CentOS 7 steps to install OpenVPN

Check system environment

[Root@ss-usa-odo01 ~]# Cat/etc/redhat-release


CentOS Linux release 7.0.1406 (Core)


[Root@ss-usa-odo01 ~]# DF-HP


FileSystem Size Used Avail use% mounted on


/DEV/PLOOP12288P1 30G 484M 28G 2%/


Devtmpfs 256M 0 256M 0%/dev


Tmpfs 256M 0 256M 0%/dev/shm


Tmpfs 256M 88K 256M 1%/run


Tmpfs 256M 0 256M 0%/sys/fs/cgroup


[Root@ss-usa-odo01 ~]# Cat/dev/net/tun


Cat:/dev/net/tun:file Descriptor in


[root@ss-usa-odo01 ~]# grep ipaddr/etc/sysconfig/network-scripts/ifcfg-venet0:0 | Awk-f= ' {print $} '


104.223.122.202


[Root@ss-usa-odo01 ~]#

System initialization

[Root@ss-usa-odo01 ~]# curl-lks Onekey.sh/centos_init|bash
[Root@ss-usa-odo01 ~]# reboot

Update source

[Root@ss-usa-odo01 ~]# yum clean all && yum makecache && yum install epel-release-y && Yum Update -Y
Replace the Friewall of CentOS 7 with Iptables

Bash-c "$ (curl-ls onekey.sh/friewall2iptables)"

Yum Installation OpenVPN

[root@ss-usa-odo01 ~]# yum Install OpenVPN Easy-rsa

Configuring the OpenVPN server Side
[Root@ss-usa-odo01 ~]# cp/usr/share/doc/openvpn-2.3.11/sample/sample-config-files/server.conf/etc/openvpn/
[Root@ss-usa-odo01 ~]# Mkdir/etc/openvpn/easy-rsa
[Root@ss-usa-odo01 ~]#/bin/cp-rf/usr/share/easy-rsa/2.0/*/etc/openvpn/easy-rsa
[Root@ss-usa-odo01 ~]# Cd/etc/openvpn/easy-rsa
[root@ss-usa-odo01/etc/openvpn/easy-rsa]# VI VARs #参考下面的图做修改

[root@ss-usa-odo01/etc/openvpn/easy-rsa]# source./vars
Note:if you run./clean-all, I'll be doing a rm-rf On/etc/openvpn/easy-rsa/keys

Build the CA certificate using the Build-ca script, and the certificate will be created in/etc/openvpn/easy-rsa/. Press the ENTER key to accept the default value:

[root@ss-usa-odo01/etc/openvpn/easy-rsa]#./build-ca


Generating a 2048 bit RSA private key


.....................................................................+++


..........................................+++


Writing new private key to ' Ca.key '


-----


are about to is asked to enter information that would be incorporated


into your certificate request.


What you are about to enter the What is called a distinguished Name or a DN.


There are quite a few fields but you can leave some


For some fields there would be a default value,


If you enter '. ', the field would be left blank.


-----


Country Name (2 letter code) [CN]:


State or province Name (full name) [Shanghai]:


Locality Name (eg, city) [Pudong]:


Organization Name (eg, company) [Prime]:


Organizational unit Name (eg, section) [Social Media]:


Common name (eg, your name or your server ' s hostname) [Prime [S] Asia CA]:


Name [Easyrsa]:


Email address [admin@dwhd.org]:


[root@ss-usa-odo01/etc/openvpn/easy-rsa]#

Next, we will create a certificate for the key and the server itself. As before, accept the default value, and then press Y to confirm the signature of the certificate:

[root@ss-usa-odo01/etc/openvpn/easy-rsa]#./build-key-server Server


Generating a 2048 bit RSA private key


............................+++


...................+++


Writing new private key to ' Server.key '


-----


are about to is asked to enter information that would be incorporated


into your certificate request.


What you are about to enter the What is called a distinguished Name or a DN.


There are quite a few fields but you can leave some


For some fields there would be a default value,


If you enter '. ', the field would be left blank.


-----


Country Name (2 letter code) [CN]:


State or province Name (full name) [Shanghai]:


Locality Name (eg, city) [Pudong]:


Organization Name (eg, company) [Prime]:


Organizational unit Name (eg, section) [Social Media]:


Common name (eg, your name or your server ' s hostname) [Server]:


Name [Easyrsa]:


Email address [admin@dwhd.org]:





Please enter the following ' extra ' attributes


To is sent with your certificate request


A Challenge Password []:


An optional company name []:


Using Configuration From/etc/openvpn/easy-rsa/openssl-1.0.0.cnf


Check that the request matches the signature


Signature OK


The Subject ' s distinguished Name is as follows


CountryName:P rintable: ' CN '


Stateorprovincename:P rintable: ' Shanghai '


Localityname:P rintable: ' Pudong '


OrganizationName:P rintable: ' Prime in the Asia '


Organizationalunitname:printable: ' Social Media '


CommonName:P rintable: ' Server '


Name:P rintable: ' Easyrsa '


Emailaddress:ia5string: ' admin@dwhd.org '


Certificate is to certified until June 18:27:02 2026 GMT (3650 days)


Sign the certificate? [Y/n]:y








1 out of 1 certificate requests certified, commit? [Y/n]y


Write out database with 1 new entries


Data Base Updated


[root@ss-usa-odo01/etc/openvpn/easy-rsa]#


Linux CentOS 7 Installation OpenVPN

Next, generate Diffie-hellman files for information exchange to complement the RSA (which will take a considerable amount of time). This will create a/ETC/OPENVPN/RSA/key file named Dh2048.pem:

[root@ss-usa-odo01/etc/openvpn/easy-rsa]#./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long
..................+.................
Finally, create a separate certificate file for each client using the VPN server:

[root@ss-usa-odo01/etc/openvpn/easy-rsa]#./build-key 104.233.122.202-lookback


Generating a 2048 bit RSA private key


...+++


...........................................................+++


Writing new private key to ' 104.233.122.202-lookback.key '


-----


are about to is asked to enter information that would be incorporated


into your certificate request.


What you are about to enter the What is called a distinguished Name or a DN.


There are quite a few fields but you can leave some


For some fields there would be a default value,


If you enter '. ', the field would be left blank.


