搭建openvpn


搭建openvpn

安装openvpn和easy-rsa软件

[root@openvpn ~]# yum install -y openvpn easy-rsa
#openvpn和easy-rsa安装需要epel源
#yum install epel-release -y
[root@openvpn /etc/openvpn]# openvpn --version
OpenVPN 2.4.9 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020

easy-rsa版本为3.0.8

[root@openvpn ~]# rpm -ql easy-rsa
/usr/share/doc/easy-rsa-3.0.8
/usr/share/doc/easy-rsa-3.0.8/COPYING.md
/usr/share/doc/easy-rsa-3.0.8/ChangeLog
/usr/share/doc/easy-rsa-3.0.8/README.md
/usr/share/doc/easy-rsa-3.0.8/README.quickstart.md
/usr/share/doc/easy-rsa-3.0.8/vars.example
/usr/share/easy-rsa
/usr/share/easy-rsa/3
/usr/share/easy-rsa/3.0
/usr/share/easy-rsa/3.0.8
/usr/share/easy-rsa/3.0.8/easyrsa
/usr/share/easy-rsa/3.0.8/openssl-easyrsa.cnf
/usr/share/easy-rsa/3.0.8/x509-types
/usr/share/easy-rsa/3.0.8/x509-types/COMMON
/usr/share/easy-rsa/3.0.8/x509-types/ca
/usr/share/easy-rsa/3.0.8/x509-types/client
/usr/share/easy-rsa/3.0.8/x509-types/code-signing
/usr/share/easy-rsa/3.0.8/x509-types/email
/usr/share/easy-rsa/3.0.8/x509-types/kdc
/usr/share/easy-rsa/3.0.8/x509-types/server
/usr/share/easy-rsa/3.0.8/x509-types/serverClient
/usr/share/licenses/easy-rsa-3.0.8
/usr/share/licenses/easy-rsa-3.0.8/gpl-2.0.txt

使用easy-rsa为openvpn服务端生成相关证书

PS:生成证书前需要同步系统时间,不然后面客户端连接会报错证书错误。

拷贝easy-rsa文件到openvpn目录

[root@openvpn ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa
[root@openvpn ~]# cd /etc/openvpn/easy-rsa
[root@openvpn /etc/openvpn/easy-rsa]# ll
total 0
lrwxrwxrwx 1 root root  5 Dec 12 16:49 3 -> 3.0.8
lrwxrwxrwx 1 root root  5 Dec 12 16:49 3.0 -> 3.0.8
drwxr-xr-x 3 root root 66 Dec 12 16:49 3.0.8
[root@openvpn /etc/openvpn/easy-rsa]# cd 3
[root@openvpn /etc/openvpn/easy-rsa/3]# cp /usr/share/doc/easy-rsa-3.0.8/vars.example ./vars
[root@openvpn /etc/openvpn/easy-rsa/3]# ll
total 96
-rwxr-xr-x 1 root root 76946 Dec 12 16:49 easyrsa
-rw-r--r-- 1 root root  4616 Dec 12 16:49 openssl-easyrsa.cnf
-rw-r--r-- 1 root root  8925 Dec 12 16:50 vars
drwxr-xr-x 2 root root   122 Dec 12 16:49 x509-types

创建一个新的PKI和CA

#初始化pki空间
[root@openvpn /etc/openvpn/easy-rsa/3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/3/pki

#创建一个CA,不使用密码
[root@openvpn /etc/openvpn/easy-rsa/3]# ./easyrsa build-ca nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating RSA private key, 2048 bit long modulus
......................................................................................................................+++
.....................................................................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:  直接回车

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/3/pki/ca.crt

生成服务端证书

[root@openvpn /etc/openvpn/easy-rsa/3]# pwd
/etc/openvpn/easy-rsa/3

#生成服务端证书  nopass表示证书不设置密码
[root@openvpn /etc/openvpn/easy-rsa/3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
...........+++
....................................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/3/pki/easy-rsa-14815.HmiQ3c/tmp.iyhm0j'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:  直接回车

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/3/pki/private/server.key

签约服务端证书

[root@openvpn /etc/openvpn/easy-rsa/3]# pwd
/etc/openvpn/easy-rsa/3

#签约服务端证书 第二个server为自定义名称
[root@openvpn /etc/openvpn/easy-rsa/3]#  ./easyrsa sign server server
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 825 days:
subject=
    commonName                = server
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes #此处输入yes
Using configuration from /etc/openvpn/easy-rsa/3/pki/easy-rsa-15525.nCQ4VP/tmp.WnoCLR
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Mar 17 09:01:49 2023 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/3/pki/issued/server.crt

