[CentOS] Install an OpenVPN server (easy-rsa3)
VPNs are widely used in offices and for getting past network firewalls. We may be using one in a small office network soon, so it is worth learning first.
The VPN server must have a public IP address so that clients in different environments can reach it.
Concepts
PKI: Public Key Infrastructure
CA: Certificate Authority, the core of the PKI
Environment: CentOS 6.6 in a virtual machine
NIC
eth0      Link encap:Ethernet  HWaddr 00:50:56:35:E7:EC
          inet addr:192.168.37.129  Bcast:192.168.37.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fe35:e7ec/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:108531 errors:0 dropped:0 overruns:0 frame:0
          TX packets:89610 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:82324349 (78.5 MiB)  TX bytes:10389968 (9.9 MiB)
Objective: set up the OpenVPN service and get it running correctly (iptables is not configured here)
Install dependency packages
yum install -y openssl-devel lzo-devel pam-devel automake pkgconfig
yum install openvpn    # the openvpn version here is 2.3.6, used together with easy-rsa3
Generate certificates
# The sample configuration files usually live in a directory like this one
cp /usr/share/doc/openvpn-2.3.6/sample-config-files/server.conf /etc/openvpn/
# OpenVPN 2.3 no longer ships easy-rsa; download it separately. It is used to create the CA certificate, the server certificate and the client certificates
wget -c https://github.com/OpenVPN/easy-rsa/archive/master.zip
unzip master.zip
mv easy-rsa-master easy-rsa
cp -rf easy-rsa /etc/openvpn
# easy-rsa operations, following the GitHub documentation
cd /etc/openvpn/easy-rsa/easyrsa3
cp vars.example vars           # the defaults are usually fine; edit vars if you need to
./easyrsa init-pki             # create an empty pki structure (a set of files and directories)
./easyrsa build-ca             # you will be asked for a CA password and a CN; remember both
./easyrsa gen-req server nopass   # create the server key and request; the common name should not be the same as the CA's CN
./easyrsa sign server server   # sign the server request with the CA (type "server", name "server")
./easyrsa gen-dh               # create the Diffie-Hellman parameters
# Now the client certificate. First create a working directory for the client side
cd /home/
mkdir client && cd client
cp -R ~/easy-rsa ./            # this is the freshly unpacked easy-rsa, not the copy that generated the server certificate
cd easy-rsa/easyrsa3/
cp vars.example vars
# Start generating
./easyrsa init-pki
./easyrsa gen-req orangleliu   # use your own name; you will be asked for a key password and a CN, remember what you use
# The client request must go to the server-side CA to be signed; only then can the user connect to this VPN
# Switch to the server certificate directory
cd /etc/openvpn/easy-rsa/easyrsa3/
./easyrsa import-req /home/client/easy-rsa/easyrsa3/pki/reqs/orangleliu.req orangleliu   # import the request
./easyrsa sign client orangleliu   # sign it; enter the server CA password when prompted
Let's see what was generated under /etc/openvpn/easy-rsa/easyrsa3:
[root@localhost easyrsa3]# tree pki
pki
├── ca.crt
├── certs_by_serial
│   ├── 01.pem
│   └── 02.pem
├── dh.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│   ├── orangleliu.crt
│   └── server.crt
├── private
│   ├── ca.key
│   └── server.key
├── reqs
│   ├── orangleliu.req
│   └── server.req
├── serial
└── serial.old
And on the client side, /home/client/easy-rsa/easyrsa3:
pki
├── private
│   └── orangleliu.key
└── reqs
    └── orangleliu.req
Copy the server-side files into the directory that the server configuration will reference (keeping the config and its files in one directory makes them easy to configure and find). server.key and ca.key must stay readable by root only.
cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /etc/openvpn/
cp /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key /etc/openvpn/
cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt /etc/openvpn/
cp /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem /etc/openvpn/
Client certificate (just gathered into one folder to hand to the VPN user). Note that the client key only passes through this box because the "client" directory was created on the same VM here; in a real deployment the key is generated on the user's machine and stays there, and only the .req travels to the CA.
mkdir /home/myclient
cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /home/myclient/
cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/orangleliu.crt /home/myclient/
cp /home/client/easy-rsa/easyrsa3/pki/private/orangleliu.key /home/myclient/
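The following is an added example, not code from the original post or from easy-rsa. It replays the steps above (build-ca, gen-req, import-req, sign, gathering the user bundle) with plain openssl so the trust boundary is visible, and then verifies the files that end up in the user's bundle before they are handed out. The names (demo-ca, server, orangleliu), the temporary directories and the 825-day lifetime are constructed for the demo; an openssl binary on PATH is assumed.

```shell
#!/bin/sh
# Added example (not from the original post or easy-rsa): the tutorial's easy-rsa 3
# flow done with plain openssl, followed by checks on the resulting files.
# Assumptions: openssl on PATH; all names and directories below are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to do" >&2; exit 0; }

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
CA_DIR=$WORK/ca          # plays /etc/openvpn/easy-rsa/easyrsa3/pki (server + CA host)
CLIENT_DIR=$WORK/client  # plays /home/client/easy-rsa/easyrsa3/pki (the user's machine)
BUNDLE=$WORK/myclient    # plays /home/myclient, what the user receives
mkdir -p "$CA_DIR" "$CLIENT_DIR" "$BUNDLE"

# build-ca: self-signed CA. easy-rsa asks for a passphrase here; -nodes is only so
# the demo runs unattended. A real ca.key belongs offline, or at least encrypted.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=demo-ca" -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null

# gen-req server nopass, then sign server: done on the CA host, as in the tutorial
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=server" \
  -keyout "$CA_DIR/server.key" -out "$CA_DIR/server.req" 2>/dev/null
printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > "$CA_DIR/server.ext"
openssl x509 -req -sha256 -days 825 -in "$CA_DIR/server.req" \
  -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
  -extfile "$CA_DIR/server.ext" -out "$CA_DIR/server.crt" 2>/dev/null

# gen-req orangleliu: on the user's machine. The private key is created here and
# is never copied to the CA; only the .req crosses over.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=orangleliu" \
  -keyout "$CLIENT_DIR/orangleliu.key" -out "$CLIENT_DIR/orangleliu.req" 2>/dev/null

# import-req + sign client: back on the CA host
cp "$CLIENT_DIR/orangleliu.req" "$CA_DIR/orangleliu.req"
printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$CA_DIR/client.ext"
openssl x509 -req -sha256 -days 825 -in "$CA_DIR/orangleliu.req" \
  -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
  -extfile "$CA_DIR/client.ext" -out "$CA_DIR/orangleliu.crt" 2>/dev/null

# the bundle the tutorial assembles in /home/myclient: ca.crt, user cert, user key
cp "$CA_DIR/ca.crt" "$CA_DIR/orangleliu.crt" "$BUNDLE/"
cp "$CLIENT_DIR/orangleliu.key" "$BUNDLE/"
chmod 600 "$CA_DIR/ca.key" "$CA_DIR/server.key" "$BUNDLE/orangleliu.key"

# verify_pair <ca.crt> <cert> <key> <EKU text as printed by openssl x509 -text>
# 1. cert chains to ca.crt  2. key is the private half of the cert's public key
# 3. extendedKeyUsage is what the peer's remote-cert-tls check in OpenVPN expects
verify_pair() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo "FAIL: $2 is not signed by $1"; return 1; }
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey)
  key_pub=$(openssl pkey -in "$3" -pubout 2>/dev/null)
  [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: $3 does not belong to $2"; return 1; }
  openssl x509 -in "$2" -noout -text | grep -q "$4" || { echo "FAIL: $2 lacks EKU '$4'"; return 1; }
  echo "OK: $2"
}

verify_pair "$CA_DIR/ca.crt" "$CA_DIR/server.crt" "$CA_DIR/server.key" "TLS Web Server Authentication"
verify_pair "$BUNDLE/ca.crt" "$BUNDLE/orangleliu.crt" "$BUNDLE/orangleliu.key" "TLS Web Client Authentication"
```

Run it as any user; it only touches a temporary directory. The same three checks (chain, key/cert match, EKU) are worth running against the real /etc/openvpn files and /home/myclient before the user gets the bundle, because a mismatched key or a client cert signed as "server" only shows up later as a confusing TLS handshake failure.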
The hardest part is over. Next comes the service configuration. Edit /etc/openvpn/server.conf; the sample configuration file explains the meaning of every option in its comments.
local 192.168.37.129
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key  # This file should be kept secret
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 114.114.114.114"
comp-lzo
max-clients 100
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 3
Start the service
[root@localhost easyrsa3]# service openvpn start
Starting openvpn: [FAILED]
Check the startup log:
Options error: Unrecognized option or missing parameter(s) in server.conf:35: kcomp-lzo (2.3.6)
The configuration has a typo: the option should be comp-lzo. Fix it and start again.
[root@localhost easyrsa3]# service openvpn start
Starting openvpn: [ OK ]
OK.
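A pre-flight check for server.conf, added here as an example (not code from the original post or from OpenVPN). It catches the class of mistake hit above (an unrecognized directive, reported with the line number the way OpenVPN reports it) before `service openvpn start`, and also checks that the ca/cert/key/dh files the config points at exist and that the private key is mode 600. KNOWN_OPTS is this script's own list (the directives used in the tutorial plus a few common ones), not OpenVPN's full option table; the demo config and the empty certificate files at the bottom are constructed, and `stat -c %a` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the original post or OpenVPN): lint server.conf before
# starting the service. Assumptions: KNOWN_OPTS is a hand-picked subset of OpenVPN
# directives; stat -c is GNU; the demo files below are constructed.
set -u
set -f   # no pathname expansion while splitting config lines into words

KNOWN_OPTS=" local port proto dev ca cert key dh server ifconfig-pool-persist push comp-lzo max-clients keepalive persist-key persist-tun status verb user group log log-append client-to-client tls-auth crl-verify cipher auth remote-cert-tls "

# check_conf <server.conf>: prints one line per finding; returns 0 only if clean
check_conf() {
  conf=$1; rc=0; n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    # strip a trailing '#' or ';' comment and leading blanks, then split into words
    body=$(printf '%s\n' "$line" | sed 's/[#;].*$//; s/^[[:space:]]*//')
    [ -z "$body" ] && continue
    set -- $body
    opt=$1; arg=${2:-}
    case "$KNOWN_OPTS" in
      *" $opt "*) ;;
      *) echo "Options error: Unrecognized option in $conf:$n: $opt"; rc=1; continue ;;
    esac
    case "$opt" in
      ca|cert|key|dh)
        if [ ! -f "$arg" ]; then
          echo "$conf:$n: $opt file '$arg' does not exist"; rc=1
        elif [ "$opt" = key ] && [ "$(stat -c %a "$arg")" != 600 ]; then
          echo "$conf:$n: '$arg' is mode $(stat -c %a "$arg"), should be 600"; rc=1
        fi ;;
    esac
  done < "$conf"
  return $rc
}

# --- constructed demo: empty stand-in cert files and a config with the tutorial's typo ---
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
for f in ca.crt server.crt server.key dh.pem; do : > "$WORK/$f"; done
chmod 644 "$WORK/server.key"             # too permissive on purpose
cat > "$WORK/bad.conf" <<EOF
local 192.168.37.129
port 1194
proto udp
dev tun
ca $WORK/ca.crt
cert $WORK/server.crt
key $WORK/server.key  # This file should be kept secret
dh $WORK/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
kcomp-lzo
verb 3
EOF
sed 's/^kcomp-lzo$/comp-lzo/' "$WORK/bad.conf" > "$WORK/good.conf"

echo "== bad.conf ==";  check_conf "$WORK/bad.conf"  || echo "(openvpn would refuse to start)"
chmod 600 "$WORK/server.key"
echo "== good.conf =="; check_conf "$WORK/good.conf" && echo "(clean)"
```

Point check_conf at /etc/openvpn/server.conf on the real box; the file-existence check is what saves you when a cp in the step above was missed, and the mode check keeps server.key from being readable by every local user.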
Check the NIC information with ifconfig:
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
The 10.8.0.0/24 tunnel network is now up on tun0.