安装OpenVpn:

使用docker-compose

# Create a working directory for the compose project and enter it.
cd /home
mkdir openvpn
cd openvpn
# Open an editor to create docker-compose.yml; its contents are the YAML
# listing that follows.
vim docker-compose.yml
# Compose file for a single OpenVPN server container.
version: '2'

services:
  ovpn:
    # NOTE(review): no tag or digest is given, so Docker resolves this to the
    # image's "latest" tag; pin a specific tag or digest so the deployed
    # server is reproducible and upgrades are deliberate.
    image: kylemanna/openvpn
    volumes:
      # ./data on the host is mounted at /etc/openvpn. The server config on
      # this page reads its key, certificates and ta.key from
      # /etc/openvpn/pki, so this directory holds private key material;
      # restrict access to it on the host.
      - ./data:/etc/openvpn
    ports:
      # Publishes UDP port 1194 of the container on the same host port.
      - '1194:1194/udp'
    cap_add:
      # Adds the NET_ADMIN capability to the container; presumably needed so
      # OpenVPN can create the tun device and manage routes — confirm against
      # the image documentation.
      - NET_ADMIN
    # Restart the container whenever it stops.
    restart: always
# 1. Generate the server configuration. "host" is presumably a placeholder;
#    replace it with the address clients will use to reach the server.
docker-compose run --rm ovpn ovpn_genconfig -u udp://host
# 2. Initialise the PKI. This step is interactive: it prompts for the CA key
#    passphrase and a few other settings (see the transcript below).
docker-compose run --rm ovpn ovpn_initpki
# 3. Start the ovpn server in the background.
docker-compose up -d
# 4. Name of the client to issue a certificate for.
export CLIENTNAME="zyvpn"
# 5. Create a client certificate and key. "nopass" leaves the client private
#    key without a passphrase, so the key is protected only by access to the
#    file that carries it.
docker-compose run --rm ovpn easyrsa build-client-full "$CLIENTNAME" nopass
# 6. Export the client profile. The resulting .ovpn file embeds the client
#    private key (the <key> block shown later on this page), so transfer and
#    store it as a secret.
docker-compose run --rm ovpn ovpn_getclient "$CLIENTNAME" > "$CLIENTNAME.ovpn"

其中第二步的交互过程(终端输出)如下:

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.....................+++
..................................................................+++
writing new private key to '/opt/easy-rsa/pki/private/ca.key.ggOTFt9Y8c'
Enter PEM pass phrase:   1234    #输入PEM密钥密码(1234 仅为示例;该口令保护 CA 私钥 ca.key,实际请使用强口令)
Verifying - Enter PEM pass phrase:  1234  #重复PEM密钥密码

Common Name (eg: your user, host, or server name) [Easy-RSA CA]: [回车]
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/opt/easy-rsa/pki/ca.crt  ## 生成 ca.crt 文件

至此,即可通过xx.ovpn文件直接连接服务端,默认使用证书模式

服务器配置(顺便加入账号密码认证):

data目录下openvpn.conf


server 192.168.255.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/172.16.2.8.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/172.16.2.8.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun

proto udp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /tmp/openvpn-status.log

user nobody
group nogroup
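# 启用openvpn新版压缩算法 lz4
# 注意:在VPN隧道内启用压缩存在压缩侧信道风险(如 VORACLE),新版 OpenVPN 已不推荐启用压缩;
# 如无明确需要,建议去掉这里的 compress 以及下面 push 的 compress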
compress lz4-v2

### Route Configurations Below
route 192.168.254.0 255.255.255.0

### Push Configurations Below
#push "block-outside-dns" #注释这个
#push "dhcp-option DNS 8.8.8.8" #注释这个
#push "dhcp-option DNS 8.8.4.4" #注释这个
# 推送客户端使用新版压缩算法,不能和comp-lzo同时使用
push "compress lz4-v2"
# 最大客户端数
max-clients 2048
# 单一证书多用户使用
# 注意:多个用户共用同一张证书后,无法通过吊销证书单独停用某个用户,只能依靠账号密码区分用户
duplicate-cn

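# 加入账号密码认证
# via-env 通过环境变量把用户名和密码传给脚本,因此需要 script-security 3;
# 也可改用 via-file(脚本需相应改为从文件读取),此时 script-security 2 即可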
script-security 3
auth-user-pass-verify ./checkpsw.sh via-env # user auth script
username-as-common-name

data目录下创建账号密码校验脚本checkpsw.sh

此脚本是openvpn官方提供

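#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
# Lines starting with ';' or '#' are ignored. Only the second
# whitespace-separated field is read as the password, so a
# password cannot contain spaces or tabs.
#
# Inputs:  environment variables "username" and "password"
#          (the server config on this page invokes the script
#          with "auth-user-pass-verify ... via-env").
# Exit:    0 when the password matches the passfile entry,
#          1 otherwise (unreadable passfile, unknown user,
#          wrong password).
#
# Both values are supplied by the connecting client, so they
# are handled strictly as data: never spliced into the awk
# program text and never used as a printf format string.
# The passfile stores passwords in clear text; keep it readable
# only by the account OpenVPN runs this script as.

PASSFILE="./psw-file"
LOG_FILE="./openvpn-password.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")

###########################################################

# Append one timestamped line to the log file.
# $1 - message text (written with %s, never interpreted as a format).
log_line() {
  printf '%s: %s\n' "${TIME_STAMP}" "$1" >> "${LOG_FILE}"
}

if [ ! -r "${PASSFILE}" ]; then
  log_line "Could not open password file \"${PASSFILE}\" for reading."
  exit 1
fi

# Hand the user name to awk through its environment instead of pasting it
# into the program source: a name containing quote characters would
# otherwise change the awk program itself. Appending "" to both operands
# forces a string comparison, so numeric-looking names such as "007" and
# "7" stay distinct (the original compared against a string literal).
CORRECT_PASSWORD=$(
  LOOKUP_USER="${username}" awk '
    !/^;/ && !/^#/ && ($1 "") == (ENVIRON["LOOKUP_USER"] "") { print $2; exit }
  ' "${PASSFILE}"
)

# An empty result means no matching row, or a row without a password field;
# both are rejected.
if [ "${CORRECT_PASSWORD}" = "" ]; then
  log_line "User does not exist: username=\"${username}\"."
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  log_line "Successful authentication: username=\"${username}\"."
  exit 0
fi

# The attempted password is deliberately not written to the log: failed
# attempts are often near-misses or passwords for other systems, and the
# log file would then hold clear-text credentials.
log_line "Incorrect password: username=\"${username}\"."
exit 1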

用户目录下创建账号密码本psw-file

每行一个用户:账号在前,后跟空格或制表符,再写密码;新增用户时追加一行即可。密码以明文保存,请限制该文件的读取权限;下面的账号密码仅为示例,实际请使用强密码。

vinson P@ssW0rd
oyzm 123456

客户端配置:

证书为服务器导出,不能修改;其中 <key> 和 <tls-auth> 中的内容属于密钥,应妥善保管,不要公开。


client
nobind
dev tun
remote-cert-tls server

remote 172.16.2.8 1194 udp
auth-user-pass # 使用账号密码认证

route-nopull #默认不走vpn网卡,否则会代理所有流量
route 172.16.0.0 255.255.0.0 vpn_gateway # 添加走vpn的ip和子网掩码
route 10.0.0.0 255.0.0.0 vpn_gateway

# 如果配置中有 redirect-gateway def1 这一行,一定要删除,否则会全局代理(OpenVPN 配置的注释符是 # 或 ;,不是 //)

<key>
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</cert>

<ca>
-----BEGIN CERTIFICATE-----
MIIDSzCCAjOgAwIBAgIUYqT7prEpfUCUAGCmRlYASoxnoEIwDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMjIxMjEzMDY1NzE2WhcNMzIx
MjEwMDY1NzE2WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAJO/FuaF3fmprsf+ObQUE6vmR4xsKhlN21neiuF4
QsEhOs1UshRgtlS/RSJqGEKKx8RxEsvERrUu+WNBEc5bhA2YAH8DL/9t0zlyL/jC
qhjygjqHcMAsQOn6+yyT7KCGN/6UD+YtwA7EG99HWt4gNm5/d9kH0yJF/Jr5prG1
lm6sYxr8mYA14Bmw49iWU2dUyr54SH3D6zmk8stQ79iZR82R2UD7/gwg+6PMsmkH
iq7om28RVb7mY4k0uElejkNvhtunR+hg1cZGpZJqxWLsm7LyeXPZJ+iPB7dlorY9
KFlZF+biy93dfrb5nC+F381l6Wb0eafftH8vl1M9fdVoecsCAwEAAaOBkDCBjTAd
BgNVHQ4EFgQUK3eRDUNVFmPfBLO750a6NHYHuyMwUQYDVR0jBEowSIAUK3eRDUNV
FmPfBLO750a6NHYHuyOhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghRipPum
sSl9QJQAYKZGVgBKjGegQjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkq
hkiG9w0BAQsFAAOCAQEAJ6a98R84S3rAAQnomlRgpjoiJPBEXCib3/0OasTkPJUp
ln1wj9bXNacQbIelwJ8OU8thkEokqsXZFduktCMSJUMYRyCZpUolU/4B+IR3fIJ8
K3guzdTIDdVERZwUhtsTsE8nUoA9h9ox42Dw/B4XiHWTqzba2AwXZkFJKwSXYpcy
FyZiHfCJlyZiqX37KN9FxTJpaIrHQXdR9W2aOHFdNuTjHUJ76IJwT7Lx81RqVh8C
oVi+V28f3030Bn1liwAks1wcq/Ji4pwK4B/QRgVhjggQ8KAMU9CYoQG4JVhnQ+7H
sexxgo+s+ODCVbJ4t4zMiCjBdrN50dO+tLW7oAYJ0Q==
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
f371fc1e7ebf55446c2efc2d51fabfa0
dae52060b6d9a3c78fa6dcc02bff0f59
728bcf437d1e37b974a55ea62de15d30
dd90ec18f344f3d1d9890d626397d2b4
eb99f5bb103b1c5ec2bb821e0f011eff
382c2c94fadcabdb162981dd422ed175
80a796c7246267526b250898125a0834
362e1963c62290dbf60459b16c7c6b45
4cf2062113262e23d0c3656648bbbeb4
0e8d436c174f5d5f3d8be7ecb0f380f0
ea1d974867691822d64f1890cb35c83f
d697466db749a3860c7685eeff5ea86c
54547b44ac18e4f26094848abe58b5f1
c39d0e3e9add4a6766e92d09609652bd
dbff74938b2e26b8770b84e35f3f6c4f
e96fd5348988661ac7f261a04271e77a
-----END OpenVPN Static key V1-----
</tls-auth>

客户端下载地址