OpenVPN Server - Linux

Setting up an OpenVPN server

  1. Install OpenVPN Server
    # yum install openvpn
  2. Install easy-rsa
    # yum install easy-rsa
    # mkdir ~/easy-rsa
    # cp -ai /usr/share/easy-rsa/2.0/* ~/easy-rsa/
  3. Initialize vars appropriately
    Edit the defaults in vars so that the certificate fields do not have to be typed again for every certificate. The file ships with KEY_SIZE=1024; 1024-bit RSA keys and DH parameters are no longer adequate, so raise it to 2048 (as the file's own comment suggests) before generating anything. The value also names the DH file that build-dh writes (dh2048.pem rather than dh1024.pem). The example outputs further down come from a run that still used the 1024 default.
    # vi vars
    
    .
    .
    .
    # Increase this to 2048 if you
    # are paranoid.  This will slow
    # down TLS negotiation performance
    # as well as the one-time DH parms
    # generation process.
    export KEY_SIZE=2048
    .
    .
    .
    # These are the default values for fields
    # which will be placed in the certificate.
    # Don't leave any of these fields blank.
    export KEY_COUNTRY="TW"
    export KEY_PROVINCE="Taiwan"
    export KEY_CITY="NewTaipei"
    export KEY_ORG="Wieson"
    export KEY_EMAIL="eddie@wieson.com"
    export KEY_OU="WSY"
    .
    .
    .
    export KEY_CN="SVNServer"
    .
    .
    # cd ~/easy-rsa
    # . vars
    # ./clean-all
    clean-all wipes the keys/ directory (CA key included), so run it once at initial setup only; never run it again on a CA that has already issued certificates.
  4. Generate the root CA
    Before continuing, make sure the system time is correct. Preferably, set up NTP; a wrong clock produces certificates with a wrong validity period. Keep ca.key on this machine only: whoever holds it can issue certificates that your server accepts.
    # ./build-ca

    Example

    [root@RD30 easy-rsa]# ./build-ca
    Generating a 1024 bit RSA private key
    .++++++
    .++++++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:TW
    State or Province Name (full name) [CA]:Taiwan
    Locality Name (eg, city) [SanFrancisco]:Taoyuan
    Organization Name (eg, company) [Fort-Funston]:Mapower
    Organizational Unit Name (eg, section) []:Software
    Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:Eddie
    Name []:
    Email Address [me@myhost.mydomain]:eddie@mapower.com.tw
  5. Generate the server certificate
    # ./build-key-server server
    or, to name it after the host:
    # ./build-key-server $( hostname | cut -d. -f1 )
    Do not use ./build-inter for this step. It builds an intermediate CA certificate (basicConstraints CA:TRUE, without the server extensions): clients that verify the server with remote-cert-tls server or ns-cert-type server will reject it, and the VPN server would hold a key that can sign further certificates. After signing, confirm with openssl x509 -in keys/server.crt -noout -text that Basic Constraints shows CA:FALSE and that TLS Web Server Authentication is listed. The challenge password prompt can be left empty; it is a CSR attribute with no role here.

    Example (this original run used ./build-inter; the prompts are the same with build-key-server)

    [root@RD30 easy-rsa]# ./build-inter $( hostname | cut -d. -f1 )
    Generating a 1024 bit RSA private key
    .............++++++
    .....................................++++++
    writing new private key to 'RD30.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:TW
    State or Province Name (full name) [CA]:Taiwan
    Locality Name (eg, city) [SanFrancisco]:Taoyuan
    Organization Name (eg, company) [Fort-Funston]:Mapower
    Organizational Unit Name (eg, section) []:Software
    Common Name (eg, your name or your server's hostname) [RD30]:
    Name []:
    Email Address [me@myhost.mydomain]:eddie@mapower.com.tw
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:784026
    An optional company name []:eddie
    Using configuration from /root/easy-rsa/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'TW'
    stateOrProvinceName   :PRINTABLE:'Taiwan'
    localityName          :PRINTABLE:'Taoyuan'
    organizationName      :PRINTABLE:'Mapower'
    organizationalUnitName:PRINTABLE:'Software'
    commonName            :PRINTABLE:'RD30'
    emailAddress          :IA5STRING:'eddie@mapower.com.tw'
    Certificate is to be certified until Oct 14 12:17:45 2020 GMT (3650 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    [root@RD30 easy-rsa]#
  6. Generate the Diffie-Hellman parameters; the server needs this file for TLS. The file is named after KEY_SIZE, so with KEY_SIZE=2048 it is keys/dh2048.pem (keys/dh1024.pem with the old default).
    # ./build-dh
  7. Copy the generated keys to the service directory
    # mkdir /etc/openvpn/keys    (if it does not exist yet)
    # cp -ai keys/server.{crt,key} keys/ca.crt keys/dh2048.pem /etc/openvpn/keys/
    Use the name you passed to build-key-server (server, or the host name) and the DH file name that matches your KEY_SIZE. Copy only the server's own certificate and key, ca.crt and the DH file; ca.key stays on the CA machine. The copied private key must be readable by root only (mode 0600).
  8. Edit /etc/openvpn/server.conf (copy the sample from /usr/share/doc/openvpn-2.3.2/sample/sample-config-files)
    # cp -ai /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/roadwarrior-server.conf /etc/openvpn/server.conf
    
    The directives that matter:
    local a.b.c.d  -->  address to listen on; leave the line out to listen on all addresses
    port 1194  -->  listen port
    proto udp  -->  udp or tcp; udp is OpenVPN's default and what the firewall rules below allow. Use the same protocol in the firewall rules and in the client config.
    dev tun  -->  tun or tap
    tls-server
    ca keys/ca.crt  -->  CA certificate copied in step 7
    cert keys/server.crt  -->  server certificate; cert and key must name the pair generated in step 5 (server.crt/server.key, or hostname.crt/hostname.key), not a mix of two names
    key keys/server.key  -->  server private key
    dh keys/dh2048.pem  -->  DH parameters from step 6 (dh1024.pem if generated with KEY_SIZE=1024)
    server 192.168.125.0 255.255.255.0  -->  VPN address pool (the server takes 192.168.125.1)
    push "redirect-gateway def1"  -->  route all client traffic through the VPN; def1 overrides the client's default route with two /1 routes instead of replacing it, which is the form the OpenVPN manual recommends
    push "dhcp-option DNS 168.95.1.1"  -->  DNS server pushed to clients, so name lookups also go through the tunnel
    duplicate-cn  -->  lets several clients connect with the same certificate at the same time. Leave it out unless you really need it: one leaked client key then serves any number of attackers concurrently, and the status list no longer tells users apart. Issue one certificate per user instead.
    The keys/... paths are relative to the directory OpenVPN is started in (the init script uses /etc/openvpn); absolute paths such as /etc/openvpn/keys/ca.crt avoid any doubt.
  9. Start OpenVPN
    # service openvpn start
  10. If it started, check the state with the following commands:
    ifconfig, to see the VPN interface (tun or tap)
    netstat -tulnp, to confirm something is listening on port 1194 (udp or tcp, matching the proto line)
  11. Verify that firewall rules allow traffic in from tun+, out from the LAN to tun+, and in from the outside on UDP port 1194 (TCP 1194 if server.conf says proto tcp; the -p in the rule must match the proto line).
  12. The following should work (assuming your outside interface is eth1 and your inside interface is eth0):
    iptables -A INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT
    iptables -A FORWARD -i eth0 -o tun+ -j ACCEPT
    iptables -A FORWARD -i eth1 -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
    Two caveats. FORWARD -i tun+ -j ACCEPT lets VPN clients reach every network the server routes to; narrow it with -d if clients only need specific hosts. And with push "redirect-gateway" the kernel must forward (net.ipv4.ip_forward = 1) and the server must either masquerade the 192.168.125.0/24 pool on eth1 (a nat POSTROUTING rule) or the LAN router must have a route back to that pool, otherwise client traffic leaves and the replies never return.
  13. Or for genfw (my firewall-generation script, not currently available in Fedora), this in /etc/sysconfig/genfw/rules:
    append INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
    append INPUT -i tun+ -j ACCEPT
    append FORWARD -i tun+ -j ACCEPT
    append FORWARD -i eth0 -o tun+ -j ACCEPT
    append FORWARD -i eth1 -o tun+ -j established
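The following Python script is an added example, not code from the original page or from OpenVPN. It checks a server.conf text for the points raised in steps 8, 11 and 12: the proto line against the protocol the firewall rule allows, 1024-bit DH parameters, a cert/key pair whose names do not match, redirect-gateway without def1, duplicate-cn, and a management line bound to a non-local address or lacking a pw-file. The two embedded configs are constructed for the example: the first reproduces the weak settings shown above, the second the corrected ones (the addresses and the pw-file path are placeholders).

```python
"""Static check of an OpenVPN server.conf for the weak settings discussed above.
Added example, not code from the original page or from OpenVPN."""
import os
import re

# Constructed sample: the settings the page shows, including the weak ones
WEAK_CONF = """\
tls-server
local 192.0.2.10
port 1194
proto tcp
dev tun
ca keys/ca.crt
cert keys/4000A.crt          # name does not match the key below
key keys/server.key
dh keys/dh1024.pem
server 192.168.125.0 255.255.255.0
push "redirect-gateway"
push "dhcp-option DNS 168.95.1.1"
duplicate-cn
management 0.0.0.0 8998
"""

# Constructed sample: the same server with the weak points corrected
HARDENED_CONF = """\
tls-server
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh2048.pem
server 192.168.125.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 168.95.1.1"
management 127.0.0.1 8998 /etc/openvpn/management.pw
"""


def parse_directives(conf_text):
    """Return [(directive, [args])], dropping blank lines and # / ; comments.
    Quotes around push payloads are removed so their words can be inspected."""
    directives = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        directives.append((words[0], [w.strip('"') for w in words[1:]]))
    return directives


def _args_of(directives, name):
    return [args for d, args in directives if d == name]


def lint_server_conf(conf_text, firewall_proto=None):
    """Return a list of findings (empty means no known weak setting).
    firewall_proto is the -p value used in the iptables rule for port 1194."""
    d = parse_directives(conf_text)
    findings = []

    proto_args = _args_of(d, "proto")
    proto = proto_args[0][0] if proto_args and proto_args[0] else "udp"  # OpenVPN default
    if firewall_proto and firewall_proto != proto:
        findings.append(f"proto {proto} in server.conf but the firewall rule allows {firewall_proto}")

    for args in _args_of(d, "dh"):
        m = re.search(r"dh(\d+)\.pem$", args[0]) if args else None
        if m and int(m.group(1)) < 2048:  # easy-rsa names the file after KEY_SIZE
            findings.append(f"dh {args[0]}: {m.group(1)}-bit DH parameters, rebuild with KEY_SIZE=2048")

    certs, keys = _args_of(d, "cert"), _args_of(d, "key")
    if certs and keys:
        cert_stem = os.path.splitext(os.path.basename(certs[0][0]))[0]
        key_stem = os.path.splitext(os.path.basename(keys[0][0]))[0]
        if cert_stem != key_stem:
            findings.append(f"cert {certs[0][0]} and key {keys[0][0]} are not named as a pair")

    for args in _args_of(d, "push"):
        if args and args[0] == "redirect-gateway" and "def1" not in args:
            findings.append('push "redirect-gateway" without def1 replaces the client default route '
                            'instead of overriding it; use "redirect-gateway def1"')

    if _args_of(d, "duplicate-cn"):
        findings.append("duplicate-cn: one certificate can be used by many clients at once; "
                        "issue one certificate per user instead")

    for args in _args_of(d, "management"):
        host = args[0] if args else ""
        if host.startswith("/"):  # unix socket: protect it with file permissions instead
            continue
        if host not in ("127.0.0.1", "localhost", "::1"):
            findings.append(f"management bound to {host}: reachable from the network")
        if len(args) < 3:  # management IP port [pw-file]; no pw-file means no authentication
            findings.append("management without pw-file: anyone who can connect can run kill/signal")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        problems = lint_server_conf(conf, firewall_proto="udp")
        print(f"{name}: {len(problems)} finding(s)")
        for p in problems:
            print("  -", p)
```

Run it against your own file with lint_server_conf(open("/etc/openvpn/server.conf").read(), firewall_proto="udp") and pass "tcp" instead if your iptables rule uses -p tcp; the check is purely textual and does not open the certificate or key files.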

Get Client List

  1. In the server config add management IP port [pw-file]
    management localhost 8998
    Bind it only to localhost (as here) or to a unix socket, and set a pw-file. Without a pw-file the interface is unauthenticated, and anyone who can connect to the port can list users, drop sessions (kill) and stop the daemon (signal SIGTERM). Never bind it to 0.0.0.0 or to the server's public address.
  2. Use telnet to connect to the management interface
    telnet localhost 8998
  3. Use status to list the connected clients, or help to see the available commands
    For example:
    [root@4000A openvpn]# telnet 127.0.0.1 8998
    Trying 127.0.0.1...
    Connected to 127.0.0.1.
    Escape character is '^]'.
    >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
    status
    OpenVPN CLIENT LIST
    Updated,Sat May  6 09:46:15 2017
    Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
    eddie,220.189.249.222:59038,1309218,3106911,Sat May  6 09:15:38 2017
    blue,112.17.235.18:12333,27023,24983,Sat May  6 09:46:01 2017
    ROUTING TABLE
    Virtual Address,Common Name,Real Address,Last Ref
    192.168.126.6,eddie,220.189.249.222:59038,Sat May  6 09:45:52 2017
    192.168.126.10,blue,112.17.235.18:12333,Sat May  6 09:46:15 2017
    GLOBAL STATS
    Max bcast/mcast queue length,0
    END
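The script below is an added example, not code from the original page or from OpenVPN. It fetches the status output over the management interface and parses the version-1 CLIENT LIST / ROUTING TABLE format shown in the session above into Python records, then flags Common Names with more than one concurrent session, which is what you see when duplicate-cn is enabled and a key is shared or leaked. The embedded status text is constructed in the same layout as the session above (names and addresses are made up); the host, port and password arguments of fetch_status are assumptions matching the management line on this page.

```python
"""Fetch and parse the `status` output of the OpenVPN management interface
(the version-1 CLIENT LIST / ROUTING TABLE format shown above).
Added example, not code from the original page or from OpenVPN."""
import socket

# Constructed sample in the same layout as the telnet session above
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Sat May  6 09:46:15 2017
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.5:59038,1309218,3106911,Sat May  6 09:15:38 2017
bob,198.51.100.7:12333,27023,24983,Sat May  6 09:46:01 2017
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.126.6,alice,203.0.113.5:59038,Sat May  6 09:45:52 2017
192.168.126.10,bob,198.51.100.7:12333,Sat May  6 09:46:15 2017
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

SECTIONS = ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS")


def parse_status(text):
    """Return {"clients": [...], "routes": [...]} from version-1 status text.
    Each section is CSV whose first row is the column header; the Updated
    line, GLOBAL STATS and the >INFO banner are skipped."""
    clients, routes = [], []
    section, header = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(">"):
            continue
        if line == "END":
            break
        if line in SECTIONS:
            section, header = line, None
            continue
        if section == "GLOBAL STATS" or line.startswith("Updated,"):
            continue
        fields = line.split(",")
        if header is None:
            header = fields  # first data row of a section names its columns
            continue
        row = dict(zip(header, fields))
        if section == "OpenVPN CLIENT LIST":
            row["Bytes Received"] = int(row["Bytes Received"])
            row["Bytes Sent"] = int(row["Bytes Sent"])
            clients.append(row)
        elif section == "ROUTING TABLE":
            routes.append(row)
    return {"clients": clients, "routes": routes}


def duplicate_cns(status):
    """Common Names with more than one concurrent session. This only happens
    with duplicate-cn set and usually means a shared or leaked client key."""
    counts = {}
    for c in status["clients"]:
        counts[c["Common Name"]] = counts.get(c["Common Name"], 0) + 1
    return {cn for cn, n in counts.items() if n > 1}


def fetch_status(host="127.0.0.1", port=8998, password=None, timeout=5.0):
    """Connect to `management host port`, answer the pw-file prompt if one is
    configured, send `status` and return the raw text up to the END line.
    Host and port are assumptions matching the management line on this page."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if password is not None:
            sock.sendall(password.encode() + b"\n")  # answers "ENTER PASSWORD:"
        sock.sendall(b"status\n")
        buf = b""
        while not buf.rstrip().endswith(b"\nEND"):
            chunk = sock.recv(4096)
            if not chunk:  # connection closed, e.g. after a bad password
                break
            buf += chunk
        sock.sendall(b"quit\n")
    return buf.decode(errors="replace")


if __name__ == "__main__":
    status = parse_status(SAMPLE_STATUS)
    for c in status["clients"]:
        print(f'{c["Common Name"]:10} {c["Real Address"]:22} rx={c["Bytes Received"]} tx={c["Bytes Sent"]}')
    print("shared certificates:", duplicate_cns(status) or "none")
```

Against a live server, parse_status(fetch_status(password=...)) gives the same records; the banner and password response lines that precede the client list are ignored by the parser.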
    
service/openvpn/openvpn_server_-_linux.txt · Last modified: 2019/11/16 08:12 (external edit)