2020年新型冠状病毒肺炎，促使很多单位紧急采取临时居家远程办公，以保护人身安全。
本文是我公司实际使用的方式，特分享出来，以解决大家的燃眉之急。
一、 自建VPN二大难题解决而很多单位没有支持SSL安全加密的VPN设备，如果能够快速的搭建起安装的VPN系统呢？解决方法：我们采用CentOS Linux 系统，安装开源免费的OpenVPN 软件，来搭建自己可控的、安全的VPN 系统。
2.单位宽带是动态拔号上网，无固定公网IP ，在家的员工如何让VPN 客户端，能够拔上单位里的VPN 服务器呢？解决方法：使用国内优秀的花生壳免费动态域名解析，实现花生壳免费域名和单位宽带公网IP绑定。
自建VPN 系统的2大问题将迎刃而解。
二、 自建VPN核心内容下面我将分为 4 大部份，分别介绍如何来部署一套安全的VPN系统：1. VPN系统网络结构2. 花生壳动态域名解析部署3. 单位OpenVPN服务端部署4.远程用户VPN客户端部署三、VPN系统各个环境部署详解(一）、 VPN系统网络结构图为了便于大家更好的理解本文，我特意画了网络结构图，以便大家理解。
结构如下：二、动态域名解析部署1.先到花生壳官网，免费注册一个动态域名。
参见网址 https://hsk.oray.com/2.在公司的宽带路由器里，动态域名解析里，填写申请到的花生壳帐号，如我的免费域名是 nailxxx.oicp.net。
如果你单位的路由器没有动态域名解析功能，可在单位内任意一台电脑，安装花生壳客户端，填写正确的用户名和密码，即可实现动态域名解析到单位的动态公网IP。
如下图所示：单位路由器 动态域名解析配置3.端口转发配置。
远程办公用户VPN客户端拔入的时候，需要在单位的路由器上，将用户的网络请求，转发给单位内的VPN服务器（本例单位VPN服务器IP 192.168.1.3）,不同厂家的路由器配置界面不一样，但原理均相同。
我单位的路由器配置截图如下：单位路由器端口转发到内网VPN服务器三、OpenVPN 服务端部署VPN 服务端我们以 CentOS 7.6 为系统平台，如下操作，均以 root 帐号执行。
服务器端配置核心工作内容如下：1.Linux环境依赖包的安装2.OpenVPN 服务端软件的安装3.easy-rsa 证书部署4.配置VPN服务1.Linux环境依赖包的安装# yum install openssl openssl-devel pam-devel lzo lzo-devel cmake2.OpenVPN 服务端软件的安装下载地址：http://openvpn.net/ ，该网站访问，需要翻墙，请读者根据自己的喜欢，选择一种。
（1） 解压安装包[root@CentOS7U6 ~]# tar -zxvf openvpn-2.4.8.tar.gz [root@CentOS7U6 ~]# cd openvpn-2.4.8/(2) 执行编译并安装[root@CentOS7U6 openvpn-2.4.8]# ./configure --prefix=/usr/openvpn[root@CentOS7U6 openvpn-2.4.8]# make[root@CentOS7U6 openvpn-2.4.8]# make install(3) 创建工作目录[root@CentOS7U6 openvpn-2.4.8]# cd /usr/openvpn/[root@CentOS7U6 openvpn]# lsinclude lib sbin share[root@CentOS7U6 openvpn]# mkdir etc[root@CentOS7U6 openvpn]# mkdir log[root@CentOS7U6 openvpn]# lsetc include lib log sbin share3.easy-rsa 证书部署下载地址：https://github.com/OpenVPN/easy-rsa(1) 解压 easy-rsa [root@CentOS7U6 ~]# unzip easy-rsa-3.0.6.zip [root@CentOS7U6 ~]# cd easy-rsa-3.0.6/(2) 复制easy-rsa到 OpenVPN安装目录[root@CentOS7U6 easy-rsa-3.0.6]# cp -r easyrsa3/ /usr/openvpn/[root@CentOS7U6 /]# cd /usr/openvpn/[root@CentOS7U6 openvpn]# ls easyrsa3 etc include lib log sbin share(3） 重命名easy-rsa 目录名为 ca [root@CentOS7U6 openvpn]# mv easyrsa3/ ca(4) 准备环境参数文件 vars [root@CentOS7U6 /]# cd /usr/openvpn/ca/[root@CentOS7U6 ca]# lseasyrsa openssl-easyrsa.cnf vars.example x509-types[root@CentOS7U6 ca]# cp vars.example vars[root@CentOS7U6 ca]# ls easyrsa openssl-easyrsa.cnf openssl.cnf vars vars.example x509-types(5) 最终修改后的 vars[root@CentOS7U6 ca]# cat vars |grep -v "#"|grep -v ^$if [ -z "$EASYRSA_CALLER" ]; thenecho "You appear to be sourcing an Easy-RSA 'vars' file." >&2echo "This is no longer necessary and is disallowed. See the section called" >&2echo "'How to use this file' near the top comments for more details." >&2return 1fiset_var EASYRSA "$PWD"set_var EASYRSA_PKI"$EASYRSA/pki"set_var EASYRSA_DN "cn_only"set_var EASYRSA_REQ_COUNTRY "CN"set_var EASYRSA_REQ_PROVINCE"China"set_var EASYRSA_REQ_CITY "ChongQing"set_var EASYRSA_REQ_ORG "VPN"set_var EASYRSA_REQ_EMAIL"nail@nail.cn"set_var EASYRSA_REQ_OU"VPN CA"set_var EASYRSA_KEY_SIZE 2048set_var EASYRSA_ALGO rsaset_var EASYRSA_CA_EXPIRE3650set_var EASYRSA_CERT_EXPIRE3650set_var EASYRSA_NS_COMMENT"VPN Generated Certificate"set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"set_var EASYRSA_DIGEST"sha256" (5) 生成证书CA重要： CA 根证书的密码一定不能遗失，否则无法生成其它证书。
