA证书密码
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client01'
Certificate is to be certified until Dec 17 11:17:42 2022 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/open***/easy-rsa/pki/issued/client01.crt

注意：ca、server和client的Common Name最好不要设置为一样，不然open连接时会有问题*

3. 服务端和客户端证书整理

#open*** server端需要的是
/etc/open***/easy-rsa/pki/ca.crt <制作server证书的文件>
/etc/open***/easy-rsa/pki/private/***server.key <制作server证书的文件>
/etc/open***/easy-rsa/pki/issued/***server.crt <制作server证书的文件>
/etc/open***/easy-rsa/pki/dh.pem    <迪菲・赫尔曼密钥>

#open*** client端需要的是
/etc/open***/easy-rsa/pki/ca.crt <制作server证书的文件>
/etc/open***/easy-rsa/pki/issued/client01.crt <制作client01证书的文件>
/etc/open***/easy-rsa/client/pki/private/client01.key <制作client01证书的文件>

4. 整理证书

#服务端
mkdir /etc/open***/keys
cp -a /etc/open***/easy-rsa/pki/ca.crt /etc/open***/keys
cp -a /etc/open***/easy-rsa/pki/private/ca.key /etc/open***/keys
cp -a /etc/open***/easy-rsa/pki/private/***server.key /etc/open***/keys
cp -a /etc/open***/easy-rsa/pki/issued/***server.crt /etc/open***/keys
cp -a /etc/open***/easy-rsa/pki/dh.pem /etc/open***/keys

[root@lcx01 open***]# ll keys/
total 20
-rw------- 1 root root 1164 Jan  2 18:40 ca.crt
-rw------- 1 root root 1675 Jan  2 18:39 ca.key
-rw------- 1 root root  424 Jan  2 18:52 dh.pem
-rw------- 1 root root 4802 Jan  2 18:49 ***server.crt
-rw------- 1 root root 1704 Jan  2 18:46 ***server.key


#客户端
mkdir /root/client01
cp -a /etc/open***/easy-rsa/pki/ca.crt /root/client01/
cp -a /etc/open***/easy-rsa/pki/private/ca.key /root/client01/
cp -a /etc/open***/easy-rsa/pki/issued/client01.crt /root/client01/
cp -a /etc/open***/easy-rsa/client/pki/private/client01.key /root/client01/
cp -a /usr/share/doc/open***-2.4.8/sample/sample-config-files/client.conf /root/client01/client01.o***

[root@lcx01 open***]# ll /root/client01/
total 20
-rw------- 1 root root 1164 Jan  2 18:40 ca.crt
-rw------- 1 root root 4679 Jan  2 19:17 client01.crt
-rw------- 1 root root 1704 Jan  2 19:04 client01.key
-rw-r--r-- 1 root root 3585 Oct 30 20:37 client01.o***

5. 创建第二份客户端证书

cd /etc/open***/easy-rsa/client/
./easyrsa init-pki
./easyrsa gen-req client02
cd ..
./easyrsa import-req ./client/pki/reqs/client02.req client02
./easyrsa sign client client02
mkdir /root/client02
cp -a /etc/open***/easy-rsa/pki/ca.crt /root/client02/
cp -a /etc/open***/easy-rsa/pki/private/ca.key /root/client02/
cp -a /etc/open***/easy-rsa/pki/issued/client02.crt /root/client02/
cp -a /etc/open***/easy-rsa/client/pki/private/client02.key /root/client02/
cp -a /usr/share/doc/open***-2.4.8/sample/sample-config-files/client.conf /root/client02/client02.conf

[root@open***-server easy-rsa]# ll /root/client02/
total 24
-rw------- 1 root root 1151 Jan  3 14:18 ca.crt
-rw------- 1 root root 1675 Jan  3 14:17 ca.key
-rw-r--r-- 1 root root 3585 Oct 30 20:37 client02.conf
-rw------- 1 root root 4665 Jan  3 14:51 client02.crt
-rw------- 1 root root 1704 Jan  3 14:50 client02.key