-----


Country Name (2 letter code) [CN]:


State or province Name (full name) [Shanghai]:


Locality Name (eg, city) [Pudong]:


Organization Name (eg, company) [Prime]:


Organizational unit Name (eg, section) [Social Media]:


Common name (eg, your name or your server ' s hostname) [104.233.122.202-lookback]:


Name [Easyrsa]:


Email address [admin@dwhd.org]:





Please enter the following ' extra ' attributes


To is sent with your certificate request


A Challenge Password []:


An optional company name []:


Using Configuration From/etc/openvpn/easy-rsa/openssl-1.0.0.cnf


Check that the request matches the signature


Signature OK


The Subject ' s distinguished Name is as follows


CountryName:P rintable: ' CN '


Stateorprovincename:P rintable: ' Shanghai '


Localityname:P rintable: ' Pudong '


OrganizationName:P rintable: ' Prime in the Asia '


Organizationalunitname:printable: ' Social Media '


CommonName:P rintable: ' 104.233.122.202-lookback '


Name:P rintable: ' Easyrsa '


Emailaddress:ia5string: ' admin@dwhd.org '


Certificate is to certified until June 18:35:47 2026 GMT (3650 days)


Sign the certificate? [Y/n]:y








1 out of 1 certificate requests certified, commit? [Y/n]y


Write out database with 1 new entries


Data Base Updated


[root@ss-usa-odo01/etc/openvpn/easy-rsa]#


Linux CentOS 7 Installation OpenVPN

Prevent VPN from being attacked by DDoS, generate Ta.key

[root@ss-usa-odo01/etc/openvpn/easy-rsa]# OpenVPN--genkey--secret. /ta.key

Next, start modifying the server-side configuration file

[root@ss-usa-odo01/etc/openvpn/easy-rsa]# CP Keys/{ca.crt,dh2048.pem,server.crt,server.key}/etc/openvpn/
[root@ss-usa-odo01/etc/openvpn/easy-rsa]# CD ...
[root@ss-usa-odo01/etc/openvpn]# VI server.conf

# # #下面是我的配置文件可以参考


[root@ss-usa-odo01/etc/openvpn]# Grep-ev ' ^ ($|#) ' server.conf


; The local a.b.c.d #Specifies the local IP of the listener (because some computers have multiple IP addresses), the command is optional and all IP addresses are monitored by default.


Port 22033 #Server port number, modify as required


Proto TCP #Connect via tcp protocol, but also through UDP, to see the actual requirements


;p Roto UDP


;d EV Tap


Dev Tun #Routing mode, note that Windows must use dev Tap


;d Ev-node Mytap #Non-Windows systems usually do not need to set this


CA ca.crt #Ca certificate storage location, this side is placed in the default path does not need to modify, if placed in other paths, followed by the absolute path, according to the actual situation change


Cert SERVER.CRT #Server certificate storage location, this side is placed in the default path does not need to be modified, if placed under other paths, followed by the absolute path, according to the actual situation change


Key Server.key #服务器密钥存放位置Server key storage location, this side is placed in the default path does not need to be modified, if placed in other paths, followed by the absolute path, according to the actual situation change


DH dh2048.pem #dh2048. PEM storage location, this side is placed in the default path does not need to be modified, if placed in other paths, followed by the absolute path, according to the actual situation change


; topology Subnet


Server 10.188.0.0 255.255.0.0 #Virtual LAN segment setting, please modify it as appropriate


Ifconfig-pool-persist Ipp.txt #When openvpn restarts, again-connected clients will still be assigned the same IP address as before


; Server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100


; Server-bridge


;p ush "Route 192.168.10.0 255.255.255.0"


;p ush "Route 192.168.20.0 255.255.255.0"


Push "Route 0.0.0.0 0.0.0.0" #全网走openvpn


; Client-config-dir CCD


; Route 192.168.40.128 255.255.255.248


; Client-config-dir CCD


; Route 10.9.0.0 255.255.255.252


; learn-address./script


Push "Redirect-gateway def1 bypass-dhcp" #All network communication of the clientvpn, this can be selected, if commented out that is the local packet or from the local out, not forced to go VPN


Push "Dhcp-option DNS 8.8.8.8" #Specify the primary DNS used by the client


Push "Dhcp-option DNS 8.8.4.4" #Specify the standby DNS used by the client


Client-to-client #Open client exchange


DUPLICATE-CN #Support one certificate for multiple client logins, recommended not enabled


KeepAlive 5 #server 5 side monitor once, if 30 seconds did not respond to determine the client down


Tls-auth Ta.key 0 #防DDOS attack, server-side 0, client 1


; cipher BF-CBC # Blowfish (default) #This is the default encryption algorithm


; Cipher AES-128-CBC # AES


; Cipher DES-EDE3-CBC # Triple-des


Comp-lzo #allows data compression, this is required if the client configuration file is enabled


Max-clients #Maximum number of concurrent clients


User Nobody # defines the user running openvpn


Group Nobody #Define the user group running openvpn


Restart the VPN, do not re-read the keys, keep the keys used for the first time after the timeout is detected by the keepalive


Persist-tun # restart the VPN, keep the Tun or tap device Linkup, otherwise the network connection will linkdown first and then Linkup


Status/tmp/openvpn-status.log # Periodically write some status information of openvpn to the file in order to write your own program billing or other actions


Log Openvpn.log #record log, delete the original log information after each reboot OpenVPN


Log-append/tmp/openvpn.log #记录日志, append the original log information after each reboot OpenVPN


Verb 3 #Set the log to be recorded, optional 0-9, 0 only log error messages, 4 can record ordinary information, 5 and 6 in connection with the problem can help debug, 9 is extreme, all information will be displayed, or Even Baotou and so on Information is displayed (like tcpdump)


Mute 20


#不同的情况的相,,20 identical messages appear consecutively, they will not be recorded in the log.

[root@ss-usa-odo01/etc/openvpn]#

[root@ss-usa-odo01/etc/openvpn]# echo-e "# # #OpenVPN Add\nnet.ipv4.conf.default.accept_source_route = 1\ Nnet.ipv4.conf.default.rp_filter = 0\nnet.ipv4.ip_forward = 1 ">>/etc/sysctl.conf
[root@ss-usa-odo01/etc/openvpn]# sysctl-p
Net.ipv4.conf.default.accept_source_route = 1
Net.ipv4.conf.default.rp_filter = 0
Net.ipv4.ip_forward = 1
[root@ss-usa-odo01/etc/openvpn]#

[root@ss-usa-odo01/etc/openvpn]# systemctl-f Enable Openvpn@server


Created symlink From/etc/systemd/system/multi-user.target.wants/openvpn@server.service to/usr/lib/systemd/system/ Openvpn@.service.


