Client configuration file parameters
# File name: client.ovpn on Windows, client.conf on Linux
client
# Declares this side as a client
dev tun
# Use a layer-3 routed IP tunnel (tun) or a layer-2 Ethernet tunnel (tap); the client uses whatever the server uses
proto tcp
# Transport protocol, udp or tcp; the client uses whatever the server uses
remote 10.0.0.190 1194
# Server address and port
resolv-retry infinite
# Keep retrying to resolve the OpenVPN server hostname indefinitely;
# useful on machines that are not permanently connected to the Internet, such as laptops
nobind
# Most clients do not need to bind to a specific local port number
;user nobody
;group nobody
# Drop privileges after initialization (not available on Windows)
persist-key
persist-tun
# Try to preserve some state across restarts
ca ca.crt
cert client.crt
key client.key
# CA certificate, client certificate, client private key
# If they are in the same directory as client.conf or client.ovpn no absolute path is needed; otherwise the absolute path must be written
remote-cert-tls server
# Verify the server certificate by checking that it has the correct key usage set; a certificate issued for a client fails this check, so another client's certificate cannot be used to impersonate the server
tls-auth ta.key 1
# Strengthens authentication and mitigates attacks on the control channel; if the server is configured with it, the client must have it too. The server uses key direction 0 and the client direction 1
cipher AES-256-CBC
# Select the cipher. If the cipher option is used on the server you must also specify it here. Note that 2.4 clients and servers automatically negotiate AES-256-GCM in TLS mode
compress lz4-v2
# The client uses whatever the server uses
# This enables lz4 compression on the client; packets sent to the client are compressed
# (compression of encrypted traffic is deprecated in current OpenVPN releases; leave it off unless the server requires it)
verb 3
# Log verbosity level
;mute 20
# Silence repeated messages: at most 20 consecutive messages of the same category are written to the log
Connection and testing are omitted here.
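The checks this section describes (tls-auth with key direction 1, remote-cert-tls server, the ca/cert/key files, dropped privileges, compression) as a small lint script. This is an added example, not code from the original page; the two client configs it lints are constructed here, one being the page's wangwu.conf with the compress line removed and the other a deliberately weak variant.

```shell
#!/bin/sh
# Added example, not code from the original page: lint an OpenVPN client config
# for the directives described above. Assumes only a POSIX shell with awk;
# the two sample configs below are constructed for the demo.

# conf_get FILE DIRECTIVE: print the arguments of the first active DIRECTIVE in
# FILE ('#' and ';' start comments, also inline); exit 1 if it is absent.
conf_get() {
    awk -v d="$2" '
        { sub(/[ \t]*[#;].*$/, "") }
        $1 == d { $1 = ""; sub(/^[ \t]+/, ""); print; found = 1; exit }
        END { exit !found }' "$1"
}
conf_has() { conf_get "$1" "$2" >/dev/null; }

lint_note() { echo "$LINT_FILE: $1"; LINT_N=$((LINT_N + 1)); }

# lint_client_conf FILE: print one line per finding; the return value is the count.
lint_client_conf() {
    LINT_FILE=$1; LINT_N=0
    conf_has "$LINT_FILE" client || lint_note "missing 'client'"
    for d in ca cert key; do
        conf_has "$LINT_FILE" "$d" || lint_note "missing '$d'"
    done
    [ "$(conf_get "$LINT_FILE" remote-cert-tls)" = server ] \
        || lint_note "missing 'remote-cert-tls server': the server certificate's key usage is not verified"
    if ta=$(conf_get "$LINT_FILE" tls-auth); then
        case $ta in
            *' '*) dir=${ta##* } ;;                                          # tls-auth ta.key 1
            *)     dir=$(conf_get "$LINT_FILE" key-direction || true) ;;      # or a key-direction line
        esac
        [ "$dir" = 1 ] || lint_note "tls-auth key direction must be 1 on the client (the server uses 0)"
    else
        lint_note "missing 'tls-auth': control channel packets are not HMAC-authenticated"
    fi
    if conf_has "$LINT_FILE" compress || conf_has "$LINT_FILE" comp-lzo; then
        lint_note "compression is enabled; leave it off unless the server requires it"
    fi
    if ! conf_has "$LINT_FILE" user || ! conf_has "$LINT_FILE" group; then
        lint_note "no 'user'/'group': openvpn keeps root privileges after initialization"
    fi
    return $LINT_N
}

# lint_count FILE: the number of findings, as text.
lint_count() { lint_client_conf "$1" | wc -l | tr -d ' '; }

TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
GOOD=$TMP/wangwu.conf; BAD=$TMP/weak.conf

# Constructed: the page's wangwu.conf without the compress line.
cat > "$GOOD" <<'EOF'
client
dev tun
proto tcp
remote 10.0.0.190 1194   # server IP
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert wangwu.crt
key wangwu.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
;mute 20
EOF

# Constructed: a typical weak client config (no server check, wrong tls-auth
# direction, compression, no privilege drop).
cat > "$BAD" <<'EOF'
client
dev tun
proto tcp
remote 10.0.0.190 1194
nobind
ca ca.crt
cert wangwu.crt
key wangwu.key
tls-auth ta.key 0
cipher AES-256-CBC
comp-lzo
verb 3
EOF

lint_client_conf "$GOOD" || echo "$GOOD: $? finding(s)"
lint_client_conf "$BAD"  || echo "$BAD: $? finding(s)"
```

Run it as `sh lint.sh`; the weak config produces four findings and the cleaned wangwu.conf none. The page's own wangwu.conf, with compress lz4-v2 present, would get exactly one finding, the compression warning.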
6. Linux client configuration and access
Install OpenVPN
Installation was covered above (installing OpenVPN on Linux) and is not repeated here. We use the previously created client user wangwu for verification.
vim /usr/local/openvpn/lib/systemd/system/openvpn-server@.service
[Service]
Type=notify
PrivateTmp=true
#WorkingDirectory=/etc/openvpn/server
WorkingDirectory=/etc/openvpn/wangwu
#ExecStart=/usr/local/openvpn/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
ExecStart=/usr/local/openvpn/sbin/openvpn --config wangwu.conf
Register the unit as a system service and enable it at boot [enable boot start as needed]. The copy is installed under a plain name rather than as a template, so the %i specifier is no longer available; that is why ExecStart names wangwu.conf explicitly.
# cp -a /usr/local/openvpn/lib/systemd/system/openvpn-server@.service /usr/lib/systemd/system/openvpn.service
# systemctl enable openvpn.service
Client configuration for wangwu
Notes:
1. Pay attention to the paths: create a wangwu directory under /etc/openvpn.
2. ca.crt, wangwu.crt, wangwu.key and ta.key were created earlier; only wangwu.ovpn needs to be downloaded and modified separately.
mkdir /etc/openvpn/wangwu
Copy the certificate files listed in note 2 into /etc/openvpn/wangwu.
The content of wangwu.conf is as follows:
client
dev tun
proto tcp
remote 10.0.0.190 1194   # server IP
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert wangwu.crt
key wangwu.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
compress lz4-v2
verb 3
;mute 20
Start the client and connect to the VPN
systemctl start openvpn.service
Enter Private Key Password: ******   # enter the password that was set when the user was created (for an unattended start, point askpass at a root-only file holding it)
ps -ef | grep 'open'
nobody   11266     1  0 21:56 ?        00:00:00 /usr/local/openvpn/sbin/openvpn --config wangwu.conf
The process is running as nobody, which confirms that the user/group directives dropped privileges after initialization.
Testing is omitted here.
OpenVPN access control
1. Add the department or personnel configuration to the main configuration file:
vim /etc/openvpn/server/server.conf
server 10.8.0.0 255.255.255.0   # this pool can access everything
# 10.8.1.0 is the address segment assigned to administrators, e.g. operations
server 10.8.1.0 255.255.255.0
# 10.8.2.0 is assigned to developers using Java, e.g. research and development
server 10.8.2.0 255.255.255.0
# Note: only one server directive is effective (a later one overrides an earlier one). Addresses pushed from the ccd files that lie outside the active pool must be routed to the tunnel interface on the server, which is what step 5 does.
client-config-dir ccd   # create the ccd directory in the directory of this configuration file
2. Configure per-user settings
In the /etc/openvpn/server/ccd directory create a file named after the user (the common name of the client certificate)
vim zhangsan
ifconfig-push 10.8.1.5 10.8.1.6   # the first address is the client's tunnel IP, the second is the server-side endpoint of the pair
3. Restart the OpenVPN service
systemctl restart openvpn
4. Add an access control policy
iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -d 172.17.0.0/16 -o eth0 -j MASQUERADE
Save: iptables-save > /etc/sysconfig/iptables
Check the firewall configuration: iptables -L -n -t nat
iptables -t nat -A POSTROUTING -s 10.8.2.0/24 -d 172.17.20.16 -o eth0 -j MASQUERADE
Note that these nat rules only decide which traffic is source-translated; they do not block anything. To actually confine each segment to its destination, filter in the FORWARD chain of the filter table (a default DROP policy with explicit ACCEPT rules for the permitted destinations).
5. Add the route
route add -net 10.8.1.0/24 gw 10.8.2.1
ifconfig-push: each pair of virtual IP addresses represents the client and server endpoints of one tunnel. The pairs must be taken from successive /30 subnets (that is, xxx.xxx.xxx.xxx/30, a 30-bit netmask) in order to be compatible with Windows clients and the TAP-Windows driver. Specifically, the last octet of each endpoint's IP address must be taken from the following set:
[1,2] [5,6] [9,10] [13,14] [17,18]
[21,22] [25,26] [29,30] [33,34] [37,38]
[41,42] [45,46] [49,50] [53,54] [57,58]
[61,62] [65,66] [69,70] [73,74] [77,78]
[81,82] [85,86] [89,90] [93,94] [97,98]
[101,102] [105,106] [109,110] [113,114] [117,118]
[121,122] [125,126] [129,130] [133,134] [137,138]
[141,142] [145,146] [149,150] [153,154] [157,158]
[161,162] [165,166] [169,170] [173,174] [177,178]
[181,182] [185,186] [189,190] [193,194] [197,198]
[201,202] [205,206] [209,210] [213,214] [217,218]
[221,222] [225,226] [229,230] [233,234]
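Steps 1 to 5 and the /30 pairing rule above, as an added example that is not part of the original page: a shell helper that gives a user the K-th valid net30 endpoint pair from a department pool, writes the ccd file, refuses a pair already pushed to another user, and prints the rules of step 4 together with the FORWARD accept that actually confines the segment. The department table, user names, temporary ccd directory and the tun0/eth0 interface names are assumptions for the demo; the pair check covers the whole /24 through [253,254], which is beyond where the page's table stops.

```shell
#!/bin/sh
# Added example, not code from the original page: helpers for the per-user
# ifconfig-push assignment (steps 1-2, 5) and per-department rules (step 4).
# The department table, users and ccd directory are constructed for the demo;
# the pools reuse the page's 10.8.1.0/24 (operations) and 10.8.2.0/24
# (development). Needs only a POSIX shell with awk.

# Constructed department table: name, /24 pool prefix, permitted destination,
# egress interface.
DEPTS='ops 10.8.1 172.17.0.0/16 eth0
dev 10.8.2 172.17.20.16 eth0'

# dept_field NAME N: column N of the department row (2 = pool, 3 = dest, 4 = iface).
dept_field() {
    printf '%s\n' "$DEPTS" | awk -v n="$1" -v f="$2" '$1 == n { print $f; found = 1 } END { exit !found }'
}

# net30_pair_ok CLIENT_IP SERVER_IP: true if the two addresses form one of the
# /30 endpoint pairs from the table above: same /24 and last octets (4k+1, 4k+2).
# Covers the whole /24, through [253,254], beyond where the page's table stops.
net30_pair_ok() {
    c_oct=${1##*.}; s_oct=${2##*.}
    [ "${1%.*}" = "${2%.*}" ] || return 1
    for o in "$c_oct" "$s_oct"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$c_oct" -le 253 ] && [ $((c_oct % 4)) -eq 1 ] && [ "$s_oct" -eq $((c_oct + 1)) ]
}

# dept_rules DEPT: the rules of step 4 for one department. The MASQUERADE line
# only translates addresses; what confines the segment is the FORWARD accept,
# which assumes (not shown on the page) that the tunnel interface is tun0, that
# FORWARD has a default DROP policy, and the usual ESTABLISHED,RELATED accept
# for return traffic.
dept_rules() {
    pool=$(dept_field "$1" 2) || return 1
    dest=$(dept_field "$1" 3); oif=$(dept_field "$1" 4)
    printf 'iptables -A FORWARD -i tun0 -s %s.0/24 -d %s -o %s -j ACCEPT\n' "$pool" "$dest" "$oif"
    printf 'iptables -t nat -A POSTROUTING -s %s.0/24 -d %s -o %s -j MASQUERADE\n' "$pool" "$dest" "$oif"
}

# provision_user CCD_DIR USER DEPT K: write CCD_DIR/USER with the K-th endpoint
# pair of the department pool (K = 1 gives .5/.6 as in step 2; K = 0 is the
# [1,2] pair, which the server directive reserves for the server itself, so it
# is refused). A pair already pushed to another user in CCD_DIR is refused,
# since two clients would fight over one address. Prints the line written.
provision_user() {
    ccd=$1; user=$2; k=$4
    pool=$(dept_field "$3" 2) || { echo "unknown department: $3" >&2; return 1; }
    [ "$k" -ge 1 ] 2>/dev/null && [ "$k" -le 63 ] || { echo "K must be 1..63" >&2; return 1; }
    client="$pool.$((4 * k + 1))"; server="$pool.$((4 * k + 2))"
    net30_pair_ok "$client" "$server" || { echo "not a /30 pair: $client $server" >&2; return 1; }
    if awk -v ip="$client" '$1 == "ifconfig-push" && $2 == ip { found = 1 } END { exit !found }' "$ccd"/* 2>/dev/null; then
        echo "$client is already assigned in $ccd" >&2; return 1
    fi
    mkdir -p "$ccd"
    printf 'ifconfig-push %s %s\n' "$client" "$server" | tee "$ccd/$user"
}

# Demo with a temporary ccd directory (constructed; the real one is
# /etc/openvpn/server/ccd).
CCD=$(mktemp -d); trap 'rm -rf "$CCD"' EXIT
provision_user "$CCD" zhangsan ops 1      # ifconfig-push 10.8.1.5 10.8.1.6
provision_user "$CCD" lisi dev 2          # ifconfig-push 10.8.2.9 10.8.2.10
dept_rules ops
dept_rules dev
```

The helper keeps the page's convention that the first address of the pair is the client's tunnel IP and the second the server-side endpoint. Because it validates the pair against the /30 rule and scans the existing ccd files, a typo such as ifconfig-push 10.8.1.6 10.8.1.7, which a Windows TAP client cannot use, or a pair copied from another user's file is caught before the service is restarted.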
Create a new user:
cd /root/easy-rsa-3.0.7/easyrsa3/
./easyrsa build-client-full test
Delete an OpenVPN user that is no longer used:
cd /root/easy-rsa-3.0.7/easyrsa3/
./easyrsa revoke test
./easyrsa gen-crl
Revocation only takes effect once the regenerated CRL (pki/crl.pem) is copied to the server and the server configuration loads it with crl-verify; until then the revoked certificate can still connect.