6. 修改服务端配置文件

#拷贝一份服务端配置源文件
cp /usr/share/doc/open***-2.4.8/sample/sample-config-files/server.conf /etc/open***/server.conf.bak
cd /etc/open***/
egrep -v '^;|^$|^#' server.conf.bak >server.conf


#设置客户端固定IP的目录与文件
#ccd目录用来设置客户端固定IP的作用，ccd目录下面的文件名要以客户端证书的名称命名
#open***只支持255.255.255.252的子网，而且252的子网只有两个IP，2^2-2=2
#所以要设置两个IP，一个分配给客户端，一个留给服务器用
#ifconfig-push 10.8.0.1 10.8.0.2
#ifconfig-push 10.8.0.5 10.8.0.6
#ifconfig-push 10.8.0.9 10.8.0.10
#ifconfig-push 10.8.0.13 10.8.0.14
#ifconfig-push 10.8.0.17 10.8.0.18
#...
#ifconfig-push 10.8.0.249 10.8.0.250
http://www.wendangku.net/doc/749ab13c580216fc700afd27.html

mkdir ./ccd 
vim ./ccd/client01
ifconfig-push 10.8.0.5 10.8.0.6
vim ./ccd/client02
ifconfig-push 10.8.0.9 10.8.0.10

☆服务端配置文件详情

[root@lcx01 open***]# cat server.conf
#监听端口
port 1194   
#传输协议
proto udp   
#路由隧道模式
dev tun     
#ca证书路径路径，服务端和客户端都使用相同的CA证书
ca     keys/ca.crt  
#服务器证书路径路径，服务端和客户端指定各自的证书和密钥
cert   keys/***server.crt   
#服务器秘钥路径，可用以配置文件开始为根的相对路径，也可以使用绝对路径
key    keys/***server.key  
#密钥交换协议文件
dh     keys/dh.pem      
#给客户端分配地址池，注意：不能和***服务器内网网段有相同
server 10.8.0.0 255.255.255.0   
#客户端和VIP的对应表，当客户端重连时仍然分配原IP
ifconfig-pool-persist ipp.txt   
#推送路由信息到客户端，使客户端能够连接到服务器背后的其他私有子网
push "route 192.168.1.0 255.255.255.0"
push "route 10.0.0.0 255.255.255.0"
push "route 172.16.1.0 255.255.255.0"
#允许客户端之间互相访问,云服务器搭建***,公司和外地都是***客户端
client-to-client
#设置客户端固定IP的作用，ccd目录下面的文件名要以客户端证书的名称命名
client-config-dir ccd
#存活时间，10秒ping一次,如果120秒未收到响应则认为程连接已关闭
keepalive 10 120
#在***连接上启用压缩，服务端和客户端都必须采用相同配置
comp-lzo
#最大客户端连接数
max-clients 100
#加密算法
cipher AES-256-CBC
#降低open***守护进程的权限
user nobody
group nobody
#保障重启时仍能保留一些状态
persist-key
persist-tun
#输出短日志,每分钟刷新一次,以显示当前的客户端
status open***-status.log
#日志要记录的级别，值越大日志越详细 (0:只记录错误信息;4:记录普通信息;5/6:在连接出现问题时能帮助调试;9:显示所有信息，包括包头信息)
verb 3
#记录日志，重启open***后覆盖原log文件
log /var/log/open***.log
#相同信息的记录次数，连续出现20条后不再记录到日志中
mute 20 
#当服务端重启后，使客户端能自动重连
explicit-exit-notify 1

启动服务端

systemctl restart open***@server.service
systemctl enable open***@server.service
systemctl status open***@server.service
netstat -lntup|grep 1194
ip a |grep tun0