[root@ss-usa-odo01/etc/openvpn]# systemctl start Openvpn@server


[root@ss-usa-odo01/etc/openvpn]# systemctl-l status Openvpn@server


Openvpn@server.service-openvpn robust and highly flexible tunneling on server


Loaded:loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset:disabled)


Active:active (running) since one 2016-06-13 16:08:20 EDT; 10s ago


process:6464 execstart=/usr/sbin/openvpn--daemon--writepid/var/run/openvpn/%i.pid--cd/etc/openvpn/--config% I.conf (code=exited, status=0/success)


Main pid:6465 (OpenVPN)


Cgroup:/system.slice/system-openvpn.slice/openvpn@server.service


└─6465/usr/sbin/openvpn--daemon--writepid/var/run/openvpn/server.pid--cd/etc/openvpn/--config server.conf





June 16:08:20 ss-usa-odo01.90r.org systemd[1]: Starting OpenVPN robust and highly flexible tunneling application on serve R...


June 16:08:20 ss-usa-odo01.90r.org systemd[1]: started OpenVPN robust and highly flexible tunneling on server .


[root@ss-usa-odo01/etc/openvpn]# Cat/tmp/openvpn.log


Mon June 16:07:47 2016 us=2075 current Parameter Settings:


Mon June 16:07:47 2016 us=2135 config = ' server.conf '


Mon June 16:07:47 2016 us=2144 mode = 1


Mon June 16:07:47 2016 us=2150 persist_config = DISABLED


Mon June 16:07:47 2016 us=2156 persist_mode = 1


Mon June 16:07:47 2016 us=2162 show_ciphers = DISABLED


Mon June 16:07:47 2016 us=2168 show_digests = DISABLED


Mon June 16:07:47 2016 us=2174 show_engines = DISABLED


Mon June 16:07:47 2016 us=2180 genkey = DISABLED


Mon June 16:07:47 2016 us=2185 key_pass_file = ' [UNDEF] '


Mon June 16:07:47 2016 us=2192 show_tls_ciphers = DISABLED


Mon June 16:07:47 2016 us=2199 Connection profiles [default]:


Mon June 16:07:47 2016 us=2206 proto = Tcp-server


Mon June 16:07:47 2016 us=2214 local = ' [UNDEF] '


Mon June 16:07:47 2016 us=2219 local_port = 22033


Mon June 16:07:47 2016 us=2224 remote = ' [UNDEF] '


Mon June 16:07:47 2016 us=2229 remote_port = 22033


Mon June 16:07:47 2016 us=2234 remote_float = DISABLED


Mon June 16:07:47 2016 us=2240 bind_defined = DISABLED


Mon June 16:07:47 2016 us=2246 bind_local = ENABLED


Mon June 16:07:47 2016 us=2252 connect_retry_seconds = 5


Mon June 16:07:47 2016 us=2258 connect_timeout = 10


Mon June 16:07:47 2016 us=2264 connect_retry_max = 0


Mon June 16:07:47 2016 us=2271 socks_proxy_server = ' [UNDEF] '


Mon June 16:07:47 2016 us=2277 socks_proxy_port = 0


Mon June 16:07:47 2016 us=2283 socks_proxy_retry = DISABLED


Mon June 16:07:47 2016 us=2289 TUN_MTU = 1500


Mon June 16:07:47 2016 us=2305 tun_mtu_defined = ENABLED


Mon June 16:07:47 2016 us=2311 LINK_MTU = 1500


Mon June 16:07:47 2016 us=2316 link_mtu_defined = DISABLED


Mon June 16:07:47 2016 us=2322 tun_mtu_extra = 0


Mon June 16:07:47 2016 us=2327 tun_mtu_extra_defined = DISABLED


Mon June 16:07:47 2016 us=2333 mtu_discover_type =-1


Mon June 16:07:47 2016 us=2338 fragment = 0


Mon June 16:07:47 2016 us=2344 mssfix = 1450


Mon June 16:07:47 2016 us=2350 explicit_exit_notification = 0


Mon June 16:07:47 2016 us=2357 Connection profiles End


Mon June 16:07:47 2016 us=2363 remote_random = DISABLED


Mon June 16:07:47 2016 us=2368 ipchange = ' [UNDEF] '


Mon June 16:07:47 2016 us=2373 dev = ' tun '


Mon June 16:07:47 2016 us=2378 dev_type = ' [UNDEF] '


Mon June 16:07:47 2016 us=2382 dev_node = ' [UNDEF] '


Mon June 16:07:47 2016 us=2388 lladdr = ' [UNDEF] '


Mon June 16:07:47 2016 us=2394 topology = 1


Mon June 16:07:47 2016 us=2400 Tun_ipv6 = DISABLED


Mon June 16:07:47 2016 us=2405 ifconfig_local = ' 10.188.0.1 '


Mon June 16:07:47 2016 us=2411 ifconfig_remote_netmask = ' 10.188.0.2 '


Mon June 16:07:47 2016 us=2416 ifconfig_noexec = DISABLED


Mon June 16:07:47 2016 us=2422 Ifconfig_nowarn = DISABLED


Mon June 16:07:47 2016 us=2437 ifconfig_ipv6_local = ' [UNDEF] '


Mon June 16:07:47 2016 us=2442 ifconfig_ipv6_netbits = 0


Mon June 16:07:47 2016 us=2487 ifconfig_ipv6_remote = ' [UNDEF] '


