{"id":171,"date":"2019-12-10T21:05:22","date_gmt":"2019-12-10T13:05:22","guid":{"rendered":"http:\/\/www.betterit360.com\/?p=171"},"modified":"2019-12-10T21:05:22","modified_gmt":"2019-12-10T13:05:22","slug":"set-up-and-configure-an-openvpn-server-on-centos-7","status":"publish","type":"post","link":"http:\/\/www.betterit360.com\/?p=171","title":{"rendered":"Set Up and Configure an OpenVPN Server on CentOS 7"},"content":{"rendered":"\n

Installing OpenVPN<\/strong><\/strong><\/p>\n\n\n\n

# yum install epel-release<\/p>\n\n\n\n

# yum install openvpn<\/p>\n\n\n\n

Building CA with EasyRSA<\/strong><\/strong><\/p>\n\n\n\n

# cd \/usr\/local\/src<\/p>\n\n\n\n

# wget https:\/\/github.com\/OpenVPN\/easy-rsa\/releases\/download\/v3.0.5\/EasyRSA-nix-3.0.5.tgz<\/p>\n\n\n\n

# tar xzf EasyRSA-nix-3.0.5.tgz -C \/usr\/local<\/p>\n\n\n\n

# cd \/usr\/local\/EasyRSA-3.0.5\/<\/p>\n\n\n\n

# cp vars.example vars<\/p>\n\n\n\n

uncomment and update the following entries to match your information:<\/p>\n\n\n\n

# vi vars<\/p>\n\n\n\n

set_var EASYRSA_REQ_COUNTRY    “CN”<\/p>\n\n\n\n

set_var EASYRSA_REQ_PROVINCE   “Jiangsu”<\/p>\n\n\n\n

set_var EASYRSA_REQ_CITY       “Suzhou”<\/p>\n\n\n\n

set_var EASYRSA_REQ_ORG        “Betterit”<\/p>\n\n\n\n

set_var EASYRSA_REQ_EMAIL      “admin@betterit.info”<\/p>\n\n\n\n

set_var EASYRSA_REQ_OU         “IT”<\/p>\n\n\n\n

Save and close the file.<\/p>\n\n\n\n

Before generating a CA keypair first we need to initialize a new PKI with:<\/p>\n\n\n\n

# .\/easyrsa init-pki<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The next step is to build the CA:<\/p>\n\n\n\n

# .\/easyrsa build-ca<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

You\u2019ll be asked to set a password for the CA key and enter a common name for your CA.<\/p>\n\n\n\n

Once completed, the script will create two files \u2014 CA public certificate ca.crt and CA private key ca.key.<\/p>\n\n\n\n

Now that the Certificate Authority (CA) is created, you can use it to sign certificate requests for one or multiple OpenVPN servers and clients.<\/p>\n\n\n\n

Note:If you don\u2019t want to be prompted for a password each time you sign your certificates, run the build-ca command using the nopass option: .\/easyrsa build-ca nopass.<\/p>\n\n\n\n

Creating Diffie-Hellman and HMAC keys<\/strong><\/strong><\/p>\n\n\n\n

[root@iZbp16cdvzk4ribfwjca03Z EasyRSA-3.0.5]# .\/easyrsa gen-dh<\/p>\n\n\n\n

Note: using Easy-RSA configuration from: .\/vars<\/p>\n\n\n\n

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017<\/p>\n\n\n\n

Generating DH parameters, 2048 bit long safe prime, generator 2<\/p>\n\n\n\n

This is going to take a long time<\/p>\n\n\n\n

……………………………………………………..+………………………..<\/p>\n\n\n\n

……………………….+………………….+…………………………………………………………………………………….++*++*<\/p>\n\n\n\n

DH parameters of size 2048 created at \/usr\/local\/EasyRSA-3.0.5\/pki\/dh.pem<\/p>\n\n\n\n

[root@iZbp16cdvzk4ribfwjca03Z EasyRSA-3.0.5]# <\/p>\n\n\n\n

Copy the dh.pem file to the \/etc\/openvpn directory:<\/p>\n\n\n\n

# cp pki\/dh.pem \/etc\/openvpn\/<\/p>\n\n\n\n

generate a HMAC signature using the openvpn binary:<\/p>\n\n\n\n

# openvpn –genkey –secret ta.key<\/p>\n\n\n\n

Once completed copy the ta.key file to the \/etc\/openvpn directory:<\/p>\n\n\n\n

