快速搭建Openvpn-centos7.9+openvpn3.0.8（实现路由代理访问）

一、准备工作

1、系统配置和工具

系统：Centos 7.9

工具:   SecureCRT(https://download.topunix.com/SecureCRT.rar)

2、注意事项

下述脚本三个需要注意的地方：

1是公网IP地址，已经用红色标注。
2是内网IP地址，已经用红色标注
3是代理访问，已经用红色标注

3、解释版：

如果要看详细内容：https://www.topunix.com/post-2986.html

二、根据脚本部署

脚本：下述脚本，根据步骤，批量复制执行即可。

1、第一步，先将SecureCRT工具字符编码设置为UTF-8

2、第二部安装openvpn等软件

yum install epel-* -y
yum -y install openvpn easy-rsa iptables-services

cp -r /usr/share/easy-rsa/ /etc/openvpn/
yum info easy-rsa

cd /etc/openvpn/easy-rsa/3.0.8/
touch vars

cat > vars <<"EOF"
export KEY_COUNTRY="CN" #(国家名称)
export KEY_PROVINCE="ShangHai" #(省份名称)
export KEY_CITY="ShangHai" #(城市名称)
export KEY_ORG="HHHH" #(组织机构名称)
export KEY_EMAIL="*****@qq.com" #(邮件地址)
EOF

source ./vars

./easyrsa init-pki 
./easyrsa build-ca nopass

注：最后这里需要输入值：openvpn（此处设置为openvpn即可，其他也可以）

3、第三步：安装配置

cd /etc/openvpn/easy-rsa/3.0.8/
./easyrsa build-server-full server nopass
./easyrsa gen-dh 
openvpn --genkey --secret ta.key

mkdir /etc/openvpn/server/certs
cd /etc/openvpn/server/certs/
cp /etc/openvpn/easy-rsa/3/pki/dh.pem ./
cp /etc/openvpn/easy-rsa/3/pki/ca.crt ./
cp /etc/openvpn/easy-rsa/3/pki/issued/server.crt ./server.crt
cp /etc/openvpn/easy-rsa/3/pki/private/server.key ./server.key
cp /etc/openvpn/easy-rsa/3/ta.key ./

4、第四步:配置脚本

mkdir -p /var/log/openvpn/
chown openvpn:openvpn /var/log/openvpn
mkdir /etc/openvpn/ccd

echo ''>/etc/openvpn/server.conf
touch /etc/openvpn/server.conf
cat > /etc/openvpn/server.conf <<"EOF"
port 11940
proto udp
dev tun
ca /etc/openvpn/server/certs/ca.crt
cert /etc/openvpn/server/certs/server.crt
key /etc/openvpn/server/certs/server.key
dh /etc/openvpn/server/certs/dh.pem
tls-auth /etc/openvpn/server/certs/ta.key 0
server 10.9.0.0 255.255.240.0
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 8.8.8.8"
#push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway def1"
push "route 172.22.4.0 255.255.255.0"
#compress lzo
#duplicate-cn
keepalive 10 120
client-config-dir ccd
comp-lzo
persist-key
persist-tun
# use username and password login
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
username-as-common-name
script-security 3
user openvpn
#client-cert-not-required
log /var/log/openvpn/server.log
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log
verb 3
explicit-exit-notify 1
EOF

echo ''>/etc/openvpn/checkpsw.sh
touch /etc/openvpn/checkpsw.sh
cat > /etc/openvpn/checkpsw.sh <<"EOF"
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################
if [ ! -r "${PASSFILE}" ]; then
echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
exit 1
fi
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
EOF

chmod +x /etc/openvpn/checkpsw.sh
systemctl stop firewalld
systemctl disable firewalld
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux
setenforce 0
systemctl start iptables
systemctl enable iptables
iptables -F
iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE
service iptables save
systemctl restart iptables
echo net.ipv4.ip_forward = 1 >>/etc/sysctl.conf
sysctl -p
systemctl start openvpn@server
systemctl enable openvpn@server 
systemctl status openvpn@server

