安装依赖包
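# Build and PKI dependencies. easy-rsa is shipped in EPEL on RHEL/CentOS, so the
# repository is enabled before anything that needs it. The stray trailing "-" on the
# last line of the original (a list marker from the source document) would have been
# passed to yum as a package name and is dropped here.
sudo yum install -y epel-release
sudo yum install -y gcc make pam-devel lzo-devel lz4-devel automake autoconf libtool
sudo yum install -y easy-rsa libnl3-devel libcap-ng-devel openssl-devel systemd-devel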
下载OpenVPN 2.6.14源码
自行获取源码包,放置到 /usr/local/src
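# Unpack the OpenVPN 2.6.14 release tarball. Verify the archive's signature or the
# checksum published for the release against the upstream project before extracting
# it; a tampered source tree ends up as the VPN daemon running as root.
# The original `cd openvpn-2.6.14 -` carried a stray "-" (a list marker from the source
# document); bash's cd rejects a second argument, so the directory change silently
# failed. Both cd calls now abort the snippet on failure instead.
cd /usr/local/src || exit 1
sudo tar -xzf openvpn-2.6.14.tar.gz
cd openvpn-2.6.14 || exit 1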
编译和安装
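# Configure, build and install from source.
# --prefix=/etc/openvpn places the binary at /etc/openvpn/sbin/openvpn (the tls-crypt
# key generation step later relies on that path); --sysconfdir=/etc keeps the
# configuration tree under /etc. DCO is disabled, so the classic tun device path is used.
# A failed configure previously fell through to `make`; it now stops the snippet.
mkdir -p /etc/openvpn
cd /usr/local/src/openvpn-2.6.14 || exit 1
./configure --prefix=/etc/openvpn --sysconfdir=/etc --disable-dco --enable-lzo --enable-plugins --enable-port-share --enable-iproute2 --enable-plugin-auth-pam --enable-pam-dlopen --enable-systemd || exit 1
make && make install
# easy-rsa 3.2.1 from the distribution package, copied so the PKI lives under
# /etc/openvpn; vars.example becomes the vars file that the next step customises.
cp -r /usr/share/easy-rsa/3.2.1 /etc/openvpn/easy-rsa
cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn/easy-rsa/vars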
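# easy-rsa settings. vars.example ships with every set_var commented out, so appending
# the overrides is equivalent to editing the file by hand (the original opened it in vim).
# Fix carried in this block: the original set `EASYRSA_ALGO sha256`, but EASYRSA_ALGO
# selects the key algorithm (rsa / ec / ed) and rejects a digest name; the signature
# digest is EASYRSA_DIGEST.
cat >> /etc/openvpn/easy-rsa/vars <<'EOF'
# Lifetime of issued (server/client) certificates, in days
set_var EASYRSA_CERT_EXPIRE 3650
# Lifetime of the CA certificate, in days
set_var EASYRSA_CA_EXPIRE 3650
# Days before expiry from which a certificate may be renewed
set_var EASYRSA_CERT_RENEW 30
# CRL validity in days. OpenVPN's crl-verify rejects connections once the CRL has
# expired, so `./easyrsa gen-crl` must be re-run within this window.
set_var EASYRSA_CRL_DAYS 180
# RSA key size in bits (used with the default EASYRSA_ALGO rsa)
set_var EASYRSA_KEY_SIZE 2048
# Signature digest
set_var EASYRSA_DIGEST sha256
# Named curve; only consulted when EASYRSA_ALGO is ec
set_var EASYRSA_CURVE secp384r1
# DN mode: cn_only puts just the Common Name in the subject (the "org" mode adds the
# country/organisation fields)
set_var EASYRSA_DN "cn_only"
EOF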
参考: https://github.com/OpenVPN/easy-rsa
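# Build the PKI under /etc/openvpn/easy-rsa and stage the server material in
# /etc/openvpn/ssl, which is where server.conf points.
mkdir -p /etc/openvpn/ssl
cd /etc/openvpn/easy-rsa || exit 1
./easyrsa init-pki
# CA key: the original used `nopass`. An unencrypted CA key sitting on the
# internet-facing VPN host lets anyone who can read it issue valid client
# certificates, so the CA key is passphrase-protected here (easy-rsa prompts for it
# now and again on each sign). The server key stays passphrase-less so the service
# can start unattended.
./easyrsa build-ca
./easyrsa gen-req server nopass
./easyrsa sign server server
./easyrsa gen-dh
# tls-crypt key. openvpn was installed with --prefix=/etc/openvpn, hence this path
# (the original ran ./sbin/openvpn from /etc/openvpn, which is the same binary).
/etc/openvpn/sbin/openvpn --genkey secret /etc/openvpn/ssl/ta.key
cp pki/ca.crt pki/private/server.key pki/issued/server.crt pki/dh.pem /etc/openvpn/ssl/
# openvpn reads the key material as root at startup, before dropping to nobody, so the
# private files need no wider permissions than root-only.
chmod 600 /etc/openvpn/ssl/server.key /etc/openvpn/ssl/ta.key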
客户端证书
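# Issue one client certificate per user or device, named after that user, so a single
# identity can be revoked without cutting off everyone else. The original hard-coded
# the name "client"; CLIENT_NAME overrides it and "client" remains the default.
client_name=${CLIENT_NAME:-client}
cd /etc/openvpn/easy-rsa || exit 1
./easyrsa gen-req "$client_name" nopass
./easyrsa sign client "$client_name"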
加域
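# AD client stack: realmd/adcli perform the join, sssd serves users and groups,
# oddjob-mkhomedir creates home directories at first login. -y added so the step is
# non-interactive like the other installs on this page.
yum install -y samba-common-tools realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation
# NOTE(review): no `realm join` step appears here — confirm the domain join itself is
# performed before the sssd-based profile is selected, or logins will have no backend.
authselect create-profile custom-profile -b sssd --symlink-meta --symlink-pam
# with-faillock: lock accounts after repeated failed logins; without-nullok: refuse
# empty passwords; with-mkhomedir: pair with oddjob-mkhomedir above.
authselect select custom/custom-profile with-sudo with-faillock without-nullok with-mkhomedir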
重启服务器
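# Kernel parameters for the VPN gateway, written to sysctl.d so they persist across
# the reboot above and applied immediately afterwards (the original opened the file
# in vim and left it to the reboot).
cat > /etc/sysctl.d/01-openvpn.conf <<'EOF'
net.core.default_qdisc=fq
net.core.somaxconn=21644
# rp_filter=0 switches reverse-path filtering off entirely. Loose mode (2) still
# drops packets whose source address is unroutable while tolerating the asymmetric
# routing a VPN gateway sees; kept at 0 as configured, review whether 2 is enough.
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
# Needed for redirect-gateway: client traffic is forwarded out of this host
net.ipv4.ip_forward=1
net.ipv4.tcp_fastopen=3
# This key only exists while the nf_conntrack module is loaded; sysctl reports
# "No such file or directory" for it otherwise.
net.netfilter.nf_conntrack_max=1048576
EOF
sysctl -p /etc/sysctl.d/01-openvpn.conf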
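# Server configuration. The openvpn-server@server unit started below expects
# /etc/openvpn/server/server.conf. The original copied the upstream sample
# (/usr/local/src/openvpn-2.6.14/sample/sample-config-files/server.conf) and then
# replaced its content in vim; the file is written directly here and the sample stays
# as the reference for any directive not set below.
# Changes against the original listing, each explained inline: duplicated tls-cipher,
# max-clients and remote-cert-tls lines collapsed; deprecated `cipher` dropped in
# favour of data-ciphers-fallback; compression refused instead of enabled; `log`
# replaced by log-append; unused script-security removed.
mkdir -p /etc/openvpn/server
cat > /etc/openvpn/server/server.conf <<'EOF'
#################################################
# OpenVPN 2.6.14 server configuration
#################################################

# --- Transport ---
port 1194
proto udp
dev tun

# --- Certificates (staged in /etc/openvpn/ssl by the easy-rsa steps) ---
ca /etc/openvpn/ssl/ca.crt
cert /etc/openvpn/ssl/server.crt
key /etc/openvpn/ssl/server.key
dh /etc/openvpn/ssl/dh.pem
# NOTE(review): no crl-verify is configured, so a revoked client certificate is still
# accepted. After `./easyrsa gen-crl` has produced pki/crl.pem, copy it next to the
# other files and add `crl-verify <PATH-TO-crl.pem>` (placeholder path).

# --- Control channel ---
# tls-crypt both encrypts and authenticates the TLS control channel with ta.key
tls-crypt /etc/openvpn/ssl/ta.key
tls-version-min 1.2
# The original listed tls-cipher twice; OpenVPN keeps the last occurrence, which is
# this list (the server certificate is RSA, so only the RSA suite will ever match).
tls-cipher "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
tls-server
# Require the peer certificate to be a client certificate, so a leaked server
# certificate cannot be replayed as a client (listed twice in the original)
remote-cert-tls client

# --- Data channel ---
# data-ciphers is negotiated with modern clients; data-ciphers-fallback covers peers
# without negotiation and replaces the deprecated `cipher AES-256-GCM` of the original.
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM
auth SHA256

# --- Addressing ---
server 10.8.0.0 255.255.255.0
topology subnet
push "redirect-gateway def1 bypass-dhcp"
push "route 10.8.0.0 255.255.255.0"
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 119.29.29.29"

# --- Clients ---
client-to-client
# NOTE(review): duplicate-cn lets several sessions share one certificate. Together with
# the single "client" certificate issued above it removes per-user accountability in the
# logs and makes it impossible to revoke one user without revoking everyone. Drop it
# once each user has an individual certificate.
duplicate-cn
# The original set max-clients 100 and later 50; the last occurrence (50) was the
# effective value and is kept.
max-clients 50

# --- Compression ---
# The original enabled `compress lz4-v2` and pushed it to clients. Compressing before
# encryption leaks plaintext through ciphertext length (the VORACLE class of attacks)
# and OpenVPN 2.6 deprecates compression, so it is refused here. Clients that still
# carry a `compress` line need it removed as well.
allow-compression no

# --- Connection management ---
keepalive 10 120
reneg-sec 3600
ping-timer-rem
persist-tun
persist-key
# NOTE(review): connect-timeout is a client-side option and appears to have no effect
# in a server configuration; kept only because the original had it.
connect-timeout 120

# --- Privilege drop (persist-key/persist-tun above keep restarts working as nobody) ---
user nobody
group nobody
auth-nocache

# --- Logging ---
status /var/log/openvpn-status.log 30
# log-append instead of `log`: `log` truncates the file on every restart, discarding
# exactly the history an incident investigation needs.
log-append /var/log/openvpn.log
verb 3
mute 20

# --- Performance ---
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"
tun-mtu 1500
mssfix 1450

# `script-security 2` from the original is omitted: no script hook (up/down,
# client-connect, auth-user-pass-verify) is configured, so the default level is
# sufficient. Re-add it only together with the hook that needs it.
EOF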
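# Enable at boot and start now. The original only started the unit, so the service
# would not come back after a reboot of the host.
systemctl enable --now openvpn-server@server
systemctl --no-pager status openvpn-server@server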