# cp ta.key \/etc\/openvpn\/<\/p>\n\n\n\n

Creating Server Certificate and Private Key<\/strong><\/strong><\/p>\n\n\n\n

.\/easyrsa gen-req vpnsvr01 nopass<\/p>\n\n\n\n

We are using the nopass argument because we want to start the OpenVPN server without a password input. Also in this example, we are using vpnsvr01 as a server name (entity) identifier. If you choose a different name for your server don\u2019t forget to adjust the instructions below where the server name is used.<\/p>\n\n\n\n

The command will create two files, a private key (vpnsvr01.key) and a certificate request file (vpnsvr01.req).<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Copy the private key to the \/etc\/openvpn directory:<\/p>\n\n\n\n

# cp pki\/private\/vpnsvr01.key \/etc\/openvpn\/<\/p>\n\n\n\n

run the following command to sign the request:<\/p>\n\n\n\n

.\/easyrsa sign-req server vpnsvr01<\/p>\n\n\n\n

The first argument can either be server or client and the second one is the server short (entity) name.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

# cp pki\/ca.crt \/etc\/openvpn\/<\/p>\n\n\n\n

# cp pki\/issued\/vpnsvr01.crt \/etc\/openvpn\/<\/p>\n\n\n\n

Upon completing the steps outlined in this section, you should have the following new files on your OpenVPN server:<\/p>\n\n\n\n

\/etc\/openvpn\/ca.crt<\/p>\n\n\n\n

\/etc\/openvpn\/dh.pem<\/p>\n\n\n\n

\/etc\/openvpn\/ta.key<\/p>\n\n\n\n

\/etc\/openvpn\/vpnsvr01.crt<\/p>\n\n\n\n

\/etc\/openvpn\/vpnsvr01.key<\/p>\n\n\n\n

Configuring the OpenVPN Service<\/strong><\/strong><\/p>\n\n\n\n

We will use the sample configuration file provided with OpenVPN installation package as a starting point and then add our own custom configuration options to it.<\/p>\n\n\n\n

# cp \/usr\/share\/doc\/openvpn-*\/sample\/sample-config-files\/server.conf \/etc\/openvpn\/vpnsvr01.conf<\/p>\n\n\n\n

Open the file and Find the Certificate, Key and DH parameters directives and change the file names:<\/p>\n\n\n\n

# vi \/etc\/openvpn\/vpnsvr01.conf<\/p>\n\n\n\n

cert vpnsvr01.crt<\/p>\n\n\n\n

key vpnsvr01.key <\/p>\n\n\n\n

dh dh.pem<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

To redirect the clients traffic through the VPN find and uncomment the redirect-gateway and dhcp-option options:<\/p>\n\n\n\n

push “redirect-gateway def1 bypass-dhcp”<\/p>\n\n\n\n

push “dhcp-option DNS 208.67.222.222”<\/p>\n\n\n\n

push “dhcp-option DNS 208.67.220.220”<\/p>\n\n\n\n

By default OpenDNS resolvers are used. You can change it and use Google or any other DNS resolvers you want.<\/p>\n\n\n\n

Find the user and group directives and uncomment these settings by removing the \u201c;\u201d at the beginning of each line:<\/p>\n\n\n\n

user nobody<\/p>\n\n\n\n

group nogroup<\/p>\n\n\n\n

Append the following line at the end of the file. This directive will change the message authentication algorithm (HMAC) from SHA1 to SHA256<\/p>\n\n\n\n

auth SHA256<\/p>\n\n\n\n

Once you are done, the server configuration file (excluding comments) should look something like this:<\/p>\n\n\n\n

