Build an OpenVPN server on CentOS 6.5
Because the newer OpenVPN releases no longer ship the most important part of certificate preparation, easy-rsa, you need to download easy-rsa separately from GitHub in advance. The configuration process is shown in the following steps. This deployment uses easy-rsa 3, whose operation is completely different from easy-rsa 2.0, so the many easy-rsa 2.0 tutorials found online do not apply to this deployment.
Before deploying OpenVPN, it is best to synchronize the server's clock with ntpdate. Otherwise the certificate validity times are wrong, which can lead to certificate errors when clients connect.
1. Install lzo
LZO is a data compression library designed for fast decompression (OpenVPN's comp-lzo option uses it).
[root@vpn ~]# wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.09.tar.gz
[root@vpn ~]# tar xf lzo-2.09.tar.gz
[root@vpn ~]# cd lzo-2.09
[root@vpn lzo-2.09]# ./configure && make && make install
2. Install openvpn
[root@vpn ~]# yum install -y openssl-devel
[root@vpn ~]# wget https://swupdate.openvpn.org/community/releases/openvpn-2.3.11.tar.gz
[root@vpn ~]# tar zxvf openvpn-2.3.11.tar.gz
[root@vpn ~]# cd openvpn-2.3.11
[root@vpn openvpn-2.3.11]# ./configure --with-lzo-headers=/usr/local/include/ --with-lzo-lib=/usr/local/lib
[root@vpn openvpn-2.3.11]# make && make install
[root@vpn openvpn-2.3.11]# which openvpn
/usr/local/sbin/openvpn # openvpn was installed successfully
3. Configure easy-rsa on the server
The openvpn-2.3.11 package does not include the tools for producing certificates (CA certificate, server certificate, client certificate), so easy-rsa must be downloaded separately; the latest version is easy-rsa 3.
[root@vpn ~]# wget https://github.com/OpenVPN/easy-rsa/archive/master.zip
[root@vpn ~]# unzip master.zip
[root@vpn ~]# mv easy-rsa-master easy-rsa
[root@vpn ~]# cp -R easy-rsa/ /usr/local/share/doc/openvpn/
[root@vpn ~]# cd /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/
[root@vpn easyrsa3]# cp vars.example vars
[root@vpn easyrsa3]# vim vars
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Beijing"
set_var EASYRSA_REQ_CITY "Beijing"
set_var EASYRSA_REQ_ORG "qiangshCertificate"
set_var EASYRSA_REQ_EMAIL "503579266@qq.com"
set_var EASYRSA_REQ_OU "MyOpenVPN"
4. Create a server certificate and key
(1) initialization
[root@vpn easyrsa3]# ls
easyrsa  openssl-1.0.cnf  vars  vars.example  x509-types
[root@vpn easyrsa3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki
(2) create a root certificate
[root@vpn easyrsa3]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...++
........................++
writing new private key to '/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key.GiibbqFhXm'
Enter PEM pass phrase: # Enter a password. This password is needed later to sign certificates.
Verifying - Enter PEM pass phrase: # Enter the password again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: qiangsh # enter a Common Name for the CA
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
(3) create the server key and certificate request
[root@vpn easyrsa3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.......................................++
......................................++
writing new private key to '/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/server.key.migrh2b6ss'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]: qiangsh-BJ # This Common Name must not be the same as the one used for the root certificate!!!
Keypair and certificate request completed. Your files are:
req: /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
key: /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/server.key
(4) sign the server certificate
[root@vpn easyrsa3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
    commonName = qiangsh-BJ
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes # Enter yes to continue
Using configuration from /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key: # Enter the password chosen when creating the root certificate
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'qiangsh-BJ'
Certificate is to be certified until Jun 6 07:19:45 2026 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt
(5) generate the Diffie-Hellman parameters, which let the key exchange take place over an insecure network:
[root@vpn easyrsa3]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
[progress dots omitted]
DH parameters of size 2048 created at /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/dh.pem
5. Create a client certificate
(1) create a client directory under root's home directory (/root)
[root@vpn easyrsa3]# cd
[root@vpn ~]# mkdir client
[root@vpn ~]# cp -R /mnt/easy-rsa/ client/
(2) initialization
[root@vpn ~]# cd client/easy-rsa/easyrsa3/
[root@vpn easyrsa3]# ls
easyrsa  openssl-1.0.cnf  vars  vars.example  x509-types
[root@vpn easyrsa3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /root/client/easy-rsa/easyrsa3/pki
(3) create a client key and generate a certificate
[root@vpn easyrsa3]# ./easyrsa gen-req qiangsh
Generating a 2048 bit RSA private key
..............................
........................................................++
writing new private key to '/root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key.ld7wk6hmqq'
Enter PEM pass phrase: # Enter a password for the client key
Verifying - Enter PEM pass phrase: # Enter the password again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [qiangsh]: qiangsh # Enter qiangsh
Keypair and certificate request completed. Your files are:
req: /root/client/easy-rsa/easyrsa3/pki/reqs/qiangsh.req
key: /root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key
(4) import the generated qiangsh.req into the server PKI and sign the certificate
[root@vpn ~]# cd /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/
Import the request:
[root@vpn easyrsa3]# ./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/qiangsh.req qiangsh
Note: using Easy-RSA configuration from: ./vars
The request has been successfully imported with a short name of: qiangsh
You may now use this name to perform signing operations on this request.
Sign the certificate:
[root@vpn easyrsa3]# ./easyrsa sign client qiangsh
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 3650 days:
subject=
    commonName = qiangsh
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes # Enter yes
Using configuration from /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key: # Enter the password chosen when creating the root certificate
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'qiangsh'
Certificate is to be certified until Jun 6 07:50:02 2026 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/qiangsh.crt # signing succeeded
(5) files generated on the server and client sides
Server (the /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ folder):
/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/reqs/qiangsh.req
/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key
/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/server.key
/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt
/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/qiangsh.crt
/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/dh.pem
Client (/root/client/easy-rsa):
/root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key
/root/client/easy-rsa/easyrsa3/pki/reqs/qiangsh.req # this is the file that was imported on the server side
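Before these files are copied into the OpenVPN directories it is worth checking that they actually belong together. The script below is an added example, not part of this tutorial and not easy-rsa's own code: check_pki verifies that a certificate chains to ca.crt, that the private key matches it, that its Common Name differs from the CA's (the warning given above when the server request was created), that it has not expired, that a server certificate carries the serverAuth extended key usage easy-rsa adds for "sign server", and that the key file is not readable by other users. The make_demo_pki function builds a throw-away CA plus a server and a client certificate with plain openssl so the script runs anywhere; that is constructed demo data, not the PKI from this page. Against the real files, call check_pki with the pki/ paths listed above. All function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the tutorial or easy-rsa): sanity checks on the files
# easy-rsa produced, before they are copied into the OpenVPN directories.
# Usage: check_pki <ca.crt> <cert.crt> <private.key> [server|client]

# SHA-256 of the public key inside a certificate ($2=cert) or private key
# ($2=key); equal digests mean the key belongs to the certificate. A passphrase-
# protected key (the tutorial's qiangsh.key) makes openssl prompt for it here.
pubkey_fp() {
    if [ "$2" = cert ]; then openssl x509 -in "$1" -noout -pubkey
    else openssl pkey -in "$1" -pubout; fi | openssl dgst -sha256 | awk '{ print $NF }'
}

# Common Name of a certificate subject, tolerant of both output styles
# ('subject= /CN=x' in OpenSSL 1.0, 'subject=CN = x' in 1.1 and later).
subject_cn() {
    openssl x509 -in "$1" -noout -subject \
        | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' | sed 's/[[:space:]]*$//'
}

check_pki() {
    ca=$1; crt=$2; key=$3; role=${4:-client}; fails=0
    ok()  { echo "ok   $1"; }
    bad() { echo "FAIL $1"; fails=$((fails + 1)); }

    # 1. Chain: the certificate must be signed by the CA OpenVPN will trust.
    #    The ': OK' text is checked as well as the exit status because very old
    #    'openssl verify' builds did not return a useful status.
    if openssl verify -CAfile "$ca" "$crt" 2>&1 | grep -q ': OK$'; then
        ok "$crt chains to $ca"; else bad "$crt does not verify against $ca"; fi

    # 2. Key pair: certificate and key must carry the same public key.
    if [ "$(pubkey_fp "$crt" cert)" = "$(pubkey_fp "$key" key)" ]; then
        ok "$key matches $crt"; else bad "$key does not match $crt"; fi

    # 3. CA and end-entity certificate must not share a Common Name.
    ca_cn=$(subject_cn "$ca"); crt_cn=$(subject_cn "$crt")
    if [ -n "$crt_cn" ] && [ "$ca_cn" != "$crt_cn" ]; then
        ok "CN '$crt_cn' differs from CA CN '$ca_cn'"; else bad "CN must differ from the CA's CN"; fi

    # 4. Validity: not expired right now (this also catches a badly set clock).
    if openssl x509 -in "$crt" -noout -checkend 0 >/dev/null; then
        ok "$crt is within its validity period"; else bad "$crt has expired"; fi

    # 5. A server certificate needs the serverAuth EKU that 'sign server' adds;
    #    it is what lets a client reject another client's certificate posing as
    #    the server when remote-cert-tls server is set.
    if [ "$role" = server ]; then
        if openssl x509 -in "$crt" -noout -text | grep -q 'TLS Web Server Authentication'; then
            ok "$crt has the serverAuth extended key usage"; else bad "$crt lacks the serverAuth EKU"; fi
    fi

    # 6. The private key must be readable by its owner only (mode 0600).
    if [ "$(ls -ld "$key" | cut -c5-10)" = "------" ]; then
        ok "$key is owner-only"; else bad "$key is readable by group/other"; fi

    [ "$fails" -eq 0 ]
}

# Constructed demo data (not the tutorial's PKI): a throw-away CA, a server
# certificate with the serverAuth EKU and a client certificate without it.
# A minimal openssl config is written too, so no system openssl.cnf is needed.
make_demo_pki() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca_ext' '[dn]' \
        '[ca_ext]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' > "$d/demo.cnf"
    echo 'extendedKeyUsage = serverAuth' > "$d/server.ext"
    openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj '/CN=demo-ca' -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    for n in server client; do
        openssl req -config "$d/demo.cnf" -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=demo-$n" -keyout "$d/$n.key" -out "$d/$n.req" 2>/dev/null
    done
    openssl x509 -req -in "$d/server.req" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -days 3650 -sha256 -extfile "$d/server.ext" -out "$d/server.crt" 2>/dev/null
    openssl x509 -req -in "$d/client.req" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -days 3650 -sha256 -out "$d/client.crt" 2>/dev/null
    chmod 600 "$d"/*.key   # what an administrator should do with every private key
}

main() {
    d=$(mktemp -d)
    make_demo_pki "$d"
    check_pki "$d/ca.crt" "$d/server.crt" "$d/server.key" server
    rm -rf "$d"
}
main
```

For the tutorial's own files the call is `check_pki pki/ca.crt pki/issued/server.crt pki/private/server.key server` from the easyrsa3 directory, and `check_pki /root/client/ca.crt /root/client/qiangsh.crt /root/client/qiangsh.key client` for the client set once step (7) has copied them.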
(6) copy the server key and certificates to the openvpn directory
[root@vpn ~]# cp /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /usr/local/share/doc/openvpn/
[root@vpn ~]# cp /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/server.key /usr/local/share/doc/openvpn/
[root@vpn ~]# cp /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt /usr/local/share/doc/openvpn/
[root@vpn ~]# cp /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/dh.pem /usr/local/share/doc/openvpn/
(7) copy the client key and certificates to the client directory
[root@vpn ~]# cp /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /root/client/
[root@vpn ~]# cp /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/qiangsh.crt /root/client/
[root@vpn ~]# cp /root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key /root/client/
(8) write the server configuration file
The OpenVPN source tree ships a sample server configuration file. Copy it into the openvpn directory and edit it:
[root@vpn ~]# cp /mnt/openvpn-2.3.11/sample-config-files/server.conf /usr/local/share/doc/openvpn/
[root@vpn ~]# vim /usr/local/share/doc/openvpn/server.conf
local 192.168.1.100 # the IP address of your own VPS
port 1194
proto udp
dev tun
ca /usr/local/share/doc/openvpn/ca.crt
cert /usr/local/share/doc/openvpn/server.crt
key /usr/local/share/doc/openvpn/server.key # This file should be kept secret
dh /usr/local/share/doc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
verb 3
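The server.conf above and the client.ovpn in section III both follow the sample files closely and leave out a few directives the samples ship commented out. The script below is an added example, not from this tutorial or from OpenVPN, that lints either file for them: on the server, user/group to drop root privileges after start-up (persist-key and persist-tun, already present, are what keep restarts working after the drop) and tls-auth to require an HMAC on control-channel packets; on the client, remote-cert-tls server, without which any certificate this CA has issued, including another client's, would be accepted as the server, plus the matching tls-auth line. The names lint_ovpn_config, has_directive and report are this example's own; the configurations embedded in demo are constructed copies of the two configurations on this page with the file paths shortened.

```shell
#!/bin/sh
# Added example (not from the tutorial): lint an OpenVPN 2.3 server.conf or
# client.ovpn for hardening directives the tutorial's configs leave out.
# Usage: lint_ovpn_config server|client <config-file>

# Succeeds when the config has an active (uncommented) directive named $2.
# OpenVPN treats lines starting with '#' or ';' as comments, so those do not match.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

report() {
    echo "$LINT_FILE: $1"
    problems=$((problems + 1))
}

lint_ovpn_config() {
    LINT_FILE=$2; problems=0
    # Both ends: tls-auth makes OpenVPN drop control-channel packets that lack
    # a valid HMAC before any TLS processing. The key comes from
    # 'openvpn --genkey --secret ta.key' and is copied to every client.
    has_directive "$2" tls-auth || report "no tls-auth: TLS handshakes are accepted from any source"
    case "$1" in
    server)
        # Drop root once tun and the key are open; persist-key/persist-tun keep
        # restarts working after the privileges are gone.
        has_directive "$2" user  || report "no 'user nobody': daemon keeps running as root"
        has_directive "$2" group || report "no 'group nobody': daemon keeps its root group"
        if has_directive "$2" user && ! has_directive "$2" persist-key; then
            report "user without persist-key: the key cannot be re-read after a restart"
        fi
        # A private key kept in a documentation directory is easy to leave world-readable.
        keyfile=$(awk '$1 == "key" { print $2; exit }' "$2")
        if [ -n "$keyfile" ] && [ -e "$keyfile" ] \
            && [ "$(ls -ld "$keyfile" | cut -c5-10)" != "------" ]; then
            report "$keyfile is readable by group/other"
        fi
        ;;
    client)
        # Without this the client accepts any certificate the CA ever signed,
        # including another client's, as the server.
        has_directive "$2" remote-cert-tls \
            || report "no 'remote-cert-tls server': another client's certificate would pass as the server"
        ;;
    *)
        echo "usage: lint_ovpn_config server|client <file>" >&2; return 2 ;;
    esac
    [ "$problems" -eq 0 ]
}

# Constructed demo: the directives from the tutorial's server.conf and
# client.ovpn (paths shortened), then the server config with the three
# missing lines appended.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'local 192.168.1.100' 'port 1194' 'proto udp' 'dev tun' \
        'ca ca.crt' 'cert server.crt' 'key server.key' 'dh dh.pem' \
        'server 10.8.0.0 255.255.255.0' 'keepalive 10 120' 'comp-lzo' \
        'persist-key' 'persist-tun' 'verb 3' > "$d/server.conf"
    printf '%s\n' 'client' 'dev tun' 'proto udp' 'remote 192.168.1.100 1194' \
        'nobind' 'persist-key' 'persist-tun' 'ca ca.crt' 'cert qiangsh.crt' \
        'key qiangsh.key' 'comp-lzo' 'verb 3' > "$d/client.ovpn"
    lint_ovpn_config server "$d/server.conf" || echo "-> $problems finding(s)"
    lint_ovpn_config client "$d/client.ovpn" || echo "-> $problems finding(s)"
    printf '%s\n' 'user nobody' 'group nobody' 'tls-auth ta.key 0' >> "$d/server.conf"
    lint_ovpn_config server "$d/server.conf" && echo "$d/server.conf: no findings"
    rm -rf "$d"
}
demo
```

On the client side the corresponding additions are `remote-cert-tls server` and `tls-auth ta.key 1` (the second parameter is the key direction: 0 on the server, 1 on the client), and ta.key travels to the client together with the three files from step (7).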
(9) enable IP forwarding in the kernel
[root@vpn ~]# vim /etc/sysctl.conf
Change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1
[root@vpn ~]# sysctl -p
[root@vpn ~]# sysctl -a | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1
(10) masquerade the packets coming from the VPN subnet (eth0 is the Internet-facing network card of your VPS):
/sbin/iptables -t nat -I POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE
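The two settings in steps (9) and (10) are the ones most often found missing after a reboot: sysctl.conf is re-read at boot, but the iptables rule lives only in the kernel until it is saved. The script below is an added example, not part of the tutorial, with idempotent checks: it reads the ip_forward flag, tests whether the MASQUERADE rule for the VPN subnet is already in the nat table's POSTROUTING chain (iptables -S prints the subnet in CIDR form, so 10.8.0.0/255.255.255.0 appears as 10.8.0.0/24), inserts it only when missing, and then saves the rule set with `service iptables save`, which on CentOS 6 writes /etc/sysconfig/iptables. The function names are this example's own; the file-path and stdin arguments exist so the two checks can be exercised on constructed input without root.

```shell
#!/bin/sh
# Added example (not from the tutorial): idempotent forwarding/NAT setup for
# the tutorial's 10.8.0.0/24 VPN subnet behind eth0 on CentOS 6.
VPN_NET="10.8.0.0/24"   # same network as 'server 10.8.0.0 255.255.255.0'
WAN_IF="eth0"           # the VPS's Internet-facing interface

# Succeeds when IPv4 forwarding is on. $1 lets a test point at a sample file
# instead of the live /proc entry.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# Reads an 'iptables -t nat -S POSTROUTING' dump on stdin and succeeds when the
# MASQUERADE rule for subnet $1 leaving interface $2 is already present.
has_masq_rule() {
    grep -Fq -- "-A POSTROUTING -s $1 -o $2 -j MASQUERADE"
}

# Show the live state; iptables needs root.
show_status() {
    if ip_forward_enabled; then echo "ip_forward: on"; else echo "ip_forward: OFF"; fi
    if iptables -t nat -S POSTROUTING | has_masq_rule "$VPN_NET" "$WAN_IF"; then
        echo "nat: MASQUERADE rule for $VPN_NET via $WAN_IF present"
    else
        echo "nat: MASQUERADE rule for $VPN_NET via $WAN_IF MISSING"
    fi
}

# Make both settings live and persistent; run as root on the VPN server only.
apply_forwarding_and_nat() {
    if ! ip_forward_enabled; then
        if grep -q '^net\.ipv4\.ip_forward' /etc/sysctl.conf; then
            sed -i 's/^net\.ipv4\.ip_forward *= *0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
        else
            echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
        fi
        sysctl -w net.ipv4.ip_forward=1
    fi
    if ! iptables -t nat -S POSTROUTING | has_masq_rule "$VPN_NET" "$WAN_IF"; then
        iptables -t nat -I POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
    fi
    service iptables save   # writes /etc/sysconfig/iptables so the rule survives a reboot
}

case "${1:-}" in
    status) show_status ;;
    apply)  apply_forwarding_and_nat ;;
esac
```

Run it as `sh nat-setup.sh status` to see whether anything is missing and `sh nat-setup.sh apply` to fix and persist it; running apply twice changes nothing the second time.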
III. Download the OpenVPN client and configure it
1. Copy the client key and certificates to Windows for safekeeping.
[root@vpn ~]# cd client/
[root@vpn client]# ls
ca.crt  easy-rsa  nmshuishui.crt  nmshuishui.key # the three files with .crt/.key suffixes are the ones the client needs
2. Install openvpn-gui
(1) Copy C:\Program Files\OpenVPN\sample-config\client.ovpn to C:\Program Files\OpenVPN\config
(2) Put the three keys and certificates copied from Linux under D:\Program Files (x86)\OpenVPN\config.
(3) Edit C:\Program Files\OpenVPN\config\client.ovpn as follows:
client
dev tun
proto udp
remote 192.168.1.100 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt # the CA certificate is required here
cert qiangsh.crt
key qiangsh.key
comp-lzo
verb 3
IV. Start the service and test
1. Start the openvpn service on the VPN server
[root@vpn ~]# /usr/local/sbin/openvpn --config /usr/local/share/doc/openvpn/server.conf &
[root@vpn ~]# echo "/usr/local/sbin/openvpn --config /usr/local/share/doc/openvpn/server.conf &" >> /etc/rc.local # append so it starts at boot (a single '>' would overwrite rc.local)
2. In openvpn-gui, right-click the tray icon, choose Connect and enter the key password to connect.
3. View the VPN status