创建diffie-hellman

[root@openvpn /etc/openvpn/easy-rsa/3]# ./easyrsa gen-dh

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
......................
......漫长的生成过程.....
................++*++*
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3/pki/dh.pem

使用easy-rsa为openvpn客户端生成相关证书

拷贝easy-rsa文件到openvpn客户端目录

[root@openvpn /etc/openvpn/easy-rsa/3]# cp -r /usr/share/easy-rsa/ /etc/openvpn/client/easy-rsa
[root@openvpn /etc/openvpn/easy-rsa/3]# cd /etc/openvpn/client/easy-rsa
[root@openvpn /etc/openvpn/client/easy-rsa]# ll
total 0
lrwxrwxrwx 1 root root  5 Dec 12 17:09 3 -> 3.0.8
lrwxrwxrwx 1 root root  5 Dec 12 17:09 3.0 -> 3.0.8
drwxr-xr-x 3 root root 66 Dec 12 17:09 3.0.8
[root@openvpn /etc/openvpn/client/easy-rsa]# cd 3
[root@openvpn /etc/openvpn/client/easy-rsa/3]# cp /usr/share/doc/easy-rsa-3.0.8/vars.example ./vars
[root@openvpn /etc/openvpn/client/easy-rsa/3]# ll
total 96
-rwxr-xr-x 1 root root 76946 Dec 12 17:09 easyrsa
-rw-r--r-- 1 root root  4616 Dec 12 17:09 openssl-easyrsa.cnf
-rw-r--r-- 1 root root  8925 Dec 12 17:10 vars
drwxr-xr-x 2 root root   122 Dec 12 17:09 x509-types

生成客户端相关证书

[root@openvpn /etc/openvpn/client/easy-rsa/3]# pwd
/etc/openvpn/client/easy-rsa/3

##初始化pki空间
[root@openvpn /etc/openvpn/client/easy-rsa/3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: /etc/openvpn/client/easy-rsa/3.0.8/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/client/easy-rsa/3/pki

#生成客户端证书  osker为自定义名称 nopass表示不设置证书密码
[root@openvpn /etc/openvpn/client/easy-rsa/3]# ./easyrsa gen-req osker nopass
Note: using Easy-RSA configuration from: /etc/openvpn/client/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
..............................................+++
........................+++
writing new private key to '/etc/openvpn/client/easy-rsa/3/pki/easy-rsa-19341.Cy6pk8/tmp.OFFqF4'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [osker]:  直接回车

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/easy-rsa/3/pki/reqs/osker.req
key: /etc/openvpn/client/easy-rsa/3/pki/private/osker.key

签约客户端证书

#切换到服务端的easy-rsa目录下
[root@openvpn /etc/openvpn/client/easy-rsa/3]# cd /etc/openvpn/easy-rsa/3
[root@openvpn /etc/openvpn/easy-rsa/3]# pwd
/etc/openvpn/easy-rsa/3

#将req文件导入
[root@openvpn /etc/openvpn/easy-rsa/3]# ./easyrsa import-req /etc/openvpn/client/easy-rsa/3/pki/reqs/osker.req osker

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

The request has been successfully imported with a short name of: osker
You may now use this name to perform signing operations on this request.

#签约客户端证书 osker为自定义名称
[root@openvpn /etc/openvpn/easy-rsa/3]# ./easyrsa sign client osker

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 825 days:
subject=
    commonName                = osker
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes  #此处输入yes后回车
  
Using configuration from /etc/openvpn/easy-rsa/3/pki/easy-rsa-24537.rgR8BK/tmp.K02MR9
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'osker'
Certificate is to be certified until Mar 17 09:26:35 2023 GMT (825 days)
Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3/pki/issued/osker.crt

整理生成的服务端和客户端相关证书

服务端

[root@openvpn /etc/openvpn/easy-rsa/3]# mkdir /etc/openvpn/certs
[root@openvpn /etc/openvpn/easy-rsa/3]# cd /etc/openvpn/certs
[root@openvpn /etc/openvpn/certs]# cp /etc/openvpn/easy-rsa/3/pki/dh.pem .
[root@openvpn /etc/openvpn/certs]# cp /etc/openvpn/easy-rsa/3/pki/ca.crt .
[root@openvpn /etc/openvpn/certs]# cp /etc/openvpn/easy-rsa/3/pki/issued/server.crt .
[root@openvpn /etc/openvpn/certs]# cp /etc/openvpn/easy-rsa/3/pki/private/server.key .
[root@openvpn /etc/openvpn/certs]# ll
total 20
-rw------- 1 root root 1172 Dec 12 17:30 ca.crt
-rw------- 1 root root  424 Dec 12 17:30 dh.pem
-rw------- 1 root root 4552 Dec 12 17:30 server.crt
-rw------- 1 root root 1704 Dec 12 17:31 server.key