port 1194<\/p>\n\n\n\n

proto udp<\/p>\n\n\n\n

dev tun<\/p>\n\n\n\n

ca ca.crt<\/p>\n\n\n\n

cert vpnsvr01.crt<\/p>\n\n\n\n

key vpnsvr01.key  # This file should be kept secret<\/p>\n\n\n\n

dh dh.pem<\/p>\n\n\n\n

server 10.8.0.0 255.255.255.0<\/p>\n\n\n\n

ifconfig-pool-persist ipp.txt<\/p>\n\n\n\n

push “dhcp-option DNS 208.67.222.222”<\/p>\n\n\n\n

push “dhcp-option DNS 208.67.220.220”<\/p>\n\n\n\n

keepalive 10 120<\/p>\n\n\n\n

tls-auth ta.key 0 # This file is secret<\/p>\n\n\n\n

cipher AES-256-CBC<\/p>\n\n\n\n

user nobody<\/p>\n\n\n\n

group nobody<\/p>\n\n\n\n

persist-key<\/p>\n\n\n\n

persist-tun<\/p>\n\n\n\n

status openvpn-status.log<\/p>\n\n\n\n

verb 3<\/p>\n\n\n\n

explicit-exit-notify 1<\/p>\n\n\n\n

auth SHA256<\/p>\n\n\n\n

Starting OpenVPN Service<\/strong><\/strong><\/p>\n\n\n\n

# systemctl start openvpn@vpnsvr01<\/p>\n\n\n\n

Verify whether the service has started successfully by typing:<\/p>\n\n\n\n

# systemctl status openvpn@vpnsvr01<\/p>\n\n\n\n

Enable the service to automatically start on boot with:<\/p>\n\n\n\n

# systemctl enable openvpn@vpnsvr01<\/p>\n\n\n\n

When starting, the OpenVPN Server creates a tun device tun0. To check if the device is available, type:<\/p>\n\n\n\n

# ip a show tun0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Firewall and Server Networking Configuration<\/strong><\/strong><\/p>\n\n\n\n

In order to forward network packets properly, we need to enable IP forwarding.<\/p>\n\n\n\n

Open the \/etc\/sysctl.conf file and add the following line:<\/p>\n\n\n\n

net.ipv4.ip_forward = 1<\/p>\n\n\n\n

Apply the new settings by running the following command:<\/p>\n\n\n\n

sysctl -p<\/p>\n\n\n\n

Now we need to add firewall rules open OpenVPN port and to enable masquerading.<\/p>\n\n\n\n

Start by adding the tun0 interface to the trusted zone:<\/p>\n\n\n\n

firewall-cmd –permanent –zone=trusted –add-interface=tun0<\/p>\n\n\n\n

Open the default openvpn port 1194 by adding the openvpn service to the list of services allowed by firewalld :<\/p>\n\n\n\n

firewall-cmd –permanent –add-service openvpn<\/p>\n\n\n\n

Set IP masquerading on trusted zone:<\/p>\n\n\n\n

firewall-cmd –permanent –zone=trusted –add-masquerade<\/p>\n\n\n\n

Before adding the nat rule you need to know the public network interface of your CentOS OpenVPN Server. You can easily find the interface by running the following command:<\/p>\n\n\n\n

ip -o -4 route show to default | awk ‘{print $5}’<\/p>\n\n\n\n

In our case, the interface is named eth0 as shown on the output below. Your interface may have a different name.<\/p>\n\n\n\n

The following command will allow the traffic to leave the VPN, giving your VPN clients access to the Internet. Don\u2019t forget to replace eth0 to match the name of public network interface you found in the previous command.<\/p>\n\n\n\n

firewall-cmd –permanent –direct –passthrough ipv4 -t nat -A POSTROUTING -s  10.8.0.0\/24 -o eth0 -j MASQUERADE<\/p>\n\n\n\n

Finally reload the firewall rules for changes to take effect:<\/p>\n\n\n\n

firewall-cmd –reload<\/p>\n\n\n\n

Creating the Client Configuration Infrastructure<\/strong><\/strong><\/p>\n\n\n\n

The whole process of generating the client certificate and configuration file is as follows:<\/p>\n\n\n\n

  1. Generate a private key and certificate request on the OpenVPN server.<\/li>
  2. Send the request to the CA machine to be signed.<\/li>
  3. Copy the signed SSL certificate to the OpenVPN server and generate a configuration file.<\/li>
  4. Send the configuration file to the VPN client\u2019s machine.<\/li><\/ol>\n\n\n\n

