部署openvpn

openvpn 2.2  /2.4

转：  https://my.oschina.net/Ysolin/blog/889375  安装openvpn篇     （最好是以用户/密码的方式登陆） 

OpenVPN生产环境中实战部署及客户端使用 

原

  运维小当家 发布于 2017/04/28 18:34

 

字数 4277

 

阅读 204

 

收藏  0

 

点赞 0

 

 评论 1

程序员们，在北上广你还能买房吗？ >>>   

OpenVPN生产环境中实战部署及客户端使用

OpenVPN环境部署

1、环境需求

设备	IP
个人PC，VPN客户端	eth0:192.168.119.0/24
OpenVPN Server	eth0:192.168.239.167；eth1:192.168.119.83
局域网服务器	eth0:192.168.239.165
实现需求	在远端通过VPN客户端对VPN Server后端多个servers直接访问，管理维护

2、查看系统环境

[root@Y-solin ~]# cat /etc/redhat-release
CentOS release 6.9 (Final)
[root@Y-solin ~]# uname -r
2.6.32-696.1.1.el6.x86_64
[root@Y-solin ~]# uname -m
x86_64

4、配置VPN服务器时间同步

（1）安装ntp

[root@Y-solin ~]# yum install ntp

（2）手动同步时间

[root@Y-solin ~]# /usr/sbin/ntpdate pool.ntp.org
27 Apr 10:03:51 ntpdate[2387]: step time server 85.199.214.101 offset 7.719699 sec

（3）加入定时任务

[root@Y-solin ~]# echo '# time sync' >>/var/spool/cron/root
[root@Y-solin ~]# echo '*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1' >>/var/spool/cron/root
[root@Y-solin ~]# crontab -l
# time sync
*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1

安装OpenVPN相关依赖软件

1、建立OpenVPN软件目录

[root@Y-solin ~]# mkdir -p /home/solin/opt/openvpm
[root@Y-solin ~]# cd /home/solin/opt/openvpm

2、下载所需要的包

（1）下载依赖包

选择下载的版本：http://www.oberhumer.com/opensource/lzo/download/

我这里选择了lzo-2.06：http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz

[root@Y-solin openvpm]# wget
http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz

（2）下载OpenVPN

选择下载版本：https://build.openvpn.net/downloads/releases/

openvpn-2.4.0：https://build.openvpn.net/downloads/releases/openvpn-2.4.0.tar.gz

这里选择了

[root@Y-solin openvpm]# wget ftp://ftp-osl.osuosl.org/.1/vectorlinux/VL64-7.0/source/sourceVL/openvpn/2.2.2/src/openvpn-2.2.2.tar.gz

3、安装

（1）编译安装vpn依赖

[root@Y-solin openvpm]# tar zxf lzo-2.06.tar.gz
[root@Y-solin openvpm]# cd lzo-2.06
[root@Y-solin lzo-2.06]# ./configure
configure: Configuring LZO 2.06
…
[root@Y-solin lzo-2.06]# make
make  all-am
make[1]: Entering directory `/home/solin/opt/openvpm/lzo-2.06'
…
[root@Y-solin lzo-2.06]# make install
make[1]: Entering directory `/home/solin/opt/openvpm/lzo-2.06'
test -z "/usr/local/lib" || /bin/mkdir -p "/usr/local/lib"
…

（2）编译安装VPN

[root@Y-solin openvpm]# tar zxvf openvpn-2.2.2.tar.gz
[root@Y-solin openvpm]# cd openvpn-2.2.2
[root@Y-solin openvpn-2.2.2]# ./configure --with-lzo-headers=/usr/local/ssl/include --with-lzo-lib=/usr/local/ssl/lib
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
…
[root@Y-solin openvpn-2.2.2]# echo $?
0
[root@Y-solin openvpn-2.2.2]# make
make  all-recursive
make[1]: Entering directory `/home/solin/opt/openvpm/openvpn-2.2.2'
…
[root@Y-solin openvpn-2.2.2]# echo $?
0
[root@Y-solin openvpn-2.2.2]# make install
Making install in images
make[1]: Entering directory `/home/solin/opt/openvpm/openvpn-2.2.2/images'
make[2]: Entering directory `/home/solin/opt/openvpm/openvpn-2.2.2/images'
…
[root@Y-solin openvpn-2.2.2]# echo $?
0
[root@Y-solin openvpm]# ll /usr/local/sbin/openvpn
-rwxr-xr-x. 1 root root 4571186 4月  27 14:40 /usr/local/sbin/openvpn

