一、为什么要搭建VPN

随着企业规模的发展，越来越多的远程办公需求将会产生，为支持远程办公，解决远程连接本地测试环境问题，可以使用开源软件搭建VPN解决，毕竟硬件的VPN不便宜，OpenVPN是个不错的选择，同时支持windows和mac OS。

二、安装OpenVPN

我使用的服务器操作系统是centos7.8，直接用yum安装。

yum install -y epel-release
yum install -y openvpn easy-rsa

安装完检查下版本，我的是OpenVPN 2.4.9

[root@test-vpn01 ~]# openvpn --version
OpenVPN 2.4.9 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020
library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.06
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>

三、制作证书

cd /etc/openvpn && cp -r /usr/share/easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa/3/ 

创建vars文件，直接copy以下内容并添加可执行权限chmod +x vars

set_var EASYRSA                 "$PWD"
set_var EASYRSA_PKI             "$EASYRSA/pki"
set_var EASYRSA_DN              "cn_only"
set_var EASYRSA_REQ_COUNTRY     "ID"
set_var EASYRSA_REQ_PROVINCE    "Jakarta"
set_var EASYRSA_REQ_CITY        "Jakarta"
set_var EASYRSA_REQ_ORG         "hakase-labs CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL       "openvpn@hakase-labs.io"
set_var EASYRSA_REQ_OU          "HAKASE-LABS EASY CA"
set_var EASYRSA_KEY_SIZE        2048
set_var EASYRSA_ALGO            rsa
set_var EASYRSA_CA_EXPIRE       7500
set_var EASYRSA_CERT_EXPIRE     365
set_var EASYRSA_NS_SUPPORT      "no"
set_var EASYRSA_NS_COMMENT      "HAKASE-LABS CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR         "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF        "$EASYRSA/openssl-1.0.cnf"
set_var EASYRSA_DIGEST          "sha256"

接着执行

./easyrsa init-pki

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/3/pki

./easyrsa build-ca

......
Enter New CA Key Passphrase:        #输密码
Re-Enter New CA Key Passphrase:  #输密码
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
Generating RSA private key, 2048 bit long modulus
................................................+++
...............................................................+++
e is 65537 (0x10001)
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:      

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/3/pki/ca.crt

./easyrsa gen-req hakase-server nopass

......
Generating a 2048 bit RSA private key
.................................................................+++
................................+++
writing new private key to '/etc/openvpn/easy-rsa/3/pki/easy-rsa-2911.3BE9Ih/tmp.Z1YEhj'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [hakase-server]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3/pki/reqs/hakase-server.req
key: /etc/openvpn/easy-rsa/3/pki/private/hakase-server.key

./easyrsa sign-req server hakase-server

......
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 365 days:

subject=
    commonName                = hakase-server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
Unable to load config info from /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
Using configuration from /etc/openvpn/easy-rsa/3/pki/easy-rsa-3202.ARaxKb/tmp.WGDm1y
Enter pass phrase for /etc/openvpn/easy-rsa/3/pki/private/ca.key: #输入上面步骤的密码
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'hakase-server'
Certificate is to be certified until Sep 30 09:54:49 2021 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3/pki/issued/hakase-server.crt

openssl verify -CAfile pki/ca.crt pki/issued/hakase-server.crt
pki/issued/hakase-server.crt: OK

创建客户端密钥

./easyrsa gen-req client_01 nopass

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
Generating a 2048 bit RSA private key
...........+++
..........................+++
writing new private key to '/etc/openvpn/easy-rsa/3/pki/easy-rsa-3386.pQq0xv/tmp.tHpyYU'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client_01]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3/pki/reqs/client_01.req
key: /etc/openvpn/easy-rsa/3/pki/private/client_01.key

./easyrsa sign-req client client_01

......
Request subject, to be signed as a client certificate for 365 days:

subject=
    commonName                = client_01


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
Using configuration from /etc/openvpn/easy-rsa/3/pki/easy-rsa-3446.iYLNHV/tmp.baYmMM
Enter pass phrase for /etc/openvpn/easy-rsa/3/pki/private/ca.key: #输入上面步骤的密码
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client_01'
Certificate is to be certified until Sep 30 09:57:27 2021 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3/pki/issued/client_01.crt

openssl verify -CAfile pki/ca.crt pki/issued/client_01.crt
pki/issued/client_01.crt: OK

./easyrsa gen-dh

Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.........................................................+............+.............................................+.......................+
...................................+...........+.+.................+................................++*++*

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3/pki/dh.pem

复制服务器密钥和证书

cp pki/ca.crt /etc/openvpn/server/
cp pki/issued/hakase-server.crt /etc/openvpn/server/
cp pki/private/hakase-server.key /etc/openvpn/server/
cp pki/dh.pem /etc/openvpn/server/

复制client_01密钥和证书

cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client_01.crt /etc/openvpn/client/
cp pki/private/client_01.key /etc/openvpn/client/

四、OpenVPN配置

添加servier配置文件

cd /etc/openvpn/ && vi service.conf

# OpenVPN Port, Protocol and the Tun
port 1194
proto udp
dev tun

# OpenVPN Server Certificate - CA, server key and certificate
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/hakase-server.crt
key /etc/openvpn/server/hakase-server.key

#DH and CRL key
dh /etc/openvpn/server/dh.pem
#注意本文没有跳过了丢消证书的检测
#crl-verify /etc/openvpn/server/crl.pem

# Network Configuration - Internal network
# Redirect all Connection through OpenVPN Server
# 配置分配的内网网段
server 192.168.200.128 255.255.255.128 
push "redirect-gateway def1"

# Using the DNS from https://dns.watch
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 114.114.114.114"

#Enable multiple client to connect with same Certificate key
duplicate-cn

# TLS Security
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache

# Other Configuration
keepalive 20 60
persist-key
persist-tun
comp-lzo yes
daemon
user nobody
group nobody

# OpenVPN Log
log-Append openvpn.log
status openvpn-status.log
verb 3

添加client配置文件

cd /etc/openvpn/client && vi client_01.ovpn

client
dev tun
proto udp
# 配置你公司的出口IP
remote 113.xx.xx.xx 1194

ca ca.crt
cert client_01.crt
key client_01.key

cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

resolv-retry infinite
compress lzo
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3

增加路由转发的配置

# 用firewalld或iptables都可以，我这边用的是iptables
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -o eth0 -j MASQUERADE

启动OpenVPN服务

systemctl start openvpn@service
netstat -nlup | grep 1194

五、客户端配置

Windows客户端安装，下载安装openvpn客户端软件，自行搜索

找到软件安装路径，选择config目录，将/etc/openvpn下的client打包下载到本地，解压将证书文件全部拷过去。

双击桌面OpenVPN，右击图标，选择连接，连接成功会分配一个内网IP，说明已经成功连接到内网。

Mac OS客户端安装，下载安装客户端软件，http://down.i4t.com/Tunnelblick_3.8.1_build_5400.dmg，将客户端证书解压全部拷过去config， 直接点开client_01.ovpn就可以自动连接