[root@CentOS7U6 ca]# ./easyrsa init-pkiNote: using Easy-RSA configuration from: ./varsinit-pki complete; you may now create a CA or requests.Your newly created PKI dir is: /usr/openvpn/ca/pki[root@CentOS7U6 ca]# [root@CentOS7U6 ca]# ./easyrsa build-caNote: using Easy-RSA configuration from: ./varsUsing SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017Enter New CA Key Passphrase: 123456 #CA根证书密码Re-Enter New CA Key Passphrase: 123456 #CA根证书密码Generating RSA private key, 2048 bit long modulus.....................+++..............+++e is 65537 (0x10001)You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.Common Name (eg: your user, host, or server name) [Easy-RSA CA]:CA creation complete and you may now import and sign cert requests.Your new CA certificate file for publishing is at:/usr/openvpn/ca/pki/ca.crt[root@CentOS7U6 ca]#(6) 生成DH PEM文件[root@CentOS7U6 ca]# ./easyrsa gen-dhNote: using Easy-RSA configuration from: ./varsUsing SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017Generating DH parameters, 2048 bit long safe prime, generator 2This is going to take a long time................................................................+......................................................+.........................................................................................+.....................................................................................................+............+....+..................................+..................................+.+..................................................................................................................................................+DH parameters of size 2048 created at /usr/openvpn/ca/pki/dh.pem[root@CentOS7U6 ca]#(7) 生成服务端证书重要： 服务端证书，必须使用nopass参数生成证书，否则生成的证书，在启动VPN服务时，需要手动输入密码，VPN服务端才能够启动.[root@CentOS7U6 ca]# ./easyrsa gen-req server nopassNote: using Easy-RSA configuration from: ./varsUsing SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017Generating a 2048 bit RSA private key............+++......+++writing new private key to '/usr/openvpn/ca/pki/private/server.key.HBXzQozLmF'-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.Common Name (eg: your user, host, or server name) [server]:Keypair and certificate request completed. Your files are:req: /usr/openvpn/ca/pki/reqs/server.reqkey: /usr/openvpn/ca/pki/private/server.key[root@CentOS7U6 ca]#[root@CentOS7U6 ca]# ./easyrsa sign-req server serverNote: using Easy-RSA configuration from: ./varsUsing SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017You are about to sign the following certificate.Please check over the details shown below for accuracy. Note that this requesthas not been cryptographically verified. Please be sure it came from a trustedsource or that you have verified the request checksum with the sender.Request subject, to be signed as a server certificate for 3650 days:subject= commonName = serverType the word 'yes' to continue, or any other input to abort. Confirm request details: yes #这里输入 yes 继续Using configuration from /usr/openvpn/ca/pki/safessl-easyrsa.cnfEnter pass phrase for /usr/openvpn/ca/pki/private/ca.key: 123456 #CA证书的密码Check that the request matches the signatureSignature okThe Subject's Distinguished Name is as followscommonName :ASN.1 12:'server'Certificate is to be certified until Oct 2 03:37:28 2028 GMT (3650 days)Write out database with 1 new entriesData Base UpdatedCertificate created at: /usr/openvpn/ca/pki/issued/server.crt[root@CentOS7U6 ca]#(8) 客户端证书重要./easyrsa build-client-full client1 用户登录时需要输入用户证书的密码。