客户端

[root@openvpn /etc/openvpn/certs]# mkdir /etc/openvpn/client/osker
[root@openvpn /etc/openvpn/certs]# cd /etc/openvpn/client/osker
[root@openvpn /etc/openvpn/client/osker]# cp /etc/openvpn/easy-rsa/3/pki/ca.crt .
[root@openvpn /etc/openvpn/client/osker]# cp /etc/openvpn/easy-rsa/3/pki/issued/osker.crt .
[root@openvpn /etc/openvpn/client/osker]# cp /etc/openvpn/client/easy-rsa/3/pki/private/osker.key .
[root@openvpn /etc/openvpn/client/osker]# ll
total 16
-rw------- 1 root root 1172 Dec 12 17:32 ca.crt
-rw------- 1 root root 4431 Dec 12 17:32 osker.crt
-rw------- 1 root root 1704 Dec 12 17:33 osker.key

配置openvpn 服务端

[root@openvpn /etc/openvpn/client/osker]# cd /etc/openvpn/
[root@openvpn /etc/openvpn]# ll
total 0
drwxr-xr-x 2 root root    70 Dec 12 17:31 certs
drwxr-x--- 4 root openvpn 35 Dec 12 17:31 client
drwxr-xr-x 3 root root    39 Dec 12 16:49 easy-rsa
drwxr-x--- 2 root openvpn  6 Apr 25  2020 server
[root@openvpn /etc/openvpn]# vim server.conf
[root@openvpn /etc/openvpn]# cat server.conf
local 0.0.0.0     #监听地址
port 1194         #监听端口
proto tcp         #指定协议(可以指定udp,udp比tcp快)
dev tun           #采用路由隧道模式

ca /etc/openvpn/certs/ca.crt       #ca证书路径
cert /etc/openvpn/certs/server.crt #服务器证书
key /etc/openvpn/certs/server.key  #服务器秘钥 This file should be kept secret
dh /etc/openvpn/certs/dh.pem       #密钥交换协议文件

server 10.8.0.0 255.255.255.0      #给客户端分配地址池,注意:不能和VPN服务器内网网段有相同
ifconfig-pool-persist /etc/openvpn/ipp.txt
push "route 192.168.199.0 255.255.0.0"     #推送路由,根据实际情况修改
push "redirect-gateway def1 bypass-dhcp"   #客户端网关使用openvpn服务器网关
push "dhcp-option DNS 192.168.199.1"       #指定dns
push "dhcp-option DNS 114.114.114.114"
client-to-client                           #客户端之间互相通信

keepalive 10 120       #心跳检测,10秒检测一次,2分钟内没有回应则视为断线
#tls-auth ta.key 0     #服务端值为0,客户端为1
cipher AES-256-CBC
comp-lzo               #传输数据压缩
max-clients 100        #最多允许 100 客户端连接
#user openvpn       #用户
#group openvpn      #用户组
persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.log
verb 3
mute 20

若需要账号密码认证,需要在openvpn服务端配置如下步骤

server.conf中添加如下内容:

# use username and password login
script-security 3
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
client-cert-not-required  #如果加上client-cert-not-required则代表只使用用户名密码方式验证登录,如果不加,则代表需要证书和用户名密码双重验证登录
username-as-common-name

同时创建密码检测脚本checkpsw.sh 到对应路径下/etc/openvpn/

[root@openvpn /etc/openvpn]# vim /etc/openvpn/checkpsw.sh
[root@openvpn /etc/openvpn]# chmod +x /etc/openvpn/checkpsw.sh
[root@openvpn /etc/openvpn]# cat /etc/openvpn/checkpsw.sh
#!/bin/sh
###########################################################
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
PASSFILE="/etc/openvpn/psw-file" # 账号密码的路径
LOG_FILE="/etc/openvpn/openvpn-password.log" # 账号密码的日志
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################
if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1

添加账号密码文件

[root@openvpn /etc/openvpn]# vim /etc/openvpn/psw-file
[root@openvpn /etc/openvpn]# cat /etc/openvpn/psw-file
osker 123456
qiu 654321
账户 密码