配置OpenVPN server建立CA（Certificate Authority）证书

1、初始化配置

[root@Y-solin openvpn-2.2.2]# cd easy-rsa/2.0/
[root@Y-solin 2.0]# tail -6 vars
export [email protected]
export KEY_CN=changeme
export KEY_NAME=changeme
export KEY_OU=changeme
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
[root@Y-solin 2.0]# pwd
/home/solin/opt/openvpm/openvpn-2.2.2/easy-rsa/2.0
[root@Y-solin 2.0]# cp vars vars.solin.170427
[root@Y-solin 2.0]# vi vars
修改如下
#export KEY_COUNTRY="US"
export KEY_COUNTRY="CN"
#export KEY_PROVINCE="CA"
export KEY_PROVINCE="SH"
#export KEY_CITY="SanFrancisco"
export KEY_CITY="ShangHai"
#export KEY_ORG="Fort-Funston"
export KEY_ORG="Y-solin"
#export KEY_EMAIL="[email protected]"
export KEY_EMAIL="[email protected]"
export [email protected]
export KEY_CN=changeme
#export KEY_NAME=changeme
export KEY_NAME=Y-solin
#export KEY_OU=changeme
export KEY_OU=BDCOM
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
[root@Y-solin 2.0]# . vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/solin/opt/openvpm/openvpn-2.2.2/easy-rsa/2.0/keys
[root@Y-solin 2.0]# ./clean-all#清空所有CA

2、创建一个新的CA

[root@Y-solin 2.0]# ./build-ca
Generating a 1024 bit RSA private key
.++++++
.++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [ShangHai]:
Organization Name (eg, company) [Y-solin]:
Organizational Unit Name (eg, section) [BDCOM]:
Common Name (eg, your name or your server's hostname) [changeme]:Y-solin
Name [Y-solin]:
Email Address [[email protected]]:[email protected]
查看创建的CA证书
[root@Y-solin 2.0]# ls -l keys/
总用量 12
-rw-r--r--. 1 root root 1330 4月  27 15:58 ca.crt
-rw-------. 1 root root  912 4月  27 15:58 ca.key
-rw-r--r--. 1 root root    0 4月  27 15:51 index.txt
-rw-r--r--. 1 root root    3 4月  27 15:51 serial

 

生成服务器端证书和秘钥key文件

1、生成一个服务端的证书

[root@Y-solin 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
....................++++++
...........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [ShangHai]:
Organization Name (eg, company) [Y-solin]:
Organizational Unit Name (eg, section) [BDCOM]:
Common Name (eg, your name or your server's hostname) [server]:
Name [Y-solin]:
Email Address [[email protected]]:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:bdyun
An optional company name []:BDCOM
Using configuration from /home/solin/opt/openvpm/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SH'
localityName :PRINTABLE:'ShangHai'
organizationName :PRINTABLE:'Y-solin'
organizationalUnitName:PRINTABLE:'BDCOM'
commonName :PRINTABLE:'server'
name :PRINTABLE:'Y-solin'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Apr 25 08:13:48 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

查看生成的CA证书

[root@Y-solin 2.0]# ls -lrt keys/
总用量 40
-rw-r--r--. 1 root root 3 4月 27 15:51 serial.old
-rw-r--r--. 1 root root 0 4月 27 15:51 index.txt.old
-rw-------. 1 root root 912 4月 27 15:58 ca.key
-rw-r--r--. 1 root root 1330 4月 27 15:58 ca.crt
-rw-------. 1 root root 916 4月 27 16:13 server.key
-rw-r--r--. 1 root root 773 4月 27 16:13 server.csr
-rw-r--r--. 1 root root 4029 4月 27 16:14 server.crt
-rw-r--r--. 1 root root 3 4月 27 16:14 serial
-rw-r--r--. 1 root root 21 4月 27 16:14 index.txt.attr
-rw-r--r--. 1 root root 124 4月 27 16:14 index.txt
-rw-r--r--. 1 root root 4029 4月 27 16:14 01.pem