./easyrsa build-client-full client20 nopass 用户登录时，不需要输入证书的密码。
[root@CentOS7U6 ca]# ./easyrsa build-client-full client1Note: using Easy-RSA configuration from: ./varsUsing SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017Generating a 2048 bit RSA private key...+++.........................................................+++writing new private key to '/usr/openvpn/ca/pki/private/client1.key.6yOFBpL7h0'Enter PEM pass phrase: 666666 #自定义客户端证书的密码Verifying - Enter PEM pass phrase: 666666 #自定义客户端证书的密码Using configuration from /usr/openvpn/ca/pki/safessl-easyrsa.cnfEnter pass phrase for /usr/openvpn/ca/pki/private/ca.key: 123456 #CA证书的密码Check that the request matches the signatureSignature okThe Subject's Distinguished Name is as followscommonName :ASN.1 12:'client1'Certificate is to be certified until Oct 2 03:45:27 2028 GMT (3650 days)Write out database with 1 new entriesData Base Updated[root@CentOS7U6 ca]#生成更多的远程用户VPN 证书，只需要按上面的步骤，继续执行即可[root@CentOS7U6 ca]# ./easyrsa build-client-full client2[root@CentOS7U6 ca]# ./easyrsa build-client-full client3部署VPN服务(1) 复制安装程序中自带的服务端配置文件[root@CentOS7U6 /]# cd /usr/openvpn/etc/[root@CentOS7U6 etc]# cp /opt/setup/openvpn-2.4.8/sample/sample-config-files/server.conf .(2) 最终修改后的服务端配置文件 [root@CentOS7U6 etc]# cat server.conf | grep -v "^#" | grep -v ";" | grep -v ^$port 1194 #工作端口proto tcp #工作协议dev tunca /usr/openvpn/ca/pki/ca.crt #指定证书位置 cert /usr/openvpn/ca/pki/issued/server.crtdh /usr/openvpn/ca/pki/dh.pemserver 10.8.0.0 255.255.255.0 #VPN 网段push "route 192.168.1.0 255.255.255.0" #单位局域网段信息ifconfig-pool-persist ipp.txtkeepalive 10 120cipher AES-256-CBCcomp-lzopersist-keypersist-tunstatus openvpn-status.logverb 3management localhost 7505[root@CentOS7U6 etc]#（3）CentOS 防火墙上允许 openvpn TCP 1194 端口通信 iptables -A INPUT -p tcp --dport 1194 -j ACCEPT（4）启用路由功能echo “1” > /proc/sys/net/ipv4/ip_forward （5）启动VPN 服务/usr/openvpn/sbin/openvpn --config /usr/openvpn/etc/server.conf &（6）VPN 服务器启用SNAT 功能iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE至此 VPN 服务端配置完成四、远程用户OpenVPN客户端部署(1) 下载安装程序远程办公用户，下载Windows平台的OpenVPN安装程序，下载地址：http://openvpn.net/ ，该网站访问，需要翻墙，请读者根据自己的喜欢，选择一种。
OpenVPN 2.4.8 安装程序(2) Windows 执行OpenVPN 程序安装双击安装程序 “openvpn-install-2.4.8-I602-Win10.exe” 根据向导，直接 Next 直到安装完成安装 OpenVPN(3) 准备客户端配置文件 client.ovpn 将Windows 安装目录中 C:\Program Files\OpenVPN\sample-config 复制到 C:\Program Files\OpenVPN\config 目录，并修改该文件内容如下clientdev tunproto tcpremote nail110.oicp.net 1194resolv-retry infinitenobindpersist-keypersist-tunca ca.crt # 从CentOS CA 目录下复制该文件cert client1.crt #每个用户的证书文件，从CentOS CA 目录下复制该文件件key client1.key #每个用户的证书文件，从CentOS CA 目录下复制该文件remote-cert-tls servercipher AES-256-CBCcomp-lzoverb 3auth-nocache(4) 远程办公用户拔 VPN 连接启动 Windows 开始菜单==>OpenVPN==> OpenVPN GUI ，它会在任务栏右下角出现一个电脑图标，鼠票右键==》Connect 连接执行VPN 连接输入客户端证书密码VPN 客户端拔号成功远程用户，成功和公司的网络通信至此远程用户 VPN 客户端配置完成。