开启IP路由转发

[root@openvpn /etc/openvpn]# echo "net.ipv4.ip_forward=1" >>/etc/sysctl.conf
[root@openvpn /etc/openvpn]# sysctl -p
net.ipv4.ip_forward = 1

iptables设置NAT规则

[root@openvpn /etc/openvpn]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE

#保存iptables规则
#centos7系统下
[root@openvpn ~]# iptables-save > /etc/sysconfig/iptables
[root@openvpn ~]# echo "iptables-restore < /etc/sysconfig/iptables" >> /etc/rc.d/rc.local
[root@openvpn ~]# chmod +x /etc/rc.d/rc.local

[root@openvpn /etc/openvpn]# iptables  -vnL -t nat
Chain PREROUTING (policy ACCEPT 2 packets, 1434 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 2 packets, 1434 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3 packets, 262 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 3 packets, 262 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       10.8.0.0/24          0.0.0.0/0

启动openvpn

[root@openvpn /etc/openvpn]# systemctl start openvpn@server
[root@openvpn /etc/openvpn]# systemctl status openvpn@server
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-12-12 17:50:43 CST; 6s ago
 Main PID: 33430 (openvpn)
   Status: "Initialization Sequence Completed"
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─33430 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf
Dec 12 17:50:43 openvpn systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
Dec 12 17:50:43 openvpn systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.

[root@openvpn /etc/openvpn]# netstat -lntup |grep openvpn
tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN      33430/openvpn

路由器配置端口转发

添加端口转发:

外部IP为:27.10.217.105,外部端口21194转发到内网IP:192.168.199.161的TCP协议的1194端口

客户端使用

下载openvpn软件

1 windows

2 mac

3 linux

4 IOS

5 Android

配置openvpn客户端

客户端不带账号密码认证方式

#vim osker.ovpn
client
dev tun
proto tcp
remote 27.10.217.105 21194  #openvpn服务端外网ip或域名 端口
comp-lzo
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3

key-direction 1
cipher AES-256-CBC
#可选1 将相关证书下载到本地或者将证书内容粘贴到对应的位置
#ca ca.crt         #ca证书路径
#cert osker.crt   #client的证书
#key osker.key    #client的密钥

#可选2
<ca>
-----BEGIN CERTIFICATE-----
#此处为ca证书内容
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
#此处为客户端证书
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
#此处为客户端密钥
-----END PRIVATE KEY-----
</key>

客户端带账号密码认证方式

在客户端配置文件中增加如下参数

auth-user-pass

参考链接:

https://www.ilanni.com/?p=9847
https://olei.me/907/
https://openvpn.net/community-downloads/
https://www.bbsmax.com/A/kPzOX038Jx/

docker安装openvpn

安装docker

wget -O /etc/yum.repos.d/docker-ce.repo https://download.docker.com/linux/centos/docker-ce.repo
sed -i 's+download.docker.com+mirrors.tuna.tsinghua.edu.cn/docker-ce+' /etc/yum.repos.d/docker-ce.repo
yum install docker-ce -y
systemctl enable docker
systemctl start docker

部署docker服务

#设置全局环境变量
OVPN_DATA="/data/openvpn"
#创建openvpn目录
mkdir -p ${OVPN_DATA}
cd ${OVPN_DATA}
#生成配置文件(使用tcp模式,并设置你的公网ip)
docker run -v ${OVPN_DATA}:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u tcp://your_public_ip
Unable to find image 'kylemanna/openvpn:latest' locally
latest: Pulling from kylemanna/openvpn
188c0c94c7c5: Pull complete
e470f824352c: Pull complete
d6ed0c7c142e: Pull complete
74586f3c5cd4: Pull complete
cb26244a2b2a: Pull complete
Digest: sha256:643531abb010a088f1e23a1c99d44f0bd417a3dbb483f809caf4396b5c9829a0
Status: Downloaded newer image for kylemanna/openvpn:latest
Processing PUSH Config: 'block-outside-dns'
Processing Route Config: '192.168.254.0/24'
Processing PUSH Config: 'dhcp-option DNS 8.8.8.8'
Processing PUSH Config: 'dhcp-option DNS 8.8.4.4'
Processing PUSH Config: 'comp-lzo no'
Successfully generated config
Cleaning up before Exit ...


