openVPN linux 客户端安装使用

安装软件

安装openssl和lzo，lzo用于压缩通讯数据加快传输速度

yum -y install openssl openssl-devel
yum -y install lzo

安装 epel 第三方源，使得可以安装 openvpn ，CentOS 官方源内不含 openvpn 。

yum -y install epel-release
yum -y install openvpn

将下面证书和密钥添加到 /etc/openvpn 下，新建一个 test-client 文件夹存放。client.ovpn 文件中的 .crt 以及 .key 等文件需要写绝对路径。

ca.crt  client1.crt  client1.key  client.ovpn  ta.key

启动客户端服务

[root@hulk ~]# openvpn --config /etc/openvpn/test-client/client.ovpn
Mon Feb 25 15:55:56 2019 OpenVPN 2.4.6 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
Mon Feb 25 15:55:56 2019 library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.06
Mon Feb 25 15:55:56 2019 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Feb 25 15:55:56 2019 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Feb 25 15:55:56 2019 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Feb 25 15:55:56 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]59.172.178.16:1194
Mon Feb 25 15:55:56 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Feb 25 15:55:56 2019 UDP link local: (not bound)
Mon Feb 25 15:55:56 2019 UDP link remote: [AF_INET]55.12.18.19:1194
Mon Feb 25 15:55:56 2019 TLS: Initial packet from [AF_INET]55.12.18.19:1194, sid=602b3fe8 336d7976
Mon Feb 25 15:55:56 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Feb 25 15:55:56 2019 [server] Peer Connection Initiated with [AF_INET]55.12.18.19:1194
Mon Feb 25 15:55:57 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Feb 25 15:55:57 2019 PUSH: Received control message: 'PUSH_REPLY,route 202.114.96.0 255.255.255.0,route 10.0.0.0 255.0.0.0,route 172.29.0.1,topology net30,ping 10,ping-restart 120,ifconfig 172.29.2.170 172.29.2.169'
Mon Feb 25 15:55:57 2019 OPTIONS IMPORT: timers and/or timeouts modified
Mon Feb 25 15:55:57 2019 OPTIONS IMPORT: --ifconfig/up options modified
Mon Feb 25 15:55:57 2019 OPTIONS IMPORT: route options modified
Mon Feb 25 15:55:57 2019 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
Mon Feb 25 15:55:57 2019 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Mon Feb 25 15:55:57 2019 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Feb 25 15:55:57 2019 Incoming Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
Mon Feb 25 15:55:57 2019 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Mon Feb 25 15:55:57 2019 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Feb 25 15:55:57 2019 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Mon Feb 25 15:55:57 2019 ROUTE_GATEWAY 172.18.0.1/255.255.240.0 IFACE=eth0 HWADDR=fa:23:62:87:31:00
Mon Feb 25 15:55:57 2019 TUN/TAP device tun0 opened
Mon Feb 25 15:55:57 2019 TUN/TAP TX queue length set to 100
Mon Feb 25 15:55:57 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Feb 25 15:55:57 2019 /sbin/ip link set dev tun0 up mtu 1500
Mon Feb 25 15:55:57 2019 /sbin/ip addr add dev tun0 local 172.29.2.170 peer 172.29.2.169
Mon Feb 25 15:55:57 2019 /sbin/ip route add 202.114.96.0/24 via 172.29.2.169
Mon Feb 25 15:55:57 2019 /sbin/ip route add 10.0.0.0/8 via 172.29.2.169
Mon Feb 25 15:55:57 2019 /sbin/ip route add 172.29.0.1/32 via 172.29.2.169
Mon Feb 25 15:55:57 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Feb 25 15:55:57 2019 Initialization Sequence Completed

ifconfig 查看网卡，会多出一块 tun0 的网卡，ping 对端的机器，可以 ping 通。

按 crtl + C 中断前台进程，即可退出 VPN 。

^@^CMon Feb 25 15:58:37 2019 event_wait : Interrupted system call (code=4)
Mon Feb 25 15:58:37 2019 /sbin/ip route del 202.114.96.0/24
Mon Feb 25 15:58:37 2019 /sbin/ip route del 10.0.0.0/8
Mon Feb 25 15:58:37 2019 /sbin/ip route del 172.29.0.1/32
Mon Feb 25 15:58:37 2019 Closing TUN/TAP interface
Mon Feb 25 15:58:37 2019 /sbin/ip addr del dev tun0 local 172.29.2.170 peer 172.29.2.169
Mon Feb 25 15:58:37 2019 SIGINT[hard,] received, process exiting
[root@hulk ~]#

为了使用简单，可以把该进程放在后台运行，或者使用 supervisor 来进行守护，增加易用性和可靠性。

======================
Erdong, A Linux user !