7. 修改windows客户端配置文件

cd /root/client01

#windows上是.o*** ;linux上是.conf
cat ./client.o***   
ns-cert-type server
client  #指定为客户端
dev tun
proto udp
remote 59.110.215.165 1194  #指定服务器(主机名或IP)以及端口号，可设置多个***服务器
resolv-retry infinite       #启用自动重连，适合不稳定的网络环境
nobind          #客户端默认不需要绑定本机特定的端口号
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
ca ca.crt
cert client01.crt
key client01.key
comp-lzo
verb 3

cd ~/

8. 下载客户端证书文件进行连接

windows客户端安装在下文中

yum install -y zip lrzsz
zip -r client01.zip client01/*
sz client01.zip

解压到config下

9. 删除过期的证书的方法

#删除以下文件
rm -rf /etc/open***/easy-rsa/pki/reqs/***server.req
rm -rf /etc/open***/easy-rsa/pki/private/***server.key

#撤消证书
cd /etc/open***/easy-rsa/
./easyrsa revoke server
./easyrsa gen-crl

#重启open***
systemctl restart open***@server.service

10. 一键安装脚本的方法

此脚本建议在执行前拷贝出来仔细看一遍脚本过程，操作部分的流程跟文档大致一样，在生产服务端配置文件时候没有做客户端固定IP的功能，有需求可以适当添加需要的内容，推送路由信息到客户端的配置也没有生成，做了DNS解析与防火墙的一些规则。客户端文件命名规则为xxx.o***，如果要推送到linux客户端记得修改为xxx.conf。

根据自身的生产需求还需要手动进行添加一些功能。我自己部署的过程虽然没有问题，但是较为繁琐，而且来回切换许多目录，容易导致杂乱。所以建议使用开源一键脚本。使用的easy-rsa版本也是最新的3.0.5。网上的许多博客都是easy-rsa2.x版本的，此版本据说有安全漏洞，所以建议学习一下easy-rsa3版一些生成证书的命令。

下载Github上的开源open项目*

#将下载的压缩包上传到服务器中并解压
wget https://github.com/Nyr/open***-install/archive/master.zip
unzip master.zip
ls open***-install-master
LICENSE.txt  open***-install.sh  README.md

执行脚本，一直点点点：回车

#需要输入服务端的公网ip地址
#云服务器需要绑定其他端口，记得在安全组打开此端口
[root@open*** open***-install-master]# bash open***-install.sh 
Welcome to this open*** road warrior installer!

I need to ask you a few questions before starting setup.
You can use the default options and just press enter if you are ok with them.

What IPv4 address should the open*** server bind to?
     1) 172.17.43.166
IPv4 address [1]: 59.110.215.165
59.110.215.165: invalid selection.
IPv4 address [1]: 

This server is behind NAT. What is the public IPv4 address or hostname?
Public IPv4 address / hostname [114.249.225.46]: 59.110.215.165

Which protocol do you want for open*** connections?
   1) UDP (recommended)
   2) TCP
Protocol [1]: 1

What port do you want open*** listening to?
Port [1194]: 

Which DNS do you want to use with the ***?
   1) Current system resolvers
   2) 1.1.1.1
   3) Google
   4) OpenDNS
   5) Verisign
DNS [1]: 1

Finally, tell me a name for the client certificate.
Client name [client]: client <客户端证书名字，建议不要使用默认名称>

Okay, that was all I needed. We are ready to set up your open*** server now.
Press any key to continue... [回车]
...
.....
Finished!

Your client configuration is available at: /root/client.o***
If you want to add more clients, just run this script again!    