#生成密钥文件
docker run -v ${OVPN_DATA}:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/pki
Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020
Enter New CA Key Passphrase: #输入一个密码
Re-Enter New CA Key Passphrase: #再次输入密码
Generating RSA private key, 2048 bit long modulus (2 primes)
...........................................................+++++
..................................................................+++++
e is 65537 (0x010001)
......
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: #直接回车
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/pki/ca.crt
Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
Enter pass phrase for /etc/openvpn/pki/private/ca.key: #输入刚才设置的密码
Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020
Using configuration from /etc/openvpn/pki/easy-rsa-149.bMMPdD/tmp.HkIppk
Enter pass phrase for /etc/openvpn/pki/private/ca.key: #输入刚才设置的密码
An updated CRL has been created.
CRL file: /etc/openvpn/pki/crl.pem

#生成客户端证书(cqcd修改为你想要的名字)nopass表示证书不需要设置密码
docker run -v ${OVPN_DATA}:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full cqcd nopass
Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020
Generating a RSA private key
...........................................................................................................................+++++
.......................................................................................................................+++++
writing new private key to '/etc/openvpn/pki/easy-rsa-1.FKncgO/tmp.fNneAN'
-----
Using configuration from /etc/openvpn/pki/easy-rsa-1.FKncgO/tmp.jgCkjI
Enter pass phrase for /etc/openvpn/pki/private/ca.key: #输入之前设置的密码
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'cqcd'
Certificate is to be certified until Sep 20 03:26:00 2023 GMT (825 days)
Write out database with 1 new entries
Data Base Updated

#导出客户端配置文件
docker run -v ${OVPN_DATA}:/etc/openvpn --rm kylemanna/openvpn ovpn_getclient cqcd > ${OVPN_DATA}/cqcd.ovpn

#启动openvpn服务(映射本机tcp的1194到容器的1194),--privileged表示容器使用特权模式 
docker run --name openvpn -v ${OVPN_DATA}:/etc/openvpn -d -p 1194:1194/tcp --privileged kylemanna/openvpn

docker ps
CONTAINER ID   IMAGE               COMMAND      CREATED          STATUS          PORTS                                                 NAMES
140be3bafea7   kylemanna/openvpn   "ovpn_run"   26 minutes ago   Up 26 minutes   1194/udp, 0.0.0.0:1194->1194/tcp, :::1194->1194/tcp   openvpn

脚本搭建

[root@openvpn ~]# cat openvpn-install.sh
#!/bin/bash
#
# https://github.com/Nyr/openvpn-install
#
# Copyright (c) 2013 Nyr. Released under the MIT License.


if grep -qs "14.04" /etc/os-release; then
        echo "Ubuntu 14.04 is too old and not supported"
        exit
fi

if grep -qs "jessie" /etc/os-release; then
        echo "Debian 8 is too old and not supported"
        exit
fi

if grep -qs "CentOS release 6" /etc/redhat-release; then
        echo "CentOS 6 is too old and not supported"
        exit
fi

if grep -qs "Ubuntu 16.04" /etc/os-release; then
        echo 'Ubuntu 16.04 is no longer supported in the current version of openvpn-install
Use an older version if Ubuntu 16.04 support is needed: https://git.io/vpn1604'
        exit
fi

# Detect Debian users running the script with "sh" instead of bash
if readlink /proc/$$/exe | grep -q "dash"; then
        echo "This script needs to be run with bash, not sh"
        exit
fi

if [[ "$EUID" -ne 0 ]]; then
        echo "Sorry, you need to run this as root"
        exit
fi

if [[ ! -e /dev/net/tun ]]; then
        echo "The TUN device is not available
You need to enable TUN before running this script"
        exit
fi

if ! iptables -t nat -nL &>/dev/null; then
        echo "Unable to initialize the iptables/netfilter NAT table, setup can't continue.
Make sure that your system has iptables/netfilter available.
If using OpenVZ, ask your provider to enable full netfilter support."
        exit
fi

if [[ -e /etc/debian_version ]]; then
        os="debian"
        group_name="nogroup"
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
        os="centos"
        group_name="nobody"
else
        echo "Looks like you aren't running this installer on Debian, Ubuntu or CentOS"
        exit
fi

new_client () {
        # Generates the custom client.ovpn
        {
        cat /etc/openvpn/server/client-common.txt
        echo "<ca>"
        cat /etc/openvpn/server/easy-rsa/pki/ca.crt
        echo "</ca>"
        echo "<cert>"
        sed -ne '/BEGIN CERTIFICATE/,$ p' /etc/openvpn/server/easy-rsa/pki/issued/"$1".crt
        echo "</cert>"
        echo "<key>"
        cat /etc/openvpn/server/easy-rsa/pki/private/"$1".key
        echo "</key>"
        echo "<tls-crypt>"
        sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/server/tc.key
        echo "</tls-crypt>"
        } > ~/"$1".ovpn
}