Mon June 16:07:47 2016 us=2494 shaper = 0


Mon June 16:07:47 2016 us=2500 mtu_test = 0


Mon June 16:07:47 2016 us=2506 mlock = DISABLED


Mon June 16:07:47 2016 us=2512 keepalive_ping = 5


Mon June 16:07:47 2016 us=2518 keepalive_timeout = 30


Mon June 16:07:47 2016 us=2523 inactivity_timeout = 0


Mon June 16:07:47 2016 us=2537 ping_send_timeout = 5


Mon June 16:07:47 2016 us=2542 ping_rec_timeout = 60


Mon June 16:07:47 2016 us=2547 ping_rec_timeout_action = 2


Mon June 16:07:47 2016 us=2554 ping_timer_remote = DISABLED


Mon June 16:07:47 2016 us=2559 remap_sigusr1 = 0


Mon June 16:07:47 2016 us=2564 Persist_tun = ENABLED


Mon June 16:07:47 2016 us=2569 persist_local_ip = DISABLED


Mon June 16:07:47 2016 us=2574 persist_remote_ip = DISABLED


Mon June 16:07:47 2016 us=2579 persist_key = ENABLED


Mon June 16:07:47 2016 us=2585 passtos = DISABLED


Mon June 16:07:47 2016 us=2590 resolve_retry_seconds = 1000000000


Mon June 16:07:47 2016 us=2596 username = ' nobody '


Mon June 16:07:47 2016 us=2601 groupname = ' nobody '


Mon June 16:07:47 2016 us=2617 chroot_dir = ' [UNDEF] '


Mon June 16:07:47 2016 us=2622 cd_dir = ' [UNDEF] '


Mon June 16:07:47 2016 us=2627 writepid = ' [UNDEF] '


Mon June 16:07:47 2016 us=2645 up_script = ' [UNDEF] '


Mon June 16:07:47 2016 us=2650 down_script = ' [UNDEF] '


Mon June 16:07:47 2016 us=2655 down_pre = DISABLED


Mon June 16:07:47 2016 us=2660 up_restart = DISABLED


Mon June 16:07:47 2016 us=2668 up_delay = DISABLED


Mon June 16:07:47 2016 us=2675 daemon = DISABLED


Mon June 16:07:47 2016 us=2681 inetd = 0


Mon June 16:07:47 2016 us=2686 log = ENABLED


Mon June 16:07:47 2016 us=2692 suppress_timestamps = DISABLED


Mon June 16:07:47 2016 us=2696 nice = 0


Mon June 16:07:47 2016 us=2701 verbosity = 6


Mon June 16:07:47 2016 us=2706 mute = 0


Mon June 16:07:47 2016 us=2711 gremlin = 0


Mon June 16:07:47 2016 us=2716 status_file = '/tmp/openvpn-status.log '


Mon June 16:07:47 2016 us=2721 status_file_version = 1


Mon June 16:07:47 2016 us=2727 status_file_update_freq = 60


Mon June 16:07:47 2016 us=2732 OCC = ENABLED


Mon June 16:07:47 2016 us=2738 rcvbuf = 0


Mon June 16:07:47 2016 us=2743 sndbuf = 0


Mon June 16:07:47 2016 us=2749 mark = 0


Mon June 16:07:47 2016 us=2754 sockflags = 0


Mon June 16:07:47 2016 us=2759 fast_io = DISABLED


Mon June 16:07:47 2016 us=2765 Lzo = 7


Mon June 16:07:47 2016 us=2773 route_script = ' [UNDEF] '


Mon June 16:07:47 2016 us=2779 route_default_gateway = ' [UNDEF] '


Mon June 16:07:47 2016 us=2784 route_default_metric = 0


Mon June 16:07:47 2016 us=2791 route_noexec = DISABLED


Mon June 16:07:47 2016 us=2797 route_delay = 0


Mon June 16:07:47 2016 us=2803 Route_delay_window = 30


Mon June 16:07:47 2016 us=2809 route_delay_defined = DISABLED


Mon June 16:07:47 2016 us=2815 route_nopull = DISABLED


Mon June 16:07:47 2016 us=2820 route_gateway_via_dhcp = DISABLED


Mon June 16:07:47 2016 us=2826 max_routes = 100


Mon June 16:07:47 2016 us=2831 Allow_pull_fqdn = DISABLED


Mon June 16:07:47 2016 us=2838 Route 10.188.0.0/255.255.0.0/nil/nil


Mon June 16:07:47 2016 us=2843 management_addr = ' [UNDEF] '


Mon June 16:07:47 2016 us=2850 management_port = 0


Mon June 16:07:47 2016 us=2856 management_user_pass = ' [UNDEF] '


Mon June 16:07:47 2016 us=2862 Management_log_history_cache = 250


Mon June 16:07:47 2016 us=2877 management_echo_buffer_size = 100


Mon June 16:07:47 2016 us=2883 management_write_peer_info_file = ' [UNDEF] '


Mon June 16:07:47 2016 us=2889 management_client_user = ' [UNDEF] '


Mon June 16:07:47 2016 us=2895 management_client_group = ' [UNDEF] '


Mon June 16:07:47 2016 us=2901 management_flags = 0


Mon June 16:07:47 2016 us=2912 shared_secret_file = ' [UNDEF] '


Mon June 16:07:47 2016 us=2918 key_direction = 1


Mon June 16:07:47 2016 us=2924 ciphername_defined = ENABLED


Mon June 16:07:47 2016 us=2940 ciphername = ' BF-CBC '


Mon June 16:07:47 2016 us=2946 authname_defined = ENABLED


Mon June 16:07:47 2016 us=2951 authname = ' SHA1 '


Mon June 16:07:47 2016 us=2957 prng_hash = ' SHA1 '


Mon June 16:07:47 2016 us=2963 Prng_nonce_secret_len = 16


Mon June 16:07:47 2016 us=2968 keysize = 0


Mon June 16:07:47 2016 us=2974 engine = DISABLED


Mon June 16:07:47 2016 us=2979 replay = ENABLED


Mon June 16:07:47 2016 us=2989 mute_replay_warnings = DISABLED


Mon June 16:07:47 2016 us=2994 Replay_window = 64


Mon June 16:07:47 2016 us=2999 replay_time = 15


Mon June 16:07:47 2016 us=3004 packet_id_file = ' [UNDEF] '


Mon June 16:07:47 2016 us=3010 Use_iv = ENABLED


Mon June 16:07:47 2016 us=3015 test_crypto = DISABLED


Mon June 16:07:47 2016 us=3020 tls_server = ENABLED


Mon June 16:07:47 2016 us=3026 tls_client = DISABLED


Mon June 16:07:47 2016 us=3031 Key_method = 2


Mon June 16:07:47 2016 us=3047 ca_file = ' ca.crt '


Mon June 16:07:47 2016 us=3053 ca_path = ' [UNDEF] '