**下载完成后显示下载到了 /root/client.o*****

#下载到客户端
sz /root/client.o***

将下载的文件放到windows客户端的config下才可以使用open软件*

修改服务端配置文件

添加自己需求的功能参数配置,例如固定IP，生成日志等等

[root@m01 ~]# vim /etc/open***/server/server.conf
local 59.110.215.165 #监听地址，可以写 0.0.0.0 ，或者内网IP                 
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"  #连通***可以访问的网段或者IP
push "route 10.0.0.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status open***-status.log
verb 3
crl-verify crl.pem
explicit-exit-notify

<font color=red>重启open服务</font>*

systemctl restart open***-server@server.service 
systemctl enable open***-server@server.service

②easy-rsa2生成证书

此方法可行，建议使用easy-rsa3版本生成证书，与时俱进

https://blog.51cto.com/ljohn/1961347

yum install -y gcc gcc-c++ open***
wget https://github.com/open***/easy-rsa/releases/download/2.2.2/EasyRSA-2.2.2.tgz
tar xf EasyRSA-2.2.2.tgz -C /root/
mv /root/EasyRSA-2.2.2 /root/easyrsa
echo 'net.ipv4.ip_forward=1 ' >>/etc/sysctl.conf && sysctl -p

cd /root/easyrsa/
cp -a ./vars{,.bak}

cat > vars <<EOF
export KEY_SIZE=2048
export KEY_COUNTRY="CN" 
export KEY_PROVINCE="BJ"
export KEY_CITY="BJ"
export KEY_ORG="zxzn"
export KEY_EMAIL="245684979@qq.com"
export KEY_OU="zxzn"
export KEY_NAME="zxzn"
EOF

chmod +x vars
source vars

./clean-all
./build-ca zxzn***
./build-key-server ***server
./build-key ***client_01
./build-dh
open*** --genkey --secret keys/ta.key

#./build-key-pass ***zxzn \\需密码验证登录的证书


#./keys/***client_01.crt
#./keys/***client_01.key


cp /usr/share/doc/open***-2.4.8/sample/sample-config-files/server.conf /etc/open***/server.conf.bak
cd /etc/open***/
egrep -v '^;|^$|^#' server.conf.bak >server.conf
mkdir ./{keys,ccd}
\cp -a /root/2_easyrsa/keys/{***server.crt,***server.key,ca.crt,dh2048.pem,ta.key} keys/

vim server.conf
port 1194
proto udp
dev tun
ca  keys/ca.crt
cert    keys/***server.crt
key     keys/***server.key  # This file should be kept secret
dh  keys/dh.pem
server  10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
push "route 10.0.0.0 255.255.255.0"
push "route 172.16.1.0 255.255.255.0"
keepalive 10 120
client-to-client
client-config-dir ccd
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status open***-status.log
verb 3
log /var/log/open***.log
explicit-exit-notify 1

mkdir ./ccd 
vim ./ccd/client01
ifconfig-push 10.8.0.5 10.8.0.6

systemctl restart open***@server
systemctl enable open***@server
systemctl status open***@server
netstat -lntup|grep 1194
ip a |grep tun0

二、windows客户端配置

windows客户端下载

运行

解压sz下载的压缩包到config目录下

打开服务端的安全组

可以在服务端上进行一下访问内网IP测试，查看是否可以直接访问

yum install nginx -y 
systemctl restart nginx.service

三、Linux客户端配置

Linux的客户端和服务端安装方法相同，其配置方法和Windows的相同，只是文件扩展名有区别而已，Windows是.o***，Linux是 .conf

编译 open*** 及解决相关依赖问题

1. 同步服务器时间

#服务端是阿里云的服务器，所以客户端要保证时间同步，如果时间不同步，客户端是无法连接服务器的
[root@open***01 lzo-2.10]# crontab -e
#/bin/bash-date
*/5 * * * *  /sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1

2. 安装lzo组件

cd /server/tools
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.10.tar.gz
tar xf lzo-2.10.tar.gz -C /usr/src/
cd /usr/src/lzo-2.10/
./configure --enable-shared
make && make install

