OpenVPN version: 2.5.2
Server installation mode: compiled and installed from source
Certificate generation method: Easy-RSA 3
Server configuration
Compile and install
openvpn source code download address
# System configuration: enable IPv4 forwarding so the server can route client traffic to other hosts
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p /etc/sysctl.conf
# Should print 1
cat /proc/sys/net/ipv4/ip_forward

# Build dependencies, CentOS
yum install openssl-devel lzo{,-devel} pam-devel -y
# Build dependencies, Ubuntu
apt install libssl-dev liblz4-dev liblzo2-dev libpam0g-dev

# The source tarball was downloaded to /data/soft/; work from that directory
cd /data/soft
tar xfv openvpn-2.5.2.tar.gz
cd openvpn-2.5.2
./configure --prefix=/usr/local/openvpn-2.5.2
make -j$(nproc)
make install
Certificate generation
Use easy-rsa3 to issue certificates
tar xfv EasyRSA-3.0.8.tgz
cd EasyRSA-3.0.8/
mkdir /usr/local/openvpn-2.5.2/easy-rsa
cp -r easyrsa openssl-easyrsa.cnf vars.example x509-types /usr/local/openvpn-2.5.2/easy-rsa/
cd /usr/local/openvpn-2.5.2/easy-rsa/
cp vars.example vars

# Edit vars: default subject fields for every request
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Beijing"
set_var EASYRSA_REQ_CITY "Beijing"
set_var EASYRSA_REQ_ORG "HelloWorld Co"
set_var EASYRSA_REQ_EMAIL "admin@mailexample.com"
set_var EASYRSA_REQ_OU "DevOps"

# CA. "nopass" leaves the CA private key (pki/private/ca.key) unencrypted on disk;
# omit it to be prompted for a passphrase, and keep that key off the VPN server if you can.
./easyrsa init-pki
./easyrsa build-ca nopass

# Server certificate request; note the file names in the output
./easyrsa gen-req server nopass
# Output:
# Keypair and certificate request completed. Your files are:
# req: /usr/local/openvpn-2.5.2/easy-rsa/pki/reqs/server.req
# key: /usr/local/openvpn-2.5.2/easy-rsa/pki/private/server.key

# Sign it. The first argument is the certificate type (server or client; it selects the
# extendedKeyUsage that remote-cert-tls later checks), the second is the request name
# printed above. "sign" is a short alias of "sign-req".
./easyrsa sign-req server server
# Output:
# Certificate created at: /usr/local/openvpn-2.5.2/easy-rsa/pki/issued/server.crt

# Diffie-Hellman parameters
./easyrsa gen-dh

# tls-auth key (OpenVPN 2.5 --genkey syntax)
cd ../
./sbin/openvpn --genkey tls-auth ta.key

# Client certificate request. Done here in a separate PKI directory to mimic the client
# generating its own key; in practice the key stays on the client and only the .req
# is sent to the CA.
mkdir client
cp -r /data/soft/EasyRSA-3.0.8/{easyrsa,openssl-easyrsa.cnf,x509-types,vars.example} ./client/
cd ./client && cp vars.example vars
./easyrsa init-pki
./easyrsa gen-req client nopass
# Output; note the name and location
# Keypair and certificate request completed. Your files are:
# req: /usr/local/openvpn-2.5.2/client/pki/reqs/client.req
# key: /usr/local/openvpn-2.5.2/client/pki/private/client.key

# Import the request into the CA and sign it as a client certificate
cd /usr/local/openvpn-2.5.2/easy-rsa/
./easyrsa import-req /usr/local/openvpn-2.5.2/client/pki/reqs/client.req client
./easyrsa sign-req client client
# Output:
# Certificate created at: /usr/local/openvpn-2.5.2/easy-rsa/pki/issued/client.crt
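Before copying anything to the client it is worth checking what Easy-RSA actually produced. The following is an added example, not part of the original page or of Easy-RSA: it uses only the openssl CLI to confirm that a certificate chains to the CA, that the private key belongs to it, that the server and client certificates carry the extendedKeyUsage that remote-cert-tls depends on, and that the CN is the one you expect (the ccd file name must match it later). The paths in the usage comment are the ones from this walkthrough; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the page or Easy-RSA): post-issuance checks with the openssl CLI.
#
#   check_cert_chain  CA_CRT CERT               cert chains to the CA
#   check_key_matches CERT KEY                  private key belongs to the cert
#   check_eku         CERT clientAuth|serverAuth  EKU present
#   cert_cn           CERT                      prints the CN
#   check_client_cert CA_CRT CERT KEY EXPECTED_CN  all of the above for one client

check_cert_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

check_key_matches() {
    # Compare the public key embedded in the cert with the one derived from the key.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

check_eku() {
    # Easy-RSA's "server" type sets serverAuth, "client" sets clientAuth.
    case "$2" in
        clientAuth) want="TLS Web Client Authentication" ;;
        serverAuth) want="TLS Web Server Authentication" ;;
        *) return 2 ;;
    esac
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' | grep -q "$want"
}

cert_cn() {
    # sep_multiline prints one RDN per line, e.g. "    CN=client"
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline 2>/dev/null \
        | sed -n 's/^ *CN=//p'
}

check_client_cert() {
    ca=$1; crt=$2; key=$3; cn=$4
    check_cert_chain "$ca" "$crt"   || { echo "FAIL: $crt does not chain to $ca"; return 1; }
    check_key_matches "$crt" "$key" || { echo "FAIL: $key does not match $crt"; return 1; }
    check_eku "$crt" clientAuth     || { echo "FAIL: $crt lacks the clientAuth EKU"; return 1; }
    [ "$(cert_cn "$crt")" = "$cn" ] || { echo "FAIL: CN is '$(cert_cn "$crt")', expected '$cn'"; return 1; }
    echo "OK: $crt"
}

# Usage with the paths of this walkthrough:
#   cd /usr/local/openvpn-2.5.2
#   check_client_cert easy-rsa/pki/ca.crt easy-rsa/pki/issued/client.crt client/pki/private/client.key client
#   check_eku easy-rsa/pki/issued/server.crt serverAuth   # required for "remote-cert-tls server" on clients
```

If check_eku fails on the server certificate, the request was signed with the wrong type (sign-req client instead of sign-req server) and every client using remote-cert-tls server will refuse to connect.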
Server configuration file
Prepare the certificate file used by the server
cd /usr/local/openvpn-2.5.2/ && mkdir -p conf/cert
cp easy-rsa/pki/ca.crt conf/cert/
cp easy-rsa/pki/private/server.key conf/cert/
cp easy-rsa/pki/issued/server.crt conf/cert/
cp easy-rsa/pki/dh.pem conf/cert/
mv ta.key conf/cert/
Modify profile
# Copy the sample configuration file from the source package
cp /data/soft/openvpn-2.5.2/sample/sample-config-files/server.conf ./conf/

# Contents of conf/server.conf. Relative paths resolve against /usr/local/openvpn-2.5.2
# because the start script passes --cd.
# Listening address
local 10.2.3.110
# Port
port 31234
proto udp
dev tun
ca cert/ca.crt
cert cert/server.crt
key cert/server.key
dh cert/dh.pem
# Network segment assigned to clients
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Route pushed to clients; may be a range or a single IP (mask 255.255.255.255)
push "route 192.168.50.0 255.255.255.0"
keepalive 30 120
# HMAC on the control channel; the server uses key direction 0, clients use 1
tls-auth cert/ta.key 0
cipher AES-256-GCM
# v2.4+: enable compression on the VPN link (see the caveat below)
compress lz4-v2
push "compress lz4-v2"
persist-key
persist-tun
# Status file
status /usr/local/openvpn-2.5.2/logs/openvpn-status.log
# Log file
log-append /usr/local/openvpn-2.5.2/logs/openvpn.log
verb 3
explicit-exit-notify 1

Two caveats on this sample. Compression on a VPN link lets an attacker who can inject chosen plaintext into a client's traffic learn secrets from ciphertext length (the VORACLE class of attacks against OpenVPN compression, 2018), and the OpenVPN project advises leaving it off; unless you need it, drop both compress lines and set allow-compression no on both ends. The sample also keeps the daemon running as root: add user nobody and group nobody (nogroup on Debian/Ubuntu) so privileges are dropped after start-up (persist-key and persist-tun are already set, so reconnects keep working), and add crl-verify with a CRL from ./easyrsa gen-crl so revoked client certificates are actually rejected.
Start and stop with scripts. To debug a start-up failure, run the same command without --daemon so OpenVPN stays in the foreground and prints its log to the terminal.
Start script, saved as ./sbin/openvpn-startup.sh under /usr/local/openvpn-2.5.2:
#!/bin/bash
dir=/usr/local/openvpn-2.5.2
# status and log-append in server.conf point into ${dir}/logs, which must exist
mkdir -p ${dir}/logs
# --cd makes the relative cert/ and ccd/ paths in server.conf resolve; drop --daemon to debug
${dir}/sbin/openvpn --cd ${dir} --daemon --config ${dir}/conf/server.conf

Stop script, saved as ./sbin/openvpn-shutdown.sh:
#!/bin/bash
# Sends SIGTERM to every openvpn process on the host
killall -TERM openvpn
iptables configuration
Once OpenVPN is configured and a client can connect, the client can by default reach only the OpenVPN server itself. For the client to reach the other intranet hosts that the server can reach, two things are needed:
- The server must push a "route xxx xxx" for that network to the client
- iptables must translate the source address of the VPN segment, and forwarding must be allowed
# Source-NAT the segment assigned to VPN clients to the server's own address; without this,
# replies from other intranet hosts have no route back to 10.8.0.0/24. Use one of the two forms:
# a) the server's address is static
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 10.2.3.110
# b) the eth0 address is dynamic: masquerade instead
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# If Docker is installed it sets the FORWARD policy to DROP, so explicit forwarding rules are needed
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
# Verify what is in place
iptables -t nat -S POSTROUTING
iptables -S FORWARD
If other chains default to DROP, add accept rules as needed.
Client configuration
- configuration file
The following is the client configuration file, which is common to Windows and Linux
# Copy these files from the server to the client machine
/usr/local/openvpn-2.5.2/conf/cert/ca.crt
/usr/local/openvpn-2.5.2/conf/cert/ta.key
/usr/local/openvpn-2.5.2/easy-rsa/pki/issued/client.crt
/usr/local/openvpn-2.5.2/client/pki/private/client.key

# Client configuration
# Certificate files are looked up in the directory of the configuration file; otherwise give full paths
client
dev tun
proto udp
remote 10.2.3.110 31234
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
# Key direction 1 on the client side (the server uses 0)
tls-auth ta.key 1
# Require the serverAuth EKU that Easy-RSA's "server" type sets, so another client's
# certificate cannot impersonate the server
remote-cert-tls server
# comp-lzo and keysize are deprecated since 2.4 (keysize has no effect with AES-GCM);
# they are kept here to match the compression the server pushes
comp-lzo
allow-compression yes
keysize 256
verb 3
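The server.conf above and this client configuration both carry settings a reviewer would flag (compression on the link, the deprecated keysize, no privilege drop and no CRL on the server). The following is an added example, not from the original page or from OpenVPN: a small POSIX shell lint that reads an OpenVPN 2.5 configuration file, strips comments, and reports those directives, together with constructed copies of the page's two configurations and a hardened server.conf for comparison. The function names and the hardened file (which uses tls-crypt with the same ta.key, data-ciphers, allow-compression no, user/group and a crl.pem from ./easyrsa gen-crl) are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the page): lint for OpenVPN 2.5 config files.
# lint_openvpn_conf FILE prints one finding per line and returns 1 if there are any.

# Config with comments (# and ;) and blank lines removed, one directive per line.
cfg_lines() {
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e '/^$/d' "$1"
}

# has_directive FILE NAME -> 0 if NAME opens a line of FILE
has_directive() {
    cfg_lines "$1" | grep -Eq "^$2([[:space:]]|\$)"
}

lint_openvpn_conf() {
    f=$1; n=0
    if has_directive "$f" client; then role=client; else role=server; fi

    # Compression exposes plaintext length (VORACLE-style attacks); keep it off on both ends.
    if cfg_lines "$f" | grep -Eq '^(compress|comp-lzo)([[:space:]]|$)|^push[[:space:]]+"compress'; then
        echo "WARN: compression enabled; remove compress/comp-lzo and set 'allow-compression no'"; n=$((n+1))
    fi
    # keysize is deprecated since 2.4, has no effect with AES-GCM and is gone in 2.6.
    if has_directive "$f" keysize; then
        echo "WARN: keysize is deprecated and ignored for AES-GCM; remove it"; n=$((n+1))
    fi
    if [ "$role" = server ]; then
        if ! has_directive "$f" user || ! has_directive "$f" group; then
            echo "WARN: no user/group; the daemon keeps root after start-up (add 'user nobody' and 'group nobody')"; n=$((n+1))
        fi
        if ! has_directive "$f" crl-verify; then
            echo "WARN: no crl-verify; revoked client certificates are still accepted"; n=$((n+1))
        fi
    else
        if ! cfg_lines "$f" | grep -Eq '^remote-cert-tls[[:space:]]+server'; then
            echo "WARN: no 'remote-cert-tls server'; any CA-signed certificate could impersonate the server"; n=$((n+1))
        fi
    fi
    [ "$n" -eq 0 ]
}

# Constructed samples: the directives from this walkthrough plus a hardened server.conf.
write_samples() {
    cat > "$1/server.conf" <<'EOF'
port 31234
proto udp
dev tun
ca cert/ca.crt
cert cert/server.crt
key cert/server.key
dh cert/dh.pem
server 10.8.0.0 255.255.255.0
tls-auth cert/ta.key 0   # control-channel HMAC
cipher AES-256-GCM
compress lz4-v2
push "compress lz4-v2"
persist-key
persist-tun
EOF
    cat > "$1/server-hardened.conf" <<'EOF'
port 31234
proto udp
dev tun
ca cert/ca.crt
cert cert/server.crt
key cert/server.key
dh cert/dh.pem
crl-verify cert/crl.pem
server 10.8.0.0 255.255.255.0
tls-crypt cert/ta.key
cipher AES-256-GCM
data-ciphers AES-256-GCM:AES-128-GCM
allow-compression no
user nobody
group nobody
persist-key
persist-tun
EOF
    cat > "$1/client.conf" <<'EOF'
client
dev tun
proto udp
remote 10.2.3.110 31234
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
remote-cert-tls server
comp-lzo
allow-compression yes
keysize 256
EOF
}

# Usage: d=$(mktemp -d); write_samples "$d"; lint_openvpn_conf "$d/server.conf"
```

Run against the page's server.conf the lint reports three findings (compression, no user/group, no crl-verify); against the client configuration it reports two (comp-lzo and keysize); the hardened file is clean.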
- Linux client
As on the server, the compiled binary can be started directly with the client configuration file, for example ./sbin/openvpn --config client.conf from the directory holding the certificate files.
- Configure Windows client
Windows client download address
On Windows the configuration file must end with the .ovpn suffix. It can be stored in the config directory of the OpenVPN program or anywhere else; the path is set in the GUI under Options -> Advanced -> configuration file.
Install the program by clicking Next (make sure the TAP network adapter component is selected). Operation is graphical and is not covered here.
Configure fixed IP
Configure a fixed IP address for the client
The first IP is the client's address and the second is the server-side endpoint of that client's point-to-point link. Both must lie inside the server's VPN address pool and form a valid pair within a 255.255.255.252 (/30) block, because the default topology net30 gives each client its own /30.
For example, with 10.8.0.9/30 the network is 10.8.0.8, the usable addresses are 10.8.0.9 and 10.8.0.10 and the broadcast is 10.8.0.11, so the pair is 10.8.0.9 10.8.0.10.
The file name in the ccd directory must match the CN in the certificate the client presents (here "client", the name given to gen-req).
# On the server side, enable this option in conf/server.conf (relative to the --cd directory)
client-config-dir conf/ccd
# Create the ccd directory and a fixed address for the client whose certificate CN is "client"
cd /usr/local/openvpn-2.5.2/ && mkdir conf/ccd
echo 'ifconfig-push 10.8.0.9 10.8.0.10' > conf/ccd/client
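The /30 rule above generalises: under topology net30 the valid pairs in the last octet are [1,2] [5,6] [9,10] [13,14] ..., with .1/.2 taken by the server's own tun interface, so the page's 10.8.0.9 10.8.0.10 is pair number 2. The following is an added example, not part of the original page or of OpenVPN: shell helpers that compute the k-th pair, validate a pair before it goes into a ccd file, and write the ccd file named after the certificate CN. The 10.8.0.0/24 prefix is the pool from this walkthrough and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the page): net30 address-pair helpers for ifconfig-push.
# Pair k occupies the /30 starting at 4k: client = 4k+1, server endpoint = 4k+2.
# Pair 0 (.1/.2) belongs to the server itself, so clients start at k = 1.

# net30_pair K [PREFIX] -> "PREFIX.(4K+1) PREFIX.(4K+2)", default prefix 10.8.0
net30_pair() {
    k=$1; p=${2:-10.8.0}
    # .253/.254 is the last usable pair inside a /24
    [ "$k" -ge 1 ] && [ "$k" -le 63 ] || return 1
    echo "$p.$((4*k+1)) $p.$((4*k+2))"
}

# valid_net30_pair CLIENT_IP SERVER_IP -> 0 if the pair is a legal client /30 in one /24
valid_net30_pair() {
    c=${1##*.}; s=${2##*.}
    [ "${1%.*}" = "${2%.*}" ] || return 1   # same /24
    [ $((c % 4)) -eq 1 ] || return 1         # client is the first host of its /30
    [ "$s" -eq $((c+1)) ] || return 1        # server endpoint is the second host
    [ "$c" -ge 5 ] && [ "$c" -le 253 ]       # not the server's own .1/.2, inside the /24
}

# write_ccd CCD_DIR CN K [PREFIX] -> writes CCD_DIR/CN containing the ifconfig-push line
write_ccd() {
    pair=$(net30_pair "$3" "$4") || return 1
    printf 'ifconfig-push %s\n' "$pair" > "$1/$2"
}

# Usage for the walkthrough's client (CN "client", pair 2):
#   write_ccd /usr/local/openvpn-2.5.2/conf/ccd client 2
#   cat /usr/local/openvpn-2.5.2/conf/ccd/client   -> ifconfig-push 10.8.0.9 10.8.0.10
```

A pair that fails valid_net30_pair (for instance 10.8.0.10 10.8.0.11) is accepted by the server but the Windows TAP driver will not bring the interface up, which shows up as a client that connects and then has no route; validate first rather than debugging that on the client.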
Troubleshooting
- Client startup failed
Most failures are parameter errors or options that do not match what the server negotiates (cipher, compression, tls-auth key direction). Check both the client and the server logs to locate the problem.
- Unable to access the resources that the server can access
Usually a network problem. First confirm that the route pushed by the server was actually created on the client host (Windows: route print | Linux: ip route, or route -n), then check the server side: source address translation (the POSTROUTING SNAT or MASQUERADE rule), forwarding (the FORWARD chain policy and rules), and net.ipv4.ip_forward.
If it is still unclear, capture packets on the server (tcpdump -ni tun0, and on the intranet-facing interface) to see how far the traffic gets and where the replies stop.