生成客户端证书和key文件

（1）生成客户端证书秘钥

[root@Y-solin 2.0]# ./build-key solin
Generating a 1024 bit RSA private key
.++++++
........................................++++++
writing new private key to 'solin.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [ShangHai]:
Organization Name (eg, company) [Y-solin]:
Organizational Unit Name (eg, section) [BDCOM]:
Common Name (eg, your name or your server's hostname) [solin]:
Name [Y-solin]:
Email Address [[email protected]]:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:bdyun
An optional company name []:BDCOM
Using configuration from /home/solin/opt/openvpm/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SH'
localityName :PRINTABLE:'ShangHai'
organizationName :PRINTABLE:'Y-solin'
organizationalUnitName:PRINTABLE:'BDCOM'
commonName :PRINTABLE:'solin'
name :PRINTABLE:'Y-solin'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Apr 25 08:30:57 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@Y-solin 2.0]# ls -lrt keys/
总用量 64
-rw-------. 1 root root 912 4月 27 15:58 ca.key
-rw-r--r--. 1 root root 1330 4月 27 15:58 ca.crt
-rw-------. 1 root root 916 4月 27 16:13 server.key
-rw-r--r--. 1 root root 773 4月 27 16:13 server.csr
-rw-r--r--. 1 root root 4029 4月 27 16:14 server.crt
-rw-r--r--. 1 root root 3 4月 27 16:14 serial.old
-rw-r--r--. 1 root root 124 4月 27 16:14 index.txt.old
-rw-r--r--. 1 root root 21 4月 27 16:14 index.txt.attr.old
-rw-r--r--. 1 root root 4029 4月 27 16:14 01.pem
-rw-------. 1 root root 920 4月 27 16:30 solin.key
-rw-r--r--. 1 root root 769 4月 27 16:30 solin.csr
-rw-r--r--. 1 root root 3907 4月 27 16:31 solin.crt
-rw-r--r--. 1 root root 3 4月 27 16:31 serial
-rw-r--r--. 1 root root 21 4月 27 16:31 index.txt.attr
-rw-r--r--. 1 root root 247 4月 27 16:31 index.txt
-rw-r--r--. 1 root root 3907 4月 27 16:31 02.pem

（2）生成客户端拨号需要密码的证书秘钥

[root@Y-solin 2.0]# ./build-key-pass xiaodangjia
Generating a 1024 bit RSA private key
...........++++++
.........++++++
writing new private key to 'xiaodangjia.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [ShangHai]:
Organization Name (eg, company) [Y-solin]:
Organizational Unit Name (eg, section) [BDCOM]:
Common Name (eg, your name or your server's hostname) [xiaodangjia]:
Name [Y-solin]:
Email Address [[email protected]]:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:bdyun
An optional company name []:BDCOM
Using configuration from /home/solin/opt/openvpm/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SH'
localityName :PRINTABLE:'ShangHai'
organizationName :PRINTABLE:'Y-solin'
organizationalUnitName:PRINTABLE:'BDCOM'
commonName :PRINTABLE:'xiaodangjia'
name :PRINTABLE:'Y-solin'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Apr 26 08:26:54 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

生成generate diffie hellman parameter

生成传输进行秘钥交换时用到的交换秘钥协议文件

[root@Y-solin 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
......

查看生成的证书

[root@Y-solin 2.0]# pwd
/home/solin/opt/openvpm/openvpn-2.2.2/easy-rsa/2.0
[root@Y-solin 2.0]# ll keys/
总用量 84
-rw-r--r--. 1 root root 4029 4月 27 16:14 01.pem
-rw-r--r--. 1 root root 3907 4月 27 16:31 02.pem
-rw-r--r--. 1 root root 3921 4月 27 16:36 03.pem
-rw-r--r--. 1 root root 1330 4月 27 15:58 ca.crt
-rw-------. 1 root root 912 4月 27 15:58 ca.key
-rw-r--r--. 1 root root 245 4月 27 16:44 dh1024.pem
-rw-r--r--. 1 root root 376 4月 27 16:36 index.txt
-rw-r--r--. 1 root root 21 4月 27 16:36 index.txt.attr
-rw-r--r--. 1 root root 21 4月 27 16:31 index.txt.attr.old
-rw-r--r--. 1 root root 247 4月 27 16:31 index.txt.old
-rw-r--r--. 1 root root 3 4月 27 16:36 serial
-rw-r--r--. 1 root root 3 4月 27 16:31 serial.old
-rw-r--r--. 1 root root 4029 4月 27 16:14 server.crt
-rw-r--r--. 1 root root 773 4月 27 16:13 server.csr
-rw-------. 1 root root 916 4月 27 16:13 server.key
-rw-r--r--. 1 root root 3907 4月 27 16:31 solin.crt
-rw-r--r--. 1 root root 769 4月 27 16:30 solin.csr
-rw-------. 1 root root 920 4月 27 16:30 solin.key
-rw-r--r--. 1 root root 3921 4月 27 16:36 xiaodangjia.crt
-rw-r--r--. 1 root root 777 4月 27 16:36 xiaodangjia.csr
-rw-------. 1 root root 916 4月 27 16:36 xiaodangjia.key