    Start by creating a set of directories to store the clients files:<\/p>\n\n\n\n

    # cd \/etc\/openvpn<\/p>\n\n\n\n

    # mkdir -p openvpn-clients\/{configs,base,files}<\/p>\n\n\n\n

    • base directory will store the base files and configuration that will be shared across all client files.<\/li>
    • configs directory will store the generated client configuration.<\/li>
    • files directory will store client-specific certificate\/key pair.<\/li><\/ul>\n\n\n\n

      Copy the ca.crt and ta.key files to the openvpn-clients\/base directory:<\/p>\n\n\n\n

      # cp ta.key openvpn-clients\/base<\/p>\n\n\n\n

      # cp ca.crt openvpn-clients\/base<\/p>\n\n\n\n

      Next copy the sample VPN client configuration file into the client-~\/openvpn-clients\/base directory. We will use this file as a base configuration:<\/p>\n\n\n\n

      # cp \/usr\/share\/doc\/openvpn-*\/sample\/sample-config-files\/client.conf openvpn-clients\/base<\/p>\n\n\n\n

      Now we need to edit the file to match our server settings and configuration.<\/p>\n\n\n\n

      # vi openvpn-clients\/base\/client.conf<\/p>\n\n\n\n

      Find the remote directive and change the default placeholder with the public IP address of your OpenVPN server:<\/p>\n\n\n\n

      # The hostname\/IP and port of the server.<\/p>\n\n\n\n

      # You can have multiple remote entries<\/p>\n\n\n\n

      # to load balance between the servers.<\/p>\n\n\n\n

      remote YOUR_SERVER_IP 1194<\/p>\n\n\n\n

      Locate and comment the ca, cert, and key directives. The certs and keys will be added within the configuration file:<\/p>\n\n\n\n

      # SSL\/TLS parms.<\/p>\n\n\n\n

      # See the server config file for more<\/p>\n\n\n\n

      # description.  It’s best to use<\/p>\n\n\n\n

      # a separate .crt\/.key file pair<\/p>\n\n\n\n

      # for each client.  A single ca<\/p>\n\n\n\n

      # file can be used for all clients.<\/p>\n\n\n\n

      # ca ca.crt<\/p>\n\n\n\n

      # cert client.crt<\/p>\n\n\n\n

      # key client.key<\/p>\n\n\n\n

      Append the following lines at the end of the file to match the server settings:<\/p>\n\n\n\n

      auth SHA256<\/p>\n\n\n\n

      key-direction 1<\/p>\n\n\n\n

      Once you are done, the server configuration file should look something like this:<\/p>\n\n\n\n

      client<\/p>\n\n\n\n

      dev tun<\/p>\n\n\n\n

      proto udp<\/p>\n\n\n\n

      remote 118.31.38.47 1194<\/p>\n\n\n\n

      resolv-retry infinite<\/p>\n\n\n\n

      nobind<\/p>\n\n\n\n

      persist-key<\/p>\n\n\n\n

      persist-tun<\/p>\n\n\n\n

      remote-cert-tls server<\/p>\n\n\n\n

      tls-auth ta.key 1<\/p>\n\n\n\n

      cipher AES-256-CBC<\/p>\n\n\n\n

      verb 3<\/p>\n\n\n\n

      auth SHA256<\/p>\n\n\n\n

      key-direction 1<\/p>\n\n\n\n

      Next, create a simple bash script that will merge the base configuration and files with the client certificate and key, and store the generated configuration in the openvpn-clients\/configs directory.<\/p>\n\n\n\n

      vi openvpn-clients\/gen_config.sh<\/p>\n\n\n\n

      #!\/bin\/bash<\/p>\n\n\n\n

      FILES_DIR=\/etc\/openvpn\/openvpn-clients\/files<\/p>\n\n\n\n

      BASE_DIR=\/etc\/openvpn\/openvpn-clients\/base<\/p>\n\n\n\n

      CONFIGS_DIR=\/etc\/openvpn\/openvpn-clients\/configs<\/p>\n\n\n\n

      BASE_CONF=${BASE_DIR}\/client.conf<\/p>\n\n\n\n

      CA_FILE=${BASE_DIR}\/ca.crt<\/p>\n\n\n\n

      TA_FILE=${BASE_DIR}\/ta.key<\/p>\n\n\n\n

      CLIENT_CERT=${FILES_DIR}\/${1}.crt<\/p>\n\n\n\n

      CLIENT_KEY=${FILES_DIR}\/${1}.key<\/p>\n\n\n\n

      # Test for files<\/p>\n\n\n\n

      for i in “$BASE_CONF” “$CA_FILE” “$TA_FILE” “$CLIENT_CERT” “$CLIENT_KEY”; do<\/p>\n\n\n\n