if [[ -e /etc/openvpn/server/server.conf ]]; then
        while :
        do
        clear
                echo "Looks like OpenVPN is already installed."
                echo
                echo "What do you want to do?"
                echo "   1) Add a new user"
                echo "   2) Revoke an existing user"
                echo "   3) Remove OpenVPN"
                echo "   4) Exit"
                read -p "Select an option: " option
                until [[ "$option" =~ ^[1-4]$ ]]; do
                        echo "$option: invalid selection."
                        read -p "Select an option: " option
                done
                case "$option" in
                        1)
                        echo
                        echo "Tell me a name for the client certificate."
                        read -p "Client name: " unsanitized_client
                        client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
                        while [[ -z "$client" || -e /etc/openvpn/server/easy-rsa/pki/issued/"$client".crt ]]; do
                                echo "$client: invalid client name."
                                read -p "Client name: " unsanitized_client
                                client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
                        done
                        cd /etc/openvpn/server/easy-rsa/
                        EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass
                        # Generates the custom client.ovpn
                        new_client "$client"
                        echo
                        echo "Client $client added, configuration is available at:" ~/"$client.ovpn"
                        exit
                        ;;
                        2)
                        # This option could be documented a bit better and maybe even be simplified
                        # ...but what can I say, I want some sleep too
                        number_of_clients=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep -c "^V")
                        if [[ "$number_of_clients" = 0 ]]; then
                                echo
                                echo "You have no existing clients!"
                                exit
                        fi
                        echo
                        echo "Select the existing client certificate you want to revoke:"
                        tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
                        read -p "Select one client: " client_number
                        until [[ "$client_number" =~ ^[0-9]+$ && "$client_number" -le "$number_of_clients" ]]; do
                                echo "$client_number: invalid selection."
                                read -p "Select one client: " client_number
                        done
                        client=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$client_number"p)
                        echo
                        read -p "Do you really want to revoke access for client $client? [y/N]: " revoke
                        until [[ "$revoke" =~ ^[yYnN]*$ ]]; do
                                echo "$revoke: invalid selection."
                                read -p "Do you really want to revoke access for client $client? [y/N]: " revoke
                        done
                        if [[ "$revoke" =~ ^[yY]$ ]]; then
                                cd /etc/openvpn/server/easy-rsa/
                                ./easyrsa --batch revoke "$client"
                                EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
                                rm -f pki/reqs/"$client".req
                                rm -f pki/private/"$client".key
                                rm -f pki/issued/"$client".crt
                                rm -f /etc/openvpn/server/crl.pem
                                cp /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server/crl.pem
                                # CRL is read with each client connection, when OpenVPN is dropped to nobody
                                chown nobody:"$group_name" /etc/openvpn/server/crl.pem
                                echo
                                echo "Certificate for client $client revoked!"
                        else
                                echo
                                echo "Certificate revocation for client $client aborted!"
                        fi
                        exit
                        ;;
                        3)
                        echo
                        read -p "Do you really want to remove OpenVPN? [y/N]: " remove
                        until [[ "$remove" =~ ^[yYnN]*$ ]]; do
                                echo "$remove: invalid selection."
                                read -p "Do you really want to remove OpenVPN? [y/N]: " remove
                        done
                        if [[ "$remove" =~ ^[yY]$ ]]; then
                                port=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
                                protocol=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
                                if pgrep firewalld; then
                                        ip=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24 -j SNAT --to ' | cut -d " " -f 10)
                                        # Using both permanent and not permanent rules to avoid a firewalld reload.
                                        firewall-cmd --remove-port="$port"/"$protocol"
                                        firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
                                        firewall-cmd --permanent --remove-port="$port"/"$protocol"
                                        firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
                                        firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
                                        firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
                                else
                                        systemctl disable --now openvpn-iptables.service
