1 脚本一键生成配置

genconf.sh脚本如下，gen_crt()生成根证书、DH、服务器证书和客户端证书。需要先安装easy-rsa3，并配置genconf.sh中正确的路径，client()生成客户端配置文件client.conf。server()生成服务器配置文件server.conf和服务器OpenVPN UP脚本server_up.sh

#!/bin/sh -e

EASYRSA_DIR=/work/easy-rsa/easyrsa3

EASYRSA=$EASYRSA_DIR/easyrsa

gen_crt ()

{

rm -rf pki/

$EASYRSA init-pki

$EASYRSA --batch build-ca nopass

$EASYRSA gen-dh

$EASYRSA build-client-full client nopass

$EASYRSA build-server-full server nopass

}

client()

{

cat <<EOT > client.conf

client

dev tun

proto udp

remote your.domain 81

resolv-retry infinite

nobind

persist-key

persist-tun

<ca>

`cat pki/ca.crt`

</ca>

<cert>

`sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' pki/issued/client.crt`

</cert>

<key>

`cat pki/private/client.key`

</key>

cipher AES-256-CBC

verb 3

comp-lzo

up "/etc/openvpn/client_up_down.sh"

down "/etc/openvpn/client_up_down.sh"

EOT

}

server ()

{

cat <<EOT > server.conf

port 81

proto udp

dev tun

<ca>

`cat pki/ca.crt`

</ca>

<cert>

`sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' pki/issued/server.crt`

</cert>

<key>

`cat pki/private/server.key`

</key>

<dh>

`cat pki/dh.pem`

</dh>

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

keepalive 10 120

cipher AES-256-CBC

persist-key

persist-tun

status /etc/openvpn/openvpn-status.log

verb 3

push "dhcp-option DNS 8.8.8.8"

comp-lzo

script-security 2

up "/etc/openvpn/server_up.sh"

EOT

cat <<EOT > server_up.sh

#!/bin/sh

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

EOT

chmod +x server_up.sh

}

[ $# -ne 0 ] && gen_crt

client

server

2 DNS与路由配置脚本

client_up_down.sh 用于在OpenVPN客户端连接建立后添加DNS和路由。连接断开后删除DNS和相关路由。

#!/bin/sh

[ "$script_type" ] || exit 0

route_china ()

{

ifs=`ls /sys/class/net`

for if in $ifs ; do

if [ $if = "lo" -o $if = "ppp0" -o $if = "tun0" ] ; then

continue

fi

/work/sbin/batchroute $1 :china via 192.168.3.1 dev $ if

done

}

case "$script_type" in

up)

ip route delete default || :

ip route add xx.xx.xx.xx via 192.168.3.1 || :

ip route add default dev tun0

route_china add

;;

down)

ip route delete default || :

ip route add default via 192.168.3.1 || :

route_china del

;;

esac

/etc/openvpn/update-resolv-conf

上述脚本使用了batchroute命令（https://insidelinuxdev.net/article/a01d28.html），让中国的IP网段不走VPN连接。

3 启动服务器和客户端

执行./genconf.sh。

服务器上，将server.conf拷贝到/etc/openvpn/目录，将server_up.sh拷贝到/etc/openvpn，给server_up.sh添加可执行权限，执行service openvpn restart或者/etc/init.d/openvpn restart。注意使用systemd启动后OpenVPN进程直到有客户端连接才会启动，不要误以为启动失败。

客户端上，将client.conf和client_up_down.sh拷贝到/etc/openvpn，给client_up_down.sh添加可执行权限。启动方法和服务器一样。

4 在主接口up/down时重启OpenVPN

/etc/network/if-up.d/openvpn

root@herbert-pc:/etc/network# cat if-up.d/openvpn 
#!/bin/bash
 
OPENVPN=/usr/sbin/openvpn
OPENVPN_INIT=/etc/init.d/openvpn
SYSTEMCTL=/bin/systemctl
SYSTEMD=/run/systemd/system
 
if [ ! -x $OPENVPN ]; then
  exit 0
fi
 
echo "`date` openvpn pre up $IFACE" >> /tmp/debug_net_script
 
if [ "$IFACE" == "lo" -o "${IFACE:0:3}" == "tun" ] ; then
    exit 0
fi
 
echo "`date` excute /etc/init.d/openvpn start" >> /tmp/debug_net_script
/etc/init.d/openvpn start
exit 0

/etc/network/if-post-down.d/openvpn

root@herbert-pc:/etc/network# cat if-post-down.d/openvpn 
#!/bin/bash
 
OPENVPN=/usr/sbin/openvpn
OPENVPN_INIT=/etc/init.d/openvpn
SYSTEMCTL=/bin/systemctl
SYSTEMD=/run/systemd/system
 
if [ ! -x $OPENVPN ]; then
  exit 0
fi
 
echo "`date` openvpn pre down $IFCAE" >> /tmp/debug_net_script 
if [ "$IFACE" = "lo" -o "${IFACE:0:3}" = "tun" ] ; then
    exit 0
fi
 
echo "`date` excute /etc/init.d/openvpn stop" >> /tmp/debug_net_script 
/etc/init.d/openvpn stop
exit 0

请准守中国法律，使用VPN仅用于资料浏览、办公等。

ILD

1 脚本一键生成配置

2 DNS与路由配置脚本

3 启动服务器和客户端

4 在主接口up/down时重启OpenVPN