If you need several VPN connections at the same time on Windows, run C:\Program Files\TAP-Windows\bin\addtap.bat as Administrator to add another virtual network adapter.
-----------------------------------------------------------------------------------------------------------------------------------------
1. Install OpenVPN
First install OpenVPN from EPEL:
# yum install openvpn easy-rsa -y
Tunnelblick official site: https://tunnelblick.org/downloads.html
2. Create the server and client certificates and keys with easy-rsa
Server side:
Once the server package is installed, the keys and certificates have to be generated; Easy RSA ships a set of scripts that make this quick.
Create the key directory and copy the Easy RSA scripts (the contents of the easy-rsa directory) into it:
# mkdir -p /etc/openvpn/key_server
# cp -rf /usr/share/easy-rsa/3.0.3/* /etc/openvpn/key_server/
# cp /usr/share/doc/easy-rsa-3.0.3/vars.example /etc/openvpn/key_server/vars
To save typing later, edit the default values in /etc/openvpn/key_server/vars (the copy made above) as needed:
vi /etc/openvpn/key_server/vars
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "me@example.net"
set_var EASYRSA_REQ_OU "My Organizational Unit"
# cd /etc/openvpn/key_server
# ./easyrsa init-pki nopass
# ./easyrsa build-ca nopass    (enter the CN when prompted)
# ./easyrsa gen-req server nopass    (enter the CN when prompted)
# ./easyrsa sign server server
# ./easyrsa gen-dh    (generates the Diffie-Hellman parameters; this takes a while, be patient)
Client side:
# cp -r /etc/openvpn/key_server /etc/openvpn/key_client
# cd /etc/openvpn/key_client
# ./easyrsa init-pki nopass
# ./easyrsa gen-req client nopass
Go back to the server's key_server directory and import the client request so that the server CA can sign it:
# cd ../key_server
# ./easyrsa import-req /etc/openvpn/key_client/pki/reqs/client.req client
# ./easyrsa sign client client
If this fails with "TXT_DB error number 2", reset the certificate index and run the sign command again:
# rm -f /etc/openvpn/key_server/pki/index.txt
# touch /etc/openvpn/key_server/pki/index.txt
3. Collect the generated certificates
# cp /etc/openvpn/key_server/pki/ca.crt /etc/openvpn/server/
# cp /etc/openvpn/key_server/pki/private/server.key /etc/openvpn/server/
# cp /etc/openvpn/key_server/pki/issued/server.crt /etc/openvpn/server/
# cp /etc/openvpn/key_server/pki/dh.pem /etc/openvpn/server/
# cp /etc/openvpn/key_server/pki/ca.crt /etc/openvpn/client/
# cp /etc/openvpn/key_server/pki/issued/client.crt /etc/openvpn/client/
# cp /etc/openvpn/key_client/pki/private/client.key /etc/openvpn/client/
4. Enable IP forwarding on the server and configure the firewall
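The post gives this step only as a heading, so here is one way to carry it out, as an added example that is not part of the original post. It assumes a CentOS 7 host using firewalld, the tun device (tun0), the 10.8.0.0/24 subnet and udp/1194 from the server.conf shown below, and that the public interface is the one holding the default route (eth0 is only a placeholder if that cannot be detected). Without --apply the script just prints the commands it would run; run it as root with --apply to make the changes.

```shell
#!/bin/sh
# Added example, not from the original post: enable IPv4 forwarding persistently
# and configure firewalld for the OpenVPN server described in the post.
# Assumptions: CentOS 7 with firewalld, "dev tun" (device tun0), the subnet
# 10.8.0.0/24 and udp/1194 from server.conf, and that the public interface is
# the one holding the default route. Without --apply it only prints the plan.
set -u

VPN_SUBNET="10.8.0.0/24"     # matches "server 10.8.0.0 255.255.255.0"
VPN_PORT="1194"              # matches "port 1194" / "proto udp"
VPN_DEV="tun0"               # first device created by "dev tun"
SYSCTL_FILE="/etc/sysctl.d/99-openvpn-forward.conf"

DRY_RUN=1
if [ "${1:-}" = "--apply" ]; then DRY_RUN=0; fi

# run: execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" -eq 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# sysctl_forward_conf: the drop-in that survives reboots. Without forwarding the
# server accepts tunnels but never routes client packets towards 172.17.0.0/16.
sysctl_forward_conf() {
    printf 'net.ipv4.ip_forward = 1\n'
}

# default_iface: interface of the default route; "eth0" is a placeholder fallback.
default_iface() {
    dev=$(ip -4 route show default 2>/dev/null | awk '/^default/ { print $5; exit }')
    printf '%s\n' "${dev:-eth0}"
}

enable_forwarding() {
    if [ "$DRY_RUN" -eq 1 ]; then
        echo "+ write '$(sysctl_forward_conf)' to $SYSCTL_FILE"
    else
        sysctl_forward_conf > "$SYSCTL_FILE"
    fi
    run sysctl -w net.ipv4.ip_forward=1
}

# configure_firewalld [IFACE]: open the listening port, put the tunnel device in
# the trusted zone, and NAT only the VPN subnet out of IFACE (a direct rule, so
# the rest of the forwarded traffic is not masqueraded as a side effect).
configure_firewalld() {
    iface="${1:-$(default_iface)}"
    run firewall-cmd --permanent --add-port="${VPN_PORT}/udp"
    run firewall-cmd --permanent --zone=trusted --add-interface="$VPN_DEV"
    run firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 \
        -s "$VPN_SUBNET" -o "$iface" -j MASQUERADE
    run firewall-cmd --reload
}

main() {
    enable_forwarding
    configure_firewalld
}

main
```

After applying, `sysctl net.ipv4.ip_forward` should print 1 and `firewall-cmd --list-all` should show 1194/udp; if you use iptables instead of firewalld, the equivalent is an INPUT accept for udp/1194 and a POSTROUTING MASQUERADE rule for 10.8.0.0/24 on the public interface.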
5. Server configuration: point at the ca, crt and key files
Copy a configuration file from the samples into /etc/openvpn:
# cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
# vim /etc/openvpn/server.conf    (effective settings only, as listed by: cat server.conf | grep -v ^$ | grep -v ^# | grep -v "^;")
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key # This file should be kept secret
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.17.0.0 255.255.0.0" # push the routes that clients need to reach
duplicate-cn # allow several clients to connect at the same time with the same certificate; off by default
keepalive 10 120
tls-auth ta.key 0 # 0 on the server, 1 on the client
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
Generate ta.key in the same directory as server.conf:
# cd /etc/openvpn ; openvpn --genkey --secret ta.key
Check that the configuration file is valid:
# openvpn /etc/openvpn/server.conf
6. Edit the client configuration file client.ovpn
client
dev tun
proto udp
remote * 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca-myxb.crt
cert myxb.crt
key myxb.key
tls-auth ta.key 1
cipher AES-256-CBC
;comp-lzo
verb 4
7. Start the OpenVPN service
# systemctl enable openvpn@server.service
# systemctl start openvpn@server.service
8. Add username and password authentication
# vim /etc/openvpn/server.conf    (add the following)
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
username-as-common-name
script-security 3
Create the script that checks logins, and the username/password file:
# vim /etc/openvpn/checkpsw.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/etc/openvpn/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################
if [ ! -r "${PASSFILE}" ]; then
echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
exit 1
fi
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
# vim /etc/openvpn/psw-file
wjoyxt 666
# touch /etc/openvpn/openvpn-password.log
# chown nobody:nobody checkpsw.sh psw-file openvpn-password.log
# chmod 744 checkpsw.sh ; chmod 400 psw-file
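The checkpsw.sh above keeps passwords in plaintext in psw-file and, on a failed login, writes the submitted password into the log. The following is an added example (not the post's script) of a drop-in replacement for the same auth-user-pass-verify ... via-env setting that stores SHA-512-crypt hashes instead, reads the candidate password from stdin rather than the command line so it never shows up in the process list, and logs only usernames. It assumes the openssl command line tool (1.1.1 or newer), the same file paths as the post, and a psw-file whose lines are "username hash", with each hash produced by openssl passwd -6. The ownership and chmod 400 from the post still apply to psw-file.

```shell
#!/bin/sh
# Added example, not the post's checkpsw.sh: auth-user-pass-verify script for
# "via-env" mode that checks SHA-512-crypt hashes (openssl passwd -6) and never
# logs the submitted password. Assumes the openssl CLI (1.1.1+) and the file
# locations used in the post; both can be overridden through the environment.
PASSFILE="${PASSFILE:-/etc/openvpn/psw-file}"
LOG_FILE="${LOG_FILE:-/etc/openvpn/openvpn-password.log}"

log() {
    printf '%s: %s\n' "$(date '+%Y-%m-%d %T')" "$1" >> "$LOG_FILE"
}

# stored_hash FILE USER: print the hash stored for USER, skipping ;/# comments.
stored_hash() {
    awk -v u="$2" '!/^[;#]/ && $1 == u { print $2; exit }' "$1"
}

# verify_credentials FILE USER PASSWORD: returns 0 on success, 1 otherwise.
verify_credentials() {
    file="$1"; user="$2"; pass="$3"
    [ -r "$file" ] || { log "Could not open password file \"$file\""; return 1; }
    # OpenVPN hands the username over unchanged; only accept plain account names.
    case "$user" in
        ''|*[!A-Za-z0-9._-]*) log "Rejected malformed username"; return 1 ;;
    esac
    hash=$(stored_hash "$file" "$user")
    if [ -z "$hash" ]; then
        log "User does not exist: username=\"$user\""
        return 1
    fi
    # Only $6$<salt>$<digest> entries are accepted; a leftover plaintext entry
    # from the old psw-file format fails closed instead of being compared as-is.
    case "$hash" in
        '$6$'*) ;;
        *) log "Stored entry for \"$user\" is not a SHA-512 crypt hash"; return 1 ;;
    esac
    salt=$(printf '%s' "$hash" | cut -d'$' -f3)
    # Recompute with the stored salt; -stdin keeps the password off the argv.
    candidate=$(printf '%s\n' "$pass" | openssl passwd -6 -salt "$salt" -stdin)
    if [ "$candidate" = "$hash" ]; then
        log "Successful authentication: username=\"$user\""
        return 0
    fi
    log "Incorrect password: username=\"$user\""
    return 1
}

# OpenVPN entry point: with via-env the credentials arrive in $username and
# $password. When sourced without them (for testing), nothing runs.
if [ -n "${username:-}" ]; then
    verify_credentials "$PASSFILE" "$username" "${password:-}"
    exit $?
fi
```

To add a user, run openssl passwd -6 and paste the result after the username in psw-file, e.g. a line of the form wjoyxt $6$...; the script rejects any entry that is not such a hash, so migrating the file is all-or-nothing.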
Modify the client configuration file
# vim client.ovpn    (add the following)
auth-user-pass pass.txt
Restart the service for the change to take effect.
# cat pass.txt
wjoyxt
wjoyxt666
-----------------------------------------------------------------------------------
Optimizing client.ovpn: embed the certificates in the configuration file
Delete or comment out the following lines;
here I comment them out:
ca ca.crt          ->  #ca ca.crt
cert client.crt    ->  #cert client.crt
key client.key     ->  #key client.key
tls-auth ta.key 1  ->  #tls-auth ta.key 1
Then append the following at the end of the file:
<ca>
(contents of ca.crt)
</ca>
<cert>
(contents of client.crt)
</cert>
<key>
(contents of client.key)
</key>
key-direction 1
<tls-auth>
(contents of ta.key)
</tls-auth>
Paste the contents of each file into the matching block, then save and exit.
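The manual edit just described is easy to get wrong (a stray blank line or a forgotten key-direction breaks the tls-auth block), so here is a script that performs it, as an added example that is not part of the original post. It assumes the file names used earlier in the post (client.ovpn next to ca.crt, client.crt, client.key and ta.key) and writes the merged profile to stdout.

```shell
#!/bin/sh
# Added example, not from the original post: build a single-file client profile
# with ca/cert/key/ta inlined, reproducing the manual edit described above.
# Usage: ./inline_ovpn.sh client.ovpn ca.crt client.crt client.key ta.key > client-inline.ovpn
# (the script name and output name are placeholders chosen for this example).

# comment_out_file_refs CONF: turn the "ca", "cert", "key" and "tls-auth" lines
# into comments so they do not conflict with the inline blocks appended later.
comment_out_file_refs() {
    sed -E 's/^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]+.*/#&/' "$1"
}

# inline_block TAG FILE: wrap FILE's contents in <TAG>...</TAG>. "awk 1" prints
# every line with a trailing newline, so a file without one still closes cleanly.
inline_block() {
    printf '<%s>\n' "$1"
    awk 1 "$2"
    printf '</%s>\n' "$1"
}

# build_inline_ovpn CONF CA CERT KEY TA: print the merged profile; fails (exit 1)
# if any input is missing so a half-built profile is never emitted silently.
build_inline_ovpn() {
    conf="$1"; ca="$2"; cert="$3"; key="$4"; ta="$5"
    for f in "$conf" "$ca" "$cert" "$key" "$ta"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    comment_out_file_refs "$conf"
    inline_block ca "$ca"
    inline_block cert "$cert"
    inline_block key "$key"
    # key-direction carries the "1" that used to be the argument of "tls-auth ta.key 1".
    printf 'key-direction 1\n'
    inline_block tls-auth "$ta"
}

if [ "$#" -eq 5 ]; then
    build_inline_ovpn "$@"
fi
```

The resulting file contains the client's private key, so it should be handed to the user over a protected channel and kept with the same file permissions you would give client.key.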
References: https://yq.aliyun.com/articles/43247
https://www.cnblogs.com/ilanni/p/4695112.html
Source: oschina
Link: https://my.oschina.net/u/4307784/blog/3862370