                                        rm -f /etc/systemd/system/openvpn-iptables.service
                                fi
                                if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$port" != 1194 ]]; then
                                        semanage port -d -t openvpn_port_t -p "$protocol" "$port"
                                fi
                                systemctl disable --now openvpn-server@server.service
                                rm -rf /etc/openvpn/server
                                rm -f /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf
                                rm -f /etc/sysctl.d/30-openvpn-forward.conf
                                if [[ "$os" = "debian" ]]; then
                                        apt-get remove --purge -y openvpn
                                else
                                        yum remove openvpn -y
                                fi
                                echo
                                echo "OpenVPN removed!"
                        else
                                echo
                                echo "Removal aborted!"
                        fi
                        exit
                        ;;
                        4) exit;;
                esac
        done
else
        clear
        echo "Welcome to this OpenVPN "road warrior" installer!"
        echo
        echo "I need to ask you a few questions before starting setup."
        echo "You can use the default options and just press enter if you are ok with them."
        # If system has a single IPv4, it is selected automatically. Else, ask the user
        if [[ $(ip addr | grep inet | grep -v inet6 | grep -vEc '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') -eq 1 ]]; then
                ip=$(ip addr | grep inet | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
        else
                number_of_ips=$(ip addr | grep inet | grep -v inet6 | grep -vEc '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
                echo
                echo "What IPv4 address should the OpenVPN server bind to?"
                ip addr | grep inet | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | nl -s ') '
                read -p "IPv4 address [1]: " ip_number
                until [[ -z "$ip_number" || "$ip_number" =~ ^[0-9]+$ && "$ip_number" -le "$number_of_ips" ]]; do
                        echo "$ip_number: invalid selection."
                        read -p "IPv4 address [1]: " ip_number
                done
                [[ -z "$ip_number" ]] && ip_number="1"
                ip=$(ip addr | grep inet | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sed -n "$ip_number"p)
        fi
        # If $IP is a private IP address, the server must be behind NAT
        if echo "$ip" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then
                echo
                echo "This server is behind NAT. What is the public IPv4 address or hostname?"
                get_public_ip=$(wget -4qO- "http://whatismyip.akamai.com/" || curl -4Ls "http://whatismyip.akamai.com/")
                read -p "Public IPv4 address / hostname [$get_public_ip]: " public_ip
                [ -z "$public_ip" ] && public_ip="$get_public_ip"
        fi
        echo
        echo "Which protocol do you want for OpenVPN connections?"
        echo "   1) UDP (recommended)"
        echo "   2) TCP"
        read -p "Protocol [1]: " protocol
        until [[ -z "$protocol" || "$protocol" =~ ^[12]$ ]]; do
                echo "$protocol: invalid selection."
                read -p "Protocol [1]: " protocol
        done
        case "$protocol" in
                1|"")
                protocol=udp
                ;;
                2)
                protocol=tcp
                ;;
        esac
        echo
        echo "What port do you want OpenVPN listening to?"
        read -p "Port [1194]: " port
        until [[ -z "$port" || "$port" =~ ^[0-9]+$ && "$port" -le 65535 ]]; do
                echo "$port: invalid selection."
                read -p "Port [1194]: " port
        done
        [[ -z "$port" ]] && port="1194"
        echo
        echo "Which DNS do you want to use with the VPN?"
        echo "   1) Current system resolvers"
        echo "   2) 1.1.1.1"
        echo "   3) Google"
        echo "   4) OpenDNS"
        echo "   5) Verisign"
        read -p "DNS [1]: " dns
        until [[ -z "$dns" || "$dns" =~ ^[1-5]$ ]]; do
                echo "$dns: invalid selection."
                read -p "DNS [1]: " dns
        done
        echo
        echo "Finally, tell me a name for the client certificate."
        read -p "Client name [client]: " unsanitized_client
        # Allow a limited set of characters to avoid conflicts
        client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
        [[ -z "$client" ]] && client="client"
        echo
        echo "Okay, that was all I needed. We are ready to set up your OpenVPN server now."
        read -n1 -r -p "Press any key to continue..."
        # If running inside a container, disable LimitNPROC to prevent conflicts
        if systemd-detect-virt -cq; then
                mkdir /etc/systemd/system/openvpn-server@server.service.d/ 2>/dev/null
                echo "[Service]
LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf
        fi
        if [[ "$os" = "debian" ]]; then
                apt-get update
                apt-get install openvpn iptables openssl ca-certificates -y
        else
                # Else, the distro is CentOS
                yum install epel-release -y
                yum install openvpn iptables openssl ca-certificates -y
        fi
        # Get easy-rsa
        easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz'
        wget -O ~/easyrsa.tgz "$easy_rsa_url" 2>/dev/null || curl -Lo ~/easyrsa.tgz "$easy_rsa_url"
        tar xzf ~/easyrsa.tgz -C ~/
        mv ~/EasyRSA-3.0.5/ /etc/openvpn/server/
        mv /etc/openvpn/server/EasyRSA-3.0.5/ /etc/openvpn/server/easy-rsa/
        chown -R root:root /etc/openvpn/server/easy-rsa/
        rm -f ~/easyrsa.tgz
        cd /etc/openvpn/server/easy-rsa/
        # Create the PKI, set up the CA and the server and client certificates
