[Linux虚拟机]OpenVPN安装和基本使用方法，帮你快速理解公司网络

sudo apt-get update
sudo apt-get install openvpn easy-rsa

make-cadir ~/openvpn-ca
cd ~/openvpn-ca
vim vars

exportKEY_COUNTRY="US"
exportKEY_PROVINCE="CA"
exportKEY_CITY="SanFrancisco"
exportKEY_ORG="Fort-Funston"
exportKEY_EMAIL="me@myhost.mydomain"
exportKEY_OU="MyOrganizationalUnit"

export KEY_COUNTRY="CN"
export KEY_PROVINCE="SX"
export KEY_CITY="TaiYuan"
export KEY_ORG="SYSU"
export KEY_EMAIL="bjernsen@163.com"
export KEY_OU="SDCS"

# X509 Subject Field
export KEY_NAME="server"

cd ~/openvpn-ca
source vars

**************************************************************
  No /home/ubuntu/openvpn-ca/openssl.cnf file could be found
  Further invocations will fail
**************************************************************
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/ubuntu/openvpn-ca/keys

cp ~/openvpn-ca/openssl-1.0.0.cnf  ~/openvpn-ca/openssl.cnf

./clean-all
./build-ca

./build-key-server server

./build-dh

openvpn --genkey --secret keys/ta.key

cd ~/openvpn-casource vars./build-key client1

cd ~/openvpn-ca/keyssudo cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/cd /etc/openvpn/sudo gzip -d server.conf.gz

sudo vim /etc/openvpn/server.conf

tls-auth ta.key 0key-direction 0

user nobodygroup nobody

sudo vim /etc/sysctl.conf

net.ipv4.ip_forward=1

sudo sysctl -p

sudo sysctl -p

sudo service openvpn start

sudo service openvpn status

ip route | grep default

 $ ip route | grep default default via 172.18.159.254 dev enp2s0  proto static  metric 100

# NAT table rules*nat:POSTROUTING ACCEPT [0:0]# Allow traffic from OpenVPN client to eth0(changeto the interface you discovered!)-A POSTROUTING -s 10.8.0.0/8 -o eth0 -jMASQUERADE #这里为配置文件设置的虚拟网段COMMIT# END OPENVPN RULES

DEFAULT_FORWARD_POLICY="ACCEPT"

ufw allow 1193/udpufw allow OpenSSH

ufw disableufw enable

############################################### Sample client-side OpenVPN 2.0 config file ## for connecting to multi-client server.     ##                                            ## This configuration can be used by multiple ## clients, however each client should have   ## its own cert and key files.                ##                                            ## On Windows, you might want to rename this  ## file so it has a .ovpn extension           ################################################ Specify that we are a client and that we# will be pulling certain config file directives# from the server.client# Use the same setting as you are using on# the server.# On most systems, the VPN will not function# unless you partially or fully disable# the firewall for the TUN/TAP interface.;dev tapdev tun# Windows needs the TAP-Win32 adapter name# from the Network Connections panel# if you have more than one.  On XP SP2,# you may need to disable the firewall# for the TAP adapter.;dev-node MyTap# Are we connecting to a TCP or# UDP server?  Use the same setting as# on the server.;proto tcpproto udp# The hostname/IP and port of the server.# You can have multiple remote entries# to load balance between the servers.remote 81.70.205.40 1194;remote my-server-1 1194;remote my-server-2 1194# Choose a random host from the remote# list for load-balancing.  Otherwise# try hosts in the order specified.;remote-random# Keep trying indefinitely to resolve the# host name of the OpenVPN server.  Very useful# on machines which are not permanently connected# to the internet such as laptops.resolv-retry infinite# Most clients don't need to bind to# a specific local port number.nobind# Downgrade privileges after initialization (non-Windows only)user nobodygroup nobody# Try to preserve some state across restarts.persist-keypersist-tun# If you are connecting through an# HTTP proxy to reach the actual OpenVPN# server, put the proxy server/IP and# port number here.  See the man page# if your proxy server requires# authentication.;http-proxy-retry # retry on connection failures;http-proxy [proxy server] [proxy port #]# Wireless networks often produce a lot# of duplicate packets.  Set this flag# to silence duplicate packet warnings.;mute-replay-warnings# SSL/TLS parms.# See the server config file for more# description.  It's best to use# a separate .crt/.key file pair# for each client.  A single ca# file can be used for all clients.ca ca.crtcert client1.crtkey client1.key# Verify server certificate by checking that the# certicate has the correct key usage set.# This is an important precaution to protect against# a potential attack discussed here:#  http://openvpn.net/howto.html#mitm## To use this feature, you will need to generate# your server certificates with the keyUsage set to#   digitalSignature, keyEncipherment# and the extendedKeyUsage to#   serverAuth# EasyRSA can do this for you.remote-cert-tls server# If a tls-auth key is used on the server# then every client must also have the key.tls-auth ta.key 1key-direction 1# Select a cryptographic cipher.# If the cipher option is used on the server# then you must also specify it here.;cipher xcipher AES-256-CBCauth SHA256# Enable compression on the VPN link.# Don't enable this unless it is also# enabled in the server config file.comp-lzo# Set log file verbosity.verb 3# Silence repeating messages;mute 20