          if [[ ! -f $i ]]; then<\/p>\n\n\n\n

              echo ” The file $i does not exist”<\/p>\n\n\n\n

              exit 1<\/p>\n\n\n\n

          fi<\/p>\n\n\n\n

          if [[ ! -r $i ]]; then<\/p>\n\n\n\n

              echo ” The file $i is not readable.”<\/p>\n\n\n\n

              exit 1<\/p>\n\n\n\n

          fi<\/p>\n\n\n\n

      done<\/p>\n\n\n\n

      # Generate client config<\/p>\n\n\n\n

      cat > ${CONFIGS_DIR}\/${1}.ovpn <<EOF<\/p>\n\n\n\n

      $(cat ${BASE_CONF})<\/p>\n\n\n\n

      <key><\/p>\n\n\n\n

      $(cat ${CLIENT_KEY})<\/p>\n\n\n\n

      <\/key><\/p>\n\n\n\n

      <cert><\/p>\n\n\n\n

      $(cat ${CLIENT_CERT})<\/p>\n\n\n\n

      <\/cert><\/p>\n\n\n\n

      <ca><\/p>\n\n\n\n

      $(cat ${CA_FILE})<\/p>\n\n\n\n

      <\/ca><\/p>\n\n\n\n

      <tls-auth><\/p>\n\n\n\n

      $(cat ${TA_FILE})<\/p>\n\n\n\n

      <\/tls-auth><\/p>\n\n\n\n

      EOF<\/p>\n\n\n\n

      Save the file and make it executable by running:<\/p>\n\n\n\n

      chmod u+x openvpn-clients\/gen_config.sh<\/p>\n\n\n\n

      Creating Client Certificate Private Key and Configuration<\/strong><\/strong><\/p>\n\n\n\n

      In this example the name of the first VPN client will be david.<\/p>\n\n\n\n

      # cd \/usr\/local\/EasyRSA-3.0.5\/<\/p>\n\n\n\n

      # .\/easyrsa gen-req david nopass<\/p>\n\n\n\n

      The command will create two files, a private key (david.key) and a certificate request file (david.req).<\/p>\n\n\n\n

      \"\"<\/figure>\n\n\n\n

      Copy the private key david.key to the \/etc\/openvpn\/openvpn-clients\/files directory you created in the previous section:<\/p>\n\n\n\n

      # cp pki\/private\/david.key \/etc\/openvpn\/openvpn-clients\/files\/<\/p>\n\n\n\n

      run the following command to sign the request:<\/p>\n\n\n\n

      # .\/easyrsa sign-req client david<\/p>\n\n\n\n

      \"\"<\/figure>\n\n\n\n

      Copy the david.crt file to the \/etc\/openvpn\/openvpn-clients\/files directory<\/p>\n\n\n\n

      # cp pki\/issued\/david.crt \/etc\/openvpn\/openvpn-clients\/files\/<\/p>\n\n\n\n

      The final step is to generate a client configuration using the gen_config.sh script:<\/p>\n\n\n\n

      # cd \/etc\/openvpn\/openvpn-clients\/<\/p>\n\n\n\n

      # .\/gen_config.sh david<\/p>\n\n\n\n

      The script will create a file named david.ovpn in the configs directory. <\/p>\n\n\n\n

      \"\"<\/figure>\n\n\n\n

      At this point the client configuration is created. You can now transfer the configuration file to the device you intend to use as a client.<\/p>\n\n\n\n

      Revoking Client Certificates<\/strong><\/strong><\/p>\n\n\n\n

      Revoking a certificate means to invalidate a signed certificate so that it can no longer be used for accessing the OpenVPN server.<\/p>\n\n\n\n

