Install and Configure an OpenVPN Server on RHEL 8/CentOS 8

Time: 2020-02-23 14:39:11  Source: igfitidea

This tutorial explains how to install and configure an OpenVPN server on RHEL/CentOS 8. A Virtual Private Network (VPN) lets us traverse untrusted networks securely, as if we were on a trusted LAN.
OpenVPN is a full-featured open source Secure Socket Layer (SSL) VPN solution that supports a wide range of configurations.

With OpenVPN we can easily set up a secure tunnel that extends a private network across a public network.
All traffic sent through the tunnel is encrypted, so we can trust what is received at the other end.
In this article we explore a simple way to install and configure OpenVPN Server on a RHEL/CentOS 8 server.

Install OpenVPN Server on RHEL/CentOS 8

There are two options for setting up an OpenVPN server on RHEL/CentOS 8.

1. Install the OpenVPN server manually - time consuming
2. Install the OpenVPN server using an automated script - simple and fast

This tutorial focuses on using a trusted script to install and configure the OpenVPN server.
We will use the openvpn-install script, which lets us set up our own VPN server in under a minute even if we have never used OpenVPN before.
It is designed to be as unobtrusive and universal as possible.

Step 1: Add the EPEL repository and install Git

Add the EPEL repository to the RHEL/CentOS 8 system.
It provides the OpenVPN package and the required dependencies.

How to install the EPEL repository on RHEL/CentOS 8

We also need Git to pull the code from GitHub.
Make sure it is installed.

sudo dnf -y install git

Step 2: Clone the openvpn-install repository

Now clone the openvpn-install repository using the Git tool installed in Step 1:

$cd ~
$git clone https://github.com/Nyr/openvpn-install.git
Cloning into 'openvpn-install'…
remote: Enumerating objects: 360, done.
remote: Total 360 (delta 0), reused 0 (delta 0), pack-reused 360
Receiving objects: 100% (360/360), 104.04 KiB | 263.00 KiB/s, done.
Resolving deltas: 100% (180/180), done.

Step 3: Run the OpenVPN installer

Change into the openvpn-install directory and run the installer script.

$chmod +x openvpn-install.sh
$sudo ./openvpn-install.sh

We will be prompted several times to change or confirm the installation's default settings.

Welcome to this OpenVPN "road warrior" installer!
 I need to ask you a few questions before starting the setup.
 You can leave the default options and just press enter if you are ok with them.
 First, provide the IPv4 address of the network interface you want OpenVPN
 listening to.
 IP address: 192.168.122.198
 This server is behind NAT. What is the public IPv4 address or hostname?
 Public IP address/hostname: vpn.example.com
 Which protocol do you want for OpenVPN connections?
    1) UDP (recommended)
    2) TCP
 Protocol [1-2]: 1
 What port do you want OpenVPN listening to?
 Port: 1194
 Which DNS do you want to use with the VPN?
    1) Current system resolvers
    2) 1.1.1.1
    3) Google
    4) OpenDNS
    5) Verisign
 DNS [1-5]: 1
 Finally, tell me your name for the client certificate.
 Please, use one word only, no special characters.
 Client name: theitroad
 Okay, that was all I needed. We are ready to set up your OpenVPN server now.
 Press any key to continue…
 Updating Subscription Management repositories.
 Updating Subscription Management repositories.
 Extra Packages for Enterprise Linux 7 - x86_64                                                                         189 kB/s |  16 MB     01:24    
 Last metadata expiration check: 0:00:54 ago on Wed 20 Mar 2019 07:23:31 PM EAT.
 Package epel-release-7-11.noarch is already installed.
 Dependencies resolved.
 Nothing to do.
 Complete!
 Updating Subscription Management repositories.
 Updating Subscription Management repositories.
 Waiting for process with pid 1906 to finish.
 Package iptables-1.8.0-11.el8.x86_64 is already installed.
 Package openssl-1:1.1.1-6.el8.x86_64 is already installed.
 Package ca-certificates-2016.2.24-6.el8.noarch is already installed.
 Dependencies resolved.
  Package                           Arch                    Version                           Repository                                           Size
 Installing:
  openvpn                           x86_64                  2.4.7-1.el7                       epel                                                522 k
 Installing dependencies:
  pkcs11-helper                     x86_64                  1.11-3.el7                        epel                                                 56 k
  libnsl                            x86_64                  2.28-18.el8                       rhel-8-for-x86_64-baseos-beta-rpms                   84 k
  compat-openssl10                  x86_64                  1:1.0.2o-3.el8                    rhel-8-for-x86_64-baseos-beta-rpms                  1.1 M
 Transaction Summary
 Install  4 Packages
 Total download size: 1.8 M
 Installed size: 4.6 M
 Downloading Packages:
 (1/4): pkcs11-helper-1.11-3.el7.x86_64.rpm                                                                              34 kB/s |  56 kB     00:01    
 (2/4): openvpn-2.4.7-1.el7.x86_64.rpm                                                                                  191 kB/s | 522 kB     00:02    
 (3/4): libnsl-2.28-18.el8.x86_64.rpm                                                                                    26 kB/s |  84 kB     00:03    
 (4/4): compat-openssl10-1.0.2o-3.el8.x86_64.rpm
.......................

We need to provide:
- the IP address of the server
- the server's public IP address or hostname if it is behind NAT
- the OpenVPN protocol - TCP or UDP
- the OpenVPN port
- the DNS nameserver to use with the VPN
- the name of the first client configuration file to create

If the installation succeeds, we should receive a message similar to the one below.

..............
 Check that the request matches the signature
 Signature ok
 The Subject's Distinguished Name is as follows
 commonName            :ASN.1 12:'theitroad'
 Certificate is to be certified until Mar 17 16:24:47 2029 GMT (3650 days)
 Write out database with 1 new entries
 Data Base Updated
 Using SSL: openssl OpenSSL 1.1.1 FIPS  11 Sep 2016
 Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
 Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG
 140135296710464:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:90:Filename=/etc/openvpn/easy-rsa/pki/.rnd
 An updated CRL has been created.
 CRL file: /etc/openvpn/easy-rsa/pki/crl.pem
 788
 success
 success
 success
 success
 success
 success
 612
 Created symlink /etc/systemd/system/multi-user.target.wants/Hyman@theitroad → /usr/lib/systemd/system/Hyman@theitroad
 Finished!
 Your client configuration is available at: /root/theitroad.ovpn
 If you want to add more clients, you simply need to run this script again!

The main OpenVPN server configuration file is /etc/openvpn/server.conf; we are free to adjust it to our preference.

$cat  /etc/openvpn/server.conf 
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.122.1"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem

A tun0 virtual interface is created during installation.
It is used for the OpenVPN client subnet.

$ip addr | grep tun0
 3: tun0:  mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
     inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0

The default subnet for this interface is 10.8.0.0/24. The OpenVPN server is assigned the IP address 10.8.0.1.
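As an added example (not code from this article or from the openvpn-install project), the following Python script parses a server.conf, derives the tun0 address OpenVPN assigns itself from the server directive, and flags hardening directives that are missing or weak. The sample lines are copied from the configuration shown above; the set of checks is the editor's own assumption about what a road-warrior server should carry.

```python
import ipaddress

# Constructed sample: the security-relevant lines of the server.conf shown above.
SAMPLE_CONF = """\
port 1194
auth SHA512
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 192.168.122.1"
user nobody
group nobody
crl-verify crl.pem
"""

def parse_conf(text):
    """Return (directive, argument-string) pairs; '#' and ';' start comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *rest = line.split(None, 1)
            entries.append((name, rest[0] if rest else ""))
    return entries

def server_gateway(entries):
    """Derive the address OpenVPN assigns tun0 from 'server <network> <netmask>'."""
    for name, args in entries:
        if name == "server":
            network, netmask = args.split()
            net = ipaddress.IPv4Network(f"{network}/{netmask}")
            return f"{net.network_address + 1}/{net.prefixlen}"  # first host of the pool

def audit(entries):
    """Return findings for hardening directives that are missing or weak."""
    present = {name for name, _ in entries}
    digest = dict(entries).get("auth", "SHA1")  # OpenVPN's default when 'auth' is omitted
    findings = []
    if not present & {"tls-auth", "tls-crypt"}:
        findings.append("no tls-auth/tls-crypt: control channel lacks the HMAC firewall")
    if "crl-verify" not in present:
        findings.append("no crl-verify: certificates revoked by the script stay usable")
    if not {"user", "group"} <= present:
        findings.append("no user/group: the daemon keeps root privileges after start")
    if digest.upper() in ("MD5", "SHA1"):
        findings.append(f"weak data-channel digest: auth {digest}")
    return findings

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print(server_gateway(conf), audit(conf) or "no findings")  # 10.8.0.1/24 no findings
```

Run it against the real file with `parse_conf(open("/etc/openvpn/server.conf").read())` after editing the configuration, so that a removed crl-verify or tls-auth line is noticed before the service is restarted.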

Step 3: Generate OpenVPN user profiles (.ovpn files)

After completing steps 1 to 3, the VPN server is ready for use.
We need to generate the VPN configuration files that users will use.
The same script we used for the installation is used for this.
It manages the creation and revocation of user profiles.

Run the script and select 1 to add a new user.

$sudo ./openvpn-install.sh
Looks like OpenVPN is already installed.
 What do you want to do?
    1) Add a new user
    2) Revoke an existing user
    3) Remove OpenVPN
    4) Exit
 Select an option [1-4]: 1
 Tell me a name for the client certificate.
 Please, use one word only, no special characters.
 Client name: user1
 Using SSL: openssl OpenSSL 1.1.1 FIPS  11 Sep 2016
 Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG
 139966006863680:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:90:Filename=/etc/openvpn/easy-rsa/pki/.rnd
 Generating a RSA private key
 ……………………………………………………………………..+++++
 ……………………………………….+++++
 writing new private key to '/etc/openvpn/easy-rsa/pki/private/user1.key.SeCj8ncgaH'
 Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
 Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG
 139828629223232:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:90:Filename=/etc/openvpn/easy-rsa/pki/.rnd
 Check that the request matches the signature
 Signature ok
 The Subject's Distinguished Name is as follows
 commonName            :ASN.1 12:'user1'
 Certificate is to be certified until Mar 17 16:48:32 2029 GMT (3650 days)
 Write out database with 1 new entries
 Data Base Updated
 Client user1 added, configuration is available at: /root/user1.ovpn

The .ovpn OpenVPN configuration files are located in the /root folder.

$sudo ls /root/| grep ovpn
theitroad.ovpn
user1.ovpn

Revoke an OpenVPN user profile

To revoke a user profile, run the script and select 2.

$sudo ./openvpn-install.sh
Looks like OpenVPN is already installed.
 What do you want to do?
    1) Add a new user
    2) Revoke an existing user
    3) Remove OpenVPN
    4) Exit
 Select an option [1-4]: 2
 Select the existing client certificate you want to revoke:
      1) theitroad
      2) user1
 Select one client [1-2]: 2
 Do you really want to revoke access for client user1? [y/N]: y
 Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
 Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG
 140410149218112:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:90:Filename=/etc/openvpn/easy-rsa/pki/.rnd
 Revoking Certificate FAC5CC0C127D1242CC55BD31B7FB27D3.
 Data Base Updated
 Using SSL: openssl OpenSSL 1.1.1 FIPS  11 Sep 2016
 Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
 Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG
 139874879330112:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:90:Filename=/etc/openvpn/easy-rsa/pki/.rnd
 An updated CRL has been created.
 CRL file: /etc/openvpn/easy-rsa/pki/crl.pem
 Certificate for client user1 revoked!

Uninstall the OpenVPN server on RHEL/CentOS 8

If we no longer need the OpenVPN server, it can be uninstalled with the same installer script.

$sudo ./openvpn-install.sh
Looks like OpenVPN is already installed.
 What do you want to do?
    1) Add a new user
    2) Revoke an existing user
    3) Remove OpenVPN
    4) Exit
 Select an option [1-4]: 3
 Do you really want to remove OpenVPN? [y/N]: y
 788
 success
 success
 success
 success
 success
 success
 Updating Subscription Management repositories.
 Updating Subscription Management repositories.
 Dependencies resolved.
....
Complete!
OpenVPN removed!

Step 4: Connect to the OpenVPN server from a client

We can configure an OpenVPN client on our operating system using the VPN client of our choice.
For those who want to use the official OpenVPN client, go to the download page, get the latest version and install it.

Once it is installed on Windows, navigate to the directory containing the .ovpn profile, right-click the file name and select "Start OpenVPN on this config file".