3. 编译安装open***

cd /server/tools/
wget https://swupdate.open***.org/community/releases/open***-2.4.8.tar.xz
yum install openssl-devel pam-devel -y
tar xf open***-2.4.8.tar.xz && cd open***-2.4.8/
./configure --prefix=/usr/local/open***
make && make install
ln -s  /usr/local/open***/sbin/open*** /usr/bin/open***

4. 获取服务端的证书和文件

mkdir /usr/local/open***/etc && cd /usr/local/open***/etc/
rsync -avz root@59.110.215.165:/root/client02.zip ./
unzip client02.zip

#将之前生成的client02.o***客户端文件的后缀名改为.conf
mv ./client02/client02.o*** ./client02/client02.conf

cat /usr/local/open***/etc/client02/client02.conf
ns-cert-type server                                            
client  #指定为客户端
dev tun
proto udp
remote 59.110.215.165 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca      /usr/local/open***/etc/***client_01/ca.crt
cert    /usr/local/open***/etc/***client_01/***client_01.crt
key     /usr/local/open***/etc/***client_01/***client_01.key
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3

5. 启动open***客户端

#出现Completed就说明连接成功了
open*** --config /usr/local/open***/etc/test01.conf
#加一个参数，在后台运行
open***  --daemon --config /usr/local/open***/etc/test01.conf

#根据生产场景写入开机自启
echo '/usr/bin/open*** --daemon --config /usr/local/open***/etc/client02/client02.conf' >> /etc/rc.d/rc.local
chmod +x /etc/rc.d/rc.local

ip a|grep tun0

#注意：如果生成服务端证书时没有为private.key使用“nopass”参数不加密，那这里后台运行会卡住，需要输入密码。所以，生产需求需要连接linux客户端的话，在创建服务端证书时一定要使用"nopass"参数

ifconfig时会多出一块网卡tun0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.9  netmask 255.255.255.0  destination 10.8.0.3
        inet6 fe80::7077:955a:31de:c4b3  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 144 (144.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

按相同步骤在服务端上生成新的客户端证书并下发到其他linux客户端上。

此图是之前测试用的，IP与文档中的不同，只是为表明含义

四、记录总结

* 保证全国各地的局域网必须能够访问外网，才能连接云服务器
* 云服务器搭建***,  公司和外地都是***客户端,然后就相当于在一个局域网了
* 客户端都可以通过内网地址通讯，开启客户端之间允许通信,就行了
* 开机自动让客户端向云服务器进行连接
* windows上的客户端和linux上的客户端的安装
* 异地客户端都连服务端，然后就相当于在一个局域网了，客户端都可以通过内网地址通讯
* open***服务端也可以使用开源的一键安装脚本，脚本里面也是用easy-rsa随机生成的，生成客户端证书也是非常方便的。

服务端配置客户端固定虚拟内网IP地址

内网ip获取以后 本地会断开连接 ，客户端的ip地址总是dhcp自动分配的，内网ip地址不知道如何获取到则无法进行连接，所以要进行对客户端IP固定的配置。这里只做记录，具体配置文档中已配置

mkdir -p /etc/open***/ccd
cd /etc/open***/ccd/

#ccd目录下面的文件名要以客户端证书的名称命名
vim ***client_01
ifconfig-push 10.8.0.5 10.8.0.6

echo 'client-config-dir /etc/open***/ccd' >>/etc/open***/server.conf

systemctl restart open***@server.service

服务端配置文件用到的模块文件详解

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have *** access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).
===================================================
＃为特定的IP地址分配特定的IP地址
＃个客户端，或者连接的客户端有私有客户端
＃后面的子网也应具有***访问权限，
＃将子目录“ ccd”用于特定于客户端的
＃配置文件（有关更多信息，请参见手册页）。


# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the ***.  This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.
===================================================
＃示例：假设客户端
＃具有证书通用名称“ Thelonious”
＃在他的连接后面还有一个小子网
＃机器，例如192.168.40.128/255.255.255.248。
＃首先，取消注释以下行：
; client-config-dir ccd
;路由192.168.40.128 255.255.255.248
＃然后使用以下代码创建文件ccd / Thelonious：
＃iroute 192.168.40.128 255.255.255.248
＃这将允许Thelonious的专用子网
＃访问***。这个例子只会起作用
＃如果您正在路由而不是桥接，即您在
＃使用“ dev tun”和“ server”指令。


# EXAMPLE: Suppose you want to give
# Thelonious a fixed *** IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2
===================================================
＃示例：假设您想给
＃克隆固定的*** IP地址10.9.0.1。
＃首先取消注释以下行：
; client-config-dir ccd
;路由10.9.0.0 255.255.255.252
＃然后将此行添加到ccd / Thelonious中：
＃ifconfig-push 10.9.0.1 10.9.0.2

五、服务端配置参数

duplicate-cn
使用–duplicate-cn,允许两个具有相同公用名的连接,因此一个证书可以由多个连接/用户使用.
如果没有–duplicate-cn,每个vpn证书必须拥有自己的CN,因此每个连接/用户都有一个唯一的证书.
如果Client使用的CA的Common Name有重复了，或者说客户都使用相同的CA和keys连接VPN，一定要打开这个选项，否则只允许一个人连接VPN

六、DNS和dnsmasq配置

dnsmasq是一款小巧且方便地用于配置DNS服务器和DHCP服务器的工具，适用于小型网络，它提供了DNS解析功能和可选择的DHCP功能。

#yum安装
yum –y install dnsmasq
cp /etc/dnsmasq.conf /etc/dnsmasq.conf.backup

vim /etc/dnsmasq.conf
#resolve-file定义dnsmasq从哪里获取上游DNS服务器的地址，默认/etc/resolv.conf
resolv-file=/etc/resolv.dnsmasq.conf
#表示严格按照resolv-file文件中的顺序从上到下进行DNS解析，直到第一个解析成功为止。
strict-order
#定义dnsmasq监听的地址，默认是监控本机(127.0.0.1)的所有网卡上。 如果想让局域网内的其他机器使用dnsmasq解析域名的话，需要添加本机的IP地址(10.240.0.1)
listen-address=10.240.0.1
listen-address=127.0.0.1
#告诉dnsmasq使用DNS服务器进行解析
server=223.5.5.5
#为了防止DNS污染，我们使用bogus-nxdomain定义DNS解析的服务器。如果在阿里云服务器上配置dnsmasq，一定要启用此项。
bogus-nxdomain=223.5.5.5
#绑定了网卡之后会保证dnsmasq不去骚扰其他网卡，保证请求不乱发，仅监听指定的接口，一般跟interface一起使用
bind-interfaces
#记录dns查询日志
log-queries
#添加读取额外的 hosts 文件路径，可以多次指定。如果指定为目录，则读取目录中的所有文件。
addn-hosts=/etc/dnsmasq.hosts
#这个是重要的东西，设置dhcp的ip发配range，就是你的dhcp服务器分配多少个ip出来，ip的范围从哪里到哪里，默认是c类网段，所以简略了掩码，后面增加一个租约时间，dhcp分配的ip是有租约的，租约过了是需要回收的。
dhcp-range=10.255.31.224,10.255.31.255,255.255.224.0,168h
#3-->设置DNS服务器地址选项
dhcp-option=3,10.240.0.1,221.12.33.227,8.8.8.8

------------------------------------
systemctl restart dnsmasq.service 
systemctl enable dnsmasq.service 

strict-order
listen-address=10.240.0.1
interface=tun0
server=223.5.5.5
bind-interfaces
dhcp-range=10.255.31.224,10.255.31.255,255.255.224.0,168h
dhcp-option=3,10.240.0.1

七、Docker部署openvpn

1. 在openvpn服务端部署docker环境

#配置docker源并下载
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.ustc.edu.cn/docker-ce/linux/centos/docker-ce.repo
sed -i 's#download.docker.com#mirrors.tuna.tsinghua.edu.cn/docker-ce#g' /etc/yum.repos.d/docker-ce.repo
yum install docker-ce -y

