# Server-side packages: the VPN daemon (the page renders its name redacted as
# "open***"), easy-rsa for the PKI, and the libraries/tools the daemon needs.
# epel-release goes in first, presumably because some of the packages below
# are only available from EPEL.
pkgs=(
  open***          # redacted on the page; use the real package name
  easy-rsa
  openssl openssl-devel
  lzo lzo-devel
  pam pam-devel
  automake pkgconfig
)
yum install -y epel-release
yum install -y "${pkgs[@]}"


server 端製作證書、密鑰等文件

  • CA 證書生成

[root@localhost ~]#cp /usr/share/doc/open***-2.4.6/sample/sample-config-files/server.conf /etc/open***/      //復制服務端配置文件到配置文件目錄
[root@localhost ~]# mkdir /etc/open***/easy-rsa
[root@localhost ~]# cp -r /usr/share/easy-rsa/3.0.3/* /etc/open***/easy-rsa/
[root@localhost ~]# cd /etc/open***/easy-rsa/
[root@localhost easy-rsa]# cp /usr/share/doc/easy-rsa-3.0.3/vars.example var
[root@localhost easy-rsa]# ls
easyrsa  openssl-1.0.cnf  var  x509-types
[root@localhost easy-rsa]#vim vars        #×××的相關配置,根據需要自定義,也可以忽略不設置(注意:easyrsa 讀取的是 ./vars,上面 cp 時寫成了 var,文件名需改為 vars 才會生效)

set_var EASYRSA_REQ_COUNTRY   "CN"                    #國家
set_var EASYRSA_REQ_PROVINCE  "BJ"                    #省
set_var EASYRSA_REQ_CITY      "Beijing"               #城市
set_var EASYRSA_REQ_ORG       "My ***"                #組織
set_var EASYRSA_REQ_EMAIL     "[email protected]"     #郵箱(頁面上的地址已被脫敏,填寫實際郵箱)
set_var EASYRSA_REQ_OU        "sky"                   #組織單位(部門)

[root@localhost easy-rsa]# ./easyrsa init-pki                                        #初始化pki,生成目錄文件結構
init-pki complete; you may now create a CA or requests.
your newly created PKI dir is: /etc/open***/easy-rsa/pki
[root@localhost easy-rsa]# ls
easyrsa  openssl-1.0.cnf  pki  var  x509-types

[root@localhost easy-rsa]# ./easyrsa build-ca                                      #創建ca證書
Note: using Easy-RSA configuration from: ./vars                                  #使用vars文件裏面配置的信息
Generating a 2048 bit RSA private key
writing new private key to ‘/etc/open***/easy-rsa/pki/private/ca.key.Lg8IKADc4Q‘
Enter PEM pass phrase:                                                                      #設置ca密碼(我此處是寫的silence;正式環境請使用強口令,ca.key 是整個 PKI 的信任根,需妥善保管)
Verifying - Enter PEM pass phrase:                                                     #再輸一遍上面的密碼
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:         #直接回車,就是默認的CA作為名字
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/open***/easy-rsa/pki/ca.crt                                                                     #ca證書存放路徑

  • 服務端證書server.crt

[root@localhost easy-rsa]# ./easyrsa gen-req server nopass          #nopass設置免證書密碼,如果要設置密碼可以取消此參數選項
Note: using Easy-RSA configuration from: ./vars                             #使用vars文件裏面配置的信息
Generating a 2048 bit RSA private key
writing new private key to ‘/etc/open***/easy-rsa/pki/private/server.key.yuG9HRsSlU‘
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
Common Name (eg: your user, host, or server name) [server]:                     #直接回車,默認名字為server
Keypair and certificate request completed. Your files are:
req: /etc/open***/easy-rsa/pki/reqs/server.req
key: /etc/open***/easy-rsa/pki/private/server.key                                          #密鑰key的路徑(使用了 nopass,此文件未加密,需保證僅 root 可讀)


  • 證書簽名

[root@localhost easy-rsa]# ./easyrsa sign server server                    #第一個 server 是證書類型(服務端),第二個 server 是指上面 gen-req 時用的證書名,要與之一致

Note: using Easy-RSA configuration from: ./vars

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

    commonName                = server

Type the word ‘yes‘ to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/open***/easy-rsa/pki/private/ca.key:            #輸入上面ca證書生成時的密碼(silence)
Check that the request matches the signature
Signature ok
The Subject‘s Distinguished Name is as follows
commonName            :PRINTABLE:‘server‘
Certificate is to be certified until Jan 14 09:11:12 2029 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/open***/easy-rsa/pki/issued/server.crt          #服務端證書路徑

  • dh證書

[root@localhost easy-rsa]# ./easyrsa gen-dh                                                 #創建Diffie-Hellman,時間有點長
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time

DH parameters of size 2048 created at /etc/open***/pki/dh.pem                 #dh證書路徑(實際位於 /etc/open***/easy-rsa/pki/dh.pem,見上面 init-pki 的輸出和下面的 cp 命令)


  • ta密鑰

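# Generate the tls-auth (HMAC) key referenced as "tls-auth ta.key 0/1" in the
# server and client configs. It is written into the config directory so the
# relative path in server.conf resolves; `cd` is checked so that a missing
# directory does not leave ta.key in whatever the current directory was.
cd /etc/open*** || exit 1
open*** --genkey --secret ta.key
# ta.key is a shared secret: every client gets a copy over a trusted channel,
# and on the server it should be readable only by root (chmod is harmless if
# genkey already created it with restrictive permissions).
chmod 600 ta.key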

[root@localhost client]# mkdir -p /etc/open***/client
[root@localhost client]# cd /etc/open***/client
[root@localhost client]# cp -r /usr/share/easy-rsa/3.0.3/* /etc/open***/client
[root@localhost client]# cp /usr/share/doc/easy-rsa-3.0.3/vars.example ./vars
[root@localhost client]# ./easyrsa init-pki
[root@localhost client]# ./easyrsa gen-req client nopass               #client為證書名,可自定義,nopass同樣設置免密
Generating a 2048 bit RSA private key
writing new private key to ‘/etc/open***/client/pki/private/client.key.0rbEXauafe‘
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
Common Name (eg: your user, host, or server name) [client]:
Keypair and certificate request completed. Your files are:
req: /etc/open***/client/pki/reqs/client.req
key: /etc/open***/client/pki/private/client.key                                #key路徑(客戶端私鑰是在服務端生成的,交給客戶端時須走安全通道;更穩妥的做法是在客戶端生成密鑰,只把 .req 交給 CA 簽名)


  • 對客戶端證書簽名


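# Sign the client's request with the CA kept under easy-rsa/. The request was
# produced in the separate client PKI (/etc/open***/client/pki), so it must be
# imported into this PKI before it can be signed. The last argument of both
# commands is the short name given to the request ("client"); the first
# argument of `sign` is the certificate type (client vs server).
cd /etc/open***/easy-rsa || exit 1
./easyrsa import-req /etc/open***/client/pki/reqs/client.req client || exit 1
./easyrsa sign client client   # prompts for the CA passphrase and a "yes" confirmation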
Note: using Easy-RSA configuration from: ./vars

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 3650 days:

    commonName                = client

Type the word ‘yes‘ to continue, or any other input to abort.
  Confirm request details: yes                                                            #輸入‘yes‘
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/open***/easy-rsa/pki/private/ca.key:      #輸入ca密碼(silence)
Check that the request matches the signature
Signature ok
The Subject‘s Distinguished Name is as follows
commonName            :PRINTABLE:‘client‘
Certificate is to be certified until Apr 13 14:37:17 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/open***/easy-rsa/pki/issued/client.crt     #最終客戶端證書路徑

  • 修改配置文件


# Copy the server-side material into the directory server.conf resolves its
# relative "ca"/"cert"/"key"/"dh" paths against.
# NOTE(review): gen-dh earlier reported dh.pem at /etc/open***/pki/dh.pem,
# which contradicts the pki dir printed by init-pki; confirm the path exists
# before running this. server.key was created with nopass (unencrypted), so
# keep it root-only after copying.
pki=/etc/open***/easy-rsa/pki
cp "$pki/ca.crt"             /etc/open***/
cp "$pki/private/server.key" /etc/open***/
cp "$pki/issued/server.crt"  /etc/open***/
cp "$pki/dh.pem"             /etc/open***/
  • 修改open***服務端配置文件server.conf

cat /etc/open***/server.conf
port 1194                       #指定端口
proto tcp                        #指定協議(可以指定udp,udp比tcp快)
dev tun                          #采用路由隧道模式
ca ca.crt                        #ca證書位置,相對路徑,表示ca.crt和server.conf要在同一目錄
cert server.crt                #服務端證書
key server.key               #服務端key
dh dh.pem                     #dh密鑰
server <網段> <子網掩碼>                #給客戶端分配的地址池(頁面中網段參數丟失,請按實際填寫,格式為 server 網段 子網掩碼)
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"                       #客戶端網關使用open***服務器網關
push "dhcp-option DNS <DNS服務器IP>"               #指定dns(頁面中地址丟失,請按實際填寫)
push "dhcp-option DNS <備用DNS服務器IP>"
keepalive 10 120                                                                #心跳檢測,10秒檢測一次,2分鐘內沒有回應則視為斷線
tls-auth ta.key 0                                                                  #服務端值為0,客戶端為1
cipher AES-256-CBC                                                      #數據通道加密算法,須與客戶端配置一致
comp-lzo                                                                            #傳輸數據壓縮(注意:在加密隧道上啟用壓縮存在已知的信息洩露風險,2.4 版起已不建議使用;如不需要可刪除此行,並同步去掉客戶端的 comp-lzo)
status open***-status.log
verb 3

  • 啟動open***

# Register the instance for boot (-f overrides an existing symlink) and start
# it now. The instance name after "@" must match the config file name
# (server.conf) in /etc/open***/.
unit=open***@server.service   # unit name as rendered (redacted) on the page
systemctl -f enable "$unit"
systemctl start "$unit"
  • 客戶端所需證書(下載保存到客戶端和客戶端配置文件同一目錄下)

# Files the client needs, sent down with sz (ZMODEM over the current
# terminal session). Two of them are secrets: client.key (the client's
# private key, generated on the server under /etc/open***/client) and ta.key
# (the shared tls-auth key). Only transfer them over a session you trust, and
# consider removing the server-side copy of client.key once the client has it.
for f in \
  /etc/open***/easy-rsa/pki/issued/client.crt \
  /etc/open***/client/pki/private/client.key \
  /etc/open***/easy-rsa/pki/ca.crt \
  /etc/open***/ta.key; do
  sz "$f"
done

[root@localhost ~]# cat client.o*** 
dev tun   
proto tcp                                          #和server端一致(可以使用udp比tcp快)
remote xx.xx.xx.xx 1194                 #指定服務端IP和端口
resolv-retry infinite
remote-cert-tls server                      #要求對端證書必須是服務端類型,防止用一張客戶端證書冒充服務端
ca ca.crt                                           #ca證書
cert client.crt                                    #客戶端證書
key client.key                                   #客戶端密鑰
tls-auth ta.key 1                               #ta密鑰
cipher AES-256-CBC
comp-lzo                                         #傳輸內容壓縮(須與服務端一致;服務端去掉了此項,這裏也要去掉)
verb 3  