Mon June 16:07:47 2016 us=3069 dh_file = ' Dh2048.pem '


Mon June 16:07:47 2016 us=3074 cert_file = ' server.crt '


Mon June 16:07:47 2016 us=3080 extra_certs_file = ' [UNDEF] '


Mon June 16:07:47 2016 us=3096 priv_key_file = ' Server.key '


Mon June 16:07:47 2016 us=3102 pkcs12_file = ' [UNDEF] '


Mon June 16:07:47 2016 us=3107 cipher_list = ' [UNDEF] '


Mon June 16:07:47 2016 us=3112 tls_verify = ' [UNDEF] '


Mon June 16:07:47 2016 us=3118 tls_export_cert = ' [UNDEF] '


Mon June 16:07:47 2016 us=3123 verify_x509_type = 0


Mon June 16:07:47 2016 us=3129 verify_x509_name = ' [UNDEF] '


Mon June 16:07:47 2016 us=3135 crl_file = ' [UNDEF] '


Mon June 16:07:47 2016 us=3140 ns_cert_type = 0


Mon June 16:07:47 2016 us=3146 remote_cert_ku[i] = 0


Mon June 16:07:47 2016 us=3152 remote_cert_ku[i] = 0


Mon June 16:07:47 2016 us=3157 remote_cert_ku[i] = 0


Mon June 16:07:47 2016 us=3163 remote_cert_ku[i] = 0


Mon June 16:07:47 2016 us=3169 remote_cert_ku[i] = 0


Mon June 16:07:47 2016 us=3174 remote_cert_ku[i] = 0


Mon June 16:07:47 2016 us=3179 remote_cert_ku[i] = 0


Mon June 16:07:47 2016 us=3184 remote_cert_ku[i] = 0


Mon June 16:07:47 2016 us=3189 remote_cert_ku[i] = 0


Mon June 16:07:47 2016 us=3194 remote_cert_ku[i] = 0


Mon June 16:07:47 2016 us=3199 remote_cert_ku[i] = 0


Mon June 16:07:47 2016 us=3204 remote_cert_ku[i] = 0


Mon June 16:07:47 2016 us=3209 remote_cert_ku[i] = 0


Mon June 16:07:47 2016 us=3214 remote_cert_ku[i] = 0


Mon June 16:07:47 2016 us=3220 remote_cert_ku[i] = 0


Mon June 16:07:47 2016 us=3234 remote_cert_ku[i] = 0


Mon June 16:07:47 2016 us=3241 remote_cert_eku = ' [UNDEF] '


Mon June 16:07:47 2016 us=3246 ssl_flags = 0


Mon June 16:07:47 2016 us=3252 tls_timeout = 2


Mon June 16:07:47 2016 us=3258 renegotiate_bytes = 0


Mon June 16:07:47 2016 us=3263 renegotiate_packets = 0


Mon June 16:07:47 2016 us=3268 renegotiate_seconds = 3600


Mon June 16:07:47 2016 us=3274 Handshake_window = 60


Mon June 16:07:47 2016 us=3278 Transition_window = 3600


Mon June 16:07:47 2016 us=3293 single_session = DISABLED


Mon June 16:07:47 2016 us=3298 push_peer_info = DISABLED


Mon June 16:07:47 2016 us=3303 tls_exit = DISABLED


Mon June 16:07:47 2016 us=3309 tls_auth_file = ' Ta.key '