#启动docker并查看版本
systemctl restart docker
systemctl enable docker
docker version

#配置docker镜像加速
[root@openvpn docker]# cat  /etc/docker/daemon.json
{
  "registry-mirrors": ["https://registry.docker-cn.com"]
} 

#搜索openvpn的官方镜像并拉取
docker search openvpn
docker pull kylemanna/openvpn:2.4

#导出镜像的命令
docker image ls
docker image save -o docker_openvpn2.4.tar.gz kylemanna/openvpn:2.4

#创建数据文件夹 
mkdir -p /root/docker/ovpn-data

#生成配置文件，118.89.231.144是当前服务器的公网IP
docker run -v /root/docker/ovpn-data:/etc/openvpn --rm kylemanna/openvpn:2.4 ovpn_genconfig -u udp://118.89.231.144 

#生成秘钥文件
docker run -v /root/docker/ovpn-data:/etc/openvpn --rm -it kylemanna/openvpn:2.4 ovpn_initpki
输入私钥密码(输入时是看不见的)：
Enter PEM pass phrase:123456
再输入一次：123456
Verifying - Enter PEM pass phrase:
输入CA证书的名称(我这里直接回车)
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
输入刚才设置的私钥密码(输入完成后会再输入一次)
Enter pass phrase for /etc/openvpn/pki/private/ca.key:123456

#生成客户端用户,openvpn_test为客户端名称
docker run -v /root/docker/ovpn-data:/etc/openvpn --rm -it kylemanna/openvpn:2.4 easyrsa build-client-full openvpn_test nopass
输入设置的私钥密码：
Enter pass phrase for /etc/openvpn/pki/private/ca.key:

#生成客户端配置并导出客户端配置
mkdir -p /root/docker/ovpn-data/conf
docker run -v /root/docker/ovpn-data:/etc/openvpn --rm kylemanna/openvpn:2.4 ovpn_getclient openvpn_test > /root/docker/ovpn-data/conf/openvpn_test.ovpn

#启动openvpn服务，1196端口为docker_vpn的映射外网端口,云服务器的安全组要打开此端口
docker run --name openvpn -v /root/docker/ovpn-data:/etc/openvpn -d -p 1196:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn:2.4

#检查容器是否启动成功
docker ps -a
netstat -lntup|grep 1196

#将客户端证书下载到本地，docker的客户端配置默认中包含了公钥
yum install lrzsz -y
sz /root/docker/ovpn-data/conf/openvpn_test.ovpn

2. 修改生成的服务端配置

[root@openvpn ~]# cat /root/docker/ovpn-data/openvpn.conf
server 192.168.255.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/118.89.231.144.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/118.89.231.144.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun

proto udp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /tmp/openvpn-status.log

user nobody
group nogroup

### Route Configurations Below
#route 192.168.254.0 255.255.255.0

### Push Configurations Below
#push "block-outside-dns"
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
push "route 172.17.0.0 255.255.0.0"
duplicate-cn
client-to-client

3. 客户端配置修改

将docker测试环境的端口映射到了1196，所以客户端配置中也要修改

4. 创建用户脚本

[root@openvpn docker]# cat user_create.sh 
#!/bin/bash
DATA='/root/docker/ovpn-data'

echo '私钥密码为 123456'
read -p "请输入你要创建的客户端名称: " NAME
docker run -v $DATA:/etc/openvpn --rm -it kylemanna/openvpn:2.4 easyrsa build-client-full $NAME nopass
docker run -v $DATA:/etc/openvpn --rm kylemanna/openvpn:2.4 ovpn_getclient $NAME > $DATA/conf/"$NAME".ovpn
echo "客户端配置已生成:" $DATA/conf/"$NAME".ovpn
echo "如果要添加更多客户端，只需再次运行此脚本！"