      Run the easyrsa script using the revoke argument, followed by the client name you want to revoke:<\/p>\n\n\n\n

      # .\/easyrsa revoke david<\/p>\n\n\n\n

      \"\"<\/figure>\n\n\n\n

      Use the gen-crl option to generate a certificate revocation list (CRL):<\/p>\n\n\n\n

      # .\/easyrsa gen-crl<\/p>\n\n\n\n

      \"\"<\/figure>\n\n\n\n

      Copy the file crl.pem to the \/etc\/openvpn directory:<\/p>\n\n\n\n

      # cp pki\/crl.pem \/etc\/openvpn\/<\/p>\n\n\n\n

      Open the OpenVPN server configuration file,Paste the following line at the end of the file:<\/p>\n\n\n\n

      # vi \/etc\/openvpn\/vpnsvr01.conf<\/p>\n\n\n\n

      crl-verify crl.pem<\/p>\n\n\n\n

      Restart the OpenVPN service for the revocation directive to take effect:<\/p>\n\n\n\n

      # systemctl restart openvpn@vpnsvr01<\/p>\n\n\n\n

      \u6ce8\u610f\u4e8b\u9879\uff1a<\/strong><\/p>\n\n\n\n

      1.openvpn\u670d\u52a1\u5668\u9632\u706b\u5899\u5fc5\u987b\u5f00\u542f\uff0c\u5e76\u914d\u7f6e\u76f8\u5173\u89c4\u5219\u3002\u4e0d\u5f00\u542f\u9632\u706b\u5899\uff0copenvpn\u5ba2\u6237\u7aef\u8fde\u63a5\u540e\u65e0\u6cd5\u8fde\u901aopenvpn\u670d\u52a1\u5668\u6240\u5728\u7f51\u6bb5\u53ca\u5176\u5b83\u7f51\u6bb5IP\u3002<\/p>\n\n\n\n

      2.openvpn\u5ba2\u6237\u7aef\u8981\u8fde\u901aopenvpn\u670d\u52a1\u5668\u6240\u5728\u7f51\u6bb5\u53ca\u5176\u5b83\u7f51\u6bb5IP\uff0c\u8fd8\u9700\u5728openvpn\u670d\u52a1\u5668\u914d\u7f6e\u6587\u4ef6\u4e2d\u6dfb\u52a0\u7c7b\u4f3c\u5982\u4e0b\u914d\u7f6e\u9879\uff1a<\/p>\n\n\n\n

      push “route 192.168.50.0 255.255.255.0”  \/\/openvpn\u670d\u52a1\u5668\u6240\u5728\u7f51\u6bb5IP<\/p>\n\n\n\n

      push “route 192.168.30.0 255.255.255.0”  \/\/\u5176\u5b83\u7f51\u6bb5IP<\/p>\n\n\n\n

      3.openvpn\u5ba2\u6237\u7aef\u8fde\u63a5\u540e\uff0c\u8981\u5229\u7528openvpn\u670d\u52a1\u5668\u4e0a\u7f51\uff0c\u5373openvpn\u5ba2\u6237\u7aef\u8fde\u63a5\u540e\u7684\u516c\u7f51IP\u4e0eopenvpn\u670d\u52a1\u5668\u7684\u516c\u7f51IP\u76f8\u540c\uff0c\u9700\u8981\u5728openvpn\u670d\u52a1\u5668\u914d\u7f6e\u6587\u4ef6\u4e2d\u5f00\u542f\u5982\u4e0b\u914d\u7f6e\u9879\uff1a<\/p>\n\n\n\n

      push “redirect-gateway def1 bypass-dhcp”<\/p>\n\n\n\n

      4.\u901a\u8fc7.\/easyrsa gen-req david nopass\u521b\u5efa\u751f\u6210\u7684\u914d\u7f6e\u6587\u4ef6\uff08ovpn\uff09\u8fde\u63a5\u670d\u52a1\u5668\u65f6\u65e0\u9700\u8f93\u5165\u5bc6\u7801\uff0c\u82e5\u8fde\u63a5\u65f6\u9700\u8981\u8f93\u5165\u5bc6\u7801\uff0c\u5219\u4f7f\u7528.\/easyrsa gen-req david\u5e76\u8bbe\u7f6e\u5bc6\u7801\u3002<\/p>\n\n\n\n