Mon June 16:07:47 2016 us=3315 pkcs11_protected_authentication = DISABLED


Mon June 16:07:47 2016 us=3321 pkcs11_protected_authentication = DISABLED


Mon June 16:07:47 2016 us=3327 pkcs11_protected_authentication = DISABLED


Mon June 16:07:47 2016 us=3332 pkcs11_protected_authentication = DISABLED


Mon June 16:07:47 2016 us=3338 pkcs11_protected_authentication = DISABLED


Mon June 16:07:47 2016 us=3344 pkcs11_protected_authentication = DISABLED


Mon June 16:07:47 2016 us=3350 pkcs11_protected_authentication = DISABLED


Mon June 16:07:47 2016 us=3356 pkcs11_protected_authentication = DISABLED


Mon June 16:07:47 2016 us=3361 pkcs11_protected_authentication = DISABLED


Mon June 16:07:47 2016 us=3367 pkcs11_protected_authentication = DISABLED


Mon June 16:07:47 2016 us=3372 pkcs11_protected_authentication = DISABLED


Mon June 16:07:47 2016 us=3377 pkcs11_protected_authentication = DISABLED


Mon June 16:07:47 2016 us=3382 pkcs11_protected_authentication = DISABLED


Mon June 16:07:47 2016 us=3389 pkcs11_protected_authentication = DISABLED


Mon June 16:07:47 2016 us=3395 pkcs11_protected_authentication = DISABLED


Mon June 16:07:47 2016 us=3403 pkcs11_protected_authentication = DISABLED


Mon June 16:07:47 2016 us=3410 pkcs11_private_mode = 00000000


Mon June 16:07:47 2016 us=3415 pkcs11_private_mode = 00000000


Mon June 16:07:47 2016 us=3421 pkcs11_private_mode = 00000000


Mon June 16:07:47 2016 us=3426 pkcs11_private_mode = 00000000


Mon June 16:07:47 2016 us=3432 pkcs11_private_mode = 00000000


Mon June 16:07:47 2016 us=3437 pkcs11_private_mode = 00000000


Mon June 16:07:47 2016 us=3443 pkcs11_private_mode = 00000000


Mon June 16:07:47 2016 us=3448 pkcs11_private_mode = 00000000


Mon June 16:07:47 2016 us=3454 pkcs11_private_mode = 00000000


Mon June 16:07:47 2016 us=3459 pkcs11_private_mode = 00000000


Mon June 16:07:47 2016 us=3465 pkcs11_private_mode = 00000000


Mon June 16:07:47 2016 us=3481 pkcs11_private_mode = 00000000


Mon June 16:07:47 2016 us=3486 pkcs11_private_mode = 00000000


Mon June 16:07:47 2016 us=3503 pkcs11_private_mode = 00000000


Mon June 16:07:47 2016 us=3509 pkcs11_private_mode = 00000000


Mon June 16:07:47 2016 us=3514 pkcs11_private_mode = 00000000


Mon June 16:07:47 2016 us=3530 pkcs11_cert_private = DISABLED


Mon June 16:07:47 2016 us=3535 pkcs11_cert_private = DISABLED


Mon June 16:07:47 2016 us=3540 pkcs11_cert_private = DISABLED


Mon June 16:07:47 2016 us=3545 pkcs11_cert_private = DISABLED


Mon June 16:07:47 2016 us=3550 pkcs11_cert_private = DISABLED


Mon June 16:07:47 2016 us=3557 pkcs11_cert_private = DISABLED


Mon June 16:07:47 2016 us=3563 pkcs11_cert_private = DISABLED


Mon June 16:07:47 2016 us=3568 pkcs11_cert_private = DISABLED


Mon June 16:07:47 2016 us=3573 pkcs11_cert_private = DISABLED


Mon June 16:07:47 2016 us=3579 pkcs11_cert_private = DISABLED


Mon June 16:07:47 2016 us=3585 pkcs11_cert_private = DISABLED


Mon June 16:07:47 2016 us=3590 pkcs11_cert_private = DISABLED


Mon June 16:07:47 2016 us=3595 pkcs11_cert_private = DISABLED


Mon June 16:07:47 2016 us=3601 pkcs11_cert_private = DISABLED


Mon June 16:07:47 2016 us=3606 pkcs11_cert_private = DISABLED


Mon June 16:07:47 2016 us=3613 pkcs11_cert_private = DISABLED


Mon June 16:07:47 2016 us=3619 pkcs11_pin_cache_period =-1


Mon June 16:07:47 2016 us=3624 pkcs11_id = ' [UNDEF] '


Mon June 16:07:47 2016 us=3630 pkcs11_id_management = DISABLED


Mon June 16:07:47 2016 us=3637 server_network = 10.188.0.0


Mon June 16:07:47 2016 us=3643 server_netmask = 255.255.0.0


Mon June 16:07:47 2016 us=3654 Server_network_ipv6 =::


Mon June 16:07:47 2016 us=3660 Server_netbits_ipv6 = 0


Mon June 16:07:47 2016 us=3666 server_bridge_ip = 0.0.0.0


Mon June 16:07:47 2016 us=3672 server_bridge_netmask = 0.0.0.0


Mon June 16:07:47 2016 us=3678 server_bridge_pool_start = 0.0.0.0


Mon June 16:07:47 2016 us=3685 server_bridge_pool_end = 0.0.0.0


Mon June 16:07:47 2016 us=3690 push_entry = ' route 0.0.0.0 0.0.0.0 '


Mon June 16:07:47 2016 us=3708 push_entry = ' Redirect-gateway def1 bypass-dhcp '


Mon June 16:07:47 2016 us=3724 push_entry = ' dhcp-option DNS 8.8.8.8 '


Mon June 16:07:47 2016 us=3729 push_entry = ' dhcp-option DNS 8.8.4.4 '


Mon June 16:07:47 2016 us=3734 push_entry = ' route 10.188.0.0 255.255.0.0 '


Mon June 16:07:47 2016 us=3740 push_entry = ' topology Net30 '


Mon June 16:07:47 2016 us=3747 push_entry = ' ping 5 '


Mon June 16:07:47 2016 us=3751 push_entry = ' Ping-restart 30 '


Mon June 16:07:47 2016 us=3754 ifconfig_pool_defined = ENABLED


Mon June 16:07:47 2016 us=3758 ifconfig_pool_start = 10.188.0.4


Mon June 16:07:47 2016 us=3762 ifconfig_pool_end = 10.188.255.251


Mon June 16:07:47 2016 us=3766 ifconfig_pool_netmask = 0.0.0.0


Mon June 16:07:47 2016 us=3769 ifconfig_pool_persist_filename = ' Ipp.txt '


Mon June 16:07:47 2016 us=3773 ifconfig_pool_persist_refresh_freq = 600


Mon June 16:07:47 2016 us=3776 ifconfig_ipv6_pool_defined = DISABLED


Mon June 16:07:47 2016 us=3780 ifconfig_ipv6_pool_base =::


Mon June 16:07:47 2016 us=3783 ifconfig_ipv6_pool_netbits = 0


Mon June 16:07:47 2016 us=3790 n_bcast_buf = 256


Mon June 16:07:47 2016 us=3793 tcp_queue_limit = 64


Mon June 16:07:47 2016 us=3796 real_hash_size = 256


Mon June 16:07:47 2016 us=3800 virtual_hash_size = 256


Mon June 16:07:47 2016 us=3803 client_connect_script = ' [UNDEF] '


Mon June 16:07:47 2016 us=3807 learn_address_script = ' [UNDEF] '


Mon June 16:07:47 2016 us=3810 client_disconnect_script = ' [UNDEF] '


Mon June 16:07:47 2016 us=3814 client_config_dir = ' [UNDEF] '


Mon June 16:07:47 2016 us=3817 ccd_exclusive = DISABLED


Mon June 16:07:47 2016 us=3820 tmp_dir = '/tmp '


Mon June 16:07:47 2016 us=3824 push_ifconfig_defined = DISABLED


Mon June 16:07:47 2016 us=3828 push_ifconfig_local = 0.0.0.0


Mon June 16:07:47 2016 us=3831 push_ifconfig_remote_netmask = 0.0.0.0


Mon June 16:07:47 2016 us=3835 push_ifconfig_ipv6_defined = DISABLED


Mon June 16:07:47 2016 us=3841 push_ifconfig_ipv6_local =::/0


Mon June 16:07:47 2016 us=3845 push_ifconfig_ipv6_remote =::


Mon June 16:07:47 2016 us=3849 enable_c2c = ENABLED


Mon June 16:07:47 2016 us=3853 duplicate_cn = ENABLED


Mon June 16:07:47 2016 us=3858 cf_max = 0


Mon June 16:07:47 2016 us=3862 cf_per = 0


Mon June 16:07:47 2016 us=3865 max_clients = 100


Mon June 16:07:47 2016 us=3869 max_routes_per_client = 256


Mon June 16:07:47 2016 us=3882 auth_user_pass_verify_script = ' [UNDEF] '


Mon June 16:07:47 2016 us=3886 auth_user_pass_verify_script_via_file = DISABLED


Mon June 16:07:47 2016 us=3889 port_share_host = ' [UNDEF] '