5. 删除用户脚本

[root@openvpn docker]# cat user_delete.sh 
#!/bin/bash
DATA='/root/docker/ovpn-data'

echo '私钥密码为 123456'
read -p "请输入您要删除的客户端名称: " DNAME

docker run -v $DATA:/etc/openvpn --rm -it kylemanna/openvpn:2.4 easyrsa revoke $DNAME
docker run -v $DATA:/etc/openvpn --rm -it kylemanna/openvpn:2.4 easyrsa gen-crl
docker run -v $DATA:/etc/openvpn --rm -it kylemanna/openvpn:2.4 rm -rf /etc/openvpn/pki/reqs/"$DNAME".req
docker run -v $DATA:/etc/openvpn --rm -it kylemanna/openvpn:2.4 rm -rf /etc/openvpn/pki/private/"$DNAME".key
docker run -v $DATA:/etc/openvpn --rm -it kylemanna/openvpn:2.4 rm -rf /etc/openvpn/pki/issued/"$DNAME".crt
docker run -v $DATA:/etc/openvpn --rm -it kylemanna/openvpn:2.4 rm -rf /etc/openvpn/conf/$DNAME.ovpn
docker restart openvpn

echo "客户端$[DNAME]已删除!"

5. 客户端判断脚本

写一个脚本，测试和正式环境的俩套证书配置文件，正式在外，测试在docker中，要把ip映射到外网，如果是测试环境就启动测试证书，如果是正式环境，就启动正式环境

[root@CentOS8 ~]# cat vpn_restart.sh
#!/bin/bash
hostname=`hostname`
path='/usr/local/openvpn/etc'
IP=`ip addr |grep tun|awk -F'[ /]+' 'NR==2{print $3}'`
#重启vpn,如果是生产环境则启动第一套客户端配置，如果是测试环境则启动第二套客户端测试配置

cat << EOF
    `echo -e "\033[32m 1.生产环境\033[0m"`
    `echo -e "\033[33m 2.测试环境\033[0m"`
    `echo -e "\033[36m 3.退出\033[0m"`
EOF

read -p "请输入当前系统的环境【1】or【2】: " num
  if [ $num = "1" ];then
    pkill openvpn
    nohup /usr/bin/openvpn --config $path/$hostname/$hostname.conf >/dev/null 2>&1 &
    echo "请等待 生产环境正在启动....."
        b=''
      for ((i=0;$i<=50;i++));do
                let jinshu=$i*2
            printf "[%-50s]%d%%\r" $b $jinshu
            sleep 0.2
            b=#$b
      done
    echo
    echo "$hostname 的虚拟IP地址是: `ip addr |grep tun|awk -F'[ /]+' 'NR==2{print $3}'`" > /tmp/$hostname.ip
    echo "$hostname 的虚拟IP地址是: `ip addr |grep tun|awk -F'[ /]+' 'NR==2{print $3}'`"

  elif [ $num = "2" ];then
    pkill openvpn
    nohup /usr/bin/openvpn --config /usr/local/openvpn/etc/openvpn_test.conf >/dev/null 2>&1 &
    echo "请等待 测试环境正在启动....."
        b=''
          for ((i=0;$i<=50;i++));do
                let jinshu=$i*2
                printf "[%-50s]%d%%\r" $b $jinshu
                sleep 0.2
                b=#$b
          done
        echo
    echo "$hostname 的虚拟IP地址是: `ip addr |grep tun|awk -F'[ /]+' 'NR==2{print $3}'`" > /tmp/$hostname.ip
    echo "$hostname 的虚拟IP地址是: `ip addr |grep tun|awk -F'[ /]+' 'NR==2{print $3}'`"

  elif [ $num = "3" ];then
    echo "即将退出...感谢使用!"
    sleep 1
    exit

  else
    echo "输入有误!请重新输入"
  fi

image.png