事先需要准备好网络yum源,保证服务器可正常上网
关闭防火墙,关闭selinux
说明:
此为内网环境模拟连接
VPN服务器:192.168.0.110/24
客户端为同一网段的其他ip就行
如果要模拟公司,则需要在路由或者防火墙上开启映射,然后客户端的配置文件连接ip填路由或者防火墙的出口地址和端口
1. 下载 easy-rsa
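# Fetch easy-rsa into the source directory. Guard the cd so a missing
# directory does not leave the download/unzip running in whatever cwd we had.
cd /usr/local/src/ || exit 1
# master.zip is an unpinned branch snapshot with no integrity check; for a
# reproducible, reviewable install pin a tagged easy-rsa release and verify
# the checksum or signature the project publishes for that release.
wget -c https://github.com/OpenVPN/easy-rsa/archive/master.zip
unzip master.zip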
2. 配置并生成证书
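# Install the easy-rsa v3 tree under /etc/openvpn and seed its subject defaults.
# -p keeps a rerun from failing when /etc/openvpn already exists.
mkdir -p /etc/openvpn
cp -arp /usr/local/src/easy-rsa-master/easyrsa3 /etc/openvpn/easy-rsa
# Later steps (init-pki, build-ca, ...) run "sh easyrsa" relative to this directory.
cd /etc/openvpn/easy-rsa/ || exit 1
# Certificate subject fields picked up by easyrsa; the quoted delimiter writes
# the file literally, so nothing here is subject to shell expansion.
cat > vars <<'EOF'
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Sichuang"
set_var EASYRSA_REQ_CITY "Chengdu"
set_var EASYRSA_REQ_ORG "XXX.CN"
set_var EASYRSA_REQ_EMAIL "xxxx@ss.cn"
set_var EASYRSA_REQ_OU "xx.CN CD"
EOF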
3.1初始化
# Create the pki/ directory tree inside the easy-rsa copy from step 2; every
# key and certificate below lands under it (pki/private, pki/issued, ...).
sh easyrsa init-pki
3.2生成CA证书
# Build the CA. You are prompted twice for the CA key's PEM passphrase (needed
# again when signing the server and client certs) and for a Common Name; pick
# something unique. Whoever holds pki/private/ca.key can issue valid client
# certificates, so keep it restricted to root (or offline) once signing is done.
sh easyrsa build-ca
3.3生成DH验证文件
# Generate the Diffie-Hellman parameters (pki/dh.pem, referenced by server.conf).
sh easyrsa gen-dh
3.4生成服务器证书
# Issue the server certificate and key; you are prompted for the CA passphrase.
# Without "nopass" you would also be asked twice for the server's own PEM
# passphrase and then again every time the daemon starts. "nopass" leaves
# pki/private/server.key unencrypted on disk, so it must stay readable by root only.
sh easyrsa build-server-full server nopass
3.5生成客户端证书
# Issue a client certificate with common name "client". You are prompted twice
# for the client's PEM passphrase (the client software asks for it again on
# connect, step 14.2) and once for the CA passphrase.
sh easyrsa build-client-full client
4. 下载 openvpn-2.3.9.tar.gz
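# Fetch the OpenVPN source tarball; guard the cd so the download cannot land elsewhere.
cd /usr/local/src || exit 1
# 2.3.9 is the release this guide was written against and is old; check the
# currently supported series before a production deployment. Before building,
# verify the tarball against the detached signature the project publishes
# alongside it using the OpenVPN release signing key.
wget https://swupdate.openvpn.org/community/releases/openvpn-2.3.9.tar.gz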
5.准备安装环境和需要的软件
# Build toolchain plus the headers/libraries OpenVPN's configure script looks for
# (OpenSSL, LZO, PAM) and net-tools for ifconfig-style inspection.
pkgs=(openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig net-tools)
yum -y groupinstall "Development tools"
yum -y install "${pkgs[@]}"
6. 配置编译安装openvpn
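# Unpack and build from source. The cd guard matters here: without it a failed
# extraction would run ./configure in /usr/local/src and fail confusingly.
tar -xf openvpn-2.3.9.tar.gz
cd openvpn-2.3.9 || exit 1
# No configure flags are given, so defaults apply; the binary ends up under
# /usr/local/sbin/openvpn (see the find output below).
./configure && make && make install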
先用find确认下openvpn是否被安装成功
[root@localhost openvpn-2.3.9]# find / -name 'openvpn'
/etc/selinux/targeted/active/modules/100/openvpn
/usr/local/lib/openvpn
/usr/local/sbin/openvpn
/usr/local/share/doc/openvpn
/usr/local/src/openvpn-2.3.9/src/openvpn
/usr/local/src/openvpn-2.3.9/src/openvpn/openvpn
7. 配置 openvpn 服务器
# Copy the stock server config and the shutdown helper shipped with the source tree into /etc/openvpn.
sample_dir=/usr/local/src/openvpn-2.3.9/sample/sample-config-files
cp "$sample_dir/server.conf" "$sample_dir/openvpn-shutdown.sh" /etc/openvpn/
8. 配置openvpn
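# Write the server configuration. Guard the cd: an unchecked failure would
# rename and create server.conf in the previous working directory instead.
cd /etc/openvpn || exit 1
# Keep the sample config for reference. Note a rerun moves the config written
# below over this backup.
mv server.conf server.conf.bak
# Quoted delimiter: the config is written literally, no shell expansion.
cat > server.conf <<'EOF'
port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/pki/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0" # adjust to the LAN subnet clients should reach
keepalive 10 120
comp-lzo
max-clients 100
# Drop privileges after startup; persist-key/persist-tun let the daemon survive
# SIGUSR1 restarts without re-reading the key as an unprivileged user.
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
# Hardening to consider, applied identically to every client.ovpn (2.3 does not
# negotiate these): tls-auth with a shared ta.key to drop unauthenticated
# packets, plus an explicit cipher/auth such as AES-256-CBC and SHA256 instead
# of the 2.3 default data cipher BF-CBC (64-bit block size).
EOF
mkdir -p /var/log/openvpn
touch /var/log/openvpn/openvpn.log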
9. 开启路由转发
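# Enable IPv4 forwarding persistently so VPN clients can reach the LAN behind
# the server. The grep guard keeps reruns from appending duplicate lines.
grep -qxF 'net.ipv4.ip_forward = 1' /etc/sysctl.conf \
  || printf '%s\n' 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
# Apply immediately; the line is re-read from sysctl.conf at boot.
sysctl -p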
10. 防火墙设置一条规则
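# NAT the VPN subnet out of the LAN-facing interface. The interface is eth1 in
# this lab; override with OUT_IF when the outbound interface is named differently.
out_if=${OUT_IF:-eth1}
# -C checks for an identical existing rule so reruns do not stack duplicates.
iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "$out_if" -j MASQUERADE 2>/dev/null \
  || iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o "$out_if" -j MASQUERADE
# Rules added this way do not survive a reboot; persist them with the
# distribution's iptables save mechanism.
iptables -L -n -t nat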
11. 启动openvpn
# Start the server detached. --cd makes the relative paths in server.conf
# (ipp.txt, later crl.pem) resolve under /etc/openvpn.
openvpn_args=(--cd /etc/openvpn --daemon --config server.conf)
/usr/local/sbin/openvpn "${openvpn_args[@]}"
查看进程 ps -ef | grep openvpn
查看日志
[root@localhost openvpn]# tail -f /var/log/openvpn/openvpn.log
Sun Jan 23 23:13:29 2022 GID set to nobody
Sun Jan 23 23:13:29 2022 UID set to nobody
Sun Jan 23 23:13:29 2022 Listening for incoming TCP connection on [undef]
Sun Jan 23 23:13:29 2022 TCPv4_SERVER link local (bound): [undef]
Sun Jan 23 23:13:29 2022 TCPv4_SERVER link remote: [undef]
Sun Jan 23 23:13:29 2022 MULTI: multi_init called, r=256 v=256
Sun Jan 23 23:13:29 2022 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Sun Jan 23 23:13:29 2022 IFCONFIG POOL LIST
Sun Jan 23 23:13:29 2022 MULTI: TCP INIT maxclients=100 maxevents=104
Sun Jan 23 23:13:29 2022 Initialization Sequence Completed
12.openvpn客户端配置
下载openvpn软件
mac版
Tunnelblick_3.5.5_build_4270.4461.dmg
windows版
openvpn-install-2.3.10-I601-x86_64.exe
13.1 安装openvpn客户端
13.2 添加配置文件client.ovpn,内容如下
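client
dev tun
proto tcp
remote 192.168.0.110 1194 # IP or hostname; behind a firewall/NAT use its public address and forwarded port
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
# Require the server's certificate to carry the server key-usage/EKU that
# "easyrsa build-server-full" sets. Without this, any certificate signed by the
# same CA (e.g. another client's) would be accepted as the server.
remote-cert-tls server
#redirect-gateway def1 # when enabled, all internet-bound traffic is routed through the VPN
comp-lzo
verb 3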
14.1 把服务器端下载的ca.crt,用户名.crt ,用户名.key和client.ovpn 拷贝到openVPN的安装目录下的config目录
14.2 启动openVPN ,输入client的PEM密码如果openVPN图标变绿色表示成功!
15 吊销证书
回到server端
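# Revoke a client certificate and put the refreshed CRL into service.
cd /etc/openvpn/easy-rsa || exit 1
# "test" is the common name of the certificate being revoked; this guide issued
# its client as "client" (step 3.5), so substitute the real name.
./easyrsa revoke test
./easyrsa gen-crl
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/
# crl-verify must appear only once in server.conf; the guard makes this block
# safe to rerun after later revocations.
grep -q '^crl-verify crl.pem$' /etc/openvpn/server.conf \
  || printf '%s\n' 'crl-verify crl.pem' >> /etc/openvpn/server.conf
# The daemon runs as nobody and reads crl.pem while verifying clients, so the
# copy must be readable by that user after every refresh.
chmod o+r /etc/openvpn/crl.pem
# Stop the running instance before starting again: a second daemon cannot bind
# port 1194 and exits, leaving the old one (without the CRL) in service.
# This stops every openvpn process on the host, which is fine for this single
# instance lab.
if pgrep -x openvpn >/dev/null; then
  pkill -TERM -x openvpn
  for _ in 1 2 3 4 5; do
    pgrep -x openvpn >/dev/null || break
    sleep 1
  done
fi
/usr/local/sbin/openvpn --cd /etc/openvpn --daemon --config server.conf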