配置服务端VPN配置文件server.conf（服务端模板配置文件）

1、把所有的keys和配置文件拷贝到/etc/openvpn目录下

[root@Y-solin 2.0]# mkdir -p /etc/openvpn
[root@Y-solin 2.0]# cp -a /home/solin/opt/openvpm/openvpn-2.2.2/easy-rsa/2.0/keys /etc/openvpn/
[root@Y-solin 2.0]# cp -a /home/solin/opt/openvpm/openvpn-2.2.2/sample-config-files/*.conf /etc/openvpn/

2、进入/etc/openvpn目录

备份server.conf文件

[root@Y-solin 2.0]# cd /etc/openvpn/
[root@Y-solin openvpn]# ll
总用量 36
-rw-rw-r--. 1 500 500 3426 10月 21 2010 client.conf
drwx------. 2 root root 4096 4月 27 16:44 keys
-rw-rw-r--. 1 500 500 10288 10月 21 2010 server.conf
-rw-rw-r--. 1 500 500 1742 10月 21 2010 static-home.conf
-rw-rw-r--. 1 500 500 1688 10月 21 2010 static-office.conf
-rw-rw-r--. 1 500 500 1937 10月 21 2010 tls-home.conf
-rw-rw-r--. 1 500 500 1948 10月 21 2010 tls-office.conf
[root@Y-solin openvpn]# cp server.conf server.conf.solin.170427

过滤出默认开启的配置

[root@Y-solin openvpn]# pwd
/etc/openvpn
[root@Y-solin openvpn]# egrep -v "^#|^$^|;" server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

过滤内容追加到新文件

[root@Y-solin openvpn]# egrep -v "^#|^$|^;" server.conf >solin-vpn.conf
[root@Y-solin openvpn]# cat solin-vpn.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

修改生成的配置文件

[root@Y-solin openvpn]# vi solin-vpn.conf
修改如下
local 192.168.119.96
port 52115
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
key /etc/openvpn/keys/server.key
cert /etc/openvpn/keys/server.crt
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
push "route 192.168.239.0 255.255.255.0"
client-to-client
log /var/log/openvpn.log

启动服务端的VPN服务

0、取消防火墙对VPN（1194,52115）的拦截

1、开启内核转发功能

（1）修改sysctl.conf

[root@Y-solin openvpn]# vi /etc/sysctl.conf
修改
…
net.ipv4.ip_forward = 1
…

（2）配置生效

[root@Y-solin openvpn]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

2、启动OpenVPN服务

[root@Y-solin openvpn]# /usr/local/sbin/openvpn --config /etc/openvpn/solin-vpn.conf &
[1] 48435

3、检查VPN服务端口

[root@Y-solin openvpn]# netstat -lntup |grep 52115
tcp 0 0 192.168.119.96:52115 0.0.0.0:* LISTEN 50918/openvpn
[root@Y-solin openvpn]# ps -ef |grep vpn
root 50918 2392 0 09:22 pts/1 00:00:00 /usr/local/sbin/openvpn --config /etc/openvpn/solin-vpn.conf
root 50932 2392 0 09:23 pts/1 00:00:00 grep vpn

4、设置开机自启动（两种方式）

方式一：修改rc.local配置文件

[root@Y-solin openvpn]# echo "# starup openvpn by solin at 170427" >>/etc/rc.local
[root@Y-solin openvpn]# echo "/usr/local/sbin/openvpn --config /etc/openvpn/solin-vpn.conf &" >>/etc/rc.local
[root@Y-solin openvpn]# tail -2 /etc/rc.local
# starup openvpn by solin at 170427
/usr/local/sbin/openvpn --config /etc/openvpn/solin-vpn.conf &

方式二：加入init.d目录下

注：solin-vpn.conf必须修改为server.conf才可实现

[root@Y-solin openvpn]# cp /home/solin/opt/openvpm/openvpn-2.2.2/sample-scripts/openvpn.init /etc/init.d/openvpn
[root@Y-solin openvpn]# chmod 755 /etc/init.d/openvpn
[root@Y-solin openvpn]# chkconfig openvpn on
[root@Y-solin openvpn]# chkconfig --list openvpn
openvpn 0:关闭1:关闭2:启用3:启用4:启用5:启用6:关闭