      5.\u9ed8\u8ba4\u60c5\u51b5\u4e0b\u65e5\u5fd7\u6d88\u606f\u5199\u5165\/var\/log\/messages\uff0copenvpn\u670d\u52a1\u5668\u914d\u7f6e\u6587\u4ef6\u4e2d\u53d6\u6d88\u5982\u4e0b\u914d\u7f6e\u9879\u524d\u7684\u6ce8\u91ca\u53ef\u5c06\u65e5\u5fd7\u6d88\u606f\u5199\u5165openvpn.log\u3002<\/p>\n\n\n\n

      ;log-append openvpn.log<\/p>\n\n\n\n

      6.\u82e5openvpn\u670d\u52a1\u5668\u914d\u7f6e\u6587\u4ef6\u4e2d\u53bb\u6389\u914d\u7f6e\u9879crl-verify crl.pem\u5e76\u91cd\u542fopenvpn\uff0c\u5219\u540a\u9500\u8bc1\u4e66\u7684\u7528\u6237\u4ecd\u53ef\u8fde\u63a5\u3002<\/p>\n\n\n\n

      \u9644\u5f55\uff1a<\/strong>\u521b\u5efa\u7528\u6237\u8bc1\u4e66\u3001\u521b\u5efa\u7528\u6237VPN\u914d\u7f6e\u6587\u4ef6\u3001\u540a\u9500\u7528\u6237\u8bc1\u4e66\u64cd\u4f5c\u90fd\u53ef\u901a\u8fc7\u811a\u672c\u7b80\u5316\u64cd\u4f5c\u3002<\/p>\n\n\n\n

      \u811a\u672c\u5185\u5bb9\u53c2\u8003\u5982\u4e0b\uff1a<\/p>\n\n\n\n

      \u521b\u5efa\u7528\u6237\u8bc1\u4e66\uff1a<\/strong><\/strong><\/p>\n\n\n\n

      # cat create_client_cert.sh <\/p>\n\n\n\n

      #!\/bin\/bash<\/p>\n\n\n\n

      echo “Please input a client name for the client certificate.”<\/p>\n\n\n\n

      read -p “Client name: ” -e CLIENT<\/p>\n\n\n\n

      cd \/usr\/local\/EasyRSA-3.0.5\/<\/p>\n\n\n\n

      .\/easyrsa gen-req $CLIENT<\/p>\n\n\n\n

      cp pki\/private\/$CLIENT.key \/etc\/openvpn\/openvpn-clients\/files\/<\/p>\n\n\n\n

      .\/easyrsa sign-req client $CLIENT<\/p>\n\n\n\n

      cp pki\/issued\/$CLIENT.crt \/etc\/openvpn\/openvpn-clients\/files\/<\/p>\n\n\n\n

      echo “Client $CLIENT cert created”<\/p>\n\n\n\n

      exit<\/p>\n\n\n\n

      \u521b\u5efa\u7528\u6237VPN\u914d\u7f6e\u6587\u4ef6\uff1a<\/strong><\/strong><\/p>\n\n\n\n

