环境

操作系统ubuntu-22.04.3,源码获取openvpn-2.6.6.tar.gz

编译安装openssl-1.1.1w.tar.gz

## Extract
root@192-168-3-11:~# tar xf openssl-1.1.1w.tar.gz

## Configure
# Installs under its own prefix so the distribution's OpenSSL 3.x in /usr stays untouched.
# NOTE(review): 1.1.1w is the last release of the 1.1.1 branch, which is out of public support;
# a locally built copy receives no security updates from apt either — track it manually or avoid it.
root@192-168-3-11:~/openssl-1.1.1w# ./config --prefix=/usr/local/openssl

## Install
make && make install

## Dynamic linker configuration
# Adds the private lib dir to the loader search path.
# NOTE(review): a new ld.so.conf.d entry only takes effect after running `ldconfig`; no such step is shown — confirm it was run.
root@192-168-3-11:/etc/ld.so.conf.d# cat /etc/ld.so.conf.d/ssl.conf
/usr/local/openssl/lib

## Verify
# NOTE(review): this symlink shadows the distribution's /usr/bin/openssl for every user and script on the host
# (and `ln -s` fails if the target already exists; no output is shown). Prefer calling the binary by its full
# path or putting /usr/local/openssl/bin first in PATH for the sessions that need it.
root@192-168-3-11:~/openvpn-2.6.6# ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
root@192-168-3-11:~/openvpn-2.6.6# openssl version
OpenSSL 1.1.1w 11 Sep 2023

编译openvpn

## Build dependencies
# libssl-dev here is the distribution's OpenSSL 3.0.2 headers/libraries, not the 1.1.1w build from the previous section.
root@192-168-3-11:~/openvpn-2.6.6# apt -y install build-essential libnl-genl-3-dev pkg-config libcap-ng-dev libssl-dev liblz4-dev liblzo2-dev libpam0g-dev libsystemd-dev

## Extract
root@192-168-3-11:~# tar xf openvpn-2.6.6.tar.gz

## Configure
# NOTE(review): nothing points configure at /usr/local/openssl (e.g. OPENSSL_CFLAGS/OPENSSL_LIBS or PKG_CONFIG_PATH),
# so it resolves the system OpenSSL found via pkg-config — consistent with the "library versions: OpenSSL 3.0.2"
# line reported below. The custom OpenSSL build is therefore not what this OpenVPN binary uses.
root@192-168-3-11:~/openvpn-2.6.6# ./configure --prefix=/app/openvpn --enable-systemd

# Install
make && make install

# Check
# NOTE(review): the compile-time defines below report enable_systemd=no even though --enable-systemd was passed
# above — presumably this output is from a different configure run; confirm, because a systemd unit with
# Type=notify needs a binary built with systemd support to ever reach the "active" state.
root@192-168-3-11:/app/openvpn/sbin# ./openvpn --version
OpenVPN 2.6.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
DCO version: N/A
Originally developed by James Yonan
Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=auto enable_dco_arg=auto enable_debug=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no

证书生成

EasyRSA-3.1.7.tgz

## Extract
root@192-168-3-11:~# tar xf EasyRSA-3.1.7.tgz
root@192-168-3-11:~/EasyRSA-3.1.7# cp -a vars.example vars

## Edit vars
# Subject fields baked into every request signed by this PKI.
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "ZJ"
set_var EASYRSA_REQ_CITY "HZ"
set_var EASYRSA_REQ_ORG "JISHU"
set_var EASYRSA_REQ_EMAIL "admin@admin.com"
set_var EASYRSA_REQ_OU "xyl"

# RSA-2048 key for CA and issued certs.
set_var EASYRSA_KEY_SIZE 2048

set_var EASYRSA_ALGO rsa

# CA lifetime in days (36500 ≈ 100 years).
set_var EASYRSA_CA_EXPIRE 36500

# Issued-certificate lifetime in days, also ≈ 100 years.
# NOTE(review): with lifetimes this long expiry never forces rotation, so a lost or leaked client
# certificate stays valid until it is explicitly revoked — and no CRL is generated or deployed anywhere
# in this procedure (no `gen-crl`, no `crl-verify` in the server config). Shorter certificate lifetimes
# plus a published CRL are the usual mitigation.
set_var EASYRSA_CERT_EXPIRE 36500

## Initialise the PKI directory (pki/)
root@192-168-3-11:~/EasyRSA-3.1.7# ./easyrsa init-pki

## CA certificate (interactive; without `nopass` the CA key gets a passphrase — keep that key off the VPN host if possible)
root@192-168-3-11:~/EasyRSA-3.1.7# ./easyrsa build-ca

