1. Environment introduction
Operating system: CentOS 7.4
OpenVPN version: openvpn-2.1
lzo version: lzo-2.03
2. Build
Stop the firewalld firewall and disable it at boot, then turn off SELinux enforcement:
systemctl stop firewalld
systemctl disable firewalld
setenforce 0
Install OpenVPN's build tools and the necessary dependencies:
yum install bridge-utils gcc gcc-c++ make openssl openssl-devel ntpdate* sh* pam pam-devel -y
Compile and install lzo (data encryption and compression function):
# ./configure
# make
# make install
Compile and install OpenVPN (openvpn-2.1_rc7.tar.gz is used here):
# ./configure
# make
# make install
Copy the easy-rsa directory from the extracted source package into /etc/openvpn/, the OpenVPN installation directory:
cp -R /root/openvpn-2.1_rc7/easy-rsa /etc/openvpn/
Then give read, write and execute permissions to all files in the 2.0 directory under the installation directory:
# cd /etc/openvpn/2.0/
# chmod +rwx *
Open the vars file and modify or add the following at the end:
# vi vars
export KEY_COUNTRY="CN"            # country
export KEY_PROVINCE="BEIJING"      # province
export KEY_CITY="BEIJING"          # city
export KEY_ORG="gaosiedu"          # organization
export KEY_EMAIL="[email protected]"   # mail address
export KEY_OU="gaosi"              # unit
Execute the following commands in turn to generate the certificates.
Load the variables:
# source ./vars
Clear all of OpenVPN's existing certificate-related files:
# ./clean-all
Generate the CA certificate that everything else is trusted against (Common Name: fill in the company's full name here):
# ./build-ca
Generate the server's certificate and private key (Common Name: fill in the company's full name here):
# ./build-key-server server
Generate a client certificate and private key; the argument after ./build-key is the client name (such as the name of a place or a person):
# ./build-key client
Create the Diffie-Hellman parameters (to prevent malicious attacks; an encrypted hash message verification code):
# ./build-dh
Synchronise the system time:
# timedatectl set-timezone Asia/Shanghai
# timedatectl set-ntp yes
Create a keys directory in the installation directory:
mkdir /etc/openvpn/keys
Then copy all the certificate and key files generated above into it:
cp /etc/openvpn/2.0/keys/* /etc/openvpn/keys/
Copy the previously prepared server.conf file to the OpenVPN installation directory and modify it (the extracted source package contains all the sample files):
cp /root/server.conf /etc/openvpn/
Modify the configuration file:
# vi /etc/openvpn/server.conf
Contents of the modified configuration file:

```
# The default OpenVPN port is 1194; it can be changed
port 1195
# Use TCP transport
proto tcp
# tap0 is used here (tun is the layer-3 routed mode)
dev tap0
# Location of the trusted CA certificate
ca /etc/openvpn/keys/ca.crt
# Server certificate
cert /etc/openvpn/keys/server.crt
# Server private key; this file should be kept secret
key /etc/openvpn/keys/server.key
# Diffie-Hellman parameters; the default is generally fine here
dh /etc/openvpn/keys/dh1024.pem
# The real IP address of the machine must be filled in here
ifconfig 192.168.0.200 255.255.255.0
# File recording each client name and the IP assigned to it
ifconfig-pool-persist /etc/openvpn/ipp.txt
# server-bridge: the first address is the real IP address of the server, then the netmask,
# then the first and last address of the pool assigned to clients (usually the pool is on
# the same segment as the real server: the real IP in front, the client addresses behind)
server-bridge 192.168.32.100 255.255.255.0 192.168.32.200 192.168.32.205
# Route pushed to the client
push "route 192.168.0.0 255.255.255.0"
# DNS server pushed to the client
push "dhcp-option DNS 202.106.0.20"
# Allow dialed-in OpenVPN clients to communicate with each other
client-to-client
# Dial-in keepalive: ping every 10 seconds, time out after 120 seconds
keepalive 10 120
# Enable compression of network traffic
comp-lzo
# Maximum number of connected clients
max-clients 3
# User and group the OpenVPN service runs as
user nobody
group nobody
# Fine at their defaults
persist-key
persist-tun
# Status information file, created by the server
status /etc/openvpn/openvpn-status.log
# Log file, created by the server
log /etc/openvpn/openvpn.log
log-append /etc/openvpn/openvpn.log
verb 5
```
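As an added check (example code written for this page, not part of the original write-up or of OpenVPN itself), the following Python script parses the addressing directives of a server.conf like the one above and flags what the text says must agree: the client pool has to lie inside the network given on the `server-bridge` line, the gateway must not sit inside the pool, the `ifconfig` address should be on that same segment, and the privilege-dropping `user`/`group` directives must be present. The embedded sample input is the addressing part of the configuration above, so it reports that 192.168.0.200 is not on the 192.168.32.0/24 bridge network.

```python
import ipaddress
import shlex

# Addressing-related lines of the server.conf shown above (sample input).
SAMPLE_CONF = """\
dev tap0
ifconfig 192.168.0.200 255.255.255.0
server-bridge 192.168.32.100 255.255.255.0 192.168.32.200 192.168.32.205
push "route 192.168.0.0 255.255.255.0"
user nobody
group nobody
"""

def parse_conf(text):
    """Map each directive to the list of its argument lists (directives may repeat)."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":   # blank lines and comments
            continue
        parts = shlex.split(line)         # honours the quotes on push lines
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts

def check_bridge(conf):
    """Return a list of problems found in the bridge addressing; empty means OK."""
    problems = []
    opts = parse_conf(conf)
    if "server-bridge" not in opts:
        return ["no server-bridge directive: not a bridged server config"]
    gw, mask, pool_start, pool_end = opts["server-bridge"][0]
    net = ipaddress.IPv4Network(f"{gw}/{mask}", strict=False)
    start, end = ipaddress.IPv4Address(pool_start), ipaddress.IPv4Address(pool_end)
    if start > end:
        problems.append("pool start is after pool end")
    for name, addr in (("pool start", start), ("pool end", end)):
        if addr not in net:
            problems.append(f"{name} {addr} is outside {net}")
    if start <= ipaddress.IPv4Address(gw) <= end:
        problems.append(f"gateway {gw} lies inside the client pool")
    if "ifconfig" in opts:
        local = ipaddress.IPv4Address(opts["ifconfig"][0][0])
        if local not in net:
            problems.append(f"ifconfig address {local} is not on the bridge network {net}")
    for directive in ("user", "group"):
        if directive not in opts:
            problems.append(f"missing {directive}: daemon would keep root privileges")
    return problems
```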
Start the server with the following command:
/usr/local/sbin/openvpn --daemon openvpn --config /etc/openvpn/server.conf --dev-type tap
Copy the three script files from the package to /etc/init.d/ and make them executable. If the paths inside them do not match your system, edit the paths in the scripts.
When starting OpenVPN for the first time, run bridge-start first and then start openvpn. The three scripts are:
bridge-stop
bridge-start
openvpn
The following three files need to be placed under /etc/init.d/ with 755 permissions.
bridge-start:

```bash
#!/bin/bash
#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="ens33"
eth_ip="172.16.5.238"
eth_netmask="255.255.255.0"
eth_broadcast="172.16.5.1"

# Create the persistent TAP devices
for t in $tap; do
    /usr/local/sbin/openvpn --mktun --dev $t
done

# Create the bridge and add the physical interface
brctl addbr $br
brctl addif $br $eth

# Add each TAP device to the bridge
for t in $tap; do
    brctl addif $br $t
done

# Bring the TAP devices and the physical interface up without addresses
for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

# The bridge itself carries the host's address
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
```
bridge-stop:

```bash
#!/bin/bash
####################################
# Tear Down Ethernet bridge on Linux
####################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged together
tap="tap0"

# Take the bridge down and delete it
ifconfig $br down
brctl delbr $br

# Remove the persistent TAP devices
for t in $tap; do
    /usr/local/sbin/openvpn --rmtun --dev $t
done
```
openvpn (the page's copy of this init script ends partway through the start case):

```bash
# Find the openvpn binary
openvpn_locations="/usr/sbin/openvpn /usr/local/sbin/openvpn"
for location in $openvpn_locations
do
    if [ -f "$location" ]
    then
        openvpn=$location
    fi
done

# Lockfile
lock="/var/lock/subsys/openvpn"

# PID directory
piddir="/var/run/openvpn"

# Our working directory
work=/etc/openvpn

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
if [ "${NETWORKING}" = "no" ]
then
    echo "Networking is down"
    exit 0
fi

# Check that binary exists
if ! [ -f "$openvpn" ]
then
    echo "openvpn binary not found"
    exit 0
fi

# See how we were called.
case "$1" in
    start)
        echo -n $"Starting openvpn: "
        /sbin/modprobe tun >/dev/null 2>&1
        # From a security perspective, I think it makes
        # sense to remove this, and have users who need
        # it explicitly enable in their --up scripts or
        # firewall setups.
        #echo 1 > /proc/sys/net/ipv4/ip_forward
```