      # cat gen_client_ovpn.sh<\/p>\n\n\n\n

      #!\/bin\/bash<\/p>\n\n\n\n

      echo “Please input a client cert name for the client ovpn.”<\/p>\n\n\n\n

      read -p “Client name: ” -e CLIENT<\/p>\n\n\n\n

      FILES_DIR=\/etc\/openvpn\/openvpn-clients\/files<\/p>\n\n\n\n

      BASE_DIR=\/etc\/openvpn\/openvpn-clients\/base<\/p>\n\n\n\n

      CONFIGS_DIR=\/etc\/openvpn\/openvpn-clients\/configs<\/p>\n\n\n\n

      BASE_CONF=${BASE_DIR}\/client.conf<\/p>\n\n\n\n

      CA_FILE=${BASE_DIR}\/ca.crt<\/p>\n\n\n\n

      TA_FILE=${BASE_DIR}\/ta.key<\/p>\n\n\n\n

      CLIENT_CERT=${FILES_DIR}\/$CLIENT.crt<\/p>\n\n\n\n

      CLIENT_KEY=${FILES_DIR}\/$CLIENT.key<\/p>\n\n\n\n

      cat > ${CONFIGS_DIR}\/$CLIENT.ovpn <<EOF<\/p>\n\n\n\n

      $(cat ${BASE_CONF})<\/p>\n\n\n\n

      <key><\/p>\n\n\n\n

      $(cat ${CLIENT_KEY})<\/p>\n\n\n\n

      <\/key><\/p>\n\n\n\n

      <cert><\/p>\n\n\n\n

      $(cat ${CLIENT_CERT})<\/p>\n\n\n\n

      <\/cert><\/p>\n\n\n\n

      <ca><\/p>\n\n\n\n

      $(cat ${CA_FILE})<\/p>\n\n\n\n

      <\/ca><\/p>\n\n\n\n

      <tls-auth><\/p>\n\n\n\n

      $(cat ${TA_FILE})<\/p>\n\n\n\n

      <\/tls-auth><\/p>\n\n\n\n

      EOF<\/p>\n\n\n\n

      echo “Client $CLIENT ovpn created”<\/p>\n\n\n\n

      exit<\/p>\n\n\n\n

      \u6ce8\uff1aVPN\u914d\u7f6e\u6587\u4ef6\u5b58\u653e\u8def\u5f84\uff1a\/etc\/openvpn\/openvpn-clients\/configs\uff0c\u7528\u6237\u4f7f\u7528\u751f\u6210\u7684ovpn\u6587\u4ef6\u53ca\u521b\u5efa\u7528\u6237\u8bc1\u4e66\u65f6\u8bbe\u7f6e\u7684\u5bc6\u94a5\u5373\u53ef\u8fde\u63a5VPN\u670d\u52a1\u5668\u3002<\/p>\n\n\n\n

      \u540a\u9500\u7528\u6237\u8bc1\u4e66\uff1a<\/strong><\/strong><\/p>\n\n\n\n

      # cat revoke_client_cert.sh<\/p>\n\n\n\n

      #!\/bin\/bash<\/p>\n\n\n\n

      echo “Please input a client cert name for revoke.”<\/p>\n\n\n\n

      read -p “Client name: ” -e CLIENT<\/p>\n\n\n\n

      cd \/usr\/local\/EasyRSA-3.0.5\/<\/p>\n\n\n\n

      .\/easyrsa revoke $CLIENT<\/p>\n\n\n\n

      .\/easyrsa gen-crl<\/p>\n\n\n\n

      \\cp -f pki\/crl.pem \/etc\/openvpn\/<\/p>\n\n\n\n

      systemctl restart openvpn@vpnsvr<\/p>\n\n\n\n

      echo “Client $CLIENT cert revoked”<\/p>\n\n\n\n

      exit<\/p>\n\n\n\n

      \u6ce8\uff1a\u8fd0\u884c\u6b64\u811a\u672c\u540a\u9500\u7528\u6237\u8bc1\u4e66\u540e\uff0c\u7528\u6237\u5373\u65e0\u6cd5\u8fde\u63a5VPN\u670d\u52a1\u5668\u3002\u82e5\u9700\u8981\u6062\u590d\u4f7f\u7528\uff0c\u9700\u518d\u6b21\u521b\u5efa\u7528\u6237\u8bc1\u4e66\u53caVPN\u914d\u7f6e\u6587\u4ef6\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"

      Installing OpenVPN # yum install epel-release # yum ins … \u7ee7\u7eed\u9605\u8bfb\u201cSet Up and Configure an OpenVPN Server on CentOS 7\u201d<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"http:\/\/www.betterit360.com\/index.php?rest_route=\/wp\/v2\/posts\/171"}],"collection":[{"href":"http:\/\/www.betterit360.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.betterit360.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.betterit360.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.betterit360.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=171"}],"version-history":[{"count":0,"href":"http:\/\/www.betterit360.com\/index.php?rest_route=\/wp\/v2\/posts\/171\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.betterit360.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=171"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.betterit360.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=171"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.betterit360.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=171"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}