## Server certificate — `nopass` leaves server.key unencrypted so the service can start unattended;
## its protection is therefore entirely file permissions.
root@192-168-3-11:~/EasyRSA-3.1.7# ./easyrsa build-server-full server nopass

## Diffie-Hellman parameters, referenced by the `dh` directive in the server config
root@192-168-3-11:~/EasyRSA-3.1.7# ./easyrsa gen-dh

## Client certificate — no `nopass`, so client.key is passphrase-protected and the passphrase is required at connect time.
# NOTE(review): a single identity "client" is issued here and later bundled for all clients; one certificate
# per device is preferable so that a single device can be revoked without cutting off the others.
root@192-168-3-11:~/EasyRSA-3.1.7# ./easyrsa build-client-full client

## ta.key — static shared key for tls-auth (the same key format is what tls-crypt uses).
# Run from sbin/, so the file lands in /app/openvpn/sbin and is moved below.
root@192-168-3-11:/app/openvpn/sbin# ./openvpn --genkey secret ta.key

## Arrange the material
cd /app/openvpn/
mkdir ssl client conf log
mv sbin/ta.key ssl/
# `cp -a` preserves ownership and mode from the EasyRSA pki/ tree.
# NOTE(review): confirm that ssl/, server.key and ta.key end up root-owned and not group/world readable.
cp -a ~/EasyRSA-3.1.7/pki/ca.crt ssl
cp -a ~/EasyRSA-3.1.7/pki/issued/server.crt ssl
cp -a ~/EasyRSA-3.1.7/pki/private/server.key ssl
cp -a ~/EasyRSA-3.1.7/pki/dh.pem ssl

# Client bundle: CA cert, client cert+key and the shared tls-auth key (direction 1 on the client side).
cp -a ~/EasyRSA-3.1.7/pki/ca.crt client/
cp -a ~/EasyRSA-3.1.7/pki/issued/client.crt client/
cp -a ~/EasyRSA-3.1.7/pki/private/client.key client/
cp -a ssl/ta.key client/

配置文件

/app/openvpn/conf/server-tcp.conf

# OpenVPN 2.6 server: TCP/1197 on all IPv4 addresses, subnet topology 10.9.0.0/24,
# full-tunnel (clients' default route is redirected through the VPN).
mode server
tls-server
# Bind to every local IPv4 address.
local 0.0.0.0
port 1197
proto tcp
dev tun
ca /app/openvpn/ssl/ca.crt
cert /app/openvpn/ssl/server.crt
key /app/openvpn/ssl/server.key # This file should be kept secret
#askpass /app/openvpn/ssl/stdin
dh /app/openvpn/ssl/dh.pem
topology subnet
server 10.9.0.0 255.255.255.0
# Route all client traffic through the tunnel, except the DHCP server's subnet.
push "redirect-gateway def1 bypass-dhcp"
# Internal resolver first, public resolver second.
push "dhcp-option DNS 192.168.3.104"
push "dhcp-option DNS 223.6.6.6"
# NOTE(review): duplicate-cn lets several devices connect with the same certificate. Combined with the
# single shared "client" certificate generated above, revoking one device means revoking every device;
# prefer one certificate per client and drop this directive.
duplicate-cn
keepalive 10 120
# Static key that authenticates (HMAC) every control-channel packet; direction 0 on the server.
# The same key file could be used with tls-crypt, which additionally encrypts the control channel.
tls-auth /app/openvpn/ssl/ta.key 0 # This file is secret
# NOTE(review): in 2.6 the negotiated data-channel ciphers are configured with data-ciphers;
# `cipher` is the legacy fallback directive.
cipher AES-256-GCM
# Compression is left disabled; keep it that way — compressing data inside an encrypted tunnel
# leaks plaintext via packet-size side channels.
;compress lz4-v2
;push "compress lz4-v2"
max-clients 100
# persist-key/persist-tun let the process survive restarts after it has given up privileges.
# NOTE(review): no user/group directives, so the daemon keeps running as root; these two
# directives exist precisely to make `user nobody` / `group nogroup` workable.
persist-key
persist-tun
# NOTE(review): no crl-verify, so a revoked client certificate would still be accepted until a CRL
# is generated (easyrsa gen-crl) and referenced here.
status /app/openvpn/log/openvpn-status.log
log-append /app/openvpn/log/openvpn.log
verb 3
# Don't keep passphrases cached in memory.
auth-nocache
socket-flags TCP_NODELAY
push "socket-flags TCP_NODELAY"
# NOTE(review): daemon forks the process into the background, while the systemd unit that starts this
# config uses Type=notify — confirm the two cooperate; upstream units let systemd supervise the
# foreground process and omit this directive.
daemon openvpn