Mon June 16:07:47 2016 us=3893 port_share_port = 0


Mon June 16:07:47 2016 us=3896 client = DISABLED


Mon June 16:07:47 2016 us=3900 pull = DISABLED


Mon June 16:07:47 2016 us=3906 auth_user_pass_file = ' [UNDEF] '


Mon June 16:07:47 2016 us=3911 OpenVPN 2.3.11 X86_64-redhat-linux-gnu [SSL (OpenSSL)] [Lzo] [epoll] [PKCS11] [MH] [IPV6] Built on May 10 2016


Mon June 16:07:47 2016 us=3919 library Versions:openssl 1.0.1e-fips One Feb 2013, Lzo 2.06


Mon June 16:07:47 2016 us=4002 WARNING:--ifconfig-pool-persist won't be work with--DUPLICATE-CN


Mon June 16:07:47 2016 us=59407 Diffie-hellman initialized with 2048 bit key


Mon June 16:07:47 2016 us=59920 control Channel authentication:using ' Ta.key ' as a OpenVPN static key file


Mon June 16:07:47 2016 us=59938 outgoing control Channel authentication:using 160 bit message hash ' SHA1 ' for HMAC auth Entication


Mon June 16:07:47 2016 us=59946 incoming control Channel authentication:using 160 bit message hash ' SHA1 ' for HMAC auth Entication


Mon June 16:07:47 2016 us=59958 tls-auth MTU parms [l:1544 d:1182 ef:68-eb:0 et:0 El:3]


Mon June 16:07:47 2016 us=59975 Socket buffers:r=[87380->87380] s=[16384->16384]


Mon June 16:07:47 2016 us=60070 route_gateway on_link iface=venet0 hwaddr=00:00:00:00:00:00


Mon June 16:07:47 2016 us=60296 Tun/tap device Tun0 opened


Mon June 16:07:47 2016 us=60311 tun/tap TX Queue Length set to 100


Mon June 16:07:47 2016 us=60323 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0


Mon June 16:07:47 2016 US=60341/USR/SBIN/IP link set dev tun0 up MTU 1500


Mon June 16:07:47 2016 US=72043/USR/SBIN/IP addr Add dev tun0 local 10.188.0.1 peer


Mon June 16:07:47 2016 US=89355/USR/SBIN/IP route add 10.188.0.0/16 via 10.188.0.2


Mon June 16:07:47 2016 us=90077 Data Channel MTU parms [l:1544 d:1450 ef:44 eb:143 et:0 El:3 AF:3/1]


Mon June 16:07:47 2016 us=90257 GID set to nobody


Mon June 16:07:47 2016 us=90268 UID set to nobody


Mon June 16:07:47 2016 us=90275 listening for incoming TCP connection on [undef]


Mon June 16:07:47 2016 us=90283 tcpv4_server link Local (bound): [undef]


Mon June 16:07:47 2016 us=90287 tcpv4_server link remote: [undef]


Mon June 16:07:47 2016 us=90295 Multi:multi_init called, r=256 v=256


Mon June 16:07:47 2016 us=90441 IFCONFIG pool:base=10.188.0.4 size=16382, ipv6=0


Mon June 16:07:47 2016 us=90453 IFCONFIG POOL LIST


Mon June 16:07:47 2016 us=90480 multi:tcp INIT maxclients=100 maxevents=104


Mon June 16:07:47 2016 us=90495 initialization Sequence Completed


Mon June 16:08:07 2016 us=790588 tcp/udp:closing socket


Mon June 16:08:07 2016 US=790658/USR/SBIN/IP Route del 10.188.0.0/16


Rtnetlink Answers:operation not permitted


Mon June 16:08:07 2016 us=791611 error:linux Route Delete command failed:external program exited with ERROR Status:2


Mon June 16:08:07 2016 us=791637 Closing Tun/tap interface


Mon June 16:08:07 2016 us=791657/usr/sbin/ip addr del Dev tun0 local 10.188.0.1 peer-10.188.0.2


Rtnetlink Answers:operation not permitted


Mon June 16:08:07 2016 us=792360 Linux IP addr del failed:external program exited with error Status:2


Mon June 16:08:07 2016 us=830989 Sigint[hard,] received, process exiting


[root@ss-usa-odo01/etc/openvpn]#

[root@ss-usa-odo01/etc/openvpn]# IPTABLES-NVXL--lin


Chain INPUT (Policy ACCEPT 0 packets, 0 bytes)


Num pkts bytes target prot opt in Out source destination


1 127988 174103095 ACCEPT All--* * 0.0.0.0/0 0.0.0.0/0 State Related,establi Shed


2 0 0 ACCEPT ICMP--* * 0.0.0.0/0 0.0.0.0/0


3 0 0 ACCEPT All--Lo * 0.0.0.0/0 0.0.0.0/0


4 228 14272 ACCEPT TCP--* * 0.0.0.0/0 0.0.0.0/0 State NEW TCP dpt:22


5 651 33525 REJECT All--* * 0.0.0.0/0 0.0.0.0/0 Reject-with Prohibited





Chain FORWARD (Policy ACCEPT 0 packets, 0 bytes)


Num pkts bytes target prot opt in Out source destination


1 0 0 REJECT All--* * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host- Prohibited





Chain OUTPUT (Policy ACCEPT 77183 packets, 5938860 bytes)


Num pkts bytes target prot opt in Out source destination


[root@ss-usa-odo01/etc/openvpn]# iptables-i INPUT 4-p tcp-m State--state new-m TCP--dport 22033-j ACCEPT


[root@ss-usa-odo01/etc/openvpn]# IPTABLES-NVXL--lin


Chain INPUT (Policy ACCEPT 0 packets, 0 bytes)


Num pkts bytes target prot opt in Out source destination


1 127988 174103095 ACCEPT All--* * 0.0.0.0/0 0.0.0.0/0 State Related,establi Shed


2 0 0 ACCEPT ICMP--* * 0.0.0.0/0 0.0.0.0/0


3 0 0 ACCEPT All--Lo * 0.0.0.0/0 0.0.0.0/0


4 0 0 ACCEPT TCP--* * 0.0.0.0/0 0.0.0.0/0 State NEW TCP dpt:2203 3


5 228 14272 ACCEPT TCP--* * 0.0.0.0/0 0.0.0.0/0 State NEW TCP dpt:22


6 651 33525 REJECT All--* * 0.0.0.0/0 0.0.0.0/0 Reject-with Prohibited





Chain FORWARD (Policy ACCEPT 0 packets, 0 bytes)


