内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。
风哥提示:本文档介绍VPN服务器的部署和配置方法。
Part01-OpenVPN部署
1.1 安装OpenVPN
[root@vpn-server ~]# dnf install -y openvpn easy-rsa
# 准备easy-rsa工作目录
[root@vpn-server ~]# mkdir -p /etc/openvpn/easy-rsa
[root@vpn-server ~]# cp -r /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa/
[root@vpn-server ~]# cd /etc/openvpn/easy-rsa
# 配置变量
[root@vpn-server easy-rsa]# cat > vars << 'EOF'
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Beijing"
set_var EASYRSA_REQ_CITY "Beijing"
set_var EASYRSA_REQ_ORG "Example Company"
set_var EASYRSA_REQ_EMAIL "admin@fgedu.net.cn"
set_var EASYRSA_REQ_OU "IT Department"
set_var EASYRSA_ALGO "ec"
set_var EASYRSA_DIGEST "sha512"
EOF
# 初始化PKI
[root@vpn-server easy-rsa]# ./easyrsa init-pki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
# 创建CA(nopass:不为CA私钥设置口令,因此不会出现口令提示,CA私钥以明文保存在 pki/private/ 下)
[root@vpn-server easy-rsa]# ./easyrsa build-ca nopass
Using SSL: openssl OpenSSL 3.0.1 14 Dec 2021
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'Example CA'
Certificate is to be certified until Apr 4 23:00:00 2036 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt
# 生成服务器证书
[root@vpn-server easy-rsa]# ./easyrsa build-server-full server nopass
Using SSL: openssl OpenSSL 3.0.1 14 Dec 2021
Generating a EC private key
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-12345.tmp'
-----
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Apr 4 23:00:00 2027 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
# 生成DH参数
[root@vpn-server easy-rsa]# ./easyrsa gen-dh
Using SSL: openssl OpenSSL 3.0.1 14 Dec 2021
Generating DH parameters, 2048 bit long safe prime
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem
# 生成TLS密钥
[root@vpn-server easy-rsa]# openvpn --genkey secret /etc/openvpn/ta.key
1.2 配置OpenVPN服务器
[root@vpn-server ~]# cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/
[root@vpn-server ~]# cp /etc/openvpn/easy-rsa/pki/issued/server.crt /etc/openvpn/
[root@vpn-server ~]# cp /etc/openvpn/easy-rsa/pki/private/server.key /etc/openvpn/
[root@vpn-server ~]# cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/
# 创建服务器配置
[root@vpn-server ~]# cat > /etc/openvpn/server.conf << 'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-GCM
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
auth SHA256
max-clients 100
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
EOF
# 创建日志目录
[root@vpn-server ~]# mkdir -p /var/log/openvpn
# 配置防火墙和NAT
[root@vpn-server ~]# firewall-cmd --permanent --add-service=openvpn
success
[root@vpn-server ~]# firewall-cmd --permanent --add-masquerade
success
[root@vpn-server ~]# firewall-cmd --reload
success
# 启用IP转发
[root@vpn-server ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@vpn-server ~]# sysctl -p
net.ipv4.ip_forward = 1
# 启动OpenVPN
[root@vpn-server ~]# systemctl enable --now openvpn-server@server
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-server@server.service → /usr/lib/systemd/system/openvpn-server@server.service.
# 查看状态
[root@vpn-server ~]# systemctl status openvpn-server@server
● openvpn-server@server.service - OpenVPN service for server
Loaded: loaded (/usr/lib/systemd/system/openvpn-server@.service; enabled; preset: disabled)
Active: active (running) since Fri 2026-04-04 23:05:00 CST; 10s ago
Main PID: 12345 (openvpn)
Status: "Initialization Sequence Completed"
Tasks: 1 (limit: 11232)
Memory: 5.0M
CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service
└─12345 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf
Part02-客户端配置
2.1 生成客户端证书
[root@vpn-server easy-rsa]# ./easyrsa build-client-full client1 nopass
Using SSL: openssl OpenSSL 3.0.1 14 Dec 2021
Generating a EC private key
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-12345.tmp'
-----
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client1'
Certificate is to be certified until Apr 4 23:00:00 2027 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
# 创建客户端配置(内联CA证书、客户端证书、客户端私钥和ta.key,key-direction 1 与服务器端 tls-auth ta.key 0 对应)
[root@vpn-server ~]# mkdir -p /etc/openvpn/client-configs
[root@vpn-server ~]# cat > /etc/openvpn/client-configs/client1.ovpn << 'EOF'
client
dev tun
proto udp
remote vpn.fgedu.net.cn 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
auth SHA256
auth-nocache
verb 3
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
MIIDSzCCAjOgAwIBAgIUK7lZ8rXjhLsMGf5bNWVtNrqGDPswDQYJKoZIhvcNAQEL
...CA证书内容...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIDWTCCAkGgAwIBAgIRAJJm7T7YrGJqF5JiGJYxPqEwDQYJKoZIhvcNAQELBQAw
...客户端证书内容...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MHQCAQEEIBzZSGVjPZqFPnGKzA8GqF5JiGJYxPqEwDQYJKoZIhvcNAQELBQAw
...客户端密钥内容...
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...TLS密钥内容...
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
# 打包客户端配置
[root@vpn-server ~]# cd /etc/openvpn/client-configs
[root@vpn-server client-configs]# tar czf client1.tar.gz client1.ovpn
# 传输到客户端
[root@client ~]# scp root@vpn-server:/etc/openvpn/client-configs/client1.tar.gz .
client1.tar.gz 100% 5000 5.0KB/s 00:00
# 解压并连接
[root@client ~]# tar xzf client1.tar.gz
[root@client ~]# openvpn --config client1.ovpn
Fri Apr 4 23:10:00 2026 OpenVPN 2.5.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 1 2026
Fri Apr 4 23:10:00 2026 library versions: OpenSSL 3.0.1 14 Dec 2021, LZO 2.10
Fri Apr 4 23:10:00 2026 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.10:1194
Fri Apr 4 23:10:00 2026 UDP link local: (not bound)
Fri Apr 4 23:10:00 2026 UDP link remote: [AF_INET]192.168.1.10:1194
Fri Apr 4 23:10:00 2026 [server] Peer Connection Initiated with [AF_INET]192.168.1.10:1194
Fri Apr 4 23:10:01 2026 TUN/TAP device tun0 opened
Fri Apr 4 23:10:01 2026 /sbin/ip link set dev tun0 up mtu 1500
Fri Apr 4 23:10:01 2026 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
Fri Apr 4 23:10:01 2026 Initialization Sequence Completed
- 使用强加密算法
- 定期轮换证书
- 配置访问控制策略
- 监控VPN连接日志
- 备份CA和证书
本文由风哥教程整理发布,仅用于学习测试使用,转载注明出处:http://www.fgedu.net.cn/10327.html