/lib/systemd/system/openvpn.service

[Unit]
Description=Songbai Openvpn service
After=network.target

[Service]
ExecStart=/app/openvpn/sbin/openvpn --config /app/openvpn/conf/server-tcp.conf
# SIGHUP makes openvpn re-read its configuration.
ExecReload=/bin/kill -HUP $MAINPID
# control-group is systemd's default; every process in the unit's cgroup is signalled on stop.
KillMode=control-group
Restart=always
RestartSec=2
# Do not restart when openvpn exits with status 255.
RestartPreventExitStatus=255
# NOTE(review): Type=notify waits for a READY notification from the binary, which requires OpenVPN to be
# built with systemd support. The --version output earlier on this page reports enable_systemd=no and the
# config uses `daemon` — with that combination systemd would never see the service as started. Confirm the
# installed binary, or use Type=simple and drop `daemon` from the config.
# NOTE(review): no sandboxing here (e.g. CapabilityBoundingSet=, ProtectSystem=, ProtectHome=) although the
# daemon runs as root; the upstream unit files are a good reference for a hardened set.
Type=notify

[Install]
WantedBy=multi-user.target
# NOTE(review): an alias equal to the unit's own name adds nothing — presumably harmless; check with `systemd-analyze verify`.
Alias=openvpn.service

/app/openvpn/client/client.ovpn

# OpenVPN client profile for the TCP/1197 server above.
client
dev tun
proto tcp
remote 112.17.100.50 1197
nobind
persist-key
persist-tun
# NOTE(review): these are absolute Linux paths on the server, but the profile is installed on Windows
# clients (openvpn-2.6.6-amd64.msi below), where /app/openvpn/client does not exist. Use paths relative
# to the .ovpn file, or embed the material inline (<ca>, <cert>, <key>, <tls-auth> blocks plus
# `key-direction 1`) so the profile is a single self-contained file.
ca /app/openvpn/client/ca.crt
cert /app/openvpn/client/client.crt
key /app/openvpn/client/client.key
# NOTE(review): with a file argument, askpass reads the private-key passphrase from the first line of that
# file. Storing it in plain text next to client.key cancels the protection gained by building the client
# certificate without `nopass`; either keep the interactive prompt (`askpass` alone) or treat the key as
# unencrypted and protect the bundle accordingly.
askpass /app/openvpn/client/stdin
# Require the server certificate to carry the server EKU; guards against a client cert being used to impersonate the server.
remote-cert-tls server
# Direction 1 pairs with the server's `tls-auth ... 0`.
tls-auth /app/openvpn/client/ta.key 1
# NOTE(review): in 2.6 the negotiated data-channel ciphers are set with data-ciphers; `cipher` is the legacy fallback.
cipher AES-256-GCM
verb 3
# Don't keep the passphrase cached in memory.
auth-nocache

服务端启动

# Load the new unit, start it at boot and now.
systemctl daemon-reload
systemctl enable openvpn
systemctl start openvpn
systemctl status openvpn

# Listening on every IPv4 address, TCP/1197, as configured with `local 0.0.0.0` / `port 1197`.
root@192-168-3-11:/app/openvpn/log# netstat -lnpt |grep openvpn
tcp 0 0 0.0.0.0:1197 0.0.0.0:* LISTEN 136560/openvpn

# Enable IPv4 forwarding
# NOTE(review): this only shows the current runtime value; to survive a reboot the setting must also be
# in /etc/sysctl.conf or a file under /etc/sysctl.d/, which is not shown here.
root@192-168-3-11:~# sysctl -a |grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1

# iptables rules
# NAT the VPN subnet out of ens160. The rule is not persisted (it is gone after a reboot unless saved),
# and the interface name is host-specific.
# NOTE(review): Docker is present on this host (DOCKER chains below). Docker typically sets the filter-table
# FORWARD policy to DROP, so tun0 <-> ens160 forwarding may additionally need explicit ACCEPT rules in
# FORWARD — the filter table is not inspected here; confirm with `iptables -L FORWARD -n -v`.
root@192-168-3-11:~# iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -o ens160 -j MASQUERADE

root@192-168-3-11:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !localhost/8 ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 anywhere
MASQUERADE all -- 10.9.0.0/24 anywhere

Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere

客户端设置

将/app/openvpn/client打包传给客户端

客户端安装openvpn-2.6.6-amd64.msi

文件导入验证成功