Num pkts bytes target prot opt in Out source destination


1 0 0 REJECT All--* * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host- Prohibited





Chain OUTPUT (Policy ACCEPT 77183 packets, 5938860 bytes)


Num pkts bytes target prot opt in Out source destination


[root@ss-usa-odo01/etc/openvpn]# iptables-i forward-m State--state related,established-j ACCEPT


[root@ss-usa-odo01/etc/openvpn]# iptables-i FORWARD 2-s 10.0.0.0/8-j


[root@ss-usa-odo01/etc/openvpn]# IPTABLES-NVXL--lin


Chain INPUT (Policy ACCEPT 0 packets, 0 bytes)


Num pkts bytes target prot opt in Out source destination


1 128015 174104967 ACCEPT All--* * 0.0.0.0/0 0.0.0.0/0 State Related,establi Shed


2 0 0 ACCEPT ICMP--* * 0.0.0.0/0 0.0.0.0/0


3 0 0 ACCEPT All--Lo * 0.0.0.0/0 0.0.0.0/0


4 0 0 ACCEPT TCP--* * 0.0.0.0/0 0.0.0.0/0 State NEW TCP dpt:2203 3


5 228 14272 ACCEPT TCP--* * 0.0.0.0/0 0.0.0.0/0 State NEW TCP dpt:22


6 651 33525 REJECT All--* * 0.0.0.0/0 0.0.0.0/0 Reject-with Prohibited





Chain FORWARD (Policy ACCEPT 0 packets, 0 bytes)


Num pkts bytes target prot opt in Out source destination


1 0 0 ACCEPT All – * * 0.0.0.0/0 0.0.0.0/0 State Related,establis HED


2 0 0 ACCEPT All--* * 10.0.0.0/8 0.0.0.0/0


3 0 0 REJECT All--* * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host- Prohibited





Chain OUTPUT (Policy ACCEPT 3 packets, 436 bytes)


Num pkts bytes target prot opt in Out source destination


[root@ss-usa-odo01/etc/openvpn]# iptables-t nat-a postrouting-s 10.0.0.0/8-j SNAT--to-source 104.223.122.202


[root@ss-usa-odo01/etc/openvpn]# iptables-t NAT-NVXL--lin


Chain prerouting (Policy ACCEPT 0 packets, 0 bytes)


Num pkts bytes target prot opt in Out source destination





Chain postrouting (Policy ACCEPT 0 packets, 0 bytes)


Num pkts bytes target prot opt in Out source destination


1 0 0 SNAT All--* * 10.0.0.0/8 0.0.0.0/0 to:104.223.122.202





Chain OUTPUT (Policy ACCEPT 0 packets, 0 bytes)


Num pkts bytes target prot opt in Out source destination


[root@ss-usa-odo01/etc/openvpn]# Iptables-save >/etc/sysconfig/iptables


[root@ss-usa-odo01/etc/openvpn]# Cat/etc/sysconfig/iptables


# generated by Iptables-save v1.4.21 on Mon June 13 16:14:40 2016


*raw


:P rerouting ACCEPT [366,072:522,504,090]


: OUTPUT ACCEPT [204,986:14,628,967]


COMMIT


# Completed on Mon June 13 16:14:40 2016


# generated by Iptables-save v1.4.21 on Mon June 13 16:14:40 2016


*nat


:P rerouting ACCEPT [0:0]


:P ostrouting ACCEPT [0:0]


: OUTPUT ACCEPT [0:0]


-A postrouting-s 10.0.0.0/8-j SNAT--to-source 104.223.122.202


COMMIT


# Completed on Mon June 13 16:14:40 2016


# generated by Iptables-save v1.4.21 on Mon June 13 16:14:40 2016


*mangle


:P rerouting ACCEPT [366,072:522,504,090]


: INPUT ACCEPT [366,072:522,504,090]


: FORWARD ACCEPT [0:0]


: OUTPUT ACCEPT [204,986:14,628,967]


:P ostrouting ACCEPT [204,986:14,628,967]


COMMIT


# Completed on Mon June 13 16:14:40 2016


# generated by Iptables-save v1.4.21 on Mon June 13 16:14:40 2016


*filter


: INPUT ACCEPT [0:0]


: FORWARD ACCEPT [0:0]


: OUTPUT ACCEPT [98:11,832]


-A input-m state--state related,established-j ACCEPT


-A input-p icmp-j ACCEPT


-A input-i lo-j ACCEPT


-A input-p tcp-m state--state new-m TCP--dport 22033-j ACCEPT


-A input-p tcp-m state--state new-m TCP--dport 22-j ACCEPT


-A input-j REJECT--reject-with icmp-host-prohibited


-A forward-m state--state related,established-j ACCEPT


-A forward-s 10.0.0.0/8-j ACCEPT


-A forward-j REJECT--reject-with icmp-host-prohibited


COMMIT


# Completed on Mon June 13 16:14:40 2016


[root@ss-usa-odo01/etc/openvpn]#

IPTABLES-NVXL--lin
Iptables-i INPUT 4-p tcp-m State--state new-m TCP--dport 22033-j ACCEPT
Iptables-i forward-m State--state related,established-j ACCEPT
Iptables-i FORWARD 2-s 10.0.0.0/8-j ACCEPT
Iptables-t nat-a postrouting-s 10.0.0.0/8-j SNAT--to-source 104.223.122.202
Iptables-save >/etc/sysconfig/iptables

# # #Because OpenVPN does not support multiple ports, so we can use iptables to realize multiport usage
Iptables-t nat-a prerouting-p tcp-d 104.223.122.202-m multiport--dports 22034:22044-j REDIRECT--to-port 22033
This forwards all packets sent to 104.223.122.202 this IP 22034-22044 port to 22033.
104.223.122.202 is your OpenVPN's listening IP.

Client configuration File Reference

Client
Dev Tun
Proto TCP
Resolv-retry infinite
nobind
Persist-key
Persist-tun
Comp-lzo
Verb 3
Remote 104.223.122.202 22033
CA 104.223.122.202-ca.crt
Cert 104.223.122.202-LOOKBACK.CRT
Key 104.223.122.202-lookback.key
Tls-auth 104.223.122.202-ta.key 1