到这里服务端完全配置完毕！

安装WindowsVPN客户端配置VPN连接

1、下载安装客户端

官网下载：https://openvpn.net/index.php/download/58-open-source/downloads.html

下载与OpenVPN服务端版本一致的Windows客户端，如果版本不一致可能会导致连接失败。

我这里下载好了

2、openvpn-2.2.2Windows客户端安装

（1）双加开始安装

（2）按默认配置安装就可以了

3、客户端配置

（1）备份client.conf配置文件

[root@Y-solin openvpn]# pwd
/etc/openvpn
[root@Y-solin openvpn]# ll
总用量 56
-rw-rw-r--. 1 500 500 3426 10月 21 2010 client.conf
-rw-------. 1 root root 0 4月 28 14:13 ipp.txt
drwx------. 2 root root 4096 4月 28 09:09 keys
-rw-------. 1 root root 232 4月 28 14:13 openvpn-status.log
-rw-rw-r--. 1 500 500 10288 10月 21 2010 server.conf
-rw-r--r--. 1 root root 10288 4月 27 17:15 server.conf.solin.170427
-rw-r--r--. 1 root root 403 4月 28 09:20 solin-vpn.conf
-rw-rw-r--. 1 500 500 1742 10月 21 2010 static-home.conf
-rw-rw-r--. 1 500 500 1688 10月 21 2010 static-office.conf
-rw-rw-r--. 1 500 500 1937 10月 21 2010 tls-home.conf
-rw-rw-r--. 1 500 500 1948 10月 21 2010 tls-office.conf
[root@Y-solin openvpn]# cp client.conf client.conf.solin.17.04.28

（2）过滤配置文件

[root@Y-solin openvpn]# egrep -v "^#|^;|^$" client.conf
client
dev tun
proto udp
remote my-server-1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3

（3）过滤内容追加为新的文件

[root@Y-solin openvpn]# egrep -v "^#|^;|^$" client.conf >client-solin.conf
[root@Y-solin openvpn]# cat client-solin.conf
client
dev tun
proto udp
remote my-server-1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3

（4）生产环境下配置

[root@Y-solin openvpn]# vi client-solin.conf
[root@Y-solin openvpn]# cat client-solin.conf
client
dev tun
#proto udp
proto tcp
#remote my-server-1 1194
remote 192.168.119.96 52115
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
#cert client.crt
cert solin.crt
#key client.key
key solin.key
ns-cert-type server
comp-lzo
verb 3

4、从服务器导出修改好的配置文件和证书文件

在OpenVPN安装目录（我的OpenVPN安装目录：D:\Tools\OpenVPN\config）的config文件夹下，新建client-solin文件夹，把配置好的配置文件和证书文件放在该目录中

[root@Y-solin openvpn]# sz client-solin.conf keys/ca.crt keys/solin.* keys/xiaodangjia.*

5、修改配置文件client-solin.conf和证书文件client-solin.ovpn

6、同样的方式导出xiaodangjia配置文件和认证文件

（1）在我的安装目录D:\Tools\OpenVPN\config下，创建client-xiaodangjia文件夹，导入配置文件和认证文件

（2）连接拨号client-xiaodangjia，需要输入密码，连接成功

7、连接拨号

（1）双加打开VPN（2）拨号连接（3）连接成功显示绿色

下面贴出openvpn启动的配置文件  这个配置是用用户密码的形式来登陆的

local 172.17.10.12

port 52115

proto tcp

dev tun

ca /etc/openvpn/keys/ca.crt

key /etc/openvpn/keys/server.key

cert /etc/openvpn/keys/server.crt

dh /etc/openvpn/keys/dh1024.pem
tls-auth  /etc/openvpn/keys/ta.key  0

###client-cert-not-required
server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

keepalive 10 120

comp-lzo

persist-key

persist-tun

status openvpn-status.log

verb 3

push "route 172.17.10.0 255.255.230.0"

client-to-client

log /var/log/openvpn.log
script-security 3  system
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env    #指定用户认证脚本
username-as-common-name
client-cert-not-required

/etc/openvpn/checkpsw.sh内容，后面的参数是固定的，我也不知道，就是参考这篇文章做的，http://www.89cool.com/811.html，但是这篇文章用的是2.4的版本；所以下面的参数是按照 https://blog.csdn.net/gcqcc848/article/details/54380788来做的

#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <[email protected]>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/etc/openvpn/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi

CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then 
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then 
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1

　　/etc/openvpn/psw-file 这是给openvpn登陆时要输入的用户名密码。  格式如下

user1 passwd1
user2 passwd2