echo ''>/etc/openvpn/openvpn.sh
touch /etc/openvpn/openvpn.sh
cat > /etc/openvpn/openvpn.sh <<"EOF"
#!/bin/bash
#by openvpn useradd
#name LLL 2022年02月23日13:48:55
###########################################
#user="$1"
#pass="$2"
#ip="$3"
easyrsa="/etc/openvpn/easy-rsa/3.0.8"
function useradd(){
read -p "请输入用户名：" user
if [ ! $user ];then
echo "user is NULL"
read -p "请输入用户名：" user
fi
read -p "请输入密码：" pass
if [ ! $pass ];then
echo "password is NULL"
exit
fi
read -p "请输入IP地址(如：10.9.0.6 10.9.0.5,IP地址以4个为单位增加)：" ip
if [ ! $ip ];then
echo "ip is NULL"
exit
fi
sh /etc/openvpn/client/ovpn_user.sh $user
cat>>/etc/openvpn/ccd/$user<<eof
ifconfig-push $ip
eof
cat>>/etc/openvpn/psw-file<<eof
$user $pass
eof
}
function userdel(){
read -p "请输入您需要删除的用户名：" user
if [ ! $user ];then
echo "user is NULL"
fi
cd $easyrsa
echo "-----------------------------------------------------------------"
echo "出现continue with revocation请输入yes"
echo "------------------------------------------------------------------"
./easyrsa revoke $user
./easyrsa gen-crl
rm -f /etc/openvpn/ccd/$user
}
function alter_user(){
read -p "请输入您需要修改的用户名：" user
read -p "请输入此用户名的新密码：" pass
sed -i '/'"$user"'/d' /etc/openvpn/psw-file
echo "$user $pass" >>/etc/openvpn/psw-file
}
function alter_ip(){
read -p "请输入您需要修改的用户名：" user
if [ ! $user ];then
echo "user is NULL"
exit
fi
read -p "请输入您的新IP地址(如：10.9.0.6 10.9.0.5)：" ip
if [ ! $ip ];then
echo "ip is NULL"
exit
fi
echo ifconfig-push $ip >>/etc/openvpn/ccd/$user
}
echo "请选择您需要做的操作选项"
echo "----------------------------------------------------------------"
select VPN in "创建用户" "删除用户" "修改账号密码" "修改IP地址"
do
case $VPN in
创建用户)
useradd
;;
删除用户)
userdel
;;
修改账号密码)
alter_user
;;
修改IP地址)
alter_ip
;;
esac
done
EOF

echo ''>/etc/openvpn/client/ovpn_user.sh
touch /etc/openvpn/client/ovpn_user.sh
cat > /etc/openvpn/client/ovpn_user.sh <<"EOF"
# ! /bin/bash
set -e
OVPN_USER_KEYS_DIR=/etc/openvpn/client/keys
EASY_RSA_VERSION=3
EASY_RSA_DIR=/etc/openvpn/easy-rsa/
PKI_DIR=$EASY_RSA_DIR/$EASY_RSA_VERSION/pki

for user in "$@"
do
if [ -d "$OVPN_USER_KEYS_DIR/$user" ]; then
rm -rf $OVPN_USER_KEYS_DIR/$user
rm -rf $PKI_DIR/reqs/$user.req
sed -i '/'"$user"'/d' $PKI_DIR/index.txt
fi
cd $EASY_RSA_DIR/$EASY_RSA_VERSION
# 生成客户端 ssl 证书文件
./easyrsa build-client-full $user nopass
# 整理下生成的文件
mkdir -p $OVPN_USER_KEYS_DIR/$user
cp $PKI_DIR/ca.crt $OVPN_USER_KEYS_DIR/$user/ # CA 根证书
cp $PKI_DIR/issued/$user.crt $OVPN_USER_KEYS_DIR/$user/ # 客户端证书
cp $PKI_DIR/private/$user.key $OVPN_USER_KEYS_DIR/$user/ # 客户端证书密钥
cp /etc/openvpn/client/sample.ovpn $OVPN_USER_KEYS_DIR/$user/$user.ovpn # 客户端配置文件
sed -i 's/admin/'"$user"'/g' $OVPN_USER_KEYS_DIR/$user/$user.ovpn
cp /etc/openvpn/server/certs/ta.key $OVPN_USER_KEYS_DIR/$user/ta.key # auth-tls 文件
cd $OVPN_USER_KEYS_DIR
zip -r $user.zip $user
done
exit 0
EOF

echo ''>/etc/openvpn/client/sample.ovpn
touch /etc/openvpn/client/sample.ovpn
cat > /etc/openvpn/client/sample.ovpn<<"EOF"

client
proto udp
dev tun
remote 47.90.252.130 11940
ca ca.crt
cert admin.crt

auth-user-pass #密码验证需要
key admin.key
tls-auth ta.key 1
remote-cert-tls server
persist-tun
persist-key
comp-lzo
verb 3
mute-replay-warnings
redirect-gateway def1
EOF

三、给客户端配置用户名密码及文件

1、运行sh openvpn.sh-配置用户

（1）运行sh openvpn.sh

cd /etc/openvpn
sh openvpn.sh

（2）创建用户和密码。

（3）分配ip地址

10.9.0.6 10.9.0.5
或
10.9.0.10 10.9.0.9
新用户依次递增

4、复制zip文件

下载zip文件并解压，复制到客户端：C:\Program Files\OpenVPN\config

5、连接测试

注意:如果出现报错：auth failed等，可能是脚本/etc/openvpn/checkpsw.sh的问题；

先查看日志/var/log/openvpn/server.log，再重新创建此脚本。如果还不行，重新推到系统，根据脚本一步步进行，不要批量执行了。