        ./easyrsa init-pki
        ./easyrsa --batch build-ca nopass
        EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server nopass
        EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass
        EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
        # Move the stuff we need
        cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn/server
        # CRL is read with each client connection, when OpenVPN is dropped to nobody
        chown nobody:"$group_name" /etc/openvpn/server/crl.pem
        # Generate key for tls-crypt
        openvpn --genkey --secret /etc/openvpn/server/tc.key
        # Create the DH parameters file using the predefined ffdhe2048 group
        echo '-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----' > /etc/openvpn/server/dh.pem
        # Generate server.conf
        echo "local $ip
port $port
proto $protocol
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt" > /etc/openvpn/server/server.conf
        echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server/server.conf
        # DNS
        case "$dns" in
                1|"")
                # Locate the proper resolv.conf
                # Needed for systems running systemd-resolved
                if grep -q "127.0.0.53" "/etc/resolv.conf"; then
                        resolv_conf="/run/systemd/resolve/resolv.conf"
                else
                        resolv_conf="/etc/resolv.conf"
                fi
                # Obtain the resolvers from resolv.conf and use them for OpenVPN
                grep -v '#' "$resolv_conf" | grep nameserver | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do
                        echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server/server.conf
                done
                ;;
                2)
                echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server/server.conf
                echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server/server.conf
                ;;
                3)
                echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server/server.conf
                echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server/server.conf
                ;;
                4)
                echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server/server.conf
                echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server/server.conf
                ;;
                5)
                echo 'push "dhcp-option DNS 64.6.64.6"' >> /etc/openvpn/server/server.conf
                echo 'push "dhcp-option DNS 64.6.65.6"' >> /etc/openvpn/server/server.conf
                ;;
        esac
        echo "keepalive 10 120
cipher AES-256-CBC
user nobody
group $group_name
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem" >> /etc/openvpn/server/server.conf
        if [[ "$protocol" = "udp" ]]; then
                echo "explicit-exit-notify" >> /etc/openvpn/server/server.conf
        fi
        # Enable net.ipv4.ip_forward for the system
        echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/30-openvpn-forward.conf
        # Enable without waiting for a reboot or service restart
        echo 1 > /proc/sys/net/ipv4/ip_forward
        if pgrep firewalld; then
                # Using both permanent and not permanent rules to avoid a firewalld
                # reload.
                # We don't use --add-service=openvpn because that would only work with
                # the default port and protocol.
                firewall-cmd --add-port="$port"/"$protocol"
                firewall-cmd --zone=trusted --add-source=10.8.0.0/24
                firewall-cmd --permanent --add-port="$port"/"$protocol"
                firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
                # Set NAT for the VPN subnet
                firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
                firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
        else
                # Create a service to set up persistent iptables rules
                echo "[Unit]
Before=network.target
[Service]
Type=oneshot
ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip
ExecStart=/sbin/iptables -I INPUT -p $protocol --dport $port -j ACCEPT
ExecStart=/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStart=/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip
ExecStop=/sbin/iptables -D INPUT -p $protocol --dport $port -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target" > /etc/systemd/system/openvpn-iptables.service
                systemctl enable --now openvpn-iptables.service
        fi
        # If SELinux is enabled and a custom port was selected, we need this
        if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$port" != 1194 ]]; then
                # Install semanage if not already present
                if ! hash semanage 2>/dev/null; then
                        if grep -qs "CentOS Linux release 7" "/etc/centos-release"; then
                                yum install policycoreutils-python -y
                        else
                                yum install policycoreutils-python-utils -y
                        fi
                fi
                semanage port -a -t openvpn_port_t -p "$protocol" "$port"
        fi
        # If the server is behind a NAT, use the correct IP address
        if [[ "$public_ip" != "" ]]; then
                ip="$public_ip"
        fi
        # client-common.txt is created so we have a template to add further users later
        echo "client
dev tun
proto $protocol
remote $ip $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3" > /etc/openvpn/server/client-common.txt
        # Enable and start the OpenVPN service
        systemctl enable --now openvpn-server@server.service
        # Generates the custom client.ovpn
        new_client "$client"
        echo
        echo "Finished!"
        echo
        echo "Your client configuration is available at:" ~/"$client.ovpn"
        echo "If you want to add more clients, just run this script again!"
fi

声明:鹅石壳儿|版权所有,违者必究|如未注明,均为原创|本网站采用BY-NC-SA协议进行授权

转载:转载请注明原文链接 - 搭建openvpn


Just Do IT !