A problem I ran into:

If it tells you at startup that the config file already exists, even after you change directories and the like, you can just rename the .ovpn config file and start with that one. Cause unknown. It worked anyway.

Enable IP forwarding (the server has to route packets between tun0 and eth0)

Persistent across reboots

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/99-sysctl.conf

Apply immediately to the running kernel

sysctl -w net.ipv4.ip_forward=1

#Stop firewalld (iptables-services is used instead below; running both at once gives two competing rulesets)

systemctl stop firewalld

#Do not start it at boot

systemctl disable firewalld

#Check status (reports "not running" once stopped)

firewall-cmd --state

#First check whether iptables is installed

service iptables status

#Install iptables

yum install -y iptables

#Install iptables-services

yum -y install iptables-services

#Register the iptables service, the equivalent of the old chkconfig iptables on

systemctl enable iptables.service

#Start the service

systemctl start iptables.service

#Check status

systemctl status iptables.service

Clear the saved firewall rules

>/etc/sysconfig/iptables

This empties the ruleset file that iptables-services loads at start; the rules currently in the kernel stay until the service is restarted below. An empty file also means every chain comes up with the kernel default policy of ACCEPT.

Add rules

iptables -A FORWARD -i tun0 -j ACCEPT

iptables -t nat -A POSTROUTING -s 172.16.77.0/24 -o eth0 -j MASQUERADE

iptables -A INPUT -p tcp --dport 1194 -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

The MASQUERADE rule is what lets clients in 172.16.77.0/24 reach the networks behind eth0 using the server's own address. Note that with the default ACCEPT policies left in place by the empty ruleset file, the two INPUT rules permit nothing that was not already permitted; they only mean something once the INPUT policy is set to DROP or a final REJECT rule is added. The FORWARD rule likewise accepts anything arriving on tun0, not only traffic from the VPN subnet.

Save the firewall rules (service iptables save writes the live ruleset to /etc/sysconfig/iptables, which is what is loaded at boot)

service iptables save

service iptables restart
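As an added example (not from the original notes), the script below builds a complete ruleset in iptables-restore format that does what the four rules above are meant to do, with default-deny INPUT and FORWARD policies, connection tracking for return traffic, and SSH and the VPN port admitted only on the WAN side. Interface names, the VPN subnet and the port are parameters; it assumes the internal networks pushed to clients are reached through the WAN interface, and install_ruleset only runs as root.

```sh
#!/bin/sh
# Added example, not part of the original notes: a complete iptables-restore
# ruleset for the OpenVPN gateway with default-deny INPUT and FORWARD policies.
# With an empty /etc/sysconfig/iptables the chains come up with the kernel
# default policy ACCEPT, so the four rules above restrict nothing by themselves.
# Assumption: the routed internal networks are reached through the WAN interface.

# Print the ruleset for WAN_IF TUN_IF VPN_NET VPN_PORT,
# e.g. vpn_ruleset eth0 tun0 172.16.77.0/24 1194
vpn_ruleset() {
  wan=$1 tun=$2 net=$3 port=$4
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# source NAT for VPN clients leaving through the WAN interface
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
# SSH and the OpenVPN listener: new connections on the WAN side only
-A INPUT -i $wan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $wan -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
# forwarding: replies back into the tunnel, new flows only from the VPN subnet
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $tun -o $wan -s $net -j ACCEPT
COMMIT
EOF
}

# Write the ruleset where iptables-services reads it and load it. Needs root.
# iptables-restore --test parses the file without committing it, so a typo
# fails here instead of leaving the box with a half-loaded ruleset.
install_ruleset() {
  [ "$(id -u)" = 0 ] || { echo "install_ruleset: run as root" >&2; return 1; }
  vpn_ruleset "$@" > /etc/sysconfig/iptables.new || return 1
  iptables-restore --test < /etc/sysconfig/iptables.new || return 1
  mv /etc/sysconfig/iptables.new /etc/sysconfig/iptables
  service iptables restart
}

# Usage from a root shell: sh vpn-rules.sh eth0 tun0 172.16.77.0/24 1194
if [ "$#" -eq 4 ]; then
  install_ruleset "$@"
fi
```

Because the INPUT policy becomes DROP, keep the SSH session you are working from open until the new ruleset has been loaded and a second login has succeeded; if clients must also reach the gateway itself over the tunnel (DNS, for instance), add an INPUT rule for the tun interface as well.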

Configure the package repository

yum install -y epel-release

Install

yum install openvpn easy-rsa -y

Check the version

openvpn --version

Generate the certificates

cp -R /usr/share/easy-rsa/ /etc/openvpn/

cp -r /usr/share/doc/easy-rsa-3.0.6/vars.example /etc/openvpn/easy-rsa/3.0.6/vars

The version directory 3.0.6 is the easy-rsa release EPEL shipped at the time; adjust the paths below if a different version was installed.

Initialise the PKI

cd /etc/openvpn/easy-rsa/3.0.6

rm -rf /etc/openvpn/easy-rsa/3.0.6/pki

/etc/openvpn/easy-rsa/3.0.6/easyrsa init-pki

Create the CA

Enter eduserver as the Common Name when prompted

/etc/openvpn/easy-rsa/3.0.6/easyrsa build-ca nopass

The CA can only be created once; to recreate it, delete the pki directory and start over. nopass leaves the CA private key (pki/private/ca.key) unencrypted on the VPN server, and anyone who can read it can issue client certificates the server will accept; restrict access to that file, or omit nopass and keep the passphrase elsewhere.

Create the server certificate request

/etc/openvpn/easy-rsa/3.0.6/easyrsa gen-req eduserver nopass

Sign the server certificate

/etc/openvpn/easy-rsa/3.0.6/easyrsa sign server eduserver

Type yes when asked to confirm

Create the Diffie-Hellman parameters

/etc/openvpn/easy-rsa/3.0.6/easyrsa gen-dh

Allow the same subject to be issued more than once

vim /etc/openvpn/easy-rsa/3.0.6/pki/index.txt.attr

The file is index.txt.attr in the CA database directory (pki/ here; demoCA is only the name of OpenSSL's default CA directory and is not used by easy-rsa). Change unique_subject = yes to unique_subject = no.

Without this change, signing a second request whose Common Name already has a valid entry in pki/index.txt fails. With it, several valid certificates can share one name, so the name alone no longer identifies a single device; pki/index.txt records which serial number belongs to which certificate.

Generate a client certificate, here test01

/etc/openvpn/easy-rsa/3.0.6/easyrsa gen-req test01 nopass

Sign the client certificate

Type yes when prompted

/etc/openvpn/easy-rsa/3.0.6/easyrsa sign client test01
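Once the CA, server and client certificates exist, what matters day to day is the CA database pki/index.txt: who holds a valid certificate, whether a name has been issued twice after the unique_subject change, and which certificates have been revoked. The script below is an added example, not part of the original notes; it parses index.txt with awk on a constructed sample and wraps easy-rsa's revoke and gen-crl commands, assuming server.conf points crl-verify at /etc/openvpn/crl.pem (the configuration in these notes does not yet).

```sh
#!/bin/sh
# Added example, not part of the original notes: audit the CA database that
# easy-rsa keeps in pki/index.txt (the file whose unique_subject setting the
# notes relax) and revoke a client cleanly. index.txt lines are tab-separated:
#   status  expiry  revocation-date  serial  unknown  subject
# status is V (valid), R (revoked) or E (expired); revocation-date is empty
# unless the entry is R. Serials, dates and names below are constructed so the
# audit functions can be exercised without a real PKI.

PKI=${PKI:-/etc/openvpn/easy-rsa/3.0.6/pki}

# Constructed sample database: test01 holds two valid certificates, test02 is revoked.
sample_index() {
  printf 'V\t300101120000Z\t\t1A2B3C\tunknown\t/CN=eduserver\n'
  printf 'V\t300101120000Z\t\t1A2B3D\tunknown\t/CN=test01\n'
  printf 'R\t300101120000Z\t240301090000Z\t1A2B3E\tunknown\t/CN=test02\n'
  printf 'V\t300101120000Z\t\t1A2B3F\tunknown\t/CN=test01\n'
}

# Serials of the still-valid certificates issued for a Common Name, one per line.
live_serials() {  # index.txt CN
  awk -F'\t' -v cn="$2" '$1 == "V" && $6 ~ ("(^|/)CN=" cn "(/|$)") { print $4 }' "$1"
}

# How many valid certificates a Common Name currently has.
live_count() {  # index.txt CN
  live_serials "$1" "$2" | awk 'END { print NR }'
}

# Common Names holding more than one valid certificate: the direct consequence
# of unique_subject = no. Such a name no longer identifies a single device.
duplicate_cns() {  # index.txt
  awk -F'\t' '$1 == "V" { cn = $6; sub(/.*CN=/, "", cn); sub(/\/.*/, "", cn); n[cn]++ }
              END { for (c in n) if (n[c] > 1) print c }' "$1" | sort
}

# Serials revoked so far; the CRL that crl-verify loads must list exactly these.
revoked_serials() {  # index.txt
  awk -F'\t' '$1 == "R" { print $4 }' "$1"
}

# Revoke a client by name, regenerate the CRL and publish it where server.conf's
# crl-verify is assumed to point (/etc/openvpn/crl.pem). Runs easyrsa from the
# directory that holds vars; EASYRSA_BATCH=1 skips the interactive "yes" prompt.
# OpenVPN 2.4 reloads the CRL file when it changes, so no restart is needed.
revoke_client() {  # name
  [ "$(id -u)" = 0 ] || { echo "revoke_client: run as root" >&2; return 1; }
  dir=$(dirname "$PKI")
  ( cd "$dir" && EASYRSA_BATCH=1 ./easyrsa revoke "$1" && ./easyrsa gen-crl ) || return 1
  install -m 644 "$PKI/crl.pem" /etc/openvpn/crl.pem
}

# Usage: sh pki-audit.sh [index.txt]   (defaults to the live database)
if [ "$#" -ge 1 ] || [ -r "$PKI/index.txt" ]; then
  idx=${1:-$PKI/index.txt}
  printf 'revoked serials: %s\n' "$(revoked_serials "$idx" | tr '\n' ' ')"
  printf 'names with duplicate valid certs: %s\n' "$(duplicate_cns "$idx" | tr '\n' ' ')"
fi
```

The CRL file is published world-readable on purpose: once server.conf drops privileges with user nobody, the running daemon still has to be able to re-read it.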

Edit the server configuration file

vim /etc/openvpn/server.conf

# local: the address of the host openvpn is installed on, i.e. the address it listens on

local 10.100.0.152

port 1194

proto tcp

dev tun

ca /etc/openvpn/easy-rsa/3.0.6/pki/ca.crt

cert /etc/openvpn/easy-rsa/3.0.6/pki/issued/eduserver.crt

# This file should be kept secret

key /etc/openvpn/easy-rsa/3.0.6/pki/private/eduserver.key

dh /etc/openvpn/easy-rsa/3.0.6/pki/dh.pem

topology subnet

server 172.16.77.0 255.255.255.0

# ifconfig-pool-persist ipp.txt

push "route 192.168.0.0 255.255.0.0"

push "route 10.0.0.0 255.0.0.0"

push "route 100.64.0.0 255.192.0.0"

keepalive 10 120

cipher AES-256-CBC

comp-lzo

# maximum number of simultaneously connected clients

max-clients 200

persist-key

persist-tun

status openvpn-status.log

log-append openvpn.log

verb 3

mute 20

duplicate-cn

Three of these settings deserve a second look before this goes into production. comp-lzo turns on compression inside the tunnel; OpenVPN has deprecated it because compressing traffic that mixes attacker-influenced and secret data allows plaintext recovery (the VORACLE class of attacks). duplicate-cn lets any number of clients connect with the same certificate, which makes it impossible to tell them apart in the status log or to revoke one of them without cutting off the rest. There is also no tls-auth/tls-crypt key protecting the control channel, no crl-verify so revoked client certificates are still accepted, and no user/group directive to drop root privileges once the tunnel is up.
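The following is an added example, not part of the original notes: a small linter that flags the weak settings in the configuration above (compression, duplicate-cn, a CBC cipher, no tls-crypt, no privilege drop, no CRL) and a hardened server.conf that passes it. The hardened file assumes a tls-crypt key at /etc/openvpn/ta.key and a CRL at /etc/openvpn/crl.pem, neither of which the notes create; the commands that produce them are in the script's header comment.

```sh
#!/bin/sh
# Added example, not part of the original notes: lint an OpenVPN server.conf for
# the weak settings in the configuration above and print a hardened variant that
# passes the same checks. Paths follow the notes. The hardened file assumes two
# extra files that the notes do not create:
#   openvpn --genkey --secret /etc/openvpn/ta.key   (tls-crypt key, also given to clients)
#   easyrsa gen-crl; install -m 644 pki/crl.pem /etc/openvpn/crl.pem

# True when an uncommented line of $1 matches the extended regex $2.
has_directive() {
  grep -Ev '^[[:space:]]*#' "$1" | grep -Eiq "$2"
}

# One finding per line; no output means the file passed every check.
audit_ovpn_conf() {  # server.conf
  f=$1
  has_directive "$f" '^[[:space:]]*(comp-lzo|compress)' &&
    echo "compression enabled: remove comp-lzo/compress (VORACLE-class plaintext recovery)"
  has_directive "$f" '^[[:space:]]*duplicate-cn' &&
    echo "duplicate-cn: a shared certificate cannot be attributed to a user or revoked per user"
  has_directive "$f" '^[[:space:]]*(tls-crypt|tls-crypt-v2|tls-auth)[[:space:]]' ||
    echo "no tls-crypt/tls-auth: control channel is reachable by unauthenticated peers"
  has_directive "$f" '^[[:space:]]*user[[:space:]]' && has_directive "$f" '^[[:space:]]*group[[:space:]]' ||
    echo "stays root after startup: add user nobody / group nobody (keep persist-key persist-tun)"
  has_directive "$f" '^[[:space:]]*crl-verify[[:space:]]' ||
    echo "no crl-verify: revoked client certificates are still accepted"
  has_directive "$f" '^[[:space:]]*cipher[[:space:]]+[A-Z0-9-]*-CBC' &&
    echo "CBC data-channel cipher: use AES-256-GCM (authenticated encryption)"
  return 0
}

# Number of findings, for scripting.
audit_count() { audit_ovpn_conf "$1" | awk 'END { print NR }'; }

# The server.conf above reduced to its directives (constructed copy for the checks).
page_server_conf() {
  cat <<'EOF'
local 10.100.0.152
port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/3.0.6/pki/ca.crt
cert /etc/openvpn/easy-rsa/3.0.6/pki/issued/eduserver.crt
key /etc/openvpn/easy-rsa/3.0.6/pki/private/eduserver.key
dh /etc/openvpn/easy-rsa/3.0.6/pki/dh.pem
server 172.16.77.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
duplicate-cn
EOF
}

# Hardened variant: wrapped control channel, AEAD data channel, privilege drop,
# revocation checking, no compression, no shared certificates.
hardened_server_conf() {
  cat <<'EOF'
local 10.100.0.152
port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/3.0.6/pki/ca.crt
cert /etc/openvpn/easy-rsa/3.0.6/pki/issued/eduserver.crt
key /etc/openvpn/easy-rsa/3.0.6/pki/private/eduserver.key
dh /etc/openvpn/easy-rsa/3.0.6/pki/dh.pem
tls-crypt /etc/openvpn/ta.key
crl-verify /etc/openvpn/crl.pem
topology subnet
server 172.16.77.0 255.255.255.0
push "route 192.168.0.0 255.255.0.0"
push "route 10.0.0.0 255.0.0.0"
push "route 100.64.0.0 255.192.0.0"
keepalive 10 120
cipher AES-256-GCM
auth SHA256
user nobody
group nobody
persist-key
persist-tun
max-clients 200
status openvpn-status.log
log-append openvpn.log
verb 3
mute 20
EOF
}

# Usage: sh audit-ovpn.sh /etc/openvpn/server.conf
if [ "$#" -eq 1 ]; then
  audit_ovpn_conf "$1"
fi
```

Changing the server this way requires matching changes in test01.ovpn: remove comp-lzo, set cipher AES-256-GCM and auth SHA256, and add tls-crypt ta.key with a copy of ta.key placed next to the other client files (or inlined). With duplicate-cn gone, every device needs its own certificate, which is what the easy-rsa steps above produce anyway.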

Edit the client configuration file test01.ovpn

vim test01.ovpn

client

dev tun

proto tcp

#server1

remote 116.62.103.51 1194

cipher AES-256-CBC

resolv-retry infinite

nobind

persist-key

persist-tun

ca ca.crt

cert test01.crt

key test01.key

comp-lzo

verb 3

remote-cert-tls server

auth-nocache

The client needs the following certificate files:

yum install -y lrzsz

(lrzsz provides rz/sz for pulling the files down through the terminal session.)

/etc/openvpn/easy-rsa/3.0.6/pki/ca.crt

/etc/openvpn/easy-rsa/3.0.6/pki/private/test01.key

/etc/openvpn/easy-rsa/3.0.6/pki/issued/test01.crt

Together with test01.ovpn that makes four files; after installing the OpenVPN client, put all of them in its configuration directory, C:\Program Files\OpenVPN\config. test01.key is the client's private key and the only thing that proves a connecting peer is test01: move it over an authenticated, encrypted channel (the SSH session itself, or scp) rather than mail or chat, and do not leave copies lying around on the server afterwards.
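Four loose files are easy to mislay or to mix up between clients. As an added example, not from the original notes, the script below produces a single test01.ovpn with the CA, certificate and key inlined (the OpenVPN client reads <ca>, <cert> and <key> blocks natively) and checks the certificate against the CA before it is handed out. The sample files it writes are constructed placeholders for an offline run, not real certificates or keys.

```sh
#!/bin/sh
# Added example, not part of the original notes: bundle the client profile and
# its PKI files into one .ovpn with inline <ca>/<cert>/<key> blocks, so a single
# file lands in C:\Program Files\OpenVPN\config, and verify the client
# certificate against the CA first. The files written by write_sample_client_files
# are constructed placeholders for an offline run, not real certificates or keys.

# Emit "<tag>" ... "</tag>" around the file; awk 1 guarantees a final newline.
inline_block() {  # tag file
  printf '<%s>\n' "$1"
  awk 1 "$2"
  printf '</%s>\n' "$1"
}

# Copy the template without its file-reference directives, then append the
# inline blocks. A fifth argument inlines a tls-crypt key as <tls-crypt>.
build_unified_ovpn() {  # template.ovpn ca.crt client.crt client.key [ta.key]
  grep -Ev '^[[:space:]]*(ca|cert|key|tls-auth|tls-crypt)[[:space:]]' "$1"
  inline_block ca "$2"
  inline_block cert "$3"
  inline_block key "$4"
  if [ -n "$5" ]; then
    inline_block tls-crypt "$5"
  fi
}

# Number of inline blocks in a generated profile (3 without ta.key, 4 with).
inline_block_count() {  # unified.ovpn
  awk '/^<(ca|cert|key|tls-crypt)>$/ { n++ } END { print n + 0 }' "$1"
}

# Chain check before anything is handed out: the client certificate must verify
# against ca.crt and must not be expired. Exit status is openssl's.
check_client_cert() {  # ca.crt client.crt
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed sample inputs (placeholder PEM bodies, labelled as such).
write_sample_client_files() {  # dir
  printf '%s\n' client 'dev tun' 'proto tcp' 'remote 116.62.103.51 1194' \
    'ca ca.crt' 'cert test01.crt' 'key test01.key' 'remote-cert-tls server' > "$1/test01.ovpn"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' CONSTRUCTED-CA '-----END CERTIFICATE-----' > "$1/ca.crt"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' CONSTRUCTED-CERT '-----END CERTIFICATE-----' > "$1/test01.crt"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' CONSTRUCTED-KEY '-----END PRIVATE KEY-----' > "$1/test01.key"
}

# Usage, run where the four files are, writing a profile only the owner can read:
#   umask 077; sh make-profile.sh test01.ovpn ca.crt test01.crt test01.key > test01-unified.ovpn
if [ "$#" -ge 4 ]; then
  check_client_cert "$2" "$3" || { echo "client certificate does not verify against the CA" >&2; exit 1; }
  build_unified_ovpn "$@"
fi
```

The unified profile contains the private key, so create it with a restrictive umask and move it as carefully as test01.key itself.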

Run openvpn as a systemd service

vim /usr/lib/systemd/system/openvpn.service

/usr/lib/systemd/system is the package-owned directory; a unit you write yourself belongs in /etc/systemd/system so that it survives package updates. The EPEL openvpn package also ships its own template units (openvpn@.service, and openvpn-server@.service from 2.4 on), so the hand-written unit below is only needed to keep the file layout used here. Starting as root is required to create the tun device; the user/group directives in server.conf, not the unit, are where privileges get dropped afterwards.

[Unit]

Description=openvpn service

After=network-online.target

Wants=network-online.target

[Service]

Type=forking

User=root

Group=root

ExecStart=/usr/sbin/openvpn --daemon --config /etc/openvpn/server.conf

# No ExecStop: on stop systemd sends SIGTERM, which lets openvpn close the tunnel and remove its routes; kill -9 would skip that cleanup

Restart=on-failure

PrivateTmp=true


[Install]

WantedBy=multi-user.target

Enable at boot and start

systemctl daemon-reload

systemctl enable openvpn

systemctl start openvpn

systemctl status openvpn